My OS Lock/DoubleLock patches, plus a small selection of other

bug fixes and minor things.

The following changes since commit 8e9398e3b1a860b8c29c670c1b6c36afe8d87849:

Merge tag 'pull-ppc-20220706' of https://gitlab.com/danielhb/qemu into staging (2022-07-07 06:21:05 +0530)

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220707

for you to fetch changes up to c2360eaa0262a816faf8032b7762d0c73df2cc62:

target/arm: Fix qemu-system-arm handling of LPAE block descriptors for highmem (2022-07-07 11:41:04 +0100)

* hw/arm/virt: dt: add rng-seed property

* Fix MTE check in sve_ldnfff1_r

* Record tagged bit for user-only in sve_probe_page

* Correctly implement OS Lock and OS DoubleLock

* Implement DBGDEVID, DBGDEVID1, DBGDEVID2 registers

* Fix qemu-system-arm handling of LPAE block descriptors for highmem

Jason A. Donenfeld (1):

hw/arm/virt: dt: add rng-seed property

Peter Maydell (6):

target/arm: Fix code style issues in debug helper functions

target/arm: Move define_debug_regs() to debug_helper.c

target/arm: Suppress debug exceptions when OS Lock set

target/arm: Implement AArch32 DBGDEVID, DBGDEVID1, DBGDEVID2

target/arm: Correctly implement Feat_DoubleLock

target/arm: Fix qemu-system-arm handling of LPAE block descriptors for highmem

Richard Henderson (2):

target/arm: Fix MTE check in sve_ldnfff1_r

target/arm: Record tagged bit for user-only in sve_probe_page

docs/about/deprecated.rst | 8 +

docs/system/arm/virt.rst | 17 +-

include/hw/arm/virt.h | 2 +-

target/arm/cpregs.h | 3 +

target/arm/cpu.h | 27 +++

target/arm/internals.h | 9 +

hw/arm/virt.c | 44 ++--

target/arm/cpu64.c | 6 +

target/arm/cpu_tcg.c | 6 +

target/arm/debug_helper.c | 580 ++++++++++++++++++++++++++++++++++++++++++++++

target/arm/helper.c | 513 +---------------------------------------

target/arm/ptw.c | 2 +-

target/arm/sve_helper.c | 5 +-

13 files changed, 684 insertions(+), 538 deletions(-)

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

In 60592cfed2 ("hw/arm/virt: dt: add kaslr-seed property"), the

kaslr-seed property was added, but the equally as important rng-seed

property was forgotten about, which has identical semantics for a

similar purpose. This commit implements it in exactly the same way as

kaslr-seed. It then changes the name of the disabling option to reflect

that this has more to do with randomness vs determinism, rather than

something particular about kaslr.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

[PMM: added deprecated.rst section for the deprecation]

docs/about/deprecated.rst | 8 +++++++

docs/system/arm/virt.rst | 17 +++++++++------

include/hw/arm/virt.h | 2 +-

hw/arm/virt.c | 44 ++++++++++++++++++++++++---------------

4 files changed, 47 insertions(+), 24 deletions(-)

diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst

--- a/docs/about/deprecated.rst

+++ b/docs/about/deprecated.rst

@@ -XXX,XX +XXX,XX @@ Use the more generic event ``DEVICE_UNPLUG_GUEST_ERROR`` instead.

System emulator machines

------------------------

+Arm ``virt`` machine ``dtb-kaslr-seed`` property

+''''''''''''''''''''''''''''''''''''''''''''''''

+

+The ``dtb-kaslr-seed`` property on the ``virt`` board has been

+deprecated; use the new name ``dtb-randomness`` instead. The new name

+better reflects the way this property affects all random data within

+the device tree blob, not just the ``kaslr-seed`` node.

+

PPC 405 ``taihu`` machine (since 7.0)

'''''''''''''''''''''''''''''''''''''

diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst

index XXXXXXX..XXXXXXX 100644

--- a/docs/system/arm/virt.rst

+++ b/docs/system/arm/virt.rst

@@ -XXX,XX +XXX,XX @@ ras

Set ``on``/``off`` to enable/disable reporting host memory errors to a guest

using ACPI and guest external abort exceptions. The default is off.

