Add Arm CCA support

accel/kvm/kvm-all.c

@@ -2479,7 +2479,7 @@ static int kvm_max_vcpus(KVMState *s)
 
 static int kvm_max_vcpu_id(KVMState *s)
 {
-    int ret = kvm_check_extension(s, KVM_CAP_MAX_VCPU_ID);
+    int ret = kvm_vm_check_extension(s, KVM_CAP_MAX_VCPU_ID);
     return (ret) ? ret : kvm_max_vcpus(s);
 }
 
@@ -2750,7 +2750,7 @@ static int kvm_init(AccelState *as, MachineState *ms)
 
 #ifdef TARGET_KVM_HAVE_GUEST_DEBUG
     kvm_has_guest_debug =
-        (kvm_check_extension(s, KVM_CAP_SET_GUEST_DEBUG) > 0);
+        (kvm_vm_check_extension(s, KVM_CAP_SET_GUEST_DEBUG) > 0);
 #endif
 
     kvm_sstep_flags = 0;

debian/changelog

@@ -1,3 +1,9 @@
+qemu (1:10.1.0+nvidia1-unstable) noble; urgency=medium
+
+  * Update to QEMU 10.1.0 upstream with NVIDIA support
+
+ -- Matthew R. Ochs <mochs@nvidia.com>  Tue, 07 Oct 2025 09:16:29 -0700
+
 qemu (1:8.2.2+ds-0ubuntu1) noble; urgency=medium
 
   * Merge version 8.2.2 from upstream. (LP: #2061005).  Cherry-picks from

debian/control

@@ -2,12 +2,12 @@
 Source: qemu
 Section: otherosfs
 Priority: optional
-Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+Maintainer: NVIDIA BaseOS Team <dgx-dev@nvidia.com>
 XSBC-Original-Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
 Uploaders: Michael Tokarev <mjt@tls.msk.ru>
 Build-Depends: debhelper-compat (= 13),
  python3:any,
- meson (>> 0.63.0~), ninja-build,
+ meson (>> 0.63.0~) | meson-1.5, ninja-build,
  flex, bison,
 Build-Depends-Arch:
 # In comments below we also specify (system-specific) arguments
@@ -127,25 +127,27 @@ Build-Depends-Arch:
 # various firmware files (kvmvapic.bin &Co), older qemu-system-data should work
 #XXX-cyclic-test-dep-dak-bug qemu-system-data [amd64 arm arm64 armel armhf i386 mips mips64 mips64el mipsel powerpc powerpcspe ppc64 ppc64el riscv64 s390x sparc sparc64 x32] <!nocheck>,
 Build-Depends-Indep:
+# Firmware build dependencies disabled since we're not building firmware
+# (sysdata-components commented out in debian/rules)
 # pc-bios/*.dts => *.dtb (PPC firmware)
  device-tree-compiler,
- gcc-s390x-linux-gnu,
+# gcc-s390x-linux-gnu,
 # qemu-palcode/palcode-clipper
- gcc-alpha-linux-gnu,
+# gcc-alpha-linux-gnu,
 # u-boot code
- gcc-powerpc-linux-gnu, bc,
+# gcc-powerpc-linux-gnu, bc,
 # skiboot firmware, openbios
- gcc-powerpc64-linux-gnu,
+# gcc-powerpc64-linux-gnu,
 # skiboot includes <openssl/something.h>
- libssl-dev,
+# libssl-dev,
 # openbios
- gcc-sparc64-linux-gnu, fcode-utils, xsltproc,
+# gcc-sparc64-linux-gnu, fcode-utils, xsltproc,
 # hppa-firmware
- gcc-hppa-linux-gnu,
+# gcc-hppa-linux-gnu,
 # opensbi
- gcc-riscv64-linux-gnu,
+# gcc-riscv64-linux-gnu,
 # vbootrom/npcm7xx_bootrom
- gcc-arm-none-eabi,
+# gcc-arm-none-eabi,
 Build-Conflicts: oss4-dev
 Standards-Version: 4.6.1
 Homepage: http://www.qemu.org/

