From nobody Tue Sep  9 19:10:17 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail  header.i=@fujitsu.com;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=fail(p=reject dis=none)  header.from=aa.jp.fujitsu.com
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1735899968683781.5319306519993;
 Fri, 3 Jan 2025 02:26:08 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id 671C29AD; Fri,  3 Jan 2025 05:26:07 -0500 (EST)
Received: from lists.libvirt.org (localhost [IPv6:::1])
	by lists.libvirt.org (Postfix) with ESMTP id 3F83F994;
	Fri,  3 Jan 2025 05:24:21 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id 4BA8510F6; Wed, 25 Dec 2024 04:02:48 -0500 (EST)
Received: from esa3.hc1455-7.c3s2.iphmx.com (esa3.hc1455-7.c3s2.iphmx.com
 [207.54.90.49])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 014E2CD2
	for <devel@lists.libvirt.org>; Wed, 25 Dec 2024 04:02:42 -0500 (EST)
Received: from unknown (HELO oym-r2.gw.nic.fujitsu.com) ([210.162.30.90])
  by esa3.hc1455-7.c3s2.iphmx.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 25 Dec 2024 18:01:39 +0900
Received: from oym-m2.gw.nic.fujitsu.com (oym-nat-oym-m2.gw.nic.fujitsu.com
 [192.168.87.59])
	by oym-r2.gw.nic.fujitsu.com (Postfix) with ESMTP id F2E7DD4C48
	for <devel@lists.libvirt.org>; Wed, 25 Dec 2024 18:01:35 +0900 (JST)
Received: from oym-om1.fujitsu.com (oym-om1.o.css.fujitsu.com [10.85.58.161])
	by oym-m2.gw.nic.fujitsu.com (Postfix) with ESMTP id C3D81BF3C3
	for <devel@lists.libvirt.org>; Wed, 25 Dec 2024 18:01:35 +0900 (JST)
Received: from sm-x86-mem01.ssoft.mng.com (sm-x86-stp01.soft.fujitsu.com
 [10.124.178.20])
	by oym-om1.fujitsu.com (Postfix) with ESMTP id A7B3E4007A440;
	Wed, 25 Dec 2024 18:01:35 +0900 (JST)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_RPBL_BLOCKED,RCVD_IN_VALIDITY_SAFE_BLOCKED,
	SPF_HELO_PASS autolearn=unavailable autolearn_force=no version=3.4.4
X-Greylist: delayed 62 seconds by postgrey-1.37 at lists.libvirt.org;
 Wed, 25 Dec 2024 04:02:42 EST
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
  d=fujitsu.com; i=@fujitsu.com; q=dns/txt; s=fj2;
  t=1735117364; x=1766653364;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=MuVS92Wech9K69233gIVTm1kfA8qZGV5S6Q1/Gxur7s=;
  b=NUMiBUE2Z0aUrR2euN+KN9EC0gaoAHHc85JBnOhxBhc7gCJ4dsi3f2vg
   c6poxU0aKVyp7/WqHluvH7sDsKiSVuehGIRZSdWaWhibVGgp/c5r1zVFN
   e2KSQFZ2K66WjXnrBkjKiiQjigKIOIuw3NisLWG85afwiQwmehe00PhWI
   Uh/NQeyDuVCvQjlLSkHGGzkQjvjCW2+y2HtYuxDsPNLWTeuABF3MxpYOm
   S2PKPabh9jibynN/b5XYcW+Sps+PMIV53RHc1fj6c/L5zU964Lw+6ORJI
   SYNQUJt4Z8prArUPLUfsDrGHkn6lomc3ojkT/vKgB0vthYjYMTg3kCMuj
   w==;
X-CSE-ConnectionGUID: Nn3nsuKRRiajweYbETLwtg==
X-CSE-MsgGUID: cRJhs0ZaSDOshcMMKINb5g==
X-IronPort-AV: E=McAfee;i="6700,10204,11296"; a="184868966"
X-IronPort-AV: E=Sophos;i="6.12,262,1728918000";
   d="scan'208";a="184868966"
From: Akio Kakuno <fj3333bs@aa.jp.fujitsu.com>
To: devel@lists.libvirt.org
Subject: [PATCH 1/1] RFC: Add Arm CCA support for getting capability
 information and running Realm VM
Date: Wed, 25 Dec 2024 09:01:32 +0000
Message-Id: <20241225090132.1991250-2-fj3333bs@aa.jp.fujitsu.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20241225090132.1991250-1-fj3333bs@aa.jp.fujitsu.com>
References: <20241225090132.1991250-1-fj3333bs@aa.jp.fujitsu.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-MailFrom: fj3333bs@aa.jp.fujitsu.com
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-config-1;
 header-match-config-2; header-match-config-3;
 header-match-devel.lists.libvirt.org-0
Message-ID-Hash: NXTDHH25HEHAZ3MEG5B76PJJ4VFD3LPG
X-Message-ID-Hash: NXTDHH25HEHAZ3MEG5B76PJJ4VFD3LPG
X-Mailman-Approved-At: Fri, 03 Jan 2025 10:24:18 -0500
CC: Taketani Ryo <taketani.ryo@fujitsu.com>,
 Akio Kakuno <fj3333bs@fujitsu.com>
X-Mailman-Version: 3.2.2
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/NXTDHH25HEHAZ3MEG5B76PJJ4VFD3LPG/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1735899971195116600
Content-Type: text/plain; charset="utf-8"

- This patch adds Arm CCA support to qemu driver for aarch64 system.
