Hi; here's the latest batch of arm changes. The big thing

in here is the SMMUv3 changes to add stage-2 translation support.

The following changes since commit aa9bbd865502ed517624ab6fe7d4b5d89ca95e43:

Merge tag 'pull-ppc-20230528' of https://gitlab.com/danielhb/qemu into staging (2023-05-29 14:31:52 -0700)

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230530

for you to fetch changes up to b03d0d4f531a8b867e0aac1fab0b876903015680:

docs: sbsa: correct graphics card name (2023-05-30 13:32:46 +0100)

* fsl-imx6: Add SNVS support for i.MX6 boards

* smmuv3: Add support for stage 2 translations

* hw/dma/xilinx_axidma: Check DMASR.HALTED to prevent infinite loop

* hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number

* cleanups for recent Kconfig changes

* target/arm: Explicitly select short-format FSR for M-profile

* tests/qtest: Run arm-specific tests only if the required machine is available

* hw/arm/sbsa-ref: add GIC node into DT

* docs: sbsa: correct graphics card name

* Update copyright dates to 2023

Clément Chigot (1):

hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number

Enze Li (1):

Update copyright dates to 2023

Fabiano Rosas (3):

target/arm: Explain why we need to select ARM_V7M

arm/Kconfig: Keep Kconfig default entries in default.mak as documentation

arm/Kconfig: Make TCG dependence explicit

Marcin Juszkiewicz (2):

hw/arm/sbsa-ref: add GIC node into DT

docs: sbsa: correct graphics card name

Mostafa Saleh (10):

hw/arm/smmuv3: Add missing fields for IDR0

hw/arm/smmuv3: Update translation config to hold stage-2

hw/arm/smmuv3: Refactor stage-1 PTW

hw/arm/smmuv3: Add page table walk for stage-2

hw/arm/smmuv3: Parse STE config for stage-2

hw/arm/smmuv3: Make TLB lookup work for stage-2

hw/arm/smmuv3: Add VMID to TLB tagging

hw/arm/smmuv3: Add CMDs related to stage-2

hw/arm/smmuv3: Add stage-2 support in iova notifier

hw/arm/smmuv3: Add knob to choose translation stage and enable stage-2

Peter Maydell (1):

target/arm: Explicitly select short-format FSR for M-profile

Thomas Huth (1):

tests/qtest: Run arm-specific tests only if the required machine is available

Tommy Wu (1):

hw/dma/xilinx_axidma: Check DMASR.HALTED to prevent infinite loop.

Vitaly Cheptsov (1):

fsl-imx6: Add SNVS support for i.MX6 boards

docs/conf.py | 2 +-

docs/system/arm/sbsa.rst | 2 +-

configs/devices/aarch64-softmmu/default.mak | 6 +

configs/devices/arm-softmmu/default.mak | 40 ++++

hw/arm/smmu-internal.h | 37 +++

hw/arm/smmuv3-internal.h | 12 +-

include/hw/arm/fsl-imx6.h | 2 +

include/hw/arm/smmu-common.h | 45 +++-

include/hw/arm/smmuv3.h | 4 +

include/qemu/help-texts.h | 2 +-

hw/arm/fsl-imx6.c | 8 +

hw/arm/sbsa-ref.c | 19 +-

hw/arm/smmu-common.c | 209 ++++++++++++++--

hw/arm/smmuv3.c | 357 ++++++++++++++++++++++++----

hw/arm/xlnx-zynqmp.c | 2 +-

hw/dma/xilinx_axidma.c | 11 +-

target/arm/tcg/tlb_helper.c | 13 +-

hw/arm/Kconfig | 123 ++++++----

hw/arm/trace-events | 14 +-

target/arm/Kconfig | 3 +

tests/qtest/meson.build | 7 +-

21 files changed, 773 insertions(+), 145 deletions(-)

From: Vitaly Cheptsov <cheptsov@ispras.ru>

SNVS is supported on both i.MX6 and i.MX6UL and is needed

to support shutdown on the board.

Cc: Peter Maydell <peter.maydell@linaro.org> (odd fixer:SABRELITE / i.MX6)

Cc: Jean-Christophe Dubois <jcd@tribudubois.net> (reviewer:SABRELITE / i.MX6)

Cc: qemu-arm@nongnu.org (open list:SABRELITE / i.MX6)

Cc: qemu-devel@nongnu.org (open list:All patches CC here)

Signed-off-by: Vitaly Cheptsov <cheptsov@ispras.ru>

Message-id: 20230515095015.66860-1-cheptsov@ispras.ru

include/hw/arm/fsl-imx6.h | 2 ++

hw/arm/fsl-imx6.c | 8 ++++++++

2 files changed, 10 insertions(+)

diff --git a/include/hw/arm/fsl-imx6.h b/include/hw/arm/fsl-imx6.h

--- a/include/hw/arm/fsl-imx6.h

+++ b/include/hw/arm/fsl-imx6.h

#include "hw/cpu/a9mpcore.h"