debian/control-in

@@ -7,7 +7,7 @@ Priority: optional
 Uploaders: Michael Tokarev <mjt@tls.msk.ru>
 Build-Depends: debhelper-compat (= 13),
  python3:any,
- meson (>> 0.63.0~), ninja-build,
+ meson (>> 0.63.0~) | meson-1.5, ninja-build,
  flex, bison,
 Build-Depends-Arch:
 # In comments below we also specify (system-specific) arguments
@@ -131,25 +131,27 @@ Build-Depends-Arch:
 # various firmware files (kvmvapic.bin &Co), older qemu-system-data should work
 #XXX-cyclic-test-dep-dak-bug qemu-system-data [:system-arch-linux:] <!nocheck>,
 Build-Depends-Indep:
+# Firmware build dependencies disabled since we're not building firmware
+# (sysdata-components commented out in debian/rules)
 # pc-bios/*.dts => *.dtb (PPC firmware)
  device-tree-compiler,
- gcc-s390x-linux-gnu,
+# gcc-s390x-linux-gnu,
 # qemu-palcode/palcode-clipper
- gcc-alpha-linux-gnu,
+# gcc-alpha-linux-gnu,
 # u-boot code
- gcc-powerpc-linux-gnu, bc,
+# gcc-powerpc-linux-gnu, bc,
 # skiboot firmware, openbios
- gcc-powerpc64-linux-gnu,
+# gcc-powerpc64-linux-gnu,
 # skiboot includes <openssl/something.h>
- libssl-dev,
+# libssl-dev,
 # openbios
- gcc-sparc64-linux-gnu, fcode-utils, xsltproc,
+# gcc-sparc64-linux-gnu, fcode-utils, xsltproc,
 # hppa-firmware
- gcc-hppa-linux-gnu,
+# gcc-hppa-linux-gnu,
 # opensbi
- gcc-riscv64-linux-gnu,
+# gcc-riscv64-linux-gnu,
 # vbootrom/npcm7xx_bootrom
- gcc-arm-none-eabi,
+# gcc-arm-none-eabi,
 Build-Conflicts: oss4-dev
 Standards-Version: 4.6.1
 Homepage: http://www.qemu.org/

debian/qemu-system-common.install

@@ -11,11 +11,13 @@ usr/share/doc/qemu/system usr/share/doc/qemu-system-common
 
 # linux-specific
 usr/lib/qemu/qemu-bridge-helper
-usr/lib/qemu/virtfs-proxy-helper
-usr/share/man/man1/virtfs-proxy-helper.1
+# virtfs-proxy-helper removed in QEMU 9.0+ (replaced by vhost-user-fs)
+# usr/lib/qemu/virtfs-proxy-helper
+# usr/share/man/man1/virtfs-proxy-helper.1
 
 # common modules. Other gui modules are in qemu-system-gui
-usr/lib/${DEB_HOST_MULTIARCH}/qemu/accel-tcg-*.so
+# accel-tcg-*.so modules no longer built as separate .so files in QEMU 10.1+
+# usr/lib/${DEB_HOST_MULTIARCH}/qemu/accel-tcg-*.so
 usr/lib/${DEB_HOST_MULTIARCH}/qemu/audio-alsa.so
 usr/lib/${DEB_HOST_MULTIARCH}/qemu/audio-oss.so
 usr/lib/${DEB_HOST_MULTIARCH}/qemu/chardev-baum.so
@@ -26,5 +28,6 @@ usr/lib/${DEB_HOST_MULTIARCH}/qemu/hw-usb-host.so
 usr/lib/${DEB_HOST_MULTIARCH}/qemu/hw-usb-redirect.so
 usr/lib/${DEB_HOST_MULTIARCH}/qemu/hw-usb-smartcard.so
 usr/lib/${DEB_HOST_MULTIARCH}/qemu/hw-s390x-virtio-gpu-ccw.so
+usr/lib/${DEB_HOST_MULTIARCH}/qemu/hw-uefi-vars.so
 usr/lib/${DEB_HOST_MULTIARCH}/qemu/ui-curses.so
 debian/qemu-kvm-init /usr/share/qemu/init

debian/rules

@@ -108,11 +108,8 @@ common_configure_opts = \
 # but is -k flag useful these days?
 common_configure_opts += --disable-xkbcommon
 
