{"id":2197506,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2197506/?format=json","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.0/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260218015151.4052-5-graf@amazon.com>","date":"2026-02-18T01:51:44","name":"[04/10] hw/nitro/nitro-serial-vsock: Nitro Enclaves vsock console","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"28a256ac0bae4088c2559af84c7cff7acd08fbe7","submitter":{"id":76572,"url":"http://patchwork.ozlabs.org/api/1.0/people/76572/?format=json","name":"Alexander Graf","email":"graf@amazon.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260218015151.4052-5-graf@amazon.com/mbox/","series":[{"id":492503,"url":"http://patchwork.ozlabs.org/api/1.0/series/492503/?format=json","date":"2026-02-18T01:51:40","name":"Native Nitro Enclaves support","version":1,"mbox":"http://patchwork.ozlabs.org/series/492503/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2197506/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=amazon.com header.i=@amazon.com header.a=rsa-sha256\n header.s=amazoncorp2 header.b=k/Pu82E8;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fG00y7543z1xwC\n\tfor ; Wed, 18 Feb 2026 12:53:54 +1100 (AEDT)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from )\n\tid 1vsWk0-0007E8-KP; Tue, 17 Feb 2026 20:52:36 -0500","from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1vsWjy-0007D5-Kq; Tue, 17 Feb 2026 20:52:34 -0500","from pdx-out-010.esa.us-west-2.outbound.mail-perimeter.amazon.com\n ([52.12.53.23])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1vsWjw-0005GB-Hi; Tue, 17 Feb 2026 20:52:34 -0500","from ip-10-5-9-48.us-west-2.compute.internal (HELO\n smtpout.naws.us-west-2.prod.farcaster.email.amazon.dev) ([10.5.9.48])\n by internal-pdx-out-010.esa.us-west-2.outbound.mail-perimeter.amazon.com with\n ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Feb 2026 01:52:28 +0000","from EX19MTAUWB002.ant.amazon.com [205.251.233.48:31640]\n by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.55.107:2525]\n with esmtp (Farcaster)\n id 415e14a0-c25f-4b68-92fd-684b081b5a96;\n Wed, 18 Feb 2026 01:52:27 +0000 (UTC)","from EX19D020UWC004.ant.amazon.com (10.13.138.149) by\n EX19MTAUWB002.ant.amazon.com (10.250.64.231) with Microsoft SMTP Server\n (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.2562.35;\n Wed, 18 Feb 2026 01:52:27 +0000","from ip-10-253-83-51.amazon.com (172.19.99.218) by\n EX19D020UWC004.ant.amazon.com (10.13.138.149) with Microsoft SMTP Server\n (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.2562.35;\n Wed, 18 Feb 2026 01:52:25 +0000"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=amazon.com; i=@amazon.com; q=dns/txt; s=amazoncorp2;\n t=1771379552; x=1802915552;\n h=from:to:cc:subject:date:message-id:in-reply-to:\n references:mime-version:content-transfer-encoding;\n bh=QVGSh6QomGasFEgLBMFo/YmaboU2VJXN/YN9VZOxI5s=;\n b=k/Pu82E8T0hox3JXGYDfA+5rmYDpwh5d2MS0Dr+v13eY35PMAJpZNzMi\n 0q3jDu69pBei5LrXEiwJu4vrIE+d2UOjMcvUsQSlFlGGgmffED4MYFT9h\n hCtvlS+EZkNEfv0JP75sA3iUOR65ZTGth3lzf17qO+QDsh01K8i/6rEMV\n JYkaBpXKUOU7TDQMWCafrpg5LjP4I5ag13Y+y42iNMnvMki77sfnOX87U\n /QPFZYTIAsJEq5SepFwtB3Vva7wR7sMSLGuUBQboQi2f1vOIsBUZ3JT+K\n qxm5Pa0fPeGVVzypOQ3EwDXpuMOHzFRo/joTS7tN4yvMOROCZu9wzayrn w==;","X-CSE-ConnectionGUID":"JaUHGOg3QVKPhJFJtHZSHw==","X-CSE-MsgGUID":"atKWgTiwTpKoGKsb9VXQbg==","X-IronPort-AV":"E=Sophos;i=\"6.21,297,1763424000\"; d=\"scan'208\";a=\"13134030\"","X-Farcaster-Flow-ID":"415e14a0-c25f-4b68-92fd-684b081b5a96","From":"Alexander