Support for Arm CCA guest firmware v5

[samimujawar]

PR Tracking

#	Description	PR Series	PR Link	Comments	Status
1	ArmPkg, MdePkg: Add helper function to detect RME	S3	#12380		Merged
2	UefiCpuPkg/ArmMmuLib: Handle Realm unprotected bit	S3	#12380		Merged
3	UefiCpuPkg/ArmMmuLib: Introduce ArmCcaSetMemoryProtectionAttribute()	S3	#12380		Merged
4	ArmVirtPkg: Add Arm CCA Realm Service Interface Library	S4	#12382		Merged
5	ArmVirtPkg: ArmCcaRsiLib: Add interfaces to manage the Realm IPA state	S4	#12382		Merged
6	ArmVirtPkg: ArmCcaRsiLib: Add an interface to get an attestation token	S4	#12382		Merged
7	ArmVirtPkg: ArmCcaRsiLib: Add interfaces to get/extend REMs	S4	#12382		Merged
8	ArmVirtPkg: ArmCcaRsiLib: Add an interface to make a RSI Host Call	S4	#12382		Merged
9	ArmVirtPkg: Add library for Arm CCA initialisation in PEI	S6	#12506		Merged
10	ArmVirtPkg: Add NULL instance of ArmCcaInitPeiLib	S6	#12506		Merged
11	ArmVirtPkg: Add library for Arm CCA helper functions	S5	#12505		Merged
12	ArmVirtPkg: Add Null instance of ArmCcaLib	S5	#12505		Merged
13	ArmVirtPkg: Kvmtool: Use Null version of DebugLib in PrePi	S8	#12508		Draft
14	ArmVirtPkg: Add Arm CCA libraries for Kvmtool guest firmware	S8	#12508		Draft
15	ArmVirtPkg: Arm CCA configure system memory in early Pei	S8	#12508		Draft
16	ArmVirtPkg: Introduce Realm Aperture Management Protocol	S7	#12507		In Review
17	ArmVirtPkg: IoMMU driver to DMA from Realms	S7	#12507		In Review
18	ArmVirtPkg: Enable Virtio communication for Arm CCA	S8	#12508		Draft
19	ArmVirtPkg: RMM 1.0-bet1 - Update width of RSI host call struct	S4	#12382		Merged
20	ArmVirtPkg: RMM 1.0-bet2 - Increase number of RSI host call args	S4	#12382		Merged
21	ArmVirtPkg: RMM 1.0-eac0 - Update RsiSetIpaState parameter usage	S4	#12382		Merged
22	ArmVirtPkg: RMM 1.0-eac1 - Relax alignment of RSI host call arg	S4	#12382		Merged
23	ArmVirtPkg: RMM 1.0-eac2 - Update RsiRealmConfig structure	S4	#12382		Merged
24	ArmVirtPkg: RMM 1.0-eac2 - Add RIPAS DESTROYED state	S4	#12382		Merged
25	ArmVirtPkg: RMM 1.0-eac2 - Add RsiRipasChangeFlags definitions	S4	#12382		Merged
26	ArmVirtPkg: RMM 1.0-eac2 - Add Flags to RsiSetIpaState()	S4	#12382		Merged
27	ArmVirtPkg: RMM 1.0-eac3 - Handle RsiSetIpaState() response	S4	#12382		Merged
28	ArmVirtPkg: RMM 1.0-eac3 - RsiSetIpaState() validate RIPSA input	S4	#12382		Merged
29	ArmVirtPkg: RMM 1.0-eac4 - Add RSI Features support	S4	#12382		Merged
30	EmbeddedPkg: Add missing FreeAlignedPages() implementation	S3	#12380		Merged
31	ArmVirtPkg: RMM 1.0-eac5 - Attestation token API updates	S4	#12382		Merged
32	ArmVirtPkg: RMM 1.0-eac5 - Update RSI Version support	S4	#12382		Merged
33	ArmVirtPkg: Add GUID HOBs to cache Realm IPA width and execution state	S5	#12505		Merged
34	ArmVirtPkg: Add a helper function to initialise Arm CCA HOBs	S6	#12506		Merged
35	ArmVirtPkg: Kvmtool: Init Arm CCA HOBs in PlatformPeim()	S6	#12506		Merged
36	ArmVirtPkg: Refactor ArmCcaLib to optimise and support safe early boot	S5	#12505	Melded	Merged
