# Running Keystone on the CVA6 RISC-V processor ## Reference - Documentation: http://docs.keystone-enclave.org/en/latest/Getting-Started/Running-Keystone-on-CVA6.html. Based on revision [e9fcf7f](https://github.com/keystone-enclave/keystone/tree/e9fcf7f26a788c282647f820393dd262560f60cc). - CVA6 revision [f301d69](https://github.com/openhwgroup/cva6/tree/f301d6967517336a21a58c9b8a00ea3186906c01). ## Prerequisites - Vivado 2018.3. - Genesys2 FPGA board. ## Building a CVA6-ready Keystone image {{< admonition >}} **NB: we didn't enable the root of trust for attestation report yet (http://docs.keystone-enclave.org/en/latest/Getting-Started/Running-Keystone-on-CVA6.html#root-of-trust) as it seems we don't need it for the moment.** {{< /admonition >}} {{< admonition tip >}} Be careful of the device ID (`/dev/sdc` in this tutorial). You may harm your hard drive if you don't choose the right ID. {{< /admonition >}} ### SD card formatting The tutorial has been tested with a 16GB SD card. The card was formatted with a GPT partition table and an ext4 partition taking the full space. ![](../img/gparted.png) ### SD card flashing ```bash # Cloning the Keystone repository export KEYSTONE_ROOT=$HOME/keystone git clone https://github.com/keystone-enclave/keystone.git $KEYSTONE_ROOT cd $KEYSTONE_ROOT git checkout 88c49ee99e745980eea623bddacb40f7303107bd git submodule update --init --recursive # Building Keystone KEYSTONE_PLATFORM=cva6 make # Flashing an SD card sudo KEYSTONE_PLATFORM=cva6 SD_DEVICE=/dev/sdc make flash ``` `make flash` will basically perform a `dd` of `fw_payload.bin` and `uImage` files. ### Known issue Flashing the SD card should give the following output: ```bash sudo KEYSTONE_PLATFORM=cva6 SD_DEVICE=/dev/sdc make flash PAYLOAD INFORMATION /keystone//build-cva664/buildroot.build/images/fw_payload.bin /dev/sdc /dev/sdc1 /dev/sdc2 sgdisk --clear -g --new=1:2048:4M --new=2:512M:0 --typecode=1:3000 --typecode=2:8300 /dev/sdc The operation has completed successfully. dd if=/keystone//build-cva664/buildroot.build/images/fw_payload.bin of=/dev/sdc1 status=progress oflag=sync bs=1M 2+1 records in 2+1 records out 2503880 bytes (2.5 MB, 2.4 MiB) copied, 0.206553 s, 12.1 MB/s dd if=/keystone//build-cva664/buildroot.build/images/uImage of=/dev/sdc2 status=progress oflag=sync bs=1M 8+1 records in 8+1 records out 9152085 bytes (9.2 MB, 8.7 MiB) copied, 0.765139 s, 12.0 MB/s ``` If it gives you an error while copying the `fw_payload.bin`, just re-run the command at least once. ## Building a CVA6 compatible with Keystone The Keystone documentation shows it has been tested with CVA6 revision [f301d69](https://github.com/openhwgroup/cva6/tree/f301d6967517336a21a58c9b8a00ea3186906c01). ```bash # Clone CVA6 repository export CVA6_ROOT=$HOME/cva6 git clone https://github.com/openhwgroup/cva6 $CVA6_ROOT cd $CVA6_ROOT git checkout f301d6967517336a21a58c9b8a00ea3186906c01 git submodule update --init --recursive ``` The CVA6 prerequisites are well described [here](https://github.com/openhwgroup/cva6/tree/f301d6967517336a21a58c9b8a00ea3186906c01?tab=readme-ov-file#prerequisites). We assume you have installed the RISC-V toolchain from these instructions. Then, don't forget to source your Vivado settings script. ```bash make fpga ``` It will generate a bitstream (`*.bit`) in `corev_apu/fpga/work-fpga` which can be download with the Xilinx Hardware Manager. ## Current status After the Linux, we are able to run Keystone enclaves on the CVA6 implemented on a Genesys2! ``` Welcome to Buildroot buildroot login: root Password: # modprobe keystone-driver [ 56.491986] keystone_driver: loading out-of-tree module taints [ 56.576970] keystone_enclave: keystone enclave v1.0.0 # cat /proc/cpuinfo processor : 0 hart : 0 isa : rv64imafdc mmu : sv39 uarch : eth, cva6 mvendorid : 0x602 marchid : 0x3 mimpid : 0x0 # # /usr/share/keystone/examples/hello.ke Verifying archive integrity... MD5 checksums are OK. All good. Uncompressing Keystone Enclave Package hello, world! ``` The full log is available at: https://gist.github.com/pcotret/475b8d7f8e0582de5c58645689bb3f08 ## Todo list - Getting the Keystone framework running on a more recent CVA6 (not tested yet).