Arm stuff, mostly patches from RTH.

The following changes since commit 01a9a51ffaf4699827ea6425cb2b834a356e159d:

Merge remote-tracking branch 'remotes/kraxel/tags/ui-20190205-pull-request' into staging (2019-02-05 14:01:29 +0000)

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190205

for you to fetch changes up to a15945d98d3a3390c3da344d1b47218e91e49d8b:

target/arm: Make FPSCR/FPCR trapped-exception bits RAZ/WI (2019-02-05 16:52:42 +0000)

* Implement Armv8.5-BTI extension for system emulation mode

* Implement the PR_PAC_RESET_KEYS prctl() for linux-user mode's Armv8.3-PAuth support

* Support TBI (top-byte-ignore) properly for linux-user mode

* gdbstub: allow killing QEMU via vKill command

* hw/arm/boot: Support DTB autoload for firmware-only boots

* target/arm: Make FPSCR/FPCR trapped-exception bits RAZ/WI

Max Filippov (1):

gdbstub: allow killing QEMU via vKill command

target/arm: Compute TB_FLAGS for TBI for user-only

hw/arm/boot: Fix block comment style in arm_load_kernel()

hw/arm/boot: Factor out "direct kernel boot" code into its own function

hw/arm/boot: Factor out "set up firmware boot" code

hw/arm/boot: Clarify why arm_setup_firmware_boot() doesn't set env->boot_info

hw/arm/boot: Support DTB autoload for firmware-only boots

target/arm: Make FPSCR/FPCR trapped-exception bits RAZ/WI

Richard Henderson (14):

target/arm: Introduce isar_feature_aa64_bti

target/arm: Add PSTATE.BTYPE

target/arm: Add BT and BTYPE to tb->flags

exec: Add target-specific tlb bits to MemTxAttrs

target/arm: Cache the GP bit for a page in MemTxAttrs

target/arm: Default handling of BTYPE during translation

target/arm: Reset btype for direct branches

target/arm: Set btype for indirect branches

target/arm: Enable BTI for -cpu max

linux-user: Implement PR_PAC_RESET_KEYS

tests/tcg/aarch64: Add pauth smoke test

target/arm: Add TBFLAG_A64_TBID, split out gen_top_byte_ignore

target/arm: Clean TBI for data operations in the translator

target/arm: Enable TBI for user-only

tests/tcg/aarch64/Makefile.target | 6 +-

include/exec/memattrs.h | 10 +

linux-user/aarch64/target_syscall.h | 7 +

target/arm/cpu.h | 27 +-

target/arm/internals.h | 27 +-

target/arm/translate.h | 12 +-

gdbstub.c | 4 +

hw/arm/boot.c | 166 +++++++------

linux-user/syscall.c | 36 +++

target/arm/cpu.c | 6 +

target/arm/cpu64.c | 4 +

target/arm/helper.c | 80 +++---

target/arm/translate-a64.c | 476 +++++++++++++++++++++++++-----------

tests/tcg/aarch64/pauth-1.c | 23 ++

14 files changed, 623 insertions(+), 261 deletions(-)

create mode 100644 tests/tcg/aarch64/pauth-1.c

From: Max Filippov <jcmvbkbc@gmail.com>

With multiprocess extensions gdb uses 'vKill' packet instead of 'k' to

kill the inferior. Handle 'vKill' the same way 'k' was handled in the

presence of single process.

Fixes: 7cf48f6752e5 ("gdbstub: add multiprocess support to

(f|s)ThreadInfo and ThreadExtraInfo")

Cc: Luc Michel <luc.michel@greensocs.com>

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>

Reviewed-by: Luc Michel <luc.michel@greensocs.com>

Reviewed-by: KONRAD Frederic <frederic.konrad@adacore.com>

Tested-by: KONRAD Frederic <frederic.konrad@adacore.com>

Message-id: 20190130192403.13754-1-jcmvbkbc@gmail.com

gdbstub.c | 4 ++++

1 file changed, 4 insertions(+)

diff --git a/gdbstub.c b/gdbstub.c

--- a/gdbstub.c

+++ b/gdbstub.c

@@ -XXX,XX +XXX,XX @@ static int gdb_handle_packet(GDBState *s, const char *line_buf)

put_packet(s, buf);

break;

