Series comparison

-[PULL 00/29] target-arm queue
+[PULL 00/35] target-arm queue
-Hi; this mostly contains the first slice of A64 decodetree
+The following changes since commit 5767815218efd3cbfd409505ed824d5f356044ae:
 patches, plus some other minor pieces. It also has the
 enablement of MTE for KVM guests.
-thanks
+  Merge tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu into staging (2024-02-14 15:45:52 +0000)
 -- PMM
 The following changes since commit d27e7c359330ba7020bdbed7ed2316cb4cf6ffc1:
   qapi/parser: Drop two bad type hints for now (2023-05-17 10:18:33 -0700)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230518
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240215
-for you to fetch changes up to 91608e2a44f36e79cb83f863b8a7bb57d2c98061:
+for you to fetch changes up to f780e63fe731b058fe52d43653600d8729a1b5f2:
-  docs: Convert u2f.txt to rST (2023-05-18 11:40:32 +0100)
+  docs: Add documentation for the mps3-an536 board (2024-02-15 14:32:39 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * Fix vd == vm overlap in sve_ldff1_z
+ * hw/arm/xilinx_zynq: Wire FIQ between CPU <> GIC
- * Add support for MTE with KVM guests
+ * linux-user/aarch64: Choose SYNC as the preferred MTE mode
- * Add RAZ/WI handling for DBGDTR[TX|RX]
+ * Fix some errors in SVE/SME handling of MTE tags
- * Start of conversion of A64 decoder to decodetree
+ * hw/pci-host/raven.c: Mark raven_io_ops as implementing unaligned accesses
- * Saturate L2CTLR_EL1 core count field rather than overflowing
+ * hw/block/tc58128: Don't emit deprecation warning under qtest
- * vexpress: Avoid trivial memory leak of 'flashalias'
+ * tests/qtest: Fix handling of npcm7xx and GMAC tests
- * sbsa-ref: switch default cpu core to Neoverse-N1
+ * hw/arm/virt: Wire up non-secure EL2 virtual timer IRQ
- * sbsa-ref: use Bochs graphics card instead of VGA
+ * tests/qtest/npcm7xx_emc-test: Connect all NICs to a backend
- * MAINTAINERS: Add Marcin Juszkiewicz to sbsa-ref reviewer list
+ * Don't assert on vmload/vmsave of M-profile CPUs
- * docs: Convert u2f.txt to rST
+ * hw/arm/smmuv3: add support for stage 1 access fault
  * hw/arm/stellaris: QOM cleanups
  * Use new CBAR encoding for all v8 CPUs, not all aarch64 CPUs
  * Improve Cortex_R52 IMPDEF sysreg modelling
  * Allow access to SPSR_hyp from hyp mode
  * New board model mps3-an536 (Cortex-R52)
 ----------------------------------------------------------------
-Alex Bennée (1):
+Luc Michel (1):
-      target/arm: add RAZ/WI handling for DBGDTR[TX|RX]
+      hw/arm/smmuv3: add support for stage 1 access fault
-Cornelia Huck (1):
+Nabih Estefan (1):
-      arm/kvm: add support for MTE
+      tests/qtest: Fix GMAC test to run on a machine in upstream QEMU
-Marcin Juszkiewicz (3):
+Peter Maydell (22):
-      sbsa-ref: switch default cpu core to Neoverse-N1
+      hw/pci-host/raven.c: Mark raven_io_ops as implementing unaligned accesses
-      Maintainers: add myself as reviewer for sbsa-ref
+      hw/block/tc58128: Don't emit deprecation warning under qtest
-      sbsa-ref: use Bochs graphics card instead of VGA
+      tests/qtest/meson.build: Don't include qtests_npcm7xx in qtests_aarch64
       tests/qtest/bios-tables-test: Allow changes to virt GTDT
       hw/arm/virt: Wire up non-secure EL2 virtual timer IRQ
       tests/qtest/bios-tables-tests: Update virt golden reference
       hw/arm/npcm7xx: Call qemu_configure_nic_device() for GMAC modules
       tests/qtest/npcm7xx_emc-test: Connect all NICs to a backend
       target/arm: Don't get MDCR_EL2 in pmu_counter_enabled() before checking ARM_FEATURE_PMU
       target/arm: Use new CBAR encoding for all v8 CPUs, not all aarch64 CPUs
       target/arm: The Cortex-R52 has a read-only CBAR
       target/arm: Add Cortex-R52 IMPDEF sysregs
       target/arm: Allow access to SPSR_hyp from hyp mode
       hw/misc/mps2-scc: Fix condition for CFG3 register
       hw/misc/mps2-scc: Factor out which-board conditionals
       hw/misc/mps2-scc: Make changes needed for AN536 FPGA image
       hw/arm/mps3r: Initial skeleton for mps3-an536 board
       hw/arm/mps3r: Add CPUs, GIC, and per-CPU RAM
       hw/arm/mps3r: Add UARTs
       hw/arm/mps3r: Add GPIO, watchdog, dual-timer, I2C devices
       hw/arm/mps3r: Add remaining devices
       docs: Add documentation for the mps3-an536 board
-Peter Maydell (14):
+Philippe Mathieu-Daudé (5):
-      target/arm: Create decodetree skeleton for A64
+      hw/arm/xilinx_zynq: Wire FIQ between CPU <> GIC
-      target/arm: Pull calls to disas_sve() and disas_sme() out of legacy decoder
+      hw/arm/stellaris: Convert ADC controller to Resettable interface
-      target/arm: Convert Extract instructions to decodetree
+      hw/arm/stellaris: Convert I2C controller to Resettable interface
-      target/arm: Convert unconditional branch immediate to decodetree
+      hw/arm/stellaris: Add missing QOM 'machine' parent
-      target/arm: Convert CBZ, CBNZ to decodetree
