Public bug reported:

[ Impact ]

ARM Confidential Compute Architecture (CCA) provides hardware-enforced
isolation for confidential virtual machines called "Realms" on ARM64
platforms. This patch series enables CCA support for NVIDIA Vera
platforms.

This series is based on the ARM KVM RME host support patches (v10),
rebased for the 6.17 kernel:
https://lore.kernel.org/linux-coco/[email protected]/

This series enables:
- KVM host support for creating and managing Realms via the Realm
  Management Extension (RME)
- MECID (Memory Encryption Context ID) for improved isolation between
  Realms
- Guest support for EFI secrets, ACPI CCEL, and encrypted memory mapping
- Required kernel configuration options (CONFIG_EFI_SECRET,
  CONFIG_ARM_CCA_GUEST)

[ Test Plan ]

Deploy and test on NVIDIA Vera platform with RMM firmware
Verify Realm guest VMs boot and run successfully

CCA testing requires specialized hardware and firmware. Testing
performed by NVIDIA CCA team.

[ Where problems could occur ]

Bugs in the KVM/RME integration could cause Realm guest failures or host
instability. Issues would be limited to CCA-enabled platforms running
Realm workloads.

[ Other Info ]

Patch summary:
43 patches for upstream v10 KVM/RME host support
3 upstream cherry-picks:
  arm64: realm: ioremap: Allow mapping memory as encrypted
  arm64: acpi: Enable ACPI CCEL support
  arm64: Enable EFI secret area Securityfs support
4 SAUCE patches:
  arm64: RME: Fix UBSAN shift-out-of-bounds in kvm_realm_unmap_range
  arm64: RME: Add MECID support
  arm64: RME: Add bounds check
  [Config] Update ARM CCA annotations

** Affects: linux-nvidia-6.17 (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  [Impact]
  ARM Confidential Compute Architecture (CCA) provides hardware-enforced
  isolation for confidential virtual machines called "Realms" on ARM64
- platforms. Without this patch series, NVIDIA Vera platforms cannot run
- confidential workloads in Realms.
+ platforms. This patch series enables CCA support for NVIDIA Vera
+ platforms.
  
  This series is based on the ARM KVM RME host support patches (v10),
  rebased for the 6.17 kernel:
  https://lore.kernel.org/linux-coco/[email protected]/
  
  This series enables:
- -KVM host support for creating and managing Realms via the Realm Management Extension (RME)
- -MECID (Memory Encryption Context ID) for improved isolation between Realms
- -Guest support for EFI secrets, ACPI CCEL, and encrypted memory mapping
- -Required kernel configuration options (CONFIG_EFI_SECRET, CONFIG_ARM_CCA_GUEST)
- 
+ -KVM host support for creating and managing Realms via the Realm Management Extension (RME)
+ -MECID (Memory Encryption Context ID) for improved isolation between Realms
+ -Guest support for EFI secrets, ACPI CCEL, and encrypted memory mapping
+ -Required kernel configuration options (CONFIG_EFI_SECRET, CONFIG_ARM_CCA_GUEST)
  
  [ Test Plan ]
  Deploy and test on NVIDIA Vera platform with RMM firmware
  Verify Realm guest VMs boot and run successfully
  
  CCA testing requires specialized hardware and firmware. Testing
  performed by NVIDIA CCA team.
- 
  [ Where problems could occur ]
  Bugs in the KVM/RME integration could cause Realm guest failures or host
  instability. Issues would be limited to CCA-enabled platforms running
  Realm workloads.
- 
  [ Other Info ]
  Patch summary:
  43 patches for KVM/RME host support (from v10 upstream series)
  3 upstream cherry-picks (ioremap, ACPI CCEL, EFI secret)
  4 SAUCE patches (MECID support, bounds check, UBSAN fix, config annotations)

** Description changed:

  [Impact]
  ARM Confidential Compute Architecture (CCA) provides hardware-enforced
  isolation for confidential virtual machines called "Realms" on ARM64
  platforms. This patch series enables CCA support for NVIDIA Vera
  platforms.
  
  This series is based on the ARM KVM RME host support patches (v10),
  rebased for the 6.17 kernel:
  https://lore.kernel.org/linux-coco/[email protected]/
  
  This series enables:
  -KVM host support for creating and managing Realms via the Realm Management Extension (RME)
  -MECID (Memory Encryption Context ID) for improved isolation between Realms
  -Guest support for EFI secrets, ACPI CCEL, and encrypted memory mapping
  -Required kernel configuration options (CONFIG_EFI_SECRET, CONFIG_ARM_CCA_GUEST)
  
  [ Test Plan ]
  Deploy and test on NVIDIA Vera platform with RMM firmware
  Verify Realm guest VMs boot and run successfully
  
  CCA testing requires specialized hardware and firmware. Testing
  performed by NVIDIA CCA team.
  
  [ Where problems could occur ]
  Bugs in the KVM/RME integration could cause Realm guest failures or host
  instability. Issues would be limited to CCA-enabled platforms running
  Realm workloads.
  
  [ Other Info ]
  Patch summary:
- 43 patches for KVM/RME host support (from v10 upstream series)
- 3 upstream cherry-picks (ioremap, ACPI CCEL, EFI secret)
- 4 SAUCE patches (MECID support, bounds check, UBSAN fix, config annotations)
+ 43 patches for upstream v10 KVM/RME host support
+ 3 upstream cherry-picks:
+ arm64: realm: ioremap: Allow mapping memory as encrypted
+ arm64: acpi: Enable ACPI CCEL support
+ arm64: Enable EFI secret area Securityfs support
+ 4 SAUCE patches:
+ arm64: RME: Fix UBSAN shift-out-of-bounds in kvm_realm_unmap_range
+ arm64: RME: Add MECID support
+ arm64: RME: Add bounds check
+ [Config] Update ARM CCA annotations

** Description changed:

- [Impact]
+ [ Impact ]
  ARM Confidential Compute Architecture (CCA) provides hardware-enforced
  isolation for confidential virtual machines called "Realms" on ARM64
  platforms. This patch series enables CCA support for NVIDIA Vera
  platforms.
  
  This series is based on the ARM KVM RME host support patches (v10),
  rebased for the 6.17 kernel:
  https://lore.kernel.org/linux-coco/[email protected]/
  
  This series enables:
  -KVM host support for creating and managing Realms via the Realm Management Extension (RME)
  -MECID (Memory Encryption Context ID) for improved isolation between Realms
  -Guest support for EFI secrets, ACPI CCEL, and encrypted memory mapping
  -Required kernel configuration options (CONFIG_EFI_SECRET, CONFIG_ARM_CCA_GUEST)
  
  [ Test Plan ]
  Deploy and test on NVIDIA Vera platform with RMM firmware
  Verify Realm guest VMs boot and run successfully
  
  CCA testing requires specialized hardware and firmware. Testing
  performed by NVIDIA CCA team.
  
  [ Where problems could occur ]
  Bugs in the KVM/RME integration could cause Realm guest failures or host
  instability. Issues would be limited to CCA-enabled platforms running
  Realm workloads.
  
  [ Other Info ]
  Patch summary:
  43 patches for upstream v10 KVM/RME host support
  3 upstream cherry-picks:
- arm64: realm: ioremap: Allow mapping memory as encrypted
- arm64: acpi: Enable ACPI CCEL support
- arm64: Enable EFI secret area Securityfs support
+   arm64: realm: ioremap: Allow mapping memory as encrypted
+   arm64: acpi: Enable ACPI CCEL support
+   arm64: Enable EFI secret area Securityfs support
  4 SAUCE patches:
- arm64: RME: Fix UBSAN shift-out-of-bounds in kvm_realm_unmap_range
- arm64: RME: Add MECID support
- arm64: RME: Add bounds check
- [Config] Update ARM CCA annotations
+   arm64: RME: Fix UBSAN shift-out-of-bounds in kvm_realm_unmap_range
+   arm64: RME: Add MECID support
+   arm64: RME: Add bounds check
+   [Config] Update ARM CCA annotations

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2139249

Title:
  Add ARM CCA host support

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-nvidia-6.17/+bug/2139249/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
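The report's test plan stops at "verify Realm guest VMs boot"; a practitioner will also want to confirm that a guest kernel actually carries the two options the series requires. The helper below is an added example, not part of the Launchpad report or the patch series: it checks a kernel .config-style file for CONFIG_ARM_CCA_GUEST and CONFIG_EFI_SECRET, and probes two sysfs locations that are assumptions on my part (the efi_secret driver's securityfs area and the ACPI table export for CCEL), not paths taken from the report.

```shell
#!/bin/sh
# Added verification helper (not from the bug report or the patch series).
# Checks a kernel config for the options the report names as required for
# CCA guests, then probes where those features surface at runtime.

REQUIRED_CFG="CONFIG_ARM_CCA_GUEST CONFIG_EFI_SECRET"

# cca_config_missing FILE: print each required option not set to y or m.
# Returns 1 if anything is missing, 0 when all are enabled.
cca_config_missing() {
    _rc=0
    for _opt in $REQUIRED_CFG; do
        if ! grep -Eq "^${_opt}=(y|m)$" "$1"; then
            echo "$_opt"
            _rc=1
        fi
    done
    return $_rc
}

# cca_config_ok FILE: 0 when every required option is enabled.
cca_config_ok() {
    cca_config_missing "$1" >/dev/null
}

# cca_runtime_probe: report the guest-visible artefacts of the enabled
# features. Paths are assumptions: securityfs secrets/coco (efi_secret
# driver) and the ACPI CCEL table as exported under /sys/firmware.
# Returns 0 if at least one of them is present.
cca_runtime_probe() {
    _found=0
    for _p in /sys/kernel/security/secrets/coco /sys/firmware/acpi/tables/CCEL; do
        if [ -e "$_p" ]; then echo "present: $_p"; _found=1; else echo "absent:  $_p"; fi
    done
    [ "$_found" -eq 1 ]
}

# Constructed sample configs so the check runs offline. On a real guest,
# feed it `zcat /proc/config.gz` or /boot/config-$(uname -r) instead.
CCA_TMP=$(mktemp -d)
printf 'CONFIG_ARM_CCA_GUEST=y\nCONFIG_EFI_SECRET=m\n' > "$CCA_TMP/good.config"
printf '# CONFIG_ARM_CCA_GUEST is not set\nCONFIG_EFI_SECRET=y\n' > "$CCA_TMP/bad.config"

for f in "$CCA_TMP/good.config" "$CCA_TMP/bad.config"; do
    if cca_config_ok "$f"; then
        echo "$f: all required CCA guest options enabled"
    else
        echo "$f: missing $(cca_config_missing "$f" | tr '\n' ' ')"
    fi
done
cca_runtime_probe || echo "no CCA guest artefacts visible on this machine"
```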
