The following changes since commit 5767815218efd3cbfd409505ed824d5f356044ae:

Merge tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu into staging (2024-02-14 15:45:52 +0000)

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240215

for you to fetch changes up to f780e63fe731b058fe52d43653600d8729a1b5f2:

docs: Add documentation for the mps3-an536 board (2024-02-15 14:32:39 +0000)

* hw/arm/xilinx_zynq: Wire FIQ between CPU <> GIC

* linux-user/aarch64: Choose SYNC as the preferred MTE mode

* Fix some errors in SVE/SME handling of MTE tags

* hw/pci-host/raven.c: Mark raven_io_ops as implementing unaligned accesses

* hw/block/tc58128: Don't emit deprecation warning under qtest

* tests/qtest: Fix handling of npcm7xx and GMAC tests

* hw/arm/virt: Wire up non-secure EL2 virtual timer IRQ

* tests/qtest/npcm7xx_emc-test: Connect all NICs to a backend

* Don't assert on vmload/vmsave of M-profile CPUs

* hw/arm/smmuv3: add support for stage 1 access fault

* hw/arm/stellaris: QOM cleanups

* Use new CBAR encoding for all v8 CPUs, not all aarch64 CPUs

* Improve Cortex_R52 IMPDEF sysreg modelling

* Allow access to SPSR_hyp from hyp mode

* New board model mps3-an536 (Cortex-R52)

Luc Michel (1):

hw/arm/smmuv3: add support for stage 1 access fault

Nabih Estefan (1):

tests/qtest: Fix GMAC test to run on a machine in upstream QEMU

Peter Maydell (22):

hw/pci-host/raven.c: Mark raven_io_ops as implementing unaligned accesses

hw/block/tc58128: Don't emit deprecation warning under qtest

tests/qtest/meson.build: Don't include qtests_npcm7xx in qtests_aarch64

tests/qtest/bios-tables-test: Allow changes to virt GTDT

hw/arm/virt: Wire up non-secure EL2 virtual timer IRQ

tests/qtest/bios-tables-tests: Update virt golden reference

hw/arm/npcm7xx: Call qemu_configure_nic_device() for GMAC modules

tests/qtest/npcm7xx_emc-test: Connect all NICs to a backend

target/arm: Don't get MDCR_EL2 in pmu_counter_enabled() before checking ARM_FEATURE_PMU

target/arm: Use new CBAR encoding for all v8 CPUs, not all aarch64 CPUs

target/arm: The Cortex-R52 has a read-only CBAR

target/arm: Add Cortex-R52 IMPDEF sysregs

target/arm: Allow access to SPSR_hyp from hyp mode

hw/misc/mps2-scc: Fix condition for CFG3 register

hw/misc/mps2-scc: Factor out which-board conditionals

hw/misc/mps2-scc: Make changes needed for AN536 FPGA image

hw/arm/mps3r: Initial skeleton for mps3-an536 board

hw/arm/mps3r: Add CPUs, GIC, and per-CPU RAM

hw/arm/mps3r: Add UARTs

hw/arm/mps3r: Add GPIO, watchdog, dual-timer, I2C devices

hw/arm/mps3r: Add remaining devices

docs: Add documentation for the mps3-an536 board

Philippe Mathieu-Daudé (5):

hw/arm/xilinx_zynq: Wire FIQ between CPU <> GIC

hw/arm/stellaris: Convert ADC controller to Resettable interface

hw/arm/stellaris: Convert I2C controller to Resettable interface

hw/arm/stellaris: Add missing QOM 'machine' parent

hw/arm/stellaris: Add missing QOM 'SoC' parent

From: Philippe Mathieu-Daudé <philmd@linaro.org>

Similarly to commits dadbb58f59..5ae79fe825 for other ARM boards,

connect FIQ output of the GIC CPU interfaces to the CPU.

hw/arm/xilinx_zynq.c | 2 ++

1 file changed, 2 insertions(+)

diff --git a/hw/arm/xilinx_zynq.c b/hw/arm/xilinx_zynq.c

--- a/hw/arm/xilinx_zynq.c

+++ b/hw/arm/xilinx_zynq.c

@@ -XXX,XX +XXX,XX @@ static void zynq_init(MachineState *machine)

sysbus_mmio_map(busdev, 0, MPCORE_PERIPHBASE);

sysbus_connect_irq(busdev, 0,

qdev_get_gpio_in(DEVICE(cpu), ARM_CPU_IRQ));

+ sysbus_connect_irq(busdev, 1,

+ qdev_get_gpio_in(DEVICE(cpu), ARM_CPU_FIQ));

for (n = 0; n < 64; n++) {

pic[n] = qdev_get_gpio_in(dev, n);

2.34.1

The API does not generate an error for setting ASYNC | SYNC; that merely

constrains the selection vs the per-cpu default. For qemu linux-user,

choose SYNC as the default.