+dtb-randomness

+ Set ``on``/``off`` to pass random seeds via the guest DTB

+ rng-seed and kaslr-seed nodes (in both "/chosen" and

+ "/secure-chosen") to use for features like the random number

+ generator and address space randomisation. The default is

+ ``on``. You will want to disable it if your trusted boot chain

+ will verify the DTB it is passed, since this option causes the

+ DTB to be non-deterministic. It would be the responsibility of

+ the firmware to come up with a seed and pass it on if it wants to.

+

dtb-kaslr-seed

- Set ``on``/``off`` to pass a random seed via the guest dtb

- kaslr-seed node (in both "/chosen" and /secure-chosen) to use

- for features like address space randomisation. The default is

- ``on``. You will want to disable it if your trusted boot chain will

- verify the DTB it is passed. It would be the responsibility of the

- firmware to come up with a seed and pass it on if it wants to.

+ A deprecated synonym for dtb-randomness.

Linux guest kernel configuration

""""""""""""""""""""""""""""""""

diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h

index XXXXXXX..XXXXXXX 100644

--- a/include/hw/arm/virt.h

+++ b/include/hw/arm/virt.h

@@ -XXX,XX +XXX,XX @@ struct VirtMachineState {

bool virt;

bool ras;

bool mte;

- bool dtb_kaslr_seed;

+ bool dtb_randomness;

OnOffAuto acpi;

VirtGICType gic_version;

VirtIOMMUType iommu;

diff --git a/hw/arm/virt.c b/hw/arm/virt.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/virt.c

+++ b/hw/arm/virt.c

@@ -XXX,XX +XXX,XX @@ static bool cpu_type_valid(const char *cpu)

return false;

}

-static void create_kaslr_seed(MachineState *ms, const char *node)

+static void create_randomness(MachineState *ms, const char *node)

- uint64_t seed;

+ struct {

+ uint64_t kaslr;

+ uint8_t rng[32];

+ } seed;

if (qemu_guest_getrandom(&seed, sizeof(seed), NULL)) {

return;

}

- qemu_fdt_setprop_u64(ms->fdt, node, "kaslr-seed", seed);

+ qemu_fdt_setprop_u64(ms->fdt, node, "kaslr-seed", seed.kaslr);

+ qemu_fdt_setprop(ms->fdt, node, "rng-seed", seed.rng, sizeof(seed.rng));

static void create_fdt(VirtMachineState *vms)

@@ -XXX,XX +XXX,XX @@ static void create_fdt(VirtMachineState *vms)

/* /chosen must exist for load_dtb to fill in necessary properties later */

qemu_fdt_add_subnode(fdt, "/chosen");

- if (vms->dtb_kaslr_seed) {

- create_kaslr_seed(ms, "/chosen");

+ if (vms->dtb_randomness) {

+ create_randomness(ms, "/chosen");

}

if (vms->secure) {

qemu_fdt_add_subnode(fdt, "/secure-chosen");

- if (vms->dtb_kaslr_seed) {

- create_kaslr_seed(ms, "/secure-chosen");

+ if (vms->dtb_randomness) {

+ create_randomness(ms, "/secure-chosen");

}

}

@@ -XXX,XX +XXX,XX @@ static void virt_set_its(Object *obj, bool value, Error **errp)

vms->its = value;

}

-static bool virt_get_dtb_kaslr_seed(Object *obj, Error **errp)

+static bool virt_get_dtb_randomness(Object *obj, Error **errp)

{

VirtMachineState *vms = VIRT_MACHINE(obj);

- return vms->dtb_kaslr_seed;

+ return vms->dtb_randomness;

}

-static void virt_set_dtb_kaslr_seed(Object *obj, bool value, Error **errp)

+static void virt_set_dtb_randomness(Object *obj, bool value, Error **errp)

{

VirtMachineState *vms = VIRT_MACHINE(obj);

- vms->dtb_kaslr_seed = value;

+ vms->dtb_randomness = value;

}

static char *virt_get_oem_id(Object *obj, Error **errp)

@@ -XXX,XX +XXX,XX @@ static void virt_machine_class_init(ObjectClass *oc, void *data)

"Set on/off to enable/disable "

"ITS instantiation");

+ object_class_property_add_bool(oc, "dtb-randomness",

+ virt_get_dtb_randomness,

+ virt_set_dtb_randomness);

+ object_class_property_set_description(oc, "dtb-randomness",

+ "Set off to disable passing random or "