#include "hw/misc/imx6_ccm.h"

#include "hw/misc/imx6_src.h"

+#include "hw/misc/imx7_snvs.h"

#include "hw/watchdog/wdt_imx2.h"

#include "hw/char/imx_serial.h"

#include "hw/timer/imx_gpt.h"

@@ -XXX,XX +XXX,XX @@ struct FslIMX6State {

A9MPPrivState a9mpcore;

IMX6CCMState ccm;

IMX6SRCState src;

+ IMX7SNVSState snvs;

IMXSerialState uart[FSL_IMX6_NUM_UARTS];

IMXGPTState gpt;

IMXEPITState epit[FSL_IMX6_NUM_EPITS];

diff --git a/hw/arm/fsl-imx6.c b/hw/arm/fsl-imx6.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/fsl-imx6.c

+++ b/hw/arm/fsl-imx6.c

@@ -XXX,XX +XXX,XX @@ static void fsl_imx6_init(Object *obj)

object_initialize_child(obj, "src", &s->src, TYPE_IMX6_SRC);

+ object_initialize_child(obj, "snvs", &s->snvs, TYPE_IMX7_SNVS);

+

for (i = 0; i < FSL_IMX6_NUM_UARTS; i++) {

snprintf(name, NAME_SIZE, "uart%d", i + 1);

object_initialize_child(obj, name, &s->uart[i], TYPE_IMX_SERIAL);

@@ -XXX,XX +XXX,XX @@ static void fsl_imx6_realize(DeviceState *dev, Error **errp)

qdev_get_gpio_in(DEVICE(&s->a9mpcore),

FSL_IMX6_ENET_MAC_1588_IRQ));

+ /*

+ * SNVS

+ */

+ sysbus_realize(SYS_BUS_DEVICE(&s->snvs), &error_abort);

+ sysbus_mmio_map(SYS_BUS_DEVICE(&s->snvs), 0, FSL_IMX6_SNVSHP_ADDR);

+

/*

* Watchdog

*/

2.34.1

From: Mostafa Saleh <smostafa@google.com>

In preparation for adding stage-2 support.

Add IDR0 fields related to stage-2.

VMID16: 16-bit VMID supported.

S2P: Stage-2 translation supported.

They are described in 6.3.1 SMMU_IDR0.

No functional change intended.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Eric Auger <eric.auger@redhat.com>

Signed-off-by: Mostafa Saleh <smostafa@google.com>

Tested-by: Eric Auger <eric.auger@redhat.com>

Tested-by: Jean-Philippe Brucker <jean-philippe@linaro.org>

Message-id: 20230516203327.2051088-2-smostafa@google.com

hw/arm/smmuv3-internal.h | 2 ++

1 file changed, 2 insertions(+)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h

--- a/hw/arm/smmuv3-internal.h

+++ b/hw/arm/smmuv3-internal.h

@@ -XXX,XX +XXX,XX @@ typedef enum SMMUTranslationStatus {

/* MMIO Registers */

REG32(IDR0, 0x0)

+ FIELD(IDR0, S2P, 0 , 1)

FIELD(IDR0, S1P, 1 , 1)

FIELD(IDR0, TTF, 2 , 2)

FIELD(IDR0, COHACC, 4 , 1)

FIELD(IDR0, ASID16, 12, 1)

+ FIELD(IDR0, VMID16, 18, 1)

FIELD(IDR0, TTENDIAN, 21, 2)

FIELD(IDR0, STALL_MODEL, 24, 2)

FIELD(IDR0, TERM_MODEL, 26, 1)

2.34.1

From: Mostafa Saleh <smostafa@google.com>

In preparation for adding stage-2 support, add a S2 config

struct(SMMUS2Cfg), composed of the following fields and embedded in

the main SMMUTransCfg:

-tsz: Size of IPA input region (S2T0SZ)

-sl0: Start level of translation (S2SL0)

-affd: AF Fault Disable (S2AFFD)

-record_faults: Record fault events (S2R)

-granule_sz: Granule page shift (based on S2TG)

-vmid: Virtual Machine ID (S2VMID)

-vttb: Address of translation table base (S2TTB)

-eff_ps: Effective PA output range (based on S2PS)

They will be used in the next patches in stage-2 address translation.

The fields in SMMUS2Cfg, are reordered to make the shared and stage-1

fields next to each other, this reordering didn't change the struct

size (104 bytes before and after).

