Added support for WFI virtual instructions (#39)

* Running confidential Linux VM with virtio-*-pci devices because they support DMA API
* add minimal support for wfi virtual instruction
* Cleaning unused references and unnecessary features declarations in Rust code. Simplifying the build scripts. Pass on the documentation

---------

Signed-off-by: Wojciech Ozga <woz@zurich.ibm.com>

DEVELOPMENT.md

@@ -1,7 +1,42 @@
-    # Development Guide
+# Development Guide
+This document contains information useful for developers. 
+
+## Build on MacOS
+While MacOS is not fully supported by us, building the security monitor on MacOS is also possible. We have not tested yet the build process of the hypervisor on MacOS or running the confidential VMs in QEMU.
+
+Install basic dependencies:
+```
+brew install coreutils  # to have nproc available
+brew install autoconf automake curl python libmpc mpfr gmp gawk flex texinfo libtool bc expat # for OpenSBI build
+```
+
+Install the RISC-V toolchain:
+```
+# https://github.com/riscv-software-src/homebrew-riscv
+brew tap riscv-software-src/riscv
+brew install riscv-gnu-toolchain
+```
+
+Set environment variables to use the RISC-V toolchain:
+```
+export RISCV_GNU_TOOLCHAIN_WORK_DIR=`brew --prefix riscv-gnu-toolchain`
+export PATH=$RISCV_GNU_TOOLCHAIN_WORK_DIR/bin:$PATH
+export CROSS_COMPILE=riscv64-unknown-elf-
+```
+
+Build the security monitor:
+```
+make security_monitor
+```
+
+### Build directory
+By default, ACE will be installed in the `build/` directory of this repository. You can install it to an alternative location by specifying the `ACE_DIR` environment variable. Please make sure that you have enough permissions to install in that location.
+```
+export ACE_DIR="/opt/ace/"
+```
 
 ## Setup of a shared development machine
-We use `/opt` as a shared directory to which we install common tools, like Rust.
+We will use `/opt` as a shared directory to which we will install common tools, like Rust.
 
 ### Install a shared version of Rust
 ```
@@ -29,23 +64,17 @@ export RUSTUP_HOME=/opt/rust/rustup
 export PATH=${PATH}:/opt/rust/cargo/bin
 ```
 
-### Build directory
-By default, ACE will be installed in the `build/` directory of this repository. You can install it to an alternative location by specifying the `ACE_DIR` environment variable. Please make sure that you have enough permissions to install in that location.
-```
-export ACE_DIR="/opt/ace/"
-```
-
-## Modify the hypervisor
-Files in `configurations/overlay/root` will be included in the hypervisor filesystem during the build process. 
+## Modify the hypervisor's Linux kernel
+We use buildroot to fetch and compile the Linux kernel. It applies our changes to the Linux kernel using [patches](hypervisor/patches/). To build the Linux kernel using changes from custom Linux kernel sources you must do the following steps:
 
-To re-build the hypervisor without building all other components run:
+Define the location of your custom Linux kernel sources (e.g., under `/tmp/linux`) in a configuration file:
 ```
-make rootfs
+echo "LINUX_OVERRIDE_SRCDIR=/tmp/linux" > hypervisor/configurations/package_override.dev
 ```
 
-You can modify the kernel driver (`configurations/overlay/root/ace-kernel-module`) using the following command:
+Now, re-run the build process:
 ```
-make overlay rootfs
+make hypervisor_dev
 ```
 
 ## Run & Test

README.md

@@ -1,23 +1,23 @@
-# Assured Confidential Execution (ACE) for RISC-V
+# Assured Confidential Execution (ACE) for RISC-V 
 ![Build Status](https://github.com/IBM/ACE-RISCV/actions/workflows/build.yml/badge.svg?branch=main)
 
-<img src=".github/ace.png" align="right" width="100" height="100">
+<img src=".github/ace.png" align="right" width="100" height="100"> 
+
+ACE-RISCV is an open-source project, whose goal is to deliver a confidential computing framework with a formally proven security monitor. It is based on the [canonical architecture](https://dl.acm.org/doi/pdf/10.1145/3623652.3623668) and targets RISC-V with the goal of being portable to other architectures. The formal verification efforts focus on the [security monitor implementation](security-monitor/). We invite collaborators to work with us to push the boundaries of provable confidential computing technology. 
 
