From: Marc Zyngier <maz@kernel.org>
To: Steven Price <steven.price@arm.com>
Cc: kvm@vger.kernel.org, kvmarm@lists.linux.dev,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>, James Morse <james.morse@arm.com>,
Oliver Upton <oliver.upton@linux.dev>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Zenghui Yu <yuzenghui@huawei.com>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, Joey Gouly <joey.gouly@arm.com>,
Alexandru Elisei <alexandru.elisei@arm.com>,
Christoffer Dall <christoffer.dall@arm.com>,
Fuad Tabba <tabba@google.com>,
linux-coco@lists.linux.dev,
Ganapatrao Kulkarni <gankulkarni@os.amperecomputing.com>,
Gavin Shan <gshan@redhat.com>,
Shanker Donthineni <sdonthineni@nvidia.com>,
Alper Gun <alpergun@google.com>,
"Aneesh Kumar K . V" <aneesh.kumar@kernel.org>,
Emi Kisanuki <fj0570is@fujitsu.com>,
Vishal Annapurve <vannapurve@google.com>
Subject: Re: [PATCH v12 20/46] arm64: RMI: Allow populating initial contents
Date: Mon, 02 Mar 2026 14:56:24 +0000 [thread overview]
Message-ID: <86qzq28elj.wl-maz@kernel.org> (raw)
In-Reply-To: <20251217101125.91098-21-steven.price@arm.com>
On Wed, 17 Dec 2025 10:10:57 +0000,
Steven Price <steven.price@arm.com> wrote:
>
> The VMM needs to populate the realm with some data before starting (e.g.
> a kernel and initrd). This is measured by the RMM and used as part of
> the attestation later on.
>
> Signed-off-by: Steven Price <steven.price@arm.com>
> ---
> Changes since v11:
> * The multiplex CAP is gone and there's a new ioctl which makes use of
> the generic kvm_gmem_populate() functionality.
> Changes since v7:
> * Improve the error codes.
> * Other minor changes from review.
> Changes since v6:
> * Handle host potentially having a larger page size than the RMM
> granule.
> * Drop historic "par" (protected address range) from
> populate_par_region() - it doesn't exist within the current
> architecture.
> * Add a cond_resched() call in kvm_populate_realm().
> Changes since v5:
> * Refactor to use PFNs rather than tracking struct page in
> realm_create_protected_data_page().
> * Pull changes from a later patch (in the v5 series) for accessing
> pages from a guest memfd.
> * Do the populate in chunks to avoid holding locks for too long and
> triggering RCU stall warnings.
> ---
> arch/arm64/include/asm/kvm_rmi.h | 4 +
> arch/arm64/kvm/Kconfig | 1 +
> arch/arm64/kvm/arm.c | 9 ++
> arch/arm64/kvm/rmi.c | 175 +++++++++++++++++++++++++++++++
> 4 files changed, 189 insertions(+)
>
> diff --git a/arch/arm64/include/asm/kvm_rmi.h b/arch/arm64/include/asm/kvm_rmi.h
> index 8a862fc1a99d..b5e36344975c 100644
> --- a/arch/arm64/include/asm/kvm_rmi.h
> +++ b/arch/arm64/include/asm/kvm_rmi.h
> @@ -99,6 +99,10 @@ int kvm_rec_enter(struct kvm_vcpu *vcpu);
> int kvm_rec_pre_enter(struct kvm_vcpu *vcpu);
> int handle_rec_exit(struct kvm_vcpu *vcpu, int rec_run_status);
>
> +struct kvm_arm_rmi_populate;
> +
> +int kvm_arm_rmi_populate(struct kvm *kvm,
> + struct kvm_arm_rmi_populate *arg);
> void kvm_realm_unmap_range(struct kvm *kvm,
> unsigned long ipa,
> unsigned long size,
> diff --git a/arch/arm64/kvm/Kconfig b/arch/arm64/kvm/Kconfig
> index 1cac6dfc0972..b495dfd3a8b4 100644
> --- a/arch/arm64/kvm/Kconfig
> +++ b/arch/arm64/kvm/Kconfig
> @@ -39,6 +39,7 @@ menuconfig KVM
> select GUEST_PERF_EVENTS if PERF_EVENTS
> select KVM_GUEST_MEMFD
> select KVM_GENERIC_MEMORY_ATTRIBUTES
> + select HAVE_KVM_ARCH_GMEM_POPULATE
> help
> Support hosting virtualized guest machines.
