1. Patchew
  2. QEMU
  3. View series

[PATCH for-7.1] hw/arm/virt: Check for attempt to use TrustZone with KVM or HVF

Peter Maydell posted 1 patch 2 years, 1 month ago
Test checkpatch passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20220404155301.566542-1-peter.maydell@linaro.org
Maintainers: Peter Maydell <peter.maydell@linaro.org>
hw/arm/virt.c | 7 +++++++
1 file changed, 7 insertions(+)
[PATCH for-7.1] hw/arm/virt: Check for attempt to use TrustZone with KVM or HVF
Posted by Peter Maydell 2 years, 1 month ago 
It's not possible to provide the guest with the Security extensions
(TrustZone) when using KVM or HVF, because the hardware
virtualization extensions don't permit running EL3 guest code.
However, we weren't checking for this combination, with the result
that QEMU would assert if you tried it:

$ qemu-system-aarch64 -enable-kvm -machine virt,secure=on -cpu host -display none
Unexpected error in object_property_find_err() at ../../qom/object.c:1304:
qemu-system-aarch64: Property 'host-arm-cpu.secure-memory' not found
Aborted

Check for this combination of options and report an error, in the
same way we already do for attempts to give a KVM or HVF guest the
Virtualization or MTE extensions. Now we will report:

qemu-system-aarch64: mach-virt: KVM does not support providing Security extensions (TrustZone) to the guest CPU

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
Not a regression, so not worth fixing in 7.0.
---
 hw/arm/virt.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index d2e5ecd234a..8f94e2fde62 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -2048,6 +2048,13 @@ static void machvirt_init(MachineState *machine)
         exit(1);
     }
 
+    if (vms->secure && (kvm_enabled() || hvf_enabled())) {
+        error_report("mach-virt: %s does not support providing "
+                     "Security extensions (TrustZone) to the guest CPU",
+                     kvm_enabled() ? "KVM" : "HVF");
+        exit(1);
+    }
+
     if (vms->virt && (kvm_enabled() || hvf_enabled())) {
         error_report("mach-virt: %s does not support providing "
                      "Virtualization extensions to the guest CPU",
-- 
2.25.1
Re: [PATCH for-7.1] hw/arm/virt: Check for attempt to use TrustZone with KVM or HVF
Posted by Richard Henderson 2 years, 1 month ago 
On 4/4/22 10:53, Peter Maydell wrote:
> It's not possible to provide the guest with the Security extensions
> (TrustZone) when using KVM or HVF, because the hardware
> virtualization extensions don't permit running EL3 guest code.
> However, we weren't checking for this combination, with the result
> that QEMU would assert if you tried it:
> 
> $ qemu-system-aarch64 -enable-kvm -machine virt,secure=on -cpu host -display none
> Unexpected error in object_property_find_err() at ../../qom/object.c:1304:
> qemu-system-aarch64: Property 'host-arm-cpu.secure-memory' not found
> Aborted
> 
> Check for this combination of options and report an error, in the
> same way we already do for attempts to give a KVM or HVF guest the
> Virtualization or MTE extensions. Now we will report:
> 
> qemu-system-aarch64: mach-virt: KVM does not support providing Security extensions (TrustZone) to the guest CPU
> 
> Signed-off-by: Peter Maydell<peter.maydell@linaro.org>
> ---
> Not a regression, so not worth fixing in 7.0.
> ---
>   hw/arm/virt.c | 7 +++++++
>   1 file changed, 7 insertions(+)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.