{"id":2231965,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2231965/?format=json","web_url":"http://patchwork.ozlabs.org/project/opensbi/patch/20260501183346.1596027-3-raymondmaoca@gmail.com/","project":{"id":67,"url":"http://patchwork.ozlabs.org/api/1.2/projects/67/?format=json","name":"OpenSBI development","link_name":"opensbi","list_id":"opensbi.lists.infradead.org","list_email":"opensbi@lists.infradead.org","web_url":"https://github.com/riscv/opensbi","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":"https://github.com/riscv/opensbi/commit/{}"},"msgid":"<20260501183346.1596027-3-raymondmaoca@gmail.com>","list_archive_url":null,"date":"2026-05-01T18:33:45","name":"[RFC,2/3] docs: document hwiso WorldGuard DT bindings and add QEMU overlay example","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"d259c661c8ba36d544a860e80384c7448cfdf4ce","submitter":{"id":91989,"url":"http://patchwork.ozlabs.org/api/1.2/people/91989/?format=json","name":"Raymond Mao","email":"raymondmaoca@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/opensbi/patch/20260501183346.1596027-3-raymondmaoca@gmail.com/mbox/","series":[{"id":502489,"url":"http://patchwork.ozlabs.org/api/1.2/series/502489/?format=json","web_url":"http://patchwork.ozlabs.org/project/opensbi/list/?series=502489","date":"2026-05-01T18:33:43","name":"Add QEMU virt WorldGuard support on top of HWISO","version":1,"mbox":"http://patchwork.ozlabs.org/series/502489/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231965/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231965/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n ","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=L4sXnMuF;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=MC797YCK;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=opensbi-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g6fp52zgHz1yHZ\n\tfor ; Sat, 02 May 2026 04:34:21 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wIsgo-00000007ZmA-208f;\n\tFri, 01 May 2026 18:34:15 +0000","from mail-qv1-xf29.google.com ([2607:f8b0:4864:20::f29])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wIsgm-00000007ZkR-1N4R\n\tfor opensbi@lists.infradead.org;\n\tFri, 01 May 2026 18:34:13 +0000","by mail-qv1-xf29.google.com with SMTP id\n 6a1803df08f44-8b3fe2f19a4so20083846d6.2\n for ;\n Fri, 01 May 2026 11:34:11 -0700 (PDT)","from ubuntu.localdomain (172-97-209-197.cpe.distributel.net.\n [172.97.209.197])\n by smtp.gmail.com with ESMTPSA id\n 6a1803df08f44-8b53c1dceddsm29696886d6.30.2026.05.01.11.34.09\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 01 May 2026 11:34:10 -0700 (PDT)"],"DKIM-Signature":["v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:\n\tMessage-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=Y1hKQ1Izma4dWXhNAQby8p3Y3O9sdMK5aZz5k9oE6oc=; b=L4sXnMuFfVt8Kz\n\tQ0F6NCOFt0eOa8KGkvstIdzp/kbngjJKe8rWz43KizZXC9DMzxdZL+EYapPFYww+ehwVOa2W8cQE0\n\tnmJl80OIsmBwngkqcuza28pQ0JFr0wxnR/5e58Afaw6Xg1RR5ybwDDIXy5VDx+B5Y6mwLgKsyC86t\n\tD3H/S+cu5M9hppv3bXL1XptLQroBqeO9aTBkkV7wtCPL8e10XtXZTkvkukkOaf/b+Rns9PAr6AQyz\n\t9pWA92AlTP+Ul+NRGrPaHDMCwRcDn8UJXMG42avwemBtAiMmaNRNtFEizeW2eNYqw8q5KQW3NcfUM\n\tr/xed/4OIG2BKUSs1N6g==;","v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1777660451; x=1778265251;\n darn=lists.infradead.