+ } else if (strncmp(p, "Kill;", 5) == 0) {

+ /* Kill the target */

+ error_report("QEMU: Terminated via GDBstub");

+ exit(0);

} else {

goto unknown_command;

}

The {IOE, DZE, OFE, UFE, IXE, IDE} bits in the FPSCR/FPCR are for

enabling trapped IEEE floating point exceptions (where IEEE exception

conditions cause a CPU exception rather than updating the FPSR status

bits). QEMU doesn't implement this (and nor does the hardware we're

modelling), but for implementations which don't implement trapped

exception handling these control bits are supposed to be RAZ/WI.

This allows guest code to test for whether the feature is present

by trying to write to the bit and checking whether it sticks.

QEMU is incorrectly making these bits read as written. Make them

RAZ/WI as the architecture requires.

In particular this was causing problems for the NetBSD automatic

test suite.

Reported-by: Martin Husemann <martin@netbsd.org>

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20190131130700.28392-1-peter.maydell@linaro.org

---

target/arm/cpu.h | 6 ++++++

target/arm/helper.c | 6 ++++++

2 files changed, 12 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h

--- a/target/arm/cpu.h

+++ b/target/arm/cpu.h

@@ -XXX,XX +XXX,XX @@ void vfp_set_fpscr(CPUARMState *env, uint32_t val);

#define FPSR_MASK 0xf800009f

#define FPCR_MASK 0x07ff9f00

+#define FPCR_IOE (1 << 8) /* Invalid Operation exception trap enable */

+#define FPCR_DZE (1 << 9) /* Divide by Zero exception trap enable */

+#define FPCR_OFE (1 << 10) /* Overflow exception trap enable */

+#define FPCR_UFE (1 << 11) /* Underflow exception trap enable */

+#define FPCR_IXE (1 << 12) /* Inexact exception trap enable */

+#define FPCR_IDE (1 << 15) /* Input Denormal exception trap enable */

#define FPCR_FZ16 (1 << 19) /* ARMv8.2+, FP16 flush-to-zero */

#define FPCR_FZ (1 << 24) /* Flush-to-zero enable bit */

#define FPCR_DN (1 << 25) /* Default NaN enable bit */

diff --git a/target/arm/helper.c b/target/arm/helper.c

index XXXXXXX..XXXXXXX 100644

--- a/target/arm/helper.c

+++ b/target/arm/helper.c

@@ -XXX,XX +XXX,XX @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)

val &= ~FPCR_FZ16;

}

+ /*

+ * We don't implement trapped exception handling, so the

+ * trap enable bits are all RAZ/WI (not RES0!)

+ */

+ val &= ~(FPCR_IDE | FPCR_IXE | FPCR_UFE | FPCR_OFE | FPCR_DZE | FPCR_IOE);

changed = env->vfp.xregs[ARM_VFP_FPSCR];

env->vfp.xregs[ARM_VFP_FPSCR] = (val & 0xffc8ffff);

env->vfp.vec_len = (val >> 16) & 7;

The arm_boot_info struct has a skip_dtb_autoload flag: if this is

set to true by the board code then arm_load_kernel() will not

load the DTB itself, but will leave this for the board code to

do itself later. However, the check for this is done in a

code path which is only executed for the case where we load

a kernel image file. If we're taking the "boot via firmware"

code path then the flag isn't honoured and the DTB is never

loaded.

We didn't notice this because the only real user of "boot

via firmware" that cares about the DTB is the virt board

(for UEFI boot), and that always wants skip_dtb_autoload

anyway. But the SBSA reference board model we're planning to

add will want the flag to behave correctly.

Now we've refactored the arm_load_kernel() function, the

fix is simple: drop the early 'return' so we fall into

the same "load the DTB" code the boot-direct-kernel path uses.

