A thin-hypervisor that runs on aarch64 CPUs.

Overview

How to build the hypervisor

By Rust toolchain

(TBD)

By docker

Requirements

  • Docker (Tested by Docker version 20.10.8, build 3967b7d28e)
    • I tested by non-root users (See this to run docker command by non-root user)

Steps (commands list)

cd path/to/repo-root/src
./build_docker_image.sh #Build docker image to build
./build_hypervisor_by_docker.sh #Build the hypervisor by the docker image

More detail, please see the scripts.

How to run the hypervisor

On QEMU

First, please install QEMU that support to emulate QEMU 2.12 ARM Virtual Machine, cortex-a53 CPU. Then, run the following command to run the built hypervisor.

cd path/to/repo-root/src
make QEMU_EFI=/usr/share/qemu-efi/QEMU_EFI.fd run #Please set the path of your QEMU_EFI.fd to QEMU_EFI

On a physical machine from an USB memory stick

Requirement

  • Prepare a USB memory which has an EFI (FAT) partition that has /EFI/BOOT/ directory. Please confirm that there is no important file in the partition.
  • Prepare a physical machine that has ARMv8-A or later, and UEFI firmware.

Steps

  1. Attach your USB memory stick to the development machine which built the hypervisor binary.
  2. Identify the EFI partition (in the following description, /dev/sdX1 is the EFI partition).
  3. Run sudo make DEVICE=/dev/sdX1 write to copy the binary. !! Please be carefully not to specifying a wrong partition as DEVICE because the script mount/unmount the partition and copy the binary file with root privilege.!!
  4. Detach the USB memory from the development machine, and attach it to the physical machine to run the hypervisor.
  5. Boot the physical machine with UEFI, and specify BOOTAA64.EFI in the EFI partition as the EFI application to boot.
You might also like...
🍊 WIP: Yet another implementation of MikanOS for aarch64 CPUs, written in Rust.

🍊 mikan Yet another implementation of MikanOS for aarch64 CPUs, written in Rust. MikanOS (uchan-nos/mikanos) was originally created by @uchan-nos, wh

Minimal runtime / startup for RISC-V CPUs from Espressif

esp-riscv-rt Minimal runtime / startup for RISC-V CPUs from Espressif. Much of the code in this repository originated in the rust-embedded/riscv-rt re

Rust API to the OS X Hypervisor framework for hardware-accelerated virtualization

hypervisor-rs hypervisor is a Rust library that taps into functionality that enables hardware-accelerated execution of virtual machines on OS X. It bi

crosvm is a virtual machine monitor (VMM) based on Linux’s KVM hypervisor

crosvm - The Chrome OS Virtual Machine Monitor crosvm is a virtual machine monitor (VMM) based on Linux’s KVM hypervisor, with a focus on simplicity,

hy-rs, pronounced high rise, provides a unified and portable to the hypervisor APIs provided by various platforms.

Introduction The hy-rs crate, pronounced as high rise, provides a unified and portable interface to the hypervisor APIs provided by various platforms.

An Intel HAXM powered, protected mode, 32 bit, hypervisor addition calculator, written in Rust.

HyperCalc An Intel HAXM powered, protected mode, 32 bit, hypervisor addition calculator, written in Rust. Purpose None 😏 . Mostly just to learn Rust

A Rust library to manipulate AArch64 VMSA EL1 page tables.

aarch64 page table manipulation This crate provides a library to manipulate EL1 page tables conforming to the AArch64 Virtual Memory System Architectu

A tiny Rust std-lib for Linux x86_64 and aarch64

Tiny std Like a bad, probably buggy, tiny standard library for Linux. When it's appropriate If you are actually trying to do something solid, checkout

implementations of standard library components for bare-metal aarch64

aarch64-std aarch64-std implements components from the Rust standard library in a way suitable for no_std or bare metal ARM applications. Design Goals

Low level access to processors using the AArch64 execution state.

aarch64-cpu Low level access to processors using the AArch64 execution state. Usage Please note that for using this crate's register definitions (as p

A simple hypervisor demonstrating the use of the Intel VT-rp (redirect protection) technology.

Hello-VT-rp A simple hypervisor demonstrating the use of the Intel VT-rp (redirect protection) technology. This repository is a complement of the blob

Risc-V hypervisor for TEE development

A micro hypervisor for RISC-V systems. Quick Start Building (using Bazel) git submodule update --init bazel build //:salus-all Running Prerequisites S

A SIMD implementation of Keccak256 for aarch64, forked from Remco Bloeman's Goldilocks K12 implementation.

keccak256-aarch64 Warning This crate was forked from real cryptographers (Goldilocks by Remco Bloeman), by not a real cryptographer. Do not use this k

Command-Line program that takes images and produces the copy of the image with a thin frame and palette made of the 10 most frequent colors.
Command-Line program that takes images and produces the copy of the image with a thin frame and palette made of the 10 most frequent colors.

paleatra v.0.0.1 Command-Line program that takes an image and produces the copy of the image with a thin frame and palette made of the 10 most frequen

rsmpeg is a thin&safe layer above the FFmpeg's Rust bindings
rsmpeg is a thin&safe layer above the FFmpeg's Rust bindings

A Rust crate that exposes FFmpeg's power as much as possible.

