GET /api/1.0/patches/2197505/?format=api
{ "id": 2197505, "url": "http://patchwork.ozlabs.org/api/1.0/patches/2197505/?format=api", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/1.0/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260218015151.4052-10-graf@amazon.com>", "date": "2026-02-18T01:51:49", "name": "[09/10] hw/nitro: Enable direct kernel boot", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "17bdc9209b129bdd4e0f66038da02f3d48132076", "submitter": { "id": 76572, "url": "http://patchwork.ozlabs.org/api/1.0/people/76572/?format=api", "name": "Alexander Graf", "email": "graf@amazon.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260218015151.4052-10-graf@amazon.com/mbox/", "series": [ { "id": 492503, "url": "http://patchwork.ozlabs.org/api/1.0/series/492503/?format=api", "date": "2026-02-18T01:51:40", "name": "Native Nitro Enclaves support", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/492503/mbox/" } ], "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2197505/checks/", "tags": {}, "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=amazon.com header.i=@amazon.com header.a=rsa-sha256\n header.s=amazoncorp2 header.b=S1elGRZY;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using 
TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fG00s5v6kz1xwC\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 18 Feb 2026 12:53:49 +1100 (AEDT)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1vsWku-0000W1-Me; Tue, 17 Feb 2026 20:53:32 -0500", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <prvs=502105d20=graf@amazon.de>)\n id 1vsWks-0000RL-GX; Tue, 17 Feb 2026 20:53:30 -0500", "from pdx-out-014.esa.us-west-2.outbound.mail-perimeter.amazon.com\n ([35.83.148.184])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <prvs=502105d20=graf@amazon.de>)\n id 1vsWkq-0005hY-Mq; Tue, 17 Feb 2026 20:53:30 -0500", "from ip-10-5-6-203.us-west-2.compute.internal (HELO\n smtpout.naws.us-west-2.prod.farcaster.email.amazon.dev) ([10.5.6.203])\n by internal-pdx-out-014.esa.us-west-2.outbound.mail-perimeter.amazon.com with\n ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Feb 2026 01:53:24 +0000", "from EX19MTAUWC001.ant.amazon.com [205.251.233.105:30148]\n by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.45.241:2525]\n with esmtp (Farcaster)\n id 0c8131c5-47b6-420c-ad7d-5afbafb4ae0e;\n Wed, 18 Feb 2026 01:53:23 +0000 (UTC)", "from EX19D020UWC004.ant.amazon.com (10.13.138.149) by\n EX19MTAUWC001.ant.amazon.com (10.250.64.174) with Microsoft SMTP Server\n (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.2562.35;\n Wed, 18 Feb 2026 01:53:23 +0000", "from ip-10-253-83-51.amazon.com (172.19.99.218) by\n EX19D020UWC004.ant.amazon.com (10.13.138.149) with Microsoft SMTP Server\n (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.2562.35;\n Wed, 18 Feb 2026 01:53:20 +0000" ], "DKIM-Signature": "v=1; 
a=rsa-sha256; c=relaxed/relaxed;\n d=amazon.com; i=@amazon.com; q=dns/txt; s=amazoncorp2;\n t=1771379608; x=1802915608;\n h=from:to:cc:subject:date:message-id:in-reply-to:\n references:mime-version:content-transfer-encoding;\n bh=vGUcozSGDe3LdA51buWeDnWuA1XOyLH+O+KdKgLB5Pc=;\n b=S1elGRZYfYi6eeLSA2ZbHPAvKxbrFZUe9HNijDZ+AIxE006rvcw8K3uG\n +uqZ6gwrUU975KYvUQJjyMoetT518uGs0q5kdZeAo90dZYNsj1ZjeRHVq\n r95HXvOcn3QQX+vibiL7QFEKZSgt6wkRprT1YG42cDztl8e349KrU6B8V\n K5xwQdjIT5eWpgCNt9E5CEBt6UQ/8MYJsZpK66CqkTlm7wVMHZM84N6ew\n O1Pwtpw6pnh5uKmgpH0G7JquvUStob4qQ9ZOG3SwSRyKWeoBihajB8oVv\n JIej/CwTp+xVwwvWvojxoChlNKOHuzr3QZAXFbxaXVMZzluuDE2QGgyUi A==;", "X-CSE-ConnectionGUID": "6RaYNiU/T8y49rRrUjpGMA==", "X-CSE-MsgGUID": "Pxs3kH1ESw2hw1KvXZzSRg==", "X-IronPort-AV": "E=Sophos;i=\"6.21,297,1763424000\"; d=\"scan'208\";a=\"13037688\"", "X-Farcaster-Flow-ID": "0c8131c5-47b6-420c-ad7d-5afbafb4ae0e", "From": "Alexander Graf <graf@amazon.com>", "To": "<qemu-devel@nongnu.org>", "CC": "<qemu-arm@nongnu.org>, Peter Maydell <peter.maydell@linaro.org>, \"Thomas\n Huth\" <thuth@redhat.com>, <alex.bennee@linaro.org>, <philmd@linaro.org>,\n <berrange@redhat.com>, <marcandre.lureau@redhat.com>, Cornelia Huck\n <cohuck@redhat.com>, <mst@redhat.com>, Dorjoy Chowdhury\n <dorjoychy111@gmail.com>, Pierrick Bouvier <pierrick.bouvier@linaro.org>,\n Paolo Bonzini <pbonzini@redhat.com>, Tyler Fanelli <tfanelli@redhat.com>,\n <mknaust@amazon.com>, <nh-open-source@amazon.com>", "Subject": "[PATCH 09/10] hw/nitro: Enable direct kernel boot", "Date": "Wed, 18 Feb 2026 01:51:49 +0000", "Message-ID": "<20260218015151.4052-10-graf@amazon.com>", "X-Mailer": "git-send-email 2.47.1", "In-Reply-To": "<20260218015151.4052-1-graf@amazon.com>", "References": "<20260218015151.4052-1-graf@amazon.com>", "MIME-Version": "1.0", "X-Originating-IP": "[172.19.99.218]", "X-ClientProxiedBy": "EX19D032UWA004.ant.amazon.com (10.13.139.56) To\n EX19D020UWC004.ant.amazon.com (10.13.138.149)", "Content-Type": "text/plain; 
charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Received-SPF": "pass client-ip=35.83.148.184;\n envelope-from=prvs=502105d20=graf@amazon.de;\n helo=pdx-out-014.esa.us-west-2.outbound.mail-perimeter.amazon.com", "X-Spam_score_int": "-19", "X-Spam_score": "-2.0", "X-Spam_bar": "--", "X-Spam_report": "(-2.0 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.043,\n DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,\n HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01,\n UNPARSEABLE_RELAY=0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "Nitro Enclaves can only boot EIF files which are a combination of\nkernel, initramfs and cmdline in a single file. When the kernel image is\nnot an EIF, treat it like a kernel image and assemble an EIF image on\nthe fly. 
This way, users can call QEMU with a direct\nkernel/initrd/cmdline combination and everything \"just works\".\n\nSigned-off-by: Alexander Graf <graf@amazon.com>\n---\n hw/core/eif.h | 3 ++\n hw/nitro/machine.c | 116 +++++++++++++++++++++++++++++++++++++++++++\n hw/nitro/meson.build | 2 +-\n 3 files changed, 120 insertions(+), 1 deletion(-)", "diff": "diff --git a/hw/core/eif.h b/hw/core/eif.h\nindex a3412377a9..0c432dbc2d 100644\n--- a/hw/core/eif.h\n+++ b/hw/core/eif.h\n@@ -12,6 +12,7 @@\n #define HW_CORE_EIF_H\n \n #define MAX_SECTIONS 32\n+#define EIF_HDR_ARCH_ARM64 0x1\n \n /* members are ordered according to field order in .eif file */\n typedef struct EifHeader {\n@@ -49,6 +50,8 @@ enum EifSectionTypes {\n EIF_SECTION_MAX = 6,\n };\n \n+#define EIF_MAGIC { '.', 'e', 'i', 'f' }\n+\n bool read_eif_file(const char *eif_path, const char *machine_initrd,\n char **kernel_path, char **initrd_path,\n char **kernel_cmdline, uint8_t *image_sha384,\ndiff --git a/hw/nitro/machine.c b/hw/nitro/machine.c\nindex 197adfbdb5..33b0749288 100644\n--- a/hw/nitro/machine.c\n+++ b/hw/nitro/machine.c\n@@ -32,9 +32,104 @@\n #include \"system/nitro-accel.h\"\n #include \"qemu/accel.h\"\n #include \"hw/arm/machines-qom.h\"\n+#include \"hw/core/eif.h\"\n+#include <zlib.h> /* for crc32 */\n \n #define EIF_LOAD_ADDR (8 * 1024 * 1024)\n \n+static bool is_eif(char *eif, gsize len)\n+{\n+ const char eif_magic[] = EIF_MAGIC;\n+\n+ return len >= sizeof(eif_magic) &&\n+ !memcmp(eif, eif_magic, sizeof(eif_magic));\n+}\n+\n+static void build_eif_section(EifHeader *hdr, GByteArray *buf, uint16_t type,\n+ const char *data, uint64_t size)\n+{\n+ uint16_t section = be16_to_cpu(hdr->section_cnt);\n+ EifSectionHeader shdr = {\n+ .section_type = cpu_to_be16(type),\n+ .flags = 0,\n+ .section_size = cpu_to_be64(size),\n+ };\n+\n+ hdr->section_offsets[section] = cpu_to_be64(buf->len);\n+ hdr->section_sizes[section] = cpu_to_be64(size);\n+\n+ g_byte_array_append(buf, (const uint8_t *)&shdr, 
sizeof(shdr));\n+ if (size) {\n+ g_byte_array_append(buf, (const uint8_t *)data, size);\n+ }\n+\n+ hdr->section_cnt = cpu_to_be16(section + 1);\n+}\n+\n+/*\n+ * Nitro Enclaves only support loading EIF files. When the user provides\n+ * a Linux kernel, initrd and cmdline, convert them into EIF format.\n+ */\n+static char *build_eif(const char *kernel_data, gsize kernel_size,\n+ const char *initrd_path, const char *cmdline,\n+ gsize *out_size, Error **errp)\n+{\n+ g_autofree char *initrd_data = NULL;\n+ static const char metadata[] = \"{}\";\n+ size_t metadata_len = sizeof(metadata) - 1;\n+ gsize initrd_size = 0;\n+ GByteArray *buf;\n+ EifHeader hdr;\n+ uint32_t crc = 0;\n+ size_t cmdline_len;\n+\n+ if (initrd_path) {\n+ if (!g_file_get_contents(initrd_path, &initrd_data,\n+ &initrd_size, NULL)) {\n+ error_setg(errp, \"Failed to read initrd '%s'\", initrd_path);\n+ return NULL;\n+ }\n+ }\n+\n+ buf = g_byte_array_new();\n+\n+ cmdline_len = cmdline ? strlen(cmdline) : 0;\n+\n+ hdr = (EifHeader) {\n+ .magic = EIF_MAGIC,\n+ .version = cpu_to_be16(4),\n+ .flags = cpu_to_be16(target_aarch64() ? 
EIF_HDR_ARCH_ARM64 : 0),\n+ };\n+\n+ g_byte_array_append(buf, (const uint8_t *)&hdr, sizeof(hdr));\n+\n+ /* Kernel */\n+ build_eif_section(&hdr, buf, EIF_SECTION_KERNEL, kernel_data, kernel_size);\n+\n+ /* Command line */\n+ build_eif_section(&hdr, buf, EIF_SECTION_CMDLINE, cmdline, cmdline_len);\n+\n+ /* Initramfs */\n+ build_eif_section(&hdr, buf, EIF_SECTION_RAMDISK, initrd_data, initrd_size);\n+\n+ /* Metadata */\n+ build_eif_section(&hdr, buf, EIF_SECTION_METADATA, metadata, metadata_len);\n+\n+ /*\n+ * Patch the header into the buffer first (with real section offsets\n+ * and sizes), then compute CRC over everything except the CRC field.\n+ */\n+ memcpy(buf->data, &hdr, sizeof(hdr));\n+ crc = crc32(crc, buf->data, offsetof(EifHeader, eif_crc32));\n+ crc = crc32(crc, &buf->data[sizeof(hdr)], buf->len - sizeof(hdr));\n+\n+ /* Finally write the CRC into the in-buffer header */\n+ ((EifHeader *)buf->data)->eif_crc32 = cpu_to_be32(crc);\n+\n+ *out_size = buf->len;\n+ return (char *)g_byte_array_free(buf, false);\n+}\n+\n static void nitro_create_cpu(const char *cpu_type, int index)\n {\n Object *obj = object_new(cpu_type);\n@@ -87,6 +182,27 @@ static void nitro_machine_init(MachineState *machine)\n error_report(\"nitro: failed to read EIF '%s'\", eif_path);\n exit(1);\n }\n+\n+ if (!is_eif(eif_data, eif_size)) {\n+ char *kernel_data = eif_data;\n+ gsize kernel_size = eif_size;\n+ Error *err = NULL;\n+\n+ /*\n+ * The user gave us a non-EIF kernel, likely a Linux kernel image.\n+ * Assemble an EIF file from it, the -initrd and the -append arguments,\n+ * so that users can perform a natural direct kernel boot.\n+ */\n+ eif_data = build_eif(kernel_data, kernel_size, machine->initrd_filename,\n+ machine->kernel_cmdline, &eif_size, &err);\n+ if (!eif_data) {\n+ error_report_err(err);\n+ exit(1);\n+ }\n+\n+ g_free(kernel_data);\n+ }\n+\n address_space_write(&address_space_memory, EIF_LOAD_ADDR,\n MEMTXATTRS_UNSPECIFIED, eif_data, eif_size);\n \ndiff --git 
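Review bot: In `build_eif_section()` (hw/nitro/machine.c) the 64-bit `size` is passed straight to `g_byte_array_append()`, whose length parameter is a `guint`, and `GByteArray.len` is a `guint` too. A kernel or initrd of 4 GiB or more would therefore be appended truncated, while `section_size` and `hdr->section_sizes[]` still record the full 64-bit size. The assembled EIF would then describe sections larger than the data behind them, and the `crc32()` calls in `build_eif()` would cover only the truncated buffer. `build_eif()` should reject oversized inputs before `buf = g_byte_array_new();`, for example `if (kernel_size > G_MAXUINT / 4 || initrd_size > G_MAXUINT / 4) { error_setg(errp, "kernel or initrd too large to assemble an EIF"); return NULL; }`. Separately, passing `NULL` as the `GError **` to `g_file_get_contents()` discards the reason the initrd read failed, which the `error_setg()` message could otherwise include.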
a/hw/nitro/meson.build b/hw/nitro/meson.build\nindex 813f5a9c87..7b23f71d5a 100644\n--- a/hw/nitro/meson.build\n+++ b/hw/nitro/meson.build\n@@ -1,3 +1,3 @@\n system_ss.add(when: 'CONFIG_NITRO_SERIAL_VSOCK', if_true: files('serial-vsock.c'))\n system_ss.add(when: 'CONFIG_NITRO_HEARTBEAT', if_true: files('heartbeat.c'))\n-system_ss.add(when: 'CONFIG_NITRO_MACHINE', if_true: files('machine.c'))\n+system_ss.add(when: 'CONFIG_NITRO_MACHINE', if_true: [files('machine.c'), zlib])\n", "prefixes": [ "09/10" ] }