  CCA is an abbreviation for Arm Confidential Compute Architecture feature,
  it enhances the virtualization capabilities of the platform by separating
  the management of resources from access to those resources.

[summary]
- At this stage, all you can do is getting the CCA capability with the virsh
  domcapabilities command and start the CCA VM with the virsh create comman=
d.

[Capability example]
- Execution results of 'virsh domcapability" on qemu
<domaincapabilities>
...
  <features>
    ...
    </sgx>
    <cca supported=3D'yes'>
    <enum name=3D'measurement-algo'>
      <value>sha256</value>
      <value>sha512</value>
    </enum>
    </cca>
    <hyperv supported=3D'yes'>
    ...
  </features>
</domaincapabilities>

[XML example]
<domain>
  ...
  <launchsecurity type=3D'cca'>
    <measurement-algo>sha256</measurement-algo>
  </launchsecurity>
  ...
</domain>

Signed-off-by: Akio Kakuno <fj3333bs@fujitsu.com>
---
 docs/formatdomain.rst             |  28 ++++++
 docs/formatdomaincaps.rst         |  26 ++++-
 src/conf/domain_capabilities.c    |  41 ++++++++
 src/conf/domain_capabilities.h    |  12 +++
 src/conf/domain_conf.c            |  13 +++
 src/conf/domain_conf.h            |   7 ++
 src/conf/schemas/domaincaps.rng   |  14 +++
 src/conf/schemas/domaincommon.rng |  14 +++
 src/conf/virconftypes.h           |   2 +
 src/libvirt_private.syms          |   1 +
 src/qemu/qemu_capabilities.c      | 156 ++++++++++++++++++++++++++++++
 src/qemu/qemu_capabilities.h      |   4 +
 src/qemu/qemu_cgroup.c            |   2 +
 src/qemu/qemu_command.c           |  32 ++++++
 src/qemu/qemu_driver.c            |   2 +
 src/qemu/qemu_monitor.c           |  10 ++
 src/qemu/qemu_monitor.h           |   3 +
 src/qemu/qemu_monitor_json.c      | 104 ++++++++++++++++++++
 src/qemu/qemu_monitor_json.h      |   4 +
 src/qemu/qemu_namespace.c         |   2 +
 src/qemu/qemu_process.c           |   4 +
 src/qemu/qemu_validate.c          |   7 ++
 22 files changed, 487 insertions(+), 1 deletion(-)

diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 3253a28e5a..08e0abf0f3 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -9040,6 +9040,34 @@ The ``<launchSecurity/>`` element then accepts the f=
ollowing child elements:
    the SNP_LAUNCH_FINISH command in the SEV-SNP firmware ABI.
=20
=20
+The contents of the ``<launchSecurity type=3D'cca'>`` element is used to c=
reate
+RealmVM using the Arm CCA feature (Confidential Compute Architecture).
+CCA :since:`Since 10.9.0` enhances the virtualization capabilities of the
+platform by separating the management of resources from access to those re=
sources.
+This is achieved by extending the TrustZone of Cortex-A's Normal and Secure
+world concepts and adding the Realm world and the underlying Root world.
+The Secure Monitor runs in the root world and manages the transition betwe=
en
+these security states. For more information see the Learn the architecture=
 -
+Arm Confidential Compute Architecture software stack:
+`<https://developer.arm.com/documentation/den0127/latest>`__
+
+::
+
+  <domain>
+    ...
+    <launchSecurity type=3D'cca'>
+      <measurement-algo>sha256</measurement-algo>
+    </launchSecurity>
+    ...
+  </domain>
+
+The ``<launchSecurity/>`` element accepts the following attributes:
+
+``measurement-algo``
+   The optional ``measurement-algo`` element determines algorithm used to
+   describe blob hashes.
+
+
 Example configs
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=20
diff --git a/docs/formatdomaincaps.rst b/docs/formatdomaincaps.rst
index 5309c6c251..7457c3ac98 100644
--- a/docs/formatdomaincaps.rst
+++ b/docs/formatdomaincaps.rst
@@ -708,6 +708,12 @@ capabilities. All features occur as children of the ma=
in ``features`` element.
            <section node=3D'1' size=3D'262144' unit=3D'KiB'/>
          </sections>
        </sgx>
+       <cca supported=3D'yes'>
+         <enum name=3D'measurement-algo'>
+           <value>sha256</value>
+           <value>sha512</value>
+         </enum>
+       </cca>
        <hyperv supported=3D'yes'>
          <enum name=3D'features'>
            <value>relaxed</value>
@@ -835,6 +841,23 @@ document store. In order to use SGX with libvirt have =
a look at `SGX in domain X
 ``sections``
    The sections of the SGX enclave page cache (called EPC).
=20
+CCA capabilities
+^^^^^^^^^^^^^^^^
+
+Arm Confidential Compute Architecture (CCA) capabilities are exposed under=
 the
+``cca`` element.
+
+Arm CCA is a system solution comprised of hardware and software components=
 that
+maximizes the security of data on devices and in the cloud.
+CCA enhances the virtualization capabilities of the platform by separating=
 the
+management of resources from access to those resources.
