qemu/arm-VirtCCA-Compatibility-with-older-versions-of-TMM.patch

From 5ed17a43a4cc7fc76397d6d8cad8246063b5b2f3 Mon Sep 17 00:00:00 2001
From: gongchangsui <gongchangsui@outlook.com>
Date: Mon, 17 Mar 2025 02:43:55 -0400
Subject: [PATCH] arm: VirtCCA: Compatibility with older versions of TMM and
 the kernel

Since the base memory address of Confidential VMs in QEMU was changed
from 3GB to 1GB, corresponding adjustments are required in both the TMM
and kernel components. To maintain backward compatibility, the following
modifications were implemented:
    1. **TMM Versioning**: The TMM version number was incremented to
reflect the update
    2. **Kernel Interface**: A new interface was exposed in the kernel
to retrieve the TMM version number.
    3. **QEMU Compatibility Logic**: During initialization, QEMU checks
the TMM version via the kernel interface. If the TMM version is**<2.1**(legacy),
QEMU sets the Confidential VM's base memory address to**3GB**. For TMM versions
**2.1**(updated), the address is configured to**1GB**to align with the new memory layout
This approach ensures seamless backward compatibility while transitioning
to the revised memory addressing scheme.

Signed-off-by: gongchangsui <gongchangsui@outlook.com>
---
 accel/kvm/kvm-all.c           | 3 +--
 hw/arm/boot.c                 | 9 +++++++++
 hw/arm/virt.c                 | 9 +++++++--
 linux-headers/asm-arm64/kvm.h | 2 ++
 linux-headers/linux/kvm.h     | 3 +++
 5 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index a8e29f148e..38a48cc031 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -2390,6 +2390,7 @@ static int kvm_init(MachineState *ms)
     qemu_mutex_init(&kml_slots_lock);
 
     s = KVM_STATE(ms->accelerator);
+    kvm_state = s;
 
     /*
      * On systems where the kernel can support different base page
@@ -2609,8 +2610,6 @@ static int kvm_init(MachineState *ms)
 #endif
     }
 
-    kvm_state = s;
-
     ret = kvm_arch_init(ms, s);
     if (ret < 0) {
         goto err;
diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index 6b2f46af4d..ca9f69fd3d 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -1162,6 +1162,15 @@ static void arm_setup_confidential_firmware_boot(ARMCPU *cpu,
                                                  struct arm_boot_info *info,
                                                  const char *firmware_filename)
 {
+    uint64_t tmi_version = 0;
+    if (kvm_ioctl(kvm_state, KVM_GET_TMI_VERSION, &tmi_version) < 0) {
+        error_report("please check the kernel version!");
+        exit(EXIT_FAILURE);
+    }
+    if (tmi_version < MIN_TMI_VERSION_FOR_UEFI_BOOTED_CVM) {
+        error_report("please check the tmi version!");
+        exit(EXIT_FAILURE);
+    }
     ssize_t fw_size;
     const char *fname;
     AddressSpace *as = arm_boot_address_space(cpu, info);
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 6ffb26e7e6..39dfec0877 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -2050,8 +2050,13 @@ static void virt_set_memmap(VirtMachineState *vms, int pa_bits)
             /* support kae vf device tree nodes */
             vms->memmap[VIRT_PCIE_MMIO] = (MemMapEntry) { 0x10000000, 0x2edf0000 };
             vms->memmap[VIRT_KAE_DEVICE] = (MemMapEntry) { 0x3edf0000, 0x00200000 };
-
-            vms->memmap[VIRT_MEM].base = 1 * GiB;
+            uint64_t tmi_version = 0;
+            if (kvm_ioctl(kvm_state, KVM_GET_TMI_VERSION, &tmi_version) < 0) {
+                warn_report("can not get tmi version");
+            }
+            if (tmi_version < MIN_TMI_VERSION_FOR_UEFI_BOOTED_CVM) {
+                vms->memmap[VIRT_MEM].base = 3 * GiB;
+            }
             vms->memmap[VIRT_MEM].size = ms->ram_size;
             info_report("[qemu] fix VIRT_MEM range 0x%llx - 0x%llx\n", (unsigned long long)(vms->memmap[VIRT_MEM].base),
                  (unsigned long long)(vms->memmap[VIRT_MEM].base + ms->ram_size));
diff --git a/linux-headers/asm-arm64/kvm.h b/linux-headers/asm-arm64/kvm.h
index 552fdcb18f..d69a71cbec 100644
--- a/linux-headers/asm-arm64/kvm.h
+++ b/linux-headers/asm-arm64/kvm.h
@@ -597,4 +597,6 @@ struct kvm_cap_arm_tmm_populate_region_args {
 