-ACE-RISCV is an open-source project, whose goal is to deliver a confidential computing framework with a formally proven security monitor. It is based on the [canonical architecture](https://dl.acm.org/doi/pdf/10.1145/3623652.3623668) and targets RISC-V with the goal of being portable to other architectures. The formal verification efforts focus on the [security monitor](security-monitor/) implementation. We invite collaborators to work with us to push the boundaries of provable confidential computing technology.
-
-**This is an active research project, without warranties of any kind.** Please read our [paper](https://dl.acm.org/doi/pdf/10.1145/3623652.3623668) to learn about our approach and goals.
+**This is an active research project, without warranties of any kind.** Please read our [paper](https://dl.acm.org/doi/pdf/10.1145/3623652.3623668) to learn about the approach and goals.
 
 ## Hardware requirements
-We are currently building on RISC-V with hypervisor extentions, physical memory protection (PMP), IOPMP, and supervisor timecmp extension (Sstc). We plan to adapt some of the RISC-V confidential computing extensions, such as [the CoVE extension](https://github.com/riscv-non-isa/riscv-ap-tee/blob/main/specification/riscv-cove.pdf) and [the Smmtt extension](https://github.com/riscv/riscv-smmtt).
+We are currently building on RISC-V with integer, atomic and hypervisor extentions, physical memory protection (PMP), memory management unit (MMU), IOPMP, core-local interrupt controller (CLINT), platform-level interrupt controller (PLIC), and supervisor timecmp extension (Sstc). We plan to adapt some of the RISC-V confidential computing extensions, such as [the CoVE extension](https://github.com/riscv-non-isa/riscv-ap-tee/blob/main/specification/riscv-cove.pdf) and [the Smmtt extension](https://github.com/riscv/riscv-smmtt).
 
 ## Quick Start
-Follow instructions to run a sample [confidential workload](harness/baremetal) under an [untrusted Linux-based hypervisor](hypervisor/) in an [emulated RISC-V environment](qemu/).
+Follow instructions to run one of the sample [confidential workloads](confidential-vms) under an [untrusted Linux KVM hypervisor](hypervisor/) in an [emulated RISC-V environment](qemu/).
 
 ### Requirements
-Full compilation of the framework takes a long time because all the tools are built from sources. Our tool chain currently includes: RISC-V emulator (`qemu`), hypervisor kernel (`Linux kernel`), and firmware (`security monitor` with `OpenSBI firmware`). Make sure to build this project on a machine with at least 4 cores, 4GB RAM, and 50GB disk space for reasonable (~30min) build time.
+Full compilation of the framework takes a long time because many tools are built from sources. Our toolchain currently includes: a RISC-V emulator (`qemu`), hypervisor kernel (`Linux kernel`), and firmware (`security monitor` with `OpenSBI firmware`). Make sure to build this project on a machine with at least 4 cores, 4GB RAM, and 50GB disk space for reasonable (~30min) build time.
 
 ### Dependencies
-You must install build dependencies specific to the operating system you use AND install the Rust toolchain.
+You must install build dependencies specific to the operating system you use AND install the Rust toolchain. You can also look at the [reproducible build configuration](.github/workflows/build.yml) of the continous integration (CI) system.
 
