Implement an EFI flavor

.github/workflows/code_quality-aarch64-darwin.yml

@@ -30,7 +30,10 @@ jobs:
         run: cargo fmt -- --check
 
       - name: Clippy (default features)
-        run: cargo clippy -- -D warnings
+        run: cargo clippy --target aarch64-apple-darwin -- -D warnings
 
       - name: Clippy (net feature)
-        run: cargo clippy --features net -- -D warnings
+        run: cargo clippy --target aarch64-apple-darwin --features net -- -D warnings
+
+      - name: Clippy (efi feature)
+        run: cargo clippy --target aarch64-apple-darwin --features efi -- -D warnings

Makefile

@@ -17,17 +17,24 @@ SNP_INIT_SRC =	init/tee/snp_attest.c		\
 KBS_LD_FLAGS =	-lcurl -lidn2 -lssl -lcrypto -lzstd -lz -lbrotlidec-static \
 		-lbrotlicommon-static
 
+BUILD_INIT = 1
 INIT_DEFS =
 ifeq ($(SEV),1)
     VARIANT = -sev
     FEATURE_FLAGS := --features amd-sev
     INIT_DEFS += -DSEV=1
     INIT_DEFS += $(KBS_LD_FLAGS)
     INIT_SRC += $(SNP_INIT_SRC)
+	BUILD_INIT = 0
 endif
 ifeq ($(NET),1)
     FEATURE_FLAGS += --features net
 endif
+ifeq ($(EFI),1)
+	VARIANT = -efi
+	FEATURE_FLAGS := --features efi
+	BUILD_INIT = 0
+endif
 
 ifeq ($(ROSETTA),1)
     INIT_DEFS += -D__ROSETTA__
@@ -42,9 +49,9 @@ KRUN_BINARY_Linux = libkrun$(VARIANT).so.$(FULL_VERSION)
 KRUN_SONAME_Linux = libkrun$(VARIANT).so.$(ABI_VERSION)
 KRUN_BASE_Linux = libkrun$(VARIANT).so
 
-KRUN_BINARY_Darwin = libkrun.$(FULL_VERSION).dylib
-KRUN_SONAME_Darwin = libkrun.$(ABI_VERSION).dylib
-KRUN_BASE_Darwin = libkrun.dylib
+KRUN_BINARY_Darwin = libkrun$(VARIANT).$(FULL_VERSION).dylib
+KRUN_SONAME_Darwin = libkrun$(VARIANT).$(ABI_VERSION).dylib
+KRUN_BASE_Darwin = libkrun$(VARIANT).dylib
 
 LIBRARY_RELEASE_Linux = target/release/$(KRUN_BINARY_Linux)
 LIBRARY_DEBUG_Linux = target/debug/$(KRUN_BINARY_Linux)
@@ -64,7 +71,7 @@ all: $(LIBRARY_RELEASE_$(OS)) libkrun.pc
 
 debug: $(LIBRARY_DEBUG_$(OS)) libkrun.pc
 
-ifneq ($(SEV),1)
+ifeq ($(BUILD_INIT),1)
 INIT_BINARY = init/init
 $(INIT_BINARY): $(INIT_SRC)
 	gcc -O2 -static -Wall $(INIT_DEFS) -o $@ $(INIT_SRC) $(INIT_DEFS)

edk2/License.txt

@@ -0,0 +1,51 @@
+Copyright (c) 2019, TianoCore and contributors.  All rights reserved.
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+   this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+Subject to the terms and conditions of this license, each copyright holder
+and contributor hereby grants to those receiving rights under this license
+a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+(except for failure to satisfy the conditions of this license) patent
+license to make, have made, use, offer to sell, sell, import, and otherwise
+transfer this software, where such license applies only to those patent
+claims, already acquired or hereafter acquired, licensable by such copyright
+holder or contributor that are necessarily infringed by:
+
+(a) their Contribution(s) (the licensed copyrights of copyright holders and
+    non-copyrightable additions of contributors, in source or binary form)
+    alone; or
+
+(b) combination of their Contribution(s) with the work of authorship to
+    which such Contribution(s) was added by such copyright holder or
+    contributor, if, at the time the Contribution is added, such addition
+    causes such combination to be necessarily infringed. The patent license
+    shall not apply to any other combinations which include the
+    Contribution.
+
+Except as expressly stated above, no rights or licenses from any copyright
+holder or contributor is granted under this license, whether expressly, by
+implication, estoppel or otherwise.
+
+DISCLAIMER
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.

edk2/Sources.txt

@@ -0,0 +1 @@
+KRUN_EFI.silent.fd was built from commit 82563b1d62ba029bd7bbfff73d49cce21af302c0 of the https://github.com/slp/edk2 repository.

