docs: E2E verification on native ARM64 + native crosvm build script #2
Merged
Verified the full NS→Secure chain end-to-end on a native aarch64 host with stock QEMU 8.2.2 (no custom QEMU 9.2.3 needed): TF-A BL31+SPMD → S-EL2 SPMC → SP1/SP2/SP3 → BL33 FF-A client, 20/20 BL33 tests PASS.

Re-confirmed the AVF/crosvm blocker on real ARM hardware: a normal (non-protected) crosvm guest still dies at "failed to create IRQ chip" because QEMU TCG cannot create the in-kernel vGICv3 — protected vs non-protected is irrelevant and real ARM hardware does not change it.

- CLAUDE.md: compress (45KB→24KB), fix 33→34 test-suite count, add Coding Standards + Related Docs sections, dated E2E re-verification note, and the re-confirmed AVF/crosvm findings.
- docs/zhihu/e2e-on-arm-fieldnotes.md, docs/devto-e2e-on-arm.md: Chinese/English field-notes articles on the E2E verification.
- guest/linux/build-crosvm-native.sh: native (non-cross) crosvm build for aarch64 hosts, fixing the minijail bindgen 'sys/resource.h not found' failure in the cross-compile path.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Overview

On a native aarch64 server, the full NS→Secure chain was re-verified with the distribution's stock QEMU 8.2.2, and the feasibility boundary of AVF/crosvm was measured in practice. At the same time, CLAUDE.md was compressed, and two field-notes articles plus a native crosvm build script were added.

Verification results

- build-tfa-spmc + run-spmc: TF-A BL31+SPMD @ EL3 → S-EL2 SPMC → SP1/SP2/SP3 @ S-EL1 → BL33 FF-A client, 20/20 BL33 tests PASS. No custom QEMU 9.2.3 is needed; stock 8.2.2 is enough (the Makefile comment "requires 9.2+" is overly conservative).
- make run: 34/34 suites, zero failures.
- crosvm run dies after about 1 s with "failed to create IRQ chip": QEMU TCG cannot create the in-kernel vGICv3 (KVM_DEV_TYPE_ARM_VGIC_V3). This shows that protected or not is irrelevant, and real ARM hardware does not change the conclusion either; pKVM itself on the guest side boots normally ("Protected hVHE mode initialized successfully", /dev/kvm PASS). Actually running it through requires nested-virtualization KVM or a native /dev/kvm.

Changes

- CLAUDE.md: compressed 45KB→24KB; test-suite count corrected 33→34; added Coding Standards / Related Docs; added a 2026-05-26 E2E re-verification note plus the reproduced AVF/crosvm conclusions.
- docs/zhihu/e2e-on-arm-fieldnotes.md, docs/devto-e2e-on-arm.md: Chinese/English field notes.
- guest/linux/build-crosvm-native.sh: native crosvm build on aarch64 (bypasses the minijail bindgen "sys/resource.h not found" failure in the cross-compile path).

🤖 Generated with Claude Code