+ "non-deterministic dtb nodes to guest");

+

object_class_property_add_bool(oc, "dtb-kaslr-seed",

- virt_get_dtb_kaslr_seed,

- virt_set_dtb_kaslr_seed);

+ virt_get_dtb_randomness,

+ virt_set_dtb_randomness);

object_class_property_set_description(oc, "dtb-kaslr-seed",

- "Set off to disable passing of kaslr-seed "

- "dtb node to guest");

+ "Deprecated synonym of dtb-randomness");

object_class_property_add_str(oc, "x-oem-id",

virt_get_oem_id,

@@ -XXX,XX +XXX,XX @@ static void virt_instance_init(Object *obj)

/* MTE is disabled by default. */

vms->mte = false;

- /* Supply a kaslr-seed by default */

- vms->dtb_kaslr_seed = true;

+ /* Supply kaslr-seed and rng-seed by default */

+ vms->dtb_randomness = true;

vms->irqmap = a15irqmap;

2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The comment was correct, but the test was not:

disable mte if tagged is *not* set.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

target/arm/sve_helper.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c

--- a/target/arm/sve_helper.c

+++ b/target/arm/sve_helper.c

@@ -XXX,XX +XXX,XX @@ void sve_ldnfff1_r(CPUARMState *env, void *vg, const target_ulong addr,

* Disable MTE checking if the Tagged bit is not set. Since TBI must

* be set within MTEDESC for MTE, !mtedesc => !mte_active.

- if (arm_tlb_mte_tagged(&info.page[0].attrs)) {

+ if (!arm_tlb_mte_tagged(&info.page[0].attrs)) {

mtedesc = 0;

}

2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Fixes a bug in that we were not honoring MTE from user-only

SVE. Copy the user-only MTE logic from allocation_tag_mem

into sve_probe_page.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

target/arm/sve_helper.c | 3 +++

1 file changed, 3 insertions(+)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c

--- a/target/arm/sve_helper.c

+++ b/target/arm/sve_helper.c

@@ -XXX,XX +XXX,XX @@ bool sve_probe_page(SVEHostPage *info, bool nofault, CPUARMState *env,

#ifdef CONFIG_USER_ONLY

memset(&info->attrs, 0, sizeof(info->attrs));

+ /* Require both MAP_ANON and PROT_MTE -- see allocation_tag_mem. */

+ arm_tlb_mte_tagged(&info->attrs) =

+ (flags & PAGE_ANON) && (flags & PAGE_MTE);

#else

/*

* Find the iotlbentry for addr and return the transaction attributes.

2.25.1

Before moving debug system register helper functions to a

different file, fix the code style issues (mostly block

comment syntax) so checkpatch doesn't complain about the

code-motion patch.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20220630194116.3438513-2-peter.maydell@linaro.org

target/arm/helper.c | 58 +++++++++++++++++++++++++++++----------------

1 file changed, 38 insertions(+), 20 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c

--- a/target/arm/helper.c

+++ b/target/arm/helper.c

@@ -XXX,XX +XXX,XX @@ static uint64_t arm_mdcr_el2_eff(CPUARMState *env)

return arm_is_el2_enabled(env) ? env->cp15.mdcr_el2 : 0;

}

-/* Check for traps to "powerdown debug" registers, which are controlled

+/*

+ * Check for traps to "powerdown debug" registers, which are controlled

* by MDCR.TDOSA

*/

static CPAccessResult access_tdosa(CPUARMState *env, const ARMCPRegInfo *ri,

@@ -XXX,XX +XXX,XX @@ static CPAccessResult access_tdosa(CPUARMState *env, const ARMCPRegInfo *ri,

return CP_ACCESS_OK;

}

-/* Check for traps to "debug ROM" registers, which are controlled

+/*

+ * Check for traps to "debug ROM" registers, which are controlled

* by MDCR_EL2.TDRA for EL2 but by the more general MDCR_EL3.TDA for EL3.

*/

static CPAccessResult access_tdra(CPUARMState *env, const ARMCPRegInfo *ri,

@@ -XXX,XX +XXX,XX @@ static CPAccessResult access_tdra(CPUARMState *env, const ARMCPRegInfo *ri,

return CP_ACCESS_OK;

}

-/* Check for traps to general debug registers, which are controlled

+/*

+ * Check for traps to general debug registers, which are controlled

* by MDCR_EL2.TDA for EL2 and MDCR_EL3.TDA for EL3.

