[PATCH v14 27/44] arm64: RMI: Set RIPAS of initial memslots
Aneesh Kumar K.V
aneesh.kumar at kernel.org
Tue May 19 05:55:52 PDT 2026
Suzuki K Poulose <suzuki.poulose at arm.com> writes:
> On 19/05/2026 11:02, Aneesh Kumar K.V wrote:
>> Steven Price <steven.price at arm.com> writes:
>>
>>> The memory which the realm guest accesses must be set to RIPAS_RAM.
>>> Iterate over the memslots and set all gmem memslots to RIPAS_RAM.
>>>
>>> Signed-off-by: Steven Price <steven.price at arm.com>
>>> ---
>>
>> ...
>>
>>> +static int set_ripas_of_protected_regions(struct kvm *kvm)
>>> +{
>>> + struct kvm_memslots *slots;
>>> + struct kvm_memory_slot *memslot;
>>> + int idx, bkt;
>>> + int ret = 0;
>>> +
>>> + idx = srcu_read_lock(&kvm->srcu);
>>> +
>>> + slots = kvm_memslots(kvm);
>>> + kvm_for_each_memslot(memslot, bkt, slots) {
>>> + if (!kvm_slot_has_gmem(memslot))
>>> + continue;
>>> +
>>> + ret = realm_init_ipa_state(kvm, memslot->base_gfn,
>>> + memslot->npages);
>>> + if (ret)
>>> + break;
>>> + }
>>> + srcu_read_unlock(&kvm->srcu, idx);
>>> +
>>> + return ret;
>>> +}
>>> +
>>> int kvm_arm_rmi_populate(struct kvm *kvm,
>>> struct kvm_arm_rmi_populate *args)
>>> {
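Review bot: set_ripas_of_protected_regions() breaks out of the kvm_for_each_memslot() loop on the first realm_init_ipa_state() failure and returns, leaving any gmem memslots already processed initialised. Either note in a comment that the caller is expected to tear the realm down on error, or say why the partial state is harmless. A short comment above the function explaining why the host sets the RIPAS for every gmem memslot at this point would also help, since the commit message only says the memory "must be set to RIPAS_RAM".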
>>> @@ -890,6 +922,10 @@ int kvm_activate_realm(struct kvm *kvm)
>>> return ret;
>>> }
>>>
>>> + ret = set_ripas_of_protected_regions(kvm);
>>> + if (ret)
>>> + return ret;
>>> +
>>> ret = rmi_realm_activate(virt_to_phys(realm->rd));
>>> if (ret)
>>> return -ENXIO;
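Review bot: the new call in kvm_activate_realm() returns ret from set_ripas_of_protected_regions() unchanged, while the rmi_realm_activate() failure directly below is mapped to -ENXIO, so the errno values userspace can see from activation are now wider. Please document which values are expected, and add a one-line comment stating whether the RIPAS setup has to precede rmi_realm_activate() so the ordering is not changed by accident later.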
>>
>> realm guest already does.
>> for_each_mem_range(i, &start, &end) {
>> if (rsi_set_memory_range_protected_safe(start, end)) {
>> panic("Failed to set memory range to protected: %pa-%pa",
>> &start, &end);
>> }
>> }
>>
>> If so, why is the host required to do this?
>
> Ideally this should be a call from the VMM (i.e., user). Irrespective of
> what the guest does (which the host has no knowledge about), the VMM/
> user is better aware of what to do for a given guest. We have done this
> implicitly in the KVM as a start, to keep the initial implementation
> simple. This could be moved out to the VMM as UABI, if there is
> sufficient demand for it.
>
> TL;DR: This should be a host/deployer decision, not the Guest. There
> may be other guest OSes, which do not do RIPAS_RAM early enough.
>
Are we suggesting that when the guest is running out of DRAM initialized
via rmi_rtt_data_map_init(), it may need to access memory outside that
range before it gets a chance to set the RIPAS as RAM?
Does that mean the guest now has to trust the host for that?
rmi_rtt_init_ripas() is not added to the measurement details, right?
-aneesh