From nobody Wed Sep 10 02:01:32 2025 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 2CA931E51EA for ; Mon, 8 Sep 2025 22:35:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757370936; cv=none; b=bye2rNupqPm0ozbMm9aBWlcFUTC4yheARwJIfgoHNFqEIRwwfLaGg0j473GVq50O4BW2h0gS6FiqvBo5gaTR2lKQRf9F4CQETTgIS2vWg1LwciOQyGVowmA+BpEH/XF9OS7oBycEhVlhNp9wF+D1wVOzEv9aIi9EHTK2LgpK8Cc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757370936; c=relaxed/simple; bh=m2aotPAjAfucG7pVckcft7eX9s8Q4Ro8IiQU86TQZNw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=rNTcSFGHMowIZxm6xmsbiKwXTARvgELw+zsGYQPx4MW5BP8w4XIHOq3L1W8h4ALaAQ5RT9XyUcDrwc+xdhxpJzoZa7XTDaEXrh7y1ZZ8ZJx0eD2YlxI39VSHZBKyCl9e1mwZ6LA/M2QWbLSp7LSFT5nsHDn074Gtt1+Be6Jn7TA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 2794C1C14; Mon, 8 Sep 2025 15:35:26 -0700 (PDT) Received: from ewhatever.cambridge.arm.com (ewhatever.cambridge.arm.com [10.1.197.1]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 24FB53F694; Mon, 8 Sep 2025 15:35:33 -0700 (PDT) From: Suzuki K Poulose To: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev, catalin.marinas@arm.com, will@kernel.org, gshan@redhat.com, aneesh.kumar@kernel.org, sami.mujawar@arm.com, sudeep.holla@arm.com, steven.price@arm.com, Suzuki K Poulose Subject: [PATCH v2 1/3] arm64: realm: ioremap: Allow mapping memory as encrypted Date: Mon, 8 Sep 2025 23:35:17 +0100 Message-ID: <20250908223519.1759020-2-suzuki.poulose@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250908223519.1759020-1-suzuki.poulose@arm.com> References: <20250908223519.1759020-1-suzuki.poulose@arm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" For ioremap(), so far we only checked if it was a device (RIPAS_DEV) to cho= ose an encrypted vs decrypted mapping. However, we may have firmware reserved m= emory regions exposed to the OS (e.g., EFI Coco Secret Securityfs, ACPI CCEL). We need to make sure that anything that is RIPAS_RAM (i.e., Guest protected memory with RMM guarantees) are also mapped as encrypted. Rephrasing the above, anything that is not RIPAS_EMPTY is guaranteed to be protected by the RMM. Thus we choose encrypted mapping for anything that is= not RIPAS_EMPTY. While at it, rename the helper function __arm64_is_protected_mmio =3D> arm64_rsi_is_protected to clearly indicate that this not an arm64 generic helper, but something to= do with Realms. Cc: Sami Mujawar Cc: Will Deacon Cc: Catalin Marinas Cc: Aneesh Kumar K.V Cc: Steven Price Reviewed-by: Gavin Shan Reviewed-by: Steven Price Tested-by: Sami Mujawar Signed-off-by: Suzuki K Poulose --- arch/arm64/include/asm/io.h | 2 +- arch/arm64/include/asm/rsi.h | 2 +- arch/arm64/kernel/rsi.c | 26 ++++++++++++++++++++++---- 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h index 9b96840fb979..82276282a3c7 100644 --- a/arch/arm64/include/asm/io.h +++ b/arch/arm64/include/asm/io.h @@ -311,7 +311,7 @@ extern bool arch_memremap_can_ram_remap(resource_size_t= offset, size_t size, static inline bool arm64_is_protected_mmio(phys_addr_t phys_addr, size_t s= ize) { if (unlikely(is_realm_world())) - return __arm64_is_protected_mmio(phys_addr, size); + return arm64_rsi_is_protected(phys_addr, size); return false; } =20 diff --git a/arch/arm64/include/asm/rsi.h b/arch/arm64/include/asm/rsi.h index b42aeac05340..88b50d660e85 100644 --- a/arch/arm64/include/asm/rsi.h +++ b/arch/arm64/include/asm/rsi.h @@ -16,7 +16,7 @@ DECLARE_STATIC_KEY_FALSE(rsi_present); =20 void __init arm64_rsi_init(void); =20 -bool __arm64_is_protected_mmio(phys_addr_t base, size_t size); +bool arm64_rsi_is_protected(phys_addr_t base, size_t size); =20 static inline bool is_realm_world(void) { diff --git a/arch/arm64/kernel/rsi.c b/arch/arm64/kernel/rsi.c index