Stage-1 only fields: aa64, asid, tt, ttb, tbi, record_faults, oas.

oas is stage-1 output address size. However, it is used to check

input address in case stage-1 is unimplemented or bypassed according

to SMMUv3 manual IHI0070.E "3.4. Address sizes"

Shared fields: stage, disabled, bypassed, aborted, iotlb_*.

No functional change intended.

Reviewed-by: Eric Auger <eric.auger@redhat.com>

Signed-off-by: Mostafa Saleh <smostafa@google.com>

Tested-by: Eric Auger <eric.auger@redhat.com>

Tested-by: Jean-Philippe Brucker <jean-philippe@linaro.org>

Message-id: 20230516203327.2051088-3-smostafa@google.com

include/hw/arm/smmu-common.h | 22 +++++++++++++++++++---

1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h

--- a/include/hw/arm/smmu-common.h

+++ b/include/hw/arm/smmu-common.h

@@ -XXX,XX +XXX,XX @@ typedef struct SMMUTLBEntry {

uint8_t granule;

} SMMUTLBEntry;

+/* Stage-2 configuration. */

+typedef struct SMMUS2Cfg {

+ uint8_t tsz; /* Size of IPA input region (S2T0SZ) */

+ uint8_t sl0; /* Start level of translation (S2SL0) */

+ bool affd; /* AF Fault Disable (S2AFFD) */

+ bool record_faults; /* Record fault events (S2R) */

+ uint8_t granule_sz; /* Granule page shift (based on S2TG) */

+ uint8_t eff_ps; /* Effective PA output range (based on S2PS) */

+ uint16_t vmid; /* Virtual Machine ID (S2VMID) */

+ uint64_t vttb; /* Address of translation table base (S2TTB) */

+} SMMUS2Cfg;

/*

* Generic structure populated by derived SMMU devices

* after decoding the configuration information and used as

* input to the page table walk

*/

typedef struct SMMUTransCfg {

+ /* Shared fields between stage-1 and stage-2. */

int stage; /* translation stage */

- bool aa64; /* arch64 or aarch32 translation table */

bool disabled; /* smmu is disabled */

bool bypassed; /* translation is bypassed */

bool aborted; /* translation is aborted */

+ uint32_t iotlb_hits; /* counts IOTLB hits */

+ uint32_t iotlb_misses; /* counts IOTLB misses*/

+ /* Used by stage-1 only. */

+ bool aa64; /* arch64 or aarch32 translation table */

bool record_faults; /* record fault events */

uint64_t ttb; /* TT base address */

uint8_t oas; /* output address width */

uint8_t tbi; /* Top Byte Ignore */

uint16_t asid;

SMMUTransTableInfo tt[2];

- uint32_t iotlb_hits; /* counts IOTLB hits for this asid */

- uint32_t iotlb_misses; /* counts IOTLB misses for this asid */

+ /* Used by stage-2 only. */

+ struct SMMUS2Cfg s2cfg;

} SMMUTransCfg;

typedef struct SMMUDevice {

2.34.1

From: Mostafa Saleh <smostafa@google.com>

In preparation for adding stage-2 support, rename smmu_ptw_64 to

smmu_ptw_64_s1 and refactor some of the code so it can be reused in

stage-2 page table walk.

Remove AA64 check from PTW as decode_cd already ensures that AA64 is

used, otherwise it faults with C_BAD_CD.

A stage member is added to SMMUPTWEventInfo to differentiate

between stage-1 and stage-2 ptw faults.

Add stage argument to trace_smmu_ptw_level be consistent with other

trace events.

Signed-off-by: Mostafa Saleh <smostafa@google.com>

Reviewed-by: Eric Auger <eric.auger@redhat.com>

Tested-by: Eric Auger <eric.auger@redhat.com>

Tested-by: Jean-Philippe Brucker <jean-philippe@linaro.org>

Message-id: 20230516203327.2051088-4-smostafa@google.com

include/hw/arm/smmu-common.h | 16 +++++++++++++---

hw/arm/smmu-common.c | 27 ++++++++++-----------------

hw/arm/smmuv3.c | 2 ++

hw/arm/trace-events | 2 +-

4 files changed, 26 insertions(+), 21 deletions(-)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h

--- a/include/hw/arm/smmu-common.h

+++ b/include/hw/arm/smmu-common.h

@@ -XXX,XX +XXX,XX @@

#include "hw/pci/pci.h"

#include "qom/object.h"

-#define SMMU_PCI_BUS_MAX 256

-#define SMMU_PCI_DEVFN_MAX 256

-#define SMMU_PCI_DEVFN(sid) (sid & 0xFF)

+#define SMMU_PCI_BUS_MAX 256

+#define SMMU_PCI_DEVFN_MAX 256

+#define SMMU_PCI_DEVFN(sid) (sid & 0xFF)

