+    /* For PV domains we only support rw, rx, rx2rw, rwx access permissions */

There is a bit of discrepancy between the comment and the code here. Also, could you briefly explain why only these permissions are supported?

I will add “r” to the comment.

Only these permissions are supported as the regular page tables unlike extended page tables (EPT) does not have an explicit R bit. It only has a present bit and hence there is no easy way to do permissions like execute only. And of course permissions like write or write-execute cannot be supported in both cases.

+    if ( unlikely(p2ma != p2m_access_r &&
+                  p2ma != p2m_access_rw &&
+                  p2ma != p2m_access_rx &&
+                  p2ma != p2m_access_rwx &&
+                  p2ma != p2m_access_rx2rw) )
+        return -EINVAL;

+    /* For PV domains we only support r, rw, rx, rwx access permissions */

Code/comment discrepancy again.

I will add “rx2rw” to the comment.

+    if ( p2m->default_access != p2m_access_r &&
+         p2m->default_access != p2m_access_rw &&
+         p2m->default_access != p2m_access_rx &&
+         p2m->default_access != p2m_access_rwx &&
+         p2m->default_access != p2m_access_rx2rw )
+        return -EINVAL;
+