*/

static CPAccessResult access_tda(CPUARMState *env, const ARMCPRegInfo *ri,

@@ -XXX,XX +XXX,XX @@ static CPAccessResult ctr_el0_access(CPUARMState *env, const ARMCPRegInfo *ri,

static void oslar_write(CPUARMState *env, const ARMCPRegInfo *ri,

uint64_t value)

{

- /* Writes to OSLAR_EL1 may update the OS lock status, which can be

+ /*

+ * Writes to OSLAR_EL1 may update the OS lock status, which can be

* read via a bit in OSLSR_EL1.

*/

int oslock;

@@ -XXX,XX +XXX,XX @@ static void oslar_write(CPUARMState *env, const ARMCPRegInfo *ri,

}

static const ARMCPRegInfo debug_cp_reginfo[] = {

- /* DBGDRAR, DBGDSAR: always RAZ since we don't implement memory mapped

+ /*

+ * DBGDRAR, DBGDSAR: always RAZ since we don't implement memory mapped

* debug components. The AArch64 version of DBGDRAR is named MDRAR_EL1;

* unlike DBGDRAR it is never accessible from EL0.

* DBGDSAR is deprecated and must RAZ from v8 anyway, so it has no AArch64

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {

.cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 3, .opc2 = 4,

.access = PL1_RW, .accessfn = access_tdosa,

.type = ARM_CP_NOP },

- /* Dummy DBGVCR: Linux wants to clear this on startup, but we don't

+ /*

+ * Dummy DBGVCR: Linux wants to clear this on startup, but we don't

* implement vector catch debug events yet.

*/

{ .name = "DBGVCR",

.cp = 14, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,

.access = PL1_RW, .accessfn = access_tda,

.type = ARM_CP_NOP },

- /* Dummy DBGVCR32_EL2 (which is only for a 64-bit hypervisor

+ /*

+ * Dummy DBGVCR32_EL2 (which is only for a 64-bit hypervisor

* to save and restore a 32-bit guest's DBGVCR)

*/

{ .name = "DBGVCR32_EL2", .state = ARM_CP_STATE_AA64,

.opc0 = 2, .opc1 = 4, .crn = 0, .crm = 7, .opc2 = 0,

.access = PL2_RW, .accessfn = access_tda,

.type = ARM_CP_NOP | ARM_CP_EL3_NO_EL2_KEEP },

- /* Dummy MDCCINT_EL1, since we don't implement the Debug Communications

+ /*

+ * Dummy MDCCINT_EL1, since we don't implement the Debug Communications

* Channel but Linux may try to access this register. The 32-bit

* alias is DBGDCCINT.

*/

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {

static const ARMCPRegInfo debug_lpae_cp_reginfo[] = {

/* 64 bit access versions of the (dummy) debug registers */

{ .name = "DBGDRAR", .cp = 14, .crm = 1, .opc1 = 0,

- .access = PL0_R, .type = ARM_CP_CONST|ARM_CP_64BIT, .resetvalue = 0 },

+ .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },

{ .name = "DBGDSAR", .cp = 14, .crm = 2, .opc1 = 0,

- .access = PL0_R, .type = ARM_CP_CONST|ARM_CP_64BIT, .resetvalue = 0 },

+ .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },

/*

@@ -XXX,XX +XXX,XX @@ void hw_watchpoint_update(ARMCPU *cpu, int n)

break;

}

- /* Attempts to use both MASK and BAS fields simultaneously are

+ /*

+ * Attempts to use both MASK and BAS fields simultaneously are

* CONSTRAINED UNPREDICTABLE; we opt to ignore BAS in this case,

* thus generating a watchpoint for every byte in the masked region.

*/

mask = FIELD_EX64(wcr, DBGWCR, MASK);

if (mask == 1 || mask == 2) {

- /* Reserved values of MASK; we must act as if the mask value was

+ /*

+ * Reserved values of MASK; we must act as if the mask value was

* some non-reserved value, or as if the watchpoint were disabled.

* We choose the latter.

