On 8 March 2016 at 19:14, Paolo Bonzini <pbonz...@redhat.com> wrote:
>
>
> On 08/03/2016 13:13, Ard Biesheuvel wrote:
>> > As far as this QEMU port is concerned, having some flash in secure and
>> > some in non-secure is going to be useful regardless, and 64 MB is
>> > plenty for both the code and the data. So if users of the Trustzone
>> > port (which is disjoint from the KVM port in any case) can tolerate
>> > having the code and the variables in the same pflash file, I could
>> > simply move the code into the second flash, and we could reserve the
>> > first flash for secure (so it sits at physical address 0x0
>>
>> Uhm, actually, the code is not even in the flash to begin with. So
>> having the second bank be non-secure only makes perfect sense imo
>
> Interesting, where is the code?
>
The UEFI code is loaded into DRAM by the secure firmware, and relocated and executed from there.