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=0U4em0sroFReNzax6pOfkO7oBtK1P9Y3THmOnYMP9as=;\n b=MC797YCKQCByciRBD3634gFsjtKQ0E6Q2fjc8cuDkUTBTG/Ri2kaL+6b54DUTXmlg3\n cRoPnvDmJWn8GsebLgY+nnT1/2uWeK9j4hJgJlRhaRkqXyRWPJxjfvPh+HLGm3Xtb0Q5\n rig7nhMYjIKSTmAW9uUNJF7/nB5jm3RT84tMyeZQ662Pw0CFhduOvhSLmDLWz/gQ6ZZ4\n XvZHtZWgRROA4a18BGiR2d35RPEcSI5NYE3idQfPNuGlIj7pdFQETJO9iDVbZgbse1jq\n a/U6TbNJrHJGJGvjxcxA3yVogpxlZ4XAQUVvY9knG7S0Dr0PL3C+O5DBAI81bo5GZTNu\n WqQA=="],"X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777660451; x=1778265251;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=0U4em0sroFReNzax6pOfkO7oBtK1P9Y3THmOnYMP9as=;\n b=LAD/8wCOmqEe0cy/CSjgXvn8RSQJDm8OAYiOSEE6Qm323nfioEUpaZOEkZMWlZAxFL\n rKQLHUUNQ0X5hgN9qMNTiK2wUlDrj9U1m5mOGDZDMxRgac/GsxiAhr7RYG4MLLeHal7Z\n JJGRKqwLWDfd85xpn8LFQ+xDK0jsP3K9K7PddWVAbtFCoiuv6bJO0Oh+MgCBw0PwcSXn\n fGiEPW0b2CBjSQqf+9URSEGYTg8F99tS27fZtnQelWVEwkaudcccS66ir9Pfs5O9aPmh\n g9Q/kfi/zHgtTrBIWB0rRF1Evy3zTEruXIkFHYFnZc5xIUeumDZwLrrAKOi7EOBI6MYR\n meWA==","X-Gm-Message-State":"AOJu0Ywqj/D6iSeyo04+Nf41u3GujMRoxWdROXEpugCs963SmhI874Lq\n\tDR4gI80IbnPERTzR9STAE8mxGy8g0cFBf+xxKGZUy4hqU7ERDsUXTrk4BFiIhvWk","X-Gm-Gg":"AeBDieu56wMNYWqxeEtuosef4I5As9SLssGJJmLLvN8fQKgLpoN7uSilduxeqKk6toC\n\tbjy6Wr/0M24MNHxOEIJwpCwLrYVw8BphAxewm3yQn7z5nnOJUrU8oNunWn93n5EYh02bdznGLCy\n\tDB84CEmmB0E5ny1HLS/CHKqllrzyJQpgcaWnm2oRDApRZTU3gNlJSmjXIUgkoiot5rA9HVABZHj\n\t9o8HpE2EINvopxlpLRpFb4o1LOto7K/mP97NFDZkQMOq4I+/gpaFkTnUdWZimIigrtKZIBqxnXY\n\tK3BDI1yY9Ibk84TsyiXgbA3bPFC40Y15omx+wOSYX4ehKyrhBhFab2BK+eDF2Z0zFVn3UkDkfo8\n\tNzEy7fht9Sj3x9gyuOhkZ/A7qTqk3w2c1+z7TdD4z6JfOIOVU/y9uluHYIwQ+ImnrEaXTGYxri+\n\t1rPQ+QB7EHUXq1ZuR1llzutzN+j7XyInawIEVTCbe3cqeqxr/ZbHy3YjlpBiKROJoENClJxmAiZ\n\tlW1JqW/LxfkWbpR3rn2rQ==","X-Received":"by 2002:a05:6214:3012:b0:89c:ac72:2f6e with SMTP id\n 6a1803df08f44-8b6691f764amr11136456d6.43.1777660450740;\n Fri, 01 May 2026 11:34:10 -0700 (PDT)","From":"Raymond Mao ","To":"opensbi@lists.infradead.org","Cc":"scott@riscstar.com,\n\tdave.patel@riscstar.com,\n\traymond.mao@riscstar.com,\n\trobin.randhawa@sifive.com,\n\tsamuel.holland@sifive.com,\n\tanup.patel@qti.qualcomm.com,\n\tanuppate@qti.qualcomm.com,\n\tanup@brainfault.org,\n\tdhaval@rivosinc.com,\n\tpeter.lin@sifive.com","Subject":"[RFC PATCH 2/3] docs: document hwiso WorldGuard DT bindings and add\n QEMU overlay example","Date":"Fri, 1 May 2026 14:33:45 -0400","Message-Id":"<20260501183346.1596027-3-raymondmaoca@gmail.com>","X-Mailer":"git-send-email 2.25.1","In-Reply-To":"<20260501183346.1596027-1-raymondmaoca@gmail.com>","References":"<20260501183346.1596027-1-raymondmaoca@gmail.com>","MIME-Version":"1.0","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260501_113412_394178_06622970 ","X-CRM114-Status":"GOOD ( 18.88 )","X-Spam-Score":"-2.1 (--)","X-Spam-Report":"Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam. The original\n message has been attached to this so you can view it or label\n similar future email. If you have any questions, see\n the administrator of that system for details.