 Dependencies for Ubuntu 22.04
 ```
@@ -52,7 +52,7 @@ cargo install cargo-binutils
 . "$HOME/.cargo/env"
 ```
 
-### Sources & Patches
+### Sources
 Checkout this repository with submodules (this takes a long time!):
 ```
 git clone --recurse-submodules git@github.com:IBM/ACE-RISCV.git
@@ -62,52 +62,47 @@ git clone --recurse-submodules git@github.com:IBM/ACE-RISCV.git
 #### Prerequisites
 Run the following commands from the directory containing this README file.
 
-Set up the ACE_DIR variable to point to the location where the project will build. Default is the build/ subdirectory of the location where you will execute `make` command.
+Set up the ACE_DIR variable to point to the location where the project will build. Default is the `build/` subdirectory of the location where you will execute the `make` command.
 ```
 export ACE_DIR=/your/path/to/build/ace
 ```
 
 #### Build everything
-The following command will build the entire framework. Set `-j` flag to the number of processor cores you have in the system.
+The following command will build the entire framework. Set `-j` flag to the number of processor cores you have in the system. Below command assumes that you have 4 cores.
 ```
 MAKEFLAGS="--silent -j4" make
 ```
 
 #### Build individual components
-Alternativly, you can build individual components to avoid long builds that can lead to 'ssh disconnections', 'hangups', and similar issues.
+Alternativly, you can build individual components to avoid long builds that can lead to 'ssh disconnections', 'hangups', and similar issues. 
 
-Install all develoment tools required to compile code for risc-v architecture:
+Install all develoment tools required to compile code for the RISC-V architecture:
 ```
 make devtools
 ```
 
-Build the host and guest Linux-based OSes
+Build the host OS -- [a Linux KVM hypervisor](hypervisor/):
 ```
 make hypervisor
 ```
 
-Build the security monitor (SM)
-```
-make security_monitor
-```
-
-Build the firmware that will boot the system
+Build [the low level firmware](security-monitor/opensbi) responsible for the boot process. This command will also build the [security monitor (SM)](security-monitor/):
 ```
 make firmware
 ```
 
-Build test confidential VMs
+Build sample [confidential workloads](confidential-vms/):
 ```
 make confidential_vms
 ```
 
-Build the RISC-V emulator and tools that will simplify running the test environment
+Build the RISC-V emulator and utility tools that simplify running the test environment:
 ```
 make emulator
 ```
 
 ## Run and Test
-Make sure you have the ACE_DIR environmental variable set and it points to the location of your build. Check 'compilation' section in case this variable is not set.
+Make sure you have the `ACE_DIR` environmental variable set and it points to the location of your build. Check the 'Compilation' section in case this variable is not set.
 ```
 echo $ACE_DIR
 ```
@@ -117,7 +112,7 @@ To run the test environment on a RISC-V emulator run:
 ${ACE_DIR}/tools/ace run
 ```
 