>
> diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
> index 7927181887cf..0a06ed9d1a64 100644
> --- a/arch/arm64/kvm/arm.c
> +++ b/arch/arm64/kvm/arm.c
> @@ -2037,6 +2037,15 @@ int kvm_arch_vm_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg)
> return -EFAULT;
> return kvm_vm_ioctl_get_reg_writable_masks(kvm, &range);
> }
> + case KVM_ARM_RMI_POPULATE: {
> + struct kvm_arm_rmi_populate req;
> +
> + if (!kvm_is_realm(kvm))
> + return -EPERM;
EPERM is odd. It isn't that the VMM doesn't have the right to do it,
it is that it shouldn't have called that, because the ioctl doesn't
exist for a normal VM. -ENOSYS?
> + if (copy_from_user(&req, argp, sizeof(req)))
> + return -EFAULT;
> + return kvm_arm_rmi_populate(kvm, &req);
> + }
> default:
> return -EINVAL;
> }
> diff --git a/arch/arm64/kvm/rmi.c b/arch/arm64/kvm/rmi.c
> index fe15b400091c..39577e956a59 100644
> --- a/arch/arm64/kvm/rmi.c
> +++ b/arch/arm64/kvm/rmi.c
> @@ -558,6 +558,150 @@ void kvm_realm_unmap_range(struct kvm *kvm, unsigned long start,
> realm_unmap_private_range(kvm, start, end, may_block);
> }
>
> +static int realm_create_protected_data_granule(struct realm *realm,
> + unsigned long ipa,
> + phys_addr_t dst_phys,
> + phys_addr_t src_phys,
> + unsigned long flags)
> +{
> + phys_addr_t rd = virt_to_phys(realm->rd);
> + int ret;
> +
> + if (rmi_granule_delegate(dst_phys))
> + return -ENXIO;
> +
> + ret = rmi_data_create(rd, dst_phys, ipa, src_phys, flags);
> + if (RMI_RETURN_STATUS(ret) == RMI_ERROR_RTT) {
> + /* Create missing RTTs and retry */
> + int level = RMI_RETURN_INDEX(ret);
> +
> + WARN_ON(level == RMM_RTT_MAX_LEVEL);
If this is unexpected, why do we still try to handle it? We should
abort hard on anything that doesn't seem 100% correct, and mark the
realm dead.
> +
> + ret = realm_create_rtt_levels(realm, ipa, level,
> + RMM_RTT_MAX_LEVEL, NULL);
> + if (ret)
> + return -EIO;
> +
> + ret = rmi_data_create(rd, dst_phys, ipa, src_phys, flags);
> + }
> + if (ret)
> + return -EIO;
> +
> + return 0;
> +}
> +
> +static int realm_create_protected_data_page(struct realm *realm,
> + unsigned long ipa,
> + kvm_pfn_t dst_pfn,
> + kvm_pfn_t src_pfn,
> + unsigned long flags)
> +{
> + unsigned long rd = virt_to_phys(realm->rd);
> + phys_addr_t dst_phys, src_phys;
> + bool undelegate_failed = false;
> + int ret, offset;
> +
> + dst_phys = __pfn_to_phys(dst_pfn);
> + src_phys = __pfn_to_phys(src_pfn);
> +
> + for (offset = 0; offset < PAGE_SIZE; offset += RMM_PAGE_SIZE) {
> + ret = realm_create_protected_data_granule(realm,
> + ipa,
> + dst_phys,
> + src_phys,
> + flags);
> + if (ret)
> + goto err;
> +
> + ipa += RMM_PAGE_SIZE;
> + dst_phys += RMM_PAGE_SIZE;
> + src_phys += RMM_PAGE_SIZE;
> + }
> +
> + return 0;
> +
> +err:
> + if (ret == -EIO) {
> + /* current offset needs undelegating */