\n Content preview: From: Raymond Mao Document the hw-isolation and\n worldguard_cfg\n device-tree metadata used by the HWISO framework, and provide a QEMU virt\n overlay example showing domain WID/WID list assignment and checker\n permission\n pol [...]\n Content analysis details: (-2.1 points, 5.0 required)\n pts rule name description\n ---- ----------------------\n --------------------------------------------------\n -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no\n trust\n [2607:f8b0:4864:20:0:0:0:f29 listed in]\n [list.dnswl.org]\n -0.0 SPF_PASS SPF: sender matches SPF record\n 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record\n -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from\n envelope-from domain\n -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from\n author's\n domain\n 0.1 DKIM_SIGNED Message has a DKIM or DK signature,\n not necessarily valid\n -0.1 DKIM_VALID Message has at least one valid DKIM or DK\n signature\n -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%\n [score: 0.0000]\n 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail\n provider\n [raymondmaoca(at)gmail.com]","X-BeenThere":"opensbi@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"\"opensbi\" ","Errors-To":"opensbi-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"},"content":"From: Raymond Mao \n\nDocument the hw-isolation and worldguard_cfg device-tree metadata used\nby the HWISO framework, and provide a QEMU virt overlay example showing\ndomain WID/WID list assignment and checker permission policy.\n\nSigned-off-by: Raymond Mao \n---\n docs/domain_support.md | 159 ++++++++++++++++++\n .../generic/virt/qemu-virt-hwiso-overlay.dts | 120 +++++++++++++\n 2 files changed, 279 insertions(+)\n create mode 100644 platform/generic/virt/qemu-virt-hwiso-overlay.dts","diff":"diff --git a/docs/domain_support.md b/docs/domain_support.md\nindex b34e43aa..d81f1bc6 100644\n--- a/docs/domain_support.md\n+++ b/docs/domain_support.md\n@@ -201,6 +201,165 @@ The DT properties of a domain instance DT node are as follows:\n whether the domain instance is allowed to do system reset.\n * **system-suspend-allowed** (Optional) - A boolean flag representing\n whether the domain instance is allowed to do system suspend.\n+* **hw-isolation** (Optional) - A child node acting as a container for\n+ system-level hardware isolation mechanisms. Each child node represents a\n+ single mechanism configured via its compatible string and properties.\n+\n+Hardware Isolation Hooks\n+------------------------\n+\n+OpenSBI provides a system-level hardware isolation framework that dispatches\n+all registered mechanisms in the following phases:\n+\n+* **init** - Runs at boot to configure system-level isolation features.