Cc: qemu-stable@nongnu.org

Reported-by: Gustavo Romero <gustavo.romero@linaro.org>

Tested-by: Gustavo Romero <gustavo.romero@linaro.org>

Message-id: 20240207025210.8837-2-richard.henderson@linaro.org

linux-user/aarch64/target_prctl.h | 29 +++++++++++++++++------------

1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h

--- a/linux-user/aarch64/target_prctl.h

+++ b/linux-user/aarch64/target_prctl.h

@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_set_tagged_addr_ctrl(CPUArchState *env, abi_long arg2)

env->tagged_addr_enable = arg2 & PR_TAGGED_ADDR_ENABLE;

if (cpu_isar_feature(aa64_mte, cpu)) {

- switch (arg2 & PR_MTE_TCF_MASK) {

- case PR_MTE_TCF_NONE:

- case PR_MTE_TCF_SYNC:

- case PR_MTE_TCF_ASYNC:

- break;

- default:

- return -EINVAL;

- }

-

/*

* Write PR_MTE_TCF to SCTLR_EL1[TCF0].

- * Note that the syscall values are consistent with hw.

+ *

+ * The kernel has a per-cpu configuration for the sysadmin,

+ * /sys/devices/system/cpu/cpu<N>/mte_tcf_preferred,

+ * which qemu does not implement.

+ *

+ * Because there is no performance difference between the modes, and

+ * because SYNC is most useful for debugging MTE errors, choose SYNC

+ * as the preferred mode. With this preference, and the way the API

+ * uses only two bits, there is no way for the program to select

+ * ASYMM mode.

*/

- env->cp15.sctlr_el[1] =

- deposit64(env->cp15.sctlr_el[1], 38, 2, arg2 >> PR_MTE_TCF_SHIFT);

+ unsigned tcf = 0;

+ if (arg2 & PR_MTE_TCF_SYNC) {

+ tcf = 1;

+ } else if (arg2 & PR_MTE_TCF_ASYNC) {

+ tcf = 2;

+ env->cp15.sctlr_el[1] = deposit64(env->cp15.sctlr_el[1], 38, 2, tcf);

/*

* Write PR_MTE_TAG to GCR_EL1[Exclude].

2.34.1

The field is encoded as [0-3], which is convenient for

indexing our array of function pointers, but the true

value is [1-4]. Adjust before calling do_mem_zpa.

target/arm/tcg/translate-sve.c | 16 ++++++++--------

1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c

--- a/target/arm/tcg/translate-sve.c

+++ b/target/arm/tcg/translate-sve.c

@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,

TCGv_ptr t_pg;

int desc = 0;

- /*

- * For e.g. LD4, there are not enough arguments to pass all 4

- * registers as pointers, so encode the regno into the data field.

- * For consistency, do this even for LD1.

- */

+ assert(mte_n >= 1 && mte_n <= 4);

if (s->mte_active[0]) {

int msz = dtype_msz(dtype);

@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,

addr = clean_data_tbi(s, addr);

+ /*

+ * For e.g. LD4, there are not enough arguments to pass all 4

+ * registers as pointers, so encode the regno into the data field.

+ * For consistency, do this even for LD1.

+ */

desc = simd_desc(vsz, vsz, zt | desc);

t_pg = tcg_temp_new_ptr();

@@ -XXX,XX +XXX,XX @@ static void do_ld_zpa(DisasContext *s, int zt, int pg,

* accessible via the instruction encoding.