> + if (WARN_ON(rmi_granule_undelegate(dst_phys)))
> + undelegate_failed = true;
> + }
> + while (offset > 0) {
> + ipa -= RMM_PAGE_SIZE;
> + offset -= RMM_PAGE_SIZE;
> + dst_phys -= RMM_PAGE_SIZE;
> +
> + rmi_data_destroy(rd, ipa, NULL, NULL);
> +
> + if (WARN_ON(rmi_granule_undelegate(dst_phys)))
> + undelegate_failed = true;
> + }
> +
> + if (undelegate_failed) {
> + /*
> + * A granule could not be undelegated,
> + * so the page has to be leaked
> + */
> + get_page(pfn_to_page(dst_pfn));
> + }
> +
> + return -ENXIO;
> +}
> +
> +static int populate_region_cb(struct kvm *kvm, gfn_t gfn, kvm_pfn_t pfn,
> + void __user *src, int order, void *opaque)
> +{
> + struct realm *realm = &kvm->arch.realm;
> + unsigned long data_flags = *(unsigned long *)opaque;
> + phys_addr_t ipa = gfn_to_gpa(gfn);
> + int npages = (1 << order);
> + int i;
> +
> + for (i = 0; i < npages; i++) {
> + struct page *src_page;
> + int ret;
> +
> + ret = get_user_pages((unsigned long)src, 1, 0, &src_page);
> + if (ret < 0)
> + return ret;
> + if (ret != 1)
> + return -ENOMEM;
> +
> + ret = realm_create_protected_data_page(realm, ipa, pfn,
> + page_to_pfn(src_page),
> + data_flags);
> +
> + put_page(src_page);
> +
> + if (ret)
> + return ret;
> +
> + ipa += PAGE_SIZE;
> + pfn++;
> + src += PAGE_SIZE;
> + }
> +
> + return 0;
> +}
> +
> +static long populate_region(struct kvm *kvm,
> + gfn_t base_gfn,
> + unsigned long pages,
> + u64 uaddr,
> + unsigned long data_flags)
> +{
> + long ret = 0;
> +
> + mutex_lock(&kvm->slots_lock);
> + mmap_read_lock(current->mm);
> + ret = kvm_gmem_populate(kvm, base_gfn, u64_to_user_ptr(uaddr), pages,
> + populate_region_cb, &data_flags);
> + mmap_read_unlock(current->mm);
> + mutex_unlock(&kvm->slots_lock);
> +
> + return ret;
> +}
> +
> enum ripas_action {
> RIPAS_INIT,
> RIPAS_SET,
> @@ -655,6 +799,37 @@ static int realm_ensure_created(struct kvm *kvm)
> return -ENXIO;
> }
>
> +int kvm_arm_rmi_populate(struct kvm *kvm,
> + struct kvm_arm_rmi_populate *args)
> +{
> + unsigned long data_flags = 0;
> + unsigned long ipa_start = args->base;
> + unsigned long ipa_end = ipa_start + args->size;
> + int ret;
> +
> + if (args->reserved ||
> + (args->flags & ~KVM_ARM_RMI_POPULATE_FLAGS_MEASURE) ||
> + !IS_ALIGNED(ipa_start, PAGE_SIZE) ||
> + !IS_ALIGNED(ipa_end, PAGE_SIZE))
> + return -EINVAL;
> +
> + ret = realm_ensure_created(kvm);
> + if (ret)
> + return ret;
> +
> + if (args->flags & KVM_ARM_RMI_POPULATE_FLAGS_MEASURE)
This flag isn't documented.
> + data_flags |= RMI_MEASURE_CONTENT;
> +
> + ret = populate_region(kvm, gpa_to_gfn(ipa_start),
> + args->size >> PAGE_SHIFT,
> + args->source_uaddr, args->flags);
> +
> + if (ret < 0)
> + return ret;
> +
> + return ret * PAGE_SIZE;
Bits of the code works on PAGE_SIZE, other bits on RMM_PAGE_SIZE. It
is pretty confusing. Are you in the middle of reworking this?