+
+For more details on the CCA feature, please follow resources in the CCA de=
veloper's
+document store. In order to use CCA with libvirt have a look at `CCA in do=
main
+XML <formatdomain.html#launch-security>`__
+
+``measurement-algo``
+   Options for the ``measurement-algo`` used to describe blob hashes.
=20
 Hyper-V Enlightenments
 ^^^^^^^^^^^^^^^^^^^^^^
@@ -856,4 +879,5 @@ The ``sectype`` enum corresponds to ``type`` attribute =
of ``<launchSecurity/>``
 element as documented in `Launch Security
 <formatdomain.html#launch-security>`__.  :since:`(Since 10.5.0)` For addit=
ional
 information on individual types, see sections above: `s390-pv capability`_=
 for
-S390 PV, `SEV capabilities`_ for AMD SEV and/or AMD SEV-SNP.
+S390 PV, `SEV capabilities`_ for AMD SEV and/or AMD SEV-SNP, `CCA capabili=
ties`_
+for Arm CCA.
diff --git a/src/conf/domain_capabilities.c b/src/conf/domain_capabilities.c
index cf40d798e5..0a79fc0279 100644
--- a/src/conf/domain_capabilities.c
+++ b/src/conf/domain_capabilities.c
@@ -90,6 +90,19 @@ virSGXCapabilitiesFree(virSGXCapability *cap)
 }
=20
=20
+void
+virCCACapabilitiesFree(virCCACapability *cap)
+{
+    if (!cap)
+        return;
+
+    if (cap->ccaMeasurementAlgo)
+        g_free(cap->ccaMeasurementAlgo);
+
+    g_free(cap);
+}
+
+
 static void
 virDomainCapsDispose(void *obj)
 {
@@ -755,6 +768,33 @@ virDomainCapsFeatureSGXFormat(virBuffer *buf,
     virBufferAddLit(buf, "</sgx>\n");
 }
=20
+static void
+virDomainCapsFeatureCCAFormat(virBuffer *buf,
+                              const virCCACapability *cca)
+{
+    size_t i;
+
+    if (!cca) {
+        virBufferAddLit(buf, "<cca supported=3D'no'/>\n");
+        return;
+    }
+
+    virBufferAddLit(buf, "<cca supported=3D'yes'>\n");
+    virBufferAdjustIndent(buf, 2);
+
+    virBufferAddLit(buf, "<enum name=3D'measurement-algo'>\n");
+    virBufferAdjustIndent(buf, 2);
+    for (i =3D 0; i < cca->nCcaMeasurementAlgo; i++) {
+        virBufferAsprintf(buf, "<value>%s</value>\n",
+                          cca->ccaMeasurementAlgo[i]);
+    }
+    virBufferAdjustIndent(buf, -2);
+    virBufferAddLit(buf, "</enum>\n");
+
+    virBufferAdjustIndent(buf, -2);
+    virBufferAddLit(buf, "</cca>\n\n");
+}
+
 static void
 virDomainCapsFeatureHypervFormat(virBuffer *buf,
                                  const virDomainCapsFeatureHyperv *hyperv)
@@ -802,6 +842,7 @@ virDomainCapsFormatFeatures(const virDomainCaps *caps,
=20
     virDomainCapsFeatureSEVFormat(&childBuf, caps->sev);
     virDomainCapsFeatureSGXFormat(&childBuf, caps->sgx);
+    virDomainCapsFeatureCCAFormat(&childBuf, caps->cca);
     virDomainCapsFeatureHypervFormat(&childBuf, caps->hyperv);
     virDomainCapsLaunchSecurityFormat(&childBuf, &caps->launchSecurity);
=20
diff --git a/src/conf/domain_capabilities.h b/src/conf/domain_capabilities.h
index a706ab337e..ef925fda0a 100644
--- a/src/conf/domain_capabilities.h
+++ b/src/conf/domain_capabilities.h
@@ -239,6 +239,12 @@ struct _virSGXCapability {
     virSGXSection *sgxSections;
 };
=20
+typedef struct _virCCACapability virCCACapability;
+struct _virCCACapability {
+    size_t nCcaMeasurementAlgo;
+    char **ccaMeasurementAlgo;
+};
+
 STATIC_ASSERT_ENUM(VIR_DOMAIN_CRYPTO_MODEL_LAST);
 STATIC_ASSERT_ENUM(VIR_DOMAIN_CRYPTO_TYPE_LAST);
 STATIC_ASSERT_ENUM(VIR_DOMAIN_CRYPTO_BACKEND_LAST);
@@ -300,6 +306,7 @@ struct _virDomainCaps {
     virDomainCapsFeatureGIC gic;
     virSEVCapability *sev;
     virSGXCapability *sgx;
+    virCCACapability *cca;
     virDomainCapsFeatureHyperv *hyperv;
     virDomainCapsLaunchSecurity launchSecurity;
     /* add new domain features here */
@@ -359,3 +366,8 @@ void
 virSGXCapabilitiesFree(virSGXCapability *capabilities);
=20
 G_DEFINE_AUTOPTR_CLEANUP_FUNC(virSGXCapability, virSGXCapabilitiesFree);
+
+void
+virCCACapabilitiesFree(virCCACapability *capabilities);
+
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(virCCACapability, virCCACapabilitiesFree);
