Re: [Qemu-devel] [PATCH 0/4] virt: provide secure-only RAM and first flash

[Paolo Bonzini]

On 12/02/2016 15:45, Peter Maydell wrote:
> This patchset adds some more secure-only devices to the virt board:
>  (1) a 16MB secure-only RAM
>  (2) the first flash device is secure-only
> 
> The second of these is strictly speaking a breaking change, but I don't
> expect it in practice to break anybody:
>  (a) there's not much use of the secure support in virt yet
>  (b) anything booting a rom image from that flash if TZ is enabled
>   will be booting it in Secure mode anyway so will be able to access
>   the code -- the only thing that would stop working would be if the
>   guest flipped to NS and still expected to be able to access the flash
> 
> The second flash device remains NS-accessible (with the expectation that
> it will be used for NS UEFI environment variable storage).

I think that, if UEFI secure boot is in use, the UEFI environment
variables should also be only accessible from TrustZone, because they
store the key database.  At least that's how it works on x86, where both
pflash devices have the secure=on flag.

Paolo