Reviewed-by: Igor Mammedov <imammedo@redhat.com>

Message-id: 20190131112240.8395-6-peter.maydell@linaro.org

hw/arm/boot.c | 1 -

1 file changed, 1 deletion(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c

--- a/hw/arm/boot.c

+++ b/hw/arm/boot.c

@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

/* Load the kernel. */

if (!info->kernel_filename || info->firmware_loaded) {

arm_setup_firmware_boot(cpu, info);

- return;

} else {

arm_setup_direct_kernel_boot(cpu, info);

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20190201195404.30486-2-richard.henderson@linaro.org

linux-user/aarch64/target_syscall.h | 7 ++++++

linux-user/syscall.c | 36 +++++++++++++++++++++++++++++

2 files changed, 43 insertions(+)

diff --git a/linux-user/aarch64/target_syscall.h b/linux-user/aarch64/target_syscall.h

--- a/linux-user/aarch64/target_syscall.h

+++ b/linux-user/aarch64/target_syscall.h

@@ -XXX,XX +XXX,XX @@ struct target_pt_regs {

#define TARGET_PR_SVE_SET_VL 50

#define TARGET_PR_SVE_GET_VL 51

+#define TARGET_PR_PAC_RESET_KEYS 54

+# define TARGET_PR_PAC_APIAKEY (1 << 0)

+# define TARGET_PR_PAC_APIBKEY (1 << 1)

+# define TARGET_PR_PAC_APDAKEY (1 << 2)

+# define TARGET_PR_PAC_APDBKEY (1 << 3)

+# define TARGET_PR_PAC_APGAKEY (1 << 4)

+

void arm_init_pauth_key(ARMPACKey *key);

#endif /* AARCH64_TARGET_SYSCALL_H */

diff --git a/linux-user/syscall.c b/linux-user/syscall.c

index XXXXXXX..XXXXXXX 100644

--- a/linux-user/syscall.c

+++ b/linux-user/syscall.c

@@ -XXX,XX +XXX,XX @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,

return ret;

+ case TARGET_PR_PAC_RESET_KEYS:

+ {

+ CPUARMState *env = cpu_env;

+ ARMCPU *cpu = arm_env_get_cpu(env);

+

+ if (arg3 || arg4 || arg5) {

+ return -TARGET_EINVAL;

+ }

+ if (cpu_isar_feature(aa64_pauth, cpu)) {

+ int all = (TARGET_PR_PAC_APIAKEY | TARGET_PR_PAC_APIBKEY |

+ TARGET_PR_PAC_APDAKEY | TARGET_PR_PAC_APDBKEY |

+ TARGET_PR_PAC_APGAKEY);

+ if (arg2 == 0) {

+ arg2 = all;

+ } else if (arg2 & ~all) {

+ return -TARGET_EINVAL;

+ }

+ if (arg2 & TARGET_PR_PAC_APIAKEY) {

+ arm_init_pauth_key(&env->apia_key);

+ }

+ if (arg2 & TARGET_PR_PAC_APIBKEY) {

+ arm_init_pauth_key(&env->apib_key);

+ }

+ if (arg2 & TARGET_PR_PAC_APDAKEY) {

+ arm_init_pauth_key(&env->apda_key);

+ }

+ if (arg2 & TARGET_PR_PAC_APDBKEY) {

+ arm_init_pauth_key(&env->apdb_key);

+ }

+ if (arg2 & TARGET_PR_PAC_APGAKEY) {

+ arm_init_pauth_key(&env->apga_key);

+ }

+ return 0;

+ }

+ }

+ return -TARGET_EINVAL;

#endif /* AARCH64 */

case PR_GET_SECCOMP:

case PR_SET_SECCOMP:

The code path for booting firmware doesn't set env->boot_info. At

first sight this looks odd, so add a comment saying why we don't.

Reviewed-by: Igor Mammedov <imammedo@redhat.com>

Message-id: 20190131112240.8395-5-peter.maydell@linaro.org

hw/arm/boot.c | 3 ++-

1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c

--- a/hw/arm/boot.c

+++ b/hw/arm/boot.c

@@ -XXX,XX +XXX,XX @@ static void arm_setup_firmware_boot(ARMCPU *cpu, struct arm_boot_info *info)

/*

* We will start from address 0 (typically a boot ROM image) in the

- * same way as hardware.