-# pvrdma is an extension/optimisation for vmxnet3 vmware virtual network
-# adapter. This piece of code seems to be buggy and poorly maintained,
-# resulting in numerous security issues which comes unfixed for long time.
-# This device isn't native for qemu.  # Just disable it for now.
-common_configure_opts += --disable-pvrdma
+# pvrdma was removed in QEMU 9.1, no longer needs to be disabled
+# (it was an extension for vmxnet3 vmware virtual network adapter)
 
 # Cross compiling support
 ifneq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
@@ -162,10 +159,11 @@ system-kvmcpus-x86 = amd64 i386
 system-kvmlink-amd64 = x86_64
 system-kvmlink-i386 = x86_64
 
-system-archlist-misc = alpha avr cris hppa m68k loongarch64 \
-		microblaze microblazeel nios2 or1k riscv32 riscv64 rx sh4 sh4eb \
+system-archlist-misc = alpha avr hppa m68k loongarch64 \
+		microblaze microblazeel or1k riscv32 riscv64 rx sh4 sh4eb \
 		$(if ${system-s390x},,s390x) \
 		tricore xtensa xtensaeb
+# Note: cris and nios2 removed in QEMU 9.1+ - system emulation targets no longer exist
 system-alias-loongarch64 = loong64
 system-kvmcpus-misc = $(if ${system-s390x},,s390x)
 
@@ -381,10 +379,11 @@ qemu-builds += $(if $(filter qemu-system-xen,${BUILD_PACKAGES}),xen)
 ##############################
 
 # list of linux-user targets, from configs/targets/*-linux-user.mak
+# Note: cris and nios2 removed in QEMU 9.1+
 user-targets = \
- aarch64 aarch64_be alpha arm armeb cris hexagon hppa i386 loongarch64 \
+ aarch64 aarch64_be alpha arm armeb hexagon hppa i386 loongarch64 \
  m68k microblaze microblazeel mips mips64 mips64el mipsel mipsn32 mipsn32el \
- nios2 or1k ppc ppc64 ppc64le riscv32 riscv64 \
+ or1k ppc ppc64 ppc64le riscv32 riscv64 \
  s390x sh4 sh4eb sparc sparc32plus sparc64 \
  x86_64 xtensa xtensaeb
 # aliases for missing ${DEB_HOST_ARCH} names in qemu-user:
@@ -572,7 +571,7 @@ install-openbios: build-openbios
 		b/openbios/obj-sparc32/QEMU,tcx.bin \
 		b/openbios/obj-sparc32/QEMU,cgthree.bin \
 		b/openbios/obj-sparc64/QEMU,VGA.bin
-sysdata-components += openbios
+# sysdata-components += openbios
 
 ### powernv firmware in roms/skiboot
 build-skiboot: b/skiboot/skiboot.lid
@@ -588,7 +587,7 @@ b/skiboot/skiboot.lid: | roms/skiboot/.version
 	  CROSS_COMPILE=${PPC64_CROSSPFX} V=${V}
 install-skiboot: b/skiboot/skiboot.lid
 	install -m 0644 -t ${sysdataidir} $<
-sysdata-components += skiboot
+# sysdata-components += skiboot
 
 build-vof: b/vof/vof.bin
 b/vof/vof.bin: | b
@@ -597,7 +596,7 @@ b/vof/vof.bin: | b
 	${MAKE} -C b/vof CROSS=${PPC64_CROSSPFX} SRC_DIR=../../pc-bios/vof -f../../pc-bios/vof/Makefile
 install-vof: b/vof/vof.bin
 	install -m 0644 -t ${sysdataidir} $<
-sysdata-components += vof
+# sysdata-components += vof
 
