Series comparison

-[PULL 0/6] riscv-to-apply queue
+[PULL 00/16] riscv-to-apply queue
-The following changes since commit 3c8c36c9087da957f580a9bb5ebf7814a753d1c6:
+The following changes since commit c95bd5ff1660883d15ad6e0005e4c8571604f51a:
-  Merge remote-tracking branch 'remotes/kraxel/tags/ui-20201104-pull-request' into staging (2020-11-04 16:52:17 +0000)
+  Merge remote-tracking branch 'remotes/philmd/tags/mips-fixes-20210322' into staging (2021-03-22 14:26:13 +0000)
 are available in the Git repository at:
-  git@github.com:alistair23/qemu.git tags/pull-riscv-to-apply-20201109
+  git@github.com:alistair23/qemu.git tags/pull-riscv-to-apply-20210322-2
-for you to fetch changes up to 96338fefc19a143abdc91f6c44f37683274b08d4:
+for you to fetch changes up to 9a27f69bd668d9d71674407badc412ce1231c7d5:
-  hw/intc/ibex_plic: Clear the claim register when read (2020-11-09 15:09:53 -0800)
+  target/riscv: Prevent lost illegal instruction exceptions (2021-03-22 21:54:40 -0400)
 ----------------------------------------------------------------
-This fixes two bugs in the RISC-V port. One is a bug in the
+RISC-V PR for 6.0
-Ibex PLIC, the other fixes the Hypvervisor access functions.
 This PR includes:
  - Fix for vector CSR access
  - Improvements to the Ibex UART device
  - PMP improvements and bug fixes
  - Hypervisor extension bug fixes
  - ramfb support for the virt machine
  - Fast read support for SST flash
  - Improvements to the microchip_pfsoc machine
 ----------------------------------------------------------------
-Alistair Francis (6):
+Alexander Wagner (1):
-      target/riscv: Add a virtualised MMU Mode
+      hw/char: disable ibex uart receive if the buffer is full
       target/riscv: Set the virtualised MMU mode when doing hyp accesses
       target/riscv: Remove the HS_TWO_STAGE flag
       target/riscv: Remove the hyp load and store functions
       target/riscv: Split the Hypervisor execute load helpers
       hw/intc/ibex_plic: Clear the claim register when read
- target/riscv/cpu-param.h                |  11 ++-
+Asherah Connor (2):
- target/riscv/cpu.h                      |  19 ++++-
+      hw/riscv: Add fw_cfg support to virt
- target/riscv/cpu_bits.h                 |   1 -
+      hw/riscv: allow ramfb on virt
  target/riscv/helper.h                   |   5 +-
  hw/intc/ibex_plic.c                     |   3 +
  target/riscv/cpu_helper.c               |  62 ++++++--------
  target/riscv/op_helper.c                | 124 ++-------------------------
  target/riscv/translate.c                |   2 +
  target/riscv/insn_trans/trans_rvh.c.inc | 143 ++++++++++++--------------------
 files changed, 115 insertions(+), 255 deletions(-)
+Bin Meng (3):
+      hw/block: m25p80: Support fast read for SST flashes
+      hw/riscv: microchip_pfsoc: Map EMMC/SD mux register
+      docs/system: riscv: Add documentation for 'microchip-icicle-kit' machine
+Frank Chang (1):
+      target/riscv: fix vs() to return proper error code
+Georg Kotheimer (6):
+      target/riscv: Adjust privilege level for HLV(X)/HSV instructions
+      target/riscv: Make VSTIP and VSEIP read-only in hip
+      target/riscv: Use background registers also for MSTATUS_MPV
+      target/riscv: Fix read and write accesses to vsip and vsie
+      target/riscv: Add proper two-stage lookup exception detection
+      target/riscv: Prevent lost illegal instruction exceptions
+Jim Shu (3):
+      target/riscv: propagate PMP permission to TLB page
+      target/riscv: add log of PMP permission checking
+      target/riscv: flush TLB pages if PMP permission has been changed
+ docs/system/riscv/microchip-icicle-kit.rst |  89 ++++++++++++++
+ docs/system/target-riscv.rst               |   1 +
+ include/hw/char/ibex_uart.h                |   4 +
+ include/hw/riscv/microchip_pfsoc.h         |   1 +
+ include/hw/riscv/virt.h                    |   2 +
+ target/riscv/cpu.h                         |   4 +
+ target/riscv/pmp.h                         |   4 +-
+ hw/block/m25p80.c                          |   3 +
+ hw/char/ibex_uart.c                        |  23 +++-
+ hw/riscv/microchip_pfsoc.c                 |   6 +
+ hw/riscv/virt.c                            |  33 ++++++
+ target/riscv/cpu.c                         |   1 +
+ target/riscv/cpu_helper.c                  | 144 +++++++++++++++--------
+ target/riscv/csr.c                         |  77 +++++++------
+ target/riscv/pmp.c                         |  84 ++++++++++----
+ target/riscv/translate.c                   | 179 +----------------------------
+ hw/riscv/Kconfig                           |   1 +
+files changed, 367 insertions(+), 289 deletions(-)
+ create mode 100644 docs/system/riscv/microchip-icicle-kit.rst

-New patch
+[PULL 01/16] target/riscv: fix vs() to return proper error code
+From: Frank Chang <frank.chang@sifive.com>
+vs() should return -RISCV_EXCP_ILLEGAL_INST instead of -1 if rvv feature
+is not enabled.
+If -1 is returned, exception will be raised and cs->exception_index will
+be set to the negative return value. The exception will then be treated
+as an instruction access fault instead of illegal instruction fault.
+Signed-off-by: Frank Chang <frank.chang@sifive.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20210223065935.20208-1-frank.chang@sifive.com
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+---
+ target/riscv/csr.c | 2 +-
+file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/target/riscv/csr.c b/target/riscv/csr.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/riscv/csr.c
++++ b/target/riscv/csr.c
+@@ -XXX,XX +XXX,XX @@ static int vs(CPURISCVState *env, int csrno)
+     if (env->misa & RVV) {
+         return 0;
+     }
+-    return -1;
++    return -RISCV_EXCP_ILLEGAL_INST;
+ }
+ static int ctr(CPURISCVState *env, int csrno)
+--
+.30.1

-New patch
+[PULL 02/16] hw/char: disable ibex uart receive if the buffer is full
+From: Alexander Wagner <alexander.wagner@ulal.de>
+Not disabling the UART leads to QEMU overwriting the UART receive buffer with
+the newest received byte. The rx_level variable is added to allow the use of
+the existing OpenTitan driver libraries.
+Signed-off-by: Alexander Wagner <alexander.wagner@ulal.de>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20210309152130.13038-1-alexander.wagner@ulal.de
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+---
+ include/hw/char/ibex_uart.h |  4 ++++
+ hw/char/ibex_uart.c         | 23 ++++++++++++++++++-----
+files changed, 22 insertions(+), 5 deletions(-)
+diff --git a/include/hw/char/ibex_uart.h b/include/hw/char/ibex_uart.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/char/ibex_uart.h
++++ b/include/hw/char/ibex_uart.h
+@@ -XXX,XX +XXX,XX @@ REG32(FIFO_CTRL, 0x1c)
+     FIELD(FIFO_CTRL, RXILVL, 2, 3)
+     FIELD(FIFO_CTRL, TXILVL, 5, 2)
+ REG32(FIFO_STATUS, 0x20)
++    FIELD(FIFO_STATUS, TXLVL, 0, 5)
++    FIELD(FIFO_STATUS, RXLVL, 16, 5)
+ REG32(OVRD, 0x24)
+ REG32(VAL, 0x28)
+ REG32(TIMEOUT_CTRL, 0x2c)
+@@ -XXX,XX +XXX,XX @@ struct IbexUartState {
+     uint8_t tx_fifo[IBEX_UART_TX_FIFO_SIZE];
+     uint32_t tx_level;
++    uint32_t rx_level;
++
+     QEMUTimer *fifo_trigger_handle;
+     uint64_t char_tx_time;
+diff --git a/hw/char/ibex_uart.c b/hw/char/ibex_uart.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/char/ibex_uart.c
++++ b/hw/char/ibex_uart.c
+@@ -XXX,XX +XXX,XX @@ static int ibex_uart_can_receive(void *opaque)
+ {
+     IbexUartState *s = opaque;
+-    if (s->uart_ctrl & R_CTRL_RX_ENABLE_MASK) {
++    if ((s->uart_ctrl & R_CTRL_RX_ENABLE_MASK)
++           && !(s->uart_status & R_STATUS_RXFULL_MASK)) {
+         return 1;
+     }
+@@ -XXX,XX +XXX,XX @@ static void ibex_uart_receive(void *opaque, const uint8_t *buf, int size)
+     s->uart_status &= ~R_STATUS_RXIDLE_MASK;
+     s->uart_status &= ~R_STATUS_RXEMPTY_MASK;
++    /* The RXFULL is set after receiving a single byte
++     * as the FIFO buffers are not yet implemented.
++     */
++    s->uart_status |= R_STATUS_RXFULL_MASK;
++    s->rx_level += 1;
+     if (size > rx_fifo_level) {
+         s->uart_intr_state |= R_INTR_STATE_RX_WATERMARK_MASK;
+@@ -XXX,XX +XXX,XX @@ static void ibex_uart_reset(DeviceState *dev)
+     s->uart_timeout_ctrl = 0x00000000;
+     s->tx_level = 0;
++    s->rx_level = 0;
+     s->char_tx_time = (NANOSECONDS_PER_SECOND / 230400) * 10;
+@@ -XXX,XX +XXX,XX @@ static uint64_t ibex_uart_read(void *opaque, hwaddr addr,
+     case R_RDATA:
+         retvalue = s->uart_rdata;
+-        if (s->uart_ctrl & R_CTRL_RX_ENABLE_MASK) {
++        if ((s->uart_ctrl & R_CTRL_RX_ENABLE_MASK) && (s->rx_level > 0)) {
+             qemu_chr_fe_accept_input(&s->chr);
+-            s->uart_status |= R_STATUS_RXIDLE_MASK;
+-            s->uart_status |= R_STATUS_RXEMPTY_MASK;
++            s->rx_level -= 1;
++            s->uart_status &= ~R_STATUS_RXFULL_MASK;
++            if (s->rx_level == 0) {
++                s->uart_status |= R_STATUS_RXIDLE_MASK;
++                s->uart_status |= R_STATUS_RXEMPTY_MASK;
++            }
+         }
+         break;
+     case R_WDATA:
+@@ -XXX,XX +XXX,XX @@ static uint64_t ibex_uart_read(void *opaque, hwaddr addr,
+     case R_FIFO_STATUS:
+         retvalue = s->uart_fifo_status;
+-        retvalue |= s->tx_level & 0x1F;
++        retvalue |= (s->rx_level & 0x1F) << R_FIFO_STATUS_RXLVL_SHIFT;
++        retvalue |= (s->tx_level & 0x1F) << R_FIFO_STATUS_TXLVL_SHIFT;
+         qemu_log_mask(LOG_UNIMP,
+                       "%s: RX fifos are not supported\n", __func__);
+@@ -XXX,XX +XXX,XX @@ static void ibex_uart_write(void *opaque, hwaddr addr,
+         s->uart_fifo_ctrl = value;
+         if (value & R_FIFO_CTRL_RXRST_MASK) {
++            s->rx_level = 0;
+             qemu_log_mask(LOG_UNIMP,
+                           "%s: RX fifos are not supported\n", __func__);
+         }
+--
+.30.1

-New patch
+[PULL 03/16] target/riscv: propagate PMP permission to TLB page
+From: Jim Shu <cwshu@andestech.com>
 Currently, PMP permission checking of TLB page is bypassed if TLB hits
 Fix it by propagating PMP permission to TLB page permission.
 PMP permission checking also use MMU-style API to change TLB permission
 and size.
 Signed-off-by: Jim Shu <cwshu@andestech.com>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Message-id: 1613916082-19528-2-git-send-email-cwshu@andestech.com
 Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
 ---
  target/riscv/pmp.h        |  4 +-
  target/riscv/cpu_helper.c | 84 +++++++++++++++++++++++++++++----------
  target/riscv/pmp.c        | 80 +++++++++++++++++++++++++++----------
 files changed, 125 insertions(+), 43 deletions(-)
 diff --git a/target/riscv/pmp.h b/target/riscv/pmp.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/pmp.h
 +++ b/target/riscv/pmp.h
@@ -XXX,XX +XXX,XX @@ void pmpaddr_csr_write(CPURISCVState *env, uint32_t addr_index,
      target_ulong val);
  target_ulong pmpaddr_csr_read(CPURISCVState *env, uint32_t addr_index);
  bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr,
 -    target_ulong size, pmp_priv_t priv, target_ulong mode);
 +    target_ulong size, pmp_priv_t privs, pmp_priv_t *allowed_privs,
 +    target_ulong mode);
  bool pmp_is_range_in_tlb(CPURISCVState *env, hwaddr tlb_sa,
                           target_ulong *tlb_size);
  void pmp_update_rule_addr(CPURISCVState *env, uint32_t pmp_index);
  void pmp_update_rule_nums(CPURISCVState *env);
  uint32_t pmp_get_num_rules(CPURISCVState *env);
 +int pmp_priv_to_page_prot(pmp_priv_t pmp_priv);
  #endif
 diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/cpu_helper.c
 +++ b/target/riscv/cpu_helper.c
@@ -XXX,XX +XXX,XX @@ void riscv_cpu_set_mode(CPURISCVState *env, target_ulong newpriv)
      env->load_res = -1;
  }
 +/*
 + * get_physical_address_pmp - check PMP permission for this physical address
 + *
 + * Match the PMP region and check permission for this physical address and it's
 + * TLB page. Returns 0 if the permission checking was successful
 + *
 + * @env: CPURISCVState
 + * @prot: The returned protection attributes
 + * @tlb_size: TLB page size containing addr. It could be modified after PMP
 + *            permission checking. NULL if not set TLB page for addr.
 + * @addr: The physical address to be checked permission
 + * @access_type: The type of MMU access
 + * @mode: Indicates current privilege level.
 + */
 +static int get_physical_address_pmp(CPURISCVState *env, int *prot,
 +                                    target_ulong *tlb_size, hwaddr addr,
 +                                    int size, MMUAccessType access_type,
 +                                    int mode)
 +{
 +    pmp_priv_t pmp_priv;
 +    target_ulong tlb_size_pmp = 0;
 +
 +    if (!riscv_feature(env, RISCV_FEATURE_PMP)) {
 +        *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
 +        return TRANSLATE_SUCCESS;
 +    }
 +
 +    if (!pmp_hart_has_privs(env, addr, size, 1 << access_type, &pmp_priv,
 +                            mode)) {
 +        *prot = 0;
 +        return TRANSLATE_PMP_FAIL;
 +    }
 +
 +    *prot = pmp_priv_to_page_prot(pmp_priv);
 +    if (tlb_size != NULL) {
 +        if (pmp_is_range_in_tlb(env, addr & ~(*tlb_size - 1), &tlb_size_pmp)) {
 +            *tlb_size = tlb_size_pmp;
 +        }
 +    }
 +
 +    return TRANSLATE_SUCCESS;
 +}
 +
  /* get_physical_address - get the physical address for this virtual address
   *
   * Do a page table walk to obtain the physical address corresponding to a
@@ -XXX,XX +XXX,XX @@ restart:
              pte_addr = base + idx * ptesize;
          }
 -        if (riscv_feature(env, RISCV_FEATURE_PMP) &&
 -            !pmp_hart_has_privs(env, pte_addr, sizeof(target_ulong),
 -            1 << MMU_DATA_LOAD, PRV_S)) {
 +        int pmp_prot;
 +        int pmp_ret = get_physical_address_pmp(env, &pmp_prot, NULL, pte_addr,
 +                                               sizeof(target_ulong),
 +                                               MMU_DATA_LOAD, PRV_S);
 +        if (pmp_ret != TRANSLATE_SUCCESS) {
              return TRANSLATE_PMP_FAIL;
          }
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
  #ifndef CONFIG_USER_ONLY
      vaddr im_address;
      hwaddr pa = 0;
 -    int prot, prot2;
 +    int prot, prot2, prot_pmp;
      bool pmp_violation = false;
      bool first_stage_error = true;
      bool two_stage_lookup = false;
      int ret = TRANSLATE_FAIL;
      int mode = mmu_idx;
 -    target_ulong tlb_size = 0;
 +    /* default TLB page size */
 +    target_ulong tlb_size = TARGET_PAGE_SIZE;
      env->guest_phys_fault_addr = 0;
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
              prot &= prot2;
 -            if (riscv_feature(env, RISCV_FEATURE_PMP) &&
 -                (ret == TRANSLATE_SUCCESS) &&
 -                !pmp_hart_has_privs(env, pa, size, 1 << access_type, mode)) {
 -                ret = TRANSLATE_PMP_FAIL;
 +            if (ret == TRANSLATE_SUCCESS) {
 +                ret = get_physical_address_pmp(env, &prot_pmp, &tlb_size, pa,
 +                                               size, access_type, mode);
 +                prot &= prot_pmp;
              }
              if (ret != TRANSLATE_SUCCESS) {
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
                        "%s address=%" VADDR_PRIx " ret %d physical "
                        TARGET_FMT_plx " prot %d\n",
                        __func__, address, ret, pa, prot);
 -    }
 -    if (riscv_feature(env, RISCV_FEATURE_PMP) &&
 -        (ret == TRANSLATE_SUCCESS) &&
 -        !pmp_hart_has_privs(env, pa, size, 1 << access_type, mode)) {
 -        ret = TRANSLATE_PMP_FAIL;
 +        if (ret == TRANSLATE_SUCCESS) {
 +            ret = get_physical_address_pmp(env, &prot_pmp, &tlb_size, pa,
 +                                           size, access_type, mode);
 +            prot &= prot_pmp;
 +        }
      }
 +
      if (ret == TRANSLATE_PMP_FAIL) {
          pmp_violation = true;
      }
      if (ret == TRANSLATE_SUCCESS) {
 -        if (pmp_is_range_in_tlb(env, pa & TARGET_PAGE_MASK, &tlb_size)) {
 -            tlb_set_page(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1),
 -                         prot, mmu_idx, tlb_size);
 -        } else {
 -            tlb_set_page(cs, address & TARGET_PAGE_MASK, pa & TARGET_PAGE_MASK,
 -                         prot, mmu_idx, TARGET_PAGE_SIZE);
 -        }
 +        tlb_set_page(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1),
 +                     prot, mmu_idx, tlb_size);
          return true;
      } else if (probe) {
          return false;
 diff --git a/target/riscv/pmp.c b/target/riscv/pmp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/pmp.c
 +++ b/target/riscv/pmp.c
@@ -XXX,XX +XXX,XX @@ static int pmp_is_in_range(CPURISCVState *env, int pmp_index, target_ulong addr)
      return result;
  }
 +/*
 + * Check if the address has required RWX privs when no PMP entry is matched.
 + */
 +static bool pmp_hart_has_privs_default(CPURISCVState *env, target_ulong addr,
 +    target_ulong size, pmp_priv_t privs, pmp_priv_t *allowed_privs,
 +    target_ulong mode)
 +{
 +    bool ret;
 +
 +    if ((!riscv_feature(env, RISCV_FEATURE_PMP)) || (mode == PRV_M)) {
 +        /*
 +         * Privileged spec v1.10 states if HW doesn't implement any PMP entry
 +         * or no PMP entry matches an M-Mode access, the access succeeds.
 +         */
 +        ret = true;
 +        *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
 +    } else {
 +        /*
 +         * Other modes are not allowed to succeed if they don't * match a rule,
 +         * but there are rules. We've checked for no rule earlier in this
 +         * function.
 +         */
 +        ret = false;
 +        *allowed_privs = 0;
 +    }
 +
 +    return ret;
 +}
 +
  /*
   * Public Interface
@@ -XXX,XX +XXX,XX @@ static int pmp_is_in_range(CPURISCVState *env, int pmp_index, target_ulong addr)
   * Check if the address has required RWX privs to complete desired operation
   */
  bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr,
 -    target_ulong size, pmp_priv_t privs, target_ulong mode)
 +    target_ulong size, pmp_priv_t privs, pmp_priv_t *allowed_privs,
 +    target_ulong mode)
  {
      int i = 0;
      int ret = -1;
      int pmp_size = 0;
      target_ulong s = 0;
      target_ulong e = 0;
 -    pmp_priv_t allowed_privs = 0;
      /* Short cut if no rules */
      if (0 == pmp_get_num_rules(env)) {
 -        return (env->priv == PRV_M) ? true : false;
 +        return pmp_hart_has_privs_default(env, addr, size, privs,
 +                                          allowed_privs, mode);
      }
      if (size == 0) {
@@ -XXX,XX +XXX,XX @@ bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr,
           * check
           */
          if (((s + e) == 2) && (PMP_AMATCH_OFF != a_field)) {
 -            allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
 +            *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
              if ((mode != PRV_M) || pmp_is_locked(env, i)) {
 -                allowed_privs &= env->pmp_state.pmp[i].cfg_reg;
 +                *allowed_privs &= env->pmp_state.pmp[i].cfg_reg;
              }
 -            if ((privs & allowed_privs) == privs) {
 -                ret = 1;
 -                break;
 -            } else {
 -                ret = 0;
 -                break;
 -            }
 +            ret = ((privs & *allowed_privs) == privs);
 +            break;
          }
      }
      /* No rule matched */
      if (ret == -1) {
 -        if (mode == PRV_M) {
 -            ret = 1; /* Privileged spec v1.10 states if no PMP entry matches an
 -                      * M-Mode access, the access succeeds */
 -        } else {
 -            ret = 0; /* Other modes are not allowed to succeed if they don't
 -                      * match a rule, but there are rules.  We've checked for
 -                      * no rule earlier in this function. */
 -        }
 +        return pmp_hart_has_privs_default(env, addr, size, privs,
 +                                          allowed_privs, mode);
      }
      return ret == 1 ? true : false;
  }
 -
  /*
   * Handle a write to a pmpcfg CSP
   */
@@ -XXX,XX +XXX,XX @@ bool pmp_is_range_in_tlb(CPURISCVState *env, hwaddr tlb_sa,
      return false;
  }
 +
 +/*
 + * Convert PMP privilege to TLB page privilege.
 + */
 +int pmp_priv_to_page_prot(pmp_priv_t pmp_priv)
 +{
 +    int prot = 0;
 +
 +    if (pmp_priv & PMP_READ) {
 +        prot |= PAGE_READ;
 +    }
 +    if (pmp_priv & PMP_WRITE) {
 +        prot |= PAGE_WRITE;
 +    }
 +    if (pmp_priv & PMP_EXEC) {
 +        prot |= PAGE_EXEC;
 +    }
 +
 +    return prot;
 +}
 --
 .30.1

-New patch
+[PULL 04/16] target/riscv: add log of PMP permission checking
+From: Jim Shu <cwshu@andestech.com>
+Like MMU translation, add qemu log of PMP permission checking for
+debugging.
+Signed-off-by: Jim Shu <cwshu@andestech.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 1613916082-19528-3-git-send-email-cwshu@andestech.com
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+---
+ target/riscv/cpu_helper.c | 12 ++++++++++++
+file changed, 12 insertions(+)
+diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/riscv/cpu_helper.c
++++ b/target/riscv/cpu_helper.c
+@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
+             if (ret == TRANSLATE_SUCCESS) {
+                 ret = get_physical_address_pmp(env, &prot_pmp, &tlb_size, pa,
+                                                size, access_type, mode);
++
++                qemu_log_mask(CPU_LOG_MMU,
++                              "%s PMP address=" TARGET_FMT_plx " ret %d prot"
++                              " %d tlb_size " TARGET_FMT_lu "\n",
++                              __func__, pa, ret, prot_pmp, tlb_size);
++
+                 prot &= prot_pmp;
+             }
+@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
+         if (ret == TRANSLATE_SUCCESS) {
+             ret = get_physical_address_pmp(env, &prot_pmp, &tlb_size, pa,
+                                            size, access_type, mode);
++
++            qemu_log_mask(CPU_LOG_MMU,
++                          "%s PMP address=" TARGET_FMT_plx " ret %d prot"
++                          " %d tlb_size " TARGET_FMT_lu "\n",
++                          __func__, pa, ret, prot_pmp, tlb_size);
++
+             prot &= prot_pmp;
+         }
+     }
+--
+.30.1

-New patch
+[PULL 05/16] target/riscv: flush TLB pages if PMP permission has been changed
+From: Jim Shu <cwshu@andestech.com>
+If PMP permission of any address has been changed by updating PMP entry,
+flush all TLB pages to prevent from getting old permission.
+Signed-off-by: Jim Shu <cwshu@andestech.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 1613916082-19528-4-git-send-email-cwshu@andestech.com
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+---
+ target/riscv/pmp.c | 4 ++++
+file changed, 4 insertions(+)
+diff --git a/target/riscv/pmp.c b/target/riscv/pmp.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/riscv/pmp.c
++++ b/target/riscv/pmp.c
+@@ -XXX,XX +XXX,XX @@
+ #include "qapi/error.h"
+ #include "cpu.h"
+ #include "trace.h"
++#include "exec/exec-all.h"
+ static void pmp_write_cfg(CPURISCVState *env, uint32_t addr_index,
+     uint8_t val);
+@@ -XXX,XX +XXX,XX @@ void pmpcfg_csr_write(CPURISCVState *env, uint32_t reg_index,
+         cfg_val = (val >> 8 * i)  & 0xff;
+         pmp_write_cfg(env, (reg_index * 4) + i, cfg_val);
+     }
++
++    /* If PMP permission of any addr has been changed, flush TLB pages. */
++    tlb_flush(env_cpu(env));
+ }
+--
+.30.1