37	ArmVirtPkg: ArmCcaIoMmu: Provide an implementation for SetAttribute	S7	#12507		In Review
38	ArmVirtPkg: RMM 1.0-rel0 - Update RIPAS state to add RipasDev	S4	#12382		Merged
39	ArmVirtPkg: RMM 1.0-rel0 - Add IPA range param to RsiGetIpaState()	S4	#12382		Merged
40	ArmVirtPkg: RMM 1.0-rel0 - Add RPV to RealmConfig	S4	#12382		Merged
41	ArmVirtPkg: RMM 1.0-rel0 - Add RSI_ERROR_UNKNOWN return code	S4	#12382		Merged
42	OvmfPkg: Introduce a PlatformDeviceInfo lib	S2	#12379		In Review
43	OvmfPkg: PlatformDeviceInfoLib - add Arm GIC parser	S2	#12379		In Review
44	OvmfPkg: PlatformDeviceInfoLib - add PCI parser	S2	#12379		In Review
45	OvmfPkg: PlatformDeviceInfoLib - add dev parser	S2	#12379		In Review
46	OvmfPkg: PlatformDeviceInfoLib - add serial parser	S2	#12379		In Review
47	OvmfPkg: PlatformDeviceInfoLib - add RTC parser	S2	#12379		In Review
48	ArmVirtPkg: Kvmtool - Parse FDT to populate mem map	S2	#12379		In Review
49	ArmVirtPkg: RMM 1.0-rel0 - Helper to check protected MMIO address	S5	#12505	Renamed subject	Merged
50	ArmVirtPkg: Rework MMIO mapping and configuration for Arm CCA	S8	TODO	Depends on S2 #12379	Draft
51	ArmVirtPkg: Kvmtool: Only install IORT if ITS is present	S1	#12375		Merged
52	ArmVirtPkg: ArmCcaIoMmuDxe: unmap all mappings on reset	S7	#12507		In Review
53	ArmVirtPkg: Install Realm Aperture Mgmt Absent Protocol if not Realm	S7	#12507		In Review
54	DynamicTablesPkg: handle missing 'iommu-map' in root complex parser	S1	#12375		Merged
55	OvmfPkg/FdtNorFlashQemuLib: Parse device tree earlier	S9	#12518		In Review
56	ArmVirtPkg, OvmfPkg, UefiPayloadPkg: Fallback to runtime variable emulation	S9	#12518		In Review
57	ArmVirtPkg/ArmVirtQemu: Dispatch variable store emulation when necessary	S9	#12518		In Review
58	ArmVirtPkg/ArmVirtQemu: Align .text and .data to 4KB	S9	#12518		In Review
59	ArmVirtPkg/ArmPlatformLibQemu: Add id_pte macro to IdMap.S	S9	#12518		In Review
60	ArmVirtPkg: Add a third-level page table for the UART idmap	S9	#12518		In Review
61	ArmVirtPkg/ArmPlatformLibQemu: Setup early UART mapping in a Realm	S10
62	ArmVirtPkg/ArmVirtQemu: Add Arm CCA libraries	S10
63	ArmVirtPkg/ArmVirtQemu: Init Arm CCA HOBs in PlatformPeim()	S10
64	ArmVirtPkg/QemuVirtMemInfoLib: Share the MMIO space with the VMM under CCA	S10
65	ArmVirtPkg/ArmVirtQemu: Add RAMP and CcaIommu	S10
66	UefiCpuPkg/ArmMmuLib: Don't clear address bits when setting page attributes	S10
67	OvmfPkg/QemuFwCfgLibMmio: Use IOMMU for DMA buffers	S10
68	OvmfPkg: Publish IoMmuAbsentProtocol for non-CC VMs	S10
69	OvmfPkg: Include IoMmuDxe in RiscVVirtQemu and LoongArchVirtQemu	S10
70	ArmVirtPkg: Add BlobVerifierLibArmCca library	S10
71	ArmVirtPkg/ArmVirtQemu: Use BlobVerifierLibArmCca	S10
72	ArmVirtPkg: Add Readme for Arm CCA guest firmware	S8	#12508		Draft

Description

This v5 series enables the Arm Confidential Compute Architecture (CCA) support for the Kvmtool guest firmware and is aligned with the ARM CCA RMM 1.0-rel0 specification.

