Two Hypervisors, One SoC: Replacing Hafnium with 30K Lines of Rust

Two Hypervisors, One SoC: Replacing Hafnium with 30K Lines of Rust Over about 10 weeks, I built a bare-metal SPMC at S-EL2 that boots Linux, manages Secure Partitions, and runs alongside Android pKVM on the same SoC. I built an ARM64 hypervisor that runs next to Google's pKVM on the same chip. pKVM takes the Normal world at NS-EL2. My hypervisor takes the Secure world at S-EL2. They coordinate through ARM's FF-A protocol, relayed by EL3 firmware. 35 end-to-end tests pass through the full four-level stack: Linux kernel module → pKVM → TF-A → my SPMC → Secure Partitions → and back. The Secure side already had an implementation: Hafnium , Google's reference SPMC. It's 200K+ lines of C. I replaced it with 30,000 lines of no_std Rust — no runtime, no allocator crate, one dependency (a DTB parser). It boots Linux to a BusyBox shell, manages three Secure Partitions, and handles FF-A v1.1 messaging and memory sharing. I'll walk through the architecture, the parts that were genuinely hard, and