From: Kazuhiro Abe
To: devel@lists.libvirt.org
CC: taketani.ryo@fujitsu.com
Subject: [RFC PATCH v5 1/5] src: Add ARM CCA support in qemu driver to launch VM
Date: Thu, 22 Jan 2026 18:58:34 +0900
Message-ID: <20260122095930.3544797-2-fj1078ii@aa.jp.fujitsu.com>
In-Reply-To: <20260122095930.3544797-1-fj1078ii@aa.jp.fujitsu.com>
References: <20260122095930.3544797-1-fj1078ii@aa.jp.fujitsu.com>

From: Akio Kakuno

- Add ARM CCA support to the qemu driver for aarch64 systems.

[XML example]
... sha256 ...

Signed-off-by: Kazuhiro Abe --- docs/formatdomain.rst | 46 ++++++++++++++++++++++++++++++++++ src/conf/domain_capabilities.h | 6 +++++ src/conf/domain_conf.c | 25 ++++++++++++++++++ src/conf/domain_conf.h | 9 +++++++ src/conf/domain_validate.c | 1 + src/conf/virconftypes.h | 2 ++ src/qemu/qemu_capabilities.c | 4 +++ src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_cgroup.c | 2 ++ src/qemu/qemu_command.c | 30 ++++++++++++++++++++++ src/qemu/qemu_driver.c | 2 ++ src/qemu/qemu_firmware.c | 1 + src/qemu/qemu_namespace.c | 2 ++ src/qemu/qemu_process.c | 4 +++ src/qemu/qemu_validate.c | 4 +++ src/security/security_dac.c | 2 ++ 16 files changed, 141 insertions(+) diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 04ef319a73..19c6006980 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst 
@@ -9728,6 +9728,52 @@ Example configuration: ``/var/run/tdx-qgs/qgs.socket`` is used as default. User in TD guest ca= nnot get TD quoting for attestation if this subelement is not provided. =20 +The contents of the ```` element is used to c= reate +RealmVM using the Arm CCA feature (Confidential Compute Architecture). +CCA :since:`Since 11.0.0` enhances the virtualization capabilities of the +platform by separating the management of resources from access to those re= sources. +This is achieved by extending the TrustZone of Cortex-A's Normal and Secure +world concepts and adding the Realm world and the underlying Root world. +The Secure Monitor runs in the root world and manages the transition betwe= en +these security states. For more information see the Learn the architecture= - +Arm Confidential Compute Architecture software stack: +``__ + +:: + + + ... + + sha256 + ... + + ... + + +The ```` element accepts the following attributes: + +``measurement-algo`` + The optional ``measurement-algo`` element determines algorithm used to + describe blob hashes. + The default value, when omitted, is determined by QEMU. + +``personalization-value`` + The optional ``personalization-value`` element is used to configure + the Realm Personalization Value (RPV). The Realm Personalization + Value (RPV) is provided by the user to distinguish Realms that have + the same initial measurement. The personalization-value for libvirt + must be an 88-character string representing the Base64 encoding of + the 64-byte hexadecimal value defined in the RMM specification. + Ensure that you encode the 64-byte hex value from the RMM specification + using Base64 before providing it to libvirt. + The default value, when omitted, is determined by QEMU. + +``measurement-log`` + The optional ``measurement-log`` element provides a way to create + an event log in the format defined by the Trusted Computing Group + for TPM2. + The default value, when omitted, is determined by QEMU. 
+ Example configs =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 diff --git a/src/conf/domain_capabilities.h b/src/conf/domain_capabilities.h index 437981c711..0ce68b44ef 100644 --- a/src/conf/domain_capabilities.h +++ b/src/conf/domain_capabilities.h @@ -245,6 +245,12 @@ struct _virSGXCapability { virSGXSection *sgxSections; }; =20 +typedef struct _virCCACapability virCCACapability; +struct _virCCACapability { + size_t nCcaMeasurementAlgo; + char **ccaMeasurementAlgo; +}; + STATIC_ASSERT_ENUM(VIR_DOMAIN_CRYPTO_MODEL_LAST); STATIC_ASSERT_ENUM(VIR_DOMAIN_CRYPTO_TYPE_LAST); STATIC_ASSERT_ENUM(VIR_DOMAIN_CRYPTO_BACKEND_LAST); diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 9ca5c2450c..3a8f9c0316 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -1545,6 +1545,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity, "sev-snp", "s390-pv", "tdx", + "cca", ); =20 VIR_ENUM_IMPL(virDomainPstoreBackend, @@ -3972,6 +3973,10 @@ virDomainSecDefFree(virDomainSecDef *def) g_free(def->data.tdx.mrownerconfig); g_free(def->data.tdx.qgs_unix_path); break; + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: + g_free(def->data.cca.measurement_algo); + g_free(def->data.cca.personalization_value); + break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: @@ -14316,6 +14321,21 @@ virDomainTDXDefParseXML(virDomainTDXDef *def, } =20 =20 +static int +virDomainCCADefParseXML(virDomainCCADef *def, + xmlXPathContextPtr ctxt) +{ + def->measurement_algo =3D virXPathString("string(./measurement-algo)",= ctxt); + def->personalization_value =3D virXPathString("string(./personalizatio= n-value)", ctxt); + + if (virXMLPropTristateBool(ctxt->node, "measurement-log", VIR_XML_PROP= _NONE, + &def->measurement_log) < 0) + return -1; + + return 0; +} + + static virDomainSecDef * virDomainSecDefParseXML(xmlNodePtr lsecNode, xmlXPathContextPtr ctxt) 
@@ -14345,6 +14365,10 @@ virDomainSecDefParseXML(xmlNodePtr lsecNode, break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: break; + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: + if (virDomainCCADefParseXML(&sec->data.cca, ctxt) < 0) + return NULL; + break; case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: default: @@ -28021,6 +28045,7 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecD= ef *sec) break; =20 case VIR_DOMAIN_LAUNCH_SECURITY_PV: + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: break; =20 case VIR_DOMAIN_LAUNCH_SECURITY_NONE: diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index cb35ff06bd..dfe903e85e 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -2976,6 +2976,7 @@ typedef enum { VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP, VIR_DOMAIN_LAUNCH_SECURITY_PV, VIR_DOMAIN_LAUNCH_SECURITY_TDX, + VIR_DOMAIN_LAUNCH_SECURITY_CCA, =20 VIR_DOMAIN_LAUNCH_SECURITY_LAST, } virDomainLaunchSecurity; @@ -3029,12 +3030,20 @@ struct _virDomainTDXDef { #define VIR_DOMAIN_TDX_POLICY_ALLOWED_MASK (VIR_DOMAIN_TDX_POLICY_DE= BUG | \ VIR_DOMAIN_TDX_POLICY_SE= PT_VE_DISABLE) =20 +struct _virDomainCCADef { + char *measurement_algo; + char *personalization_value; + virTristateBool measurement_log; +}; + + struct _virDomainSecDef { virDomainLaunchSecurity sectype; union { virDomainSEVDef sev; virDomainSEVSNPDef sev_snp; virDomainTDXDef tdx; + virDomainCCADef cca; } data; }; =20 diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c index 7346a61731..0a82f63aee 100644 --- a/src/conf/domain_validate.c +++ b/src/conf/domain_validate.c @@ -2000,6 +2000,7 @@ virDomainDefLaunchSecurityValidate(const virDomainDef= *def) case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_SEV: case VIR_DOMAIN_LAUNCH_SECURITY_PV: + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: break; } diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h index 6e2573035a..475ec99a4e 100644 --- a/src/conf/virconftypes.h 
+++ b/src/conf/virconftypes.h @@ -224,6 +224,8 @@ typedef struct _virDomainSEVSNPDef virDomainSEVSNPDef; =20 typedef struct _virDomainTDXDef virDomainTDXDef; =20 +typedef struct _virDomainCCADef virDomainCCADef; + typedef struct _virDomainSecDef virDomainSecDef; =20 typedef struct _virDomainShmemDef virDomainShmemDef; diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 92b863a826..9a2eadb673 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -755,6 +755,7 @@ VIR_ENUM_IMPL(virQEMUCaps, "disk-timed-stats", /* QEMU_CAPS_DISK_TIMED_STATS */ "query-accelerators", /* QEMU_CAPS_QUERY_ACCELERATORS */ "mshv", /* QEMU_CAPS_MSHV */ + "rme-guest", /* QEMU_CAPS_CCA_GUEST */ ); =20 =20 @@ -840,6 +841,8 @@ struct _virQEMUCaps { =20 virSGXCapability *sgxCapabilities; =20 + virCCACapability *ccaCapabilities; + virDomainCapsFeatureHyperv *hypervCapabilities; =20 /* Capabilities which may differ depending on the accelerator. */ @@ -1462,6 +1465,7 @@ struct virQEMUCapsStringFlags virQEMUCapsObjectTypes[= ] =3D { { "tpm-emulator", QEMU_CAPS_DEVICE_TPM_EMULATOR }, { "tpm-passthrough", QEMU_CAPS_DEVICE_TPM_PASSTHROUGH }, { "acpi-generic-initiator", QEMU_CAPS_ACPI_GENERIC_INITIATOR }, + { "rme-guest", QEMU_CAPS_CCA_GUEST }, }; =20 =20 diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h index f180844e66..71e3440180 100644 --- a/src/qemu/qemu_capabilities.h +++ b/src/qemu/qemu_capabilities.h @@ -730,6 +730,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for = syntax-check */ QEMU_CAPS_DISK_TIMED_STATS, /* timed stats support ('stats-intervals' = property of disk frontends) */ QEMU_CAPS_QUERY_ACCELERATORS, /* query-accelerators command */ QEMU_CAPS_MSHV, /* -accel mshv */ + QEMU_CAPS_CCA_GUEST, /* -object rme-guest */ =20 QEMU_CAPS_LAST /* this must always be the last item */ } virQEMUCapsFlags; diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 7dadef0739..9adb4bed1c 100644 
--- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -874,6 +874,8 @@ qemuSetupDevicesCgroup(virDomainObj *vm) if (qemuSetupSEVCgroup(vm) < 0) return -1; break; + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: + break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: break; diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 0de0a79b46..d12c84e048 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -7244,6 +7244,9 @@ qemuBuildMachineCommandLine(virCommand *cmd, case VIR_DOMAIN_LAUNCH_SECURITY_TDX: virBufferAddLit(&buf, ",confidential-guest-support=3Dlsec0"); break; + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: + virBufferAddLit(&buf, ",confidential-guest-support=3Drme0"); + break; case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sec= type); @@ -10052,6 +10055,29 @@ qemuBuildTDXCommandLine(virCommand *cmd, virDomain= TDXDef *tdx) } =20 =20 +static int +qemuBuildCCACommandLine(virCommand *cmd, virDomainCCADef *cca) +{ + g_autoptr(virJSONValue) props =3D NULL; + + VIR_DEBUG("measurement_algorithm=3D%s personalization_value=3D%s measu= rement_log=3D%d", + cca->measurement_algo, cca->personalization_value, + cca->measurement_log); + + if (qemuMonitorCreateObjectProps(&props, "rme-guest", "rme0", + "S:measurement-algorithm", cca->measu= rement_algo, + "S:personalization-value", cca->perso= nalization_value, + "T:measurement-log", cca->measurement= _log, + NULL) < 0) + return -1; + + if (qemuBuildObjectCommandlineFromJSON(cmd, props) < 0) + return -1; + + return 0; +} + + static int qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd, virDomainSecDef *sec) 
@@ -10071,6 +10097,10 @@ qemuBuildSecCommandLine(virDomainObj *vm, virComma= nd *cmd, =20 case VIR_DOMAIN_LAUNCH_SECURITY_TDX: return qemuBuildTDXCommandLine(cmd, &sec->data.tdx); + + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: + return qemuBuildCCACommandLine(cmd, &sec->data.cca); + case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype); diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 3f154969b8..619d80bc24 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -19452,6 +19452,8 @@ qemuDomainGetLaunchSecurityInfo(virDomainPtr domain, if (qemuDomainGetSEVInfo(vm, list, flags) < 0) goto cleanup; break; + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: + break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: break; diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c index 52205b72f8..9391956521 100644 --- a/src/qemu/qemu_firmware.c +++ b/src/qemu/qemu_firmware.c @@ -1401,6 +1401,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def, break; =20 case VIR_DOMAIN_LAUNCH_SECURITY_PV: + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: break; =20 case VIR_DOMAIN_LAUNCH_SECURITY_NONE: diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c index c689cc3e40..6ba7e5cab4 100644 --- a/src/qemu/qemu_namespace.c +++ b/src/qemu/qemu_namespace.c @@ -672,6 +672,8 @@ qemuDomainSetupLaunchSecurity(virDomainObj *vm, =20 VIR_DEBUG("Set up launch security for SEV"); break; + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: + break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: break; diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index a53bb40783..ebf1e27ccf 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c 
@@ -7144,6 +7144,8 @@ qemuProcessPrepareDomain(virQEMUDriver *driver, if (qemuProcessUpdateSEVInfo(vm) < 0) return -1; break; + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: + break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: break; @@ -7217,6 +7219,8 @@ qemuProcessPrepareLaunchSecurityGuestInput(virDomainO= bj *vm) return qemuProcessPrepareSEVGuestInput(vm); case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP: break; + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: + return 0; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: return 0; diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c index 184c23d307..167a4b532f 100644 --- a/src/qemu/qemu_validate.c +++ b/src/qemu/qemu_validate.c @@ -1512,6 +1512,10 @@ qemuValidateDomainDef(const virDomainDef *def, return -1; } break; + + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: + break; + case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sec= type); diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 2f788b872a..3c85f0bc15 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -2018,6 +2018,7 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr, break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: break; case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: @@ -2265,6 +2266,7 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr, break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + case VIR_DOMAIN_LAUNCH_SECURITY_CCA: break; case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: --=20 2.43.0
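Review bot: In the docs/formatdomain.rst hunk, the list is introduced as attributes of the launchSecurity element, each entry is then called an element, and neither wording matches the parser in this patch: virDomainCCADefParseXML reads measurement-algo and personalization-value as child elements (string(./measurement-algo), string(./personalization-value)) and measurement-log as an attribute through virXMLPropTristateBool. Describe measurement-log as an attribute and the other two as subelements. The RPV paragraph also states the Base64 requirement twice; one sentence is enough. Please confirm that the :since: version is the release this series is targeting.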
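Review bot: In the src/conf/domain_capabilities.h hunk and the struct _virQEMUCaps hunk in src/qemu/qemu_capabilities.c, virCCACapability and the ccaCapabilities member are introduced but nothing in this patch allocates, copies, frees or reads them. Move both to the patch in the series that populates them, or add the copy and free handling here, so that each patch is complete on its own.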
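Review bot: In the virDomainSecDefFormat hunk of src/conf/domain_conf.c, VIR_DOMAIN_LAUNCH_SECURITY_CCA is added to the empty PV case, so none of the fields that virDomainCCADefParseXML stores (measurement_algo, personalization_value, measurement_log) are written back out. The settings are dropped whenever the definition is formatted again. Give CCA its own branch that emits the measurement-log attribute and the two subelements, and add an XML round-trip test case.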
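Review bot: In the virDomainDefLaunchSecurityValidate hunk of src/conf/domain_validate.c, CCA joins the cases that perform no validation, although the documentation added by this patch says personalization-value must be an 88-character Base64 string encoding a 64-byte value. As written, any string is accepted and passed to QEMU unchanged by qemuBuildCCACommandLine. Check the length and that the value decodes to 64 bytes here, and report a configuration error otherwise.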
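Review bot: Style point in the src/qemu/qemu_cgroup.c hunk (the same pattern recurs in qemu_driver.c, qemu_namespace.c and both qemu_process.c hunks): CCA gets its own "case VIR_DOMAIN_LAUNCH_SECURITY_CCA: break;" directly above the PV/TDX group, which also only breaks (or returns 0). Add the label to the existing group instead, as the security_dac.c hunks in this patch already do.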
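Review bot: In qemuBuildCCACommandLine (src/qemu/qemu_command.c), the VIR_DEBUG call passes cca->measurement_algo and cca->personalization_value to %s, but both are optional and are NULL when omitted from the XML; wrap them in NULLSTR(). The object id "rme0" is also hard-coded here and again in qemuBuildMachineCommandLine (",confidential-guest-support=rme0"), while the TDX case just above it uses lsec0. Reusing one id or a shared constant would keep the two strings from drifting apart.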
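Review bot: In the qemuValidateDomainDef hunk of src/qemu/qemu_validate.c, the CCA case only breaks, so QEMU_CAPS_CCA_GUEST, which this patch adds and maps to the rme-guest object type, is never tested anywhere in the patch. A domain that requests cca on a QEMU binary without rme-guest would then fail only when QEMU rejects the -object argument at startup. Check virQEMUCapsGet(qemuCaps, QEMU_CAPS_CCA_GUEST) in this case and report VIR_ERR_CONFIG_UNSUPPORTED when it is missing.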