
This series adds support for running Linux in a protected VM under the
Arm Confidential Compute Architecture (CCA).

To support CCA guest, we do things as follows:

1. Revert virtcca patches
  Revert "virtcca feature : disable swiotlb for passthrough device"
  Revert "gicv3: add lpi support for cvm guest"

2. Support CCA encrypt part
  arm64: mm: Add top-level dispatcher for internal mem_encrypt API
  arm64: mm: Add confidential computing hook to ioremap_prot()
  arm64: rsi: Add RSI definitions
  arm64: Detect if in a realm and set RIPAS RAM
  arm64: realm: Query IPA size from the RMM
  arm64: rsi: Add support for checking whether an MMIO is protected
  arm64: rsi: Map unprotected MMIO as decrypted
  efi: arm64: Map Device with Prot Shared
  arm64: Enforce bounce buffers for realm DMA
  arm64: mm: Avoid TLBI when marking pages as valid
  arm64: Enable memory encrypt for Realms
  irqchip/gic-v3-its: Share ITS tables with a non-trusted hypervisor
  irqchip/gic-v3-its: Fix over allocation in itt_alloc_pool()
  irqchip/gic-v3-its: Rely on genpool alignment
  jump_label,module: Don't alloc static_key_mod for __ro_after_init keys
  parisc: Delay write-protection until mark_rodata_ro() call
  arm64: realm: ioremap: Allow mapping memory as encrypted
  rme: make sure realm guest map memory in page granularity
  dma: Fix encryption bit clearing for dma_to_phys
  dma: Introduce generic dma_addr_*crypted helpers
  arm64: realm: Use aliased addresses for device DMA to shared buffers

3. Support tsm report for arm-cca-guest
  virt: coco: Add a coco/Makefile and coco/Kconfig
  configfs-tsm: Introduce a shared ABI for attestation reports
  mm/slab: Add __free() support for kvfree
  virt: arm-cca-guest: TSM_REPORT support for realms
  arm64: Document Arm Confidential Compute
  configfs-tsm-report: Fix NULL dereference of tsm_ops
  MAINTAINERS: Add CCA and pKVM CoCO guest support to the ARM64 entry

4. Recover virtcca
  gicv3: add lpi support for virtcca cvm guest

V2:
Add 5 bugfix patches
commit fba4ceaa242d ("configfs-tsm-report: Fix NULL dereference of tsm_ops")
commit 92230596252a ("MAINTAINERS: Add CCA and pKVM CoCO guest support to the ARM64 entry")
commit 7d953a062416 ("arm64: realm: Use aliased addresses for device DMA to shared buffers")
commit b66e2ee7b6c8 ("dma: Introduce generic dma_addr_*crypted helpers")
commit c380931712d1 ("dma: Fix encryption bit clearing for dma_to_phys")

Cai Xinchen (2):
  Revert "virtcca feature : disable swiotlb for passthrough device"
  Revert "gicv3: add lpi support for cvm guest"

Dan Williams (4):
  virt: coco: Add a coco/Makefile and coco/Kconfig
  configfs-tsm: Introduce a shared ABI for attestation reports
  mm/slab: Add __free() support for kvfree
  configfs-tsm-report: Fix NULL dereference of tsm_ops

Helge Deller (1):
  parisc: Delay write-protection until mark_rodata_ro() call

Peter Zijlstra (1):
  jump_label,module: Don't alloc static_key_mod for __ro_after_init keys

Sami Mujawar (1):
  virt: arm-cca-guest: TSM_REPORT support for realms

Steven Price (7):
  arm64: realm: Query IPA size from the RMM
  arm64: Enforce bounce buffers for realm DMA
  arm64: mm: Avoid TLBI when marking pages as valid
  irqchip/gic-v3-its: Share ITS tables with a non-trusted hypervisor
  irqchip/gic-v3-its: Fix over allocation in itt_alloc_pool()
  irqchip/gic-v3-its: Rely on genpool alignment
  arm64: Document Arm Confidential Compute

Suzuki K Poulose (10):
  arm64: rsi: Add RSI definitions
  arm64: Detect if in a realm and set RIPAS RAM
  arm64: rsi: Add support for checking whether an MMIO is protected
  arm64: rsi: Map unprotected MMIO as decrypted
  efi: arm64: Map Device with Prot Shared
  arm64: Enable memory encrypt for Realms
  arm64: realm: ioremap: Allow mapping memory as encrypted
  dma: Fix encryption bit clearing for dma_to_phys
  dma: Introduce generic dma_addr_*crypted helpers
  arm64: realm: Use aliased addresses for device DMA to shared buffers