Thin wrapper around starship.rs to format kakoune status line

kakship is just a thin wrapper around starship to format the status line of kakoune and is meant to be used with the included kakoune script kakship.kak.

Thin but safe ALSA wrappers for Rust

ALSA bindings for Rust Thin but safe wrappers for ALSA, the most common API for accessing audio devices on Linux. The ALSA API is rather big, so every

Brotlic (or BrotliC) is a thin wrapper around brotli.

Bindings to the brotli library featuring a low-overhead encoder and decoder, Writers and Readers for compression and decompression at customizable compression qualities and window sizes.

Thin wrapper around [`tokio::process`] to make it streamable

process-stream Wraps tokio::process::Command to future::stream. Install process-stream = "0.2.2" Example usage: From VecString or Vec&str use proc

Comments
  • :new: add workspace configuration

    :new: add workspace configuration

    Add Cargo Workspace definition under src directory

    This will help cargo commands to recognize these packages under this directories and improve developer exeperience.

    opened by garasubo 4
Releases(v1.2.0)
  • v1.2.0(Dec 19, 2022)

    Changes from version 1.1.0

    • Add workspace(Contributed by @garasubo)
    • Add support of FX1000(Feature Name: a64fx)

    a64fx is not the default feature. Therefore when you want to use MilvusVisor on FX1000, use make custom_all FEATURES=default,tftp,....

    Source code(tar.gz)
    Source code(zip)
    MilvusVisor.zip(68.40 KB)
  • v1.1.0(Nov 28, 2022)

    Changes from version 1.0.0

    • Added PXE Boot Support(Feature Name: tftp)

    tftp is not the default feature. Therefore when you want to use PXE boot, use make custom_all FEATURES=default,tftp,....

    Source code(tar.gz)
    Source code(zip)
  • v1.0.0(Aug 10, 2022)

    Changes from version 0.4.0

    • SMMU: Dedicating stage 2 translation only for sharing SMMU with guest OS
    • Linked-List Style Memory Allocator
    • Bug fixes

    Functions in version 1.0.0

    (Since this is the first major version release, all features in this version are described on this release note.)

    You can build with enabling some functions by make custom_all FEATURES=feature1,feautre2,....(featureN is described like Feature Name: feature_name in each section.)

    • Protecting non-volatile data in devices from guest OS

      • Intel I210 (Feature Name: i210)

        • Protect EEPROM from writing access
      • Mellanox Technologies MT27800 (Feature Name: mt27800)

        • Protect from firmware update
    • Protecting MilvusVisor itself against DMA attack (Feature Name: smmu)

      • Using SMMUv3 Stage 2 translation to protect from DMA attack
      • Stage 1 translation is available from guest OS
    • Fast restore: Fast restoring the guest environments without reboot the machine (Feature Name: fast_restore)

      • Taking a snapshot just before the first boot of the guest OS
      • Restoring it on rebooting/shutting down the guest OS
    • Protecting ACPI Tables from write accesses (Feature Name: acpi_table_protection)

      • For the Fast Restore
    • Linked-List Style Memory Allocator (Feature Name: advanced_memory_manager)

    • Contiguous Bit (Feature Name: contiguous_bit)

      • Set contiguous bit enabled if available (TLB will be optimized by the contiguous bit)
      • Some machine may noe work fine with the contiguous bit
    • A64FX specific registers' initialization (Feature Name: a64fx)

      • Initialize some a64fx specific registers during boot

    Supported toolchain

    • GNU Make 4.3
    • cargo 1.65.0-nightly (4fd148c47 2022-08-03)
    • rustc 1.65.0-nightly (34a6cae28 2022-08-09)

    MilvusVisor uses some unstable feature gates, therefore it may become not able to compile with later version of rustc.

    Supported Devices

    • FX700
      • Supported features: all
    • QEMU
      • Supported features: i210, fast_restore, acpi_table_protection, advanced_memory_manager, contiguous_bit
    • GIGABYTE E252-P30
      • Supported features: smmu, advanced_memory_manager, contiguous_bit
    Source code(tar.gz)
    Source code(zip)
    MilvusVisor.zip(77.05 KB)
  • v0.4.0(Jun 28, 2022)

    新機能

    • Mellanox MT27800のファームウェアアップデートからの保護
    • 高速リストア
      • ゲストOSが電源オフや再起動しようとすると、それをトラップし最初の起動時の状態に巻き戻し再起動させる
    • ACPI Tableの書換からの保護
      • 高速リストア実装による
    • 個別の機能のON/OFFを行いビルド
      • make custom_all FEATURES=(カンマ区切りで機能名)でビルド可能

    動作確認

    • FUJITSU FX700 (Linux起動可能済, 新機能動作確認)
    • GIGABYTE E252-P30 (Linux起動可能済)
    Source code(tar.gz)
    Source code(zip)
    MilvusVisor.zip(68.05 KB)
  • v0.3.0(Mar 7, 2022)

