[PATCH v2 0/3] arm64: realm: Add support for encrypted data from firmware

Sami Mujawar Sami.Mujawar at arm.com
Tue Sep 16 08:35:52 PDT 2025 

For this series.

Tested-by: Sami Mujawar <sami.mujawar at arm.com>

Thanks.

Regards,

Sami Mujawar

From: Suzuki K Poulose <suzuki.poulose at arm.com>
Date: Monday, 8 September 2025 at 23:35
To: linux-arm-kernel at lists.infradead.org <linux-arm-kernel at lists.infradead.org>
Cc: linux-kernel at vger.kernel.org <linux-kernel at vger.kernel.org>, linux-coco at lists.linux.dev <linux-coco at lists.linux.dev>, Catalin Marinas <Catalin.Marinas at arm.com>, will at kernel.org <will at kernel.org>, gshan at redhat.com <gshan at redhat.com>, aneesh.kumar at kernel.org <aneesh.kumar at kernel.org>, Sami Mujawar <Sami.Mujawar at arm.com>, Sudeep Holla <Sudeep.Holla at arm.com>, Steven Price <Steven.Price at arm.com>, Suzuki Poulose <Suzuki.Poulose at arm.com>
Subject: [PATCH v2 0/3] arm64: realm: Add support for encrypted data from firmware
Confidential compute firmware may provide secret data via reserved memory regions
(e.g., ACPI CCEL, EFI Coco secret area). These must be ioremap'ed() as encrypted.
As of now, realm only maps "trusted devices" (RIPAS = RSI_RIPAS_DEV) as encrypted.
This series adds support for mapping areas that are protected
(i.e., RIPAS = RSI_RIPAS_RAM) as encrypted. Also, extrapolating that, we can map
anything that is not RIPAS_EMPTY as protected, as it is guaranteed to be "protected".

With this in place, we can naturally map any firmware provided area based on the
RIPAS value. If the firmware provides a shared region (not trusted), it must have
set the RIPAS accordingly, before placing the data, as the transition is always
destructive.

Confidential Compute Event Log is exposed as EFI_ACPI_MEMORY_NVS, which is
reserved for firmware use even after the firmware exits the boot services [0].
Thus map the region as READ only in the kernel.

[0] https://uefi.org/specs/UEFI/2.10/07_Services_Boot_Services.html#memory-type-usage-before-exitbootservices

Changes since v1: 
  https://lkml.kernel.org/r/20250613111153.1548928-1-suzuki.poulose@arm.com/
 - Collect tags
 - Map EFI_MEMORY_ACPI_NVS as READ-ONLY, update comment and commit description


Suzuki K Poulose (3):
  arm64: realm: ioremap: Allow mapping memory as encrypted
  arm64: Enable EFI secret area Securityfs support
  arm64: acpi: Enable ACPI CCEL support

 arch/arm64/include/asm/io.h          |  6 +++++-
 arch/arm64/include/asm/rsi.h         |  2 +-
 arch/arm64/kernel/acpi.c             | 11 +++++++++++
 arch/arm64/kernel/rsi.c              | 26 ++++++++++++++++++++++----
 drivers/virt/coco/efi_secret/Kconfig |  2 +-
 5 files changed, 40 insertions(+), 7 deletions(-)

-- 
2.43.0

More information about the linux-arm-kernel mailing list