 #endif
 
+#define MIN_TMI_VERSION_FOR_UEFI_BOOTED_CVM  0x20001
+
 #endif /* __ARM_KVM_H__ */
diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index 84cec64b88..7a08f9b1e9 100644
--- a/linux-headers/linux/kvm.h
+++ b/linux-headers/linux/kvm.h
@@ -2422,4 +2422,7 @@ struct kvm_s390_zpci_op {
 /* flags for kvm_s390_zpci_op->u.reg_aen.flags */
 #define KVM_S390_ZPCIOP_REGAEN_HOST    (1 << 0)
 
+/* get tmi version */
+#define KVM_GET_TMI_VERSION	_IOR(KVMIO, 0xd2, uint64_t)
+
 #endif /* __LINUX_KVM_H */
-- 
2.41.0.windows.1
QEMU update to version 8.2.0-30: - Revert "linux-user: Print tid not pid with strace" - gpex-acpi: Remove duplicate DSM #5 - smmuv3: Use default bus for arm-smmuv3-accel - smmuv3: Change arm-smmuv3-nested name to arm-smmuv3-accel - smmu-common: Return sysmem address space only for vfio-pci - smmuv3: realize get_pasid_cap and set ssidsize with pasid - vfio: Synthesize vPASID capability to VM - backend/iommufd: Report PASID capability - pci: Get pasid capability from vIOMMU - smmuv3: Add support for page fault handling - kvm: Translate MSI doorbell address only if it is valid - hw/arm/smmuv3: Enable sva/stall IDR features - iommufd.h: Updated to openeuler olk-6.6 kernel - tests/data/acpi/virt: Update IORT acpi table - hw/arm/virt-acpi-build: Add IORT RMR regions to handle MSI nested binding - tests/qtest: Allow IORT acpi table to change - hw/arm/virt-acpi-build: Build IORT with multiple SMMU nodes - hw/arm/smmuv3: Associate a pci bus with a SMMUv3 Nested device - hw/arm/smmuv3: Add initial support for SMMUv3 Nested device - hw/arm/virt: Add an SMMU_IO_LEN macro - hw/pci-host/gpex: [needs kernel fix] Allow to generate preserve boot config DSM #5 - tests/data/acpi: Update DSDT acpi tables - acpi/gpex: Fix PCI Express Slot Information function 0 returned value - tests/qtest: Allow DSDT acpi tables to change - hw/arm/smmuv3: Forward cache invalidate commands via iommufd - hw/arm/smmu-common: Replace smmu_iommu_mr with smmu_find_sdev - hw/arm/smmuv3: Add missing STE invalidation - hw/arm/smmuv3: Add smmu_dev_install_nested_ste() for CFGI_STE - hw/arm/smmuv3: Check idr registers for STE_S1CDMAX and STE_S1STALLD - hw/arm/smmuv3: Read host SMMU device info - hw/arm/smmuv3: Ignore IOMMU_NOTIFIER_MAP for nested-smmuv3 - hw/arm/smmu-common: Return sysmem if stage-1 is bypassed - hw/arm/smmu-common: Add iommufd helpers - hw/arm/smmu-common: Add set/unset_iommu_device callback - hw/arm/smmu-common: Extract smmu_get_sbus and smmu_get_sdev helpers - hw/arm/smmu-common: Bypass emulated IOTLB for a nested SMMU - hw/arm/smmu-common: Add a nested flag to SMMUState - backends/iommufd: Introduce iommufd_viommu_invalidate_cache - backends/iommufd: Introduce iommufd_vdev_alloc - backends/iommufd: Introduce iommufd_backend_alloc_viommu - vfio/iommufd: Implement [at\|de]tach_hwpt handlers - vfio/iommufd: Implement HostIOMMUDeviceClass::realize_late() handler - HostIOMMUDevice: Introduce realize_late callback - vfio/iommufd: Add properties and handlers to TYPE_HOST_IOMMU_DEVICE_IOMMUFD - backends/iommufd: Add helpers for invalidating user-managed HWPT - Update iommufd.h header for vSVA - vfio/common: Allow disabling device dirty page tracking - vfio/migration: Don't block migration device dirty tracking is unsupported - vfio/iommufd: Implement VFIOIOMMUClass::query_dirty_bitmap support - vfio/iommufd: Implement VFIOIOMMUClass::set_dirty_tracking support - vfio/iommufd: Probe and request hwpt dirty tracking capability - vfio/{iommufd, container}: Invoke HostIOMMUDevice::realize() during attach_device() - vfio/iommufd: Add hw_caps field to HostIOMMUDeviceCaps - vfio/{iommufd,container}: Remove caps::aw_bits - HostIOMMUDevice: Store the VFIO/VDPA agent - vfio/iommufd: Introduce auto domain creation - vfio/ccw: Don't initialize HOST_IOMMU_DEVICE with mdev - vfio/ap: Don't initialize HOST_IOMMU_DEVICE with mdev - vfio/iommufd: Return errno in iommufd_cdev_attach_ioas_hwpt() - backends/iommufd: Extend iommufd_backend_get_device_info() to fetch HW capabilities - vfio/iommufd: Don't initialize nor set a HOST_IOMMU_DEVICE with mdev - vfio/pci: Extract mdev check into an helper - intel_iommu: Check compatibility with host IOMMU capabilities - intel_iommu: Implement [set\|unset]_iommu_device() callbacks - intel_iommu: Extract out vtd_cap_init() to initialize cap/ecap - vfio/pci: Pass HostIOMMUDevice to vIOMMU - hw/pci: Introduce pci_device_[set\|unset]_iommu_device() - hw/pci: Introduce helper function pci_device_get_iommu_bus_devfn() - vfio: Create host IOMMU device instance - backends/iommufd: Implement HostIOMMUDeviceClass::get_cap() handler - vfio/container: Implement HostIOMMUDeviceClass::get_cap() handler - vfio/iommufd: Implement HostIOMMUDeviceClass::realize() handler - backends/iommufd: Introduce helper function iommufd_backend_get_device_info() - vfio/container: Implement HostIOMMUDeviceClass::realize() handler - range: Introduce range_get_last_bit() - backends/iommufd: Introduce TYPE_HOST_IOMMU_DEVICE_IOMMUFD[_VFIO] devices - vfio/container: Introduce TYPE_HOST_IOMMU_DEVICE_LEGACY_VFIO device - backends/host_iommu_device: Introduce HostIOMMUDeviceCaps - backends: Introduce HostIOMMUDevice abstract - vfio/iommufd: Remove CONFIG_IOMMUFD usage - vfio/spapr: Extend VFIOIOMMUOps with a release handler - vfio/spapr: Only compile sPAPR IOMMU support when needed - vfio/iommufd: Introduce a VFIOIOMMU iommufd QOM interface - vfio/spapr: Introduce a sPAPR VFIOIOMMU QOM interface - vfio/container: Intoduce a new VFIOIOMMUClass::setup handler - vfio/container: Introduce a VFIOIOMMU legacy QOM interface - vfio/container: Introduce a VFIOIOMMU QOM interface - vfio/container: Initialize VFIOIOMMUOps under vfio_init_container() - vfio/container: Introduce vfio_legacy_setup() for further cleanups - docs/devel: Add VFIO iommufd backend documentation - vfio: Introduce a helper function to initialize VFIODevice - vfio/ccw: Move VFIODevice initializations in vfio_ccw_instance_init - vfio/ap: Move VFIODevice initializations in vfio_ap_instance_init - vfio/platform: Move VFIODevice initializations in vfio_platform_instance_init - vfio/pci: Move VFIODevice initializations in vfio_instance_init - hw/i386: Activate IOMMUFD for q35 machines - kconfig: Activate IOMMUFD for s390x machines - hw/arm: Activate IOMMUFD for virt machines - vfio: Make VFIOContainerBase poiner parameter const in VFIOIOMMUOps callbacks - vfio/ccw: Make vfio cdev pre-openable by passing a file handle - vfio/ccw: Allow the selection of a given iommu backend - vfio/ap: Make vfio cdev pre-openable by passing a file handle - vfio/ap: Allow the selection of a given iommu backend - vfio/platform: Make vfio cdev pre-openable by passing a file handle - vfio/platform: Allow the selection of a given iommu backend - vfio/pci: Make vfio cdev pre-openable by passing a file handle - vfio/pci: Allow the selection of a given iommu backend - vfio/iommufd: Enable pci hot reset through iommufd cdev interface - vfio/pci: Introduce a vfio pci hot reset interface - vfio/pci: Extract out a helper vfio_pci_get_pci_hot_reset_info - vfio/iommufd: Add support for iova_ranges and pgsizes - vfio/iommufd: Relax assert check for iommufd backend - vfio/iommufd: Implement the iommufd backend - vfio/common: return early