Hi Neptune

You are right, I would have expected a Granule protection fault (GPF) when accessing a physical address delegated to realm world. It is difficult to say why, without further information about the platform , EL3 firmware used etc. If the platform is FVP, then the FVP cmd line options would need to be verified.

Would recommend reproducing your test in a shrinkwrap setup https://shrinkwrap.docs.arm.com/en/latest/userguide/configstore/cca-3world.html and see the behavior.

Best Regards

Soby Mathew

From: neptune via tf-rmm <tf-rmm@lists.trustedfirmware.org>
Sent: Tuesday, August 5, 2025 2:02 PM
To: tf-rmm <tf-rmm@lists.trustedfirmware.org>
Subject: [tf-rmm] question about rmm

I'm doing some tests on tf-rmm while found something interesting.

Why this code can execute without error?This code is part of a driver.

__attribute__((aligned(4096)))

static int realm_start(void)

{

return 11;

}

int create_realm(void)

{

struct smc_result result;

int ret = 10;

flush_cache_all();

flush_tlb_all();

isb();

host_rmi_granule_delegate(virt_to_phys(realm_start), &result);

CHECK_RMI_RESULT();

pr_info("host_rmi_granule_delegate %lx\n", (uintptr_t)virt_to_phys(realm_start));

flush_cache_all();

flush_tlb_all();

isb();

ret = realm_start();

pr_info("run realm start %d\n", ret);

char dst[9] = {0};

memcpy(dst, realm_start, 8);

pr_info("memcpy done %x\n", *(uint64_t *)dst);

host_rmi_granule_undelegate(virt_to_phys(realm_start), &result);

CHECK_RMI_RESULT();

pr_info("host_rmi_granule_undelegate done\n");

return 0;

}

Here is the output of linux and tf-rmm

[ 743.248076] realm: loading out-of-tree module taints kernel.

[ 743.260986] realm_create: Module loaded

[ 743.261778] SMC_GRANULE_DELEGATE: addr = 0xeda70000 eda70000

[ 743.265428] host_rmi_granule_delegate eda70000

[ 743.266110] run realm start 11

[ 743.266581] memcpy done 52800160

[ 743.268005] host_rmi_granule_undelegate done

SMC_RMI_GRANULE_DELEGATE eda70000 > RMI_SUCCESS

SMC_RMI_GRANULE_UNDELEGATE eda70000 > RMI_SUCCESS