+      hw/arm/stellaris: Add missing QOM 'SoC' parent
       target/arm: Convert TBZ, TBNZ to decodetree
       target/arm: Convert conditional branch insns to decodetree
       target/arm: Convert BR, BLR, RET to decodetree
       target/arm: Convert BRA[AB]Z, BLR[AB]Z, RETA[AB] to decodetree
       target/arm: Convert BRAA, BRAB, BLRAA, BLRAB to decodetree
       target/arm: Convert ERET, ERETAA, ERETAB to decodetree
       target/arm: Saturate L2CTLR_EL1 core count field rather than overflowing
       hw/arm/vexpress: Avoid trivial memory leak of 'flashalias'
       docs: Convert u2f.txt to rST
-Richard Henderson (10):
+Richard Henderson (6):
-      target/arm: Fix vd == vm overlap in sve_ldff1_z
+      linux-user/aarch64: Choose SYNC as the preferred MTE mode
-      target/arm: Split out disas_a64_legacy
+      target/arm: Fix nregs computation in do_{ld,st}_zpa
-      target/arm: Convert PC-rel addressing to decodetree
+      target/arm: Adjust and validate mtedesc sizem1
-      target/arm: Split gen_add_CC and gen_sub_CC
+      target/arm: Split out make_svemte_desc
-      target/arm: Convert Add/subtract (immediate) to decodetree
+      target/arm: Handle mte in do_ldrq, do_ldro
-      target/arm: Convert Add/subtract (immediate with tags) to decodetree
+      target/arm: Fix SVE/SME gross MTE suppression checks
       target/arm: Replace bitmask64 with MAKE_64BIT_MASK
       target/arm: Convert Logical (immediate) to decodetree
       target/arm: Convert Move wide (immediate) to decodetree
       target/arm: Convert Bitfield to decodetree
- MAINTAINERS                      |    1 +
+ MAINTAINERS                             |   3 +-
- docs/system/device-emulation.rst |    1 +
+ docs/system/arm/mps2.rst                |  37 +-
- docs/system/devices/usb-u2f.rst  |   93 +++
+ configs/devices/arm-softmmu/default.mak |   1 +
- docs/system/devices/usb.rst      |    2 +-
+ hw/arm/smmuv3-internal.h                |   1 +
- docs/u2f.txt                     |  110 ----
+ include/hw/arm/smmu-common.h            |   1 +
- target/arm/cpu.h                 |    4 +
+ include/hw/arm/virt.h                   |   2 +
- target/arm/kvm_arm.h             |   19 +
+ include/hw/misc/mps2-scc.h              |   1 +
- target/arm/tcg/translate.h       |    5 +
+ linux-user/aarch64/target_prctl.h       |  29 +-
- target/arm/tcg/a64.decode        |  152 +++++
+ target/arm/internals.h                  |   2 +-
- hw/arm/sbsa-ref.c                |    4 +-
+ target/arm/tcg/translate-a64.h          |   2 +
- hw/arm/vexpress.c                |   40 +-
+ hw/arm/mps3r.c                          | 640 ++++++++++++++++++++++++++++++++
- hw/arm/virt.c                    |   73 ++-
+ hw/arm/npcm7xx.c                        |   1 +
- target/arm/cortex-regs.c         |   11 +-
+ hw/arm/smmu-common.c                    |  11 +
- target/arm/cpu.c                 |    9 +-
+ hw/arm/smmuv3.c                         |   1 +
- target/arm/debug_helper.c        |   11 +-
+ hw/arm/stellaris.c                      |  47 ++-
- target/arm/kvm.c                 |   35 +
+ hw/arm/virt-acpi-build.c                |  20 +-
- target/arm/kvm64.c               |    5 +
+ hw/arm/virt.c                           |  60 ++-
- target/arm/tcg/sve_helper.c      |    6 +
+ hw/arm/xilinx_zynq.c                    |   2 +
- target/arm/tcg/translate-a64.c   | 1321 ++++++++++++++++----------------------
+ hw/block/tc58128.c                      |   4 +-
- target/arm/tcg/meson.build       |    1 +
+ hw/misc/mps2-scc.c                      | 138 ++++++-
-files changed, 979 insertions(+), 924 deletions(-)
+ hw/pci-host/raven.c                     |   1 +
- create mode 100644 docs/system/devices/usb-u2f.rst
+ target/arm/helper.c                     |  14 +-
- delete mode 100644 docs/u2f.txt
+ target/arm/tcg/cpu32.c                  | 109 ++++++
- create mode 100644 target/arm/tcg/a64.decode
+ target/arm/tcg/op_helper.c              |  43 ++-
  target/arm/tcg/sme_helper.c             |   8 +-
  target/arm/tcg/sve_helper.c             |  12 +-
  target/arm/tcg/translate-sme.c          |  15 +-
  target/arm/tcg/translate-sve.c          |  83 +++--
  target/arm/tcg/translate.c              |  19 +-
  tests/qtest/npcm7xx_emc-test.c          |   5 +-
  tests/qtest/npcm_gmac-test.c            |  84 +----
  hw/arm/Kconfig                          |   5 +
  hw/arm/meson.build                      |   1 +
  tests/data/acpi/virt/FACP               | Bin 276 -> 276 bytes
  tests/data/acpi/virt/GTDT               | Bin 96 -> 104 bytes
  tests/qtest/meson.build                 |   4 +-
 files changed, 1184 insertions(+), 222 deletions(-)
  create mode 100644 hw/arm/mps3r.c

-New patch
+[PULL 01/35] hw/arm/xilinx_zynq: Wire FIQ between CPU <> GIC
+From: Philippe Mathieu-Daudé <philmd@linaro.org>
+Similarly to commits dadbb58f59..5ae79fe825 for other ARM boards,
+connect FIQ output of the GIC CPU interfaces to the CPU.