*/

assert(fn != NULL);

- do_mem_zpa(s, zt, pg, addr, dtype, nreg, false, fn);

+ do_mem_zpa(s, zt, pg, addr, dtype, nreg + 1, false, fn);

static bool trans_LD_zprr(DisasContext *s, arg_rprr_load *a)

@@ -XXX,XX +XXX,XX @@ static void do_st_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,

if (nreg == 0) {

/* ST1 */

fn = fn_single[s->mte_active[0]][be][msz][esz];

- nreg = 1;

} else {

/* ST2, ST3, ST4 -- msz == esz, enforced by encoding */

assert(msz == esz);

fn = fn_multiple[s->mte_active[0]][be][nreg - 1][msz];

}

assert(fn != NULL);

- do_mem_zpa(s, zt, pg, addr, msz_dtype(s, msz), nreg, true, fn);

+ do_mem_zpa(s, zt, pg, addr, msz_dtype(s, msz), nreg + 1, true, fn);

}

static bool trans_ST_zprr(DisasContext *s, arg_rprr_store *a)

2.34.1

When we added SVE_MTEDESC_SHIFT, we effectively limited the

maximum size of MTEDESC. Adjust SIZEM1 to consume the remaining

bits (32 - 10 - 5 - 12 == 5). Assert that the data to be stored

fits within the field (expecting 8 * 4 - 1 == 31, exact fit).

Cc: qemu-stable@nongnu.org

Tested-by: Gustavo Romero <gustavo.romero@linaro.org>

Message-id: 20240207025210.8837-4-richard.henderson@linaro.org

target/arm/internals.h | 2 +-

target/arm/tcg/translate-sve.c | 7 ++++---

2 files changed, 5 insertions(+), 4 deletions(-)

@@ -XXX,XX +XXX,XX @@ FIELD(MTEDESC, TBI, 4, 2)

FIELD(MTEDESC, TCMA, 6, 2)

FIELD(MTEDESC, WRITE, 8, 1)

FIELD(MTEDESC, ALIGN, 9, 3)

-FIELD(MTEDESC, SIZEM1, 12, SIMD_DATA_BITS - 12) /* size - 1 */

+FIELD(MTEDESC, SIZEM1, 12, SIMD_DATA_BITS - SVE_MTEDESC_SHIFT - 12) /* size - 1 */

bool mte_probe(CPUARMState *env, uint32_t desc, uint64_t ptr);

uint64_t mte_check(CPUARMState *env, uint32_t desc, uint64_t ptr, uintptr_t ra);

diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c

index XXXXXXX..XXXXXXX 100644

--- a/target/arm/tcg/translate-sve.c

+++ b/target/arm/tcg/translate-sve.c

@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,

unsigned vsz = vec_full_reg_size(s);

TCGv_ptr t_pg;

+ uint32_t sizem1;

int desc = 0;

assert(mte_n >= 1 && mte_n <= 4);

+ sizem1 = (mte_n << dtype_msz(dtype)) - 1;

+ assert(sizem1 <= R_MTEDESC_SIZEM1_MASK >> R_MTEDESC_SIZEM1_SHIFT);

if (s->mte_active[0]) {

- int msz = dtype_msz(dtype);

-

desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));

desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);

desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);

desc = FIELD_DP32(desc, MTEDESC, WRITE, is_write);

- desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (mte_n << msz) - 1);

+ desc = FIELD_DP32(desc, MTEDESC, SIZEM1, sizem1);

desc <<= SVE_MTEDESC_SHIFT;

} else {

addr = clean_data_tbi(s, addr);

2.34.1

Share code that creates mtedesc and embeds within simd_desc.

Tested-by: Gustavo Romero <gustavo.romero@linaro.org>

Message-id: 20240207025210.8837-5-richard.henderson@linaro.org

target/arm/tcg/translate-a64.h | 2 ++

target/arm/tcg/translate-sme.c | 15 +++--------

target/arm/tcg/translate-sve.c | 47 ++++++++++++++++++----------------

3 files changed, 31 insertions(+), 33 deletions(-)

diff --git a/target/arm/tcg/translate-a64.h b/target/arm/tcg/translate-a64.h

--- a/target/arm/tcg/translate-a64.h

+++ b/target/arm/tcg/translate-a64.h

@@ -XXX,XX +XXX,XX @@ bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,

bool sve_access_check(DisasContext *s);

bool sme_enabled_check(DisasContext *s);

bool sme_enabled_check_with_svcr(DisasContext *s, unsigned);

+uint32_t make_svemte_desc(DisasContext *s, unsigned vsz, uint32_t nregs,

+ uint32_t msz, bool is_write, uint32_t data);

