From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53911)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1adI1j-0006MY-Cz
	for qemu-devel@nongnu.org; Tue, 08 Mar 2016 08:50:20 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1adI1f-0003Fv-Jb
	for qemu-devel@nongnu.org; Tue, 08 Mar 2016 08:50:19 -0500
Received: from mail-vk0-x22e.google.com ([2607:f8b0:400c:c05::22e]:32807)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1adI1f-0003Fi-F8
	for qemu-devel@nongnu.org; Tue, 08 Mar 2016 08:50:15 -0500
Received: by mail-vk0-x22e.google.com with SMTP id k1so16851276vkb.0
	for <qemu-devel@nongnu.org>; Tue, 08 Mar 2016 05:50:15 -0800 (PST)
MIME-Version: 1.0
In-Reply-To: <CAKv+Gu-joM8MqtM=G_F7NLZEwpxLBMPeqimDwZv7yivTjYBFVQ@mail.gmail.com>
References: <1455288361-30117-1-git-send-email-peter.maydell@linaro.org>
	<56DD9C58.7050306@redhat.com>
	<CAFEAcA8C2VzkD=87W5Jn7X523cFZLZL6onxjKDoOcZsCPMQxZw@mail.gmail.com>
	<56DEBF6A.6070809@redhat.com>
	<CAKv+Gu9LzTTzdw5CSCDfpCyjSgB2h6+KawTTJQXSqJ7mhV_YdQ@mail.gmail.com>
	<CAKv+Gu8OgSK5+X71GLrvWLkcGcQ9=MuwOuFAsQroQTa3bWbHNA@mail.gmail.com>
	<56DEC234.70907@redhat.com>
	<CAKv+Gu-joM8MqtM=G_F7NLZEwpxLBMPeqimDwZv7yivTjYBFVQ@mail.gmail.com>
From: Peter Maydell <peter.maydell@linaro.org>
Date: Tue, 8 Mar 2016 20:49:55 +0700
Message-ID: <CAFEAcA8Pk_fBR_v8gg0-oX7nvJ88WRnr-d-uEMTdLfsWMNeESQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [Qemu-devel] [PATCH 0/4] virt: provide secure-only RAM and
	first flash
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>, qemu-arm <qemu-arm@nongnu.org>, "Michael S. Tsirkin" <mst@redhat.com>, QEMU Developers <qemu-devel@nongnu.org>, Markus Armbruster <armbru@redhat.com>

On 8 March 2016 at 19:16, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> The UEFI code is loaded into DRAM by the secure firmware, and
> relocated and executed from there.

Incidentally, since we're using the semihosting API to do this at
the moment, this makes the whole thing completely dependent on the
nonsecure guest not being badly behaved, because NS EL1 can happily
make its own semihosting calls which do interesting things like
read and write arbitrary host files.

Presumably one could in theory configure ATF to use something
more sensible (like having the various blobs it loads be
stuffed into the flash with it, or loaded off an emulated disk
or something). But the current use case is as a development
tool for the firmware and secure apps and so on, not something
intended to contain malicious code. Making the flash, ram, etc
secure-only is worthwhile because it exposes plausible bugs
in the guest code being developed.

thanks
-- PMM