1. Building the Keystone Security Monitor¶
The security monitor (SM) is the core component of Keystone.
The SM is implemented on top of Berkeley Bootloader (bbl).
You can find the latest SM at https://github.com/keystone-enclave/riscv-pk (upstream bbl:
Most of the Keystone SM source code lives in
git clone https://github.com/keystone-enclave/riscv-pk cd riscv-pk
If you have followed Quick Start, the build directory is
already created at
Otherwise, create a build directory.
mkdir build cd build
Configure and build
bbl. The SM can be built by additional flags
--with-target-platform at configuration.
../configure \ --enable-sm \ --with-target-platform=default \ --host=riscv64-unknown-linux-gnu \ --with-payload=<path to vmlinux> make
The Keystone Security Monitor also has an experimental port to the Rust programming language. If you would like to try this version of the SM, specify
--enable-sm_rs instead of using
You may also wish to compile the SM with optimizations enabled. To do this, use the configure flag
make witll generate the boot image
bbl in the build directory. Use it to boot the machine.
Now, we will customize the SM for a FU540 chip on HiFive Unleashed board. Currently, we only have one experimental platform configuration for FU540. If you wish to add your platform as a target, please submit a proposal to GitHub.