GSoC'23: Arm CCA Support for Unikraft (Part 1)

This project aims to bring Arm Confidential Computing Architecture (CCA) feature to Unikraft.

This project aims to bring Arm Confidential Computing Architecture (CCA) feature to Unikraft. It has been accepted as a Google Summer of Code (GSoC) project. Arm CCA is a new confidential computing technology in Armv9 architecture that enables OS to run as a confidential VM without trusting the underlying hypervisor. This blog gives an overview of the project, the progress made in the first three weeks of GSoC, and future steps.

About Me#

My name is Xingjian Zhang. I am a second-year graduate student studying at Zhejiang University. You can find me on GitHub. I am really happy to work on this project.

Project Overview#

Arm CCA#

Arm CCA introduces Realm Management Extension (RME), which extends Arm TrustZone technology with two new security states: the realm state and the root state. The following figure shows the system architecture of the CCA. Instead of running a VM in the normal world, the CCA can run a VM in the realm state. The realm state constructs protected execution environments called realms, which protect the data in the realms from other components. This architecture allows the hypervisor to control the VM but removes the right for access to that VM. The CCA achieves this separation through a combination of architectural hardware extensions (RME) and firmware (Realm Manager in EL2 and Monitor in EL3).

Arm CCA architecture

The Realm Management Monitor (RMM) is the realm world firmware that is used to manage the execution of the realm VMs and their interaction with the hypervisor in the normal world. The RMM operates in Exception level 2 in the realm world. The RMM provides services to the realms, using Realm Service Interface (RSI). Therefore, to use a unikernel as an application in a realm, Unikraft needs to support the use of RSI. Besides, Unikraft also needs to support memory management and attestation in Arm CCA. As a reference, Arm has provided an integration stack for Arm's reference CCA software architecture and implementation. The main components in the reference integration are Linux-CCA, Kvmtool-CCA, Trusted-Firmware-A, Hafnium, TF-RMM.


To make Unikraft run on the CCA, we need to achieve the following objectives:

  • Add support for kvmtool to run app-helloworld in the normal world.
  • Add options for CCA and basic support like RSI commands to run app-helloworld in a realm.
  • Prepare the FVP environment and add support for it.
  • Add support for more advanced features like attestation and memory encryption
  • Add testing applications and evaluate the overall project.

Current Progress#

All the progress made and the relevant knowledge of this project is maintained on this GitHub Project page. My progress in the first three weeks of GSoC can be divided into information gathering and code implementation.

On the information-gathering side, I have gathered the necessary details on the following questions:

  • How does Unikraft currently boot?
  • How Linux is booted in kvmtool?
  • What devices are supported in kvmtool?
  • What are the changes by Arm to kvmtool for CCA?
  • What are the changes in the realm Linux?

On the code-implementation side, the differences between kvmtool and QEMU virt platforms lead to several changes:

  • The page table in unikraft/plat/kvm/arm/bpt64.S maps memory regions according to the memory layout of kvmtool.
  • Kvmtool supports the ns16550 serial console, so it replaces the default pl011 in Unikraft. Besides, the ns16550 serial console in kvmtool uses byte-width registers.
  • Kvmtool puts the device tree at the end of the memory region and passes its address in the x0 register. So _init_dtb_mem excludes the dtb regions from the stack and heap area.

Next steps#

As Unikraft's app-helloworld can be run in kvmtool and the relevant knowledge of CCA is gathered, this project moves toward adding support for CCA and running app-helloworld in a realm. This includes adding options for CCA and basic support like RSI commands. The goal of this project, by the midterm of GSoC, is to bring basic features for CCA to Unikraft.


Thanks to all my mentors and the Unikraft community for their guidance and support.

Edit this page on GitHub

Connect with the community

Feel free to ask questions, report issues, and meet new people.

Join us on Discord!

Getting Started

What is a unikernel?Install CLI companion toolUnikraft InternalsRoadmap

© 2023  The Unikraft Authors. All rights reserved. Documentation distributed under CC BY-NC 4.0.