\n+* **domain_init** - Parses per-domain isolation configuration.\n+* **domain_exit** - Runs before switching out of a domain.\n+* **domain_enter** - Runs after switching into a domain.\n+\n+Hardware Isolation Device Tree Binding\n+--------------------------------------\n+\n+The hardware isolation configuration is specified as an optional child node\n+named **hw-isolation** under a domain instance node. The **hw-isolation**\n+node is a container for one or more mechanism nodes.\n+\n+The DT properties of a hardware isolation container node are as follows:\n+\n+* **#address-cells** / **#size-cells** (Optional) - Standard container node\n+ properties. They are not interpreted by OpenSBI.\n+\n+Each hardware isolation mechanism has its own properties and compatible\n+string. A mechanism can either use per-domain properties below the domain\n+instance node, or parse system-level DT nodes describing isolation hardware.\n+\n+For the WorldGuard support on QEMU virt, OpenSBI parses the\n+following WG-style system nodes:\n+\n+* **sifive,wgchecker2** - WorldGuard checker node.\n+* **reg** - Checker MMIO base/size.\n+* **sifive,slot-count** - Number of hardware checker slots.\n+* **sifive,subordinates** - List of protected resource phandles owned by the\n+ checker.\n+* **worldguard_cfg** - Child node of a protected memory or device node\n+ describing WorldGuard policy for that resource.\n+* **perms** - 64-bit permission bitmap values encoded as **** cell\n+ pairs, with either one value for the whole resource or one value per\n+ protected range.\n+* **reg** - Optional protected address ranges inside a **worldguard_cfg**\n+ child. If omitted, the resource node's own **reg** is used. A single\n+ subordinate with one **perms** entry and no explicit **worldguard_cfg/reg**\n+ is treated as a full-checker rule.\n+* **worldguard** - Optional CPU child node compatible with **riscv,wgcpu**\n+ providing default WG execution state.\n+* **mwid** - Default machine world ID for a hart.\n+* **mwidlist** - Valid/delegable world IDs for that hart.\n+\n+Domain nodes can optionally provide WG execution metadata under the\n+**hw-isolation** container:\n+\n+* **worldguard,wid** - Machine world ID selected when entering the domain.\n+* **worldguard,widlist** - World IDs delegated to the domain.\n+\n+At runtime the WorldGuard implementation uses the hooks as follows:\n+\n+* **init** - Parses all WG checker nodes, validates the protected ranges, and\n+ programs checker MMIO slots at boot when platform checker nodes are\n+ present. Runtime WID/WID list support is enabled only when per-CPU WG\n+ runtime nodes are present; checker-only DTs do not force runtime\n+ switching on.\n+* **domain_init** - Parses per-domain **worldguard,wid** and\n+ **worldguard,widlist** metadata.\n+* **domain_exit** - Quiesces the current hart back to its per-hart default\n+ machine WID and clears **MWIDDELEG** before the handoff.