*/

@@ -XXX,XX +XXX,XX @@ void hw_watchpoint_update(ARMCPU *cpu, int n)

} else if (mask) {

/* Watchpoint covers an aligned area up to 2GB in size */

len = 1ULL << mask;

- /* If masked bits in WVR are not zero it's CONSTRAINED UNPREDICTABLE

+ /*

+ * If masked bits in WVR are not zero it's CONSTRAINED UNPREDICTABLE

* whether the watchpoint fires when the unmasked bits match; we opt

* to generate the exceptions.

*/

@@ -XXX,XX +XXX,XX @@ void hw_watchpoint_update(ARMCPU *cpu, int n)

int basstart;

if (extract64(wvr, 2, 1)) {

- /* Deprecated case of an only 4-aligned address. BAS[7:4] are

+ /*

+ * Deprecated case of an only 4-aligned address. BAS[7:4] are

* ignored, and BAS[3:0] define which bytes to watch.

*/

bas &= 0xf;

@@ -XXX,XX +XXX,XX @@ void hw_watchpoint_update(ARMCPU *cpu, int n)

return;

}

- /* The BAS bits are supposed to be programmed to indicate a contiguous

+ /*

+ * The BAS bits are supposed to be programmed to indicate a contiguous

* range of bytes. Otherwise it is CONSTRAINED UNPREDICTABLE whether

* we fire for each byte in the word/doubleword addressed by the WVR.

* We choose to ignore any non-zero bits after the first range of 1s.

@@ -XXX,XX +XXX,XX @@ void hw_watchpoint_update_all(ARMCPU *cpu)

int i;

CPUARMState *env = &cpu->env;

- /* Completely clear out existing QEMU watchpoints and our array, to

+ /*

+ * Completely clear out existing QEMU watchpoints and our array, to

* avoid possible stale entries following migration load.

*/

cpu_watchpoint_remove_all(CPU(cpu), BP_CPU);

@@ -XXX,XX +XXX,XX @@ void hw_breakpoint_update(ARMCPU *cpu, int n)

case 11: /* linked context ID and VMID match (reserved if no EL2) */

case 3: /* linked context ID match */

default:

- /* We must generate no events for Linked context matches (unless

+ /*

+ * We must generate no events for Linked context matches (unless

* they are linked to by some other bp/wp, which is handled in

* updates for the linking bp/wp). We choose to also generate no events

* for reserved values.

@@ -XXX,XX +XXX,XX @@ void hw_breakpoint_update_all(ARMCPU *cpu)

int i;

CPUARMState *env = &cpu->env;

- /* Completely clear out existing QEMU breakpoints and our array, to

+ /*

+ * Completely clear out existing QEMU breakpoints and our array, to

* avoid possible stale entries following migration load.

*/

cpu_breakpoint_remove_all(CPU(cpu), BP_CPU);

@@ -XXX,XX +XXX,XX @@ static void dbgbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,

ARMCPU *cpu = env_archcpu(env);

int i = ri->crm;

- /* BAS[3] is a read-only copy of BAS[2], and BAS[1] a read-only

+ /*

+ * BAS[3] is a read-only copy of BAS[2], and BAS[1] a read-only

* copy of BAS[0].

*/

value = deposit64(value, 6, 1, extract64(value, 5, 1));

@@ -XXX,XX +XXX,XX @@ static void dbgbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,

static void define_debug_regs(ARMCPU *cpu)

- /* Define v7 and v8 architectural debug registers.

+ /*

+ * Define v7 and v8 architectural debug registers.

* These are just dummy implementations for now.

*/

int i;

2.25.1

The target/arm/helper.c file is very long and is a grabbag of all

kinds of functionality. We have already a debug_helper.c which has

code for implementing architectural debug. Move the code which

defines the debug-related system registers out to this file also.

This affects the define_debug_regs() function and the various

functions and arrays which are used only by it.

The functions raw_write() and arm_mdcr_el2_eff() and

define_debug_regs() now need to be global rather than local to

helper.c; everything else is pure code movement.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20220630194116.3438513-3-peter.maydell@linaro.org

target/arm/cpregs.h | 3 +

target/arm/internals.h | 9 +

target/arm/debug_helper.c | 525 +++++++++++++++++++++++++++++++++++++

target/arm/helper.c | 531 +-------------------------------------

4 files changed, 538 insertions(+), 530 deletions(-)

diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h

--- a/target/arm/cpregs.h

+++ b/target/arm/cpregs.h

@@ -XXX,XX +XXX,XX @@ void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,

/* CPReadFn that can be used for read-as-zero behaviour */

uint64_t arm_cp_read_zero(CPUARMState *env, const ARMCPRegInfo *ri);