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 6d7dee7956..62debe9eaa 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1515,6 +1515,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
               "sev",
               "sev-snp",
               "s390-pv",
+              "cca",
 );
=20
 VIR_ENUM_IMPL(virDomainPstoreBackend,
@@ -13775,6 +13776,15 @@ virDomainSEVSNPDefParseXML(virDomainSEVSNPDef *def,
 }
=20
=20
+static int
+virDomainCCADefParseXML(virDomainCCADef *def,
+                        xmlXPathContextPtr ctxt)
+{
+    def->measurement_algo =3D virXPathString("string(./measurement-algo)",=
 ctxt);
+    return 0;
+}
+
+
 static virDomainSecDef *
 virDomainSecDefParseXML(xmlNodePtr lsecNode,
                         xmlXPathContextPtr ctxt)
@@ -13800,6 +13810,9 @@ virDomainSecDefParseXML(xmlNodePtr lsecNode,
         break;
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+        virDomainCCADefParseXML(&sec->data.cca, ctxt);
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
     case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
     default:
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index a15af4fae3..c13b7995d3 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2870,6 +2870,7 @@ typedef enum {
     VIR_DOMAIN_LAUNCH_SECURITY_SEV,
     VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP,
     VIR_DOMAIN_LAUNCH_SECURITY_PV,
+    VIR_DOMAIN_LAUNCH_SECURITY_CCA,
=20
     VIR_DOMAIN_LAUNCH_SECURITY_LAST,
 } virDomainLaunchSecurity;
@@ -2904,11 +2905,17 @@ struct _virDomainSEVSNPDef {
 };
=20
=20
+struct _virDomainCCADef {
+    char *measurement_algo;
+};
+
+
 struct _virDomainSecDef {
     virDomainLaunchSecurity sectype;
     union {
         virDomainSEVDef sev;
         virDomainSEVSNPDef sev_snp;
+        virDomainCCADef cca;
     } data;
 };
=20
diff --git a/src/conf/schemas/domaincaps.rng b/src/conf/schemas/domaincaps.=
rng
index f9b87c8a59..5379bfb45c 100644
--- a/src/conf/schemas/domaincaps.rng
+++ b/src/conf/schemas/domaincaps.rng
@@ -334,6 +334,9 @@
       <optional>
         <ref name=3D"sgx"/>
       </optional>
+      <optional>
+        <ref name=3D"cca"/>
+      </optional>
       <optional>
         <ref name=3D"hyperv"/>
       </optional>
@@ -452,6 +455,17 @@
     </element>
   </define>
=20
+  <define name=3D"cca">
+    <element name=3D"cca">
+      <ref name=3D"supported"/>
+      <optional>
+        <element name=3D"measurement-algo">
+          <text/>
+        </element>
+      </optional>
+    </element>
+  </define>
+
   <define name=3D"hyperv">
     <element name=3D"hyperv">
       <ref name=3D"supported"/>
diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincom=
mon.rng
index efb5f00d77..7cea83cc01 100644
--- a/src/conf/schemas/domaincommon.rng
+++ b/src/conf/schemas/domaincommon.rng
@@ -523,6 +523,9 @@
             <value>s390-pv</value>
           </attribute>
         </group>
+        <group>
+          <ref name=3D"launchSecurityCCA"/>
+        </group>
       </choice>
     </element>
   </define>
@@ -618,6 +621,17 @@
       </optional>
     </interleave>
   </define>
+
+  <define name=3D"launchSecurityCCA">
+    <attribute name=3D"type">
+      <value>cca</value>
+    </attribute>
+    <optional>
+      <element name=3D"measurement-algo">
+        <data type=3D"string"/>
+      </element>
+    </optional>
+  </define>
   <!--
       Enable or disable perf events for the domain. For each
       of the events the following rules apply:
diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h
index f18ebcca10..76218f51b4 100644
--- a/src/conf/virconftypes.h
+++ b/src/conf/virconftypes.h
@@ -216,6 +216,8 @@ typedef struct _virDomainSEVDef virDomainSEVDef;
=20
 typedef struct _virDomainSEVSNPDef virDomainSEVSNPDef;
=20
+typedef struct _virDomainCCADef virDomainCCADef;
+
 typedef struct _virDomainSecDef virDomainSecDef;
=20
 typedef struct _virDomainShmemDef virDomainShmemDef;