+ * same way as hardware. Leave env->boot_info NULL, so that

+ * do_cpu_reset() knows it does not need to alter the PC on reset.

*/

}

Factor out the "boot via firmware" code path from arm_load_kernel()

into its own function.

This commit only moves code around; no semantic changes.

Reviewed-by: Igor Mammedov <imammedo@redhat.com>

Message-id: 20190131112240.8395-4-peter.maydell@linaro.org

hw/arm/boot.c | 92 +++++++++++++++++++++++++++------------------------

1 file changed, 49 insertions(+), 43 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c

--- a/hw/arm/boot.c

+++ b/hw/arm/boot.c

@@ -XXX,XX +XXX,XX @@ static void arm_setup_direct_kernel_boot(ARMCPU *cpu,

}

+static void arm_setup_firmware_boot(ARMCPU *cpu, struct arm_boot_info *info)

+{

+ /* Set up for booting firmware (which might load a kernel via fw_cfg) */

+

+ if (have_dtb(info)) {

+ /*

+ * If we have a device tree blob, but no kernel to supply it to (or

+ * the kernel is supposed to be loaded by the bootloader), copy the

+ * DTB to the base of RAM for the bootloader to pick up.

+ */

+ info->dtb_start = info->loader_start;

+ }

+

+ if (info->kernel_filename) {

+ FWCfgState *fw_cfg;

+ bool try_decompressing_kernel;

+

+ fw_cfg = fw_cfg_find();

+ try_decompressing_kernel = arm_feature(&cpu->env,

+ ARM_FEATURE_AARCH64);

+

+ /*

+ * Expose the kernel, the command line, and the initrd in fw_cfg.

+ * We don't process them here at all, it's all left to the

+ * firmware.

+ */

+ load_image_to_fw_cfg(fw_cfg,

+ FW_CFG_KERNEL_SIZE, FW_CFG_KERNEL_DATA,

+ info->kernel_filename,

+ try_decompressing_kernel);

+ load_image_to_fw_cfg(fw_cfg,

+ FW_CFG_INITRD_SIZE, FW_CFG_INITRD_DATA,

+ info->initrd_filename, false);

+

+ if (info->kernel_cmdline) {

+ fw_cfg_add_i32(fw_cfg, FW_CFG_CMDLINE_SIZE,

+ strlen(info->kernel_cmdline) + 1);

+ fw_cfg_add_string(fw_cfg, FW_CFG_CMDLINE_DATA,

+ info->kernel_cmdline);

+ }

+ }

+

+ /*

+ * We will start from address 0 (typically a boot ROM image) in the

+ * same way as hardware.

+ */

+}

+

void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

{

CPUState *cs;

@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

/* Load the kernel. */

if (!info->kernel_filename || info->firmware_loaded) {

-

- if (have_dtb(info)) {

- /*

- * If we have a device tree blob, but no kernel to supply it to (or

- * the kernel is supposed to be loaded by the bootloader), copy the

- * DTB to the base of RAM for the bootloader to pick up.

- */

- info->dtb_start = info->loader_start;

- }

-

- if (info->kernel_filename) {

- FWCfgState *fw_cfg;

- bool try_decompressing_kernel;

-

- fw_cfg = fw_cfg_find();

- try_decompressing_kernel = arm_feature(&cpu->env,

- ARM_FEATURE_AARCH64);

-

- /*

- * Expose the kernel, the command line, and the initrd in fw_cfg.

- * We don't process them here at all, it's all left to the

- * firmware.

