Nitro Enclaves support a special "debug" mode. When in debug mode, the Nitro Hypervisor provides a vsock port that the parent can connect to to receive serial console output of the Enclave. Add a new nitro-serial-vsock driver that implements short-circuit logic to establish the vsock connection to that port and feed its data into a chardev, so that a machine model can use it as serial device.
Signed-off-by: Alexander Graf <[email protected]> --- v1 -> v2: - Convert to nitro-vsock-device - Use enclave_started() callback instead of enclave-cid QOM property - Move directory infrastructure to bus patch --- hw/nitro/Kconfig | 4 ++ hw/nitro/meson.build | 1 + hw/nitro/serial-vsock.c | 123 ++++++++++++++++++++++++++++++++ hw/nitro/trace-events | 2 + include/hw/nitro/serial-vsock.h | 24 +++++++ 5 files changed, 154 insertions(+) create mode 100644 hw/nitro/serial-vsock.c create mode 100644 include/hw/nitro/serial-vsock.h diff --git a/hw/nitro/Kconfig b/hw/nitro/Kconfig index 767472cb2c..ce24c09c21 100644 --- a/hw/nitro/Kconfig +++ b/hw/nitro/Kconfig @@ -1,2 +1,6 @@ config NITRO_VSOCK_BUS bool + +config NITRO_SERIAL_VSOCK + bool + depends on NITRO_VSOCK_BUS diff --git a/hw/nitro/meson.build b/hw/nitro/meson.build index 7e2807f137..76399d4265 100644 --- a/hw/nitro/meson.build +++ b/hw/nitro/meson.build @@ -1 +1,2 @@ system_ss.add(when: 'CONFIG_NITRO_VSOCK_BUS', if_true: files('nitro-vsock-bus.c')) +system_ss.add(when: 'CONFIG_NITRO_SERIAL_VSOCK', if_true: files('serial-vsock.c')) diff --git a/hw/nitro/serial-vsock.c b/hw/nitro/serial-vsock.c new file mode 100644 index 0000000000..1d56c33804 --- /dev/null +++ b/hw/nitro/serial-vsock.c @@ -0,0 +1,123 @@ +/* + * Nitro Enclave Vsock Serial + * + * Copyright © 2026 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Authors: + * Alexander Graf <[email protected]> + * + * With Nitro Enclaves in debug mode, the Nitro Hypervisor provides a vsock + * port that the parent can connect to to receive serial console output of + * the Enclave. This driver implements short-circuit logic to establish the + * vsock connection to that port and feed its data into a chardev, so that + * a machine model can use it as serial device. + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "qemu/error-report.h" +#include "qapi/error.h" +#include "chardev/char.h" +#include "chardev/char-fe.h" +#include "hw/core/qdev-properties.h" +#include "hw/core/qdev-properties-system.h" +#include "hw/nitro/serial-vsock.h" +#include "trace.h" + +#define CONSOLE_PORT_START 10000 +#define VMADDR_CID_HYPERVISOR_STR "0" + +static int nitro_serial_vsock_can_read(void *opaque) +{ + NitroSerialVsockState *s = opaque; + + /* Refuse vsock input until the output backend is ready */ + return qemu_chr_fe_backend_open(&s->output) ? 4096 : 0; +} + +static void nitro_serial_vsock_read(void *opaque, const uint8_t *buf, int size) +{ + NitroSerialVsockState *s = opaque; + + /* Forward all vsock data to the output chardev */ + qemu_chr_fe_write_all(&s->output, buf, size); +} + +static void nitro_serial_vsock_event(void *opaque, QEMUChrEvent event) +{ + /* No need to action on connect/disconnect events, but trace for debug */ + trace_nitro_serial_vsock_event(event); +} + +static void nitro_serial_vsock_enclave_started(NitroVsockDevice *dev, + uint32_t enclave_cid, + Error **errp) +{ + NitroSerialVsockState *s = NITRO_SERIAL_VSOCK(dev); + uint32_t port = enclave_cid + CONSOLE_PORT_START; + g_autofree char *chardev_id = NULL; + Chardev *chr; + ChardevBackend *backend; + ChardevSocket *sock; + + /* + * We know the Enclave CID to connect to now. Create a vsock + * client chardev that connects to the Enclave's console. + */ + chardev_id = g_strdup_printf("nitro-console-%u", enclave_cid); + + backend = g_new0(ChardevBackend, 1); + backend->type = CHARDEV_BACKEND_KIND_SOCKET; + sock = backend->u.socket.data = g_new0(ChardevSocket, 1); + sock->addr = g_new0(SocketAddressLegacy, 1); + sock->addr->type = SOCKET_ADDRESS_TYPE_VSOCK; + sock->addr->u.vsock.data = g_new0(VsockSocketAddress, 1); + sock->addr->u.vsock.data->cid = g_strdup(VMADDR_CID_HYPERVISOR_STR); + sock->addr->u.vsock.data->port = g_strdup_printf("%u", port); + sock->server = false; + sock->has_server = true; + + chr = qemu_chardev_new(chardev_id, TYPE_CHARDEV_SOCKET, + backend, NULL, errp); + if (!chr) { + return; + } + + if (!qemu_chr_fe_init(&s->vsock, chr, errp)) { + return; + } + + qemu_chr_fe_set_handlers(&s->vsock, + nitro_serial_vsock_can_read, + nitro_serial_vsock_read, + nitro_serial_vsock_event, + NULL, s, NULL, true); +} + +static const Property nitro_serial_vsock_props[] = { + DEFINE_PROP_CHR("chardev", NitroSerialVsockState, output), +}; + +static void nitro_serial_vsock_class_init(ObjectClass *oc, const void *data) +{ + DeviceClass *dc = DEVICE_CLASS(oc); + NitroVsockDeviceClass *ndc = NITRO_VSOCK_DEVICE_CLASS(oc); + + device_class_set_props(dc, nitro_serial_vsock_props); + ndc->enclave_started = nitro_serial_vsock_enclave_started; +} + +static const TypeInfo nitro_serial_vsock_info = { + .name = TYPE_NITRO_SERIAL_VSOCK, + .parent = TYPE_NITRO_VSOCK_DEVICE, + .instance_size = sizeof(NitroSerialVsockState), + .class_init = nitro_serial_vsock_class_init, +}; + +static void nitro_serial_vsock_register(void) +{ + type_register_static(&nitro_serial_vsock_info); +} + +type_init(nitro_serial_vsock_register); diff --git a/hw/nitro/trace-events b/hw/nitro/trace-events index 9ccc579048..20617a024a 100644 --- a/hw/nitro/trace-events +++ b/hw/nitro/trace-events @@ -1,2 +1,4 @@ # See docs/devel/tracing.rst for syntax documentation. +# serial-vsock.c +nitro_serial_vsock_event(int event) "event %d" diff --git a/include/hw/nitro/serial-vsock.h b/include/hw/nitro/serial-vsock.h new file mode 100644 index 0000000000..c365880e11 --- /dev/null +++ b/include/hw/nitro/serial-vsock.h @@ -0,0 +1,24 @@ +/* + * Nitro Enclave Serial (vsock) + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef HW_CHAR_NITRO_SERIAL_VSOCK_H +#define HW_CHAR_NITRO_SERIAL_VSOCK_H + +#include "hw/nitro/nitro-vsock-bus.h" +#include "chardev/char-fe.h" +#include "qom/object.h" + +#define TYPE_NITRO_SERIAL_VSOCK "nitro-serial-vsock" +OBJECT_DECLARE_SIMPLE_TYPE(NitroSerialVsockState, NITRO_SERIAL_VSOCK) + +struct NitroSerialVsockState { + NitroVsockDevice parent_obj; + + CharFrontend output; /* chardev to write console output to */ + CharFrontend vsock; /* vsock chardev to enclave console */ +}; + +#endif /* HW_CHAR_NITRO_SERIAL_VSOCK_H */ -- 2.47.1 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597