-New patch
+[PULL 06/16] target/riscv: Adjust privilege level for HLV(X)/HSV instructions
+From: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
+According to the specification the "field SPVP of hstatus controls the
+privilege level of the access" for the hypervisor virtual-machine load
+and store instructions HLV, HLVX and HSV.
+Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20210311103005.1400718-1-georg.kotheimer@kernkonzept.com
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+---
+ target/riscv/cpu_helper.c | 25 ++++++++++++++-----------
+file changed, 14 insertions(+), 11 deletions(-)
+diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/riscv/cpu_helper.c
++++ b/target/riscv/cpu_helper.c
+@@ -XXX,XX +XXX,XX @@ static int get_physical_address(CPURISCVState *env, hwaddr *physical,
+         use_background = true;
+     }
+-    if (mode == PRV_M && access_type != MMU_INST_FETCH) {
++    /* MPRV does not affect the virtual-machine load/store
++       instructions, HLV, HLVX, and HSV. */
++    if (riscv_cpu_two_stage_lookup(mmu_idx)) {
++        mode = get_field(env->hstatus, HSTATUS_SPVP);
++    } else if (mode == PRV_M && access_type != MMU_INST_FETCH) {
+         if (get_field(env->mstatus, MSTATUS_MPRV)) {
+             mode = get_field(env->mstatus, MSTATUS_MPP);
+         }
+@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
+     qemu_log_mask(CPU_LOG_MMU, "%s ad %" VADDR_PRIx " rw %d mmu_idx %d\n",
+                   __func__, address, access_type, mmu_idx);
+-    if (mode == PRV_M && access_type != MMU_INST_FETCH) {
+-        if (get_field(env->mstatus, MSTATUS_MPRV)) {
+-            mode = get_field(env->mstatus, MSTATUS_MPP);
++    /* MPRV does not affect the virtual-machine load/store
++       instructions, HLV, HLVX, and HSV. */
++    if (riscv_cpu_two_stage_lookup(mmu_idx)) {
++        mode = get_field(env->hstatus, HSTATUS_SPVP);
++    } else if (mode == PRV_M && access_type != MMU_INST_FETCH &&
++               get_field(env->mstatus, MSTATUS_MPRV)) {
++        mode = get_field(env->mstatus, MSTATUS_MPP);
++        if (riscv_has_ext(env, RVH) && get_field(env->mstatus, MSTATUS_MPV)) {
++            two_stage_lookup = true;
+         }
+     }
+-    if (riscv_has_ext(env, RVH) && env->priv == PRV_M &&
+-        access_type != MMU_INST_FETCH &&
+-        get_field(env->mstatus, MSTATUS_MPRV) &&
+-        get_field(env->mstatus, MSTATUS_MPV)) {
+-        two_stage_lookup = true;
+-    }
+-
+     if (riscv_cpu_virt_enabled(env) ||
+         ((riscv_cpu_two_stage_lookup(mmu_idx) || two_stage_lookup) &&
+          access_type != MMU_INST_FETCH)) {
+--
+.30.1

-New patch
+[PULL 07/16] target/riscv: Make VSTIP and VSEIP read-only in hip
+From: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
+Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20210311094902.1377593-1-georg.kotheimer@kernkonzept.com
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+---
+ target/riscv/csr.c | 7 ++++---
+file changed, 4 insertions(+), 3 deletions(-)
+diff --git a/target/riscv/csr.c b/target/riscv/csr.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/riscv/csr.c
++++ b/target/riscv/csr.c
+@@ -XXX,XX +XXX,XX @@ static const target_ulong sstatus_v1_10_mask = SSTATUS_SIE | SSTATUS_SPIE |
+     SSTATUS_UIE | SSTATUS_UPIE | SSTATUS_SPP | SSTATUS_FS | SSTATUS_XS |
+     SSTATUS_SUM | SSTATUS_MXR | SSTATUS_SD;
+ static const target_ulong sip_writable_mask = SIP_SSIP | MIP_USIP | MIP_UEIP;
+-static const target_ulong hip_writable_mask = MIP_VSSIP | MIP_VSTIP | MIP_VSEIP;
++static const target_ulong hip_writable_mask = MIP_VSSIP;
++static const target_ulong hvip_writable_mask = MIP_VSSIP | MIP_VSTIP | MIP_VSEIP;
+ static const target_ulong vsip_writable_mask = MIP_VSSIP;
+ static const char valid_vm_1_10_32[16] = {
+@@ -XXX,XX +XXX,XX @@ static int rmw_hvip(CPURISCVState *env, int csrno, target_ulong *ret_value,
+                    target_ulong new_value, target_ulong write_mask)
+ {
+     int ret = rmw_mip(env, 0, ret_value, new_value,
+-                      write_mask & hip_writable_mask);
++                      write_mask & hvip_writable_mask);
+-    *ret_value &= hip_writable_mask;
++    *ret_value &= hvip_writable_mask;
+     return ret;
+ }
+--
+.30.1

-[PULL 1/6] target/riscv: Add a virtualised MMU Mode
+[PULL 08/16] target/riscv: Use background registers also for MSTATUS_MPV
-Add a new MMU mode that includes the current virt mode.
+From: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
+The current condition for the use of background registers only
+considers the hypervisor load and store instructions,
+but not accesses from M mode via MSTATUS_MPRV+MPV.
+Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20210311103036.1401073-1-georg.kotheimer@kernkonzept.com
 Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 4b301bc0ea36da962fc1605371b65019ac3073df.1604464950.git.alistair.francis@wdc.com
 ---
- target/riscv/cpu-param.h  | 11 ++++++++++-
+ target/riscv/cpu_helper.c | 2 +-
- target/riscv/cpu.h        |  4 +++-
+file changed, 1 insertion(+), 1 deletion(-)
  target/riscv/cpu_helper.c |  2 +-
 files changed, 14 insertions(+), 3 deletions(-)
-diff --git a/target/riscv/cpu-param.h b/target/riscv/cpu-param.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/riscv/cpu-param.h
-+++ b/target/riscv/cpu-param.h
-@@ -XXX,XX +XXX,XX @@
- # define TARGET_VIRT_ADDR_SPACE_BITS 32 /* sv32 */
- #endif
- #define TARGET_PAGE_BITS 12 /* 4 KiB Pages */
--#define NB_MMU_MODES 4
-+/*
-+ * The current MMU Modes are:
-+ *  - U mode 0b000
-+ *  - S mode 0b001
-+ *  - M mode 0b011
-+ *  - U mode HLV/HLVX/HSV 0b100
-+ *  - S mode HLV/HLVX/HSV 0b101
-+ *  - M mode HLV/HLVX/HSV 0b111
-+ */
-+#define NB_MMU_MODES 8
- #endif
-diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/riscv/cpu.h
-+++ b/target/riscv/cpu.h
-@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN riscv_raise_exception(CPURISCVState *env,
- target_ulong riscv_cpu_get_fflags(CPURISCVState *env);
- void riscv_cpu_set_fflags(CPURISCVState *env, target_ulong);
--#define TB_FLAGS_MMU_MASK   3
-+#define TB_FLAGS_MMU_MASK   7
-+#define TB_FLAGS_PRIV_MMU_MASK                3
-+#define TB_FLAGS_PRIV_HYP_ACCESS_MASK   (1 << 2)
- #define TB_FLAGS_MSTATUS_FS MSTATUS_FS
- typedef CPURISCVState CPUArchState;
 diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/cpu_helper.c
 +++ b/target/riscv/cpu_helper.c
 @@ -XXX,XX +XXX,XX @@ static int get_physical_address(CPURISCVState *env, hwaddr *physical,
-      * (riscv_cpu_do_interrupt) is correct */
+      * was called. Background registers will be used if the guest has
-     MemTxResult res;
+      * forced a two stage translation to be on (in HS or M mode).
-     MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+      */
--    int mode = mmu_idx;
+-    if (!riscv_cpu_virt_enabled(env) && riscv_cpu_two_stage_lookup(mmu_idx)) {
-+    int mode = mmu_idx & TB_FLAGS_PRIV_MMU_MASK;
++    if (!riscv_cpu_virt_enabled(env) && two_stage) {
-     bool use_background = false;
+         use_background = true;
+     }
-     /*
 --
-.29.2
+.30.1

-New patch
+[PULL 09/16] hw/riscv: Add fw_cfg support to virt
+From: Asherah Connor <ashe@kivikakk.ee>
+Provides fw_cfg for the virt machine on riscv.  This enables
+using e.g.  ramfb later.
+Signed-off-by: Asherah Connor <ashe@kivikakk.ee>
+Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20210318235041.17175-2-ashe@kivikakk.ee
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+---
+ include/hw/riscv/virt.h |  2 ++
+ hw/riscv/virt.c         | 30 ++++++++++++++++++++++++++++++
+ hw/riscv/Kconfig        |  1 +
+files changed, 33 insertions(+)
+diff --git a/include/hw/riscv/virt.h b/include/hw/riscv/virt.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/riscv/virt.h
++++ b/include/hw/riscv/virt.h
+@@ -XXX,XX +XXX,XX @@ struct RISCVVirtState {
+     RISCVHartArrayState soc[VIRT_SOCKETS_MAX];
+     DeviceState *plic[VIRT_SOCKETS_MAX];
+     PFlashCFI01 *flash[2];
++    FWCfgState *fw_cfg;
+     int fdt_size;
+ };
+@@ -XXX,XX +XXX,XX @@ enum {
+     VIRT_PLIC,
+     VIRT_UART0,
+     VIRT_VIRTIO,
++    VIRT_FW_CFG,
+     VIRT_FLASH,
+     VIRT_DRAM,
+     VIRT_PCIE_MMIO,
+diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/riscv/virt.c
++++ b/hw/riscv/virt.c
+@@ -XXX,XX +XXX,XX @@ static const MemMapEntry virt_memmap[] = {
+     [VIRT_PLIC] =        {  0xc000000, VIRT_PLIC_SIZE(VIRT_CPUS_MAX * 2) },
+     [VIRT_UART0] =       { 0x10000000,         0x100 },
+     [VIRT_VIRTIO] =      { 0x10001000,        0x1000 },
++    [VIRT_FW_CFG] =      { 0x10100000,          0x18 },
+     [VIRT_FLASH] =       { 0x20000000,     0x4000000 },
+     [VIRT_PCIE_ECAM] =   { 0x30000000,    0x10000000 },
+     [VIRT_PCIE_MMIO] =   { 0x40000000,    0x40000000 },
+@@ -XXX,XX +XXX,XX @@ static inline DeviceState *gpex_pcie_init(MemoryRegion *sys_mem,
+     return dev;
+ }
++static FWCfgState *create_fw_cfg(const MachineState *mc)
++{
++    hwaddr base = virt_memmap[VIRT_FW_CFG].base;
++    hwaddr size = virt_memmap[VIRT_FW_CFG].size;
++    FWCfgState *fw_cfg;
++    char *nodename;
++
++    fw_cfg = fw_cfg_init_mem_wide(base + 8, base, 8, base + 16,
++                                  &address_space_memory);
++    fw_cfg_add_i16(fw_cfg, FW_CFG_NB_CPUS, (uint16_t)mc->smp.cpus);
++
++    nodename = g_strdup_printf("/fw-cfg@%" PRIx64, base);
++    qemu_fdt_add_subnode(mc->fdt, nodename);
++    qemu_fdt_setprop_string(mc->fdt, nodename,
++                            "compatible", "qemu,fw-cfg-mmio");
++    qemu_fdt_setprop_sized_cells(mc->fdt, nodename, "reg",
++                                 2, base, 2, size);
++    qemu_fdt_setprop(mc->fdt, nodename, "dma-coherent", NULL, 0);
++    g_free(nodename);
++    return fw_cfg;
++}
++
+ static void virt_machine_init(MachineState *machine)
+ {
+     const MemMapEntry *memmap = virt_memmap;
+@@ -XXX,XX +XXX,XX @@ static void virt_machine_init(MachineState *machine)
+         start_addr = virt_memmap[VIRT_FLASH].base;
+     }
++    /*
++     * Init fw_cfg.  Must be done before riscv_load_fdt, otherwise the device
++     * tree cannot be altered and we get FDT_ERR_NOSPACE.
++     */
++    s->fw_cfg = create_fw_cfg(machine);
++    rom_set_fw(s->fw_cfg);
++
+     /* Compute the fdt load address in dram */
+     fdt_load_addr = riscv_load_fdt(memmap[VIRT_DRAM].base,
+                                    machine->ram_size, machine->fdt);
+diff --git a/hw/riscv/Kconfig b/hw/riscv/Kconfig
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/riscv/Kconfig
++++ b/hw/riscv/Kconfig
+@@ -XXX,XX +XXX,XX @@ config RISCV_VIRT
+     select SIFIVE_PLIC
+     select SIFIVE_TEST
+     select VIRTIO_MMIO
++    select FW_CFG_DMA
+ config SIFIVE_E
+     bool
+--
+.30.1

-[PULL 5/6] target/riscv: Split the Hypervisor execute load helpers
+[PULL 10/16] hw/riscv: allow ramfb on virt
-Split the hypervisor execute load functions into two seperate functions.
+From: Asherah Connor <ashe@kivikakk.ee>
 This avoids us having to pass the memop to the C helper functions.
+Allow ramfb on virt.  This lets `-device ramfb' work.
+Signed-off-by: Asherah Connor <ashe@kivikakk.ee>
+Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20210318235041.17175-3-ashe@kivikakk.ee
 Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 5b1550f0faa3c435cc77f3c1ae811dea98ab9e36.1604464950.git.alistair.francis@wdc.com
 ---
- target/riscv/helper.h                   |  3 ++-
+ hw/riscv/virt.c | 3 +++
- target/riscv/op_helper.c                | 36 +++++++------------------
+file changed, 3 insertions(+)
  target/riscv/insn_trans/trans_rvh.c.inc | 20 +++++---------
 files changed, 17 insertions(+), 42 deletions(-)
-diff --git a/target/riscv/helper.h b/target/riscv/helper.h
+diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/riscv/helper.h
+--- a/hw/riscv/virt.c
-+++ b/target/riscv/helper.h
++++ b/hw/riscv/virt.c
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(tlb_flush, void, env)
+@@ -XXX,XX +XXX,XX @@
- #ifndef CONFIG_USER_ONLY
+ #include "sysemu/sysemu.h"
- DEF_HELPER_1(hyp_tlb_flush, void, env)
+ #include "hw/pci/pci.h"
- DEF_HELPER_1(hyp_gvma_tlb_flush, void, env)
+ #include "hw/pci-host/gpex.h"
--DEF_HELPER_4(hyp_x_load, tl, env, tl, tl, tl)
++#include "hw/display/ramfb.h"
-+DEF_HELPER_2(hyp_hlvx_hu, tl, env, tl)
-+DEF_HELPER_2(hyp_hlvx_wu, tl, env, tl)
+ static const MemMapEntry virt_memmap[] = {
- #endif
+     [VIRT_DEBUG] =       {        0x0,         0x100 },
+@@ -XXX,XX +XXX,XX @@ static void virt_machine_class_init(ObjectClass *oc, void *data)
- /* Vector functions */
+     mc->cpu_index_to_instance_props = riscv_numa_cpu_index_to_props;
-diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
+     mc->get_default_cpu_node_id = riscv_numa_get_default_cpu_node_id;
-index XXXXXXX..XXXXXXX 100644
+     mc->numa_mem_supported = true;
---- a/target/riscv/op_helper.c
++
-+++ b/target/riscv/op_helper.c
++    machine_class_allow_dynamic_sysbus_dev(mc, TYPE_RAMFB_DEVICE);
@@ -XXX,XX +XXX,XX @@ void helper_hyp_gvma_tlb_flush(CPURISCVState *env)
      helper_hyp_tlb_flush(env);
  }
--target_ulong helper_hyp_x_load(CPURISCVState *env, target_ulong address,
+ static const TypeInfo virt_machine_typeinfo = {
 -                               target_ulong attrs, target_ulong memop)
 +target_ulong helper_hyp_hlvx_hu(CPURISCVState *env, target_ulong address)
  {
 -    if (env->priv == PRV_M ||
 -        (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
 -        (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
 -            get_field(env->hstatus, HSTATUS_HU))) {
 -        target_ulong pte;
 -        int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 -
 -        switch (memop) {
 -        case MO_TEUW:
 -            pte = cpu_lduw_mmuidx_ra(env, address, mmu_idx, GETPC());
 -            break;
 -        case MO_TEUL:
 -            pte = cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
 -            break;
 -        default:
 -            g_assert_not_reached();
 -        }
 +    int mmu_idx = cpu_mmu_index(env, true) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 -        return pte;
 -    }
 +    return cpu_lduw_mmuidx_ra(env, address, mmu_idx, GETPC());
 +}
 -    if (riscv_cpu_virt_enabled(env)) {
 -        riscv_raise_exception(env, RISCV_EXCP_VIRT_INSTRUCTION_FAULT, GETPC());
 -    } else {
 -        riscv_raise_exception(env, RISCV_EXCP_ILLEGAL_INST, GETPC());
 -    }
 -    return 0;
 +target_ulong helper_hyp_hlvx_wu(CPURISCVState *env, target_ulong address)
 +{
 +    int mmu_idx = cpu_mmu_index(env, true) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 +
 +    return cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
  }
  #endif /* !CONFIG_USER_ONLY */
 diff --git a/target/riscv/insn_trans/trans_rvh.c.inc b/target/riscv/insn_trans/trans_rvh.c.inc
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/insn_trans/trans_rvh.c.inc
 +++ b/target/riscv/insn_trans/trans_rvh.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_hlvx_hu(DisasContext *ctx, arg_hlvx_hu *a)
  #ifndef CONFIG_USER_ONLY
      TCGv t0 = tcg_temp_new();
      TCGv t1 = tcg_temp_new();
 -    TCGv mem_idx = tcg_temp_new();
 -    TCGv memop = tcg_temp_new();
 +
 +    check_access(ctx);
      gen_get_gpr(t0, a->rs1);
 -    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
 -    tcg_gen_movi_tl(memop, MO_TEUW);
 -    gen_helper_hyp_x_load(t1, cpu_env, t0, mem_idx, memop);
 +    gen_helper_hyp_hlvx_hu(t1, cpu_env, t0);
      gen_set_gpr(a->rd, t1);
      tcg_temp_free(t0);
      tcg_temp_free(t1);
 -    tcg_temp_free(mem_idx);
 -    tcg_temp_free(memop);
      return true;
  #else
      return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlvx_wu(DisasContext *ctx, arg_hlvx_wu *a)
  #ifndef CONFIG_USER_ONLY
      TCGv t0 = tcg_temp_new();
      TCGv t1 = tcg_temp_new();
 -    TCGv mem_idx = tcg_temp_new();
 -    TCGv memop = tcg_temp_new();
 +
 +    check_access(ctx);
      gen_get_gpr(t0, a->rs1);
 -    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
 -    tcg_gen_movi_tl(memop, MO_TEUL);
 -    gen_helper_hyp_x_load(t1, cpu_env, t0, mem_idx, memop);
 +    gen_helper_hyp_hlvx_wu(t1, cpu_env, t0);
      gen_set_gpr(a->rd, t1);
      tcg_temp_free(t0);
      tcg_temp_free(t1);
 -    tcg_temp_free(mem_idx);
 -    tcg_temp_free(memop);
      return true;
  #else
      return false;
 --
-.29.2
+.30.1