+

+/* VMSAv8-64 Translation constants and functions */

+#define VMSA_LEVELS 4

+

+#define VMSA_STRIDE(gran) ((gran) - VMSA_LEVELS + 1)

+#define VMSA_BIT_LVL(isz, strd, lvl) ((isz) - (strd) * \

+ (VMSA_LEVELS - (lvl)))

+#define VMSA_IDXMSK(isz, strd, lvl) ((1ULL << \

+ VMSA_BIT_LVL(isz, strd, lvl)) - 1)

/*

* Page table walk error types

@@ -XXX,XX +XXX,XX @@ typedef enum {

} SMMUPTWEventType;

typedef struct SMMUPTWEventInfo {

+ int stage;

SMMUPTWEventType type;

dma_addr_t addr; /* fetched address that induced an abort, if any */

} SMMUPTWEventInfo;

diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/smmu-common.c

+++ b/hw/arm/smmu-common.c

@@ -XXX,XX +XXX,XX @@ SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova)

/**

- * smmu_ptw_64 - VMSAv8-64 Walk of the page tables for a given IOVA

+ * smmu_ptw_64_s1 - VMSAv8-64 Walk of the page tables for a given IOVA

* @cfg: translation config

* @iova: iova to translate

* @perm: access type

@@ -XXX,XX +XXX,XX @@ SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova)

* Upon success, @tlbe is filled with translated_addr and entry

* permission rights.

*/

-static int smmu_ptw_64(SMMUTransCfg *cfg,

- dma_addr_t iova, IOMMUAccessFlags perm,

- SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)

+static int smmu_ptw_64_s1(SMMUTransCfg *cfg,

+ dma_addr_t iova, IOMMUAccessFlags perm,

+ SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)

dma_addr_t baseaddr, indexmask;

int stage = cfg->stage;

@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64(SMMUTransCfg *cfg,

}

granule_sz = tt->granule_sz;

- stride = granule_sz - 3;

+ stride = VMSA_STRIDE(granule_sz);

inputsize = 64 - tt->tsz;

level = 4 - (inputsize - 4) / stride;

- indexmask = (1ULL << (inputsize - (stride * (4 - level)))) - 1;

+ indexmask = VMSA_IDXMSK(inputsize, stride, level);

baseaddr = extract64(tt->ttb, 0, 48);

baseaddr &= ~indexmask;

- while (level <= 3) {

+ while (level < VMSA_LEVELS) {

uint64_t subpage_size = 1ULL << level_shift(level, granule_sz);

uint64_t mask = subpage_size - 1;

uint32_t offset = iova_level_offset(iova, inputsize, level, granule_sz);

@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64(SMMUTransCfg *cfg,

if (get_pte(baseaddr, offset, &pte, info)) {

goto error;

}

- trace_smmu_ptw_level(level, iova, subpage_size,

+ trace_smmu_ptw_level(stage, level, iova, subpage_size,

baseaddr, offset, pte);

if (is_invalid_pte(pte) || is_reserved_pte(pte, level)) {

@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64(SMMUTransCfg *cfg,

info->type = SMMU_PTW_ERR_TRANSLATION;

error:

+ info->stage = 1;

tlbe->entry.perm = IOMMU_NONE;

return -EINVAL;

}

@@ -XXX,XX +XXX,XX @@ error:

int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,

SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)

{

- if (!cfg->aa64) {

- /*

- * This code path is not entered as we check this while decoding

- * the configuration data in the derived SMMU model.

- */

- g_assert_not_reached();

- return smmu_ptw_64(cfg, iova, perm, tlbe, info);

+ return smmu_ptw_64_s1(cfg, iova, perm, tlbe, info);

/**

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/smmuv3.c

+++ b/hw/arm/smmuv3.c

@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,

cached_entry = g_new0(SMMUTLBEntry, 1);

if (smmu_ptw(cfg, aligned_addr, flag, cached_entry, &ptw_info)) {

+ /* All faults from PTW has S2 field. */

+ event.u.f_walk_eabt.s2 = (ptw_info.stage == 2);

g_free(cached_entry);

switch (ptw_info.type) {

case SMMU_PTW_ERR_WALK_EABT:

diff --git a/hw/arm/trace-events b/hw/arm/trace-events

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/trace-events

+++ b/hw/arm/trace-events

@@ -XXX,XX +XXX,XX @@ virt_acpi_setup(void) "No fw cfg or ACPI disabled. Bailing out."