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Message-id: 20240130152548.17855-1-philmd@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/xilinx_zynq.c | 2 ++
+file changed, 2 insertions(+)
+diff --git a/hw/arm/xilinx_zynq.c b/hw/arm/xilinx_zynq.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/xilinx_zynq.c
++++ b/hw/arm/xilinx_zynq.c
+@@ -XXX,XX +XXX,XX @@ static void zynq_init(MachineState *machine)
+     sysbus_mmio_map(busdev, 0, MPCORE_PERIPHBASE);
+     sysbus_connect_irq(busdev, 0,
+                        qdev_get_gpio_in(DEVICE(cpu), ARM_CPU_IRQ));
++    sysbus_connect_irq(busdev, 1,
++                       qdev_get_gpio_in(DEVICE(cpu), ARM_CPU_FIQ));
+     for (n = 0; n < 64; n++) {
+         pic[n] = qdev_get_gpio_in(dev, n);
+--
+.34.1

-[PULL 14/29] target/arm: Replace bitmask64 with MAKE_64BIT_MASK
+[PULL 02/35] linux-user/aarch64: Choose SYNC as the preferred MTE mode
 From: Richard Henderson <richard.henderson@linaro.org>
-Use the bitops.h macro rather than rolling our own here.
+The API does not generate an error for setting ASYNC | SYNC; that merely
 constrains the selection vs the per-cpu default.  For qemu linux-user,
 choose SYNC as the default.
+Cc: qemu-stable@nongnu.org
+Reported-by: Gustavo Romero <gustavo.romero@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Tested-by: Gustavo Romero <gustavo.romero@linaro.org>
 Message-id: 20240207025210.8837-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20230512144106.3608981-9-peter.maydell@linaro.org
 ---
- target/arm/tcg/translate-a64.c | 11 ++---------
+ linux-user/aarch64/target_prctl.h | 29 +++++++++++++++++------------
-file changed, 2 insertions(+), 9 deletions(-)
+file changed, 17 insertions(+), 12 deletions(-)
-diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/translate-a64.c
+--- a/linux-user/aarch64/target_prctl.h
-+++ b/target/arm/tcg/translate-a64.c
++++ b/linux-user/aarch64/target_prctl.h
-@@ -XXX,XX +XXX,XX @@ static uint64_t bitfield_replicate(uint64_t mask, unsigned int e)
+@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_set_tagged_addr_ctrl(CPUArchState *env, abi_long arg2)
-     return mask;
+     env->tagged_addr_enable = arg2 & PR_TAGGED_ADDR_ENABLE;
- }
+     if (cpu_isar_feature(aa64_mte, cpu)) {
--/* Return a value with the bottom len bits set (where 0 < len <= 64) */
+-        switch (arg2 & PR_MTE_TCF_MASK) {
--static inline uint64_t bitmask64(unsigned int length)
+-        case PR_MTE_TCF_NONE:
--{
+-        case PR_MTE_TCF_SYNC:
--    assert(length > 0 && length <= 64);
+-        case PR_MTE_TCF_ASYNC:
--    return ~0ULL >> (64 - length);
+-            break;
--}
+-        default:
 -            return -EINVAL;
 -        }
 -
- /* Simplified variant of pseudocode DecodeBitMasks() for the case where we
+         /*
-  * only require the wmask. Returns false if the imms/immr/immn are a reserved
+          * Write PR_MTE_TCF to SCTLR_EL1[TCF0].
-  * value (ie should cause a guest UNDEF exception), and true if they are
+-         * Note that the syscall values are consistent with hw.
-@@ -XXX,XX +XXX,XX @@ bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
++         *
-     /* Create the value of one element: s+1 set bits rotated
++         * The kernel has a per-cpu configuration for the sysadmin,
-      * by r within the element (which is e bits wide)...
++         * /sys/devices/system/cpu/cpu<N>/mte_tcf_preferred,
-      */
++         * which qemu does not implement.
--    mask = bitmask64(s + 1);
++         *
-+    mask = MAKE_64BIT_MASK(0, s + 1);
++         * Because there is no performance difference between the modes, and
-     if (r) {
++         * because SYNC is most useful for debugging MTE errors, choose SYNC
-         mask = (mask >> r) | (mask << (e - r));
++         * as the preferred mode.  With this preference, and the way the API
--        mask &= bitmask64(e);
++         * uses only two bits, there is no way for the program to select
-+        mask &= MAKE_64BIT_MASK(0, e);
++         * ASYMM mode.
