-
Notifications
You must be signed in to change notification settings - Fork 258
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Working DM-Verity boot using 5..15 kernel Signed-off-by: Ken Gordon <Ken.Gordon@microsoft.com> Signed-off-by: Joe Powell <joepowell@microsoft.com> * Working to boot 6.1 or 5.15 kernels with vhd supplied userland and merkle tree. Signed-off-by: Ken Gordon <Ken.Gordon@microsoft.com> Signed-off-by: Joe Powell <joepowell@microsoft.com> * PR #1886 changes which are required or gcs cannot start on 6.1 Signed-off-by: Ken Gordon <Ken.Gordon@microsoft.com> Signed-off-by: Joe Powell <joepowell@microsoft.com> * Use "modern" igvm tooling from github repo. Signed-off-by: Ken Gordon <Ken.Gordon@microsoft.com> Signed-off-by: Joe Powell <joepowell@microsoft.com> * Clean up Makefile Signed-off-by: Joe Powell <joepowell@microsoft.com> * Add boot doc Signed-off-by: Joe Powell <joepowell@microsoft.com> * Remove startup_2 as it is now redundant Signed-off-by: Joe Powell <joepowell@microsoft.com> * Tidying Signed-off-by: Joe Powell <joepowell@microsoft.com> * print opts Signed-off-by: Joe Powell <joepowell@microsoft.com> * debug Signed-off-by: Joe Powell <joepowell@microsoft.com> * debug Signed-off-by: Joe Powell <joepowell@microsoft.com> * Remove extra err Signed-off-by: Joe Powell <joepowell@microsoft.com> * Rm fmt Signed-off-by: Joe Powell <joepowell@microsoft.com> * Clean up startups Signed-off-by: Joe Powell <joepowell@microsoft.com> * Kick CI Signed-off-by: Joe Powell <joepowell@microsoft.com> * Add HvSock port annotation Signed-off-by: Joe Powell <joepowell@microsoft.com> * Clean up merge Signed-off-by: Joe Powell <joepowell@microsoft.com> * Mark ups pre-rebasing Signed-off-by: Joe Powell <joepowell@microsoft.com> * gofmt Signed-off-by: Joe Powell <joepowell@microsoft.com> * More concise Makefile snp target Signed-off-by: Joe Powell <joepowell@microsoft.com> * Apply nits Signed-off-by: Joe Powell <joepowell@microsoft.com> --------- Signed-off-by: Ken Gordon <Ken.Gordon@microsoft.com> Signed-off-by: Joe Powell <joepowell@microsoft.com> Co-authored-by: Ken Gordon <Ken.Gordon@microsoft.com>
- Loading branch information
Showing
14 changed files
with
419 additions
and
23 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
# UVM Boot Info | ||
|
||
For understanding the UVM's boot sequence it's useful to think of the UVM as consisting of: | ||
- Linux kernel | ||
- Kernel command line | ||
- The command line is a set of parameters the kernel understands which correspond to actions it will perform during boot. | ||
- Root filesystem (rootfs) disk | ||
- This contains all the files that exist when first starting the VM. | ||
- Startup script | ||
- Stored in the rootfs disk. This scripts does the last bits of setup required to get the VM ready for use. | ||
- Hash disk (SNP Mode only) | ||
- Containing DM-Verity hash data (read more below about DM-Verity and SNP mode below). | ||
|
||
|
||
## The SNP Mode UVM boot sequence. | ||
- The vmgs (kernel + commandline) file is loaded into memory. | ||
- The instructions from the kernel command line are performed, the kernel: | ||
