contrib: gunyah-hypervisor major update

This change contains significant updates to the Gunyah Hypervisor.

Signed-off-by: Carl van Schaik <[email protected]>

.clang-format

@@ -13,10 +13,30 @@ Language:        Cpp
 AccessModifierOffset: -8
 AlignAfterOpenBracket: Align
 AlignArrayOfStructures: None
-AlignConsecutiveMacros: Consecutive
-AlignConsecutiveAssignments: Consecutive
-AlignConsecutiveBitFields: None
-AlignConsecutiveDeclarations: Consecutive
+AlignConsecutiveAssignments:
+  Enabled:         true
+  AcrossEmptyLines: false
+  AcrossComments:  false
+  AlignCompound:   false
+  PadOperators:    true
+AlignConsecutiveBitFields:
+  Enabled:         false
+  AcrossEmptyLines: false
+  AcrossComments:  false
+  AlignCompound:   false
+  PadOperators:    true
+AlignConsecutiveDeclarations:
+  Enabled:         true
+  AcrossEmptyLines: false
+  AcrossComments:  false
+  AlignCompound:   false
+  PadOperators:    true
+AlignConsecutiveMacros:
+  Enabled:         true
+  AcrossEmptyLines: false
+  AcrossComments:  false
+  AlignCompound:   false
+  PadOperators:    true
 AlignEscapedNewlines: Right
 AlignOperands:   Align
 AlignTrailingComments: true
@@ -49,6 +69,11 @@ AttributeMacros:
   - RELEASE_READ
   - REQUIRE_READ
   - EXCLUDE_READ
+  - ACQUIRE_RCU_READ
+  - TRY_ACQUIRE_RCU_READ
+  - RELEASE_RCU_READ
+  - REQUIRE_RCU_READ
+  - EXCLUDE_RCU_READ
   - LOCK_IMPL
   - ACQUIRE_SPINLOCK
   - ACQUIRE_SPINLOCK_NP
@@ -84,7 +109,7 @@ BraceWrapping:
   SplitEmptyRecord: true
   SplitEmptyNamespace: true
 BreakBeforeBinaryOperators: None
-BreakBeforeConceptDeclarations: true
+BreakBeforeConceptDeclarations: Always
 BreakBeforeBraces: Custom
 BreakBeforeInheritanceComma: false
 BreakInheritanceList: BeforeComma
@@ -95,6 +120,7 @@ BreakAfterJavaFieldAnnotations: false
 BreakStringLiterals: false
 ColumnLimit:     80
 CommentPragmas:  '^ FIXME:'
+QualifierAlignment: Left
 CompactNamespaces: false
 ConstructorInitializerIndentWidth: 8
 ContinuationIndentWidth: 8
@@ -105,6 +131,10 @@ DisableFormat:   false
 EmptyLineAfterAccessModifier: Never
 EmptyLineBeforeAccessModifier: LogicalBlock
 ExperimentalAutoDetectBinPacking: false
+PackConstructorInitializers: BinPack
+BasedOnStyle:    ''
+ConstructorInitializerAllOnOneLineOrOnePerLine: false
+AllowAllConstructorInitializersOnNextLine: true
 FixNamespaceComments: true
 ForEachMacros:
   - list_foreach
@@ -155,9 +185,10 @@ IndentCaseBlocks: false
 IndentGotoLabels: true
 IndentPPDirectives: None
 IndentExternBlock: AfterExternBlock
-IndentRequires:  false
+IndentRequiresClause: false
 IndentWidth:     8
 IndentWrappedFunctionNames: false
+InsertBraces:    true
 InsertTrailingCommas: None
 JavaScriptQuotes: Leave
 JavaScriptWrapImports: true
@@ -176,6 +207,7 @@ PenaltyBreakAssignment: 10
 PenaltyBreakBeforeFirstCallParameter: 30
 PenaltyBreakComment: 10
 PenaltyBreakFirstLessLess: 0
+PenaltyBreakOpenParenthesis: 0
 PenaltyBreakString: 10
 PenaltyBreakTemplateDeclaration: 10
 PenaltyExcessCharacter: 100
@@ -185,6 +217,9 @@ PointerAlignment: Right
 PPIndentWidth:   -1
 ReferenceAlignment: Pointer
 ReflowComments:  true
+RemoveBracesLLVM: false
+RequiresClausePosition: OwnLine
+SeparateDefinitionBlocks: Always
 ShortNamespaceLines: 1
 SortIncludes:    CaseSensitive
 SortJavaStaticImport: Before
@@ -198,6 +233,16 @@ SpaceBeforeCpp11BracedList: false
 SpaceBeforeCtorInitializerColon: true
 SpaceBeforeInheritanceColon: true
 SpaceBeforeParens: ControlStatements
+SpaceBeforeParensOptions:
+  AfterControlStatements: true
+  AfterForeachMacros: true
+  AfterFunctionDefinitionName: false
+  AfterFunctionDeclarationName: false
+  AfterIfMacros:   true
+  AfterOverloadedOperator: false
+  AfterRequiresInClause: false
+  AfterRequiresInExpression: false
+  BeforeNonEmptyParentheses: false
 SpaceAroundPointerQualifiers: Default
 SpaceBeforeRangeBasedForLoopColon: false
 SpaceInEmptyBlock: true

