Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

nitro_enclaves: Update documentation for Arm64 support

Add references for hugepages and booting steps for Arm64.

Include info about the currently supported architectures for the
NE kernel driver.

Reviewed-by: George-Aurelian Popescu <popegeo@amazon.com>
Acked-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Andra Paraschiv <andraprs@amazon.com>
Link: https://lore.kernel.org/r/20210827154930.40608-3-andraprs@amazon.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Authored by Andra Paraschiv and committed by Greg Kroah-Hartman
cfa3c18c f7e55f05

+13 -8
Documentation/virt/ne_overview.rst
··· 14 14 For example, an application that processes sensitive data and runs in a VM, 15 15 can be separated from other applications running in the same VM. This 16 16 application then runs in a separate VM than the primary VM, namely an enclave. 17 + It runs alongside the VM that spawned it. This setup matches low latency 18 + applications needs. 17 19 18 - An enclave runs alongside the VM that spawned it. This setup matches low latency 19 - applications needs. The resources that are allocated for the enclave, such as 20 - memory and CPUs, are carved out of the primary VM. Each enclave is mapped to a 21 - process running in the primary VM, that communicates with the NE driver via an 22 - ioctl interface. 20 + The current supported architectures for the NE kernel driver, available in the 21 + upstream Linux kernel, are x86 and ARM64. 22 + 23 + The resources that are allocated for the enclave, such as memory and CPUs, are 24 + carved out of the primary VM. Each enclave is mapped to a process running in the 25 + primary VM, that communicates with the NE kernel driver via an ioctl interface. 23 26 24 27 In this sense, there are two components: 25 28 ··· 46 43 The memory regions carved out of the primary VM and given to an enclave need to 47 44 be aligned 2 MiB / 1 GiB physically contiguous memory regions (or multiple of 48 45 this size e.g. 8 MiB). The memory can be allocated e.g. by using hugetlbfs from 49 - user space [2][3]. The memory size for an enclave needs to be at least 64 MiB. 50 - The enclave memory and CPUs need to be from the same NUMA node. 46 + user space [2][3][7]. The memory size for an enclave needs to be at least 47 + 64 MiB. The enclave memory and CPUs need to be from the same NUMA node. 51 48 52 49 An enclave runs on dedicated cores. CPU 0 and its CPU siblings need to remain 53 50 available for the primary VM. 
A CPU pool has to be set for NE purposes by an ··· 64 61 The application that runs in the enclave needs to be packaged in an enclave 65 62 image together with the OS ( e.g. kernel, ramdisk, init ) that will run in the 66 63 enclave VM. The enclave VM has its own kernel and follows the standard Linux 67 - boot protocol [6]. 64 + boot protocol [6][8]. 68 65 69 66 The kernel bzImage, the kernel command line, the ramdisk(s) are part of the 70 67 Enclave Image Format (EIF); plus an EIF header including metadata such as magic ··· 96 93 [4] https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html 97 94 [5] https://man7.org/linux/man-pages/man7/vsock.7.html 98 95 [6] https://www.kernel.org/doc/html/latest/x86/boot.html 96 + [7] https://www.kernel.org/doc/html/latest/arm64/hugetlbpage.html 97 + [8] https://www.kernel.org/doc/html/latest/arm64/booting.html
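Review bot: in the first hunk (ne_overview.rst, new lines 20-21), "The current supported architectures for the NE kernel driver ... are x86 and ARM64" reads better as "The currently supported architectures", and the spelling of the second architecture should match the rest of the patch: the subject line says Arm64 and the new references [7] and [8] both point at the arm64/ documentation tree, so use one form (the kernel docs use arm64) rather than ARM64 here. While the sentence "Each enclave is mapped to a process running in the primary VM, that communicates with the NE kernel driver via an ioctl interface" is being moved anyway, the comma before the restrictive "that" can be dropped.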
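Review bot: the second hunk (new lines 46-47) adds [7] to the hugetlbfs citation but leaves the size requirement unchanged at "aligned 2 MiB / 1 GiB physically contiguous memory regions". The arm64 hugetlbpage document cited as [7] lists hugepage sizes that depend on the base page granule, so the text should say whether 2 MiB / 1 GiB is also what the NE driver expects on arm64, or qualify the figures (e.g. as the sizes for x86 and for arm64 with 4K pages), so a reader does not take them as universal. Marking the new citation inline as the arm64 one, e.g. "[2][3], or [7] on arm64", would also explain why a third reference appears.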
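Review bot: in the third hunk (new line 64), "follows the standard Linux boot protocol [6][8]" now cites two documents while still speaking of a single protocol; [6] is x86/boot.html and [8] is arm64/booting.html, which describe different boot protocols. Suggest "follows the standard Linux boot protocol of its architecture [6][8]" or "follows the x86 [6] or arm64 [8] Linux boot protocol", so the sentence agrees with the references it points at.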
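Review bot: the last hunk appends [7] and [8] at the end of the reference list, which keeps the existing numbers stable but separates each new arm64 entry from the x86 entry it complements ([8] from [6], and [7] from the hugetlbfs references it joins in the body). A short architecture tag on the affected entries, e.g. "[6] x86: https://..." and "[8] arm64: https://...", would let a reader scanning the list see the pairing without going back to the body text.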