From: Kazuhiro Abe
To: devel@lists.libvirt.org
CC: taketani.ryo@fujitsu.com
Subject: [RFC PATCH v5 4/5] src: Add ARM CCA support in firmware feature
Date: Thu, 22 Jan 2026 18:58:37 +0900
Message-ID: <20260122095930.3544797-5-fj1078ii@aa.jp.fujitsu.com>
In-Reply-To: <20260122095930.3544797-1-fj1078ii@aa.jp.fujitsu.com>
References: <20260122095930.3544797-1-fj1078ii@aa.jp.fujitsu.com>

- Add ARM CCA to the supporting firmware feature.

Signed-off-by: Kazuhiro Abe
--- src/qemu/qemu_firmware.c | 19 ++++++++++++++- .../qemu/firmware/50-edk2-aarch64-armcca.json | 24 +++++++++++++++++++ tests/qemufirmwaretest.c | 3 +++ 3 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-= aarch64-armcca.json diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c index 9391956521..4395e79223 100644 --- a/src/qemu/qemu_firmware.c +++ b/src/qemu/qemu_firmware.c
@@ -142,6 +142,7 @@ typedef enum { QEMU_FIRMWARE_FEATURE_AMD_SEV_ES, QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP, QEMU_FIRMWARE_FEATURE_INTEL_TDX, + QEMU_FIRMWARE_FEATURE_ARM_CCA, QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS, QEMU_FIRMWARE_FEATURE_REQUIRES_SMM, QEMU_FIRMWARE_FEATURE_SECURE_BOOT, @@ -161,6 +162,7 @@ VIR_ENUM_IMPL(qemuFirmwareFeature, "amd-sev-es", "amd-sev-snp", "intel-tdx", + "arm-rme", "enrolled-keys", "requires-smm", "secure-boot", @@ -1092,6 +1094,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def, bool supportsSEVES =3D false; bool supportsSEVSNP =3D false; bool supportsTDX =3D false; + bool supportsARMCCA =3D false; bool supportsSecureBoot =3D false; bool hasEnrolledKeys =3D false; int reqSecureBoot; @@ -1169,6 +1172,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def, supportsTDX =3D true; break; =20 + case QEMU_FIRMWARE_FEATURE_ARM_CCA: + supportsARMCCA =3D true; + break; + case QEMU_FIRMWARE_FEATURE_REQUIRES_SMM: requiresSMM =3D true; break; @@ -1400,8 +1407,15 @@ qemuFirmwareMatchDomain(const virDomainDef *def, } break; =20 - case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_CCA: + if (!supportsARMCCA) { + VIR_DEBUG("Domain requires ARM-CCA firmware '%s' doesn't s= upport it", + path); + return false; + } + break; + + case VIR_DOMAIN_LAUNCH_SECURITY_PV: break; =20 case VIR_DOMAIN_LAUNCH_SECURITY_NONE: @@ -1516,6 +1530,7 @@ qemuFirmwareEnableFeaturesModern(virDomainDef *def, case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES: case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP: case QEMU_FIRMWARE_FEATURE_INTEL_TDX: + case QEMU_FIRMWARE_FEATURE_ARM_CCA: case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC: case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC: case QEMU_FIRMWARE_FEATURE_NONE: @@ -1566,6 +1581,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw, case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES: case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP: case QEMU_FIRMWARE_FEATURE_INTEL_TDX: + case QEMU_FIRMWARE_FEATURE_ARM_CCA: isConfidential =3D true; break; case QEMU_FIRMWARE_FEATURE_NONE: 
@@ -2062,6 +2078,7 @@ qemuFirmwareGetSupported(const char *machine, case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES: case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP: case QEMU_FIRMWARE_FEATURE_INTEL_TDX: + case QEMU_FIRMWARE_FEATURE_ARM_CCA: case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS: case QEMU_FIRMWARE_FEATURE_SECURE_BOOT: case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC: diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-aarch64= -armcca.json b/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-aarch= 64-armcca.json new file mode 100644 index 0000000000..681c1eadac --- /dev/null +++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-aarch64-armcca= .json @@ -0,0 +1,24 @@ +{ + "description": "UEFI firmware for ARM64 virtual machines with CCA supp= ort", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "memory", + "filename": "/usr/share/edk2/aarch64/QEMU_EFI-armcca.fd" + }, + "targets": [ + { + "architecture": "aarch64", + "machines": [ + "virt-*" + ] + } + ], + "features": [ + "arm-rme" + ], + "tags": [ + + ] +} diff --git a/tests/qemufirmwaretest.c b/tests/qemufirmwaretest.c index a4fb5c9b9c..091f385abb 100644 --- a/tests/qemufirmwaretest.c +++ b/tests/qemufirmwaretest.c @@ -89,6 +89,7 @@ testFWPrecedence(const void *opaque G_GNUC_UNUSED) PREFIX "/share/qemu/firmware/31-edk2-ovmf-2m-raw-x64-sb-enrolled.j= son", PREFIX "/share/qemu/firmware/40-edk2-ovmf-4m-qcow2-x64-sb.json", PREFIX "/share/qemu/firmware/41-edk2-ovmf-2m-raw-x64-sb.json", + PREFIX "/share/qemu/firmware/50-edk2-aarch64-armcca.json", PREFIX "/share/qemu/firmware/50-edk2-aarch64-qcow2.json", PREFIX "/share/qemu/firmware/50-edk2-loongarch64.json", PREFIX "/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json", 
@@ -269,6 +270,7 @@ mymain(void) DO_PARSE_TEST("usr/share/qemu/firmware/31-edk2-ovmf-2m-raw-x64-sb-enro= lled.json"); DO_PARSE_TEST("usr/share/qemu/firmware/40-edk2-ovmf-4m-qcow2-x64-sb.js= on"); DO_PARSE_TEST("usr/share/qemu/firmware/41-edk2-ovmf-2m-raw-x64-sb.json= "); + DO_PARSE_TEST("usr/share/qemu/firmware/50-edk2-aarch64-armcca.json"); DO_PARSE_TEST("usr/share/qemu/firmware/50-edk2-aarch64-qcow2.json"); DO_PARSE_TEST("usr/share/qemu/firmware/50-edk2-loongarch64.json"); DO_PARSE_TEST("usr/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.= json"); @@ -329,6 +331,7 @@ mymain(void) "/usr/share/edk2/ovmf/MICROVM.fd:NULL", VIR_DOMAIN_OS_DEF_FIRMWARE_EFI); DO_SUPPORTED_TEST("virt-3.1", VIR_ARCH_AARCH64, false, + "/usr/share/edk2/aarch64/QEMU_EFI-armcca.fd:NULL:" "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.qcow= 2:/usr/share/edk2/aarch64/vars-template-pflash.qcow2:" "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw:= /usr/share/edk2/aarch64/vars-template-pflash.raw:" "/usr/share/edk2/aarch64/QEMU_EFI-pflash.qcow2:/usr/= share/edk2/aarch64/vars-template-pflash.qcow2:" --=20 2.43.0
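Review bot: In the VIR_ENUM_IMPL(qemuFirmwareFeature, ...) hunk of src/qemu/qemu_firmware.c the new value QEMU_FIRMWARE_FEATURE_ARM_CCA is given the string "arm-rme", so the C identifier and the descriptor keyword name the same feature differently, unlike the neighbouring pairs (AMD_SEV_SNP / "amd-sev-snp", INTEL_TDX / "intel-tdx"), and neither the commit message nor a comment explains the difference. Either name the enum after the string, or add a one-line comment at the enum entry saying that "arm-rme" is the descriptor spelling for CCA firmware, and state in the commit message where that spelling is defined.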
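Review bot: The new return false path in the VIR_DOMAIN_LAUNCH_SECURITY_CCA case of qemuFirmwareMatchDomain has no test in this patch; the three test hunks only touch testFWPrecedence, DO_PARSE_TEST and DO_SUPPORTED_TEST. CCA previously shared the plain break with VIR_DOMAIN_LAUNCH_SECURITY_PV, so this is a behaviour change for every CCA domain that uses firmware autoselection, and a test that such a domain rejects a descriptor without the feature and accepts 50-edk2-aarch64-armcca.json would cover it. As a smaller point in the same case, the VIR_DEBUG text "Domain requires ARM-CCA firmware '%s' doesn't support it" runs two clauses together; a comma or "but" after "ARM-CCA" makes the log line readable.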
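Review bot: In the DO_SUPPORTED_TEST("virt-3.1", VIR_ARCH_AARCH64, ...) hunk the CCA build "/usr/share/edk2/aarch64/QEMU_EFI-armcca.fd:NULL:" is now the first entry of the expected list, and in testFWPrecedence 50-edk2-aarch64-armcca.json sorts ahead of 50-edk2-aarch64-qcow2.json, so the confidential-guest firmware becomes the highest-priority aarch64 descriptor. The qemuFirmwareMatchDomain change only rejects a descriptor when the domain asks for CCA and the firmware lacks the feature; nothing in the visible hunks shows the reverse, that a domain without launch security skips a descriptor whose only feature is "arm-rme". Please confirm that a plain aarch64 domain does not autoselect the CCA firmware, and add a test for that case, or name the descriptor so it sorts after the general-purpose ones.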