-     }
+          */
-     /* ...then replicate the element over the whole 64 bit value */
+-        env->cp15.sctlr_el[1] =
-     mask = bitfield_replicate(mask, e);
+-            deposit64(env->cp15.sctlr_el[1], 38, 2, arg2 >> PR_MTE_TCF_SHIFT);
 +        unsigned tcf = 0;
 +        if (arg2 & PR_MTE_TCF_SYNC) {
 +            tcf = 1;
 +        } else if (arg2 & PR_MTE_TCF_ASYNC) {
 +            tcf = 2;
 +        }
 +        env->cp15.sctlr_el[1] = deposit64(env->cp15.sctlr_el[1], 38, 2, tcf);
          /*
           * Write PR_MTE_TAG to GCR_EL1[Exclude].
 --
 .34.1

-[PULL 13/29] target/arm: Convert Add/subtract (immediate with tags) to decodetree
+[PULL 03/35] target/arm: Fix nregs computation in do_{ld,st}_zpa
 From: Richard Henderson <richard.henderson@linaro.org>
-Convert the ADDG and SUBG (immediate) instructions.
+The field is encoded as [0-3], which is convenient for
 indexing our array of function pointers, but the true
 value is [1-4].  Adjust before calling do_mem_zpa.
+Add an assert, and move the comment re passing ZT to
+the helper back next to the relevant code.
+Cc: qemu-stable@nongnu.org
+Fixes: 206adacfb8d ("target/arm: Add mte helpers for sve scalar + int loads")
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Tested-by: Gustavo Romero <gustavo.romero@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20240207025210.8837-3-richard.henderson@linaro.org
 Message-id: 20230512144106.3608981-8-peter.maydell@linaro.org
 [PMM: Rebased; use TRANS_FEAT()]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/tcg/a64.decode      |  8 +++++++
+ target/arm/tcg/translate-sve.c | 16 ++++++++--------
- target/arm/tcg/translate-a64.c | 38 ++++++++++------------------------
+file changed, 8 insertions(+), 8 deletions(-)
 files changed, 19 insertions(+), 27 deletions(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/target/arm/tcg/translate-sve.c
-+++ b/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ SUB_i           . 10 100010 0 ............ ..... .....  @addsub_imm
+@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
- SUB_i           . 10 100010 1 ............ ..... .....  @addsub_imm12
+     TCGv_ptr t_pg;
- SUBS_i          . 11 100010 0 ............ ..... .....  @addsub_imm
+     int desc = 0;
- SUBS_i          . 11 100010 1 ............ ..... .....  @addsub_imm12
-+
+-    /*
-+# Add/subtract (immediate with tags)
+-     * For e.g. LD4, there are not enough arguments to pass all 4
-+
+-     * registers as pointers, so encode the regno into the data field.
-+&rri_tag        rd rn uimm6 uimm4
+-     * For consistency, do this even for LD1.
-+@addsub_imm_tag . .. ...... . uimm6:6 .. uimm4:4 rn:5 rd:5 &rri_tag
+-     */
-+
++    assert(mte_n >= 1 && mte_n <= 4);
-+ADDG_i          1 00 100011 0 ...... 00 .... ..... ..... @addsub_imm_tag
+     if (s->mte_active[0]) {
-+SUBG_i          1 10 100011 0 ...... 00 .... ..... ..... @addsub_imm_tag
+         int msz = dtype_msz(dtype);
-diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
-index XXXXXXX..XXXXXXX 100644
+@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
---- a/target/arm/tcg/translate-a64.c
+         addr = clean_data_tbi(s, addr);
 +++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ TRANS(SUBS_i, gen_rri, a, 0, 1, a->sf ? gen_sub64_CC : gen_sub32_CC)
  /*
   * Add/subtract (immediate, with tags)
 - *
 - *  31 30 29 28         23 22 21     16 14      10 9   5 4   0
 - * +--+--+--+-------------+--+---------+--+-------+-----+-----+
 - * |sf|op| S| 1 0 0 0 1 1 |o2|  uimm6  |o3| uimm4 |  Rn | Rd  |
 - * +--+--+--+-------------+--+---------+--+-------+-----+-----+
 - *
 - *    op: 0 -> add, 1 -> sub
   */
 -static void disas_add_sub_imm_with_tags(DisasContext *s, uint32_t insn)
 +
 +static bool gen_add_sub_imm_with_tags(DisasContext *s, arg_rri_tag *a,
 +                                      bool sub_op)
  {
 -    int rd = extract32(insn, 0, 5);
 -    int rn = extract32(insn, 5, 5);
 -    int uimm4 = extract32(insn, 10, 4);
 -    int uimm6 = extract32(insn, 16, 6);
 -    bool sub_op = extract32(insn, 30, 1);
      TCGv_i64 tcg_rn, tcg_rd;
      int imm;
 -    /* Test all of sf=1, S=0, o2=0, o3=0.  */
 -    if ((insn & 0xa040c000u) != 0x80000000u ||
 -        !dc_isar_feature(aa64_mte_insn_reg, s)) {
 -        unallocated_encoding(s);
 -        return;
 -    }
 -
 -    imm = uimm6 << LOG2_TAG_GRANULE;
 +    imm = a->uimm6 << LOG2_TAG_GRANULE;
      if (sub_op) {
          imm = -imm;
      }
--    tcg_rn = cpu_reg_sp(s, rn);
++    /*
--    tcg_rd = cpu_reg_sp(s, rd);
++     * For e.g. LD4, there are not enough arguments to pass all 4
-+    tcg_rn = cpu_reg_sp(s, a->rn);
++     * registers as pointers, so encode the regno into the data field.