# smmu-common.c

smmu_add_mr(const char *name) "%s"

-smmu_ptw_level(int level, uint64_t iova, size_t subpage_size, uint64_t baseaddr, uint32_t offset, uint64_t pte) "level=%d iova=0x%"PRIx64" subpage_sz=0x%zx baseaddr=0x%"PRIx64" offset=%d => pte=0x%"PRIx64

+smmu_ptw_level(int stage, int level, uint64_t iova, size_t subpage_size, uint64_t baseaddr, uint32_t offset, uint64_t pte) "stage=%d level=%d iova=0x%"PRIx64" subpage_sz=0x%zx baseaddr=0x%"PRIx64" offset=%d => pte=0x%"PRIx64

smmu_ptw_invalid_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint32_t offset, uint64_t pte) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" offset=%d pte=0x%"PRIx64

smmu_ptw_page_pte(int stage, int level, uint64_t iova, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t address) "stage=%d level=%d iova=0x%"PRIx64" base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" page address = 0x%"PRIx64

smmu_ptw_block_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t iova, uint64_t gpa, int bsize_mb) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" iova=0x%"PRIx64" block address = 0x%"PRIx64" block size = %d MiB"

2.34.1

From: Mostafa Saleh <smostafa@google.com>

In preparation for adding stage-2 support, add Stage-2 PTW code.

Only Aarch64 format is supported as stage-1.

Nesting stage-1 and stage-2 is not supported right now.

HTTU is not supported, SW is expected to maintain the Access flag.

This is described in the SMMUv3 manual(IHI 0070.E.a)

"5.2. Stream Table Entry" in "[181] S2AFFD".

This flag determines the behavior on access of a stage-2 page whose

descriptor has AF == 0:

- 0b0: An Access flag fault occurs (stall not supported).

- 0b1: An Access flag fault never occurs.

An Access fault takes priority over a Permission fault.

There are 3 address size checks for stage-2 according to

(IHI 0070.E.a) in "3.4. Address sizes".

- As nesting is not supported, input address is passed directly to

stage-2, and is checked against IAS.

We use cfg->oas to hold the OAS when stage-1 is not used, this is set

in the next patch.

This check is done outside of smmu_ptw_64_s2 as it is not part of

stage-2(it throws stage-1 fault), and the stage-2 function shouldn't

change it's behavior when nesting is supported.

When nesting is supported and we figure out how to combine TLB for

stage-1 and stage-2 we can move this check into the stage-1 function

as described in ARM DDI0487I.a in pseudocode

aarch64/translation/vmsa_translation/AArch64.S1Translate

aarch64/translation/vmsa_translation/AArch64.S1DisabledOutput

- Input to stage-2 is checked against s2t0sz, and throws stage-2

transaltion fault if exceeds it.

- Output of stage-2 is checked against effective PA output range.

Reviewed-by: Eric Auger <eric.auger@redhat.com>

Signed-off-by: Mostafa Saleh <smostafa@google.com>

Tested-by: Eric Auger <eric.auger@redhat.com>

Tested-by: Jean-Philippe Brucker <jean-philippe@linaro.org>

Message-id: 20230516203327.2051088-5-smostafa@google.com

hw/arm/smmu-internal.h | 35 ++++++++++

hw/arm/smmu-common.c | 142 ++++++++++++++++++++++++++++++++++++++++-

2 files changed, 176 insertions(+), 1 deletion(-)

diff --git a/hw/arm/smmu-internal.h b/hw/arm/smmu-internal.h

--- a/hw/arm/smmu-internal.h

+++ b/hw/arm/smmu-internal.h

@@ -XXX,XX +XXX,XX @@

#define PTE_APTABLE(pte) \

(extract64(pte, 61, 2))

+#define PTE_AF(pte) \

+ (extract64(pte, 10, 1))

/*

* TODO: At the moment all transactions are considered as privileged (EL1)

* as IOMMU translation callback does not pass user/priv attributes.

@@ -XXX,XX +XXX,XX @@

#define is_permission_fault(ap, perm) \

(((perm) & IOMMU_WO) && ((ap) & 0x2))

+#define is_permission_fault_s2(s2ap, perm) \

+ (!(((s2ap) & (perm)) == (perm)))

+

#define PTE_AP_TO_PERM(ap) \

(IOMMU_ACCESS_FLAG(true, !((ap) & 0x2)))

@@ -XXX,XX +XXX,XX @@ uint64_t iova_level_offset(uint64_t iova, int inputsize,

MAKE_64BIT_MASK(0, gsz - 3);

+/* FEAT_LPA2 and FEAT_TTST are not implemented. */

+static inline int get_start_level(int sl0 , int granule_sz)

+ /* ARM DDI0487I.a: Table D8-12. */

+ if (granule_sz == 12) {

+ return 2 - sl0;

+ }

+ /* ARM DDI0487I.a: Table D8-22 and Table D8-31. */

+ return 3 - sl0;

+/*

+ * Index in a concatenated first level stage-2 page table.