-[PULL 4/6] target/riscv: Remove the hyp load and store functions
+[PULL 11/16] target/riscv: Fix read and write accesses to vsip and vsie
-Remove the special Virtulisation load and store functions and just use
+From: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
 the standard tcg tcg_gen_qemu_ld_tl() and tcg_gen_qemu_st_tl() functions
 instead.
-As part of this change we ensure we still run an access check to make
+The previous implementation was broken in many ways:
-sure we can perform the operations.
+ - Used mideleg instead of hideleg to mask accesses
  - Used MIP_VSSIP instead of VS_MODE_INTERRUPTS to mask writes to vsie
  - Did not shift between S bits and VS bits (VSEIP <-> SEIP, ...)
+Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20210311094738.1376795-1-georg.kotheimer@kernkonzept.com
 Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 189ac3e53ef2854824d18aad7074c6649f17de2c.1604464950.git.alistair.francis@wdc.com
 ---
- target/riscv/cpu.h                      |  12 +++
+ target/riscv/csr.c | 68 +++++++++++++++++++++++-----------------------
- target/riscv/helper.h                   |   2 -
+file changed, 34 insertions(+), 34 deletions(-)
  target/riscv/op_helper.c                |  86 -----------------
  target/riscv/translate.c                |   2 +
  target/riscv/insn_trans/trans_rvh.c.inc | 123 +++++++++---------------
 files changed, 59 insertions(+), 166 deletions(-)
-diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
+diff --git a/target/riscv/csr.c b/target/riscv/csr.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/riscv/cpu.h
+--- a/target/riscv/csr.c
-+++ b/target/riscv/cpu.h
++++ b/target/riscv/csr.c
-@@ -XXX,XX +XXX,XX @@ FIELD(TB_FLAGS, VL_EQ_VLMAX, 2, 1)
+@@ -XXX,XX +XXX,XX @@ static int write_sstatus(CPURISCVState *env, int csrno, target_ulong val)
- FIELD(TB_FLAGS, LMUL, 3, 2)
+     return write_mstatus(env, CSR_MSTATUS, newval);
- FIELD(TB_FLAGS, SEW, 5, 3)
+ }
- FIELD(TB_FLAGS, VILL, 8, 1)
-+/* Is a Hypervisor instruction load/store allowed? */
++static int read_vsie(CPURISCVState *env, int csrno, target_ulong *val)
-+FIELD(TB_FLAGS, HLSX, 9, 1)
++{
++    /* Shift the VS bits to their S bit location in vsie */
- /*
++    *val = (env->mie & env->hideleg & VS_MODE_INTERRUPTS) >> 1;
-  * A simplification for VLMAX
++    return 0;
-@@ -XXX,XX +XXX,XX @@ static inline void cpu_get_tb_cpu_state(CPURISCVState *env, target_ulong *pc,
++}
-     if (riscv_cpu_fp_enabled(env)) {
++
-         flags |= env->mstatus & MSTATUS_FS;
+ static int read_sie(CPURISCVState *env, int csrno, target_ulong *val)
  {
      if (riscv_cpu_virt_enabled(env)) {
 -        /* Tell the guest the VS bits, shifted to the S bit locations */
 -        *val = (env->mie & env->mideleg & VS_MODE_INTERRUPTS) >> 1;
 +        read_vsie(env, CSR_VSIE, val);
      } else {
          *val = env->mie & env->mideleg;
      }
+     return 0;
+ }
+-static int write_sie(CPURISCVState *env, int csrno, target_ulong val)
++static int write_vsie(CPURISCVState *env, int csrno, target_ulong val)
+ {
+-    target_ulong newval;
++    /* Shift the S bits to their VS bit location in mie */
++    target_ulong newval = (env->mie & ~VS_MODE_INTERRUPTS) |
++                          ((val << 1) & env->hideleg & VS_MODE_INTERRUPTS);
++    return write_mie(env, CSR_MIE, newval);
++}
++static int write_sie(CPURISCVState *env, int csrno, target_ulong val)
++{
+     if (riscv_cpu_virt_enabled(env)) {
+-        /* Shift the guests S bits to VS */
+-        newval = (env->mie & ~VS_MODE_INTERRUPTS) |
+-                 ((val << 1) & VS_MODE_INTERRUPTS);
++        write_vsie(env, CSR_VSIE, val);
+     } else {
+-        newval = (env->mie & ~S_MODE_INTERRUPTS) | (val & S_MODE_INTERRUPTS);
++        target_ulong newval = (env->mie & ~S_MODE_INTERRUPTS) |
++                              (val & S_MODE_INTERRUPTS);
++        write_mie(env, CSR_MIE, newval);
+     }
+-    return write_mie(env, CSR_MIE, newval);
++    return 0;
+ }
+ static int read_stvec(CPURISCVState *env, int csrno, target_ulong *val)
+@@ -XXX,XX +XXX,XX @@ static int write_sbadaddr(CPURISCVState *env, int csrno, target_ulong val)
+     return 0;
+ }
++static int rmw_vsip(CPURISCVState *env, int csrno, target_ulong *ret_value,
++                    target_ulong new_value, target_ulong write_mask)
++{
++    /* Shift the S bits to their VS bit location in mip */
++    int ret = rmw_mip(env, 0, ret_value, new_value << 1,
++                      (write_mask << 1) & vsip_writable_mask & env->hideleg);
++    *ret_value &= VS_MODE_INTERRUPTS;
++    /* Shift the VS bits to their S bit location in vsip */
++    *ret_value >>= 1;
++    return ret;
++}
 +
-+    if (riscv_has_ext(env, RVH)) {
+ static int rmw_sip(CPURISCVState *env, int csrno, target_ulong *ret_value,
-+        if (env->priv == PRV_M ||
+                    target_ulong new_value, target_ulong write_mask)
-+            (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
+ {
-+            (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
+     int ret;
-+                get_field(env->hstatus, HSTATUS_HU))) {
-+            flags = FIELD_DP32(flags, TB_FLAGS, HLSX, 1);
+     if (riscv_cpu_virt_enabled(env)) {
-+        }
+-        /* Shift the new values to line up with the VS bits */
-+    }
+-        ret = rmw_mip(env, CSR_MSTATUS, ret_value, new_value << 1,
- #endif
+-                      (write_mask & sip_writable_mask) << 1 & env->mideleg);
-+
+-        ret &= vsip_writable_mask;
-     *pflags = flags;
+-        ret >>= 1;
 +        ret = rmw_vsip(env, CSR_VSIP, ret_value, new_value, write_mask);
      } else {
          ret = rmw_mip(env, CSR_MSTATUS, ret_value, new_value,
                        write_mask & env->mideleg & sip_writable_mask);
@@ -XXX,XX +XXX,XX @@ static int write_vsstatus(CPURISCVState *env, int csrno, target_ulong val)
      return 0;
  }
-diff --git a/target/riscv/helper.h b/target/riscv/helper.h
+-static int rmw_vsip(CPURISCVState *env, int csrno, target_ulong *ret_value,
-index XXXXXXX..XXXXXXX 100644
+-                    target_ulong new_value, target_ulong write_mask)
 --- a/target/riscv/helper.h
 +++ b/target/riscv/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(tlb_flush, void, env)
  #ifndef CONFIG_USER_ONLY
  DEF_HELPER_1(hyp_tlb_flush, void, env)
  DEF_HELPER_1(hyp_gvma_tlb_flush, void, env)
 -DEF_HELPER_4(hyp_load, tl, env, tl, tl, tl)
 -DEF_HELPER_5(hyp_store, void, env, tl, tl, tl, tl)
  DEF_HELPER_4(hyp_x_load, tl, env, tl, tl, tl)
  #endif
 diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/op_helper.c
 +++ b/target/riscv/op_helper.c
@@ -XXX,XX +XXX,XX @@ void helper_hyp_gvma_tlb_flush(CPURISCVState *env)
      helper_hyp_tlb_flush(env);
  }
 -target_ulong helper_hyp_load(CPURISCVState *env, target_ulong address,
 -                             target_ulong attrs, target_ulong memop)
 -{
--    if (env->priv == PRV_M ||
+-    int ret = rmw_mip(env, 0, ret_value, new_value,
--        (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
+-                      write_mask & env->mideleg & vsip_writable_mask);
--        (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
+-    return ret;
--            get_field(env->hstatus, HSTATUS_HU))) {
+-}
 -        target_ulong pte;
 -        int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 -
--        switch (memop) {
+-static int read_vsie(CPURISCVState *env, int csrno, target_ulong *val)
--        case MO_SB:
+-{
--            pte = cpu_ldsb_mmuidx_ra(env, address, mmu_idx, GETPC());
+-    *val = env->mie & env->mideleg & VS_MODE_INTERRUPTS;
 -            break;
 -        case MO_UB:
 -            pte = cpu_ldub_mmuidx_ra(env, address, mmu_idx, GETPC());
 -            break;
 -        case MO_TESW:
 -            pte = cpu_ldsw_mmuidx_ra(env, address, mmu_idx, GETPC());
 -            break;
 -        case MO_TEUW:
 -            pte = cpu_lduw_mmuidx_ra(env, address, mmu_idx, GETPC());
 -            break;
 -        case MO_TESL:
 -            pte = cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
 -            break;
 -        case MO_TEUL:
 -            pte = cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
 -            break;
 -        case MO_TEQ:
 -            pte = cpu_ldq_mmuidx_ra(env, address, mmu_idx, GETPC());
 -            break;
 -        default:
 -            g_assert_not_reached();
 -        }
 -
 -        return pte;
 -    }
 -
 -    if (riscv_cpu_virt_enabled(env)) {
 -        riscv_raise_exception(env, RISCV_EXCP_VIRT_INSTRUCTION_FAULT, GETPC());
 -    } else {
 -        riscv_raise_exception(env, RISCV_EXCP_ILLEGAL_INST, GETPC());
 -    }
 -    return 0;
 -}
 -
--void helper_hyp_store(CPURISCVState *env, target_ulong address,
+-static int write_vsie(CPURISCVState *env, int csrno, target_ulong val)
 -                      target_ulong val, target_ulong attrs, target_ulong memop)
 -{
--    if (env->priv == PRV_M ||
+-    target_ulong newval = (env->mie & ~env->mideleg) | (val & env->mideleg & MIP_VSSIP);
--        (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
+-    return write_mie(env, CSR_MIE, newval);
 -        (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
 -            get_field(env->hstatus, HSTATUS_HU))) {
 -        int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 -
 -        switch (memop) {
 -        case MO_SB:
 -        case MO_UB:
 -            cpu_stb_mmuidx_ra(env, address, val, mmu_idx, GETPC());
 -            break;
 -        case MO_TESW:
 -        case MO_TEUW:
 -            cpu_stw_mmuidx_ra(env, address, val, mmu_idx, GETPC());
 -            break;
 -        case MO_TESL:
 -        case MO_TEUL:
 -            cpu_stl_mmuidx_ra(env, address, val, mmu_idx, GETPC());
 -            break;
 -        case MO_TEQ:
 -            cpu_stq_mmuidx_ra(env, address, val, mmu_idx, GETPC());
 -            break;
 -        default:
 -            g_assert_not_reached();
 -        }
 -
 -        return;
 -    }
 -
 -    if (riscv_cpu_virt_enabled(env)) {
 -        riscv_raise_exception(env, RISCV_EXCP_VIRT_INSTRUCTION_FAULT, GETPC());
 -    } else {
 -        riscv_raise_exception(env, RISCV_EXCP_ILLEGAL_INST, GETPC());
 -    }
 -}
 -
- target_ulong helper_hyp_x_load(CPURISCVState *env, target_ulong address,
+ static int read_vstvec(CPURISCVState *env, int csrno, target_ulong *val)
                                 target_ulong attrs, target_ulong memop)
  {
-diff --git a/target/riscv/translate.c b/target/riscv/translate.c
+     *val = env->vstvec;
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/translate.c
 +++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
         to reset this known value.  */
      int frm;
      bool ext_ifencei;
 +    bool hlsx;
      /* vector extension */
      bool vill;
      uint8_t lmul;
@@ -XXX,XX +XXX,XX @@ static void riscv_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
      ctx->frm = -1;  /* unknown rounding mode */
      ctx->ext_ifencei = cpu->cfg.ext_ifencei;
      ctx->vlen = cpu->cfg.vlen;
 +    ctx->hlsx = FIELD_EX32(tb_flags, TB_FLAGS, HLSX);
      ctx->vill = FIELD_EX32(tb_flags, TB_FLAGS, VILL);
      ctx->sew = FIELD_EX32(tb_flags, TB_FLAGS, SEW);
      ctx->lmul = FIELD_EX32(tb_flags, TB_FLAGS, LMUL);
 diff --git a/target/riscv/insn_trans/trans_rvh.c.inc b/target/riscv/insn_trans/trans_rvh.c.inc
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/insn_trans/trans_rvh.c.inc
 +++ b/target/riscv/insn_trans/trans_rvh.c.inc
@@ -XXX,XX +XXX,XX @@
   * this program.  If not, see <http://www.gnu.org/licenses/>.
   */
 +#ifndef CONFIG_USER_ONLY
 +static void check_access(DisasContext *ctx) {
 +    if (!ctx->hlsx) {
 +        if (ctx->virt_enabled) {
 +            generate_exception(ctx, RISCV_EXCP_VIRT_INSTRUCTION_FAULT);
 +        } else {
 +            generate_exception(ctx, RISCV_EXCP_ILLEGAL_INST);
 +        }
 +    }
 +}
 +#endif
 +
  static bool trans_hlv_b(DisasContext *ctx, arg_hlv_b *a)
  {
      REQUIRE_EXT(ctx, RVH);
  #ifndef CONFIG_USER_ONLY
      TCGv t0 = tcg_temp_new();
      TCGv t1 = tcg_temp_new();
 -    TCGv mem_idx = tcg_temp_new();
 -    TCGv memop = tcg_temp_new();
 +
 +    check_access(ctx);
      gen_get_gpr(t0, a->rs1);
 -    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
 -    tcg_gen_movi_tl(memop, MO_SB);
 -    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
 +    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_SB);
      gen_set_gpr(a->rd, t1);
      tcg_temp_free(t0);
      tcg_temp_free(t1);
 -    tcg_temp_free(mem_idx);
 -    tcg_temp_free(memop);
      return true;
  #else
      return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlv_h(DisasContext *ctx, arg_hlv_h *a)
  #ifndef CONFIG_USER_ONLY
      TCGv t0 = tcg_temp_new();
      TCGv t1 = tcg_temp_new();
 -    TCGv mem_idx = tcg_temp_new();
 -    TCGv memop = tcg_temp_new();
 +
 +    check_access(ctx);
      gen_get_gpr(t0, a->rs1);
 -    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
 -    tcg_gen_movi_tl(memop, MO_TESW);
 -    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
 +    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TESW);
      gen_set_gpr(a->rd, t1);
      tcg_temp_free(t0);
      tcg_temp_free(t1);
 -    tcg_temp_free(mem_idx);
 -    tcg_temp_free(memop);
      return true;
  #else
      return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlv_w(DisasContext *ctx, arg_hlv_w *a)
  #ifndef CONFIG_USER_ONLY
      TCGv t0 = tcg_temp_new();
      TCGv t1 = tcg_temp_new();
 -    TCGv mem_idx = tcg_temp_new();
 -    TCGv memop = tcg_temp_new();
 +
 +    check_access(ctx);
      gen_get_gpr(t0, a->rs1);
 -    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
 -    tcg_gen_movi_tl(memop, MO_TESL);
 -    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
 +    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TESL);
      gen_set_gpr(a->rd, t1);
      tcg_temp_free(t0);
      tcg_temp_free(t1);
 -    tcg_temp_free(mem_idx);
 -    tcg_temp_free(memop);
      return true;
  #else
      return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlv_bu(DisasContext *ctx, arg_hlv_bu *a)
  #ifndef CONFIG_USER_ONLY
      TCGv t0 = tcg_temp_new();
      TCGv t1 = tcg_temp_new();
 -    TCGv mem_idx = tcg_temp_new();
 -    TCGv memop = tcg_temp_new();
 +
 +    check_access(ctx);
      gen_get_gpr(t0, a->rs1);
 -    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
 -    tcg_gen_movi_tl(memop, MO_UB);
 -    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
 +    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_UB);
      gen_set_gpr(a->rd, t1);
      tcg_temp_free(t0);
      tcg_temp_free(t1);
 -    tcg_temp_free(mem_idx);
 -    tcg_temp_free(memop);
      return true;
  #else
      return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlv_hu(DisasContext *ctx, arg_hlv_hu *a)
  #ifndef CONFIG_USER_ONLY
      TCGv t0 = tcg_temp_new();
      TCGv t1 = tcg_temp_new();
 -    TCGv mem_idx = tcg_temp_new();
 -    TCGv memop = tcg_temp_new();
 -    gen_get_gpr(t0, a->rs1);
 -    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
 -    tcg_gen_movi_tl(memop, MO_TEUW);
 +    check_access(ctx);
 -    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
 +    gen_get_gpr(t0, a->rs1);
 +    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TEUW);
      gen_set_gpr(a->rd, t1);
      tcg_temp_free(t0);
      tcg_temp_free(t1);
 -    tcg_temp_free(mem_idx);
 -    tcg_temp_free(memop);
      return true;
  #else
      return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hsv_b(DisasContext *ctx, arg_hsv_b *a)
  #ifndef CONFIG_USER_ONLY
      TCGv t0 = tcg_temp_new();
      TCGv dat = tcg_temp_new();
 -    TCGv mem_idx = tcg_temp_new();
 -    TCGv memop = tcg_temp_new();
 +
 +    check_access(ctx);
      gen_get_gpr(t0, a->rs1);
      gen_get_gpr(dat, a->rs2);
 -    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
 -    tcg_gen_movi_tl(memop, MO_SB);
 -    gen_helper_hyp_store(cpu_env, t0, dat, mem_idx, memop);
 +    tcg_gen_qemu_st_tl(dat, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_SB);
      tcg_temp_free(t0);
      tcg_temp_free(dat);
 -    tcg_temp_free(mem_idx);
 -    tcg_temp_free(memop);
      return true;
  #else
      return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hsv_h(DisasContext *ctx, arg_hsv_h *a)
  #ifndef CONFIG_USER_ONLY
      TCGv t0 = tcg_temp_new();
      TCGv dat = tcg_temp_new();
 -    TCGv mem_idx = tcg_temp_new();
 -    TCGv memop = tcg_temp_new();
 +
 +    check_access(ctx);
      gen_get_gpr(t0, a->rs1);
      gen_get_gpr(dat, a->rs2);
 -    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
 -    tcg_gen_movi_tl(memop, MO_TESW);
 -    gen_helper_hyp_store(cpu_env, t0, dat, mem_idx, memop);
 +    tcg_gen_qemu_st_tl(dat, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TESW);
      tcg_temp_free(t0);
      tcg_temp_free(dat);
 -    tcg_temp_free(mem_idx);
 -    tcg_temp_free(memop);
      return true;
  #else
      return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hsv_w(DisasContext *ctx, arg_hsv_w *a)
  #ifndef CONFIG_USER_ONLY
      TCGv t0 = tcg_temp_new();
      TCGv dat = tcg_temp_new();
 -    TCGv mem_idx = tcg_temp_new();
 -    TCGv memop = tcg_temp_new();
 +
 +    check_access(ctx);
      gen_get_gpr(t0, a->rs1);
      gen_get_gpr(dat, a->rs2);
 -    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
 -    tcg_gen_movi_tl(memop, MO_TESL);
 -    gen_helper_hyp_store(cpu_env, t0, dat, mem_idx, memop);
 +    tcg_gen_qemu_st_tl(dat, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TESL);
      tcg_temp_free(t0);
      tcg_temp_free(dat);
 -    tcg_temp_free(mem_idx);
 -    tcg_temp_free(memop);
      return true;
  #else
      return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlv_wu(DisasContext *ctx, arg_hlv_wu *a)
  #ifndef CONFIG_USER_ONLY
      TCGv t0 = tcg_temp_new();
      TCGv t1 = tcg_temp_new();
 -    TCGv mem_idx = tcg_temp_new();
 -    TCGv memop = tcg_temp_new();
 +
 +    check_access(ctx);
      gen_get_gpr(t0, a->rs1);
 -    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
 -    tcg_gen_movi_tl(memop, MO_TEUL);
 -    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
 +    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TEUL);
      gen_set_gpr(a->rd, t1);
      tcg_temp_free(t0);
      tcg_temp_free(t1);
 -    tcg_temp_free(mem_idx);
 -    tcg_temp_free(memop);
      return true;
  #else
      return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlv_d(DisasContext *ctx, arg_hlv_d *a)
  #ifndef CONFIG_USER_ONLY
      TCGv t0 = tcg_temp_new();
      TCGv t1 = tcg_temp_new();
 -    TCGv mem_idx = tcg_temp_new();
 -    TCGv memop = tcg_temp_new();
 +
 +    check_access(ctx);
      gen_get_gpr(t0, a->rs1);
 -    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
 -    tcg_gen_movi_tl(memop, MO_TEQ);
 -    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
 +    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TEQ);
      gen_set_gpr(a->rd, t1);
      tcg_temp_free(t0);
      tcg_temp_free(t1);
 -    tcg_temp_free(mem_idx);
 -    tcg_temp_free(memop);
      return true;
  #else
      return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hsv_d(DisasContext *ctx, arg_hsv_d *a)
  #ifndef CONFIG_USER_ONLY
      TCGv t0 = tcg_temp_new();
      TCGv dat = tcg_temp_new();
 -    TCGv mem_idx = tcg_temp_new();
 -    TCGv memop = tcg_temp_new();
 +
 +    check_access(ctx);
      gen_get_gpr(t0, a->rs1);
      gen_get_gpr(dat, a->rs2);
 -    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
 -    tcg_gen_movi_tl(memop, MO_TEQ);
 -    gen_helper_hyp_store(cpu_env, t0, dat, mem_idx, memop);
 +    tcg_gen_qemu_st_tl(dat, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TEQ);
      tcg_temp_free(t0);
      tcg_temp_free(dat);
 -    tcg_temp_free(mem_idx);
 -    tcg_temp_free(memop);
      return true;
  #else
      return false;
 --
-.29.2
+.30.1

-[PULL 3/6] target/riscv: Remove the HS_TWO_STAGE flag
+[PULL 12/16] target/riscv: Add proper two-stage lookup exception detection
-The HS_TWO_STAGE flag is no longer required as the MMU index contains
+From: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
 the information if we are performing a two stage access.
+The current two-stage lookup detection in riscv_cpu_do_interrupt falls
+short of its purpose, as all it checks is whether two-stage address
+translation either via the hypervisor-load store instructions or the
+MPRV feature would be allowed.
+What we really need instead is whether two-stage address translation was
+active when the exception was raised. However, in riscv_cpu_do_interrupt
+we do not have the information to reliably detect this. Therefore, when
+we raise a memory fault exception we have to record whether two-stage
+address translation is active.
+Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20210319141459.1196741-1-georg.kotheimer@kernkonzept.com
 Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: f514b128b1ff0fb41c85f914cee18f905007a922.1604464950.git.alistair.francis@wdc.com
 ---
- target/riscv/cpu.h        |  3 +-
+ target/riscv/cpu.h        |  4 ++++
- target/riscv/cpu_bits.h   |  1 -
+ target/riscv/cpu.c        |  1 +
- target/riscv/cpu_helper.c | 60 ++++++++++++++++-----------------------
+ target/riscv/cpu_helper.c | 21 ++++++++-------------
- target/riscv/op_helper.c  | 12 --------
+files changed, 13 insertions(+), 13 deletions(-)
 files changed, 25 insertions(+), 51 deletions(-)
 diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/cpu.h
 +++ b/target/riscv/cpu.h
-@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_virt_enabled(CPURISCVState *env);
+@@ -XXX,XX +XXX,XX @@ struct CPURISCVState {
- void riscv_cpu_set_virt_enabled(CPURISCVState *env, bool enable);
+     target_ulong satp_hs;
- bool riscv_cpu_force_hs_excep_enabled(CPURISCVState *env);
+     uint64_t mstatus_hs;
- void riscv_cpu_set_force_hs_excep(CPURISCVState *env, bool enable);
--bool riscv_cpu_two_stage_lookup(CPURISCVState *env);
++    /* Signals whether the current exception occurred with two-stage address
--void riscv_cpu_set_two_stage_lookup(CPURISCVState *env, bool enable);
++       translation active. */
-+bool riscv_cpu_two_stage_lookup(int mmu_idx);
++    bool two_stage_lookup;
- int riscv_cpu_mmu_index(CPURISCVState *env, bool ifetch);
++
- hwaddr riscv_cpu_get_phys_page_debug(CPUState *cpu, vaddr addr);
+     target_ulong scounteren;
- void  riscv_cpu_do_unaligned_access(CPUState *cs, vaddr addr,
+     target_ulong mcounteren;
-diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
 diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/riscv/cpu_bits.h
+--- a/target/riscv/cpu.c
-+++ b/target/riscv/cpu_bits.h
++++ b/target/riscv/cpu.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void riscv_cpu_reset(DeviceState *dev)
-  * page table fault.
+     env->mstatus &= ~(MSTATUS_MIE | MSTATUS_MPRV);
-  */
+     env->mcause = 0;
- #define FORCE_HS_EXCEP      2
+     env->pc = env->resetvec;
--#define HS_TWO_STAGE        4
++    env->two_stage_lookup = false;
+ #endif
- /* RV32 satp CSR field masks */
+     cs->exception_index = EXCP_NONE;
- #define SATP32_MODE         0x80000000
+     env->load_res = -1;
 diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/cpu_helper.c
 +++ b/target/riscv/cpu_helper.c
-@@ -XXX,XX +XXX,XX @@ void riscv_cpu_set_force_hs_excep(CPURISCVState *env, bool enable)
+@@ -XXX,XX +XXX,XX @@ static void raise_mmu_exception(CPURISCVState *env, target_ulong address,
-     env->virt = set_field(env->virt, FORCE_HS_EXCEP, enable);
+         g_assert_not_reached();
      }
      env->badaddr = address;
 +    env->two_stage_lookup = two_stage;
  }
--bool riscv_cpu_two_stage_lookup(CPURISCVState *env)
+ hwaddr riscv_cpu_get_phys_page_debug(CPUState *cs, vaddr addr)
-+bool riscv_cpu_two_stage_lookup(int mmu_idx)
+@@ -XXX,XX +XXX,XX @@ void riscv_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
- {
+     }
--    if (!riscv_has_ext(env, RVH)) {
--        return false;
+     env->badaddr = addr;
--    }
++    env->two_stage_lookup = riscv_cpu_virt_enabled(env) ||
--
++                            riscv_cpu_two_stage_lookup(mmu_idx);
--    return get_field(env->virt, HS_TWO_STAGE);
+     riscv_raise_exception(&cpu->env, cs->exception_index, retaddr);
 -}
 -
 -void riscv_cpu_set_two_stage_lookup(CPURISCVState *env, bool enable)
 -{
 -    if (!riscv_has_ext(env, RVH)) {
 -        return;
 -    }
 -
 -    env->virt = set_field(env->virt, HS_TWO_STAGE, enable);
 +    return mmu_idx & TB_FLAGS_PRIV_HYP_ACCESS_MASK;
  }
- int riscv_cpu_claim_interrupts(RISCVCPU *cpu, uint32_t interrupts)
+@@ -XXX,XX +XXX,XX @@ void riscv_cpu_do_unaligned_access(CPUState *cs, vaddr addr,
-@@ -XXX,XX +XXX,XX @@ static int get_physical_address(CPURISCVState *env, hwaddr *physical,
+         g_assert_not_reached();
       * was called. Background registers will be used if the guest has
       * forced a two stage translation to be on (in HS or M mode).
       */
 -    if (riscv_cpu_two_stage_lookup(env) && access_type != MMU_INST_FETCH) {
 +    if (!riscv_cpu_virt_enabled(env) && riscv_cpu_two_stage_lookup(mmu_idx)) {
          use_background = true;
      }
+     env->badaddr = addr;
-@@ -XXX,XX +XXX,XX @@ restart:
++    env->two_stage_lookup = riscv_cpu_virt_enabled(env) ||
++                            riscv_cpu_two_stage_lookup(mmu_idx);
- static void raise_mmu_exception(CPURISCVState *env, target_ulong address,
+     riscv_raise_exception(env, cs->exception_index, retaddr);
-                                 MMUAccessType access_type, bool pmp_violation,
+ }
--                                bool first_stage)
+ #endif /* !CONFIG_USER_ONLY */
 +                                bool first_stage, bool two_stage)
  {
      CPUState *cs = env_cpu(env);
      int page_fault_exceptions;
@@ -XXX,XX +XXX,XX @@ static void raise_mmu_exception(CPURISCVState *env, target_ulong address,
          }
          break;
      case MMU_DATA_LOAD:
 -        if ((riscv_cpu_virt_enabled(env) || riscv_cpu_two_stage_lookup(env)) &&
 -            !first_stage) {
 +        if (two_stage && !first_stage) {
              cs->exception_index = RISCV_EXCP_LOAD_GUEST_ACCESS_FAULT;
          } else {
              cs->exception_index = page_fault_exceptions ?
@@ -XXX,XX +XXX,XX @@ static void raise_mmu_exception(CPURISCVState *env, target_ulong address,
          }
          break;
      case MMU_DATA_STORE:
 -        if ((riscv_cpu_virt_enabled(env) || riscv_cpu_two_stage_lookup(env)) &&
 -            !first_stage) {
 +        if (two_stage && !first_stage) {
              cs->exception_index = RISCV_EXCP_STORE_GUEST_AMO_ACCESS_FAULT;
          } else {
              cs->exception_index = page_fault_exceptions ?
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
      int prot, prot2;
      bool pmp_violation = false;
      bool first_stage_error = true;
 +    bool two_stage_lookup = false;
      int ret = TRANSLATE_FAIL;
      int mode = mmu_idx;
      target_ulong tlb_size = 0;
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
          access_type != MMU_INST_FETCH &&
          get_field(env->mstatus, MSTATUS_MPRV) &&
          get_field(env->mstatus, MSTATUS_MPV)) {
 -        riscv_cpu_set_two_stage_lookup(env, true);
 +        two_stage_lookup = true;
      }
      if (riscv_cpu_virt_enabled(env) ||
 -        (riscv_cpu_two_stage_lookup(env) && access_type != MMU_INST_FETCH)) {
 +        ((riscv_cpu_two_stage_lookup(mmu_idx) || two_stage_lookup) &&
 +         access_type != MMU_INST_FETCH)) {
          /* Two stage lookup */
          ret = get_physical_address(env, &pa, &prot, address,
                                     &env->guest_phys_fault_addr, access_type,
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
                        __func__, address, ret, pa, prot);
      }
 -    /* We did the two stage lookup based on MPRV, unset the lookup */
 -    if (riscv_has_ext(env, RVH) && env->priv == PRV_M &&
 -        access_type != MMU_INST_FETCH &&
 -        get_field(env->mstatus, MSTATUS_MPRV) &&
 -        get_field(env->mstatus, MSTATUS_MPV)) {
 -        riscv_cpu_set_two_stage_lookup(env, false);
 -    }
 -
      if (riscv_feature(env, RISCV_FEATURE_PMP) &&
          (ret == TRANSLATE_SUCCESS) &&
          !pmp_hart_has_privs(env, pa, size, 1 << access_type, mode)) {
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
      } else if (probe) {
          return false;
      } else {
 -        raise_mmu_exception(env, address, access_type, pmp_violation, first_stage_error);
 +        raise_mmu_exception(env, address, access_type, pmp_violation,
 +                            first_stage_error,
 +                            riscv_cpu_virt_enabled(env) ||
 +                                riscv_cpu_two_stage_lookup(mmu_idx));
          riscv_raise_exception(env, cs->exception_index, retaddr);
      }
 @@ -XXX,XX +XXX,XX @@ void riscv_cpu_do_interrupt(CPUState *cs)
          /* handle the trap in S-mode */
          if (riscv_has_ext(env, RVH)) {
              target_ulong hdeleg = async ? env->hideleg : env->hedeleg;
-+            bool two_stage_lookup = false;
+-            bool two_stage_lookup = false;
-+
-+            if (env->priv == PRV_M ||
+-            if (env->priv == PRV_M ||
-+                (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
+-                (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
-+                (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
+-                (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
-+                    get_field(env->hstatus, HSTATUS_HU))) {
+-                    get_field(env->hstatus, HSTATUS_HU))) {
-+                    two_stage_lookup = true;
+-                    two_stage_lookup = true;
-+            }
+-            }
+-
--            if ((riscv_cpu_virt_enabled(env) ||
+-            if ((riscv_cpu_virt_enabled(env) || two_stage_lookup) && write_tval) {
--                 riscv_cpu_two_stage_lookup(env)) && write_tval) {
++            if (env->two_stage_lookup && write_tval) {
 +            if ((riscv_cpu_virt_enabled(env) || two_stage_lookup) && write_tval) {
                  /*
                   * If we are writing a guest virtual address to stval, set
                   * this to 1. If we are trapping to VS we will set this to 0
 @@ -XXX,XX +XXX,XX @@ void riscv_cpu_do_interrupt(CPUState *cs)
                  riscv_cpu_set_force_hs_excep(env, 0);
              } else {
                  /* Trap into HS mode */
--                if (!riscv_cpu_two_stage_lookup(env)) {
+-                if (!two_stage_lookup) {
-+                if (!two_stage_lookup) {
+-                    env->hstatus = set_field(env->hstatus, HSTATUS_SPV,
-                     env->hstatus = set_field(env->hstatus, HSTATUS_SPV,
+-                                             riscv_cpu_virt_enabled(env));
-                                              riscv_cpu_virt_enabled(env));
+-                }
-                 }
++                env->hstatus = set_field(env->hstatus, HSTATUS_SPV, false);
 -                riscv_cpu_set_two_stage_lookup(env, false);
                  htval = env->guest_phys_fault_addr;
              }
          }
-diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
+@@ -XXX,XX +XXX,XX @@ void riscv_cpu_do_interrupt(CPUState *cs)
-index XXXXXXX..XXXXXXX 100644
+      * RISC-V ISA Specification.
---- a/target/riscv/op_helper.c
+      */
-+++ b/target/riscv/op_helper.c
-@@ -XXX,XX +XXX,XX @@ target_ulong helper_hyp_load(CPURISCVState *env, target_ulong address,
++    env->two_stage_lookup = false;
-         target_ulong pte;
+ #endif
-         int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
+     cs->exception_index = EXCP_NONE; /* mark handled to qemu */
+ }
 -        riscv_cpu_set_two_stage_lookup(env, true);
 -
          switch (memop) {
          case MO_SB:
              pte = cpu_ldsb_mmuidx_ra(env, address, mmu_idx, GETPC());
@@ -XXX,XX +XXX,XX @@ target_ulong helper_hyp_load(CPURISCVState *env, target_ulong address,
              g_assert_not_reached();
          }
 -        riscv_cpu_set_two_stage_lookup(env, false);
 -
          return pte;
      }
@@ -XXX,XX +XXX,XX @@ void helper_hyp_store(CPURISCVState *env, target_ulong address,
              get_field(env->hstatus, HSTATUS_HU))) {
          int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 -        riscv_cpu_set_two_stage_lookup(env, true);
 -
          switch (memop) {
          case MO_SB:
          case MO_UB:
@@ -XXX,XX +XXX,XX @@ void helper_hyp_store(CPURISCVState *env, target_ulong address,
              g_assert_not_reached();
          }
 -        riscv_cpu_set_two_stage_lookup(env, false);
 -
          return;
      }
@@ -XXX,XX +XXX,XX @@ target_ulong helper_hyp_x_load(CPURISCVState *env, target_ulong address,
          target_ulong pte;
          int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 -        riscv_cpu_set_two_stage_lookup(env, true);
 -
          switch (memop) {
          case MO_TEUW:
              pte = cpu_lduw_mmuidx_ra(env, address, mmu_idx, GETPC());
@@ -XXX,XX +XXX,XX @@ target_ulong helper_hyp_x_load(CPURISCVState *env, target_ulong address,
              g_assert_not_reached();
          }
 -        riscv_cpu_set_two_stage_lookup(env, false);
 -
          return pte;
      }
 --
-.29.2
+.30.1

