
kata.kernel-uvm: add AML sandbox #2231

Merged: katexochen merged 9 commits into main from p/aml-sandbox on Mar 10, 2026

@katexochen
Member

No description provided.

Member

@burgerdev burgerdev left a comment

LGTM, thanks a lot, this is great!

Once you're done testing, you could consider squashing the AML code commits in the middle, because they are partially reverting themselves.

Collaborator

@charludo charludo left a comment

I have looked esp. at the Nix and Go parts, which look good to me; can't really comment on the actual sandbox / C code.

@katexochen
Member Author

katexochen commented Mar 10, 2026

Changed in last push:

  • Added a workflow that triggers the badaml e2e tests when relevant files change
  • For badaml e2e on TDX, set isn't working (measurement mismatch), so wait for sandbox ready instead
  • Add code to wait for a single container
  • Updated the sandbox patch:
    • Remove cmdline toggle (security risk when parsing cmdline, wasn't really needed)
    • Remove cache (was only used for Azure hypercalls and unused in prev patch version)
    • Refactored the logging for better human readability:
      ACPI: SANDBOX: ACCESS r virt=ff11000045100002 phys=45100002 denied
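
Added example (not code from this pull request): collecting the `ACPI: SANDBOX: ACCESS ... denied` lines shown in the comment above from a guest kernel log and grouping them by physical page, as a log check might. The pattern is inferred from the single quoted line; `ParseDenials`, `DeniedPages`, the timestamps and the `w` mode in the sample are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Constructed sample: line 1 is the line quoted in the comment above with an
// invented timestamp; the rest, including the "w" mode, are assumptions.
const sampleLog = `[    0.412] ACPI: SANDBOX: ACCESS r virt=ff11000045100002 phys=45100002 denied
[    0.413] ACPI: SANDBOX: ACCESS r virt=ff11000045100a00 phys=45100a00 denied
[    0.420] ACPI: Interpreter enabled
[    0.431] ACPI: SANDBOX: ACCESS w virt=ff11000012345678 phys=12345678 denied`

// Denial is one denied access; Mode is the token logged after ACCESS.
type Denial struct {
	Mode       string
	Virt, Phys uint64
}

// Pattern inferred from the one sample line on the page, not from the patch.
var denyRe = regexp.MustCompile(`ACPI: SANDBOX: ACCESS (\S+) virt=([0-9a-f]{1,16}) phys=([0-9a-f]{1,16}) denied`)

// ParseDenials extracts every denied access from kernel log text.
func ParseDenials(log string) []Denial {
	var out []Denial
	for _, m := range denyRe.FindAllStringSubmatch(log, -1) {
		// {1,16} hex digits always fit in uint64, so parsing cannot fail.
		virt, _ := strconv.ParseUint(m[2], 16, 64)
		phys, _ := strconv.ParseUint(m[3], 16, 64)
		out = append(out, Denial{Mode: m[1], Virt: virt, Phys: phys})
	}
	return out
}

// DeniedPages counts denials per 4 KiB physical page.
func DeniedPages(ds []Denial) map[uint64]int {
	pages := make(map[uint64]int)
	for _, d := range ds {
		pages[d.Phys&^0xfff]++
	}
	return pages
}

func main() {
	ds := ParseDenials(sampleLog)
	fmt.Printf("%d denials, per-page counts: %v\n", len(ds), DeniedPages(ds))
}
```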

@katexochen katexochen requested a review from burgerdev March 10, 2026 08:06
katexochen and others added 9 commits March 10, 2026 13:32
Co-authored-by: Spyros Seimenis <sse@edgeless.systems>
Co-authored-by: Paul Meyer <katexochen0@gmail.com>
Co-authored-by: Spyros Seimenis <sse@edgeless.systems>
To reduce the dependency on the initrd start address, which changes
based on various factors and cannot be predicted without starting a VM,
we increase the file size of the target file and scan all the memory
instead of just the initrd. This way we can get rid of the dependency on
the initrd start address entirely.
and increase the size of the kernel ring buffer so that early messages
don't disappear.

Co-authored-by: Paul Meyer <katexochen0@gmail.com>
@katexochen
Member Author

katexochen commented Mar 10, 2026

Changed in last push:

  • Remove __sandbox_is_efi_memory from sandbox patch. According to the paper, read access to efi memory is only needed on azure, so we don't need to allow it. This came up in a discussion with @msanft, thanks!
  • Removed some unused headers.

@burgerdev burgerdev modified the milestone: v1.18.0 Mar 10, 2026
@katexochen katexochen added the feature Shiny new feature for our users label Mar 10, 2026
@katexochen katexochen merged commit fd0d0c9 into main Mar 10, 2026
33 of 41 checks passed
@katexochen katexochen deleted the p/aml-sandbox branch March 10, 2026 15:02
4 participants