Everyone figured Hafnium, Google’s battle-tested C fortress, would rule ARM’s Secure world forever. Secure hypervisors? Nah, stick to C’s raw power for that EL2 nitty-gritty. But hold on—this lone dev just flipped the script in 10 weeks flat. A bare-metal Rust SPMC at S-EL2, booting Linux, juggling Secure Partitions, and high-fiving Android’s pKVM on the same SoC. Two hypervisors, one chip. Boom.
That’s the shift. No more solo acts in virtualization land. ARM’s latest beasts split the CPU into Normal and Secure realms, each with its own EL2 overlord. pKVM owns the Normal side; this Rust beast claims Secure. They chat via FF-A protocol, bounced through EL3 firmware like interstellar messengers. And it works—35 end-to-end tests green across four exception levels.
Picture This: Hypervisors as Duelists on a Single Stage
Imagine two swordmasters circling on one tiny arena floor, blades flashing but never clashing. pKVM at NS-EL2, Rust SPMC at S-EL2, TF-A at EL3 refereeing the dance. Boot chain? TF-A kicks off, drops the Rust hypervisor into Secure EL2 (spinning up three partitions), then flips to pKVM and Linux in Normal world. Secondary CPUs? They register entry points, snag per-CPU stacks—miss a handshake, and PSCI boot stalls the whole show.
Here’s the proof in the pudding:
ffa_test: x3=0xaaaa x4=0xcbbb x5=0xcccc x6=0xdddd x7=0xeeee ffa_test: [PASS] DIRECT_REQ to SP 0x8001 returns success ffa_test: [PASS] SP 0x8001 x4 = 0xBBBB + 0x1000
Linux guest fires off 0xBBBB; Secure Partition 1 tacks on 0x1000; response zips back pristine. Four privilege hops, two world switches. Magic? Nah—smart engineering.
But why Rust? Hafnium’s 200K+ lines of C scream ‘enterprise bloat.’ This? 30K no_std lines. No runtime. No allocator. One dep: a DTB parser. Boots BusyBox Linux shell, handles FF-A v1.1 messaging, shares memory like a pro. Rust’s enums nail the partition state machine—Reset to Idle to Blocked—no leaky invariants like C enums force you to babysit.
Why Rust for ARM Hypervisors Right Now?
Look. We’re at an inflection. AI’s gobbling cycles; phones need ironclad secure enclaves for your biometrics, crypto keys, that neural copilot whispering in your ear. C crashes? Kernel panic. Memory bugs? Game over for Secure world. Rust? Borrow checker as bouncer—memory safety without GC tax. This isn’t hype; it’s the Rust-for-Linux kernel push, but turbocharged for hypervisors.
My bold call—and here’s the insight no one’s yelling yet: this mirrors the 90s Java applets era, but done right. Back then, browsers sandboxed untrusted code for safety. Today, Rust SPMCs sandbox your trusted workloads from the OS itself. Prediction? By 2026, premium Android flagships ship Rust Secure hypervisors stock. Hafnium? Legacy museum piece. Phones become AI fortresses, your private data truly private.
Rust shrinks the attack surface—30K vs 200K lines means fewer bugs to pwn. And those war stories? Deliciously human.
First: S-EL2 MMU NS bit madness. Secure writes to 0x42a16000 hit Secure alias; pKVM’s buffer? Non-Secure alias. Same address, parallel universes. Fix? Stage-1 identity map marks Normal DRAM NS=1, forces the right path. Like tuning a quantum bridge.
Second. Cross-CPU cache coherency hell. pKVM scribbles on CPU0 TX buffer, SMCs to random CPU2 with stale L1. DSB SY barriers? Not enough. Solution: copy to local stack before parse. Data aborts vanished.
SPMD per-CPU state? Docs? Buried in TF-A source. Skip FFA_MSG_WAIT? Boot deadlock. Secondary EP register or bust.
And the tests—make run-pkvm-ffa-test lights up:
[SPMC] SP1 booted, now Idle (FFA_MSG_WAIT received) [SPMC] Secondary EP registered with SPMD ffa_test: Results: 35/35 PASS
Full stack: Linux module → pKVM → TF-A → Rust SPMC → partitions → reverse. Shared pages verified (0xCAFEFACE magic), MEM_RECLAIM, relay chains. Flawless.
What Makes Coexistence a Beast?
Single hypervisor? Easy street. But dual-world tango? CPUs juggle personas per core. pKVM boots secondaries via PSCI; each drops into S-EL2 on its landing core. Rust allocates stacks (3x32KB), runs event loops everywhere. One flake, and SPMD stonewalls.
FF-A v1.1? Messaging, memory loans, page flips, partition wrangling. Rust’s no_std purity shines—no alloc panics mid-SMC.
This changes everything for edge AI. Secure Partitions as lightweight TEEs—run models in Secure world, shielded from Android’s chaos. Your face unlock? Not peeking at cloud. Local inference? Locked tight.
Skeptical? Google’s Hafnium was reference gold. But Rust proves you don’t need C’s chains to fly. Open source this beast, and ARM ecosystem explodes—phones, IoT, servers. The platform shift? Memory-safe virtualization at the metal.
Energy here feels electric. Wonder at Rust eating C’s lunch, one hypervisor at a time.
🧬 Related Insights
- Read more: Claude Mythos: The AI That Finds Crypto’s Unlocked Doors Overnight
- Read more: IPS vs LED Displays: Picking the Pixel Perfect for Dashboards and Billboards
Frequently Asked Questions
What is an SPMC on ARM?
SPMC (Secure Partition Manager Client) runs at S-EL2 in ARM’s Secure world, managing Secure Partitions like mini-VMs isolated from the Normal world OS.
Can Rust really replace C in hypervisors?
Yes— this 30K-line no_std Rust SPMC boots Linux, passes FF-A tests alongside pKVM, proving Rust’s safety and leanness crush C’s bloat for secure low-level code.
How do pKVM and SPMC coexist on one SoC?
They split EL2 realms (NS-EL2 vs S-EL2), relay via TF-A at EL3 using FF-A protocol—messages cross worlds with four EL hops per round trip.