-[PULL 6/6] hw/intc/ibex_plic: Clear the claim register when read
+[PULL 13/16] hw/block: m25p80: Support fast read for SST flashes
-After claiming the interrupt by reading the claim register we want to
+From: Bin Meng <bin.meng@windriver.com>
 clear the register to make sure the interrupt doesn't appear at the next
 read.
-This matches the documentation for the claim register as when an interrupt
+Per SST25VF016B datasheet [1], SST flash requires a dummy byte after
-is claimed by a target the relevant bit of IP is cleared (which we already
+the address bytes. Note only SPI mode is supported by SST flashes.
 do): https://docs.opentitan.org/hw/ip/rv_plic/doc/index.html
-This also matches the current hardware.
+[1] http://ww1.microchip.com/downloads/en/devicedoc/s71271_04.pdf
+Signed-off-by: Bin Meng <bin.meng@windriver.com>
+Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20210306060152.7250-1-bmeng.cn@gmail.com
 Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 68d4575deef2559b7a747f3bda193fcf43af4558.1604629928.git.alistair.francis@wdc.com
 ---
- hw/intc/ibex_plic.c | 3 +++
+ hw/block/m25p80.c | 3 +++
 file changed, 3 insertions(+)
-diff --git a/hw/intc/ibex_plic.c b/hw/intc/ibex_plic.c
+diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/ibex_plic.c
+--- a/hw/block/m25p80.c
-+++ b/hw/intc/ibex_plic.c
++++ b/hw/block/m25p80.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t ibex_plic_read(void *opaque, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ static void decode_fast_read_cmd(Flash *s)
-         /* Return the current claimed interrupt */
+     s->needed_bytes = get_addr_length(s);
-         ret = s->claim;
+     switch (get_man(s)) {
+     /* Dummy cycles - modeled with bytes writes instead of bits */
-+        /* Clear the claimed interrupt */
++    case MAN_SST:
-+        s->claim = 0x00000000;
++        s->needed_bytes += 1;
-+
++        break;
-         /* Update the interrupt status after the claim */
+     case MAN_WINBOND:
-         ibex_plic_update(s);
+         s->needed_bytes += 8;
-     }
+         break;
 --
-.29.2
+.30.1

-New patch
+[PULL 14/16] hw/riscv: microchip_pfsoc: Map EMMC/SD mux register
+From: Bin Meng <bin.meng@windriver.com>
+Since HSS commit c20a89f8dcac, the Icicle Kit reference design has
+been updated to use a register mapped at 0x4f000000 instead of a
+GPIO to control whether eMMC or SD card is to be used. With this
+support the same HSS image can be used for both eMMC and SD card
+boot flow, while previously two different board configurations were
+used. This is undocumented but one can take a look at the HSS code
+HSS_MMCInit() in services/mmc/mmc_api.c.
+With this commit, HSS image built from 2020.12 release boots again.
+Signed-off-by: Bin Meng <bin.meng@windriver.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20210322075248.136255-1-bmeng.cn@gmail.com
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+---
+ include/hw/riscv/microchip_pfsoc.h | 1 +
+ hw/riscv/microchip_pfsoc.c         | 6 ++++++
+files changed, 7 insertions(+)
+diff --git a/include/hw/riscv/microchip_pfsoc.h b/include/hw/riscv/microchip_pfsoc.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/riscv/microchip_pfsoc.h
++++ b/include/hw/riscv/microchip_pfsoc.h
+@@ -XXX,XX +XXX,XX @@ enum {
+     MICROCHIP_PFSOC_ENVM_DATA,
+     MICROCHIP_PFSOC_QSPI_XIP,
+     MICROCHIP_PFSOC_IOSCB,
++    MICROCHIP_PFSOC_EMMC_SD_MUX,
+     MICROCHIP_PFSOC_DRAM_LO,
+     MICROCHIP_PFSOC_DRAM_LO_ALIAS,
+     MICROCHIP_PFSOC_DRAM_HI,
+diff --git a/hw/riscv/microchip_pfsoc.c b/hw/riscv/microchip_pfsoc.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/riscv/microchip_pfsoc.c
++++ b/hw/riscv/microchip_pfsoc.c
+@@ -XXX,XX +XXX,XX @@ static const MemMapEntry microchip_pfsoc_memmap[] = {
+     [MICROCHIP_PFSOC_ENVM_DATA] =       { 0x20220000,    0x20000 },
+     [MICROCHIP_PFSOC_QSPI_XIP] =        { 0x21000000,  0x1000000 },
+     [MICROCHIP_PFSOC_IOSCB] =           { 0x30000000, 0x10000000 },
++    [MICROCHIP_PFSOC_EMMC_SD_MUX] =     { 0x4f000000,        0x4 },
+     [MICROCHIP_PFSOC_DRAM_LO] =         { 0x80000000, 0x40000000 },
+     [MICROCHIP_PFSOC_DRAM_LO_ALIAS] =   { 0xc0000000, 0x40000000 },
+     [MICROCHIP_PFSOC_DRAM_HI] =       { 0x1000000000,        0x0 },
+@@ -XXX,XX +XXX,XX @@ static void microchip_pfsoc_soc_realize(DeviceState *dev, Error **errp)
+     sysbus_mmio_map(SYS_BUS_DEVICE(&s->ioscb), 0,
+                     memmap[MICROCHIP_PFSOC_IOSCB].base);
++    /* eMMC/SD mux */
++    create_unimplemented_device("microchip.pfsoc.emmc_sd_mux",
++        memmap[MICROCHIP_PFSOC_EMMC_SD_MUX].base,
++        memmap[MICROCHIP_PFSOC_EMMC_SD_MUX].size);
++
+     /* QSPI Flash */
+     memory_region_init_rom(qspi_xip_mem, OBJECT(dev),
+                            "microchip.pfsoc.qspi_xip",
+--
+.30.1

-[PULL 2/6] target/riscv: Set the virtualised MMU mode when doing hyp accesses
+[PULL 15/16] docs/system: riscv: Add documentation for 'microchip-icicle-kit' machine
-When performing the hypervisor load/store operations set the MMU mode to
+From: Bin Meng <bin.meng@windriver.com>
 indicate that we are virtualised.
+This adds the documentation to describe what is supported for the
+'microchip-icicle-kit' machine, and how to boot the machine in QEMU.
+Signed-off-by: Bin Meng <bin.meng@windriver.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20210322075248.136255-2-bmeng.cn@gmail.com
 Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: e411c61a1452cad16853f13cac2fb86dc91ebee8.1604464950.git.alistair.francis@wdc.com
 ---
- target/riscv/op_helper.c | 30 +++++++++++++++++-------------
+ docs/system/riscv/microchip-icicle-kit.rst | 89 ++++++++++++++++++++++
-file changed, 17 insertions(+), 13 deletions(-)
+ docs/system/target-riscv.rst               |  1 +
 files changed, 90 insertions(+)
  create mode 100644 docs/system/riscv/microchip-icicle-kit.rst
-diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
+diff --git a/docs/system/riscv/microchip-icicle-kit.rst b/docs/system/riscv/microchip-icicle-kit.rst
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/docs/system/riscv/microchip-icicle-kit.rst
@@ -XXX,XX +XXX,XX @@
 +Microchip PolarFire SoC Icicle Kit (``microchip-icicle-kit``)
 +=============================================================
 +
 +Microchip PolarFire SoC Icicle Kit integrates a PolarFire SoC, with one
 +SiFive's E51 plus four U54 cores and many on-chip peripherals and an FPGA.
 +
 +For more details about Microchip PolarFire SoC, please see:
 +https://www.microsemi.com/product-directory/soc-fpgas/5498-polarfire-soc-fpga
 +
 +The Icicle Kit board information can be found here:
 +https://www.microsemi.com/existing-parts/parts/152514
 +
 +Supported devices
 +-----------------
 +
 +The ``microchip-icicle-kit`` machine supports the following devices:
 +
 + * 1 E51 core
 + * 4 U54 cores
 + * Core Level Interruptor (CLINT)
 + * Platform-Level Interrupt Controller (PLIC)
 + * L2 Loosely Integrated Memory (L2-LIM)
 + * DDR memory controller
 + * 5 MMUARTs
 + * 1 DMA controller
 + * 2 GEM Ethernet controllers
 + * 1 SDHC storage controller
 +
 +Boot options
 +------------
 +
 +The ``microchip-icicle-kit`` machine can start using the standard -bios
 +functionality for loading its BIOS image, aka Hart Software Services (HSS_).
 +HSS loads the second stage bootloader U-Boot from an SD card. It does not
 +support direct kernel loading via the -kernel option. One has to load kernel
 +from U-Boot.
 +
 +The memory is set to 1537 MiB by default which is the minimum required high
 +memory size by HSS. A sanity check on ram size is performed in the machine
 +init routine to prompt user to increase the RAM size to > 1537 MiB when less
 +than 1537 MiB ram is detected.
 +
 +Boot the machine
 +----------------
 +
 +HSS 2020.12 release is tested at the time of writing. To build an HSS image
 +that can be booted by the ``microchip-icicle-kit`` machine, type the following
 +in the HSS source tree:
 +
 +.. code-block:: bash
 +
 +  $ export CROSS_COMPILE=riscv64-linux-
 +  $ cp boards/mpfs-icicle-kit-es/def_config .config
 +  $ make BOARD=mpfs-icicle-kit-es
 +
 +Download the official SD card image released by Microchip and prepare it for
 +QEMU usage:
 +
 +.. code-block:: bash
 +
 +  $ wget ftp://ftpsoc.microsemi.com/outgoing/core-image-minimal-dev-icicle-kit-es-sd-20201009141623.rootfs.wic.gz
 +  $ gunzip core-image-minimal-dev-icicle-kit-es-sd-20201009141623.rootfs.wic.gz
 +  $ qemu-img resize core-image-minimal-dev-icicle-kit-es-sd-20201009141623.rootfs.wic 4G
 +
 +Then we can boot the machine by:
 +
 +.. code-block:: bash
 +
 +  $ qemu-system-riscv64 -M microchip-icicle-kit -smp 5 \
 +      -bios path/to/hss.bin -sd path/to/sdcard.img \
 +      -nic user,model=cadence_gem \
 +      -nic tap,ifname=tap,model=cadence_gem,script=no \
 +      -display none -serial stdio \
 +      -chardev socket,id=serial1,path=serial1.sock,server=on,wait=on \
 +      -serial chardev:serial1
 +
 +With above command line, current terminal session will be used for the first
 +serial port. Open another terminal window, and use `minicom` to connect the
 +second serial port.
 +
 +.. code-block:: bash
 +
 +  $ minicom -D unix\#serial1.sock
 +
 +HSS output is on the first serial port (stdio) and U-Boot outputs on the
 +second serial port. U-Boot will automatically load the Linux kernel from
 +the SD card image.
 +
 +.. _HSS: https://github.com/polarfire-soc/hart-software-services
 diff --git a/docs/system/target-riscv.rst b/docs/system/target-riscv.rst
 index XXXXXXX..XXXXXXX 100644
---- a/target/riscv/op_helper.c
+--- a/docs/system/target-riscv.rst
-+++ b/target/riscv/op_helper.c
++++ b/docs/system/target-riscv.rst
-@@ -XXX,XX +XXX,XX @@ target_ulong helper_hyp_load(CPURISCVState *env, target_ulong address,
+@@ -XXX,XX +XXX,XX @@ undocumented; you can get a complete list by running
-         (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
+ .. toctree::
-             get_field(env->hstatus, HSTATUS_HU))) {
+    :maxdepth: 1
-         target_ulong pte;
-+        int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
++   riscv/microchip-icicle-kit
+    riscv/sifive_u
-         riscv_cpu_set_two_stage_lookup(env, true);
+ RISC-V CPU features
          switch (memop) {
          case MO_SB:
 -            pte = cpu_ldsb_data_ra(env, address, GETPC());
 +            pte = cpu_ldsb_mmuidx_ra(env, address, mmu_idx, GETPC());
              break;
          case MO_UB:
 -            pte = cpu_ldub_data_ra(env, address, GETPC());
 +            pte = cpu_ldub_mmuidx_ra(env, address, mmu_idx, GETPC());
              break;
          case MO_TESW:
 -            pte = cpu_ldsw_data_ra(env, address, GETPC());
 +            pte = cpu_ldsw_mmuidx_ra(env, address, mmu_idx, GETPC());
              break;
          case MO_TEUW:
 -            pte = cpu_lduw_data_ra(env, address, GETPC());
 +            pte = cpu_lduw_mmuidx_ra(env, address, mmu_idx, GETPC());
              break;
          case MO_TESL:
 -            pte = cpu_ldl_data_ra(env, address, GETPC());
 +            pte = cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
              break;
          case MO_TEUL:
 -            pte = cpu_ldl_data_ra(env, address, GETPC());
 +            pte = cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
              break;
          case MO_TEQ:
 -            pte = cpu_ldq_data_ra(env, address, GETPC());
 +            pte = cpu_ldq_mmuidx_ra(env, address, mmu_idx, GETPC());
              break;
          default:
              g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ void helper_hyp_store(CPURISCVState *env, target_ulong address,
          (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
          (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
              get_field(env->hstatus, HSTATUS_HU))) {
 +        int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 +
          riscv_cpu_set_two_stage_lookup(env, true);
          switch (memop) {
          case MO_SB:
          case MO_UB:
 -            cpu_stb_data_ra(env, address, val, GETPC());
 +            cpu_stb_mmuidx_ra(env, address, val, mmu_idx, GETPC());
              break;
          case MO_TESW:
          case MO_TEUW:
 -            cpu_stw_data_ra(env, address, val, GETPC());
 +            cpu_stw_mmuidx_ra(env, address, val, mmu_idx, GETPC());
              break;
          case MO_TESL:
          case MO_TEUL:
 -            cpu_stl_data_ra(env, address, val, GETPC());
 +            cpu_stl_mmuidx_ra(env, address, val, mmu_idx, GETPC());
              break;
          case MO_TEQ:
 -            cpu_stq_data_ra(env, address, val, GETPC());
 +            cpu_stq_mmuidx_ra(env, address, val, mmu_idx, GETPC());
              break;
          default:
              g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ target_ulong helper_hyp_x_load(CPURISCVState *env, target_ulong address,
          (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
              get_field(env->hstatus, HSTATUS_HU))) {
          target_ulong pte;
 +        int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
          riscv_cpu_set_two_stage_lookup(env, true);
          switch (memop) {
          case MO_TEUW:
 -            pte = cpu_lduw_data_ra(env, address, GETPC());
 +            pte = cpu_lduw_mmuidx_ra(env, address, mmu_idx, GETPC());
              break;
          case MO_TEUL:
 -            pte = cpu_ldl_data_ra(env, address, GETPC());
 +            pte = cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
              break;
          default:
              g_assert_not_reached();
 --
-.29.2
+.30.1

-New patch
+[PULL 16/16] target/riscv: Prevent lost illegal instruction exceptions
+From: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
 When decode_insn16() fails, we fall back to decode_RV32_64C() for
 further compressed instruction decoding. However, prior to this change,
 we did not raise an illegal instruction exception, if decode_RV32_64C()
 fails to decode the instruction. This means that we skipped illegal
 compressed instructions instead of raising an illegal instruction
 exception.
 Instead of patching decode_RV32_64C(), we can just remove it,
 as it is dead code since f330433b363 anyway.
 Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20210322121609.3097928-1-georg.kotheimer@kernkonzept.com
 Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
 ---
  target/riscv/translate.c | 179 +--------------------------------------
 file changed, 1 insertion(+), 178 deletions(-)
 diff --git a/target/riscv/translate.c b/target/riscv/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/translate.c
 +++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
      CPUState *cs;
  } DisasContext;
 -#ifdef TARGET_RISCV64
 -/* convert riscv funct3 to qemu memop for load/store */
 -static const int tcg_memop_lookup[8] = {
 -    [0 ... 7] = -1,
 -    [0] = MO_SB,
 -    [1] = MO_TESW,
 -    [2] = MO_TESL,
 -    [3] = MO_TEQ,
 -    [4] = MO_UB,
 -    [5] = MO_TEUW,
 -    [6] = MO_TEUL,
 -};
 -#endif
 -
  #ifdef TARGET_RISCV64
  #define CASE_OP_32_64(X) case X: case glue(X, W)
  #else
@@ -XXX,XX +XXX,XX @@ static void gen_jal(DisasContext *ctx, int rd, target_ulong imm)
      ctx->base.is_jmp = DISAS_NORETURN;
  }
 -#ifdef TARGET_RISCV64
 -static void gen_load_c(DisasContext *ctx, uint32_t opc, int rd, int rs1,
 -        target_long imm)
 -{
 -    TCGv t0 = tcg_temp_new();
 -    TCGv t1 = tcg_temp_new();
 -    gen_get_gpr(t0, rs1);
 -    tcg_gen_addi_tl(t0, t0, imm);
 -    int memop = tcg_memop_lookup[(opc >> 12) & 0x7];
 -
 -    if (memop < 0) {
 -        gen_exception_illegal(ctx);
 -        return;
 -    }
 -
 -    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, memop);
 -    gen_set_gpr(rd, t1);
 -    tcg_temp_free(t0);
 -    tcg_temp_free(t1);
 -}
 -
 -static void gen_store_c(DisasContext *ctx, uint32_t opc, int rs1, int rs2,
 -        target_long imm)
 -{
 -    TCGv t0 = tcg_temp_new();
 -    TCGv dat = tcg_temp_new();
 -    gen_get_gpr(t0, rs1);
 -    tcg_gen_addi_tl(t0, t0, imm);
 -    gen_get_gpr(dat, rs2);
 -    int memop = tcg_memop_lookup[(opc >> 12) & 0x7];
 -
 -    if (memop < 0) {
 -        gen_exception_illegal(ctx);
 -        return;
 -    }
 -
 -    tcg_gen_qemu_st_tl(dat, t0, ctx->mem_idx, memop);
 -    tcg_temp_free(t0);
 -    tcg_temp_free(dat);
 -}
 -#endif
 -
  #ifndef CONFIG_USER_ONLY
  /* The states of mstatus_fs are:
   * 0 = disabled, 1 = initial, 2 = clean, 3 = dirty
@@ -XXX,XX +XXX,XX @@ static void mark_fs_dirty(DisasContext *ctx)
  static inline void mark_fs_dirty(DisasContext *ctx) { }
  #endif
 -#if !defined(TARGET_RISCV64)
 -static void gen_fp_load(DisasContext *ctx, uint32_t opc, int rd,
 -        int rs1, target_long imm)
 -{
 -    TCGv t0;
 -
 -    if (ctx->mstatus_fs == 0) {
 -        gen_exception_illegal(ctx);
 -        return;
 -    }
 -
 -    t0 = tcg_temp_new();
 -    gen_get_gpr(t0, rs1);
 -    tcg_gen_addi_tl(t0, t0, imm);
 -
 -    switch (opc) {
 -    case OPC_RISC_FLW:
 -        if (!has_ext(ctx, RVF)) {
 -            goto do_illegal;
 -        }
 -        tcg_gen_qemu_ld_i64(cpu_fpr[rd], t0, ctx->mem_idx, MO_TEUL);
 -        /* RISC-V requires NaN-boxing of narrower width floating point values */
 -        tcg_gen_ori_i64(cpu_fpr[rd], cpu_fpr[rd], 0xffffffff00000000ULL);
 -        break;
 -    case OPC_RISC_FLD:
 -        if (!has_ext(ctx, RVD)) {
 -            goto do_illegal;
 -        }
 -        tcg_gen_qemu_ld_i64(cpu_fpr[rd], t0, ctx->mem_idx, MO_TEQ);
 -        break;
 -    do_illegal:
 -    default:
 -        gen_exception_illegal(ctx);
 -        break;
 -    }
 -    tcg_temp_free(t0);
 -
 -    mark_fs_dirty(ctx);
 -}
 -
 -static void gen_fp_store(DisasContext *ctx, uint32_t opc, int rs1,
 -        int rs2, target_long imm)
 -{
 -    TCGv t0;
 -
 -    if (ctx->mstatus_fs == 0) {
 -        gen_exception_illegal(ctx);
 -        return;
 -    }
 -
 -    t0 = tcg_temp_new();
 -    gen_get_gpr(t0, rs1);
 -    tcg_gen_addi_tl(t0, t0, imm);
 -
 -    switch (opc) {
 -    case OPC_RISC_FSW:
 -        if (!has_ext(ctx, RVF)) {
 -            goto do_illegal;
 -        }
 -        tcg_gen_qemu_st_i64(cpu_fpr[rs2], t0, ctx->mem_idx, MO_TEUL);
 -        break;
 -    case OPC_RISC_FSD:
 -        if (!has_ext(ctx, RVD)) {
 -            goto do_illegal;
 -        }
 -        tcg_gen_qemu_st_i64(cpu_fpr[rs2], t0, ctx->mem_idx, MO_TEQ);
 -        break;
 -    do_illegal:
 -    default:
 -        gen_exception_illegal(ctx);
 -        break;
 -    }
 -
 -    tcg_temp_free(t0);
 -}
 -#endif
 -
  static void gen_set_rm(DisasContext *ctx, int rm)
  {
      TCGv_i32 t0;
@@ -XXX,XX +XXX,XX @@ static void gen_set_rm(DisasContext *ctx, int rm)
      tcg_temp_free_i32(t0);
  }
 -static void decode_RV32_64C0(DisasContext *ctx, uint16_t opcode)
 -{
 -    uint8_t funct3 = extract16(opcode, 13, 3);
 -    uint8_t rd_rs2 = GET_C_RS2S(opcode);
 -    uint8_t rs1s = GET_C_RS1S(opcode);
 -
 -    switch (funct3) {
 -    case 3:
 -#if defined(TARGET_RISCV64)
 -        /* C.LD(RV64/128) -> ld rd', offset[7:3](rs1')*/
 -        gen_load_c(ctx, OPC_RISC_LD, rd_rs2, rs1s,
 -                 GET_C_LD_IMM(opcode));
 -#else
 -        /* C.FLW (RV32) -> flw rd', offset[6:2](rs1')*/
 -        gen_fp_load(ctx, OPC_RISC_FLW, rd_rs2, rs1s,
 -                    GET_C_LW_IMM(opcode));
 -#endif
 -        break;
 -    case 7:
 -#if defined(TARGET_RISCV64)
 -        /* C.SD (RV64/128) -> sd rs2', offset[7:3](rs1')*/
 -        gen_store_c(ctx, OPC_RISC_SD, rs1s, rd_rs2,
 -                  GET_C_LD_IMM(opcode));
 -#else
 -        /* C.FSW (RV32) -> fsw rs2', offset[6:2](rs1')*/
 -        gen_fp_store(ctx, OPC_RISC_FSW, rs1s, rd_rs2,
 -                     GET_C_LW_IMM(opcode));
 -#endif
 -        break;
 -    }
 -}
 -
 -static void decode_RV32_64C(DisasContext *ctx, uint16_t opcode)
 -{
 -    uint8_t op = extract16(opcode, 0, 2);
 -
 -    switch (op) {
 -    case 0:
 -        decode_RV32_64C0(ctx, opcode);
 -        break;
 -    }
 -}
 -
  static int ex_plus_1(DisasContext *ctx, int nf)
  {
      return nf + 1;
@@ -XXX,XX +XXX,XX @@ static void decode_opc(CPURISCVState *env, DisasContext *ctx, uint16_t opcode)
          } else {
              ctx->pc_succ_insn = ctx->base.pc_next + 2;
              if (!decode_insn16(ctx, opcode)) {
 -                /* fall back to old decoder */
 -                decode_RV32_64C(ctx, opcode);
 +                gen_exception_illegal(ctx);
              }
          }
      } else {
 --
 .30.1