\n+* **domain_enter** - Reprograms **MLWID**, **MWIDDELEG**, and, when\n+ delegation is active, **SLWID** for the destination domain when the hart\n+ supports **smwg** / **sswg**.\n+\n+The CPU **worldguard** defaults are parsed per hart from **/cpus/**, so\n+platforms may provide different default **mwid** / **mwidlist** values on\n+different harts.\n+\n+Hardware Isolation Examples\n+---------------------------\n+\n+Domain instance with WG execution metadata:\n+\n+```text\n+ chosen {\n+ opensbi-domains {\n+ compatible = \"opensbi,domain,config\";\n+\n+ example_domain: domain@1 {\n+ compatible = \"opensbi,domain,instance\";\n+ possible-harts = <&cpu2>;\n+ regions = <&mem0 0x3f>;\n+ boot-hart = <&cpu2>;\n+ next-addr = <0x00000000 0x80200000>;\n+ next-mode = <0x1>;\n+\n+ hw-isolation {\n+ worldguard {\n+ compatible = \"sifive,wgchecker2\";\n+ worldguard,wid = <1>;\n+ worldguard,widlist = <1 3>;\n+ };\n+ };\n+ };\n+ };\n+ };\n+```\n+\n+WG checker, CPU default state, and protected resource example. These nodes\n+remain in the normal system DT topology because they describe isolation\n+hardware and protected resources, not OpenSBI domain instances:\n+\n+```text\n+ cpu0: cpu@0 {\n+ worldguard {\n+ compatible = \"riscv,wgcpu\";\n+ mwid = <0>;\n+ mwidlist = <0 1 3>;\n+ };\n+ };\n+\n+ flash0: flash@20000000 {\n+ reg = <0x0 0x20000000 0x0 0x2000000>;\n+ worldguard_cfg {\n+ perms = <0x0 0xc3>;\n+ };\n+ };\n+\n+ uart0: serial@10000000 {\n+ reg = <0x0 0x10000000 0x0 0x100>;\n+ worldguard_cfg {\n+ perms = <0x0 0xc0>;\n+ };\n+ };\n+\n+ memory0: memory@80000000 {\n+ reg = <0x0 0x80000000 0x0 0x80000000>;\n+ worldguard_cfg {\n+ reg = <0x0 0x80000000 0x0 0x40000000\n+ 0x0 0xc0000000 0x0 0x01000000\n+ 0x0 0xc1000000 0x0 0x3f000000>;\n+ perms = <0x0 0xcf 0x0 0xcc 0x0 0xcf>;\n+ };\n+ };\n+\n+ wgchecker0: wgchecker@10100000 {\n+ compatible = \"sifive,wgchecker2\";\n+ reg = <0x0 0x10100000 0x0 0x1000>;\n+ sifive,slot-count = <8>;\n+ sifive,subordinates = <&memory0 &flash0 &uart0>;\n+ };\n+```\n+\n+The test overlay used in this tree is at:\n+\n+* **platform/generic/virt/qemu-virt-hwiso-overlay.dts**\n+\n+That overlay only adds per-domain and per-resource metadata. The base DTB\n+must still provide the WG checker nodes and per-CPU **worldguard** nodes.\n \n ### Assigning HART To Domain Instance\n \ndiff --git a/platform/generic/virt/qemu-virt-hwiso-overlay.dts b/platform/generic/virt/qemu-virt-hwiso-overlay.dts\nnew file mode 100644\nindex 00000000..63676abb\n--- /dev/null\n+++ b/platform/generic/virt/qemu-virt-hwiso-overlay.dts\n@@ -0,0 +1,120 @@\n+/dts-v1/;\n+/plugin/;\n+\n+/*\n+ * Test-only overlay for exercising HWISO with WorldGuard metadata.\n+ *\n+ * This overlay only adds OpenSBI domain metadata and worldguard_cfg resource\n+ * policy. The base DTB is expected to already provide the WG checker nodes\n+ * and per-CPU worldguard child nodes.\n+ *\n+ * Usage:\n+ * Domain hart phandles are filled in after merge because fdtoverlay does not\n+ * reliably resolve CPU-node references against QEMU dumpdtb output here.