if space isn't empty - util/char_dev: Add open_cdev() - backends/iommufd: Introduce the iommufd object - vfio/spapr: Move hostwin_list into spapr container - vfio/spapr: Move prereg_listener into spapr container - vfio/spapr: switch to spapr IOMMU BE add/del_section_window - vfio/spapr: Introduce spapr backend and target interface - vfio/container: Implement attach/detach_device - vfio/container: Move iova_ranges to base container - vfio/container: Move dirty_pgsizes and max_dirty_bitmap_size to base container - vfio/container: Move listener to base container - vfio/container: Move vrdl_list to base container - vfio/container: Move pgsizes and dma_max_mappings to base container - vfio/container: Convert functions to base container - vfio/container: Move per container device list in base container - vfio/container: Switch to IOMMU BE set_dirty_page_tracking/query_dirty_bitmap API - vfio/container: Move space field to base container - vfio/common: Move giommu_list in base container - vfio/common: Introduce vfio_container_init/destroy helper - vfio/container: Switch to dma_map\|unmap API - vfio/container: Introduce a empty VFIOIOMMUOps - vfio: Introduce base object for VFIOContainer and targeted interface - cryptodev: Fix error handling in cryptodev_lkcf_execute_task() - hw/xen: Fix xen_bus_realize() error handling - hw/misc/aspeed_hace: Fix buffer overflow in has_padding function - target/s390x: Fix a typo in s390_cpu_class_init() - hw/sd/sdhci: free irq on exit - hw/ufs: free irq on exit - hw/pci-host/designware: Fix ATU_UPPER_TARGET register access - target/i386: Make invtsc migratable when user sets tsc-khz explicitly - target/i386: Construct CPUID 2 as stateful iff times > 1 - target/i386: Enable fdp-excptn-only and zero-fcs-fds - target/i386: Don't construct a all-zero entry for CPUID[0xD 0x3f] - i386/cpuid: Remove subleaf constraint on CPUID leaf 1F - target/i386: pass X86CPU to x86_cpu_get_supported_feature_word - target/i386: Raise the highest index value used for any VMCS encoding - target/i386: Add VMX control bits for nested FRED support - target/i386: Delete duplicated macro definition CR4_FRED_MASK - target/i386: Add get/set/migrate support for FRED MSRs - target/i386: enumerate VMX nested-exception support - vmxcap: add support for VMX FRED controls - target/i386: mark CR4.FRED not reserved - target/i386: add support for FRED in CPUID enumeration - target/i386: fix feature dependency for WAITPKG - target/i386: Add more features enumerated by CPUID.7.2.EDX - net: fix build when libbpf is disabled, but libxdp is enabled - hw/nvme: fix invalid endian conversion - hw/nvme: fix invalid check on mcl - backends/cryptodev: Do not ignore throttle/backends Errors - backends/cryptodev: Do not abort for invalid session ID - virtcca: add kvm isolation when get tmi version. - qga: Don't daemonize before channel is initialized - qga: Add log to guest-fsfreeze-thaw command - backends: VirtCCA: cvm_gpa_start supports both 1GB and 3GB - BUGFIX: Enforce isolation for virtcca_shared_hugepage - arm: VirtCCA: qemu CoDA support UEFI boot - arm: VirtCCA: Compatibility with older versions of TMM and the kernel - arm: VirtCCA: qemu uefi boot support kae - arm: VirtCCA: CVM support UEFI boot Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit 85fd7a435d8203dde56fedc4c8f500e41faf132c) 2025-04-22 14:34:58 +08:00			`From 5ed17a43a4cc7fc76397d6d8cad8246063b5b2f3 Mon Sep 17 00:00:00 2001`
			`From: gongchangsui <gongchangsui@outlook.com>`
			`Date: Mon, 17 Mar 2025 02:43:55 -0400`
			`Subject: [PATCH] arm: VirtCCA: Compatibility with older versions of TMM and`
			`the kernel`