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 5fb4df3513..7f3886ecd7 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -221,6 +221,7 @@ virDomainCapsFormat;
 virDomainCapsNew;
 virSEVCapabilitiesFree;
 virSGXCapabilitiesFree;
+virCCACapabilitiesFree;
=20
=20
 # conf/domain_conf.h
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 9322ae9ae6..43e7a164ea 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -719,6 +719,7 @@ VIR_ENUM_IMPL(virQEMUCaps,
               /* 465 */
               "snapshot-internal-qmp", /* QEMU_CAPS_SNAPSHOT_INTERNAL_QMP =
*/
               "chardev-reconnect-miliseconds", /* QEMU_CAPS_CHARDEV_RECONN=
ECT_MILISECONDS */
+              "rme-guest", /* QEMU_CAPS_CCA_GUEST */
     );
=20
=20
@@ -804,6 +805,8 @@ struct _virQEMUCaps {
=20
     virSGXCapability *sgxCapabilities;
=20
+    virCCACapability *ccaCapabilities;
+
     virDomainCapsFeatureHyperv *hypervCapabilities;
=20
     /* Capabilities which may differ depending on the accelerator. */
@@ -1407,6 +1410,7 @@ struct virQEMUCapsStringFlags virQEMUCapsObjectTypes[=
] =3D {
     { "virtio-sound-device", QEMU_CAPS_DEVICE_VIRTIO_SOUND },
     { "sev-snp-guest", QEMU_CAPS_SEV_SNP_GUEST },
     { "acpi-erst", QEMU_CAPS_DEVICE_ACPI_ERST },
+    { "rme-guest", QEMU_CAPS_CCA_GUEST },
 };
=20
=20
@@ -1942,6 +1946,34 @@ virQEMUCapsSGXInfoCopy(virSGXCapability **dst,
 }
=20
=20
+static void
+virQEMUCapsCCAInfoCopy(virCCACapability **dst,
+                       virCCACapability *src)
+{
+    g_autoptr(virCCACapability) tmp =3D NULL;
+    size_t i;
+
+    if (!src) {
+        *dst =3D NULL;
+        return;
+    }
+
+    tmp =3D g_new0(virCCACapability, 1);
+
+    tmp->nCcaMeasurementAlgo =3D src->nCcaMeasurementAlgo;
+
+    if (tmp->nCcaMeasurementAlgo !=3D 0) {
+        tmp->ccaMeasurementAlgo =3D g_new0(char *, tmp->nCcaMeasurementAlg=
o);
+
+        for (i=3D0; i<tmp->nCcaMeasurementAlgo; i++) {
+            tmp->ccaMeasurementAlgo[i] =3D src->ccaMeasurementAlgo[i];
+        }
+    }
+
+    *dst =3D g_steal_pointer(&tmp);
+}
+
+
 static void
 virQEMUCapsAccelCopyMachineTypes(virQEMUCapsAccel *dst,
                                  virQEMUCapsAccel *src)
@@ -2017,6 +2049,9 @@ virQEMUCaps *virQEMUCapsNewCopy(virQEMUCaps *qemuCaps)
     if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SGX_EPC))
         virQEMUCapsSGXInfoCopy(&ret->sgxCapabilities, qemuCaps->sgxCapabil=
ities);
=20
+    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_CCA_GUEST))
+        virQEMUCapsCCAInfoCopy(&ret->ccaCapabilities, qemuCaps->ccaCapabil=
ities);
+
     ret->hypervCapabilities =3D g_memdup(qemuCaps->hypervCapabilities,
                                        sizeof(virDomainCapsFeatureHyperv));
=20
@@ -2654,6 +2689,13 @@ virQEMUCapsGetSGXCapabilities(virQEMUCaps *qemuCaps)
 }
=20
=20
+virCCACapability *
+virQEMUCapsGetCCACapabilities(virQEMUCaps *qemuCaps)
+{
+    return qemuCaps->ccaCapabilities;
+}
+
+
 static int
 virQEMUCapsProbeQMPObjectTypes(virQEMUCaps *qemuCaps,
                                qemuMonitor *mon)
@@ -3571,6 +3613,32 @@ virQEMUCapsProbeQMPSGXCapabilities(virQEMUCaps *qemu=
Caps,
 }
=20
=20
+static int
+virQEMUCapsProbeQMPCCACapabilities(virQEMUCaps *qemuCaps,
+                                   qemuMonitor *mon)
+{
+    int rc =3D -1;
+    virCCACapability *caps =3D NULL;
+
+    if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_CCA_GUEST))
+        return 0;
+
+    if ((rc =3D qemuMonitorGetCCACapabilities(mon, &caps)) < 0)
+        return -1;
+
+    /* CCA isn't actually supported */
+    if (rc =3D=3D 0) {
+        virQEMUCapsClear(qemuCaps, QEMU_CAPS_CCA_GUEST);
+        return 0;
+    }
+
+    virCCACapabilitiesFree(qemuCaps->ccaCapabilities);
+    qemuCaps->ccaCapabilities =3D caps;
+    return 0;
+}
+
+
+
 /*
  * Filter for features which should never be passed to QEMU. Either because
  * QEMU never supported them or they were dropped as they never did anythi=
ng
@@ -4438,6 +4506,41 @@ virQEMUCapsParseSGXInfo(virQEMUCaps *qemuCaps,
 }
=20
=20
