
In this chapter we run Jailhouse on CentOS inside a QEMU x86_64 virtual machine.

Initialize the runtime environment:

Host $ modprobe -av 9p
Host $ modprobe -av nbd max_part=8
Host $ ssh -X root@`docker exec -it sysdev ip addr show eth0 | tr "/" " " | awk '$1=="inet" {print $2}'`
Docker # . /opt/sysdev/sysdev_env.sh
Docker $ ${SYSDEV_TOOLS}/start-nat.sh
Docker $ ${SYSDEV_TOOLS}/test-nat.sh

Build the Jailhouse image

Build the Jailhouse image in the CentOS virtual machine.

Configure the system environment
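The host uses an Intel CPU and the CentOS (7.6.1908 X86_64) distribution.

Enable hardware virtualization support on the host

Enable Intel VT-x/VT-d virtualization support in the BIOS. Once it is enabled, the CPU's vmx feature flag is visible: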
$ cat /proc/cpuinfo | grep vmx
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc eagerfpu pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp tpr_shadow vnmi ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec arat spec_ctrl intel_stibp flush_l1d arch_capabilities
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc eagerfpu pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp tpr_shadow vnmi ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec arat spec_ctrl intel_stibp flush_l1d arch_capabilities
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc eagerfpu pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp tpr_shadow vnmi ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec arat spec_ctrl intel_stibp flush_l1d arch_capabilities
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc eagerfpu pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp tpr_shadow vnmi ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec arat spec_ctrl intel_stibp flush_l1d arch_capabilities

Upgrade the Linux kernel to version 4.X+

Install a prebuilt third-party kernel:
$ rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
$ yum install -y https://www.elrepo.org/elrepo-release-7.0-4.el7.elrepo.noarch.rpm
# yum --disablerepo="*" --enablerepo="elrepo-kernel" list available
$ yum --enablerepo=elrepo-kernel --skip-broken -y install kernel-ml kernel-ml-devel kernel-ml-doc kernel-ml-headers kernel-ml-tools kernel-ml-tools-libs kernel-ml-tools-libs-devel

Change the default boot kernel:
$ grep "menuentry " /boot/grub2/grub.cfg | awk -F"'" '{print $2}'
CentOS Linux (5.3.7-1.el7.elrepo.x86_64) 7 (Core)
CentOS Linux (3.10.0-1062.1.2.el7.x86_64) 7 (Core)
CentOS Linux (0-rescue-a922db9ab47c4a278e33b55f7b8d56b4) 7 (Core)
$ vi /etc/default/grub
GRUB_DEFAULT="CentOS Linux (5.3.7-1.el7.elrepo.x86_64) 7 (Core)"
$ grub2-mkconfig -o /boot/grub2/grub.cfg

Reboot and check whether the upgrade succeeded:
$ reboot
$ uname -a
Linux CentOS7-LR 5.3.7-1.el7.elrepo.x86_64 #1 SMP Thu Oct 17 18:17:07 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux

Enable hardware virtualization support in the kernel

Modify the boot parameters to add Intel hardware virtualization support:
$ vi /etc/default/grub
GRUB_CMDLINE_LINUX="intel_iommu=on iommu=pt crashkernel=auto rhgb quiet net.ifnames=0 biosdevname=0"
$ grub2-mkconfig -o /boot/grub2/grub.cfg

Reboot and check whether the change took effect:
$ reboot
$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.1.2.el7.x86_64 root=UUID=5801d8e4-8cc9-4a57-920f-ef58fbd0de40 ro intel_iommu=on iommu=pt net.ifnames=0 biosdevname=0 crashkernel=auto spectre_v2=retpoline rhgb quiet LANG=zh_CN.UTF-8
$ uname -a
Linux MiBook-LR 5.3.7-1.el7.elrepo.x86_64 #1 SMP Thu Oct 17 18:17:07 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux

Check whether the IOMMU was initialized correctly in the kernel; on success, messages like the following appear:
$ dmesg | grep -e DMAR -e IOMMU
[ 0.030112] ACPI: DMAR 0x000000008CFB0000 0000F0 (v01 XMCC XMCC1701 00000001 ACPI 00040000)
[ 0.169366] DMAR: Host address width 39
[ 0.169367] DMAR: DRHD base: 0x000000fed90000 flags: 0x0
[ 0.169374] DMAR: dmar0: reg_base_addr fed90000 ver 1:0 cap 1c0000c40660462 ecap 19e2ff0505e
[ 0.169375] DMAR: DRHD base: 0x000000fed91000 flags: 0x1
[ 0.169380] DMAR: dmar1: reg_base_addr fed91000 ver 1:0 cap d2008c40660462 ecap f050da
[ 0.169381] DMAR: RMRR base: 0x0000008ae55000 end: 0x0000008ae74fff
[ 0.169382] DMAR: RMRR base: 0x0000008d800000 end: 0x0000008fffffff
[ 0.169383] DMAR: ANDD device: 1 name: \_SB.PCI0.I2C0
[ 0.169384] DMAR: ANDD device: 2 name: \_SB.PCI0.I2C1
[ 0.169386] DMAR-IR: IOAPIC id 2 under DRHD base 0xfed91000 IOMMU 1
[ 0.169387] DMAR-IR: HPET id 0 under DRHD base 0xfed91000
[ 0.169388] DMAR-IR: Queued invalidation will be enabled to support x2apic and Intr-remapping.
[ 0.171026] DMAR-IR: Enabled IRQ remapping in x2apic mode
[ 1.401327] DMAR: ACPI device "device:70" under DMAR at fed91000 as 00:15.0
[ 1.401331] DMAR: ACPI device "device:71" under DMAR at fed91000 as 00:15.1
[root@MiBook-LR jailhouse]# uname -a
Linux MiBook-LR 5.3.7-1.el7.elrepo.x86_64 #1 SMP Thu Oct 17 18:17:07 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux

Check whether IOMMU grouping is working; a non-empty directory means the groups were created (optional):
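$ ls /sys/kernel/iommu_groups/
0 1 2 3 4 5 6 7 8 9

Enable nested virtualization support in KVM

Add nested virtualization support to KVM by changing the kvm_intel module parameters (some of them may not take effect):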
$ cat /sys/module/kvm_intel/parameters/nested
N
$ vi /usr/lib/modprobe.d/kvm_intel.conf
options kvm_intel nested=1
options kvm_intel enable_shadow_vmcs=1
options kvm_intel enable_apicv=1
options kvm_intel ept=1
$ modprobe -r kvm_intel && modprobe -a kvm_intel
$ cat /sys/module/kvm_intel/parameters/nested
Y

Install the virtual machine packages

Install the additional virtualization package repositories:
$ yum install -y epel-release
$ yum install -y centos-release-qemu-ev

Install and check the QEMU and KVM packages:
$ yum install -y qemu-kvm-ev
$ /usr/libexec/qemu-kvm --version
QEMU emulator version 2.12.0 (qemu-kvm-ev-2.12.0-33.1.el7)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers
$ /bin/qemu-img --version
qemu-img version 2.12.0 (qemu-kvm-ev-2.12.0-33.1.el7)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

Install libvirt and some tool packages (convenient for managing virtual machines and building images):
$ yum install -y libvirt libguestfs-tools libguestfs-xfs genisoimage
$ systemctl enable libvirtd && systemctl start libvirtd && systemctl status libvirtd

Build the Jailhouse virtual machine

Upgrade the QEMU guest kernel to version 4.X+, using the same method as on the host:
Guest $ rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
Guest $ rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
Guest $ yum --disablerepo="*" --enablerepo="elrepo-kernel" list available
Guest $ yum --enablerepo=elrepo-kernel --skip-broken -y install kernel-ml kernel-ml-devel kernel-ml-doc kernel-ml-headers kernel-ml-tools kernel-ml-tools-libs kernel-ml-tools-libs-devel
Guest $ grep "menuentry " /boot/grub2/grub.cfg | awk -F"'" '{print $2}'
CentOS Linux (5.3.7-1.el7.elrepo.x86_64) 7 (Core)
CentOS Linux (3.10.0-957.27.2.el7.x86_64) 7 (Core)
CentOS Linux (0-rescue-65113b1a0d2f6087d515e6a8cd0ee7ef) 7 (Core)
Guest $ vi /etc/default/grub
GRUB_DEFAULT="CentOS Linux (5.3.7-1.el7.elrepo.x86_64) 7 (Core)"
Guest $ grub2-mkconfig -o /boot/grub2/grub.cfg
Guest $ reboot
Guest $ uname -a
Linux jailhouse 5.3.7-1.el7.elrepo.x86_64 #1 SMP Thu Oct 17 18:17:07 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux

Install the packages needed to build Jailhouse:
Guest $ yum install -y epel-release
# Python and the mako library must be installed, otherwise some commands may not work properly:
Guest $ yum install -y python
Guest $ easy_install pip
Guest $ pip install mako
Guest $ yum install -y tree wget git gcc kernel-headers kernel-devel

Build and install Jailhouse:
Guest $ mkdir -pv /opt/ahv/jailhouse && cd /opt/ahv/jailhouse
Guest $ git clone https://github.com/siemens/jailhouse.git
Guest $ cd jailhouse
Guest $ make
# Install into a separate directory, only to make the result easier to inspect and analyse:
Guest $ make install DESTDIR=/opt/ahv/jailhouse/target
# Install into the system directories:
Guest $ make install

View the target files generated by Jailhouse:
Guest $ tree /opt/ahv/jailhouse/target/
/opt/ahv/jailhouse/target/
|-- lib
|   |-- firmware
|   |   |-- jailhouse-amd.bin
|   |   `-- jailhouse-intel.bin
|   `-- modules
|       `-- 5.3.7-1.el7.elrepo.x86_64
|           |-- extra
|           |   `-- driver
|           |       `-- jailhouse.ko
|           |-- modules.alias
|           |-- modules.alias.bin
|           |-- modules.builtin.bin
|           |-- modules.dep
|           |-- modules.dep.bin
|           |-- modules.devname
|           |-- modules.softdep
|           |-- modules.symbols
|           `-- modules.symbols.bin
`-- usr
    |-- lib
    |   `-- python2.7
    |       `-- site-packages
    |           |-- pyjailhouse
    |           |   |-- cell.py
    |           |   |-- cell.pyc
    |           |   |-- extendedenum.py
    |           |   |-- extendedenum.pyc
    |           |   |-- __init__.py
    |           |   |-- __init__.pyc
    |           |   |-- pci_defs.py
    |           |   |-- pci_defs.pyc
    |           |   |-- sysfs_parser.py
    |           |   `-- sysfs_parser.pyc
    |           `-- pyjailhouse-0.11_-py2.7.egg-info
    |               |-- dependency_links.txt
    |               |-- installed-files.txt
    |               |-- PKG-INFO
    |               |-- SOURCES.txt
    |               `-- top_level.txt
    |-- local
    |   |-- libexec
    |   |   `-- jailhouse
    |   |       |-- jailhouse-cell-linux
    |   |       |-- jailhouse-cell-stats
    |   |       |-- jailhouse-config-create
    |   |       |-- jailhouse-hardware-check
    |   |       `-- linux-loader.bin
    |   |-- sbin
    |   |   `-- jailhouse
    |   `-- share
    |       |-- jailhouse
    |       |   |-- jailhouse-config-collect.tmpl
    |       |   `-- root-cell-config.c.tmpl
    |       `-- man
    |           `-- man8
    |               |-- jailhouse.8
    |               |-- jailhouse-cell.8
    |               `-- jailhouse-enable.8
    `-- share
        `-- bash-completion
            `-- completions
                `-- jailhouse

23 directories, 39 files

Run the Jailhouse virtual machine

Load the Jailhouse kernel module and run the hardware check:
Guest $ modprobe jailhouse
Guest $ jailhouse hardware check
Feature                         Availability
------------------------------  ------------------
Number of CPUs > 1              ok
Long mode                       ok
x2APIC                          ok
VT-x (VMX)                      ok
  VMX outside SMX               ok
  VMX inside SMX                missing (optional)
  IA32_TRUE_*_CLTS              ok
  NMI exiting                   ok
  Preemption timer              ok
  I/O bitmap                    ok
  MSR bitmap                    ok
  Secondary controls            ok
  Optional CR3 interception     ok
  Virtualize APIC access        ok
  RDTSCP                        missing (optional)
  Unrestricted guest            ok
  EPT                           ok
    4-level page walk           ok
    EPTP write-back             ok
    2M pages                    ok
    1G pages                    ok
    INVEPT                      ok
      Single or all-context     ok
  VM-exit save IA32_PAT         ok
  VM-exit load IA32_PAT         ok
  VM-exit save IA32_EFER        ok
  VM-exit load IA32_EFER        ok
  VM-entry load IA32_PAT        ok
  VM-entry load IA32_EFER       ok
  Activity state HLT            ok
VT-d (IOMMU #0)                 ok
  39-bit AGAW                   ok
  48-bit AGAW                   missing (optional)
  2M pages                      ok
  1G pages                      ok
  Queued invalidation           ok
  Interrupt remapping           ok
  Extended interrupt mode       ok
Check passed!

Remove the serial port option from the QEMU guest's Linux boot parameters and shut the virtual machine down (otherwise the Jailhouse virtual machine may fail to start because the serial port is in use):
Guest $ vi /etc/default/grub
#GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto console=ttyS0,115200"
GRUB_CMDLINE_LINUX="intel_iommu=off memmap=82M\\\$0x3a000000 console=tty0 crashkernel=auto"
Guest $ grub2-mkconfig -o /boot/grub2/grub.cfg
Guest $ poweroff

Start the virtual machine again:
Host $ /usr/libexec/qemu-kvm -machine q35,kernel_irqchip=split -m 1G \
    -smp 2 -device intel-iommu,intremap=on,x-buggy-eim=on \
    -cpu kvm64,-kvm_pv_eoi,-kvm_steal_time,-kvm_asyncpf,-kvmclock,+vmx \
    -drive file=System-X86_64.qcow2,format=qcow2,id=disk,if=none \
    -device ide-hd,drive=disk -serial stdio -serial vc \
    -net nic,model=virtio,macaddr=fa:16:3e:4d:58:6f \
    -net tap,ifname=tap-jh,script=vm-ifup,downscript=vm-ifdown \
    -device intel-hda,addr=1b.0 -device hda-duplex -cdrom Init.iso

Automatically generate the Jailhouse RootCell configuration and start the virtual machine:
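# The Linux kernel no longer uses the serial port, so log in to the virtual machine over SSH:
Host $ ssh root@192.168.2.139
SSH $ cd /opt/ahv/jailhouse/jailhouse
SSH $ jailhouse config create configs/x86/qemu-x86_64.c
SSH $ make
SSH $ modprobe jailhouse
SSH $ jailhouse enable configs/x86/qemu-x86_64.cell

Jailhouse's output is visible on both the QEMU virtual machine's serial console and the SSH console; the virtual machine started successfully: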
# Serial
Initializing Jailhouse hypervisor v0.11 (40-g90e8d6c-dirty) on CPU 1
Code location: 0xfffffffff0000050
Using x2APIC
Page pool usage after early setup: mem 35/974, remap 0/131072
Initializing processors:
 CPU 1... (APIC ID 1) OK
 CPU 0... (APIC ID 0) OK
Initializing unit: VT-d
DMAR unit @0xfed90000/0x1000
Reserving 24 interrupt(s) for device ff:00.0 at index 0
Initializing unit: IOAPIC
Initializing unit: Cache Allocation Technology
Initializing unit: PCI
Adding PCI device 00:00.0 to cell "RootCell"
Adding PCI device 00:01.0 to cell "RootCell"
Adding PCI device 00:02.0 to cell "RootCell"
Reserving 3 interrupt(s) for device 00:02.0 at index 24
Adding PCI device 00:1b.0 to cell "RootCell"
Reserving 1 interrupt(s) for device 00:1b.0 at index 27
Adding PCI device 00:1f.0 to cell "RootCell"
Adding PCI device 00:1f.2 to cell "RootCell"
Reserving 1 interrupt(s) for device 00:1f.2 at index 28
Adding PCI device 00:1f.3 to cell "RootCell"
qemu-kvm: vtd_irte_get: detected non-present IRTE (index=0, high=0xff00, low=0x100)
Page pool usage after late setup: mem 248/974, remap 65542/131072
Activating hypervisor

SSH $ jailhouse console
Initializing Jailhouse hypervisor v0.11 (40-g90e8d6c-dirty) on CPU 1
Code location: 0xfffffffff0000050
Using x2APIC
Page pool usage after early setup: mem 35/974, remap 0/131072
Initializing processors:
 CPU 1... (APIC ID 1) OK
 CPU 0... (APIC ID 0) OK
Initializing unit: VT-d
DMAR unit @0xfed90000/0x1000
Reserving 24 interrupt(s) for device ff:00.0 at index 0
Initializing unit: IOAPIC
Initializing unit: Cache Allocation Technology
Initializing unit: PCI
Adding PCI device 00:00.0 to cell "RootCell"
Adding PCI device 00:01.0 to cell "RootCell"
Adding PCI device 00:02.0 to cell "RootCell"
Reserving 3 interrupt(s) for device 00:02.0 at index 24
Adding PCI device 00:1b.0 to cell "RootCell"
Reserving 1 interrupt(s) for device 00:1b.0 at index 27
Adding PCI device 00:1f.0 to cell "RootCell"
Adding PCI device 00:1f.2 to cell "RootCell"
Reserving 1 interrupt(s) for device 00:1f.2 at index 28
Adding PCI device 00:1f.3 to cell "RootCell"
Page pool usage after late setup: mem 248/974, remap 65542/131072
Activating hypervisor
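
The settings this page verifies by hand (on the host: the vmx flag, intel_iommu=on, IOMMU groups and kvm_intel nested; in the guest: intel_iommu=off, the memmap reservation and no ttyS console) can be checked in one pass before running jailhouse enable. This is an added example, not part of the original article or of the Jailhouse project; the ROOT variable and the function names are assumptions introduced here so the checks can also run against a copied /proc and /sys tree.

```shell
#!/bin/sh
# Preflight for the host and guest settings this page configures by hand.
# ROOT is an assumption added here: it points the checks at a copied or
# constructed /proc and /sys tree; empty means the live system.
ROOT="${ROOT:-}"

cmdline_tokens() { tr ' ' '\n' < "$ROOT/proc/cmdline"; }

cmdline_has() {    # succeeds if token $1 is on the kernel command line
    cmdline_tokens | grep -qxF -- "$1"
}

cpu_has_vmx() {    # the flag the page greps for in /proc/cpuinfo
    grep -qE '^flags[[:space:]]*:.*[[:space:]]vmx([[:space:]]|$)' "$ROOT/proc/cpuinfo"
}

# Host: VT-x visible, VT-d enabled, IOMMU groups populated, nested KVM on.
check_host() {
    fail=0
    cpu_has_vmx || { echo "FAIL: no vmx flag, enable VT-x in the BIOS"; fail=1; }
    cmdline_has intel_iommu=on ||
        { echo "FAIL: intel_iommu=on missing from kernel command line"; fail=1; }
    [ -n "$(ls -A "$ROOT/sys/kernel/iommu_groups" 2>/dev/null || true)" ] ||
        { echo "FAIL: no IOMMU groups under /sys/kernel/iommu_groups"; fail=1; }
    nested=$(cat "$ROOT/sys/module/kvm_intel/parameters/nested" 2>/dev/null || true)
    case "$nested" in
        Y|1) ;;    # kernels report the parameter as Y or as 1
        *) echo "FAIL: kvm_intel nested is '${nested:-unreadable}'"; fail=1 ;;
    esac
    return "$fail"
}

# Guest (the future root cell): nested vmx, intel_iommu=off, a memmap
# reservation such as memmap=82M$0x3a000000, and no serial console.
check_guest() {
    fail=0
    cpu_has_vmx || { echo "FAIL: guest CPU lacks vmx, check -cpu ...,+vmx"; fail=1; }
    cmdline_has intel_iommu=off ||
        { echo "FAIL: intel_iommu=off missing from guest command line"; fail=1; }
    cmdline_tokens | grep -qE '^memmap=[0-9]+[KMG]?\$0x[0-9a-fA-F]+$' ||
        { echo "FAIL: no memmap=<size>\$<addr> reservation found"; fail=1; }
    if cmdline_tokens | grep -q '^console=ttyS'; then
        echo "FAIL: console=ttyS* still set, the serial port is occupied"; fail=1
    fi
    return "$fail"
}

# Usage: sh preflight.sh host | guest   (no argument: only define the functions)
case "${1:-}" in
    host)  check_host ;;
    guest) check_guest ;;
esac
```

Run it with `host` on the CentOS host and with `guest` inside the QEMU guest after the GRUB change and reboot; a non-zero exit status means at least one FAIL line was printed.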
