Date: Thu, 9 Apr 2015 23:58:28 +1000
From: "Edgar E. Iglesias"
Subject: Re: [Qemu-devel] [RFC PATCH 0/3] pflash_cfi01: allow reading/writing it only in secure mode
To: Paolo Bonzini
Cc: Peter Maydell, Peter Crosthwaite, Laszlo Ersek, QEMU Developers, Gerd Hoffmann

On Thu, Apr 09, 2015 at 03:06:39PM +0200, Paolo Bonzini wrote:
>
> On 09/04/2015 14:47, Peter Maydell wrote:
> > On 9 April 2015 at 13:20, Paolo Bonzini wrote:
> >> This is an example of usage of attributes in a device model. It lets
> >> you block flash writes unless the CPU is in secure mode. Enabling it
> >> currently requires a -readconfig file:
> >>
> >>   [global]
> >>     driver = "cfi.pflash01"
> >>     property = "secure"
> >>     value = "on"
> >>
> >> because the driver includes a "."; however, I plan to enable this through
> >> the command line for the final version of the patches.
> >
> > Are real flash devices ever wired up like this?
>
> On x86 machines it is almost exactly like this. I'm implementing x86
> system management mode, and I'm reusing MEMTXATTRS_SECURE for it.
>
> Recent x86 chipsets make this a run-time setting, rather than a static
> setting, but the idea is the same. It is a run-time setting (chipset
> register) so that the firmware can do some initial detection of the
> flash outside system management mode. Then it writes a 1 to the
> register, and finally it writes a 1 to a "lock" register so that the
> first register becomes read-only.
>
> The above scheme was actually more complicated, and allowed a race that
> let you bypass the protection. So, even more recent machines have some
> additional complication, whereby flash accesses are only allowed if
> _all_ processors are in system management mode. Again, it is a run-time
> setting.
>
> QEMU emulates a slightly older chipset, which is why I'm making it a
> static property. The static property is also much harder to get wrong
> and insecure by mistake.

Hi Paolo,

How would this work with XIP off the romd region? Without s/ns address
spaces, CPUs in NS state will be able to execute and access data while in
ROMD state won't they?

I may be missing something...

Cheers,
Edgar
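The chipset-side scheme Paolo describes (a run-time "SMM only" register, a lock register that makes it read-only, and the later "all CPUs must be in SMM" policy), as an added stand-alone model written for this thread. It is not QEMU code and not the patch series; `chipset_t`, `set_smm_only`, `set_lock`, `flash_access_allowed` and `flash_write` are hypothetical names, and the originating CPU's SMM state stands in for the secure transaction attribute.

```c
#include <stdbool.h>
#include <stdint.h>

#define NCPU 2

/* Hypothetical chipset state: run-time "SMM only" register, its lock, and
 * the newer "all CPUs must be in SMM" policy. Not QEMU code. */
typedef struct {
    bool smm_only;
    bool locked;
    bool require_all_cpus;
    bool in_smm[NCPU];
    uint8_t flash[8];
} chipset_t;

/* Firmware write to the SMM-only register; ignored once the lock is set. */
bool set_smm_only(chipset_t *c, bool v)
{
    if (c->locked) return false;   /* register became read-only */
    c->smm_only = v;
    return true;
}

void set_lock(chipset_t *c) { c->locked = true; }

/* Access check; the CPU's SMM state stands in for the secure attribute. */
bool flash_access_allowed(const chipset_t *c, int cpu)
{
    if (!c->smm_only) return true; /* detection phase: open to all */
    if (c->require_all_cpus) {
        for (int i = 0; i < NCPU; i++) {
            if (!c->in_smm[i]) return false;
        }
        return true;
    }
    return c->in_smm[cpu];
}

/* Write one byte; returns whether the write reached the flash array. */
bool flash_write(chipset_t *c, int cpu, unsigned addr, uint8_t val)
{
    if (addr >= sizeof c->flash || !flash_access_allowed(c, cpu)) return false;
    c->flash[addr] = val;
    return true;
}
```

The firmware sequence from the mail is then: detect the flash with `smm_only` clear, call `set_smm_only(&c, true)`, then `set_lock(&c)`; after the lock any further `set_smm_only` call is a no-op, and with `require_all_cpus` set a single CPU outside SMM blocks access for every CPU.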