+static int
+virQEMUCapsParseCCAInfo(virQEMUCaps *qemuCaps,
+                        xmlXPathContextPtr ctxt)
+{
+    g_autofree xmlNodePtr *nodes =3D NULL;
+    g_autoptr(virCCACapability) tmp =3D NULL;
+    size_t i;
+    int n;
+
+    if ((n =3D virXPathNodeSet("./cca", ctxt, &nodes)) < 0)
+        return -1;
+
+    tmp =3D g_new0(virCCACapability, 1);
+    tmp->nCcaMeasurementAlgo =3D n;
+
+    if (tmp->nCcaMeasurementAlgo > 0) {
+        tmp->ccaMeasurementAlgo =3D g_new0(char *, tmp->nCcaMeasurementAlg=
o);
+
+        for (i =3D 0; i < n; i++) {
+            char *malgo =3D NULL;
+            if (!(malgo =3D virXMLPropString(nodes[i], "measurement-algo")=
)) {
+                virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                               _("missing CCA measurement-algo in QEMU cap=
abilities cache"));
+                return -1;
+            }
+
+            tmp->ccaMeasurementAlgo[i] =3D g_strdup(malgo);
+        }
+    }
+
+    qemuCaps->ccaCapabilities =3D g_steal_pointer(&tmp);
+    return 0;
+}
+
+
 static int
 virQEMUCapsParseHypervCapabilities(virQEMUCaps *qemuCaps,
                                    xmlXPathContextPtr ctxt)
@@ -4758,6 +4861,9 @@ virQEMUCapsLoadCache(virArch hostArch,
     if (virQEMUCapsParseSGXInfo(qemuCaps, ctxt) < 0)
         return -1;
=20
+    if (virQEMUCapsParseCCAInfo(qemuCaps, ctxt) < 0)
+        return -1;
+
     if (virQEMUCapsParseHypervCapabilities(qemuCaps, ctxt) < 0)
         return -1;
=20
@@ -4986,6 +5092,31 @@ virQEMUCapsFormatSGXInfo(virQEMUCaps *qemuCaps,
 }
=20
=20
+static void
+virQEMUCapsFormatCCAInfo(virQEMUCaps *qemuCaps, virBuffer *buf)
+{
+    virCCACapability *cca =3D virQEMUCapsGetCCACapabilities(qemuCaps);
+    size_t i;
+    size_t n;
+
+    virBufferAddLit(buf, "<cca>\n");
+
+    n =3D cca->nCcaMeasurementAlgo;
+
+    if (n !=3D 0) {
+        virBufferAdjustIndent(buf, 2);
+
+        for (i =3D 0; i < n; i++) {
+            virBufferAsprintf(buf, "<measurement-algo>%s</measurement-algo=
>\n", cca->ccaMeasurementAlgo[i]);
+        }
+
+        virBufferAdjustIndent(buf, -2);
+    }
+
+    virBufferAddLit(buf, "</cca>\n");
+}
+
+
 static void
 virQEMUCapsFormatHypervCapabilities(virQEMUCaps *qemuCaps,
                                     virBuffer *buf)
@@ -5094,6 +5225,9 @@ virQEMUCapsFormatCache(virQEMUCaps *qemuCaps)
     if (qemuCaps->sgxCapabilities)
         virQEMUCapsFormatSGXInfo(qemuCaps, &buf);
=20
+    if (qemuCaps->ccaCapabilities)
+        virQEMUCapsFormatCCAInfo(qemuCaps, &buf);
+
     if (qemuCaps->hypervCapabilities)
         virQEMUCapsFormatHypervCapabilities(qemuCaps, &buf);
=20
@@ -5646,6 +5780,8 @@ virQEMUCapsInitQMPMonitor(virQEMUCaps *qemuCaps,
         return -1;
     if (virQEMUCapsProbeQMPSGXCapabilities(qemuCaps, mon) < 0)
         return -1;
+    if (virQEMUCapsProbeQMPCCACapabilities(qemuCaps, mon) < 0)
+        return -1;
=20
     virQEMUCapsInitProcessCaps(qemuCaps);
=20
@@ -6618,6 +6754,8 @@ virQEMUCapsFillDomainLaunchSecurity(virQEMUCaps *qemu=
Caps,
     if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST) &&
         virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPO=
RT))
         VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype, VIR_DOMAIN_LAUNC=
H_SECURITY_PV);
+    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_CCA_GUEST))
+        VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype, VIR_DOMAIN_LAUNC=
H_SECURITY_CCA);
=20
     if (launchSecurity->sectype.values =3D=3D 0) {
         launchSecurity->supported =3D VIR_TRISTATE_BOOL_NO;
@@ -6786,6 +6924,23 @@ virQEMUCapsFillDomainFeatureSGXCaps(virQEMUCaps *qem=
uCaps,
 }
=20
=20
+/**
+ * virQEMUCapsFillDomainFeatureCCACaps:
+ * @qemuCaps: QEMU capabilities
+ * @domCaps: domain capabilities
+ *
+ * Take the information about CCA capabilities that has been obtained
+ * using the 'query-cca-capabilities' QMP command and stored in @qemuCaps
+ * and convert it to a form suitable for @domCaps.
