
Running Keystone on the CVA6 RISC-V processor

Reference

Prerequisites

  • Vivado 2018.3.

  • Genesys2 FPGA board.

Building a CVA6-ready Keystone image

NB: we haven't enabled the root of trust for the attestation report yet (http://docs.keystone-enclave.org/en/latest/Getting-Started/Running-Keystone-on-CVA6.html#root-of-trust), as it seems we don't need it for the moment.

# Cloning the Keystone repository
export KEYSTONE_ROOT=$HOME/keystone
git clone https://github.com/keystone-enclave/keystone.git $KEYSTONE_ROOT
cd $KEYSTONE_ROOT
git checkout 88c49ee99e745980eea623bddacb40f7303107bd
git submodule update --init --recursive

# Building Keystone
KEYSTONE_PLATFORM=cva6 make

# Flashing an SD card
sudo KEYSTONE_PLATFORM=cva6 SD_DEVICE=/dev/sdb make flash
  • Be careful with the device ID (/dev/sdb in this tutorial): the flash step overwrites whatever device it points to.

  • make flash will basically perform a dd of fw_payload.bin.
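
A pre-flight check that can be run before make flash, as an added example that is not part of the Keystone build system. The helper name check_sd_device and its optional sysfs-root and mount-table arguments are assumptions, introduced so the check can be exercised against a constructed directory tree.

```bash
#!/usr/bin/env bash
# Added example: refuse to flash unless SD_DEVICE looks like an unmounted,
# removable whole disk. check_sd_device is a hypothetical helper, not Keystone code.
# Args: device path, sysfs root (default /sys), mount table (default /proc/mounts).
check_sd_device() {
    local dev="$1" sys="${2:-/sys}" mounts="${3:-/proc/mounts}"
    local name="${dev#/dev/}"

    # Must be a whole disk known to the kernel (sdb, not the partition sdb1).
    if [ -z "$name" ] || [ ! -d "$sys/block/$name" ]; then
        echo "refusing: $dev is not a whole block device" >&2
        return 1
    fi
    # USB card readers normally report removable=1, internal disks 0.
    # Some built-in readers also report 0; inspect those by hand with lsblk.
    if [ "$(cat "$sys/block/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "refusing: $dev is not marked removable" >&2
        return 2
    fi
    # Fail closed if the mount table cannot be read.
    if [ ! -r "$mounts" ]; then
        echo "refusing: cannot read $mounts" >&2
        return 4
    fi
    # Neither the disk nor any of its partitions may be mounted: dd would
    # overwrite a filesystem that is in use, possibly the host's own.
    if awk -v d="$dev" 'index($1, d) == 1 { found = 1 } END { exit !found }' "$mounts"; then
        echo "refusing: $dev or one of its partitions is mounted" >&2
        return 3
    fi
    return 0
}

# Usage, kept as a comment so the file can be sourced without side effects:
# check_sd_device /dev/sdb && \
#     sudo KEYSTONE_PLATFORM=cva6 SD_DEVICE=/dev/sdb make flash
```

The mount check is a prefix match on the device path, so it errs on the side of refusing.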

Building a CVA6 compatible with Keystone

The Keystone documentation shows it has been tested with CVA6 revision f301d69.

# Clone CVA6 repository
export CVA6_ROOT=$HOME/cva6
git clone https://github.com/openhwgroup/cva6 $CVA6_ROOT
cd $CVA6_ROOT
git checkout f301d6967517336a21a58c9b8a00ea3186906c01
git submodule update --init --recursive

The CVA6 prerequisites are well described here. We assume you have installed the RISC-V toolchain from these instructions.

Then, don’t forget to source your Vivado settings script.

make fpga

It will generate a bitstream (*.bit) in corev_apu/fpga/work-fpga, which can be downloaded with the Xilinx Hardware Manager.

Current status

After Linux boots, we are able to run Keystone enclaves on the CVA6 implemented on a Genesys2!

Welcome to Buildroot
buildroot login: root
Password: 
# modprobe keystone-driver
[   56.491986] keystone_driver: loading out-of-tree module taints
[   56.576970] keystone_enclave: keystone enclave v1.0.0
# cat /proc/cpuinfo 

processor       : 0
hart            : 0
isa             : rv64imafdc
mmu             : sv39
uarch           : eth, cva6
mvendorid       : 0x602
marchid         : 0x3
mimpid          : 0x0

# 
# /usr/share/keystone/examples/hello.ke 

Verifying archive integrity... MD5 checksums are OK. All good.
Uncompressing Keystone Enclave Package
hello, world!

The full log is available at: https://gist.github.com/pcotret/475b8d7f8e0582de5c58645689bb3f08

Todo list

  • Getting the Keystone framework running on a more recent CVA6 (not tested yet).