+/* CPWriteFn that just writes the value to ri->fieldoffset */

+void raw_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value);

+

/*

* CPResetFn that does nothing, for use if no reset is required even

* if fieldoffset is non zero.

diff --git a/target/arm/internals.h b/target/arm/internals.h

index XXXXXXX..XXXXXXX 100644

--- a/target/arm/internals.h

+++ b/target/arm/internals.h

@@ -XXX,XX +XXX,XX @@ int exception_target_el(CPUARMState *env);

bool arm_singlestep_active(CPUARMState *env);

bool arm_generate_debug_exceptions(CPUARMState *env);

+/* Add the cpreg definitions for debug related system registers */

+void define_debug_regs(ARMCPU *cpu);

+

+/* Effective value of MDCR_EL2 */

+static inline uint64_t arm_mdcr_el2_eff(CPUARMState *env)

+{

+ return arm_is_el2_enabled(env) ? env->cp15.mdcr_el2 : 0;

+}

+

/* Powers of 2 for sve_vq_map et al. */

#define SVE_VQ_POW2_MAP \

((1 << (1 - 1)) | (1 << (2 - 1)) | \

diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c

index XXXXXXX..XXXXXXX 100644

--- a/target/arm/debug_helper.c

+++ b/target/arm/debug_helper.c

* SPDX-License-Identifier: GPL-2.0-or-later

*/

#include "qemu/osdep.h"

+#include "qemu/log.h"

#include "cpu.h"

#include "internals.h"

+#include "cpregs.h"

#include "exec/exec-all.h"

#include "exec/helper-proto.h"

@@ -XXX,XX +XXX,XX @@ void HELPER(exception_swstep)(CPUARMState *env, uint32_t syndrome)

raise_exception_debug(env, EXCP_UDEF, syndrome);

}

+/*

+ * Check for traps to "powerdown debug" registers, which are controlled

+ * by MDCR.TDOSA

+ */

+static CPAccessResult access_tdosa(CPUARMState *env, const ARMCPRegInfo *ri,

+ bool isread)

+{

+ int el = arm_current_el(env);

+ uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);

+ bool mdcr_el2_tdosa = (mdcr_el2 & MDCR_TDOSA) || (mdcr_el2 & MDCR_TDE) ||

+ (arm_hcr_el2_eff(env) & HCR_TGE);

+

+ if (el < 2 && mdcr_el2_tdosa) {

+ return CP_ACCESS_TRAP_EL2;

+ }

+ if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TDOSA)) {

+ return CP_ACCESS_TRAP_EL3;

+ }

+ return CP_ACCESS_OK;

+}

+

+/*

+ * Check for traps to "debug ROM" registers, which are controlled

+ * by MDCR_EL2.TDRA for EL2 but by the more general MDCR_EL3.TDA for EL3.

+ */

+static CPAccessResult access_tdra(CPUARMState *env, const ARMCPRegInfo *ri,

+ bool isread)

+{

+ int el = arm_current_el(env);

+ uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);

+ bool mdcr_el2_tdra = (mdcr_el2 & MDCR_TDRA) || (mdcr_el2 & MDCR_TDE) ||

+ (arm_hcr_el2_eff(env) & HCR_TGE);

+

+ if (el < 2 && mdcr_el2_tdra) {

+ return CP_ACCESS_TRAP_EL2;

+ }

+ if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TDA)) {

+ return CP_ACCESS_TRAP_EL3;

+ }

+ return CP_ACCESS_OK;

+}

+

+/*

+ * Check for traps to general debug registers, which are controlled

+ * by MDCR_EL2.TDA for EL2 and MDCR_EL3.TDA for EL3.

+ */

+static CPAccessResult access_tda(CPUARMState *env, const ARMCPRegInfo *ri,

+ bool isread)

+{

+ int el = arm_current_el(env);

+ uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);

+ bool mdcr_el2_tda = (mdcr_el2 & MDCR_TDA) || (mdcr_el2 & MDCR_TDE) ||

+ (arm_hcr_el2_eff(env) & HCR_TGE);

+

+ if (el < 2 && mdcr_el2_tda) {

+ return CP_ACCESS_TRAP_EL2;

+ }

+ if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TDA)) {

+ return CP_ACCESS_TRAP_EL3;

+ }

+ return CP_ACCESS_OK;

+}

+

+static void oslar_write(CPUARMState *env, const ARMCPRegInfo *ri,

+ uint64_t value)

+{

+ /*

+ * Writes to OSLAR_EL1 may update the OS lock status, which can be

+ * read via a bit in OSLSR_EL1.

