Running Keystone on the CVA6 RISC-V processor

Pascal included in Articles

2025-04-15 437 words 3 minutes

Contents

Reference

Documentation: http://docs.keystone-enclave.org/en/latest/Getting-Started/Running-Keystone-on-CVA6.html. Based on revision e9fcf7f.
CVA6 revision f301d69.

Prerequisites

Vivado 2018.3.
Genesys2 FPGA board.

Building a CVA6-ready Keystone image

Note

NB: we didn’t enable the root of trust for attestation report yet (http://docs.keystone-enclave.org/en/latest/Getting-Started/Running-Keystone-on-CVA6.html#root-of-trust) as it seems we don’t need it for the moment.

Tip

Be careful of the device ID (/dev/sdc in this tutorial). You may harm your hard drive if you don’t choose the right ID.

SD card formatting

The tutorial has been tested with a 16GB SD card. The card was formatted with a GPT partition table and an ext4 partition taking the full space.

SD card flashing

        
        
        
    
# Cloning the Keystone repository
export KEYSTONE_ROOT=$HOME/keystone
git clone https://github.com/keystone-enclave/keystone.git $KEYSTONE_ROOT
cd $KEYSTONE_ROOT
git checkout 88c49ee99e745980eea623bddacb40f7303107bd
git submodule update --init --recursive

# Building Keystone
KEYSTONE_PLATFORM=cva6 make

# Flashing an SD card
sudo KEYSTONE_PLATFORM=cva6 SD_DEVICE=/dev/sdc make flash

make flash will basically perform a dd of fw_payload.bin and uImage files.

Known issue

Flashing the SD card should give the following output:

        
        
        
    
sudo KEYSTONE_PLATFORM=cva6 SD_DEVICE=/dev/sdc make flash
PAYLOAD INFORMATION
/keystone//build-cva664/buildroot.build/images/fw_payload.bin
/dev/sdc
/dev/sdc1
/dev/sdc2
sgdisk --clear -g --new=1:2048:4M --new=2:512M:0 --typecode=1:3000 --typecode=2:8300 /dev/sdc
The operation has completed successfully.
dd if=/keystone//build-cva664/buildroot.build/images/fw_payload.bin of=/dev/sdc1 status=progress oflag=sync bs=1M
2+1 records in
2+1 records out
2503880 bytes (2.5 MB, 2.4 MiB) copied, 0.206553 s, 12.1 MB/s
dd if=/keystone//build-cva664/buildroot.build/images/uImage of=/dev/sdc2 status=progress oflag=sync bs=1M
8+1 records in
8+1 records out
9152085 bytes (9.2 MB, 8.7 MiB) copied, 0.765139 s, 12.0 MB/s

If it gives you an error while copying the fw_payload.bin, just re-run the command at least once.

Building a CVA6 compatible with Keystone

The Keystone documentation shows it has been tested with CVA6 revision f301d69.

        
        
        
    
# Clone CVA6 repository
export CVA6_ROOT=$HOME/cva6
git clone https://github.com/openhwgroup/cva6 $CVA6_ROOT
cd $CVA6_ROOT
git checkout f301d6967517336a21a58c9b8a00ea3186906c01
git submodule update --init --recursive

The CVA6 prerequisites are well described here. We assume you have installed the RISC-V toolchain from these instructions.

Then, don’t forget to source your Vivado settings script.

make fpga

It will generate a bitstream (*.bit) in corev_apu/fpga/work-fpga which can be download with the Xilinx Hardware Manager.

Current status

After the Linux, we are able to run Keystone enclaves on the CVA6 implemented on a Genesys2!

        
        
        
    
Welcome to Buildroot
buildroot login: root
Password: 
# modprobe keystone-driver
[   56.491986] keystone_driver: loading out-of-tree module taints [   56.576970] keystone_enclave: keystone enclave v1.0.0
# cat /proc/cpuinfo 

processor       : 0
hart            : 0
isa             : rv64imafdc
mmu             : sv39
uarch           : eth, cva6
mvendorid       : 0x602
marchid         : 0x3
mimpid          : 0x0

# 
# /usr/share/keystone/examples/hello.ke 

Verifying archive integrity... MD5 checksums are OK. All good.
Uncompressing Keystone Enclave Package
hello, world!

The full log is available at: https://gist.github.com/pcotret/475b8d7f8e0582de5c58645689bb3f08

Todo list

Getting the Keystone framework running on a more recent CVA6 (not tested yet).