			`Since the base memory address of Confidential VMs in QEMU was changed`
			`from 3GB to 1GB, corresponding adjustments are required in both the TMM`
			`and kernel components. To maintain backward compatibility, the following`
			`modifications were implemented:`
			`1. TMM Versioning: The TMM version number was incremented to`
			`reflect the update`
			`2. Kernel Interface: A new interface was exposed in the kernel`
			`to retrieve the TMM version number.`
			`3. QEMU Compatibility Logic: During initialization, QEMU checks`
			`the TMM version via the kernel interface. If the TMM version is<2.1(legacy),`
			`QEMU sets the Confidential VM's base memory address to3GB. For TMM versions`
			`2.1(updated), the address is configured to1GBto align with the new memory layout`
			`This approach ensures seamless backward compatibility while transitioning`
			`to the revised memory addressing scheme.`

			`Signed-off-by: gongchangsui <gongchangsui@outlook.com>`
			`---`
			`accel/kvm/kvm-all.c \| 3 +--`
			`hw/arm/boot.c \| 9 +++++++++`
			`hw/arm/virt.c \| 9 +++++++--`
			`linux-headers/asm-arm64/kvm.h \| 2 ++`
			`linux-headers/linux/kvm.h \| 3 +++`
			`5 files changed, 22 insertions(+), 4 deletions(-)`

			`diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c`
			`index a8e29f148e..38a48cc031 100644`
			`--- a/accel/kvm/kvm-all.c`
			`+++ b/accel/kvm/kvm-all.c`
			`@@ -2390,6 +2390,7 @@ static int kvm_init(MachineState *ms)`
			`qemu_mutex_init(&kml_slots_lock);`

			`s = KVM_STATE(ms->accelerator);`
			`+ kvm_state = s;`

			`/*`
			`* On systems where the kernel can support different base page`
			`@@ -2609,8 +2610,6 @@ static int kvm_init(MachineState *ms)`
			`#endif`
			`}`

