€•£9Œsphinx.addnodes”Œdocument”“”)”}”(Œ rawsource”Œ”Œchildren”]”(Œ translations”Œ LanguagesNode”“”)”}”(hhh]”(hŒ pending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ refdomain”Œstd”Œreftype”Œdoc”Œ reftarget”Œ&/translations/zh_CN/arch/arm64/arm-cca”Œmodname”NŒ classname”NŒ refexplicit”ˆuŒtagname”hhh ubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ&/translations/zh_TW/arch/arm64/arm-cca”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ&/translations/it_IT/arch/arm64/arm-cca”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ&/translations/ja_JP/arch/arm64/arm-cca”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ&/translations/ko_KR/arch/arm64/arm-cca”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ&/translations/sp_SP/arch/arm64/arm-cca”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h hhŒ _document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ xml:space”Œpreserve”uh1h¡hhhžhhŸŒ@/var/lib/git/docbuild/linux/Documentation/arch/arm64/arm-cca.rst”h KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ%Arm Confidential Compute Architecture”h]”hŒ%Arm Confidential Compute Architecture”…””}”(hh»hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hh¶hžhhŸh³h KubhŒ paragraph”“”)”}”(hXzArm systems that support the Realm Management Extension (RME) contain hardware to allow a VM guest to be run in a way which protects the code and data of the guest from the hypervisor. It extends the older "two world" model (Normal and Secure World) into four worlds: Normal, Secure, Root and Realm. Linux can then also be run as a guest to a monitor running in the Realm world.”h]”hX~Arm systems that support the Realm Management Extension (RME) contain hardware to allow a VM guest to be run in a way which protects the code and data of the guest from the hypervisor. It extends the older “two world†model (Normal and Secure World) into four worlds: Normal, Secure, Root and Realm. Linux can then also be run as a guest to a monitor running in the Realm world.”…””}”(hhËhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khh¶hžhubhÊ)”}”(hX/The monitor running in the Realm world is known as the Realm Management Monitor (RMM) and implements the Realm Management Monitor specification[1]. The monitor acts a bit like a hypervisor (e.g. it runs in EL2 and manages the stage 2 page tables etc of the guests running in Realm world), however much of the control is handled by a hypervisor running in the Normal World. The Normal World hypervisor uses the Realm Management Interface (RMI) defined by the RMM specification to request the RMM to perform operations (e.g. mapping memory or executing a vCPU).”h]”hX/The monitor running in the Realm world is known as the Realm Management Monitor (RMM) and implements the Realm Management Monitor specification[1]. The monitor acts a bit like a hypervisor (e.g. it runs in EL2 and manages the stage 2 page tables etc of the guests running in Realm world), however much of the control is handled by a hypervisor running in the Normal World. The Normal World hypervisor uses the Realm Management Interface (RMI) defined by the RMM specification to request the RMM to perform operations (e.g. mapping memory or executing a vCPU).”…””}”(hhÙhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khh¶hžhubhÊ)”}”(hX The RMM defines an environment for guests where the address space (IPA) is split into two. The lower half is protected - any memory that is mapped in this half cannot be seen by the Normal World and the RMM restricts what operations the Normal World can perform on this memory (e.g. the Normal World cannot replace pages in this region without the guest's cooperation). The upper half is shared, the Normal World is free to make changes to the pages in this region, and is able to emulate MMIO devices in this region too.”h]”hX The RMM defines an environment for guests where the address space (IPA) is split into two. The lower half is protected - any memory that is mapped in this half cannot be seen by the Normal World and the RMM restricts what operations the Normal World can perform on this memory (e.g. the Normal World cannot replace pages in this region without the guest’s cooperation). The upper half is shared, the Normal World is free to make changes to the pages in this region, and is able to emulate MMIO devices in this region too.”