On Thu, Jul 16, 2015 at 1:11 PM, Peter Maydell <peter.mayd...@linaro.org> wrote:
> Switch the default for the 'virt' board to not providing TrustZone
> support in either the CPU or the GIC. This is primarily for the
> benefit of UEFI, which currently assumes there is no TrustZone
> support, and does not set the GIC up correctly if it is TZ-aware.
> It also means the board is consistent about its behaviour whether
> we're using KVM or TCG (KVM never has TrustZone support).
>
> If TrustZone support is required (for instance for running test
> suites or TZ-aware firmware) it can be enabled with the
> "-machine secure=on" command line option.
>
> Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Peter Crosthwaite <crosthwaite.pe...@gmail.com> > --- > hw/arm/virt.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/hw/arm/virt.c b/hw/arm/virt.c > index 95b1a9a..2bcf565 100644 > --- a/hw/arm/virt.c > +++ b/hw/arm/virt.c > @@ -946,8 +946,11 @@ static void virt_instance_init(Object *obj) > { > VirtMachineState *vms = VIRT_MACHINE(obj); > > - /* EL3 is enabled by default on virt */ > - vms->secure = true; > + /* EL3 is disabled by default on virt: this makes us consistent > + * between KVM and TCG for this board, and it also allows us to > + * boot UEFI blobs which assume no TrustZone support. > + */ > + vms->secure = false; > object_property_add_bool(obj, "secure", virt_get_secure, > virt_set_secure, NULL); > object_property_set_description(obj, "secure", > -- > 1.9.1 > >
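Review bot: The new comment above "vms->secure = false;" in virt_instance_init() says why EL3 is now off but not how to get it back. Because this flips the default for every existing command line that omits the option, a guest or test suite that relied on TrustZone being present will silently run without it. Consider adding one line to the comment that points at "-machine secure=on", as the commit message already does. It is also worth checking that the string passed to object_property_set_description() just below, which is cut off in this hunk's trailing context, still describes the property correctly with the new default.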