+ * ARM DDI0487I.a: D8.2.2 Concatenated translation tables.

+ */

+static inline int pgd_concat_idx(int start_level, int granule_sz,

+ dma_addr_t ipa)

+ uint64_t ret;

+ /*

+ * Get the number of bits handled by next levels, then any extra bits in

+ * the address should index the concatenated tables. This relation can be

+ * deduced from tables in ARM DDI0487I.a: D8.2.7-9

+ */

+ int shift = level_shift(start_level - 1, granule_sz);

+

+ ret = ipa >> shift;

+ return ret;

#define SMMU_IOTLB_ASID(key) ((key).asid)

typedef struct SMMUIOTLBPageInvInfo {

diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/smmu-common.c

+++ b/hw/arm/smmu-common.c

@@ -XXX,XX +XXX,XX @@ error:

return -EINVAL;

}

+/**

+ * smmu_ptw_64_s2 - VMSAv8-64 Walk of the page tables for a given ipa

+ * for stage-2.

+ * @cfg: translation config

+ * @ipa: ipa to translate

+ * @perm: access type

+ * @tlbe: SMMUTLBEntry (out)

+ * @info: handle to an error info

+ *

+ * Return 0 on success, < 0 on error. In case of error, @info is filled

+ * and tlbe->perm is set to IOMMU_NONE.

+ * Upon success, @tlbe is filled with translated_addr and entry

+ * permission rights.

+ */

+static int smmu_ptw_64_s2(SMMUTransCfg *cfg,

+ dma_addr_t ipa, IOMMUAccessFlags perm,

+ SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)

+{

+ const int stage = 2;

+ int granule_sz = cfg->s2cfg.granule_sz;

+ /* ARM DDI0487I.a: Table D8-7. */

+ int inputsize = 64 - cfg->s2cfg.tsz;

+ int level = get_start_level(cfg->s2cfg.sl0, granule_sz);

+ int stride = VMSA_STRIDE(granule_sz);

+ int idx = pgd_concat_idx(level, granule_sz, ipa);

+ /*

+ * Get the ttb from concatenated structure.

+ * The offset is the idx * size of each ttb(number of ptes * (sizeof(pte))

+ */

+ uint64_t baseaddr = extract64(cfg->s2cfg.vttb, 0, 48) + (1 << stride) *

+ idx * sizeof(uint64_t);

+ dma_addr_t indexmask = VMSA_IDXMSK(inputsize, stride, level);

+

+ baseaddr &= ~indexmask;

+

+ /*

+ * On input, a stage 2 Translation fault occurs if the IPA is outside the

+ * range configured by the relevant S2T0SZ field of the STE.

+ */

+ if (ipa >= (1ULL << inputsize)) {

+ info->type = SMMU_PTW_ERR_TRANSLATION;

+ goto error;

+ }

+

+ while (level < VMSA_LEVELS) {

+ uint64_t subpage_size = 1ULL << level_shift(level, granule_sz);

+ uint64_t mask = subpage_size - 1;

+ uint32_t offset = iova_level_offset(ipa, inputsize, level, granule_sz);

+ uint64_t pte, gpa;

+ dma_addr_t pte_addr = baseaddr + offset * sizeof(pte);

+ uint8_t s2ap;

+

+ if (get_pte(baseaddr, offset, &pte, info)) {

+ goto error;

+ }

+ trace_smmu_ptw_level(stage, level, ipa, subpage_size,

+ baseaddr, offset, pte);

+ if (is_invalid_pte(pte) || is_reserved_pte(pte, level)) {

+ trace_smmu_ptw_invalid_pte(stage, level, baseaddr,

+ pte_addr, offset, pte);

+ break;

+ }

+

+ if (is_table_pte(pte, level)) {

+ baseaddr = get_table_pte_address(pte, granule_sz);

+ level++;

+ continue;

+ } else if (is_page_pte(pte, level)) {

+ gpa = get_page_pte_address(pte, granule_sz);

+ trace_smmu_ptw_page_pte(stage, level, ipa,

+ baseaddr, pte_addr, pte, gpa);

+ } else {

+ uint64_t block_size;

+

+ gpa = get_block_pte_address(pte, level, granule_sz,

+ &block_size);

+ trace_smmu_ptw_block_pte(stage, level, baseaddr,

+ pte_addr, pte, ipa, gpa,

+ block_size >> 20);

+ }

+

+ /*

+ * If S2AFFD and PTE.AF are 0 => fault. (5.2. Stream Table Entry)

+ * An Access fault takes priority over a Permission fault.

