[PATCH v14 27/44] arm64: RMI: Set RIPAS of initial memslots

Suzuki K Poulose suzuki.poulose at arm.com
Tue May 19 06:06:11 PDT 2026


On 19/05/2026 13:55, Aneesh Kumar K.V wrote:
> Suzuki K Poulose <suzuki.poulose at arm.com> writes:
> 
>> On 19/05/2026 11:02, Aneesh Kumar K.V wrote:
>>> Steven Price <steven.price at arm.com> writes:
>>>
>>>> The memory which the realm guest accesses must be set to RIPAS_RAM.
>>>> Iterate over the memslots and set all gmem memslots to RIPAS_RAM.
>>>>
>>>> Signed-off-by: Steven Price <steven.price at arm.com>
>>>> ---
>>>    
>>>    ...
>>>    
>>>> +static int set_ripas_of_protected_regions(struct kvm *kvm)
>>>> +{
>>>> +	struct kvm_memslots *slots;
>>>> +	struct kvm_memory_slot *memslot;
>>>> +	int idx, bkt;
>>>> +	int ret = 0;
>>>> +
>>>> +	idx = srcu_read_lock(&kvm->srcu);
>>>> +
>>>> +	slots = kvm_memslots(kvm);
>>>> +	kvm_for_each_memslot(memslot, bkt, slots) {
>>>> +		if (!kvm_slot_has_gmem(memslot))
>>>> +			continue;
>>>> +
>>>> +		ret = realm_init_ipa_state(kvm, memslot->base_gfn,
>>>> +					   memslot->npages);
>>>> +		if (ret)
>>>> +			break;
>>>> +	}
>>>> +	srcu_read_unlock(&kvm->srcu, idx);
>>>> +
>>>> +	return ret;
>>>> +}
>>>> +
>>>>    int kvm_arm_rmi_populate(struct kvm *kvm,
>>>>    			 struct kvm_arm_rmi_populate *args)
>>>>    {
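
Review bot: In the kvm_for_each_memslot() loop, the break on a failing realm_init_ipa_state() leaves every gmem memslot visited before it already initialised, and nothing in set_ripas_of_protected_regions() undoes that before ret is returned. If that partial state is harmless because activation is abandoned anyway, say so in a comment above the function; otherwise unwind the earlier slots. The same comment could record why the host initialises all gmem memslots up front rather than leaving it to the guest or the VMM.
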
>>>> @@ -890,6 +922,10 @@ int kvm_activate_realm(struct kvm *kvm)
>>>>    			return ret;
>>>>    	}
>>>>    
>>>> +	ret = set_ripas_of_protected_regions(kvm);
>>>> +	if (ret)
>>>> +		return ret;
>>>> +
>>>>    	ret = rmi_realm_activate(virt_to_phys(realm->rd));
>>>>    	if (ret)
>>>>    		return -ENXIO;
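
Review bot: The new call in kvm_activate_realm() returns ret from set_ripas_of_protected_regions() unchanged, while the rmi_realm_activate() failure directly below it is mapped to -ENXIO, so two adjacent steps report errors by different conventions. Consider documenting which errno values the new path can return, or mapping them consistently. It is also worth a comment on what happens when rmi_realm_activate() fails after the RIPAS has been initialised: the function returns -ENXIO with the memslot state left as set, so a later retry would run realm_init_ipa_state() over the same ranges again.
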
>>>
>>> realm guest already does.
>>> 	for_each_mem_range(i, &start, &end) {
>>> 		if (rsi_set_memory_range_protected_safe(start, end)) {
>>> 			panic("Failed to set memory range to protected: %pa-%pa",
>>> 			      &start, &end);
>>> 		}
>>> 	}
>>>
>>> If so, why is the host required to do this?
>>
>> Ideally this should be a call from the VMM (i.e., user). Irrespective of
>> what the guest does (which the host has no knowledge about), the VMM/
>> user is better aware of what to do for a given guest. We have done this
>> implicitly in the KVM as a start, to keep the initial implementation
>> simple. This could be moved out to the VMM as UABI, if there is
>> sufficient demand for it.
>>
>> TL;DR: This should be a host/deployer decision, not the Guest. There
>> may be other guest OSes, which do not do RIPAS_RAM early enough.
>>
> 
> Are we suggesting that when the guest is running out of DRAM initialized
> via rmi_rtt_data_map_init(), it may need to access memory outside that
> range before it gets a chance to set the RIPAS as RAM?

It may. This was one of the review comments we got when we published
the Linux Guest patches. In fact, this is in the Linux booting
requirements. See:

Documentation/arch/arm64/booting.rst: Section 1


> 
> Does that mean the guest now has to trust the host for that?

No, this has been the case. We added the code in Linux to convert memory
as a back stop. The worst that could happen is the Guest crashing, without
it having received any secrets from the Remote entity.

> rmi_rtt_init_ripas() is not added to the measurement details, right?

It is not (at least for now). It doesn't matter for security much.

Suzuki

> 
> -aneesh