- */

- load_image_to_fw_cfg(fw_cfg,

- FW_CFG_KERNEL_SIZE, FW_CFG_KERNEL_DATA,

- info->kernel_filename,

- try_decompressing_kernel);

- load_image_to_fw_cfg(fw_cfg,

- FW_CFG_INITRD_SIZE, FW_CFG_INITRD_DATA,

- info->initrd_filename, false);

-

- if (info->kernel_cmdline) {

- fw_cfg_add_i32(fw_cfg, FW_CFG_CMDLINE_SIZE,

- strlen(info->kernel_cmdline) + 1);

- fw_cfg_add_string(fw_cfg, FW_CFG_CMDLINE_DATA,

- info->kernel_cmdline);

- }

- }

-

- /*

- * We will start from address 0 (typically a boot ROM image) in the

- * same way as hardware.

- */

+ arm_setup_firmware_boot(cpu, info);

return;

} else {

arm_setup_direct_kernel_boot(cpu, info);

Fix the block comment style in arm_load_kernel() to QEMU's

current style preferences. This will allow us to do some

refactoring of this function without checkpatch complaining

about the code-motion patches.

Reviewed-by: Igor Mammedov <imammedo@redhat.com>

Message-id: 20190131112240.8395-2-peter.maydell@linaro.org

hw/arm/boot.c | 30 ++++++++++++++++++++----------

1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c

--- a/hw/arm/boot.c

+++ b/hw/arm/boot.c

@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

static const ARMInsnFixup *primary_loader;

AddressSpace *as = arm_boot_address_space(cpu, info);

- /* CPU objects (unlike devices) are not automatically reset on system

+ /*

+ * CPU objects (unlike devices) are not automatically reset on system

* reset, so we must always register a handler to do so. If we're

* actually loading a kernel, the handler is also responsible for

* arranging that we start it correctly.

@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

qemu_register_reset(do_cpu_reset, ARM_CPU(cs));

}

- /* The board code is not supposed to set secure_board_setup unless

+ /*

+ * The board code is not supposed to set secure_board_setup unless

* running its code in secure mode is actually possible, and KVM

* doesn't support secure.

*/

@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

if (!info->kernel_filename || info->firmware_loaded) {

if (have_dtb(info)) {

- /* If we have a device tree blob, but no kernel to supply it to (or

+ /*

+ * If we have a device tree blob, but no kernel to supply it to (or

* the kernel is supposed to be loaded by the bootloader), copy the

* DTB to the base of RAM for the bootloader to pick up.

*/

@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

try_decompressing_kernel = arm_feature(&cpu->env,

ARM_FEATURE_AARCH64);

- /* Expose the kernel, the command line, and the initrd in fw_cfg.

+ /*

+ * Expose the kernel, the command line, and the initrd in fw_cfg.

* We don't process them here at all, it's all left to the

* firmware.

*/

@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

}

}

- /* We will start from address 0 (typically a boot ROM image) in the

+ /*

+ * We will start from address 0 (typically a boot ROM image) in the

* same way as hardware.

*/

return;

@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

if (info->nb_cpus == 0)

info->nb_cpus = 1;

- /* We want to put the initrd far enough into RAM that when the

+ /*

+ * We want to put the initrd far enough into RAM that when the

* kernel is uncompressed it will not clobber the initrd. However

* on boards without much RAM we must ensure that we still leave

* enough room for a decent sized initrd, and on boards with large

@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

kernel_size = arm_load_elf(info, &elf_entry, &elf_low_addr,

&elf_high_addr, elf_machine, as);

if (kernel_size > 0 && have_dtb(info)) {

- /* If there is still some room left at the base of RAM, try and put

+ /*

+ * If there is still some room left at the base of RAM, try and put

* the DTB there like we do for images loaded with -bios or -pflash.

*/

if (elf_low_addr > info->loader_start

|| elf_high_addr < info->loader_start) {

- /* Set elf_low_addr as address limit for arm_load_dtb if it may be

+ /*

+ * Set elf_low_addr as address limit for arm_load_dtb if it may be

* pointing into RAM, otherwise pass '0' (no limit)

*/

if (elf_low_addr < info->loader_start) {

@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

fixupcontext[FIXUP_BOARDID] = info->board_id;

fixupcontext[FIXUP_BOARD_SETUP] = info->board_setup_addr;

- /* for device tree boot, we pass the DTB directly in r2. Otherwise

+ /*

+ * for device tree boot, we pass the DTB directly in r2. Otherwise

* we point to the kernel args.