+ */

+ if (!PTE_AF(pte) && !cfg->s2cfg.affd) {

+ info->type = SMMU_PTW_ERR_ACCESS;

+ goto error;

+ }

+

+ s2ap = PTE_AP(pte);

+ if (is_permission_fault_s2(s2ap, perm)) {

+ info->type = SMMU_PTW_ERR_PERMISSION;

+ goto error;

+ }

+

+ /*

+ * The address output from the translation causes a stage 2 Address

+ * Size fault if it exceeds the effective PA output range.

+ */

+ if (gpa >= (1ULL << cfg->s2cfg.eff_ps)) {

+ info->type = SMMU_PTW_ERR_ADDR_SIZE;

+ goto error;

+ }

+

+ tlbe->entry.translated_addr = gpa;

+ tlbe->entry.iova = ipa & ~mask;

+ tlbe->entry.addr_mask = mask;

+ tlbe->entry.perm = s2ap;

+ tlbe->level = level;

+ tlbe->granule = granule_sz;

+ return 0;

+ }

+ info->type = SMMU_PTW_ERR_TRANSLATION;

+

+error:

+ info->stage = 2;

+ tlbe->entry.perm = IOMMU_NONE;

+ return -EINVAL;

+}

+

/**

* smmu_ptw - Walk the page tables for an IOVA, according to @cfg

*

@@ -XXX,XX +XXX,XX @@ error:

int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,

SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)

- return smmu_ptw_64_s1(cfg, iova, perm, tlbe, info);

+ if (cfg->stage == 1) {

+ return smmu_ptw_64_s1(cfg, iova, perm, tlbe, info);

+ } else if (cfg->stage == 2) {

+ /*

+ * If bypassing stage 1(or unimplemented), the input address is passed

+ * directly to stage 2 as IPA. If the input address of a transaction

+ * exceeds the size of the IAS, a stage 1 Address Size fault occurs.

+ * For AA64, IAS = OAS according to (IHI 0070.E.a) "3.4 Address sizes"

+ */

+ if (iova >= (1ULL << cfg->oas)) {

+ info->type = SMMU_PTW_ERR_ADDR_SIZE;

+ info->stage = 1;

+ tlbe->entry.perm = IOMMU_NONE;

+ return -EINVAL;

+ }

+

+ return smmu_ptw_64_s2(cfg, iova, perm, tlbe, info);

+ }

+

+ g_assert_not_reached();

}

/**

2.34.1

From: Mostafa Saleh <smostafa@google.com>

Parse stage-2 configuration from STE and populate it in SMMUS2Cfg.

Validity of field values are checked when possible.

Only AA64 tables are supported and Small Translation Tables (STT) are

not supported.

According to SMMUv3 UM(IHI0070E) "5.2 Stream Table Entry": All fields

with an S2 prefix (with the exception of S2VMID) are IGNORED when

stage-2 bypasses translation (Config[1] == 0).

Which means that VMID can be used(for TLB tagging) even if stage-2 is

bypassed, so we parse it unconditionally when S2P exists. Otherwise

it is set to -1.(only S1P)

As stall is not supported, if S2S is set the translation would abort.

For S2R, we reuse the same code used for stage-1 with flag

record_faults. However when nested translation is supported we would

need to separate stage-1 and stage-2 faults.

Fix wrong shift in STE_S2HD, STE_S2HA, STE_S2S.

Signed-off-by: Mostafa Saleh <smostafa@google.com>

Tested-by: Eric Auger <eric.auger@redhat.com>

Tested-by: Jean-Philippe Brucker <jean-philippe@linaro.org>

Reviewed-by: Eric Auger <eric.auger@redhat.com>

Message-id: 20230516203327.2051088-6-smostafa@google.com

hw/arm/smmuv3-internal.h | 10 +-

include/hw/arm/smmu-common.h | 1 +

include/hw/arm/smmuv3.h | 3 +

hw/arm/smmuv3.c | 181 +++++++++++++++++++++++++++++++++--

4 files changed, 185 insertions(+), 10 deletions(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h

--- a/hw/arm/smmuv3-internal.h

+++ b/hw/arm/smmuv3-internal.h

@@ -XXX,XX +XXX,XX @@ typedef struct CD {

#define STE_S2TG(x) extract32((x)->word[5], 14, 2)

#define STE_S2PS(x) extract32((x)->word[5], 16, 3)

#define STE_S2AA64(x) extract32((x)->word[5], 19, 1)

-#define STE_S2HD(x) extract32((x)->word[5], 24, 1)

-#define STE_S2HA(x) extract32((x)->word[5], 25, 1)

-#define STE_S2S(x) extract32((x)->word[5], 26, 1)

+#define STE_S2ENDI(x) extract32((x)->word[5], 20, 1)