\n+ * See below steps for filling the domain hart phandles (assume the dumped dtb\n+ * and merged dtb are represented by 'qemu.dtb' and 'qemu-merged.dtb'\n+ * respectively):\n+ * cpu0_phandle=$(fdtget -t x qemu.dtb /cpus/cpu@0 phandle)\n+ * cpu1_phandle=$(fdtget -t x qemu.dtb /cpus/cpu@1 phandle)\n+ * fdtput -t x qemu-merged.dtb /chosen/opensbi-domains/domain@0 \\\n+ * possible-harts \"$cpu0_phandle\" \"$cpu1_phandle\"\n+ * fdtput -t x qemu-merged.dtb /chosen/opensbi-domains/domain@0 \\\n+ * boot-hart \"$cpu0_phandle\"\n+ * fdtput -t x qemu-merged.dtb /chosen/opensbi-domains/domain@1 \\\n+ * possible-harts \"$cpu1_phandle\"\n+ * fdtput -t x qemu-merged.dtb /chosen/opensbi-domains/domain@1 \\\n+ * boot-hart \"$cpu1_phandle\"\n+ */\n+/ {\n+\tfragment@0 {\n+\t\ttarget-path = \"/chosen\";\n+\t\t__overlay__ {\n+\t\t\topensbi-domains {\n+\t\t\t\tcompatible = \"opensbi,domain,config\";\n+\t\t\t\t#address-cells = <1>;\n+\t\t\t\t#size-cells = <0>;\n+\n+\t\t\t\tmemregion0: memregion@0 {\n+\t\t\t\t\tcompatible = \"opensbi,domain,memregion\";\n+\t\t\t\t\tbase = <0x00000000 0x80000000>;\n+\t\t\t\t\torder = <0x1f>;\n+\t\t\t\t};\n+\n+\t\t\t\tguest0: domain@0 {\n+\t\t\t\t\tcompatible = \"opensbi,domain,instance\";\n+\t\t\t\t\tregions = <&memregion0 0x3f>;\n+\t\t\t\t\tnext-addr = <0x00000000 0x80200000>;\n+\t\t\t\t\tnext-arg1 = <0x00000000 0x82200000>;\n+\t\t\t\t\tnext-mode = <0x1>;\n+\n+\t\t\t\t\thw-isolation {\n+\t\t\t\t\t\tworldguard {\n+\t\t\t\t\t\t\tcompatible = \"sifive,wgchecker2\";\n+\t\t\t\t\t\t\tworldguard,wid = <0>;\n+\t\t\t\t\t\t\tworldguard,widlist = <0 1 3>;\n+\t\t\t\t\t\t};\n+\t\t\t\t\t};\n+\t\t\t\t};\n+\n+\t\t\t\tguest1: domain@1 {\n+\t\t\t\t\tcompatible = \"opensbi,domain,instance\";\n+\t\t\t\t\tregions = <&memregion0 0x3f>;\n+\t\t\t\t\tnext-addr = <0x00000000 0x80200000>;\n+\t\t\t\t\tnext-mode = <0x1>;\n+\n+\t\t\t\t\thw-isolation {\n+\t\t\t\t\t\tworldguard {\n+\t\t\t\t\t\t\tcompatible = \"sifive,wgchecker2\";\n+\t\t\t\t\t\t\tworldguard,wid = <1>;\n+\t\t\t\t\t\t\tworldguard,widlist = <1 3>;\n+\t\t\t\t\t\t};\n+\t\t\t\t\t};\n+\t\t\t\t};\n+\t\t\t};\n+\t\t};\n+\t};\n+\n+\tfragment@1 {\n+\t\ttarget-path = \"/cpus/cpu@0\";\n+\t\t__overlay__ {\n+\t\t\topensbi-domain = <&guest0>;\n+\t\t};\n+\t};\n+\n+\tfragment@2 {\n+\t\ttarget-path = \"/cpus/cpu@1\";\n+\t\t__overlay__ {\n+\t\t\topensbi-domain = <&guest0>;\n+\t\t};\n+\t};\n+\n+\tfragment@3 {\n+\t\ttarget-path = \"/memory@80000000\";\n+\t\t__overlay__ {\n+\t\t\tworldguard_cfg {\n+\t\t\t\treg = <0x00000000 0x80000000 0x00000000 0x40000000\n+\t\t\t\t 0x00000000 0xc0000000 0x00000000 0x01000000\n+\t\t\t\t 0x00000000 0xc1000000 0x00000000 0x3f000000>;\n+\t\t\t\tperms = <0x0 0xcf 0x0 0xcc 0x0 0xcf>;\n+\t\t\t};\n+\t\t};\n+\t};\n+\n+\tfragment@4 {\n+\t\ttarget-path = \"/flash@20000000\";\n+\t\t__overlay__ {\n+\t\t\tworldguard_cfg {\n+\t\t\t\tperms = <0x0 0xc3>;\n+\t\t\t};\n+\t\t};\n+\t};\n+\n+\tfragment@5 {\n+\t\ttarget-path = \"/soc/serial@10000000\";\n+\t\t__overlay__ {\n+\t\t\tworldguard_cfg {\n+\t\t\t\tperms = <0x0 0xc0>;\n+\t\t\t};\n+\t\t};\n+\t};\n+};\n","prefixes":["RFC","2/3"]}