-+    tcg_rd = cpu_reg_sp(s, a->rd);
++     * For consistency, do this even for LD1.
++     */
-     if (s->ata) {
+     desc = simd_desc(vsz, vsz, zt | desc);
-         gen_helper_addsubg(tcg_rd, cpu_env, tcg_rn,
+     t_pg = tcg_temp_new_ptr();
-                            tcg_constant_i32(imm),
--                           tcg_constant_i32(uimm4));
+@@ -XXX,XX +XXX,XX @@ static void do_ld_zpa(DisasContext *s, int zt, int pg,
-+                           tcg_constant_i32(a->uimm4));
+      * accessible via the instruction encoding.
       */
      assert(fn != NULL);
 -    do_mem_zpa(s, zt, pg, addr, dtype, nreg, false, fn);
 +    do_mem_zpa(s, zt, pg, addr, dtype, nreg + 1, false, fn);
  }
  static bool trans_LD_zprr(DisasContext *s, arg_rprr_load *a)
@@ -XXX,XX +XXX,XX @@ static void do_st_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
      if (nreg == 0) {
          /* ST1 */
          fn = fn_single[s->mte_active[0]][be][msz][esz];
 -        nreg = 1;
      } else {
-         tcg_gen_addi_i64(tcg_rd, tcg_rn, imm);
+         /* ST2, ST3, ST4 -- msz == esz, enforced by encoding */
-         gen_address_with_allocation_tag0(tcg_rd, tcg_rd);
+         assert(msz == esz);
          fn = fn_multiple[s->mte_active[0]][be][nreg - 1][msz];
      }
-+    return true;
+     assert(fn != NULL);
 -    do_mem_zpa(s, zt, pg, addr, msz_dtype(s, msz), nreg, true, fn);
 +    do_mem_zpa(s, zt, pg, addr, msz_dtype(s, msz), nreg + 1, true, fn);
  }
-+TRANS_FEAT(ADDG_i, aa64_mte_insn_reg, gen_add_sub_imm_with_tags, a, false)
+ static bool trans_ST_zprr(DisasContext *s, arg_rprr_store *a)
 +TRANS_FEAT(SUBG_i, aa64_mte_insn_reg, gen_add_sub_imm_with_tags, a, true)
 +
  /* The input should be a value in the bottom e bits (with higher
   * bits zero); returns that value replicated into every element
   * of size e in a 64 bit integer.
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
  static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
  {
      switch (extract32(insn, 23, 6)) {
 -    case 0x23: /* Add/subtract (immediate, with tags) */
 -        disas_add_sub_imm_with_tags(s, insn);
 -        break;
      case 0x24: /* Logical (immediate) */
          disas_logic_imm(s, insn);
          break;
 --
 .34.1

-[PULL 16/29] target/arm: Convert Move wide (immediate) to decodetree
+[PULL 04/35] target/arm: Adjust and validate mtedesc sizem1
 From: Richard Henderson <richard.henderson@linaro.org>
-Convert the MON, MOVZ, MOVK instructions.
+When we added SVE_MTEDESC_SHIFT, we effectively limited the
 maximum size of MTEDESC.  Adjust SIZEM1 to consume the remaining
 bits (32 - 10 - 5 - 12 == 5).  Assert that the data to be stored
 fits within the field (expecting 8 * 4 - 1 == 31, exact fit).
