From: Peter Maydell
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: Richard Henderson
Subject: [PATCH v2 1/2] target/arm: Don't allow stage 2 page table walks to downgrade to NS
Date: Thu, 4 May 2023 14:54:24 +0100
Message-Id: <20230504135425.2748672-2-peter.maydell@linaro.org>
In-Reply-To: <20230504135425.2748672-1-peter.maydell@linaro.org>
References: <20230504135425.2748672-1-peter.maydell@linaro.org>

Bit 63 in a Table descriptor is only the NSTable bit for stage 1 translations; in stage 2 it is RES0. We were incorrectly looking at it all the time.

This causes problems if:
 * the stage 2 table descriptor was incorrectly setting the RES0 bit
 * we are doing a stage 2 translation in Secure address space for a NonSecure stage 1 regime -- in this case we would incorrectly do an immediate downgrade to NonSecure

A bug elsewhere in the code currently prevents us from getting to the second situation, but when we fix that it will be possible.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell
Reviewed-by: Richard Henderson
Reviewed-by: Philippe Mathieu-Daudé
--- target/arm/ptw.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index bd75da8dbcf..8ac6d9b1d0c 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c
@@ -1415,17 +1415,18 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1= Translate *ptw, descaddrmask &=3D ~indexmask_grainsize; =20 /* - * Secure accesses start with the page table in secure memory and + * Secure stage 1 accesses start with the page table in secure memory = and * can be downgraded to non-secure at any step. Non-secure accesses * remain non-secure. We implement this by just ORing in the NSTable/NS * bits at each step. + * Stage 2 never gets this kind of downgrade. */ tableattrs =3D is_secure ? 0 : (1 << 4); =20 next_level: descaddr |=3D (address >> (stride * (4 - level))) & indexmask; descaddr &=3D ~7ULL; - nstable =3D extract32(tableattrs, 4, 1); + nstable =3D !regime_is_stage2(mmu_idx) && extract32(tableattrs, 4, 1); if (nstable) { /* * Stage2_S -> Stage2 or Phys_S -> Phys_NS --=20 2.34.1
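Review bot: In get_phys_addr_lpae() the stage 2 guard is applied only where nstable is read at next_level, while tableattrs is still initialised to (1 << 4) for non-secure walks and the comment still says the NSTable/NS bits are ORed in at each step. Bit 4 of tableattrs can therefore still be set during a stage 2 walk, and any other reader of tableattrs would see it. Consider masking the bit where it is merged into tableattrs for stage 2, or say in the comment that bit 4 is ignored for stage 2. It is also worth confirming that skipping the "if (nstable)" block is a no-op for a NonSecure stage 2 walk, since before this change that walk entered the block with nstable set from the initial value.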
From: Peter Maydell
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: Richard Henderson
Subject: [PATCH v2 2/2] target/arm: Fix handling of SW and NSW bits for stage 2 walks
Date: Thu, 4 May 2023 14:54:25 +0100
Message-Id: <20230504135425.2748672-3-peter.maydell@linaro.org>
In-Reply-To: <20230504135425.2748672-1-peter.maydell@linaro.org>
References: <20230504135425.2748672-1-peter.maydell@linaro.org>

We currently don't correctly handle the VSTCR_EL2.SW and VTCR_EL2.NSW configuration bits. These allow configuration of whether the stage 2 page table walks for Secure IPA and NonSecure IPA should do their descriptor reads from Secure or NonSecure physical addresses. (This is separate from how the translation table base address and other parameters are set: an NS IPA always uses VTTBR_EL2 and VTCR_EL2 for its base address and walk parameters, regardless of the NSW bit, and similarly for Secure.)

Provide a new function ptw_idx_for_stage_2() which returns the MMU index to use for descriptor reads, and use it to set up the .in_ptw_idx wherever we call get_phys_addr_lpae().

For a stage 2 walk, wherever we call get_phys_addr_lpae():
 * .in_ptw_idx should be ptw_idx_for_stage_2() of the .in_mmu_idx
 * .in_secure should be true if .in_mmu_idx is Stage2_S

This allows us to correct S1_ptw_translate() so that it consistently always sets its (out_secure, out_phys) to the result it gets from the S2 walk (either by calling get_phys_addr_lpae() or by TLB lookup). This makes better conceptual sense because the S2 walk should return us an (address space, address) tuple, not an address that we then randomly assign to S or NS.

Our previous handling of SW and NSW was broken, so guest code trying to use these bits to put the s2 page tables in the "other" address space wouldn't work correctly.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1600
Signed-off-by: Peter Maydell
Reviewed-by: Richard Henderson
--- target/arm/ptw.c | 76 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 51 insertions(+), 25 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index 8ac6d9b1d0c..a89aa70b8b2 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c
@@ -103,6 +103,37 @@ ARMMMUIdx arm_stage1_mmu_idx(CPUARMState *env) return stage_1_mmu_idx(arm_mmu_idx(env)); } =20 +/* + * Return where we should do ptw loads from for a stage 2 walk. + * This depends on whether the address we are looking up is a + * Secure IPA or a NonSecure IPA, which we know from whether this is + * Stage2 or Stage2_S. + * If this is the Secure EL1&0 regime we need to check the NSW and SW bits. + */ +static ARMMMUIdx ptw_idx_for_stage_2(CPUARMState *env, ARMMMUIdx stage2idx) +{ + bool s2walk_secure; + + /* + * We're OK to check the current state of the CPU here because + * (1) we always invalidate all TLBs when the SCR_EL3.NS bit changes + * (2) there's no way to do a lookup that cares about Stage 2 for a + * different security state to the current one for AArch64, and AArch32 + * never has a secure EL2. (AArch32 ATS12NSO[UP][RW] allow EL3 to do + * an NS stage 1+2 lookup while the NS bit is 0.) + */ + if (!arm_is_secure_below_el3(env) || !arm_el_is_aa64(env, 3)) { + return ARMMMUIdx_Phys_NS; + } + if (stage2idx =3D=3D ARMMMUIdx_Stage2_S) { + s2walk_secure =3D !(env->cp15.vstcr_el2 & VSTCR_SW); + } else { + s2walk_secure =3D !(env->cp15.vtcr_el2 & VTCR_NSW); + } + return s2walk_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS; + +} + static bool regime_translation_big_endian(CPUARMState *env, ARMMMUIdx mmu_= idx) { return (regime_sctlr(env, mmu_idx) & SCTLR_EE) !=3D 0; @@ -220,7 +251,6 @@ static bool S1_ptw_translate(CPUARMState *env, S1Transl= ate *ptw, ARMMMUIdx mmu_idx =3D ptw->in_mmu_idx; ARMMMUIdx s2_mmu_idx =3D ptw->in_ptw_idx; uint8_t pte_attrs; - bool pte_secure; =20 ptw->out_virt =3D addr; =20 
@@ -232,8 +262,8 @@ static bool S1_ptw_translate(CPUARMState *env, S1Transl= ate *ptw, if (regime_is_stage2(s2_mmu_idx)) { S1Translate s2ptw =3D { .in_mmu_idx =3D s2_mmu_idx, - .in_ptw_idx =3D is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_P= hys_NS, - .in_secure =3D is_secure, + .in_ptw_idx =3D ptw_idx_for_stage_2(env, s2_mmu_idx), + .in_secure =3D s2_mmu_idx =3D=3D ARMMMUIdx_Stage2_S, .in_debug =3D true, }; GetPhysAddrResult s2 =3D { }; @@ -244,12 +274,12 @@ static bool S1_ptw_translate(CPUARMState *env, S1Tran= slate *ptw, } ptw->out_phys =3D s2.f.phys_addr; pte_attrs =3D s2.cacheattrs.attrs; - pte_secure =3D s2.f.attrs.secure; + ptw->out_secure =3D s2.f.attrs.secure; } else { /* Regime is physical. */ ptw->out_phys =3D addr; pte_attrs =3D 0; - pte_secure =3D is_secure; + ptw->out_secure =3D s2_mmu_idx =3D=3D ARMMMUIdx_Phys_S; } ptw->out_host =3D NULL; ptw->out_rw =3D false; @@ -270,7 +300,7 @@ static bool S1_ptw_translate(CPUARMState *env, S1Transl= ate *ptw, ptw->out_phys =3D full->phys_addr | (addr & ~TARGET_PAGE_MASK); ptw->out_rw =3D full->prot & PAGE_WRITE; pte_attrs =3D full->pte_attrs; - pte_secure =3D full->attrs.secure; + ptw->out_secure =3D full->attrs.secure; #else g_assert_not_reached(); #endif @@ -293,11 +323,6 @@ static bool S1_ptw_translate(CPUARMState *env, S1Trans= late *ptw, } } =20 - /* Check if page table walk is to secure or non-secure PA space. */ - ptw->out_secure =3D (is_secure - && !(pte_secure - ? env->cp15.vstcr_el2 & VSTCR_SW - : env->cp15.vtcr_el2 & VTCR_NSW)); ptw->out_be =3D regime_translation_big_endian(env, mmu_idx); return true; =20 @@ -2726,7 +2751,7 @@ static bool get_phys_addr_twostage(CPUARMState *env, = S1Translate *ptw, hwaddr ipa; int s1_prot, s1_lgpgsz; bool is_secure =3D ptw->in_secure; - bool ret, ipa_secure, s2walk_secure; + bool ret, ipa_secure; ARMCacheAttrs cacheattrs1; bool is_el0; uint64_t hcr; 
@@ -2740,20 +2765,11 @@ static bool get_phys_addr_twostage(CPUARMState *env= , S1Translate *ptw, =20 ipa =3D result->f.phys_addr; ipa_secure =3D result->f.attrs.secure; - if (is_secure) { - /* Select TCR based on the NS bit from the S1 walk. */ - s2walk_secure =3D !(ipa_secure - ? env->cp15.vstcr_el2 & VSTCR_SW - : env->cp15.vtcr_el2 & VTCR_NSW); - } else { - assert(!ipa_secure); - s2walk_secure =3D false; - } =20 is_el0 =3D ptw->in_mmu_idx =3D=3D ARMMMUIdx_Stage1_E0; - ptw->in_mmu_idx =3D s2walk_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Sta= ge2; - ptw->in_ptw_idx =3D s2walk_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_= NS; - ptw->in_secure =3D s2walk_secure; + ptw->in_mmu_idx =3D ipa_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2; + ptw->in_secure =3D ipa_secure; + ptw->in_ptw_idx =3D ptw_idx_for_stage_2(env, ptw->in_mmu_idx); =20 /* * S1 is done, now do S2 translation. @@ -2861,6 +2877,16 @@ static bool get_phys_addr_with_struct(CPUARMState *e= nv, S1Translate *ptw, ptw->in_ptw_idx =3D is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Sta= ge2; break; =20 + case ARMMMUIdx_Stage2: + case ARMMMUIdx_Stage2_S: + /* + * Second stage lookup uses physical for ptw; whether this is S or + * NS may depend on the SW/NSW bits if this is a stage 2 lookup for + * the Secure EL2&0 regime. + */ + ptw->in_ptw_idx =3D ptw_idx_for_stage_2(env, mmu_idx); + break; + case ARMMMUIdx_E10_0: s1_mmu_idx =3D ARMMMUIdx_Stage1_E0; goto do_twostage; @@ -2884,7 +2910,7 @@ static bool get_phys_addr_with_struct(CPUARMState *en= v, S1Translate *ptw, /* fall through */ =20 default: - /* Single stage and second stage uses physical for ptw. */ + /* Single stage uses physical for ptw. */ ptw->in_ptw_idx =3D is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_= NS; break; } --=20 2.34.1
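Review bot: In ptw_idx_for_stage_2() the header comment says the NSW and SW bits are checked for the Secure EL1&0 regime, while the comment added for the ARMMMUIdx_Stage2 / ARMMMUIdx_Stage2_S case in get_phys_addr_with_struct() says Secure EL2&0 regime; the two should name the same regime. There is also a stray blank line between the final return and the closing brace of the function.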
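Review bot: In S1_ptw_translate() the "Regime is physical" branch now derives out_secure from s2_mmu_idx == ARMMMUIdx_Phys_S, so any index other than Phys_S, including an unexpected one, is silently treated as NonSecure. An assertion there that s2_mmu_idx is Phys_S or Phys_NS would catch a caller that set in_ptw_idx wrongly. With pte_secure gone and the is_secure uses in these hunks removed, also check whether is_secure still has a user in this function.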
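Review bot: In get_phys_addr_twostage() the removed block asserted !ipa_secure when is_secure was false, and the replacement selects ARMMMUIdx_Stage2_S and sets in_secure from ipa_secure alone. A stage 1 result that wrongly reported a Secure IPA for a NonSecure regime would now pick the Secure stage 2 regime without complaint. Suggest keeping the invariant, for example assert(is_secure || !ipa_secure), before in_mmu_idx is set.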
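Review bot: The new ARMMMUIdx_Stage2 / ARMMMUIdx_Stage2_S case in get_phys_addr_with_struct() sets only in_ptw_idx. The commit message states that for a stage 2 walk .in_secure should be true if .in_mmu_idx is Stage2_S, but nothing in this case sets or checks ptw->in_secure against mmu_idx, so correctness depends on every caller. Either assert that the two agree here or document the requirement on callers in the comment.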