1.2.1.2.3. Compile Sources

1.2.1.2.3.1. Build All Components (RV64)

We use CMake as a build system. It lets you generate the Makefile for a given configuration.

PATH must include the RISC-V toolchain.

mkdir <build directory>
cd <build directory>
cmake ..
make

To build the driver and the tests, and to produce the final images for QEMU, run:

# in your <build directory>
make image

This updates all components except QEMU and the boot ROM.

If you want to use initramfs, pass the following flag when running cmake:

cmake .. -Dinitramfs=y

If you want to use the Rust port of the Security Monitor, run cmake with -DUSE_RUST_SM=y.

Please refer to the following sections if you want to learn how to build each individual component. Otherwise, skip to Run Tests.

Most of the components are built out-of-tree, in the <build directory>/<component name>.build directory.

If you run into any issues, check our CMakeLists.txt, as it will always have the up-to-date build recipes.

1.2.1.2.3.2. Build Buildroot

Buildroot config files are located at conf/. RV64 buildroot will use conf/qemu_riscv64_virt_defconfig. The following command will build buildroot with the config:

# in your <build directory>
make buildroot

1.2.1.2.3.3. Build QEMU (in-tree)

We do not build QEMU out-of-tree, as it is unlikely to be rebuilt once it is compiled. The in-tree compilation takes place in qemu, so rebuilding QEMU may require running make clean in qemu.

Keystone requires patches for QEMU (1) to emulate the secure boot via on-chip bootrom and (2) to apply not-yet-upstreamed bug fixes. All patches are located at patches/qemu/.

The following command will configure and build QEMU after applying the patches:

# in your <build directory>
make qemu

1.2.1.2.3.4. Build Linux Kernel

Kernel config files are located at conf/. RV64 Linux will use conf/linux-v5.0-defconfig-rv64.

Keystone requires patches for the Linux kernel to reserve the CMA region at boot. The patch is located at patches/linux/.

The following command will build the Linux kernel:

# in your <build directory>
make linux

1.2.1.2.3.5. Build Berkeley Bootloader (BBL) with Keystone Security Monitor

The following command will build the M-mode security monitor.

# in your <build directory>
make sm

Optionally, you can specify the target platform when you run cmake.

# in your <build directory>
cmake .. -DSM_PLATFORM=fu540
make sm

The default platform is “default”, which does not have any platform-specific features. See riscv-pk/sm/platform/ for available platforms. See Building the Keystone Security Monitor for details.
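
The PATH requirement and the configure options described on this page (initramfs, USE_RUST_SM, SM_PLATFORM) can be checked before cmake is run. The shell helpers below are an added example, not part of the Keystone repository; the compiler name riscv64-unknown-linux-gnu-gcc, the function names, and the treatment of each directory under riscv-pk/sm/platform/ as one valid platform name are assumptions.

```shell
# Added example, not from the Keystone repository.
# Assumptions: the cross compiler is named riscv64-unknown-linux-gnu-gcc, and
# every directory under riscv-pk/sm/platform/ is one valid SM_PLATFORM value.
KEYSTONE_CC="${KEYSTONE_CC:-riscv64-unknown-linux-gnu-gcc}"  # assumed name

# Succeeds only if the cross compiler resolves through PATH.
toolchain_in_path() {
    command -v "$KEYSTONE_CC" >/dev/null 2>&1
}

# Succeeds if <platform> is a directory under <src>/riscv-pk/sm/platform/.
valid_platform() {
    case $2 in
        ''|*/*|.*) return 1 ;;   # empty names and path components are never valid
    esac
    [ -d "$1/riscv-pk/sm/platform/$2" ]
}

# Prints the cmake arguments for the options described on this page.
# usage: cmake_args <keystone source dir> [platform] [initramfs y|n] [rust_sm y|n]
cmake_args() {
    src=$1 platform=${2:-default} initramfs=${3:-n} rust_sm=${4:-n}
    if [ "$platform" != default ] && ! valid_platform "$src" "$platform"; then
        echo "unknown SM_PLATFORM '$platform' (see $src/riscv-pk/sm/platform/)" >&2
        return 1
    fi
    args=".."
    [ "$platform" = default ] || args="$args -DSM_PLATFORM=$platform"
    [ "$initramfs" = y ] && args="$args -Dinitramfs=y"
    [ "$rust_sm" = y ] && args="$args -DUSE_RUST_SM=y"
    echo "$args"
}

# Runs both checks and prints the configure command to type in <build directory>.
preflight() {
    toolchain_in_path || { echo "$KEYSTONE_CC not found in PATH" >&2; return 1; }
    args=$(cmake_args "$@") || return 1
    echo "cmake $args"
}
```

After sourcing these functions, preflight <keystone source dir> fu540 y prints the cmake line to run, or fails with the reason on stderr.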

1.2.1.2.3.6. Build Root-of-Trust Boot ROM

This is used for secure boot. With our patch for QEMU, compiled boot code will be copied to the boot ROM in QEMU.

# in your <build directory>
make bootrom

1.2.1.2.3.7. Build Keystone Driver

The Linux module does not support in-tree builds. Thus, we rsync the entire source code directory with a build directory and build the driver there.

The following command will build the linux driver for Keystone.

# in your <build directory>
make driver

1.2.1.2.3.8. Build Tests

The tests are a part of Keystone SDK’s example enclaves. Thus, we build them using sdk/examples/CMakeLists.txt.

The following command will build the tests and copy the package into the buildroot overlay directory.

# in your <build directory>
make tests

1.2.1.2.3.9. Updating Images

Once you have built every component, you may need to update the final buildroot image by running:

# in your <build directory>
make image