From 14f06c3a593dacceafc4cb2f8a101ac7876f9ea7 Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Fri, 27 Sep 2024 12:36:28 +0300 Subject: [PATCH 01/18] fix(buildroot): naming Signed-off-by: Rodney Osodo --- buildroot/linux/board/cube/{README.md => readme.txt} | 0 buildroot/linux/configs/cube_defconfig | 2 +- buildroot/linux/external.desc | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) rename buildroot/linux/board/cube/{README.md => readme.txt} (100%) diff --git a/buildroot/linux/board/cube/README.md b/buildroot/linux/board/cube/readme.txt similarity index 100% rename from buildroot/linux/board/cube/README.md rename to buildroot/linux/board/cube/readme.txt diff --git a/buildroot/linux/configs/cube_defconfig b/buildroot/linux/configs/cube_defconfig index a07bd51..08f34b3 100644 --- a/buildroot/linux/configs/cube_defconfig +++ b/buildroot/linux/configs/cube_defconfig @@ -2,7 +2,7 @@ BR2_x86_64=y # System -BR2_TARGET_GENERIC_HOSTNAME="Cube AI" +BR2_TARGET_GENERIC_HOSTNAME="cube" BR2_TARGET_GENERIC_ISSUE="Welcome to Cube AI" BR2_PACKAGE_DHCP=y BR2_PACKAGE_DHCP_CLIENT=y diff --git a/buildroot/linux/external.desc b/buildroot/linux/external.desc index 59d0836..b4eae5c 100644 --- a/buildroot/linux/external.desc +++ b/buildroot/linux/external.desc @@ -1,2 +1,2 @@ -name: Cube +name: CUBE desc: External buildroot tree for Cube AI From 308993381a76dd6fc9ba24e0b69ed856d33cd637 Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Fri, 27 Sep 2024 12:36:55 +0300 Subject: [PATCH 02/18] wip: add qemu command to run buildroot Signed-off-by: Rodney Osodo --- buildroot/README.md | 11 +++++++ buildroot/qemu.sh | 77 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 88 insertions(+) create mode 100644 buildroot/README.md create mode 100644 buildroot/qemu.sh diff --git a/buildroot/README.md b/buildroot/README.md new file mode 100644 index 0000000..fcdd516 --- /dev/null +++ b/buildroot/README.md 
@@ -0,0 +1,11 @@ +# Buildroot + +To build the HAL for Linux, you need to install [Buildroot](https://buildroot.org/). Checkout [README.md](./linux/README.md) for more information. + +## To run using qemu + +After following the steps in [README.md](./linux/README.md), you will have + +```bash + +``` diff --git a/buildroot/qemu.sh b/buildroot/qemu.sh new file mode 100644 index 0000000..8a7a504 --- /dev/null +++ b/buildroot/qemu.sh 
@@ -0,0 +1,77 @@ +#!/bin/bash + +VM_NAME="cube-ai-vm" +RAM="10240M" +CPU="4" + +if ! command -v qemu-system-x86_64 &> /dev/null; then + echo "qemu-system-x86_64 is not installed. Please install it and try again." + exit 1 +fi + +echo "Starting QEMU VM..." +qemu-system-x86_64 \ + -name $VM_NAME \ + -m $RAM \ + -smp $CPU \ + -cpu EPYC \ + -machine q35 \ + -enable-kvm \ + -boot d \ + -netdev user,id=vmnic,hostfwd=tcp::6190-:22,hostfwd=tcp::6191-:80,hostfwd=tcp::6192-:443,hostfwd=tcp::6193-:3001 \ + -device e1000,netdev=vmnic,romfile= \ + -vnc :9 \ + -nographic \ + -no-reboot \ + -drive file=$SEED_IMAGE,media=cdrom \ + -drive file=$CUSTOM_IMAGE,if=none,id=disk0,format=qcow2 \ + -device virtio-scsi-pci,id=scsi,disable-legacy=on,iommu_platform=true \ + -device scsi-hd,drive=disk0 \ + -machine memory-encryption=sev0,confidential-guest-support=sev0 \ + -object sev-guest,id=sev0,cbitpos=51,reduced-phys-bits=1 \ + -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE.fd,readonly=on \ + -drive if=pflash,format=raw,unit=1,file=/usr/share/OVMF/OVMF_VARS.fd + + +/home/cocosai/danko/AMDSEV/usr/local/bin/qemu-system-x86_64 \ + -name cube-ai-vm \ + -m 10240M \ + -smp 8 \ + -cpu EPYC-v4 \ + -machine q35 \ + -enable-kvm \ + -boot d \ + -netdev user,id=vmnic,hostfwd=tcp::6190-:22,hostfwd=tcp::6191-:80,hostfwd=tcp::6192-:443,hostfwd=tcp::6193-:3001 \ + -device e1000,netdev=vmnic,romfile= \ + -vnc :9 \ + -nographic \ + -no-reboot \ + -drive file=ubuntu-custom.qcow2,if=none,id=disk0,format=qcow2 \ + -device virtio-scsi-pci,id=scsi,disable-legacy=on,iommu_platform=true \ + -device scsi-hd,drive=disk0 \ + -machine memory-encryption=sev0,vmport=off \ + -object memory-backend-memfd-private,id=ram1,size=10240M,share=true \ + -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1 \ + -machine memory-backend=ram1,kvm-type=protected \ + -drive if=pflash,format=raw,unit=0,file=./OVMF_CODE.fd,readonly=on \ + -drive if=pflash,format=raw,unit=1,file=./OVMF_VARS.fd + 
+/home/cocosai/danko/AMDSEV/usr/local/bin/qemu-system-x86_64 \ + -enable-kvm \ + -machine q35 \ + -cpu EPYC-v4 \ + -smp 4,maxcpus=16 \ + -m 25G,slots=5,maxmem=30G \ + -drive if=pflash,format=raw,unit=0,file=/home/cocosai/danko/AMDSEV/ovmf/Build/AmdSev/DEBUG_GCC5/FV/OVMF.fd,readonly=on \ + -netdev user,id=vmnic-ed3cd402-d78e-4136-8070-96c03affc0aa,hostfwd=tcp::6100-:7002 \ + -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic-ed3cd402-d78e-4136-8070-96c03affc0aa,addr=0x2,romfile= \ + -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=3 \ + -object memory-backend-memfd-private,id=ram1,size=25G,share=true \ + -machine memory-backend=ram1,kvm-type=protected \ + -kernel /home/sammy/bzImage \ + -append "quiet console=null rootfstype=ramfs" \ + -initrd /home/sammy/rootfs.cpio.gz \ + -object sev-snp-guest,id=sev0-ed3cd402-d78e-4136-8070-96c03affc0aa,cbitpos=51,reduced-phys-bits=1,discard=none,kernel-hashes=on,host-data=FTZtWfgKU2WimWFajBIdIUtKTcxy5xCMBNxex6sFf/4= \ + -machine memory-encryption=sev0-ed3cd402-d78e-4136-8070-96c03affc0aa \ + -nographic \ + -monitor pty From ad2752a4e037a1fa8f3e024b2a4ad389f6288d98 Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Sun, 29 Sep 2024 00:21:05 +0300 Subject: [PATCH 03/18] feat(snpguest): Add snpguest rust binary --- buildroot/linux/Config.in | 2 +- buildroot/linux/external.mk | 2 +- buildroot/linux/package/snpguest/Config.in | 9 +++++++++ buildroot/linux/package/snpguest/snpguest.mk | 12 ++++++++++++ 4 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 buildroot/linux/package/snpguest/Config.in create mode 100644 buildroot/linux/package/snpguest/snpguest.mk diff --git a/buildroot/linux/Config.in b/buildroot/linux/Config.in index 8b13789..c70fa80 100644 --- a/buildroot/linux/Config.in +++ b/buildroot/linux/Config.in @@ -1 +1 @@ - +source "$BR2_EXTERNAL_CUBE_PATH/package/snpguest/Config.in" diff --git a/buildroot/linux/external.mk b/buildroot/linux/external.mk index 8b13789..0bfc533 100644 
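Review bot: `$SEED_IMAGE` and `$CUSTOM_IMAGE` in the first invocation are never assigned anywhere in the script, so the two `-drive file=...` arguments expand to empty paths and QEMU will most likely refuse to start; define them next to `VM_NAME`/`RAM`/`CPU` or fail early with `: "${SEED_IMAGE:?SEED_IMAGE must be set}"`. The second and third `qemu-system-x86_64` invocations are not commented out, so once the first VM exits the script runs them too, and both depend on developer-specific absolute paths under `/home/cocosai` and `/home/sammy` (plus a hard-coded `host-data=` value) that do not exist on other machines. Every `hostfwd=tcp::PORT-:22` style forwarding omits a host bind address, so QEMU listens on all host interfaces and exposes the guest's SSH and the other forwarded ports to the network; `hostfwd=tcp:127.0.0.1:6190-:22` keeps them reachable only from the local machine. `$VM_NAME`, `$RAM` and `$CPU` should also be quoted when expanded.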
--- a/buildroot/linux/external.mk +++ b/buildroot/linux/external.mk @@ -1 +1 @@ - +include $(sort $(wildcard $(BR2_EXTERNAL_COCOS_PATH)/package/*/*.mk)) diff --git a/buildroot/linux/package/snpguest/Config.in b/buildroot/linux/package/snpguest/Config.in new file mode 100644 index 0000000..867f3b0 --- /dev/null +++ b/buildroot/linux/package/snpguest/Config.in @@ -0,0 +1,9 @@ +config BR2_PACKAGE_SNPGUEST + bool "snpguest" + default y + depends on BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS + select BR2_PACKAGE_HOST_RUSTC + help + snpguest is a CLI tool for interacting with SEV-SNP guest environment + + https://github.com/virtee/snpguest diff --git a/buildroot/linux/package/snpguest/snpguest.mk b/buildroot/linux/package/snpguest/snpguest.mk new file mode 100644 index 0000000..7d9d507 --- /dev/null +++ b/buildroot/linux/package/snpguest/snpguest.mk @@ -0,0 +1,12 @@ +SNPGUEST_VERSION=v0.7.1 +SNPGUEST_SITE = $(call github,virtee,snpguest,$(SNPGUEST_VERSION)) + +define SNPGUEST_CARGO_BUILD_OPTS + --release +endef + +define SNPGUEST_INSTALL_TARGET_CMDS + $(INSTALL) -D -m 0755 $(@D)/target/release/snpguest $(TARGET_DIR)/bin +endef + +$(eval $(cargo-package)) From 7c58db3a4b1f8156c83cbd939e03e990a29bd85d Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Sun, 29 Sep 2024 00:21:42 +0300 Subject: [PATCH 04/18] feat(hal): enable rootfs --- buildroot/linux/configs/cube_defconfig | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/buildroot/linux/configs/cube_defconfig b/buildroot/linux/configs/cube_defconfig index 08f34b3..5cedaa6 100644 --- a/buildroot/linux/configs/cube_defconfig +++ b/buildroot/linux/configs/cube_defconfig 
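Review bot: The include line references `$(BR2_EXTERNAL_COCOS_PATH)`, but this external tree is declared as `name: CUBE` in external.desc (patch 01), so Buildroot exports its location as `BR2_EXTERNAL_CUBE_PATH` — the name the Config.in change in this same patch already uses. `BR2_EXTERNAL_COCOS_PATH` is therefore undefined, the wildcard expands to nothing, and no package `.mk` from this tree (including the new `snpguest.mk`) is ever included, which is consistent with the follow-up commit "the guest was not installed properly". Change it to `include $(sort $(wildcard $(BR2_EXTERNAL_CUBE_PATH)/package/*/*.mk))`.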
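Review bot: There is no `snpguest.hash` next to `snpguest.mk`, so the GitHub tarball fetched for `v0.7.1` is accepted without any integrity check; a hash file with the archive's digest (`sha256  <sha256-of-tarball>  snpguest-v0.7.1.tar.gz`) lets Buildroot verify the download, and `SNPGUEST_LICENSE = Apache-2.0` / `SNPGUEST_LICENSE_FILES = LICENSE` let `make legal-info` report it. The install destination `$(TARGET_DIR)/bin` passed to `$(INSTALL) -D` is a directory, so the result depends on `/bin` already existing in the target skeleton; `$(TARGET_DIR)/usr/bin/snpguest` names the file explicitly. `SNPGUEST_CARGO_BUILD_OPTS = --release` is presumably redundant, since the cargo infrastructure already builds in release mode unless `BR2_ENABLE_DEBUG` is set — confirm against pkg-cargo.mk.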
@@ -14,6 +14,17 @@ BR2_SYSTEM_BIN_SH_BASH=y BR2_TARGET_ROOTFS_CPIO=y BR2_TARGET_ROOTFS_CPIO_FULL=y BR2_TARGET_ROOTFS_CPIO_GZIP=y +BR2_TARGET_ROOTFS_EXT2=y +BR2_TARGET_ROOTFS_EXT2_4=y +BR2_TARGET_ROOTFS_EXT2_GEN=4 +BR2_TARGET_ROOTFS_EXT2_REV=1 +BR2_TARGET_ROOTFS_EXT2_LABEL="rootfs" +BR2_TARGET_ROOTFS_EXT2_SIZE="30G" +BR2_TARGET_ROOTFS_EXT2_INODES=0 +BR2_TARGET_ROOTFS_EXT2_INODE_SIZE=256 +BR2_TARGET_ROOTFS_EXT2_RESBLKS=5 +BR2_TARGET_ROOTFS_EXT2_MKFS_OPTIONS="-O ^64bit" +BR2_TARGET_ROOTFS_EXT2_GZIP=y # Image BR2_ROOTFS_POST_BUILD_SCRIPT="$(BR2_EXTERNAL_CUBE_PATH)/board/cube/post-build.sh" From 38445c00ae428619e3bca8a9a5a079de9ea7c7de Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Sun, 29 Sep 2024 00:21:59 +0300 Subject: [PATCH 05/18] feat(hal): add git support --- buildroot/linux/configs/cube_defconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/buildroot/linux/configs/cube_defconfig b/buildroot/linux/configs/cube_defconfig index 5cedaa6..2f52c13 100644 --- a/buildroot/linux/configs/cube_defconfig +++ b/buildroot/linux/configs/cube_defconfig @@ -65,3 +65,5 @@ BR2_PACKAGE_DOCKER_ENGINE=y BR2_PACKAGE_CONTAINERD=y BR2_PACKAGE_RUNC=y BR2_PACKAGE_IPTABLES=y + +BR2_PACKAGE_GIT=y From b82b3ea02a48086c2bd30e6349ab3dfcb9779a30 Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Sun, 29 Sep 2024 04:51:43 +0300 Subject: [PATCH 06/18] fix(snpguest): the guest was not installed properly --- .gitignore | 3 + buildroot/README.md | 28 +++++- buildroot/linux/README.md | 4 +- buildroot/linux/board/cube/readme.txt | 8 +- buildroot/linux/configs/cube_defconfig | 11 --- buildroot/linux/external.mk | 2 +- buildroot/linux/package/snpguest/Config.in | 1 - buildroot/linux/package/snpguest/snpguest.mk | 15 ++-- buildroot/qemu.sh | 93 +++++++++----------- 9 files changed, 88 insertions(+), 77 deletions(-) diff --git a/.gitignore b/.gitignore index cf06367..3cfd882 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,6 @@ acme.json # Proxy Build proxy/build + +# Filesystem +*.ext4 
diff --git a/buildroot/README.md b/buildroot/README.md index fcdd516..01b10fe 100644 --- a/buildroot/README.md +++ b/buildroot/README.md @@ -4,8 +4,34 @@ To build the HAL for Linux, you need to install [Buildroot](https://buildroot.or ## To run using qemu -After following the steps in [README.md](./linux/README.md), you will have +After following the steps in [README.md](./linux/README.md), you will have bzImage and rootfs.cpio.gz files. + +Next we need to create a filesystem image. We will use `mkfs.ext4` to create the filesystem image. + +```bash +dd if=/dev/zero of=rootfs.ext4 bs=1M count=10240 +mkfs.ext4 ./rootfs.ext4 +``` + +Now we can run the QEMU VM with the filesystem image. + +```bash +bash hal/qemu.sh +``` + +Login to the VM using the following credentials: + +- Username: `root` + +To mount the filesystem image, you can use the following command: ```bash +mkdir -p /mnt/docker-volume +mount /dev/vda /mnt/docker-volume +``` + +You can now access the persitent storage of the VM using the following command: +```bash +ls /mnt/docker-volume ``` diff --git a/buildroot/linux/README.md b/buildroot/linux/README.md index cba37e9..b49c641 100644 --- a/buildroot/linux/README.md +++ b/buildroot/linux/README.md @@ -8,9 +8,9 @@ HAL uses [Buildroot](https://buildroot.org/)'s [_External Tree_ mechanism](https ```bash git clone https://gitlab.com/buildroot.org/buildroot.git +git clone https://github.com/ultravioletrs/cube.git cd buildroot -git checkout 2023.08 -make BR2_EXTERNAL=../cube/buildroot/linux cube_defconfig +make BR2_EXTERNAL=../cube/hal/linux cube_defconfig # Execute 'make menuconfig' only if you want to make additional configuration changes to Buildroot. make menuconfig make diff --git a/buildroot/linux/board/cube/readme.txt b/buildroot/linux/board/cube/readme.txt index 1af41ad..05fd393 100644 --- a/buildroot/linux/board/cube/readme.txt +++ b/buildroot/linux/board/cube/readme.txt 
@@ -1,11 +1,7 @@ -# Cube - Run the emulation with: -```bash -qemu-system-x86_64 -M pc -kernel output/images/bzImage -drive file=output/images/rootfs.ext2,if=virtio,format=raw -append "rootwait root=/dev/vda console=tty1 console=ttyS0" -serial stdio -net nic,model=virtio -net user # cube_defconfig -``` + qemu-system-x86_64 -M pc -kernel output/images/bzImage -drive file=output/images/rootfs.ext2,if=virtio,format=raw -append "rootwait root=/dev/vda console=tty1 console=ttyS0" -serial stdio -net nic,model=virtio -net user # cube_defconfig -Optionally add `-smp N` to emulate a SMP system with N CPUs. +Optionally add -smp N to emulate a SMP system with N CPUs. The login prompt will appear in the graphical window. diff --git a/buildroot/linux/configs/cube_defconfig b/buildroot/linux/configs/cube_defconfig index 2f52c13..83defe4 100644 --- a/buildroot/linux/configs/cube_defconfig +++ b/buildroot/linux/configs/cube_defconfig @@ -14,17 +14,6 @@ BR2_SYSTEM_BIN_SH_BASH=y BR2_TARGET_ROOTFS_CPIO=y BR2_TARGET_ROOTFS_CPIO_FULL=y BR2_TARGET_ROOTFS_CPIO_GZIP=y -BR2_TARGET_ROOTFS_EXT2=y -BR2_TARGET_ROOTFS_EXT2_4=y -BR2_TARGET_ROOTFS_EXT2_GEN=4 -BR2_TARGET_ROOTFS_EXT2_REV=1 -BR2_TARGET_ROOTFS_EXT2_LABEL="rootfs" -BR2_TARGET_ROOTFS_EXT2_SIZE="30G" -BR2_TARGET_ROOTFS_EXT2_INODES=0 -BR2_TARGET_ROOTFS_EXT2_INODE_SIZE=256 -BR2_TARGET_ROOTFS_EXT2_RESBLKS=5 -BR2_TARGET_ROOTFS_EXT2_MKFS_OPTIONS="-O ^64bit" -BR2_TARGET_ROOTFS_EXT2_GZIP=y # Image BR2_ROOTFS_POST_BUILD_SCRIPT="$(BR2_EXTERNAL_CUBE_PATH)/board/cube/post-build.sh" diff --git a/buildroot/linux/external.mk b/buildroot/linux/external.mk index 0bfc533..eff80f1 100644 --- a/buildroot/linux/external.mk +++ b/buildroot/linux/external.mk @@ -1 +1 @@ -include $(sort $(wildcard $(BR2_EXTERNAL_COCOS_PATH)/package/*/*.mk)) +include $(sort $(wildcard $(BR2_EXTERNAL_CUBE_PATH)/package/*/*.mk)) diff --git a/buildroot/linux/package/snpguest/Config.in b/buildroot/linux/package/snpguest/Config.in index 867f3b0..5412f55 100644 
--- a/buildroot/linux/package/snpguest/Config.in +++ b/buildroot/linux/package/snpguest/Config.in @@ -5,5 +5,4 @@ config BR2_PACKAGE_SNPGUEST select BR2_PACKAGE_HOST_RUSTC help snpguest is a CLI tool for interacting with SEV-SNP guest environment - https://github.com/virtee/snpguest diff --git a/buildroot/linux/package/snpguest/snpguest.mk b/buildroot/linux/package/snpguest/snpguest.mk index 7d9d507..31fc9bc 100644 --- a/buildroot/linux/package/snpguest/snpguest.mk +++ b/buildroot/linux/package/snpguest/snpguest.mk @@ -1,12 +1,17 @@ -SNPGUEST_VERSION=v0.7.1 +SNPGUEST_VERSION = main SNPGUEST_SITE = $(call github,virtee,snpguest,$(SNPGUEST_VERSION)) +SNPGUEST_LICENSE = Apache-2.0 +SNPGUEST_LICENSE_FILES = LICENSE -define SNPGUEST_CARGO_BUILD_OPTS - --release +SNPGUEST_DEPENDENCIES = host-rustc + +define SNPGUEST_BUILD_CMDS + $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \ + $(HOST_DIR)/bin/cargo build --release --manifest-path=$(@D)/Cargo.toml endef define SNPGUEST_INSTALL_TARGET_CMDS - $(INSTALL) -D -m 0755 $(@D)/target/release/snpguest $(TARGET_DIR)/bin + $(INSTALL) -D -m 0755 $(@D)/target/release/snpguest $(TARGET_DIR)/usr/bin/snpguest endef -$(eval $(cargo-package)) +$(eval $(generic-package)) diff --git a/buildroot/qemu.sh b/buildroot/qemu.sh index 8a7a504..b8fda9a 100644 --- a/buildroot/qemu.sh +++ b/buildroot/qemu.sh 
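Review bot: `SNPGUEST_VERSION = main` replaces the pinned `v0.7.1` with a moving branch, so every build fetches whatever `virtee/snpguest` currently has on `main`; the binary that ends up in the guest image is no longer reproducible and cannot be covered by a hash file. Pin it back to a release tag or a full commit id, e.g. `SNPGUEST_VERSION = v0.7.1`, and add a `snpguest.hash`. Switching from `cargo-package` to `generic-package` with a direct `$(HOST_DIR)/bin/cargo build` also bypasses Buildroot's cargo infrastructure, which vendors crates at download time so the build step itself can run offline; the new rule pulls crates from the network during the build, and without `--target` it builds for the host triple, which presumably only works here because host and target are both x86_64 glibc — confirm. If `cargo-package` was dropped only because of the install path, keeping `$(eval $(cargo-package))` with just the corrected `SNPGUEST_INSTALL_TARGET_CMDS` is the smaller fix.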
@@ -20,58 +20,51 @@ qemu-system-x86_64 \ -boot d \ -netdev user,id=vmnic,hostfwd=tcp::6190-:22,hostfwd=tcp::6191-:80,hostfwd=tcp::6192-:443,hostfwd=tcp::6193-:3001 \ -device e1000,netdev=vmnic,romfile= \ - -vnc :9 \ -nographic \ -no-reboot \ - -drive file=$SEED_IMAGE,media=cdrom \ - -drive file=$CUSTOM_IMAGE,if=none,id=disk0,format=qcow2 \ - -device virtio-scsi-pci,id=scsi,disable-legacy=on,iommu_platform=true \ - -device scsi-hd,drive=disk0 \ - -machine memory-encryption=sev0,confidential-guest-support=sev0 \ - -object sev-guest,id=sev0,cbitpos=51,reduced-phys-bits=1 \ - -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE.fd,readonly=on \ - -drive if=pflash,format=raw,unit=1,file=/usr/share/OVMF/OVMF_VARS.fd + -kernel ../buildroot/output/images/bzImage \ + -initrd ../buildroot/output/images/rootfs.cpio.gz \ + -drive file=./rootfs.ext4,format=raw,if=virtio \ + -append "root=/dev/vda console=ttyS0" -/home/cocosai/danko/AMDSEV/usr/local/bin/qemu-system-x86_64 \ - -name cube-ai-vm \ - -m 10240M \ - -smp 8 \ - -cpu EPYC-v4 \ - -machine q35 \ - -enable-kvm \ - -boot d \ - -netdev user,id=vmnic,hostfwd=tcp::6190-:22,hostfwd=tcp::6191-:80,hostfwd=tcp::6192-:443,hostfwd=tcp::6193-:3001 \ - -device e1000,netdev=vmnic,romfile= \ - -vnc :9 \ - -nographic \ - -no-reboot \ - -drive file=ubuntu-custom.qcow2,if=none,id=disk0,format=qcow2 \ - -device virtio-scsi-pci,id=scsi,disable-legacy=on,iommu_platform=true \ - -device scsi-hd,drive=disk0 \ - -machine memory-encryption=sev0,vmport=off \ - -object memory-backend-memfd-private,id=ram1,size=10240M,share=true \ - -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1 \ - -machine memory-backend=ram1,kvm-type=protected \ - -drive if=pflash,format=raw,unit=0,file=./OVMF_CODE.fd,readonly=on \ - -drive if=pflash,format=raw,unit=1,file=./OVMF_VARS.fd +# /home/cocosai/danko/AMDSEV/usr/local/bin/qemu-system-x86_64 \ +# -enable-kvm \ +# -machine q35 \ +# -cpu EPYC-v4 \ +# -smp 4,maxcpus=16 \ +# -m 
25G,slots=5,maxmem=30G \ +# -drive if=pflash,format=raw,unit=0,file=/home/cocosai/danko/AMDSEV/ovmf/Build/AmdSev/DEBUG_GCC5/FV/OVMF.fd,readonly=on \ +# -netdev user,id=vmnic-ed3cd402-d78e-4136-8070-96c03affc0aa,hostfwd=tcp::6100-:7002 \ +# -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic-ed3cd402-d78e-4136-8070-96c03affc0aa,addr=0x2,romfile= \ +# -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=3 \ +# -object memory-backend-memfd-private,id=ram1,size=25G,share=true \ +# -machine memory-backend=ram1,kvm-type=protected \ +# -kernel /home/sammy/bzImage \ +# -append "quiet console=null rootfstype=ramfs" \ +# -initrd /home/sammy/rootfs.cpio.gz \ +# -object sev-snp-guest,id=sev0-ed3cd402-d78e-4136-8070-96c03affc0aa,cbitpos=51,reduced-phys-bits=1,discard=none,kernel-hashes=on,host-data=FTZtWfgKU2WimWFajBIdIUtKTcxy5xCMBNxex6sFf/4= \ +# -machine memory-encryption=sev0-ed3cd402-d78e-4136-8070-96c03affc0aa \ +# -nographic \ +# -monitor pty -/home/cocosai/danko/AMDSEV/usr/local/bin/qemu-system-x86_64 \ - -enable-kvm \ - -machine q35 \ - -cpu EPYC-v4 \ - -smp 4,maxcpus=16 \ - -m 25G,slots=5,maxmem=30G \ - -drive if=pflash,format=raw,unit=0,file=/home/cocosai/danko/AMDSEV/ovmf/Build/AmdSev/DEBUG_GCC5/FV/OVMF.fd,readonly=on \ - -netdev user,id=vmnic-ed3cd402-d78e-4136-8070-96c03affc0aa,hostfwd=tcp::6100-:7002 \ - -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic-ed3cd402-d78e-4136-8070-96c03affc0aa,addr=0x2,romfile= \ - -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=3 \ - -object memory-backend-memfd-private,id=ram1,size=25G,share=true \ - -machine memory-backend=ram1,kvm-type=protected \ - -kernel /home/sammy/bzImage \ - -append "quiet console=null rootfstype=ramfs" \ - -initrd /home/sammy/rootfs.cpio.gz \ - -object sev-snp-guest,id=sev0-ed3cd402-d78e-4136-8070-96c03affc0aa,cbitpos=51,reduced-phys-bits=1,discard=none,kernel-hashes=on,host-data=FTZtWfgKU2WimWFajBIdIUtKTcxy5xCMBNxex6sFf/4= \ - -machine 
memory-encryption=sev0-ed3cd402-d78e-4136-8070-96c03affc0aa \ - -nographic \ - -monitor pty +# /home/cocosai/danko/AMDSEV/usr/local/bin/qemu-system-x86_64 \ +# -enable-kvm \ +# -cpu EPYC-v4 \ +# -machine q35 \ +# -smp 4 \ +# -m 2048M,slots=5,maxmem=10240M \ +# -no-reboot \ +# -netdev user,id=vmnic \ +# -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \ +# -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=8 \ +# -kernel /home/rodney/buildroot/output/images/bzImage \ +# -append "earlyprintk=serial console=ttyS0" \ +# -initrd /home/rodney/buildroot/output/images/rootfs.cpio.gz \ +# -machine memory-encryption=sev0,vmport=off \ +# -object memory-backend-memfd-private,id=ram1,size=2048M,share=true \ +# -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1 \ +# -machine memory-backend=ram1,kvm-type=protected \ +# -drive if=pflash,format=raw,unit=0,file=/home/cocosai/danko/AMDSEV/OVMF_CODE.fd,readonly=on \ +# -drive if=pflash,format=raw,unit=1,file=/home/cocosai/danko/AMDSEV/OVMF_VARS.fd \ +# -nographic From 8edf1f4bd32b641c6fdb8a4b473edf0ce6854cdd Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Mon, 30 Sep 2024 10:27:50 +0300 Subject: [PATCH 07/18] fix(msr): give access to x86 model specific registers --- buildroot/README.md | 2 +- buildroot/linux/board/cube/linux.config | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/buildroot/README.md b/buildroot/README.md index 01b10fe..27c8482 100644 --- a/buildroot/README.md +++ b/buildroot/README.md @@ -16,7 +16,7 @@ mkfs.ext4 ./rootfs.ext4 Now we can run the QEMU VM with the filesystem image. ```bash -bash hal/qemu.sh +bash buildroot/qemu.sh ``` Login to the VM using the following credentials: diff --git a/buildroot/linux/board/cube/linux.config b/buildroot/linux/board/cube/linux.config index 5c8c3ac..e49063d 100644 --- a/buildroot/linux/board/cube/linux.config +++ b/buildroot/linux/board/cube/linux.config 
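Review bot: The two commented-out `qemu-system-x86_64` invocations kept at the bottom of the file are dead code: they carry developer-specific absolute paths (`/home/cocosai/...`, `/home/rodney/...`, `/home/sammy/...`), a hard-coded `host-data=` value and guest-cids the live command does not use, and as comments they will silently drift from it. Git history already preserves them; drop them, or turn the SEV-SNP variant into a second function the caller selects with an argument. The live command's `-kernel`, `-initrd` and `-drive file=./rootfs.ext4` paths are all relative to the caller's working directory and are not checked before QEMU starts, so a wrong cwd produces QEMU's own open error rather than a message naming the missing artifact; `[ -f "$KERNEL" ] || { echo "bzImage not found"; exit 1; }` style guards before the launch would make that explicit.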
@@ -65,3 +65,4 @@ CONFIG_PREEMPT_DYNAMIC=n CONFIG_DEBUG_PREEMPT=n CONFIG_CGROUP_MISC=y CONFIG_X86_CPUID=y +CONFIG_X86_MSR=y From 27597230598e2ccabb32c8cd28519baf9cccbd1d Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Mon, 30 Sep 2024 11:25:34 +0300 Subject: [PATCH 08/18] feat(buildroot): add bash script for setting things up --- buildroot/qemu.sh | 196 +++++++++++++++++++++++++++++++--------------- 1 file changed, 134 insertions(+), 62 deletions(-) diff --git a/buildroot/qemu.sh b/buildroot/qemu.sh index b8fda9a..7ac3d4a 100644 --- a/buildroot/qemu.sh +++ b/buildroot/qemu.sh 
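Review bot: `CONFIG_X86_MSR=y` is added with no comment recording which guest component needs it; the commit title only restates what the option does. Building the msr driver in exposes `/dev/cpu/*/msr`, through which root in the guest can read and write arbitrary model-specific registers, so in an image intended to run as a confidential VM the consumer is worth naming next to the symbol, e.g. `# CONFIG_X86_MSR: required by <tool> for <purpose>` — and if no guest tool actually needs it, it should stay off. If the consumer is only an occasional diagnostic, `CONFIG_X86_MSR=m` keeps the interface available without having it loaded by default.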
@@ -3,68 +3,140 @@ VM_NAME="cube-ai-vm" RAM="10240M" CPU="4" +CPU_TYPE="EPYC-v4" +QEMU_AMDSEV_BINARY="/home/cocosai/danko/AMDSEV/usr/local/bin/qemu-system-x86_64" +QEMU_OVMF_CODE="/home/cocosai/danko/AMDSEV/ovmf/Build/AmdSev/DEBUG_GCC5/FV/OVMF.fd" +KERNEL_PATH="../buildroot/output/images/bzImage" +INITRD_PATH="../buildroot/output/images/rootfs.cpio.gz" +QEMU_APPEND_ARG="root=/dev/vda console=ttyS0" -if ! command -v qemu-system-x86_64 &> /dev/null; then - echo "qemu-system-x86_64 is not installed. Please install it and try again." - exit 1 +function check(){ + if [ ! -f "./rootfs.ext4" ]; then + echo "rootfs.ext4 file not found. Please create it and try again." + exit 1 + fi + + if [ ! -f "../buildroot/output/images/bzImage" ]; then + echo "bzImage file not found. Please build it and try again." + exit 1 + fi + + if [ ! -f "../buildroot/output/images/rootfs.cpio.gz" ]; then + echo "rootfs.cpio.gz file not found. Please build it and try again." + exit 1 + fi +} + +function start_qemu(){ + if ! command -v qemu-system-x86_64 &> /dev/null; then + echo "qemu-system-x86_64 is not installed. Please install it and try again." + exit 1 + fi + + check + + echo "Starting QEMU VM..." + + qemu-system-x86_64 \ + -name $VM_NAME \ + -m $RAM \ + -smp $CPU \ + -cpu $CPU_TYPE \ + -machine q35 \ + -enable-kvm \ + -boot d \ + -netdev user,id=vmnic,hostfwd=tcp::6190-:80,hostfwd=tcp::6191-:443,hostfwd=tcp::6192-:3001,dns=8.8.8.8 \ + -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \ + -nographic \ + -no-reboot \ + -kernel $KERNEL_PATH \ + -initrd $INITRD_PATH \ + -drive file=./rootfs.ext4,format=raw,if=virtio \ + -append "$QEMU_APPEND_ARG" +} + +function start_cvm(){ + if ! command -v $QEMU_AMDSEV_BINARY &> /dev/null; then + echo "qemu-system-x86_64 is not installed. Please install it and try again." + exit 1 + fi + + check + + echo "Starting QEMU VM..." 
+ + $QEMU_AMDSEV_BINARY \ + -name $VM_NAME \ + -m $RAM \ + -smp $CPU \ + -cpu $CPU_TYPE \ + -machine q35 \ + -enable-kvm \ + -boot d \ + -netdev user,id=vmnic,hostfwd=tcp::6190-:80,hostfwd=tcp::6191-:443,hostfwd=tcp::6192-:3001,dns=8.8.8.8 \ + -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \ + -nographic \ + -no-reboot \ + -kernel $KERNEL_PATH \ + -initrd $INITRD_PATH \ + -drive file=./rootfs.ext4,format=raw,if=virtio \ + -drive if=pflash,format=raw,unit=0,file=$QEMU_OVMF_CODE,readonly=on \ + -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=198 \ + -object memory-backend-memfd-private,id=ram1,size=$RAM,share=true \ + -machine memory-encryption=sev0-cb42cb55-17d4-4da3-9321-d04b4961b0e4 \ + -machine memory-backend=ram1,kvm-type=protected \ + -object sev-snp-guest,id=sev0-cb42cb55-17d4-4da3-9321-d04b4961b0e4,cbitpos=51,reduced-phys-bits=1,discard=none,kernel-hashes=on \ + -append "$QEMU_APPEND_ARG" +} + +function generate_snp_expected_measurement(){ + if ! command -v sev-snp-measure &> /dev/null; then + echo "sev-snp-measure is not installed. Please install it and try again." + exit 1 + fi + + echo "Generating expected measurement..." + sev-snp-measure \ + --mode snp \ + --vcpus=$CPU \ + --vcpu-type=$CPU_TYPE \ + --ovmf=$QEMU_OVMF_CODE \ + --kernel=$KERNEL_PATH \ + --initrd=$INITRD_PATH \ + --append="$QEMU_APPEND_ARG" +} + +function print_help(){ + echo "Usage: $0 [command]" + echo "Commands:" + echo " start: Start the QEMU VM" + echo " start_cvm: Start the QEMU VM with AMD SEV-SNP enabled" + echo " measure: Use sev-snp-measure utility to calculate the expected measurement" + echo " check: Check if the required files are present" +} + +if [ $# -eq 0 ]; then + print_help + exit 0 fi -echo "Starting QEMU VM..." 
-qemu-system-x86_64 \ - -name $VM_NAME \ - -m $RAM \ - -smp $CPU \ - -cpu EPYC \ - -machine q35 \ - -enable-kvm \ - -boot d \ - -netdev user,id=vmnic,hostfwd=tcp::6190-:22,hostfwd=tcp::6191-:80,hostfwd=tcp::6192-:443,hostfwd=tcp::6193-:3001 \ - -device e1000,netdev=vmnic,romfile= \ - -nographic \ - -no-reboot \ - -kernel ../buildroot/output/images/bzImage \ - -initrd ../buildroot/output/images/rootfs.cpio.gz \ - -drive file=./rootfs.ext4,format=raw,if=virtio \ - -append "root=/dev/vda console=ttyS0" - - -# /home/cocosai/danko/AMDSEV/usr/local/bin/qemu-system-x86_64 \ -# -enable-kvm \ -# -machine q35 \ -# -cpu EPYC-v4 \ -# -smp 4,maxcpus=16 \ -# -m 25G,slots=5,maxmem=30G \ -# -drive if=pflash,format=raw,unit=0,file=/home/cocosai/danko/AMDSEV/ovmf/Build/AmdSev/DEBUG_GCC5/FV/OVMF.fd,readonly=on \ -# -netdev user,id=vmnic-ed3cd402-d78e-4136-8070-96c03affc0aa,hostfwd=tcp::6100-:7002 \ -# -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic-ed3cd402-d78e-4136-8070-96c03affc0aa,addr=0x2,romfile= \ -# -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=3 \ -# -object memory-backend-memfd-private,id=ram1,size=25G,share=true \ -# -machine memory-backend=ram1,kvm-type=protected \ -# -kernel /home/sammy/bzImage \ -# -append "quiet console=null rootfstype=ramfs" \ -# -initrd /home/sammy/rootfs.cpio.gz \ -# -object sev-snp-guest,id=sev0-ed3cd402-d78e-4136-8070-96c03affc0aa,cbitpos=51,reduced-phys-bits=1,discard=none,kernel-hashes=on,host-data=FTZtWfgKU2WimWFajBIdIUtKTcxy5xCMBNxex6sFf/4= \ -# -machine memory-encryption=sev0-ed3cd402-d78e-4136-8070-96c03affc0aa \ -# -nographic \ -# -monitor pty - -# /home/cocosai/danko/AMDSEV/usr/local/bin/qemu-system-x86_64 \ -# -enable-kvm \ -# -cpu EPYC-v4 \ -# -machine q35 \ -# -smp 4 \ -# -m 2048M,slots=5,maxmem=10240M \ -# -no-reboot \ -# -netdev user,id=vmnic \ -# -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \ -# -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=8 \ -# -kernel 
/home/rodney/buildroot/output/images/bzImage \ -# -append "earlyprintk=serial console=ttyS0" \ -# -initrd /home/rodney/buildroot/output/images/rootfs.cpio.gz \ -# -machine memory-encryption=sev0,vmport=off \ -# -object memory-backend-memfd-private,id=ram1,size=2048M,share=true \ -# -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1 \ -# -machine memory-backend=ram1,kvm-type=protected \ -# -drive if=pflash,format=raw,unit=0,file=/home/cocosai/danko/AMDSEV/OVMF_CODE.fd,readonly=on \ -# -drive if=pflash,format=raw,unit=1,file=/home/cocosai/danko/AMDSEV/OVMF_VARS.fd \ -# -nographic +if [ $# -gt 0 ]; then + case "$1" in + "start") + start_qemu + ;; + "check") + check + ;; + "start_cvm") + start_cvm + ;; + "measure") + generate_snp_expected_measurement + ;; + *) + echo "Unknown command: $1" + exit 1 + ;; + esac +fi From a2d9639aa71e6f5349f313a72106d73ba5342ae6 Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Mon, 30 Sep 2024 12:21:55 +0300 Subject: [PATCH 09/18] feat(buildroot): mount fs and fix docker Setup networking at initialization and mount the rootfs Signed-off-by: Rodney Osodo --- buildroot/linux/Config.in | 1 + buildroot/linux/package/setup/Config.in | 9 +++++ buildroot/linux/package/setup/setup.mk | 10 +++++ buildroot/linux/package/snpguest/Config.in | 4 +- buildroot/linux/systemd/cube.service | 10 +++++ buildroot/linux/systemd/setup-cube.sh | 43 ++++++++++++++++++++++ 6 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 buildroot/linux/package/setup/Config.in create mode 100644 buildroot/linux/package/setup/setup.mk create mode 100644 buildroot/linux/systemd/cube.service create mode 100755 buildroot/linux/systemd/setup-cube.sh diff --git a/buildroot/linux/Config.in b/buildroot/linux/Config.in index c70fa80..835cef4 100644 --- a/buildroot/linux/Config.in +++ b/buildroot/linux/Config.in @@ -1 +1,2 @@ +source "$BR2_EXTERNAL_CUBE_PATH/package/setup/Config.in" source "$BR2_EXTERNAL_CUBE_PATH/package/snpguest/Config.in" 
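Review bot: In `start_cvm` the persistent volume `./rootfs.ext4` is handed to the SEV-SNP guest as a plain raw virtio disk, so everything the guest writes there (the Docker state this series moves onto it) sits outside encrypted guest memory and is readable and writable by the host, while the launch measurement computed by `generate_snp_expected_measurement` covers only OVMF, kernel, initrd and cmdline and says nothing about that disk. At minimum the script header should state this, e.g. `# NOTE: rootfs.ext4 is host-visible plaintext and is not covered by the SNP launch measurement`, and a follow-up should have the guest encrypt or integrity-check the volume before trusting anything on it. The `hostfwd=tcp::6190-:80,...` entries in both `start_qemu` and `start_cvm` give no host bind address, so QEMU listens on every host interface; `hostfwd=tcp:127.0.0.1:6190-:80` restricts them to the local machine. `check()` repeats the literal paths instead of testing `"$KERNEL_PATH"` and `"$INITRD_PATH"`, so the two will drift apart, and the `start_cvm` error text still says `qemu-system-x86_64 is not installed` rather than naming `$QEMU_AMDSEV_BINARY`.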
diff --git a/buildroot/linux/package/setup/Config.in b/buildroot/linux/package/setup/Config.in new file mode 100644 index 0000000..99a6116 --- /dev/null +++ b/buildroot/linux/package/setup/Config.in @@ -0,0 +1,9 @@ +config BR2_PACKAGE_SETUP + bool "setup" + default y + help + This Setup package it used to setup the Docker environment used in the HAL + It does the following: + - Start networking + - Mounts the rootfs.ext4 file system + - Configure the docker daemon to use the rootfs.ext4 file system diff --git a/buildroot/linux/package/setup/setup.mk b/buildroot/linux/package/setup/setup.mk new file mode 100644 index 0000000..a7b20c9 --- /dev/null +++ b/buildroot/linux/package/setup/setup.mk @@ -0,0 +1,10 @@ +define SETUP_INSTALL_TARGET_CMDS + mkdir -p $(TARGET_DIR)/cube/ +endef + +define SETUP_INSTALL_INIT_SYSTEMD + cp ../cube/buildroot/linux/systemd/cube.service $(TARGET_DIR)/usr/lib/systemd/system/cube.service + cp ../cube/buildroot/linux/systemd/setup-cube.sh $(TARGET_DIR)/cube/setup-cube.sh +endef + +$(eval $(generic-package)) diff --git a/buildroot/linux/package/snpguest/Config.in b/buildroot/linux/package/snpguest/Config.in index 5412f55..d388586 100644 --- a/buildroot/linux/package/snpguest/Config.in +++ b/buildroot/linux/package/snpguest/Config.in @@ -4,5 +4,5 @@ config BR2_PACKAGE_SNPGUEST depends on BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS select BR2_PACKAGE_HOST_RUSTC help - snpguest is a CLI tool for interacting with SEV-SNP guest environment - https://github.com/virtee/snpguest + snpguest is a CLI tool for interacting with SEV-SNP guest environment + https://github.com/virtee/snpguest diff --git a/buildroot/linux/systemd/cube.service b/buildroot/linux/systemd/cube.service new file mode 100644 index 0000000..b374dbd --- /dev/null +++ b/buildroot/linux/systemd/cube.service 
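Review bot: `SETUP_INSTALL_INIT_SYSTEMD` copies the unit and script from `../cube/buildroot/linux/systemd/`, a path relative to the Buildroot working directory that only resolves when this repository is checked out as a sibling named `cube`; Buildroot already exports the tree's own location, so `$(BR2_EXTERNAL_CUBE_PATH)/systemd/cube.service` (or a `$(SETUP_PKGDIR)`-relative path) works for any checkout layout. Plain `cp` also makes the installed mode depend on the source file's mode; `$(INSTALL) -D -m 0644 ... $(TARGET_DIR)/usr/lib/systemd/system/cube.service` and `$(INSTALL) -D -m 0755 ... $(TARGET_DIR)/cube/setup-cube.sh` pin them, as `snpguest.mk` already does for its binary. Creating a new top-level `/cube` directory for the script is unusual; `/usr/libexec/cube` or `/usr/lib/cube` would be the conventional location.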
@@ -0,0 +1,10 @@ +[Unit] +Description=Cube Network Agent +After=network.target +Before=docker.service + +[Service] +ExecStart=/cube/setup-cube.sh + +[Install] +WantedBy=default.target diff --git a/buildroot/linux/systemd/setup-cube.sh b/buildroot/linux/systemd/setup-cube.sh new file mode 100755 index 0000000..c27b35b --- /dev/null +++ b/buildroot/linux/systemd/setup-cube.sh @@ -0,0 +1,43 @@ +#!/bin/sh + +# IFACES are all network interfaces excluding lo (LOOPBACK) and sit interfaces +IFACES=$(ip link show | grep -vE 'LOOPBACK|sit*' | awk -F': ' '{print $2}') + +# This for loop brings up all network interfaces in IFACES and dhclient obtains an IP address for the every interface +for IFACE in $IFACES; do + STATE=$(ip link show $IFACE | grep DOWN) + if [ -n "$STATE" ]; then + ip link set $IFACE up + fi + + IP_ADDR=$(ip addr show $IFACE | grep 'inet ') + if [ -z "$IP_ADDR" ]; then + dhclient $IFACE + fi +done + +# Mount filesystem +mkdir -p /mnt/docker-volume +mount /dev/vda /mnt/docker-volume + +# Change the docker.service file to allow the Docker to run in RAM +mkdir -p /etc/systemd/system/docker.service.d + +# Create or overwrite the override.conf file with the new Environment variable +tee /etc/systemd/system/docker.service.d/override.conf > /dev/null < Date: Mon, 30 Sep 2024 13:01:12 +0300 Subject: [PATCH 10/18] refactor(buildroot): change from ramfs to mounted disk --- buildroot/linux/systemd/setup-cube.sh | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/buildroot/linux/systemd/setup-cube.sh b/buildroot/linux/systemd/setup-cube.sh index c27b35b..11396f4 100755 --- a/buildroot/linux/systemd/setup-cube.sh +++ b/buildroot/linux/systemd/setup-cube.sh 
@@ -20,24 +20,14 @@ done mkdir -p /mnt/docker-volume mount /dev/vda /mnt/docker-volume -# Change the docker.service file to allow the Docker to run in RAM -mkdir -p /etc/systemd/system/docker.service.d +systemctl stop docker -# Create or overwrite the override.conf file with the new Environment variable -tee /etc/systemd/system/docker.service.d/override.conf > /dev/null < /dev/null < Date: Mon, 30 Sep 2024 13:39:29 +0300 Subject: [PATCH 11/18] fix(buildroot): enable git --- buildroot/linux/configs/cube_defconfig | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/buildroot/linux/configs/cube_defconfig b/buildroot/linux/configs/cube_defconfig index 83defe4..be8659e 100644 --- a/buildroot/linux/configs/cube_defconfig +++ b/buildroot/linux/configs/cube_defconfig @@ -39,6 +39,7 @@ BR2_LINUX_KERNEL_PATCH="" BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_CUBE_PATH)/board/cube/linux.config" BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF=y +BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y # host-qemu for gitlab testing BR2_PACKAGE_HOST_QEMU=y @@ -56,3 +57,12 @@ BR2_PACKAGE_RUNC=y BR2_PACKAGE_IPTABLES=y BR2_PACKAGE_GIT=y + +BR2_PACKAGE_LIBCURL=y +BR2_PACKAGE_OPENSSL=y +BR2_PACKAGE_LIBOPENSSL=y +BR2_PACKAGE_LIBOPENSSL_BIN=y +BR2_PACKAGE_LIBRESSL_ARCH_SUPPORTS=y +BR2_PACKAGE_HAS_OPENSSL=y +BR2_PACKAGE_PROVIDES_OPENSSL="libopenssl" +BR2_PACKAGE_PROVIDES_HOST_OPENSSL="host-libopenssl" From 90f82eb94b1a30221d28085dbb81757997d224ed Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Mon, 30 Sep 2024 13:59:58 +0300 Subject: [PATCH 12/18] feat(buildroot): Add script to run guest attestation --- buildroot/linux/package/setup/setup.mk | 1 + buildroot/linux/systemd/attest.sh | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 buildroot/linux/systemd/attest.sh diff --git a/buildroot/linux/package/setup/setup.mk b/buildroot/linux/package/setup/setup.mk index a7b20c9..384f901 100644 --- a/buildroot/linux/package/setup/setup.mk 
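Review bot: Of the options appended to the defconfig, `BR2_PACKAGE_LIBRESSL_ARCH_SUPPORTS`, `BR2_PACKAGE_HAS_OPENSSL`, `BR2_PACKAGE_PROVIDES_OPENSSL` and `BR2_PACKAGE_PROVIDES_HOST_OPENSSL` look like symbols Buildroot derives from the selected provider rather than user-facing choices; `make savedefconfig` normally omits them, and hand-writing them can conflict with what Kconfig computes if the provider is ever switched. Keeping only `BR2_PACKAGE_LIBCURL=y`, `BR2_PACKAGE_OPENSSL=y`, `BR2_PACKAGE_LIBOPENSSL=y` and `BR2_PACKAGE_LIBOPENSSL_BIN=y` and regenerating with `make savedefconfig` should give the same configuration. The commit title says "enable git", but `BR2_PACKAGE_GIT=y` is already a context line here; what the hunk enables is libcurl and OpenSSL, which a comment above the block such as `# TLS/HTTPS support for git and curl` would make clear.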
+++ b/buildroot/linux/package/setup/setup.mk
@@ -5,6 +5,7 @@ endef
 define SETUP_INSTALL_INIT_SYSTEMD
 cp ../cube/buildroot/linux/systemd/cube.service $(TARGET_DIR)/usr/lib/systemd/system/cube.service
 cp ../cube/buildroot/linux/systemd/setup-cube.sh $(TARGET_DIR)/cube/setup-cube.sh
+ cp ../cube/buildroot/linux/systemd/attest.sh $(TARGET_DIR)/cube/attest.sh
 endef

 $(eval $(generic-package))
diff --git a/buildroot/linux/systemd/attest.sh b/buildroot/linux/systemd/attest.sh
new file mode 100644
index 0000000..872bf99
--- /dev/null
+++ b/buildroot/linux/systemd/attest.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+function attest() {
+ snpguest report attestation-report.bin request-data.txt --random
+
+ snpguest fetch ca pem milan . --endorser vcek
+ snpguest fetch vcek pem milan . attestation-report.bin
+
+ # Verifies that ARK, ASK and VCEK are all properly signed
+ snpguest verify certs .
+
+ # Verifies the attestation-report trusted compute base matches vcek
+ snpguest verify attestation . attestation-report.bin
+
+ snpguest_report_measurement=$(snpguest display report attestation-report.bin | tr '\n' ' ' | sed "s|.*Measurement:\(.*\)Host Data.*|\1\n|g" | sed "s| ||g")
+ # Remove any special characters and print the value
+ snpguest_report_measurement=$(echo ${snpguest_report_measurement} | sed $'s/[^[:print:]\t]//g')
+ echo -e "Measurement from SNP Attestation Report: ${snpguest_report_measurement}\n"
+}
+
+attest
From 5f8bdd8d9dabc0a101d1fb1da1e66ed2c12d2116 Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Tue, 1 Oct 2024 10:02:20 +0300 Subject: [PATCH 13/18] refactor: working buildroot config --- buildroot/README.md | 4 ++-- buildroot/linux/board/cube/linux.config | 13 +++++++++++++ buildroot/linux/configs/cube_defconfig | 4 ++++ buildroot/linux/systemd/setup-cube.sh | 17 ++++++++++++++--- buildroot/qemu.sh | 11 ++++++----- 5 files changed, 39 insertions(+), 10 deletions(-)
diff --git a/buildroot/README.md b/buildroot/README.md
index 27c8482..a89cd05 100644
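Review bot: Nothing in attest.sh checks exit statuses, so when `snpguest verify certs` or `snpguest verify attestation` fails the script falls through and still prints `Measurement from SNP Attestation Report: …` as if verification had succeeded; add `set -eu` right after the shebang (or test each `snpguest` call's status) so a failed verification aborts before the measurement is echoed. The file is declared `#!/bin/sh` but uses `function attest()`, `echo -e` and the `$'…'` quoting form, all bash extensions; on a Buildroot image whose `/bin/sh` is BusyBox ash the `sed $'s/[^[:print:]\t]//g'` line in particular is likely to be mangled, so either switch the shebang to `#!/bin/bash` (if bash is in the image) or rewrite those lines in POSIX sh. A header comment should also state that verifying the report inside the guest is only a self-test: a relying party has to obtain the report and compare the measurement against its expected value out of band, since a compromised guest can print anything here. The relative paths (`attestation-report.bin`, `request-data.txt`, the `.` certificate directory) write into whatever directory the caller happens to be in; an explicit work directory such as `cd "$(mktemp -d)"` would avoid clobbering files.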
--- a/buildroot/README.md +++ b/buildroot/README.md @@ -9,8 +9,8 @@ After following the steps in [README.md](./linux/README.md), you will have bzIma Next we need to create a filesystem image. We will use `mkfs.ext4` to create the filesystem image. ```bash -dd if=/dev/zero of=rootfs.ext4 bs=1M count=10240 -mkfs.ext4 ./rootfs.ext4 +dd if=/dev/zero of=rootfs.img bs=1M count=10240 +mkfs.ext4 ./rootfs.img ``` Now we can run the QEMU VM with the filesystem image. diff --git a/buildroot/linux/board/cube/linux.config b/buildroot/linux/board/cube/linux.config index e49063d..0d01328 100644 --- a/buildroot/linux/board/cube/linux.config +++ b/buildroot/linux/board/cube/linux.config @@ -34,6 +34,7 @@ CONFIG_VIRTIO_INPUT=y CONFIG_VIRTIO_MMIO=y CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y CONFIG_EXT4_FS=y +CONFIG_EXT4_FS_POSIX_ACL=y CONFIG_AUTOFS4_FS=y CONFIG_TMPFS=y CONFIG_TMPFS_POSIX_ACL=y @@ -66,3 +67,15 @@ CONFIG_DEBUG_PREEMPT=n CONFIG_CGROUP_MISC=y CONFIG_X86_CPUID=y CONFIG_X86_MSR=y + +CONFIG_KERNEL_EXT4_FS_SECURITY=y +CONFIG_EXT4_FS_SECURITY=y + + +CONFIG_QUOTA=y +CONFIG_QUOTA_NETLINK_INTERFACE=y +CONFIG_PRINT_QUOTA_WARNING=y +CONFIG_QUOTA_DEBUG=y +CONFIG_QUOTA_TREE=y +CONFIG_QFMT_V2=y +CONFIG_EXT4_FS_QUOTA=y diff --git a/buildroot/linux/configs/cube_defconfig b/buildroot/linux/configs/cube_defconfig index be8659e..76d88f5 100644 --- a/buildroot/linux/configs/cube_defconfig +++ b/buildroot/linux/configs/cube_defconfig @@ -56,6 +56,7 @@ BR2_PACKAGE_CONTAINERD=y BR2_PACKAGE_RUNC=y BR2_PACKAGE_IPTABLES=y + BR2_PACKAGE_GIT=y BR2_PACKAGE_LIBCURL=y @@ -66,3 +67,6 @@ BR2_PACKAGE_LIBRESSL_ARCH_SUPPORTS=y BR2_PACKAGE_HAS_OPENSSL=y BR2_PACKAGE_PROVIDES_OPENSSL="libopenssl" BR2_PACKAGE_PROVIDES_HOST_OPENSSL="host-libopenssl" + +BR2_PACKAGE_QUOTA=y +BR2_PACKAGE_QUOTATOOL=y diff --git a/buildroot/linux/systemd/setup-cube.sh b/buildroot/linux/systemd/setup-cube.sh index 11396f4..61418ae 100755 --- a/buildroot/linux/systemd/setup-cube.sh +++ b/buildroot/linux/systemd/setup-cube.sh 
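Review bot: `CONFIG_KERNEL_EXT4_FS_SECURITY=y` is not a kernel Kconfig symbol I recognise (the real option is the `CONFIG_EXT4_FS_SECURITY=y` on the next line), so the kernel's config step will silently drop it; remove the line, and if it was meant as a Buildroot option note that `BR2_`-prefixed symbols belong in the defconfig rather than `linux.config`. `CONFIG_QUOTA_DEBUG=y` turns on the quota subsystem's internal consistency checks, which are meant for debugging the quota code itself and add cost to every quota operation, so it should be left unset unless that debugging is wanted. `CONFIG_PRINT_QUOTA_WARNING` is, if I recall the Kconfig help correctly, marked obsolete in favour of the netlink interface enabled on the line above it, so it is probably redundant here. A short comment above the block saying why quotas are enabled (presumably per-container disk limits for Docker on the mounted volume) would make the intent clear.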
@@ -16,9 +16,20 @@ for IFACE in $IFACES; do fi done +# Change the docker.service file to allow the Docker to run in RAM +mkdir -p /etc/systemd/system/docker.service.d + +# Create or overwrite the override.conf file with the new Environment variable +tee /etc/systemd/system/docker.service.d/override.conf > /dev/null < /dev/null < Date: Tue, 1 Oct 2024 11:11:56 +0300 Subject: [PATCH 14/18] docs: update documentation on how to start vm Signed-off-by: Rodney Osodo --- buildroot/README.md | 57 ++++++++++++++++++++++--- buildroot/linux/README.md | 2 +- buildroot/linux/board/cube/linux.config | 1 - buildroot/linux/configs/cube_defconfig | 1 - buildroot/qemu.sh | 4 +- 5 files changed, 53 insertions(+), 12 deletions(-) diff --git a/buildroot/README.md b/buildroot/README.md index a89cd05..13ac642 100644 --- a/buildroot/README.md +++ b/buildroot/README.md 
@@ -9,29 +9,72 @@ After following the steps in [README.md](./linux/README.md), you will have bzIma Next we need to create a filesystem image. We will use `mkfs.ext4` to create the filesystem image. ```bash -dd if=/dev/zero of=rootfs.img bs=1M count=10240 +dd if=/dev/zero of=rootfs.img bs=1M count=30720 mkfs.ext4 ./rootfs.img ``` Now we can run the QEMU VM with the filesystem image. ```bash -bash buildroot/qemu.sh +sudo bash buildroot/qemu.sh start_cvm +``` + +If you want to start a normal VM, you can run: + +```bash +sudo bash buildroot/qemu.sh start ``` Login to the VM using the following credentials: - Username: `root` -To mount the filesystem image, you can use the following command: +Attest the VM by running the following command: + +```bash +bash /cube/attest.sh +``` + +You will see a report similar to the following: + +```bash +The AMD ARK was self-signed! +The AMD ASK was signed by the AMD ARK! +The VCEK was signed by the AMD ASK! +Reported TCB Boot Loader from certificate matches the attestation report. +Reported TCB TEE from certificate matches the attestation report. +Reported TCB SNP from certificate matches the attestation report. +Reported TCB Microcode from certificate matches the attestation report. +Chip ID from certificate matches the attestation report. +VEK signed the Attestation Report! +Measurement from SNP Attestation Report: daa2e216eafd8c6404b72157a130500ab0c0944064c8e1009ebf5e910371caf57a6711654108a01a69baaa1a05759cf0 +``` + +Clone the repository. Since this is a private repository, you need to create a classic personal access token with `repo` and `read:packages` permissions. + +```bash +git clone https://github.com/ultravioletrs/cube.git +``` + +Your username is your github username and your password is the access token you generated in step above. + +Login to the docker registry + +```bash +docker login ghcr.io +``` + +Your username is your github username and your password is the access token you generated in step above. 
+ +Pull the docker images ```bash -mkdir -p /mnt/docker-volume -mount /dev/vda /mnt/docker-volume +cd cube/docker-compose/ +docker compose pull ``` -You can now access the persitent storage of the VM using the following command: +Start the docker composition ```bash -ls /mnt/docker-volume +docker compose up -d ``` diff --git a/buildroot/linux/README.md b/buildroot/linux/README.md index b49c641..6040229 100644 --- a/buildroot/linux/README.md +++ b/buildroot/linux/README.md @@ -10,7 +10,7 @@ HAL uses [Buildroot](https://buildroot.org/)'s [_External Tree_ mechanism](https git clone https://gitlab.com/buildroot.org/buildroot.git git clone https://github.com/ultravioletrs/cube.git cd buildroot -make BR2_EXTERNAL=../cube/hal/linux cube_defconfig +make BR2_EXTERNAL=../cube/buildroot/linux cube_defconfig # Execute 'make menuconfig' only if you want to make additional configuration changes to Buildroot. make menuconfig make diff --git a/buildroot/linux/board/cube/linux.config b/buildroot/linux/board/cube/linux.config index 0d01328..ad5e14d 100644 --- a/buildroot/linux/board/cube/linux.config +++ b/buildroot/linux/board/cube/linux.config @@ -71,7 +71,6 @@ CONFIG_X86_MSR=y CONFIG_KERNEL_EXT4_FS_SECURITY=y CONFIG_EXT4_FS_SECURITY=y - CONFIG_QUOTA=y CONFIG_QUOTA_NETLINK_INTERFACE=y CONFIG_PRINT_QUOTA_WARNING=y diff --git a/buildroot/linux/configs/cube_defconfig b/buildroot/linux/configs/cube_defconfig index 76d88f5..3f884c3 100644 --- a/buildroot/linux/configs/cube_defconfig +++ b/buildroot/linux/configs/cube_defconfig @@ -56,7 +56,6 @@ BR2_PACKAGE_CONTAINERD=y BR2_PACKAGE_RUNC=y BR2_PACKAGE_IPTABLES=y - BR2_PACKAGE_GIT=y BR2_PACKAGE_LIBCURL=y diff --git a/buildroot/qemu.sh b/buildroot/qemu.sh index 5241673..4a5ef6b 100644 --- a/buildroot/qemu.sh +++ b/buildroot/qemu.sh 
@@ -46,7 +46,7 @@ function start_qemu(){ -machine q35 \ -enable-kvm \ -boot d \ - -netdev user,id=vmnic,hostfwd=tcp::6190-:80,hostfwd=tcp::6191-:443,hostfwd=tcp::6192-:3001,dns=8.8.8.8 \ + -netdev user,id=vmnic,hostfwd=tcp::6191-:80,hostfwd=tcp::6192-:443,hostfwd=tcp::6193-:3001,dns=8.8.8.8 \ -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \ -nographic \ -no-reboot \ @@ -74,7 +74,7 @@ function start_cvm(){ -machine q35 \ -enable-kvm \ -boot d \ - -netdev user,id=vmnic,hostfwd=tcp::6190-:80,hostfwd=tcp::6191-:443,hostfwd=tcp::6192-:3001,dns=8.8.8.8 \ + -netdev user,id=vmnic,hostfwd=tcp::6191-:80,hostfwd=tcp::6192-:443,hostfwd=tcp::6193-:3001,dns=8.8.8.8 \ -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \ -nographic \ -no-reboot \ From 38d1636c64d3e5a64ed5ea3ec1057fa5cd7277f4 Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Tue, 1 Oct 2024 12:38:44 +0300 Subject: [PATCH 15/18] fix: make attest.sh executable --- buildroot/linux/systemd/attest.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 buildroot/linux/systemd/attest.sh diff --git a/buildroot/linux/systemd/attest.sh b/buildroot/linux/systemd/attest.sh old mode 100644 new mode 100755 From 7d6212231c4dfcc10fcbdc6611bf4547425ea06d Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Tue, 1 Oct 2024 15:48:28 +0300 Subject: [PATCH 16/18] refactor(buildroot): add root password and change sev params --- buildroot/linux/configs/cube_defconfig | 10 ++++++++++ buildroot/qemu.sh | 6 ++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/buildroot/linux/configs/cube_defconfig b/buildroot/linux/configs/cube_defconfig index 3f884c3..5ff0891 100644 --- a/buildroot/linux/configs/cube_defconfig +++ b/buildroot/linux/configs/cube_defconfig 
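Review bot: The renumbered `hostfwd` rules still omit a host bind address, so QEMU's user-mode netdev listens on all host interfaces (its default when no hostaddr is given) for ports 6191–6193 and exposes the guest's HTTP, HTTPS and port-3001 services to the host's whole network rather than just to the developer; bind them to loopback unless remote access is intended, e.g. `hostfwd=tcp:127.0.0.1:6191-:80,hostfwd=tcp:127.0.0.1:6192-:443,hostfwd=tcp:127.0.0.1:6193-:3001`. The same `-netdev` line is duplicated verbatim in `start_qemu` and `start_cvm` (both functions start and end outside these hunks); a shared `NETDEV_ARG` variable would keep the two from drifting again as they did with the port numbers. `dns=8.8.8.8` pins guest DNS to a public resolver; if that is deliberate, a comment saying so would help.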
@@ -69,3 +69,13 @@ BR2_PACKAGE_PROVIDES_HOST_OPENSSL="host-libopenssl" BR2_PACKAGE_QUOTA=y BR2_PACKAGE_QUOTATOOL=y + +BR2_TARGET_GENERIC_PASSWD_SHA512=y +BR2_TARGET_GENERIC_PASSWD_METHOD="sha-512" + +BR2_TARGET_ENABLE_ROOT_LOGIN=y +BR2_TARGET_GENERIC_ROOT_PASSWD="m2N2Lfno" + +BR2_PACKAGE_HOST_MKPASSWD=y + +BR2_PACKAGE_HTOP=y diff --git a/buildroot/qemu.sh b/buildroot/qemu.sh index 4a5ef6b..f565386 100644 --- a/buildroot/qemu.sh +++ b/buildroot/qemu.sh @@ -45,7 +45,6 @@ function start_qemu(){ -cpu $CPU_TYPE \ -machine q35 \ -enable-kvm \ - -boot d \ -netdev user,id=vmnic,hostfwd=tcp::6191-:80,hostfwd=tcp::6192-:443,hostfwd=tcp::6193-:3001,dns=8.8.8.8 \ -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \ -nographic \ @@ -73,7 +72,6 @@ function start_cvm(){ -cpu $CPU_TYPE \ -machine q35 \ -enable-kvm \ - -boot d \ -netdev user,id=vmnic,hostfwd=tcp::6191-:80,hostfwd=tcp::6192-:443,hostfwd=tcp::6193-:3001,dns=8.8.8.8 \ -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \ -nographic \ @@ -84,9 +82,9 @@ function start_cvm(){ -drive if=pflash,format=raw,unit=0,file=$QEMU_OVMF_CODE,readonly=on \ -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=198 \ -object memory-backend-memfd-private,id=ram1,size=$RAM,share=true \ - -machine memory-encryption=sev0-cb42cb55-17d4-4da3-9321-d04b4961b0e4 \ + -machine memory-encryption=sev0 \ -machine memory-backend=ram1,kvm-type=protected \ - -object sev-snp-guest,id=sev0-cb42cb55-17d4-4da3-9321-d04b4961b0e4,cbitpos=51,reduced-phys-bits=1,discard=none,kernel-hashes=on \ + -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,discard=none,kernel-hashes=on \ -append "$QEMU_APPEND_ARG" } From e33eab94286232af97582359a97054bf9e928b2a Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Tue, 1 Oct 2024 16:16:05 +0300 Subject: [PATCH 17/18] style(proxy): one line const definition --- proxy/api/transport.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
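Review bot: `BR2_TARGET_GENERIC_ROOT_PASSWD="m2N2Lfno"` commits a cleartext root password to the repository and bakes the same password into every image built from it, so anyone who can read the repo or the image can log in as root on the console, including in the SEV-SNP guest this series sets up attestation for; a measured image is worth little if it ships a publicly known root credential. Prefer an empty value with `BR2_TARGET_ENABLE_ROOT_LOGIN` unset and key-based access, or, where a console login is genuinely needed, supply the hash rather than the password: Buildroot accepts an already-hashed value (a `$6$…` string from `mkpasswd -m sha-512`), and it can be injected at build time from an uncommitted config fragment or a post-build script instead of living in the defconfig. If the hash is supplied pre-computed, `BR2_PACKAGE_HOST_MKPASSWD=y` is also unnecessary, since as far as I recall Buildroot selects host-mkpasswd itself only when it has to hash a cleartext password.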
diff --git a/proxy/api/transport.go b/proxy/api/transport.go
index 9c20671..2c2c177 100644
--- a/proxy/api/transport.go
+++ b/proxy/api/transport.go
@@ -17,9 +17,7 @@ import (
 "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 )

-const (
- ContentType = "application/json"
-)
+const ContentType = "application/json"

 func MakeHandler(svc proxy.Service, logger *slog.Logger, instanceID string) http.Handler {
 opts := []kithttp.ServerOption{
From 9f2b4800de693e70f4871d33e256fb33086fee5c Mon Sep 17 00:00:00 2001 From: Rodney Osodo Date: Tue, 1 Oct 2024 20:44:32 +0300 Subject: [PATCH 18/18] fix(buildroot): change path for qemu on dell machine --- buildroot/qemu.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/buildroot/qemu.sh b/buildroot/qemu.sh
index f565386..f83a798 100644
--- a/buildroot/qemu.sh
+++ b/buildroot/qemu.sh
@@ -4,8 +4,8 @@ VM_NAME="cube-ai-vm"
 RAM="10240M"
 CPU="4"
 CPU_TYPE="EPYC-v4"
-QEMU_AMDSEV_BINARY="/home/cocosai/danko/AMDSEV/usr/local/bin/qemu-system-x86_64"
-QEMU_OVMF_CODE="/home/cocosai/danko/AMDSEV/ovmf/Build/AmdSev/DEBUG_GCC5/FV/OVMF.fd"
+QEMU_AMDSEV_BINARY="/var/cube-ai/bin/qemu-system-x86_64"
+QEMU_OVMF_CODE="/var/cube-ai/OVMF.fd"
 KERNEL_PATH="../buildroot/output/images/bzImage"
 INITRD_PATH="../buildroot/output/images/rootfs.cpio.gz"
 FS_PATH="./rootfs.img"
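Review bot: The new `QEMU_AMDSEV_BINARY` and `QEMU_OVMF_CODE` values are still absolute paths to one machine's install under `/var/cube-ai`, and nothing in the script checks that they exist or lets a caller override them, so on any other host the failure is a confusing QEMU error rather than a clear message. For SEV-SNP the OVMF image is part of the launch measurement, so which `OVMF.fd` sits at that path determines the `Measurement:` value the README documents; the script should pin the firmware build it expects (a comment with its version or a hash check) rather than take whatever file is present. Suggest environment-overridable defaults with an existence check:
```shell
QEMU_AMDSEV_BINARY="${QEMU_AMDSEV_BINARY:-/var/cube-ai/bin/qemu-system-x86_64}"
# OVMF is measured into the SEV-SNP launch digest; changing it changes the expected measurement.
QEMU_OVMF_CODE="${QEMU_OVMF_CODE:-/var/cube-ai/OVMF.fd}"
for f in "$QEMU_AMDSEV_BINARY" "$QEMU_OVMF_CODE"; do
    [ -e "$f" ] || { echo "missing required file: $f" >&2; exit 1; }
done
# … unchanged: KERNEL_PATH, INITRD_PATH, FS_PATH …
```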