+#define STE_S2AFFD(x) extract32((x)->word[5], 21, 1)

+#define STE_S2HD(x) extract32((x)->word[5], 23, 1)

+#define STE_S2HA(x) extract32((x)->word[5], 24, 1)

+#define STE_S2S(x) extract32((x)->word[5], 25, 1)

+#define STE_S2R(x) extract32((x)->word[5], 26, 1)

+

#define STE_CTXPTR(x) \

({ \

unsigned long addr; \

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h

index XXXXXXX..XXXXXXX 100644

--- a/include/hw/arm/smmu-common.h

+++ b/include/hw/arm/smmu-common.h

/* VMSAv8-64 Translation constants and functions */

#define VMSA_LEVELS 4

+#define VMSA_MAX_S2_CONCAT 16

#define VMSA_STRIDE(gran) ((gran) - VMSA_LEVELS + 1)

#define VMSA_BIT_LVL(isz, strd, lvl) ((isz) - (strd) * \

diff --git a/include/hw/arm/smmuv3.h b/include/hw/arm/smmuv3.h

--- a/include/hw/arm/smmuv3.h

+++ b/include/hw/arm/smmuv3.h

@@ -XXX,XX +XXX,XX @@ struct SMMUv3Class {

#define TYPE_ARM_SMMUV3 "arm-smmuv3"

OBJECT_DECLARE_TYPE(SMMUv3State, SMMUv3Class, ARM_SMMUV3)

+#define STAGE1_SUPPORTED(s) FIELD_EX32(s->idr[0], IDR0, S1P)

+#define STAGE2_SUPPORTED(s) FIELD_EX32(s->idr[0], IDR0, S2P)

+

#endif

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c

--- a/hw/arm/smmuv3.c

+++ b/hw/arm/smmuv3.c

#include "smmuv3-internal.h"

#include "smmu-internal.h"

+#define PTW_RECORD_FAULT(cfg) (((cfg)->stage == 1) ? (cfg)->record_faults : \

+ (cfg)->s2cfg.record_faults)

+

/**

* smmuv3_trigger_irq - pulse @irq if enabled and update

* GERROR register in case of GERROR interrupt

@@ -XXX,XX +XXX,XX @@ static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t ssid,

return 0;

+/*

+ * Max valid value is 39 when SMMU_IDR3.STT == 0.

+ * In architectures after SMMUv3.0:

+ * - If STE.S2TG selects a 4KB or 16KB granule, the minimum valid value for this

+ * field is MAX(16, 64-IAS)

+ * - If STE.S2TG selects a 64KB granule, the minimum valid value for this field

+ * is (64-IAS).

+ * As we only support AA64, IAS = OAS.

+ */

+static bool s2t0sz_valid(SMMUTransCfg *cfg)

+ if (cfg->s2cfg.tsz > 39) {

+ return false;

+ }

+

+ if (cfg->s2cfg.granule_sz == 16) {

+ return (cfg->s2cfg.tsz >= 64 - oas2bits(SMMU_IDR5_OAS));

+ }

+

+ return (cfg->s2cfg.tsz >= MAX(64 - oas2bits(SMMU_IDR5_OAS), 16));

+/*

+ * Return true if s2 page table config is valid.

+ * This checks with the configured start level, ias_bits and granularity we can

+ * have a valid page table as described in ARM ARM D8.2 Translation process.

+ * The idea here is to see for the highest possible number of IPA bits, how

+ * many concatenated tables we would need, if it is more than 16, then this is

+ * not possible.

+ */

+static bool s2_pgtable_config_valid(uint8_t sl0, uint8_t t0sz, uint8_t gran)

+{

+ int level = get_start_level(sl0, gran);

+ uint64_t ipa_bits = 64 - t0sz;

+ uint64_t max_ipa = (1ULL << ipa_bits) - 1;

+ int nr_concat = pgd_concat_idx(level, gran, max_ipa) + 1;

+

+ return nr_concat <= VMSA_MAX_S2_CONCAT;

+}

+

+static int decode_ste_s2_cfg(SMMUTransCfg *cfg, STE *ste)

+{

+ cfg->stage = 2;

+

+ if (STE_S2AA64(ste) == 0x0) {

+ qemu_log_mask(LOG_UNIMP,

+ "SMMUv3 AArch32 tables not supported\n");

+ g_assert_not_reached();

+ }

+

+ switch (STE_S2TG(ste)) {

+ case 0x0: /* 4KB */

+ cfg->s2cfg.granule_sz = 12;

+ break;

+ case 0x1: /* 64KB */

+ cfg->s2cfg.granule_sz = 16;

+ break;

+ case 0x2: /* 16KB */

+ cfg->s2cfg.granule_sz = 14;