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Tested-by: Gustavo Romero <gustavo.romero@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20240207025210.8837-4-richard.henderson@linaro.org
 Message-id: 20230512144106.3608981-11-peter.maydell@linaro.org
 [PMM: Rebased]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/tcg/a64.decode      | 13 ++++++
+ target/arm/internals.h         | 2 +-
- target/arm/tcg/translate-a64.c | 73 ++++++++++++++--------------------
+ target/arm/tcg/translate-sve.c | 7 ++++---
-files changed, 42 insertions(+), 44 deletions(-)
+files changed, 5 insertions(+), 4 deletions(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/target/arm/internals.h
-+++ b/target/arm/tcg/a64.decode
++++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ EOR_i           . 10 100100 . ...... ...... ..... ..... @logic_imm_64
+@@ -XXX,XX +XXX,XX @@ FIELD(MTEDESC, TBI,   4, 2)
- EOR_i           . 10 100100 . ...... ...... ..... ..... @logic_imm_32
+ FIELD(MTEDESC, TCMA,  6, 2)
- ANDS_i          . 11 100100 . ...... ...... ..... ..... @logic_imm_64
+ FIELD(MTEDESC, WRITE, 8, 1)
- ANDS_i          . 11 100100 . ...... ...... ..... ..... @logic_imm_32
+ FIELD(MTEDESC, ALIGN, 9, 3)
-+
+-FIELD(MTEDESC, SIZEM1, 12, SIMD_DATA_BITS - 12)  /* size - 1 */
-+# Move wide (immediate)
++FIELD(MTEDESC, SIZEM1, 12, SIMD_DATA_BITS - SVE_MTEDESC_SHIFT - 12)  /* size - 1 */
-+
-+&movw           rd sf imm hw
+ bool mte_probe(CPUARMState *env, uint32_t desc, uint64_t ptr);
-+@movw_64        1 .. ...... hw:2   imm:16 rd:5          &movw sf=1
+ uint64_t mte_check(CPUARMState *env, uint32_t desc, uint64_t ptr, uintptr_t ra);
-+@movw_32        0 .. ...... 0 hw:1 imm:16 rd:5          &movw sf=0
+diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c
 +
 +MOVN            . 00 100101 .. ................ .....   @movw_64
 +MOVN            . 00 100101 .. ................ .....   @movw_32
 +MOVZ            . 10 100101 .. ................ .....   @movw_64
 +MOVZ            . 10 100101 .. ................ .....   @movw_32
 +MOVK            . 11 100101 .. ................ .....   @movw_64
 +MOVK            . 11 100101 .. ................ .....   @movw_32
 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/translate-a64.c
+--- a/target/arm/tcg/translate-sve.c
-+++ b/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ TRANS(ANDS_i, gen_rri_log, a, true, tcg_gen_andi_i64)
+@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
  /*
   * Move wide (immediate)
 - *
 - *  31 30 29 28         23 22 21 20             5 4    0
 - * +--+-----+-------------+-----+----------------+------+
 - * |sf| opc | 1 0 0 1 0 1 |  hw |  imm16         |  Rd  |
 - * +--+-----+-------------+-----+----------------+------+
 - *
 - * sf: 0 -> 32 bit, 1 -> 64 bit
 - * opc: 00 -> N, 10 -> Z, 11 -> K
 - * hw: shift/16 (0,16, and sf only 32, 48)
   */
 -static void disas_movw_imm(DisasContext *s, uint32_t insn)
 +
 +static bool trans_MOVZ(DisasContext *s, arg_movw *a)
  {
--    int rd = extract32(insn, 0, 5);
+     unsigned vsz = vec_full_reg_size(s);
--    uint64_t imm = extract32(insn, 5, 16);
+     TCGv_ptr t_pg;
--    int sf = extract32(insn, 31, 1);
++    uint32_t sizem1;
--    int opc = extract32(insn, 29, 2);
+     int desc = 0;
--    int pos = extract32(insn, 21, 2) << 4;
--    TCGv_i64 tcg_rd = cpu_reg(s, rd);
+     assert(mte_n >= 1 && mte_n <= 4);
-+    int pos = a->hw << 4;
++    sizem1 = (mte_n << dtype_msz(dtype)) - 1;
-+    tcg_gen_movi_i64(cpu_reg(s, a->rd), (uint64_t)a->imm << pos);
++    assert(sizem1 <= R_MTEDESC_SIZEM1_MASK >> R_MTEDESC_SIZEM1_SHIFT);
-+    return true;
+     if (s->mte_active[0]) {
-+}
+-        int msz = dtype_msz(dtype);
+-
--    if (!sf && (pos >= 32)) {
+         desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
--        unallocated_encoding(s);
+         desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
--        return;
+         desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
--    }
+         desc = FIELD_DP32(desc, MTEDESC, WRITE, is_write);
-+static bool trans_MOVN(DisasContext *s, arg_movw *a)
+-        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (mte_n << msz) - 1);
-+{
++        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, sizem1);
-+    int pos = a->hw << 4;
+         desc <<= SVE_MTEDESC_SHIFT;
-+    uint64_t imm = a->imm;
+     } else {
+         addr = clean_data_tbi(s, addr);
 -    switch (opc) {
 -    case 0: /* MOVN */
 -    case 2: /* MOVZ */
 -        imm <<= pos;
 -        if (opc == 0) {
 -            imm = ~imm;
 -        }
 -        if (!sf) {
 -            imm &= 0xffffffffu;
 -        }
 -        tcg_gen_movi_i64(tcg_rd, imm);
 -        break;
 -    case 3: /* MOVK */
 -        tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_constant_i64(imm), pos, 16);
 -        if (!sf) {
 -            tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
 -        }
 -        break;
 -    default:
 -        unallocated_encoding(s);
 -        break;
 +    imm = ~(imm << pos);
 +    if (!a->sf) {
 +        imm = (uint32_t)imm;
      }
 +    tcg_gen_movi_i64(cpu_reg(s, a->rd), imm);
 +    return true;
 +}
 +
 +static bool trans_MOVK(DisasContext *s, arg_movw *a)
 +{
 +    int pos = a->hw << 4;
 +    TCGv_i64 tcg_rd, tcg_im;
 +
 +    tcg_rd = cpu_reg(s, a->rd);
 +    tcg_im = tcg_constant_i64(a->imm);
 +    tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_im, pos, 16);
 +    if (!a->sf) {
 +        tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
 +    }
 +    return true;
  }
  /* Bitfield
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
  static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
  {
      switch (extract32(insn, 23, 6)) {
 -    case 0x25: /* Move wide (immediate) */
 -        disas_movw_imm(s, insn);
 -        break;
      case 0x26: /* Bitfield */
          disas_bitfield(s, insn);
          break;
 --
 .34.1

-[PULL 12/29] target/arm: Convert Add/subtract (immediate) to decodetree
+[PULL 05/35] target/arm: Split out make_svemte_desc
 From: Richard Henderson <richard.henderson@linaro.org>
-Convert the ADD and SUB (immediate) instructions.