+ */

+ int oslock;

+

+ if (ri->state == ARM_CP_STATE_AA32) {

+ oslock = (value == 0xC5ACCE55);

+ } else {

+ oslock = value & 1;

+ }

+

+ env->cp15.oslsr_el1 = deposit32(env->cp15.oslsr_el1, 1, 1, oslock);

+}

+

+static const ARMCPRegInfo debug_cp_reginfo[] = {

+ /*

+ * DBGDRAR, DBGDSAR: always RAZ since we don't implement memory mapped

+ * debug components. The AArch64 version of DBGDRAR is named MDRAR_EL1;

+ * unlike DBGDRAR it is never accessible from EL0.

+ * DBGDSAR is deprecated and must RAZ from v8 anyway, so it has no AArch64

+ * accessor.

+ */

+ { .name = "DBGDRAR", .cp = 14, .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 0,

+ .access = PL0_R, .accessfn = access_tdra,

+ .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "MDRAR_EL1", .state = ARM_CP_STATE_AA64,

+ .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 0,

+ .access = PL1_R, .accessfn = access_tdra,

+ .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "DBGDSAR", .cp = 14, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 0,

+ .access = PL0_R, .accessfn = access_tdra,

+ .type = ARM_CP_CONST, .resetvalue = 0 },

+ /* Monitor debug system control register; the 32-bit alias is DBGDSCRext. */

+ { .name = "MDSCR_EL1", .state = ARM_CP_STATE_BOTH,

+ .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 2,

+ .access = PL1_RW, .accessfn = access_tda,

+ .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1),

+ .resetvalue = 0 },

+ /*

+ * MDCCSR_EL0[30:29] map to EDSCR[30:29]. Simply RAZ as the external

+ * Debug Communication Channel is not implemented.

+ */

+ { .name = "MDCCSR_EL0", .state = ARM_CP_STATE_AA64,

+ .opc0 = 2, .opc1 = 3, .crn = 0, .crm = 1, .opc2 = 0,

+ .access = PL0_R, .accessfn = access_tda,

+ .type = ARM_CP_CONST, .resetvalue = 0 },

+ /*

+ * DBGDSCRint[15,12,5:2] map to MDSCR_EL1[15,12,5:2]. Map all bits as

+ * it is unlikely a guest will care.

+ * We don't implement the configurable EL0 access.

+ */

+ { .name = "DBGDSCRint", .state = ARM_CP_STATE_AA32,

+ .cp = 14, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0,

+ .type = ARM_CP_ALIAS,

+ .access = PL1_R, .accessfn = access_tda,

+ .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1), },

+ { .name = "OSLAR_EL1", .state = ARM_CP_STATE_BOTH,

+ .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 4,

+ .access = PL1_W, .type = ARM_CP_NO_RAW,

+ .accessfn = access_tdosa,

+ .writefn = oslar_write },

+ { .name = "OSLSR_EL1", .state = ARM_CP_STATE_BOTH,

+ .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 4,

+ .access = PL1_R, .resetvalue = 10,

+ .accessfn = access_tdosa,

+ .fieldoffset = offsetof(CPUARMState, cp15.oslsr_el1) },

+ /* Dummy OSDLR_EL1: 32-bit Linux will read this */

+ { .name = "OSDLR_EL1", .state = ARM_CP_STATE_BOTH,

+ .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 3, .opc2 = 4,

+ .access = PL1_RW, .accessfn = access_tdosa,

+ .type = ARM_CP_NOP },

+ /*

+ * Dummy DBGVCR: Linux wants to clear this on startup, but we don't

+ * implement vector catch debug events yet.

