[RFC PATCH v4 0/4] RFC: Add Arm CCA support for getting capability information and running Realm VM

Hi, all. This patch adds Arm CCA support to QEMU driver for aarch64 system. CCA is an abbreviation for Arm Confidential Compute Architecture feature, it enhances the virtualization capabilities of the platform by separating the management of resources from access to those resources. We are not yet at the stage where we can merge this patch as host Linux/QEMU support is not yet merged, but I would like to receive reviews and comments on the overall direction. Changes in v4: - Changed the target QEMU binary (Linaro's CCA/v8 version with added QMP functionality) - Added the 'armrme' variant to tests/qemucapabilitiesdata/README.rst. - Renamed data files to include '+armrme': - tests/domaincapsdata/qemu_9.2.0-virt.aarch64+armrme.xml - tests/domaincapsdata/qemu_9.2.0.aarch64+armrme.xml - tests/qemucapabilitiesdata/caps_9.2.0_aarch64+armrme.replies - tests/qemucapabilitiesdata/caps_9.2.0_aarch64+armrme.xml - tests/qemuxmlconfdata/launch-security-cca.aarch64-latest+armrme.args - tests/qemuxmlconfdata/launch-security-cca.aarch64-latest+armrme.xml - Reorganized the commits to ensure the tests pass even with partial application of the patch. [summary] At this stage, all you can do is getting the CCA capability with the virsh domcapabilities command and start the CCA VM with the virsh create command. capability info uses QEMU QMP to query QEMU options. The option that exists now is for selecting a hash algorithm. QEMU QMP sections currently only contains a single member, but is wrapped in sections for expansion. [Capability example] Execution results of 'virsh domcapability" on QEMU <domaincapabilities> ... <features> ... </sgx> <cca supported='yes'> <enum name='measurement-algo'> <value>sha256</value> <value>sha512</value> </enum> </cca> <hyperv supported='yes'> ... </features> </domaincapabilities> [XML example] <domain> ... <launchsecurity type='cca'> <measurement-algo>sha256</measurement-algo> </launchsecurity> ... </domain> [limitations/tests] To obtain capability info, it is necessary to support the QEMU QMP command, which QEMU does not yet support. We added a QMP command to retrieve CCA info for test (See "[software version]" below). I need to check qemu_firmware.c to see if my CPU firmware supports CCA. Since it's not implemented yet, I'll wait until a Linux distributor provides me with a JSON file for CCA. We have confirmed that the added tests (qemucapabilitiestest, domaincapstest and qemuxmlconftest) and the CCA VM startup test (starting the CCA VM from the virsh create command) passed. The "personalization-value" and "measurement-log" parameters that exist in the current Linaro QEMU cca/latest branch will not be specified as CCA VM startup parameters with the virsh create command. [software version] I followed the steps in Linaro's blog below. https://linaro.atlassian.net/wiki/spaces/QEMU/pages/29051027459/Building+... The QEMU used was enhanced with CCA QMP command and found at: https://github.com/Kazuhiro-Abe-fj/linaro_qemu/tree/cca-latest-qmp which is based on Linaro QEMU (cca/latest) https://git.codelinaro.org/linaro/dcap/qemu/-/tree/cca/latest?ref_type=heads RFC v1: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/V4... RFC v2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/5... RFC v3: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/LL... Signed-off-by: Kazuhiro Abe fj1078ii(a)aa.jp.fujitsu.com Akio Kakuno (3): src: Add ARM CCA support in qemu driver to launch VM src: Add ARM CCA support in domain capabilities command src: Add ARM CCA support in domain schema Kazuhiro Abe (1): tests: Adds Arm CCA support docs/formatdomain.rst | 43 + docs/formatdomaincaps.rst | 27 +- src/conf/domain_capabilities.c | 48 + src/conf/domain_capabilities.h | 12 + src/conf/domain_conf.c | 25 + src/conf/domain_conf.h | 9 + src/conf/domain_validate.c | 1 + src/conf/schemas/domaincaps.rng | 36 + src/conf/schemas/domaincommon.rng | 26 + src/conf/virconftypes.h | 2 + src/libvirt_private.syms | 1 + src/qemu/qemu_capabilities.c | 145 + src/qemu/qemu_capabilities.h | 4 + src/qemu/qemu_cgroup.c | 2 + src/qemu/qemu_command.c | 29 + src/qemu/qemu_driver.c | 2 + src/qemu/qemu_firmware.c | 1 + src/qemu/qemu_monitor.c | 10 + src/qemu/qemu_monitor.h | 3 + src/qemu/qemu_monitor_json.c | 98 + src/qemu/qemu_monitor_json.h | 4 + src/qemu/qemu_namespace.c | 2 + src/qemu/qemu_process.c | 4 + src/qemu/qemu_validate.c | 4 + src/security/security_dac.c | 2 + .../qemu_9.2.0-virt.aarch64+armrme.xml | 244 + .../qemu_9.2.0.aarch64+armrme.xml | 244 + tests/qemucapabilitiesdata/README.rst | 5 + .../caps_9.2.0_aarch64+armrme.replies | 36754 ++++++++++++++++ .../caps_9.2.0_aarch64+armrme.xml | 540 + ...ch-security-cca.aarch64-latest+armrme.args | 30 + ...nch-security-cca.aarch64-latest+armrme.xml | 24 + tests/qemuxmlconfdata/launch-security-cca.xml | 16 + tests/qemuxmlconftest.c | 2 + 34 files changed, 38398 insertions(+), 1 deletion(-) create mode 100644 tests/domaincapsdata/qemu_9.2.0-virt.aarch64+armrme.xml create mode 100644 tests/domaincapsdata/qemu_9.2.0.aarch64+armrme.xml create mode 100644 tests/qemucapabilitiesdata/caps_9.2.0_aarch64+armrme.replies create mode 100644 tests/qemucapabilitiesdata/caps_9.2.0_aarch64+armrme.xml create mode 100644 tests/qemuxmlconfdata/launch-security-cca.aarch64-latest+armrme.args create mode 100644 tests/qemuxmlconfdata/launch-security-cca.aarch64-latest+armrme.xml create mode 100644 tests/qemuxmlconfdata/launch-security-cca.xml -- 2.43.5