Add support for arm cca

Makefile

@@ -27,6 +27,9 @@ ifeq ($(SEV),1)
     INIT_SRC += $(SNP_INIT_SRC)
 	BUILD_INIT = 0
 endif
+ifeq ($(CCA), 1)
+    FEATURE_FLAGS := --features cca
+endif
 ifeq ($(GPU),1)
     FEATURE_FLAGS += --features gpu
 endif

src/arch/Cargo.toml

@@ -5,6 +5,8 @@ authors = ["The Chromium OS Authors"]
 edition = "2021"
 
 [features]
+default = ["cca"]
+cca = []
 tee = []
 amd-sev = [ "tee" ]
 efi = []
@@ -18,8 +20,8 @@ smbios = { path = "../smbios" }
 utils = { path = "../utils" }
 
 [target.'cfg(target_os = "linux")'.dependencies]
-kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] }
-kvm-ioctls = ">=0.17"
+kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] , git = "https://github.com/virtee/kvm-bindings", branch = "add_bindings_for_realms" }
+kvm-ioctls = { version = ">=0.17", git = "https://github.com/virtee/kvm-ioctls", branch = "cca" }
 
 [target.'cfg(target_arch = "aarch64")'.dependencies]
 vm-fdt = ">= 0.2.0"

src/arch/src/aarch64/fdt.rs

@@ -285,7 +285,10 @@ fn create_psci_node(fdt: &mut FdtWriter) -> Result<()> {
     // Two methods available: hvc and smc.
     // As per documentation, PSCI calls between a guest and hypervisor may use the HVC conduit instead of SMC.
     // So, since we are using kvm, we need to use hvc.
+    #[cfg(not(feature = "cca"))]
     fdt.property_string("method", "hvc")?;
+    #[cfg(feature = "cca")]
+    fdt.property_string("method", "smc")?;
     fdt.end_node(node)?;
 
     Ok(())

src/arch/src/aarch64/linux/regs.rs

@@ -125,8 +125,10 @@ arm64_sys_reg!(MPIDR_EL1, 3, 0, 0, 0, 5);
 /// * `boot_ip` - Starting instruction pointer.
 /// * `mem` - Reserved DRAM for current VM.
 pub fn setup_regs(vcpu: &VcpuFd, cpu_id: u8, boot_ip: u64, mem: &GuestMemoryMmap) -> Result<()> {
-    // Get the register index of the PSTATE (Processor State) register.
+    // PSTATE cannot be accesed from the host in CCA
+    #[cfg(not(feature = "cca"))]
     #[allow(deref_nullptr)]
+    // Get the register index of the PSTATE (Processor State) register.
     vcpu.set_one_reg(arm64_core_reg!(pstate), &PSTATE_FAULT_BITS_64.to_le_bytes())
         .map_err(Error::SetCoreRegister)?;
 

src/cpuid/Cargo.toml

@@ -8,5 +8,5 @@ edition = "2021"
 vmm-sys-util = ">=0.11"
 
 [target.'cfg(target_os = "linux")'.dependencies]
-kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] }
-kvm-ioctls = ">=0.17"
+kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] , git = "https://github.com/virtee/kvm-bindings", branch = "add_bindings_for_realms" }
+kvm-ioctls = { version = ">=0.17", git = "https://github.com/virtee/kvm-ioctls", branch = "cca" }

src/devices/Cargo.toml

@@ -5,7 +5,9 @@ authors = ["The Chromium OS Authors"]
 edition = "2021"
 
 [features]
+default = ["cca"]
 tee = []
+cca = []
 amd-sev = ["blk", "tee"]
 net = []
 blk = []

src/devices/src/virtio/console/device.rs

@@ -30,9 +30,18 @@ use crate::virtio::{PortDescription, VmmExitObserver};
 pub(crate) const CONTROL_RXQ_INDEX: usize = 2;
 pub(crate) const CONTROL_TXQ_INDEX: usize = 3;
 
-pub(crate) const AVAIL_FEATURES: u64 = 1 << uapi::VIRTIO_CONSOLE_F_SIZE as u64
-    | 1 << uapi::VIRTIO_CONSOLE_F_MULTIPORT as u64
-    | 1 << uapi::VIRTIO_F_VERSION_1 as u64;
+// CCA requires VIRTIO_F_ACCESS_PLATFORM to ensure DMA-APIs
+// are triggered for virtio in Linux
+pub(crate) const AVAIL_FEATURES: u64 = if cfg!(feature = "cca") {
+    1 << uapi::VIRTIO_CONSOLE_F_SIZE as u64
+        | 1 << uapi::VIRTIO_CONSOLE_F_MULTIPORT as u64
+        | 1 << uapi::VIRTIO_F_VERSION_1 as u64
+        | 1 << uapi::VIRTIO_F_ACCESS_PLATFORM as u64
+} else {
+    1 << uapi::VIRTIO_CONSOLE_F_SIZE as u64
+        | 1 << uapi::VIRTIO_CONSOLE_F_MULTIPORT as u64
+        | 1 << uapi::VIRTIO_F_VERSION_1 as u64
+};
 
