From: Alexander Graf
Cc: Peter Maydell, Thomas Huth, Cornelia Huck, Dorjoy Chowdhury, Pierrick Bouvier, Paolo Bonzini, Tyler Fanelli
Subject: [PATCH 04/10] hw/nitro/nitro-serial-vsock: Nitro Enclaves vsock console
Date: Wed, 18 Feb 2026 01:51:44 +0000
Message-ID: <20260218015151.4052-5-graf@amazon.com>
In-Reply-To: <20260218015151.4052-1-graf@amazon.com>
References: <20260218015151.4052-1-graf@amazon.com>
List-Id: qemu development

Nitro Enclaves support a special "debug" mode.
When in debug mode, the Nitro Hypervisor provides a vsock port that the parent can connect to to receive serial console output of the Enclave.

Add a new nitro-serial-vsock driver that implements short-circuit logic to establish the vsock connection to that port and feed its data into a chardev, so that a machine model can use it as serial device.

Signed-off-by: Alexander Graf
--- MAINTAINERS | 6 ++ hw/Kconfig | 1 + hw/meson.build | 1 + hw/nitro/Kconfig | 3 + hw/nitro/meson.build | 1 + hw/nitro/serial-vsock.c | 154 ++++++++++++++++++++++++++++++++ hw/nitro/trace-events | 4 + hw/nitro/trace.h | 4 + include/hw/nitro/serial-vsock.h | 26 ++++++ meson.build | 1 + 10 files changed, 201 insertions(+) create mode 100644 hw/nitro/Kconfig create mode 100644 hw/nitro/meson.build create mode 100644 hw/nitro/serial-vsock.c create mode 100644 hw/nitro/trace-events create mode 100644 hw/nitro/trace.h create mode 100644 include/hw/nitro/serial-vsock.h diff --git a/MAINTAINERS b/MAINTAINERS index 3d002143ae..53ce075e9a 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -3022,6 +3022,12 @@ F: hw/vmapple/* F: include/hw/vmapple/* F: docs/system/arm/vmapple.rst =20 +Nitro Enclaves (native) +M: Alexander Graf +S: Maintained +F: hw/nitro/ +F: include/hw/nitro/ + Subsystems ---------- Overall Audio backends diff --git a/hw/Kconfig b/hw/Kconfig index f8f92b5d03..b3ce1520a6 100644 --- a/hw/Kconfig +++ b/hw/Kconfig @@ -22,6 +22,7 @@ source isa/Kconfig source mem/Kconfig source misc/Kconfig source net/Kconfig +source nitro/Kconfig source nubus/Kconfig source nvme/Kconfig source nvram/Kconfig diff --git a/hw/meson.build b/hw/meson.build index 66e46b8090..36da5322f7 100644 --- a/hw/meson.build +++ b/hw/meson.build @@ -44,6 +44,7 @@ subdir('isa') subdir('mem') subdir('misc') subdir('net') +subdir('nitro') subdir('nubus') subdir('nvme') subdir('nvram') diff --git a/hw/nitro/Kconfig b/hw/nitro/Kconfig new file mode 100644 index 0000000000..86c817c766 --- /dev/null +++ b/hw/nitro/Kconfig
@@ -0,0 +1,3 @@ +config NITRO_SERIAL_VSOCK + bool + depends on NITRO diff --git a/hw/nitro/meson.build b/hw/nitro/meson.build new file mode 100644 index 0000000000..d95ed8dd79 --- /dev/null +++ b/hw/nitro/meson.build @@ -0,0 +1 @@ +system_ss.add(when: 'CONFIG_NITRO_SERIAL_VSOCK', if_true: files('serial-vs= ock.c')) diff --git a/hw/nitro/serial-vsock.c b/hw/nitro/serial-vsock.c new file mode 100644 index 0000000000..12d6804a33 --- /dev/null +++ b/hw/nitro/serial-vsock.c 
@@ -0,0 +1,154 @@ +/* + * Nitro Enclave Vsock Serial + * + * Copyright =C2=A9 2026 Amazon.com, Inc. or its affiliates. All Rights Re= served. + * + * Authors: + * Alexander Graf + * + * With Nitro Enclaves in debug mode, the Nitro Hypervisor provides a vsock + * port that the parent can connect to to receive serial console output of + * the Enclave. This driver implements short-circuit logic to establish the + * vsock connection to that port and feed its data into a chardev, so that + * a machine model can use it as serial device. + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "qemu/error-report.h" +#include "qapi/error.h" +#include "qapi/visitor.h" +#include "chardev/char.h" +#include "chardev/char-fe.h" +#include "hw/core/qdev-properties.h" +#include "hw/core/qdev-properties-system.h" +#include "hw/core/sysbus.h" +#include "hw/nitro/serial-vsock.h" +#include "trace.h" + +#define CONSOLE_PORT_START 10000 +#define VMADDR_CID_HYPERVISOR_STR "0" + +static int nitro_serial_vsock_can_read(void *opaque) +{ + NitroSerialVsockState *s =3D opaque; + + /* Refuse vsock input until the output backend is ready */ + return qemu_chr_fe_backend_open(&s->output) ? 
4096 : 0; +} + +static void nitro_serial_vsock_read(void *opaque, const uint8_t *buf, int = size) +{ + NitroSerialVsockState *s =3D opaque; + + /* Forward all vsock data to the output chardev */ + qemu_chr_fe_write_all(&s->output, buf, size); +} + +static void nitro_serial_vsock_event(void *opaque, QEMUChrEvent event) +{ + /* No need to action on connect/disconnect events, but trace for debug= */ + trace_nitro_serial_vsock_event(event); +} + +static void nitro_serial_vsock_set_cid(Object *obj, Visitor *v, + const char *name, void *opaque, + Error **errp) +{ + NitroSerialVsockState *s =3D NITRO_SERIAL_VSOCK(obj); + uint32_t cid, port; + g_autofree char *chardev_id =3D NULL; + Chardev *chr; + ChardevBackend *backend; + ChardevSocket *sock; + + if (!visit_type_uint32(v, name, &cid, errp)) { + return; + } + + s->cid =3D cid; + port =3D cid + CONSOLE_PORT_START; + + /* + * We know the Enclave CID to connect to now. Create a vsock + * client chardev that connects to the Enclave's console. + */ + chardev_id =3D g_strdup_printf("nitro-console-%u", cid); + + backend =3D g_new0(ChardevBackend, 1); + backend->type =3D CHARDEV_BACKEND_KIND_SOCKET; + sock =3D backend->u.socket.data =3D g_new0(ChardevSocket, 1); + sock->addr =3D g_new0(SocketAddressLegacy, 1); + sock->addr->type =3D SOCKET_ADDRESS_TYPE_VSOCK; + sock->addr->u.vsock.data =3D g_new0(VsockSocketAddress, 1); + sock->addr->u.vsock.data->cid =3D g_strdup(VMADDR_CID_HYPERVISOR_STR); + sock->addr->u.vsock.data->port =3D g_strdup_printf("%u", port); + sock->server =3D false; + sock->has_server =3D true; + + chr =3D qemu_chardev_new(chardev_id, TYPE_CHARDEV_SOCKET, + backend, NULL, errp); + if (!chr) { + return; + } + + if (!qemu_chr_fe_init(&s->vsock, chr, errp)) { + return; + } + + qemu_chr_fe_set_handlers(&s->vsock, + nitro_serial_vsock_can_read, + nitro_serial_vsock_read, + nitro_serial_vsock_event, + NULL, s, NULL, true); +} + +static void nitro_serial_vsock_get_cid(Object *obj, Visitor *v, + const char *name, void 
*opaque, + Error **errp) +{ + NitroSerialVsockState *s =3D NITRO_SERIAL_VSOCK(obj); + uint32_t cid =3D s->cid; + + visit_type_uint32(v, name, &cid, errp); +} + +static void nitro_serial_vsock_realize(DeviceState *dev, Error **errp) +{ + /* + * At realize we don't know the Enclave CID yet, because the nitro acc= el + * first needs to launch the Enclave. Delay creation of the connection + * until the nitro accel pushes the CID as QOM property. + */ +} + +static const Property nitro_serial_vsock_props[] =3D { + DEFINE_PROP_CHR("chardev", NitroSerialVsockState, output), +}; + +static void nitro_serial_vsock_class_init(ObjectClass *oc, const void *dat= a) +{ + DeviceClass *dc =3D DEVICE_CLASS(oc); + dc->realize =3D nitro_serial_vsock_realize; + device_class_set_props(dc, nitro_serial_vsock_props); + + object_class_property_add(oc, "enclave-cid", "uint32", + nitro_serial_vsock_get_cid, + nitro_serial_vsock_set_cid, + NULL, NULL); +} + +static const TypeInfo nitro_serial_vsock_info =3D { + .name =3D TYPE_NITRO_SERIAL_VSOCK, + .parent =3D TYPE_SYS_BUS_DEVICE, + .instance_size =3D sizeof(NitroSerialVsockState), + .class_init =3D nitro_serial_vsock_class_init, +}; + +static void nitro_serial_vsock_register(void) +{ + type_register_static(&nitro_serial_vsock_info); +} + +type_init(nitro_serial_vsock_register); diff --git a/hw/nitro/trace-events b/hw/nitro/trace-events new file mode 100644 index 0000000000..20617a024a --- /dev/null +++ b/hw/nitro/trace-events @@ -0,0 +1,4 @@ +# See docs/devel/tracing.rst for syntax documentation. + +# serial-vsock.c +nitro_serial_vsock_event(int event) "event %d" diff --git a/hw/nitro/trace.h b/hw/nitro/trace.h new file mode 100644 index 0000000000..b455d6c17b --- /dev/null +++ b/hw/nitro/trace.h @@ -0,0 +1,4 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + */ +#include "trace/trace-hw_nitro.h" diff --git a/include/hw/nitro/serial-vsock.h b/include/hw/nitro/serial-vsoc= k.h new file mode 100644 index 0000000000..92c9374eeb --- /dev/null 
+++ b/include/hw/nitro/serial-vsock.h @@ -0,0 +1,26 @@ +/* + * Nitro Enclave Serial (vsock) + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef HW_CHAR_NITRO_SERIAL_VSOCK_H +#define HW_CHAR_NITRO_SERIAL_VSOCK_H + +#include "hw/core/qdev.h" +#include "hw/core/sysbus.h" +#include "chardev/char-fe.h" +#include "qom/object.h" + +#define TYPE_NITRO_SERIAL_VSOCK "nitro-serial-vsock" +OBJECT_DECLARE_SIMPLE_TYPE(NitroSerialVsockState, NITRO_SERIAL_VSOCK) + +struct NitroSerialVsockState { + SysBusDevice parent_obj; + + CharFrontend output; /* chardev to write console output to */ + CharFrontend vsock; /* vsock chardev to enclave console */ + uint32_t cid; +}; + +#endif /* HW_CHAR_NITRO_SERIAL_VSOCK_H */ diff --git a/meson.build b/meson.build index bdeee65db2..3c6fa7a55a 100644 --- a/meson.build +++ b/meson.build @@ -3634,6 +3634,7 @@ if have_system 'hw/misc/macio', 'hw/net', 'hw/net/can', + 'hw/nitro', 'hw/nubus', 'hw/nvme', 'hw/nvram', --=20 2.47.1
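Review bot: in the hw/nitro/Kconfig hunk, NITRO_SERIAL_VSOCK is declared as a plain `bool` that `depends on NITRO`, but no hunk in this patch defines the NITRO symbol and nothing selects NITRO_SERIAL_VSOCK; please confirm that an earlier patch in the series introduces NITRO and that the machine or accel Kconfig which needs this device selects NITRO_SERIAL_VSOCK, otherwise `system_ss.add(when: 'CONFIG_NITRO_SERIAL_VSOCK', ...)` in hw/nitro/meson.build never adds serial-vsock.c to the build.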
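Review bot: in the hw/nitro/serial-vsock.c hunk, nitro_serial_vsock_set_cid() allocates `backend` with g_new0() and never frees it: qemu_chardev_new() does not take ownership of the ChardevBackend, so the success path and both early returns leak it; call qapi_free_ChardevBackend(backend) once qemu_chardev_new() has returned, or declare it g_autoptr(ChardevBackend). The setter also assumes it runs exactly once: a second set of "enclave-cid" with the same value fails inside qemu_chardev_new() because the id "nitro-console-%u" already exists, and a different value leaves the previous chardev and the handlers installed on s->vsock in place while the new qemu_chr_fe_init() overwrites the frontend. Either reject a second set with error_setg() or qemu_chr_fe_deinit(&s->vsock, true) before creating the replacement. In nitro_serial_vsock_read() the return value of qemu_chr_fe_write_all() is discarded, so a failing output chardev silently drops enclave console data; at least trace it or emit a warn_report(). A one-line comment next to `#define CONSOLE_PORT_START 10000` and `#define VMADDR_CID_HYPERVISOR_STR "0"` stating that the console port is cid + 10000 on the hypervisor CID would also save the next reader a trip to the Nitro documentation, and `port = cid + CONSOLE_PORT_START` deserves a bound check since both are uint32_t and the sum can wrap.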
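Review bot: in the include/hw/nitro/serial-vsock.h hunk, the include guard HW_CHAR_NITRO_SERIAL_VSOCK_H follows the hw/char/ naming while the file lives under include/hw/nitro/; rename the `#ifndef`/`#define` pair and the trailing `#endif /* ... */` comment to HW_NITRO_SERIAL_VSOCK_H so the guard matches the path and cannot collide with a future hw/char header.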