Arm Confidential Compute Architecture
Arm systems that support the Realm Management Extension (RME) contain hardware to allow a VM guest to be run in a way which protects the code and data of the guest from the hypervisor. It extends the older "two world" model (Normal and Secure World) into four worlds: Normal, Secure, Root and Realm. Linux can then also be run as a guest to a monitor running in the Realm world.

The monitor running in the Realm world is known as the Realm Management Monitor (RMM) and implements the Realm Management Monitor specification[1]. The monitor acts a bit like a hypervisor (e.g. it runs in EL2 and manages the stage 2 page tables etc. of the guests running in Realm world); however, much of the control is handled by a hypervisor running in the Normal World. The Normal World hypervisor uses the Realm Management Interface (RMI) defined by the RMM specification to request the RMM to perform operations (e.g. mapping memory or executing a vCPU).

The RMM defines an environment for guests where the address space (IPA) is split into two. The lower half is protected: any memory that is mapped in this half cannot be seen by the Normal World, and the RMM restricts what operations the Normal World can perform on this memory (e.g. the Normal World cannot replace pages in this region without the guest's cooperation). The upper half is shared: the Normal World is free to make changes to the pages in this region, and is able to emulate MMIO devices in this region too.

A guest running in a Realm may also communicate with the RMM using the Realm Services Interface (RSI) to request changes in its environment or to perform attestation about its environment. In particular it may request that areas of the protected address space are transitioned between 'RAM' and 'EMPTY' (in either direction). This allows a Realm guest to give up memory to be returned to the Normal World, or to request new memory from the Normal World. Without an explicit request from the Realm guest, the RMM will otherwise prevent the Normal World from making these changes.
Linux as a Realm Guest
To run Linux as a guest within a Realm, the following must be provided either by the VMM or by a boot loader run in the Realm before Linux:

 * All protected RAM described to Linux (by DT or ACPI) must be marked RIPAS RAM before handing control over to Linux.

 * MMIO devices must be either unprotected (e.g. emulated by the Normal World) or marked RIPAS DEV.

 * MMIO devices emulated by the Normal World and used very early in boot (specifically earlycon) must be specified in the upper half of IPA. For earlycon this can be done by specifying the address on the command line, e.g. with an IPA size of 33 bits and the base address of the emulated UART at 0x1000000:

     earlycon=uart,mmio,0x101000000

 * Linux will use bounce buffers for communicating with unprotected devices. It will transition some protected memory to RIPAS EMPTY and expect to be able to access unprotected pages at the same IPA address but with the highest valid IPA bit set. The expectation is that the VMM will remove the physical pages from the protected mapping and provide those pages as unprotected pages.
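The earlycon address and the bounce-buffer aliasing both rest on the same rule: the shared alias of a protected IPA is the same address with the highest valid IPA bit set. The following is an added example, not code from the kernel documentation or from the Linux or RMM sources, that carries that rule through for an arbitrary IPA size, validates that an address is actually in the protected half before aliasing it, and derives the documentation's earlycon= string from the 33-bit / 0x1000000 figures above. The function names, the IPA_INVALID sentinel and the 52-bit upper bound on the IPA size are this example's own assumptions.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sentinel returned for addresses that cannot be aliased (assumption of
 * this example: no Arm IPA space is wider than 52 bits, so an all-ones
 * value can never be a real IPA). */
#define IPA_INVALID UINT64_MAX

/* The Realm IPA space is split in two: the lower half is protected, the
 * upper half is shared with the Normal World.  The highest valid IPA bit
 * therefore decides which half an address falls in. */
static uint64_t ipa_half_bit(unsigned ipa_bits)
{
    return (uint64_t)1 << (ipa_bits - 1);
}

/* True if the address lies inside the IPA space at all. */
static bool ipa_in_range(uint64_t ipa, unsigned ipa_bits)
{
    if (ipa_bits < 2 || ipa_bits > 52)      /* sanity guard on the IPA size */
        return false;
    return ipa < ((uint64_t)1 << ipa_bits);
}

/* True if the IPA lies in the protected (lower) half. */
bool ipa_is_protected(uint64_t ipa, unsigned ipa_bits)
{
    return ipa_in_range(ipa, ipa_bits) && (ipa & ipa_half_bit(ipa_bits)) == 0;
}

/* Shared-half alias of a protected IPA: the same address with the highest
 * valid IPA bit set.  This is the address the guest uses to reach pages
 * the VMM has moved out of the protected mapping (the bounce-buffer case)
 * and the address an early-boot emulated UART must be given at.
 * Returns IPA_INVALID if the address is out of range or already shared. */
uint64_t ipa_to_unprotected(uint64_t ipa, unsigned ipa_bits)
{
    if (!ipa_is_protected(ipa, ipa_bits))
        return IPA_INVALID;
    return ipa | ipa_half_bit(ipa_bits);
}

/* Reverse direction: clear the alias bit to recover the protected IPA. */
uint64_t ipa_to_protected(uint64_t ipa, unsigned ipa_bits)
{
    if (!ipa_in_range(ipa, ipa_bits))
        return IPA_INVALID;
    return ipa & ~ipa_half_bit(ipa_bits);
}

/* Builds the earlycon= kernel parameter for a UART emulated by the Normal
 * World whose base is given as a lower-half IPA.  Returns the number of
 * characters written, or -1 if the base cannot be aliased. */
int earlycon_param(char *buf, size_t len, uint64_t uart_base, unsigned ipa_bits)
{
    uint64_t shared = ipa_to_unprotected(uart_base, ipa_bits);
    if (shared == IPA_INVALID)
        return -1;
    return snprintf(buf, len, "earlycon=uart,mmio,0x%" PRIx64, shared);
}

int main(void)
{
    /* Constructed inputs matching the documentation's example: a 33-bit
     * IPA space and an emulated UART at 0x1000000. */
    char buf[64];
    if (earlycon_param(buf, sizeof buf, 0x1000000, 33) < 0)
        return 1;
    printf("%s\n", buf);
    printf("protected IPA behind 0x101000000: 0x%" PRIx64 "\n",
           ipa_to_protected(0x101000000ULL, 33));
    return 0;
}
```

The range check before aliasing matters: an address already in the shared half, or one that does not fit the IPA size, has no meaningful alias, and silently setting a bit on it would produce an address the RMM does not treat as the guest expects.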