*/

if (have_dtb(info)) {

@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

info->write_board_setup(cpu, info);

}

- /* Notify devices which need to fake up firmware initialization

+ /*

+ * Notify devices which need to fake up firmware initialization

* that we're doing a direct kernel boot.

*/

object_child_foreach_recursive(object_get_root(),

Factor out the "direct kernel boot" code path from arm_load_kernel()

into its own function; this function is getting long enough that

the code flow is a bit confusing.

This commit only moves code around; no semantic changes.

We leave the "load the dtb" code in arm_load_kernel() -- this

is currently only used by the "direct kernel boot" path, but

this is a bug which we will fix shortly.

Reviewed-by: Igor Mammedov <imammedo@redhat.com>

Message-id: 20190131112240.8395-3-peter.maydell@linaro.org

hw/arm/boot.c | 150 +++++++++++++++++++++++++++-----------------------

1 file changed, 80 insertions(+), 70 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c

--- a/hw/arm/boot.c

+++ b/hw/arm/boot.c

@@ -XXX,XX +XXX,XX @@ static uint64_t load_aarch64_image(const char *filename, hwaddr mem_base,

return size;

-void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

+static void arm_setup_direct_kernel_boot(ARMCPU *cpu,

+ struct arm_boot_info *info)

{

+ /* Set up for a direct boot of a kernel image file. */

CPUState *cs;

+ AddressSpace *as = arm_boot_address_space(cpu, info);

int kernel_size;

int initrd_size;

int is_linux = 0;

@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

int elf_machine;

hwaddr entry;

static const ARMInsnFixup *primary_loader;

- AddressSpace *as = arm_boot_address_space(cpu, info);

-

- /*

- * CPU objects (unlike devices) are not automatically reset on system

- * reset, so we must always register a handler to do so. If we're

- * actually loading a kernel, the handler is also responsible for

- * arranging that we start it correctly.

- */

- for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {

- qemu_register_reset(do_cpu_reset, ARM_CPU(cs));

- }

-

- /*

- * The board code is not supposed to set secure_board_setup unless

- * running its code in secure mode is actually possible, and KVM

- * doesn't support secure.

- */

- assert(!(info->secure_board_setup && kvm_enabled()));

-

- info->dtb_filename = qemu_opt_get(qemu_get_machine_opts(), "dtb");

- info->dtb_limit = 0;

-

- /* Load the kernel. */

- if (!info->kernel_filename || info->firmware_loaded) {

-

- if (have_dtb(info)) {

- /*

- * If we have a device tree blob, but no kernel to supply it to (or

- * the kernel is supposed to be loaded by the bootloader), copy the

- * DTB to the base of RAM for the bootloader to pick up.

- */

- info->dtb_start = info->loader_start;

- }

-

- if (info->kernel_filename) {

- FWCfgState *fw_cfg;

- bool try_decompressing_kernel;

-

- fw_cfg = fw_cfg_find();

- try_decompressing_kernel = arm_feature(&cpu->env,

- ARM_FEATURE_AARCH64);

-

- /*

- * Expose the kernel, the command line, and the initrd in fw_cfg.

- * We don't process them here at all, it's all left to the

- * firmware.

- */

- load_image_to_fw_cfg(fw_cfg,

- FW_CFG_KERNEL_SIZE, FW_CFG_KERNEL_DATA,

- info->kernel_filename,

- try_decompressing_kernel);

- load_image_to_fw_cfg(fw_cfg,

- FW_CFG_INITRD_SIZE, FW_CFG_INITRD_DATA,

- info->initrd_filename, false);

-

- if (info->kernel_cmdline) {

- fw_cfg_add_i32(fw_cfg, FW_CFG_CMDLINE_SIZE,

- strlen(info->kernel_cmdline) + 1);

- fw_cfg_add_string(fw_cfg, FW_CFG_CMDLINE_DATA,

- info->kernel_cmdline);

- }

- }

-

- /*

- * We will start from address 0 (typically a boot ROM image) in the

- * same way as hardware.