The following changes since commit 3c8c36c9087da957f580a9bb5ebf7814a753d1c6:

Merge remote-tracking branch 'remotes/kraxel/tags/ui-20201104-pull-request' into staging (2020-11-04 16:52:17 +0000)

are available in the Git repository at:

git@github.com:alistair23/qemu.git tags/pull-riscv-to-apply-20201109

for you to fetch changes up to 96338fefc19a143abdc91f6c44f37683274b08d4:

hw/intc/ibex_plic: Clear the claim register when read (2020-11-09 15:09:53 -0800)

----------------------------------------------------------------
This fixes two bugs in the RISC-V port. One is a bug in the
Ibex PLIC, the other fixes the Hypvervisor access functions.

----------------------------------------------------------------
Alistair Francis (6):
      target/riscv: Add a virtualised MMU Mode
      target/riscv: Set the virtualised MMU mode when doing hyp accesses
      target/riscv: Remove the HS_TWO_STAGE flag
      target/riscv: Remove the hyp load and store functions
      target/riscv: Split the Hypervisor execute load helpers
      hw/intc/ibex_plic: Clear the claim register when read

Add a new MMU mode that includes the current virt mode.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 4b301bc0ea36da962fc1605371b65019ac3073df.1604464950.git.alistair.francis@wdc.com
---
 target/riscv/cpu-param.h  | 11 ++++++++++-
 target/riscv/cpu.h        |  4 +++-
 target/riscv/cpu_helper.c |  2 +-
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/target/riscv/cpu-param.h b/target/riscv/cpu-param.h
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/cpu-param.h
+++ b/target/riscv/cpu-param.h
@@ -XXX,XX +XXX,XX @@
 # define TARGET_VIRT_ADDR_SPACE_BITS 32 /* sv32 */
 #endif
 #define TARGET_PAGE_BITS 12 /* 4 KiB Pages */
-#define NB_MMU_MODES 4
+/*
+ * The current MMU Modes are:
+ *  - U mode 0b000
+ *  - S mode 0b001
+ *  - M mode 0b011
+ *  - U mode HLV/HLVX/HSV 0b100
+ *  - S mode HLV/HLVX/HSV 0b101
+ *  - M mode HLV/HLVX/HSV 0b111
+ */
+#define NB_MMU_MODES 8
 
 #endif
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN riscv_raise_exception(CPURISCVState *env,
 target_ulong riscv_cpu_get_fflags(CPURISCVState *env);
 void riscv_cpu_set_fflags(CPURISCVState *env, target_ulong);
 
-#define TB_FLAGS_MMU_MASK   3
+#define TB_FLAGS_MMU_MASK   7
+#define TB_FLAGS_PRIV_MMU_MASK                3
+#define TB_FLAGS_PRIV_HYP_ACCESS_MASK   (1 << 2)
 #define TB_FLAGS_MSTATUS_FS MSTATUS_FS
 
 typedef CPURISCVState CPUArchState;
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -XXX,XX +XXX,XX @@ static int get_physical_address(CPURISCVState *env, hwaddr *physical,
      * (riscv_cpu_do_interrupt) is correct */
     MemTxResult res;
     MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
-    int mode = mmu_idx;
+    int mode = mmu_idx & TB_FLAGS_PRIV_MMU_MASK;
     bool use_background = false;
 
     /*
-- 
2.29.2

When performing the hypervisor load/store operations set the MMU mode to
indicate that we are virtualised.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: e411c61a1452cad16853f13cac2fb86dc91ebee8.1604464950.git.alistair.francis@wdc.com
---
 target/riscv/op_helper.c | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -XXX,XX +XXX,XX @@ target_ulong helper_hyp_load(CPURISCVState *env, target_ulong address,
         (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
             get_field(env->hstatus, HSTATUS_HU))) {
         target_ulong pte;
+        int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 
         riscv_cpu_set_two_stage_lookup(env, true);
 
         switch (memop) {
         case MO_SB:
-            pte = cpu_ldsb_data_ra(env, address, GETPC());
+            pte = cpu_ldsb_mmuidx_ra(env, address, mmu_idx, GETPC());
             break;
         case MO_UB:
-            pte = cpu_ldub_data_ra(env, address, GETPC());
+            pte = cpu_ldub_mmuidx_ra(env, address, mmu_idx, GETPC());
             break;
         case MO_TESW:
-            pte = cpu_ldsw_data_ra(env, address, GETPC());
+            pte = cpu_ldsw_mmuidx_ra(env, address, mmu_idx, GETPC());
             break;
         case MO_TEUW:
-            pte = cpu_lduw_data_ra(env, address, GETPC());
+            pte = cpu_lduw_mmuidx_ra(env, address, mmu_idx, GETPC());
             break;
         case MO_TESL:
-            pte = cpu_ldl_data_ra(env, address, GETPC());
+            pte = cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
             break;
         case MO_TEUL:
-            pte = cpu_ldl_data_ra(env, address, GETPC());
+            pte = cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
             break;
         case MO_TEQ:
-            pte = cpu_ldq_data_ra(env, address, GETPC());
+            pte = cpu_ldq_mmuidx_ra(env, address, mmu_idx, GETPC());
             break;
         default:
             g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ void helper_hyp_store(CPURISCVState *env, target_ulong address,
         (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
         (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
             get_field(env->hstatus, HSTATUS_HU))) {
+        int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
+
         riscv_cpu_set_two_stage_lookup(env, true);
 
         switch (memop) {
         case MO_SB:
         case MO_UB:
-            cpu_stb_data_ra(env, address, val, GETPC());
+            cpu_stb_mmuidx_ra(env, address, val, mmu_idx, GETPC());
             break;
         case MO_TESW:
         case MO_TEUW:
-            cpu_stw_data_ra(env, address, val, GETPC());
+            cpu_stw_mmuidx_ra(env, address, val, mmu_idx, GETPC());
             break;
         case MO_TESL:
         case MO_TEUL:
-            cpu_stl_data_ra(env, address, val, GETPC());
+            cpu_stl_mmuidx_ra(env, address, val, mmu_idx, GETPC());
             break;
         case MO_TEQ:
-            cpu_stq_data_ra(env, address, val, GETPC());
+            cpu_stq_mmuidx_ra(env, address, val, mmu_idx, GETPC());
             break;
         default:
             g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ target_ulong helper_hyp_x_load(CPURISCVState *env, target_ulong address,
         (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
             get_field(env->hstatus, HSTATUS_HU))) {
         target_ulong pte;
+        int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 
         riscv_cpu_set_two_stage_lookup(env, true);
 
         switch (memop) {
         case MO_TEUW:
-            pte = cpu_lduw_data_ra(env, address, GETPC());
+            pte = cpu_lduw_mmuidx_ra(env, address, mmu_idx, GETPC());
             break;
         case MO_TEUL:
-            pte = cpu_ldl_data_ra(env, address, GETPC());
+            pte = cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
             break;
         default:
             g_assert_not_reached();
-- 
2.29.2

The HS_TWO_STAGE flag is no longer required as the MMU index contains
the information if we are performing a two stage access.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: f514b128b1ff0fb41c85f914cee18f905007a922.1604464950.git.alistair.francis@wdc.com
---
 target/riscv/cpu.h        |  3 +-
 target/riscv/cpu_bits.h   |  1 -
 target/riscv/cpu_helper.c | 60 ++++++++++++++++-----------------------
 target/riscv/op_helper.c  | 12 --------
 4 files changed, 25 insertions(+), 51 deletions(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_virt_enabled(CPURISCVState *env);
 void riscv_cpu_set_virt_enabled(CPURISCVState *env, bool enable);
 bool riscv_cpu_force_hs_excep_enabled(CPURISCVState *env);
 void riscv_cpu_set_force_hs_excep(CPURISCVState *env, bool enable);
-bool riscv_cpu_two_stage_lookup(CPURISCVState *env);
-void riscv_cpu_set_two_stage_lookup(CPURISCVState *env, bool enable);
+bool riscv_cpu_two_stage_lookup(int mmu_idx);
 int riscv_cpu_mmu_index(CPURISCVState *env, bool ifetch);
 hwaddr riscv_cpu_get_phys_page_debug(CPUState *cpu, vaddr addr);
 void  riscv_cpu_do_unaligned_access(CPUState *cs, vaddr addr,
diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/cpu_bits.h
+++ b/target/riscv/cpu_bits.h
@@ -XXX,XX +XXX,XX @@
  * page table fault.
  */
 #define FORCE_HS_EXCEP      2
-#define HS_TWO_STAGE        4
 
 /* RV32 satp CSR field masks */
 #define SATP32_MODE         0x80000000
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -XXX,XX +XXX,XX @@ void riscv_cpu_set_force_hs_excep(CPURISCVState *env, bool enable)
     env->virt = set_field(env->virt, FORCE_HS_EXCEP, enable);
 }
 
-bool riscv_cpu_two_stage_lookup(CPURISCVState *env)
+bool riscv_cpu_two_stage_lookup(int mmu_idx)
 {
-    if (!riscv_has_ext(env, RVH)) {
-        return false;
-    }
-
-    return get_field(env->virt, HS_TWO_STAGE);
-}
-
-void riscv_cpu_set_two_stage_lookup(CPURISCVState *env, bool enable)
-{
-    if (!riscv_has_ext(env, RVH)) {
-        return;
-    }
-
-    env->virt = set_field(env->virt, HS_TWO_STAGE, enable);
+    return mmu_idx & TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 }
 
 int riscv_cpu_claim_interrupts(RISCVCPU *cpu, uint32_t interrupts)
@@ -XXX,XX +XXX,XX @@ static int get_physical_address(CPURISCVState *env, hwaddr *physical,
      * was called. Background registers will be used if the guest has
      * forced a two stage translation to be on (in HS or M mode).
      */
-    if (riscv_cpu_two_stage_lookup(env) && access_type != MMU_INST_FETCH) {
+    if (!riscv_cpu_virt_enabled(env) && riscv_cpu_two_stage_lookup(mmu_idx)) {
         use_background = true;
     }
 
@@ -XXX,XX +XXX,XX @@ restart:
 
 static void raise_mmu_exception(CPURISCVState *env, target_ulong address,
                                 MMUAccessType access_type, bool pmp_violation,
-                                bool first_stage)
+                                bool first_stage, bool two_stage)
 {
     CPUState *cs = env_cpu(env);
     int page_fault_exceptions;
@@ -XXX,XX +XXX,XX @@ static void raise_mmu_exception(CPURISCVState *env, target_ulong address,
         }
         break;
     case MMU_DATA_LOAD:
-        if ((riscv_cpu_virt_enabled(env) || riscv_cpu_two_stage_lookup(env)) &&
-            !first_stage) {
+        if (two_stage && !first_stage) {
             cs->exception_index = RISCV_EXCP_LOAD_GUEST_ACCESS_FAULT;
         } else {
             cs->exception_index = page_fault_exceptions ?
@@ -XXX,XX +XXX,XX @@ static void raise_mmu_exception(CPURISCVState *env, target_ulong address,
         }
         break;
     case MMU_DATA_STORE:
-        if ((riscv_cpu_virt_enabled(env) || riscv_cpu_two_stage_lookup(env)) &&
-            !first_stage) {
+        if (two_stage && !first_stage) {
             cs->exception_index = RISCV_EXCP_STORE_GUEST_AMO_ACCESS_FAULT;
         } else {
             cs->exception_index = page_fault_exceptions ?
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
     int prot, prot2;
     bool pmp_violation = false;
     bool first_stage_error = true;
+    bool two_stage_lookup = false;
     int ret = TRANSLATE_FAIL;
     int mode = mmu_idx;
     target_ulong tlb_size = 0;
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
         access_type != MMU_INST_FETCH &&
         get_field(env->mstatus, MSTATUS_MPRV) &&
         get_field(env->mstatus, MSTATUS_MPV)) {
-        riscv_cpu_set_two_stage_lookup(env, true);
+        two_stage_lookup = true;
     }
 
     if (riscv_cpu_virt_enabled(env) ||
-        (riscv_cpu_two_stage_lookup(env) && access_type != MMU_INST_FETCH)) {
+        ((riscv_cpu_two_stage_lookup(mmu_idx) || two_stage_lookup) &&
+         access_type != MMU_INST_FETCH)) {
         /* Two stage lookup */
         ret = get_physical_address(env, &pa, &prot, address,
                                    &env->guest_phys_fault_addr, access_type,
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
                       __func__, address, ret, pa, prot);
     }
 
-    /* We did the two stage lookup based on MPRV, unset the lookup */
-    if (riscv_has_ext(env, RVH) && env->priv == PRV_M &&
-        access_type != MMU_INST_FETCH &&
-        get_field(env->mstatus, MSTATUS_MPRV) &&
-        get_field(env->mstatus, MSTATUS_MPV)) {
-        riscv_cpu_set_two_stage_lookup(env, false);
-    }
-
     if (riscv_feature(env, RISCV_FEATURE_PMP) &&
         (ret == TRANSLATE_SUCCESS) &&
         !pmp_hart_has_privs(env, pa, size, 1 << access_type, mode)) {
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
     } else if (probe) {
         return false;
     } else {
-        raise_mmu_exception(env, address, access_type, pmp_violation, first_stage_error);
+        raise_mmu_exception(env, address, access_type, pmp_violation,
+                            first_stage_error,
+                            riscv_cpu_virt_enabled(env) ||
+                                riscv_cpu_two_stage_lookup(mmu_idx));
         riscv_raise_exception(env, cs->exception_index, retaddr);
     }
 
@@ -XXX,XX +XXX,XX @@ void riscv_cpu_do_interrupt(CPUState *cs)
         /* handle the trap in S-mode */
         if (riscv_has_ext(env, RVH)) {
             target_ulong hdeleg = async ? env->hideleg : env->hedeleg;
+            bool two_stage_lookup = false;
+
+            if (env->priv == PRV_M ||
+                (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
+                (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
+                    get_field(env->hstatus, HSTATUS_HU))) {
+                    two_stage_lookup = true;
+            }
 
-            if ((riscv_cpu_virt_enabled(env) ||
-                 riscv_cpu_two_stage_lookup(env)) && write_tval) {
+            if ((riscv_cpu_virt_enabled(env) || two_stage_lookup) && write_tval) {
                 /*
                  * If we are writing a guest virtual address to stval, set
                  * this to 1. If we are trapping to VS we will set this to 0
@@ -XXX,XX +XXX,XX @@ void riscv_cpu_do_interrupt(CPUState *cs)
                 riscv_cpu_set_force_hs_excep(env, 0);
             } else {
                 /* Trap into HS mode */
-                if (!riscv_cpu_two_stage_lookup(env)) {
+                if (!two_stage_lookup) {
                     env->hstatus = set_field(env->hstatus, HSTATUS_SPV,
                                              riscv_cpu_virt_enabled(env));
                 }
-                riscv_cpu_set_two_stage_lookup(env, false);
                 htval = env->guest_phys_fault_addr;
             }
         }
diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -XXX,XX +XXX,XX @@ target_ulong helper_hyp_load(CPURISCVState *env, target_ulong address,
         target_ulong pte;
         int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 
-        riscv_cpu_set_two_stage_lookup(env, true);
-
         switch (memop) {
         case MO_SB:
             pte = cpu_ldsb_mmuidx_ra(env, address, mmu_idx, GETPC());
@@ -XXX,XX +XXX,XX @@ target_ulong helper_hyp_load(CPURISCVState *env, target_ulong address,
             g_assert_not_reached();
         }
 
-        riscv_cpu_set_two_stage_lookup(env, false);
-
         return pte;
     }
 
@@ -XXX,XX +XXX,XX @@ void helper_hyp_store(CPURISCVState *env, target_ulong address,
             get_field(env->hstatus, HSTATUS_HU))) {
         int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 
-        riscv_cpu_set_two_stage_lookup(env, true);
-
         switch (memop) {
         case MO_SB:
         case MO_UB:
@@ -XXX,XX +XXX,XX @@ void helper_hyp_store(CPURISCVState *env, target_ulong address,
             g_assert_not_reached();
         }
 
-        riscv_cpu_set_two_stage_lookup(env, false);
-
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ target_ulong helper_hyp_x_load(CPURISCVState *env, target_ulong address,
         target_ulong pte;
         int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 
-        riscv_cpu_set_two_stage_lookup(env, true);
-
         switch (memop) {
         case MO_TEUW:
             pte = cpu_lduw_mmuidx_ra(env, address, mmu_idx, GETPC());
@@ -XXX,XX +XXX,XX @@ target_ulong helper_hyp_x_load(CPURISCVState *env, target_ulong address,
             g_assert_not_reached();
         }
 
-        riscv_cpu_set_two_stage_lookup(env, false);
-
         return pte;
     }
 
-- 
2.29.2

Remove the special Virtulisation load and store functions and just use
the standard tcg tcg_gen_qemu_ld_tl() and tcg_gen_qemu_st_tl() functions
instead.

As part of this change we ensure we still run an access check to make
sure we can perform the operations.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 189ac3e53ef2854824d18aad7074c6649f17de2c.1604464950.git.alistair.francis@wdc.com
---
 target/riscv/cpu.h                      |  12 +++
 target/riscv/helper.h                   |   2 -
 target/riscv/op_helper.c                |  86 -----------------
 target/riscv/translate.c                |   2 +
 target/riscv/insn_trans/trans_rvh.c.inc | 123 +++++++++---------------
 5 files changed, 59 insertions(+), 166 deletions(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(TB_FLAGS, VL_EQ_VLMAX, 2, 1)
 FIELD(TB_FLAGS, LMUL, 3, 2)
 FIELD(TB_FLAGS, SEW, 5, 3)
 FIELD(TB_FLAGS, VILL, 8, 1)
+/* Is a Hypervisor instruction load/store allowed? */
+FIELD(TB_FLAGS, HLSX, 9, 1)
 
 /*
  * A simplification for VLMAX
@@ -XXX,XX +XXX,XX @@ static inline void cpu_get_tb_cpu_state(CPURISCVState *env, target_ulong *pc,
     if (riscv_cpu_fp_enabled(env)) {
         flags |= env->mstatus & MSTATUS_FS;
     }
+
+    if (riscv_has_ext(env, RVH)) {
+        if (env->priv == PRV_M ||
+            (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
+            (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
+                get_field(env->hstatus, HSTATUS_HU))) {
+            flags = FIELD_DP32(flags, TB_FLAGS, HLSX, 1);
+        }
+    }
 #endif
+
     *pflags = flags;
 }
 
diff --git a/target/riscv/helper.h b/target/riscv/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/helper.h
+++ b/target/riscv/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(tlb_flush, void, env)
 #ifndef CONFIG_USER_ONLY
 DEF_HELPER_1(hyp_tlb_flush, void, env)
 DEF_HELPER_1(hyp_gvma_tlb_flush, void, env)
-DEF_HELPER_4(hyp_load, tl, env, tl, tl, tl)
-DEF_HELPER_5(hyp_store, void, env, tl, tl, tl, tl)
 DEF_HELPER_4(hyp_x_load, tl, env, tl, tl, tl)
 #endif
 
diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -XXX,XX +XXX,XX @@ void helper_hyp_gvma_tlb_flush(CPURISCVState *env)
     helper_hyp_tlb_flush(env);
 }
 
