From 2d710006a0da4a9b7ddf5c02d072e178906d0ef6 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 8 Sep 2015 17:38:44 +0100 Subject: hw/arm/virt: Default to not providing TrustZone support Switch the default for the 'virt' board to not providing TrustZone support in either the CPU or the GIC. This is primarily for the benefit of UEFI, which currently assumes there is no TrustZone support, and does not set the GIC up correctly if it is TZ-aware. It also means the board is consistent about its behaviour whether we're using KVM or TCG (KVM never has TrustZone support). If TrustZone support is required (for instance for running test suites or TZ-aware firmware) it can be enabled with the "-machine secure=on" command line option. Signed-off-by: Peter Maydell Reviewed-by: Peter Crosthwaite Reviewed-by: Peter Maydell Reviewed-by: Edgar E. Iglesias Tested-by: Edgar E. Iglesias Message-id: 1441383782-24378-6-git-send-email-peter.maydell@linaro.org --- hw/arm/virt.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'hw/arm/virt.c') diff --git a/hw/arm/virt.c b/hw/arm/virt.c index 91e45e04a1..a067748481 100644 --- a/hw/arm/virt.c +++ b/hw/arm/virt.c @@ -1044,8 +1044,11 @@ static void virt_instance_init(Object *obj) { VirtMachineState *vms = VIRT_MACHINE(obj); - /* EL3 is enabled by default on virt */ - vms->secure = true; + /* EL3 is disabled by default on virt: this makes us consistent + * between KVM and TCG for this board, and it also allows us to + * boot UEFI blobs which assume no TrustZone support. + */ + vms->secure = false; object_property_add_bool(obj, "secure", virt_get_secure, virt_set_secure, NULL); object_property_set_description(obj, "secure", -- cgit 1.4.1 From 0e21f183ca2d000bbda1fb63959a3d41a1c3ff42 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 8 Sep 2015 17:38:44 +0100 Subject: hw/arm/virt: Enable TZ extensions on the GIC if we are using them If we're creating a board with support for TrustZone, then enable it on the GIC model as well as on the CPUs. Signed-off-by: Peter Maydell Reviewed-by: Peter Crosthwaite Reviewed-by: Peter Maydell Reviewed-by: Edgar E. Iglesias Tested-by: Edgar E. Iglesias Message-id: 1441383782-24378-7-git-send-email-peter.maydell@linaro.org --- hw/arm/virt.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'hw/arm/virt.c') diff --git a/hw/arm/virt.c b/hw/arm/virt.c index a067748481..e9324f56bd 100644 --- a/hw/arm/virt.c +++ b/hw/arm/virt.c @@ -396,7 +396,7 @@ static void create_v2m(VirtBoardInfo *vbi, qemu_irq *pic) fdt_add_v2m_gic_node(vbi); } -static void create_gic(VirtBoardInfo *vbi, qemu_irq *pic) +static void create_gic(VirtBoardInfo *vbi, qemu_irq *pic, bool secure) { /* We create a standalone GIC v2 */ DeviceState *gicdev; @@ -413,6 +413,9 @@ static void create_gic(VirtBoardInfo *vbi, qemu_irq *pic) * interrupts; there are always 32 of the former (mandated by GIC spec). */ qdev_prop_set_uint32(gicdev, "num-irq", NUM_IRQS + 32); + if (!kvm_irqchip_in_kernel()) { + qdev_prop_set_bit(gicdev, "has-security-extensions", secure); + } qdev_init_nofail(gicdev); gicbusdev = SYS_BUS_DEVICE(gicdev); sysbus_mmio_map(gicbusdev, 0, vbi->memmap[VIRT_GIC_DIST].base); @@ -967,7 +970,7 @@ static void machvirt_init(MachineState *machine) create_flash(vbi); - create_gic(vbi, pic); + create_gic(vbi, pic, vms->secure); create_uart(vbi, pic); -- cgit 1.4.1