- Checks the hash disk's hash data (a merkle tree) is consistent. | ||
- Checks the hash disk's root hash matches the root hash in the kernel command line. The boot fails if not because the integrity of the UVM cannot be confirmed. | ||
- Makes the rootfs disk available as a dm-verity device. | ||
- Mounts the dm-verity rootfs device. | ||
- Sets the newly mounted disk as the root filesystem | ||
- Finds and runs the startup script (which is specified in the kernel command line) from the rootfs to initialise the system. | ||
- Anytime that data is read from the dm-verity rootfs, that data's integrity is checked on the fly by comparing the data's hash with the hash data on the hash disk. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
#!/bin/sh | ||
|
||
export PATH="/usr/bin:/usr/local/bin:/bin:/root/bin:/sbin:/usr/sbin:/usr/local/sbin" | ||
export HOME="/root" | ||
|
||
/init -e 1 /bin/vsockexec -o 109 -e 109 /bin/gcs -v4 -log-format json -loglevel debug |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
#!/bin/sh | ||
|
||
export PATH="/usr/bin:/usr/local/bin:/bin:/root/bin:/sbin:/usr/sbin:/usr/local/sbin" | ||
export HOME="/root" | ||
|
||
/bin/vsockexec -o 2056 -e 2056 echo Running startup_simple.sh | ||
/bin/vsockexec -o 2056 -e 2056 date | ||
|
||
/bin/vsockexec -o 2056 -e 2056 echo /init -e 1 /bin/vsockexec -o 2056 -e 109 /bin/gcs -v4 -log-format text -loglevel debug -logfile /tmp/gcs.log | ||
/init -e 1 /bin/vsockexec -o 2056 -e 109 /bin/gcs -v4 -log-format text -loglevel debug -logfile /tmp/gcs.log | ||
|
||
/bin/vsockexec -o 2056 -e 2056 echo dmesg | ||
/bin/vsockexec -o 2056 -e 2056 dmesg | ||
|
||
/bin/vsockexec -o 2056 -e 2056 echo sleeping 2 | ||
/bin/vsockexec -o 2056 -e 2056 sleep 2 | ||
|
||
/bin/vsockexec -o 2056 -e 2056 ls -Rl /dev/se* | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
#!/bin/sh | ||
|
||
export PATH="/usr/bin:/usr/local/bin:/bin:/root/bin:/sbin:/usr/sbin:/usr/local/sbin" | ||
export HOME="/root" | ||
|
||
/bin/vsockexec -o 2056 -e 2056 echo Running startup_v2056.sh | ||
/bin/vsockexec -o 2056 -e 2056 date | ||
|
||
/bin/vsockexec -o 2056 -e 2056 echo /init -e 1 /bin/vsockexec -o 2056 -e 109 /bin/gcs -v4 -log-format text -loglevel debug -logfile /tmp/gcs.log | ||
/init -e 1 /bin/vsockexec -o 2056 -e 109 /bin/gcs -v4 -log-format text -loglevel debug -logfile /tmp/gcs.log | ||
|
||
/bin/vsockexec -o 2056 -e 2056 echo ls -l /dev/dm* | ||
/bin/vsockexec -o 2056 -e 2056 ls -l /dev/dm* | ||
/bin/vsockexec -o 2056 -e 2056 echo ls -l /dev/mapper | ||
/bin/vsockexec -o 2056 -e 2056 ls -l /dev/mapper | ||
/bin/vsockexec -o 2056 -e 2056 echo ls -l /dev/mapper | ||
/bin/vsockexec -o 2056 -e 2056 ls -l /dev/mapper | ||
|
||
#/bin/vsockexec -o 2056 -e 2056 /bin/snp-report | ||
|
||
# need init to have run before top shows much | ||
/bin/vsockexec -o 2056 -e 2056 top -n 1 | ||
|
||
/bin/vsockexec -o 2056 -e 2056 echo tmp | ||
/bin/vsockexec -o 2056 -e 2056 ls -la /tmp | ||
|
||
/bin/vsockexec -o 2056 -e 2056 /bin/dmesg | ||
|
||
sleep 1 | ||
/bin/vsockexec -o 2056 -e 2056 echo Thats all folks... | ||
|
||
|
||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.