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
next prev parent reply other threads:[~2026-03-02 14:56 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-17 10:10 [PATCH v12 00/46] arm64: Support for Arm CCA in KVM Steven Price
2025-12-17 10:10 ` [PATCH v12 01/46] kvm: arm64: Include kvm_emulate.h in kvm/arm_psci.h Steven Price
2025-12-17 10:10 ` [PATCH v12 02/46] arm64: RME: Handle Granule Protection Faults (GPFs) Steven Price
2025-12-17 10:10 ` [PATCH v12 03/46] arm64: RMI: Add SMC definitions for calling the RMM Steven Price
2025-12-17 10:10 ` [PATCH v12 04/46] arm64: RMI: Add wrappers for RMI calls Steven Price
2025-12-17 10:10 ` [PATCH v12 05/46] arm64: RMI: Check for RMI support at KVM init Steven Price
2025-12-17 10:10 ` [PATCH v12 06/46] arm64: RMI: Define the user ABI Steven Price
2026-01-23 16:47 ` Suzuki K Poulose
2026-01-26 9:37 ` Steven Price
2026-03-02 14:25 ` Marc Zyngier
2026-03-02 15:23 ` Steven Price
2026-03-02 17:13 ` Suzuki K Poulose
2026-03-03 13:13 ` Marc Zyngier
2026-03-03 14:23 ` Suzuki K Poulose
2026-03-03 14:37 ` Marc Zyngier
2026-03-03 16:02 ` Suzuki K Poulose
2026-03-03 13:11 ` Marc Zyngier
2026-03-04 12:08 ` Steven Price
2026-03-11 19:10 ` Marc Zyngier
2026-03-12 9:28 ` Suzuki K Poulose
2026-03-12 9:39 ` Marc Zyngier
2026-03-12 10:45 ` Steven Price
2025-12-17 10:10 ` [PATCH v12 07/46] arm64: RMI: Basic infrastructure for creating a realm Steven Price
2025-12-17 10:10 ` [PATCH v12 08/46] kvm: arm64: Don't expose unsupported capabilities for realm guests Steven Price
2025-12-17 10:10 ` [PATCH v12 09/46] KVM: arm64: Allow passing machine type in KVM creation Steven Price
2025-12-17 10:10 ` [PATCH v12 10/46] arm64: RMI: RTT tear down Steven Price
2025-12-17 10:10 ` [PATCH v12 11/46] arm64: RMI: Activate realm on first VCPU run Steven Price
2025-12-17 14:29 ` Suzuki K Poulose
2026-03-02 14:40 ` Marc Zyngier
2026-03-02 16:31 ` Steven Price
2025-12-17 10:10 ` [PATCH v12 12/46] arm64: RMI: Allocate/free RECs to match vCPUs Steven Price
2025-12-17 10:10 ` [PATCH v12 13/46] KVM: arm64: vgic: Provide helper for number of list registers Steven Price
2025-12-17 10:10 ` [PATCH v12 14/46] arm64: RMI: Support for the VGIC in realms Steven Price
2025-12-17 10:10 ` [PATCH v12 15/46] KVM: arm64: Support timers in realm RECs Steven Price
2025-12-17 10:10 ` [PATCH v12 16/46] arm64: RMI: Handle realm enter/exit Steven Price
2025-12-17 10:10 ` [PATCH v12 17/46] arm64: RMI: Handle RMI_EXIT_RIPAS_CHANGE Steven Price
2025-12-17 10:10 ` [PATCH v12 18/46] KVM: arm64: Handle realm MMIO emulation Steven Price
2025-12-17 10:10 ` [PATCH v12 19/46] KVM: arm64: Expose support for private memory Steven Price
2025-12-20 13:46 ` kernel test robot
2025-12-20 13:59 ` kernel test robot
2025-12-20 14:18 ` kernel test robot
2025-12-17 10:10 ` [PATCH v12 20/46] arm64: RMI: Allow populating initial contents Steven Price
2025-12-20 14:34 ` kernel test robot
2026-03-02 14:56 ` Marc Zyngier [this message]
2026-03-02 16:46 ` Steven Price
2025-12-17 10:10 ` [PATCH v12 21/46] arm64: RMI: Set RIPAS of initial memslots Steven Price
2025-12-17 10:10 ` [PATCH v12 22/46] arm64: RMI: Create the realm descriptor Steven Price
2026-01-23 18:57 ` Alper Gun
2026-01-26 9:50 ` Steven Price
2025-12-17 10:11 ` [PATCH v12 23/46] arm64: RMI: Add a VMID allocator for realms Steven Price