.editorconfig

@@ -0,0 +1,16 @@
+root = True
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+tab_width = 8
+
+[*.{c,h,tc,ev,S,hvc}]
+indent_style = tab
+indent_size = 8
+
+[*.{py,md}]
+indent_style = space
+indent_size = 4

.gitignore

@@ -4,6 +4,7 @@
 /.ninja_log
 /.sconsign.dblite
 /build*/
+hyp/**/*.o
 
 # Ignore Python precompiled bitcode
 *.pyc
@@ -20,3 +21,10 @@
 # Ignore Vim temporary files
 .*.sw[a-p]
 .*.un~
+
+# Ignore host test temporary files
+*.o
+
+# Ignore documentation output
+*.pdf
+*.html

CHANGELOG.md

@@ -1,6 +1,7 @@
-# Changelog
+# Status and Changelog
 
-All notable changes to this project will be documented in this file.
+This page documents current status, known issues and work in progress. Some of
+these may impact your development or hypervisor usage.
 
 ## Open Issues
 
@@ -9,15 +10,29 @@ All notable changes to this project will be documented in this file.
 The Resource Manager being the root-VM, manages creation of the Primary VM
 (HLOS) and controls the rights to create additional VMs. In the Gunyah Resource
 Manager design, VM management services are provided by the Resource Manager
-(although it is technically possible for these rights to be delegated to other
-VMs).
 
-The current Resource Manager does not support Secondary VM loading. Support
-will be added in a subsequent contribution.
+Gunyah patches are required in Linux and the CrosVM VMM to support SVM loading.
 
-### 2. Virtio support
+### Known issues:
 
-Virtio support is under development and should be contributed along with secondary VM support.
+- Only QEMU serial communication is tested. Using host Linux networking (qemu
+  virtio) with adb (network) connection will permit greater flexibility in
+  connecting to the device.
+- SVM booting with Crosvm uses uart emulation, its very slow.
+- Crosvm opens the UART console in the current terminal, so it is via the host
+  uart terminal. We have not configured a way to open multiple terminals yet.
+- Debugging a system running QEMU with a remote gdb connection is unstable.
+
+### Untested scenarios:
+
+- Launching of multiple SVM's simultaneously from PVM, because of the known
+  issue of having only one console available.
+
+### TODO list:
+
+- Hardcoded platform parameters
+    + Memory address ranges are hardcoded (get from dtb nodes)
+    + Dtb address is hardcoded (get from register)
 
 ## Unreleased
 
@@ -27,7 +42,7 @@ Unreleased changes in the `develop` branch may be added here.
 