+Share code that creates mtedesc and embeds within simd_desc.
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Tested-by: Gustavo Romero <gustavo.romero@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20240207025210.8837-5-richard.henderson@linaro.org
 Message-id: 20230512144106.3608981-7-peter.maydell@linaro.org
 [PMM: Rebased; adjusted to use translate.h's TRANS macro]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/tcg/translate.h     |  5 +++
+ target/arm/tcg/translate-a64.h |  2 ++
- target/arm/tcg/a64.decode      | 17 ++++++++
+ target/arm/tcg/translate-sme.c | 15 +++--------
- target/arm/tcg/translate-a64.c | 73 ++++++++++------------------------
+ target/arm/tcg/translate-sve.c | 47 ++++++++++++++++++----------------
-files changed, 42 insertions(+), 53 deletions(-)
+files changed, 31 insertions(+), 33 deletions(-)
-diff --git a/target/arm/tcg/translate.h b/target/arm/tcg/translate.h
+diff --git a/target/arm/tcg/translate-a64.h b/target/arm/tcg/translate-a64.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/translate.h
+--- a/target/arm/tcg/translate-a64.h
-+++ b/target/arm/tcg/translate.h
++++ b/target/arm/tcg/translate-a64.h
-@@ -XXX,XX +XXX,XX @@ static inline int rsub_8(DisasContext *s, int x)
+@@ -XXX,XX +XXX,XX @@ bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
-     return 8 - x;
+ bool sve_access_check(DisasContext *s);
- }
+ bool sme_enabled_check(DisasContext *s);
+ bool sme_enabled_check_with_svcr(DisasContext *s, unsigned);
-+static inline int shl_12(DisasContext *s, int x)
++uint32_t make_svemte_desc(DisasContext *s, unsigned vsz, uint32_t nregs,
-+{
++                          uint32_t msz, bool is_write, uint32_t data);
-+    return x << 12;
  /* This function corresponds to CheckStreamingSVEEnabled. */
  static inline bool sme_sm_enabled_check(DisasContext *s)
 diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate-sme.c
 +++ b/target/arm/tcg/translate-sme.c
@@ -XXX,XX +XXX,XX @@ static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
      TCGv_ptr t_za, t_pg;
      TCGv_i64 addr;
 -    int svl, desc = 0;
 +    uint32_t desc;
      bool be = s->be_data == MO_BE;
      bool mte = s->mte_active[0];
@@ -XXX,XX +XXX,XX @@ static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
      tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), a->esz);
      tcg_gen_add_i64(addr, addr, cpu_reg_sp(s, a->rn));
 -    if (mte) {
 -        desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
 -        desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
 -        desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
 -        desc = FIELD_DP32(desc, MTEDESC, WRITE, a->st);
 -        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (1 << a->esz) - 1);
 -        desc <<= SVE_MTEDESC_SHIFT;
 -    } else {
 +    if (!mte) {
          addr = clean_data_tbi(s, addr);
      }
 -    svl = streaming_vec_reg_size(s);
 -    desc = simd_desc(svl, svl, desc);
 +
 +    desc = make_svemte_desc(s, streaming_vec_reg_size(s), 1, a->esz, a->st, 0);
      fns[a->esz][be][a->v][mte][a->st](tcg_env, t_za, t_pg, addr,
                                        tcg_constant_i32(desc));
 diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate-sve.c
 +++ b/target/arm/tcg/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static const uint8_t dtype_esz[16] = {
 , 2, 1, 3
  };
 -static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
 -                       int dtype, uint32_t mte_n, bool is_write,
 -                       gen_helper_gvec_mem *fn)
 +uint32_t make_svemte_desc(DisasContext *s, unsigned vsz, uint32_t nregs,
 +                          uint32_t msz, bool is_write, uint32_t data)
  {
 -    unsigned vsz = vec_full_reg_size(s);
 -    TCGv_ptr t_pg;
      uint32_t sizem1;
 -    int desc = 0;
 +    uint32_t desc = 0;
 -    assert(mte_n >= 1 && mte_n <= 4);
 -    sizem1 = (mte_n << dtype_msz(dtype)) - 1;
 +    /* Assert all of the data fits, with or without MTE enabled. */
 +    assert(nregs >= 1 && nregs <= 4);
 +    sizem1 = (nregs << msz) - 1;
      assert(sizem1 <= R_MTEDESC_SIZEM1_MASK >> R_MTEDESC_SIZEM1_SHIFT);
 +    assert(data < 1u << SVE_MTEDESC_SHIFT);
 +
      if (s->mte_active[0]) {
          desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
          desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
          desc = FIELD_DP32(desc, MTEDESC, WRITE, is_write);
          desc = FIELD_DP32(desc, MTEDESC, SIZEM1, sizem1);
          desc <<= SVE_MTEDESC_SHIFT;
 -    } else {
 +    }
 +    return simd_desc(vsz, vsz, desc | data);
 +}
 +
- static inline int neon_3same_fp_size(DisasContext *s, int x)
++static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
 +                       int dtype, uint32_t nregs, bool is_write,
 +                       gen_helper_gvec_mem *fn)
 +{
 +    TCGv_ptr t_pg;
 +    uint32_t desc;
 +
 +    if (!s->mte_active[0]) {
          addr = clean_data_tbi(s, addr);
      }
@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
       * registers as pointers, so encode the regno into the data field.