 #[repr(C)]
 #[derive(Default)]

src/devices/src/virtio/console/mod.rs

@@ -22,6 +22,7 @@ mod defs {
         pub const VIRTIO_CONSOLE_F_MULTIPORT: u32 = 1;
         pub const VIRTIO_F_VERSION_1: u32 = 32;
         pub const VIRTIO_ID_CONSOLE: u32 = 3;
+        pub const VIRTIO_F_ACCESS_PLATFORM: u32 = 33;
     }
 
     #[allow(dead_code)]

src/devices/src/virtio/fs/device.rs

@@ -9,7 +9,10 @@ use std::thread::JoinHandle;
 #[cfg(target_os = "macos")]
 use hvf::MemoryMapping;
 use utils::eventfd::{EventFd, EFD_NONBLOCK};
-use virtio_bindings::{virtio_config::VIRTIO_F_VERSION_1, virtio_ring::VIRTIO_RING_F_EVENT_IDX};
+use virtio_bindings::{
+    virtio_config::VIRTIO_F_ACCESS_PLATFORM, virtio_config::VIRTIO_F_VERSION_1,
+    virtio_ring::VIRTIO_RING_F_EVENT_IDX,
+};
 use vm_memory::{ByteValued, GuestMemoryMmap};
 
 use super::super::{
@@ -70,7 +73,13 @@ impl Fs {
                 .push(EventFd::new(utils::eventfd::EFD_NONBLOCK).map_err(FsError::EventFd)?);
         }
 
-        let avail_features = (1u64 << VIRTIO_F_VERSION_1) | (1u64 << VIRTIO_RING_F_EVENT_IDX);
+        let avail_features = if cfg!(feature = "cca") {
+            (1u64 << VIRTIO_F_VERSION_1)
+                | (1u64 << VIRTIO_RING_F_EVENT_IDX)
+                | (1 << VIRTIO_F_ACCESS_PLATFORM as u64)
+        } else {
+            (1u64 << VIRTIO_F_VERSION_1) | (1u64 << VIRTIO_RING_F_EVENT_IDX)
+        };
 
         let tag = fs_id.into_bytes();
         let mut config = VirtioFsConfig::default();

src/devices/src/virtio/rng/device.rs

@@ -13,12 +13,17 @@ use super::super::{
 use super::{defs, defs::uapi};
 use crate::legacy::Gic;
 use crate::Error as DeviceError;
+use virtio_bindings::virtio_config::VIRTIO_F_ACCESS_PLATFORM;
 
 // Request queue.
 pub(crate) const REQ_INDEX: usize = 0;
 
 // Supported features.
-pub(crate) const AVAIL_FEATURES: u64 = 1 << uapi::VIRTIO_F_VERSION_1 as u64;
+pub(crate) const AVAIL_FEATURES: u64 = if cfg!(feature = "cca") {
+    1 << uapi::VIRTIO_F_VERSION_1 as u64 | 1 << VIRTIO_F_ACCESS_PLATFORM as u64
+} else {
+    1 << uapi::VIRTIO_F_VERSION_1 as u64
+};
 
 #[derive(Copy, Clone, Debug, Default)]
 #[repr(C, packed)]

src/libkrun/Cargo.toml

@@ -16,12 +16,14 @@ snd = []
 virgl_resource_map2 = []
 
 [dependencies]
+vm-memory = { version = ">=0.13", features = ["backend-mmap"] }
 crossbeam-channel = "0.5"
 env_logger = "0.9.0"
 libc = ">=0.2.39"
 log = "0.4.0"
 once_cell = "1.4.1"
 
+kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] , git = "https://github.com/virtee/kvm-bindings", branch = "add_bindings_for_realms" }
 devices = { path = "../devices" }
 polly = { path = "../polly" }
 utils = { path = "../utils" }

src/libkrun/src/lib.rs

@@ -1,6 +1,13 @@
 #[macro_use]
 extern crate log;
 