 Individual releases are tagged, and the latest release will be available in the `main` branch.
 
-* No releases have been made at this time.
+* No tagged releases have been made at this time.
 
 ## Contributions
 
@@ -38,4 +53,5 @@ Significant contributions are listed here.
 This is the initial contribution of source code to the Gunyah Hypervisor.
 
 * Support for QEMU AArch64 Simulator
-* Support unmodified Linux Primary VM kernel
+* Support unmodified Linux Primary VM kernel or with Gunyah patches for VM loading
+* Support unmodified Linux Secondary VM kernel

README.md

@@ -1,18 +1,27 @@
-![Qualcomm Innovation Center.](docs/images/logo-quic-on%40h68.png)
+[<img src="docs/images/logo-quic-on%40h68.png" height="68px" width="393px" alt="Qualcomm Innovation Center" align="right"/>](https://github.com/quic)
 
 # Gunyah Hypervisor
 
+Gunyah is a high performance, scalable and flexible hypervisor built for
+demanding battery powered, real-time, safety and security use cases.
+
+The Gunyah Hypervisor open source project provides a reference Type-1
+hypervisor configuration suitable for general purpose hosting of multiple
+trusted and dependent VMs.
+
+## Gunyah Origins
+
 *Gunyah* is an Australian Aboriginal word. See: https://en.wiktionary.org/wiki/gunyah
 
 The Gunyah Hypervisor was developed by Qualcomm in Sydney Australia.
 
 ## Type-1 Hypervisor Concept
 
-Gunyah is a Type-1 hypervisor, meaning that it is independent of any high-level
-OS kernel, and runs in a higher CPU privilege level. It does not depend on any
-lower-privileged OS kernel/code for its core functionality. This increases its
-security and can support a much smaller trusted computing base than a Type-2
-hypervisor.
+Gunyah is a Type-1 hypervisor, meaning that it runs independently of any
+high-level OS kernel - such as Linux, and runs in a higher CPU privilege level
+than VMs. It does not depend on any lower-privileged OS kernel/code for its
+core functionality. This increases its security and can support a much smaller
+trusted computing base than a Type-2 like hosted-hypervisors.
 
 Gunyah's design principle is not dissimilar to a traditional microkernel in
 that it provides only a minimal set of critical services to its clients, and
@@ -21,15 +30,16 @@ less-privileged) processes, wherever this is possible without an adverse impact
 on performance or security.
 
 The hypervisor uses the CPU's virtualization mode and features to isolate
-itself from OS kernels in VMs. On ARM, this includes trapping privileged
-registers, using GIC virtualization support, and the Stage-2 MMU to provide
-isolated VMs in EL1/0.
+itself from OS kernels in VMs and isolate VMs from each other. On ArM, this
+includes trapping and emulating registers as required, virtualizing core
+platform devices, Arm's GIC virtualization support, and the CPU's Stage-2 MMU
+to provide isolated VMs in EL1/0.
 
 ## Why Gunyah
 
-- **strong security**: Mobile payments, secure user-interface, and many more security sensitive use-cases all require strong security. Gunyah's design is suited to providing strong isolation guarantees and its small size is conducive to audit.
-- **performance**: Mobile devices are particularly demanding. Battery powered devices demand low software overheads to get the most performance per-watt. Gunyah is designed to have high performance with minimal impact to high-level operating systems.
-- **modularity**: The hypervisor is designed to be modular, allowing customization and enhancement by swapping out module implementations and adding new feature via new modules.
+- **Strong security**: Mobile payments, secure user-interface, and many more security sensitive use-cases all require strong security. Gunyah's design is suited to providing strong isolation guarantees and its small size is conducive to audit.
+- **Performance**: Mobile devices are particularly demanding. Battery powered devices demand low software overheads to get the most performance per-watt. Gunyah is designed to have high performance with minimal impact to high-level operating systems.
+- **Modularity**: The hypervisor is designed to be modular, allowing customization and enhancement by swapping out module implementations and adding new feature via new modules.
 