			`- kvm_state = s;`
			`-`
			`ret = kvm_arch_init(ms, s);`
			`if (ret < 0) {`
			`goto err;`
			`diff --git a/hw/arm/boot.c b/hw/arm/boot.c`
			`index 6b2f46af4d..ca9f69fd3d 100644`
			`--- a/hw/arm/boot.c`
			`+++ b/hw/arm/boot.c`
			`@@ -1162,6 +1162,15 @@ static void arm_setup_confidential_firmware_boot(ARMCPU *cpu,`
			`struct arm_boot_info *info,`
			`const char *firmware_filename)`
			`{`
			`+ uint64_t tmi_version = 0;`
			`+ if (kvm_ioctl(kvm_state, KVM_GET_TMI_VERSION, &tmi_version) < 0) {`
			`+ error_report("please check the kernel version!");`
			`+ exit(EXIT_FAILURE);`
			`+ }`
			`+ if (tmi_version < MIN_TMI_VERSION_FOR_UEFI_BOOTED_CVM) {`
			`+ error_report("please check the tmi version!");`
			`+ exit(EXIT_FAILURE);`
			`+ }`
			`ssize_t fw_size;`
			`const char *fname;`
			`AddressSpace *as = arm_boot_address_space(cpu, info);`
			`diff --git a/hw/arm/virt.c b/hw/arm/virt.c`
			`index 6ffb26e7e6..39dfec0877 100644`
			`--- a/hw/arm/virt.c`
			`+++ b/hw/arm/virt.c`
			`@@ -2050,8 +2050,13 @@ static void virt_set_memmap(VirtMachineState *vms, int pa_bits)`
			`/* support kae vf device tree nodes */`
			`vms->memmap[VIRT_PCIE_MMIO] = (MemMapEntry) { 0x10000000, 0x2edf0000 };`
			`vms->memmap[VIRT_KAE_DEVICE] = (MemMapEntry) { 0x3edf0000, 0x00200000 };`
			`-`
			`- vms->memmap[VIRT_MEM].base = 1 * GiB;`
			`+ uint64_t tmi_version = 0;`
			`+ if (kvm_ioctl(kvm_state, KVM_GET_TMI_VERSION, &tmi_version) < 0) {`
			`+ warn_report("can not get tmi version");`
			`+ }`
			`+ if (tmi_version < MIN_TMI_VERSION_FOR_UEFI_BOOTED_CVM) {`
			`+ vms->memmap[VIRT_MEM].base = 3 * GiB;`
			`+ }`
			`vms->memmap[VIRT_MEM].size = ms->ram_size;`
			`info_report("[qemu] fix VIRT_MEM range 0x%llx - 0x%llx\n", (unsigned long long)(vms->memmap[VIRT_MEM].base),`
			`(unsigned long long)(vms->memmap[VIRT_MEM].base + ms->ram_size));`
			`diff --git a/linux-headers/asm-arm64/kvm.h b/linux-headers/asm-arm64/kvm.h`
			`index 552fdcb18f..d69a71cbec 100644`
			`--- a/linux-headers/asm-arm64/kvm.h`
			`+++ b/linux-headers/asm-arm64/kvm.h`
			`@@ -597,4 +597,6 @@ struct kvm_cap_arm_tmm_populate_region_args {`

			`#endif`

			`+#define MIN_TMI_VERSION_FOR_UEFI_BOOTED_CVM 0x20001`
			`+`
			`#endif /* __ARM_KVM_H__ */`
			`diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h`
			`index 84cec64b88..7a08f9b1e9 100644`
			`--- a/linux-headers/linux/kvm.h`
			`+++ b/linux-headers/linux/kvm.h`
			`@@ -2422,4 +2422,7 @@ struct kvm_s390_zpci_op {`
			`/* flags for kvm_s390_zpci_op->u.reg_aen.flags */`
			`#define KVM_S390_ZPCIOP_REGAEN_HOST (1 << 0)`

			`+/* get tmi version */`
			`+#define KVM_GET_TMI_VERSION _IOR(KVMIO, 0xd2, uint64_t)`
			`+`
			`#endif /* __LINUX_KVM_H */`
			`--`
			`2.41.0.windows.1`