In addition to the Kvmtool guest firmware, the patches for adding Realm support to the ArmVirtQemu firmware from PR tianocore/edk2-staging#518 have been included

RMM 1.0-rel0 specification updated this series has been rebased with the latest edk2 & edk2-platforms codebase and the intention is to integrate the Arm CCA support in ArmVirtPkg and enable the guest firmware support for Realms.

Note the Arm CCA Guest Firmware v4 series PR tianocore/edk2-staging#514 was merged in the edk2-staging/arm-cca branch. Following this a PR for enabling Realms support for ArmVirtQemu was created at PR tianocore/edk2-staging#518.

This v5 series consolidates both these series in a single pull request to be merged in edk2 mainline.

Summary of updates in this v5 Series:

This section outlines the changes done since the v4 series and were merged in the edk2-staging/arm-cca branch.

1. Rebased the Kvmtool guest patch series edk2-staging/arm-cca branch with the latest edk2 mainline.
2. Made several cleanups and improvements to the Kvmtool guest firmware (details).
3. Reworked the caching mechanism for both the IsRealm value and the IPA width.
4. Cherry-picked the relevant patches from PR Add CCA Realm support to ArmVirtQemu edk2-staging#518 and resolved merge conflicts, ensuring the firmware builds successfully.

In addition to these a changes the 'staging branch description/creation patch' from the edk2-staging/arm-cca branch has been dropped and instead a new patch
4d8af71 ArmVirtPkg: Add Readme for Arm CCA guest firmware
to document the Arm CCA guest firmware design, build and test instructions has been added.

NOTE: A detailed summary of the changes done since the v4 series can be seen at tianocore/edk2-staging#518 (comment)

Summary of updates in the previous v4 Series:

1. This series is a rebased version of the v3 series at:
   Support for Arm CCA guest firmware v3 (RMM-v1.0-rel0) #6480
2. The patch "[PATCH v3 03/57] ArmPkg: Extend number of
   parameter registers in SMC" has been dropped as it is no
   longer required.
3. The feedback raised for the v3 series is not yet addressed and
   the plan is to discuss and address those as part of this pull request.

Summary of updates in the previous v3 Series:

1. Updates to align with RMM 1.0-rel0 specification.
2. Add support to parse the Kvmtool guest VM Device Tree
   and populate the memory map accordingly.
3. Check if the MMIO range is for a protected Realm device
   and if so, skip configuring the shared attribute for the
   MMIO region.
4. Add check to conditionally install the IORT table if
   a GIVc3-ITS is present.

Summary of updates in the previous v2 Series:

1. Variable emulation support patches that we part of v1 series
   are already merged, hence dropped from this series.
2. SetMemoryRegionAttributes() was dropped in the upstream
   code. Therefore, introduced SetMemoryProtectionAttribute()
   to configure the top bit of the Realm IPA space which is
   used as the protection bit
3. The patch to add the APRIORI Dxe ArmCcaDxe has been dropped.
4. Dropped patch that configured PcdMonitorConduitHvc as a
   dynamic PCD, and introduced ArmVirtMonitorLib, a new
   instance of the ArmMonitorLib that reads the conduit to
   be used from the FDT.
5. Bug fixes to correct the size of IMM field in RSI Host
   Call arguments, and to correct the RSI Version mask
6. Patches 32 to 43 include updates to the firmware support
   to RMM specification v1.0-EAC5.
7. Minor optimisations, e.g. to cache the current world value.

Arm Confidential Compute Architecture (CCA)

Arm CCA is a reference software architecture and implementation that
builds on the Realm Management Extension (RME), enabling the execution
of Virtual machines (VMs), while preventing access by more privileged
software, such as hypervisor. Arm CCA allows the hypervisor to control
the VM, but removes the right for access to the code, register state or
data used by VM.

More information on the architecture is available here [1].