-You should see the output from the boot process and a promt to login to the hypervisor.
+You should see the output from the boot process and a promt to login to the hypervisor:
 ```
 # login: root, password: passwd
 ```
@@ -132,33 +127,6 @@ To run the sample Linux kernel confidential VM execute:
 ./run_linux_vm.sh
 ```
 
-## Build on MacOS
-While MacOS is not fully supported by us, building the security monitor on MacOS is also possible.
-We have not tested building the hypervisor on MacOS or running the VMs in Qemu.
-
-1. Install basic dependencies.
-```
-brew install coreutils  # to have nproc available
-brew install autoconf automake curl python libmpc mpfr gmp gawk flex texinfo libtool bc expat # for OpenSBI build
-```
-
-2. Install the Risc-V toolchain.
-```
-# https://github.com/riscv-software-src/homebrew-riscv
-brew tap riscv-software-src/riscv
-brew install riscv-gnu-toolchain
-```
-
-3. Source environment variables for using the toolchain.
-```
-source macos_env
-```
-
-4. Build the security monitor:
-```
-make security_monitor
-```
-
 # License
 This repository is distributed under the terms of the Apache 2.0 License, see [LICENSE](LICENSE).
 

confidential-vms/linux_vm/Makefile

@@ -47,8 +47,8 @@ buildroot: setup
 		sed "s@^BR2_TARGET_ROOTFS_EXT2_SIZE=.*@BR2_TARGET_ROOTFS_EXT2_SIZE=\"$(LINUX_VM_BUILDROOT_ROOTFS_SIZE)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
 		sed "s@^BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=.*@BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=\"$(LINUX_VM_KERNEL_CONFIG)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
 		sed "s@^BR2_LINUX_KERNEL_PATCH=.*@BR2_LINUX_KERNEL_PATCH=\"$(LINUX_VM_PATCHES_DIR)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
-		PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" $(MAKE) -s -C $(LINUX_VM_BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(LINUX_VM_BUILDROOT_WORK_DIR) CROSS_COMPILE=$(CROSS_COMPILE) BR2_JLEVEL=0 olddefconfig; \
-		PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" $(MAKE) -s -C $(LINUX_VM_BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(LINUX_VM_BUILDROOT_WORK_DIR) BR2_JLEVEL=0; \
+		$(MAKE) -s -C $(LINUX_VM_BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(LINUX_VM_BUILDROOT_WORK_DIR) CROSS_COMPILE=$(CROSS_COMPILE) BR2_JLEVEL=0 olddefconfig; \
+		$(MAKE) -s -C $(LINUX_VM_BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(LINUX_VM_BUILDROOT_WORK_DIR) BR2_JLEVEL=0; \
 	fi
 
 dev:
@@ -59,7 +59,7 @@ dev:
 	sed "s@^BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=.*@BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=\"$(LINUX_VM_KERNEL_CONFIG)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
 	sed "s@^BR2_LINUX_KERNEL_PATCH=.*@BR2_LINUX_KERNEL_PATCH=\"$(LINUX_VM_PATCHES_DIR)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
 	sed "s@^BR2_PACKAGE_OVERRIDE_FILE=.*@BR2_PACKAGE_OVERRIDE_FILE=\"$(LINUX_VM_BUILDROOT_OVERRIDE_DIR)\"@g" -i $(LINUX_VM_BUILDROOT_WORK_DIR)/.config; \
-	PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" $(MAKE) -s -C $(LINUX_VM_BUILDROOT_SOURCE_DIR) RISCV=$(RISCV) PATH=$(PATH) O=$(LINUX_VM_BUILDROOT_WORK_DIR) CROSS_COMPILE=$(CROSS_COMPILE) BR2_JLEVEL=0 linux-rebuild all
+	$(MAKE) -s -C $(LINUX_VM_BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(LINUX_VM_BUILDROOT_WORK_DIR) CROSS_COMPILE=$(CROSS_COMPILE) BR2_JLEVEL=0 linux-rebuild all
 