/* This function corresponds to CheckStreamingSVEEnabled. */

static inline bool sme_sm_enabled_check(DisasContext *s)

diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c

index XXXXXXX..XXXXXXX 100644

--- a/target/arm/tcg/translate-sme.c

+++ b/target/arm/tcg/translate-sme.c

@@ -XXX,XX +XXX,XX @@ static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)

TCGv_ptr t_za, t_pg;

TCGv_i64 addr;

- int svl, desc = 0;

+ uint32_t desc;

bool be = s->be_data == MO_BE;

bool mte = s->mte_active[0];

@@ -XXX,XX +XXX,XX @@ static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)

tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), a->esz);

tcg_gen_add_i64(addr, addr, cpu_reg_sp(s, a->rn));

- if (mte) {

- desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));

- desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);

- desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);

- desc = FIELD_DP32(desc, MTEDESC, WRITE, a->st);

- desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (1 << a->esz) - 1);

- desc <<= SVE_MTEDESC_SHIFT;

- } else {

+ if (!mte) {

addr = clean_data_tbi(s, addr);

}

- svl = streaming_vec_reg_size(s);

- desc = simd_desc(svl, svl, desc);

+

+ desc = make_svemte_desc(s, streaming_vec_reg_size(s), 1, a->esz, a->st, 0);

fns[a->esz][be][a->v][mte][a->st](tcg_env, t_za, t_pg, addr,

tcg_constant_i32(desc));

diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c

index XXXXXXX..XXXXXXX 100644

--- a/target/arm/tcg/translate-sve.c

+++ b/target/arm/tcg/translate-sve.c

@@ -XXX,XX +XXX,XX @@ static const uint8_t dtype_esz[16] = {

3, 2, 1, 3

};

-static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,

- int dtype, uint32_t mte_n, bool is_write,

- gen_helper_gvec_mem *fn)

+uint32_t make_svemte_desc(DisasContext *s, unsigned vsz, uint32_t nregs,

+ uint32_t msz, bool is_write, uint32_t data)

- unsigned vsz = vec_full_reg_size(s);

- TCGv_ptr t_pg;

uint32_t sizem1;

- int desc = 0;

+ uint32_t desc = 0;

- assert(mte_n >= 1 && mte_n <= 4);

- sizem1 = (mte_n << dtype_msz(dtype)) - 1;

+ /* Assert all of the data fits, with or without MTE enabled. */

+ assert(nregs >= 1 && nregs <= 4);

+ sizem1 = (nregs << msz) - 1;

assert(sizem1 <= R_MTEDESC_SIZEM1_MASK >> R_MTEDESC_SIZEM1_SHIFT);

+ assert(data < 1u << SVE_MTEDESC_SHIFT);

+

if (s->mte_active[0]) {

desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));

desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);

@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,

desc = FIELD_DP32(desc, MTEDESC, WRITE, is_write);

desc = FIELD_DP32(desc, MTEDESC, SIZEM1, sizem1);

desc <<= SVE_MTEDESC_SHIFT;

- } else {

+ }

+ return simd_desc(vsz, vsz, desc | data);

+}

+

+static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,

+ int dtype, uint32_t nregs, bool is_write,

+ gen_helper_gvec_mem *fn)

+{

+ TCGv_ptr t_pg;

+ uint32_t desc;

+

+ if (!s->mte_active[0]) {

addr = clean_data_tbi(s, addr);

}

@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,

* registers as pointers, so encode the regno into the data field.

* For consistency, do this even for LD1.

*/

- desc = simd_desc(vsz, vsz, zt | desc);

+ desc = make_svemte_desc(s, vec_full_reg_size(s), nregs,

+ dtype_msz(dtype), is_write, zt);

t_pg = tcg_temp_new_ptr();

tcg_gen_addi_ptr(t_pg, tcg_env, pred_full_reg_offset(s, pg));

@@ -XXX,XX +XXX,XX @@ static void do_mem_zpz(DisasContext *s, int zt, int pg, int zm,

int scale, TCGv_i64 scalar, int msz, bool is_write,

gen_helper_gvec_mem_scatter *fn)

{

- unsigned vsz = vec_full_reg_size(s);

TCGv_ptr t_zm = tcg_temp_new_ptr();

TCGv_ptr t_pg = tcg_temp_new_ptr();

TCGv_ptr t_zt = tcg_temp_new_ptr();

- int desc = 0;

