From 1370fd56ec771f16197f255c25c910e9386ac587 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Date: Tue, 1 Jul 2025 15:08:34 +0100
Subject: [PATCH] hw/arm/virt: Make EL3-guest accel check an accept-list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Currently only the TCG and qtest accelerators can handle an EL3
guest.  Instead of making the condition check be "fail if KVM or HVF"
(an exclude-list), make it a be "allow if TCG or qtest" (an
accept-list).

This is better for if/when we add new accelerators, as it makes the
default be that we forbid an EL3 guest.  This is the most likely to
be correct and also "fails safe"; if the new accelerator really can
support EL3 guests then the implementor will see that they need to
add it to the accept-list.

Reported-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20250623121845.7214-19-philmd@linaro.org
[PMM: rewrote commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index ae419e86712..b3b1c6df7fa 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -2200,7 +2200,7 @@ static void machvirt_init(MachineState *machine)
         exit(1);
     }
 
-    if (vms->secure && (kvm_enabled() || hvf_enabled())) {
+    if (vms->secure && !tcg_enabled() && !qtest_enabled()) {
         error_report("mach-virt: %s does not support providing "
                      "Security extensions (TrustZone) to the guest CPU",
                      current_accel_name());
-- 
2.47.2