[PATCH 3/3] arm64/coco: Add pKVM as a CC platform
Aneesh Kumar K.V
aneesh.kumar at kernel.org
Fri Jun 12 08:07:42 PDT 2026
Mostafa Saleh <smostafa at google.com> writes:
> On Thu, Jun 04, 2026 at 02:29:00PM +0530, Aneesh Kumar K.V wrote:
>> Mostafa Saleh <smostafa at google.com> writes:
>>
>> > pKVM does support memory encryption, expose that to the rest of
>> > the kernel through cc_platform_has()
>> >
>> > At the moment, all devices inside the guest are emulated which
>> > requires its memory to be shared back to the host (decrypted), so
>> > set force_dma_unencrypted() to always return true.
>> >
>> > Although, typically pKVM guests rely on restricted-dma-pools to
>> > bounce traffic, with this change, it is possible to solely rely on
>> > the default SWIOTLB for that (assuming the appropriate size is set
>> > from the command line)
>> >
>> > Signed-off-by: Mostafa Saleh <smostafa at google.com>
>> > ---
>> > This change is critical for the ongoing refactoring of the DMA-API[1]
>> > that will break protected guests under pKVM with this patch. That is
>> > because this rework will make the state of the SWIOTLB and restricted
>> > dma pools depend on the value returned by cc_platform_has()
>> >
>> > [1] https://lore.kernel.org/all/20260522042815.370873-1-aneesh.kumar@kernel.org/
>> > ---
>> > arch/arm64/include/asm/hypervisor.h | 13 +++++++++++++
>> > arch/arm64/include/asm/mem_encrypt.h | 3 ++-
>> > arch/arm64/kernel/rsi.c | 12 ------------
>> > arch/arm64/mm/init.c | 15 ++++++++++++++-
>> > drivers/virt/coco/pkvm-guest/arm-pkvm-guest.c | 3 +++
>> > 5 files changed, 32 insertions(+), 14 deletions(-)
>> >
>> > index d66291def0f4..26fe9c3f22e3 100644
> [...]
>> > --- a/drivers/virt/coco/pkvm-guest/arm-pkvm-guest.c
>> > +++ b/drivers/virt/coco/pkvm-guest/arm-pkvm-guest.c
>> > @@ -17,6 +17,7 @@
>> > #include <asm/hypervisor.h>
>> >
>> > static size_t pkvm_granule;
>> > +DEFINE_STATIC_KEY_FALSE_RO(pkvm_guest);
>> >
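Review bot: the new `DEFINE_STATIC_KEY_FALSE_RO(pkvm_guest);` line has no export and no comment, and it sits in a driver file while the diffstat shows `asm/hypervisor.h` and `arch/arm64/mm/init.c` changing in the same patch. If the helper added to `asm/hypervisor.h` tests this key inline, any caller built as a module will fail to link, so either export the key or keep the test out of line in built-in code. If arch code reads the key, also check that the build still links when this driver is not built in. Since the `_RO` variant makes the key read-only after init, a one-line comment naming the init path that enables it would help readers confirm it is set before it is sealed.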
>>
>> Do we need EXPORT_SYMBOL on this?
>
> I was not sure about that, all users of this are in tree, I saw RME
> code have the EXPORT but did not know why?
>
arm-cca-guest is one example. I was assuming is_protected_kvm_guest()
would be a helper that could get pulled into various code paths via
force_dma_unencrypted().
If we have not found any build failures for now, we can probably avoid
that change for now.
-aneesh