-

- if (s->mte_active[0]) {

- desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));

- desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);

- desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);

- desc = FIELD_DP32(desc, MTEDESC, WRITE, is_write);

- desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (1 << msz) - 1);

- desc <<= SVE_MTEDESC_SHIFT;

- }

- desc = simd_desc(vsz, vsz, desc | scale);

+ uint32_t desc;

tcg_gen_addi_ptr(t_pg, tcg_env, pred_full_reg_offset(s, pg));

tcg_gen_addi_ptr(t_zm, tcg_env, vec_full_reg_offset(s, zm));

tcg_gen_addi_ptr(t_zt, tcg_env, vec_full_reg_offset(s, zt));

+

+ desc = make_svemte_desc(s, vec_full_reg_size(s), 1, msz, is_write, scale);

fn(tcg_env, t_zt, t_pg, t_zm, scalar, tcg_constant_i32(desc));

2.34.1

Tested-by: Gustavo Romero <gustavo.romero@linaro.org>

Message-id: 20240207025210.8837-6-richard.henderson@linaro.org

target/arm/tcg/translate-sve.c | 15 +++++++++++++--

1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c

--- a/target/arm/tcg/translate-sve.c

+++ b/target/arm/tcg/translate-sve.c

@@ -XXX,XX +XXX,XX @@ static void do_ldrq(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)

unsigned vsz = vec_full_reg_size(s);

TCGv_ptr t_pg;

int poff;

+ uint32_t desc;

/* Load the first quadword using the normal predicated load helpers. */

+ if (!s->mte_active[0]) {

+ addr = clean_data_tbi(s, addr);

+ }

poff = pred_full_reg_offset(s, pg);

if (vsz > 16) {

/*

@@ -XXX,XX +XXX,XX @@ static void do_ldrq(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)

gen_helper_gvec_mem *fn

= ldr_fns[s->mte_active[0]][s->be_data == MO_BE][dtype][0];

- fn(tcg_env, t_pg, addr, tcg_constant_i32(simd_desc(16, 16, zt)));

+ desc = make_svemte_desc(s, 16, 1, dtype_msz(dtype), false, zt);

+ fn(tcg_env, t_pg, addr, tcg_constant_i32(desc));

/* Replicate that first quadword. */

if (vsz > 16) {

@@ -XXX,XX +XXX,XX @@ static void do_ldro(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)

unsigned vsz_r32;

TCGv_ptr t_pg;

int poff, doff;

+ uint32_t desc;

if (vsz < 32) {

/*

@@ -XXX,XX +XXX,XX @@ static void do_ldro(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)

}

/* Load the first octaword using the normal predicated load helpers. */

+ if (!s->mte_active[0]) {

+ addr = clean_data_tbi(s, addr);

+ }

poff = pred_full_reg_offset(s, pg);

if (vsz > 32) {

@@ -XXX,XX +XXX,XX @@ static void do_ldro(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)

gen_helper_gvec_mem *fn

= ldr_fns[s->mte_active[0]][s->be_data == MO_BE][dtype][0];

- fn(tcg_env, t_pg, addr, tcg_constant_i32(simd_desc(32, 32, zt)));

+ desc = make_svemte_desc(s, 32, 1, dtype_msz(dtype), false, zt);

+ fn(tcg_env, t_pg, addr, tcg_constant_i32(desc));

/*

* Replicate that first octaword.

2.34.1

Tested-by: Gustavo Romero <gustavo.romero@linaro.org>

Message-id: 20240207025210.8837-7-richard.henderson@linaro.org

target/arm/tcg/sme_helper.c | 8 ++++----

target/arm/tcg/sve_helper.c | 12 ++++++------

2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c

--- a/target/arm/tcg/sme_helper.c

+++ b/target/arm/tcg/sme_helper.c

@@ -XXX,XX +XXX,XX @@ void sme_ld1_mte(CPUARMState *env, void *za, uint64_t *vg,

desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);

/* Perform gross MTE suppression early. */

- if (!tbi_check(desc, bit55) ||

- tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {

+ if (!tbi_check(mtedesc, bit55) ||

+ tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {

mtedesc = 0;

}

@@ -XXX,XX +XXX,XX @@ void sme_st1_mte(CPUARMState *env, void *za, uint64_t *vg, target_ulong addr,

desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);