…””}”(hhçhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khh¶hžhubhÊ)”}”(hXBA guest running in a Realm may also communicate with the RMM using the Realm Services Interface (RSI) to request changes in its environment or to perform attestation about its environment. In particular it may request that areas of the protected address space are transitioned between 'RAM' and 'EMPTY' (in either direction). This allows a Realm guest to give up memory to be returned to the Normal World, or to request new memory from the Normal World. Without an explicit request from the Realm guest the RMM will otherwise prevent the Normal World from making these changes.”h]”hXJA guest running in a Realm may also communicate with the RMM using the Realm Services Interface (RSI) to request changes in its environment or to perform attestation about its environment. In particular it may request that areas of the protected address space are transitioned between ‘RAM’ and ‘EMPTY’ (in either direction). This allows a Realm guest to give up memory to be returned to the Normal World, or to request new memory from the Normal World. Without an explicit request from the Realm guest the RMM will otherwise prevent the Normal World from making these changes.”…””}”(hhõhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K hh¶hžhubhµ)”}”(hhh]”(hº)”}”(hŒLinux as a Realm Guest”h]”hŒLinux as a Realm Guest”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjhžhhŸh³h K+ubhÊ)”}”(hŒTo run Linux as a guest within a Realm, the following must be provided either by the VMM or by a `boot loader` run in the Realm before Linux:”h]”(hŒaTo run Linux as a guest within a Realm, the following must be provided either by the VMM or by a ”…””}”(hjhžhhŸNh NubhŒtitle_reference”“”)”}”(hŒ `boot loader`”h]”hŒ boot loader”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjubhŒ run in the Realm before Linux:”…””}”(hjhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K-hjhžhubhŒ block_quote”“”)”}”(hXÅ* All protected RAM described to Linux (by DT or ACPI) must be marked RIPAS RAM before handing control over to Linux. * MMIO devices must be either unprotected (e.g. emulated by the Normal World) or marked RIPAS DEV. * MMIO devices emulated by the Normal World and used very early in boot (specifically earlycon) must be specified in the upper half of IPA. For earlycon this can be done by specifying the address on the command line, e.g. with an IPA size of 33 bits and the base address of the emulated UART at 0x1000000: ``earlycon=uart,mmio,0x101000000`` * Linux will use bounce buffers for communicating with unprotected devices. It will transition some protected memory to RIPAS EMPTY and expect to be able to access unprotected pages at the same IPA address but with the highest valid IPA bit set. The expectation is that the VMM will remove the physical pages from the protected mapping and provide those pages as unprotected pages. ”h]”hŒ bullet_list”“”)”}”(hhh]”(hŒ list_item”“”)”}”(hŒtAll protected RAM described to Linux (by DT or ACPI) must be marked RIPAS RAM before handing control over to Linux. ”h]”hÊ)”}”(hŒsAll protected RAM described to Linux (by DT or ACPI) must be marked RIPAS RAM before handing control over to Linux.”h]”hŒsAll protected RAM described to Linux (by DT or ACPI) must be marked RIPAS RAM before handing control over to Linux.”…””}”(hjGhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K0hjCubah}”(h]”h ]”h"]”h$]”h&]”uh1jAhj>ubjB)”}”(hŒaMMIO devices must be either unprotected (e.g. emulated by the Normal World) or marked RIPAS DEV. ”h]”hÊ)”}”(hŒ`MMIO devices must be either unprotected (e.g. emulated by the Normal World) or marked RIPAS DEV.”h]”hŒ`MMIO devices must be either unprotected (e.g. emulated by the Normal World) or marked RIPAS DEV.”