 overlay: setup
 	mkdir -p $(HYPERVISOR_OVERLAY_ROOT_DIR) ;\

confidential-vms/linux_vm/rootfs/run_linux_vm.sh

@@ -56,8 +56,8 @@ ${QEMU_CMD} ${DEBUG_OPTIONS} \
     -global virtio-mmio.force-legacy=false \
     -append "console=ttyS0 ro root=/dev/vda swiotlb=force" \
     -netdev user,id=net0,net=192.168.100.1/24,dhcpstart=192.168.100.128,hostfwd=tcp::${HOST_PORT}-:22 \
-    -device virtio-net-device,netdev=net0 \
+    -device virtio-net-pci,netdev=net0 \
     -device virtio-rng-pci \
     -drive if=none,format=raw,file=${DRIVE},id=hd0 \
-    -device virtio-blk-device,scsi=off,drive=hd0 \
+    -device virtio-blk-pci,drive=hd0 \
     -nographic 

hypervisor/Makefile

@@ -43,8 +43,8 @@ buildroot: setup
 		sed "s@^BR2_TARGET_ROOTFS_EXT2_SIZE=.*@BR2_TARGET_ROOTFS_EXT2_SIZE=\"$(HYPERVISOR_ROOTFS_SIZE)\"@g" -i $(BUILDROOT_WORK_DIR)/.config; \
 		sed "s@^BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=.*@BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=\"$(HYPERVISOR_LINUX_CONFIG)\"@g" -i $(BUILDROOT_WORK_DIR)/.config; \
 		sed "s@^BR2_LINUX_KERNEL_PATCH=.*@BR2_LINUX_KERNEL_PATCH=\"$(HYPERVISOR_LINUX_PATCH)\"@g" -i $(BUILDROOT_WORK_DIR)/.config; \
-		PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" $(MAKE) -s -C $(BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(BUILDROOT_WORK_DIR) CROSS_COMPILE=$(CROSS_COMPILE) BR2_JLEVEL=0 olddefconfig ;\
-		PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" $(MAKE) -s -C $(BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(BUILDROOT_WORK_DIR) BR2_JLEVEL=0 ;\
+		$(MAKE) -s -C $(BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(BUILDROOT_WORK_DIR) CROSS_COMPILE=$(CROSS_COMPILE) BR2_JLEVEL=0 olddefconfig ;\
+		$(MAKE) -s -C $(BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(BUILDROOT_WORK_DIR) BR2_JLEVEL=0 ;\
 	fi
 
 overlay:
@@ -55,11 +55,11 @@ overlay:
 
 dev:
 	sed "s@^BR2_PACKAGE_OVERRIDE_FILE=.*@BR2_PACKAGE_OVERRIDE_FILE=\"$(HYPERVISOR_BUILDROOT_OVERRIDE_DIR)\"@g" -i $(BUILDROOT_WORK_DIR)/.config; \
-	PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" $(MAKE) -s -C $(BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(BUILDROOT_WORK_DIR) BR2_JLEVEL=0 linux-rebuild all
+	$(MAKE) -s -C $(BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(BUILDROOT_WORK_DIR) BR2_JLEVEL=0 linux-rebuild all
 
 rootfs: overlay
 	echo "Generating hypervisor's root filesystem" ;\
-	PATH="$(RISCV_GNU_TOOLCHAIN_WORK_DIR)/bin:$(PATH)" $(MAKE) -s -C $(BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(BUILDROOT_WORK_DIR) rootfs-ext2 
+	$(MAKE) -s -C $(BUILDROOT_SOURCE_DIR) RISCV=$(RISCV_GNU_TOOLCHAIN_WORK_DIR) PATH=$(PATH) O=$(BUILDROOT_WORK_DIR) rootfs-ext2 
 
 clean:
 	rm -rf $(HYPERVISOR_WORK_DIR)

security-monitor/platform/generic/configs/defconfig

@@ -1,16 +1,16 @@
-//CONFIG_FDT_GPIO=y
-//CONFIG_FDT_I2C=y
+# CONFIG_FDT_GPIO=y
+# CONFIG_FDT_I2C=y
 CONFIG_FDT_IPI=y
-//CONFIG_FDT_IRQCHIP=y
-//CONFIG_FDT_IRQCHIP_APLIC=y
+# CONFIG_FDT_IRQCHIP=y
+# CONFIG_FDT_IRQCHIP_APLIC=y
 CONFIG_FDT_IRQCHIP_PLIC=y
-//CONFIG_FDT_REGMAP=y
-//CONFIG_FDT_REGMAP_SYSCON=y
+# CONFIG_FDT_REGMAP=y
+# CONFIG_FDT_REGMAP_SYSCON=y
 CONFIG_FDT_RESET=y
-//CONFIG_FDT_RESET_GPIO=y
-//CONFIG_FDT_RESET_SYSCON=y
+# CONFIG_FDT_RESET_GPIO=y
+# CONFIG_FDT_RESET_SYSCON=y
 CONFIG_FDT_SERIAL=y