- */

- return;

- }

if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {

primary_loader = bootloader_aarch64;

@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {

ARM_CPU(cs)->env.boot_info = info;

}

+void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)

+{

+ CPUState *cs;

+ AddressSpace *as = arm_boot_address_space(cpu, info);

+

+ /*

+ * CPU objects (unlike devices) are not automatically reset on system

+ * reset, so we must always register a handler to do so. If we're

+ * actually loading a kernel, the handler is also responsible for

+ * arranging that we start it correctly.

+ */

+ for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {

+ qemu_register_reset(do_cpu_reset, ARM_CPU(cs));

+ }

+

+ /*

+ * The board code is not supposed to set secure_board_setup unless

+ * running its code in secure mode is actually possible, and KVM

+ * doesn't support secure.

+ */

+ assert(!(info->secure_board_setup && kvm_enabled()));

+

+ info->dtb_filename = qemu_opt_get(qemu_get_machine_opts(), "dtb");

+ info->dtb_limit = 0;

+

+ /* Load the kernel. */

+ if (!info->kernel_filename || info->firmware_loaded) {

+

+ if (have_dtb(info)) {

+ * If we have a device tree blob, but no kernel to supply it to (or

+ * the kernel is supposed to be loaded by the bootloader), copy the

+ * DTB to the base of RAM for the bootloader to pick up.

+ info->dtb_start = info->loader_start;

+

+ if (info->kernel_filename) {

+ FWCfgState *fw_cfg;

+ bool try_decompressing_kernel;

+

+ fw_cfg = fw_cfg_find();

+ try_decompressing_kernel = arm_feature(&cpu->env,

+ ARM_FEATURE_AARCH64);

+

+ /*

+ * Expose the kernel, the command line, and the initrd in fw_cfg.

+ * We don't process them here at all, it's all left to the

+ * firmware.

+ */

+ load_image_to_fw_cfg(fw_cfg,

+ FW_CFG_KERNEL_SIZE, FW_CFG_KERNEL_DATA,

+ info->kernel_filename,

+ try_decompressing_kernel);

+ load_image_to_fw_cfg(fw_cfg,

+ FW_CFG_INITRD_SIZE, FW_CFG_INITRD_DATA,

+ info->initrd_filename, false);

+

+ if (info->kernel_cmdline) {

+ fw_cfg_add_i32(fw_cfg, FW_CFG_CMDLINE_SIZE,

+ strlen(info->kernel_cmdline) + 1);

+ fw_cfg_add_string(fw_cfg, FW_CFG_CMDLINE_DATA,

+ info->kernel_cmdline);

+ }

+ }

+

+ /*

+ * We will start from address 0 (typically a boot ROM image) in the

+ * same way as hardware.

+ */

+ return;

+ } else {

+ arm_setup_direct_kernel_boot(cpu, info);

+ }

if (!info->skip_dtb_autoload && have_dtb(info)) {

if (arm_load_dtb(info->dtb_start, info, info->dtb_limit, as) < 0) {

From: Richard Henderson <richard.henderson@linaro.org>

This has been enabled in the linux kernel since v3.11

(commit d50240a5f6cea, 2013-09-03,

"arm64: mm: permit use of tagged pointers at EL0").

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20190204132126.3255-5-richard.henderson@linaro.org

target/arm/cpu.c | 6 ++++++

1 file changed, 6 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c

--- a/target/arm/cpu.c

+++ b/target/arm/cpu.c

@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(CPUState *s)

env->vfp.zcr_el[1] = cpu->sve_max_vq - 1;

env->vfp.zcr_el[2] = env->vfp.zcr_el[1];

env->vfp.zcr_el[3] = env->vfp.zcr_el[1];

+ /*

+ * Enable TBI0 and TBI1. While the real kernel only enables TBI0,

+ * turning on both here will produce smaller code and otherwise

+ * make no difference to the user-level emulation.

+ */

+ env->cp15.tcr_el[1].raw_tcr = (3ULL << 37);

#else

/* Reset into the highest available EL */

if (arm_feature(env, ARM_FEATURE_EL3)) {

Caching the bit means that we will not have to re-walk the

page tables to look up the bit during translation.

