From 902b31623cf0bb624af375f597c36c56cbf2da28 Mon Sep 17 00:00:00 2001 From: Mika Tammi Date: Mon, 26 Jun 2023 18:05:39 +0300 Subject: [PATCH 01/60] Update flake.lock MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'flake-utils': 'github:numtide/flake-utils/abfb11bd1aec8ced1c9bb9adfe68018230f4fb3c' (2023-06-19) → 'github:numtide/flake-utils/dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7' (2023-06-25) • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/649171f56a45af13ba693c156207eafbbbf7edfe' (2023-06-22) → 'github:nix-community/nixos-generators/844ce2ab9a0ba819b30df1fff2c48c9b2b2344be' (2023-06-26) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/908af6d1fa3643c5818ea45aa92b21d6385fbbe5' (2023-06-18) → 'github:nix-community/nixpkgs.lib/b3ec8fb525fc0c8f08eff5ef93c684b4c6d0e777' (2023-06-25) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/b6c73c5fe53bb3afbf65e870541e0645e9145171' (2023-06-20) → 'github:nixos/nixpkgs/35130d4b4f0b8c50ed2aceb909a538c66c91d4a0' (2023-06-25) Signed-off-by: Mika Tammi --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index c8f847bf5..e9c7b7668 100644 --- a/flake.lock +++ b/flake.lock @@ -5,11 +5,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1687171271, - "narHash": "sha256-BJlq+ozK2B1sJDQXS3tzJM5a+oVZmi1q0FlBK/Xqv7M=", + "lastModified": 1687709756, + "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", "owner": "numtide", "repo": "flake-utils", - "rev": "abfb11bd1aec8ced1c9bb9adfe68018230f4fb3c", + "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", "type": "github" }, "original": { 
@@ -63,11 +63,11 @@ }, "nixlib": { "locked": { - "lastModified": 1687049841, - "narHash": "sha256-FBNZQfWtA7bb/rwk92mfiWc85x4hXta2OAouDqO5W8w=", + "lastModified": 1687654967, + "narHash": "sha256-ki8vItcjn8Z8n+QD9NEoCQbbbG7VzWy71hyOkFFwCkM=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "908af6d1fa3643c5818ea45aa92b21d6385fbbe5", + "rev": "b3ec8fb525fc0c8f08eff5ef93c684b4c6d0e777", "type": "github" }, "original": { @@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1687398392, - "narHash": "sha256-T6kc3NMTpGJk1/dve8PGupeVcxboEb78xtTKhe3LL/A=", + "lastModified": 1687743756, + "narHash": "sha256-WhDERdaMGX73CBxpDfoauKU2Z4NC10+/4khdBbpXjWs=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "649171f56a45af13ba693c156207eafbbbf7edfe", + "rev": "844ce2ab9a0ba819b30df1fff2c48c9b2b2344be", "type": "github" }, "original": { @@ -114,11 +114,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1687288566, - "narHash": "sha256-VckkiJ88Gzdc2cstm0z5eFcrHbvkm4VjxavHBGssvZI=", + "lastModified": 1687729501, + "narHash": "sha256-mTLkMePoHUWvTCf3NuKbeYEea/tsikSIKBWwb9OfRr4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b6c73c5fe53bb3afbf65e870541e0645e9145171", + "rev": "35130d4b4f0b8c50ed2aceb909a538c66c91d4a0", "type": "github" }, "original": { From 92414ab02fd00b4454e672f577b807ab3c01bd80 Mon Sep 17 00:00:00 2001 From: Jenni Nikolaenko Date: Tue, 27 Jun 2023 17:07:32 +0300 Subject: [PATCH 02/60] Docs: add Ghaf logo Add the Ghaf logo and update the Style Guide with the information about brand font and colors. Colors may be used for diagrams. Font could be applied to change the default theme render. Signed-off-by: Jenni Nikolaenko --- README.md | 13 +++++++- docs/README-docs.md | 4 ++- docs/src/img/1600px-Ghaf_logo.svg | 12 ++++++++ docs/style_guide.md | 50 +++++++++++++++++++++---------- 4 files changed, 61 insertions(+), 18 deletions(-) create mode 100644 docs/src/img/1600px-Ghaf_logo.svg 
diff --git a/README.md b/README.md index 1cbd4f4d0..8f6bae49f 100644 --- a/README.md +++ b/README.md @@ -5,12 +5,23 @@ # TII SSRC Secure Technologies: Ghaf Framework -[![License: Apache-2.0](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0) [![License: CC-BY-SA 4.0](https://img.shields.io/badge/License-CC--BY--SA--4.0-lightgrey.svg)](https://creativecommons.org/licenses/by-sa/4.0/legalcode) [![Style Guide](https://img.shields.io/badge/docs-Style%20Guide-blueviolet)](https://github.com/tiiuae/ghaf/blob/main/docs/style_guide.md) +

+ Ghaf Logo +

+ +
+ +[![License: Apache-2.0](https://img.shields.io/badge/License-Apache--2.0-darkgreen.svg)](./LICENSES/LICENSE.Apache-2.0) [![License: CC-BY-SA 4.0](https://img.shields.io/badge/License-CC--BY--SA--4.0-orange.svg)](./LICENSES/LICENSE.CC-BY-SA-4.0) [![Style Guide](https://img.shields.io/badge/docs-Style%20Guide-yellow)](https://github.com/tiiuae/ghaf/blob/main/docs/style_guide.md) + +
This repository contains the source files (code and documentation) of Ghaf Framework — an open-source project for enhancing security through compartmentalization on edge devices. For information on build instructions and supported hardware, see the [Reference Implementations](https://tiiuae.github.io/ghaf/ref_impl/reference_implementations.html) section of Ghaf documentation. + +### Other Project Repositories + Other repositories that are a part of the Ghaf project: * : a utility that generates SBOMs given Nix derivations or out paths diff --git a/docs/README-docs.md b/docs/README-docs.md index 31c5bfb22..52944d224 100644 --- a/docs/README-docs.md +++ b/docs/README-docs.md @@ -76,7 +76,9 @@ To add new pages to the book: 2. Put images into the `src/img` folder. We make diagrams with [diagrams.net](https://www.diagrams.net/) (use it online) or [draw.io](https://drawio-app.com/blog/use-draw-io-offline/) (use it offline and on a tablet). - To embed a diagram, make sure that you use the Editable Bitmap Image format `.drawio.png`. When creating a new diagram, choose *Editable Bitmap Image format (.png)* from the list. When editing the existing diagram, select **File > Export as > PNG...** and select the **Include a copy of my diagram** check box. + * To embed a diagram, make sure that you use the Editable Bitmap Image format `.drawio.png`. When creating a new diagram, choose *Editable Bitmap Image format (.png)* from the list. When editing the existing diagram, select **File > Export as > PNG...** and select the **Include a copy of my diagram** check box. + + * Try to use main colors according to brand colors: [Fonts and Colors](./style_guide.md#fonts-and-colors). 3. Add new structure elements (chapters, sections, subsections) to **SUMMARY.md** to update the table of contents. Otherwise, the files that you added will not be visible on GitHub Pages. Example: 
diff --git a/docs/src/img/1600px-Ghaf_logo.svg b/docs/src/img/1600px-Ghaf_logo.svg new file mode 100644 index 000000000..0a4ea610a --- /dev/null +++ b/docs/src/img/1600px-Ghaf_logo.svg @@ -0,0 +1,12 @@ + + + + + + + + + + + + diff --git a/docs/style_guide.md b/docs/style_guide.md index 06eaec6b9..bad6584f1 100644 --- a/docs/style_guide.md +++ b/docs/style_guide.md 
@@ -14,14 +14,47 @@ Here you can find the standards we follow for writing, formatting, and organizin Writing guidelines: - [Documentation Style Guide](#documentation-style-guide) - - [Markdown Syntax](#markdown-syntax) - [Voice and Tone](#voice-and-tone) + - [Fonts and Colors](#fonts-and-colors) + - [Markdown Syntax](#markdown-syntax) - [Headings](#headings) - [Spelling and Punctuation](#spelling-and-punctuation) - [References](#references) - [Tips and Tricks](#tips-and-tricks) +## Voice and Tone + +* Write in plain English—a universal language that makes information clear and better to understand: + * Use simple tenses and active voice. + * Understandable language, fewer gerunds. + * Short, sharp sentence. Try to use 15-20 words max. + * [Split information in paragraphs](https://github.com/tiiuae/ghaf/tree/main/docs#managing-content). + * Do not use parenthesis for additional information, make a separate sentence instead. + * Use numbered lists for actions that happen in sequence. + * Do not contract the words: use _cannot_ instead of _can’t_. +* Use “we” for us and our work, use “you” for readers. Do not use “please” to provide instructions, just ask what should be done. +* Avoid buzzwords, slang, and jargon. +* Readers often scan rather than read, put the important facts first. +* Do not assume that readers know everything you currently know. Provide clear instructions. +* Do not reference future development or features that do not yet exist. + + +## Fonts and Colors + +* Font + + The [Roboto font](https://fonts.google.com/specimen/Roboto) family is used in Ghaf digital platforms. Roboto is available via an open-source license. + +* Ghaf colors + + * Primary color is Light green (#5AC379). + * Secondary colors: + + * Dark green (#3D8252), Orange (#F15025), Yellow (#FABC3C) + * Light grey (#3A3A3A), Mid grey (#232323), Dark grey (#121212) + + ## Markdown Syntax Before you begin: 
@@ -84,21 +117,6 @@ To make our Markdown files maintainable over time and across teams, follow the r For GitHub .md files (not for GitHub Pages), emojis are welcome :octocat:. [Supported GitHub emojis](https://github-emoji-picker.vercel.app/). -## Voice and Tone - -* Write in plain English—a universal language that makes information clear and better to understand: - * Use simple tenses and active voice. - * Understandable language, fewer gerunds. - * Short, sharp sentence. Try to use 15-20 words max. - * [Split information in paragraphs](https://github.com/tiiuae/ghaf/tree/main/docs#managing-content). - * Do not use parenthesis for additional information, make a separate sentence instead. - * Use numbered lists for actions that happen in sequence. - * Do not contract the words: use _cannot_ instead of _can’t_. -* Use “we” for us and our work, use “you” for readers. Do not use “please” to provide instructions, just ask what should be done. -* Avoid buzzwords, slang, and jargon. -* Readers often scan rather than read, put the important facts first. -* Do not assume that readers know everything you currently know. Provide clear instructions. -* Do not reference future development or features that do not yet exist. ## Headings From edb767be9a47bd99db2295397b476d4bb1e3fcbc Mon Sep 17 00:00:00 2001 
From: Mika Tammi Date: Mon, 3 Jul 2023 03:39:55 +0300 Subject: [PATCH 03/60] Update flake.lock MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'microvm': 'github:astro/microvm.nix/c14833d8506a784f0b3cf91a2b864acb05662711' (2023-06-21) → 'github:astro/microvm.nix/f7c9df6a19de6bb5215b32f6bbd5a8c9d6510ebf' (2023-07-02) • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/844ce2ab9a0ba819b30df1fff2c48c9b2b2344be' (2023-06-26) → 'github:nix-community/nixos-generators/cf341a2c94338eed91c35df291931ea775b31e99' (2023-07-03) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/b3ec8fb525fc0c8f08eff5ef93c684b4c6d0e777' (2023-06-25) → 'github:nix-community/nixpkgs.lib/a92befce80a487380ea5e92ae515fe33cebd3ac6' (2023-07-02) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/35130d4b4f0b8c50ed2aceb909a538c66c91d4a0' (2023-06-25) → 'github:nixos/nixpkgs/0de86059128947b2438995450f2c2ca08cc783d5' (2023-07-01) Signed-off-by: Mika Tammi --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index e9c7b7668..80fc2929c 100644 --- a/flake.lock +++ b/flake.lock @@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1687369979, - "narHash": "sha256-pSkc15k9yug3vwnri5quvi0R6LHR4u7J0/8FkTpFlmQ=", + "lastModified": 1688334122, + "narHash": "sha256-wvQOOugnBzYPngvUy/b5Pzq6UhHeBGh/ZdXnsMlJDdY=", "owner": "astro", "repo": "microvm.nix", - "rev": "c14833d8506a784f0b3cf91a2b864acb05662711", + "rev": "f7c9df6a19de6bb5215b32f6bbd5a8c9d6510ebf", "type": "github" }, "original": { 
@@ -63,11 +63,11 @@ }, "nixlib": { "locked": { - "lastModified": 1687654967, - "narHash": "sha256-ki8vItcjn8Z8n+QD9NEoCQbbbG7VzWy71hyOkFFwCkM=", + "lastModified": 1688259758, + "narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "b3ec8fb525fc0c8f08eff5ef93c684b4c6d0e777", + "rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6", "type": "github" }, "original": { @@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1687743756, - "narHash": "sha256-WhDERdaMGX73CBxpDfoauKU2Z4NC10+/4khdBbpXjWs=", + "lastModified": 1688349424, + "narHash": "sha256-/wRCJP2d9ZmfZKrREWthpDHIx/F02Z1J2bytbC+gUiU=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "844ce2ab9a0ba819b30df1fff2c48c9b2b2344be", + "rev": "cf341a2c94338eed91c35df291931ea775b31e99", "type": "github" }, "original": { @@ -114,11 +114,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1687729501, - "narHash": "sha256-mTLkMePoHUWvTCf3NuKbeYEea/tsikSIKBWwb9OfRr4=", + "lastModified": 1688177999, + "narHash": "sha256-JZ5nk90Ym79b4J593xYb0mI79QxU0efJLuCU3sXDalQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "35130d4b4f0b8c50ed2aceb909a538c66c91d4a0", + "rev": "0de86059128947b2438995450f2c2ca08cc783d5", "type": "github" }, "original": { From 972b8c3ee60de6c3f4dccc83b09e346529129b47 Mon Sep 17 00:00:00 2001 From: Jaroslaw Kurowski Date: Thu, 22 Jun 2023 11:57:59 +0400 Subject: [PATCH 04/60] doc: update the hypervisors options section Signed-off-by: Jaroslaw Kurowski --- docs/src/technologies/hypervisor_options.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/src/technologies/hypervisor_options.md b/docs/src/technologies/hypervisor_options.md index 96303c9d4..1ea2470bd 100644 --- a/docs/src/technologies/hypervisor_options.md +++ b/docs/src/technologies/hypervisor_options.md 
@@ -19,8 +19,8 @@ Nevertheless, it may happen that some hypervisor options are not supported by mi A VM is defined under Ghaf’s subdirectory ``microvmConfigurations/VM_NAME/default.nix``, for example: ``` -microvmConfigurations/memshare/default.nix -https://github.com/jkuro-tii/ghaf/blob/main/microvmConfigurations/memshare/default.nix +microvmConfigurations/netvm/default.nix +https://github.com/tiiuae/ghaf/tree/main/microvmConfigurations/netvm/default.nix ``` This file contains hypervisor’s options for running the VM. For each hypervisor there is a bunch of microvm’s defined options: From 169fc7032489867cab9341d7d85ec68efbdda902 Mon Sep 17 00:00:00 2001 From: Jaroslaw Kurowski Date: Tue, 4 Jul 2023 13:53:48 +0400 Subject: [PATCH 05/60] doc: apply review comment Signed-off-by: Jaroslaw Kurowski --- docs/src/technologies/hypervisor_options.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/src/technologies/hypervisor_options.md b/docs/src/technologies/hypervisor_options.md index 1ea2470bd..b2c40a1d3 100644 --- a/docs/src/technologies/hypervisor_options.md +++ b/docs/src/technologies/hypervisor_options.md @@ -19,8 +19,8 @@ Nevertheless, it may happen that some hypervisor options are not supported by mi A VM is defined under Ghaf’s subdirectory ``microvmConfigurations/VM_NAME/default.nix``, for example: ``` -microvmConfigurations/netvm/default.nix -https://github.com/tiiuae/ghaf/tree/main/microvmConfigurations/netvm/default.nix +modules/virtualization/microvm/netvm.nix +https://github.com/tiiuae/ghaf/blob/main/modules/virtualization/microvm/netvm.nix ``` This file contains hypervisor’s options for running the VM. For each hypervisor there is a bunch of microvm’s defined options: From 84a3cbce3dc2e64a68f7494dd40fc6345ca18767 Mon Sep 17 00:00:00 2001 From: Vadim Likholetov Date: Thu, 27 Apr 2023 11:19:54 +0300 Subject: [PATCH 06/60] Platform bus support ADR 
Signed-off-by: Vadim Likholetov --- docs/src/architecture/adr.md | 3 +- .../adr/platform-bus-passthrough-support.md | 47 +++++++++++++++++++ 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 docs/src/architecture/adr/platform-bus-passthrough-support.md diff --git a/docs/src/architecture/adr.md b/docs/src/architecture/adr.md index 333fe08fb..4dd56018e 100644 --- a/docs/src/architecture/adr.md +++ b/docs/src/architecture/adr.md @@ -13,6 +13,7 @@ The Ghaf platform decision log: | -------- | ----------- | | [Minimal Host](../architecture/adr/minimal-host.md) | Proposed. | | [netvm—Networking Virtual Machine](../architecture/adr/netvm.md) | Proposed, partially implemented for development and testing. | +| [Platform Bus for RustVMM](../architecture/adr/platform-bus-passthrough-support.md) | Proposed, WIP. | -To create an architectural decision proposal, open [a pull request](https://github.com/tiiuae/ghaf/blob/main/CONTRIBUTING.md#contributing-documentation) and use the [decision record template](https://github.com/tiiuae/ghaf/blob/main/docs/src/architecture/adr/template.md). Contributions to the Ghaf architecture decisions are welcome. \ No newline at end of file +To create an architectural decision proposal, open [a pull request](https://github.com/tiiuae/ghaf/blob/main/CONTRIBUTING.md#contributing-documentation) and use the [decision record template](https://github.com/tiiuae/ghaf/blob/main/docs/src/architecture/adr/template.md). Contributions to the Ghaf architecture decisions are welcome. diff --git a/docs/src/architecture/adr/platform-bus-passthrough-support.md b/docs/src/architecture/adr/platform-bus-passthrough-support.md new file mode 100644 index 000000000..2c907a46a --- /dev/null +++ b/docs/src/architecture/adr/platform-bus-passthrough-support.md 
@@ -0,0 +1,47 @@ + + +# Platform bus passthrough support for RustVMM-based hypervisors + +## Status + +Proposed, WIP. + + +## Context + +This ADR is WIP notes for Platform bus passthrough implementation for RustVMM-based hypervisors. + +Support for Platform bus devices passthrough is important to have for ARM-based hardware because it's the mainly used bus to connect the peripherials. +Nowdays the only hypervisor that has some support for Platform bus is QEMU, the code is dated 2013 and not frequently used. + +On the other hand one of the main hardware platforms for GHAF is NVIDIA Orin, that is ARM and to achieve GHAF's security and hardware isolation goals, devices should be passthroughed to virtual machines. + +Production-ready RustVMM-based hypervisors (CrosVM, Firecracker, CloudHypervisor) do not have support for Platform bus, their developers (Google, Amazon, ...) mostly probable are not interested in supporting it because it doesn't align with their business needs. + + +## Decision + +Implement Platform bus passthrough support for RustVMM that is a base framework for RustVMM-based hypervisors. +After that use this support within production-ready RustVMM-based hypervisors. +The main candidate there is CrosVM, necessity to support Platform bus in other hypervisors are subject to discuss. + +Technically, Platform bus is rather simple bus -- it manages memory mapping and interrupts. Information about devices is not dynamic, but is read from device tree during the boot stage. + +Required components and their existance/use readiness. +- Host kernel side: + - VFIO drivers (to substitute real driver in host kernel) - + + - Host support for device trees + +- Guest kernel side: + - Device drivers for passthrough devices + + - Guest support for device trees + +- RustVMM side: + - Bus support - Needs to be developed + - VMM support for device trees -- rudimental, needs improvement. 
+ +## Consequences + +GHAF's security and hardware isolation goals reached, platform bus devices are passthroughed to virtual machines. + From a570e7fba13a2a9b4fad182e997e31727cfabc7d Mon Sep 17 00:00:00 2001 From: Ville Ilvonen Date: Thu, 29 Jun 2023 18:00:28 +0300 Subject: [PATCH 07/60] doc: add mdbook-footnote plugin * on popular demand - example of adding mdbook-plugins * tested to generate footnote with "Normal text{{footnote: Or is it?}} in body." from docs/src/index.md using "nix build .#doc" Test footnote left out of the commit intentionally. Signed-off-by: Ville Ilvonen --- docs/book.toml | 2 ++ docs/doc.nix | 17 ++++++++++------- docs/plugins/mdbook-footnote.nix | 19 +++++++++++++++++++ 3 files changed, 31 insertions(+), 7 deletions(-) create mode 100644 docs/plugins/mdbook-footnote.nix diff --git a/docs/book.toml b/docs/book.toml index b3e8de83b..40cd60c05 100644 --- a/docs/book.toml +++ b/docs/book.toml @@ -10,3 +10,5 @@ src = "src" default-theme = "light" git-repository-url = "https://github.com/tiiuae/ghaf" git-repository-icon = "fa-github" + +[preprocessor.footnote] diff --git a/docs/doc.nix b/docs/doc.nix index eec0ac46e..1f1369126 100644 --- a/docs/doc.nix +++ b/docs/doc.nix @@ -1,12 +1,15 @@ # Copyright 2022-2023 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: CC-BY-SA-4.0 { + callPackage, runCommandNoCC, mdbook, -}: -runCommandNoCC "ghaf-doc" -{ - nativeBuildInputs = [mdbook]; -} '' - ${mdbook}/bin/mdbook build -d $out ${./.} -'' +}: let + footnote = callPackage ./plugins/mdbook-footnote.nix {}; +in + runCommandNoCC "ghaf-doc" + { + nativeBuildInputs = [mdbook footnote]; + } '' + ${mdbook}/bin/mdbook build -d $out ${./.} + '' diff --git a/docs/plugins/mdbook-footnote.nix b/docs/plugins/mdbook-footnote.nix new file mode 100644 index 000000000..590884433 --- /dev/null +++ b/docs/plugins/mdbook-footnote.nix 
@@ -0,0 +1,19 @@
+# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: CC-BY-SA-4.0
+{
+ fetchFromGitHub,
+ rustPlatform,
+}:
+rustPlatform.buildRustPackage rec {
+ pname = "mdbook-footnote";
+ version = "0.1.1";
+
+ src = fetchFromGitHub {
+ owner = "daviddrysdale";
+ repo = "mdbook-footnote";
+ rev = "refs/tags/v${version}";
+ sha256 = "sha256-WUMgm1hwsU9BeheLfb8Di0AfvVQ6j92kXxH2SyG3ses=";
+ };
+
+ cargoHash = "sha256-Ig+uVCO5oHIkkvFsKiBiUFzjUgH/Pydn4MVJHb2wKGc=";
+}
From a5b3fa920d0e1c51f646a4d1ebcb513e808691cd Mon Sep 17 00:00:00 2001 From: Mika Tammi Date: Fri, 30 Jun 2023 23:42:46 +0300 Subject: [PATCH 08/60] nvidia-jetson-orin: uefi: Add ghaf logo to boot Add ghaf logo to boot screen of edk2 uefi bootloader. Signed-off-by: Mika Tammi --- modules/hardware/nvidia-jetson-orin/jetson-orin.nix | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/modules/hardware/nvidia-jetson-orin/jetson-orin.nix b/modules/hardware/nvidia-jetson-orin/jetson-orin.nix
index ebf811847..64bc871df 100644
--- a/modules/hardware/nvidia-jetson-orin/jetson-orin.nix
+++ b/modules/hardware/nvidia-jetson-orin/jetson-orin.nix
@@ -43,6 +43,8 @@ in
 flashScriptOverrides = {
 flashArgs = lib.mkForce ["-r" config.hardware.nvidia-jetpack.flashScriptOverrides.targetBoard "mmcblk0p1"];
 };
+
+ firmware.uefi.logo = ../../../docs/src/img/1600px-Ghaf_logo.svg;
 };
 
 nixpkgs.hostPlatform.system = "aarch64-linux";
From bafe76884778c2df8cb235277f59606640d5bc64 Mon Sep 17 00:00:00 2001 From: Nikita Bazulin Date: Fri, 30 Jun 2023 14:24:36 +0300 Subject: [PATCH 09/60] Apps: add Zathura PDF Reader Task: TCAPPS-85 Signed-off-by: Nikita Bazulin --- modules/graphics/weston.ini.nix | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/modules/graphics/weston.ini.nix b/modules/graphics/weston.ini.nix
index d4788b211..7be80d886 100644
--- a/modules/graphics/weston.ini.nix
+++ b/modules/graphics/weston.ini.nix
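Review bot: The new `docs/plugins/mdbook-footnote.nix` pins both the source (`sha256`) and the vendored crates (`cargoHash`), so a moved `v0.1.1` tag fails the fixed-output check instead of silently changing a build input, which is the right supply-chain posture for a documentation build dependency; what it lacks is a `meta` block (`description`, `license`, `mainProgram`) so the package is visible to license audits and tooling. `fetchFromGitHub` also accepts the newer `hash` attribute in place of `sha256`, which reads better with the SRI-prefixed value already used here. A one-line header comment would record the intent, e.g. `# mdbook preprocessor for the {{footnote: ...}} syntax, pinned by tag and content hash`.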
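Review bot: `firmware.uefi.logo = ../../../docs/src/img/1600px-Ghaf_logo.svg;` makes the Jetson firmware build depend on a file under `docs/`, so a documentation reorganisation or an artwork edit made for the README changes a firmware input without any firmware-related review; keeping the boot logo next to the hardware module (or in a shared assets directory) and letting the docs reference that copy removes the coupling. Whether jetpack-nixos converts an SVG for edk2 itself is not visible here and should be confirmed against that module's option. A comment on the new line such as `# Boot splash for the edk2 UEFI firmware; currently shared with the docs logo` would record the intent. The enclosing attribute set continues outside the hunk.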
@@ -48,6 +48,11 @@ path = "${gala-app}/bin/gala --enable-features=UseOzonePlatform --ozone-platform=wayland"; icon = "${gala-app}/gala/resources/icon-24x24.png"; } + + { + path = "${pkgs.zathura}/bin/zathura"; + icon = "${pkgs.zathura}/share/icons/hicolor/32x32/apps/org.pwmt.zathura.png"; + } ]; in { options.ghaf.graphics.weston = with lib; { @@ -79,6 +84,7 @@ in { chromium element-desktop gala-app + zathura ]; environment.etc."xdg/weston/weston.ini" = { text = From e7fc1f15cc3a2162bc454b7c880711d2111939cd Mon Sep 17 00:00:00 2001 From: Mika Tammi Date: Mon, 10 Jul 2023 15:08:37 +0300 Subject: [PATCH 10/60] Fix docker module Signed-off-by: Mika Tammi --- modules/module-list.nix | 1 + modules/virtualization/docker.nix | 6 +----- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/modules/module-list.nix b/modules/module-list.nix index acf34fb3e..f5c8be753 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -14,5 +14,6 @@ ./profiles/release.nix ./users/accounts.nix ./version + ./virtualization/docker.nix ./windows-launcher ] diff --git a/modules/virtualization/docker.nix b/modules/virtualization/docker.nix index 29734b06b..f98899660 100644 --- a/modules/virtualization/docker.nix +++ b/modules/virtualization/docker.nix @@ -1,8 +1,8 @@ # Copyright 2022-2023 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { + lib, config, - modulesPath, ... }: let cfg = config.ghaf.virtualization.docker.daemon; @@ -13,10 +13,6 @@ in }; config = mkIf cfg.enable { - imports = [ - (modulesPath + "/virtualisation/docker.nix") - ]; - virtualisation.docker.enable = true; virtualisation.docker.rootless = { enable = true; From 6a1b3b16b3e63dc1667b9eded19e870864b2143f Mon Sep 17 00:00:00 2001 From: Valentin Kharin Date: Fri, 16 Jun 2023 20:49:44 +0300 Subject: [PATCH 11/60] Refactor 
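Review bot: The new launcher entry hard-codes `${pkgs.zathura}/share/icons/hicolor/32x32/apps/org.pwmt.zathura.png` while the neighbouring gala entry uses a 24x24 icon, and nothing in the hunk verifies the path exists in the package; a wrong path still evaluates and only shows up as a missing icon at runtime rather than as a build failure. Picking one icon size for all launcher entries, or producing the icon path through a single helper, keeps the panel consistent. The entry refers to `pkgs.zathura` directly whereas the second hunk adds bare `zathura` to the package list; unless that list is under `with pkgs;`, one of the two forms should be aligned with the other. The `let` block holding the launcher list starts outside the hunk.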
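Review bot: With `./virtualization/docker.nix` now listed in `module-list.nix`, enabling `ghaf.virtualization.docker.daemon.enable` starts the rootful daemon (`virtualisation.docker.enable = true;`) in addition to the rootless one (`virtualisation.docker.rootless = { enable = true;`); the rootful daemon's socket is root-equivalent for members of the docker group, so if rootless is the intended mode the rootful line should be dropped, or the two should become separate options with the rootful one off by default. Those two lines are unchanged context in the second docker.nix hunk, but this commit is what makes the module load at all, so its effect is new. A comment on the block, `# Rootless daemon is the default; the rootful daemon widens the host attack surface`, would document whichever choice is made. The `config = mkIf cfg.enable {` block continues outside the hunk.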
Signed-off-by: Valentin Kharin --- docs/{doc.nix => default.nix} | 0 flake.nix | 12 +++++------- 2 files changed, 5 insertions(+), 7 deletions(-) rename docs/{doc.nix => default.nix} (100%) diff --git a/docs/doc.nix b/docs/default.nix similarity index 100% rename from docs/doc.nix rename to docs/default.nix diff --git a/flake.nix b/flake.nix index 7c4de5384..e5ca5acb6 100644 --- a/flake.nix +++ b/flake.nix @@ -56,14 +56,12 @@ # Combine list of attribute sets together lib.foldr lib.recursiveUpdate {} [ # Documentation - (flake-utils.lib.eachSystem systems (system: { - packages = let - pkgs = nixpkgs.legacyPackages.${system}; - in { - doc = pkgs.callPackage ./docs/doc.nix {}; - }; + (flake-utils.lib.eachSystem systems (system: let + pkgs = nixpkgs.legacyPackages.${system}; + in { + packages.doc = pkgs.callPackage ./docs {}; - formatter = nixpkgs.legacyPackages.${system}.alejandra; + formatter = pkgs.alejandra; })) # ghaf lib From 72130ad25b5a97bf4a01957adff4ee536d838b5b Mon Sep 17 00:00:00 2001 From: Valentin Kharin Date: Fri, 16 Jun 2023 21:49:39 +0300 Subject: [PATCH 12/60] Add autogenerated options docs Use nixpkgs documentation facilities to generate markdown for ghaf NixOS modules. This will improve the user-friendliness of ghaf for newcomers. Signed-off-by: Valentin Kharin --- docs/default.nix | 33 +++++++++++++++++++++++----- docs/src/SUMMARY.md | 1 + docs/src/ref_impl/modules_options.md | 5 +++++ flake.nix | 5 ++++- 4 files changed, 38 insertions(+), 6 deletions(-) create mode 100644 docs/src/ref_impl/modules_options.md diff --git a/docs/default.nix b/docs/default.nix index 1f1369126..29a43424a 100644 --- a/docs/default.nix +++ b/docs/default.nix 
@@ -1,15 +1,38 @@ # Copyright 2022-2023 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: CC-BY-SA-4.0 { + pkgs, + lib, callPackage, - runCommandNoCC, + runCommandLocal, + nixosOptionsDoc, mdbook, + revision ? "", + options ? {}, }: let - footnote = callPackage ./plugins/mdbook-footnote.nix {}; + optionsDocMd = + (nixosOptionsDoc { + inherit revision options; + transformOptions = x: + if lib.strings.hasPrefix "ghaf" x.name + then x + else x // {visible = false;}; + markdownByDefault = true; + }) + .optionsCommonMark; + combinedSrc = runCommandLocal "ghaf-doc-src" {} '' + mkdir $out + cp -r ${./.}/* $out + chmod +w $out/src/ref_impl/modules_options.md + cat ${optionsDocMd} >> $out/src/ref_impl/modules_options.md + ''; in - runCommandNoCC "ghaf-doc" + runCommandLocal "ghaf-doc" { - nativeBuildInputs = [mdbook footnote]; + nativeBuildInputs = let + footnote = callPackage ./plugins/mdbook-footnote.nix {}; + in [mdbook footnote]; + src = combinedSrc; } '' - ${mdbook}/bin/mdbook build -d $out ${./.} + ${mdbook}/bin/mdbook build -d $out $src '' diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index 981d99401..2baa2b24b 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -15,6 +15,7 @@ - [Hypervisor Options](technologies/hypervisor_options.md) - [Reference Implementations](ref_impl/reference_implementations.md) - [Usage](ref_impl/usage.md) + - [Modules Options](ref_impl/modules_options.md) - [Development](ref_impl/development.md) - [Build and Run](ref_impl/build_and_run.md) - [Cross-Compilation](ref_impl/cross_compilation.md) diff --git a/docs/src/ref_impl/modules_options.md b/docs/src/ref_impl/modules_options.md new file mode 100644 index 000000000..d89659112 --- /dev/null +++ b/docs/src/ref_impl/modules_options.md @@ -0,0 +1,5 @@ + + diff --git a/flake.nix b/flake.nix index e5ca5acb6..eddc257b6 100644 --- a/flake.nix +++ b/flake.nix 
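Review bot: `pkgs` is added to the argument set of `docs/default.nix` but is not used anywhere in the file (the hunk covers the whole file), so it should be dropped to keep the signature honest about its inputs. The `combinedSrc` step copies the whole `docs/` tree with `cp -r ${./.}/* $out` and then makes only `modules_options.md` writable before appending; a comment such as `# The copied store tree is read-only; only the generated options page is appended to` would save the next editor from wondering about the single `chmod +w`. `transformOptions` hides every option whose name does not start with `ghaf`, which is the right scope for this page, and deserves a comment (`# Document only ghaf.* options; all others are hidden`) so it is not widened by accident.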
@@ -59,7 +59,10 @@ (flake-utils.lib.eachSystem systems (system: let pkgs = nixpkgs.legacyPackages.${system}; in { - packages.doc = pkgs.callPackage ./docs {}; + packages.doc = pkgs.callPackage ./docs { + revision = lib.version; + options = self.nixosConfigurations.vm-debug.options; + }; formatter = pkgs.alejandra; })) From 1a1ee4ed76d0c359c913533acf3c8abbe4f1343a Mon Sep 17 00:00:00 2001 From: Valentin Kharin Date: Wed, 21 Jun 2023 15:52:15 +0300 Subject: [PATCH 13/60] Add list of availiable modules to lib To generate documentation using the nixpkgs function, it is necessary to have a working NixOS configuration, so we write a function that will help collect all available modules for that configuration. Signed-off-by: Valentin Kharin --- lib/default.nix | 1 + lib/ghaf-modules.nix | 8 ++++++++ 2 files changed, 9 insertions(+) create mode 100644 lib/ghaf-modules.nix diff --git a/lib/default.nix b/lib/default.nix index 412286d2c..c31364ecf 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -7,4 +7,5 @@ version = release + versionSuffix; in { inherit release versionSuffix version; + modules = import ./ghaf-modules.nix {inherit lib;}; } diff --git a/lib/ghaf-modules.nix b/lib/ghaf-modules.nix new file mode 100644 index 000000000..c91dfb6c4 --- /dev/null +++ b/lib/ghaf-modules.nix @@ -0,0 +1,8 @@ +{lib}: let + inherit (builtins) readFile filter; + inherit (lib) filesystem hasInfix hasSuffix; + + isDesiredFile = path: hasSuffix ".nix" path && hasInfix "options" (readFile path); + modulesDirectoryFiles = filesystem.listFilesRecursive ../modules; +in + filter isDesiredFile modulesDirectoryFiles From e5ce69e35ea0535fa78388a1859feffd3988870c Mon Sep 17 00:00:00 2001 From: Valentin Kharin Date: Wed, 21 Jun 2023 17:36:23 +0300 Subject: [PATCH 14/60] Use all modules for options docs To get a working configuration with ghaf modules for documentation, it is necessary to have a jetpack NixOS module. 
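Review bot: In `lib/ghaf-modules.nix`, `isDesiredFile` decides that a file is a NixOS module with `hasInfix "options" (readFile path)`, a substring test on file contents, so any `.nix` file under `modules/` that merely mentions the word in a comment or string is picked up, and a module that declares options without that literal is dropped; since the repository already maintains `modules/module-list.nix`, importing that list would be more robust than scanning. If the heuristic stays, a comment should state it and its limits: `# Heuristic: every .nix file under modules/ whose text contains "options" is treated as a module`. `readFile` on every file under `modules/` also runs at evaluation time, which grows with the module tree.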
Signed-off-by: Valentin Kharin --- flake.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index eddc257b6..2e6ef210c 100644 --- a/flake.nix +++ b/flake.nix @@ -61,7 +61,13 @@ in { packages.doc = pkgs.callPackage ./docs { revision = lib.version; - options = self.nixosConfigurations.vm-debug.options; + options = let + cfg = nixpkgs.lib.nixosSystem { + inherit system; + modules = lib.ghaf.modules ++ [jetpack-nixos.nixosModules.default]; + }; + in + cfg.options; }; formatter = pkgs.alejandra; From 7461e71bdb8ff6094ef37bb1e9140336629c107a Mon Sep 17 00:00:00 2001 From: Valentin Kharin Date: Wed, 21 Jun 2023 18:06:59 +0300 Subject: [PATCH 15/60] Add reference to options documentation Signed-off-by: Valentin Kharin --- docs/src/ref_impl/usage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/src/ref_impl/usage.md b/docs/src/ref_impl/usage.md index 534393a8c..f674b2d5e 100644 --- a/docs/src/ref_impl/usage.md +++ b/docs/src/ref_impl/usage.md @@ -69,7 +69,7 @@ After update, review and testing - commit the updated `flake.lock` to your versi ## Customize your Ghaf-based project -To use the Ghaf declarative module system, check what you need in your system and choose the module options you need. For example, import the ghaf `graphics`-module and declare that you won't need the reference Wayland-compositor Weston and the demo applications: +To use the Ghaf declarative module system, check what you need in your system and choose the [modules options](./modules_options.md) you need. For example, import the ghaf `graphics`-module and declare that you won't need the reference Wayland-compositor Weston and the demo applications: ``` { ghaf.graphics.weston = { From 7af2bcc906fe1474506a6bc0dc48f3804dc15aa8 Mon Sep 17 00:00:00 2001 
From: Valentin Kharin Date: Mon, 10 Jul 2023 10:18:13 +0300 Subject: [PATCH 16/60] Fix docs modules The module that was excluded from the list that worked incorrectly because the module system tried to pass names to the first set of function arguments, but those arguments must be passed manually. Signed-off-by: Valentin Kharin --- flake.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 2e6ef210c..1b3b8bc69 100644 --- a/flake.nix +++ b/flake.nix @@ -64,7 +64,17 @@ options = let cfg = nixpkgs.lib.nixosSystem { inherit system; - modules = lib.ghaf.modules ++ [jetpack-nixos.nixosModules.default]; + modules = let + filteredModules = builtins.filter (module: !lib.hasSuffix "microvm-host.nix" module) lib.ghaf.modules; + in + filteredModules + ++ [ + (import ./modules/virtualization/microvm/microvm-host.nix { + inherit self microvm; + netvm = ""; + }) + ] + ++ [jetpack-nixos.nixosModules.default]; }; in cfg.options; From 0a63d22300f2fa30aaedbe0247844d7f5effeb5f Mon Sep 17 00:00:00 2001 From: Valentin Kharin Date: Mon, 10 Jul 2023 15:49:29 +0300 Subject: [PATCH 17/60] Fix documentation paths Before this commit in generated documentation reference to source file of an option referred to `/nix/store`. I replaced this with link to ghaf github repository main branch source file of the corresponding option. Signed-off-by: Valentin Kharin --- docs/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/default.nix b/docs/default.nix index 29a43424a..60eba4843 100644 --- a/docs/default.nix +++ b/docs/default.nix 
@@ -24,7 +24,9 @@ mkdir $out cp -r ${./.}/* $out chmod +w $out/src/ref_impl/modules_options.md - cat ${optionsDocMd} >> $out/src/ref_impl/modules_options.md + + # Refer to master branch files in github + sed 's/\(file:\/\/\)\?\/nix\/store\/[^/]*-source/https:\/\/github.com\/tiiuae\/ghaf\/blob\/main/g' ${optionsDocMd} >> $out/src/ref_impl/modules_options.md ''; in runCommandLocal "ghaf-doc" From 3b7f2b8843d841c79a0fa4afb7a02269299a83ab Mon Sep 17 00:00:00 2001 From: Mika Tammi Date: Wed, 28 Jun 2023 23:36:17 +0300 Subject: [PATCH 18/60] Declarative NetVM configuration * Move from flake-based microvm-configuration to declarative configuration. * Cross-compilation enabled for NetVM, when host has cross-compilation enabled. * Refactored modules/host from function to a nixosModule. * While building documentation, microvm-host.nix does not need to be filtered out anymore. Signed-off-by: Mika Tammi --- flake.nix | 15 ++--- modules/host/default.nix | 15 +---- .../virtualization/microvm/microvm-host.nix | 13 ---- modules/virtualization/microvm/netvm.nix | 66 ++++++++++++------ targets/generic-x86_64.nix | 66 +++++++++--------- targets/imx8qm-mek.nix | 24 ++++--- targets/nvidia-jetson-orin.nix | 67 +++++++++---------- targets/vm.nix | 23 ++++--- 8 files changed, 144 insertions(+), 145 deletions(-) diff --git a/flake.nix b/flake.nix index 1b3b8bc69..b4c6c3cf3 100644 --- a/flake.nix +++ b/flake.nix @@ -64,17 +64,12 @@ options = let cfg = nixpkgs.lib.nixosSystem { inherit system; - modules = let - filteredModules = builtins.filter (module: !lib.hasSuffix "microvm-host.nix" module) lib.ghaf.modules; - in - filteredModules + modules = + lib.ghaf.modules ++ [ - (import ./modules/virtualization/microvm/microvm-host.nix { - inherit self microvm; - netvm = ""; - }) - ] - ++ [jetpack-nixos.nixosModules.default]; + jetpack-nixos.nixosModules.default + microvm.nixosModules.host + ]; }; in cfg.options; 
diff --git a/modules/host/default.nix b/modules/host/default.nix index 4cb85142b..862db7308 100644 --- a/modules/host/default.nix +++ b/modules/host/default.nix @@ -1,10 +1,6 @@ # Copyright 2022-2023 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { - self, - microvm, - netvm, -}: { lib, pkgs, modulesPath, @@ -17,17 +13,8 @@ ../../overlays/custom-packages.nix - # TODO Refactor the microvm to be fully declarative - # SEE https://astro.github.io/microvm.nix/declarative.html - (import ../virtualization/microvm/microvm-host.nix {inherit self microvm netvm;}) + # TODO: Refactor this under virtualization/microvm/host/networking.nix ./networking.nix - - { - ghaf = { - virtualization.microvm-host.enable = true; - host.networking.enable = true; - }; - } ]; config = { diff --git a/modules/virtualization/microvm/microvm-host.nix b/modules/virtualization/microvm/microvm-host.nix index 2d6fb23e1..77c4d3ffc 100644 --- a/modules/virtualization/microvm/microvm-host.nix +++ b/modules/virtualization/microvm/microvm-host.nix @@ -1,10 +1,6 @@ # Copyright 2022-2023 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { - self, - microvm, - netvm, -}: { config, lib, ... @@ -16,16 +12,7 @@ in enable = mkEnableOption "MicroVM Host"; }; - imports = [ - microvm.nixosModules.host - ]; - config = mkIf cfg.enable { microvm.host.enable = true; - - microvm.vms."${netvm}" = { - flake = self; - autostart = true; - }; }; } diff --git a/modules/virtualization/microvm/netvm.nix b/modules/virtualization/microvm/netvm.nix index b92397010..5c7ce4ba4 100644 --- a/modules/virtualization/microvm/netvm.nix +++ b/modules/virtualization/microvm/netvm.nix 
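Review bot: In the microvm-host.nix hunk the `imports = [ microvm.nixosModules.host ]` line is dropped while `microvm.host.enable = true;` is still set under `mkIf cfg.enable`, so the module now silently depends on its consumer importing `microvm.nixosModules.host`; a target that sets `ghaf.virtualization.microvm-host.enable = true` without that import will, as far as I can tell, fail evaluation with an undeclared-option error for `microvm.host.enable` rather than a message naming the missing import. The targets in this series do add `microvm.nixosModules.host` next to this module, but nothing records that contract in the module itself. I would add a comment above the option block, `# Requires microvm.nixosModules.host to be imported by the consuming configuration (it declares microvm.host.*).`, or an assertion that `options ? microvm.host` is present. The option declaration this comment would sit on is in the earlier hunk of the same file.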
@@ -1,33 +1,30 @@ # Copyright 2022-2023 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { + config, lib, - microvm, - system, -}: -lib.nixosSystem { - inherit system; - specialArgs = {inherit lib;}; - modules = - [ - { + ... +}: let + configHost = config; + netvmBaseConfiguration = { + imports = [ + ({lib, ...}: { ghaf = { - users.accounts.enable = true; + users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; development = { - ssh.daemon.enable = true; - debug.tools.enable = true; + # NOTE: SSH port also becomes accessible on the network interface + # that has been passed through to NetVM + ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; }; }; - } - - microvm.nixosModules.microvm - ({lib, ...}: { networking.hostName = "netvm"; - # TODO: Maybe inherit state version system.stateVersion = lib.trivial.release; - # TODO: crosvm PCI passthrough does not currently work + nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; + nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; + microvm.hypervisor = "qemu"; networking = { 
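Review bot: NetVM's `ssh.daemon.enable` now follows the host's `ghaf.development.ssh.daemon.enable` via `lib.mkDefault`, and the added NOTE itself says the SSH port becomes reachable on the interface passed through to NetVM; in the x86 and Orin targets of this series that interface is the physical WLAN adapter, so any image built with host SSH enabled exposes NetVM's sshd on the external network rather than only on the host-facing link. I would not inherit this implicitly: give NetVM its own explicit option, or at least bind the daemon to the internal address, e.g. `services.openssh.listenAddresses = [{ addr = <host-facing IP>; }];`, and keep the NOTE next to whichever choice is made. The `networking = {` block that would show whether a firewall still applies to the passthrough interface continues past the end of this hunk, so I cannot confirm the exposure from here.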
@@ -78,7 +75,36 @@ lib.nixosSystem { microvm.qemu.bios.enable = false; microvm.storeDiskType = "squashfs"; + + imports = import ../../module-list.nix; }) - ] - ++ (import ../../module-list.nix); + ]; + }; + cfg = config.ghaf.virtualization.microvm.netvm; +in { + options.ghaf.virtualization.microvm.netvm = { + enable = lib.mkEnableOption "NetVM"; + + extraModules = lib.mkOption { + description = '' + List of additional modules to be imported and evaluated as part of + NetVM's NixOS configuration. + ''; + default = []; + }; + }; + + config = lib.mkIf cfg.enable { + microvm.vms."netvm" = { + autostart = true; + config = + netvmBaseConfiguration + // { + imports = + netvmBaseConfiguration.imports + ++ cfg.extraModules; + }; + specialArgs = {inherit lib;}; + }; + }; } diff --git a/targets/generic-x86_64.nix b/targets/generic-x86_64.nix index 82e82ca5f..1fec14762 100644 --- a/targets/generic-x86_64.nix +++ b/targets/generic-x86_64.nix @@ -13,18 +13,45 @@ system = "x86_64-linux"; formatModule = nixos-generators.nixosModules.raw-efi; generic-x86 = variant: extraModules: let + netvmExtraModules = [ + { + microvm.devices = [ + { + bus = "pci"; + path = "0000:00:14.3"; + } + ]; + + # For WLAN firmwares + hardware.enableRedistributableFirmware = true; + + networking.wireless = { + enable = true; + + # networks."SSID_OF_NETWORK".psk = "WPA_PASSWORD"; + }; + } + ]; hostConfiguration = lib.nixosSystem { inherit system; specialArgs = {inherit lib;}; modules = [ - (import ../modules/host { - inherit self microvm netvm; - }) - + microvm.nixosModules.host + ../modules/host + ../modules/virtualization/microvm/microvm-host.nix + ../modules/virtualization/microvm/netvm.nix { ghaf = { hardware.x86_64.common.enable = true; + + virtualization.microvm-host.enable = true; + host.networking.enable = true; + virtualization.microvm.netvm = { + enable = true; + extraModules = netvmExtraModules; + }; + # Enable all the default UI applications profiles = { applications.enable = true; 
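Review bot: The new `extraModules` option declares `default = []` and a description but no `type`, so the module system treats it as an unspecified-type option: multiple definitions from different modules cannot be merged, and nothing checks that the elements are modules before they are spliced into `imports`. I would add `type = lib.types.listOf lib.types.deferredModule;` (or `lib.types.listOf lib.types.anything` if `deferredModule` is not in the pinned nixpkgs) so that a target and an overlay can both contribute modules and a wrong value fails at the option rather than deep inside the NetVM evaluation.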
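Review bot: The commented example `# networks."SSID_OF_NETWORK".psk = "WPA_PASSWORD";` in `netvmExtraModules` invites putting a WPA passphrase directly into the Nix expression, where it is evaluated into the world-readable `/nix/store` on the device and is likely to end up in git; the comment was carried over from the old `netvmConfiguration`, but this is now the template users will copy. I would replace the example with a pointer to the secrets-safe form, e.g. `# Do not put a literal PSK here (it lands in /nix/store); use networking.wireless.environmentFile with psk = "@PSK@" placeholders.`, assuming that option exists in the pinned nixpkgs.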
@@ -56,35 +83,9 @@ ++ (import ../modules/module-list.nix) ++ extraModules; }; - netvm = "netvm-${name}-${variant}"; in { - inherit hostConfiguration netvm; + inherit hostConfiguration; name = "${name}-${variant}"; - netvmConfiguration = - (import ../modules/virtualization/microvm/netvm.nix { - inherit lib microvm system; - }) - .extendModules { - modules = [ - { - microvm.devices = [ - { - bus = "pci"; - path = "0000:00:14.3"; - } - ]; - - # For WLAN firmwares - hardware.enableRedistributableFirmware = true; - - networking.wireless = { - enable = true; - - # networks."SSID_OF_NETWORK".psk = "WPA_PASSWORD"; - }; - } - ]; - }; package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; debugModules = [../modules/development/usb-serial.nix {ghaf.development.usb-serial.enable = true;}]; @@ -94,8 +95,7 @@ ]; in { nixosConfigurations = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets) - // builtins.listToAttrs (map (t: lib.nameValuePair t.netvm t.netvmConfiguration) targets); + builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets); packages = { x86_64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); diff --git a/targets/imx8qm-mek.nix b/targets/imx8qm-mek.nix index 96006d349..6b0020636 100644 --- a/targets/imx8qm-mek.nix +++ b/targets/imx8qm-mek.nix 
@@ -19,13 +19,20 @@ modules = [ nixos-hardware.nixosModules.nxp-imx8qm-mek - (import ../modules/host { - inherit self microvm netvm; - }) + microvm.nixosModules.host + ../modules/host + ../modules/virtualization/microvm/microvm-host.nix + ../modules/virtualization/microvm/netvm.nix { - # Enable all the default UI applications ghaf = { + virtualization.microvm-host.enable = true; + host.networking.enable = true; + # TODO: NetVM enabled, but it does not include anything specific + # for iMX8 + virtualization.microvm.netvm.enable = true; + + # Enable all the default UI applications profiles = { applications.enable = true; #TODO clean this up when the microvm is updated to latest @@ -40,13 +47,9 @@ ++ (import ../modules/module-list.nix) ++ extraModules; }; - netvm = "netvm-${name}-${variant}"; in { - inherit hostConfiguration netvm; + inherit hostConfiguration; name = "${name}-${variant}"; - netvmConfiguration = import ../modules/virtualization/microvm/netvm.nix { - inherit lib microvm system; - }; package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; debugModules = []; @@ -56,8 +59,7 @@ ]; in { nixosConfigurations = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets) - // builtins.listToAttrs (map (t: lib.nameValuePair t.netvm t.netvmConfiguration) targets); + builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets); packages = { aarch64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); diff --git a/targets/nvidia-jetson-orin.nix b/targets/nvidia-jetson-orin.nix index fa3a4bc56..eaa77b3ee 100644 --- a/targets/nvidia-jetson-orin.nix +++ b/targets/nvidia-jetson-orin.nix 
@@ -12,22 +12,48 @@ system = "aarch64-linux"; formatModule = nixos-generators.nixosModules.raw-efi; nvidia-jetson-orin = variant: extraModules: let + netvmExtraModules = [ + { + microvm.devices = [ + { + bus = "pci"; + path = "0001:01:00.0"; + } + ]; + + # For WLAN firmwares + hardware.enableRedistributableFirmware = true; + + networking.wireless = { + enable = true; + + # networks."SSID_OF_NETWORK".psk = "WPA_PASSWORD"; + }; + } + ]; hostConfiguration = lib.nixosSystem { inherit system; specialArgs = {inherit lib;}; modules = [ - (import ../modules/host { - inherit self microvm netvm; - }) - jetpack-nixos.nixosModules.default - ../modules/hardware/nvidia-jetson-orin + microvm.nixosModules.host + ../modules/host + ../modules/virtualization/microvm/microvm-host.nix + ../modules/virtualization/microvm/netvm.nix { ghaf = { hardware.nvidia.orin.enable = true; + + virtualization.microvm-host.enable = true; + host.networking.enable = true; + virtualization.microvm.netvm = { + enable = true; + extraModules = netvmExtraModules; + }; + # Enable all the default UI applications profiles = { applications.enable = true; @@ -46,35 +72,9 @@ ++ (import ../modules/module-list.nix) ++ extraModules; }; - netvm = "netvm-${name}-${variant}"; in { - inherit hostConfiguration netvm; + inherit hostConfiguration; name = "${name}-${variant}"; - netvmConfiguration = - (import ../modules/virtualization/microvm/netvm.nix { - inherit lib microvm system; - }) - .extendModules { - modules = [ - { - microvm.devices = [ - { - bus = "pci"; - path = "0001:01:00.0"; - } - ]; - - # For WLAN firmwares - hardware.enableRedistributableFirmware = true; - - networking.wireless = { - enable = true; - - # networks."SSID_OF_NETWORK".psk = "WPA_PASSWORD"; - }; - } - ]; - }; package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; nvidia-jetson-orin-debug = nvidia-jetson-orin "debug" []; 
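Review bot: `netvmExtraModules` here is a line-for-line copy of the block added to targets/generic-x86_64.nix in the same commit, differing only in the PCI `path` (`0001:01:00.0` vs `0000:00:14.3`), so the firmware and wireless settings for NetVM now live in two places that can drift. A small shared module taking the device path would keep them aligned, for example `../modules/virtualization/microvm/netvm-wlan.nix` as `{ pciPath }: { microvm.devices = [{ bus = "pci"; path = pciPath; }]; hardware.enableRedistributableFirmware = true; networking.wireless.enable = true; }` imported from both targets via `extraModules`. This is a structure point only; the values themselves are unchanged from the removed `netvmConfiguration`.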
@@ -109,8 +109,7 @@ }; in { nixosConfigurations = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) (targets ++ crossTargets)) - // builtins.listToAttrs (map (t: lib.nameValuePair t.netvm t.netvmConfiguration) targets); + builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) (targets ++ crossTargets)); packages = { aarch64-linux = diff --git a/targets/vm.nix b/targets/vm.nix index 3539011a8..9432d9133 100644 --- a/targets/vm.nix +++ b/targets/vm.nix @@ -15,13 +15,21 @@ specialArgs = {inherit lib;}; modules = [ - (import ../modules/host { - inherit self microvm netvm; - }) + microvm.nixosModules.host + ../modules/host + ../modules/virtualization/microvm/microvm-host.nix + ../modules/virtualization/microvm/netvm.nix { ghaf = { hardware.x86_64.common.enable = true; + + virtualization.microvm-host.enable = true; + host.networking.enable = true; + # TODO: NetVM enabled, but it does not include anything specific + # for this Virtual Machine target + virtualization.microvm.netvm.enable = true; + # Enable all the default UI applications profiles = { applications.enable = true; @@ -36,13 +44,9 @@ ] ++ (import ../modules/module-list.nix); }; - netvm = "netvm-${name}-${variant}"; in { - inherit hostConfiguration netvm; + inherit hostConfiguration; name = "${name}-${variant}"; - netvmConfiguration = import ../modules/virtualization/microvm/netvm.nix { - inherit lib microvm system; - }; package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; targets = [ @@ -51,8 +55,7 @@ ]; in { nixosConfigurations = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets) - // builtins.listToAttrs (map (t: lib.nameValuePair t.netvm t.netvmConfiguration) targets); + builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets); packages = { x86_64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); 
From 9638a163542b939735bf34de483a9999a27e55ac Mon Sep 17 00:00:00 2001 From: Mika Tammi Date: Tue, 11 Jul 2023 23:52:56 +0300 Subject: [PATCH 19/60] Update flake.lock MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'flake-utils': 'github:numtide/flake-utils/dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7' (2023-06-25) → 'github:numtide/flake-utils/919d646de7be200f3bf08cb76ae1f09402b6f9b4' (2023-07-11) • Updated input 'microvm': 'github:astro/microvm.nix/f7c9df6a19de6bb5215b32f6bbd5a8c9d6510ebf' (2023-07-02) → 'github:astro/microvm.nix/018691bf86a70b7e5d24eb37d6aad05ce1c1b12e' (2023-07-09) • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/cf341a2c94338eed91c35df291931ea775b31e99' (2023-07-03) → 'github:nix-community/nixos-generators/9191c85aab6b1a7ad395c13d340f2aa0e3ddf552' (2023-07-07) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/429f232fe1dc398c5afea19a51aad6931ee0fb89' (2023-06-15) → 'github:nixos/nixos-hardware/44bc025007e5fcc10dbc3d9f96dcbf06fc0e8c1c' (2023-07-11) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/0de86059128947b2438995450f2c2ca08cc783d5' (2023-07-01) → 'github:nixos/nixpkgs/8163a64662b43848802092d52015ef60777d6129' (2023-07-11) Signed-off-by: Mika Tammi --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 80fc2929c..68977339c 100644 --- a/flake.lock +++ b/flake.lock @@ -5,11 +5,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1687709756, - "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "owner": "numtide", "repo": "flake-utils", - "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "type": "github" }, "original": { 
@@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1688334122, - "narHash": "sha256-wvQOOugnBzYPngvUy/b5Pzq6UhHeBGh/ZdXnsMlJDdY=", + "lastModified": 1688933605, + "narHash": "sha256-eux5CjKmO+6GFoovtckoVo0es1FZ2mzupehDyHuCaCk=", "owner": "astro", "repo": "microvm.nix", - "rev": "f7c9df6a19de6bb5215b32f6bbd5a8c9d6510ebf", + "rev": "018691bf86a70b7e5d24eb37d6aad05ce1c1b12e", "type": "github" }, "original": { @@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1688349424, - "narHash": "sha256-/wRCJP2d9ZmfZKrREWthpDHIx/F02Z1J2bytbC+gUiU=", + "lastModified": 1688738567, + "narHash": "sha256-yax5BYOfpE0+95kyJmEcfKEdZBaFvCENDogBB4VQB3Q=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "cf341a2c94338eed91c35df291931ea775b31e99", + "rev": "9191c85aab6b1a7ad395c13d340f2aa0e3ddf552", "type": "github" }, "original": { @@ -99,11 +99,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1686838567, - "narHash": "sha256-aqKCUD126dRlVSKV6vWuDCitfjFrZlkwNuvj5LtjRRU=", + "lastModified": 1689060619, + "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89", + "rev": "44bc025007e5fcc10dbc3d9f96dcbf06fc0e8c1c", "type": "github" }, "original": { @@ -114,11 +114,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1688177999, - "narHash": "sha256-JZ5nk90Ym79b4J593xYb0mI79QxU0efJLuCU3sXDalQ=", + "lastModified": 1689048911, + "narHash": "sha256-pODI2CkjWbSLo5nPMZoLtkRNJU/Nr3VSITXZqqmNtIk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "0de86059128947b2438995450f2c2ca08cc783d5", + "rev": "8163a64662b43848802092d52015ef60777d6129", "type": "github" }, "original": { From 29bae7644e838a673da3f7131ecfdaf65d694235 Mon Sep 17 00:00:00 2001 From: Ganga Ram Date: Wed, 5 Jul 2023 17:20:58 +0400 Subject: [PATCH 20/60] Polarfire Icicle-kit reference platform Enabled template for Polarfire 
Signed-off-by: Ganga Ram --- docs/src/features/features.md | 8 +- docs/src/ref_impl/build_and_run.md | 51 ++++++++++--- docs/src/ref_impl/cross_compilation.md | 14 +++- flake.nix | 5 +- .../hardware/polarfire/mpfs-nixos-sdimage.nix | 51 +++++++++++++ targets/default.nix | 1 + targets/microchip-icicle-kit.nix | 76 +++++++++++++++++++ templates/default.nix | 11 ++- .../riscv64/microchip/polarfire/flake.nix | 67 ++++++++++++++++ 9 files changed, 258 insertions(+), 26 deletions(-) create mode 100644 modules/hardware/polarfire/mpfs-nixos-sdimage.nix create mode 100644 targets/microchip-icicle-kit.nix create mode 100644 templates/targets/riscv64/microchip/polarfire/flake.nix diff --git a/docs/src/features/features.md b/docs/src/features/features.md index db9419d53..0fb87f2eb 100644 --- a/docs/src/features/features.md +++ b/docs/src/features/features.md @@ -8,7 +8,7 @@ The vision for the Ghaf platform is to create a virtualized, scalable reference platform that enables the building of secure products leveraging trusted, reusable, and portable software for edge devices. For more information on reference implementation for several devices, see [Reference Implementations](../ref_impl/reference_implementations.md). Ghaf demo desktop and applications are illustrated in the screen capture below: -![Ghaf demo desktop and application](../img/ghaf_demo_desktop.png) +![Ghaf demo desktop and application](../img/ghaf_demo_desktop.png) ## Status * ✅ - integrated and tested in the `main` branch. No known regression. 
@@ -33,7 +33,7 @@ The following tables show the status of Ghaf Platform features: | `aarch64` reference image | ✅ | `imx8qm` | Based on NXP BSP, implemented as [nixos-hardware module](https://github.com/NixOS/nixos-hardware/tree/master/nxp)| | `x86` generic image | ✅ | `x86` | Generic x86 computer, based on generic [NixOS](https://nixos.org/). NOTE: requires device specific configuration.| | Native build | ✅ | `aarch64, x86` | Remote `aarc64` nixos builders recommended | -| Cross-compilation | 🚧 | `aarch64` | Depends on NixOS `nixpkgs 23.05` support for cross-compilation | +| Cross-compilation | 🚧 | `aarch64, riscv64` | Depends on NixOS `nixpkgs 23.05` support for cross-compilation | | CI builds | ✅ | `All` | [Only `main`-branch, not for all PRs](https://vedenemo.dev/). | | Emulated build | ❌ | `aarch64` | `binfmt`, may freeze the build machine. Not recommended. [See instructions.](https://tiiuae.github.io/ghaf/ref_impl/cross_compilation.html#binfmt)| @@ -78,7 +78,7 @@ The following tables show the status of Ghaf Platform features: ## Next steps -[See discussion for the outline of next steps](https://github.com/tiiuae/ghaf/issues/150#issuecomment-1564061850) +[See discussion for the outline of next steps](https://github.com/tiiuae/ghaf/issues/150#issuecomment-1564061850) -![Outline of next phases](https://user-images.githubusercontent.com/1027150/241167552-bcb3a3f9-72f3-4b96-af8b-e9df6d1f3d5e.png) +![Outline of next phases](https://user-images.githubusercontent.com/1027150/241167552-bcb3a3f9-72f3-4b96-af8b-e9df6d1f3d5e.png) diff --git a/docs/src/ref_impl/build_and_run.md b/docs/src/ref_impl/build_and_run.md index db206a46c..1500354cf 100644 --- a/docs/src/ref_impl/build_and_run.md +++ b/docs/src/ref_impl/build_and_run.md 
@@ -19,7 +19,7 @@ First, follow the basic device-independent steps: * Clone the git repository . * Ghaf uses a Nix flake approach to build the framework targets, make sure to: * Install Nix or full NixOS if needed: . - * Enable flakes: . + * Enable flakes: . To see all Ghaf-supported outputs, type `nix flake show`. * Set up an AArch64 remote builder: . @@ -32,6 +32,7 @@ Then you can use one of the following instructions for the supported targets: | Generic x86 Сomputer | x86_64 | [Running Ghaf Image for x86 Computer](./build_and_run.md#running-ghaf-image-for-x86-computer) | | NVIDIA Jetson AGX Orin | AArch64 | [Ghaf Image for NVIDIA Jetson Orin AGX](./build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx) | | NXP i.MX 8QM-MEK | AArch64 | [Building Ghaf Image for NXP i.MX 8QM-MEK](./build_and_run.md#building-ghaf-image-for-nxp-imx-8qm-mek) | +| MICROCHIP icicle-kit | RISCV64 | [Building Ghaf Image for Microchip Icicle Kit](./build_and_run.md#building-ghaf-image-for-microchip-icicle-kit) | --- 
@@ -75,22 +76,22 @@ Before you begin: 1. Run the command: ``` - nix build github:tiiuae/ghaf#nvidia-jetson-orin-debug-flash-script + nix build github:tiiuae/ghaf#nvidia-jetson-orin-debug-flash-script ``` It will build the Ghaf image and bootloader firmware, and prepare the flashing script. Give "yes" answers to all script questions. The building process takes around 1,5 hours. 2. Set up the following connections: 1. Connect the board to a power supply with a USB-C cable. 2. Connect a Linux laptop to the board with the USB-C cable. - 3. Connect the Linux laptop to the board with a Micro-USB cable to use [serial interface](https://developer.ridgerun.com/wiki/index.php/NVIDIA_Jetson_Orin/In_Board/Getting_in_Board/Serial_Console). - + 3. Connect the Linux laptop to the board with a Micro-USB cable to use [serial interface](https://developer.ridgerun.com/wiki/index.php/NVIDIA_Jetson_Orin/In_Board/Getting_in_Board/Serial_Console). + > For more information on the board's connections details, see the [Hardware Layout](https://developer.nvidia.com/embedded/learn/jetson-agx-orin-devkit-user-guide/developer_kit_layout.html) section of the Jetson AGX Orin Developer Kit User Guide. 3. After the build is completed, put the board in recovery mode. For more information, see the [Force Recovery](https://developer.nvidia.com/embedded/learn/jetson-agx-orin-devkit-user-guide/howto.html#force-recovery-mode) Mode section in the Jetson AGX Orin Developer Kit User Guide. - + 4. Run the flashing script: ``` - sudo ~/result/bin/flash-ghaf-host + sudo ~/result/bin/flash-ghaf-host ``` There is a time-out for this operation, so run the script within one minute after putting the device in recovery mode. If you got the error message "ERROR: might be timeout in USB write.": 
@@ -106,11 +107,11 @@ After the latest firmware is [flashed](./build_and_run.md#flashing-nvidia-jetson 1. To build the target image, run the command: ``` - nix build github:tiiuae/ghaf#nvidia-jetson-orin-debug + nix build github:tiiuae/ghaf#nvidia-jetson-orin-debug ``` 2. After the build is completed, prepare a USB boot media with the target image you built: ``` - dd if=./result/nixos.img of=/dev/ bs=32M + dd if=./result/nixos.img of=/dev/ bs=32M ``` 3. Boot the hardware from the USB media. @@ -145,10 +146,10 @@ In the current state of Ghaf, it is a bit tricky to make NVIDIA Jetson Orin AGX Before you begin, check device-independent [prerequisites](./build_and_run.md#prerequisites). -In the case of i.MX8, Ghaf deployment contains of creating a bootable SD card with a first-stage bootloader (Tow-Boot) and creating USB media with the Ghaf image: +In the case of i.MX8, Ghaf deployment consists of creating a bootable SD card with a first-stage bootloader (Tow-Boot) and USB media with the Ghaf image.: -1. To build and flash [**Tow-Boot**](https://github.com/tiiuae/Tow-Boot) bootloader: +1. To build and flash [**Tow-Boot**](https://github.com/tiiuae/Tow-Boot) bootloader: ``` $ git clone https://github.com/tiiuae/Tow-Boot.git && cd Tow-Boot 
@@ -159,5 +160,33 @@ In the case of i.MX8, Ghaf deployment contains of creating a bootable SD card wi 2. To build and flash the Ghaf image: 1. Run the `nix build .#packages.aarch64-linux.imx8qm-mek-release` command. 2. Prepare the USB boot media with the target HW image you built: `dd if=./result/nixos.img of=/dev/ bs=32M`. - + 3. Insert an SD card and USB boot media into the board and switch the power on. + +--- + +## Building Ghaf Image for Microchip Icicle Kit + +Before you begin: + +* Check device-independent [prerequisites](./build_and_run.md#prerequisites). +* Please make sure HSS version 0.99.35-v2023.02 is programmed in your board eNVM. The version can be seen in pre-bootloader log. + A video guide to build HSS and programming the eNVM is available in the below given link: + [How to build HSS and program the eNVM?](https://www.youtube.com/watch?v=McAt2-6cwd4) + +In the case of the Icicle Kit, Ghaf deployment consists of creating an SD image with U-Boot and Linux kernel from Microchip, and Ghaf-based NixOS rootfs. + +1. Build a Ghaf SD image: + a. Run the nix build .#packages.riscv64-linux.microchip-icicle-kit-release command to release the image. + b. Run the nix build .#packages.riscv64-linux.microchip-icicle-kit-debug command to debug the image. + +2. Flash the Ghaf SD image: + * If you want to use a SD card: + a. Prepare the SD card with the target HW image you built: dd if=./result/nixos.img of=/dev/ bs=32M. + b. Insert an SD card into the board and switch the power on. + * If you want to use the onboard MMC: + You can directly flash a NixOS image to onboard an MMC card: dd if=./result/nixos.img of=/dev/ bs=32M. + +For more information on how to access the MMC card as a USB disk, see [Icicle Kit user guide](https://tinyurl.com/48wycdka). + +--- diff --git a/docs/src/ref_impl/cross_compilation.md b/docs/src/ref_impl/cross_compilation.md index b60a9dd85..f2e8a6e67 100644 --- a/docs/src/ref_impl/cross_compilation.md 
+++ b/docs/src/ref_impl/cross_compilation.md @@ -22,7 +22,7 @@ To enable ``binfmt``, we recommend to set the following in your host systems ``c "riscv64-linux" "aarch64-linux" ]; - + In addition, it is recommended to enable KVM support with either boot.kernelModules = [ "kvm-amd" ]; @@ -30,11 +30,19 @@ In addition, it is recommended to enable KVM support with either or boot.kernelModules = [ "kvm-intel" ]; - + depending on whether your development host is running AMD or Intel processor. +## Cross-Compilation for Microchip Icicle Kit (RISCV64) + +An SD image for the Microchip Icicle Kit can be cross-compiled from an x86 machine. To generate the release or debug an SD image run the following command: + +``` + $> nix build .#packages.riscv64-linux.microchip-icicle-kit- +``` + ## Future Cross-Compilation Support This will involve working with upstream package maintainers to ensure that the packages are cross-compilation aware. This will be addressed on a package-by-package basis. - + diff --git a/flake.nix b/flake.nix index b4c6c3cf3..5e908e38e 100644 --- a/flake.nix +++ b/flake.nix @@ -15,13 +15,13 @@ }; inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05"; flake-utils.url = "github:numtide/flake-utils"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; - nixos-hardware.url = "github:nixos/nixos-hardware"; + nixos-hardware.url = "github:NixOS/nixos-hardware"; microvm = { url = "github:astro/microvm.nix"; inputs.nixpkgs.follows = "nixpkgs"; @@ -45,6 +45,7 @@ systems = with flake-utils.lib.system; [ x86_64-linux aarch64-linux + riscv64-linux ]; lib = nixpkgs.lib.extend (final: _prev: { ghaf = import ./lib { diff --git a/modules/hardware/polarfire/mpfs-nixos-sdimage.nix b/modules/hardware/polarfire/mpfs-nixos-sdimage.nix new file mode 100644 index 000000000..47d66255e --- /dev/null +++ b/modules/hardware/polarfire/mpfs-nixos-sdimage.nix 
@@ -0,0 +1,51 @@
+{
+ config,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/sd-card/sd-image.nix")
+ ];
+
+ sdImage = {
+ compressImage = false;
+ populateFirmwareCommands = ''
+ cp ${pkgs.uboot-icicle-kit}/payload.bin firmware/
+ '';
+
+ populateRootCommands = ''
+ mkdir -p ./files/boot
+ ${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
+ '';
+ postBuildCommands = ''
+ sdimage="$out/nixos.img"
+ blocksize=512
+ offset=34
+ ubootsize=2048
+ sfdisk --list $img | grep Linux
+ rootstart=$(sfdisk --list $img | grep Linux | awk '{print $3}')
+ rootsize=$(sfdisk --list $img | grep Linux | awk '{print $5}')
+ imagesize=$(((offset + ubootsize + rootsize + 2048)*blocksize))
+ touch $sdimage
+ truncate -s $imagesize $sdimage
+
+ echo -e "
+ label: gpt
+ label-id: 47D1675F-84FF-41C5-9CBD-CC6D822159EC
+ unit: sectors
+ first-lba: $offset
+ last-lba: $((ubootsize + offset + $rootsize - 1))
+ sector-size: 512
+
+ start=$offset, size=$ubootsize, type=21686148-6449-6E6F-744E-656564454649, uuid=0F5E6BEA-86F5-4936-8712-6DBF3B46B2A0, name=\"uboot\"
+ start=$((offset + ubootsize)), size=$rootsize, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=17E58027-1F0E-4146-8F88-AB26C740BC6D, name=\"kernel\", attrs=\"LegacyBIOSBootable\" " > "$out/partition.txt"
+
+ sfdisk $sdimage < "$out/partition.txt"
+ dd conv=notrunc if=${pkgs.uboot-icicle-kit}/payload.bin of=$sdimage seek=$offset
+ dd conv=notrunc if=$img of=$sdimage seek=$((offset + ubootsize)) skip=$rootstart count=$rootsize
+ sfdisk --list $sdimage
+ rm -rf $out/sd-image
+ '';
+ };
+}
diff --git a/targets/default.nix b/targets/default.nix
index 7d59dbfb3..db0f7bd0b 100644
--- a/targets/default.nix
+++ b/targets/default.nix
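Review bot: `rootstart` and `rootsize` are recovered by scraping the human-readable `sfdisk --list $img` table with `grep Linux | awk '{print $3}'` and `'{print $5}'`, so the values depend on the table's column layout (a Boot column shifts the fields, and the Size column is printed with a unit suffix rather than in sectors); if the match fails the variables are empty and `truncate`, the `last-lba` arithmetic and the second `dd` proceed with garbage instead of aborting. A machine-readable query is safer, e.g. `partx -g -o START,SECTORS --nr 2 "$img"` or `sfdisk --json "$img"` parsed with jq, followed by `[ -n "$rootstart" ] && [ -n "$rootsize" ] || exit 1`; `$img` is presumably provided by sd-image.nix's build script, which this file does not show. Since the partition table pins a fixed root partition UUID, the target could also boot via `root=PARTUUID=17E58027-1F0E-4146-8F88-AB26C740BC6D` rather than the positional `/dev/mmcblk0p2` set in targets/microchip-icicle-kit.nix. The file also lacks the `# Copyright` / `# SPDX-License-Identifier: Apache-2.0` header that the other modules in this series carry.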
@@ -16,4 +16,5 @@ lib.foldr lib.recursiveUpdate {} [
 (import ./vm.nix {inherit self lib nixos-generators microvm;})
 (import ./generic-x86_64.nix {inherit self lib nixos-generators nixos-hardware microvm;})
 (import ./imx8qm-mek.nix {inherit self lib nixos-generators nixos-hardware microvm;})
+ (import ./microchip-icicle-kit.nix {inherit self lib nixpkgs nixos-hardware;})
 ]
diff --git a/targets/microchip-icicle-kit.nix b/targets/microchip-icicle-kit.nix
new file mode 100644
index 000000000..1d15e3ba1
--- /dev/null
+++ b/targets/microchip-icicle-kit.nix
@@ -0,0 +1,76 @@ +# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Polarfire Enablement Kit +{ + self, + lib, + nixpkgs, + nixos-hardware, +}: let + name = "microchip-icicle-kit"; + system = "riscv64-linux"; + microchip-icicle-kit = variant: extraModules: let + hostConfiguration = lib.nixosSystem { + inherit system; + specialArgs = {inherit lib;}; + modules = + [ + nixos-hardware.nixosModules.microchip-icicle-kit + ../modules/hardware/polarfire/mpfs-nixos-sdimage.nix + ../modules/host + + { + appstream.enable = false; + boot = { + enableContainers = false; + loader = { + grub.enable = false; + generic-extlinux-compatible.enable = true; + }; + }; + + # Disable all the default UI applications + ghaf = { + profiles = { + applications.enable = false; + graphics.enable = false; + #TODO clean this up when the microvm is updated to latest + release.enable = variant == "release"; + debug.enable = variant == "debug"; + }; + development = { + debug.tools.enable = variant == "debug"; + ssh.daemon.enable = true; + }; + windows-launcher.enable = false; + }; + nixpkgs = { + buildPlatform.system = "x86_64-linux"; + hostPlatform.system = "riscv64-linux"; + }; + boot.kernelParams = ["root=/dev/mmcblk0p2" "rootdelay=5"]; + disabledModules = ["profiles/all-hardware.nix"]; + } + ] + ++ (import ../modules/module-list.nix) + ++ extraModules; + }; + in { + inherit hostConfiguration; + name = "${name}-${variant}"; + package = hostConfiguration.config.system.build.sdImage; + }; + + targets = [ + (microchip-icicle-kit "debug" []) + (microchip-icicle-kit "release" []) + ]; +in { + nixosConfigurations = + builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets); + packages = { + riscv64-linux = + builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); + }; +} diff --git a/templates/default.nix b/templates/default.nix index 2b5e7b8b4..9516439a5 100644 --- a/templates/default.nix 
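Review bot: `development.ssh.daemon.enable = true;` is unconditional, so the `release` image produced by `(microchip-icicle-kit "release" [])` ships with the development SSH daemon — and whatever authorized keys that module installs — enabled, while `debug.tools.enable` right above it is correctly gated on the variant. Unless a release SD image is meant to be remotely reachable with development keys, it should follow the same pattern: `ssh.daemon.enable = variant == "debug";`. Separately, `root=/dev/mmcblk0p2` is only correct for the two-partition layout produced by `mpfs-nixos-sdimage.nix`, which this target imports; a one-line comment tying the kernel parameter to that module would stop the two from drifting apart.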
+++ b/templates/default.nix @@ -31,11 +31,10 @@ description = "A Ghaf based configuration for x86_64 targets"; }; - #TODO Enable this when polarfire is merged - # # RISC-v targets - # target-riscv64-microchip-polarfire = { - # path = ./targets/riscv64/microchip/polarfire; - # description = "A Ghaf based configuration for the Microchip Polarfire"; - # }; + # RISC-v targets + target-riscv64-microchip-polarfire = { + path = ./targets/riscv64/microchip/polarfire; + description = "A Ghaf based configuration for the Microchip Polarfire"; + }; }; } diff --git a/templates/targets/riscv64/microchip/polarfire/flake.nix b/templates/targets/riscv64/microchip/polarfire/flake.nix new file mode 100644 index 000000000..a9582073b --- /dev/null +++ b/templates/targets/riscv64/microchip/polarfire/flake.nix 
@@ -0,0 +1,67 @@ +# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + description = "PROJ_NAME - Ghaf based configuration"; + + nixConfig = { + extra-trusted-substituters = [ + "https://cache.vedenemo.dev" + "https://cache.ssrcdevops.tii.ae" + ]; + extra-trusted-public-keys = [ + "cache.vedenemo.dev:RGHheQnb6rXGK5v9gexJZ8iWTPX6OcSeS56YeXYzOcg=" + "cache.ssrcdevops.tii.ae:oOrzj9iCppf+me5/3sN/BxEkp5SaFkHfKTPPZ97xXQk=" + ]; + }; + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05"; + flake-utils.url = "github:numtide/flake-utils"; + nixos-hardware.url = "github:NixOS/nixos-hardware"; + ghaf = { + url = "github:tiiuae/ghaf"; + inputs = { + nixpkgs.follows = "nixpkgs"; + flake-utils.follows = "flake-utils"; + nixos-hardware.follows = "nixos-hardware"; + }; + }; + }; + + outputs = { + self, + ghaf, + nixpkgs, + nixos-hardware, + flake-utils, + }: let + systems = with flake-utils.lib.system; [ + x86_64-linux + riscv64-linux + ]; + in + # Combine list of attribute sets together + nixpkgs.lib.foldr nixpkgs.lib.recursiveUpdate {} [ + (flake-utils.lib.eachSystem systems (system: { + formatter = nixpkgs.legacyPackages.${system}.alejandra; + })) + + { + nixosConfigurations.PROJ_NAME-ghaf-debug = ghaf.nixosConfigurations.microchip-icicle-kit-debug.extendModules { + modules = [ + { + #insert your additional modules here e.g. + # virtualisation.docker.enable = true; + # users.users."ghaf".extraGroups = ["docker"]; + } + ({pkgs, ...}: { + environment.systemPackages = with pkgs; [ + #Add additional system packages here + ]; + }) + ]; + }; + packages.riscv64-linux.PROJ_NAME-ghaf-debug = self.nixosConfigurations.PROJ_NAME-ghaf-debug.config.system.build.sdImage; + } + ]; +} From 8532eb88e7fdf55fdff9e1774aa348131d2d4ddf Mon Sep 17 00:00:00 2001 
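Review bot: `nixConfig` makes every project generated from this template trust two binary caches and their signing keys (`cache.vedenemo.dev`, `cache.ssrcdevops.tii.ae`): once a user accepts the flake config (`--accept-flake-config`, or the one-time prompt), store paths signed by those keys are substituted instead of built, which is a supply-chain trust decision the template takes on the user's behalf without saying so. I would document it in place: `# Optional Ghaf project binary caches. Accepting this flake config trusts these signing keys for substituted store paths; delete the block to build everything locally.`. Also, as far as I recall `extra-trusted-substituters` only allow-lists caches and `extra-substituters` is what makes Nix actually use them, so please confirm this is the intended setting rather than a silent no-op.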
From: Brian McGillion Date: Thu, 13 Jul 2023 14:27:23 +0400 Subject: [PATCH 21/60] Add the orin nx support Rebasing the changes from https://github.com/tiiuae/ghaf/pull/209 onto the latest declarative microvm changes. Signed-off-by: Emrah Billur emrah.billur@unikie.com Signed-off-by: Brian McGillion --- hydrajobs.nix | 3 +- .../nvidia-jetson-orin/jetson-orin.nix | 24 +++++++++++--- ...t.patch => pci-passthrough-agx-test.patch} | 0 .../pci-passthrough-nx-test.patch | 33 +++++++++++++++++++ targets/nvidia-jetson-orin.nix | 17 ++++++---- 5 files changed, 65 insertions(+), 12 deletions(-) rename modules/hardware/nvidia-jetson-orin/{pci-passthrough-test.patch => pci-passthrough-agx-test.patch} (100%) create mode 100644 modules/hardware/nvidia-jetson-orin/pci-passthrough-nx-test.patch diff --git a/hydrajobs.nix b/hydrajobs.nix index 51199e41c..c2d0302f1 100644 --- a/hydrajobs.nix +++ b/hydrajobs.nix @@ -3,7 +3,8 @@ {self}: { hydraJobs = { generic-x86_64-debug.x86_64-linux = self.packages.x86_64-linux.generic-x86_64-debug; - nvidia-jetson-orin-debug.aarch64-linux = self.packages.aarch64-linux.nvidia-jetson-orin-debug; + nvidia-jetson-orin-agx-debug.aarch64-linux = self.packages.aarch64-linux.nvidia-jetson-orin-agx-debug; + nvidia-jetson-orin-nx-debug.aarch64-linux = self.packages.aarch64-linux.nvidia-jetson-orin-nx-debug; intel-vm-debug.x86_64-linux = self.packages.x86_64-linux.vm-debug; imx8qm-mek-debug.aarch64-linux = self.packages.aarch64-linux.imx8qm-mek-debug; }; diff --git a/modules/hardware/nvidia-jetson-orin/jetson-orin.nix b/modules/hardware/nvidia-jetson-orin/jetson-orin.nix index 64bc871df..2ec1841ec 100644 --- a/modules/hardware/nvidia-jetson-orin/jetson-orin.nix +++ b/modules/hardware/nvidia-jetson-orin/jetson-orin.nix 
@@ -1,13 +1,27 @@ # Copyright 2022-2023 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 # -# Configuration for NVIDIA Jetson AGX Orin +# Configuration for NVIDIA Jetson Orin AGX/NX reference boards { lib, config, ... }: let cfg = config.ghaf.hardware.nvidia.orin; + somDefinition = { + "agx" = { + flashArgs = ["-r" config.hardware.nvidia-jetpack.flashScriptOverrides.targetBoard "mmcblk0p1"]; + passthrough-patch = ./pci-passthrough-agx-test.patch; + vfio-pci = "vfio-pci.ids=10ec:c82f"; + deviceTree = "tegra234-p3701-host-passthrough.dtb"; + }; + "nx" = { + flashArgs = ["-r" config.hardware.nvidia-jetpack.flashScriptOverrides.targetBoard "nvme0n1p1"]; + passthrough-patch = ./pci-passthrough-nx-test.patch; + vfio-pci = "vfio-pci.ids=10ec:8168"; + deviceTree = "tegra234-p3767-host-passthrough.dtb"; + }; + }; in with lib; { options.ghaf.hardware.nvidia.orin = { @@ -41,7 +55,7 @@ in modesetting.enable = true; flashScriptOverrides = { - flashArgs = lib.mkForce ["-r" config.hardware.nvidia-jetpack.flashScriptOverrides.targetBoard "mmcblk0p1"]; + flashArgs = lib.mkForce somDefinition."${cfg.somType}".flashArgs; }; firmware.uefi.logo = ../../../docs/src/img/1600px-Ghaf_logo.svg; @@ -59,7 +73,7 @@ in boot.kernelPatches = [ { name = "passthrough-patch"; - patch = ./pci-passthrough-test.patch; + patch = somDefinition."${cfg.somType}".passthrough-patch; } { name = "vsock-config"; @@ -79,12 +93,12 @@ in hardware.deviceTree = { enable = true; - name = "tegra234-p3701-host-passthrough.dtb"; + name = somDefinition."${cfg.somType}".deviceTree; }; # Passthrough Jetson Orin WiFi card boot.kernelParams = [ - "vfio-pci.ids=10ec:c82f" + somDefinition."${cfg.somType}".vfio-pci "vfio_iommu_type1.allow_unsafe_interrupts=1" ]; }; 
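Review bot: `somDefinition."${cfg.somType}"` is looked up in four places (flashArgs, passthrough-patch, deviceTree, vfio-pci), so any value other than `agx`/`nx` fails with a bare "attribute missing" error at whichever lookup evaluates first; the `somType` option declaration is outside this hunk, so if it is not already constrained I would declare it as `type = types.enum (builtins.attrNames somDefinition);` so the table is the single source of truth. The table itself deserves a line of documentation, e.g. `# Per-SoM settings: flash target device, kernel DT patch enabling passthrough, PCI ids of the NIC handed to vfio-pci, and the host DTB.`, since `vfio-pci` and `deviceTree` are what decide which physical device leaves the host's control. Note that `somDefinition` references `config.hardware.nvidia-jetpack...` from the `let`, which is fine only as long as nothing forces it eagerly while `cfg.enable` is false.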
diff --git a/modules/hardware/nvidia-jetson-orin/pci-passthrough-test.patch b/modules/hardware/nvidia-jetson-orin/pci-passthrough-agx-test.patch
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/pci-passthrough-test.patch
rename to modules/hardware/nvidia-jetson-orin/pci-passthrough-agx-test.patch
diff --git a/modules/hardware/nvidia-jetson-orin/pci-passthrough-nx-test.patch b/modules/hardware/nvidia-jetson-orin/pci-passthrough-nx-test.patch
new file mode 100644
index 000000000..6a138d929
--- /dev/null
+++ b/modules/hardware/nvidia-jetson-orin/pci-passthrough-nx-test.patch
@@ -0,0 +1,33 @@ +diff --git a/nvidia/platform/t23x/p3768/kernel-dts/Makefile b/nvidia/platform/t23x/p3768/kernel-dts/Makefile +index f306119fe8a3..3034a22ca7ed 100644 +--- a/nvidia/platform/t23x/p3768/kernel-dts/Makefile ++++ b/nvidia/platform/t23x/p3768/kernel-dts/Makefile +@@ -23,6 +23,9 @@ dtb-$(BUILD_ENABLE) += tegra234-p3767-0000-as-p3767-0004-p3768-0000-a0.dtb + dtb-$(BUILD_ENABLE) += tegra234-p3767-0001-p3768-0000-a0.dtb + dtb-$(BUILD_ENABLE) += tegra234-p3767-0003-p3768-0000-a0.dtb + dtb-$(BUILD_ENABLE) += tegra234-p3767-0004-p3768-0000-a0.dtb ++ ++dtb-$(BUILD_ENABLE) += tegra234-p3767-host-passthrough.dtb ++ + dtbo-$(BUILD_ENABLE) += tegra234-p3767-0000-p3509-a02-adafruit-sph0645lm4h.dtbo + dtbo-$(BUILD_ENABLE) += tegra234-p3767-0000-p3509-a02-adafruit-uda1334a.dtbo + dtbo-$(BUILD_ENABLE) += tegra234-p3767-0000-p3509-a02-csi.dtbo +diff --git a/nvidia/platform/t23x/p3768/kernel-dts/tegra234-p3767-host-passthrough.dts b/nvidia/platform/t23x/p3768/kernel-dts/tegra234-p3767-host-passthrough.dts +new file mode 100644 +index 000000000000..e273e4e9505f +--- /dev/null ++++ b/nvidia/platform/t23x/p3768/kernel-dts/tegra234-p3767-host-passthrough.dts +@@ -0,0 +1,13 @@ ++/dts-v1/; ++#include "tegra234-p3767-0000-p3509-a02.dts" ++ ++/* ++ * Update the pci-e ethernet to be accessible from vfio/guest ++ * The ethernet device is pcie@140a0000 or with name pci_c8_rp ++ */ ++&pcie_c8_rp { ++ interconnect-names = "dma-mem", "write"; ++ /delete-property/ iommus; ++ /delete-property/ msi-parent; ++ /delete-property/ msi-map; ++}; diff --git a/targets/nvidia-jetson-orin.nix b/targets/nvidia-jetson-orin.nix index eaa77b3ee..f0331c085 100644 --- a/targets/nvidia-jetson-orin.nix +++ b/targets/nvidia-jetson-orin.nix 
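Review bot: The new `tegra234-p3767-host-passthrough.dts` deletes `iommus`, `msi-parent` and `msi-map` from the Ethernet root port `&pcie_c8_rp` so the RTL8168 (`vfio-pci.ids=10ec:8168` in jetson-orin.nix) can be handed to a guest, and as far as I can tell from the patch that also removes SMMU translation for that endpoint, meaning DMA issued by the guest-owned NIC is not confined to guest memory and, together with the pre-existing `vfio_iommu_type1.allow_unsafe_interrupts=1`, host isolation for this device rests on the guest driver behaving. The file name says "test", but jetson-orin.nix applies it whenever `somType = "nx"`, i.e. to both the debug and release NX targets. I would state the trade-off in the dts header comment, e.g. ` * NOTE: dropping iommus/msi-* passes the device through without SMMU isolation; development configuration only.`, and gate the patch on the debug variant until the passthrough ADR decides otherwise.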
@@ -11,7 +11,7 @@ name = "nvidia-jetson-orin"; system = "aarch64-linux"; formatModule = nixos-generators.nixosModules.raw-efi; - nvidia-jetson-orin = variant: extraModules: let + nvidia-jetson-orin = som: variant: extraModules: let netvmExtraModules = [ { microvm.devices = [ @@ -46,6 +46,7 @@ { ghaf = { hardware.nvidia.orin.enable = true; + hardware.nvidia.orin.somType = som; virtualization.microvm-host.enable = true; host.networking.enable = true; @@ -74,11 +75,13 @@ }; in { inherit hostConfiguration; - name = "${name}-${variant}"; + name = "${name}-${som}-${variant}"; package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; - nvidia-jetson-orin-debug = nvidia-jetson-orin "debug" []; - nvidia-jetson-orin-release = nvidia-jetson-orin "release" []; + nvidia-jetson-orin-agx-debug = nvidia-jetson-orin "agx" "debug" []; + nvidia-jetson-orin-agx-release = nvidia-jetson-orin "agx" "release" []; + nvidia-jetson-orin-nx-debug = nvidia-jetson-orin "nx" "debug" []; + nvidia-jetson-orin-nx-release = nvidia-jetson-orin "nx" "release" []; generate-cross-from-x86_64 = tgt: tgt // rec { @@ -95,8 +98,10 @@ package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; targets = [ - nvidia-jetson-orin-debug - nvidia-jetson-orin-release + nvidia-jetson-orin-agx-debug + nvidia-jetson-orin-agx-release + nvidia-jetson-orin-nx-debug + nvidia-jetson-orin-nx-release ]; crossTargets = map generate-cross-from-x86_64 targets; mkFlashScript = import ../lib/mk-flash-script.nix; From 74693c9315a8c794bdb7ea14a141f9c866f5b3f5 Mon Sep 17 00:00:00 2001 From: Brian McGillion Date: Thu, 13 Jul 2023 18:31:33 +0400 Subject: [PATCH 22/60] Update documentation for the AGX build Signed-off-by: Brian McGillion --- docs/src/ref_impl/build_and_run.md | 4 ++-- docs/src/ref_impl/cross_compilation.md | 31 ++++++++++++-------------- docs/src/ref_impl/development.md | 2 +- 3 files changed, 17 insertions(+), 20 deletions(-) 
diff --git a/docs/src/ref_impl/build_and_run.md b/docs/src/ref_impl/build_and_run.md index 1500354cf..fed287144 100644 --- a/docs/src/ref_impl/build_and_run.md +++ b/docs/src/ref_impl/build_and_run.md @@ -76,7 +76,7 @@ Before you begin: 1. Run the command: ``` - nix build github:tiiuae/ghaf#nvidia-jetson-orin-debug-flash-script + nix build github:tiiuae/ghaf#nvidia-jetson-orin-agx-debug-flash-script ``` It will build the Ghaf image and bootloader firmware, and prepare the flashing script. Give "yes" answers to all script questions. The building process takes around 1,5 hours. @@ -107,7 +107,7 @@ After the latest firmware is [flashed](./build_and_run.md#flashing-nvidia-jetson 1. To build the target image, run the command: ``` - nix build github:tiiuae/ghaf#nvidia-jetson-orin-debug + nix build github:tiiuae/ghaf#nvidia-jetson-orin-agx-debug ``` 2. After the build is completed, prepare a USB boot media with the target image you built: ``` diff --git a/docs/src/ref_impl/cross_compilation.md b/docs/src/ref_impl/cross_compilation.md index f2e8a6e67..07840b4f9 100644 --- a/docs/src/ref_impl/cross_compilation.md +++ b/docs/src/ref_impl/cross_compilation.md 
@@ -5,16 +5,27 @@ # Cross-Compilation -> Cross-compilation is currently under development and cannot be used properly on the supported devices. +> Cross-compilation is currently under development and cannot be used properly on all the supported device configurations. Ghaf is targeted at a range of devices and form factors that support different instruction set architectures (ISA). Many small form-factor edge devices are not powerful enough to compile the needed applications or OSs that run on them. As the most common ISA used in desktops and servers is ``x_86``, this will generally require that the code is cross-compiled for target ISA e.g. ``AArch64`` or ``RISC-V``. NixOS and Nixpkgs have good support for cross-compilation, however, there are still some that can not be compiled in this way. +## Cross-Compilation for Microchip Icicle Kit (RISCV64) -## binfmt +An SD image for the Microchip Icicle Kit can be cross-compiled from an x86 machine. To generate the release or debug an SD image run the following command: -[binfmt](https://en.wikipedia.org/wiki/Binfmt_misc) allows running different ISA on a development machine. This is achieved by running the target binary in an emulator such as ``QEMU`` or in a VM. +``` + $> nix build .#packages.riscv64-linux.microchip-icicle-kit- +``` + +## Future Cross-Compilation Support + +This will involve working with upstream package maintainers to ensure that the packages are cross-compilation aware. This will be addressed on a package-by-package basis. + +## binfmt Emulated Build + +[binfmt](https://en.wikipedia.org/wiki/Binfmt_misc) allows running different ISA on a development machine. This is achieved by running the target binary in an emulator such as ``QEMU`` or in a VM. So while not cross-compiled it can enable development for some embedded device configurations. To enable ``binfmt``, we recommend to set the following in your host systems ``configuration.nix``: 
@@ -32,17 +43,3 @@ or boot.kernelModules = [ "kvm-intel" ]; depending on whether your development host is running AMD or Intel processor. - - -## Cross-Compilation for Microchip Icicle Kit (RISCV64) - -An SD image for the Microchip Icicle Kit can be cross-compiled from an x86 machine. To generate the release or debug an SD image run the following command: - -``` - $> nix build .#packages.riscv64-linux.microchip-icicle-kit- -``` - -## Future Cross-Compilation Support - -This will involve working with upstream package maintainers to ensure that the packages are cross-compilation aware. This will be addressed on a package-by-package basis. - diff --git a/docs/src/ref_impl/development.md b/docs/src/ref_impl/development.md index 2af0c08e6..add8711dd 100644 --- a/docs/src/ref_impl/development.md +++ b/docs/src/ref_impl/development.md @@ -13,7 +13,7 @@ Once you are up and running, you can participate in the collaborative developmen If you set up development SSH keys in the [ssh.nix](https://github.com/tiiuae/ghaf/blob/main/modules/development/ssh.nix#L4) module, you can use `nixos-rebuild switch` to quickly deploy your configuration changes to the development board over the network using SSH: - nixos-rebuild --flake .#nvidia-jetson-orin-debug --target-host root@ghaf-host --fast switch + nixos-rebuild --flake .#packages.aarch64-linux.nvidia-jetson-orin-agx-debug --target-host root@ghaf-host --fast switch From 87adcf75a2d70002cc3834296b27b0b742c0ad9e Mon Sep 17 00:00:00 2001 From: Brian McGillion Date: Fri, 14 Jul 2023 11:33:35 +0400 Subject: [PATCH 23/60] use the latest case sensitivity for the flake.lock Signed-off-by: Brian McGillion --- flake.lock | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index 68977339c..c8237e017 100644 --- a/flake.lock +++ b/flake.lock 
@@ -101,28 +101,28 @@
 "locked": {
 "lastModified": 1689060619,
 "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=",
- "owner": "nixos",
+ "owner": "NixOS",
 "repo": "nixos-hardware",
 "rev": "44bc025007e5fcc10dbc3d9f96dcbf06fc0e8c1c",
 "type": "github"
 },
 "original": {
- "owner": "nixos",
+ "owner": "NixOS",
 "repo": "nixos-hardware",
 "type": "github"
 }
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1689048911,
- "narHash": "sha256-pODI2CkjWbSLo5nPMZoLtkRNJU/Nr3VSITXZqqmNtIk=",
- "owner": "nixos",
+ "lastModified": 1689209875,
+ "narHash": "sha256-8AVcBV1DiszaZzHFd5iLc8HSLfxRAuqcU0QdfBEF3Ag=",
+ "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "8163a64662b43848802092d52015ef60777d6129",
+ "rev": "fcc147b1e9358a8386b2c4368bd928e1f63a7df2",
 "type": "github"
 },
 "original": {
- "owner": "nixos",
+ "owner": "NixOS",
 "ref": "nixos-23.05",
 "repo": "nixpkgs",
 "type": "github"
From 010d8b77066dfd04cebfe424de9af35def94ea9d Mon Sep 17 00:00:00 2001
From: Marko Lindqvist Date: Wed, 21 Jun 2023 14:53:20 +0000 Subject: [PATCH 24/60] hydrajobs: Add docs build Signed-off-by: Marko Lindqvist --- hydrajobs.nix | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/hydrajobs.nix b/hydrajobs.nix
index c2d0302f1..8a5841360 100644
--- a/hydrajobs.nix
+++ b/hydrajobs.nix
@@ -7,5 +7,7 @@
 nvidia-jetson-orin-nx-debug.aarch64-linux = self.packages.aarch64-linux.nvidia-jetson-orin-nx-debug;
 intel-vm-debug.x86_64-linux = self.packages.x86_64-linux.vm-debug;
 imx8qm-mek-debug.aarch64-linux = self.packages.aarch64-linux.imx8qm-mek-debug;
+ docs.x86_64-linux = self.packages.x86_64-linux.doc;
+ docs.aarch64-linux = self.packages.aarch64-linux.doc;
 };
 }
From 97126ac7bf4cfc09626bd4042251464de0f6cefe Mon Sep 17 00:00:00 2001
From: Yuri Nesterov Date: Tue, 4 Jul 2023 17:27:17 +0300 Subject: [PATCH 25/60] Add windows launcher for x86_64
Signed-off-by: Yuri Nesterov --- docs/src/research/run_win_vm.md | 73 +++++++++-- modules/windows-launcher/default.nix | 2 +- targets/generic-x86_64.nix | 1 + user-apps/default.nix | 5 +- user-apps/windows-launcher/default.nix | 162 +++++++++++++++++-------- 5 files changed, 172 insertions(+), 71 deletions(-) diff --git a/docs/src/research/run_win_vm.md b/docs/src/research/run_win_vm.md index 8ccd9e644..c7f5be488 100644 --- a/docs/src/research/run_win_vm.md +++ b/docs/src/research/run_win_vm.md 
@@ -5,41 +5,88 @@ # Running Windows 11 in VM on Ghaf -You can run Windows 11 in a VM on Ghaf with NVIDIA Jetson Orin AGX. This method uses [QEMU](https://www.qemu.org/) as VMM. For information on how to build and run a Ghaf image for NVIDIA Jetson Orin AGX, see [Build and Run](../ref_impl/build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx). - +You can run Windows 11 in a VM on Ghaf with NVIDIA Jetson Orin AGX (ARM64) or Generic x86 device. This method uses [QEMU](https://www.qemu.org/) as VMM. For information on how to build and run a Ghaf image, see [Build and Run](../ref_impl/build_and_run.md). ## Getting Windows 11 Image -1. Use your Microsoft account to join the [Windows Insider Program](https://insider.windows.com/en-us/register) to be able to install Windows Insider Preview Builds. -2. On the *Windows 11 on Arm Insider Preview* page, select the `Windows 11 Client Arm64 Insider Preview (Canary) - Build 25324` build and the language to download a VHDX image file for ARM64. -3. Copy *Windows11_InsiderPreview_Client_ARM64_en-us_25324.VHDX* to an external USB drive. Connect the USB drive to the NVIDIA device with the latest version of Ghaf installed, and mount it to some folder. +1. Depending on the device: + * For Generic x86, download Windows 11 ISO ([Win11_22H2_English_x64v2.iso](https://www.microsoft.com/software-download/windows11)) from the Microsoft website. + * For NVIDIA Jetson Orin AGX (ARM64), use your Microsoft account to join the [Windows Insider Program](https://insider.windows.com/en-us/register). On the Windows 11 on Arm Insider Preview page, select the `Windows 11 Client Arm64 Insider Preview (Canary) - Build 25324` build and the language to download a VHDX image file. +2. Copy the image to an external USB drive. Connect the USB drive to the device with the latest version of Ghaf installed, and mount it to some folder. 
``` sudo mkdir /mnt sudo mount /dev/sda /mnt ``` - > **WARNING:** Make sure to use a fresh VHDX image file which has not been booted on some other environment before. - + > **WARNING:** [For NVIDIA Jetson Orin AGX] Make sure to use a fresh VHDX image file that was not booted in another environment before. ## Running Windows 11 in VM +#### Running Windows 11 in VM on ARM64 Device (NVIDIA Jetson Orin AGX) -1. In Weston terminal, go to the directory with the VHDX image and run the VM using the following Ghaf script: +1. In the Weston terminal, go to the directory with the Windows 11 image and run the VM without sudo and as a non-root user using the following Ghaf script: ``` cd /mnt windows-launcher ./Windows11_InsiderPreview_Client_ARM64_en-us_25324.VHDX ``` - > **WARNING:** Do not use **sudo** or the root user to run windows-launcher. +2. Windows 11 requires Internet access to finish the setup. To boot the VM without an Internet connection, open cmd with Shift+F10 and type `OOBE\BYPASSNRO`. After the configuration restart click “I don’t have internet“ to skip the Internet connection step and continue the installation. + + > TIP: If after pressing Shift+F10 the command window is not displayed, try to switch between opened windows by using Alt+Tab. + +#### Running Windows 11 in VM on Generic x86 Device + +On x86_64 device Windows 11 VM can be launched with either an ISO image or QCOW2. + +- For an ISO image, the script creates an empty QCOW2 image in the same directory which is used as a system disk in the VM. +- After installing Windows 11, run the script for the QCOW2 image. + +1. In the Weston terminal, go to the directory with the Windows 11 image and run the VM without sudo and as a non-root user using the following Ghaf script: + + ``` + cd /mnt + windows-launcher ./Win11_22H2_English_x64v2.iso + ``` + +2. When the VM starts booting press any key to boot from a CD. +3. In order to bypass Windows 11 system requirements, open cmd with Shift+F10 and type `regedit`. 
In HKEY_LOCAL_MACHINE\SYSTEM\Setup, right-click New > Key and type LabConfig. For this key create two DWORD (32-bit) parameters: + * Name: `BypassTPMCheck`, value `1`. + * Name: `BypassSecureBootCheck`, value `1`. + + > TIP: [For Ghaf running on a laptop] If after pressing Shift+F10 the command window is not displayed, try again with the Fn key (Shift+Fn+F10) or switch between opened windows by using Alt+Tab. + +4. Install Windows 11 in the VM. +5. Windows 11 requires Internet access to finish the setup. To boot the VM without an Internet connection, open cmd with Shift+F10 and type `OOBE\BYPASSNRO`. After the configuration restart click “I don’t have internet“ to skip the Internet connection step and continue the installation. +6. After the installation is completed the script is launched with the QCOW2 image: + + ``` + windows-launcher ./win11.qcow2 + ``` + +## Using UI to Launch Windows 11 VM - Alternatively, you can launch the Windows 11 VM by clicking the corresponding icon in the Weston taskbar. +Instead of running Windows launcher from the command line it is possible to launch the Windows 11 VM by clicking the corresponding icon in the Weston taskbar. - When you click it for the first time, you will see a file selection dialog. Once Windows 11 image has been selected, it saves the path to the `~/.config/windows-launcher-ui.conf` configuration file and launches the VM. Next time, the VM will be immediately launched with one click. +When you click it for the first time, you will see a file selection dialog. Once Windows 11 image has been selected, it saves the path to the `~/.config/windows-launcher-ui.conf` configuration file and launches the VM. Next time, the VM will be immediately launched with one click. -2. You can pass additional parameter to QEMU after the image name. 
For example: +In order to use a different image instead of the saved one, delete the configuration file: + + ``` + rm ~/.config/windows-launcher-ui.conf + ``` + +## Passing Additional Parameters to QEMU + +It is possible to pass additional parameters to QEMU when running Windows launcher from the command line. + +NVIDIA Jetson Orin AGX (ARM64) example: ``` windows-launcher ./Windows11_InsiderPreview_Client_ARM64_en-us_25324.VHDX -serial stdio ``` -3. Windows 11 requires Internet access to finish the setup. To boot the VM without an Internet connection, open cmd with Shift+F10 and type `OOBE\BYPASSNRO`. The VM will reboot and configuration will continue in offline mode. +Generic x86_64 example: + + ``` + windows-launcher ./win11.qcow2 -serial stdio + ``` \ No newline at end of file diff --git a/modules/windows-launcher/default.nix b/modules/windows-launcher/default.nix index 5a4d970cb..204302fdd 100644 --- a/modules/windows-launcher/default.nix +++ b/modules/windows-launcher/default.nix @@ -17,7 +17,7 @@ in { ghaf.graphics.weston.launchers = [ { path = "${windows-launcher}/bin/windows-launcher-ui"; - icon = "${pkgs.gnome.adwaita-icon-theme}/share/icons/Adwaita/24x24/devices/computer.png"; + icon = "${pkgs.gnome.adwaita-icon-theme}/share/icons/Adwaita/16x16/mimetypes/application-x-executable.png"; } ]; environment.systemPackages = [windows-launcher]; diff --git a/targets/generic-x86_64.nix b/targets/generic-x86_64.nix index 1fec14762..3036f1692 100644 --- a/targets/generic-x86_64.nix +++ b/targets/generic-x86_64.nix @@ -59,6 +59,7 @@ release.enable = variant == "release"; debug.enable = variant == "debug"; }; + windows-launcher.enable = true; }; } diff --git a/user-apps/default.nix b/user-apps/default.nix index 657ee8d8a..11e41a88b 100644 --- a/user-apps/default.nix +++ b/user-apps/default.nix 
@@ -17,10 +17,7 @@ in
 pkgs = nixpkgs.legacyPackages.${system};
 in {
 gala-app = pkgs.callPackage ./gala {};
+ windows-launcher = pkgs.callPackage ./windows-launcher {};
 };
 }))
-
- {
- packages.aarch64-linux.windows-launcher = nixpkgs.legacyPackages.aarch64-linux.callPackage ./windows-launcher {};
- }
 ]
diff --git a/user-apps/windows-launcher/default.nix b/user-apps/windows-launcher/default.nix
index 86cadc95a..59ecd2fea 100644
--- a/user-apps/windows-launcher/default.nix
+++ b/user-apps/windows-launcher/default.nix
@@ -4,76 +4,131 @@ stdenvNoCC, pkgs, lib, + stdenv, ... }: let + ovmfPrefix = + if stdenv.isx86_64 + then "OVMF" + else if stdenv.isAarch64 + then "AAVMF" + else throw "Unsupported architecture"; windowsLauncher = pkgs.writeShellScript "windows-launcher" - '' - if [ $# -eq 0 ]; then + ('' + IMG_FILE=$1 + ISO_FILE="" + if [ $# -eq 0 ]; then + '' + + lib.optionalString stdenv.isAarch64 '' echo "Usage: windows-launcher ./Windows11_InsiderPreview_Client_ARM64_en-us_25324.VHDX" - exit - fi + '' + + lib.optionalString stdenv.isx86_64 '' + echo "Usage: windows-launcher ./Win11_22H2_English_x64v2.iso or ./win11.qcow2" + '' + + '' + exit + fi - if [[ -z "''${WAYLAND_DISPLAY}" ]]; then - echo "Wayland display not found" - exit - fi + if [[ -z "''${WAYLAND_DISPLAY}" ]]; then + echo "Wayland display not found" + exit + fi - IMG_DIR="$(dirname "$1")" - AAVMF_VARS="$IMG_DIR/AAVMF_VARS.fd" + IMG_DIR="$(dirname "$IMG_FILE")" + OVMF_VARS="$IMG_DIR/${ovmfPrefix}_VARS.fd" + OVMF_CODE="$IMG_DIR/${ovmfPrefix}_CODE.fd" - if [ ! -f $AAVMF_VARS ]; then - cp ${pkgs.OVMF.fd}/FV/AAVMF_VARS.fd $AAVMF_VARS - chmod 644 $AAVMF_VARS - fi + if [ ! -f $OVMF_VARS ] || [ ! -f $OVMF_CODE ]; then + cp ${pkgs.OVMF.fd}/FV/${ovmfPrefix}_VARS.fd $OVMF_VARS + cp ${pkgs.OVMF.fd}/FV/${ovmfPrefix}_CODE.fd $OVMF_CODE + chmod 644 $OVMF_VARS + fi + '' + + lib.optionalString stdenv.isx86_64 '' + if [[ $1 == *.iso || $1 == *.ISO ]]; then + ISO_FILE=$1 + IMG_FILE="$IMG_DIR/win11.qcow2" + if [ ! 
-f $IMG_FILE ]; then + ${pkgs.qemu}/bin/qemu-img create -f qcow2 $IMG_FILE 64G + fi + fi + '' + + '' + QEMU_PARAMS=( + "-name \"Windows VM\"" + "-cpu host" + "-enable-kvm" + "-smp 6" + "-m 8G" + "-drive file=$OVMF_CODE,format=raw,if=pflash,readonly=on" + "-drive file=$OVMF_VARS,format=raw,if=pflash" + "-vga none" + "-device ramfb" + "-device virtio-gpu-pci" + "-device qemu-xhci" + "-device usb-kbd" + "-device usb-tablet" + "-nic user,model=virtio" + '' + + lib.optionalString stdenv.isAarch64 '' + "-M virt,highmem=on,gic-version=max" + "-drive file=$IMG_FILE,format=vhdx,if=none,id=boot" + "-device usb-storage,drive=boot,serial=boot,bootindex=1" + ) + '' + + lib.optionalString stdenv.isx86_64 '' + "-drive file=$IMG_FILE,format=qcow2,if=none,id=boot" + "-device nvme,drive=boot,serial=boot,bootindex=1" + ) - ${pkgs.qemu}/bin/qemu-system-aarch64 \ - -name "Windows VM" \ - -M virt,highmem=on,gic-version=max \ - -cpu host \ - -enable-kvm \ - -smp 6 \ - -m 12G \ - -drive file=${pkgs.OVMF.fd}/FV/AAVMF_CODE.fd,format=raw,if=pflash,readonly=on \ - -drive file=$AAVMF_VARS,format=raw,if=pflash \ - -device ramfb \ - -device virtio-gpu-pci \ - -device qemu-xhci \ - -device usb-kbd \ - -device usb-tablet \ - -drive file=$1,format=vhdx,if=none,id=boot \ - -device usb-storage,drive=boot,serial=boot \ - -nic user,model=virtio \ - ''${@:2} - ''; + if [ ! 
-z "$ISO_FILE" ]; then + QEMU_PARAMS+=( + "-drive file=$ISO_FILE,media=cdrom,if=none,id=installcd" + "-device usb-storage,drive=installcd,bootindex=0" + ) + fi + '' + + '' + eval "${pkgs.qemu}/bin/qemu-system-${stdenv.hostPlatform.qemuArch} ''${QEMU_PARAMS[@]} ''${@:2}" + ''); windowsLauncherUI = pkgs.writeShellScript "windows-launcher-ui" - '' - if [[ -z "''${WAYLAND_DISPLAY}" ]]; then - echo "Wayland display not found" - exit - fi + ('' + if [[ -z "''${WAYLAND_DISPLAY}" ]]; then + echo "Wayland display not found" + exit + fi - CONFIG=~/.config/windows-launcher-ui.conf - if [ -f "$CONFIG" ]; then - source $CONFIG - fi + CONFIG=~/.config/windows-launcher-ui.conf + if [ -f "$CONFIG" ]; then + source $CONFIG + fi - if [ ! -f "$FILE" ]; then + if [ ! -f "$FILE" ]; then + '' + + lib.optionalString stdenv.isAarch64 '' FILE=`${pkgs.gnome.zenity}/bin/zenity --file-selection --title="Select Windows VM image (VHDX)"` - if [ ''$? -ne 0 ]; then - exit - else - echo FILE="$FILE" > "$CONFIG" + '' + + lib.optionalString stdenv.isx86_64 '' + FILE=`${pkgs.gnome.zenity}/bin/zenity --file-selection --title="Select Windows VM image (QCOW2 or ISO)"` + '' + + '' + if [ ''$? -ne 0 ]; then + exit + else + if [[ $FILE != *.iso && $FILE != *.ISO ]]; then + echo FILE="$FILE" > "$CONFIG" + fi + fi fi - fi - if ! ${windowsLauncher} $FILE; then - ${pkgs.gnome.zenity}/bin/zenity --error --text="Failed to run Windows VM: $?" - fi - ''; + if ! ${windowsLauncher} $FILE; then + ${pkgs.gnome.zenity}/bin/zenity --error --text="Failed to run Windows VM: $?" + fi + ''); in stdenvNoCC.mkDerivation { name = "windows-launcher"; @@ -89,8 +144,9 @@ in ''; meta = with lib; { - description = "Helper scripts for launching Windows ARM64 virtual machines using QEMU"; + description = "Helper scripts for launching Windows virtual machines using QEMU"; platforms = [ + "x86_64-linux" "aarch64-linux" ]; }; From 472921c33c758247d80b6bae17b80df64d84dabf Mon Sep 17 00:00:00 2001 
From: Marko Lindqvist Date: Thu, 13 Jul 2023 08:53:08 +0000 Subject: [PATCH 26/60] hydrajobs: Add microchip-icicle-kit job Signed-off-by: Marko Lindqvist --- hydrajobs.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hydrajobs.nix b/hydrajobs.nix index 8a5841360..ab06b5c09 100644 --- a/hydrajobs.nix +++ b/hydrajobs.nix @@ -9,5 +9,6 @@ imx8qm-mek-debug.aarch64-linux = self.packages.aarch64-linux.imx8qm-mek-debug; docs.x86_64-linux = self.packages.x86_64-linux.doc; docs.aarch64-linux = self.packages.aarch64-linux.doc; + microchip-icicle-kit-debug.x86_64-linux = self.packages.riscv64-linux.microchip-icicle-kit-debug; }; } From ba13b47b46759a98bd0b2ef1ae7a573ad7854dca Mon Sep 17 00:00:00 2001 From: Jenni Nikolaenko Date: Tue, 18 Jul 2023 14:00:33 +0300 Subject: [PATCH 27/60] Docs: new structure and proofreading Let's try the new structure with ghaf overview, for developers, build system and supply chain, usage scenarios, append. Signed-off-by: Jenni Nikolaenko --- docs/src/SUMMARY.md | 39 +++++++---- docs/src/architecture/adr/minimal-host.md | 2 +- .../adr/platform-bus-passthrough-support.md | 48 ++++++-------- docs/src/architecture/adr/template.md | 10 ++- docs/src/ref_impl/build_and_run.md | 24 ++++--- .../{usage.md => ghaf-based-project.md} | 65 ++++++++++--------- docs/src/ref_impl/modules_options.md | 3 + .../src/ref_impl/reference_implementations.md | 4 +- docs/src/research/research.md | 3 +- .../src/{research => scenarios}/run_win_vm.md | 16 +++-- docs/style_guide.md | 11 +++- 11 files changed, 129 insertions(+), 96 deletions(-) rename docs/src/ref_impl/{usage.md => ghaf-based-project.md} (64%) rename docs/src/{research => scenarios}/run_win_vm.md (94%) diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index 2baa2b24b..4392c4590 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -1,5 +1,7 @@ # Summary +# Overview + - [About Ghaf](index.md) - [Features](features/features.md) - [Architecture](architecture/architecture.md) 
@@ -7,30 +9,43 @@ - [Architecture Decision Records](architecture/adr.md) - [Minimal Host](architecture/adr/minimal-host.md) - [Networking VM](architecture/adr/netvm.md) + - [Platform Bus for Rust VMM](architecture/adr/platform-bus-passthrough-support.md) - [Stack](architecture/stack.md) + +# For Developers + +- [Contributing](appendices/contributing_general.md) +- [Reference Implementations](ref_impl/reference_implementations.md) + - [Development](ref_impl/development.md) + - [Build and Run](ref_impl/build_and_run.md) + - [Cross-Compilation](ref_impl/cross_compilation.md) + - [Ghaf-Based Project](ref_impl/ghaf-based-project.md) + - [Modules Options](ref_impl/modules_options.md) - [Technologies](technologies/technologies.md) - [Passthrough](technologies/passthrough.md) - [NVIDIA Jetson AGX Orin: UART Passthrough](technologies/nvidia_agx_pt_uart.md) - [NVIDIA Jetson AGX Orin: PCIe Passthrough](technologies/nvidia_agx_pt_pcie.md) - [Hypervisor Options](technologies/hypervisor_options.md) -- [Reference Implementations](ref_impl/reference_implementations.md) - - [Usage](ref_impl/usage.md) - - [Modules Options](ref_impl/modules_options.md) - - [Development](ref_impl/development.md) - - [Build and Run](ref_impl/build_and_run.md) - - [Cross-Compilation](ref_impl/cross_compilation.md) + +# Build System and Supply Chain + +- [CI/CD System]() - [Supply Chain Security](scs/scs.md) - [SLSA Framework](scs/slsa-framework.md) - [Basic Security Measures](scs/basics.md) - [Software Bill of Materials](scs/sbom.md) - [Public Key Infrastructure](scs/pki.md) - [Patch Management Automation](scs/patching-automation.md) -- [Research Notes](research/research.md) - - [i.MX 8QM Ethernet Passthrough](research/passthrough/ethernet.md) - - [Running Windows VM on Ghaf](research/run_win_vm.md) +- [Release Notes]() ------------ +# Ghaf Usage Scenarios + +- [Showcases]() + - [Running Windows VM on Ghaf](scenarios/run_win_vm.md) +- [Build Your Environment]() -[Glossary](appendices/glossary.md) 
+----------- -[Contributing](appendices/contributing_general.md) +- [Glossary](appendices/glossary.md) +- [Research Notes](research/research.md) + - [i.MX 8QM Ethernet Passthrough](research/passthrough/ethernet.md) \ No newline at end of file diff --git a/docs/src/architecture/adr/minimal-host.md b/docs/src/architecture/adr/minimal-host.md index 1d517f525..108debea1 100644 --- a/docs/src/architecture/adr/minimal-host.md +++ b/docs/src/architecture/adr/minimal-host.md @@ -7,7 +7,7 @@ ## Status -Proposed +Proposed. ## Context diff --git a/docs/src/architecture/adr/platform-bus-passthrough-support.md b/docs/src/architecture/adr/platform-bus-passthrough-support.md index 2c907a46a..e537d7e08 100644 --- a/docs/src/architecture/adr/platform-bus-passthrough-support.md +++ b/docs/src/architecture/adr/platform-bus-passthrough-support.md 
@@ -3,45 +3,39 @@ SPDX-License-Identifier: CC-BY-SA-4.0 --> -# Platform bus passthrough support for RustVMM-based hypervisors +# rust-vmm—Bus Passthrough Support for Rust VMMs ## Status -Proposed, WIP. +Proposed, work in progress. ## Context -This ADR is WIP notes for Platform bus passthrough implementation for RustVMM-based hypervisors. +This ADR is a work-in-progress note for Ghaf bus passthrough implementation that will support rust-vmm-based hypervisors. -Support for Platform bus devices passthrough is important to have for ARM-based hardware because it's the mainly used bus to connect the peripherials. -Nowdays the only hypervisor that has some support for Platform bus is QEMU, the code is dated 2013 and not frequently used. +> *rust-vmm* is an open-source project that empowers the community to build custom Virtual Machine Monitors (VMMs) and hypervisors. For more information, see . -On the other hand one of the main hardware platforms for GHAF is NVIDIA Orin, that is ARM and to achieve GHAF's security and hardware isolation goals, devices should be passthroughed to virtual machines. +It is crucial to have bus devices passthrough support for ARM-based hardware as the bus is mainly used to connect the peripherals. Nowadays, the only hypervisor with some support for Platform bus is QEMU but the code is dated 2013 and not frequently used. -Production-ready RustVMM-based hypervisors (CrosVM, Firecracker, CloudHypervisor) do not have support for Platform bus, their developers (Google, Amazon, ...) mostly probable are not interested in supporting it because it doesn't align with their business needs. +On the other hand, one of the target hardware devices for Ghaf is NVIDIA Orin with an ARM core. To achieve Ghaf's security and hardware isolation goals, devices should support passthrough mode. 
Production-ready rust-vmm-based hypervisors ([crosvm](https://github.com/google/crosvm), [Firecracker](https://github.com/firecracker-microvm/firecracker), [Cloud Hypervisor](https://www.cloudhypervisor.org/)) do not have support for Platform bus. ## Decision -Implement Platform bus passthrough support for RustVMM that is a base framework for RustVMM-based hypervisors. -After that use this support within production-ready RustVMM-based hypervisors. -The main candidate there is CrosVM, necessity to support Platform bus in other hypervisors are subject to discuss. - -Technically, Platform bus is rather simple bus -- it manages memory mapping and interrupts. Information about devices is not dynamic, but is read from device tree during the boot stage. - -Required components and their existance/use readiness. -- Host kernel side: - - VFIO drivers (to substitute real driver in host kernel) - + - - Host support for device trees + -- Guest kernel side: - - Device drivers for passthrough devices + - - Guest support for device trees + -- RustVMM side: - - Bus support - Needs to be developed - - VMM support for device trees -- rudimental, needs improvement. - -## Consequences - -GHAF's security and hardware isolation goals reached, platform bus devices are passthroughed to virtual machines. +Implementation of Platform bus passthrough is a base framework for Rust VMM. This will make it possible to use this mode within production-ready rust-vmm-based hypervisors. The main candidate here is crosvm. The necessity to support Platform bus in other hypervisors is subject to discussion. Technically, the Platform bus is rather a simple bus: it manages memory mapping and interrupts. Information about devices is not dynamic but is read from the device tree during the boot stage. 
+ +The current status: + +| Required Components | Status of Readiness | +|--- |--- | +| Host kernel side: | | +| VFIO drivers (to substitute real driver in host kernel) | -/+ | +| Host support for device trees | + | +| Guest kernel side: | | +| Device drivers for passthrough devices | + | +| Guest support for device trees | + | +| Rust VMM side: | +| Bus support | Needs to be developed. | +| VMM support for device trees | Rudimental, needs improvement. | diff --git a/docs/src/architecture/adr/template.md b/docs/src/architecture/adr/template.md index f28be2cf6..6ce54adf1 100644 --- a/docs/src/architecture/adr/template.md +++ b/docs/src/architecture/adr/template.md @@ -5,19 +5,23 @@ This is the template for managing the ADR files. In each ADR file, write these sections: + # Title ## Status -What is the status, such as proposed, accepted, rejected, deprecated, superseded, etc.? +What is the status: proposed, accepted, rejected, deprecated, superseded, etc.? + ## Context -What is the issue that we're seeing that is motivating this decision or change? +What is the issue that we are seeing that is motivating this decision or change? + ## Decision -What is the change that we're proposing and/or doing? +What is the change that we are proposing and/or doing? + ## Consequences diff --git a/docs/src/ref_impl/build_and_run.md b/docs/src/ref_impl/build_and_run.md index fed287144..4ada1258d 100644 --- a/docs/src/ref_impl/build_and_run.md +++ b/docs/src/ref_impl/build_and_run.md 
@@ -139,15 +139,13 @@ In the current state of Ghaf, it is a bit tricky to make NVIDIA Jetson Orin AGX ``` 6. After these changes NVIDIA Jetson Orin AGX cannot boot from its internal eMMC. It will boot from the USB device with the correct partition labels. - --- ## Building Ghaf Image for NXP i.MX 8QM-MEK Before you begin, check device-independent [prerequisites](./build_and_run.md#prerequisites). -In the case of i.MX8, Ghaf deployment consists of creating a bootable SD card with a first-stage bootloader (Tow-Boot) and USB media with the Ghaf image.: - +In the case of i.MX8, Ghaf deployment consists of creating a bootable SD card with a first-stage bootloader (Tow-Boot) and USB media with the Ghaf image: 1. To build and flash [**Tow-Boot**](https://github.com/tiiuae/Tow-Boot) bootloader: 
@@ -165,28 +163,28 @@ In the case of i.MX8, Ghaf deployment consists of creating a bootable SD card wi --- + ## Building Ghaf Image for Microchip Icicle Kit Before you begin: * Check device-independent [prerequisites](./build_and_run.md#prerequisites). -* Please make sure HSS version 0.99.35-v2023.02 is programmed in your board eNVM. The version can be seen in pre-bootloader log. - A video guide to build HSS and programming the eNVM is available in the below given link: - [How to build HSS and program the eNVM?](https://www.youtube.com/watch?v=McAt2-6cwd4) +* Make sure HSS version 0.99.35-v2023.02 is programmed in your board eNVM. The version can be seen in the pre-bootloader log. Check the video guide to build HSS and program the eNVM: [How to build HSS and program the eNVM?](https://www.youtube.com/watch?v=McAt2-6cwd4) -In the case of the Icicle Kit, Ghaf deployment consists of creating an SD image with U-Boot and Linux kernel from Microchip, and Ghaf-based NixOS rootfs. +In the case of the Icicle Kit, Ghaf deployment consists of creating an SD image with U-Boot and Linux kernel from Microchip, and Ghaf-based NixOS rootfs: 1. Build a Ghaf SD image: + a. Run the nix build .#packages.riscv64-linux.microchip-icicle-kit-release command to release the image. b. Run the nix build .#packages.riscv64-linux.microchip-icicle-kit-debug command to debug the image. 2. Flash the Ghaf SD image: + * If you want to use a SD card: - a. Prepare the SD card with the target HW image you built: dd if=./result/nixos.img of=/dev/ bs=32M. - b. Insert an SD card into the board and switch the power on. - * If you want to use the onboard MMC: - You can directly flash a NixOS image to onboard an MMC card: dd if=./result/nixos.img of=/dev/ bs=32M. + * Prepare the SD card with the target HW image you built: dd if=./result/nixos.img of=/dev/ bs=32M. + * Insert an SD card into the board and switch the power on. 
-For more information on how to access the MMC card as a USB disk, see [Icicle Kit user guide](https://tinyurl.com/48wycdka). + * If you want to use the onboard MMC: + * You can directly flash a NixOS image to onboard an MMC card: dd if=./result/nixos.img of=/dev/ bs=32M. ---- +For more information on how to access the MMC card as a USB disk, see [MPFS Icicle Kit User Guide](https://tinyurl.com/48wycdka). diff --git a/docs/src/ref_impl/usage.md b/docs/src/ref_impl/ghaf-based-project.md similarity index 64% rename from docs/src/ref_impl/usage.md rename to docs/src/ref_impl/ghaf-based-project.md index f674b2d5e..9fd088b84 100644 --- a/docs/src/ref_impl/usage.md +++ b/docs/src/ref_impl/ghaf-based-project.md 
@@ -3,41 +3,44 @@ SPDX-License-Identifier: CC-BY-SA-4.0 --> -# Usage +# Ghaf-Based Project Ghaf is a framework for creating virtualized edge devices, it is therefore expected that projects wishing to use Ghaf should import it to create a derived work for the specific use case. -In practice, projects should import Ghaf and it's dependencies in an external version control (git) repository. +In practise, projects should import Ghaf and its dependencies into an external version control (git) repository. Ghaf provides templates for the reference hardware to ease this process. In this section: -Ghaf provides templates for the reference hardware to ease this process. This documented describes: - - overview of Ghaf usage and upstream dependencies - - required steps to create a Ghaf-based project - - updating the project to get the latest changes - - customization of the project using Ghaf-modules - and Nix-supported mechanisms + * overview of Ghaf usage and upstream dependencies + * required steps to create a Ghaf-based project + * updating the project to get the latest changes + * customization of the project using Ghaf-modules and Nix-supported mechanisms -## Overview +Ghaf usage in your project is illustrated in the following diagram: -Ghaf usage in your project is illustrated in the following diagram. ![Ghaf Usage Overview](../img/usage_overview.drawio.png "Your project and example inputs from Ghaf and other repositories") -Ghaf platform repository provides declarative modules and reference implementations to help with declaring your customized, secure system. +The Ghaf Platform repository provides declarative modules and reference implementations to help with declaring your customized secure system. -External repositories help with making variety of HW options, system image generators and reference board-support packages available. +External repositories help make various HW options, system image generators, and reference board-support packages available. 
-## Creating a Ghaf-based project - step-by-step -1. Check the available target templates -``` +## Creating Ghaf-Based Project + +1. Check the available target templates: + + ``` nix flake show github:tiiuae/ghaf -``` -2. Select the appropriate template based on reference implementation e.g. `target-aarch64-nvidia-orin-agx` -``` + ``` + +2. Select the appropriate template based on reference implementation, for example, `target-aarch64-nvidia-orin-agx`: + + ``` nix flake new --template github:tiiuae/ghaf#target-aarch64-nvidia-orin-agx ~/ghaf-example wrote: ~/ghaf-example/flake.nix -``` -3. See your project template outputs -``` + ``` + +3. See your project template outputs: + + ``` cd ~/ghaf-example/ nix flake show git+file://~/ghaf-example 
@@ -51,25 +54,27 @@ External repositories help with making variety of HW options, system image gener │ └───PROJ_NAME-ghaf-debug: package 'nixos-disk-image' └───x86_64-linux └───PROJ_NAME-ghaf-debug-flash-script: package 'flash-ghaf' -``` + ``` + +4. Change the placeholder `` to the name of your project `your_project`: + + ``` + sed -i 's/PROJ_NAME/your_project/g' flake.nix + ``` -4. Change the placeholder `` to your new projects name e.g. `cool_project` -``` - sed -i 's/PROJ_NAME/cool_project/g' flake.nix -``` -## Update your Ghaf-based project +## Updating Ghaf-Based Project -To update your project, run `nix flake update`. -This check the inputs for updates and based on availability of the updates, generate an updated `flake.lock` which locks the specific versions to support the reproducible builds without side effects. +To update your project, run `nix flake update`. This check the inputs for updates and based on availability of the updates, generate an updated `flake.lock` which locks the specific versions to support the reproducible builds without side effects. In practice, nix flake will not allow floating inputs but all the inputs and declared packages must be mapped to specific hashes to get exact revisions of your inputs. This mechanism also supports the supply-chain security - if someone changes the upstream project e.g. by over-writing a part of the input so that the hash changes, you will notice. (Believe it or not, this happens even with large HW vendors). After update, review and testing - commit the updated `flake.lock` to your version history to share reproducible builds within your project. -## Customize your Ghaf-based project +## Customizing Ghaf-Based Project To use the Ghaf declarative module system, check what you need in your system and choose the [modules options](./modules_options.md) you need. 
For example, import the ghaf `graphics`-module and declare that you won't need the reference Wayland-compositor Weston and the demo applications: + ``` { ghaf.graphics.weston = { diff --git a/docs/src/ref_impl/modules_options.md b/docs/src/ref_impl/modules_options.md index d89659112..52f7afd98 100644 --- a/docs/src/ref_impl/modules_options.md +++ b/docs/src/ref_impl/modules_options.md @@ -3,3 +3,6 @@ SPDX-License-Identifier: CC-BY-SA-4.0 --> + \ No newline at end of file diff --git a/docs/src/ref_impl/reference_implementations.md b/docs/src/ref_impl/reference_implementations.md index 2ce21a25a..e16215338 100644 --- a/docs/src/ref_impl/reference_implementations.md +++ b/docs/src/ref_impl/reference_implementations.md 
@@ -24,11 +24,11 @@ NixOS, a Linux OS distribution packaged with Nix, provides us with: * to extend and change packages with [overlays](https://nixos.wiki/wiki/Overlays) * to [override](https://nixos.org/guides/nix-pills/override-design-pattern.html) packages -Even when unmodified upstream is often preferred, even ideal, to ensure timely security updates from upstream — customizations are sometimes required. +Even when unmodified upstream is often preferred, even ideal, to ensure timely security updates from upstream—customizations are sometimes required. ### Example -To support a reference board without a vendor board support package (BSP) — bootloader, kernel, device drivers — is often not feasible. With this approach, we can overlay the generic NixOS Linux kernel with the vendor kernel and add a vendor bootloader to build a target image. +To support a reference board without a vendor board support package (BSP)—bootloader, kernel, device drivers—is often not feasible. With this approach, we can overlay the generic NixOS Linux kernel with the vendor kernel and add a vendor bootloader to build a target image. Often the vendor BSPs are also open source but sometimes contain unfree binary blobs from the vendor's hardware. Those are handled by allowing ``unfree`` - if the user agrees with the end-user license agreement (EULA). If not, ``unfree`` support can be dropped along with that part of the BSP support. diff --git a/docs/src/research/research.md b/docs/src/research/research.md index dc5c738df..1eafa57e4 100644 --- a/docs/src/research/research.md +++ b/docs/src/research/research.md @@ -7,5 +7,4 @@ Our experience in research and lessons learned activities: -* [i.MX 8QM platform bus ethernet passthrough](passthrough/ethernet.md) -* [Windows 11 in VM on Ghaf](run_win_vm.md) \ No newline at end of file +* [i.MX 8QM platform bus ethernet passthrough](passthrough/ethernet.md) \ No newline at end of file 
diff --git a/docs/src/research/run_win_vm.md b/docs/src/scenarios/run_win_vm.md similarity index 94% rename from docs/src/research/run_win_vm.md rename to docs/src/scenarios/run_win_vm.md index c7f5be488..e66a6d21f 100644 --- a/docs/src/research/run_win_vm.md +++ b/docs/src/scenarios/run_win_vm.md @@ -7,11 +7,13 @@ You can run Windows 11 in a VM on Ghaf with NVIDIA Jetson Orin AGX (ARM64) or Generic x86 device. This method uses [QEMU](https://www.qemu.org/) as VMM. For information on how to build and run a Ghaf image, see [Build and Run](../ref_impl/build_and_run.md). + ## Getting Windows 11 Image 1. Depending on the device: * For Generic x86, download Windows 11 ISO ([Win11_22H2_English_x64v2.iso](https://www.microsoft.com/software-download/windows11)) from the Microsoft website. * For NVIDIA Jetson Orin AGX (ARM64), use your Microsoft account to join the [Windows Insider Program](https://insider.windows.com/en-us/register). On the Windows 11 on Arm Insider Preview page, select the `Windows 11 Client Arm64 Insider Preview (Canary) - Build 25324` build and the language to download a VHDX image file. + 2. Copy the image to an external USB drive. Connect the USB drive to the device with the latest version of Ghaf installed, and mount it to some folder. ``` @@ -20,7 +22,9 @@ You can run Windows 11 in a VM on Ghaf with NVIDIA Jetson Orin AGX (ARM64) or Ge ``` > **WARNING:** [For NVIDIA Jetson Orin AGX] Make sure to use a fresh VHDX image file that was not booted in another environment before. + ## Running Windows 11 in VM + #### Running Windows 11 in VM on ARM64 Device (NVIDIA Jetson Orin AGX) 1. In the Weston terminal, go to the directory with the Windows 11 image and run the VM without sudo and as a non-root user using the following Ghaf script: 
@@ -34,12 +38,15 @@ You can run Windows 11 in a VM on Ghaf with NVIDIA Jetson Orin AGX (ARM64) or Ge > TIP: If after pressing Shift+F10 the command window is not displayed, try to switch between opened windows by using Alt+Tab. + #### Running Windows 11 in VM on Generic x86 Device -On x86_64 device Windows 11 VM can be launched with either an ISO image or QCOW2. +On x86_64 device Windows 11 VM can be launched with either an ISO image or QCOW2: + + * For an ISO image, the script creates an empty QCOW2 image in the same directory which is used as a system disk in the VM. + * After installing Windows 11, run the script for the QCOW2 image. -- For an ISO image, the script creates an empty QCOW2 image in the same directory which is used as a system disk in the VM. -- After installing Windows 11, run the script for the QCOW2 image. +Do the folowwing: 1. In the Weston terminal, go to the directory with the Windows 11 image and run the VM without sudo and as a non-root user using the following Ghaf script: @@ -50,6 +57,7 @@ On x86_64 device Windows 11 VM can be launched with either an ISO image or QCOW2 2. When the VM starts booting press any key to boot from a CD. 3. In order to bypass Windows 11 system requirements, open cmd with Shift+F10 and type `regedit`. In HKEY_LOCAL_MACHINE\SYSTEM\Setup, right-click New > Key and type LabConfig. For this key create two DWORD (32-bit) parameters: + * Name: `BypassTPMCheck`, value `1`. * Name: `BypassSecureBootCheck`, value `1`. @@ -85,7 +93,7 @@ NVIDIA Jetson Orin AGX (ARM64) example: windows-launcher ./Windows11_InsiderPreview_Client_ARM64_en-us_25324.VHDX -serial stdio ``` -Generic x86_64 example: +Generic x86 example: ``` windows-launcher ./win11.qcow2 -serial stdio diff --git a/docs/style_guide.md b/docs/style_guide.md index bad6584f1..1f3d24895 100644 --- a/docs/style_guide.md +++ b/docs/style_guide.md 
@@ -33,6 +33,10 @@ Writing guidelines: * Do not use parenthesis for additional information, make a separate sentence instead. * Use numbered lists for actions that happen in sequence. * Do not contract the words: use _cannot_ instead of _can’t_. + * Do not use Latin words. For example: + * perform operations, **etc.** ⇒ perform operations, and **so on** + * **e.g.** a Microsoft SQL Server ⇒ **for example**, a Microsoft SQL Server + * **via** the system ⇒ **through** the system * Use “we” for us and our work, use “you” for readers. Do not use “please” to provide instructions, just ask what should be done. * Avoid buzzwords, slang, and jargon. * Readers often scan rather than read, put the important facts first. @@ -124,7 +128,9 @@ To make our Markdown files maintainable over time and across teams, follow the r Capitalize words in the heading according to title case. > Title Case: You Capitalize All Words in the Title Except for the Little Words. -> + +For a hyphenated compound word, capitalize both parts, unless it is an article, preposition, or coordinating conjunction. For example: Step-by-Step, Ghaf-Based, Follow-Up, Non-Functional. + In Ghaf documentation, we do not use articles in headings as soon as the meaning remains clear (compare, for example: "History of China" and "The History of China"). Headlines should be attention grabbers, not full sentences. @@ -193,6 +199,7 @@ In Ghaf documentation, we do not use articles in headings as soon as the meaning ## References For references (additional information on sections, terms and any other issues in a document that require supplementary explanation) use the following combination: + * *for more information on X, see B* * *to learn how to X, see B* 
@@ -214,4 +221,4 @@ Congratulations! You found the Room of Requirement that adjusts itself to its se | cross compilation vs. cross-compilation | In Ghaf documentation, we use **cross-compilation** as a noun or an adjective to describe a compilation that is performed between different devices. Use **cross-compile** as a verb meaning to build on one platform an executable binary that will run on another platform. | -To do: function vs. feature, feature vs. functionality, toward vs. towards. +Happy writing! From 863eec248a2703f43b9275e6da3c044135311963 Mon Sep 17 00:00:00 2001 From: "Alexander V. Nikolaev" Date: Mon, 17 Jul 2023 12:13:40 +0300 Subject: [PATCH 28/60] Backport fixes for perl cross-build Signed-off-by: Alexander V. Nikolaev --- overlays/cross-compilation.nix | 37 +++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/overlays/cross-compilation.nix b/overlays/cross-compilation.nix index 8667ed30f..0cf70230f 100644 --- a/overlays/cross-compilation.nix +++ b/overlays/cross-compilation.nix 
@@ -5,6 +5,41 @@ # {...}: { nixpkgs.overlays = [ - (final: prev: {}) + (final: prev: let + crossCompiling = prev.stdenv.buildPlatform != prev.stdenv.hostPlatform; + filterOutByName = name: builtins.filter (x: (builtins.baseNameOf x) != name); + # FIXME: should be prev.buildPackages.fetchpatch2, why I can't use fetchpatch2 here + crossPatch = builtins.fetchurl { + url = "https://raw.githubusercontent.com/ck3d/nixpkgs/2d6f287f403f11f48bba19e2b2f2a7050592d51a/pkgs/development/interpreters/perl/cross.patch"; + sha256 = "06n6p078m9g12m82z6dz0h0qlkm394af7b21vhwdpjrr6kbjbvf2"; + }; + # function to list patches for debug purposes + tracePatches = xs: map (x: builtins.trace (builtins.toString x) x) xs; + # Attempt to port https://github.com/NixOS/nixpkgs/pull/225640/files to stable branch via overlay + # Also included into https://github.com/NixOS/nixpkgs/pull/241848 (Remove it in next 23.11 stable, if this PR merged) + in rec { + perl536 = prev.perl536.overrideAttrs (old: { + patches = (filterOutByName "MakeMaker-cross.patch" old.patches) ++ prev.lib.optional crossCompiling crossPatch; + }); + perl536Packages = prev.perl536Packages.overrideScope (self: super: { + perl = perl536; # Otherwise ModuleBuild builds with unpatched perl + ModuleBuild = super.ModuleBuild.overrideAttrs (old: { + postConfigure = prev.lib.optionalString crossCompiling '' + # for unknown reason, the first run of Build fails + ./Build || true + ''; + postPatch = prev.lib.optionalString crossCompiling '' + # remove version check since miniperl uses a stub of File::Temp, which do not provide a version: + # https://github.com/arsv/perl-cross/blob/master/cnf/stub/File/Temp.pm + sed -i '/File::Temp/d' \ + Build.PL + + # fix discover perl function, it can not handle a wrapped perl + sed -i "s,\$self->_discover_perl_interpreter,'$(type -p perl)',g" \ + lib/Module/Build/Base.pm + ''; + }); + }); + }) ]; } From 226255a145763e72a07c39adffdf39cac6d21bd6 Mon Sep 17 00:00:00 2001 
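Review bot: `tracePatches` is defined in the `let` block but never used, so it is dead code in an overlay that otherwise carries only what the perl cross-build needs; either apply it where the patch list is assembled (`patches = tracePatches ((filterOutByName ...) ++ ...)`) or drop it. In `postConfigure`, `./Build || true` masks every failure of the first run, not only the unexplained one the comment describes, so a genuine breakage would surface later as a confusing second-run error; at least make it visible in the build log, e.g. `./Build || echo "Build: first run failed (expected, see overlay comment)" >&2`. The `sed` rewrite of `_discover_perl_interpreter` bakes in whatever `type -p perl` resolves to in the build shell, which I assume is the build-platform perl when cross-compiling — worth a one-line comment stating that expectation so a later PATH change does not silently select the wrong interpreter.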
From: Mika Tammi Date: Mon, 24 Jul 2023 20:06:10 +0300 Subject: [PATCH 29/60] Use fetchpatch2 instead of builtins.fetchurl Hydra breaks if using builtins.fetchurl, so use fetchpatch2 instead. Signed-off-by: Mika Tammi --- overlays/cross-compilation.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/overlays/cross-compilation.nix b/overlays/cross-compilation.nix index 0cf70230f..d5ee916dc 100644 --- a/overlays/cross-compilation.nix +++ b/overlays/cross-compilation.nix @@ -8,10 +8,9 @@ (final: prev: let crossCompiling = prev.stdenv.buildPlatform != prev.stdenv.hostPlatform; filterOutByName = name: builtins.filter (x: (builtins.baseNameOf x) != name); - # FIXME: should be prev.buildPackages.fetchpatch2, why I can't use fetchpatch2 here - crossPatch = builtins.fetchurl { + crossPatch = final.buildPackages.fetchpatch2 { url = "https://raw.githubusercontent.com/ck3d/nixpkgs/2d6f287f403f11f48bba19e2b2f2a7050592d51a/pkgs/development/interpreters/perl/cross.patch"; - sha256 = "06n6p078m9g12m82z6dz0h0qlkm394af7b21vhwdpjrr6kbjbvf2"; + sha256 = "sha256-ha7GPgSePU5P/UQpxnIEZD6CyJfDRUsfcysgBoVKrbc="; }; # function to list patches for debug purposes tracePatches = xs: map (x: builtins.trace (builtins.toString x) x) xs; From 2cccbb84d94658073754a5141d9021b078b26f38 Mon Sep 17 00:00:00 2001 
From: Mika Tammi Date: Mon, 24 Jul 2023 22:14:37 +0300 Subject: [PATCH 30/60] Update flake.lock MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'jetpack-nixos': 'github:anduril/jetpack-nixos/ddaff1bfceafb93ea67cb4ef953ba8eff5cf942b' (2023-06-17) → 'github:anduril/jetpack-nixos/ec27d1c4e81d8e5470571782ad58bb1111bce975' (2023-07-21) • Updated input 'microvm': 'github:astro/microvm.nix/018691bf86a70b7e5d24eb37d6aad05ce1c1b12e' (2023-07-09) → 'github:astro/microvm.nix/4b0f24f26638937036dc0dc9e28d2bab4152ef3d' (2023-07-19) • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/9191c85aab6b1a7ad395c13d340f2aa0e3ddf552' (2023-07-07) → 'github:nix-community/nixos-generators/b1171de4d362c022130c92d7c8adc4bf2b83d586' (2023-07-23) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/a92befce80a487380ea5e92ae515fe33cebd3ac6' (2023-07-02) → 'github:nix-community/nixpkgs.lib/02fea408f27186f139153e1ae88f8ab2abd9c22c' (2023-07-16) • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/44bc025007e5fcc10dbc3d9f96dcbf06fc0e8c1c' (2023-07-11) → 'github:NixOS/nixos-hardware/ba9650b14e83b365fb9e731f7d7c803f22d2aecf' (2023-07-24) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/fcc147b1e9358a8386b2c4368bd928e1f63a7df2' (2023-07-13) → 'github:NixOS/nixpkgs/ac1acba43b2f9db073943ff5ed883ce7e8a40a2c' (2023-07-23) Signed-off-by: Mika Tammi --- flake.lock | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index c8237e017..49c992444 100644 --- a/flake.lock +++ b/flake.lock 
@@ -25,11 +25,11 @@ ] }, "locked": { - "lastModified": 1686967443, - "narHash": "sha256-PXIDBOVM8JpMBo/oYrfDHD08AfO/rJKredz3yO/gDeA=", + "lastModified": 1689964252, + "narHash": "sha256-4esn5USqPgWFrmdzaqQUnCwhSW3/Ucg/2RDZLo76MTY=", "owner": "anduril", "repo": "jetpack-nixos", - "rev": "ddaff1bfceafb93ea67cb4ef953ba8eff5cf942b", + "rev": "ec27d1c4e81d8e5470571782ad58bb1111bce975", "type": "github" }, "original": { @@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1688933605, - "narHash": "sha256-eux5CjKmO+6GFoovtckoVo0es1FZ2mzupehDyHuCaCk=", + "lastModified": 1689768420, + "narHash": "sha256-fW43dx0TqeGyjQ6bImWkhOICODQ4cLbkCjcri0c3bxQ=", "owner": "astro", "repo": "microvm.nix", - "rev": "018691bf86a70b7e5d24eb37d6aad05ce1c1b12e", + "rev": "4b0f24f26638937036dc0dc9e28d2bab4152ef3d", "type": "github" }, "original": { @@ -63,11 +63,11 @@ }, "nixlib": { "locked": { - "lastModified": 1688259758, - "narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=", + "lastModified": 1689469483, + "narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6", + "rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c", "type": "github" }, "original": { @@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1688738567, - "narHash": "sha256-yax5BYOfpE0+95kyJmEcfKEdZBaFvCENDogBB4VQB3Q=", + "lastModified": 1690133435, + "narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "9191c85aab6b1a7ad395c13d340f2aa0e3ddf552", + "rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586", "type": "github" }, "original": { 
@@ -99,11 +99,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1689060619, - "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=", + "lastModified": 1690200740, + "narHash": "sha256-aRkEXGmCbAGcvDcdh/HB3YN+EvoPoxmJMOaqRZmf6vM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "44bc025007e5fcc10dbc3d9f96dcbf06fc0e8c1c", + "rev": "ba9650b14e83b365fb9e731f7d7c803f22d2aecf", "type": "github" }, "original": { @@ -114,11 +114,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1689209875, - "narHash": "sha256-8AVcBV1DiszaZzHFd5iLc8HSLfxRAuqcU0QdfBEF3Ag=", + "lastModified": 1690148897, + "narHash": "sha256-l/j/AX1d2K79EWslwgWR2+htkzCbtjKZsS5NbWXnhz4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fcc147b1e9358a8386b2c4368bd928e1f63a7df2", + "rev": "ac1acba43b2f9db073943ff5ed883ce7e8a40a2c", "type": "github" }, "original": { From c376c1ce8062c5af8ffc1bf07d6b5e289fa965d1 Mon Sep 17 00:00:00 2001 From: Julius Koskela Date: Wed, 26 Jul 2023 15:00:01 +0300 Subject: [PATCH 31/60] Correct target name in Nvidia Jetson Agx template flake Signed-off-by: Julius Koskela --- templates/targets/aarch64/nvidia/orin-agx/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/targets/aarch64/nvidia/orin-agx/flake.nix b/templates/targets/aarch64/nvidia/orin-agx/flake.nix index f298f4336..8b7483f2f 100644 --- a/templates/targets/aarch64/nvidia/orin-agx/flake.nix +++ b/templates/targets/aarch64/nvidia/orin-agx/flake.nix @@ -51,7 +51,7 @@ })) { - nixosConfigurations.PROJ_NAME-ghaf-debug = ghaf.nixosConfigurations.nvidia-jetson-orin-debug.extendModules { + nixosConfigurations.PROJ_NAME-ghaf-debug = ghaf.nixosConfigurations.nvidia-jetson-orin-agx-debug.extendModules { modules = [ { #insert your additional modules here e.g. From 8a62c10577a7ff65cdecb28614d5cb78b20f96f2 Mon Sep 17 00:00:00 2001 From: Jon Sahlberg Date: Thu, 22 Jun 2023 12:17:25 +0300 Subject: [PATCH 32/60] doc: Generic vfio setup for passthrough 
Signed-off-by: Jon Sahlberg --- docs/src/SUMMARY.md | 6 +++ docs/src/technologies/passthrough.md | 5 +- docs/src/technologies/vfio.md | 70 ++++++++++++++++++++++++++++ 3 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 docs/src/technologies/vfio.md diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index 4392c4590..bf238e1f8 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -1,3 +1,8 @@ + + # Summary # Overview @@ -23,6 +28,7 @@ - [Modules Options](ref_impl/modules_options.md) - [Technologies](technologies/technologies.md) - [Passthrough](technologies/passthrough.md) + - [Binding Device to VFIO Driver](technologies/vfio.md) - [NVIDIA Jetson AGX Orin: UART Passthrough](technologies/nvidia_agx_pt_uart.md) - [NVIDIA Jetson AGX Orin: PCIe Passthrough](technologies/nvidia_agx_pt_pcie.md) - [Hypervisor Options](technologies/hypervisor_options.md) diff --git a/docs/src/technologies/passthrough.md b/docs/src/technologies/passthrough.md index e0a1fd0f3..f55f38048 100644 --- a/docs/src/technologies/passthrough.md +++ b/docs/src/technologies/passthrough.md @@ -8,6 +8,9 @@ Devices passthrough to virtual machines (VM) allows us to isolate the device drivers and their memory access in one or several VMs. This reduces the Trusted Code Base (TCB) in the host, due to the passed-through device drivers can be removed completely from the host kernel. +Whether the device platform is x86 or ARM, the passthrough device needs to be bound to the VFIO device driver by the host system before it can be passed through to the guest environment. For more information, see [Binding Device to VFIO Driver](vfio.md). + + Our current supported passthrough devices implementations: - [NVIDIA Jetson AGX Orin: UART Passthrough](nvidia_agx_pt_uart.md) -- [NVIDIA Jetson AGX Orin: PCIe Passthrough](nvidia_agx_pt_pcie.md) \ No newline at end of file +- [NVIDIA Jetson AGX Orin: PCIe Passthrough](nvidia_agx_pt_pcie.md) 
diff --git a/docs/src/technologies/vfio.md b/docs/src/technologies/vfio.md new file mode 100644 index 000000000..c37f15060 --- /dev/null +++ b/docs/src/technologies/vfio.md 
@@ -0,0 +1,70 @@ + + +# Binding Devices to VFIO Driver to Allow Passthrough + +An example of binding a PCI device to the VFIO driver manually: + +``` +export DEVICE="0001:01:00.0" +export VENDOR_ID=$(cat /sys/bus/pci/devices/$DEVICE/vendor) +export DEVICE_ID=$(cat /sys/bus/pci/devices/$DEVICE/device) + +echo "$DEVICE" > /sys/bus/pci/devices/$DEVICE/driver/unbind + +echo "$VENDOR_ID $DEVICE_ID" > /sys/bus/pci/drivers/vfio-pci/new_id +``` + +Similar approach also works for platform devices. The device path for platform + devices is `/sys/bus/platform/devices/$DEVICE/`. + +``` +export DEVICE="31d0000.serial" +echo vfio-platform > /sys/bus/platform/devices/$DEVICE/driver_override +echo "$DEVICE" > /sys/bus/platform/drivers/vfio-platform/bind +``` + + +## Using driverctl Package + +[driverctl](https://gitlab.com/driverctl/driverctl) is an open-source device +driver control utility for Linux systems. With `driverctl` it is easier to set +up VFIO or change the driver for a device: + +``` +export DEVICE="0001:01:00.0" +driverctl --nosave set-override ${DEVICE} vfio-pci +``` + +or for platform bus device passthrough +``` +export DEVICE="31d0000.serial" +driverctl --nosave --bus platform set-override ${DEVICE} vfio-platform +``` + +It is important to note that by default `driverctl` stores the set driver +overrides and reactivates the override after a device reboot. With VFIO this +can cause issues since some hardware devices may be required while the device +starts up. This behavior can be effected by using the `--nosave` option as in +the example above so that the override is reset back to default at reboot. + +The `driverctl` tool also features a way to list devices based on their bus type + with the `list-devices` command. 
+ + ``` +# Default usage of the tool is for pci bus +driverctl list-devices + +# Using command line option --bus platform sets the usage for platform bus +driverctl --bus platform list-devices +``` + +driverctl can also reset the default driver by using the `unset-override` +command. + +``` +export DEVICE="0001:01:00.0" +driverctl unset-override ${DEVICE} +``` From ee2b855c102becd6d3c34fe60c0cfcfd724fdc4b Mon Sep 17 00:00:00 2001 From: Mika Tammi Date: Wed, 26 Jul 2023 22:42:17 +0300 Subject: [PATCH 33/60] templates: fix Orin NX template Signed-off-by: Mika Tammi --- templates/targets/aarch64/nvidia/orin-nx/flake.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/targets/aarch64/nvidia/orin-nx/flake.nix b/templates/targets/aarch64/nvidia/orin-nx/flake.nix index d825da9b7..0710be64e 100644 --- a/templates/targets/aarch64/nvidia/orin-nx/flake.nix +++ b/templates/targets/aarch64/nvidia/orin-nx/flake.nix @@ -51,7 +51,7 @@ })) { - nixosConfigurations.PROJ_NAME-ghaf-debug = ghaf.nixosConfigurations.nvidia-jetson-orin-debug.extendModules { + nixosConfigurations.PROJ_NAME-ghaf-debug = ghaf.nixosConfigurations.nvidia-jetson-orin-nx-debug.extendModules { modules = [ { #insert your additional modules here e.g. @@ -60,7 +60,7 @@ } ]; }; - packages.aarch64-linux.PROJ_NAME-ghaf-debug = self.nixosConfigurations.PROJ_NAME-ghaf-debug.config.system.build.${self.nixosConfigurations.fog-ghaf-debug.config.formatAttr}; + packages.aarch64-linux.PROJ_NAME-ghaf-debug = self.nixosConfigurations.PROJ_NAME-ghaf-debug.config.system.build.${self.nixosConfigurations.PROJ_NAME-ghaf-debug.config.formatAttr}; packages.x86_64-linux.PROJ_NAME-ghaf-debug-flash-script = mkFlashScript { inherit nixpkgs jetpack-nixos; From dc3775cf9e141989a863835bd756d266c94f4fda Mon Sep 17 00:00:00 2001 From: Jon Sahlberg Date: Thu, 22 Jun 2023 12:28:07 +0300 Subject: [PATCH 34/60] doc: Crosvm x86 pcie passthrough 
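Review bot: The rewritten `packages.aarch64-linux.PROJ_NAME-ghaf-debug` line in the orin-nx template still spells out `self.nixosConfigurations.PROJ_NAME-ghaf-debug.config` twice, which is exactly how the stale `fog-ghaf-debug` name survived until this patch; binding the path once, `packages.aarch64-linux.PROJ_NAME-ghaf-debug = let cfg = self.nixosConfigurations.PROJ_NAME-ghaf-debug.config; in cfg.system.build.${cfg.formatAttr};`, removes the duplication. The sibling orin-agx template received only the one-line target-name fix in patch 31, so it is worth checking whether its `packages` line carries the same stale reference. The attribute set these lines belong to starts and ends outside both hunks.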
Signed-off-by: Jon Sahlberg --- docs/src/SUMMARY.md | 1 + docs/src/technologies/passthrough.md | 1 + docs/src/technologies/x86_pcie_crosvm.md | 53 ++++++++++++++++++++++++ 3 files changed, 55 insertions(+) create mode 100644 docs/src/technologies/x86_pcie_crosvm.md diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index bf238e1f8..2f42bf507 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -31,6 +31,7 @@ - [Binding Device to VFIO Driver](technologies/vfio.md) - [NVIDIA Jetson AGX Orin: UART Passthrough](technologies/nvidia_agx_pt_uart.md) - [NVIDIA Jetson AGX Orin: PCIe Passthrough](technologies/nvidia_agx_pt_pcie.md) + - [Generic x86: PCIe Passthrough on crosvm](technologies/x86_pcie_crosvm.md) - [Hypervisor Options](technologies/hypervisor_options.md) # Build System and Supply Chain diff --git a/docs/src/technologies/passthrough.md b/docs/src/technologies/passthrough.md index f55f38048..8d08c1c7a 100644 --- a/docs/src/technologies/passthrough.md +++ b/docs/src/technologies/passthrough.md @@ -14,3 +14,4 @@ Whether the device platform is x86 or ARM, the passthrough device needs to be bo Our current supported passthrough devices implementations: - [NVIDIA Jetson AGX Orin: UART Passthrough](nvidia_agx_pt_uart.md) - [NVIDIA Jetson AGX Orin: PCIe Passthrough](nvidia_agx_pt_pcie.md) +- [Generic x86: PCIe Passthrough on crosvm](x86_pcie_crosvm.md) diff --git a/docs/src/technologies/x86_pcie_crosvm.md b/docs/src/technologies/x86_pcie_crosvm.md new file mode 100644 index 000000000..bb7673f9b --- /dev/null +++ b/docs/src/technologies/x86_pcie_crosvm.md 
@@ -0,0 +1,53 @@ + + +# x86 PCIe Device Passthrough with crosvm + + +## Enabling PCIe Devices for VFIO with driverctl + +As with other passthroughs, first, we need to set the target device to use VFIO + driver. This can be done manually or by using the [driverctl](https://gitlab.com/driverctl/driverctl) tool as below. + +> Running driverctl requires root permissions. + +``` +export BUS="0000:01:00.0" +driverctl --nosave set-override ${BUS} vfio-pci +``` + +Let's consider the example of starting crosvm. + +In some cases, crosvm may need privileged permissions to work properly. This +applies specially for passthrough hardware devices as vfio devices are +generally owned by the root user or the vfio group. For simplicity, it may be +easier to run crosvm as the root user but it is be possible to set up correct +permissions so that running as root is not needed. + +Crosvm expects the device's system path as its `--vfio` argument. + The device identifier is different when comparing how passthrough devices are + refrenced in QEMU. Using the `guest-address` option is not strictly required + by the source documentation but it gives a bit more control for handling the + passthrough device on the guest side. + +``` +export BUS="0000:01:00.0" +export GUESTBUS="00:08.0" +./target/debug/crosvm run \ + --mem=8192 \ + --block ./ubuntu-22.10.img \ + -i /boot/initrd.img-5.19.0-31-generic /boot/vmlinuz-5.19.0-31-generic \ + -p "root=/dev/vda2 loglevel=8 earlycon earlyprintk debug" \ + --vfio /sys/bus/pci/devices/${BUS},guest-address=${GUESTBUS},iommu=viommu +``` + + +## Reseting Driver to Original State Afterwards + +The driverctl tool can reset the original device driver afterward: +``` +export BUS="0000:01:00.0" +driverctl unset-override ${BUS} +``` \ No newline at end of file From cd1caf60dd62682e25ea95b3b91015c4272ba7e0 Mon Sep 17 00:00:00 2001 From: Mika Tammi Date: Sat, 29 Jul 2023 05:13:24 +0300 Subject: [PATCH 35/60] Add libjack2 to cross-compilation overlay 
Signed-off-by: Mika Tammi --- overlays/cross-compilation.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/overlays/cross-compilation.nix b/overlays/cross-compilation.nix index d5ee916dc..6841d35c4 100644 --- a/overlays/cross-compilation.nix +++ b/overlays/cross-compilation.nix @@ -39,6 +39,15 @@ ''; }); }); + # TODO: Remove if this PR gets backported to nixos-23.05 + # https://github.com/NixOS/nixpkgs/pull/245228 + libjack2 = prev.libjack2.overrideAttrs (old: { + prePatch = '' + ''; + postPatch = '' + patchShebangs --build svnversion_regenerate.sh + ''; + }); }) ]; } From bf18061a6f81e708408bca10621291f802fa4c90 Mon Sep 17 00:00:00 2001 From: Mika Tammi Date: Sat, 29 Jul 2023 05:14:44 +0300 Subject: [PATCH 36/60] Update flake.lock MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'jetpack-nixos': 'github:anduril/jetpack-nixos/ec27d1c4e81d8e5470571782ad58bb1111bce975' (2023-07-21) → 'github:anduril/jetpack-nixos/f6de47bd2ff24bb99459f01d04c324dce335aff9' (2023-07-29) • Updated input 'microvm': 'github:astro/microvm.nix/4b0f24f26638937036dc0dc9e28d2bab4152ef3d' (2023-07-19) → 'github:astro/microvm.nix/062fd71f2a8f25c5d80864eb99bdff98e1684efb' (2023-07-24) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/ac1acba43b2f9db073943ff5ed883ce7e8a40a2c' (2023-07-23) → 'github:NixOS/nixpkgs/48e82fe1b1c863ee26a33ce9bd39621d2ada0a33' (2023-07-28) Signed-off-by: Mika Tammi --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 49c992444..d73fac927 100644 --- a/flake.lock +++ b/flake.lock 
@@ -25,11 +25,11 @@ ] }, "locked": { - "lastModified": 1689964252, - "narHash": "sha256-4esn5USqPgWFrmdzaqQUnCwhSW3/Ucg/2RDZLo76MTY=", + "lastModified": 1690589233, + "narHash": "sha256-+ctn11e/veom4cavSuEB1voBy18hP/FOTjXUwub2Hq0=", "owner": "anduril", "repo": "jetpack-nixos", - "rev": "ec27d1c4e81d8e5470571782ad58bb1111bce975", + "rev": "f6de47bd2ff24bb99459f01d04c324dce335aff9", "type": "github" }, "original": { @@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1689768420, - "narHash": "sha256-fW43dx0TqeGyjQ6bImWkhOICODQ4cLbkCjcri0c3bxQ=", + "lastModified": 1690231039, + "narHash": "sha256-O5mIDXhe4FAEdRpoVxVtg003/UUNweUTu14cdNT8SLE=", "owner": "astro", "repo": "microvm.nix", - "rev": "4b0f24f26638937036dc0dc9e28d2bab4152ef3d", + "rev": "062fd71f2a8f25c5d80864eb99bdff98e1684efb", "type": "github" }, "original": { @@ -114,11 +114,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690148897, - "narHash": "sha256-l/j/AX1d2K79EWslwgWR2+htkzCbtjKZsS5NbWXnhz4=", + "lastModified": 1690558459, + "narHash": "sha256-5W7y1l2cLYPkpJGNlAja7XW2X2o9rjf0O1mo9nxS9jQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ac1acba43b2f9db073943ff5ed883ce7e8a40a2c", + "rev": "48e82fe1b1c863ee26a33ce9bd39621d2ada0a33", "type": "github" }, "original": { From 69aa97d7f78f1ec0cfe0c633dd78a1c862c5e60a Mon Sep 17 00:00:00 2001 From: Mika Tammi Date: Sat, 29 Jul 2023 21:00:18 +0300 Subject: [PATCH 37/60] Update flake.lock MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'microvm': 'github:astro/microvm.nix/062fd71f2a8f25c5d80864eb99bdff98e1684efb' (2023-07-24) → 'github:astro/microvm.nix/38260452faac611b03cb8a03cf4ba78999587f5e' (2023-07-29) Signed-off-by: Mika Tammi --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index d73fac927..513407b0b 100644 --- a/flake.lock +++ b/flake.lock 
@@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1690231039, - "narHash": "sha256-O5mIDXhe4FAEdRpoVxVtg003/UUNweUTu14cdNT8SLE=", + "lastModified": 1690637422, + "narHash": "sha256-hSEkpMhbQUcYLkKwOM5NiaSQ78NdPkosqcYc1TyMog8=", "owner": "astro", "repo": "microvm.nix", - "rev": "062fd71f2a8f25c5d80864eb99bdff98e1684efb", + "rev": "38260452faac611b03cb8a03cf4ba78999587f5e", "type": "github" }, "original": { From f84059c7acd36d943f00467f3b951d8bb098b0d9 Mon Sep 17 00:00:00 2001 From: Mika Tammi Date: Thu, 3 Aug 2023 01:08:23 +0300 Subject: [PATCH 38/60] Cache NVIDIA Jetson Orin cross-compiled packages Add toplevel derivations of cross-compiled NVIDIA Jetson Orin configurations to Hydra jobs, to cache cross-compiled packages. Signed-off-by: Mika Tammi --- hydrajobs.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hydrajobs.nix b/hydrajobs.nix index ab06b5c09..91c915325 100644 --- a/hydrajobs.nix +++ b/hydrajobs.nix @@ -10,5 +10,9 @@ docs.x86_64-linux = self.packages.x86_64-linux.doc; docs.aarch64-linux = self.packages.aarch64-linux.doc; microchip-icicle-kit-debug.x86_64-linux = self.packages.riscv64-linux.microchip-icicle-kit-debug; + + # Build these toplevel derivations to cache cross-compiled packages + nvidia-jetson-orin-agx-debug-from-x86_64-toplevel.x86_64-linux = self.nixosConfigurations.nvidia-jetson-orin-agx-debug-from-x86_64.config.system.build.toplevel; + nvidia-jetson-orin-nx-debug-from-x86_64-toplevel.x86_64-linux = self.nixosConfigurations.nvidia-jetson-orin-nx-debug-from-x86_64.config.system.build.toplevel; }; } From 4317cd4f587dc3b81adcdcc8a8d1c0818b1fb6f2 Mon Sep 17 00:00:00 2001 From: Ivan Nikolaenko Date: Tue, 1 Aug 2023 11:07:32 +0300 Subject: [PATCH 39/60] weston.ini: Keep weston-terminal launcher When adding launchers on weston panel, new launchers override existing weston-terminal launcher which has to be enabled explicitly in this case. 
Signed-off-by: Ivan Nikolaenko --- modules/graphics/weston.ini.nix | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/modules/graphics/weston.ini.nix b/modules/graphics/weston.ini.nix index 7be80d886..256b0d6fc 100644 --- a/modules/graphics/weston.ini.nix +++ b/modules/graphics/weston.ini.nix @@ -26,14 +26,16 @@ mkLaunchers = lib.concatMapStrings mkLauncher; gala-app = pkgs.callPackage ../../user-apps/gala {}; - demoLaunchers = [ - # Add application launchers - # Adding terminal launcher because it is overwritten if other launchers are on the panel + defaultLauncher = [ + # Keep weston-terminal launcher always enabled explicitly since if someone adds + # a launcher on the panel, the launcher will replace weston-terminal launcher. { path = "${pkgs.weston}/bin/weston-terminal"; icon = "${pkgs.weston}/share/weston/icon_terminal.png"; } - + ]; + demoLaunchers = [ + # Add application launchers { path = "${pkgs.chromium}/bin/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland"; icon = "${pkgs.chromium}/share/icons/hicolor/24x24/apps/chromium.png"; @@ -76,7 +78,7 @@ in { }; config = lib.mkIf cfg.enable { - ghaf.graphics.weston.launchers = lib.optionals cfg.enableDemoApplications demoLaunchers; + ghaf.graphics.weston.launchers = defaultLauncher ++ lib.optionals cfg.enableDemoApplications demoLaunchers; environment.systemPackages = with pkgs; lib.optionals cfg.enableDemoApplications [ # Graphical applications From 559d00b18cc4e019123b8e23fe6f45497eb867c9 Mon Sep 17 00:00:00 2001 From: Mika Tammi Date: Fri, 4 Aug 2023 04:51:49 +0300 Subject: [PATCH 40/60] Cache versions without demo apps Demoapps fail to cross-compile currontly, so add another versions of NVIDIA Jetson Orin hydra jobs, which don't include demo apps. Signed-off-by: Mika Tammi --- flake.nix | 2 +- hydrajobs.nix | 29 +++++++++++++++++++++++++++-- 2 files changed, 28 insertions(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index 5e908e38e..2a8e90c7f 100644 
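Review bot: `defaultLauncher` holds a list, so the plural `defaultLaunchers` would match `demoLaunchers` and `mkLaunchers` in the same file, and the assignment then reads `ghaf.graphics.weston.launchers = defaultLaunchers ++ lib.optionals cfg.enableDemoApplications demoLaunchers;`. The comment above the entry could also state the consequence for anyone reading the module options, e.g. `# Always on the panel when ghaf.graphics.weston is enabled, independent of enableDemoApplications.`. The `let` block and the `config` attribute set both start outside their hunks.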
--- a/flake.nix +++ b/flake.nix @@ -91,7 +91,7 @@ (import ./user-apps {inherit lib nixpkgs flake-utils;}) # Hydra jobs - (import ./hydrajobs.nix {inherit self;}) + (import ./hydrajobs.nix {inherit self lib;}) #templates (import ./templates) diff --git a/hydrajobs.nix b/hydrajobs.nix index 91c915325..331e3c5c9 100644 --- a/hydrajobs.nix +++ b/hydrajobs.nix @@ -1,7 +1,14 @@ # Copyright 2022-2023 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{self}: { - hydraJobs = { +{ + self, + lib, +}: { + hydraJobs = let + disableDemoAppsModule = { + ghaf.graphics.weston.enableDemoApplications = lib.mkForce false; + }; + in { generic-x86_64-debug.x86_64-linux = self.packages.x86_64-linux.generic-x86_64-debug; nvidia-jetson-orin-agx-debug.aarch64-linux = self.packages.aarch64-linux.nvidia-jetson-orin-agx-debug; nvidia-jetson-orin-nx-debug.aarch64-linux = self.packages.aarch64-linux.nvidia-jetson-orin-nx-debug; @@ -14,5 +21,23 @@ # Build these toplevel derivations to cache cross-compiled packages nvidia-jetson-orin-agx-debug-from-x86_64-toplevel.x86_64-linux = self.nixosConfigurations.nvidia-jetson-orin-agx-debug-from-x86_64.config.system.build.toplevel; nvidia-jetson-orin-nx-debug-from-x86_64-toplevel.x86_64-linux = self.nixosConfigurations.nvidia-jetson-orin-nx-debug-from-x86_64.config.system.build.toplevel; + + # Build also cross-compiled toplevel derivations without demo apps + nvidia-jetson-orin-agx-debug-from-x86_64-nodemoapps-toplevel.x86_64-linux = + (self.nixosConfigurations.nvidia-jetson-orin-agx-debug-from-x86_64.extendModules { + modules = [disableDemoAppsModule]; + }) + .config + .system + .build + .toplevel; + nvidia-jetson-orin-nx-debug-from-x86_64-nodemoapps-toplevel.x86_64-linux = + (self.nixosConfigurations.nvidia-jetson-orin-nx-debug-from-x86_64.extendModules { + modules = [disableDemoAppsModule]; + }) + .config + .system + .build + .toplevel; }; } From 49846a417c72d9c9ca83d362d53fbbd98185bc45 Mon Sep 17 00:00:00 2001 
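Review bot: The two `-nodemoapps-toplevel` jobs in hydrajobs.nix repeat the same seven-line `extendModules … .config.system.build.toplevel` chain; a helper next to `disableDemoAppsModule` in the `let`, `mkNoDemoAppsToplevel = cfg: (cfg.extendModules { modules = [disableDemoAppsModule]; }).config.system.build.toplevel;`, reduces each job to one line such as `nvidia-jetson-orin-agx-debug-from-x86_64-nodemoapps-toplevel.x86_64-linux = mkNoDemoAppsToplevel self.nixosConfigurations.nvidia-jetson-orin-agx-debug-from-x86_64;`. Both hydrajobs.nix hunks belong to the same `hydraJobs` attribute set, whose middle lies between them outside the hunks.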
From: Yuri Nesterov Date: Fri, 4 Aug 2023 16:50:42 +0300 Subject: [PATCH 41/60] doc: add instructions how to run Cuttlefish (Android VM) Signed-off-by: Yuri Nesterov --- docs/src/SUMMARY.md | 1 + docs/src/scenarios/run_cuttlefish.md | 103 +++++++++++++++++++++++++++ 2 files changed, 104 insertions(+) create mode 100644 docs/src/scenarios/run_cuttlefish.md diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index 2f42bf507..488de19ba 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -49,6 +49,7 @@ - [Showcases]() - [Running Windows VM on Ghaf](scenarios/run_win_vm.md) + - [Running Cuttlefish on Ghaf](scenarios/run_cuttlefish.md) - [Build Your Environment]() ----------- diff --git a/docs/src/scenarios/run_cuttlefish.md b/docs/src/scenarios/run_cuttlefish.md new file mode 100644 index 000000000..603fdb414 --- /dev/null +++ b/docs/src/scenarios/run_cuttlefish.md 
@@ -0,0 +1,103 @@ + + +# Running Android Cuttlefish Virtual Device on Ghaf + +Cuttlefish is a configurable virtual Android device (virtual-machine based Android emulator) that can run both remotely (using third-party cloud offerings such as Google Cloud Engine) and locally (on Linux x86 machines). For more information about Cuttlefish, see the official [Cuttlefish Virtual Android Devices](https://source.android.com/docs/setup/create/cuttlefish) documentation. + +You can run Android as a VM on Ghaf for testing and development purposes using NVIDIA Jetson Orin AGX (ARM64) or Generic x86. + + +## Installing Cuttlefish + +1. Download *host_package* (includes binaries and scripts that must be run on the host machine to set up and run the Cuttlefish virtual device) and *aosp_cf_phone-img* (a system image) files from the Android CI server and copy them to Ghaf: + + * For NVIDIA Jetson Orin AGX (ARM64): [cvd-host_package.tar.gz](https://ci.android.com/builds/submitted/9970479/aosp_cf_arm64_phone-userdebug/latest/cvd-host_package.tar.gz) and [aosp_cf_arm64_phone-img-9970479.zip](https://ci.android.com/builds/submitted/9970479/aosp_cf_arm64_phone-userdebug/latest/aosp_cf_arm64_phone-img-9970479.zip) + * For Generic x86: [cvd-host_package.tar.gz](https://ci.android.com/builds/submitted/9970479/aosp_cf_x86_64_phone-userdebug/latest/cvd-host_package.tar.gz) and [aosp_cf_x86_64_phone-img-9970479.zip](https://ci.android.com/builds/submitted/9970479/aosp_cf_x86_64_phone-userdebug/latest/aosp_cf_x86_64_phone-img-9970479.zip) + + > Download a host package from the same build as the image. + +2. Make sure Internet connection is working in Ghaf. If the system gets an IP address but the DNS server is not responding, set the correct date and time. + +3. [For x86_64 only] Install the required packages: + + ``` + NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix-env -i python3 openssl bash unzip + ``` + +4. 
Create some hackish links that are required for running Cuttlefish: + + ``` + sudo ln -s $(which mv) /bin/mv + sudo ln -s $(which bash) /bin/bash + sudo mkdir -p /usr/lib/cuttlefish-common/bin/ + sudo touch /usr/lib/cuttlefish-common/bin/capability_query.py + sudo chmod 755 /usr/lib/cuttlefish-common/bin/capability_query.py + sudo groupadd -f cvdnetwork + sudo usermod -aG cvdnetwork $USER + sudo usermod -aG kvm $USER + sudo su ghaf + ``` + +5. Change directory to the one that contains host package and image files and extract them: + + * For NVIDIA Jetson Orin AGX (ARM64): + ``` + tar xvf cvd-host_package.tar.gz + unzip aosp_cf_arm64_phone-img-9970479.zip + ``` + + * For Generic x86: + ``` + tar xvf cvd-host_package.tar.gz + unzip aosp_cf_x86_64_phone-img-9970479.zip + ``` + +6. [For x86_64 only] Extra steps to fix missing dependencies: + * Find ld-linux-x86-64.so.2 and create a link in `/lib64`: + + ``` + sudo find /nix/store -name ld-linux-x86-64.so.2 + sudo mkdir /lib64 + sudo ln -s /nix/store/dg8mpqqykmw9c7l0bgzzb5znkymlbfjw-glibc-2.37-8/lib/ld-linux-x86-64.so.2 /lib64 + ``` + + * Find libdrm.so.2 in the `/nix/store` and copy it to the lib64 directory where the host package was extracted: + + ``` + sudo find /nix/store -name libdrm.so.2 + cp /nix/store/2jdx0r0yiz1k38ra0diwqm5akb0k1rjh-libdrm-2.4.115/lib/ ./lib64 + ``` + + +## Running Cuttlefish + +Go to the directory with exctacted host package and image files and run Cuttlefish: + +``` +HOME=$PWD ./bin/launch_cvd -report_anonymous_usage_stats=n +``` + +It will take some time to load. There should be the following messages in the console when the VM is booted and ready to use: + +``` +VIRTUAL_DEVICE_DISPLAY_POWER_MODE_CHANGED +VIRTUAL_DEVICE_BOOT_STARTED +VIRTUAL_DEVICE_BOOT_COMPLETED +Virtual device booted successfully +``` + + +## Connecting to Cuttlefish Device + +1. Run the Chromium browser by clicking on the corresponding icon in Weston and navigate to . 
Ignore a warning about the SSL certificate (“Your connection is not private“) and click **Advanced** > **Proceed to 127.0.0.1 (unsafe)**. + +2. Click the **cvd-1 Connect** button. A new tab with an Android VM window will be opened. + +3. [Optionally] You can close the browser and use the following command to open a standalone window with an Android VM: + +``` +chromium-browser --enable-features=UseOzonePlatform --ozone-platform=wayland --new-window --app=https://127.0.0.1:8443/client.html?deviceId=cvd-1 +``` \ No newline at end of file From 0d0836dc65286ca6b2b06afbdb7b4a1878da95b1 Mon Sep 17 00:00:00 2001 From: Henri Rosten Date: Thu, 22 Jun 2023 10:57:31 +0300 Subject: [PATCH 42/60] docs: Add Ghaf security fix automation section Under SCS documentation, add a section for security fix automation. Signed-off-by: Henri Rosten --- docs/src/img/ghaf-security-fix-automation.svg | 268 ++++++++++++++ docs/src/img/ghaf-security-fix-automation.uxf | 331 ++++++++++++++++++ docs/src/scs/ghaf-security-fix-automation.md | 29 ++ docs/src/scs/sbom.md | 4 +- docs/src/scs/scs.md | 1 + 5 files changed, 630 insertions(+), 3 deletions(-) create mode 100644 docs/src/img/ghaf-security-fix-automation.svg create mode 100644 docs/src/img/ghaf-security-fix-automation.uxf create mode 100644 docs/src/scs/ghaf-security-fix-automation.md diff --git a/docs/src/img/ghaf-security-fix-automation.svg b/docs/src/img/ghaf-security-fix-automation.svg new file mode 100644 index 000000000..2f36154cd --- /dev/null +++ b/docs/src/img/ghaf-security-fix-automation.svg 
@@ -0,0 +1,268 @@ + + +[Automated vulnerability analysis][Manual vulnerability analysis](5)(4)(3)(2)(1)Push a fix PR to nixpkgsInitiate Ghaf flakelock file update vuln_id | package | local | nixpkgs | upstream | classify -------------------------+------------+-------+-----------+--------------+---------------------------------------------+ CVE-2023-32570 | dav1d | 1.1.0 | 1.1.0 | 1.2.0 | fix_update_to_version_upstream CVE-2023-29383 | shadow | 4.13 | 4.13 | 4.13 | fix_not_available CVE-2022-48434 | ffmpeg | 4.4.3 | 6.0 | 6.0 | fix_update_to_version_nixpkgs ...ManualvulnerabilityanalysisManually analyze automatedvulnerability report(s) ondaily basisManually analyze eachvulnerabilityLocally update Ghafflake lock fileTriggerautomaticallyon daily basisAutomatedvulnerabilityanalysisrun nix_secupdates.pyfor each relevant Ghafbuild targets [if any new issues] [if any fixed issues] [no new issues] Daily auto triage report for each selected target diff --git a/docs/src/img/ghaf-security-fix-automation.uxf b/docs/src/img/ghaf-security-fix-automation.uxf new file mode 100644 index 000000000..62da4bee8 --- /dev/null +++ b/docs/src/img/ghaf-security-fix-automation.uxf 
@@ -0,0 +1,331 @@ + + + 10 + + UMLState + + 710 + 70 + 190 + 120 + + *Automated* +*vulnerability* +*analysis* +-- +run nix_secupdates.py +for each relevant Ghaf +build targets +valign=top + + + + + Relation + + 300 + 120 + 180 + 30 + + lt=-> + 10.0;10.0;160.0;10.0 + + + Text + + 320 + 60 + 120 + 70 + + Trigger automatically +on daily basis +style=wordwrap + + + + UMLState + + 460 + 100 + 180 + 70 + + Locally update Ghaf +flake lock file + + + + Relation + + 630 + 120 + 100 + 30 + + lt=-> + 10.0;10.0;80.0;10.0 + + + Relation + + 780 + 180 + 210 + 120 + + lt=.> + Daily auto triage report + for each selected target + 10.0;10.0;10.0;100.0 + + + Relation + + 600 + 400 + 30 + 90 + + lt=.> + 10.0;10.0;10.0;70.0 + + + UMLState + + 500 + 470 + 220 + 160 + + valign=top +*Manual* +*vulnerability* +*analysis* +-- +Manually analyze automated +vulnerability report(s) on +daily basis +- +Manually analyze each +vulnerability + + + + + + UMLSpecialState + + 590 + 670 + 40 + 40 + + type=decision + + + + UMLSpecialState + + 600 + 860 + 20 + 20 + + type=final + + + + Relation + + 600 + 620 + 30 + 70 + + lt=-> + 10.0;10.0;10.0;50.0 + + + Relation + + 600 + 700 + 140 + 180 + + lt=-> + [no new issues] + 10.0;10.0;10.0;160.0 + + + UMLNote + + 320 + 280 + 600 + 130 + + halign=left +lt=.. +fontsize=13 + + + vuln_id | package | local | nixpkgs | upstream | classify +-------------------------+------------+-------+-----------+--------------+---------------------------------------------+ + CVE-2023-32570 | dav1d | 1.1.0 | 1.1.0 | 1.2.0 | fix_update_to_version_upstream + CVE-2023-29383 | shadow | 4.13 | 4.13 | 4.13 | fix_not_available + CVE-2022-48434 | ffmpeg | 4.4.3 | 6.0 | 6.0 | fix_update_to_version_nixpkgs + ... 
+ + + + UMLState + + 290 + 730 + 180 + 70 + + Initiate Ghaf flake +lock file update + + + + Relation + + 370 + 670 + 240 + 80 + + lt=-> + [if any fixed issues] + 220.0;20.0;10.0;20.0;10.0;60.0 + + + UMLSpecialState + + 300 + 120 + 20 + 20 + + type=initial + + + + UMLState + + 760 + 730 + 180 + 70 + + Push a fix PR to nixpkgs + + + + Relation + + 620 + 670 + 260 + 80 + + lt=-> + [if any new issues] + 10.0;20.0;240.0;20.0;240.0;60.0 + + + Text + + 540 + 70 + 40 + 30 + + *(1)* +style=wordwrap + + + + Text + + 780 + 40 + 40 + 30 + + *(2)* +style=wordwrap + + + + Text + + 460 + 490 + 40 + 30 + + *(3)* +style=wordwrap + + + + Text + + 260 + 740 + 40 + 30 + + *(4)* +style=wordwrap + + + + Text + + 940 + 740 + 40 + 30 + + *(5)* +style=wordwrap + + + + UMLClass + + 230 + 440 + 800 + 460 + + halign=left +lt=.. +*[Manual vulnerability analysis]* + + + + + + UMLClass + + 230 + 10 + 800 + 430 + + halign=left +lt=.. +*[Automated vulnerability analysis]* + + + + + diff --git a/docs/src/scs/ghaf-security-fix-automation.md b/docs/src/scs/ghaf-security-fix-automation.md new file mode 100644 index 000000000..661e9d6b9 --- /dev/null +++ b/docs/src/scs/ghaf-security-fix-automation.md 
@@ -0,0 +1,29 @@ + + +# Ghaf Security Fix Automation + +This page outlines the process and tooling for Ghaf security fix automation. + +## Motivation + +Nix community is able to identify and fix security issues relatively quickly. However, the community process that ensures critical security fixes end-up included in nixpkgs is unclear or unspecified. Indeed, Ghaf should not solely rely on the community to provide security fixes, but take action to understand the vulnerabilities that impact Ghaf and take an active role in fixing such issues. + +## Semi-Automated Upstream-First Process + +The following image captures the high-level process we propose to identify and remediate the security vulnerabilities that impact Ghaf. +![Security Fix Automation](../img/ghaf-security-fix-automation.svg "Ghaf Security Fix Automation") + +We have divided the process to two parts - **automated** and **manual**: +- **Automated vulnerability analysis** is a scripted job, triggered on daily basis in Ghaf CI/CD and consists of the following actions:
+ **(1)** Locally (temporarily) update the Ghaf flake lock file. Temporary lockfile update is needed so the Ghaf dependencies are up-to-date with the nixpkgs input Ghaf is pinned to. Otherwise, the automated analysis results would also include vulnerabilities that have been fixed in nixpkgs upstream since the last Ghaf flake lock update.
+ **(2)** Run automated vulnerability analysis tooling for each relevant Ghaf build target. For Ghaf, being Nix-based, we propose to use [nix_secupdates](https://github.com/tiiuae/sbomnix/tree/main/scripts/nixupdate#nix_secupdates) for automated vulnerability analysis. As a result of this step, the tooling generates an auto triaged vulnerability report, which will be the main input for the manual analysis. For more details on the nix_secupdates, refer the [relevant documentation on nix_secupdates repository](https://github.com/tiiuae/sbomnix/tree/main/scripts/nixupdate#nix_secupdates).

+ +- **Manual vulnerability analysis** is a manual process, which is also executed on daily basis.
+ **(3)** Using the auto triaged vulnerability report from the previous step, manually analyze the automation results comparing the new results to earlier day's results from the relevant build.
+ **(4)** If there are any fixed issues compared to the last analyzed report, initiate the Ghaf flake lockfile update for relevant inputs to include the vulnerability fixes from nixpkgs upstream to relevant Ghaf branches.
+ **(5)** If there are any new vulnerabilities compared to the last analyzed report, manually analyze each vulnerability in detail. If the issue requires a fix, push a fix PR to relevant nixpkgs branches.
+ +The process described above is an upstream-first, with the main benefit of eliminating the need to maintain our own vulnerability fix patches on top of nixpgks in Ghaf. This process will also benefit the nixpkgs community, contributing to the overall security improvement for the packages Ghaf depends on. diff --git a/docs/src/scs/sbom.md b/docs/src/scs/sbom.md index 21cca6894..9b404bd3f 100644 --- a/docs/src/scs/sbom.md +++ b/docs/src/scs/sbom.md @@ -33,9 +33,7 @@ Ghaf framework will use SBOMs for: ## SBOM Tooling in Ghaf -Ghaf is based on Nix, therefore, the selected SBOM tooling needs to support creating SBOMs for nix artifacts. As part of the Ghaf project, we have created the sbomnix tool to support SBOM generation for Ghaf and, more generally, for any nix targets. For more details on the SBOM tooling in Ghaf, see [sbomnix](https://github.com/tiiuae/sbomnix#sbomnix) and [nixgraph](https://github.com/tiiuae/sbomnix/blob/main/doc/nixgraph.md#nixgraph). - -Initially, sbomnix will support [CycloneDX](https://cyclonedx.org/specification/overview/) SBOM specification, due to the availability of other open source tools that also support CycloneDX. Support for other SBOM formats to sbomnix might be added in later versions. +Ghaf is based on Nix, therefore, the selected SBOM tooling needs to support creating SBOMs for nix artifacts. As part of the Ghaf project, we have created the sbomnix tool to support SBOM generation for Ghaf and, more generally, for any nix targets. For more details on the SBOM tooling in Ghaf, see [sbomnix](https://github.com/tiiuae/sbomnix#sbomnix) and [nixgraph](https://github.com/tiiuae/sbomnix/blob/main/doc/nixgraph.md#nixgraph). sbomnix supports [CycloneDX](https://cyclonedx.org/specification/overview/) as well as [SPDX](https://spdx.dev/specifications/) SBOM specification. ## References diff --git a/docs/src/scs/scs.md b/docs/src/scs/scs.md index 55f34b83b..ff959319e 100644 --- a/docs/src/scs/scs.md +++ b/docs/src/scs/scs.md 
@@ -25,3 +25,4 @@ The software artifact, SBOM, and provenance are signed by the build machinery at - [SBOM](../scs/sbom.md) - [Public Key Infrastructure](../scs/pki.md) - [Patch Management Automation](../scs/patching-automation.md) +- [Ghaf Security Fix Automation](../scs/ghaf-security-fix-automation.md) \ No newline at end of file From 2b6446f86eb30dd73fecf54dc217017b9f896115 Mon Sep 17 00:00:00 2001 From: Henri Rosten Date: Mon, 7 Aug 2023 11:12:31 +0300 Subject: [PATCH 43/60] Docs: address security fix automation review comments Signed-off-by: Henri Rosten --- .../ghaf-security-fix-automation.drawio.svg | 4 + docs/src/img/ghaf-security-fix-automation.svg | 268 -------------- docs/src/img/ghaf-security-fix-automation.uxf | 331 ------------------ docs/src/scs/ghaf-security-fix-automation.md | 20 +- docs/src/scs/sbom.md | 2 +- docs/src/scs/scs.md | 1 - 6 files changed, 14 insertions(+), 612 deletions(-) create mode 100644 docs/src/img/ghaf-security-fix-automation.drawio.svg delete mode 100644 docs/src/img/ghaf-security-fix-automation.svg delete mode 100644 docs/src/img/ghaf-security-fix-automation.uxf diff --git a/docs/src/img/ghaf-security-fix-automation.drawio.svg b/docs/src/img/ghaf-security-fix-automation.drawio.svg new file mode 100644 index 000000000..3d26aa124 --- /dev/null +++ b/docs/src/img/ghaf-security-fix-automation.drawio.svg @@ -0,0 +1,4 @@ + + + +
Trigger
automatically 
on daily basis
Trigger...
(1)
(1)
Automated vulnerability analysis
Automated vulnerability analysis
run nix_secupdates.py for each
relevant Ghaf build targets
run nix_secupdates.py for each...
Locally update Ghaf flake lock file
Locally update Ghaf...
(2)
(2)
Daily auto triage report  for each selected target
Daily auto triage repor...
Manual vulnerability analysis
Manual vulnerability analysis
Manually analyze automate
dvulnerability report(s)
on daily basis
Manually analyze automate...
(3)
(3)
Manually analyze each vulnerability
Manually analyze each vulnerabi...
Initiate Ghaf flakelock file update
Initiate Ghaf flakel...
Push a fix PR to nixpkgs
Push a fix PR to nix...
(4)
(4)
(5)
(5)
If any new issues
If any new issues
If any fixed issues
If any fixed issues
No new issues
No new issues
Text is not SVG - cannot display
\ No newline at end of file diff --git a/docs/src/img/ghaf-security-fix-automation.svg b/docs/src/img/ghaf-security-fix-automation.svg deleted file mode 100644 index 2f36154cd..000000000 --- a/docs/src/img/ghaf-security-fix-automation.svg +++ /dev/null @@ -1,268 +0,0 @@ - - -[Automated vulnerability analysis][Manual vulnerability analysis](5)(4)(3)(2)(1)Push a fix PR to nixpkgsInitiate Ghaf flakelock file update vuln_id | package | local | nixpkgs | upstream | classify -------------------------+------------+-------+-----------+--------------+---------------------------------------------+ CVE-2023-32570 | dav1d | 1.1.0 | 1.1.0 | 1.2.0 | fix_update_to_version_upstream CVE-2023-29383 | shadow | 4.13 | 4.13 | 4.13 | fix_not_available CVE-2022-48434 | ffmpeg | 4.4.3 | 6.0 | 6.0 | fix_update_to_version_nixpkgs ...ManualvulnerabilityanalysisManually analyze automatedvulnerability report(s) ondaily basisManually analyze eachvulnerabilityLocally update Ghafflake lock fileTriggerautomaticallyon daily basisAutomatedvulnerabilityanalysisrun nix_secupdates.pyfor each relevant Ghafbuild targets [if any new issues] [if any fixed issues] [no new issues] Daily auto triage report for each selected target diff --git a/docs/src/img/ghaf-security-fix-automation.uxf b/docs/src/img/ghaf-security-fix-automation.uxf deleted file mode 100644 index 62da4bee8..000000000 --- a/docs/src/img/ghaf-security-fix-automation.uxf +++ /dev/null 
@@ -1,331 +0,0 @@ - - - 10 - - UMLState - - 710 - 70 - 190 - 120 - - *Automated* -*vulnerability* -*analysis* --- -run nix_secupdates.py -for each relevant Ghaf -build targets -valign=top - - - - - Relation - - 300 - 120 - 180 - 30 - - lt=-> - 10.0;10.0;160.0;10.0 - - - Text - - 320 - 60 - 120 - 70 - - Trigger automatically -on daily basis -style=wordwrap - - - - UMLState - - 460 - 100 - 180 - 70 - - Locally update Ghaf -flake lock file - - - - Relation - - 630 - 120 - 100 - 30 - - lt=-> - 10.0;10.0;80.0;10.0 - - - Relation - - 780 - 180 - 210 - 120 - - lt=.> - Daily auto triage report - for each selected target - 10.0;10.0;10.0;100.0 - - - Relation - - 600 - 400 - 30 - 90 - - lt=.> - 10.0;10.0;10.0;70.0 - - - UMLState - - 500 - 470 - 220 - 160 - - valign=top -*Manual* -*vulnerability* -*analysis* --- -Manually analyze automated -vulnerability report(s) on -daily basis -- -Manually analyze each -vulnerability - - - - - - UMLSpecialState - - 590 - 670 - 40 - 40 - - type=decision - - - - UMLSpecialState - - 600 - 860 - 20 - 20 - - type=final - - - - Relation - - 600 - 620 - 30 - 70 - - lt=-> - 10.0;10.0;10.0;50.0 - - - Relation - - 600 - 700 - 140 - 180 - - lt=-> - [no new issues] - 10.0;10.0;10.0;160.0 - - - UMLNote - - 320 - 280 - 600 - 130 - - halign=left -lt=.. -fontsize=13 - - - vuln_id | package | local | nixpkgs | upstream | classify --------------------------+------------+-------+-----------+--------------+---------------------------------------------+ - CVE-2023-32570 | dav1d | 1.1.0 | 1.1.0 | 1.2.0 | fix_update_to_version_upstream - CVE-2023-29383 | shadow | 4.13 | 4.13 | 4.13 | fix_not_available - CVE-2022-48434 | ffmpeg | 4.4.3 | 6.0 | 6.0 | fix_update_to_version_nixpkgs - ... 
- - - - UMLState - - 290 - 730 - 180 - 70 - - Initiate Ghaf flake -lock file update - - - - Relation - - 370 - 670 - 240 - 80 - - lt=-> - [if any fixed issues] - 220.0;20.0;10.0;20.0;10.0;60.0 - - - UMLSpecialState - - 300 - 120 - 20 - 20 - - type=initial - - - - UMLState - - 760 - 730 - 180 - 70 - - Push a fix PR to nixpkgs - - - - Relation - - 620 - 670 - 260 - 80 - - lt=-> - [if any new issues] - 10.0;20.0;240.0;20.0;240.0;60.0 - - - Text - - 540 - 70 - 40 - 30 - - *(1)* -style=wordwrap - - - - Text - - 780 - 40 - 40 - 30 - - *(2)* -style=wordwrap - - - - Text - - 460 - 490 - 40 - 30 - - *(3)* -style=wordwrap - - - - Text - - 260 - 740 - 40 - 30 - - *(4)* -style=wordwrap - - - - Text - - 940 - 740 - 40 - 30 - - *(5)* -style=wordwrap - - - - UMLClass - - 230 - 440 - 800 - 460 - - halign=left -lt=.. -*[Manual vulnerability analysis]* - - - - - - UMLClass - - 230 - 10 - 800 - 430 - - halign=left -lt=.. -*[Automated vulnerability analysis]* - - - - - diff --git a/docs/src/scs/ghaf-security-fix-automation.md b/docs/src/scs/ghaf-security-fix-automation.md index 661e9d6b9..b5dce03e4 100644 --- a/docs/src/scs/ghaf-security-fix-automation.md +++ b/docs/src/scs/ghaf-security-fix-automation.md 
@@ -7,23 +7,21 @@ This page outlines the process and tooling for Ghaf security fix automation. -## Motivation - -Nix community is able to identify and fix security issues relatively quickly. However, the community process that ensures critical security fixes end-up included in nixpkgs is unclear or unspecified. Indeed, Ghaf should not solely rely on the community to provide security fixes, but take action to understand the vulnerabilities that impact Ghaf and take an active role in fixing such issues. +The Nix community is able to identify and fix security issues relatively quickly. At the same time, the community process to ensure critical security fixes are included in nixpkgs is unclear or unspecified. Indeed, Ghaf should not solely rely on the community to provide security fixes but take action to understand the vulnerabilities that impact Ghaf and take an active role in fixing such issues. ## Semi-Automated Upstream-First Process The following image captures the high-level process we propose to identify and remediate the security vulnerabilities that impact Ghaf. -![Security Fix Automation](../img/ghaf-security-fix-automation.svg "Ghaf Security Fix Automation") +![Security Fix Automation](../img/ghaf-security-fix-automation.drawio.svg "Ghaf Security Fix Automation") -We have divided the process to two parts - **automated** and **manual**: -- **Automated vulnerability analysis** is a scripted job, triggered on daily basis in Ghaf CI/CD and consists of the following actions:
- **(1)** Locally (temporarily) update the Ghaf flake lock file. Temporary lockfile update is needed so the Ghaf dependencies are up-to-date with the nixpkgs input Ghaf is pinned to. Otherwise, the automated analysis results would also include vulnerabilities that have been fixed in nixpkgs upstream since the last Ghaf flake lock update.
- **(2)** Run automated vulnerability analysis tooling for each relevant Ghaf build target. For Ghaf, being Nix-based, we propose to use [nix_secupdates](https://github.com/tiiuae/sbomnix/tree/main/scripts/nixupdate#nix_secupdates) for automated vulnerability analysis. As a result of this step, the tooling generates an auto triaged vulnerability report, which will be the main input for the manual analysis. For more details on the nix_secupdates, refer the [relevant documentation on nix_secupdates repository](https://github.com/tiiuae/sbomnix/tree/main/scripts/nixupdate#nix_secupdates).

+The process consists of two parts - **automated** and **manual**: +- **Automated vulnerability analysis** is a scripted job triggered on a daily basis in Ghaf CI/CD. It consists of the following actions:
+ **(1)** Locally (temporarily) update the Ghaf flake lock file. Temporary lock file update is needed so the Ghaf dependencies are up-to-date with the nixpkgs input Ghaf is pinned to. Otherwise, the automated analysis results would also include vulnerabilities that have been fixed in nixpkgs upstream since the last Ghaf flake lock update.
+ **(2)** Run automated vulnerability analysis tooling for each relevant Ghaf build target. For Ghaf, being Nix-based, we propose to use [nix_secupdates](https://github.com/tiiuae/sbomnix/tree/main/scripts/nixupdate#nix_secupdates) for automated vulnerability analysis. As a result of this step, the tooling generates an auto-triaged vulnerability report, which will be the main input for the manual analysis.

- **Manual vulnerability analysis** is a manual process, which is also executed on daily basis.
- **(3)** Using the auto triaged vulnerability report from the previous step, manually analyze the automation results comparing the new results to earlier day's results from the relevant build.
- **(4)** If there are any fixed issues compared to the last analyzed report, initiate the Ghaf flake lockfile update for relevant inputs to include the vulnerability fixes from nixpkgs upstream to relevant Ghaf branches.
- **(5)** If there are any new vulnerabilities compared to the last analyzed report, manually analyze each vulnerability in detail. If the issue requires a fix, push a fix PR to relevant nixpkgs branches.
+ **(3)** Using the auto-triaged vulnerability report from the previous step, manually analyze the automation results comparing the new results to earlier day's results from the relevant build.
+ **(4)** If there are any fixed issues compared to the last analyzed report, initiate the Ghaf flake lock file update for relevant inputs to include the vulnerability fixes from the nixpkgs upstream to relevant Ghaf branches.
+ **(5)** If there are any new vulnerabilities compared to the last analyzed report, manually analyze each vulnerability in detail. If the issue requires a fix, create a pull request to push the changes to relevant nixpkgs branches.
The process described above is an upstream-first, with the main benefit of eliminating the need to maintain our own vulnerability fix patches on top of nixpgks in Ghaf. This process will also benefit the nixpkgs community, contributing to the overall security improvement for the packages Ghaf depends on. diff --git a/docs/src/scs/sbom.md b/docs/src/scs/sbom.md index 9b404bd3f..525e58e44 100644 --- a/docs/src/scs/sbom.md +++ b/docs/src/scs/sbom.md @@ -33,7 +33,7 @@ Ghaf framework will use SBOMs for: ## SBOM Tooling in Ghaf -Ghaf is based on Nix, therefore, the selected SBOM tooling needs to support creating SBOMs for nix artifacts. As part of the Ghaf project, we have created the sbomnix tool to support SBOM generation for Ghaf and, more generally, for any nix targets. For more details on the SBOM tooling in Ghaf, see [sbomnix](https://github.com/tiiuae/sbomnix#sbomnix) and [nixgraph](https://github.com/tiiuae/sbomnix/blob/main/doc/nixgraph.md#nixgraph). sbomnix supports [CycloneDX](https://cyclonedx.org/specification/overview/) as well as [SPDX](https://spdx.dev/specifications/) SBOM specification. +Ghaf is based on Nix, therefore, the selected SBOM tooling needs to support creating SBOMs for nix artifacts. As part of the Ghaf project, we have created the sbomnix tool to support SBOM generation for Ghaf and, more generally, for any Nix-based targets. For more details on the SBOM tooling in Ghaf, see [sbomnix](https://github.com/tiiuae/sbomnix#sbomnix) and [nixgraph](https://github.com/tiiuae/sbomnix/blob/main/doc/nixgraph.md#nixgraph). sbomnix supports [CycloneDX](https://cyclonedx.org/specification/overview/) as well as [SPDX](https://spdx.dev/specifications/) SBOM specification. ## References diff --git a/docs/src/scs/scs.md b/docs/src/scs/scs.md index ff959319e..8e40c447b 100644 --- a/docs/src/scs/scs.md +++ b/docs/src/scs/scs.md 
@@ -24,5 +24,4 @@ The software artifact, SBOM, and provenance are signed by the build machinery at - [Basic Security Measures](../scs/basics.md) - [SBOM](../scs/sbom.md) - [Public Key Infrastructure](../scs/pki.md) -- [Patch Management Automation](../scs/patching-automation.md) - [Ghaf Security Fix Automation](../scs/ghaf-security-fix-automation.md) \ No newline at end of file From 31d28c93e22f71954f91559c2056a67539e7620c Mon Sep 17 00:00:00 2001 From: Jenni Nikolaenko Date: Tue, 22 Aug 2023 11:48:20 +0300 Subject: [PATCH 44/60] Docs: proofreading Signed-off-by: Jenni Nikolaenko --- docs/src/SUMMARY.md | 4 +- docs/src/img/usage_overview.drawio | 127 ------------------- docs/src/scenarios/run_win_vm.md | 2 +- docs/src/scenarios/showcases.md | 13 ++ docs/src/scs/ghaf-security-fix-automation.md | 31 +++-- docs/src/scs/scs.md | 2 +- 6 files changed, 36 insertions(+), 143 deletions(-) delete mode 100644 docs/src/img/usage_overview.drawio create mode 100644 docs/src/scenarios/showcases.md diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index 488de19ba..8a14d9427 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -42,12 +42,12 @@ - [Basic Security Measures](scs/basics.md) - [Software Bill of Materials](scs/sbom.md) - [Public Key Infrastructure](scs/pki.md) - - [Patch Management Automation](scs/patching-automation.md) + - [Security Fix Automation](scs/ghaf-security-fix-automation.md) - [Release Notes]() # Ghaf Usage Scenarios -- [Showcases]() +- [Showcases](scenarios/showcases.md) - [Running Windows VM on Ghaf](scenarios/run_win_vm.md) - [Running Cuttlefish on Ghaf](scenarios/run_cuttlefish.md) - [Build Your Environment]() diff --git a/docs/src/img/usage_overview.drawio b/docs/src/img/usage_overview.drawio deleted file mode 100644 index e6c06eb05..000000000 --- a/docs/src/img/usage_overview.drawio +++ /dev/null 
@@ -1,127 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/src/scenarios/run_win_vm.md b/docs/src/scenarios/run_win_vm.md index e66a6d21f..80e9c9eeb 100644 --- a/docs/src/scenarios/run_win_vm.md +++ b/docs/src/scenarios/run_win_vm.md @@ -46,7 +46,7 @@ On x86_64 device Windows 11 VM can be launched with either an ISO image or QCOW2 * For an ISO image, the script creates an empty QCOW2 image in the same directory which is used as a system disk in the VM. * After installing Windows 11, run the script for the QCOW2 image. -Do the folowwing: +Do the folowing: 1. In the Weston terminal, go to the directory with the Windows 11 image and run the VM without sudo and as a non-root user using the following Ghaf script: diff --git a/docs/src/scenarios/showcases.md b/docs/src/scenarios/showcases.md new file mode 100644 index 000000000..21d7f7c5b --- /dev/null +++ b/docs/src/scenarios/showcases.md @@ -0,0 +1,13 @@ + + +# Showcases + +The Ghaf Platform can be used in various different environments, configurations, and hardware to serve several purposes. Ghaf is not a fully-fledged product but a module that can serve as a centerpiece to enable secure edge systems. + +## In This Chapter + +- [Running Windows VM on Ghaf](scenarios/run_win_vm.md) +- [Running Cuttlefish on Ghaf](scenarios/run_cuttlefish.md) \ No newline at end of file diff --git a/docs/src/scs/ghaf-security-fix-automation.md b/docs/src/scs/ghaf-security-fix-automation.md index b5dce03e4..9e2bbe70a 100644 --- a/docs/src/scs/ghaf-security-fix-automation.md +++ b/docs/src/scs/ghaf-security-fix-automation.md 
@@ -3,25 +3,32 @@ SPDX-License-Identifier: CC-BY-SA-4.0 --> -# Ghaf Security Fix Automation +# Security Fix Automation -This page outlines the process and tooling for Ghaf security fix automation. +The Nix community is able to identify and fix security issues relatively quickly. At the same time, the community process to ensure critical security fixes are included in nixpkgs is unclear or unspecified. -The Nix community is able to identify and fix security issues relatively quickly. At the same time, the community process to ensure critical security fixes are included in nixpkgs is unclear or unspecified. Indeed, Ghaf should not solely rely on the community to provide security fixes but take action to understand the vulnerabilities that impact Ghaf and take an active role in fixing such issues. +Indeed, Ghaf should not solely rely on the community to provide security fixes but take action to understand the vulnerabilities that impact Ghaf and take an active role in fixing such issues. ## Semi-Automated Upstream-First Process -The following image captures the high-level process we propose to identify and remediate the security vulnerabilities that impact Ghaf. +The following image captures the high-level process we propose to identify and remediate the security vulnerabilities that impact Ghaf: + ![Security Fix Automation](../img/ghaf-security-fix-automation.drawio.svg "Ghaf Security Fix Automation") The process consists of two parts - **automated** and **manual**: -- **Automated vulnerability analysis** is a scripted job triggered on a daily basis in Ghaf CI/CD. It consists of the following actions:
- **(1)** Locally (temporarily) update the Ghaf flake lock file. Temporary lock file update is needed so the Ghaf dependencies are up-to-date with the nixpkgs input Ghaf is pinned to. Otherwise, the automated analysis results would also include vulnerabilities that have been fixed in nixpkgs upstream since the last Ghaf flake lock update.
- **(2)** Run automated vulnerability analysis tooling for each relevant Ghaf build target. For Ghaf, being Nix-based, we propose to use [nix_secupdates](https://github.com/tiiuae/sbomnix/tree/main/scripts/nixupdate#nix_secupdates) for automated vulnerability analysis. As a result of this step, the tooling generates an auto-triaged vulnerability report, which will be the main input for the manual analysis.

- -- **Manual vulnerability analysis** is a manual process, which is also executed on daily basis.
- **(3)** Using the auto-triaged vulnerability report from the previous step, manually analyze the automation results comparing the new results to earlier day's results from the relevant build.
- **(4)** If there are any fixed issues compared to the last analyzed report, initiate the Ghaf flake lock file update for relevant inputs to include the vulnerability fixes from the nixpkgs upstream to relevant Ghaf branches.
- **(5)** If there are any new vulnerabilities compared to the last analyzed report, manually analyze each vulnerability in detail. If the issue requires a fix, create a pull request to push the changes to relevant nixpkgs branches.
+ +- **Automated vulnerability analysis** is a scripted job triggered on a daily basis in Ghaf CI/CD. It consists of the following actions: + + **(1)** Locally (temporarily) update the Ghaf flake lock file. Temporary lock file update is needed so the Ghaf dependencies are up-to-date with the nixpkgs input Ghaf is pinned to. Otherwise, the automated analysis results would also include vulnerabilities that have been fixed in nixpkgs upstream since the last Ghaf flake lock update. + + **(2)** Run automated vulnerability analysis tooling for each relevant Ghaf build target. For Ghaf, being Nix-based, we propose to use [nix_secupdates](https://github.com/tiiuae/sbomnix/tree/main/scripts/nixupdate#nix_secupdates) for automated vulnerability analysis. As a result of this step, the tooling generates an auto-triaged vulnerability report, which will be the main input for the manual analysis. + +- **Manual vulnerability analysis** is a manual process, which is also executed on daily basis. + + **(3)** Using the auto-triaged vulnerability report from the previous step, manually analyze the automation results comparing the new results to earlier day's results from the relevant build. + + **(4)** If there are any fixed issues compared to the last analyzed report, initiate the Ghaf flake lock file update for relevant inputs to include the vulnerability fixes from the nixpkgs upstream to relevant Ghaf branches. + + **(5)** If there are any new vulnerabilities compared to the last analyzed report, manually analyze each vulnerability in detail. If the issue requires a fix, create a pull request to push the changes to relevant nixpkgs branches. The process described above is an upstream-first, with the main benefit of eliminating the need to maintain our own vulnerability fix patches on top of nixpgks in Ghaf. This process will also benefit the nixpkgs community, contributing to the overall security improvement for the packages Ghaf depends on. 
diff --git a/docs/src/scs/scs.md b/docs/src/scs/scs.md index 8e40c447b..e37b846ae 100644 --- a/docs/src/scs/scs.md +++ b/docs/src/scs/scs.md @@ -24,4 +24,4 @@ The software artifact, SBOM, and provenance are signed by the build machinery at - [Basic Security Measures](../scs/basics.md) - [SBOM](../scs/sbom.md) - [Public Key Infrastructure](../scs/pki.md) -- [Ghaf Security Fix Automation](../scs/ghaf-security-fix-automation.md) \ No newline at end of file +- [Security Fix Automation](../scs/ghaf-security-fix-automation.md) \ No newline at end of file From 5da21a068dcc977cc5b8d86ec3438344ac58eacb Mon Sep 17 00:00:00 2001 From: Mika Nokka Date: Wed, 23 Aug 2023 13:41:37 +0300 Subject: [PATCH 45/60] Random readme change --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 1cbd4f4d0..48048e573 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,8 @@ SPDX-License-Identifier: CC-BY-SA-4.0 --> +Change by mnokka-unikie + # TII SSRC Secure Technologies: Ghaf Framework [![License: Apache-2.0](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0) [![License: CC-BY-SA 4.0](https://img.shields.io/badge/License-CC--BY--SA--4.0-lightgrey.svg)](https://creativecommons.org/licenses/by-sa/4.0/legalcode) [![Style Guide](https://img.shields.io/badge/docs-Style%20Guide-blueviolet)](https://github.com/tiiuae/ghaf/blob/main/docs/style_guide.md) From 35473952ba15195617ab486cb1412c4b8bc85692 Mon Sep 17 00:00:00 2001 From: Mika Nokka Date: Wed, 23 Aug 2023 15:19:25 +0300 Subject: [PATCH 46/60] Yet another change --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 48048e573..7a344c1bd 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,8 @@ SPDX-License-Identifier: CC-BY-SA-4.0 --> +Another change for existing PR + Change by mnokka-unikie # TII SSRC Secure Technologies: Ghaf Framework From 3e3142ec3d6eae2dc1b8ed1f921d9a23212236fd Mon Sep 17 00:00:00 2001 
From: "Alexander V. Nikolaev" Date: Wed, 23 Aug 2023 14:46:33 +0300 Subject: [PATCH 47/60] Fix cross-building of element-desktop Overlay for build seshat, and disable building of keytar Signed-off-by: Alexander V. Nikolaev --- overlays/cross-compilation.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/overlays/cross-compilation.nix b/overlays/cross-compilation.nix index 6841d35c4..9cb6a32c3 100644 --- a/overlays/cross-compilation.nix +++ b/overlays/cross-compilation.nix @@ -5,6 +5,25 @@ # {...}: { nixpkgs.overlays = [ + # Overlay for element-desktop based on https://github.com/NixOS/nixpkgs/pull/241710 + (final: prev: { + element-desktop = + (prev.element-desktop.override { + # Disable keytar, it breaks cross-build. Saving passwords would be not available. + useKeytar = false; + }) + .overrideAttrs (oldED: { + seshat = oldED.seshat.overrideAttrs (oldSeshat: { + buildPhase = + builtins.replaceStrings + # Add extra cargo options required for cross-compilation + ["build --release"] + ["build --release -- --target ${prev.rust.toRustTargetSpec prev.stdenv.hostPlatform} -Z unstable-options --out-dir target/release"] + # Replace target 'fixup_yarn_lock' with build one + (builtins.replaceStrings ["${prev.fixup_yarn_lock}"] ["${prev.buildPackages.fixup_yarn_lock}"] oldSeshat.buildPhase); + }); + }); + }) (final: prev: let crossCompiling = prev.stdenv.buildPlatform != prev.stdenv.hostPlatform; filterOutByName = name: builtins.filter (x: (builtins.baseNameOf x) != name); From 0992662db3f82bba9986230e005f7f19dd19eeb0 Mon Sep 17 00:00:00 2001 From: Jenni Nikolaenko Date: Tue, 29 Aug 2023 15:58:00 +0300 Subject: [PATCH 48/60] Docs: add release notes information 
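Review bot: The `builtins.replaceStrings` rewrites of `oldSeshat.buildPhase` in the new seshat override are silent no-ops when the needle is absent, so if upstream later changes the seshat build phase (different cargo invocation, or the `fixup_yarn_lock` reference) the cross-target flags and the build-platform `fixup_yarn_lock` would quietly be dropped instead of failing; an `assert prev.lib.hasInfix "build --release" oldSeshat.buildPhase;` ahead of the override would surface that at eval time. The `-Z unstable-options` added for `--out-dir` is a nightly-only cargo flag and presumably works only because the seshat derivation already sets `RUSTC_BOOTSTRAP` or uses a nightly toolchain — that dependency is not visible here and deserves a comment such as `# -Z unstable-options needs RUSTC_BOOTSTRAP=1 or nightly cargo; relies on the seshat derivation's setup (confirm)`. The `useKeytar = false` comment understates the security-relevant consequence: as far as I know keytar is how element-desktop reaches the OS keyring for its secrets, so without it they are either unavailable or kept in a weaker on-disk fallback, which matters for a platform whose point is isolation; suggest `# Disable keytar: breaks cross-build. Element then cannot use the OS keyring, so saved passwords/secrets are unavailable or stored less securely — confirm element-desktop's fallback.` The enclosing `nixpkgs.overlays` list continues outside the hunk.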
Signed-off-by: Jenni Nikolaenko --- docs/src/SUMMARY.md | 2 +- docs/src/release_notes/ghaf-23.05.md | 45 +++++++++++++++++++++++ docs/src/release_notes/ghaf-23.06.md | 47 +++++++++++++++++++++++++ docs/src/release_notes/release_notes.md | 18 ++++++++++ 4 files changed, 111 insertions(+), 1 deletion(-) create mode 100644 docs/src/release_notes/ghaf-23.05.md create mode 100644 docs/src/release_notes/ghaf-23.06.md create mode 100644 docs/src/release_notes/release_notes.md diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index 8a14d9427..394043d27 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -43,7 +43,7 @@ - [Software Bill of Materials](scs/sbom.md) - [Public Key Infrastructure](scs/pki.md) - [Security Fix Automation](scs/ghaf-security-fix-automation.md) -- [Release Notes]() +- [Release Notes](release_notes/release_notes.md) # Ghaf Usage Scenarios diff --git a/docs/src/release_notes/ghaf-23.05.md b/docs/src/release_notes/ghaf-23.05.md new file mode 100644 index 000000000..746e3473e --- /dev/null +++ b/docs/src/release_notes/ghaf-23.05.md 
@@ -0,0 +1,45 @@ + + +# Release ghaf-23.05 + + +## Release Branch + + + +## Supported Hardware + +The following target hardware is supported by this release: + +* NXP i.MX 8QM-MEK +* NVIDIA Jetson AGX Orin +* Generic x86 (PC) + + +## What is New in ghaf-23.05 + +This is the first release of Ghaf including support for: + +* the Wayland display server protocol (on the host) +* the graphical interface with Weston Window Manager (on the host) +* the Chromium browser (on the host) +* Element, a Matrix-based chat client (on the host) +* the Google Android look-alike (GALA) application + +> Ghaf Framework is under active development, some of the features may not be stable. + + +## Known Issues and Limitations + +* Build time is used as the current time on NVIDIA Jetson AGX Orin. + * Prevents logging into GALA and Element applications. +* Personal security keys cannot be created: + * Prevents running Android in the Cloud. + * Workaround: use another device to create security keys. +* NVIDIA Jetson AGX Orin: сannot open windows-launcher using a shortcut or a command line. +* No audio in a USB headset. +* Cannot log in to the Element chat with a Google account. + * Workaround: create a separate user account for Element. \ No newline at end of file diff --git a/docs/src/release_notes/ghaf-23.06.md b/docs/src/release_notes/ghaf-23.06.md new file mode 100644 index 000000000..73b487532 --- /dev/null +++ b/docs/src/release_notes/ghaf-23.06.md 
@@ -0,0 +1,47 @@ + + +# Release ghaf-23.06 + + +## Release Branch + + + +## Supported Hardware + +The following target hardware is supported by this release: + +* NXP i.MX 8QM-MEK +* NVIDIA Jetson AGX Orin +* Generic x86 (PC) + + +## What is New in ghaf-23.06 + +* Ghaf Modularization (partially done): + * general description and context on how to use: [Ghaf-Based Project](../ref_impl/ghaf-based-project.md) + * the development status: +* SLSA v1.0 level provenance file included. +* Ghaf version information (query). +* NixOS is updated to 23.05: [NixOS 23.05 released!](https://discourse.nixos.org/t/nixos-23-05-released/28649) + + +## Bug Fixes + +Build time is used as the current time on NVIDIA Jetson AGX Orin. + + +## Known Issues and Limitations + +* Known since ghaf-23.05: + * Personal security keys cannot be created. + * NVIDIA Jetson AGX Orin: сannot open windows-launcher using a shortcut or a command line. + * No audio in a USB headset. + * Cannot log in to the Element chat with a Google account + * Workaround for x86: create a separate user account for Element. +* Element cannot be opened on NVIDIA Jetson AGX Orin. +* Cannot move the GALA/Element window by dragging with the mouse. +* No windows-launcher in the x86 build. \ No newline at end of file diff --git a/docs/src/release_notes/release_notes.md b/docs/src/release_notes/release_notes.md new file mode 100644 index 000000000..528827d4a --- /dev/null +++ b/docs/src/release_notes/release_notes.md 
@@ -0,0 +1,18 @@ + + +# Ghaf Release Notes + +The Ghaf Platform can be used in various different environments, configurations, and hardware to serve several purposes. Ghaf is not a fully-fledged product but a module that can serve as a centerpiece to enable secure edge systems. + +Ghaf is released 4 times per year at the end of each quarter. Additional releases may be made as per request. + +Release numbering scheme: *ghaf-yy.mm*. + + +## In This Chapter + +- [Release ghaf-23.05](../release_notes/ghaf-23.05.md) +- [Release ghaf-23.06](../release_notes/ghaf-23.06.md) \ No newline at end of file From 890ce08ea7d7f4f1771c5ead446f575f80958549 Mon Sep 17 00:00:00 2001 From: Ivan Nikolaenko Date: Mon, 14 Aug 2023 16:08:17 +0300 Subject: [PATCH 49/60] Compartmentalize GPU and graphic apps into VMs This commit introduces several new entities such as GPU VM and Application VMs. To use those, you need to properly set up devices passthroug first. Refer to the project documentation on how to achieve that. Lenovo X1 Carbon Gen11 is introduced as a new target and the reference device for implementing compartmentalization. It is still possible to build standard "mainline" ghaf with weston and demo apps working on host. * User apps are now added into the scope of nixpkgs; * minimal.nix module is disabled since it introduced some weird metadata changes. Co-authored-by: Berk Arslan Co-authored-by: Mika Tammi Co-authored-by: Nikita Bazulin Co-authored-by: Vadim Likholetov Co-authored-by: Valentin Kharin Co-authored-by: Yuriy Nesterov 
Signed-off-by: Ivan Nikolaenko --- modules/graphics/weston.ini.nix | 5 +- modules/graphics/weston.nix | 8 +- modules/host/default.nix | 5 +- modules/virtualization/microvm/appvm.nix | 176 +++++++++++++++++++++ modules/virtualization/microvm/guivm.nix | 128 +++++++++++++++ overlays/custom-packages.nix | 2 + targets/default.nix | 1 + targets/lenovo-x1-carbon.nix | 191 +++++++++++++++++++++++ user-apps/waypipe-ssh/default.nix | 39 +++++ 9 files changed, 550 insertions(+), 5 deletions(-) create mode 100644 modules/virtualization/microvm/appvm.nix create mode 100644 modules/virtualization/microvm/guivm.nix create mode 100644 targets/lenovo-x1-carbon.nix create mode 100644 user-apps/waypipe-ssh/default.nix diff --git a/modules/graphics/weston.ini.nix b/modules/graphics/weston.ini.nix index 256b0d6fc..fb6dc3581 100644 --- a/modules/graphics/weston.ini.nix +++ b/modules/graphics/weston.ini.nix @@ -25,7 +25,6 @@ */ mkLaunchers = lib.concatMapStrings mkLauncher; - gala-app = pkgs.callPackage ../../user-apps/gala {}; defaultLauncher = [ # Keep weston-terminal launcher always enabled explicitly since if someone adds # a launcher on the panel, the launcher will replace weston-terminal launcher. @@ -47,8 +46,8 @@ } { - path = "${gala-app}/bin/gala --enable-features=UseOzonePlatform --ozone-platform=wayland"; - icon = "${gala-app}/gala/resources/icon-24x24.png"; + path = "${pkgs.gala-app}/bin/gala --enable-features=UseOzonePlatform --ozone-platform=wayland"; + icon = "${pkgs.gala-app}/gala/resources/icon-24x24.png"; } { diff --git a/modules/graphics/weston.nix b/modules/graphics/weston.nix index 9ed6f770e..0355487b0 100644 --- a/modules/graphics/weston.nix +++ b/modules/graphics/weston.nix 
@@ -64,6 +64,10 @@ in {
 StandardOutput = "journal";
 StandardError = "journal";
 ExecStart = "${pkgs.weston}/bin/weston";
+ #GPU pt needs some time to start - weston fails to restart 3 times in avg.
+ ExecStartPre = "${pkgs.coreutils}/bin/sleep 3";
+ Restart = "on-failure";
+ RestartSec = "1";
 # Ivan N: I do not know if this is bug or feature of NixOS, but
 # when I add weston.ini file to environment.etc, the file ends up in
 # /etc/xdg directory on the filesystem, while NixOS uses
@@ -71,7 +75,9 @@ in {
 # searching for weston.ini even if /etc/xdg is already in XDG_CONFIG_DIRS
 # The solution is to add /etc/xdg one more time for weston service.
 # It does not affect on system-wide XDG_CONFIG_DIRS variable.
- Environment = "XDG_CONFIG_DIRS=$XDG_CONFIG_DIRS:/etc/xdg";
+ #
+ # Ivan N: adding openssh into the PATH since it is needed for waypipe to work
+ Environment = "XDG_CONFIG_DIRS=$XDG_CONFIG_DIRS:/etc/xdg PATH=${pkgs.openssh}/bin:$PATH";
 };
 wantedBy = ["default.target"];
 };
diff --git a/modules/host/default.nix b/modules/host/default.nix
index 862db7308..eee9239bd 100644
--- a/modules/host/default.nix
+++ b/modules/host/default.nix
@@ -9,7 +9,10 @@
 imports = [
 # TODO remove this when the minimal config is defined
 # Replace with the baseModules definition
- (modulesPath + "/profiles/minimal.nix")
+ # UPDATE 26.07.2023:
+ # This line breaks build of GUIVM. No investigations of a
+ # root cause are done so far.
+ #(modulesPath + "/profiles/minimal.nix")
 ../../overlays/custom-packages.nix
diff --git a/modules/virtualization/microvm/appvm.nix b/modules/virtualization/microvm/appvm.nix
new file mode 100644
index 000000000..ccf71c657
--- /dev/null
+++ b/modules/virtualization/microvm/appvm.nix
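Review bot: `ExecStartPre = sleep 3` is a timing guess rather than a dependency on the passed-through GPU, and once `Restart = "on-failure"` with `RestartSec = "1"` is in place, a GPU that takes longer than the comment's "3 times in avg" will trip systemd's default start-rate limit and leave the VM with no compositor at all. If the sleep stays, the unit should at least not be rate-limited, e.g. `unitConfig.StartLimitIntervalSec = 0;` next to `serviceConfig`, and the comment should say what is being waited for so a proper `After=` on the DRM device unit can replace the sleep later. The `systemd.services.weston` definition this hunk edits starts before the hunk.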
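Review bot: `PATH=${pkgs.openssh}/bin:$PATH` inside `Environment=` is, to my knowledge, not expanded by systemd (only `%` specifiers are), so the service's PATH becomes the openssh bin directory followed by the literal entry `$PATH`, and anything weston or waypipe execs by bare name other than `ssh` is no longer found; the pre-existing `$XDG_CONFIG_DIRS` very likely has the same problem, which would explain why the `/etc/xdg` workaround above was needed. The NixOS idiom is `systemd.services.weston.path = [pkgs.openssh];`, which prepends the package to a PATH that still contains the default service packages instead of replacing it with a hand-written string. The `systemd.services.weston` definition this hunk edits starts before the hunk.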
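Review bot: Commenting out `profiles/minimal.nix` drops the whole profile for every host build (documentation, default packages, `noXlibs`, …), which widens the host TCB that the minimal-host work is trying to shrink, and the in-code comment records no issue to track the GUIVM breakage. The profile setting most likely to conflict with a graphics-enabled GUIVM is its `environment.noXlibs = mkDefault true`, which could be overridden with `environment.noXlibs = false;` where graphics are enabled instead of removing the import; that is an inference from the profile's contents, not from this hunk, so it should be confirmed. If the import really has to go, keep the other minimal settings explicitly (`documentation.enable = false;`, `environment.defaultPackages = [];`) so the host does not silently regain them. The `imports` list continues past the hunk.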
@@ -0,0 +1,176 @@ +# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + pkgs, + ... +}: let + configHost = config; + cfg = config.ghaf.virtualization.microvm.appvm; + waypipe-ssh = pkgs.callPackage ../../../user-apps/waypipe-ssh {}; + + makeVm = {vm}: let + hostname = "vm-" + vm.name; + appvmConfiguration = { + imports = [ + ({ + lib, + config, + ... + }: { + ghaf = { + users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; + profiles.graphics.enable = true; + + development = { + # NOTE: SSH port also becomes accessible on the network interface + # that has been passed through to NetVM + ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; + }; + }; + + users.users.${configHost.ghaf.users.accounts.user}.openssh.authorizedKeys.keyFiles = ["${waypipe-ssh}/keys/waypipe-ssh.pub"]; + + networking.hostName = hostname; + system.stateVersion = lib.trivial.release; + + nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; + nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; + + networking = { + enableIPv6 = false; + interfaces.ethint0.useDHCP = false; + firewall.allowedTCPPorts = [22]; + firewall.allowedUDPPorts = [67]; + useNetworkd = true; + }; + + environment.systemPackages = [ + pkgs.waypipe + ]; + + microvm = { + mem = vm.ramMb; + vcpu = vm.cores; + hypervisor = "qemu"; + qemu.bios.enable = true; + storeDiskType = "squashfs"; + interfaces = [ + { + type = "tap"; + id = hostname; + mac = vm.macAddress; + } + ]; + }; + + networking.nat = { + enable = true; + internalInterfaces = ["ethint0"]; + }; + + # Set internal network's interface name to ethint0 + systemd.network.links."10-ethint0" = { + matchConfig.PermanentMACAddress = vm.macAddress; + linkConfig.Name = "ethint0"; + }; + + systemd.network = { + enable = true; + 
networks."10-ethint0" = { + matchConfig.MACAddress = vm.macAddress; + addresses = [ + { + # IP-address for debugging subnet + addressConfig.Address = vm.ipAddress; + } + ]; + routes = [ + {routeConfig.Gateway = "192.168.101.1";} + ]; + linkConfig.RequiredForOnline = "routable"; + linkConfig.ActivationPolicy = "always-up"; + }; + }; + + imports = import ../../module-list.nix; + }) + ]; + }; + in { + autostart = true; + config = appvmConfiguration // {imports = appvmConfiguration.imports ++ cfg.extraModules ++ [{environment.systemPackages = vm.packages;}];}; + specialArgs = {inherit lib;}; + }; +in { + options.ghaf.virtualization.microvm.appvm = with lib; { + enable = lib.mkEnableOption "appvm"; + vms = with types; + mkOption { + description = '' + List of AppVMs to be created + ''; + type = lib.types.listOf (submodule { + options = { + name = mkOption { + description = '' + Name of the AppVM + ''; + type = str; + }; + packages = mkOption { + description = '' + Packages that are included into the AppVM + ''; + type = types.listOf package; + default = []; + }; + ipAddress = mkOption { + description = '' + AppVM's IP address in the inter-vm network + ''; + type = str; + }; + macAddress = mkOption { + description = '' + AppVM's network interface MAC address + ''; + type = str; + }; + ramMb = mkOption { + description = '' + Amount of RAM for this AppVM + ''; + type = int; + }; + cores = mkOption { + description = '' + Amount of processor cores for this AppVM + ''; + type = int; + }; + }; + }); + default = []; + }; + + extraModules = mkOption { + description = '' + List of additional modules to be imported and evaluated as part of + appvm's NixOS configuration. + ''; + default = []; + }; + }; + + config = lib.mkIf cfg.enable { + microvm.vms = ( + let + vms = map (vm: {"appvm-${vm.name}" = makeVm {inherit vm;};}) cfg.vms; + in + lib.foldr lib.recursiveUpdate {} vms + ); + }; +} 
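Review bot: Every AppVM accepts SSH from anything on the inter-VM subnet (`firewall.allowedTCPPorts = [22]`) with an authorized key whose private half sits world-readable in the Nix store of every image, and on top of that `networking.nat.enable = true` turns on IPv4 forwarding (to my knowledge NixOS sets the forwarding sysctl for NAT) in a VM with a single interface and no `externalInterface`, while `firewall.allowedUDPPorts = [67]` opens the DHCP server port in a VM whose address is static (`useDHCP = false`). An AppVM should not route, so drop the `networking.nat` block and the UDP rule, and accept port 22 only from the GUI VM: `firewall.extraCommands = "iptables -A nixos-fw -p tcp --dport 22 -s 192.168.101.3 -j nixos-fw-accept";` (192.168.101.3 is the fixed GUI VM address in guivm.nix; threading it in as an option would avoid repeating it). The authorized key itself could carry `from="192.168.101.3"` and `restrict` options so the store-published key is useless from anywhere else even if the firewall is bypassed. Note also that sshd is only enabled when `ghaf.development.ssh.daemon.enable` is inherited from the host, so a release variant presumably cannot reach the AppVM at all; a comment stating the intended release-mode behavior would help.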
diff --git a/modules/virtualization/microvm/guivm.nix b/modules/virtualization/microvm/guivm.nix new file mode 100644 index 000000000..db9c09f51 --- /dev/null +++ b/modules/virtualization/microvm/guivm.nix 
@@ -0,0 +1,128 @@ +# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + pkgs, + ... +}: let + configHost = config; + waypipe-ssh = pkgs.callPackage ../../../user-apps/waypipe-ssh {}; + guivmBaseConfiguration = { + imports = [ + ({ + lib, + pkgs, + ... + }: { + ghaf = { + users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; + profiles.graphics.enable = true; + profiles.applications.enable = false; + windows-launcher.enable = false; + development = { + # NOTE: SSH port also becomes accessible on the network interface + # that has been passed through to NetVM + ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; + }; + }; + + environment = { + etc = { + "ssh/waypipe-ssh".source = "${waypipe-ssh}/keys/waypipe-ssh"; + }; + systemPackages = [ + pkgs.waypipe + ]; + }; + + networking.hostName = "guivm"; + system.stateVersion = lib.trivial.release; + + nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; + nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; + + networking = { + enableIPv6 = false; + interfaces.ethint0.useDHCP = false; + firewall.allowedTCPPorts = [22]; + firewall.allowedUDPPorts = [67]; + useNetworkd = true; + }; + + microvm = { + mem = 2048; + hypervisor = "qemu"; + qemu.bios.enable = false; + storeDiskType = "squashfs"; + interfaces = [ + { + type = "tap"; + id = "vm-guivm"; + mac = "02:00:00:02:02:02"; + } + ]; + }; + + networking.nat = { + enable = true; + internalInterfaces = ["ethint0"]; + }; + + # Set internal network's interface name to ethint0 + systemd.network.links."10-ethint0" = { + matchConfig.PermanentMACAddress = "02:00:00:02:02:02"; + linkConfig.Name = "ethint0"; + }; + + systemd.network = { + enable = true; + networks."10-ethint0" = { + matchConfig.MACAddress = "02:00:00:02:02:02"; + addresses = [ + { + 
# IP-address for debugging subnet + addressConfig.Address = "192.168.101.3/24"; + } + ]; + routes = [ + {routeConfig.Gateway = "192.168.101.1";} + ]; + linkConfig.RequiredForOnline = "routable"; + linkConfig.ActivationPolicy = "always-up"; + }; + }; + + imports = import ../../module-list.nix; + }) + ]; + }; + cfg = config.ghaf.virtualization.microvm.guivm; +in { + options.ghaf.virtualization.microvm.guivm = { + enable = lib.mkEnableOption "GUIVM"; + + extraModules = lib.mkOption { + description = '' + List of additional modules to be imported and evaluated as part of + GUIVM's NixOS configuration. + ''; + default = []; + }; + }; + + config = lib.mkIf cfg.enable { + microvm.vms."guivm" = { + autostart = true; + config = + guivmBaseConfiguration + // { + imports = + guivmBaseConfiguration.imports + ++ cfg.extraModules; + }; + specialArgs = {inherit lib;}; + }; + }; +} diff --git a/overlays/custom-packages.nix b/overlays/custom-packages.nix index 5f1342dd3..c3cc5b14e 100644 --- a/overlays/custom-packages.nix +++ b/overlays/custom-packages.nix @@ -19,6 +19,8 @@ {lib, ...}: { nixpkgs.overlays = [ (_final: prev: { + gala-app = _final.callPackage ../user-apps/gala {}; + waypipe-ssh = _final.callPackage ../user-apps/waypipe-ssh {}; # TODO: Remove this override if/when the fix is upstreamed. # Disabling colord dependency for weston. Colord has argyllcms as # a dependency, and this package is not cross-compilable. diff --git a/targets/default.nix b/targets/default.nix index db0f7bd0b..f41707990 100644 --- a/targets/default.nix +++ b/targets/default.nix 
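Review bot: `environment.etc."ssh/waypipe-ssh".source = "${waypipe-ssh}/keys/waypipe-ssh"` installs the private key as a symlink to a 0444 store path, so every user and process in the GUI VM (and anything that can read the image or a shared store) can read the key that opens every AppVM. `environment.etc` accepts `mode` and `user`, so `"ssh/waypipe-ssh" = { source = "${waypipe-ssh}/keys/waypipe-ssh"; mode = "0400"; user = configHost.ghaf.users.accounts.user; };` at least copies it with sane permissions for the launcher user, but the store copy stays readable, so the real fix is the one the waypipe-ssh header promises: generate the keypair on first boot (a oneshot running `ssh-keygen` into `/etc/ssh`) and distribute only the public half. The same `networking.nat` / UDP 67 exposure as in appvm.nix applies here, and `microvm.qemu.bios.enable = false` differs from appvm.nix's `true` without a comment saying which is deliberate.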
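Review bot: The new `waypipe-ssh` overlay attribute is not what the rest of this commit uses — appvm.nix and guivm.nix each call `pkgs.callPackage ../../../user-apps/waypipe-ssh {}` themselves, while only the Lenovo target's launchers use `pkgs.waypipe-ssh`. Because that derivation emits a fresh keypair every time it is built, the scheme only works if all call sites evaluate to the same derivation and it is built once; referencing `pkgs.waypipe-ssh` everywhere makes that explicit instead of relying on identical call-site inputs. Minor: now that `_final` is actually used, the leading underscore (conventionally "unused") is misleading; `final: prev:` reads better.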
@@ -15,6 +15,7 @@ lib.foldr lib.recursiveUpdate {} [
 (import ./nvidia-jetson-orin.nix {inherit self lib nixpkgs nixos-generators microvm jetpack-nixos;})
 (import ./vm.nix {inherit self lib nixos-generators microvm;})
 (import ./generic-x86_64.nix {inherit self lib nixos-generators nixos-hardware microvm;})
+ (import ./lenovo-x1-carbon.nix {inherit self lib nixos-generators nixos-hardware microvm;})
 (import ./imx8qm-mek.nix {inherit self lib nixos-generators nixos-hardware microvm;})
 (import ./microchip-icicle-kit.nix {inherit self lib nixpkgs nixos-hardware;})
 ]
diff --git a/targets/lenovo-x1-carbon.nix b/targets/lenovo-x1-carbon.nix
new file mode 100644
index 000000000..50052a182
--- /dev/null
+++ b/targets/lenovo-x1-carbon.nix
@@ -0,0 +1,191 @@ +# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Generic x86_64 computer -target +{ + self, + lib, + nixos-generators, + nixos-hardware, + microvm, +}: let + name = "lenovo-x1-carbon-gen11"; + system = "x86_64-linux"; + formatModule = nixos-generators.nixosModules.raw-efi; + lenovo-x1 = variant: extraModules: let + netvmExtraModules = [ + { + microvm.devices = lib.mkForce [ + { + bus = "pci"; + path = "0000:00:14.3"; + } + ]; + + # For WLAN firmwares + hardware.enableRedistributableFirmware = true; + + networking.wireless = { + enable = true; + + #networks."ssid".psk = "psk"; + }; + } + ]; + guivmExtraModules = [ + { + microvm.qemu.extraArgs = [ + # Lenovo X1 touchpad and keyboard + "-device" + "virtio-input-host-pci,evdev=/dev/input/by-path/platform-i8042-serio-0-event-kbd" + "-device" + "virtio-input-host-pci,evdev=/dev/input/by-path/pci-0000:00:15.0-platform-i2c_designware.0-event-mouse" + # Lenovo X1 trackpoint (red button/joystick) + "-device" + "virtio-input-host-pci,evdev=/dev/input/by-path/platform-i8042-serio-1-event-mouse" + ]; + microvm.devices = [ + { + bus = "pci"; + path = "0000:00:02.0"; + } + ]; + } + ({pkgs, ...}: { + ghaf.graphics.weston.launchers = [ + { + path = "${pkgs.waypipe}/bin/waypipe ssh -i ${pkgs.waypipe-ssh}/keys/waypipe-ssh -o StrictHostKeyChecking=no 192.168.101.5 chromium --enable-features=UseOzonePlatform --ozone-platform=wayland"; + icon = "${pkgs.weston}/share/weston/icon_editor.png"; + } + + { + path = "${pkgs.waypipe}/bin/waypipe ssh -i ${pkgs.waypipe-ssh}/keys/waypipe-ssh -o StrictHostKeyChecking=no 192.168.101.6 gala --enable-features=UseOzonePlatform --ozone-platform=wayland"; + icon = "${pkgs.weston}/share/weston/icon_editor.png"; + } + + { + path = "${pkgs.waypipe}/bin/waypipe ssh -i ${pkgs.waypipe-ssh}/keys/waypipe-ssh -o StrictHostKeyChecking=no 192.168.101.7 zathura"; + icon = "${pkgs.weston}/share/weston/icon_editor.png"; + } + ]; + }) + ]; + 
hostConfiguration = lib.nixosSystem { + inherit system; + specialArgs = {inherit lib;}; + modules = + [ + microvm.nixosModules.host + ../modules/host + ../modules/virtualization/microvm/microvm-host.nix + ../modules/virtualization/microvm/netvm.nix + ../modules/virtualization/microvm/guivm.nix + ../modules/virtualization/microvm/appvm.nix + ({ + pkgs, + lib, + ... + }: { + services.udev.extraRules = '' + # Laptop keyboard + SUBSYSTEM=="input",ATTRS{name}=="AT Translated Set 2 keyboard",GROUP="kvm" + # Laptop touchpad + SUBSYSTEM=="input",ATTRS{name}=="SYNA8016:00",GROUP="kvm" + SUBSYSTEM=="input",ATTRS{name}=="SYNA8016:00 06CB:CEB3 Mouse",GROUP="kvm" + # Laptop TrackPoint + SUBSYSTEM=="input",ATTRS{name}=="TPPS/2 Elan TrackPoint",GROUP="kvm" + ''; + ghaf = { + hardware.x86_64.common.enable = true; + + virtualization.microvm-host.enable = true; + host.networking.enable = true; + virtualization.microvm.netvm = { + enable = true; + extraModules = netvmExtraModules; + }; + virtualization.microvm.guivm = { + enable = true; + extraModules = guivmExtraModules; + }; + virtualization.microvm.appvm = { + enable = true; + vms = [ + { + name = "chromium"; + packages = [pkgs.chromium]; + ipAddress = "192.168.101.5/24"; + macAddress = "02:00:00:03:03:05"; + ramMb = 3072; + cores = 4; + } + { + name = "gala"; + packages = [pkgs.gala-app]; + ipAddress = "192.168.101.6/24"; + macAddress = "02:00:00:03:03:06"; + ramMb = 1536; + cores = 2; + } + { + name = "zathura"; + packages = [pkgs.zathura]; + ipAddress = "192.168.101.7/24"; + macAddress = "02:00:00:03:03:07"; + ramMb = 512; + cores = 1; + } + ]; + extraModules = [{}]; + }; + + # Enable all the default UI applications + profiles = { + applications.enable = false; + #TODO clean this up when the microvm is updated to latest + release.enable = variant == "release"; + debug.enable = variant == "debug"; + }; + windows-launcher.enable = false; + }; + }) + + formatModule + + #TODO: how to handle the majority of laptops that need a 
little + # something extra? + # SEE: https://github.com/NixOS/nixos-hardware/blob/master/flake.nix + # nixos-hardware.nixosModules.lenovo-thinkpad-x1-10th-gen + + { + boot.kernelParams = [ + "intel_iommu=on,igx_off,sm_on" + "iommu=pt" + + # Passthrough Intel WiFi card 8086:51f1 + # Passthrough Intel Iris GPU 8086:a7a1 + "vfio-pci.ids=8086:51f1,8086:a7a1" + ]; + } + ] + ++ (import ../modules/module-list.nix) + ++ extraModules; + }; + in { + inherit hostConfiguration; + name = "${name}-${variant}"; + package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; + }; + debugModules = [../modules/development/usb-serial.nix {ghaf.development.usb-serial.enable = true;}]; + targets = [ + (lenovo-x1 "debug" debugModules) + (lenovo-x1 "release" []) + ]; +in { + nixosConfigurations = + builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets); + packages = { + x86_64-linux = + builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); + }; +} diff --git a/user-apps/waypipe-ssh/default.nix b/user-apps/waypipe-ssh/default.nix new file mode 100644 index 000000000..11382a6a1 --- /dev/null +++ b/user-apps/waypipe-ssh/default.nix 
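Review bot: All three launchers pass `-o StrictHostKeyChecking=no`, so the GUI VM hands its forwarded Wayland session and input events to whatever answers on 192.168.101.5–7 — a compromised AppVM, or the NetVM that owns the physical NIC and sits on the same subnet, could impersonate an AppVM without the user noticing. With static addresses the AppVM host keys can be pinned (a `UserKnownHostsFile` shipped in the GUI VM plus `StrictHostKeyChecking=yes`), which is also a reason to derive the launcher targets from the `vms` list instead of repeating the addresses by hand. Separately, `intel_iommu=on,igx_off,sm_on` contains `igx_off`, which is not a documented `intel_iommu` keyword (`igfx_off` is) and is presumably ignored; the correctly spelled option would disable DMAR for the very iGPU (0000:00:02.0) this file passes to the GUI VM, so the token should be dropped or its intent confirmed rather than "fixed" blindly. If `networks."ssid".psk` is ever uncommented, the PSK lands in the world-readable Nix store; `networking.wireless.environmentFile` keeps it out of the image.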
@@ -0,0 +1,39 @@
+# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+# This package does nothing more than generates a pair of SSH keys and
+# puts them into the /nix/store/. This package is only used in GUIvm
+# and APPvms and is needed for passwordless ssh access which is required
+# by waypipe package.
+# I realize that this is not right, and from the security perspective it
+# looks even worse, but this is an intermediate step, and in nearest future
+# we completely get rid of SSH for proxying Wayland protocol.
+{
+ stdenv,
+ pkgs,
+ lib,
+ ...
+}:
+stdenv.mkDerivation {
+ name = "waypipe-ssh";
+
+ buildInputs = [pkgs.openssh];
+
+ phases = ["buildPhase" "installPhase"];
+
+ buildPhase = ''
+ echo -e "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -o -a 100 -t ed25519 -f waypipe-ssh -C ""
+ '';
+
+ installPhase = ''
+ mkdir -p $out/keys
+ install ./waypipe-ssh $out/keys
+ install ./waypipe-ssh.pub $out/keys
+ '';
+
+ meta = with lib; {
+ description = "Helper script for launching Waypipe";
+ platforms = [
+ "x86_64-linux"
+ ];
+ };
+}
From ea2cc63dd0d11f58bb6dd6d5ffa9171bcf3fb5c0 Mon Sep 17 00:00:00 2001 From: Ivan Nikolaenko Date: Tue, 22 Aug 2023 15:12:10 +0300 Subject: [PATCH 50/60] doc: Lenovo X1 and compartmentalization Co-authored-by: Nikita Bazulin Signed-off-by: Ivan Nikolaenko --- docs/src/SUMMARY.md | 5 +- docs/src/features/features.md | 14 +++-- docs/src/ref_impl/build_and_run.md | 18 ++++++ docs/src/ref_impl/creating_appvm.md | 73 +++++++++++++++++++++++++ docs/src/ref_impl/development.md | 2 +- docs/src/ref_impl/example_project.md | 36 ++++++++++++ docs/src/ref_impl/ghaf-based-project.md | 8 +-- docs/src/scenarios/showcases.md | 4 +- docs/src/technologies/compartment.md | 13 +++++ 9 files changed, 160 insertions(+), 13 deletions(-) create mode 100644 docs/src/ref_impl/creating_appvm.md create mode 100644 docs/src/ref_impl/example_project.md create mode 100644 docs/src/technologies/compartment.md
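Review bot: This derivation is deliberately non-reproducible (a fresh keypair on every build), yet nothing prevents its output from being substituted from or pushed to a binary cache, so the GUI VM and the AppVMs can end up holding halves of different keypairs — and a cache would be publishing a private key. Add `preferLocalBuild = true; allowSubstitutes = false;` to the `mkDerivation` attributes so the key is always generated on the building machine and used consistently within one build. `install` defaults to mode 0755, so the private key is also installed executable; `install -m 0600 ./waypipe-ssh $out/keys` is more honest even though the store flattens it to 0444, and the `-a 100` KDF rounds are moot with an empty passphrase. `meta.description = "Helper script for launching Waypipe"` describes something else — it should say that this package generates a throw-away SSH keypair for the waypipe demo and is not meant for production images.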
diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index 394043d27..660c84f4e 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -24,9 +24,12 @@ - [Development](ref_impl/development.md) - [Build and Run](ref_impl/build_and_run.md) - [Cross-Compilation](ref_impl/cross_compilation.md) - - [Ghaf-Based Project](ref_impl/ghaf-based-project.md) + - [Creating Application VM](ref_impl/creating_appvm.md) + - [Ghaf as Library](ref_impl/ghaf-based-project.md) + - [Example Project](ref_impl/example_project.md) - [Modules Options](ref_impl/modules_options.md) - [Technologies](technologies/technologies.md) + - [Compartmentalization](technologies/compartment.md) - [Passthrough](technologies/passthrough.md) - [Binding Device to VFIO Driver](technologies/vfio.md) - [NVIDIA Jetson AGX Orin: UART Passthrough](technologies/nvidia_agx_pt_uart.md) diff --git a/docs/src/features/features.md b/docs/src/features/features.md index 0fb87f2eb..80fe0a0bc 100644 --- a/docs/src/features/features.md +++ b/docs/src/features/features.md @@ -19,6 +19,7 @@ Ghaf demo desktop and applications are illustrated in the screen capture below: - `Orin`—NVIDIA Jetson AGX Orin as the main reference device. - `x86`—generic x86_64; tested on Intel NUC (Next Unit of Computing) or laptop. +- `Lenovo X1`—Lenovo X1 Carbon Gen11 laptop. - `aarch64`—generic AArch64; tested on an ARM server, laptop (e.g. Apple M's), or NVIDIA Jetson AGX Orin. - `All variants`—supported devices from [Architectural Variants](https://tiiuae.github.io/ghaf/architecture/variants.html). 
@@ -32,6 +33,7 @@ The following tables show the status of Ghaf Platform features: | `aarch64` reference image | ✅ | `Orin` | Based on [Jetson Linux](https://developer.nvidia.com/embedded/jetson-linux), [OE4T](https://github.com/OE4T) and [jetpack-nixos](https://github.com/anduril/jetpack-nixos). | | `aarch64` reference image | ✅ | `imx8qm` | Based on NXP BSP, implemented as [nixos-hardware module](https://github.com/NixOS/nixos-hardware/tree/master/nxp)| | `x86` generic image | ✅ | `x86` | Generic x86 computer, based on generic [NixOS](https://nixos.org/). NOTE: requires device specific configuration.| +| `Lenovo X1` reference image | ✅ | `Lenovo X1` | x86_64 laptop computer, supports basic compartmentalized environment | | Native build | ✅ | `aarch64, x86` | Remote `aarc64` nixos builders recommended | | Cross-compilation | 🚧 | `aarch64, riscv64` | Depends on NixOS `nixpkgs 23.05` support for cross-compilation | | CI builds | ✅ | `All` | [Only `main`-branch, not for all PRs](https://vedenemo.dev/). | @@ -47,6 +49,7 @@ The following tables show the status of Ghaf Platform features: | root filesystem flashing | ✅ | `x86, imx8qm` | `dd` image to bootable media - [see](https://tiiuae.github.io/ghaf/ref_impl/build_and_run.html#running-ghaf-image-for-x86-computer) | | Debug: SSH | ✅ | `Orin`, `x86` | Host access only in `-debug`-target, see [authentication.nix](https://github.com/tiiuae/ghaf/blob/main/modules/development/authentication.nix) | | Debug: Serial | ✅ | `all` | Host access only in `-debug`-target - e.g. `screen /dev/ttyACM0 115200` | +| Compartmentalized environment | 🚧 | `Lenovo X1` | NetVM, GUI VM (with GPU passthrough) plus some Application VMs | ## Target architecture 
@@ -55,11 +58,12 @@ The following tables show the status of Ghaf Platform features: | `minimal host` | 🚧 | [`all`](https://tiiuae.github.io/ghaf/architecture/variants.html) | See [Minimal Host](https://tiiuae.github.io/ghaf/architecture/adr/minimal-host.html) and [PR #140](https://github.com/tiiuae/ghaf/pull/140). | | `netvm` | ✅ | `Orin` | See [netvm](https://tiiuae.github.io/ghaf/architecture/adr/netvm.html). Passthrough with Wifi works but requires SSID/password configuration | | `idsvm` | ✅ | `Orin` | [Defensive security VM placeholder PR open](https://github.com/tiiuae/ghaf/pull/146) | -| `guivm` | 🚧 | `All`| Currently Wayland stack and apps on host for demos. Graphics are host-only for now. [PCI GPU passthrough and guivm PR open](https://github.com/tiiuae/ghaf/pull/118)| +| `guivm` | 🚧 | `All`, `Lenovo-X1`| Implemented for Lenovo X1 reference device, other devices have Wayland compositor running on the host.| +| `appvm` | 🚧 | `All`, `Lenovo-X1`| Implemented for Lenovo X1 reference device: chromium, GALA and zathura VMs. Requires `guivm` in place | | `adminvm` | ✅ | `All` | Not started | | Inter VM comms - IP-based | 🚧 | `All` |`-debug`-targets have network bridges to access VMs from host | | Inter VM comms - shared memory | 🚧 | `All` | | -| Inter VM Wayland | 🚧 | `All` | Being ported from previous work | +| Inter VM Wayland | 🚧 | `All` | Currently it is `waypipe` over SSH, for test and demo purpose only | | SW update | 🚧 | `All` | A/B update tooling being evaluated | | USB passthrough | 🚧 | `Orin` | No reference implementation integrated yet | | PCI passthrough | ✅ | `All` | Used for reference in `netvm` on `Orin` | 
@@ -70,10 +74,10 @@ The following tables show the status of Ghaf Platform features: | Feature | Status | Reference Device | Details | |-------------------|-------------|------------------|----------------------------------------------| -| Wayland-compositor | 🚧 | `Orin`, `x86` | On host | -| Chromium | 🚧 | `Orin`, `x86` | On host | +| Wayland-compositor | 🚧 | `Orin`, `x86` | Implemented for `Lenovo-X1` | +| Chromium | 🚧 | `Orin`, `x86` | Implemented for `Lenovo-X1` | | Element | 🚧 | `Orin`, `x86` | On host | -| Cloud Android (CVD) client app (GALA )| 🚧 | `Orin`, `x86` | On host | +| Cloud Android (CVD) client app (GALA )| 🚧 | `Orin`, `x86` | Implemented for `Lenovo-X1` | | Virtualization control | 🚧 | [`All`](https://tiiuae.github.io/ghaf/architecture/variants.html) | See [vmd design](https://github.com/tiiuae/vmd/blob/main/doc/design.md). | ## Next steps diff --git a/docs/src/ref_impl/build_and_run.md b/docs/src/ref_impl/build_and_run.md index 4ada1258d..f5c78f77b 100644 --- a/docs/src/ref_impl/build_and_run.md +++ b/docs/src/ref_impl/build_and_run.md @@ -30,6 +30,7 @@ Then you can use one of the following instructions for the supported targets: |--- |--- | --- | | Virtual Machine | x86_64 | [Running Ghaf Image for x86 VM (ghaf-host)](./build_and_run.md#running-ghaf-image-for-x86-vm-ghaf-host) | | Generic x86 Сomputer | x86_64 | [Running Ghaf Image for x86 Computer](./build_and_run.md#running-ghaf-image-for-x86-computer) | +| Lenovo X1 Carbon Gen 11 | x86_64 | [Running Ghaf Image for Lenovo X1](./build_and_run.md#running-ghaf-image-for-lenovo-x1) | | NVIDIA Jetson AGX Orin | AArch64 | [Ghaf Image for NVIDIA Jetson Orin AGX](./build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx) | | NXP i.MX 8QM-MEK | AArch64 | [Building Ghaf Image for NXP i.MX 8QM-MEK](./build_and_run.md#building-ghaf-image-for-nxp-imx-8qm-mek) | | MICROCHIP icicle-kit | RISCV64 | [Building Ghaf Image for Microchip Icicle Kit](./build_and_run.md#building-ghaf-image-for-microchip-icicle-kit) | 
@@ -64,6 +65,23 @@ Do the following: --- +## Running Ghaf Image for Lenovo X1 + +Lenovo X1 is the reference x86_64 device for the Ghaf project. + +Do the following: +1. To build the target image, run the command: + ``` + nix build github:tiiuae/ghaf#lenovo-x1-carbon-gen11-debug + ``` +2. After the build is completed, prepare a USB boot media with the target image you built: + ``` + dd if=./result/nixos.img of=/dev/ bs=32M + ``` +3. Boot the computer from the USB media. + +--- + ## Ghaf Image for NVIDIA Jetson Orin AGX Before you begin: diff --git a/docs/src/ref_impl/creating_appvm.md b/docs/src/ref_impl/creating_appvm.md new file mode 100644 index 000000000..ecd05c8c7 --- /dev/null +++ b/docs/src/ref_impl/creating_appvm.md 
@@ -0,0 +1,73 @@ + + +# Creating an Application VM + +## What is AppVM? + +AppVM is a virtual machine that is used to improve trust in system components by isolating the applications from both host OS and other applications. This way user can use applications of different trust levels within the same system and without compromising system security. This is because virtualization with hardware backed mechanisms provides better resource protection than traditional OS. While the VMs have overhead, it's acceptable via improved security and usability that makes the application seem like it is running inside an ordinary OS. + +As a result - both highly trusted applications and untrusted applications can be hosted in the same secure system when the concerns are separated in their own AppVMs. + +## How to add a new AppVM + +### 1. AppVM description + +Add the VM description in the target configuration. +[lenovo-x1.nix](../../../targets/lenovo-x1.nix) already has AppVMs inside for Chromium, Gala, and Zathura applications. + +#### Example of the current AppVMs + +``` +vms = with pkgs; [ + { + name = "chromium"; + packages = [chromium]; + ipAddress = "192.168.101.5/24"; + macAddress = "02:00:00:03:03:05"; + ramMb = 3072; + cores = 4; + } + { + name = "gala"; + packages = [(pkgs.callPackage ../user-apps/gala {})]; + ipAddress = "192.168.101.6/24"; + macAddress = "02:00:00:03:03:06"; + ramMb = 1536; + cores = 2; + } + { + name = "zathura"; + packages = [zathura]; + ipAddress = "192.168.101.7/24"; + macAddress = "02:00:00:03:03:07"; + ramMb = 512; + cores = 1; + } +]; +``` + +Each VM has the following properties: + + +| **Property** | **Type** | **Unique** | **Description** | **Example** | +| -------------- | --------------------------- | ------------ | --------------------------------------------------------------------------------------------------------------- | --------------------- | +| name | str | yes | This name is prefixed with `vm-` and will be shown in microvm list. 
The prefixed name - e.g. `vm-chromium` will be also the VM hostname | “chromium” | +| packages | list of types.package | no | Packages to include in a VM. It’s possible to make it empty or add several packages | [chromium top] | +| ipAddress | str | yes | This IP will be used to access a VM from the host. Should has the same subnetwork, as other VMs: Net, GUI VMs | "192.168.101.5/24" | +| macAddress | str | yes | Needed for network configuration | "02:00:00:03:03:05" | +| ramMb | int, [1, …, host memory] | no | Memory in MB | 3072 | +| cores | int, [1, …, host cores] | no | Virtual CPU cores | 4 | + + +### 2. Add an app launcher in GUI VM + +To add an app launcher, add an element in the [guivm.nix](../../../modules/virtualization/microvm/guivm.nix) file to the **graphics.weston.launchers** list. +A launcher element has 2 properties: + +1. **path** – path to the executable you want to run, like a graphical application. +2. **icon** – path to an icon to show. + +You may want to check the example launchers [here](../../../modules/virtualization/microvm/guivm.nix) \ No newline at end of file diff --git a/docs/src/ref_impl/development.md b/docs/src/ref_impl/development.md index add8711dd..0fa2a77e9 100644 --- a/docs/src/ref_impl/development.md +++ b/docs/src/ref_impl/development.md 
@@ -9,7 +9,7 @@ Ghaf Framework is free software, currently under active development. Scope of target support is updated with development progress. -Once you are up and running, you can participate in the collaborative development process by building a development build with additional options. For example, with the development username and password that are defined in the[authentication.nix](https://github.com/tiiuae/ghaf/blob/main/modules/development/authentication.nix#L4-L5) module. +Once you are up and running, you can participate in the collaborative development process by building a development build with additional options. For example, with the development username and password that are defined in the [authentication.nix](https://github.com/tiiuae/ghaf/blob/main/modules/development/authentication.nix#L4-L5) module. If you set up development SSH keys in the [ssh.nix](https://github.com/tiiuae/ghaf/blob/main/modules/development/ssh.nix#L4) module, you can use `nixos-rebuild switch` to quickly deploy your configuration changes to the development board over the network using SSH: diff --git a/docs/src/ref_impl/example_project.md b/docs/src/ref_impl/example_project.md new file mode 100644 index 000000000..72c485f97 --- /dev/null +++ b/docs/src/ref_impl/example_project.md 
@@ -0,0 +1,36 @@ + + +# Example Project + +The compartmentalization could be applied to many specific x86_64 computers and laptops with some customization applied to the Ghaf. The best way of the Ghaf customization is using Ghaf templates. + +1. Create a template project as described in [Ghaf as Library](../ref_impl/ghaf-based-project.md) section +2. Adjust your system configuration with accordance to your HW specification. Determine all VIDs and PIDs of the devices that are passed to the VMs + +3. Add GUIVM configuration, NetworkVM configuration and optionally some AppVMs +4. Set up weston panel shortcuts. +Refer to the existing [project example for Lenovo T14 and Lenovo X1 laptops](https://github.com/unbel13ver/ghaf-lib) + +Creating the structure that includes all necessary data for the device passthrough: +``` +# File 'my-hardware/lenovo-t14.nix': +# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Generic x86_64 computer -target +{ + deviceName = "lenovo-t14"; + networkPciAddr = "0000:00:14.3"; + networkPciVid = "8086"; + networkPciPid = "02f0"; + gpuPciAddr = "0000:00:02.0"; + gpuPciVid = "8086"; + gpuPciPid = "9b41"; + usbInputVid = "046d"; + usbInputPid = "c52b"; +} +``` +The fields of that structure are self-explanatory. Use `lspci -nnk` command to get this data from any Linux OS running on the device. diff --git a/docs/src/ref_impl/ghaf-based-project.md b/docs/src/ref_impl/ghaf-based-project.md index 9fd088b84..51d1e40ef 100644 --- a/docs/src/ref_impl/ghaf-based-project.md +++ b/docs/src/ref_impl/ghaf-based-project.md @@ -3,7 +3,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0 --> -# Ghaf-Based Project +# Ghaf as Library: Templates Ghaf is a framework for creating virtualized edge devices, it is therefore expected that projects wishing to use Ghaf should import it to create a derived work for the specific use case. 
@@ -23,7 +23,7 @@ The Ghaf Platform repository provides declarative modules and reference implemen External repositories help make various HW options, system image generators, and reference board-support packages available. -## Creating Ghaf-Based Project +## Using Ghaf Templates 1. Check the available target templates: @@ -63,7 +63,7 @@ External repositories help make various HW options, system image generators, and ``` -## Updating Ghaf-Based Project +## Updating Ghaf Revision To update your project, run `nix flake update`. This check the inputs for updates and based on availability of the updates, generate an updated `flake.lock` which locks the specific versions to support the reproducible builds without side effects. @@ -71,7 +71,7 @@ In practice, nix flake will not allow floating inputs but all the inputs and dec After update, review and testing - commit the updated `flake.lock` to your version history to share reproducible builds within your project. -## Customizing Ghaf-Based Project +## Customizing Ghaf Modules To use the Ghaf declarative module system, check what you need in your system and choose the [modules options](./modules_options.md) you need. For example, import the ghaf `graphics`-module and declare that you won't need the reference Wayland-compositor Weston and the demo applications: diff --git a/docs/src/scenarios/showcases.md b/docs/src/scenarios/showcases.md index 21d7f7c5b..6e7e06472 100644 --- a/docs/src/scenarios/showcases.md +++ b/docs/src/scenarios/showcases.md @@ -9,5 +9,5 @@ The Ghaf Platform can be used in various different environments, configurations, ## In This Chapter -- [Running Windows VM on Ghaf](scenarios/run_win_vm.md) -- [Running Cuttlefish on Ghaf](scenarios/run_cuttlefish.md) \ No newline at end of file +- [Running Windows VM on Ghaf](./run_win_vm.md) +- [Running Cuttlefish on Ghaf](./run_cuttlefish.md) \ No newline at end of file 
diff --git a/docs/src/technologies/compartment.md b/docs/src/technologies/compartment.md new file mode 100644 index 000000000..eee53820b --- /dev/null +++ b/docs/src/technologies/compartment.md @@ -0,0 +1,13 @@ + + +# Compartmentalization +Compartmentalization is the technique of separating parts of a system to decrease attack surface and prevent malfunctions from cascading in the system. In Ghaf architecture, there is a separate Virtual Machine (VM) for every vital function of the system. + +Current implementation supports Graphic User Interface (GUI) VM, Networking VM and a couple of Application VMs, such as Chromium web-browser and Zathura pdf reader. + +The GUI VM owns computer's GPU and performs desktop environment and application windows rendering. Wayland protocol for applications in this case is proxified by `waypipe` over SSH. This approach is used temporarly before moving to more sophisticated solutions. + +VM compartmentalization requires all necessary devices passthrough in place. More specifically, you need to know PCI VID and PID of a device and also it's number on the PCI bus. In case of USB device passthrough, it is enough to know device's VID and PID. See [Ghaf as Library](../ref_impl/ghaf-based-project.md) and [Creating Application VM](../ref_impl/creating_appvm.md) sections to know more about the actual implementation. \ No newline at end of file From be553527f327f34bdf49cfa6ae24c4f8fed6aaa2 Mon Sep 17 00:00:00 2001 From: Emrah Billur Date: Wed, 30 Aug 2023 11:47:59 +0300 Subject: [PATCH 51/60] Orin Nx Ethernet Passthrough Signed-off-by: Emrah Billur --- .../nvidia-jetson-orin/jetson-orin.nix | 47 +++++- .../pci-passthrough-nx-test.patch | 143 +++++++++++++++++- targets/nvidia-jetson-orin.nix | 37 ++--- 3 files changed, 206 insertions(+), 21 deletions(-) diff --git a/modules/hardware/nvidia-jetson-orin/jetson-orin.nix b/modules/hardware/nvidia-jetson-orin/jetson-orin.nix index 2ec1841ec..aa66d12ee 100644 
--- a/modules/hardware/nvidia-jetson-orin/jetson-orin.nix +++ b/modules/hardware/nvidia-jetson-orin/jetson-orin.nix @@ -4,7 +4,9 @@ # Configuration for NVIDIA Jetson Orin AGX/NX reference boards { lib, + pkgs, config, + nixpkgs, ... }: let cfg = config.ghaf.hardware.nvidia.orin; @@ -14,14 +16,48 @@ passthrough-patch = ./pci-passthrough-agx-test.patch; vfio-pci = "vfio-pci.ids=10ec:c82f"; deviceTree = "tegra234-p3701-host-passthrough.dtb"; + buspath = [ + { + bus = "pci"; + path = "0001:01:00.0"; + } + ]; + kernelParams = []; }; "nx" = { flashArgs = ["-r" config.hardware.nvidia-jetpack.flashScriptOverrides.targetBoard "nvme0n1p1"]; + # This patch uses Alex Williamson's patch for enabling overrides for missing ACS capabilities on pci + # bus which could be accessed from following link: https://lkml.org/lkml/2013/5/30/513 passthrough-patch = ./pci-passthrough-nx-test.patch; + # Multiple device passing option + # vfio-pci = "vfio-pci.ids=10de:229c,10ec:8168"; vfio-pci = "vfio-pci.ids=10ec:8168"; deviceTree = "tegra234-p3767-host-passthrough.dtb"; + buspath = [ + # Multiple devices and path could be passed through this option + # { + # bus = "pci"; + # path = "0008:00:00.0"; + # } + { + bus = "pci"; + path = "0008:01:00.0"; + } + ]; + kernelParams = [ + "pci=nomsi" + "pcie_acs_override=downstream,multifunction" + ]; }; }; + netvmExtraModules = [ + { + # This is the device dependent part of netvm configuration. + # This part should be conditional for AGX 01:01 for NX 08:01 + microvm.devices = somDefinition."${cfg.somType}".buspath; + microvm.kernelParams = somDefinition."${cfg.somType}".kernelParams; + } + ]; in with lib; { options.ghaf.hardware.nvidia.orin = { 
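Review bot: `pcie_acs_override=downstream,multifunction` in the nx `kernelParams` ends up in `microvm.kernelParams` through `netvmExtraModules`, which as far as I can tell is the netvm guest's command line, while the patch that registers that parameter (`passthrough-patch`) is applied to the host kernel through `boot.kernelPatches` in a later hunk, so an unpatched guest kernel will simply ignore it. If the intent is to split the host IOMMU group holding the NIC selected by `vfio-pci`, the value belongs in the host's `boot.kernelParams` next to `somDefinition."${cfg.somType}".vfio-pci`; if it really is meant for the guest, the comment should say why. Whichever side it lands on, the option deliberately relaxes DMA isolation (the patch itself prints "This may allow non-IOMMU protected peer-to-peer DMA"), so the line deserves a comment recording the trade-off, e.g. `# ACS override: devices behind the same root port are no longer DMA-isolated from each other by the IOMMU`. The placeholder comment `# This part should be conditional for AGX 01:01 for NX 08:01` is now misleading, since the `somType` lookup already makes it conditional.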
@@ -65,11 +101,16 @@ in ghaf.boot.loader.systemd-boot-dtb.enable = true; + ghaf.virtualization.microvm.netvm = { + enable = true; + extraModules = netvmExtraModules; + }; + boot.loader = { efi.canTouchEfiVariables = true; systemd-boot.enable = true; }; - + boot.modprobeConfig.enable = true; boot.kernelPatches = [ { name = "passthrough-patch"; @@ -96,7 +137,9 @@ in name = somDefinition."${cfg.somType}".deviceTree; }; - # Passthrough Jetson Orin WiFi card + # Passthrough Jetson Orin Network cards + boot.kernelModules = ["vfio_pci" "vfio_iommu_type1" "vfio"]; + boot.kernelParams = [ somDefinition."${cfg.somType}".vfio-pci "vfio_iommu_type1.allow_unsafe_interrupts=1" diff --git a/modules/hardware/nvidia-jetson-orin/pci-passthrough-nx-test.patch b/modules/hardware/nvidia-jetson-orin/pci-passthrough-nx-test.patch index 6a138d929..1c2320136 100644 --- a/modules/hardware/nvidia-jetson-orin/pci-passthrough-nx-test.patch +++ b/modules/hardware/nvidia-jetson-orin/pci-passthrough-nx-test.patch 
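Review bot: `ghaf.virtualization.microvm.netvm.enable = true;` is set unconditionally from a hardware module, so any target importing it can no longer opt out of the netvm without `mkForce`; `enable = mkDefault true;` (the file already has `with lib;` in scope) keeps the hardware module from dictating the virtualization layout while preserving the default. `boot.modprobeConfig.enable = true;` is added without an accompanying `boot.extraModprobeConfig` in this hunk; if the options live elsewhere, a one-line comment naming what it is needed for would help the next reader, e.g. `# needed so vfio-pci module options from boot.extraModprobeConfig are honoured — confirm`.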
@@ -1,3 +1,141 @@ +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index d00618967854..a7b459f69e33 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -3641,6 +3641,14 @@ + nomsi [MSI] If the PCI_MSI kernel config parameter is + enabled, this kernel boot option can be used to + disable the use of MSI interrupts system-wide. ++ pci_acs_override [PCIE] Override missing PCIe ACS support for: ++ downstream ++ All downstream ports - full ACS capabilities ++ multifunction ++ Add multifunction devices - multifunction ACS subset ++ id:nnnn:nnnn ++ Specific device - full ACS capabilities ++ Specified as vid:did (vendor/device ID) in hex + noioapicquirk [APIC] Disable all boot interrupt quirks. + Safety option to keep boot IRQs enabled. This + should never be necessary. +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 0c4492a7a308..2fc00e4dd7ac 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3571,6 +3571,106 @@ static void quirk_no_bus_reset(struct pci_dev *dev) + dev->dev_flags |= PCI_DEV_FLAGS_NO_BUS_RESET; + } + ++static bool acs_on_downstream; ++static bool acs_on_multifunction; ++ ++#define NUM_ACS_IDS 16 ++struct acs_on_id { ++ unsigned short vendor; ++ unsigned short device; ++}; ++static struct acs_on_id acs_on_ids[NUM_ACS_IDS]; ++static u8 max_acs_id; ++ ++static __init int pcie_acs_override_setup(char *p) ++{ ++ if (!p) ++ return -EINVAL; ++ ++ while (*p) { ++ if (!strncmp(p, "downstream", 10)) ++ acs_on_downstream = true; ++ if (!strncmp(p, "multifunction", 13)) ++ acs_on_multifunction = true; ++ if (!strncmp(p, "id:", 3)) { ++ char opt[5]; ++ int ret; ++ long val; ++ ++ if (max_acs_id >= NUM_ACS_IDS - 1) { ++ pr_warn("Out of PCIe ACS override slots (%d)\n", ++ NUM_ACS_IDS); ++ goto next; ++ } ++ ++ p += 3; ++ snprintf(opt, 5, "%s", p); ++ ret = kstrtol(opt, 16, &val); ++ if (ret) { ++ 
pr_warn("PCIe ACS ID parse error %d\n", ret); ++ goto next; ++ } ++ acs_on_ids[max_acs_id].vendor = val; ++ ++ p += strcspn(p, ":"); ++ if (*p != ':') { ++ pr_warn("PCIe ACS invalid ID\n"); ++ goto next; ++ } ++ ++ p++; ++ snprintf(opt, 5, "%s", p); ++ ret = kstrtol(opt, 16, &val); ++ if (ret) { ++ pr_warn("PCIe ACS ID parse error %d\n", ret); ++ goto next; ++ } ++ acs_on_ids[max_acs_id].device = val; ++ max_acs_id++; ++ } ++next: ++ p += strcspn(p, ","); ++ if (*p == ',') ++ p++; ++ } ++ ++ if (acs_on_downstream || acs_on_multifunction || max_acs_id) ++ pr_warn("Warning: PCIe ACS overrides enabled; This may allow non-IOMMU protected peer-to-peer DMA\n"); ++ ++ return 0; ++} ++early_param("pcie_acs_override", pcie_acs_override_setup); ++ ++static int pcie_acs_overrides(struct pci_dev *dev, u16 acs_flags) ++{ ++ int i; ++ ++ /* Never override ACS for legacy devices or devices with ACS caps */ ++ if (!pci_is_pcie(dev) || ++ pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ACS)) ++ return -ENOTTY; ++ ++ for (i = 0; i < max_acs_id; i++) ++ if (acs_on_ids[i].vendor == dev->vendor && ++ acs_on_ids[i].device == dev->device) ++ return 1; ++ ++ switch (pci_pcie_type(dev)) { ++ case PCI_EXP_TYPE_DOWNSTREAM: ++ case PCI_EXP_TYPE_ROOT_PORT: ++ if (acs_on_downstream) ++ return 1; ++ break; ++ case PCI_EXP_TYPE_ENDPOINT: ++ case PCI_EXP_TYPE_UPSTREAM: ++ case PCI_EXP_TYPE_LEG_END: ++ case PCI_EXP_TYPE_RC_END: ++ if (acs_on_multifunction && dev->multifunction) ++ return 1; ++ } ++ ++ return -ENOTTY; ++} + /* + * Some NVIDIA GPU devices do not work with bus reset, SBR needs to be + * prevented for those affected devices. +@@ -4938,6 +5038,7 @@ static const struct pci_dev_acs_enabled { + { PCI_VENDOR_ID_NXP, 0x8d9b, pci_quirk_nxp_rp_acs }, + /* Zhaoxin Root/Downstream Ports */ + { PCI_VENDOR_ID_ZHAOXIN, PCI_ANY_ID, pci_quirk_zhaoxin_pcie_ports_acs }, ++ { PCI_ANY_ID, PCI_ANY_ID, pcie_acs_overrides }, + { 0 } + }; + 
diff --git a/nvidia/platform/t23x/p3768/kernel-dts/Makefile b/nvidia/platform/t23x/p3768/kernel-dts/Makefile index f306119fe8a3..3034a22ca7ed 100644 --- a/nvidia/platform/t23x/p3768/kernel-dts/Makefile @@ -14,10 +152,10 @@ index f306119fe8a3..3034a22ca7ed 100644 dtbo-$(BUILD_ENABLE) += tegra234-p3767-0000-p3509-a02-csi.dtbo diff --git a/nvidia/platform/t23x/p3768/kernel-dts/tegra234-p3767-host-passthrough.dts b/nvidia/platform/t23x/p3768/kernel-dts/tegra234-p3767-host-passthrough.dts new file mode 100644 -index 000000000000..e273e4e9505f +index 000000000000..7b1c2f6fda7d --- /dev/null +++ b/nvidia/platform/t23x/p3768/kernel-dts/tegra234-p3767-host-passthrough.dts -@@ -0,0 +1,13 @@ +@@ -0,0 +1,14 @@ +/dts-v1/; +#include "tegra234-p3767-0000-p3509-a02.dts" + @@ -28,6 +166,7 @@ index 000000000000..e273e4e9505f +&pcie_c8_rp { + interconnect-names = "dma-mem", "write"; + /delete-property/ iommus; ++ /delete-property/ dma-coherent; + /delete-property/ msi-parent; + /delete-property/ msi-map; +}; diff --git a/targets/nvidia-jetson-orin.nix b/targets/nvidia-jetson-orin.nix index f0331c085..16939cac8 100644 --- a/targets/nvidia-jetson-orin.nix +++ b/targets/nvidia-jetson-orin.nix 
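Review bot: The documentation added to `kernel-parameters.txt` names the option `pci_acs_override`, but the code registers it as `early_param("pcie_acs_override", pcie_acs_override_setup);`, and the NixOS configuration in this series passes `pcie_acs_override=downstream,multifunction`; the doc line should read `pcie_acs_override [PCIE] Override missing PCIe ACS support for:` so that anyone reading the kernel docs does not copy a spelling the kernel ignores. The slot check `if (max_acs_id >= NUM_ACS_IDS - 1)` appears to refuse the 16th entry even though `acs_on_ids[NUM_ACS_IDS]` has room for it; `>= NUM_ACS_IDS` would use the whole array. Since this is carried from an upstream posting, both are one-token changes in the patch file and worth a short header comment in the patch explaining that it is a locally carried out-of-tree patch and why (the nx NIC shares an IOMMU group); the enclosing hunk starts on an earlier line.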
@@ -10,35 +10,42 @@ }: let name = "nvidia-jetson-orin"; system = "aarch64-linux"; + formatModule = nixos-generators.nixosModules.raw-efi; nvidia-jetson-orin = som: variant: extraModules: let netvmExtraModules = [ { - microvm.devices = [ - { - bus = "pci"; - path = "0001:01:00.0"; - } - ]; - - # For WLAN firmwares - hardware.enableRedistributableFirmware = true; + # The Nvidia Orin hardware dependent configuration is in + # modules/hardware/nvidia-jetson-orin/jetson-orin.nx + # Please refer to that section for hardware dependent netvm configuration. + # To enable or disable wireless networking.wireless = { - enable = true; - - # networks."SSID_OF_NETWORK".psk = "WPA_PASSWORD"; + # Wireless Configuration + # Orin AGX has WiFi enabled where Orin Nx does not + enable = + if som == "agx" + then nixpkgs.lib.mkForce true + else nixpkgs.lib.mkForce false; }; + + # For WLAN firmwares + hardware.enableRedistributableFirmware = + if som == "agx" + then nixpkgs.lib.mkForce true + else nixpkgs.lib.mkForce false; + # Note: When 21.11 arrives replace the below statement with + # wirelessRegulatoryDatabase = true; } ]; hostConfiguration = lib.nixosSystem { inherit system; specialArgs = {inherit lib;}; + modules = [ jetpack-nixos.nixosModules.default ../modules/hardware/nvidia-jetson-orin - microvm.nixosModules.host ../modules/host ../modules/virtualization/microvm/microvm-host.nix @@ -50,10 +57,6 @@ virtualization.microvm-host.enable = true; host.networking.enable = true; - virtualization.microvm.netvm = { - enable = true; - extraModules = netvmExtraModules; - }; # Enable all the default UI applications profiles = { From fec29af15c37b88776dfbf5067d79cfd645d9768 Mon Sep 17 00:00:00 2001 From: "Alexander V. Nikolaev" Date: Thu, 31 Aug 2023 18:44:11 +0300 Subject: [PATCH 52/60] Remove requirement of aarch64-linux builder for EFI stuff Signed-off-by: Alexander V. Nikolaev --- lib/mk-flash-script.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
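Review bot: The new comment points to `modules/hardware/nvidia-jetson-orin/jetson-orin.nx`, which should be `jetson-orin.nix`. The two `if som == "agx" then nixpkgs.lib.mkForce true else nixpkgs.lib.mkForce false` expressions read more directly as `nixpkgs.lib.mkForce (som == "agx")`, and the `# Note: When 21.11 arrives replace the below statement with` remark refers to a release that is long past, so either apply the replacement it describes or drop the note. `microvm.nixosModules.host` is removed from `modules` while `virtualization.microvm-host.enable = true;` stays; presumably `../modules/virtualization/microvm/microvm-host.nix` imports it itself — worth confirming before merging.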
diff --git a/lib/mk-flash-script.nix b/lib/mk-flash-script.nix index 8f7edab87..a9e211fd1 100644 --- a/lib/mk-flash-script.nix +++ b/lib/mk-flash-script.nix @@ -10,7 +10,7 @@ }: let cfg = hostConfiguration.config.hardware.nvidia-jetpack; inherit (jetpack-nixos.legacyPackages.${flash-tools-system}) flash-tools; - devicePkgs = jetpack-nixos.legacyPackages.aarch64-linux.devicePkgsFromNixosConfig hostConfiguration.config; + devicePkgs = jetpack-nixos.legacyPackages.${flash-tools-system}.devicePkgsFromNixosConfig hostConfiguration.config; flashScript = devicePkgs.mkFlashScript { flash-tools = flash-tools.overrideAttrs ({postPatch ? "", ...}: { postPatch = postPatch + cfg.flashScriptOverrides.postPatch; From a973cabb8452a02332d082fdb6c4783e1d27ffb4 Mon Sep 17 00:00:00 2001 From: Mika Tammi Date: Thu, 3 Aug 2023 03:18:23 +0300 Subject: [PATCH 53/60] Enable cross-compiled devicePkgs for flash-script Signed-off-by: Mika Tammi --- lib/mk-flash-script.nix | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/lib/mk-flash-script.nix b/lib/mk-flash-script.nix index a9e211fd1..a4f2cedef 100644 --- a/lib/mk-flash-script.nix +++ b/lib/mk-flash-script.nix 
@@ -10,7 +10,19 @@ }: let cfg = hostConfiguration.config.hardware.nvidia-jetpack; inherit (jetpack-nixos.legacyPackages.${flash-tools-system}) flash-tools; - devicePkgs = jetpack-nixos.legacyPackages.${flash-tools-system}.devicePkgsFromNixosConfig hostConfiguration.config; + + # jetpack-nixos has the cross-compilation set up in a slightly strange way, + # the packages under x86_64-linux are actually cross-compiled packages for + # aarch64-linux. So we will get devicePkgs from x86_64-linux if we are cross + # compiling, otherwise we end up building UEFI firmware etc. binaries used by + # flash-script natively. + isCross = hostConfiguration.config.nixpkgs.buildPlatform.system != hostConfiguration.config.nixpkgs.hostPlatform.system; + devicePkgsSystem = + if isCross + then "x86_64-linux" + else "aarch64-linux"; + devicePkgs = jetpack-nixos.legacyPackages.${devicePkgsSystem}.devicePkgsFromNixosConfig hostConfiguration.config; + flashScript = devicePkgs.mkFlashScript { flash-tools = flash-tools.overrideAttrs ({postPatch ? "", ...}: { postPatch = postPatch + cfg.flashScriptOverrides.postPatch; From 38c307f401b29d17b29e72d1e8841d1e00a3dfd9 Mon Sep 17 00:00:00 2001 From: Mika Tammi Date: Thu, 7 Sep 2023 15:13:51 +0300 Subject: [PATCH 54/60] hydraJobs: Add job for Lenovo Carbon X1 laptop Signed-off-by: Mika Tammi --- hydrajobs.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hydrajobs.nix b/hydrajobs.nix index 331e3c5c9..33b14945f 100644 --- a/hydrajobs.nix +++ b/hydrajobs.nix @@ -10,6 +10,7 @@ }; in { generic-x86_64-debug.x86_64-linux = self.packages.x86_64-linux.generic-x86_64-debug; + lenovo-x1-carbon-gen11-debug.x86_64-linux = self.packages.x86_64-linux.lenovo-x1-carbon-gen11-debug; nvidia-jetson-orin-agx-debug.aarch64-linux = self.packages.aarch64-linux.nvidia-jetson-orin-agx-debug; nvidia-jetson-orin-nx-debug.aarch64-linux = self.packages.aarch64-linux.nvidia-jetson-orin-nx-debug; intel-vm-debug.x86_64-linux = self.packages.x86_64-linux.vm-debug; 
From b0ad0719c70e4f9f93135f9aeb714f5131a5e2c3 Mon Sep 17 00:00:00 2001 From: Yuri Nesterov Date: Thu, 7 Sep 2023 14:10:24 +0300 Subject: [PATCH 55/60] Fix Lenovo X1 touchpad passthrough Signed-off-by: Yuri Nesterov --- modules/development/debug-tools.nix | 1 + targets/lenovo-x1-carbon.nix | 8 +++++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/modules/development/debug-tools.nix b/modules/development/debug-tools.nix index c7cf96826..e4fdc7845 100644 --- a/modules/development/debug-tools.nix +++ b/modules/development/debug-tools.nix @@ -31,6 +31,7 @@ in traceroute dig + evtest ]; }; } diff --git a/targets/lenovo-x1-carbon.nix b/targets/lenovo-x1-carbon.nix index 50052a182..074834e04 100644 --- a/targets/lenovo-x1-carbon.nix +++ b/targets/lenovo-x1-carbon.nix @@ -39,7 +39,9 @@ "-device" "virtio-input-host-pci,evdev=/dev/input/by-path/platform-i8042-serio-0-event-kbd" "-device" - "virtio-input-host-pci,evdev=/dev/input/by-path/pci-0000:00:15.0-platform-i2c_designware.0-event-mouse" + "virtio-input-host-pci,evdev=/dev/mouse" + "-device" + "virtio-input-host-pci,evdev=/dev/touchpad" # Lenovo X1 trackpoint (red button/joystick) "-device" "virtio-input-host-pci,evdev=/dev/input/by-path/platform-i8042-serio-1-event-mouse" @@ -90,8 +92,8 @@ # Laptop keyboard SUBSYSTEM=="input",ATTRS{name}=="AT Translated Set 2 keyboard",GROUP="kvm" # Laptop touchpad - SUBSYSTEM=="input",ATTRS{name}=="SYNA8016:00",GROUP="kvm" - SUBSYSTEM=="input",ATTRS{name}=="SYNA8016:00 06CB:CEB3 Mouse",GROUP="kvm" + SUBSYSTEM=="input",ATTRS{name}=="SYNA8016:00 06CB:CEB3 Mouse",GROUP="kvm",SYMLINK+="mouse" + SUBSYSTEM=="input",ATTRS{name}=="SYNA8016:00 06CB:CEB3 Touchpad",GROUP="kvm",SYMLINK+="touchpad" # Laptop TrackPoint SUBSYSTEM=="input",ATTRS{name}=="TPPS/2 Elan TrackPoint",GROUP="kvm" ''; From 669fbbb8046d1e324b7d65f5dc1e5b4501c3d9fb Mon Sep 17 00:00:00 2001 
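Review bot: The new udev rules use `SYMLINK+="mouse"` and `SYMLINK+="touchpad"`, creating `/dev/mouse` and `/dev/touchpad` at the root of `/dev` under very generic names that another rule or a second pointing device could also claim, and the qemu `-device virtio-input-host-pci,evdev=/dev/mouse` / `evdev=/dev/touchpad` lines in the earlier hunk of this file then depend on them. A namespaced link such as `SYMLINK+="input/ghaf-touchpad"` with the matching `evdev=/dev/input/ghaf-touchpad` avoids collisions and makes the ownership obvious. Both new rules also keep `GROUP="kvm"`, which hands the raw event node to every process in that group rather than only to the GUI VM's qemu; a comment on the rule block stating that this is the intended access model would help a reviewer who later hardens the group membership.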
From: Mika Nokka Date: Tue, 12 Sep 2023 12:19:18 +0300 Subject: [PATCH 56/60] testing sshgen hack --- user-apps/waypipe-ssh/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user-apps/waypipe-ssh/default.nix b/user-apps/waypipe-ssh/default.nix index 11382a6a1..e130939bd 100644 --- a/user-apps/waypipe-ssh/default.nix +++ b/user-apps/waypipe-ssh/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { phases = ["buildPhase" "installPhase"]; buildPhase = '' - echo -e "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -o -a 100 -t ed25519 -f waypipe-ssh -C "" + echo -e "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -o -a 100 -t ed25519 -f waypipe-ssh -C "" -N '' ''; installPhase = '' From 11f0b4660e574a398134885906022792516f2f67 Mon Sep 17 00:00:00 2001 From: Mika Nokka Date: Tue, 12 Sep 2023 12:30:56 +0300 Subject: [PATCH 57/60] removed echo --- user-apps/waypipe-ssh/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user-apps/waypipe-ssh/default.nix b/user-apps/waypipe-ssh/default.nix index e130939bd..7447cff87 100644 --- a/user-apps/waypipe-ssh/default.nix +++ b/user-apps/waypipe-ssh/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { phases = ["buildPhase" "installPhase"]; buildPhase = '' - echo -e "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -o -a 100 -t ed25519 -f waypipe-ssh -C "" -N '' + ${pkgs.openssh}/bin/ssh-keygen -o -a 100 -t ed25519 -f waypipe-ssh -C "" -N '' ''; installPhase = '' From 2ef7f2cda63ba30c282da1a6a11e5487c04804fc Mon Sep 17 00:00:00 2001 From: Mika Nokka Date: Tue, 12 Sep 2023 13:04:26 +0300 Subject: [PATCH 58/60] set x added --- user-apps/waypipe-ssh/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/user-apps/waypipe-ssh/default.nix b/user-apps/waypipe-ssh/default.nix index 7447cff87..00e54c45e 100644 --- a/user-apps/waypipe-ssh/default.nix +++ b/user-apps/waypipe-ssh/default.nix 
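Review bot: `-N ''` produces an unencrypted ed25519 private key inside the derivation, and the `installPhase` copies `waypipe-ssh` into `$out/keys`, so the private key lands in the world-readable Nix store and in any binary cache the closure is pushed to, where every user and every VM that can read the store can read it. If this key authenticates waypipe sessions between VMs, it should be generated at activation or first boot into a root-only path rather than built; if it is intentionally a development-only key, say so with a comment such as `# development-only key: generated into the world-readable store, never use in production`. The same applies to the following hunk (PATCH 57), which only removes the `echo`.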
@@ -21,10 +21,12 @@ stdenv.mkDerivation { phases = ["buildPhase" "installPhase"]; buildPhase = '' + set -x ${pkgs.openssh}/bin/ssh-keygen -o -a 100 -t ed25519 -f waypipe-ssh -C "" -N '' ''; installPhase = '' + set -x mkdir -p $out/keys install ./waypipe-ssh $out/keys install ./waypipe-ssh.pub $out/keys From 5e2f0475e52b518665facb4776443b6d094ee586 Mon Sep 17 00:00:00 2001 From: Mika Nokka Date: Tue, 12 Sep 2023 13:25:13 +0300 Subject: [PATCH 59/60] added failure line --- user-apps/waypipe-ssh/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/user-apps/waypipe-ssh/default.nix b/user-apps/waypipe-ssh/default.nix index 00e54c45e..e4a8cdb2a 100644 --- a/user-apps/waypipe-ssh/default.nix +++ b/user-apps/waypipe-ssh/default.nix @@ -25,6 +25,8 @@ stdenv.mkDerivation { ${pkgs.openssh}/bin/ssh-keygen -o -a 100 -t ed25519 -f waypipe-ssh -C "" -N '' ''; +THIS IS FAILURE LINE + installPhase = '' set -x mkdir -p $out/keys From 50af9a5320ea3e70357bb2d69553eac48b56e2f3 Mon Sep 17 00:00:00 2001 From: Mika Nokka Date: Tue, 12 Sep 2023 14:20:40 +0300 Subject: [PATCH 60/60] removed broken line, fixed -n parameter --- user-apps/waypipe-ssh/default.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/user-apps/waypipe-ssh/default.nix b/user-apps/waypipe-ssh/default.nix index e4a8cdb2a..5ea34c1c8 100644 --- a/user-apps/waypipe-ssh/default.nix +++ b/user-apps/waypipe-ssh/default.nix @@ -22,11 +22,9 @@ stdenv.mkDerivation { buildPhase = '' set -x - ${pkgs.openssh}/bin/ssh-keygen -o -a 100 -t ed25519 -f waypipe-ssh -C "" -N '' + ${pkgs.openssh}/bin/ssh-keygen -o -a 100 -t ed25519 -f waypipe-ssh -C "" -N "" ''; -THIS IS FAILURE LINE - installPhase = '' set -x mkdir -p $out/keys