Merge pull request #109 from GaloisInc/103-enable-pkvm-in-ci

Enable pKVM in CI Previously, we ran the MPS tests in CI using ordinary KVM. This branch adds the kernel options to enable the pKVM hypervisor instead. This requires patching our aarch64 QEMU build to ignore errors from the `KVM_SET_USER_MEMORY_REGION` ioctl. pKVM returns an error code for some calls that ordinary KVM would allow, and these errors would normally cause QEMU to terminate. Ignoring error codes seems like a questionable design, but crosvm (which is designed to support pKVM) actually ignores these errors as well, and so far we haven't encountered any new problems under pKVM with this approach.
GaloisInc · Aug 30, 2024 · 3aee045 · 3aee045
2 parents f24ac1a + 0f2decc
commit 3aee045
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 4 deletions.
diff --git a/src/pkvm_setup/build_qemu.sh b/src/pkvm_setup/build_qemu.sh
@@ -13,10 +13,12 @@ case "$target" in
     # Accept `aarch64` as an alias for the Debian name `arm64`.
     aarch64)
         target="arm64"
+        base_tgz_suffix="arm64-base"
         ;;
     # If no target is provided, use the default for this host.
     '')
         target="$(dpkg --print-architecture)"
+        base_tgz_suffix="base"
         ;;
 esac
 
@@ -28,7 +30,7 @@ sudo apt install -y pbuilder ubuntu-dev-tools dpkg-dev pristine-tar
 PBUILDFOLDER="$(pwd)/qemu_build"
 export PBUILDFOLDER
 
-if [[ -f "$PBUILDFOLDER/${dist}-base.tgz" ]]; then
+if [[ -f "$PBUILDFOLDER/${dist}-${base_tgz_suffix}.tgz" ]]; then
     echo "Using existing pbuilder base.tgz for $dist $target" 1>&2
 else
     echo "Creating pbuilder base.tgz for $dist $target" 1>&2

diff --git a/src/pkvm_setup/qemu b/src/pkvm_setup/qemu
diff --git a/src/vm_runner/tests/mps/base_nested.toml b/src/vm_runner/tests/mps/base_nested.toml
@@ -12,7 +12,7 @@ kvm = false
 ram_mb = 1536
 kernel = "../../../pkvm_setup/vms/pkvm-boot/vmlinuz"
 initrd = "../../../pkvm_setup/vms/pkvm-boot/initrd.img"
-append = 'earlycon root=/dev/vda2 systemd.run=/opt/opensut/bin/opensut_boot opensut.app_device=/dev/vdc'
+append = 'earlycon root=/dev/vda2 nokaslr kvm-arm.mode=protected systemd.run=/opt/opensut/bin/opensut_boot opensut.app_device=/dev/vdc'
 
 [process.disk.vda]
 format = "qcow2"

diff --git a/src/vm_runner/tests/mps/base_single.toml b/src/vm_runner/tests/mps/base_single.toml
@@ -8,7 +8,7 @@ type = "vm"
 kvm = false
 kernel = "../../../pkvm_setup/vms/pkvm-boot/vmlinuz"
 initrd = "../../../pkvm_setup/vms/pkvm-boot/initrd.img"
-append = 'earlycon root=/dev/vda2 systemd.run=/opt/opensut/bin/opensut_boot opensut.app_device=/dev/vdb'
+append = 'earlycon root=/dev/vda2 nokaslr kvm-arm.mode=protected systemd.run=/opt/opensut/bin/opensut_boot opensut.app_device=/dev/vdb'
 
 [process.disk.vda]
 format = "qcow2"
+6 −0		debian/changelog
+1 −0		debian/patches/series
+12 −0		debian/patches/verse-ignore-pkvm-errors.patch