启动机密虚拟机
当前 virtCCA 仅支持 Kernel 与 rootfs 分离的启动方式;而在云上场景中,虚拟机主要采用 GRUB 引导(需要将 EDK2 与 Kernel 放在同一个 qcow 镜像中)。本页介绍的 UEFI 启动方式即用于满足客户的这种使用方式。
在启动机密虚拟机前,请先确认宿主机上是否已有 virbr0 网桥(例如 `ip link show virbr0`);如果没有,可使用如下命令添加网桥 virbr0。注意:新建的网桥只是一个空网桥,没有上联网口,虚拟机若需访问外部网络,还需自行为该网桥配置上联口或 IP/DHCP。
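# Create the bridge that the tap interfaces of the VMs will be attached to
# (bridge-utils; the iproute2 equivalent is `ip link add virbr0 type bridge`).
brctl addbr virbr0
# A freshly created bridge is administratively down; bring it up, otherwise
# the taps attached to it by qemu-ifup carry no traffic.
ip link set virbr0 up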
方式一:使用QEMU命令行启动机密虚拟机
新建run-qemu.sh文件并将以下内容拷贝进文件。
- launch_uefi为启动机密虚拟机,launch_uefi_normal为启动普通虚拟机。
- QEMU、efi.fd、qcow2的文件路径需替换为实际路径。
- 虚拟机如果需要连接网络,新建 qemu-ifup 文件(路径须与启动命令中 `-netdev tap,...,script=` 指定的路径一致),将以下内容拷贝进文件,并赋予可执行权限(`chmod +x qemu-ifup`);其中 `switch=virbr0` 中的网桥名请按实际配置修改。该脚本由 QEMU 进程在启动时以其自身的权限调用,用于创建 tap 口并将其挂到网桥上。
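#!/bin/sh
# qemu-ifup: invoked by QEMU (the script= part of -netdev tap,...) with the
# tap interface name as $1. Creates the tap, brings it up and attaches it to
# the bridge named in $switch.
# NOTE(review): `ip tuntap add` / `ip link set` need CAP_NET_ADMIN, so this
# runs with the privileges of the QEMU process itself -- confirm that is
# intended for your deployment.
# set -x echoes every step to QEMU's stderr, which is what you want when tap
# setup fails silently.
set -x
switch=virbr0

if [ -z "$1" ]; then
  echo "Error: no interface specified" >&2
  exit 1
fi

# Each step is checked: the original version reported success (exit 0) even
# when the tap could not be created or attached, leaving QEMU with a NIC that
# is not plumbed anywhere. $1 is quoted so an odd interface name cannot be
# split into extra arguments.
ip tuntap add "$1" mode tap user "$(whoami)" || exit 1
ip link set "$1" up || exit 1
sleep 1s
ip link set "$1" master "$switch" || exit 1
exit 0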
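#!/bin/bash
# run-qemu.sh: launch a virtCCA confidential VM ("u") or a normal VM ("nu").
# The interpreter is bash, not POSIX sh: the script uses the `function`
# keyword and `==` inside `[ ]`, which a dash-style /bin/sh rejects.
#
# MAC address given to the normal VM's NIC (launch_uefi_normal). Do not reuse
# the same address for a second VM attached to the same bridge.
MAC_ADDR_0=DE:AD:BE:EF:FA:28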
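#######################################
# Launch the confidential VM (cVM) with UEFI firmware. Does not return until
# QEMU exits; the guest console is on this terminal (-nographic).
# Globals (read; overridable from the environment, defaults are the sample
#   paths from the documentation and must point at real files):
#   QEMU_DIR  - directory containing the qemu-system-aarch64 build
#   EFI_FD    - UEFI firmware image
#   QCOW2     - guest disk image (qcow2)
#   QEMU_IFUP - script QEMU runs to create tap0 and attach it to the bridge
# Returns:  1 if QEMU_DIR cannot be entered, otherwise QEMU's exit status.
# Side effects: changes the shell's working directory to QEMU_DIR.
#######################################
launch_uefi() {
  local qemu_dir=${QEMU_DIR:-/home/uefi/qemu/build}
  local efi_fd=${EFI_FD:-/home/uefi/QEMU_EFI.fd}
  local qcow2=${QCOW2:-/home/uefi/openEuler-24.03-SP1-aarch64.qcow2}
  local ifup=${QEMU_IFUP:-/home/uefi/qemu-ifup}
  # Without this check a failed cd would execute ./qemu-system-aarch64
  # relative to whatever directory the caller happens to be in.
  cd "$qemu_dir" || return 1
  # kvm-type=cvm together with -object tmm-guest is what makes this a
  # confidential VM (launch_uefi_normal has neither). iommu_platform=on is set
  # on both virtio devices of the cVM and on none of the normal VM's devices;
  # keep it on any virtio device you add here.
  # No mac= is passed (launch_uefi_normal passes ${MAC_ADDR_0}), so QEMU falls
  # back to its built-in default address; set one explicitly if more than one
  # such VM is attached to the bridge.
  # QEMU runs "$ifup" with its own privileges; keep that file root-owned and
  # not world-writable.
  taskset -c 0 ./qemu-system-aarch64 \
    -M virt,usb=off,gic-version=host,accel=kvm,kvm-type=cvm \
    --enable-kvm \
    -bios "$efi_fd" \
    -cpu host \
    -m 2048 \
    -smp 1 \
    -no-user-config \
    -nographic \
    --no-reboot \
    -object tmm-guest,id=tmm0,num-pmu-counters=1 \
    -drive if=none,file="$qcow2",format=qcow2,id=disk01 \
    -device virtio-blk-pci-non-transitional,drive=disk01,num-queues=1,bootindex=1,iommu_platform=on \
    -netdev tap,id=vnet,ifname=tap0,script="$ifup",queues=2 \
    -device virtio-net-pci-non-transitional,netdev=vnet,iommu_platform=on
}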
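#######################################
# Launch a normal (non-confidential) KVM VM with the same firmware and disk
# image as the cVM, for comparison. Does not return until QEMU exits; the
# guest console is on this terminal (-nographic).
# Globals (read; overridable from the environment, defaults are the sample
#   paths from the documentation and must point at real files):
#   QEMU_DIR   - directory containing the qemu-system-aarch64 build
#   EFI_FD     - UEFI firmware image
#   QCOW2      - guest disk image (qcow2)
#   QEMU_IFUP  - script QEMU runs to create tap0 and attach it to the bridge
#   MAC_ADDR_0 - MAC address for the guest NIC (defined at the top of file)
# Returns:  1 if QEMU_DIR cannot be entered, otherwise QEMU's exit status.
# Side effects: changes the shell's working directory to QEMU_DIR.
#######################################
launch_uefi_normal() {
  local qemu_dir=${QEMU_DIR:-/home/uefi/qemu/build}
  local efi_fd=${EFI_FD:-/home/uefi/QEMU_EFI.fd}
  local qcow2=${QCOW2:-/home/uefi/openEuler-24.03-SP1-aarch64.qcow2}
  local ifup=${QEMU_IFUP:-/home/uefi/qemu-ifup}
  # Without this check a failed cd would execute ./qemu-system-aarch64
  # relative to whatever directory the caller happens to be in.
  cd "$qemu_dir" || return 1
  # Plain KVM guest: no kvm-type=cvm, no tmm-guest object and no
  # iommu_platform=on, in contrast to launch_uefi.
  # The original wrote `-smp 1\` with no space before the continuation, which
  # glues "1" to the next argument unless that line happens to be indented.
  ./qemu-system-aarch64 \
    -M virt,usb=off,gic-version=host,accel=kvm \
    --enable-kvm \
    -bios "$efi_fd" \
    -cpu host \
    -m 2048 \
    -smp 1 \
    -no-user-config \
    -nographic \
    --no-reboot \
    -drive if=none,file="$qcow2",format=qcow2,id=disk01 \
    -device virtio-blk-pci-non-transitional,drive=disk01,num-queues=1,bootindex=1 \
    -netdev tap,id=vnet,ifname=tap0,script="$ifup",queues=2 \
    -device virtio-net-pci,netdev=vnet,mac="${MAC_ADDR_0}"
}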
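# Entry point. Mode argument: "u" = confidential VM, "nu" = normal VM.
# The original comment above the "nu" branch called it a cVM; the function it
# invokes is launch_uefi_normal, i.e. the normal VM (it was noted as the one
# used for KATA testing).
case "${1-}" in
  u)
    launch_uefi
    ;;
  nu)
    launch_uefi_normal
    ;;
  *)
    # An unknown or missing mode used to exit 0 without doing anything,
    # which is easy to mistake for a VM that started and exited cleanly.
    echo "usage: $0 u|nu   (u = confidential VM, nu = normal VM)" >&2
    exit 2
    ;;
esac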

方式二:使用libvirt启动机密虚拟机
新建 cvm.xml 文件,拷贝如下内容,并将 QEMU 可执行文件(`<emulator>`)、efi.fd(`<loader>`)、qcow2 镜像(磁盘的 `<source file>`)的路径替换为实际路径。
<!-- libvirt domain definition for a virtCCA confidential VM ("cvm-uefi").
     The qemu: namespace declared here is what allows the <qemu:commandline>
     pass-through at the bottom. -->
<domain type='kvm' xmlns:qemu="http://libvirt.org/schemas/domain/qemu/1.0">
<name>cvm-uefi</name>
<memory unit='GiB'>8</memory>
<vcpu placement='static'>4</vcpu>
<!-- Each vCPU is pinned 1:1 to host CPUs 0-3 and the emulator threads to the
     same set; guest memory is bound strictly to host NUMA node 0. -->
<cputune>
<vcpupin vcpu='0' cpuset='0'/>
<vcpupin vcpu='1' cpuset='1'/>
<vcpupin vcpu='2' cpuset='2'/>
<vcpupin vcpu='3' cpuset='3'/>
<emulatorpin cpuset='0-3'/>
</cputune>
<numatune>
<memnode cellid='0' mode='strict' nodeset='0'/>
</numatune>
<os>
<type arch='aarch64' machine='virt'>hvm</type>
<!-- UEFI firmware image (replace with the real path); mapped read-only. -->
<loader readonly='yes' type='rom'>/home/uefi/QEMU_EFI.fd</loader>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<gic version='3'/>
</features>
<cpu mode='host-passthrough'>
<topology sockets='1' dies='1' clusters='1' cores='4' threads='1'/>
<!-- The single guest NUMA cell covers all 4 vCPUs and the full 8 GiB
     declared in <memory>; keep the two sizes in sync when resizing. -->
<numa>
<cell id='0' cpus='0-3' memory='8' unit='GiB'/>
</numa>
</cpu>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<!-- QEMU binary with virtCCA support (replace with the real path). -->
<emulator>/home/uefi/qemu/build/qemu-system-aarch64</emulator>
<!-- Guest serial console, exposed as a pty on the host. -->
<console type='pty'/>
<!-- iommu='on' on the disk and NIC drivers mirrors the iommu_platform=on that
     the QEMU command-line variant of this page sets on every virtio device of
     the cVM; keep it on any virtio device added to this domain. -->
<disk type='file' device='disk' model='virtio-non-transitional'>
<driver name='qemu' type='qcow2' queues='2' cache='none' iommu='on'/>
<source file='/home/uefi/openEuler-24.03-SP1-aarch64.qcow2'/>
<target dev='vda' bus='virtio'/>
</disk>
<!-- NIC attached to the virbr0 bridge prepared earlier on this page; no <mac>
     is given, so libvirt picks one. -->
<interface type='bridge'>
<source bridge='virbr0'/>
<driver iommu='on'/>
<model type='virtio-non-transitional'/>
</interface>
</devices>
<!-- Marks the domain as a confidential VM. The tmm-guest object passed below
     is the same -object the QEMU command-line variant uses; both are needed
     for the cVM, the normal-VM variant has neither. -->
<launchSecurity type='cvm'/>
<qemu:commandline>
<qemu:arg value='-object'/>
<qemu:arg value='tmm-guest,id=tmm0,num-pmu-counters=1'/>
</qemu:commandline>
</domain>