+ */
+static void
+virQEMUCapsFillDomainFeatureCCACaps(virQEMUCaps *qemuCaps,
+                                    virDomainCaps *domCaps)
+{
+    virQEMUCapsCCAInfoCopy(&domCaps->cca, qemuCaps->ccaCapabilities);
+}
+
+
 static void
 virQEMUCapsFillDomainFeatureHypervCaps(virQEMUCaps *qemuCaps,
                                        virDomainCaps *domCaps)
@@ -6855,6 +7010,7 @@ virQEMUCapsFillDomainCaps(virQEMUCaps *qemuCaps,
     virQEMUCapsFillDomainFeatureS390PVCaps(qemuCaps, domCaps);
     virQEMUCapsFillDomainFeaturePS2Caps(qemuCaps, domCaps);
     virQEMUCapsFillDomainFeatureSGXCaps(qemuCaps, domCaps);
+    virQEMUCapsFillDomainFeatureCCACaps(qemuCaps, domCaps);
     virQEMUCapsFillDomainFeatureHypervCaps(qemuCaps, domCaps);
     virQEMUCapsFillDomainDeviceCryptoCaps(qemuCaps, crypto);
     virQEMUCapsFillDomainLaunchSecurity(qemuCaps, launchSecurity);
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 54c7e30903..ea6e397037 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -698,6 +698,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for =
syntax-check */
     /* 465 */
     QEMU_CAPS_SNAPSHOT_INTERNAL_QMP, /* internal snapshot support via QMP =
commands 'snapshot-save'/'snapshot-delete' */
     QEMU_CAPS_CHARDEV_RECONNECT_MILISECONDS, /* 'reconnect-ms' option for =
chardevs supported */
+    QEMU_CAPS_CCA_GUEST, /* -object rme-guest */
=20
     QEMU_CAPS_LAST /* this must always be the last item */
 } virQEMUCapsFlags;
@@ -917,6 +918,9 @@ virQEMUCapsGetSEVCapabilities(virQEMUCaps *qemuCaps);
 virSGXCapability *
 virQEMUCapsGetSGXCapabilities(virQEMUCaps *qemuCaps);
=20
+virCCACapability *
+virQEMUCapsGetCCACapabilities(virQEMUCaps *qemuCaps);
+
 bool
 virQEMUCapsGetKVMSupportsSecureGuest(virQEMUCaps *qemuCaps) G_NO_INLINE;
=20
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 23b7e6b4e8..647ec8da86 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -852,6 +852,8 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
             if (qemuSetupSEVCgroup(vm) < 0)
                 return -1;
             break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+            break;
         case VIR_DOMAIN_LAUNCH_SECURITY_PV:
             break;
         case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index a5ff7695c3..60ae213729 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -6894,6 +6894,9 @@ qemuBuildMachineCommandLine(virCommand *cmd,
         case VIR_DOMAIN_LAUNCH_SECURITY_PV:
             virBufferAddLit(&buf, ",confidential-guest-support=3Dlsec0");
             break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+            virBufferAddLit(&buf, ",confidential-guest-support=3Drme0");
+            break;
         case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
         case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
             virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sec=
type);
@@ -9644,6 +9647,32 @@ qemuBuildPVCommandLine(virDomainObj *vm, virCommand =
*cmd)
 }
=20
=20
+static int
+qemuBuildCCACommandLine(virDomainObj *vm, virCommand *cmd,
+                        virDomainCCADef *cca)
+{
+    g_autoptr(virJSONValue) props =3D NULL;
+    qemuDomainObjPrivate *priv =3D vm->privateData;
+
+    VIR_DEBUG("measurement_algorithm=3D%s", cca->measurement_algo);
+
+    if (cca->measurement_algo) {
+        if (qemuMonitorCreateObjectProps(&props, "rme-guest", "rme0",
+                                         "S:measurement-algorithm", cca->m=
easurement_algo,
+                                         NULL) < 0)
+            return -1;
+    } else {
+        if (qemuMonitorCreateObjectProps(&props, "rme-guest", "rme0", NULL=
) < 0)
+            return -1;
+    }
+
+    if (qemuBuildObjectCommandlineFromJSON(cmd, props, priv->qemuCaps) < 0)
+        return -1;
+
+    return 0;
+}
+
+
 static int
 qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
                         virDomainSecDef *sec)
@@ -9661,6 +9690,9 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand =
*cmd,
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
         return qemuBuildPVCommandLine(vm, cmd);
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+        return qemuBuildCCACommandLine(vm, cmd, &sec->data.cca);
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
     case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
         virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 72211da137..9745086c6a 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -19145,6 +19145,8 @@ qemuDomainGetLaunchSecurityInfo(virDomainPtr domain,
         if (qemuDomainGetSEVInfo(vm, params, nparams, flags) < 0)
             goto cleanup;
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
         break;
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index fd888e2468..56cee3e7a6 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -3472,6 +3472,16 @@ qemuMonitorGetSGXCapabilities(qemuMonitor *mon,
 }
=20
=20
+int
+qemuMonitorGetCCACapabilities(qemuMonitor *mon,
+                              virCCACapability **capabilities)
+{
+    QEMU_CHECK_MONITOR(mon);
+
+    return qemuMonitorJSONGetCCACapabilities(mon, capabilities);
+}
+
+
 int
 qemuMonitorNBDServerStart(qemuMonitor *mon,
                           const virStorageNetHostDef *server,
diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
index 4341519cfe..451ad2ff47 100644
--- a/src/qemu/qemu_monitor.h
+++ b/src/qemu/qemu_monitor.h
@@ -839,6 +839,9 @@ int qemuMonitorGetSEVCapabilities(qemuMonitor *mon,
 int qemuMonitorGetSGXCapabilities(qemuMonitor *mon,
                                   virSGXCapability **capabilities);
=20
+int qemuMonitorGetCCACapabilities(qemuMonitor *mon,
+                                  virCCACapability **capabilities);
+
 typedef enum {
   QEMU_MONITOR_MIGRATE_RESUME           =3D 1 << 0, /* resume failed post-=
copy migration */
   QEMU_MONITOR_MIGRATION_FLAGS_LAST
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
index c594b33106..2b0daa08db 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -6153,6 +6153,110 @@ qemuMonitorJSONGetSGXCapabilities(qemuMonitor *mon,
 }
=20
=20
+static int
+qemuMonitorJSONGetCCAMeasurementAlgo(qemuMonitor *mon,
+                                     size_t *numalgo,
+                                     char ***malgo)
+{
+    g_autoptr(virJSONValue) cmd =3D NULL;
+    g_autoptr(virJSONValue) reply =3D NULL;
+    virJSONValue *caps;
+    virJSONValue *malgolist =3D NULL;
+    g_auto(GStrv) list =3D NULL;
+    size_t i;
+    size_t n =3D 0;
+
+    if (!(cmd =3D qemuMonitorJSONMakeCommand("query-cca-capabilities",
+                                           NULL)))
+        return -1;
+
+    if (qemuMonitorJSONCommand(mon, cmd, &reply) < 0)
+        return -1;
+
+    /* If the 'query-cca-capabilities' QMP command was not available
+     * we simply successfully return zero capabilities.
