We have had emulated Nitro Enclaves support in QEMU since 2024, but to
launch a native Nitro Enclave, you could only use the AWS nitro-cli tooling.
To simplify tooling and allow users to leverage the most convenient swiss
army knife of virtualization known to mankind (QEMU!), add native support
to launch a Nitro Enclave from within QEMU.
A Nitro Enclave is a Confidential Computing Virtual Machine spawned by
the Nitro Hypervisor which has a very basic machine model, with
virtio-vsock as the only real I/O between parent and enclave. This means
the number of interactions between QEMU and the VM is limited, but for
debugging, experimentation and non-conventional use cases, it can be handy
to spawn a Nitro Enclave directly in a more fully featured virtualization
stack.
Example invocation:
$ qemu-system-x86_64 -nographic -accel nitro,debug-mode=on -M nitro -kernel test.eif -smp 2
QEMU 10.2.50 monitor - type 'help' for more information
(qemu) [ 0.000000] Linux version 4.14.256-209.484.amzn2.x86_64 (mockbuild@ip-10-0-50-84) (gcc version 7.3.1 20180712 (Red Hat 7.3.1-13) (GCC)) #1 SMP Tue Jan 11 21:47:36 UTC 2022
[ 0.000000] Command line: reboot=k panic=30 pci=off nomodules console=ttyS0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd random.trust_cpu=on virtio_mmio.device=4K@0xd0000000:5 virtio_mmio.device=4K@0xd0001000:6
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
This patch set supports x86_64 as well as aarch64 Nitro Enclaves.
Virtio-vsock communication with the Enclave is handled directly through the
parent's virtio-vsock device.
Alex
v1 -> v2:
- Add new nitro vsock bus (pbonzini@)
- Convert vsock devices to the new bus (pbonzini@)
- Replace enclave-cid qom property with bus logic (pbonzini@)
- Change qom property to bridge and document (pbonzini@)
- Use post_setup() instead of vcpu0 start (pbonzini@)
- Replace CPU loop with dummy loop (pbonzini@)
- Support -nodefaults (mst@)
- Remove QEMU-level CPU creation, it's not really needed
Alexander Graf (11):
scripts/update-linux-headers: Add Nitro Enclaves header
linux-headers: Add nitro_enclaves.h
hw/nitro: Add Nitro Vsock Bus
accel: Add Nitro Enclaves accelerator
hw/nitro/nitro-serial-vsock: Nitro Enclaves vsock console
hw/nitro: Introduce Nitro Enclave Heartbeat device
target/arm/cpu64: Allow -host for nitro
hw/nitro: Add nitro machine
hw/core/eif: Move definitions to header
hw/nitro: Enable direct kernel boot
docs: Add Nitro Enclaves documentation
MAINTAINERS                                 |  13 +
accel/Kconfig                               |   3 +
accel/meson.build                           |   1 +
accel/nitro/meson.build                     |   3 +
accel/nitro/nitro-accel.c                   | 278 ++++++++++++++
accel/nitro/trace-events                    |   6 +
accel/nitro/trace.h                         |   2 +
accel/stubs/meson.build                     |   1 +
accel/stubs/nitro-stub.c                    |  11 +
docs/system/confidential-guest-support.rst  |   1 +
docs/system/index.rst                       |   1 +
docs/system/nitro.rst                       | 133 +++++++
hw/Kconfig                                  |   1 +
hw/core/eif.c                               |  38 --
hw/core/eif.h                               |  41 ++
hw/meson.build                              |   1 +
hw/nitro/Kconfig                            |  18 +
hw/nitro/heartbeat.c                        | 115 ++++++
hw/nitro/machine.c                          | 277 ++++++++++++++
hw/nitro/meson.build                        |   4 +
hw/nitro/nitro-vsock-bus.c                  |  98 +++++
hw/nitro/serial-vsock.c                     | 123 ++++++
hw/nitro/trace-events                       |   8 +
hw/nitro/trace.h                            |   4 +
include/hw/nitro/heartbeat.h                |  24 ++
include/hw/nitro/machine.h                  |  20 +
include/hw/nitro/nitro-vsock-bus.h          |  71 ++++
include/hw/nitro/serial-vsock.h             |  24 ++
.../standard-headers/linux/nitro_enclaves.h | 359 ++++++++++++++++++
include/system/hw_accel.h                   |   1 +
include/system/nitro-accel.h                |  25 ++
meson.build                                 |  12 +
meson_options.txt                           |   2 +
qemu-options.hx                             |   8 +-
scripts/meson-buildoptions.sh               |   3 +
scripts/update-linux-headers.sh             |   1 +
target/arm/cpu64.c                          |   8 +
37 files changed, 1697 insertions(+), 42 deletions(-)
create mode 100644 accel/nitro/meson.build
create mode 100644 accel/nitro/nitro-accel.c
create mode 100644 accel/nitro/trace-events
create mode 100644 accel/nitro/trace.h
create mode 100644 accel/stubs/nitro-stub.c
create mode 100644 docs/system/nitro.rst
create mode 100644 hw/nitro/Kconfig
create mode 100644 hw/nitro/heartbeat.c
create mode 100644 hw/nitro/machine.c
create mode 100644 hw/nitro/meson.build
create mode 100644 hw/nitro/nitro-vsock-bus.c
create mode 100644 hw/nitro/serial-vsock.c
create mode 100644 hw/nitro/trace-events
create mode 100644 hw/nitro/trace.h
create mode 100644 include/hw/nitro/heartbeat.h
create mode 100644 include/hw/nitro/machine.h
create mode 100644 include/hw/nitro/nitro-vsock-bus.h
create mode 100644 include/hw/nitro/serial-vsock.h
create mode 100644 include/standard-headers/linux/nitro_enclaves.h
create mode 100644 include/system/nitro-accel.h