From: "Sami Mujawar" <sami.mujawar@arm.com>
To: devel@edk2.groups.io
Subject: [edk2-devel] [PATCH v2 00/45] Support for Arm CCA guest firmware
Date: Fri, 12 Apr 2024 16:13:36 +0100
Message-ID: <20240412151341.16488-1-sami.mujawar@arm.com>

This v2 series enables the Arm Confidential Compute Architecture (CCA) support for the Kvmtool guest firmware and is aligned with the ARM CCA RMM 1.0-eac5 specification.
The feedback received for the RFC v1 series has been addressed in this series, and the intention is to integrate the Arm CCA support in ArmVirtPkg and enable the guest firmware support for Realms.

Summary of updates in this v2 Series:
----------------------------------------
1. Variable emulation support patches that were part of the v1 series are already merged, hence dropped from this series.
2. SetMemoryRegionAttributes() was dropped in the upstream code. Therefore, SetMemoryProtectionAttribute() was introduced to configure the top bit of the Realm IPA space, which is used as the protection bit.
3. The patch to add the APRIORI Dxe ArmCcaDxe has been dropped.
4. Dropped the patch that configured PcdMonitorConduitHvc as a dynamic PCD, and introduced ArmVirtMonitorLib, a new instance of the ArmMonitorLib that reads the conduit to be used from the FDT.
5. Bug fixes to correct the size of the IMM field in the RSI Host Call arguments, and to correct the RSI Version mask.
6. Patches 32 to 43 include updates to the firmware support for RMM specification v1.0-EAC5.
7. Minor optimisations, e.g. caching the current world value.

Introduction
============

Arm Confidential Compute Architecture (CCA)
-------------------------------------------
Arm CCA is a reference software architecture and implementation that builds on the Realm Management Extension (RME), enabling the execution of Virtual Machines (VMs) while preventing access by more privileged software, such as the hypervisor. Arm CCA allows the hypervisor to control the VM, but removes its right to access the code, register state or data used by the VM. More information on the architecture is available here [1].
[ASCII diagram of the Arm CCA worlds, not recoverable after extraction. It shows, side by side: the Realm World with a Realm VM (Guest OS running on the Realm Guest UEFI) at EL0/EL1 and the RMM at EL2, with the RSI path from the Realm to the RMM; the Normal World with a VM at EL0/EL1, the Host OS and the Host UEFI at EL2, reaching the RMM via SMC; the Secure World; and the Root World with the EL3 Firmware, connected to the RMM via the RMI.]

Where:
  RMM - Realm Management Monitor
  RMI - Realm Management Interface
  RSI - Realm Service Interface
  SMC - Secure Monitor Call

RME introduces two additional worlds, "Realm world" and "Root World", in addition to the traditional Secure world and Normal world. The Arm CCA defines a new component, the Realm Management Monitor (RMM), that runs at R-EL2. This is a standard piece of firmware, verified, installed and loaded by the EL3 firmware (e.g., TF-A) at system boot. The RMM provides a standard interface, the Realm Management Interface (RMI), to the Normal world hypervisor to manage the VMs running in the Realm world (also called Realms). These are exposed via SMC and are routed through the EL3 firmware. The RMM also provides certain services to the Realms via SMC, called the Realm Service Interface (RSI).
These include:
- Realm Guest Configuration
- Attestation & Measurement services
- Managing the state of an Intermediate Physical Address (IPA aka GPA) page
- Host Call service (communication with the Normal world Hypervisor)

This patch series aligns with the RMM *v1.0-eac5* specification, and the latest version is available here [2]. The Trusted Firmware foundation has an implementation of the RMM - TF-RMM - available here [4].

Implementation
==============
This version of the Realm Guest UEFI firmware is intended to be used with the Linux Kernel stack [7], which is also based on the RMM specification v1.0-eac5 [3].

This release includes the following features:
a) Boot a Linux Kernel in a Realm VM using the Realm Guest UEFI firmware
b) Hardware description is provided using ACPI tables
c) Support for Virtio v1.0
d) All I/O is treated as non-secure/shared
e) Load the Linux Kernel and RootFS from a Virtio attached disk using the Virtio-1.0 PCIe transport

Overview of updates for enabling Arm CCA
----------------------------------------
The Arm CCA implementation is spread across a number of libraries that provide the required functionality during the various phases of the firmware boot. The following libraries have been provided:
i.   ArmCcaInitPeiLib - A library that implements the hook functions in the PEI phase
ii.  ArmCcaLib - A library that implements common functions, like checking if the RME extension is implemented and configuring the Protection attribute for memory regions
iii. ArmCcaRsiLib - A library that implements the Realm Service Interface functions

A NULL implementation of ArmCcaInitPeiLib and ArmCcaLib is also provided for platforms that do not implement the RME extensions.

Additionally, the following DXE modules have been provided to implement the required functionality in the DXE phase:
i.  RealmApertureManagementProtocolDxe - A DXE that implements the Realm Aperture Management Protocol, used to manage the sharing of buffers in a Realm with the Host
ii. ArmCcaIoMmuDxe - A driver which implements the EDKII_IOMMU_PROTOCOL, providing the necessary hooks so that DMA operations can be performed by bouncing buffers through pages shared with the Host

Arm CCA updates in PEI phase
----------------------------
For supporting Arm CCA, two hooks have been added in the PrePi module:
i.  An early hook to configure the System Memory as Protected RAM
ii. A second hook, after the MMU is initialised, to perform the remaining CCA initialisations, like reading the Realm Config to determine the IPA width of the realm, configuring the Protection attribute for the MMIO regions, etc.

These hook functions are implemented in ArmCcaInitPeiLib. A NULL version of the library has also been provided for implementations that do not have the RME extensions.

Additionally, the ArmVirtMemInfoLib has been updated to implement a platform specific hook function, ArmCcaConfigureMmio(), that can configure the protection attribute for the MMIO regions for the platform.

  +=====+
  |PrePi|
  +=====+
     |
     _ModuleEntryPoint()
     ===================
     |
     DiscoverDramFromDt()
     |
     +--> ArmCcaInitPeiLib|ArmCcaConfigureSystemMemory()
     |    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     |    // configure System Memory as Protected RAM.
     |
     ...
     |
     CEntryPoint()
     |
     PrePiMain()
     ===========
     |
     ...
     |
     ProcessLibraryConstructorList()
     |
     MemoryPeim()
     |
     ArmCcaInitPeiLib|ArmCcaInitialize()      // Perform Arm CCA initialisations,
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     // like reading the Realm Config, etc.
     |
     ArmVirtMemInfoLib|ArmCcaConfigureMmio()  // Configure Protection attribute
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  // for the MMIO region.
     |
     ...
     |
  +===+
  |DXE|
  +===+

Building the UEFI firmware
============================
a. Set up the development environment
   Follow the steps as described in https://github.com/tianocore/edk2-platforms/blob/master/Platform/ARM/Readme.md
b.
   The source code for the Host and Realm Guest firmware can be downloaded from [12].
c. Building the Host UEFI firmware for FVP Base RevC AEM Model
   Follow the instructions in https://github.com/tianocore/edk2-platforms/blob/master/Platform/ARM/Readme.md to "Build the firmware for Arm FVP Base AEMv8A-AEMv8A model platform" based on your development environment configuration.
   Note: The same firmware binary can be used for both the Arm FVP Base AEMv8A-AEMv8A and the FVP Base RevC AEM Model.
d. Building the Realm Guest UEFI firmware for kvmtool:
   To build the kvmtool guest firmware, run the following commands:
     $ build -a AARCH64 -t GCC5 -p ArmVirtPkg/ArmVirtKvmTool.dsc -b DEBUG
     $ build -a AARCH64 -t GCC5 -p ArmVirtPkg/ArmVirtKvmTool.dsc -b RELEASE
   The Kvmtool guest firmware binaries are at the following location:
     $WORKSPACE/Build/ArmVirtKvmTool-AARCH64/_GCC5/FV/KVMTOOL_EFI.fd

Running the stack
====================
To run/test the stack, you would need the following components:
i.   FVP Base AEM RevC model with FEAT_RME support [5]
ii.  TF-A firmware for EL3 [6]
iii. TF-A RMM for R-EL2 [4]
iv.  Linux Kernel [7]
v.   kvmtool [8]
vi.  UEFI Firmware for Arm CCA [12]

Instructions for building the remaining firmware components and running the model are available here [10].

Once the host kernel has finished booting, a Realm can be launched by invoking the `lkvm` command as follows:

  $ lkvm run --realm \
      --restricted_mem \
      --measurement-algo=["sha256", "sha512"] \
      --firmware KVMTOOL_EFI.fd \
      -m 512 \
      --irqchip=gicv3-its \
      --force-pci \
      --disk

Where:
* --measurement-algo (Optional) specifies the algorithm selected for creating the initial measurements by the RMM for this Realm (defaults to sha256)
* GICv3 is mandatory for the Realms
* --force-pci is required as only the Virtio-v1.0 PCIe transport is supported.
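As an added illustration, not code from this series, the following C models two mechanisms the cover letter describes: the top bit of the Realm IPA space acting as the protection bit (what SetMemoryProtectionAttribute() configures), and the bounce-buffer DMA that ArmCcaIoMmuDxe performs through pages shared with the Host. ProtectionBitMask, SharedAlias, DmaMap and DmaUnmap are hypothetical names; the heap stands in for a shared page, and the IPA width and addresses are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The top bit of the Realm IPA space (bit IpaWidth-1) is the protection bit:
 * clear = protected, private to the Realm; set = unprotected, shared with the
 * Host. IpaWidth is assumed to be the value read from the Realm Config. */
static uint64_t ProtectionBitMask(unsigned IpaWidth)
{
  return (uint64_t)1 << (IpaWidth - 1);
}

static bool IsProtectedIpa(uint64_t Ipa, unsigned IpaWidth)
{
  return (Ipa & ProtectionBitMask(IpaWidth)) == 0;
}

/* Unprotected alias of a protected IPA: same address, protection bit set.
 * This is the address a device doing shared I/O must be given. */
static uint64_t SharedAlias(uint64_t Ipa, unsigned IpaWidth)
{
  return Ipa | ProtectionBitMask(IpaWidth);
}

typedef enum { BusMasterRead, BusMasterWrite } DmaOp;

/* One bounce-buffer mapping, modelled on an IOMMU Map()/Unmap() pair. */
typedef struct {
  uint8_t  *HostBuffer;    /* caller's buffer, in protected RAM */
  uint8_t  *Bounce;        /* page shared with the Host (simulated: heap) */
  size_t    Length;
  DmaOp     Op;
  uint64_t  DeviceAddress; /* shared alias handed to the device */
} DmaMapping;

/* Map: obtain a bounce page (in a real Realm it is made shared through the
 * Realm Aperture Management Protocol; here the heap plus a constructed IPA
 * stand in), copy data in for BusMasterRead, return the alias the device uses. */
static int DmaMap(uint8_t *HostBuffer, size_t Length, DmaOp Op,
                  uint64_t BounceIpa, unsigned IpaWidth, DmaMapping *M)
{
  if (HostBuffer == NULL || M == NULL || Length == 0 || IpaWidth < 2 || IpaWidth > 64) return -1;
  /* The page must start out Realm-private; reject an IPA already carrying the bit. */
  if (!IsProtectedIpa(BounceIpa, IpaWidth)) return -1;
  M->Bounce = calloc(Length, 1);
  if (M->Bounce == NULL) return -1;
  M->HostBuffer = HostBuffer;
  M->Length = Length;
  M->Op = Op;
  M->DeviceAddress = SharedAlias(BounceIpa, IpaWidth);
  if (Op == BusMasterRead) memcpy(M->Bounce, HostBuffer, Length);
  return 0;
}

/* Unmap: copy device-written data back for BusMasterWrite, then scrub the
 * shared page before releasing it so no Realm data lingers in Host-visible memory. */
static void DmaUnmap(DmaMapping *M)
{
  if (M == NULL || M->Bounce == NULL) return;
  if (M->Op == BusMasterWrite) memcpy(M->HostBuffer, M->Bounce, M->Length);
  memset(M->Bounce, 0, M->Length);
  free(M->Bounce);
  M->Bounce = NULL;
  M->DeviceAddress = 0;
}

/* Round trip for a device write: the "device" DMAs a constructed payload into
 * the shared page, and after Unmap the private buffer holds it. 0 = success. */
static int DeviceWriteRoundTrip(void)
{
  uint8_t Buf[8] = {0};
  DmaMapping M;
  if (DmaMap(Buf, sizeof Buf, BusMasterWrite, 0x40000000ULL, 40, &M) != 0) return -1;
  if (M.DeviceAddress != 0x8040000000ULL) return -2;  /* 0x40000000 | (1 << 39) */
  memcpy(M.Bounce, "virtio!!", 8);  /* simulated device write to the shared page */
  DmaUnmap(&M);
  return memcmp(Buf, "virtio!!", 8) == 0 ? 0 : -3;
}
```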
Links
============
[1] Arm CCA Landing page (See Key Resources section for various documentation)
    https://www.arm.com/armcca
[2] RMM Specification Latest
    https://developer.arm.com/documentation/den0137/latest
[3] RMM v1.0-eac5 specification
    https://developer.arm.com/documentation/den0137/1-0eac5
[4] Trusted Firmware RMM - TF-RMM
    https://www.trustedfirmware.org/projects/tf-rmm/
    GIT: https://git.trustedfirmware.org/TF-RMM/tf-rmm.git
    TAG: rmm-spec-v1.0-eac5
[5] FVP Base RevC AEM Model (available on x86_64 / Arm64 Linux)
    https://developer.arm.com/Tools%20and%20Software/Fixed%20Virtual%20Platforms
[6] Trusted Firmware for A class
    https://www.trustedfirmware.org/projects/tf-a/
[7] Linux kernel support for Arm-CCA
    https://gitlab.arm.com/linux-arm/linux-cca
    KVM Support branch: cca-host/v2
    Linux Guest branch: cca-guest/v2
    Full stack branch: cca-full/v2
[8] kvmtool support for Arm CCA
    https://gitlab.arm.com/linux-arm/kvmtool-cca
    Branch: cca/v2
[9] kvm-unit-tests support for Arm CCA
    https://gitlab.arm.com/linux-arm/kvm-unit-tests-cca
    Branch: cca/v2
[10] Instructions for Building Firmware components and running the model, see section 4.19.2 "Building and running TF-A with RME"
    https://trustedfirmware-a.readthedocs.io/en/latest/components/realm-management-extension.html#building-and-running-tf-a-with-rme
[11] RFC V1 series posted previously for adding support for Arm CCA guest firmware:
    https://edk2.groups.io/g/devel/message/103581
[12] UEFI Firmware support for Arm CCA Host & Guest Support:
    - Repo:
      edk2: https://gitlab.arm.com/linux-arm/edk2-cca
      edk2-platforms: https://gitlab.arm.com/linux-arm/edk2-platforms-cca
    - Branch: 2865_arm_cca_v2
    - URLs:
      edk2: https://gitlab.arm.com/linux-arm/edk2-cca/-/tree/2865_arm_cca_v2
      edk2-platforms: https://gitlab.arm.com/linux-arm/edk2-platforms-cca/-/tree/2865_arm_cca_v2

Sami Mujawar (45):
  ArmPkg: Add helper function to detect RME
  ArmPkg: Introduce SetMemoryProtectionAttribute() for Realms
  ArmPkg: Extend number of parameter registers in SMC call
  ArmVirtPkg: Add Arm CCA Realm Service Interface Library
  ArmVirtPkg: ArmCcaRsiLib: Add interfaces to manage the Realm IPA state
  ArmVirtPkg: ArmCcaRsiLib: Add an interface to get an attestation token
  ArmVirtPkg: ArmCcaRsiLib: Add interfaces to get/extend REMs
  ArmVirtPkg: ArmCcaRsiLib: Add an interface to make a RSI Host Call
  ArmVirtPkg: Define a GUID HOB for IPA width of a Realm
  ArmVirtPkg: Add library for Arm CCA initialisation in PEI
  ArmVirtPkg: Add NULL instance of ArmCcaInitPeiLib
  ArmVirtPkg: Add library for Arm CCA helper functions
  ArmVirtPkg: Add Null instance of ArmCcaLib
  ArmVirtPkg: Define an interface to configure MMIO regions for Arm CCA
  ArmVirtPkg: CloudHv: Add a NULL implementation of ArmCcaConfigureMmio
  ArmVirtPkg: Qemu: Add a NULL implementation of ArmCcaConfigureMmio
  ArmVirtPkg: Xen: Add a NULL implementation of ArmCcaConfigureMmio
  ArmVirtPkg: Configure the MMIO regions for Arm CCA
  ArmVirtPkg: Kvmtool: Use Null version of DebugLib in PrePi
  ArmVirtPkg: Introduce ArmVirtMonitorLib library
  ArmVirtPkg: Kvmtool: Use ArmVirt instance of ArmMonitorLib
  ArmVirtPkg: Add Arm CCA libraries for Kvmtool guest firmware
  ArmVirtPkg: Arm CCA configure system memory in early Pei
  ArmVirtPkg: Perform Arm CCA initialisation in the Pei phase
  ArmVirtPkg: Introduce Realm Aperture Management Protocol
  ArmVirtPkg: IoMMU driver to DMA from Realms
  ArmVirtPkg: Enable Virtio communication for Arm CCA
  MdePkg: Warn if AArch64 RNDR instruction is not supported
  ArmVirtPkg: Kvmtool: Switch to use BaseRng for AArch64
  ArmVirtPkg: ArmCcaRsiLib: Fix incorrect RSI version masks
  ArmVirtPkg: ArmCcaRsiLib: Fix size of Imm field in HostCallArgs
  ArmVirtPkg: RMM 1.0-bet1 - Update width of RSI host call struct
  ArmVirtPkg: RMM 1.0-bet2 - Increase number of RSI host call args
  ArmVirtPkg: RMM 1.0-eac0 - Update RsiSetIpaState parameter usage
  ArmVirtPkg: RMM 1.0-eac1 - Relax alignment of RSI host call arg
  ArmVirtPkg: RMM 1.0-eac2 - Update RsiRealmConfig structure
  ArmVirtPkg: RMM 1.0-eac2 - Add RIPAS DESTROYED state
  ArmVirtPkg: RMM 1.0-eac2 - Add RsiRipasChangeFlags definitions
  ArmVirtPkg: RMM 1.0-eac2 - Add Flags to RsiSetIpaState()
  ArmVirtPkg: RMM 1.0-eac3 - Handle RsiSetIpaState() response
  ArmVirtPkg: RMM 1.0-eac4 - Add RSI Features support
  ArmVirtPkg: RMM 1.0-eac5 - Attestation token API updates
  ArmVirtPkg: RMM 1.0-eac5 - Update RSI Version support
  ArmVirtPkg: ArmCcaLib: Cache current world value
  ArmVirtPkg: ArmCcaIoMmu: Provide an implementation for SetAttribute

 ArmPkg/Include/Chipset/AArch64.h                                                     |   3 +-
 ArmPkg/Include/Library/ArmLib.h                                                      |  15 +-
 ArmPkg/Include/Library/ArmMmuLib.h                                                   |  55 ++
 ArmPkg/Include/Library/ArmSmcLib.h                                                   |  50 +-
 ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c                                           |  16 +-
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c                                     |  90 ++
 ArmPkg/Library/ArmSmcLib/AArch64/ArmSmc.S                                            |  22 +-
 ArmVirtPkg/ArmCcaIoMmuDxe/ArmCcaIoMmu.c                                              | 872 ++++++++++++++++++++
 ArmVirtPkg/ArmCcaIoMmuDxe/ArmCcaIoMmu.h                                              |  66 ++
 ArmVirtPkg/ArmCcaIoMmuDxe/ArmCcaIoMmuDxe.c                                           |  59 ++
 ArmVirtPkg/ArmCcaIoMmuDxe/ArmCcaIoMmuDxe.inf                                         |  45 +
 ArmVirtPkg/ArmVirt.dsc.inc                                                           |   6 +-
 ArmVirtPkg/ArmVirtKvmTool.dsc                                                        |  26 +-
 ArmVirtPkg/ArmVirtKvmTool.fdf                                                        |  10 +
 ArmVirtPkg/ArmVirtPkg.dec                                                            |   7 +
 ArmVirtPkg/Include/Library/ArmCcaInitPeiLib.h                                        |  49 ++
 ArmVirtPkg/Include/Library/ArmCcaLib.h                                               | 114 +++
 ArmVirtPkg/Include/Library/ArmCcaRsiLib.h                                            | 376 +++++++++
 ArmVirtPkg/Include/Library/ArmVirtMemInfoLib.h                                       |  19 +-
 ArmVirtPkg/Include/Protocol/RealmApertureManagementProtocol.h                        | 103 +++
 ArmVirtPkg/Library/ArmCcaInitPeiLib/ArmCcaInitPeiLib.c                               | 117 +++
 ArmVirtPkg/Library/ArmCcaInitPeiLib/ArmCcaInitPeiLib.inf                             |  39 +
 ArmVirtPkg/Library/ArmCcaInitPeiLibNull/ArmCcaInitPeiLibNull.c                       |  59 ++
 ArmVirtPkg/Library/ArmCcaInitPeiLibNull/ArmCcaInitPeiLibNull.inf                     |  27 +
 ArmVirtPkg/Library/ArmCcaLib/ArmCcaLib.c                                             | 184 +++++
 ArmVirtPkg/Library/ArmCcaLib/ArmCcaLib.inf                                           |  34 +
 ArmVirtPkg/Library/ArmCcaLibNull/ArmCcaLibNull.c                                     | 117 +++
 ArmVirtPkg/Library/ArmCcaLibNull/ArmCcaLibNull.inf                                   |  28 +
 ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsi.h                                          |  59 ++
 ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsiLib.c                                       | 744 +++++++++++++++++
 ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsiLib.inf                                     |  29 +
 ArmVirtPkg/Library/ArmVirtMonitorLib/ArmVirtMonitorLib.c                             | 119 +++
 ArmVirtPkg/Library/ArmVirtMonitorLib/ArmVirtMonitorLib.inf                           |  37 +
 ArmVirtPkg/Library/CloudHvVirtMemInfoLib/CloudHvVirtMemInfoLib.c                     |  22 +-
 ArmVirtPkg/Library/KvmtoolVirtMemInfoLib/KvmtoolVirtMemInfoLib.c                     |  39 +-
 ArmVirtPkg/Library/KvmtoolVirtMemInfoLib/KvmtoolVirtMemInfoLib.inf                   |   3 +-
 ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoLib.c                           |  21 +
 ArmVirtPkg/Library/XenVirtMemInfoLib/XenVirtMemInfoLib.c                             |  21 +
 ArmVirtPkg/PrePi/AArch64/ModuleEntryPoint.S                                          |   6 +-
 ArmVirtPkg/PrePi/ArmVirtPrePiUniCoreRelocatable.inf                                  |   3 +-
 ArmVirtPkg/PrePi/PrePi.c                                                             |   8 +
 ArmVirtPkg/RealmApertureManagementProtocolDxe/RealmApertureManagementProtocolDxe.c   | 660 +++++++++++++++
 ArmVirtPkg/RealmApertureManagementProtocolDxe/RealmApertureManagementProtocolDxe.inf |  48 ++
 MdePkg/Library/BaseRngLib/AArch64/Rndr.c                                             |  10 +-
 44 files changed, 4409 insertions(+), 28 deletions(-)
 create mode 100644 ArmVirtPkg/ArmCcaIoMmuDxe/ArmCcaIoMmu.c
 create mode 100644 ArmVirtPkg/ArmCcaIoMmuDxe/ArmCcaIoMmu.h
 create mode 100644 ArmVirtPkg/ArmCcaIoMmuDxe/ArmCcaIoMmuDxe.c
 create mode 100644 ArmVirtPkg/ArmCcaIoMmuDxe/ArmCcaIoMmuDxe.inf
 create mode 100644 ArmVirtPkg/Include/Library/ArmCcaInitPeiLib.h
 create mode 100644 ArmVirtPkg/Include/Library/ArmCcaLib.h
 create mode 100644 ArmVirtPkg/Include/Library/ArmCcaRsiLib.h
 create mode 100644 ArmVirtPkg/Include/Protocol/RealmApertureManagementProtocol.h
 create mode 100644 ArmVirtPkg/Library/ArmCcaInitPeiLib/ArmCcaInitPeiLib.c
 create mode 100644 ArmVirtPkg/Library/ArmCcaInitPeiLib/ArmCcaInitPeiLib.inf
 create mode 100644 ArmVirtPkg/Library/ArmCcaInitPeiLibNull/ArmCcaInitPeiLibNull.c
 create mode 100644 ArmVirtPkg/Library/ArmCcaInitPeiLibNull/ArmCcaInitPeiLibNull.inf
 create mode 100644 ArmVirtPkg/Library/ArmCcaLib/ArmCcaLib.c
 create mode 100644 ArmVirtPkg/Library/ArmCcaLib/ArmCcaLib.inf
 create mode 100644 ArmVirtPkg/Library/ArmCcaLibNull/ArmCcaLibNull.c
 create mode 100644 ArmVirtPkg/Library/ArmCcaLibNull/ArmCcaLibNull.inf
 create mode 100644 ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsi.h
 create mode 100644 ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsiLib.c
 create mode 100644 ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsiLib.inf
 create mode 100644 ArmVirtPkg/Library/ArmVirtMonitorLib/ArmVirtMonitorLib.c
 create mode 100644 ArmVirtPkg/Library/ArmVirtMonitorLib/ArmVirtMonitorLib.inf
 create mode 100644 ArmVirtPkg/RealmApertureManagementProtocolDxe/RealmApertureManagementProtocolDxe.c
 create mode 100644 ArmVirtPkg/RealmApertureManagementProtocolDxe/RealmApertureManagementProtocolDxe.inf

-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'

View/Reply Online (#117716): https://edk2.groups.io/g/devel/message/117716