[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[RFC PATCH v1 00/26] xen/arm: Initial Arm CCA Realm support

  • To: xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Koichiro Den <den@xxxxxxxxxxxxx>
  • Date: Fri, 15 May 2026 13:07:46 +0900
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=valinux.co.jp; dmarc=pass action=none header.from=valinux.co.jp; dkim=pass header.d=valinux.co.jp; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/s+QH172YUfJAOUDShLUJeRTXERwFlsao3DnYwOTmUo=; b=Y3EB0DeXIYQaDPapMVEcNmN7sxJ1UxDhKvZVQ749AnR7YoIPvSbdASR1SW0mbUGQ+ugNjQ3Hgxl4a5LfIkjXcU+t3N6IjPc3efVTPdhHVOIk8KwNCesn0KdG9ncjqaYviXHByKA6wBZMOB+YpuYCC5kJ0PTKg7wdI49UFyLichjbIP557muRgNGI+ckIgCUZKN9UXCy56ARH8TvUGqa9a/cNZSul4ir6vko3qDXjPL3A/eR3Ooix8DZ6meUmIM687W+m5/LT/2OSPhxE6AwQMTEaknSgRNI6jO9aCDmcTtKDXzwA3s1N98lBjHECiCQejWb7EOSiqojvE5Bq5iNvMA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=GbcqENprtW3a5Mwb+8svrbGWTpFCSK2YFMf+uXqkPTwofeR23X4JMeaJ8/ZKgLKbtNMgVL9GkR4j9TKdr4jgeidBr1PXkaS/LidFnh14ufUrhP5vh7raNFGV0hD/yRi9TC9cP2rLeqwxVV2o4WF1J92EIfgOqG7Voq9biWEjHzvJyektwmmrMszI6joQdWOSqodK4Cx963GAbd1p7edI3EaVSoT8rYbKBdq4fUya+V4PXcKEF7IwOX36nTEpc+pLtCP99d/pA9p3AWlqOsEsOzkC8mpWQ1F516YqaAr1LSV8Jk/tyDJ5qtpxYS+TC4HC6aYnXfm8QmmusQurbiuTmw==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=valinux.co.jp header.i="@valinux.co.jp" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=valinux.co.jp;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
  • Delivery-date: Fri, 15 May 2026 04:08:39 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
Hi,

This RFC adds the first Xen pieces needed to run an Arm PVH DomU as a CCA
Realm guest on Arm RME systems. It targets the RMI v2.0 ABI described by
DEN0137 2.0-bet1 (https://developer.arm.com/documentation/den0137/2-0bet1).

The scope is intentionally narrow. The series boots a small Realm guest and
exercises the Realm lifecycle, REC entry, basic MMIO exits, PSCI, RIPAS
changes and a local attestation smoke test. It is not complete Arm CCA
support.


Preface
=======

This work was prepared independently, using public Arm CCA material as the
reference point: the RMM architecture specification, the public TF-RMM v2.0
PoC branch, and the public Arm/KVM CCA series.

I expect this series to need further respins while TF-RMM v2.0 and the KVM
CCA support, v14 at the time of writing, continue to settle. Some choices
here follow the current public PoC code rather than a tagged TF-RMM v2.0
release.

Review from people familiar with Arm CCA, RMM and the KVM CCA work would be
much appreciated. I would be especially grateful if someone from Arm could
help sanity-check the RMI/RMM assumptions, even informally.

Developed and tested with the following component revisions:
  * TF-RMM:
    commit 3340667a291a
    topics/rmm-v2.0-poc_2 branch tip as of 2026-05-14
    
https://git.trustedfirmware.org/plugins/gitiles/TF-RMM/tf-rmm.git/+/3340667a291acd5722cb45d05135d7aa15174b25
  * TF-A [1]:
    commit 7ad4b5ed31e3
    
https://git.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a.git/+/7ad4b5ed31e33dca21dd4d2f4a9f64f9b7d4db85
  * Arm FVP:
    FVP_Base_RevC-2xAEMvA 11.30_27
  * vanilla Linux v7.0 for both Dom0 and the Realm guest.