        Realm World     ||    Normal World   ||  Secure World  ||
                        ||        |          ||                ||
 EL0 x---------x        || x----x | x------x ||                ||
     | Realm   |        || |    | | |      | ||                ||
     |  VM*    |        || | VM | | |      | ||                ||
     |x-------x|        || |    | | |      | ||                ||
     ||       ||        || |    | | |  H   | ||                ||
     || Guest ||        || |    | | |      | ||                ||
 ----||  OS   ||--------||-|    |---|  o   |-||----------------||
     ||       ||        || |    | | |      | ||                ||
     |x-------x|        || |    | | |  s   | ||                ||
     |    ^    |        || |    | | |      | ||                ||
     |    |    |        || |    | | |  t   | ||                ||
     |+-------+|        || |    | | |      | ||                ||
     || REALM ||        || |    | | |      | ||                ||
     || GUEST ||        || |    | | |  O   | ||                ||
     || UEFI  ||        || |    | | |      | ||                ||
     |+-------+|        || |    | | |  S   | ||                ||
 EL1 x---------x        || x----x | |      | ||                ||
          ^             ||        | |      | ||                ||
          |             ||        | |      | ||                ||
 -------- R*------------||----------|      |-||----------------||
          S             ||          |      | ||                ||
          I             ||      x-->|      | ||                ||
          |             ||      |   |      | ||                ||
          |             ||      |   x------x ||                ||
          |             ||      |       ^    ||                ||
          v             ||     SMC      |    ||                ||
      x-------x         ||      |   x------x ||                ||
      |  RMM* |         ||      |   | HOST | ||                ||
      x-------x         ||      |   | UEFI | ||                ||
          ^             ||      |   x------x ||                ||
 EL2      |             ||      |            ||                ||
          |             ||      |            ||                ||
 =========|=====================|================================
          |                     |
          x------- *RMI* -------x

 EL3                   Root World
                       EL3 Firmware
 ===============================================================

Where:
RMM - Realm Management Monitor
RMI - Realm Management Interface
RSI - Realm Service Interface
SMC - Secure Monitor Call

RME introduces two added additional worlds, "Realm world" and "Root
World" in addition to the traditional Secure world and Normal world.
The Arm CCA defines a new component, Realm Management Monitor (RMM)
that runs at R-EL2. This is a standard piece of firmware, verified,
installed and loaded by the EL3 firmware (e.g., TF-A), at system boot.

The RMM provides a standard interface Realm Management Interface (RMI)
to the Normal world hypervisor to manage the VMs running in the Realm
world (also called Realms). These are exposed via SMC and are routed
through the EL3 firmware.

The RMM also provides certain services to the Realms via SMC, called
the Realm Service Interface (RSI). These include:

• Realm Guest Configuration
• Attestation & Measurement services
• Managing the state of an Intermediate Physical Address (IPA aka GPA)
  page
• Host Call service (Communication with the Normal world Hypervisor).

The Arm CCA reference software currently aligns with the RMM v1.0-rel0
specification, and the latest version is available here [2].

The Trusted Firmware foundation has an implementation of the RMM -
TF-RMM - available here [4].

Related Modules

1. Trusted Firmware RMM - TF-RMM, see [4]
2. Trusted Firmware for A class, see [6]
3. Linux kernel support for Arm CCA, see [7]
4. kvmtool support for Arm CCA, see [8]

Implementation

This version of the Realm Guest UEFI firmware is intended to be
used with the Linux Kernel stack[7] which is also based on the
RMM specification v1.0-rel0[3].

This release includes the following features:

1. Boot a Linux Kernel in a Realm VM using the Realm Guest UEFI
   firmware
2. Hardware description is provided using ACPI tables
3. Support for Virtio v1.0
4. All I/O are treated as non-secure/shared
5. Load the Linux Kernel and RootFS from a Virtio attached disk
   using the Virtio-1.0 PCIe transport.

Overview of updates for enabling Arm CCA

The Arm CCA implementation is spread across a number of libraries
that provide required functionality during various phases of the
firmware boot.

The following libraries have been provided:

1. ArmCcaInitPeiLib - A library that implements the hook functions
   in the PEI phase

2. ArmCcaLib - A library that implements common functions like
   checking if RME extension is implemented and to configure the
   Protection attribute for the memory regions

3. ArmCcaRsiLib - A library that implements the Realm Service
   Interface functions.

A NULL implementation of the ArmCcaInitPeiLib and ArmCcaLib is also
provided for platforms that do not implement the RME extensions.

