Nvidia unstable 11.9+cca/latest#4
Merged
NathanChenNVIDIA merged 2 commits into NVIDIA:nvidia_unstable-11.9 from Nov 20, 2025
…ests"
This reverts commit 8a6274f. This patch is being replaced with an auto-conversion approach that converts pflash to ROM for CCA guests instead of rejecting the configuration. This allows the same domain XML to work for both CCA and non-CCA guests by simply toggling the launchSecurity element.
Signed-off-by: Ian May <ianm@nvidia.com>

The CCA-enabled Arm virt machine doesn't support pflash devices when realm mode is active. Automatically convert pflash loaders to ROM and ignore NVRAM configuration when CCA launch security is enabled. This allows the same domain XML to work for both CCA and non-CCA guests.
Signed-off-by: Ian May <ianm@nvidia.com>
nvmochs
approved these changes
Nov 20, 2025
Collaborator
nvmochs
left a comment
This seems like a better approach. Changes LGTM!
Acked-by: Matthew R. Ochs <mochs@nvidia.com>
Collaborator
NathanChenNVIDIA
left a comment
Acked-by: Nathan Chen <nathanc@nvidia.com>
NathanChenNVIDIA
approved these changes
Nov 20, 2025
Auto-convert pflash to ROM for ARM CCA guests
What this does
Reverts the previous patch that rejected pflash configurations for CCA guests, and replaces it with automatic pflash to ROM conversion.
Background
The old approach (commit 8a6274f) rejected any pflash loader when CCA was enabled, forcing users to manually specify ROM in their XML. This meant:
New approach
Instead of rejecting pflash, automatically convert it to ROM when <launchSecurity type='cca'> is present. NVRAM gets cleared automatically since ROM doesn't support it. Now the same XML works for both - just toggle the launchSecurity element.
What changed
Testing
Tested on hardware. virt-install with pflash + CCA works now. Non-CCA VMs still use pflash normally.
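
The conversion rule described under "New approach", modelled as an added example (not code from this PR or from libvirt) so the settings that change when CCA is toggled can be seen side by side. The sample domain XML, its placeholder paths and the helper names `effective_firmware` and `toggle_off_cca` are assumptions made for illustration; only the rule itself (pflash becomes ROM and NVRAM is dropped when `<launchSecurity type='cca'>` is present) comes from the description.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML; the name and firmware paths are placeholders.
SAMPLE_XML = """\
<domain type='kvm'>
  <name>demo-guest</name>
  <os>
    <type arch='aarch64' machine='virt'>hvm</type>
    <loader readonly='yes' type='pflash'>/path/to/firmware-code.fd</loader>
    <nvram>/path/to/demo-guest-vars.fd</nvram>
  </os>
  <launchSecurity type='cca'/>
</domain>
"""

def effective_firmware(domain_xml):
    """Hypothetical helper: apply the conversion rule the PR describes and
    report the resulting loader type, NVRAM path and what was changed."""
    root = ET.fromstring(domain_xml)
    os_el = root.find("os")
    loader = os_el.find("loader") if os_el is not None else None
    sec = root.find("launchSecurity")
    is_cca = sec is not None and sec.get("type") == "cca"
    changes = []
    if is_cca and loader is not None and loader.get("type") == "pflash":
        loader.set("type", "rom")
        changes.append("loader: pflash -> rom")
        for nvram in os_el.findall("nvram"):
            changes.append("nvram ignored: " + (nvram.text or "").strip())
            os_el.remove(nvram)
    nvram = os_el.find("nvram") if os_el is not None else None
    return {
        "cca": is_cca,
        "loader_type": loader.get("type") if loader is not None else None,
        "nvram": nvram.text.strip() if nvram is not None and nvram.text else None,
        "changes": changes,
    }

def toggle_off_cca(domain_xml):
    """Return the same XML with the launchSecurity element removed."""
    root = ET.fromstring(domain_xml)
    for sec in root.findall("launchSecurity"):
        root.remove(sec)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for label, xml in (("CCA", SAMPLE_XML), ("non-CCA", toggle_off_cca(SAMPLE_XML))):
        print(label, effective_firmware(xml))
```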