Graf ","To":"","CC":", Peter Maydell , \"Thomas\n Huth\" , , ,\n , , Cornelia Huck\n , , Dorjoy Chowdhury\n , Pierrick Bouvier ,\n Paolo Bonzini , Tyler Fanelli ,\n , ","Subject":"[PATCH 04/10] hw/nitro/nitro-serial-vsock: Nitro Enclaves vsock\n console","Date":"Wed, 18 Feb 2026 01:51:44 +0000","Message-ID":"<20260218015151.4052-5-graf@amazon.com>","X-Mailer":"git-send-email 2.47.1","In-Reply-To":"<20260218015151.4052-1-graf@amazon.com>","References":"<20260218015151.4052-1-graf@amazon.com>","MIME-Version":"1.0","X-Originating-IP":"[172.19.99.218]","X-ClientProxiedBy":"EX19D043UWC001.ant.amazon.com (10.13.139.202) To\n EX19D020UWC004.ant.amazon.com (10.13.138.149)","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Received-SPF":"pass client-ip=52.12.53.23;\n envelope-from=prvs=502105d20=graf@amazon.de;\n helo=pdx-out-010.esa.us-west-2.outbound.mail-perimeter.amazon.com","X-Spam_score_int":"-19","X-Spam_score":"-2.0","X-Spam_bar":"--","X-Spam_report":"(-2.0 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.043,\n DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,\n HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01,\n UNPARSEABLE_RELAY=0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"Nitro Enclaves support a special \"debug\" mode. When in debug mode, the\nNitro Hypervisor provides a vsock port that the parent can connect to to\nreceive serial console output of the Enclave. Add a new nitro-serial-vsock\ndriver that implements short-circuit logic to establish the vsock\nconnection to that port and feed its data into a chardev, so that a machine\nmodel can use it as serial device.\n\nSigned-off-by: Alexander Graf \n---\n MAINTAINERS | 6 ++\n hw/Kconfig | 1 +\n hw/meson.build | 1 +\n hw/nitro/Kconfig | 3 +\n hw/nitro/meson.build | 1 +\n hw/nitro/serial-vsock.c | 154 ++++++++++++++++++++++++++++++++\n hw/nitro/trace-events | 4 +\n hw/nitro/trace.h | 4 +\n include/hw/nitro/serial-vsock.h | 26 ++++++\n meson.build | 1 +\n 10 files changed, 201 insertions(+)\n create mode 100644 hw/nitro/Kconfig\n create mode 100644 hw/nitro/meson.build\n create mode 100644 hw/nitro/serial-vsock.c\n create mode 100644 hw/nitro/trace-events\n create mode 100644 hw/nitro/trace.h\n create mode 100644 include/hw/nitro/serial-vsock.h","diff":"diff --git a/MAINTAINERS b/MAINTAINERS\nindex 3d002143ae..53ce075e9a 100644\n--- a/MAINTAINERS\n+++ b/MAINTAINERS\n@@ -3022,6 +3022,12 @@ F: hw/vmapple/*\n F: include/hw/vmapple/*\n F: docs/system/arm/vmapple.rst\n \n+Nitro Enclaves (native)\n+M: Alexander Graf \n+S: Maintained\n+F: hw/nitro/\n+F: include/hw/nitro/\n+\n Subsystems\n ----------\n Overall Audio backends\ndiff --git a/hw/Kconfig b/hw/Kconfig\nindex f8f92b5d03..b3ce1520a6 100644\n--- a/hw/Kconfig\n+++ b/hw/Kconfig\n@@ -22,6 +22,7 @@ source isa/Kconfig\n source mem/Kconfig\n source misc/Kconfig\n source net/Kconfig\n+source nitro/Kconfig\n source nubus/Kconfig\n source nvme/Kconfig\n source nvram/Kconfig\ndiff --git a/hw/meson.build b/hw/meson.build\nindex 66e46b8090..36da5322f7 100644\n--- a/hw/meson.build\n+++ b/hw/meson.build\n@@ -44,6 +44,7 @@ subdir('isa')\n subdir('mem')\n subdir('misc')\n subdir('net')\n+subdir('nitro')\n subdir('nubus')\n subdir('nvme')\n subdir('nvram')\ndiff --git a/hw/nitro/Kconfig b/hw/nitro/Kconfig\nnew file mode 100644\nindex 0000000000..86c817c766\n--- /dev/null\n+++ b/hw/nitro/Kconfig\n@@ -0,0 +1,3 @@\n+config NITRO_SERIAL_VSOCK\n+ bool\n+ depends on NITRO\ndiff --git a/hw/nitro/meson.build b/hw/nitro/meson.build\nnew file mode 100644\nindex 0000000000..d95ed8dd79\n--- /dev/null\n+++ b/hw/nitro/meson.build\n@@ -0,0 +1 @@\n+system_ss.add(when: 'CONFIG_NITRO_SERIAL_VSOCK', if_true: files('serial-vsock.c'))\ndiff --git a/hw/nitro/serial-vsock.c b/hw/nitro/serial-vsock.c\nnew file mode 100644\nindex 0000000000..12d6804a33\n--- /dev/null\n+++ b/hw/nitro/serial-vsock.c\n@@ -0,0 +1,154 @@\n+/*\n+ * Nitro Enclave Vsock Serial\n+ *\n+ * Copyright © 2026 Amazon.com, Inc. or its affiliates. All Rights Reserved.\n+ *\n+ * Authors:\n+ * Alexander Graf \n+ *\n+ * With Nitro Enclaves in debug mode, the Nitro Hypervisor provides a vsock\n+ * port that the parent can connect to to receive serial console output of\n+ * the Enclave. This driver implements short-circuit logic to establish the\n+ * vsock connection to that port and feed its data into a chardev, so that\n+ * a machine model can use it as serial device.\n+ *\n+ * SPDX-License-Identifier: GPL-2.0-or-later\n+ */\n+\n+#include \"qemu/osdep.h\"\n+#include \"qemu/error-report.h\"\n+#include \"qapi/error.h\"\n+#include \"qapi/visitor.h\"\n+#include \"chardev/char.h\"\n+#include \"chardev/char-fe.h\"\n+#include \"hw/core/qdev-properties.h\"\n+#include \"hw/core/qdev-properties-system.h\"\n+#include \"hw/core/sysbus.h\"\n+#include \"hw/nitro/serial-vsock.h\"\n+#include \"trace.h\"\n+\n+#define CONSOLE_PORT_START 10000\n+#define VMADDR_CID_HYPERVISOR_STR \"0\"\n+\n+static int nitro_serial_vsock_can_read(void *opaque)\n+{\n+ NitroSerialVsockState *s = opaque;\n+\n+ /* Refuse vsock input until the output backend is ready */\n+ return qemu_chr_fe_backend_open(&s->output) ? 4096 : 0;\n+}\n+\n+static void nitro_serial_vsock_read(void *opaque, const uint8_t *buf, int size)\n+{\n+ NitroSerialVsockState *s = opaque;\n+\n+ /* Forward all vsock data to the output chardev */\n+ qemu_chr_fe_write_all(&s->output, buf, size);\n+}\n+\n+static void nitro_serial_vsock_event(void *opaque, QEMUChrEvent event)\n+{\n+ /* No need to action on connect/disconnect events, but trace for debug */\n+ trace_nitro_serial_vsock_event(event);\n+}\n+\n+static void nitro_serial_vsock_set_cid(Object *obj, Visitor *v,\n+ const char *name, void *opaque,\n+ Error **errp)\n+{\n+ NitroSerialVsockState *s = NITRO_SERIAL_VSOCK(obj);\n+ uint32_t cid, port;\n+ g_autofree char *chardev_id = NULL;\n+ Chardev *chr;\n+ ChardevBackend *backend;\n+ ChardevSocket *sock;\n+\n+ if (!visit_type_uint32(v, name, &cid, errp)) {\n+ return;\n+ }\n+\n+ s->cid = cid;\n+ port = cid + CONSOLE_PORT_START;\n+\n+ /*\n+ * We know the Enclave CID to connect to now. Create a vsock\n+ * client chardev that connects to the Enclave's console.\n+ */\n+ chardev_id = g_strdup_printf(\"nitro-console-%u\", cid);\n+\n+ backend = g_new0(ChardevBackend, 1);\n+ backend->type = CHARDEV_BACKEND_KIND_SOCKET;\n+ sock = backend->u.socket.data = g_new0(ChardevSocket, 1);\n+ sock->addr = g_new0(SocketAddressLegacy, 1);\n+ sock->addr->type = SOCKET_ADDRESS_TYPE_VSOCK;\n+ sock->addr->u.vsock.data = g_new0(VsockSocketAddress, 1);\n+ sock->addr->u.vsock.data->cid = g_strdup(VMADDR_CID_HYPERVISOR_STR);\n+ sock->addr->u.vsock.data->port = g_strdup_printf(\"%u\", port);\n+ sock->server = false;\n+ sock->has_server = true;\n+\n+ chr = qemu_chardev_new(chardev_id, TYPE_CHARDEV_SOCKET,\n+ backend, NULL, errp);\n+ if (!chr) {\n+ return;\n+ }\n+\n+ if (!qemu_chr_fe_init(&s->vsock, chr, errp)) {\n+ return;\n+ }\n+\n+ qemu_chr_fe_set_handlers(&s->vsock,\n+ nitro_serial_vsock_can_read,\n+ nitro_serial_vsock_read,\n+ nitro_serial_vsock_event,\n+ NULL, s, NULL, true);\n+}\n+\n+static void nitro_serial_vsock_get_cid(Object *obj, Visitor *v,\n+ const char *name, void *opaque,\n+ Error **errp)\n+{\n+ NitroSerialVsockState *s = NITRO_SERIAL_VSOCK(obj);\n+ uint32_t cid = s->cid;\n+\n+ visit_type_uint32(v, name, &cid, errp);\n+}\n+\n+static void nitro_serial_vsock_realize(DeviceState *dev, Error **errp)\n+{\n+ /*\n+ * At realize we don't know the Enclave CID yet, because the nitro accel\n+ * first needs to launch the Enclave. Delay creation of the connection\n+ * until the nitro accel pushes the CID as QOM property.\n+ */\n+}\n+\n+static const Property nitro_serial_vsock_props[] = {\n+ DEFINE_PROP_CHR(\"chardev\", NitroSerialVsockState, output),\n+};\n+\n+static void nitro_serial_vsock_class_init(ObjectClass *oc, const void *data)\n+{\n+ DeviceClass *dc = DEVICE_CLASS(oc);\n+ dc->realize = nitro_serial_vsock_realize;\n+ device_class_set_props(dc, nitro_serial_vsock_props);\n+\n+ object_class_property_add(oc, \"enclave-cid\", \"uint32\",\n+ nitro_serial_vsock_get_cid,\n+ nitro_serial_vsock_set_cid,\n+ NULL, NULL);\n+}\n+\n+static const TypeInfo nitro_serial_vsock_info = {\n+ .name = TYPE_NITRO_SERIAL_VSOCK,\n+ .parent = TYPE_SYS_BUS_DEVICE,\n+ .instance_size = sizeof(NitroSerialVsockState),\n+ .class_init = nitro_serial_vsock_class_init,\n+};\n+\n+static void nitro_serial_vsock_register(void)\n+{\n+ type_register_static(&nitro_serial_vsock_info);\n+}\n+\n+type_init(nitro_serial_vsock_register);\ndiff --git a/hw/nitro/trace-events b/hw/nitro/trace-events\nnew file mode 100644\nindex 0000000000..20617a024a\n--- /dev/null\n+++ b/hw/nitro/trace-events\n@@ -0,0 +1,4 @@\n+# See docs/devel/tracing.rst for syntax documentation.\n+\n+# serial-vsock.c\n+nitro_serial_vsock_event(int event) \"event %d\"\ndiff --git a/hw/nitro/trace.h b/hw/nitro/trace.h\nnew file mode 100644\nindex 0000000000..b455d6c17b\n--- /dev/null\n+++ b/hw/nitro/trace.h\n@@ -0,0 +1,4 @@\n+/*\n+ * SPDX-License-Identifier: GPL-2.0-or-later\n+ */\n+#include \"trace/trace-hw_nitro.h\"\ndiff --git a/include/hw/nitro/serial-vsock.h b/include/hw/nitro/serial-vsock.h\nnew file mode 100644\nindex 0000000000..92c9374eeb\n--- /dev/null\n+++ b/include/hw/nitro/serial-vsock.h\n@@ -0,0 +1,26 @@\n+/*\n+ * Nitro Enclave Serial (vsock)\n+ *\n+ * SPDX-License-Identifier: GPL-2.0-or-later\n+ */\n+\n+#ifndef HW_CHAR_NITRO_SERIAL_VSOCK_H\n+#define HW_CHAR_NITRO_SERIAL_VSOCK_H\n+\n+#include \"hw/core/qdev.h\"\n+#include \"hw/core/sysbus.h\"\n+#include \"chardev/char-fe.h\"\n+#include \"qom/object.h\"\n+\n+#define TYPE_NITRO_SERIAL_VSOCK \"nitro-serial-vsock\"\n+OBJECT_DECLARE_SIMPLE_TYPE(NitroSerialVsockState, NITRO_SERIAL_VSOCK)\n+\n+struct NitroSerialVsockState {\n+ SysBusDevice parent_obj;\n+\n+ CharFrontend output; /* chardev to write console output to */\n+ CharFrontend vsock; /* vsock chardev to enclave console */\n+ uint32_t cid;\n+};\n+\n+#endif /* HW_CHAR_NITRO_SERIAL_VSOCK_H */\ndiff --git a/meson.build b/meson.build\nindex bdeee65db2..3c6fa7a55a 100644\n--- a/meson.build\n+++ b/meson.build\n@@ -3634,6 +3634,7 @@ if have_system\n 'hw/misc/macio',\n 'hw/net',\n 'hw/net/can',\n+ 'hw/nitro',\n 'hw/nubus',\n 'hw/nvme',\n 'hw/nvram',\n","prefixes":["04/10"]}