+use crossbeam_channel::unbounded;
+use kvm_bindings::kvm_memory_attributes;
+use libc::fallocate;
+use libc::madvise;
+use libc::FALLOC_FL_KEEP_SIZE;
+use libc::FALLOC_FL_PUNCH_HOLE;
+use libc::MADV_DONTNEED;
 use std::collections::hash_map::Entry;
 use std::collections::HashMap;
 use std::convert::TryInto;
@@ -11,10 +18,13 @@ use std::ffi::CString;
 #[cfg(target_os = "linux")]
 use std::os::fd::AsRawFd;
 use std::os::fd::RawFd;
+use std::os::raw::c_void;
 use std::path::PathBuf;
 use std::slice;
 use std::sync::atomic::{AtomicI32, Ordering};
 use std::sync::Mutex;
+use vm_memory::GuestMemoryRegion;
+use vm_memory::{Address, GuestMemory};
 
 #[cfg(target_os = "macos")]
 use crossbeam_channel::unbounded;
@@ -1154,9 +1164,12 @@ pub extern "C" fn krun_start_enter(ctx_id: u32) -> i32 {
     #[cfg(target_os = "macos")]
     let (sender, receiver) = unbounded();
 
+    let (io_sender, receiver) = unbounded();
+
     let _vmm = match vmm::builder::build_microvm(
         &ctx_cfg.vmr,
         &mut event_manager,
+        io_sender,
         ctx_cfg.shutdown_efd,
         #[cfg(target_os = "macos")]
         sender,
@@ -1171,6 +1184,61 @@ pub extern "C" fn krun_start_enter(ctx_id: u32) -> i32 {
     #[cfg(target_os = "macos")]
     let mapper_vmm = _vmm.clone();
 
+    let vm = _vmm.lock().unwrap().kvm_vm().fd.clone();
+    let guest_mem = _vmm.lock().unwrap().guest_memory().clone();
+    let guest_memfd = _vmm.lock().unwrap().guest_memfd_vec.clone();
+
+    std::thread::spawn(move || loop {
+        match receiver.recv() {
+            Err(e) => error!("Error in receiver: {:?}", e),
+            Ok(m) => {
+                let _ret = vm
+                    .lock()
+                    .unwrap()
+                    .set_memory_attributes(kvm_memory_attributes {
+                        address: m.addr,
+                        size: m.size,
+                        attributes: m.attributes as u64,
+                        flags: 0,
+                    });
+
+                // from private to shared
+                if m.attributes == 0 {
+                    for (index, region) in guest_mem.iter().enumerate() {
+                        // this supposes that m.addr + m.size < region.start + region.size
+                        // which may be false
+                        if (region.start_addr().raw_value() + region.size() as u64) > m.addr {
+                            let offset = m.addr - region.start_addr().raw_value();
+                            unsafe {
+                                let _ret = fallocate(
+                                    *guest_memfd.get(index).unwrap(),
+                                    FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
+                                    offset as i64,
+                                    m.size as i64,
+                                );
+                            }
+                        }
+                    }
+                // from shared to private
+                } else {
+                    for (_index, region) in guest_mem.iter().enumerate() {
+                        if (region.start_addr().raw_value() + region.size() as u64) > m.addr {
+                            let offset = m.addr - region.start_addr().raw_value();
+                            let host_startaddr = m.addr + offset;
+                            unsafe {
+                                let _ret = madvise(
+                                    host_startaddr as *mut c_void,
+                                    m.size.try_into().unwrap(),
+                                    MADV_DONTNEED,
+                                );
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    });
+
     #[cfg(target_os = "macos")]
     std::thread::Builder::new()
         .name("mapping worker".into())

src/vmm/Cargo.toml

@@ -5,8 +5,10 @@ authors = ["Amazon Firecracker team <[email protected]>"]
 edition = "2021"
 
 [features]
+default = ["cca"]
 tee = []
 amd-sev = [ "blk", "tee", "codicon", "kbs-types", "procfs", "rdrand", "serde", "serde_json", "sev", "curl" ]
+cca = []
 net = []
 blk = []
 efi = [ "blk", "net" ]
@@ -37,12 +39,14 @@ sev = { version = "4.0.0", features = ["openssl"], optional = true }
 curl = { version = "0.4", optional = true }
 nix = "0.24.1"
 
+cca = { git = "https://github.com/virtee/cca" }
+
 [target.'cfg(target_arch = "x86_64")'.dependencies]
 cpuid = { path = "../cpuid" }
 
 [target.'cfg(target_os = "linux")'.dependencies]
-kvm-bindings = { version = ">=0.10", features = ["fam-wrappers"] }
-kvm-ioctls = ">=0.17"
+kvm-bindings = { version = ">=0.8", features = ["fam-wrappers"] , git = "https://github.com/virtee/kvm-bindings", branch = "add_bindings_for_realms" }
+kvm-ioctls = { version = ">=0.17", git = "https://github.com/virtee/kvm-ioctls", branch = "cca" }
 
 [target.'cfg(target_os = "macos")'.dependencies]
 hvf = { path = "../hvf" }