2025-12-17 10:11 ` [PATCH v12 24/46] arm64: RMI: Runtime faulting of memory Steven Price
2025-12-17 10:11 ` [PATCH v12 25/46] KVM: arm64: Handle realm VCPU load Steven Price
2025-12-17 10:11 ` [PATCH v12 26/46] KVM: arm64: Validate register access for a Realm VM Steven Price
2025-12-17 10:11 ` [PATCH v12 27/46] KVM: arm64: Handle Realm PSCI requests Steven Price
2026-03-02 16:39 ` Marc Zyngier
2026-03-03 9:26 ` Suzuki K Poulose
2026-03-03 13:04 ` Marc Zyngier
2025-12-17 10:11 ` [PATCH v12 28/46] KVM: arm64: WARN on injected undef exceptions Steven Price
2025-12-17 10:11 ` [PATCH v12 29/46] arm64: Don't expose stolen time for realm guests Steven Price
2025-12-17 10:11 ` [PATCH v12 30/46] arm64: RMI: allow userspace to inject aborts Steven Price
2025-12-17 10:11 ` [PATCH v12 31/46] arm64: RMI: support RSI_HOST_CALL Steven Price
2025-12-17 10:11 ` [PATCH v12 32/46] arm64: RMI: Allow checking SVE on VM instance Steven Price
2025-12-17 10:11 ` [PATCH v12 33/46] arm64: RMI: Always use 4k pages for realms Steven Price
2025-12-17 10:11 ` [PATCH v12 34/46] arm64: RMI: Prevent Device mappings for Realms Steven Price
2025-12-17 10:11 ` [PATCH v12 35/46] HACK: Restore per-CPU cpu_armpmu pointer Steven Price
2025-12-17 10:11 ` [PATCH v12 36/46] arm_pmu: Provide a mechanism for disabling the physical IRQ Steven Price
2025-12-17 10:11 ` [PATCH v12 37/46] arm64: RMI: Enable PMU support with a realm guest Steven Price
2025-12-17 10:11 ` [PATCH v12 38/46] arm64: RMI: Propagate number of breakpoints and watchpoints to userspace Steven Price
2025-12-17 10:11 ` [PATCH v12 39/46] arm64: RMI: Set breakpoint parameters through SET_ONE_REG Steven Price
2025-12-17 10:11 ` [PATCH v12 40/46] arm64: RMI: Initialize PMCR.N with number counter supported by RMM Steven Price
2025-12-17 10:11 ` [PATCH v12 41/46] arm64: RMI: Propagate max SVE vector length from RMM Steven Price
2025-12-17 10:11 ` [PATCH v12 42/46] arm64: RMI: Configure max SVE vector length for a Realm Steven Price
2025-12-17 10:11 ` [PATCH v12 43/46] arm64: RMI: Provide register list for unfinalized RMI RECs Steven Price
2025-12-17 10:11 ` [PATCH v12 44/46] arm64: RMI: Provide accurate register list Steven Price
2025-12-17 10:11 ` [PATCH v12 45/46] KVM: arm64: Expose KVM_ARM_VCPU_REC to user space Steven Price
2025-12-17 10:11 ` [PATCH v12 46/46] arm64: RMI: Enable realms to be created Steven Price
2025-12-17 14:55 ` [PATCH v12 00/46] arm64: Support for Arm CCA in KVM Marc Zyngier
2025-12-17 15:28 ` Steven Price
2026-02-12 17:48 ` Mathieu Poirier
2026-02-16 12:33 ` Steven Price
2026-02-16 14:27 ` Steven Price
2026-02-17 17:47 ` Mathieu Poirier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86qzq28elj.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=alexandru.elisei@arm.com \
--cc=alpergun@google.com \
--cc=aneesh.kumar@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=christoffer.dall@arm.com \
--cc=fj0570is@fujitsu.com \
--cc=gankulkarni@os.amperecomputing.com \
--cc=gshan@redhat.com \
--cc=james.morse@arm.com \
--cc=joey.gouly@arm.com \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=oliver.upton@linux.dev \
--cc=sdonthineni@nvidia.com \
--cc=steven.price@arm.com \
--cc=suzuki.poulose@arm.com \
--cc=tabba@google.com \
--cc=vannapurve@google.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.