Additionally, the following DXE modules have been provided to implement
the required functionality in the DXE phase.

1. RealmApertureManagementProtocolDxe - A DXE that implements the
   Realm Aperture Management Protocol, used to manage the sharing
   of buffers in a Realm with the Host

2. ArmCcaIoMmuDxe - A driver which implements the EDKII_IOMMU_PROTOCOL
   that provides the necessary hooks so that DMA operations can be
   performed by bouncing buffers using pages shared with the Host.

Arm CCA updates in PEI phase

For supporting Arm CCA An early hook to configure the System Memory
as Protected RAM has been added in the PrePi module.
This hook function is implemented in ArmCcaInitPeiLib. A NULL
version of the library has also been provided for implementations
that do not have the RME extensions.

The ArmVirtGetMemoryMap() implementation for the Guest firmware
has been updated to check if the device MMIO region is protected
MMIO, i.e. if it is a Realm emulated device or a Host emulated
device.
If the device is Host emulated, the Arm CCA Protection attribute bit
is set to shared, i.e. PhysicalBase = BaseAddress | (1 << (IpaWidth - 1))

   +=====+
   |PrePi|
   +=====+
      |
      _ModuleEntryPoint()
      ===================
              |
              DiscoverDramFromDt()
              |
              +--> ArmCcaInitPeiLib|ArmCcaConfigureSystemMemory()
                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                             |      // configure System Memory
              ----------------      // as Protected RAM.
              |
             ...
              |
      --------
      |
      CEntryPoint()
      |
      PrePiMain()
      ===========
          |
         ...
          |
          ProcessLibraryConstructorList()
          |
          MemoryPeim()
               |
               ArmVirtMemInfoLib|ArmVirtGetMemoryMap()
               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                   |
                   ParsePlatformDeviceFdt()
                   |    // Populate the memory map
                   ArmCcaMemRangeIsProtectedMmio()
                   |    // Check if device MMIO is protected MMIO i.e. Realm emulated
                   |    // device. If not then the device is Host emulated, so set the
                   |    // Arm CCA Protection attribute bit to shared,
                   |    // i.e. PhysicalBase = BaseAddress | (1 << (IpaWidth - 1))
                   |
               -----
               |
               ArmConfigureMmu()   // MMU is configured.
               |
         -------
         |
        ...
         |
       +===+
       |DXE|
       +===+

Building the UEFI firmware

1. Set up the development environment
   Follow the steps as described in
   https://github.com/tianocore/edk2-platforms/blob/master/Platform/ARM/Readme.md

2. The source code for the Host and Realm Guest firmware can
   be found at [10].

3. Building the Host UEFI firmware for FVP Base RevC AEM Model
   Follow the instructions in
   https://github.com/tianocore/edk2-platforms/blob/master/Platform/ARM/Readme.md
   to "Build the firmware for Arm FVP Base AEMv8A-AEMv8A model
   platform" based on your development environment configuration.

Note: The same firmware binary can be used for both the Arm FVP
Base AEMv8A-AEMv8A and the FVP Base RevC AEM Model.

4. Building the Realm Guest UEFI firmware for kvmtool:
   To build the kvmtool guest firmware, run the following commands:

   $build -a AARCH64 -t GCC5 -p ArmVirtPkg/ArmVirtKvmTool.dsc -b DEBUG
   $build -a AARCH64 -t GCC5 -p ArmVirtPkg/ArmVirtKvmTool.dsc -b RELEASE

The Kvmtool guest firmware binaries are at the following location:

   $WORKSPACE/Build/ArmVirtKvmTool-AARCH64/<DEBUG|RELEASE>_GCC5/FV/KVMTOOL_EFI.fd

Running the stack

To run/test the stack, you would need the following components:

1. FVP Base AEM RevC model with FEAT_RME support [5]
2. TF-A firmware for EL3 [6]
3. TF-A RMM for R-EL2 [4]
4. Linux Kernel [7]
5. kvmtool [8]
6. UEFI Firmware for Arm CCA [10].

