Re: [Qemu-devel] [PATCH 0/4] virt: provide secure-only RAM and first flash

From: Peter Maydell <peter.maydell@linaro.org>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	qemu-arm <qemu-arm@nongnu.org>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	QEMU Developers <qemu-devel@nongnu.org>,
	Markus Armbruster <armbru@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 0/4] virt: provide secure-only RAM and first flash
Date: Tue, 8 Mar 2016 06:34:07 +0700	[thread overview]
Message-ID: <CAFEAcA8C2VzkD=87W5Jn7X523cFZLZL6onxjKDoOcZsCPMQxZw@mail.gmail.com> (raw)
In-Reply-To: <56DD9C58.7050306@redhat.com>

On 7 March 2016 at 22:20, Paolo Bonzini <pbonzini@redhat.com> wrote:
>
>
> On 12/02/2016 15:45, Peter Maydell wrote:
>> This patchset adds some more secure-only devices to the virt board:
>>  (1) a 16MB secure-only RAM
>>  (2) the first flash device is secure-only
>>
>> The second of these is strictly speaking a breaking change, but I don't
>> expect it in practice to break anybody:
>>  (a) there's not much use of the secure support in virt yet
>>  (b) anything booting a rom image from that flash if TZ is enabled
>>   will be booting it in Secure mode anyway so will be able to access
>>   the code -- the only thing that would stop working would be if the
>>   guest flipped to NS and still expected to be able to access the flash
>>
>> The second flash device remains NS-accessible (with the expectation that
>> it will be used for NS UEFI environment variable storage).
>
> I think that, if UEFI secure boot is in use, the UEFI environment
> variables should also be only accessible from TrustZone, because they
> store the key database.  At least that's how it works on x86, where both
> pflash devices have the secure=on flag.

If I understand the setup that is being used correctly, UEFI runs
in Non-secure, so making the second flash device secure would mean
it could not access it.

Ard, do I have that right?

thanks
-- PMM