A runnable demo workspace is here:
https://gitlab.com/cca-for-xen-demo/cca-stack-xen-demo

The tested path is:
  * boot Xen and Dom0 on the Arm FVP Base RevC AEMvA RME model
  * create a Realm guest through toolstack
  * boot a Linux Realm guest
  * attach to the current debug vUART
  * run a local Realm attestation smoke test
  * shut the Realm guest down and relinquish the Realm resources

[1] 
https://lists.trustedfirmware.org/archives/list/tf-a@xxxxxxxxxxxxxxxxxxxxxxxxx/message/NL63OIIDQVFGQ4TFXY7TNZS43TLLIKXD/

Overview
========

The series contains:

  * RMI v2.0 ABI definitions and SMCCC wrappers.
  * Realm domain and vCPU state.
  * Realm-owned granule tracking for RD, RTT, DATA and REC pages, plus REC
    auxiliary pages donated through SRO.
  * Host RAM tracking checks and GPT L1 setup before Xen creates Realms.
  * Stateful RMI Operation helpers for RMM, Realm and REC lifecycle commands.
  * Realm construction:
      - RMI_REALM_CREATE
      - RTT creation
      - DATA mapping with measured initial contents
      - REC creation
      - RMI_REALM_ACTIVATE
  * Realm relinquish and teardown:
      - RMI_REALM_TERMINATE
      - DATA unmap
      - RTT destroy
      - REC destroy and SRO reclaim of auxiliary pages
      - RMI_REALM_DESTROY
  * A dedicated REC execution path based on RMI_REC_ENTER.
  * Minimal REC exit handling for:
      - interrupt exits returning control to Xen
      - PSCI
      - WFI/WFE
      - RIPAS change
      - emulatable Data Abort MMIO
      - selected GICv3 sysreg exits
      - simple timer state handoff around Realm entry and exit.
  * A domctl used by libxl to finalize Realm construction.
  * A libxl/xl option, realm=true, for Arm PVH guests.


Current scope and limitations
=============================

The initial support is intentionally minimally-scoped:

  * No Dom0less Realm launch at Xen boot
  * No Xen PV interfaces for Realm guests
  * No device assignment or VDEV/VSMMU handling
  * No Multi-Plane Realms
  * No Realm LPA2, so the Realm IPA size is limited to 48 bits
  * No Realm SVE or Realm PMU
  * No selectable Live Firmware Activation policy
  * Shared MEC policy only
  * Fixed zero Realm Personalization Value
  * No guest RAM outside the first Arm guest RAM bank
  * No S2AP change handling through RMI_RTT_SET_S2AP
  * No Host call exits
  * No frontend/backend devices, virtio, or Xen grant mappings for Realm guests
  * No ACPI Realm guests
  * No non-4KB RMI granule or non-1GB tracking-region configurations
  * No shared-memory mappings through RMI_RTT_UNPROT_MAP and
    RMI_RTT_UNPROT_UNMAP
  * No hardware-backed vIRQ deactivation in the ICC_DIR_EL1 emulation path
  * No production-safe replacement for the current clear-text debug VUART.

The debug VUART is Kconfig-gated and host-visible. It is only a debug path,
not a confidential Realm I/O path.

Realm creation is intended to be libxl-driven in this RFC. libxl rejects
Realm guests whose RAM does not fit in the first Arm guest RAM bank, and
passes that single first-bank RAM range to Xen for Realm conversion.

The current Linux v7.0 Realm guest code used for testing does not issue
RSI_MEM_SET_PERM_INDEX, so the missing S2AP change flow is not exercised by
the tested boot and attestation path.

Two implementation details are worth mentioning. Initial Realm RAM
population measures every populated DATA granule. There is no
measured-range interface yet. Xen also tracks up to 64 accepted donation
pages for one memory-transferring SRO. That is a Xen implementation cap,
not an RMI limit.

Device assignment is separate work. The tested TF-RMM revision already has
some PDEV, VDEV and PSMMU code. Xen simply does not create those objects,
enable Realm DA in RmiRealmParams, or handle the related REC exits yet.