ce4778141ec7..c64a06f58c0b 100644 --- a/arch/arm64/kernel/rsi.c +++ b/arch/arm64/kernel/rsi.c @@ -84,7 +84,25 @@ static void __init arm64_rsi_setup_memory(void) } } =20 -bool __arm64_is_protected_mmio(phys_addr_t base, size_t size) +/* + * Check if a given PA range is Trusted (e.g., Protected memory, a Trusted= Device + * mapping, or an MMIO emulated in the Realm world). + * + * We can rely on the RIPAS value of the region to detect if a given regio= n is + * protected. + * + * RIPAS_DEV - A trusted device memory or a trusted emulated MMIO (in the= Realm + * world + * RIPAS_RAM - Memory (RAM), protected by the RMM guarantees. (e.g., Firm= ware + * reserved regions for data sharing). + * + * RIPAS_DESTROYED is a special case of one of the above, where the host = did + * something without our permission and as such we can't do anything abou= t it. + * + * The only case where something is emulated by the untrusted hypervisor o= r is + * backed by shared memory is indicated by RSI_RIPAS_EMPTY. + */ +bool arm64_rsi_is_protected(phys_addr_t base, size_t size) { enum ripas ripas; phys_addr_t end, top; @@ -101,18 +119,18 @@ bool __arm64_is_protected_mmio(phys_addr_t base, size= _t size) break; if (WARN_ON(top <=3D base)) break; - if (ripas !=3D RSI_RIPAS_DEV) + if (ripas =3D=3D RSI_RIPAS_EMPTY) break; base =3D top; } =20 return base >=3D end; } -EXPORT_SYMBOL(__arm64_is_protected_mmio); +EXPORT_SYMBOL(arm64_rsi_is_protected); =20 static int realm_ioremap_hook(phys_addr_t phys, size_t size, pgprot_t *pro= t) { - if (__arm64_is_protected_mmio(phys, size)) + if (arm64_rsi_is_protected(phys, size)) *prot =3D pgprot_encrypted(*prot); else *prot =3D pgprot_decrypted(*prot); --=20 2.43.0 From nobody Wed Sep 10 02:01:32 2025 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id D16212EC0AA for ; Mon, 8 Sep 2025 22:35:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757370938; cv=none; b=GNSyk1zF5ZInRI+mCOcm9UzV0b7c+Ezvq5e5CI6PcAJ0H9+s9xmxutWyAs/5++UeV1ZLRztsOvVItqTRPsosQ8zf3ouIpm0do0ilVPrYonOvwcvg6TmOec/G993Orsj5UdC3QhM0pcu7qCkDpzm6pRNGeRG6yVhKVw6trW3iwi0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757370938; c=relaxed/simple; bh=bwvyHVJBZAjMcnsVcx3mFaC9jBdi0suEgz8i+jKzcy8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=q9nJzMyf/IDL5r1PJPP1N1FPifCihpisc8ayegEqd09zceDSCOEb+Geux1kGNEW3IHc32bZpZQ4QwKF3/qwOFLfeXqVOzwshxuhIRR5zzYBNoUrwKc7yR+DXVzyU7O7CkAaGkSquDK53owpHBk6X4YDr1DejrhvKmhWccFojvko= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id BC5EF2F9D; Mon, 8 Sep 2025 15:35:27 -0700 (PDT) Received: from ewhatever.cambridge.arm.com (ewhatever.cambridge.arm.com [10.1.197.1]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id B88E03F694; Mon, 8 Sep 2025 15:35:34 -0700 (PDT) From: Suzuki K Poulose To: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev, catalin.marinas@arm.com, will@kernel.org, gshan@redhat.com, aneesh.kumar@kernel.org, sami.mujawar@arm.com, sudeep.holla@arm.com, steven.price@arm.com, Suzuki K Poulose Subject: [PATCH v2 2/3] arm64: Enable EFI secret area Securityfs support Date: Mon, 8 Sep 2025 23:35:18 +0100 Message-ID: <20250908223519.1759020-3-suzuki.poulose@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250908223519.1759020-1-suzuki.poulose@arm.com> References: <20250908223519.1759020-1-suzuki.poulose@arm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Enable EFI COCO secrets support. Provide the ioremap_encrypted() support re= quired by the driver. Cc: Sami Mujawar Cc: Will Deacon Cc: Catalin Marinas Cc: Aneesh Kumar K.V Cc: Steven Price Reviewed-by: Gavin Shan Tested-by: Sami Mujawar Signed-off-by: Suzuki K Poulose --- arch/arm64/include/asm/io.h | 4 ++++ drivers/virt/coco/efi_secret/Kconfig | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h