+ */

+ { .name = "DBGVCR",

+ .cp = 14, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,

+ .access = PL1_RW, .accessfn = access_tda,

+ .type = ARM_CP_NOP },

+ /*

+ * Dummy DBGVCR32_EL2 (which is only for a 64-bit hypervisor

+ * to save and restore a 32-bit guest's DBGVCR)

+ */

+ { .name = "DBGVCR32_EL2", .state = ARM_CP_STATE_AA64,

+ .opc0 = 2, .opc1 = 4, .crn = 0, .crm = 7, .opc2 = 0,

+ .access = PL2_RW, .accessfn = access_tda,

+ .type = ARM_CP_NOP | ARM_CP_EL3_NO_EL2_KEEP },

+ /*

+ * Dummy MDCCINT_EL1, since we don't implement the Debug Communications

+ * Channel but Linux may try to access this register. The 32-bit

+ * alias is DBGDCCINT.

+ */

+ { .name = "MDCCINT_EL1", .state = ARM_CP_STATE_BOTH,

+ .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0,

+ .access = PL1_RW, .accessfn = access_tda,

+ .type = ARM_CP_NOP },

+};

+

+static const ARMCPRegInfo debug_lpae_cp_reginfo[] = {

+ /* 64 bit access versions of the (dummy) debug registers */

+ { .name = "DBGDRAR", .cp = 14, .crm = 1, .opc1 = 0,

+ .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },

+ { .name = "DBGDSAR", .cp = 14, .crm = 2, .opc1 = 0,

+ .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },

+};

+

+void hw_watchpoint_update(ARMCPU *cpu, int n)

+{

+ CPUARMState *env = &cpu->env;

+ vaddr len = 0;

+ vaddr wvr = env->cp15.dbgwvr[n];

+ uint64_t wcr = env->cp15.dbgwcr[n];

+ int mask;

+ int flags = BP_CPU | BP_STOP_BEFORE_ACCESS;

+

+ if (env->cpu_watchpoint[n]) {

+ cpu_watchpoint_remove_by_ref(CPU(cpu), env->cpu_watchpoint[n]);

+ env->cpu_watchpoint[n] = NULL;

+ }

+

+ if (!FIELD_EX64(wcr, DBGWCR, E)) {

+ /* E bit clear : watchpoint disabled */

+ return;

+ }

+

+ switch (FIELD_EX64(wcr, DBGWCR, LSC)) {

+ case 0:

+ /* LSC 00 is reserved and must behave as if the wp is disabled */

+ return;

+ case 1:

+ flags |= BP_MEM_READ;

+ break;

+ case 2:

+ flags |= BP_MEM_WRITE;

+ break;

+ case 3:

+ flags |= BP_MEM_ACCESS;

+ break;

+ }

+

+ /*

+ * Attempts to use both MASK and BAS fields simultaneously are

+ * CONSTRAINED UNPREDICTABLE; we opt to ignore BAS in this case,

+ * thus generating a watchpoint for every byte in the masked region.

+ */

+ mask = FIELD_EX64(wcr, DBGWCR, MASK);

+ if (mask == 1 || mask == 2) {

+ /*

+ * Reserved values of MASK; we must act as if the mask value was

+ * some non-reserved value, or as if the watchpoint were disabled.

+ * We choose the latter.

+ */

+ return;

+ } else if (mask) {

+ /* Watchpoint covers an aligned area up to 2GB in size */

+ len = 1ULL << mask;

+ /*

+ * If masked bits in WVR are not zero it's CONSTRAINED UNPREDICTABLE

+ * whether the watchpoint fires when the unmasked bits match; we opt

+ * to generate the exceptions.

+ */

+ wvr &= ~(len - 1);

+ } else {

+ /* Watchpoint covers bytes defined by the byte address select bits */

+ int bas = FIELD_EX64(wcr, DBGWCR, BAS);

+ int basstart;

+

+ if (extract64(wvr, 2, 1)) {

+ /*

+ * Deprecated case of an only 4-aligned address. BAS[7:4] are

+ * ignored, and BAS[3:0] define which bytes to watch.

+ */

+ bas &= 0xf;

+ }

+

+ if (bas == 0) {

+ /* This must act as if the watchpoint is disabled */

+ return;

+ }

+

+ /*

+ * The BAS bits are supposed to be programmed to indicate a contiguous

+ * range of bytes. Otherwise it is CONSTRAINED UNPREDICTABLE whether

+ * we fire for each byte in the word/doubleword addressed by the WVR.

+ * We choose to ignore any non-zero bits after the first range of 1s.

+ */

+ basstart = ctz32(bas);

+ len = cto32(bas >> basstart);

+ wvr += basstart;