** Description changed:

  [ Impact ]
  ARM Confidential Compute Architecture (CCA) provides hardware-enforced isolation for confidential virtual machines called "Realms" on ARM64 platforms. This patch series enables CCA support for NVIDIA Vera platforms.

  This series is based on the ARM KVM RME host support patches (v10), rebased for the 6.17 kernel:
  https://lore.kernel.org/linux-coco/[email protected]/

  This series enables:
  -KVM host support for creating and managing Realms via the Realm Management Extension (RME)
  -MECID (Memory Encryption Context ID) for improved isolation between Realms
  -Guest support for EFI secrets, ACPI CCEL, and encrypted memory mapping
  -Required kernel configuration options (CONFIG_EFI_SECRET, CONFIG_ARM_CCA_GUEST)

  [ Test Plan ]
  Deploy and test on NVIDIA Vera platform with RMM firmware
  Verify Realm guest VMs boot and run successfully
  CCA testing requires specialized hardware and firmware. Testing performed by NVIDIA CCA team.

  [ Where problems could occur ]
  Bugs in the KVM/RME integration could cause Realm guest failures or host instability. Issues would be limited to CCA-enabled platforms running Realm workloads.

  [ Other Info ]
  Patch summary:
- 43 patches for upstream v10 KVM/RME host support
+ 43 patches for upstream v10 KVM/RME host support - marked as SAUCE because not in upstream kernel yet.
  3 upstream cherry-picks:
  arm64: realm: ioremap: Allow mapping memory as encrypted
  arm64: acpi: Enable ACPI CCEL support
  arm64: Enable EFI secret area Securityfs support
  4 SAUCE patches:
  arm64: RME: Fix UBSAN shift-out-of-bounds in kvm_realm_unmap_range
  arm64: RME: Add MECID support
  arm64: RME: Add bounds check
  [Config] Update ARM CCA annotations

** Description changed:

  [ Impact ]
  ARM Confidential Compute Architecture (CCA) provides hardware-enforced isolation for confidential virtual machines called "Realms" on ARM64 platforms. This patch series enables CCA support for NVIDIA Vera platforms.

  This series is based on the ARM KVM RME host support patches (v10), rebased for the 6.17 kernel:
  https://lore.kernel.org/linux-coco/[email protected]/

  This series enables:
  -KVM host support for creating and managing Realms via the Realm Management Extension (RME)
  -MECID (Memory Encryption Context ID) for improved isolation between Realms
- -Guest support for EFI secrets, ACPI CCEL, and encrypted memory mapping
  -Required kernel configuration options (CONFIG_EFI_SECRET, CONFIG_ARM_CCA_GUEST)

  [ Test Plan ]
  Deploy and test on NVIDIA Vera platform with RMM firmware
  Verify Realm guest VMs boot and run successfully
  CCA testing requires specialized hardware and firmware. Testing performed by NVIDIA CCA team.

  [ Where problems could occur ]
  Bugs in the KVM/RME integration could cause Realm guest failures or host instability. Issues would be limited to CCA-enabled platforms running Realm workloads.

  [ Other Info ]
  Patch summary:
  43 patches for upstream v10 KVM/RME host support - marked as SAUCE because not in upstream kernel yet.
  3 upstream cherry-picks:
  arm64: realm: ioremap: Allow mapping memory as encrypted
  arm64: acpi: Enable ACPI CCEL support
  arm64: Enable EFI secret area Securityfs support
  4 SAUCE patches:
  arm64: RME: Fix UBSAN shift-out-of-bounds in kvm_realm_unmap_range
  arm64: RME: Add MECID support
  arm64: RME: Add bounds check
  [Config] Update ARM CCA annotations

** Description changed:

  [ Impact ]
  ARM Confidential Compute Architecture (CCA) provides hardware-enforced isolation for confidential virtual machines called "Realms" on ARM64 platforms. This patch series enables CCA support for NVIDIA Vera platforms.

  This series is based on the ARM KVM RME host support patches (v10), rebased for the 6.17 kernel:
  https://lore.kernel.org/linux-coco/[email protected]/

  This series enables:
  -KVM host support for creating and managing Realms via the Realm Management Extension (RME)
  -MECID (Memory Encryption Context ID) for improved isolation between Realms
- -Required kernel configuration options (CONFIG_EFI_SECRET, CONFIG_ARM_CCA_GUEST)
+ -Required CCA kernel configuration options

  [ Test Plan ]
  Deploy and test on NVIDIA Vera platform with RMM firmware
  Verify Realm guest VMs boot and run successfully
  CCA testing requires specialized hardware and firmware. Testing performed by NVIDIA CCA team.

  [ Where problems could occur ]
  Bugs in the KVM/RME integration could cause Realm guest failures or host instability. Issues would be limited to CCA-enabled platforms running Realm workloads.

  [ Other Info ]
  Patch summary:
  43 patches for upstream v10 KVM/RME host support - marked as SAUCE because not in upstream kernel yet.
  3 upstream cherry-picks:
  arm64: realm: ioremap: Allow mapping memory as encrypted
  arm64: acpi: Enable ACPI CCEL support
  arm64: Enable EFI secret area Securityfs support
  4 SAUCE patches:
  arm64: RME: Fix UBSAN shift-out-of-bounds in kvm_realm_unmap_range
  arm64: RME: Add MECID support
  arm64: RME: Add bounds check
  [Config] Update ARM CCA annotations

--
https://bugs.launchpad.net/bugs/2139249

Title:
  Add ARM CCA host support
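
Review bot: the "This series enables" list no longer matches the patch summary after these changes. The second change removes the "-Guest support for EFI secrets, ACPI CCEL, and encrypted memory mapping" bullet and the third drops the CONFIG_EFI_SECRET and CONFIG_ARM_CCA_GUEST names, yet [ Other Info ] still lists the three upstream cherry-picks for those guest features (encrypted ioremap, ACPI CCEL, EFI secret area). Either keep the bullet and the option names, or say in [ Other Info ] why guest-side patches remain in a bug titled "Add ARM CCA host support", so a reader can tell which options "[Config] Update ARM CCA annotations" changes.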