 ### u-boot-e500 (u-boot.e500)
 build-u-boot-e500: b/u-boot/build-e500/u-boot
@@ -608,7 +607,7 @@ b/u-boot/build-e500/u-boot: | b
 	${PPC_CROSSPFX}strip $@
 install-u-boot-e500: b/u-boot/build-e500/u-boot
 	install -m 0644 $< ${sysdataidir}/u-boot.e500
-sysdata-components += u-boot-e500
+# sysdata-components += u-boot-e500
 
 ### u-boot-sam460 (u-boot-sam460-20100605.bin)
 build-u-boot-sam460: b/u-boot-sam460ex/u-boot.bin
@@ -620,7 +619,7 @@ b/u-boot-sam460ex/u-boot.bin: | b
 #	${PPC_CROSSPFX}strip $@
 install-u-boot-sam460: b/u-boot-sam460ex/u-boot.bin | ${sysdataidir}
 	install -m 0644 $< ${sysdataidir}/u-boot-sam460-20100605.bin
-sysdata-components += u-boot-sam460
+# sysdata-components += u-boot-sam460
 
 ### x86 optionrom
 build-x86-optionrom: b/optionrom/built
@@ -630,7 +629,7 @@ b/optionrom/built:
 	touch $@
 install-x86-optionrom: build-x86-optionrom | ${sysdataidir}
 	${MAKE} -f ${CURDIR}/debian/optionrom.mak -C b/optionrom SRC_PATH="${CURDIR}" install DESTDIR="${CURDIR}/${sysdataidir}"
-sysdata-components += x86-optionrom
+# sysdata-components += x86-optionrom
 
 ### qboot, aka bios-microvm
 build-qboot: b/qboot/bios.bin
@@ -640,7 +639,7 @@ b/qboot/bios.bin: | b
 	ninja -C b/qboot $(if $V,-v)
 install-qboot: b/qboot/bios.bin
 	install -m 0644 $< ${sysdataidir}/qboot.rom
-sysdata-components += qboot
+# sysdata-components += qboot
 
 ### alpha firmware in roms/palcode-clipper
 build-palcode-clipper: b/qemu-palcode/palcode-clipper
@@ -652,7 +651,7 @@ b/qemu-palcode/palcode-clipper: | b
 	${ALPHAEV67_CROSSPFX}strip b/qemu-palcode/palcode-clipper
 install-palcode-clipper: b/qemu-palcode/palcode-clipper
 	install -m 0644 $< ${sysdataidir}/palcode-clipper
-sysdata-components += palcode-clipper
+# sysdata-components += palcode-clipper
 
 ### SLOF
 build-slof: b/SLOF/boot_rom.bin
@@ -661,7 +660,7 @@ b/SLOF/boot_rom.bin: | b
 	env -u LDFLAGS -u CFLAGS $(MAKE) -C b/SLOF qemu CROSS=${PPC64_CROSSPFX} V=${V}
 install-slof: b/SLOF/boot_rom.bin
 	install -m 0644 $< ${sysdataidir}/slof.bin
-sysdata-components += slof
+# sysdata-components += slof
 
 ### s390x firmware in pc-bios/s390-ccw
 build-s390x-fw: b/s390fw/built
@@ -671,7 +670,7 @@ b/s390fw/built:
 	touch $@
 install-s390x-fw: build-s390x-fw
 	install -m 0644 -t ${sysdataidir} b/s390fw/s390*.img
-sysdata-components += s390x-fw
+# sysdata-components += s390x-fw
 
 ### hppa-firmware (roms/seabios-hppa)
 build-hppa-fw: b/hppafw/hppa-firmware.img
@@ -683,7 +682,7 @@ b/hppafw/hppa-firmware.img:
 	hppa-linux-gnu-strip -R.note -R.comment $@
 install-hppa-fw: b/hppafw/hppa-firmware.img
 	install -m 0644 $< ${sysdataidir}
-sysdata-components += hppa-fw
+# sysdata-components += hppa-fw
 