Message-id: 20190128223118.5255-6-richard.henderson@linaro.org

[PMM: no need to OR in guarded bit status]

target/arm/helper.c | 6 ++++++

1 file changed, 6 insertions(+)

@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,

bool ttbr1_valid;

uint64_t descaddrmask;

bool aarch64 = arm_el_is_aa64(env, el);

+ bool guarded = false;

/* TODO:

* This code does not handle the different format TCR for VTCR_EL2.

@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,

}

/* Merge in attributes from table descriptors */

attrs |= nstable << 3; /* NS */

+ guarded = extract64(descriptor, 50, 1); /* GP */

if (param.hpd) {

/* HPD disables all the table attributes except NSTable. */

break;

@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,

*/

txattrs->secure = false;

}

+ /* When in aarch64 mode, and BTI is enabled, remember GP in the IOTLB. */

+ if (aarch64 && guarded && cpu_isar_feature(aa64_bti, cpu)) {

+ txattrs->target_tlb_bit0 = true;

+ }

if (cacheattrs != NULL) {

if (mmu_idx == ARMMMUIdx_S2NS) {

Enables, but does not turn on, TBI for CONFIG_USER_ONLY.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20190204132126.3255-4-richard.henderson@linaro.org

[PMM: adjusted #ifdeffery to placate clang, which otherwise complains

about static functions that are unused in the CONFIG_USER_ONLY build]

target/arm/internals.h | 21 --------------------

target/arm/helper.c | 45 ++++++++++++++++++++++--------------------

2 files changed, 24 insertions(+), 42 deletions(-)

@@ -XXX,XX +XXX,XX @@ typedef struct ARMVAParameters {

bool using64k : 1;

} ARMVAParameters;

-#ifdef CONFIG_USER_ONLY

-static inline ARMVAParameters aa64_va_parameters_both(CPUARMState *env,

- uint64_t va,

- ARMMMUIdx mmu_idx)

-{

- return (ARMVAParameters) {

- /* 48-bit address space */

- .tsz = 16,

- /* We can't handle tagged addresses properly in user-only mode */

- .tbi = false,

- };

-}

-

-static inline ARMVAParameters aa64_va_parameters(CPUARMState *env,

- uint64_t va,

- ARMMMUIdx mmu_idx, bool data)

-{

- return aa64_va_parameters_both(env, va, mmu_idx);

-}

-#else

ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,

ARMMMUIdx mmu_idx);

ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,

ARMMMUIdx mmu_idx, bool data);

-#endif

#endif

@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(rbit)(uint32_t x)

return revbit32(x);

-#if defined(CONFIG_USER_ONLY)

+#ifdef CONFIG_USER_ONLY

/* These should probably raise undefined insn exceptions. */

void HELPER(v7m_msr)(CPUARMState *env, uint32_t reg, uint32_t val)

@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_interrupt(CPUState *cs)

cs->interrupt_request |= CPU_INTERRUPT_EXITTB;

+#endif /* !CONFIG_USER_ONLY */

/* Return the exception level which controls this address translation regime */

static inline uint32_t regime_el(CPUARMState *env, ARMMMUIdx mmu_idx)

@@ -XXX,XX +XXX,XX @@ static inline uint32_t regime_el(CPUARMState *env, ARMMMUIdx mmu_idx)

}

}

+#ifndef CONFIG_USER_ONLY

+

/* Return the SCTLR value which controls this address translation regime */

static inline uint32_t regime_sctlr(CPUARMState *env, ARMMMUIdx mmu_idx)

{

@@ -XXX,XX +XXX,XX @@ static inline bool regime_translation_big_endian(CPUARMState *env,

return (regime_sctlr(env, mmu_idx) & SCTLR_EE) != 0;

}

+/* Return the TTBR associated with this translation regime */

+static inline uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx,

+ int ttbrn)

+{

+ if (mmu_idx == ARMMMUIdx_S2NS) {

+ return env->cp15.vttbr_el2;

+ }

+ if (ttbrn == 0) {