* [PATCH for-7.1] hw/arm/virt: Check for attempt to use TrustZone with KVM or HVF
@ 2022-04-04 15:53 Peter Maydell
  2022-04-04 17:07 ` Richard Henderson
From: Peter Maydell @ 2022-04-04 15:53 UTC (permalink / raw)
  To: qemu-arm, qemu-devel

It's not possible to provide the guest with the Security extensions
(TrustZone) when using KVM or HVF, because the hardware
virtualization extensions don't permit running EL3 guest code.
However, we weren't checking for this combination, with the result
that QEMU would assert if you tried it:

$ qemu-system-aarch64 -enable-kvm -machine virt,secure=on -cpu host -display none
Unexpected error in object_property_find_err() at ../../qom/object.c:1304:
qemu-system-aarch64: Property 'host-arm-cpu.secure-memory' not found
Aborted

Check for this combination of options and report an error, in the
same way we already do for attempts to give a KVM or HVF guest the
Virtualization or MTE extensions. Now we will report:

qemu-system-aarch64: mach-virt: KVM does not support providing Security extensions (TrustZone) to the guest CPU

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
Not a regression, so not worth fixing in 7.0.
---
 hw/arm/virt.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index d2e5ecd234a..8f94e2fde62 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -2048,6 +2048,13 @@ static void machvirt_init(MachineState *machine)
         exit(1);
     }
 
+    if (vms->secure && (kvm_enabled() || hvf_enabled())) {
+        error_report("mach-virt: %s does not support providing "
+                     "Security extensions (TrustZone) to the guest CPU",
+                     kvm_enabled() ? "KVM" : "HVF");
+        exit(1);
+    }
+
     if (vms->virt && (kvm_enabled() || hvf_enabled())) {
         error_report("mach-virt: %s does not support providing "
                      "Virtualization extensions to the guest CPU",
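Review bot: the error_report() text in the new block names the extension being refused but not the machine option that requested it, while the failing invocation in the commit message is `-machine virt,secure=on`; consider including the option in the message (for example "... (TrustZone) to the guest CPU; use secure=off") so a user can map the error straight back to their command line, since the same applies to the existing `vms->virt` check immediately below, which names "Virtualization extensions" rather than `virtualization=on`. The placement before the `vms->virt` check means only the first offending option is reported when both are set, which matches how the existing checks already behave, and the `kvm_enabled() ? "KVM" : "HVF"` selection is consistent with the guard condition.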
-- 
2.25.1



^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH for-7.1] hw/arm/virt: Check for attempt to use TrustZone with KVM or HVF
  2022-04-04 15:53 [PATCH for-7.1] hw/arm/virt: Check for attempt to use TrustZone with KVM or HVF Peter Maydell
@ 2022-04-04 17:07 ` Richard Henderson
From: Richard Henderson @ 2022-04-04 17:07 UTC (permalink / raw)
  To: Peter Maydell, qemu-arm, qemu-devel

On 4/4/22 10:53, Peter Maydell wrote:
> It's not possible to provide the guest with the Security extensions
> (TrustZone) when using KVM or HVF, because the hardware
> virtualization extensions don't permit running EL3 guest code.
> However, we weren't checking for this combination, with the result
> that QEMU would assert if you tried it:
> 
> $ qemu-system-aarch64 -enable-kvm -machine virt,secure=on -cpu host -display none
> Unexpected error in object_property_find_err() at ../../qom/object.c:1304:
> qemu-system-aarch64: Property 'host-arm-cpu.secure-memory' not found
> Aborted
> 
> Check for this combination of options and report an error, in the
> same way we already do for attempts to give a KVM or HVF guest the
> Virtualization or MTE extensions. Now we will report:
> 
> qemu-system-aarch64: mach-virt: KVM does not support providing Security extensions (TrustZone) to the guest CPU
> 
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> Not a regression, so not worth fixing in 7.0.
> ---
>   hw/arm/virt.c | 7 +++++++
>   1 file changed, 7 insertions(+)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~


^ permalink raw reply	[flat|nested] 2+ messages in thread