 CONFIG_FDT_SERIAL_UART8250=y
 CONFIG_FDT_TIMER=y
 CONFIG_FDT_TIMER_MTIMER=y
-//CONFIG_FDT_TIMER_PLMT=y
+# CONFIG_FDT_TIMER_PLMT=y

security-monitor/src/confidential_flow/control_flow/mod.rs

@@ -87,8 +87,9 @@ impl<'a> ConfidentialFlow<'a> {
             VsEcall(Srst(SystemReset)) => sbi_srst::handle(self),
             VsEcall(_) => invalid_call::handle(self),
             GuestLoadPageFault => guest_load_page_fault::handle(confidential_hart.guest_load_page_fault_request(), self),
+            VirtualInstruction => virtual_instruction_request::handle(confidential_hart.virtual_instruction_request(), self),
             GuestStorePageFault => guest_store_page_fault::handle(confidential_hart.guest_store_page_fault_request(), self),
-            _ => panic!("Bug: Incorrect interrupt delegation configuration"),
+            trap_reason => panic!("Bug: Incorrect interrupt delegation configuration: {:?}", trap_reason),
         }
     }
 

security-monitor/src/confidential_flow/handlers/mod.rs

@@ -21,3 +21,4 @@ pub mod share_page;
 pub mod share_page_result;
 pub mod shutdown_confidential_hart;
 pub mod unshare_page;
+pub mod virtual_instruction_request;

security-monitor/src/confidential_flow/handlers/print_debug_info.rs

@@ -2,7 +2,7 @@
 // SPDX-FileContributor: Wojciech Ozga <woz@zurich.ibm.com>, IBM Research - Zurich
 // SPDX-License-Identifier: Apache-2.0
 use crate::confidential_flow::ConfidentialFlow;
-use crate::core::transformations::{ExposeToConfidentialVm, ExposeToHypervisor, PendingRequest, SbiRequest, SbiResult};
+use crate::core::transformations::{ExposeToConfidentialVm, SbiRequest, SbiResult};
 
 /// Handles a hypercall from a confidential hart to hypervisor.
 pub fn handle(sbi_request: SbiRequest, confidential_flow: ConfidentialFlow) -> ! {

security-monitor/src/confidential_flow/handlers/virtual_instruction_request.rs

@@ -0,0 +1,18 @@
+// SPDX-FileCopyrightText: 2023 IBM Corporation
+// SPDX-FileContributor: Wojciech Ozga <woz@zurich.ibm.com>, IBM Research - Zurich
+// SPDX-License-Identifier: Apache-2.0
+use crate::confidential_flow::ConfidentialFlow;
+use crate::core::transformations::{ExposeToConfidentialVm, VirtualInstructionRequest, VirtualInstructionResult};
+
+const WFI_INSTRUCTION: usize = 0x10500073;
+
+pub fn handle(request: VirtualInstructionRequest, confidential_flow: ConfidentialFlow) -> ! {
+    let transformation = if request.instruction == WFI_INSTRUCTION {
+        ExposeToConfidentialVm::VirtualInstructionResult(VirtualInstructionResult::new(request.instruction_length))
+    } else {
+        // TODO: add support for some CSR manipulation
+        // TODO: for not supported instructions, inject illegal instruction exception to the guest
+        panic!("Not supported virtual instruction: {:x}", request.instruction);
+    };
+    confidential_flow.exit_to_confidential_hart(transformation)
+}

security-monitor/src/core/architecture/mod.rs

@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 pub use riscv::{
     decode_result_register, AceExtension, BaseExtension, FpRegisters, GpRegister, GpRegisters, HartArchitecturalState, HartLifecycleState,
-    HsmExtension, IpiExtension, RfenceExtension, SbiExtension, SrstExtension, TimerExtension, TrapReason,
+    HsmExtension, IpiExtension, RfenceExtension, SbiExtension, SrstExtension, TrapReason,
 };
 
 mod riscv;