-target_ulong helper_hyp_load(CPURISCVState *env, target_ulong address,
-                             target_ulong attrs, target_ulong memop)
-{
-    if (env->priv == PRV_M ||
-        (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
-        (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
-            get_field(env->hstatus, HSTATUS_HU))) {
-        target_ulong pte;
-        int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
-
-        switch (memop) {
-        case MO_SB:
-            pte = cpu_ldsb_mmuidx_ra(env, address, mmu_idx, GETPC());
-            break;
-        case MO_UB:
-            pte = cpu_ldub_mmuidx_ra(env, address, mmu_idx, GETPC());
-            break;
-        case MO_TESW:
-            pte = cpu_ldsw_mmuidx_ra(env, address, mmu_idx, GETPC());
-            break;
-        case MO_TEUW:
-            pte = cpu_lduw_mmuidx_ra(env, address, mmu_idx, GETPC());
-            break;
-        case MO_TESL:
-            pte = cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
-            break;
-        case MO_TEUL:
-            pte = cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
-            break;
-        case MO_TEQ:
-            pte = cpu_ldq_mmuidx_ra(env, address, mmu_idx, GETPC());
-            break;
-        default:
-            g_assert_not_reached();
-        }
-
-        return pte;
-    }
-
-    if (riscv_cpu_virt_enabled(env)) {
-        riscv_raise_exception(env, RISCV_EXCP_VIRT_INSTRUCTION_FAULT, GETPC());
-    } else {
-        riscv_raise_exception(env, RISCV_EXCP_ILLEGAL_INST, GETPC());
-    }
-    return 0;
-}
-
-void helper_hyp_store(CPURISCVState *env, target_ulong address,
-                      target_ulong val, target_ulong attrs, target_ulong memop)
-{
-    if (env->priv == PRV_M ||
-        (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
-        (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
-            get_field(env->hstatus, HSTATUS_HU))) {
-        int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
-
-        switch (memop) {
-        case MO_SB:
-        case MO_UB:
-            cpu_stb_mmuidx_ra(env, address, val, mmu_idx, GETPC());
-            break;
-        case MO_TESW:
-        case MO_TEUW:
-            cpu_stw_mmuidx_ra(env, address, val, mmu_idx, GETPC());
-            break;
-        case MO_TESL:
-        case MO_TEUL:
-            cpu_stl_mmuidx_ra(env, address, val, mmu_idx, GETPC());
-            break;
-        case MO_TEQ:
-            cpu_stq_mmuidx_ra(env, address, val, mmu_idx, GETPC());
-            break;
-        default:
-            g_assert_not_reached();
-        }
-
-        return;
-    }
-
-    if (riscv_cpu_virt_enabled(env)) {
-        riscv_raise_exception(env, RISCV_EXCP_VIRT_INSTRUCTION_FAULT, GETPC());
-    } else {
-        riscv_raise_exception(env, RISCV_EXCP_ILLEGAL_INST, GETPC());
-    }
-}
-
 target_ulong helper_hyp_x_load(CPURISCVState *env, target_ulong address,
                                target_ulong attrs, target_ulong memop)
 {
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
        to reset this known value.  */
     int frm;
     bool ext_ifencei;
+    bool hlsx;
     /* vector extension */
     bool vill;
     uint8_t lmul;
@@ -XXX,XX +XXX,XX @@ static void riscv_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
     ctx->frm = -1;  /* unknown rounding mode */
     ctx->ext_ifencei = cpu->cfg.ext_ifencei;
     ctx->vlen = cpu->cfg.vlen;
+    ctx->hlsx = FIELD_EX32(tb_flags, TB_FLAGS, HLSX);
     ctx->vill = FIELD_EX32(tb_flags, TB_FLAGS, VILL);
     ctx->sew = FIELD_EX32(tb_flags, TB_FLAGS, SEW);
     ctx->lmul = FIELD_EX32(tb_flags, TB_FLAGS, LMUL);
diff --git a/target/riscv/insn_trans/trans_rvh.c.inc b/target/riscv/insn_trans/trans_rvh.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/insn_trans/trans_rvh.c.inc
+++ b/target/riscv/insn_trans/trans_rvh.c.inc
@@ -XXX,XX +XXX,XX @@
  * this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#ifndef CONFIG_USER_ONLY
+static void check_access(DisasContext *ctx) {
+    if (!ctx->hlsx) {
+        if (ctx->virt_enabled) {
+            generate_exception(ctx, RISCV_EXCP_VIRT_INSTRUCTION_FAULT);
+        } else {
+            generate_exception(ctx, RISCV_EXCP_ILLEGAL_INST);
+        }
+    }
+}
+#endif
+
 static bool trans_hlv_b(DisasContext *ctx, arg_hlv_b *a)
 {
     REQUIRE_EXT(ctx, RVH);
 #ifndef CONFIG_USER_ONLY
     TCGv t0 = tcg_temp_new();
     TCGv t1 = tcg_temp_new();
-    TCGv mem_idx = tcg_temp_new();
-    TCGv memop = tcg_temp_new();
+
+    check_access(ctx);
 
     gen_get_gpr(t0, a->rs1);
-    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
-    tcg_gen_movi_tl(memop, MO_SB);
 
-    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
+    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_SB);
     gen_set_gpr(a->rd, t1);
 
     tcg_temp_free(t0);
     tcg_temp_free(t1);
-    tcg_temp_free(mem_idx);
-    tcg_temp_free(memop);
     return true;
 #else
     return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlv_h(DisasContext *ctx, arg_hlv_h *a)
 #ifndef CONFIG_USER_ONLY
     TCGv t0 = tcg_temp_new();
     TCGv t1 = tcg_temp_new();
-    TCGv mem_idx = tcg_temp_new();
-    TCGv memop = tcg_temp_new();
+
+    check_access(ctx);
 
     gen_get_gpr(t0, a->rs1);
-    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
-    tcg_gen_movi_tl(memop, MO_TESW);
 
-    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
+    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TESW);
     gen_set_gpr(a->rd, t1);
 
     tcg_temp_free(t0);
     tcg_temp_free(t1);
-    tcg_temp_free(mem_idx);
-    tcg_temp_free(memop);
     return true;
 #else
     return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlv_w(DisasContext *ctx, arg_hlv_w *a)
 #ifndef CONFIG_USER_ONLY
     TCGv t0 = tcg_temp_new();
     TCGv t1 = tcg_temp_new();
-    TCGv mem_idx = tcg_temp_new();
-    TCGv memop = tcg_temp_new();
+
+    check_access(ctx);
 
     gen_get_gpr(t0, a->rs1);
-    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
-    tcg_gen_movi_tl(memop, MO_TESL);
 
-    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
+    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TESL);
     gen_set_gpr(a->rd, t1);
 
     tcg_temp_free(t0);
     tcg_temp_free(t1);
-    tcg_temp_free(mem_idx);
-    tcg_temp_free(memop);
     return true;
 #else
     return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlv_bu(DisasContext *ctx, arg_hlv_bu *a)
 #ifndef CONFIG_USER_ONLY
     TCGv t0 = tcg_temp_new();
     TCGv t1 = tcg_temp_new();
-    TCGv mem_idx = tcg_temp_new();
-    TCGv memop = tcg_temp_new();
+
+    check_access(ctx);
 
     gen_get_gpr(t0, a->rs1);
-    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
-    tcg_gen_movi_tl(memop, MO_UB);
 
-    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
+    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_UB);
     gen_set_gpr(a->rd, t1);
 
     tcg_temp_free(t0);
     tcg_temp_free(t1);
-    tcg_temp_free(mem_idx);
-    tcg_temp_free(memop);
     return true;
 #else
     return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlv_hu(DisasContext *ctx, arg_hlv_hu *a)
 #ifndef CONFIG_USER_ONLY
     TCGv t0 = tcg_temp_new();
     TCGv t1 = tcg_temp_new();
-    TCGv mem_idx = tcg_temp_new();
-    TCGv memop = tcg_temp_new();
 
-    gen_get_gpr(t0, a->rs1);
-    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
-    tcg_gen_movi_tl(memop, MO_TEUW);
+    check_access(ctx);
 
-    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
+    gen_get_gpr(t0, a->rs1);
+    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TEUW);
     gen_set_gpr(a->rd, t1);
 
     tcg_temp_free(t0);
     tcg_temp_free(t1);
-    tcg_temp_free(mem_idx);
-    tcg_temp_free(memop);
     return true;
 #else
     return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hsv_b(DisasContext *ctx, arg_hsv_b *a)
 #ifndef CONFIG_USER_ONLY
     TCGv t0 = tcg_temp_new();
     TCGv dat = tcg_temp_new();
-    TCGv mem_idx = tcg_temp_new();
-    TCGv memop = tcg_temp_new();
+
+    check_access(ctx);
 
     gen_get_gpr(t0, a->rs1);
     gen_get_gpr(dat, a->rs2);
-    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
-    tcg_gen_movi_tl(memop, MO_SB);
 
-    gen_helper_hyp_store(cpu_env, t0, dat, mem_idx, memop);
+    tcg_gen_qemu_st_tl(dat, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_SB);
 
     tcg_temp_free(t0);
     tcg_temp_free(dat);
-    tcg_temp_free(mem_idx);
-    tcg_temp_free(memop);
     return true;
 #else
     return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hsv_h(DisasContext *ctx, arg_hsv_h *a)
 #ifndef CONFIG_USER_ONLY
     TCGv t0 = tcg_temp_new();
     TCGv dat = tcg_temp_new();
-    TCGv mem_idx = tcg_temp_new();
-    TCGv memop = tcg_temp_new();
+
+    check_access(ctx);
 
     gen_get_gpr(t0, a->rs1);
     gen_get_gpr(dat, a->rs2);
-    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
-    tcg_gen_movi_tl(memop, MO_TESW);
 
-    gen_helper_hyp_store(cpu_env, t0, dat, mem_idx, memop);
+    tcg_gen_qemu_st_tl(dat, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TESW);
 
     tcg_temp_free(t0);
     tcg_temp_free(dat);
-    tcg_temp_free(mem_idx);
-    tcg_temp_free(memop);
     return true;
 #else
     return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hsv_w(DisasContext *ctx, arg_hsv_w *a)
 #ifndef CONFIG_USER_ONLY
     TCGv t0 = tcg_temp_new();
     TCGv dat = tcg_temp_new();
-    TCGv mem_idx = tcg_temp_new();
-    TCGv memop = tcg_temp_new();
+
+    check_access(ctx);
 
     gen_get_gpr(t0, a->rs1);
     gen_get_gpr(dat, a->rs2);
-    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
-    tcg_gen_movi_tl(memop, MO_TESL);
 
-    gen_helper_hyp_store(cpu_env, t0, dat, mem_idx, memop);
+    tcg_gen_qemu_st_tl(dat, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TESL);
 
     tcg_temp_free(t0);
     tcg_temp_free(dat);
-    tcg_temp_free(mem_idx);
-    tcg_temp_free(memop);
     return true;
 #else
     return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlv_wu(DisasContext *ctx, arg_hlv_wu *a)
 #ifndef CONFIG_USER_ONLY
     TCGv t0 = tcg_temp_new();
     TCGv t1 = tcg_temp_new();
-    TCGv mem_idx = tcg_temp_new();
-    TCGv memop = tcg_temp_new();
+
+    check_access(ctx);
 
     gen_get_gpr(t0, a->rs1);
-    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
-    tcg_gen_movi_tl(memop, MO_TEUL);
 
-    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
+    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TEUL);
     gen_set_gpr(a->rd, t1);
 
     tcg_temp_free(t0);
     tcg_temp_free(t1);
-    tcg_temp_free(mem_idx);
-    tcg_temp_free(memop);
     return true;
 #else
     return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlv_d(DisasContext *ctx, arg_hlv_d *a)
 #ifndef CONFIG_USER_ONLY
     TCGv t0 = tcg_temp_new();
     TCGv t1 = tcg_temp_new();
-    TCGv mem_idx = tcg_temp_new();
-    TCGv memop = tcg_temp_new();
+
+    check_access(ctx);
 
     gen_get_gpr(t0, a->rs1);
-    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
-    tcg_gen_movi_tl(memop, MO_TEQ);
 
-    gen_helper_hyp_load(t1, cpu_env, t0, mem_idx, memop);
+    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TEQ);
     gen_set_gpr(a->rd, t1);
 
     tcg_temp_free(t0);
     tcg_temp_free(t1);
-    tcg_temp_free(mem_idx);
-    tcg_temp_free(memop);
     return true;
 #else
     return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hsv_d(DisasContext *ctx, arg_hsv_d *a)
 #ifndef CONFIG_USER_ONLY
     TCGv t0 = tcg_temp_new();
     TCGv dat = tcg_temp_new();
-    TCGv mem_idx = tcg_temp_new();
-    TCGv memop = tcg_temp_new();
+
+    check_access(ctx);
 
     gen_get_gpr(t0, a->rs1);
     gen_get_gpr(dat, a->rs2);
-    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
-    tcg_gen_movi_tl(memop, MO_TEQ);
 
-    gen_helper_hyp_store(cpu_env, t0, dat, mem_idx, memop);
+    tcg_gen_qemu_st_tl(dat, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, MO_TEQ);
 
     tcg_temp_free(t0);
     tcg_temp_free(dat);
-    tcg_temp_free(mem_idx);
-    tcg_temp_free(memop);
     return true;
 #else
     return false;
-- 
2.29.2

Split the hypervisor execute load functions into two seperate functions.
This avoids us having to pass the memop to the C helper functions.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 5b1550f0faa3c435cc77f3c1ae811dea98ab9e36.1604464950.git.alistair.francis@wdc.com
---
 target/riscv/helper.h                   |  3 ++-
 target/riscv/op_helper.c                | 36 +++++++------------------
 target/riscv/insn_trans/trans_rvh.c.inc | 20 +++++---------
 3 files changed, 17 insertions(+), 42 deletions(-)

diff --git a/target/riscv/helper.h b/target/riscv/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/helper.h
+++ b/target/riscv/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(tlb_flush, void, env)
 #ifndef CONFIG_USER_ONLY
 DEF_HELPER_1(hyp_tlb_flush, void, env)
 DEF_HELPER_1(hyp_gvma_tlb_flush, void, env)
-DEF_HELPER_4(hyp_x_load, tl, env, tl, tl, tl)
+DEF_HELPER_2(hyp_hlvx_hu, tl, env, tl)
+DEF_HELPER_2(hyp_hlvx_wu, tl, env, tl)
 #endif
 
 /* Vector functions */
diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -XXX,XX +XXX,XX @@ void helper_hyp_gvma_tlb_flush(CPURISCVState *env)
     helper_hyp_tlb_flush(env);
 }
 
-target_ulong helper_hyp_x_load(CPURISCVState *env, target_ulong address,
-                               target_ulong attrs, target_ulong memop)
+target_ulong helper_hyp_hlvx_hu(CPURISCVState *env, target_ulong address)
 {
-    if (env->priv == PRV_M ||
-        (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
-        (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
-            get_field(env->hstatus, HSTATUS_HU))) {
-        target_ulong pte;
-        int mmu_idx = cpu_mmu_index(env, false) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
-
-        switch (memop) {
-        case MO_TEUW:
-            pte = cpu_lduw_mmuidx_ra(env, address, mmu_idx, GETPC());
-            break;
-        case MO_TEUL:
-            pte = cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
-            break;
-        default:
-            g_assert_not_reached();
-        }
+    int mmu_idx = cpu_mmu_index(env, true) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
 
-        return pte;
-    }
+    return cpu_lduw_mmuidx_ra(env, address, mmu_idx, GETPC());
+}
 
-    if (riscv_cpu_virt_enabled(env)) {
-        riscv_raise_exception(env, RISCV_EXCP_VIRT_INSTRUCTION_FAULT, GETPC());
-    } else {
-        riscv_raise_exception(env, RISCV_EXCP_ILLEGAL_INST, GETPC());
-    }
-    return 0;
+target_ulong helper_hyp_hlvx_wu(CPURISCVState *env, target_ulong address)
+{
+    int mmu_idx = cpu_mmu_index(env, true) | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
+
+    return cpu_ldl_mmuidx_ra(env, address, mmu_idx, GETPC());
 }
 
 #endif /* !CONFIG_USER_ONLY */
diff --git a/target/riscv/insn_trans/trans_rvh.c.inc b/target/riscv/insn_trans/trans_rvh.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/insn_trans/trans_rvh.c.inc
+++ b/target/riscv/insn_trans/trans_rvh.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_hlvx_hu(DisasContext *ctx, arg_hlvx_hu *a)
 #ifndef CONFIG_USER_ONLY
     TCGv t0 = tcg_temp_new();
     TCGv t1 = tcg_temp_new();
-    TCGv mem_idx = tcg_temp_new();
-    TCGv memop = tcg_temp_new();
+
+    check_access(ctx);
 
     gen_get_gpr(t0, a->rs1);
-    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
-    tcg_gen_movi_tl(memop, MO_TEUW);
 
-    gen_helper_hyp_x_load(t1, cpu_env, t0, mem_idx, memop);
+    gen_helper_hyp_hlvx_hu(t1, cpu_env, t0);
     gen_set_gpr(a->rd, t1);
 
     tcg_temp_free(t0);
     tcg_temp_free(t1);
-    tcg_temp_free(mem_idx);
-    tcg_temp_free(memop);
     return true;
 #else
     return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_hlvx_wu(DisasContext *ctx, arg_hlvx_wu *a)
 #ifndef CONFIG_USER_ONLY
     TCGv t0 = tcg_temp_new();
     TCGv t1 = tcg_temp_new();
-    TCGv mem_idx = tcg_temp_new();
-    TCGv memop = tcg_temp_new();
+
+    check_access(ctx);
 
     gen_get_gpr(t0, a->rs1);
-    tcg_gen_movi_tl(mem_idx, ctx->mem_idx);
-    tcg_gen_movi_tl(memop, MO_TEUL);
 
-    gen_helper_hyp_x_load(t1, cpu_env, t0, mem_idx, memop);
+    gen_helper_hyp_hlvx_wu(t1, cpu_env, t0);
     gen_set_gpr(a->rd, t1);
 
     tcg_temp_free(t0);
     tcg_temp_free(t1);
-    tcg_temp_free(mem_idx);
-    tcg_temp_free(memop);
     return true;
 #else
     return false;
-- 
2.29.2

After claiming the interrupt by reading the claim register we want to
clear the register to make sure the interrupt doesn't appear at the next
read.

This matches the documentation for the claim register as when an interrupt
is claimed by a target the relevant bit of IP is cleared (which we already
do): https://docs.opentitan.org/hw/ip/rv_plic/doc/index.html

This also matches the current hardware.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 68d4575deef2559b7a747f3bda193fcf43af4558.1604629928.git.alistair.francis@wdc.com
---
 hw/intc/ibex_plic.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/intc/ibex_plic.c b/hw/intc/ibex_plic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/ibex_plic.c
+++ b/hw/intc/ibex_plic.c
@@ -XXX,XX +XXX,XX @@ static uint64_t ibex_plic_read(void *opaque, hwaddr addr,
         /* Return the current claimed interrupt */
         ret = s->claim;
 
+        /* Clear the claimed interrupt */
+        s->claim = 0x00000000;
+
         /* Update the interrupt status after the claim */
         ibex_plic_update(s);
     }
-- 
2.29.2

The following changes since commit c95bd5ff1660883d15ad6e0005e4c8571604f51a:

Merge remote-tracking branch 'remotes/philmd/tags/mips-fixes-20210322' into staging (2021-03-22 14:26:13 +0000)

are available in the Git repository at:

git@github.com:alistair23/qemu.git tags/pull-riscv-to-apply-20210322-2

for you to fetch changes up to 9a27f69bd668d9d71674407badc412ce1231c7d5:

target/riscv: Prevent lost illegal instruction exceptions (2021-03-22 21:54:40 -0400)

----------------------------------------------------------------
RISC-V PR for 6.0

This PR includes:
 - Fix for vector CSR access
 - Improvements to the Ibex UART device
 - PMP improvements and bug fixes
 - Hypervisor extension bug fixes
 - ramfb support for the virt machine
 - Fast read support for SST flash
 - Improvements to the microchip_pfsoc machine

----------------------------------------------------------------
Alexander Wagner (1):
      hw/char: disable ibex uart receive if the buffer is full

Asherah Connor (2):
      hw/riscv: Add fw_cfg support to virt
      hw/riscv: allow ramfb on virt

Bin Meng (3):
      hw/block: m25p80: Support fast read for SST flashes
      hw/riscv: microchip_pfsoc: Map EMMC/SD mux register
      docs/system: riscv: Add documentation for 'microchip-icicle-kit' machine

Frank Chang (1):
      target/riscv: fix vs() to return proper error code

Georg Kotheimer (6):
      target/riscv: Adjust privilege level for HLV(X)/HSV instructions
      target/riscv: Make VSTIP and VSEIP read-only in hip
      target/riscv: Use background registers also for MSTATUS_MPV
      target/riscv: Fix read and write accesses to vsip and vsie
      target/riscv: Add proper two-stage lookup exception detection
      target/riscv: Prevent lost illegal instruction exceptions

Jim Shu (3):
      target/riscv: propagate PMP permission to TLB page
      target/riscv: add log of PMP permission checking
      target/riscv: flush TLB pages if PMP permission has been changed

From: Frank Chang <frank.chang@sifive.com>

vs() should return -RISCV_EXCP_ILLEGAL_INST instead of -1 if rvv feature
is not enabled.

If -1 is returned, exception will be raised and cs->exception_index will
be set to the negative return value. The exception will then be treated
as an instruction access fault instead of illegal instruction fault.

Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210223065935.20208-1-frank.chang@sifive.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/csr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -XXX,XX +XXX,XX @@ static int vs(CPURISCVState *env, int csrno)
     if (env->misa & RVV) {
         return 0;
     }
-    return -1;
+    return -RISCV_EXCP_ILLEGAL_INST;
 }
 
 static int ctr(CPURISCVState *env, int csrno)
-- 
2.30.1

From: Alexander Wagner <alexander.wagner@ulal.de>

Not disabling the UART leads to QEMU overwriting the UART receive buffer with
the newest received byte. The rx_level variable is added to allow the use of
the existing OpenTitan driver libraries.

Signed-off-by: Alexander Wagner <alexander.wagner@ulal.de>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210309152130.13038-1-alexander.wagner@ulal.de
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 include/hw/char/ibex_uart.h |  4 ++++
 hw/char/ibex_uart.c         | 23 ++++++++++++++++++-----
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/include/hw/char/ibex_uart.h b/include/hw/char/ibex_uart.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/char/ibex_uart.h
+++ b/include/hw/char/ibex_uart.h
@@ -XXX,XX +XXX,XX @@ REG32(FIFO_CTRL, 0x1c)
     FIELD(FIFO_CTRL, RXILVL, 2, 3)
     FIELD(FIFO_CTRL, TXILVL, 5, 2)
 REG32(FIFO_STATUS, 0x20)
+    FIELD(FIFO_STATUS, TXLVL, 0, 5)
+    FIELD(FIFO_STATUS, RXLVL, 16, 5)
 REG32(OVRD, 0x24)
 REG32(VAL, 0x28)
 REG32(TIMEOUT_CTRL, 0x2c)
@@ -XXX,XX +XXX,XX @@ struct IbexUartState {
     uint8_t tx_fifo[IBEX_UART_TX_FIFO_SIZE];
     uint32_t tx_level;
 
+    uint32_t rx_level;
+
     QEMUTimer *fifo_trigger_handle;
     uint64_t char_tx_time;
 
diff --git a/hw/char/ibex_uart.c b/hw/char/ibex_uart.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/ibex_uart.c
+++ b/hw/char/ibex_uart.c
@@ -XXX,XX +XXX,XX @@ static int ibex_uart_can_receive(void *opaque)
 {
     IbexUartState *s = opaque;
 
-    if (s->uart_ctrl & R_CTRL_RX_ENABLE_MASK) {
+    if ((s->uart_ctrl & R_CTRL_RX_ENABLE_MASK)
+           && !(s->uart_status & R_STATUS_RXFULL_MASK)) {
         return 1;
     }
 
@@ -XXX,XX +XXX,XX @@ static void ibex_uart_receive(void *opaque, const uint8_t *buf, int size)
 
     s->uart_status &= ~R_STATUS_RXIDLE_MASK;
     s->uart_status &= ~R_STATUS_RXEMPTY_MASK;
+    /* The RXFULL is set after receiving a single byte
+     * as the FIFO buffers are not yet implemented.
+     */
+    s->uart_status |= R_STATUS_RXFULL_MASK;
+    s->rx_level += 1;
 
     if (size > rx_fifo_level) {
         s->uart_intr_state |= R_INTR_STATE_RX_WATERMARK_MASK;
@@ -XXX,XX +XXX,XX @@ static void ibex_uart_reset(DeviceState *dev)
     s->uart_timeout_ctrl = 0x00000000;
 
     s->tx_level = 0;
+    s->rx_level = 0;
 
     s->char_tx_time = (NANOSECONDS_PER_SECOND / 230400) * 10;
 
@@ -XXX,XX +XXX,XX @@ static uint64_t ibex_uart_read(void *opaque, hwaddr addr,
 
     case R_RDATA:
         retvalue = s->uart_rdata;
-        if (s->uart_ctrl & R_CTRL_RX_ENABLE_MASK) {
+        if ((s->uart_ctrl & R_CTRL_RX_ENABLE_MASK) && (s->rx_level > 0)) {
             qemu_chr_fe_accept_input(&s->chr);
 
-            s->uart_status |= R_STATUS_RXIDLE_MASK;
-            s->uart_status |= R_STATUS_RXEMPTY_MASK;
+            s->rx_level -= 1;
+            s->uart_status &= ~R_STATUS_RXFULL_MASK;
+            if (s->rx_level == 0) {
+                s->uart_status |= R_STATUS_RXIDLE_MASK;
+                s->uart_status |= R_STATUS_RXEMPTY_MASK;
+            }
         }
         break;
     case R_WDATA:
@@ -XXX,XX +XXX,XX @@ static uint64_t ibex_uart_read(void *opaque, hwaddr addr,
     case R_FIFO_STATUS:
         retvalue = s->uart_fifo_status;
 
-        retvalue |= s->tx_level & 0x1F;
+        retvalue |= (s->rx_level & 0x1F) << R_FIFO_STATUS_RXLVL_SHIFT;
+        retvalue |= (s->tx_level & 0x1F) << R_FIFO_STATUS_TXLVL_SHIFT;
 
         qemu_log_mask(LOG_UNIMP,
                       "%s: RX fifos are not supported\n", __func__);
@@ -XXX,XX +XXX,XX @@ static void ibex_uart_write(void *opaque, hwaddr addr,
         s->uart_fifo_ctrl = value;
 
         if (value & R_FIFO_CTRL_RXRST_MASK) {
+            s->rx_level = 0;
             qemu_log_mask(LOG_UNIMP,
                           "%s: RX fifos are not supported\n", __func__);
         }
-- 
2.30.1

From: Jim Shu <cwshu@andestech.com>

Currently, PMP permission checking of TLB page is bypassed if TLB hits
Fix it by propagating PMP permission to TLB page permission.