examples/Makefile

@@ -4,29 +4,37 @@ LDFLAGS_x86_64_Linux = -lkrun
 LDFLAGS_aarch64_Linux = -lkrun
 LDFLAGS_arm64_Darwin = -L/opt/homebrew/lib -lkrun
 LDFLAGS_sev = -lkrun-sev
-CFLAGS_Linux = -O2 -g
-CFLAGS_Darwin = -O2 -g -I/opt/homebrew/include
+LDFLAGS_efi = -L/opt/homebrew/lib -lkrun-efi
+CFLAGS = -O2 -g -I../include
 ROOTFS_DISTRO := fedora
 ROOTFS_DIR = rootfs_$(ROOTFS_DISTRO)
 
 .PHONY: clean rootfs
 
+EXAMPLES := chroot_vm
 ifeq ($(SEV),1)
     EXAMPLES := launch-tee
-else
-    EXAMPLES := chroot_vm
+endif
+ifeq ($(EFI),1)
+    EXAMPLES := boot_efi
 endif
 
 all: $(EXAMPLES)
 
 chroot_vm: chroot_vm.c
-	gcc -o $@ $< $(CFLAGS_$(OS)) $(LDFLAGS_$(ARCH)_$(OS))
+	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_$(ARCH)_$(OS))
 ifeq ($(OS),Darwin)
 	codesign --entitlements chroot_vm.entitlements --force -s - $@
 endif
 
 launch-tee: launch-tee.c
-	gcc -o $@ $< $(CFLAGS_$(OS)) $(LDFLAGS_sev)
+	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_sev)
+
+boot_efi: boot_efi.c
+	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_efi)
+ifeq ($(OS),Darwin)
+	codesign --entitlements chroot_vm.entitlements --force -s - $@
+endif
 
 # Build the rootfs to be used with chroot_vm.
 rootfs:
@@ -36,4 +44,4 @@ rootfs:
 	podman rm libkrun_chroot_vm
 
 clean:
-	rm -rf chroot_vm $(ROOTFS_DIR) launch-tee
+	rm -rf chroot_vm $(ROOTFS_DIR) launch-tee boot_efi

examples/boot_efi.c

@@ -0,0 +1,181 @@
+/*
+ * This is an example implementing chroot-like functionality with libkrun.
+ *
+ * It executes the requested command (relative to NEWROOT) inside a fresh
+ * Virtual Machine created and managed by libkrun.
+ */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <libkrun.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <assert.h>
+
+#define MAX_ARGS_LEN 4096
+#ifndef MAX_PATH
+#define MAX_PATH 4096
+#endif
+
+static void print_help(char *const name)
+{
+    fprintf(stderr,
+        "Usage: %s [OPTIONS] DISK\n"
+        "OPTIONS: \n"
+        "        -h    --help                Show help\n"
+        "              --passt-socket=PATH   Connect to passt socket at PATH"
+        "\n"
+        "DISK:   path to the vm's disk image in raw format\n",
+        name
+    );
+}
+
+static const struct option long_options[] = {
+    { "help", no_argument, NULL, 'h' },
+    { "passt-socket", required_argument, NULL, 'P' },
+    { NULL, 0, NULL, 0 }
+};
+
+struct cmdline {
+    bool show_help;
+    char const *passt_socket_path;
+    char const *disk_image;
+};
+
+bool parse_cmdline(int argc, char *const argv[], struct cmdline *cmdline)
+{
+    assert(cmdline != NULL);
+
+    // set the defaults
+    *cmdline = (struct cmdline){
+        .show_help = false,
+        .passt_socket_path = "/tmp/network.sock",
+        .disk_image = NULL,
+    };
+
+    int option_index = 0;
+    int c;
+    // the '+' in optstring is a GNU extension that disables permutating argv
+    while ((c = getopt_long(argc, argv, "+h", long_options, &option_index)) != -1) {
+        switch (c) {
+        case 'h':
+            cmdline->show_help = true;
+            return true;
+        case 'P':
+            cmdline->passt_socket_path = optarg;
+            break;
+        case '?':
+            return false;
+        default:
+            fprintf(stderr, "internal argument parsing error (returned character code 0x%x)\n", c);
+            return false;
+        }
+    }
+
+    if (optind <= argc - 1) {
+        cmdline->disk_image = argv[optind];
+        return true;
+    }
+
+    if (optind == argc) {
+        fprintf(stderr, "Missing DISK argument\n");
+    }
+
+    return false;
+}
+
+int connect_to_passt(char *socket_path)
+{
+    struct sockaddr_un addr;
+    int socket_fd = socket(AF_UNIX, SOCK_STREAM, 0);
+    if (socket_fd < 0) {
+        perror("Failed to create passt socket fd");
+        return -1;
+    }
+
+    memset(&addr, 0, sizeof(addr));
+    addr.sun_family = AF_UNIX;
+    strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1);
+
+    if (connect(socket_fd, (const struct sockaddr *) &addr, sizeof(addr)) < 0) {
+        perror("Failed to bind passt socket");
+        return -1;
+    }
+
+    return socket_fd;
+}
+
+int main(int argc, char *const argv[])
+{
+    int ctx_id;
+    int err;
+    struct cmdline cmdline;
+
+    if (!parse_cmdline(argc, argv, &cmdline)) {
+        putchar('\n');
+        print_help(argv[0]);
+        return -1;
+    }
+
+    if (cmdline.show_help){
+        print_help(argv[0]);
+        return 0;
+    }
+
+    // Set the log level to "off".
+    err = krun_set_log_level(0);
+    if (err) {
+        errno = -err;
+        perror("Error configuring log level");
+        return -1;
+    }
+
+    // Create the configuration context.
+    ctx_id = krun_create_ctx();
+    if (ctx_id < 0) {
+        errno = -ctx_id;
+        perror("Error creating configuration context");
+        return -1;
+    }
+
+    // Configure the number of vCPUs (2) and the amount of RAM (1024 MiB).
+    if (err = krun_set_vm_config(ctx_id, 2, 1024)) {
+        errno = -err;
+        perror("Error configuring the number of vCPUs and/or the amount of RAM");
+        return -1;
+    }
+
+    if (err = krun_set_root_disk(ctx_id, cmdline.disk_image)) {
+        errno = -err;
+        perror("Error configuring disk image");
+        return -1;
+    }
+
+    int passt_fd = connect_to_passt(cmdline.passt_socket_path);
+
+    if (passt_fd < 0) {
+      return -1;
+    }
+
+    if (err = krun_set_passt_fd(ctx_id, passt_fd)) {
+      errno = -err;
+      perror("Error configuring net mode");
+      return -1;
+    }
+
+    // Start and enter the microVM. Unless there is some error while creating the microVM
+    // this function never returns.
+    if (err = krun_start_enter(ctx_id)) {
+        errno = -err;
+        perror("Error creating the microVM");
+        return -1;
+    }
+
+    // Not reached.
+    return 0;
+}