Will Deacon (3):
  arm64: mm: Add top-level dispatcher for internal mem_encrypt API
  arm64: mm: Add confidential computing hook to ioremap_prot()
  MAINTAINERS: Add CCA and pKVM CoCO guest support to the ARM64 entry

Yiwei Zhuang (1):
  rme: make sure realm guest map memory in page granularity

yxk (1):
  gicv3: add lpi support for virtcca cvm guest

 Documentation/ABI/testing/configfs-tsm        |  82 ++++
 Documentation/arch/arm64/arm-cca.rst          |  69 +++
 Documentation/arch/arm64/booting.rst          |   3 +
 Documentation/arch/arm64/index.rst            |   1 +
 MAINTAINERS                                   |  10 +
 arch/arm64/Kconfig                            |   4 +
 arch/arm64/include/asm/io.h                   |  12 +
 arch/arm64/include/asm/mem_encrypt.h          |  35 ++
 arch/arm64/include/asm/pgtable-prot.h         |   4 +
 arch/arm64/include/asm/pgtable.h              |   5 +
 arch/arm64/include/asm/rsi.h                  |  68 +++
 arch/arm64/include/asm/rsi_cmds.h             | 160 +++++++
 arch/arm64/include/asm/rsi_smc.h              | 193 ++++++++
 arch/arm64/include/asm/set_memory.h           |   4 +
 arch/arm64/include/asm/virtcca_cvm_guest.h    |   8 +
 arch/arm64/kernel/Makefile                    |   2 +-
 arch/arm64/kernel/efi.c                       |  12 +-
 arch/arm64/kernel/rsi.c                       | 165 +++++++
 arch/arm64/kernel/setup.c                     |   3 +
 arch/arm64/kernel/virtcca_cvm_guest.c         |  24 +
 arch/arm64/mm/Makefile                        |   2 +-
 arch/arm64/mm/init.c                          |  10 +-
 arch/arm64/mm/ioremap.c                       |  23 +-
 arch/arm64/mm/mem_encrypt.c                   |  50 ++
 arch/arm64/mm/pageattr.c                      |  98 +++-
 arch/parisc/mm/init.c                         |  16 +-
 drivers/irqchip/irq-gic-v3-its.c              | 329 +++++--------
 drivers/virt/Kconfig                          |   8 +-
 drivers/virt/Makefile                         |   5 +-
 drivers/virt/coco/Kconfig                     |  18 +
 drivers/virt/coco/Makefile                    |  10 +
 drivers/virt/coco/arm-cca-guest/Kconfig       |  11 +
 drivers/virt/coco/arm-cca-guest/Makefile      |   2 +
 .../virt/coco/arm-cca-guest/arm-cca-guest.c   | 224 +++++++++
 drivers/virt/coco/tsm.c                       | 452 ++++++++++++++++++
 include/asm-generic/sections.h                |   5 +
 include/linux/dma-direct.h                    |  13 +-
 include/linux/jump_label.h                    |   3 +
 include/linux/mem_encrypt.h                   |  23 +
 include/linux/slab.h                          |   2 +
 include/linux/tsm.h                           |  69 +++
 include/linux/virtcca_cvm_domain.h            |  10 +
 init/main.c                                   |   1 +
 kernel/jump_label.c                           |  53 ++
 44 files changed, 2062 insertions(+), 239 deletions(-)
 create mode 100644 Documentation/ABI/testing/configfs-tsm
 create mode 100644 Documentation/arch/arm64/arm-cca.rst
 create mode 100644 arch/arm64/include/asm/mem_encrypt.h
 create mode 100644 arch/arm64/include/asm/rsi.h
 create mode 100644 arch/arm64/include/asm/rsi_cmds.h
 create mode 100644 arch/arm64/include/asm/rsi_smc.h
 create mode 100644 arch/arm64/kernel/rsi.c
 create mode 100644 arch/arm64/mm/mem_encrypt.c
 create mode 100644 drivers/virt/coco/Kconfig
 create mode 100644 drivers/virt/coco/Makefile
 create mode 100644 drivers/virt/coco/arm-cca-guest/Kconfig
 create mode 100644 drivers/virt/coco/arm-cca-guest/Makefile
 create mode 100644 drivers/virt/coco/arm-cca-guest/arm-cca-guest.c
 create mode 100644 drivers/virt/coco/tsm.c
 create mode 100644 include/linux/tsm.h

--
2.18.0.huawei.25