+     * This is the current QEMU (=3D9.1.91) and all non-ARM architectures =
*/
+    if (qemuMonitorJSONHasError(reply, "CommandNotFound"))
+        return 0;
+
+    if (qemuMonitorJSONCheckError(cmd, reply) < 0)
+        return -1;
+
+    caps =3D virJSONValueObjectGetObject(reply, "return");
+
+    if (!(caps =3D qemuMonitorJSONGetReply(cmd, reply, VIR_JSON_TYPE_ARRAY=
)))
+        return -1;
+
+    if ((malgolist =3D virJSONValueObjectGetArray(caps, "sections"))) {
+        n =3D virJSONValueArraySize(caps);
+
+        /* If the recieved array is empty, an error is returned. */
+        if (n =3D=3D 0) {
+            *numalgo =3D n;
+            *malgo =3D NULL;
+
+            return -1;
+        }
+
+        list =3D g_new0(char *, n + 1);
+
+        for (i =3D 0; i < n; i++) {
+            virJSONValue *cap =3D virJSONValueArrayGet(malgolist, i);
+            const char *measurement_algo =3D NULL;
+
+            if (!cap || virJSONValueGetType(cap) !=3D VIR_JSON_TYPE_OBJECT=
) {
+                virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                               _("missing entry in CCA capabilities list")=
);
+                return -1;
+            }
+
+            if (!(measurement_algo =3D virJSONValueObjectGetString(cap, "m=
easurement-algo"))) {
+                virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                           _("query-cca-capabilities reply was missing 'me=
asurement-algo' field"));
+                return -1;
+            }
+
+            list[i] =3D g_strdup(measurement_algo);
+        }
+    }
+
+    *numalgo =3D n;
+    *malgo =3D g_steal_pointer(&list);
+    return 1;
+}
+
+
+/**
+ * qemuMonitorJSONGetCCACapabilities:
+ * @mon: qemu monitor object
+ * @capabilities: pointer to pointer to a CCA capability structure to be f=
illed
+ *
+ * Returns -1 on error, 0 if CCA is not supported, and 1 if CCA is support=
ed on
+ * the platform.
+ */
+int
+qemuMonitorJSONGetCCACapabilities(qemuMonitor *mon,
+                                  virCCACapability **capabilities)
+{
+    g_autoptr(virCCACapability) capability =3D NULL;
+    int ret =3D 0;
+
+    *capabilities =3D NULL;
+    capability =3D g_new0(virCCACapability, 1);
+
+    *capabilities =3D NULL;
+
+    ret =3D qemuMonitorJSONGetCCAMeasurementAlgo(mon,
+                                               &capability->nCcaMeasuremen=
tAlgo,
+                                               &capability->ccaMeasurement=
Algo);
+
+    if (ret > 0)
+        *capabilities =3D g_steal_pointer(&capability);
+
+    return ret;
+}
+
+
 static virJSONValue *
 qemuMonitorJSONBuildInetSocketAddress(const char *host,
                                       const char *port)
diff --git a/src/qemu/qemu_monitor_json.h b/src/qemu/qemu_monitor_json.h
index 10491b809b..46fb7bf108 100644
--- a/src/qemu/qemu_monitor_json.h
+++ b/src/qemu/qemu_monitor_json.h
@@ -168,6 +168,10 @@ int
 qemuMonitorJSONGetSEVCapabilities(qemuMonitor *mon,
                                   virSEVCapability **capabilities);
=20
+int
+qemuMonitorJSONGetCCACapabilities(qemuMonitor *mon,
+                                  virCCACapability **capabilities);
+
 int
 qemuMonitorJSONMigrate(qemuMonitor *mon,
                        unsigned int flags,
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 5d9385afd6..c9c1de179c 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -660,6 +660,8 @@ qemuDomainSetupLaunchSecurity(virDomainObj *vm,
=20
         VIR_DEBUG("Set up launch security for SEV");
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
         break;
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 0815bffe3c..695ee64373 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6714,6 +6714,8 @@ qemuProcessPrepareDomain(virQEMUDriver *driver,
             if (qemuProcessUpdateSEVInfo(vm) < 0)
                 return -1;
             break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+            break;
         case VIR_DOMAIN_LAUNCH_SECURITY_PV:
             break;
         case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
@@ -6786,6 +6788,8 @@ qemuProcessPrepareLaunchSecurityGuestInput(virDomainO=
bj *vm)
         return qemuProcessPrepareSEVGuestInput(vm);
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+        return 0;
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
         return 0;
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index fa23c5f973..c5e5de4d7e 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1369,6 +1369,13 @@ qemuValidateDomainDef(const virDomainDef *def,
                 return -1;
             }
             break;
+
+        case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+            if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_CCA_GUEST)) {
+                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("CCA la=
unch security is not supported by this QEMU binary"));
+            }
+            break;
+
         case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
         case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
             virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sec=
type);
--=20
2.34.1