 ### opensbi (riscv firmware)
 # we only build v64 variants, not v32
@@ -696,7 +695,7 @@ b/opensbi/.built:
 install-opensbi: build-opensbi
 	install -m 0644 b/opensbi/platform/generic/firmware/fw_dynamic.bin ${sysdataidir}/opensbi-riscv64-generic-fw_dynamic.bin
 	install -m 0644 b/opensbi/platform/generic/firmware/fw_dynamic.elf ${sysdataidir}/opensbi-riscv64-generic-fw_dynamic.elf
-sysdata-components += opensbi
+# sysdata-components += opensbi
 
 ### vbootrom (npcm7xx)
 build-vbootrom: b/vbootrom/.built
@@ -706,7 +705,7 @@ b/vbootrom/.built: | b
 	touch $@
 install-vbootrom: build-vbootrom
 	install -m 0644 b/vbootrom/npcm7xx_bootrom.bin ${sysdataidir}/
-sysdata-components += vbootrom
+# sysdata-components += vbootrom
 
 ### misc firmware
 build-misc: b/misc/.built
@@ -732,7 +731,7 @@ install-misc: build-misc
 	 debian/qemu-system-data/usr/share/icons/hicolor/32x32/apps/qemu.bmp
 	install -Dp -m0644 -t debian/qemu-system-data/usr/share/qemu/keymaps/ \
 	 $$(ls -1 pc-bios/keymaps/* | fgrep -v /meson.build)
-sysdata-components += misc
+# sysdata-components += misc
 
 ${sysdataidir}:
 	mkdir -p -m 0755 $@

docs/interop/firmware.json

@@ -159,6 +159,9 @@
 #               options related to this feature are documented in
 #               "docs/system/i386/amd-memory-encryption.rst".
 #
+# @arm-rme: The firmware supports running in a Realm, under the Arm Realm
+#           Management Extension (RME).
+#
 # @intel-tdx: The firmware supports running under Intel Trust Domain
 #             Extensions (TDX).
 #
@@ -237,7 +240,7 @@
 { 'enum' : 'FirmwareFeature',
   'data' : [ 'acpi-s3', 'acpi-s4',
              'amd-sev', 'amd-sev-es', 'amd-sev-snp',
-             'intel-tdx',
+             'arm-rme', 'intel-tdx',
              'enrolled-keys', 'requires-smm',
              'secure-boot', 'host-uefi-vars',
              'verbose-dynamic', 'verbose-static' ] }

docs/system/arm/virt.rst

@@ -203,10 +203,11 @@ dtb-randomness
   rng-seed and kaslr-seed nodes (in both "/chosen" and
   "/secure-chosen") to use for features like the random number
   generator and address space randomisation. The default is
-  ``on``. You will want to disable it if your trusted boot chain
-  will verify the DTB it is passed, since this option causes the
-  DTB to be non-deterministic. It would be the responsibility of
-  the firmware to come up with a seed and pass it on if it wants to.
+  ``off`` for confidential VMs, and ``on`` otherwise. You will want
+  to disable it if your trusted boot chain will verify the DTB it is
+  passed, since this option causes the DTB to be non-deterministic.
+  It would be the responsibility of the firmware to come up with a
+  seed and pass it on if it wants to.
 
 dtb-kaslr-seed
   A deprecated synonym for dtb-randomness.

docs/system/confidential-guest-support.rst

@@ -41,5 +41,6 @@ Currently supported confidential guest mechanisms are:
 * Intel Trust Domain Extension (TDX) (see :doc:`i386/tdx`)
 * POWER Protected Execution Facility (PEF) (see :ref:`power-papr-protected-execution-facility-pef`)
 * s390x Protected Virtualization (PV) (see :doc:`s390x/protvirt`)
+* Arm Realm Management Extension (RME)
 
 Other mechanisms may be supported in future.