    新機能

    • SMMUv3への対応及びDMA Attackからの保護

      SMMUv3を発見したら、CPUのStage2 Page Tableのアドレスを設定したSTEを作成し、そのエントリをクローンしたもので構成されたテーブルをSMMUに適用することでHypervisor領域への書き込みを行えないようにしています。
    • SMMUのMMIO領域の保護

      SMMUのMMIO領域をフックし、書き込みしようとした場合はその命令をキャンセルすることでSMMUの設定変更を不能にしています。
    • ACPIのIORTエントリの隠蔽

      SMMUのMMIOアドレスなどの情報を提供するACPIのIORTというテーブルが存在するメモリ領域へのアクセスをフックし常に0を返すことでOSからはテーブルが存在しないように しています。

    動作確認

    • FX700(Linux起動可能・DMA Attackからの保護確認済)
    Source code(tar.gz)
    Source code(zip)
    MilvusVisor.zip(62.10 KB)
  • v0.2.0(Feb 7, 2022)

    新機能

    • ページングの効率化
      • コードの整理
      • Stage1/2の処理の分離
      • Block Entryの使用
      • Contiguous Bitの使用
      • Stage2におけるRead/Write特定のアクセス方法のみでのトラップを追加
    • PCIバス走査機能追加
    • メモリトラップハンドラー機構追加
    • i210ハンドラーの追加
      • BARアドレスの追跡
      • EEPROM Data Registerへの書き込み禁止
      • iNVM Registersへの書き込み禁止
      • Flash Burst Control Registerへの書き込み禁止
      • Flash Burst Data Write Registerへの書き込み禁止
      • Expansion ROMへの書き込み禁止

    動作確認

    FX700(Linux起動可能)

    Source code(tar.gz)
    Source code(zip)
    MilvusVisor-bin.zip(66.39 KB)
  • v0.1.0(Feb 7, 2022)

    新機能

    • UEFIから起動
    • ページテーブルをUEFIの設定したものをコピーして変更しハイパーバイザー本体をロード
    • シリアルポートの検出・マップ
    • 2段ページングの実装
    • EL2からEL1への移行
    • HyperVisorCallへの対応
    • マルチコア起動(PSCI)対応

    動作確認

    • QEMU
    • AML-S805-AX(マルチコア起動は未確認)
    • FX700(Linux起動可能)
    Source code(tar.gz)
    Source code(zip)
Owner
RIKEN R-CCS
RIKEN R-CCS
hy-rs, pronounced high rise, provides a unified and portable to the hypervisor APIs provided by various platforms.

Introduction The hy-rs crate, pronounced as high rise, provides a unified and portable interface to the hypervisor APIs provided by various platforms.

S.J.R. van Schaik 12 Nov 1, 2022
A simple hypervisor demonstrating the use of the Intel VT-rp (redirect protection) technology.

Hello-VT-rp A simple hypervisor demonstrating the use of the Intel VT-rp (redirect protection) technology. This repository is a complement of the blob

Satoshi Tanda 22 Jun 23, 2023
Risc-V hypervisor for TEE development

A micro hypervisor for RISC-V systems. Quick Start Building (using Bazel) git submodule update --init bazel build //:salus-all Running Prerequisites S

Rivos Inc. 68 Jul 3, 2023
Thin wrapper around [`tokio::process`] to make it streamable

This library provide ProcessExt to create your own custom process

null 4 Jun 25, 2022
The classic game Pong, written in lambda calculus, and a thin layer of Rust.

What? The good old game Pong, written in lambda calculus, and a thin layer of Rust. Why? I was bored. No, seriously, why? Everyone keeps saying that l

null 2 Aug 14, 2022
BSV stdlib written in Rust and runs in WASM environments

BSV.WASM A Rust/WASM Library to interact with Bitcoin SV Installation NodeJS: npm i bsv-wasm --save Web: npm i bsv-wasm-web --save Rust: https://crate

null 56 Dec 15, 2022
Watches changes in a rust project, runs test and shows friendly notification

Cargo testify Automatically runs tests on your Rust project and notifies about the result. Install Install prerequisites (for Debian/Ubuntu): apt-get

Sergey Potapov 77 May 16, 2022
Sampling profiler and tracer for Ruby (CRuby) which runs in BPF

rbperf rbperf is a low-overhead sampling profiler and tracer for Ruby (CRuby) which runs in BPF Build To build rbperf you would need a Linux machine w

Javier Honduvilla Coto 75 Dec 19, 2022
Creates a DLL that runs a payload once injected into a process.

Educational purposes only Don't use this project maliciously. Prerequisites Install rust Install windows toolchain Setup Run cargo run --bin builder -

RadonCoding 3 Aug 27, 2022
runs init, preview and apply on pulumi stacks right in your Github Actions. Inspired from Atalantis for Terraform

pulumi-actions runs init, preview and apply on pulumi stacks right in your Github-Actions. Inspired from Atlantis for Terraform PREVIEW Release Curren

Meet Vasani 6 Aug 7, 2023