Best regards,
Koichiro


Koichiro Den (26):
  xen/arm/cca: add RMI v2.0 ABI definitions
  xen/arm/cca: add RMI v2.0 SMCCC core wrappers
  xen/arm/cca: add RMI v2.0 lifecycle wrappers
  xen/arm/cca: add Realm domain and vCPU state
  xen/arm/cca: track Realm-owned granules
  xen/arm/cca: add Realm granule helpers
  xen/arm/cca: initialize the RMM and Realm parameters
  xen/arm/cca: add shared SRO helpers
  xen/arm: vpl011: expose VPL011 presence to Arm code
  xen/arm/cca: add Realm relinquish entry point
  xen/arm/cca: terminate and destroy Realms on relinquish
  xen/arm/cca: tear down Realm DATA and RTT granules
  xen/arm/cca: destroy RECs during Realm relinquish
  xen/arm/cca: validate Realm construction inputs
  xen/arm/cca: create Realm descriptors
  xen/arm/cca: build Realm RTTs
  xen/arm/cca: populate Realm DATA granules
  xen/arm/cca: create RECs and activate Realms
  xen/arm: io: add register-backed MMIO emulation helpers
  xen/arm: vgic-v3: expose SGI emulation for Realm exits
  xen/arm/cca: add Realm vCPU timer state
  xen/arm/cca: add Realm REC enter path
  xen/arm/cca: handle Realm RIPAS and GIC sysreg exits
  xen/arm, tools: add domctl for Realm finalization
  libxl/arm: add and validate Realm guest support
  docs: arm: add an Arm CCA Realm guest guide

 docs/hypervisor-guide/arm/cca-realm.rst |   83 ++
 docs/hypervisor-guide/arm/index.rst     |    1 +
 docs/man/xl.cfg.5.pod.in                |   46 +-
 tools/flask/policy/modules/xen.if       |    1 +
 tools/include/libxl.h                   |    5 +
 tools/include/xenctrl.h                 |   12 +
 tools/libs/ctrl/xc_domain.c             |   37 +
 tools/libs/light/libxl_arm.c            |  140 ++-
 tools/libs/light/libxl_create.c         |    2 +
 tools/libs/light/libxl_types.idl        |    1 +
 tools/xl/xl_parse.c                     |    2 +
 xen/arch/arm/Kconfig                    |   25 +
 xen/arch/arm/Makefile                   |    1 +
 xen/arch/arm/cca/Makefile               |    7 +
 xen/arch/arm/cca/build.c                | 1131 +++++++++++++++++++++++
 xen/arch/arm/cca/granule.c              |  150 +++
 xen/arch/arm/cca/realm.c                |  191 ++++
 xen/arch/arm/cca/rec.c                  |  965 +++++++++++++++++++
 xen/arch/arm/cca/rmi-abi.h              |  433 +++++++++
 xen/arch/arm/cca/rmi.c                  |  441 +++++++++
 xen/arch/arm/cca/rmi.h                  |  214 +++++
 xen/arch/arm/cca/sro.c                  |  485 ++++++++++
 xen/arch/arm/cca/sro.h                  |   25 +
 xen/arch/arm/cca/state.c                |  470 ++++++++++
 xen/arch/arm/domain.c                   |   32 +-
 xen/arch/arm/domctl.c                   |   60 ++
 xen/arch/arm/include/asm/arm64/hsr.h    |    1 +
 xen/arch/arm/include/asm/cca.h          |  137 +++
 xen/arch/arm/include/asm/domain.h       |   16 +
 xen/arch/arm/include/asm/hsr.h          |    4 +
 xen/arch/arm/include/asm/mmio.h         |   11 +
 xen/arch/arm/include/asm/vgic.h         |   10 +
 xen/arch/arm/include/asm/vpl011.h       |    5 +
 xen/arch/arm/io.c                       |   99 +-
 xen/arch/arm/vgic-v3.c                  |    4 +-
 xen/arch/arm/vpl011.c                   |    5 +
 xen/include/public/domctl.h             |   12 +
 xen/xsm/flask/hooks.c                   |    3 +
 xen/xsm/flask/policy/access_vectors     |    2 +
 39 files changed, 5221 insertions(+), 48 deletions(-)
 create mode 100644 docs/hypervisor-guide/arm/cca-realm.rst
 create mode 100644 xen/arch/arm/cca/Makefile
 create mode 100644 xen/arch/arm/cca/build.c
 create mode 100644 xen/arch/arm/cca/granule.c
 create mode 100644 xen/arch/arm/cca/realm.c
 create mode 100644 xen/arch/arm/cca/rec.c
 create mode 100644 xen/arch/arm/cca/rmi-abi.h
 create mode 100644 xen/arch/arm/cca/rmi.c
 create mode 100644 xen/arch/arm/cca/rmi.h
 create mode 100644 xen/arch/arm/cca/sro.c
 create mode 100644 xen/arch/arm/cca/sro.h
 create mode 100644 xen/arch/arm/cca/state.c
 create mode 100644 xen/arch/arm/include/asm/cca.h

-- 
2.51.0

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.