src/arch/Cargo.toml

@@ -7,6 +7,7 @@ edition = "2021"
 [features]
 tee = []
 amd-sev = [ "tee" ]
+efi = []
 
 [dependencies]
 libc = ">=0.2.39"

src/arch/src/aarch64/fdt.rs

@@ -172,7 +172,7 @@ fn create_memory_node(
     _guest_mem: &GuestMemoryMmap,
     arch_memory_info: &ArchMemoryInfo,
 ) -> Result<()> {
-    let mem_size = arch_memory_info.ram_last_addr - super::layout::DRAM_MEM_START + 1;
+    let mem_size = arch_memory_info.ram_last_addr - super::layout::DRAM_MEM_START;
     // See https://github.com/torvalds/linux/blob/master/Documentation/devicetree/booting-without-of.txt#L960
     // for an explanation of this.
     let mem_reg_prop = generate_prop64(&[super::layout::DRAM_MEM_START, mem_size]);

src/arch/src/aarch64/layout.rs

@@ -50,7 +50,10 @@
 // Taken from (http://infocenter.arm.com/help/topic/com.arm.doc.den0001c/DEN0001C_principles_of_arm_memory_maps.pdf).
 
 /// Start of RAM on 64 bit ARM.
+#[cfg(not(feature = "efi"))]
 pub const DRAM_MEM_START: u64 = 0x8000_0000; // 2 GB.
+#[cfg(feature = "efi")]
+pub const DRAM_MEM_START: u64 = 0x4000_0000; // 1 GB.
 /// The maximum addressable RAM address.
 pub const DRAM_MEM_END: u64 = 0x00FF_8000_0000; // 1024 - 2 = 1022 GB.
 /// The maximum RAM size.
@@ -82,4 +85,7 @@ pub const GTIMER_VIRT: u32 = 11;
 pub const GTIMER_PHYS: u32 = 12;
 
 /// Below this address will reside the GIC, above this address will reside the MMIO devices.
+#[cfg(not(feature = "efi"))]
 pub const MAPPED_IO_START: u64 = 1 << 30; // 1 GB
+#[cfg(feature = "efi")]
+pub const MAPPED_IO_START: u64 = 0x0a00_0000;

src/arch/src/aarch64/macos/gicv2.rs

@@ -61,7 +61,7 @@ impl GICDevice for GICv2 {
     }
 
     fn fdt_compatibility(&self) -> &str {
-        "arm,gic-400"
+        "arm,cortex-a15-gic"
     }
 
     fn fdt_maint_irq(&self) -> u32 {