 ## Features
 
@@ -41,17 +51,23 @@ isolated VMs in EL1/0.
 
 ## Platform Support
 
-Gunyah is architected to support other CPU architectures, so its core design ensures architecture independence and portability in non-architecture specific areas.
+Gunyah is architected to support multiple CPU architectures, so its core design
+ensures architecture independence and portability in non-architecture specific
+areas.
 
-Gunyah currently supports ARMv8.2+ platforms as it uses AArch64 EL2 in VHE mode. Some porting is required to support ARMv8.0.
+Gunyah currently supports the ARM64 (ARMv8+) architecure, it uses AArch64 EL2
+in VHE mode by default.
 
-We have developed an initial port of Gunyah to the QEMU ARMv8 simulator. *Note QEMU v5+ is required*. Additional platforms are expected to be supported in future contributions.
+We have developed an initial port of Gunyah to the QEMU Arm System emulator.
+*Note QEMU v7+ is recommended*. Additional platforms are expected to be
+supported in future contributions.
 
 ## Getting Started
+- [Terminology](docs/terminology.md)
 - [Setup Instructions](docs/setup.md)
+    + [Quick Start Instructions](https://github.com/quic/gunyah-support-scripts/blob/develop/quickstart.md)
 - [Build Instructions](docs/build.md)
-- [Testing Instructions](docs/test.md)
-- [Changelog](CHANGELOG.md)
+- [Status and Changelog](CHANGELOG.md)
 
 ## Resources
 - [Gunyah Hypercall API](docs/api/gunyah_api.md)

SConstruct

@@ -10,8 +10,10 @@ import os
 
 env_vars = {
     'PATH': os.environ['PATH'],
-    'LLVM': os.environ['LLVM'],
 }
 
+if 'LLVM' in os.environ:
+    env_vars['LLVM'] = os.environ['LLVM']
+
 env = Environment(tools={}, SCANNERS=[], BUILDERS={}, ENV=env_vars)
 configure.SConsBuild(env, Builder, Action, arguments=SCons.Script.ARGUMENTS)()

config/arch/aarch64.conf

@@ -6,6 +6,5 @@ is_abi
 # Use the Linux target because it knows how to link with LLD
 target_triple aarch64-linux-gnu
 defines_link
-defines_registers
 flags -mgeneral-regs-only -mtp=el2
 configs ARCH_IS_64BIT=1 ARCH_ENDIAN_LITTLE=1

config/arch/cortex-a-v8_0.conf

@@ -0,0 +1,28 @@
+# © 2021 Qualcomm Innovation Center, Inc. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+
+base_arch armv8-64
+
+configs ARCH_AARCH64_32BIT_EL0=1
+configs ARCH_AARCH64_32BIT_EL0_ALL_CORES=1
+# FIXME
+configs ARCH_AARCH64_32BIT_EL1=0
+
+# Mandatory architecture extensions in v8.0
+configs ARCH_ARM_PMU_VER=3
+
+# The number of implemented ICH_LR<n>_EL2 registers.
+configs CPU_GICH_LR_COUNT=4U
+
+# The number of implemented ICH_APR[01]R<n>_EL2 registers.
+configs CPU_GICH_APR_COUNT=1U
+
+# The number of implemented DBGB[CV]R_EL1 (HW breakpoint) registers.
+configs CPU_DEBUG_BP_COUNT=6U
+
+# The number of implemented DBGW[CV]R_EL1 (HW watchpoint) registers.
+configs CPU_DEBUG_WP_COUNT=4U
+
+# These CPUs always have an ETM.
+configs PLATFORM_HAS_NO_ETM_BASE=0