PMP permission checking also use MMU-style API to change TLB permission
and size.

Signed-off-by: Jim Shu <cwshu@andestech.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 1613916082-19528-2-git-send-email-cwshu@andestech.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/pmp.h        |  4 +-
 target/riscv/cpu_helper.c | 84 +++++++++++++++++++++++++++++----------
 target/riscv/pmp.c        | 80 +++++++++++++++++++++++++++----------
 3 files changed, 125 insertions(+), 43 deletions(-)

diff --git a/target/riscv/pmp.h b/target/riscv/pmp.h
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/pmp.h
+++ b/target/riscv/pmp.h
@@ -XXX,XX +XXX,XX @@ void pmpaddr_csr_write(CPURISCVState *env, uint32_t addr_index,
     target_ulong val);
 target_ulong pmpaddr_csr_read(CPURISCVState *env, uint32_t addr_index);
 bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr,
-    target_ulong size, pmp_priv_t priv, target_ulong mode);
+    target_ulong size, pmp_priv_t privs, pmp_priv_t *allowed_privs,
+    target_ulong mode);
 bool pmp_is_range_in_tlb(CPURISCVState *env, hwaddr tlb_sa,
                          target_ulong *tlb_size);
 void pmp_update_rule_addr(CPURISCVState *env, uint32_t pmp_index);
 void pmp_update_rule_nums(CPURISCVState *env);
 uint32_t pmp_get_num_rules(CPURISCVState *env);
+int pmp_priv_to_page_prot(pmp_priv_t pmp_priv);
 
 #endif
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -XXX,XX +XXX,XX @@ void riscv_cpu_set_mode(CPURISCVState *env, target_ulong newpriv)
     env->load_res = -1;
 }
 
+/*
+ * get_physical_address_pmp - check PMP permission for this physical address
+ *
+ * Match the PMP region and check permission for this physical address and it's
+ * TLB page. Returns 0 if the permission checking was successful
+ *
+ * @env: CPURISCVState
+ * @prot: The returned protection attributes
+ * @tlb_size: TLB page size containing addr. It could be modified after PMP
+ *            permission checking. NULL if not set TLB page for addr.
+ * @addr: The physical address to be checked permission
+ * @access_type: The type of MMU access
+ * @mode: Indicates current privilege level.
+ */
+static int get_physical_address_pmp(CPURISCVState *env, int *prot,
+                                    target_ulong *tlb_size, hwaddr addr,
+                                    int size, MMUAccessType access_type,
+                                    int mode)
+{
+    pmp_priv_t pmp_priv;
+    target_ulong tlb_size_pmp = 0;
+
+    if (!riscv_feature(env, RISCV_FEATURE_PMP)) {
+        *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
+        return TRANSLATE_SUCCESS;
+    }
+
+    if (!pmp_hart_has_privs(env, addr, size, 1 << access_type, &pmp_priv,
+                            mode)) {
+        *prot = 0;
+        return TRANSLATE_PMP_FAIL;
+    }
+
+    *prot = pmp_priv_to_page_prot(pmp_priv);
+    if (tlb_size != NULL) {
+        if (pmp_is_range_in_tlb(env, addr & ~(*tlb_size - 1), &tlb_size_pmp)) {
+            *tlb_size = tlb_size_pmp;
+        }
+    }
+
+    return TRANSLATE_SUCCESS;
+}
+
 /* get_physical_address - get the physical address for this virtual address
  *
  * Do a page table walk to obtain the physical address corresponding to a
@@ -XXX,XX +XXX,XX @@ restart:
             pte_addr = base + idx * ptesize;
         }
 
-        if (riscv_feature(env, RISCV_FEATURE_PMP) &&
-            !pmp_hart_has_privs(env, pte_addr, sizeof(target_ulong),
-            1 << MMU_DATA_LOAD, PRV_S)) {
+        int pmp_prot;
+        int pmp_ret = get_physical_address_pmp(env, &pmp_prot, NULL, pte_addr,
+                                               sizeof(target_ulong),
+                                               MMU_DATA_LOAD, PRV_S);
+        if (pmp_ret != TRANSLATE_SUCCESS) {
             return TRANSLATE_PMP_FAIL;
         }
 
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
 #ifndef CONFIG_USER_ONLY
     vaddr im_address;
     hwaddr pa = 0;
-    int prot, prot2;
+    int prot, prot2, prot_pmp;
     bool pmp_violation = false;
     bool first_stage_error = true;
     bool two_stage_lookup = false;
     int ret = TRANSLATE_FAIL;
     int mode = mmu_idx;
-    target_ulong tlb_size = 0;
+    /* default TLB page size */
+    target_ulong tlb_size = TARGET_PAGE_SIZE;
 
     env->guest_phys_fault_addr = 0;
 
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
 
             prot &= prot2;
 
-            if (riscv_feature(env, RISCV_FEATURE_PMP) &&
-                (ret == TRANSLATE_SUCCESS) &&
-                !pmp_hart_has_privs(env, pa, size, 1 << access_type, mode)) {
-                ret = TRANSLATE_PMP_FAIL;
+            if (ret == TRANSLATE_SUCCESS) {
+                ret = get_physical_address_pmp(env, &prot_pmp, &tlb_size, pa,
+                                               size, access_type, mode);
+                prot &= prot_pmp;
             }
 
             if (ret != TRANSLATE_SUCCESS) {
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
                       "%s address=%" VADDR_PRIx " ret %d physical "
                       TARGET_FMT_plx " prot %d\n",
                       __func__, address, ret, pa, prot);
-    }
 
-    if (riscv_feature(env, RISCV_FEATURE_PMP) &&
-        (ret == TRANSLATE_SUCCESS) &&
-        !pmp_hart_has_privs(env, pa, size, 1 << access_type, mode)) {
-        ret = TRANSLATE_PMP_FAIL;
+        if (ret == TRANSLATE_SUCCESS) {
+            ret = get_physical_address_pmp(env, &prot_pmp, &tlb_size, pa,
+                                           size, access_type, mode);
+            prot &= prot_pmp;
+        }
     }
+
     if (ret == TRANSLATE_PMP_FAIL) {
         pmp_violation = true;
     }
 
     if (ret == TRANSLATE_SUCCESS) {
-        if (pmp_is_range_in_tlb(env, pa & TARGET_PAGE_MASK, &tlb_size)) {
-            tlb_set_page(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1),
-                         prot, mmu_idx, tlb_size);
-        } else {
-            tlb_set_page(cs, address & TARGET_PAGE_MASK, pa & TARGET_PAGE_MASK,
-                         prot, mmu_idx, TARGET_PAGE_SIZE);
-        }
+        tlb_set_page(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1),
+                     prot, mmu_idx, tlb_size);
         return true;
     } else if (probe) {
         return false;
diff --git a/target/riscv/pmp.c b/target/riscv/pmp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/pmp.c
+++ b/target/riscv/pmp.c
@@ -XXX,XX +XXX,XX @@ static int pmp_is_in_range(CPURISCVState *env, int pmp_index, target_ulong addr)
     return result;
 }
 
+/*
+ * Check if the address has required RWX privs when no PMP entry is matched.
+ */
+static bool pmp_hart_has_privs_default(CPURISCVState *env, target_ulong addr,
+    target_ulong size, pmp_priv_t privs, pmp_priv_t *allowed_privs,
+    target_ulong mode)
+{
+    bool ret;
+
+    if ((!riscv_feature(env, RISCV_FEATURE_PMP)) || (mode == PRV_M)) {
+        /*
+         * Privileged spec v1.10 states if HW doesn't implement any PMP entry
+         * or no PMP entry matches an M-Mode access, the access succeeds.
+         */
+        ret = true;
+        *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
+    } else {
+        /*
+         * Other modes are not allowed to succeed if they don't * match a rule,
+         * but there are rules. We've checked for no rule earlier in this
+         * function.
+         */
+        ret = false;
+        *allowed_privs = 0;
+    }
+
+    return ret;
+}
+
 
 /*
  * Public Interface
@@ -XXX,XX +XXX,XX @@ static int pmp_is_in_range(CPURISCVState *env, int pmp_index, target_ulong addr)
  * Check if the address has required RWX privs to complete desired operation
  */
 bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr,
-    target_ulong size, pmp_priv_t privs, target_ulong mode)
+    target_ulong size, pmp_priv_t privs, pmp_priv_t *allowed_privs,
+    target_ulong mode)
 {
     int i = 0;
     int ret = -1;
     int pmp_size = 0;
     target_ulong s = 0;
     target_ulong e = 0;
-    pmp_priv_t allowed_privs = 0;
 
     /* Short cut if no rules */
     if (0 == pmp_get_num_rules(env)) {
-        return (env->priv == PRV_M) ? true : false;
+        return pmp_hart_has_privs_default(env, addr, size, privs,
+                                          allowed_privs, mode);
     }
 
     if (size == 0) {
@@ -XXX,XX +XXX,XX @@ bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr,
          * check
          */
         if (((s + e) == 2) && (PMP_AMATCH_OFF != a_field)) {
-            allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
+            *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
             if ((mode != PRV_M) || pmp_is_locked(env, i)) {
-                allowed_privs &= env->pmp_state.pmp[i].cfg_reg;
+                *allowed_privs &= env->pmp_state.pmp[i].cfg_reg;
             }
 
-            if ((privs & allowed_privs) == privs) {
-                ret = 1;
-                break;
-            } else {
-                ret = 0;
-                break;
-            }
+            ret = ((privs & *allowed_privs) == privs);
+            break;
         }
     }
 
     /* No rule matched */
     if (ret == -1) {
-        if (mode == PRV_M) {
-            ret = 1; /* Privileged spec v1.10 states if no PMP entry matches an
-                      * M-Mode access, the access succeeds */
-        } else {
-            ret = 0; /* Other modes are not allowed to succeed if they don't
-                      * match a rule, but there are rules.  We've checked for
-                      * no rule earlier in this function. */
-        }
+        return pmp_hart_has_privs_default(env, addr, size, privs,
+                                          allowed_privs, mode);
     }
 
     return ret == 1 ? true : false;
 }
 
-
 /*
  * Handle a write to a pmpcfg CSP
  */
@@ -XXX,XX +XXX,XX @@ bool pmp_is_range_in_tlb(CPURISCVState *env, hwaddr tlb_sa,
 
     return false;
 }
+
+/*
+ * Convert PMP privilege to TLB page privilege.
+ */
+int pmp_priv_to_page_prot(pmp_priv_t pmp_priv)
+{
+    int prot = 0;
+
+    if (pmp_priv & PMP_READ) {
+        prot |= PAGE_READ;
+    }
+    if (pmp_priv & PMP_WRITE) {
+        prot |= PAGE_WRITE;
+    }
+    if (pmp_priv & PMP_EXEC) {
+        prot |= PAGE_EXEC;
+    }
+
+    return prot;
+}
-- 
2.30.1

From: Jim Shu <cwshu@andestech.com>

Like MMU translation, add qemu log of PMP permission checking for
debugging.

Signed-off-by: Jim Shu <cwshu@andestech.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 1613916082-19528-3-git-send-email-cwshu@andestech.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/cpu_helper.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
             if (ret == TRANSLATE_SUCCESS) {
                 ret = get_physical_address_pmp(env, &prot_pmp, &tlb_size, pa,
                                                size, access_type, mode);
+
+                qemu_log_mask(CPU_LOG_MMU,
+                              "%s PMP address=" TARGET_FMT_plx " ret %d prot"
+                              " %d tlb_size " TARGET_FMT_lu "\n",
+                              __func__, pa, ret, prot_pmp, tlb_size);
+
                 prot &= prot_pmp;
             }
 
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
         if (ret == TRANSLATE_SUCCESS) {
             ret = get_physical_address_pmp(env, &prot_pmp, &tlb_size, pa,
                                            size, access_type, mode);
+
+            qemu_log_mask(CPU_LOG_MMU,
+                          "%s PMP address=" TARGET_FMT_plx " ret %d prot"
+                          " %d tlb_size " TARGET_FMT_lu "\n",
+                          __func__, pa, ret, prot_pmp, tlb_size);
+
             prot &= prot_pmp;
         }
     }
-- 
2.30.1

From: Jim Shu <cwshu@andestech.com>

If PMP permission of any address has been changed by updating PMP entry,
flush all TLB pages to prevent from getting old permission.

Signed-off-by: Jim Shu <cwshu@andestech.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 1613916082-19528-4-git-send-email-cwshu@andestech.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/pmp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/riscv/pmp.c b/target/riscv/pmp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/pmp.c
+++ b/target/riscv/pmp.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "cpu.h"
 #include "trace.h"
+#include "exec/exec-all.h"
 
 static void pmp_write_cfg(CPURISCVState *env, uint32_t addr_index,
     uint8_t val);
@@ -XXX,XX +XXX,XX @@ void pmpcfg_csr_write(CPURISCVState *env, uint32_t reg_index,
         cfg_val = (val >> 8 * i)  & 0xff;
         pmp_write_cfg(env, (reg_index * 4) + i, cfg_val);
     }
+
+    /* If PMP permission of any addr has been changed, flush TLB pages. */
+    tlb_flush(env_cpu(env));
 }
 
 
-- 
2.30.1

From: Georg Kotheimer <georg.kotheimer@kernkonzept.com>

According to the specification the "field SPVP of hstatus controls the
privilege level of the access" for the hypervisor virtual-machine load
and store instructions HLV, HLVX and HSV.

Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210311103005.1400718-1-georg.kotheimer@kernkonzept.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/cpu_helper.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -XXX,XX +XXX,XX @@ static int get_physical_address(CPURISCVState *env, hwaddr *physical,
         use_background = true;
     }
 
-    if (mode == PRV_M && access_type != MMU_INST_FETCH) {
+    /* MPRV does not affect the virtual-machine load/store
+       instructions, HLV, HLVX, and HSV. */
+    if (riscv_cpu_two_stage_lookup(mmu_idx)) {
+        mode = get_field(env->hstatus, HSTATUS_SPVP);
+    } else if (mode == PRV_M && access_type != MMU_INST_FETCH) {
         if (get_field(env->mstatus, MSTATUS_MPRV)) {
             mode = get_field(env->mstatus, MSTATUS_MPP);
         }
@@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
     qemu_log_mask(CPU_LOG_MMU, "%s ad %" VADDR_PRIx " rw %d mmu_idx %d\n",
                   __func__, address, access_type, mmu_idx);
 
-    if (mode == PRV_M && access_type != MMU_INST_FETCH) {
-        if (get_field(env->mstatus, MSTATUS_MPRV)) {
-            mode = get_field(env->mstatus, MSTATUS_MPP);
+    /* MPRV does not affect the virtual-machine load/store
+       instructions, HLV, HLVX, and HSV. */
+    if (riscv_cpu_two_stage_lookup(mmu_idx)) {
+        mode = get_field(env->hstatus, HSTATUS_SPVP);
+    } else if (mode == PRV_M && access_type != MMU_INST_FETCH &&
+               get_field(env->mstatus, MSTATUS_MPRV)) {
+        mode = get_field(env->mstatus, MSTATUS_MPP);
+        if (riscv_has_ext(env, RVH) && get_field(env->mstatus, MSTATUS_MPV)) {
+            two_stage_lookup = true;
         }
     }
 
-    if (riscv_has_ext(env, RVH) && env->priv == PRV_M &&
-        access_type != MMU_INST_FETCH &&
-        get_field(env->mstatus, MSTATUS_MPRV) &&
-        get_field(env->mstatus, MSTATUS_MPV)) {
-        two_stage_lookup = true;
-    }
-
     if (riscv_cpu_virt_enabled(env) ||
         ((riscv_cpu_two_stage_lookup(mmu_idx) || two_stage_lookup) &&
          access_type != MMU_INST_FETCH)) {
-- 
2.30.1

From: Georg Kotheimer <georg.kotheimer@kernkonzept.com>

Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210311094902.1377593-1-georg.kotheimer@kernkonzept.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/csr.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -XXX,XX +XXX,XX @@ static const target_ulong sstatus_v1_10_mask = SSTATUS_SIE | SSTATUS_SPIE |
     SSTATUS_UIE | SSTATUS_UPIE | SSTATUS_SPP | SSTATUS_FS | SSTATUS_XS |
     SSTATUS_SUM | SSTATUS_MXR | SSTATUS_SD;
 static const target_ulong sip_writable_mask = SIP_SSIP | MIP_USIP | MIP_UEIP;
-static const target_ulong hip_writable_mask = MIP_VSSIP | MIP_VSTIP | MIP_VSEIP;
+static const target_ulong hip_writable_mask = MIP_VSSIP;
+static const target_ulong hvip_writable_mask = MIP_VSSIP | MIP_VSTIP | MIP_VSEIP;
 static const target_ulong vsip_writable_mask = MIP_VSSIP;
 
 static const char valid_vm_1_10_32[16] = {
@@ -XXX,XX +XXX,XX @@ static int rmw_hvip(CPURISCVState *env, int csrno, target_ulong *ret_value,
                    target_ulong new_value, target_ulong write_mask)
 {
     int ret = rmw_mip(env, 0, ret_value, new_value,
-                      write_mask & hip_writable_mask);
+                      write_mask & hvip_writable_mask);
 
-    *ret_value &= hip_writable_mask;
+    *ret_value &= hvip_writable_mask;
 
     return ret;
 }
-- 
2.30.1

From: Georg Kotheimer <georg.kotheimer@kernkonzept.com>

The current condition for the use of background registers only
considers the hypervisor load and store instructions,
but not accesses from M mode via MSTATUS_MPRV+MPV.

Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210311103036.1401073-1-georg.kotheimer@kernkonzept.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/cpu_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

From: Asherah Connor <ashe@kivikakk.ee>

Provides fw_cfg for the virt machine on riscv.  This enables
using e.g.  ramfb later.

Signed-off-by: Asherah Connor <ashe@kivikakk.ee>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210318235041.17175-2-ashe@kivikakk.ee
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 include/hw/riscv/virt.h |  2 ++
 hw/riscv/virt.c         | 30 ++++++++++++++++++++++++++++++
 hw/riscv/Kconfig        |  1 +
 3 files changed, 33 insertions(+)

diff --git a/include/hw/riscv/virt.h b/include/hw/riscv/virt.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/riscv/virt.h
+++ b/include/hw/riscv/virt.h
@@ -XXX,XX +XXX,XX @@ struct RISCVVirtState {
     RISCVHartArrayState soc[VIRT_SOCKETS_MAX];
     DeviceState *plic[VIRT_SOCKETS_MAX];
     PFlashCFI01 *flash[2];
+    FWCfgState *fw_cfg;
 
     int fdt_size;
 };
@@ -XXX,XX +XXX,XX @@ enum {
     VIRT_PLIC,
     VIRT_UART0,
     VIRT_VIRTIO,
+    VIRT_FW_CFG,
     VIRT_FLASH,
     VIRT_DRAM,
     VIRT_PCIE_MMIO,
diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/riscv/virt.c
+++ b/hw/riscv/virt.c
@@ -XXX,XX +XXX,XX @@ static const MemMapEntry virt_memmap[] = {
     [VIRT_PLIC] =        {  0xc000000, VIRT_PLIC_SIZE(VIRT_CPUS_MAX * 2) },
     [VIRT_UART0] =       { 0x10000000,         0x100 },
     [VIRT_VIRTIO] =      { 0x10001000,        0x1000 },
+    [VIRT_FW_CFG] =      { 0x10100000,          0x18 },
     [VIRT_FLASH] =       { 0x20000000,     0x4000000 },
     [VIRT_PCIE_ECAM] =   { 0x30000000,    0x10000000 },
     [VIRT_PCIE_MMIO] =   { 0x40000000,    0x40000000 },
@@ -XXX,XX +XXX,XX @@ static inline DeviceState *gpex_pcie_init(MemoryRegion *sys_mem,
     return dev;
 }
 
+static FWCfgState *create_fw_cfg(const MachineState *mc)
+{
+    hwaddr base = virt_memmap[VIRT_FW_CFG].base;
+    hwaddr size = virt_memmap[VIRT_FW_CFG].size;
+    FWCfgState *fw_cfg;
+    char *nodename;
+
+    fw_cfg = fw_cfg_init_mem_wide(base + 8, base, 8, base + 16,
+                                  &address_space_memory);
+    fw_cfg_add_i16(fw_cfg, FW_CFG_NB_CPUS, (uint16_t)mc->smp.cpus);
+
+    nodename = g_strdup_printf("/fw-cfg@%" PRIx64, base);
+    qemu_fdt_add_subnode(mc->fdt, nodename);
+    qemu_fdt_setprop_string(mc->fdt, nodename,
+                            "compatible", "qemu,fw-cfg-mmio");
+    qemu_fdt_setprop_sized_cells(mc->fdt, nodename, "reg",
+                                 2, base, 2, size);
+    qemu_fdt_setprop(mc->fdt, nodename, "dma-coherent", NULL, 0);
+    g_free(nodename);
+    return fw_cfg;
+}
+
 static void virt_machine_init(MachineState *machine)
 {
     const MemMapEntry *memmap = virt_memmap;
@@ -XXX,XX +XXX,XX @@ static void virt_machine_init(MachineState *machine)
         start_addr = virt_memmap[VIRT_FLASH].base;
     }
 
+    /*
+     * Init fw_cfg.  Must be done before riscv_load_fdt, otherwise the device
+     * tree cannot be altered and we get FDT_ERR_NOSPACE.
+     */
+    s->fw_cfg = create_fw_cfg(machine);
+    rom_set_fw(s->fw_cfg);
+
     /* Compute the fdt load address in dram */
     fdt_load_addr = riscv_load_fdt(memmap[VIRT_DRAM].base,
                                    machine->ram_size, machine->fdt);
diff --git a/hw/riscv/Kconfig b/hw/riscv/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/riscv/Kconfig
+++ b/hw/riscv/Kconfig
@@ -XXX,XX +XXX,XX @@ config RISCV_VIRT
     select SIFIVE_PLIC
     select SIFIVE_TEST
     select VIRTIO_MMIO
+    select FW_CFG_DMA
 
 config SIFIVE_E
     bool
-- 
2.30.1

From: Asherah Connor <ashe@kivikakk.ee>

Allow ramfb on virt.  This lets `-device ramfb' work.

Signed-off-by: Asherah Connor <ashe@kivikakk.ee>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210318235041.17175-3-ashe@kivikakk.ee
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 hw/riscv/virt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/riscv/virt.c
+++ b/hw/riscv/virt.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/sysemu.h"
 #include "hw/pci/pci.h"
 #include "hw/pci-host/gpex.h"
+#include "hw/display/ramfb.h"
 
 static const MemMapEntry virt_memmap[] = {
     [VIRT_DEBUG] =       {        0x0,         0x100 },
@@ -XXX,XX +XXX,XX @@ static void virt_machine_class_init(ObjectClass *oc, void *data)
     mc->cpu_index_to_instance_props = riscv_numa_cpu_index_to_props;
     mc->get_default_cpu_node_id = riscv_numa_get_default_cpu_node_id;
     mc->numa_mem_supported = true;
+
+    machine_class_allow_dynamic_sysbus_dev(mc, TYPE_RAMFB_DEVICE);
 }
 
 static const TypeInfo virt_machine_typeinfo = {
-- 
2.30.1

From: Georg Kotheimer <georg.kotheimer@kernkonzept.com>

The previous implementation was broken in many ways:
 - Used mideleg instead of hideleg to mask accesses
 - Used MIP_VSSIP instead of VS_MODE_INTERRUPTS to mask writes to vsie
 - Did not shift between S bits and VS bits (VSEIP <-> SEIP, ...)

Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210311094738.1376795-1-georg.kotheimer@kernkonzept.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/csr.c | 68 +++++++++++++++++++++++-----------------------
 1 file changed, 34 insertions(+), 34 deletions(-)

diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -XXX,XX +XXX,XX @@ static int write_sstatus(CPURISCVState *env, int csrno, target_ulong val)
     return write_mstatus(env, CSR_MSTATUS, newval);
 }
 
+static int read_vsie(CPURISCVState *env, int csrno, target_ulong *val)
+{
+    /* Shift the VS bits to their S bit location in vsie */
+    *val = (env->mie & env->hideleg & VS_MODE_INTERRUPTS) >> 1;
+    return 0;
+}
+
 static int read_sie(CPURISCVState *env, int csrno, target_ulong *val)
 {
     if (riscv_cpu_virt_enabled(env)) {
-        /* Tell the guest the VS bits, shifted to the S bit locations */
-        *val = (env->mie & env->mideleg & VS_MODE_INTERRUPTS) >> 1;
+        read_vsie(env, CSR_VSIE, val);
     } else {
         *val = env->mie & env->mideleg;
     }
     return 0;
 }
 
-static int write_sie(CPURISCVState *env, int csrno, target_ulong val)
+static int write_vsie(CPURISCVState *env, int csrno, target_ulong val)
 {
-    target_ulong newval;
+    /* Shift the S bits to their VS bit location in mie */
+    target_ulong newval = (env->mie & ~VS_MODE_INTERRUPTS) |
+                          ((val << 1) & env->hideleg & VS_MODE_INTERRUPTS);
+    return write_mie(env, CSR_MIE, newval);
+}
 
+static int write_sie(CPURISCVState *env, int csrno, target_ulong val)
+{
     if (riscv_cpu_virt_enabled(env)) {
-        /* Shift the guests S bits to VS */
-        newval = (env->mie & ~VS_MODE_INTERRUPTS) |
-                 ((val << 1) & VS_MODE_INTERRUPTS);
+        write_vsie(env, CSR_VSIE, val);
     } else {
-        newval = (env->mie & ~S_MODE_INTERRUPTS) | (val & S_MODE_INTERRUPTS);
+        target_ulong newval = (env->mie & ~S_MODE_INTERRUPTS) |
+                              (val & S_MODE_INTERRUPTS);
+        write_mie(env, CSR_MIE, newval);
     }
 
-    return write_mie(env, CSR_MIE, newval);
+    return 0;
 }
 
 static int read_stvec(CPURISCVState *env, int csrno, target_ulong *val)
@@ -XXX,XX +XXX,XX @@ static int write_sbadaddr(CPURISCVState *env, int csrno, target_ulong val)
     return 0;
 }
 
+static int rmw_vsip(CPURISCVState *env, int csrno, target_ulong *ret_value,
+                    target_ulong new_value, target_ulong write_mask)
+{
+    /* Shift the S bits to their VS bit location in mip */
+    int ret = rmw_mip(env, 0, ret_value, new_value << 1,
+                      (write_mask << 1) & vsip_writable_mask & env->hideleg);
+    *ret_value &= VS_MODE_INTERRUPTS;
+    /* Shift the VS bits to their S bit location in vsip */
+    *ret_value >>= 1;
+    return ret;
+}
+
 static int rmw_sip(CPURISCVState *env, int csrno, target_ulong *ret_value,
                    target_ulong new_value, target_ulong write_mask)
 {
     int ret;
 
     if (riscv_cpu_virt_enabled(env)) {
-        /* Shift the new values to line up with the VS bits */
-        ret = rmw_mip(env, CSR_MSTATUS, ret_value, new_value << 1,
-                      (write_mask & sip_writable_mask) << 1 & env->mideleg);
-        ret &= vsip_writable_mask;
-        ret >>= 1;
+        ret = rmw_vsip(env, CSR_VSIP, ret_value, new_value, write_mask);
     } else {
         ret = rmw_mip(env, CSR_MSTATUS, ret_value, new_value,
                       write_mask & env->mideleg & sip_writable_mask);
@@ -XXX,XX +XXX,XX @@ static int write_vsstatus(CPURISCVState *env, int csrno, target_ulong val)
     return 0;
 }
 
-static int rmw_vsip(CPURISCVState *env, int csrno, target_ulong *ret_value,
-                    target_ulong new_value, target_ulong write_mask)
-{
-    int ret = rmw_mip(env, 0, ret_value, new_value,
-                      write_mask & env->mideleg & vsip_writable_mask);
-    return ret;
-}
-
-static int read_vsie(CPURISCVState *env, int csrno, target_ulong *val)
-{
-    *val = env->mie & env->mideleg & VS_MODE_INTERRUPTS;
-    return 0;
-}
-
-static int write_vsie(CPURISCVState *env, int csrno, target_ulong val)
-{
-    target_ulong newval = (env->mie & ~env->mideleg) | (val & env->mideleg & MIP_VSSIP);
-    return write_mie(env, CSR_MIE, newval);
-}
-
 static int read_vstvec(CPURISCVState *env, int csrno, target_ulong *val)
 {
     *val = env->vstvec;
-- 
2.30.1

From: Georg Kotheimer <georg.kotheimer@kernkonzept.com>

The current two-stage lookup detection in riscv_cpu_do_interrupt falls
short of its purpose, as all it checks is whether two-stage address
translation either via the hypervisor-load store instructions or the
MPRV feature would be allowed.

What we really need instead is whether two-stage address translation was
active when the exception was raised. However, in riscv_cpu_do_interrupt
we do not have the information to reliably detect this. Therefore, when
we raise a memory fault exception we have to record whether two-stage
address translation is active.

Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210319141459.1196741-1-georg.kotheimer@kernkonzept.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/cpu.h        |  4 ++++
 target/riscv/cpu.c        |  1 +
 target/riscv/cpu_helper.c | 21 ++++++++-------------
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -XXX,XX +XXX,XX @@ struct CPURISCVState {
     target_ulong satp_hs;
     uint64_t mstatus_hs;
 
+    /* Signals whether the current exception occurred with two-stage address
+       translation active. */
+    bool two_stage_lookup;
+
     target_ulong scounteren;
     target_ulong mcounteren;
 
diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -XXX,XX +XXX,XX @@ static void riscv_cpu_reset(DeviceState *dev)
     env->mstatus &= ~(MSTATUS_MIE | MSTATUS_MPRV);
     env->mcause = 0;
     env->pc = env->resetvec;
+    env->two_stage_lookup = false;
 #endif
     cs->exception_index = EXCP_NONE;
     env->load_res = -1;
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -XXX,XX +XXX,XX @@ static void raise_mmu_exception(CPURISCVState *env, target_ulong address,
         g_assert_not_reached();
     }
     env->badaddr = address;
+    env->two_stage_lookup = two_stage;
 }
 
 hwaddr riscv_cpu_get_phys_page_debug(CPUState *cs, vaddr addr)
@@ -XXX,XX +XXX,XX @@ void riscv_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
     }
 
     env->badaddr = addr;
+    env->two_stage_lookup = riscv_cpu_virt_enabled(env) ||
+                            riscv_cpu_two_stage_lookup(mmu_idx);
     riscv_raise_exception(&cpu->env, cs->exception_index, retaddr);
 }
 
@@ -XXX,XX +XXX,XX @@ void riscv_cpu_do_unaligned_access(CPUState *cs, vaddr addr,
         g_assert_not_reached();
     }
     env->badaddr = addr;
+    env->two_stage_lookup = riscv_cpu_virt_enabled(env) ||
+                            riscv_cpu_two_stage_lookup(mmu_idx);
     riscv_raise_exception(env, cs->exception_index, retaddr);
 }
 #endif /* !CONFIG_USER_ONLY */
@@ -XXX,XX +XXX,XX @@ void riscv_cpu_do_interrupt(CPUState *cs)
         /* handle the trap in S-mode */
         if (riscv_has_ext(env, RVH)) {
             target_ulong hdeleg = async ? env->hideleg : env->hedeleg;
-            bool two_stage_lookup = false;
 
-            if (env->priv == PRV_M ||
-                (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
-                (env->priv == PRV_U && !riscv_cpu_virt_enabled(env) &&
-                    get_field(env->hstatus, HSTATUS_HU))) {
-                    two_stage_lookup = true;
-            }
-
-            if ((riscv_cpu_virt_enabled(env) || two_stage_lookup) && write_tval) {
+            if (env->two_stage_lookup && write_tval) {
                 /*
                  * If we are writing a guest virtual address to stval, set
                  * this to 1. If we are trapping to VS we will set this to 0
@@ -XXX,XX +XXX,XX @@ void riscv_cpu_do_interrupt(CPUState *cs)
                 riscv_cpu_set_force_hs_excep(env, 0);
             } else {
                 /* Trap into HS mode */
-                if (!two_stage_lookup) {
-                    env->hstatus = set_field(env->hstatus, HSTATUS_SPV,
-                                             riscv_cpu_virt_enabled(env));
-                }
+                env->hstatus = set_field(env->hstatus, HSTATUS_SPV, false);
                 htval = env->guest_phys_fault_addr;
             }
         }
@@ -XXX,XX +XXX,XX @@ void riscv_cpu_do_interrupt(CPUState *cs)
      * RISC-V ISA Specification.
      */
 
+    env->two_stage_lookup = false;
 #endif
     cs->exception_index = EXCP_NONE; /* mark handled to qemu */
 }
-- 
2.30.1

From: Bin Meng <bin.meng@windriver.com>

Per SST25VF016B datasheet [1], SST flash requires a dummy byte after
the address bytes. Note only SPI mode is supported by SST flashes.

[1] http://ww1.microchip.com/downloads/en/devicedoc/s71271_04.pdf

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210306060152.7250-1-bmeng.cn@gmail.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 hw/block/m25p80.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/block/m25p80.c
+++ b/hw/block/m25p80.c
@@ -XXX,XX +XXX,XX @@ static void decode_fast_read_cmd(Flash *s)
     s->needed_bytes = get_addr_length(s);
     switch (get_man(s)) {
     /* Dummy cycles - modeled with bytes writes instead of bits */
+    case MAN_SST:
+        s->needed_bytes += 1;
+        break;
     case MAN_WINBOND:
         s->needed_bytes += 8;
         break;
-- 
2.30.1

From: Bin Meng <bin.meng@windriver.com>

Since HSS commit c20a89f8dcac, the Icicle Kit reference design has
been updated to use a register mapped at 0x4f000000 instead of a
GPIO to control whether eMMC or SD card is to be used. With this
support the same HSS image can be used for both eMMC and SD card
boot flow, while previously two different board configurations were
used. This is undocumented but one can take a look at the HSS code
HSS_MMCInit() in services/mmc/mmc_api.c.

With this commit, HSS image built from 2020.12 release boots again.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210322075248.136255-1-bmeng.cn@gmail.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 include/hw/riscv/microchip_pfsoc.h | 1 +
 hw/riscv/microchip_pfsoc.c         | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/include/hw/riscv/microchip_pfsoc.h b/include/hw/riscv/microchip_pfsoc.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/riscv/microchip_pfsoc.h
+++ b/include/hw/riscv/microchip_pfsoc.h
@@ -XXX,XX +XXX,XX @@ enum {
     MICROCHIP_PFSOC_ENVM_DATA,
     MICROCHIP_PFSOC_QSPI_XIP,
     MICROCHIP_PFSOC_IOSCB,
+    MICROCHIP_PFSOC_EMMC_SD_MUX,
     MICROCHIP_PFSOC_DRAM_LO,
     MICROCHIP_PFSOC_DRAM_LO_ALIAS,
     MICROCHIP_PFSOC_DRAM_HI,
diff --git a/hw/riscv/microchip_pfsoc.c b/hw/riscv/microchip_pfsoc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/riscv/microchip_pfsoc.c
+++ b/hw/riscv/microchip_pfsoc.c
@@ -XXX,XX +XXX,XX @@ static const MemMapEntry microchip_pfsoc_memmap[] = {
     [MICROCHIP_PFSOC_ENVM_DATA] =       { 0x20220000,    0x20000 },
     [MICROCHIP_PFSOC_QSPI_XIP] =        { 0x21000000,  0x1000000 },
     [MICROCHIP_PFSOC_IOSCB] =           { 0x30000000, 0x10000000 },
+    [MICROCHIP_PFSOC_EMMC_SD_MUX] =     { 0x4f000000,        0x4 },
     [MICROCHIP_PFSOC_DRAM_LO] =         { 0x80000000, 0x40000000 },
     [MICROCHIP_PFSOC_DRAM_LO_ALIAS] =   { 0xc0000000, 0x40000000 },
     [MICROCHIP_PFSOC_DRAM_HI] =       { 0x1000000000,        0x0 },
@@ -XXX,XX +XXX,XX @@ static void microchip_pfsoc_soc_realize(DeviceState *dev, Error **errp)
     sysbus_mmio_map(SYS_BUS_DEVICE(&s->ioscb), 0,
                     memmap[MICROCHIP_PFSOC_IOSCB].base);
 
+    /* eMMC/SD mux */
+    create_unimplemented_device("microchip.pfsoc.emmc_sd_mux",
+        memmap[MICROCHIP_PFSOC_EMMC_SD_MUX].base,
+        memmap[MICROCHIP_PFSOC_EMMC_SD_MUX].size);
+
     /* QSPI Flash */
     memory_region_init_rom(qspi_xip_mem, OBJECT(dev),
                            "microchip.pfsoc.qspi_xip",
-- 
2.30.1

From: Bin Meng <bin.meng@windriver.com>

This adds the documentation to describe what is supported for the
'microchip-icicle-kit' machine, and how to boot the machine in QEMU.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210322075248.136255-2-bmeng.cn@gmail.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 docs/system/riscv/microchip-icicle-kit.rst | 89 ++++++++++++++++++++++
 docs/system/target-riscv.rst               |  1 +
 2 files changed, 90 insertions(+)
 create mode 100644 docs/system/riscv/microchip-icicle-kit.rst

diff --git a/docs/system/riscv/microchip-icicle-kit.rst b/docs/system/riscv/microchip-icicle-kit.rst
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/docs/system/riscv/microchip-icicle-kit.rst
@@ -XXX,XX +XXX,XX @@
+Microchip PolarFire SoC Icicle Kit (``microchip-icicle-kit``)
+=============================================================
+
+Microchip PolarFire SoC Icicle Kit integrates a PolarFire SoC, with one
+SiFive's E51 plus four U54 cores and many on-chip peripherals and an FPGA.
+
+For more details about Microchip PolarFire SoC, please see:
+https://www.microsemi.com/product-directory/soc-fpgas/5498-polarfire-soc-fpga
+
+The Icicle Kit board information can be found here:
+https://www.microsemi.com/existing-parts/parts/152514
+
+Supported devices
+-----------------
+
+The ``microchip-icicle-kit`` machine supports the following devices:
+
+ * 1 E51 core
+ * 4 U54 cores
+ * Core Level Interruptor (CLINT)
+ * Platform-Level Interrupt Controller (PLIC)
+ * L2 Loosely Integrated Memory (L2-LIM)
+ * DDR memory controller
+ * 5 MMUARTs
+ * 1 DMA controller
+ * 2 GEM Ethernet controllers
+ * 1 SDHC storage controller
+
+Boot options
+------------
+
+The ``microchip-icicle-kit`` machine can start using the standard -bios
+functionality for loading its BIOS image, aka Hart Software Services (HSS_).
+HSS loads the second stage bootloader U-Boot from an SD card. It does not
+support direct kernel loading via the -kernel option. One has to load kernel
+from U-Boot.
+
+The memory is set to 1537 MiB by default which is the minimum required high
+memory size by HSS. A sanity check on ram size is performed in the machine
+init routine to prompt user to increase the RAM size to > 1537 MiB when less
+than 1537 MiB ram is detected.
+
+Boot the machine
+----------------
+
+HSS 2020.12 release is tested at the time of writing. To build an HSS image
+that can be booted by the ``microchip-icicle-kit`` machine, type the following
+in the HSS source tree:
+
+.. code-block:: bash
+
+  $ export CROSS_COMPILE=riscv64-linux-
+  $ cp boards/mpfs-icicle-kit-es/def_config .config
+  $ make BOARD=mpfs-icicle-kit-es
+
+Download the official SD card image released by Microchip and prepare it for
+QEMU usage:
+
+.. code-block:: bash
+
+  $ wget ftp://ftpsoc.microsemi.com/outgoing/core-image-minimal-dev-icicle-kit-es-sd-20201009141623.rootfs.wic.gz
+  $ gunzip core-image-minimal-dev-icicle-kit-es-sd-20201009141623.rootfs.wic.gz
+  $ qemu-img resize core-image-minimal-dev-icicle-kit-es-sd-20201009141623.rootfs.wic 4G
+
+Then we can boot the machine by:
+
+.. code-block:: bash
+
+  $ qemu-system-riscv64 -M microchip-icicle-kit -smp 5 \
+      -bios path/to/hss.bin -sd path/to/sdcard.img \
+      -nic user,model=cadence_gem \
+      -nic tap,ifname=tap,model=cadence_gem,script=no \
+      -display none -serial stdio \
+      -chardev socket,id=serial1,path=serial1.sock,server=on,wait=on \
+      -serial chardev:serial1
+
+With above command line, current terminal session will be used for the first
+serial port. Open another terminal window, and use `minicom` to connect the
+second serial port.
+
+.. code-block:: bash
+
+  $ minicom -D unix\#serial1.sock
+
+HSS output is on the first serial port (stdio) and U-Boot outputs on the
+second serial port. U-Boot will automatically load the Linux kernel from
+the SD card image.
+
+.. _HSS: https://github.com/polarfire-soc/hart-software-services
diff --git a/docs/system/target-riscv.rst b/docs/system/target-riscv.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/target-riscv.rst
+++ b/docs/system/target-riscv.rst
@@ -XXX,XX +XXX,XX @@ undocumented; you can get a complete list by running
 .. toctree::
    :maxdepth: 1
 
+   riscv/microchip-icicle-kit
    riscv/sifive_u
 
 RISC-V CPU features
-- 
2.30.1

From: Georg Kotheimer <georg.kotheimer@kernkonzept.com>

When decode_insn16() fails, we fall back to decode_RV32_64C() for
further compressed instruction decoding. However, prior to this change,
we did not raise an illegal instruction exception, if decode_RV32_64C()
fails to decode the instruction. This means that we skipped illegal
compressed instructions instead of raising an illegal instruction
exception.

Instead of patching decode_RV32_64C(), we can just remove it,
as it is dead code since f330433b363 anyway.

Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210322121609.3097928-1-georg.kotheimer@kernkonzept.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/translate.c | 179 +--------------------------------------
 1 file changed, 1 insertion(+), 178 deletions(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     CPUState *cs;
 } DisasContext;
 
-#ifdef TARGET_RISCV64
-/* convert riscv funct3 to qemu memop for load/store */
-static const int tcg_memop_lookup[8] = {
-    [0 ... 7] = -1,
-    [0] = MO_SB,
-    [1] = MO_TESW,
-    [2] = MO_TESL,
-    [3] = MO_TEQ,
-    [4] = MO_UB,
-    [5] = MO_TEUW,
-    [6] = MO_TEUL,
-};
-#endif
-
 #ifdef TARGET_RISCV64
 #define CASE_OP_32_64(X) case X: case glue(X, W)
 #else
@@ -XXX,XX +XXX,XX @@ static void gen_jal(DisasContext *ctx, int rd, target_ulong imm)
     ctx->base.is_jmp = DISAS_NORETURN;
 }
 
-#ifdef TARGET_RISCV64
-static void gen_load_c(DisasContext *ctx, uint32_t opc, int rd, int rs1,
-        target_long imm)
-{
-    TCGv t0 = tcg_temp_new();
-    TCGv t1 = tcg_temp_new();
-    gen_get_gpr(t0, rs1);
-    tcg_gen_addi_tl(t0, t0, imm);
-    int memop = tcg_memop_lookup[(opc >> 12) & 0x7];
-
-    if (memop < 0) {
-        gen_exception_illegal(ctx);
-        return;
-    }
-
-    tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, memop);
-    gen_set_gpr(rd, t1);
-    tcg_temp_free(t0);
-    tcg_temp_free(t1);
-}
-
-static void gen_store_c(DisasContext *ctx, uint32_t opc, int rs1, int rs2,
-        target_long imm)
-{
-    TCGv t0 = tcg_temp_new();
-    TCGv dat = tcg_temp_new();
-    gen_get_gpr(t0, rs1);
-    tcg_gen_addi_tl(t0, t0, imm);
-    gen_get_gpr(dat, rs2);
-    int memop = tcg_memop_lookup[(opc >> 12) & 0x7];
-
-    if (memop < 0) {
-        gen_exception_illegal(ctx);
-        return;
-    }
-
-    tcg_gen_qemu_st_tl(dat, t0, ctx->mem_idx, memop);
-    tcg_temp_free(t0);
-    tcg_temp_free(dat);
-}
-#endif
-
 #ifndef CONFIG_USER_ONLY
 /* The states of mstatus_fs are:
  * 0 = disabled, 1 = initial, 2 = clean, 3 = dirty
@@ -XXX,XX +XXX,XX @@ static void mark_fs_dirty(DisasContext *ctx)
 static inline void mark_fs_dirty(DisasContext *ctx) { }
 #endif
 
-#if !defined(TARGET_RISCV64)
-static void gen_fp_load(DisasContext *ctx, uint32_t opc, int rd,
-        int rs1, target_long imm)
-{
-    TCGv t0;
-
-    if (ctx->mstatus_fs == 0) {
-        gen_exception_illegal(ctx);
-        return;
-    }
-
-    t0 = tcg_temp_new();
-    gen_get_gpr(t0, rs1);
-    tcg_gen_addi_tl(t0, t0, imm);
-
-    switch (opc) {
-    case OPC_RISC_FLW:
-        if (!has_ext(ctx, RVF)) {
-            goto do_illegal;
-        }
-        tcg_gen_qemu_ld_i64(cpu_fpr[rd], t0, ctx->mem_idx, MO_TEUL);
-        /* RISC-V requires NaN-boxing of narrower width floating point values */
-        tcg_gen_ori_i64(cpu_fpr[rd], cpu_fpr[rd], 0xffffffff00000000ULL);
-        break;
-    case OPC_RISC_FLD:
-        if (!has_ext(ctx, RVD)) {
-            goto do_illegal;
-        }
-        tcg_gen_qemu_ld_i64(cpu_fpr[rd], t0, ctx->mem_idx, MO_TEQ);
-        break;
-    do_illegal:
-    default:
-        gen_exception_illegal(ctx);
-        break;
-    }
-    tcg_temp_free(t0);
-
-    mark_fs_dirty(ctx);
-}
-
-static void gen_fp_store(DisasContext *ctx, uint32_t opc, int rs1,
-        int rs2, target_long imm)
-{
-    TCGv t0;
-
-    if (ctx->mstatus_fs == 0) {
-        gen_exception_illegal(ctx);
-        return;
-    }
-
-    t0 = tcg_temp_new();
-    gen_get_gpr(t0, rs1);
-    tcg_gen_addi_tl(t0, t0, imm);
-
-    switch (opc) {
-    case OPC_RISC_FSW:
-        if (!has_ext(ctx, RVF)) {
-            goto do_illegal;
-        }
-        tcg_gen_qemu_st_i64(cpu_fpr[rs2], t0, ctx->mem_idx, MO_TEUL);
-        break;
-    case OPC_RISC_FSD:
-        if (!has_ext(ctx, RVD)) {
-            goto do_illegal;
-        }
-        tcg_gen_qemu_st_i64(cpu_fpr[rs2], t0, ctx->mem_idx, MO_TEQ);
-        break;
-    do_illegal:
-    default:
-        gen_exception_illegal(ctx);
-        break;
-    }
-
-    tcg_temp_free(t0);
-}
-#endif
-
 static void gen_set_rm(DisasContext *ctx, int rm)
 {
     TCGv_i32 t0;
@@ -XXX,XX +XXX,XX @@ static void gen_set_rm(DisasContext *ctx, int rm)
     tcg_temp_free_i32(t0);
 }
 
-static void decode_RV32_64C0(DisasContext *ctx, uint16_t opcode)
-{
-    uint8_t funct3 = extract16(opcode, 13, 3);
-    uint8_t rd_rs2 = GET_C_RS2S(opcode);
-    uint8_t rs1s = GET_C_RS1S(opcode);
-
-    switch (funct3) {
-    case 3:
-#if defined(TARGET_RISCV64)
-        /* C.LD(RV64/128) -> ld rd', offset[7:3](rs1')*/
-        gen_load_c(ctx, OPC_RISC_LD, rd_rs2, rs1s,
-                 GET_C_LD_IMM(opcode));
-#else
-        /* C.FLW (RV32) -> flw rd', offset[6:2](rs1')*/
-        gen_fp_load(ctx, OPC_RISC_FLW, rd_rs2, rs1s,
-                    GET_C_LW_IMM(opcode));
-#endif
-        break;
-    case 7:
-#if defined(TARGET_RISCV64)
-        /* C.SD (RV64/128) -> sd rs2', offset[7:3](rs1')*/
-        gen_store_c(ctx, OPC_RISC_SD, rs1s, rd_rs2,
-                  GET_C_LD_IMM(opcode));
-#else
-        /* C.FSW (RV32) -> fsw rs2', offset[6:2](rs1')*/
-        gen_fp_store(ctx, OPC_RISC_FSW, rs1s, rd_rs2,
-                     GET_C_LW_IMM(opcode));
-#endif
-        break;
-    }
-}
-
-static void decode_RV32_64C(DisasContext *ctx, uint16_t opcode)
-{
-    uint8_t op = extract16(opcode, 0, 2);
-
-    switch (op) {
-    case 0:
-        decode_RV32_64C0(ctx, opcode);
-        break;
-    }
-}
-
 static int ex_plus_1(DisasContext *ctx, int nf)
 {
     return nf + 1;
@@ -XXX,XX +XXX,XX @@ static void decode_opc(CPURISCVState *env, DisasContext *ctx, uint16_t opcode)
         } else {
             ctx->pc_succ_insn = ctx->base.pc_next + 2;
             if (!decode_insn16(ctx, opcode)) {
-                /* fall back to old decoder */
-                decode_RV32_64C(ctx, opcode);
+                gen_exception_illegal(ctx);
             }
         }
     } else {
-- 
2.30.1