…””}”(hj_hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K3hj[ubah}”(h]”h ]”h"]”h$]”h&]”uh1jAhj>ubjB)”}”(hXSMMIO devices emulated by the Normal World and used very early in boot (specifically earlycon) must be specified in the upper half of IPA. For earlycon this can be done by specifying the address on the command line, e.g. with an IPA size of 33 bits and the base address of the emulated UART at 0x1000000: ``earlycon=uart,mmio,0x101000000`` ”h]”hÊ)”}”(hXRMMIO devices emulated by the Normal World and used very early in boot (specifically earlycon) must be specified in the upper half of IPA. For earlycon this can be done by specifying the address on the command line, e.g. with an IPA size of 33 bits and the base address of the emulated UART at 0x1000000: ``earlycon=uart,mmio,0x101000000``”h]”(hX0MMIO devices emulated by the Normal World and used very early in boot (specifically earlycon) must be specified in the upper half of IPA. For earlycon this can be done by specifying the address on the command line, e.g. with an IPA size of 33 bits and the base address of the emulated UART at 0x1000000: ”…””}”(hjwhžhhŸNh NubhŒliteral”“”)”}”(hŒ"``earlycon=uart,mmio,0x101000000``”h]”hŒearlycon=uart,mmio,0x101000000”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjwubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K6hjsubah}”(h]”h ]”h"]”h$]”h&]”uh1jAhj>ubjB)”}”(hX|Linux will use bounce buffers for communicating with unprotected devices. It will transition some protected memory to RIPAS EMPTY and expect to be able to access unprotected pages at the same IPA address but with the highest valid IPA bit set. The expectation is that the VMM will remove the physical pages from the protected mapping and provide those pages as unprotected pages. ”h]”hÊ)”}”(hX{Linux will use bounce buffers for communicating with unprotected devices. It will transition some protected memory to RIPAS EMPTY and expect to be able to access unprotected pages at the same IPA address but with the highest valid IPA bit set. The expectation is that the VMM will remove the physical pages from the protected mapping and provide those pages as unprotected pages.”h]”hX{Linux will use bounce buffers for communicating with unprotected devices. It will transition some protected memory to RIPAS EMPTY and expect to be able to access unprotected pages at the same IPA address but with the highest valid IPA bit set. The expectation is that the VMM will remove the physical pages from the protected mapping and provide those pages as unprotected pages.”…””}”(hjŸhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ*”uh1j<hŸh³h K0hj8ubah}”(h]”h ]”h"]”h$]”h&]”uh1j6hŸh³h K0hjhžhubeh}”(h]”Œlinux-as-a-realm-guest”ah ]”h"]”Œlinux as a realm guest”ah$]”h&]”uh1h´hh¶hžhhŸh³h K+ubhµ)”}”(hhh]”(hº)”}”(hŒ References”h]”hŒ References”…””}”(hjÌhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjÉhžhhŸh³h KDubhÊ)”}”(hŒ4[1] https://developer.arm.com/documentation/den0137/”h]”(hŒ[1] ”…””}”(hjÚhžhhŸNh NubhŒ reference”“”)”}”(hŒ0https://developer.arm.com/documentation/den0137/”h]”hŒ0https://developer.arm.com/documentation/den0137/”…””}”(hjähžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”jæuh1jâhjÚubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KEhjÉhžhubeh}”(h]”Œ references”ah ]”h"]”Œ references”ah$]”h&]”uh1h´hh¶hžhhŸh³h KDubeh}”(h]”Œ%arm-confidential-compute-architecture”ah ]”h"]”Œ%arm confidential compute architecture”ah$]”h&]”uh1h´hhhžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒ current_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(h¹NŒ generator”NŒ datestamp”NŒ source_link”NŒ source_url”NŒ toc_backlinks”Œentry”Œfootnote_backlinks”KŒ sectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒ strip_classes”NŒ report_level”KŒ halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ traceback”ˆŒinput_encoding”Œ utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j,Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œ language_code”Œen”Œrecord_dependencies”NŒconfig”NŒ id_prefix”hŒauto_id_prefix”Œid”Œ dump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ _destination”NŒ _config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒ raw_enabled”KŒline_length_limit”M'Œpep_references”NŒ pep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒ rfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œ smart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œ docinfo_xform”KŒsectsubtitle_xform”‰Œ image_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(jjjÆjÃjþjûuŒ nametypes”}”(j‰jƉjþ‰uh}”(jh¶jÃjjûjÉuŒ footnote_refs”}”Œ citation_refs”}”Œ autofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ footnotes”]”Œ citations”]”Œautofootnote_start”KŒsymbol_footnote_start”KŒ id_counter”Œ collections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œ transformer”NŒ include_log”]”Œ decoration”Nhžhub.