index 82276282a3c7..83e03abbb2ca 100644 --- a/arch/arm64/include/asm/io.h +++ b/arch/arm64/include/asm/io.h @@ -274,6 +274,10 @@ int arm64_ioremap_prot_hook_register(const ioremap_pro= t_hook_t hook); #define ioremap_np(addr, size) \ ioremap_prot((addr), (size), __pgprot(PROT_DEVICE_nGnRnE)) =20 + +#define ioremap_encrypted(addr, size) \ + ioremap_prot((addr), (size), PAGE_KERNEL) + /* * io{read,write}{16,32,64}be() macros */ diff --git a/drivers/virt/coco/efi_secret/Kconfig b/drivers/virt/coco/efi_s= ecret/Kconfig index 4404d198f3b2..94d88e5da707 100644 --- a/drivers/virt/coco/efi_secret/Kconfig +++ b/drivers/virt/coco/efi_secret/Kconfig @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0-only config EFI_SECRET tristate "EFI secret area securityfs support" - depends on EFI && X86_64 + depends on EFI && (X86_64 || ARM64) select EFI_COCO_SECRET select SECURITYFS help --=20 2.43.0 From nobody Wed Sep 10 02:01:32 2025 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 597302EF66C for ; Mon, 8 Sep 2025 22:35:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757370939; cv=none; b=Rb8R4NGHLVUD0HkmXgPkdcLKpGKgSD5vs3ArOxcjt+jIzBNMqIihrhVLyZNUkTe6AB69BGDD36RSRMUH1INjYdgaC/lCukPplrXEqN3V6JjJE+3uHMnRvDCpQrpREz5qPbbfm4CEl0BZR2HUQ24E4z4jgWt0mgYSX+cU26ZW+KY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757370939; c=relaxed/simple; bh=rbvboZZ1ZVqBG/4LKcVh3kB2RdRKMoUZ2A70CphpX+4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=VHdAYqUnKmrCtqUctOmOYHBXAthjoU2iYCVJYi8SDLXo27SntdXjKxNHCOvdXSX0G+4FChsk1ccbYHunUi6GpBrD82UoaKe5Wf7OH2fUUQoZeIlK59+UpoBCPwDl/uLQqnx7jhjq8dYwd7Muo6Rl5o3bTaTPkbbNwIGnsYRKRQw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 5C3D33024; Mon, 8 Sep 2025 15:35:29 -0700 (PDT) Received: from ewhatever.cambridge.arm.com (ewhatever.cambridge.arm.com [10.1.197.1]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 57A583F694; Mon, 8 Sep 2025 15:35:36 -0700 (PDT) From: Suzuki K Poulose To: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev, catalin.marinas@arm.com, will@kernel.org, gshan@redhat.com, aneesh.kumar@kernel.org, sami.mujawar@arm.com, sudeep.holla@arm.com, steven.price@arm.com, Suzuki K Poulose Subject: [PATCH v2 3/3] arm64: acpi: Enable ACPI CCEL support Date: Mon, 8 Sep 2025 23:35:19 +0100 Message-ID: <20250908223519.1759020-4-suzuki.poulose@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250908223519.1759020-1-suzuki.poulose@arm.com> References: <20250908223519.1759020-1-suzuki.poulose@arm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add support for ACPI CCEL by handling the EfiACPIMemoryNVS type memory. As per UEFI specifications NVS memory is reserved for Firmware use even after exiting boot services. Thus map the region as read-only. Cc: Sami Mujawar Cc: Will Deacon Cc: Catalin Marinas Cc: Aneesh Kumar K.V Cc: Steven Price Cc: Sudeep Holla Cc: Gavin Shan Signed-off-by: Suzuki K Poulose --- Changes since v1 - Map NVS region as read-only, update comment to clarify that the region is reserved for firmware use. --- arch/arm64/kernel/acpi.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c index 4d529ff7ba51..93b70f48a51f 100644 --- a/arch/arm64/kernel/acpi.c +++ b/arch/arm64/kernel/acpi.c @@ -360,6 +360,17 @@ void __iomem *acpi_os_ioremap(acpi_physical_address ph= ys, acpi_size size) prot =3D PAGE_KERNEL_RO; break; =20 + case EFI_ACPI_MEMORY_NVS: + /* + * ACPI NVS marks an area reserved for use by the + * firmware, even after exiting the boot service. + * This may be used by the firmware for sharing dynamic + * tables/data (e.g., ACPI CCEL) with the OS. Map it + * as read-only. + */ + prot =3D PAGE_KERNEL_RO; + break; + case EFI_ACPI_RECLAIM_MEMORY: /* * ACPI reclaim memory is used to pass firmware tables --=20 2.43.0