/* Perform gross MTE suppression early. */

- if (!tbi_check(desc, bit55) ||

- tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {

+ if (!tbi_check(mtedesc, bit55) ||

+ tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {

mtedesc = 0;

}

diff --git a/target/arm/tcg/sve_helper.c b/target/arm/tcg/sve_helper.c

index XXXXXXX..XXXXXXX 100644

--- a/target/arm/tcg/sve_helper.c

+++ b/target/arm/tcg/sve_helper.c

@@ -XXX,XX +XXX,XX @@ void sve_ldN_r_mte(CPUARMState *env, uint64_t *vg, target_ulong addr,

desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);

/* Perform gross MTE suppression early. */

- if (!tbi_check(desc, bit55) ||

- tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {

+ if (!tbi_check(mtedesc, bit55) ||

+ tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {

mtedesc = 0;

}

@@ -XXX,XX +XXX,XX @@ void sve_ldnfff1_r_mte(CPUARMState *env, void *vg, target_ulong addr,

desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);

/* Perform gross MTE suppression early. */

- if (!tbi_check(desc, bit55) ||

- tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {

+ if (!tbi_check(mtedesc, bit55) ||

+ tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {

mtedesc = 0;

}

@@ -XXX,XX +XXX,XX @@ void sve_stN_r_mte(CPUARMState *env, uint64_t *vg, target_ulong addr,

desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);

/* Perform gross MTE suppression early. */

- if (!tbi_check(desc, bit55) ||

- tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {

+ if (!tbi_check(mtedesc, bit55) ||

+ tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {

mtedesc = 0;

}

2.34.1

Armv8.1+ CPUs have the Virtual Host Extension (VHE) which adds a

non-secure EL2 virtual timer. We implemented the timer itself in the

CPU model, but never wired up its IRQ line to the GIC.

Wire up the IRQ line (this is always safe whether the CPU has the

interrupt or not, since it always creates the outbound IRQ line).

Report it to the guest via dtb and ACPI if the CPU has the feature.

The DTB binding is documented in the kernel's

Documentation/devicetree/bindings/timer/arm\,arch_timer.yaml

and the ACPI table entries are documented in the ACPI specification

version 6.3 or later.

Because the IRQ line ACPI binding is new in 6.3, we need to bump the

FADT table rev to show that we might be using 6.3 features.

Note that exposing this IRQ in the DTB will trigger a bug in EDK2

versions prior to edk2-stable202311, for users who use the virt board

with 'virtualization=on' to enable EL2 emulation and are booting an

EDK2 guest BIOS, if that EDK2 has assertions enabled. The effect is

that EDK2 will assert on bootup:

ASSERT [ArmTimerDxe] /home/kraxel/projects/qemu/roms/edk2/ArmVirtPkg/Library/ArmVirtTimerFdtClientLib/ArmVirtTimerFdtClientLib.c(72): PropSize == 36 || PropSize == 48

If you see that assertion you should do one of:

* update your EDK2 binaries to edk2-stable202311 or newer

* use the 'virt-8.2' versioned machine type

* not use 'virtualization=on'

(The versions shipped with QEMU itself have the fix.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Ard Biesheuvel <ardb@kernel.org>

Message-id: 20240122143537.233498-3-peter.maydell@linaro.org

---

include/hw/arm/virt.h | 2 ++

hw/arm/virt-acpi-build.c | 20 ++++++++++----

hw/arm/virt.c | 60 ++++++++++++++++++++++++++++++++++------

3 files changed, 67 insertions(+), 15 deletions(-)

diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h

index XXXXXXX..XXXXXXX 100644

--- a/include/hw/arm/virt.h

+++ b/include/hw/arm/virt.h

@@ -XXX,XX +XXX,XX @@ struct VirtMachineClass {

/* Machines < 6.2 have no support for describing cpu topology to guest */

bool no_cpu_topology;

bool no_tcg_lpa2;

+ bool no_ns_el2_virt_timer_irq;

};

struct VirtMachineState {

@@ -XXX,XX +XXX,XX @@ struct VirtMachineState {

PCIBus *bus;

char *oem_id;

char *oem_table_id;

+ bool ns_el2_virt_timer_irq;

};

#define VIRT_ECAM_ID(high) (high ? VIRT_HIGH_PCIE_ECAM : VIRT_PCIE_ECAM)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c

index XXXXXXX..XXXXXXX 100644