Instructions for building the remaining firmware components and
running the model are available here [9]. Once, the host kernel
has finished booting, a Realm can be launched by invoking the
lkvm command as follows:

 $ lkvm run --realm \
   --restricted_mem \
   --measurement-algo=["sha256", "sha512"] \
   --firmware KVMTOOL_EFI.fd \
   -m 512 \
   --irqchip=gicv3-its \
   --force-pci \
   --disk <Disk image containing the Guest Kernel & RootFS>
   <normal-vm-options>

Where:

• --measurement-algo (Optional) specifies the algorithm selected for
  creating the initial measurements by the RMM for this Realm (defaults to sha256)
• GICv3 is mandatory for the Realms
• --force-pci is required as only Virtio-v1.0 PCIe transport is
  supported.

Links

[1] Arm CCA Landing page (See Key Resources section for various documentations)

[2] RMM Specification Latest

[3] RMM v1.0-rel0 specification

[4] Trusted Firmware RMM - TF-RMM

GIT: https://git.trustedfirmware.org/TF-RMM/tf-rmm.git

[5] FVP Base RevC AEM Model
(available on x86_64 / Arm64 Linux)

[6] Trusted Firmware for A class

[7] Linux kernel support for Arm CCA

https://gitlab.arm.com/linux-arm/linux-cca
Linux Host branch: cca-host/v10
Linux Guest branch: Linux kernel mainline

[8] kvmtool support for Arm CCA

https://gitlab.arm.com/linux-arm/kvmtool-cca
Branch: cca/v8

[9] Instructions for Building Firmware components and running the model, see section 4.19.2 "Building and running TF-A with RME"

[10] UEFI Firmware support for Arm CCA

Host & Guest Support:
- Repo:
      edk2: git@github.com:tianocore/edk2.git
      edk2-platforms: git@github.com:tianocore/edk2-platforms.git

• Breaking change?
  NO
• Impacts security?
  NO
• Includes tests?
  See ‘Running the stack’ section above.

How This Was Tested

See ‘Running the stack’ section above.

Integration Instructions

N/A

[pierregondois]

NIT: The CI might complain about declaration + initialization

[samimujawar]

I have not seen the CI complain about this. But, I have tried to resolve most CI issues in the next series.

[samimujawar]

You are right. The CI is complaining about this. I will get this fixed.

[pierregondois]

NIT:
This could be considered as a success.
Maybe we could just print a message and return success instead ?

[samimujawar]

Thanks, I have fixed this now.

[pierregondois]

I think this comment should be moved up with the ALIGN_VALUE() logic

[samimujawar]

Ack

[pierregondois]

NIT: If the returned value is ignored, ArmCcaConfigureSystemMemory() might just return VOID ?

[samimujawar]

Ack.

[pierregondois]

Isn't the library only used at SEC currently ? Same question for other platforms

[samimujawar]

Ack.

[pierregondois]

NIT:
ArmVirtPkg: Refactor ArmCcaLib for safe early boot
The patch name is a bit misleading as this seems to be more an optimization

[samimujawar]

Updated commit message accordingly.

[pierregondois]

It seems this doesn't exist anymore

[samimujawar]

This was also flagged by the CI. This should be fixed now.

[pierregondois]

Should we undo things if we fail in the middle of an address range ?

[samimujawar]

We cannot recover from such failures. I am not sure if trying to roll back would help. I think the caller must handle the errors and just panic.

[pierregondois]

Generic question: all the Rsi functions should operate on protected IPA, so should there be an assert or or check on the protected big of the input address ?

[samimujawar]

The Address passed here is the VA. The protection bit is set in the page tables for this address.

[tianocore-assign-reviewers]

⚠ WARNING: Cannot add some reviewers: A user specified as a reviewer for this PR is not a collaborator of the repository. Please add them as a collaborator to the repository so they can be requested in the future.

Non-collaborators requested:

• @bibo-mao
• @lixianglai

Attn Admins:

• @jljusten
• @ardbiesheuvel
• @lgao4
• @mdkinney
• @makubacki
• @jkmathews

---

Admin Instructions:

• Add the non-collaborators as collaborators to the appropriate team(s) listed in teams
• If they are no longer needed as reviewers, remove them from Maintainers.txt

[mergify]

PR can not be merged due to conflict. Please rebase and resubmit