Re: [PATCH v14 29/44] arm64: RMI: Runtime faulting of memory

From: Lorenzo Pieralisi

Date: Fri Jun 05 2026 - 10:43:45 EST


On Fri, Jun 05, 2026 at 06:11:11PM +1000, Gavin Shan wrote:
> On 6/5/26 5:28 PM, Lorenzo Pieralisi wrote:
> > On Fri, Jun 05, 2026 at 04:23:15PM +1000, Gavin Shan wrote:
> >
> > [...]
> >
> > > > +static int realm_map_ipa(struct kvm *kvm, phys_addr_t ipa,
> > > > + kvm_pfn_t pfn, unsigned long map_size,
> > > > + enum kvm_pgtable_prot prot,
> > > > + struct kvm_mmu_memory_cache *memcache)
> > > > +{
> > > > + struct realm *realm = &kvm->arch.realm;
> > > > +
> > > > + /*
> > > > + * Write permission is required for now even though it's possible to
> > > > + * map unprotected pages (granules) as read-only. It's impossible to
> > > > + * map protected pages (granules) as read-only.
> > > > + */
> > > > + if (WARN_ON(!(prot & KVM_PGTABLE_PROT_W)))
> > > > + return -EFAULT;
> > > > +
> > >
> > > I'm a bit concerned with this. We don't have KVM_PGTABLE_PROT_W set in @prot
> > > if the stage2 fault is raised due to memory read. With -EFAULT returned to VMM
> > > (e.g. QEMU), the vCPU's execution is stopped and the system won't be
> > > working any more.
> > >
> > > > + ipa = ALIGN_DOWN(ipa, PAGE_SIZE);
> > > > + if (!kvm_realm_is_private_address(realm, ipa))
> > > > + return realm_map_non_secure(realm, ipa, pfn, map_size, prot,
> > > > + memcache);
> > > > +
> > > > + return realm_map_protected(kvm, ipa, pfn, map_size, memcache);
> > > > +}
> > > > +
> > > > static bool kvm_vma_is_cacheable(struct vm_area_struct *vma)
> > > > {
> > > > switch (FIELD_GET(PTE_ATTRINDX_MASK, pgprot_val(vma->vm_page_prot))) {
> > > > @@ -1604,27 +1641,52 @@ static int gmem_abort(const struct kvm_s2_fault_desc *s2fd)
> > > > bool write_fault, exec_fault;
> > > > enum kvm_pgtable_walk_flags flags = KVM_PGTABLE_WALK_SHARED;
> > > > enum kvm_pgtable_prot prot = KVM_PGTABLE_PROT_R;
> > > > - struct kvm_pgtable *pgt = s2fd->vcpu->arch.hw_mmu->pgt;
> > > > + struct kvm_vcpu *vcpu = s2fd->vcpu;
> > > > + struct kvm_pgtable *pgt = vcpu->arch.hw_mmu->pgt;
> > > > + gpa_t gpa = kvm_gpa_from_fault(vcpu->kvm, s2fd->fault_ipa);
> > > > unsigned long mmu_seq;
> > > > struct page *page;
> > > > - struct kvm *kvm = s2fd->vcpu->kvm;
> > > > + struct kvm *kvm = vcpu->kvm;
> > > > void *memcache;
> > > > kvm_pfn_t pfn;
> > > > gfn_t gfn;
> > > > int ret;
> > > > - memcache = get_mmu_memcache(s2fd->vcpu);
> > > > - ret = topup_mmu_memcache(s2fd->vcpu, memcache);
> > > > + if (kvm_is_realm(vcpu->kvm)) {
> > > > + /* check for memory attribute mismatch */
> > > > + bool is_priv_gfn = kvm_mem_is_private(kvm, gpa >> PAGE_SHIFT);
> > > > + /*
> > > > + * For Realms, the shared address is an alias of the private
> > > > + * PA with the top bit set. Thus if the fault address matches
> > > > + * the GPA then it is the private alias.
> > > > + */
> > > > + bool is_priv_fault = (gpa == s2fd->fault_ipa);
> > > > +
> > > > + if (is_priv_gfn != is_priv_fault) {
> > > > + kvm_prepare_memory_fault_exit(vcpu, gpa, PAGE_SIZE,
> > > > + kvm_is_write_fault(vcpu),
> > > > + false,
> > > > + is_priv_fault);
> > > > + /*
> > > > + * KVM_EXIT_MEMORY_FAULT requires an return code of
> > > > + * -EFAULT, see the API documentation
> > > > + */
> > > > + return -EFAULT;
> > > > + }
> > > > + }
> > > > +
> > > > + memcache = get_mmu_memcache(vcpu);
> > > > + ret = topup_mmu_memcache(vcpu, memcache);
> > > > if (ret)
> > > > return ret;
> > > > if (s2fd->nested)
> > > > gfn = kvm_s2_trans_output(s2fd->nested) >> PAGE_SHIFT;
> > > > else
> > > > - gfn = s2fd->fault_ipa >> PAGE_SHIFT;
> > > > + gfn = gpa >> PAGE_SHIFT;
> > > > - write_fault = kvm_is_write_fault(s2fd->vcpu);
> > > > - exec_fault = kvm_vcpu_trap_is_exec_fault(s2fd->vcpu);
> > > > + write_fault = kvm_is_write_fault(vcpu);
> > > > + exec_fault = kvm_vcpu_trap_is_exec_fault(vcpu);
> > > > VM_WARN_ON_ONCE(write_fault && exec_fault);
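Review bot: The memory-fault exit raised on an attribute mismatch passes a literal `false` for the exec flag, while the other kvm_prepare_memory_fault_exit() call in this function (the `@@ -1634` hunk) passes the real `exec_fault`; because `write_fault` and `exec_fault` are only computed after the realm block, an instruction-fetch fault that hits the mismatch path is reported to userspace as a plain read. Hoisting `write_fault = kvm_is_write_fault(vcpu); exec_fault = kvm_vcpu_trap_is_exec_fault(vcpu);` above the `kvm_is_realm()` check and calling `kvm_prepare_memory_fault_exit(vcpu, gpa, PAGE_SIZE, write_fault, exec_fault, is_priv_fault);` keeps both exits consistent. The block also tests `kvm_is_realm(vcpu->kvm)` although the local `kvm` is already initialised above it, and the comment should read `a return code of -EFAULT` rather than `an return code`.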
> > > > @@ -1634,7 +1696,7 @@ static int gmem_abort(const struct kvm_s2_fault_desc *s2fd)
> > > > ret = kvm_gmem_get_pfn(kvm, s2fd->memslot, gfn, &pfn, &page, NULL);
> > > > if (ret) {
> > > > - kvm_prepare_memory_fault_exit(s2fd->vcpu, s2fd->fault_ipa, PAGE_SIZE,
> > > > + kvm_prepare_memory_fault_exit(vcpu, gpa, PAGE_SIZE,
> > > > write_fault, exec_fault, false);
> > > > return ret;
> > > > }
> > > > @@ -1654,14 +1716,20 @@ static int gmem_abort(const struct kvm_s2_fault_desc *s2fd)
> > > > kvm_fault_lock(kvm);
> > > > if (mmu_invalidate_retry(kvm, mmu_seq)) {
> > > > ret = -EAGAIN;
> > > > - goto out_unlock;
> > > > + goto out_release_page;
> > > > + }
> > > > +
> > > > + if (kvm_is_realm(kvm)) {
> > > > + ret = realm_map_ipa(kvm, s2fd->fault_ipa, pfn,
> > > > + PAGE_SIZE, KVM_PGTABLE_PROT_R | KVM_PGTABLE_PROT_W, memcache);
> > > > + goto out_release_page;
> > > > }
> > > > ret = KVM_PGT_FN(kvm_pgtable_stage2_map)(pgt, s2fd->fault_ipa, PAGE_SIZE,
> > > > __pfn_to_phys(pfn), prot,
> > > > memcache, flags);
> > > > -out_unlock:
> > > > +out_release_page:
> > > > kvm_release_faultin_page(kvm, page, !!ret, prot & KVM_PGTABLE_PROT_W);
> > > > kvm_fault_unlock(kvm);
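Review bot: The realm branch maps the page with KVM_PGTABLE_PROT_W hard-coded, but the dirty argument handed to kvm_release_faultin_page() two lines below is still derived from the local `prot` (`prot & KVM_PGTABLE_PROT_W`); if `prot` is only widened with W on write faults (that code lies between the previous hunk and this one, outside what is shown), a read fault on a realm ends up with a writable stage-2 mapping whose backing page is released as clean. Either widen `prot` first, `prot |= KVM_PGTABLE_PROT_W;` followed by `ret = realm_map_ipa(kvm, s2fd->fault_ipa, pfn, PAGE_SIZE, prot, memcache);`, or add a comment explaining why the release path may treat the page as clean. The surrounding gmem_abort() body continues outside this hunk.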
> > > > @@ -1847,7 +1915,7 @@ static int kvm_s2_fault_get_vma_info(const struct kvm_s2_fault_desc *s2fd,
> > > > * mapping size to ensure we find the right PFN and lay down the
> > > > * mapping in the right place.
> > > > */
> > > > - s2vi->gfn = ALIGN_DOWN(s2fd->fault_ipa, s2vi->vma_pagesize) >> PAGE_SHIFT;
> > > > + s2vi->gfn = kvm_gpa_from_fault(kvm, ALIGN_DOWN(s2fd->fault_ipa, s2vi->vma_pagesize)) >> PAGE_SHIFT;
> > > > s2vi->mte_allowed = kvm_vma_mte_allowed(vma);
> > > > @@ -2056,6 +2124,9 @@ static int kvm_s2_fault_map(const struct kvm_s2_fault_desc *s2fd,
> > > > prot &= ~KVM_NV_GUEST_MAP_SZ;
> > > > ret = KVM_PGT_FN(kvm_pgtable_stage2_relax_perms)(pgt, gfn_to_gpa(gfn),
> > > > prot, flags);
> > > > + } else if (kvm_is_realm(kvm)) {
> > > > + ret = realm_map_ipa(kvm, s2fd->fault_ipa, pfn, mapping_size,
> > > > + prot, memcache);
> > > > } else {
> > > > ret = KVM_PGT_FN(kvm_pgtable_stage2_map)(pgt, gfn_to_gpa(gfn), mapping_size,
> > > > __pfn_to_phys(pfn), prot,
> > >
> > > For the kvm_is_realm() case, do we need to adjust 's2fd->fault_ipa' for the sake of
> > > huge pages? In kvm_s2_fault_map(), @gfn and @pfn may have been adjusted by
> > > transparent_hugepage_adjust() to be aligned with the huge page size. If the
> > > adjustment happened in transparent_hugepage_adjust(), we need to align
> > > s2fd->fault_ipa down to the huge page size as well.
> >
> > All of the above + some RMM changes are needed to get the QEMU VMM going
> > with anon pages as guest memory backing - currently testing various
> > configurations in the background.
> >
>
> I tried to rebase Jean's latest QEMU series [1] to upstream QEMU, and found
> that memory slots backed by THP are broken. With THP disabled on the host and
> other fixes (mentioned in my previous replies) applied on top of this (v14)
> series, I'm able to boot a realm guest with the rebased QEMU series [2], plus more
> fixes on top.
>
> [1] https://git.codelinaro.org/linaro/dcap/qemu.git (branch: cca/latest)
> [2] https://git.qemu.org/git/qemu.git (branch: cca/gavin)
>
> Lorenzo, you may be saying that there is someone working on making QEMU support ARM/CCA?

Mathieu and I are working on that yes and with Steven/Suzuki to fix the THP
issues you pointed out above.

> If so, I'm not sure if there is a QEMU repository for me to try?

We should be able to submit patches by end of June - we shall let you know
whether we can make something available earlier.

Thanks,
Lorenzo

>
> Thanks,
> Gavin
>
> > Thanks,
> > Lorenzo
> >
> > > > @@ -2214,6 +2285,13 @@ int kvm_handle_guest_sea(struct kvm_vcpu *vcpu)
> > > > return 0;
> > > > }
> > > > +static bool shared_ipa_fault(struct kvm *kvm, phys_addr_t fault_ipa)
> > > > +{
> > > > + gpa_t gpa = kvm_gpa_from_fault(kvm, fault_ipa);
> > > > +
> > > > + return (gpa != fault_ipa);
> > > > +}
> > > > +
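Review bot: shared_ipa_fault() carries no comment saying what a "shared" fault is, and the only way it detects one is that kvm_gpa_from_fault() changed the address, which sends the reader off to that helper. A one-line comment above the function would do, e.g. `/* True when @fault_ipa is the unprotected (shared) alias of a GPA, i.e. kvm_gpa_from_fault() had to strip the alias bit. */`. The parentheses in `return (gpa != fault_ipa);` are redundant by kernel style.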
> > > > /**
> > > > * kvm_handle_guest_abort - handles all 2nd stage aborts
> > > > * @vcpu: the VCPU pointer
> > > > @@ -2324,8 +2402,9 @@ int kvm_handle_guest_abort(struct kvm_vcpu *vcpu)
> > > > nested = &nested_trans;
> > > > }
> > > > - gfn = ipa >> PAGE_SHIFT;
> > > > + gfn = kvm_gpa_from_fault(vcpu->kvm, ipa) >> PAGE_SHIFT;
> > > > memslot = gfn_to_memslot(vcpu->kvm, gfn);
> > > > +
> > > > hva = gfn_to_hva_memslot_prot(memslot, gfn, &writable);
> > > > write_fault = kvm_is_write_fault(vcpu);
> > > > if (kvm_is_error_hva(hva) || (write_fault && !writable)) {
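Review bot: The blank line added between `memslot = gfn_to_memslot(vcpu->kvm, gfn);` and the `hva = gfn_to_hva_memslot_prot(...)` call is unrelated whitespace churn in a hunk whose real change is deriving `gfn` from the alias-stripped GPA; drop it so the diff stays focused on that. The gfn change itself is what makes the memslot lookup work for the shared alias, so it may deserve a short comment there rather than in the commit message alone.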
> > > > @@ -2368,7 +2447,7 @@ int kvm_handle_guest_abort(struct kvm_vcpu *vcpu)
> > > > * of the page size.
> > > > */
> > > > ipa |= FAR_TO_FIPA_OFFSET(kvm_vcpu_get_hfar(vcpu));
> > > > - ret = io_mem_abort(vcpu, ipa);
> > > > + ret = io_mem_abort(vcpu, kvm_gpa_from_fault(vcpu->kvm, ipa));
> > > > goto out_unlock;
> > > > }
> > > > @@ -2396,7 +2475,7 @@ int kvm_handle_guest_abort(struct kvm_vcpu *vcpu)
> > > > !write_fault &&
> > > > !kvm_vcpu_trap_is_exec_fault(vcpu));
> > > > - if (kvm_slot_has_gmem(memslot))
> > > > + if (kvm_slot_has_gmem(memslot) && !shared_ipa_fault(vcpu->kvm, fault_ipa))
> > > > ret = gmem_abort(&s2fd);
> > > > else
> > > > ret = user_mem_abort(&s2fd);
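Review bot: The new `!shared_ipa_fault()` condition routes shared-alias faults on a guest_memfd slot to user_mem_abort() without saying why, and the reason is not obvious because the memslot was looked up with the alias already stripped. A comment such as `/* The shared alias of a realm page is never backed by guest_memfd; fault it in through the userspace mapping instead. */` would record the intent. It is also worth confirming that for a gmem-only memslot (now permitted for realms by the kvm_arch_prepare_memory_region hunk) user_mem_abort() has a usable hva for the shared alias, since the `kvm_is_error_hva(hva)` check earlier in kvm_handle_guest_abort runs before this point and the outcome for that slot type is not visible here.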
> > > > @@ -2433,6 +2512,10 @@ bool kvm_age_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
> > > > if (!kvm->arch.mmu.pgt || kvm_vm_is_protected(kvm))
> > > > return false;
> > > > + /* We don't support aging for Realms */
> > > > + if (kvm_is_realm(kvm))
> > > > + return true;
> > > > +
> > > > return KVM_PGT_FN(kvm_pgtable_stage2_test_clear_young)(kvm->arch.mmu.pgt,
> > > > range->start << PAGE_SHIFT,
> > > > size, true);
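Review bot: The comment `/* We don't support aging for Realms */` does not describe what the code does: returning `true` reports the range as young, which is a deliberate policy choice rather than an absence of support, and a reader might expect `false` from the comment alone. Spell out the intent, e.g. `/* Aging is not supported for Realms: report the range as young rather than claiming it is idle. */`. The same comment and early return appear in the kvm_test_age_gfn hunk that follows, so the wording should be fixed in both places.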
> > > > @@ -2449,6 +2532,10 @@ bool kvm_test_age_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
> > > > if (!kvm->arch.mmu.pgt || kvm_vm_is_protected(kvm))
> > > > return false;
> > > > + /* We don't support aging for Realms */
> > > > + if (kvm_is_realm(kvm))
> > > > + return true;
> > > > +
> > > > return KVM_PGT_FN(kvm_pgtable_stage2_test_clear_young)(kvm->arch.mmu.pgt,
> > > > range->start << PAGE_SHIFT,
> > > > size, false);
> > > > @@ -2628,10 +2715,11 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
> > > > return -EFAULT;
> > > > /*
> > > > - * Only support guest_memfd backed memslots with mappable memory, since
> > > > - * there aren't any CoCo VMs that support only private memory on arm64.
> > > > + * Only support guest_memfd backed memslots with mappable memory,
> > > > + * unless the guest is a CCA realm guest.
> > > > */
> > > > - if (kvm_slot_has_gmem(new) && !kvm_memslot_is_gmem_only(new))
> > > > + if (kvm_slot_has_gmem(new) && !kvm_memslot_is_gmem_only(new) &&
> > > > + !kvm_is_realm(kvm))
> > > > return -EINVAL;
> > > > hva = new->userspace_addr;
> > > > diff --git a/arch/arm64/kvm/rmi.c b/arch/arm64/kvm/rmi.c
> > > > index cae29fd3353c..761b38a4071c 100644
> > > > --- a/arch/arm64/kvm/rmi.c
> > > > +++ b/arch/arm64/kvm/rmi.c
> > > > @@ -597,6 +597,179 @@ static int realm_data_map_init(struct kvm *kvm, unsigned long ipa,
> > > > return ret;
> > > > }
> > > > +static unsigned long addr_range_desc(unsigned long phys, unsigned long size)
> > > > +{
> > > > + unsigned long out = 0;
> > > > +
> > > > + switch (size) {
> > > > + case P4D_SIZE:
> > > > + out = 3 | (1 << 2);
> > > > + break;
> > > > + case PUD_SIZE:
> > > > + out = 2 | (1 << 2);
> > > > + break;
> > > > + case PMD_SIZE:
> > > > + out = 1 | (1 << 2);
> > > > + break;
> > > > + case PAGE_SIZE:
> > > > + out = 0 | (1 << 2);
> > > > + break;
> > > > + default:
> > > > + /*
> > > > + * Only support mapping at the page level granulatity when
> > > > + * it's an unusual length. This should get us back onto a larger
> > > > + * block size for the subsequent mappings.
> > > > + */
> > > > + out = 0 | ((MIN(size >> PAGE_SHIFT, PTRS_PER_PTE - 1)) << 2);
> > > > + break;
> > > > + }
> > > > +
> > > > + WARN_ON(phys & ~PAGE_MASK);
> > > > +
> > > > + out |= phys & PAGE_MASK;
> > > > +
> > > > + return out;
> > > > +}
> > > > +
> > > > +int realm_map_protected(struct kvm *kvm,
> > > > + unsigned long ipa,
> > > > + kvm_pfn_t pfn,
> > > > + unsigned long map_size,
> > > > + struct kvm_mmu_memory_cache *memcache)
> > > > +{
> > > > + struct realm *realm = &kvm->arch.realm;
> > > > + phys_addr_t phys = __pfn_to_phys(pfn);
> > > > + phys_addr_t base_phys = phys;
> > > > + phys_addr_t rd = virt_to_phys(realm->rd);
> > > > + unsigned long base_ipa = ipa;
> > > > + unsigned long ipa_top = ipa + map_size;
> > > > + int ret = 0;
> > > > +
> > > > + if (WARN_ON(!IS_ALIGNED(map_size, PAGE_SIZE) ||
> > > > + !IS_ALIGNED(ipa, map_size)))
> > > > + return -EINVAL;
> > > > +
> > > > + if (rmi_delegate_range(phys, map_size)) {
> > > > + /*
> > > > + * It's likely we raced with another VCPU on the same
> > > > + * fault. Assume the other VCPU has handled the fault
> > > > + * and return to the guest.
> > > > + */
> > > > + return 0;
> > > > + }
> > > > +
> > > > + while (ipa < ipa_top) {
> > > > + unsigned long flags = RMI_ADDR_TYPE_SINGLE;
> > > > + unsigned long range_desc = addr_range_desc(phys, ipa_top - ipa);
> > > > + unsigned long out_top;
> > > > +
> > > > + ret = rmi_rtt_data_map(rd, ipa, ipa_top, flags, range_desc,
> > > > + &out_top);
> > > > +
> > > > + if (RMI_RETURN_STATUS(ret) == RMI_ERROR_RTT) {
> > > > + /* Create missing RTTs and retry */
> > > > + int level = RMI_RETURN_INDEX(ret);
> > > > +
> > > > + WARN_ON(level == KVM_PGTABLE_LAST_LEVEL);
> > > > + ret = realm_create_rtt_levels(realm, ipa, level,
> > > > + KVM_PGTABLE_LAST_LEVEL,
> > > > + memcache);
> > > > + if (ret)
> > > > + goto err_undelegate;
> > > > +
> > > > + ret = rmi_rtt_data_map(rd, ipa, ipa_top, flags,
> > > > + range_desc, &out_top);
> > > > + }
> > > > +
> > > > + if (WARN_ON(ret))
> > > > + goto err_undelegate;
> > > > +
> > > > + phys += out_top - ipa;
> > > > + ipa = out_top;
> > > > + }
> > > > +
> > > > + return 0;
> > > > +
> > > > +err_undelegate:
> > > > + realm_unmap_private_range(kvm, base_ipa, ipa, true);
> > > > + if (WARN_ON(rmi_undelegate_range(base_phys, map_size))) {
> > > > + /* Page can't be returned to NS world so is lost */
> > > > + get_page(phys_to_page(base_phys));
> > > > + }
> > > > + return -ENXIO;
> > > > +}
> > > > +
> > > > +int realm_map_non_secure(struct realm *realm,
> > > > + unsigned long ipa,
> > > > + kvm_pfn_t pfn,
> > > > + unsigned long size,
> > > > + enum kvm_pgtable_prot prot,
> > > > + struct kvm_mmu_memory_cache *memcache)
> > > > +{
> > > > + unsigned long attr, flags = 0;
> > > > + phys_addr_t rd = virt_to_phys(realm->rd);
> > > > + phys_addr_t phys = __pfn_to_phys(pfn);
> > > > + unsigned long ipa_top = ipa + size;
> > > > + int ret;
> > > > +
> > > > + if (WARN_ON(!IS_ALIGNED(size, PAGE_SIZE) ||
> > > > + !IS_ALIGNED(ipa, size)))
> > > > + return -EINVAL;
> > > > +
> > > > + switch (prot & (KVM_PGTABLE_PROT_DEVICE | KVM_PGTABLE_PROT_NORMAL_NC)) {
> > > > + case KVM_PGTABLE_PROT_DEVICE | KVM_PGTABLE_PROT_NORMAL_NC:
> > > > + return -EINVAL;
> > > > + case KVM_PGTABLE_PROT_DEVICE:
> > > > + attr = MT_S2_FWB_DEVICE_nGnRE;
> > > > + break;
> > > > + case KVM_PGTABLE_PROT_NORMAL_NC:
> > > > + attr = MT_S2_FWB_NORMAL_NC;
> > > > + break;
> > > > + default:
> > > > + attr = MT_S2_FWB_NORMAL;
> > > > + }
> > > > +
> > > > + flags |= FIELD_PREP(RMI_RTT_UNPROT_MAP_FLAGS_MEMATTR, attr);
> > > > +
> > > > + if (prot & KVM_PGTABLE_PROT_R)
> > > > + flags |= FIELD_PREP(RMI_RTT_UNPROT_MAP_FLAGS_S2AP, RMI_S2AP_DIRECT_READ);
> > > > + if (prot & KVM_PGTABLE_PROT_W)
> > > > + flags |= FIELD_PREP(RMI_RTT_UNPROT_MAP_FLAGS_S2AP, RMI_S2AP_DIRECT_WRITE);
> > > > +
> > > > + flags |= RMI_ADDR_TYPE_SINGLE;
> > > > +
> > > > + while (ipa < ipa_top) {
> > > > + unsigned long range_desc = addr_range_desc(phys, ipa_top - ipa);
> > > > + unsigned long out_top;
> > > > +
> > > > + ret = rmi_rtt_unprot_map(rd, ipa, ipa_top, flags, range_desc,
> > > > + &out_top);
> > > > +
> > > > + if (RMI_RETURN_STATUS(ret) == RMI_ERROR_RTT) {
> > > > + /* Create missing RTTs and retry */
> > > > + int level = RMI_RETURN_INDEX(ret);
> > > > +
> > > > + WARN_ON(level == KVM_PGTABLE_LAST_LEVEL);
> > > > + ret = realm_create_rtt_levels(realm, ipa, level,
> > > > + KVM_PGTABLE_LAST_LEVEL,
> > > > + memcache);
> > > > + if (ret)
> > > > + return ret;
> > > > +
> > > > + ret = rmi_rtt_unprot_map(rd, ipa, ipa_top, flags,
> > > > + range_desc, &out_top);
> > > > + }
> > > > +
> > > > + if (WARN_ON(ret))
> > > > + return ret;
> > > > +
> > > > + phys += out_top - ipa;
> > > > + ipa = out_top;
> > > > + }
> > > > +
> > > > + return 0;
> > > > +}
> > > > +
> > > > static int populate_region_cb(struct kvm *kvm, gfn_t gfn, kvm_pfn_t pfn,
> > > > struct page *src_page, void *opaque)
> > > > {
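Review bot: realm_map_non_secure() returns the raw RMI status word on a map failure (`if (WARN_ON(ret)) return ret;` after the rmi_rtt_unprot_map() retry), whereas realm_map_protected() converts the same condition to `-ENXIO`; the callers in mmu.c propagate the result as an errno, so a positive RMI status would not be treated as a failure by them. Make the two consistent, e.g. `if (WARN_ON(ret)) return -ENXIO;`, unless rmi_rtt_unprot_map() already returns an errno (the RMI_RETURN_STATUS() decode on the preceding line suggests it does not). Separately, the two `FIELD_PREP(RMI_RTT_UNPROT_MAP_FLAGS_S2AP, ...)` values for read and write are OR-ed into the same field, which only yields a read-write encoding if RMI_S2AP_DIRECT_READ and RMI_S2AP_DIRECT_WRITE are disjoint bit values whose union is the RW encoding — a comment stating that assumption would help. In realm_map_protected() the fixed `-ENXIO` on the err_undelegate path also discards the errno from realm_create_rtt_levels(), so a memcache shortfall is reported as a device error. Minor: `granulatity` in the addr_range_desc() comment.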
> > >
> > > Thanks,
> > > Gavin
> > >
> >
>