       * For consistency, do this even for LD1.
       */
 -    desc = simd_desc(vsz, vsz, zt | desc);
 +    desc = make_svemte_desc(s, vec_full_reg_size(s), nregs,
 +                            dtype_msz(dtype), is_write, zt);
      t_pg = tcg_temp_new_ptr();
      tcg_gen_addi_ptr(t_pg, tcg_env, pred_full_reg_offset(s, pg));
@@ -XXX,XX +XXX,XX @@ static void do_mem_zpz(DisasContext *s, int zt, int pg, int zm,
                         int scale, TCGv_i64 scalar, int msz, bool is_write,
                         gen_helper_gvec_mem_scatter *fn)
  {
-     /* Convert 0==fp32, 1==fp16 into a MO_* value */
+-    unsigned vsz = vec_full_reg_size(s);
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+     TCGv_ptr t_zm = tcg_temp_new_ptr();
-index XXXXXXX..XXXXXXX 100644
+     TCGv_ptr t_pg = tcg_temp_new_ptr();
---- a/target/arm/tcg/a64.decode
+     TCGv_ptr t_zt = tcg_temp_new_ptr();
-+++ b/target/arm/tcg/a64.decode
+-    int desc = 0;
-@@ -XXX,XX +XXX,XX @@
+-
- #
+-    if (s->mte_active[0]) {
+-        desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
- &ri              rd imm
+-        desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
-+&rri_sf          rd rn imm sf
+-        desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
+-        desc = FIELD_DP32(desc, MTEDESC, WRITE, is_write);
+-        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (1 << msz) - 1);
- ### Data Processing - Immediate
+-        desc <<= SVE_MTEDESC_SHIFT;
-@@ -XXX,XX +XXX,XX @@
+-    }
+-    desc = simd_desc(vsz, vsz, desc | scale);
- ADR             0 .. 10000 ................... .....    @pcrel
++    uint32_t desc;
- ADRP            1 .. 10000 ................... .....    @pcrel
      tcg_gen_addi_ptr(t_pg, tcg_env, pred_full_reg_offset(s, pg));
      tcg_gen_addi_ptr(t_zm, tcg_env, vec_full_reg_offset(s, zm));
      tcg_gen_addi_ptr(t_zt, tcg_env, vec_full_reg_offset(s, zt));
 +
-+# Add/subtract (immediate)
++    desc = make_svemte_desc(s, vec_full_reg_size(s), 1, msz, is_write, scale);
-+
+     fn(tcg_env, t_zt, t_pg, t_zm, scalar, tcg_constant_i32(desc));
 +%imm12_sh12     10:12 !function=shl_12
 +@addsub_imm     sf:1 .. ...... . imm:12 rn:5 rd:5
 +@addsub_imm12   sf:1 .. ...... . ............ rn:5 rd:5 imm=%imm12_sh12
 +
 +ADD_i           . 00 100010 0 ............ ..... .....  @addsub_imm
 +ADD_i           . 00 100010 1 ............ ..... .....  @addsub_imm12
 +ADDS_i          . 01 100010 0 ............ ..... .....  @addsub_imm
 +ADDS_i          . 01 100010 1 ............ ..... .....  @addsub_imm12
 +
 +SUB_i           . 10 100010 0 ............ ..... .....  @addsub_imm
 +SUB_i           . 10 100010 1 ............ ..... .....  @addsub_imm12
 +SUBS_i          . 11 100010 0 ............ ..... .....  @addsub_imm
 +SUBS_i          . 11 100010 1 ............ ..... .....  @addsub_imm12
 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate-a64.c
 +++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_ldst(DisasContext *s, uint32_t insn)
      }
  }
-+typedef void ArithTwoOp(TCGv_i64, TCGv_i64, TCGv_i64);
-+
-+static bool gen_rri(DisasContext *s, arg_rri_sf *a,
-+                    bool rd_sp, bool rn_sp, ArithTwoOp *fn)
-+{
-+    TCGv_i64 tcg_rn = rn_sp ? cpu_reg_sp(s, a->rn) : cpu_reg(s, a->rn);
-+    TCGv_i64 tcg_rd = rd_sp ? cpu_reg_sp(s, a->rd) : cpu_reg(s, a->rd);
-+    TCGv_i64 tcg_imm = tcg_constant_i64(a->imm);
-+
-+    fn(tcg_rd, tcg_rn, tcg_imm);
-+    if (!a->sf) {
-+        tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
-+    }
-+    return true;
-+}
-+
- /*
-  * PC-rel. addressing
-  */
-@@ -XXX,XX +XXX,XX @@ static bool trans_ADRP(DisasContext *s, arg_ri *a)
- /*
-  * Add/subtract (immediate)
-- *
-- *  31 30 29 28         23 22 21         10 9   5 4   0
-- * +--+--+--+-------------+--+-------------+-----+-----+
-- * |sf|op| S| 1 0 0 0 1 0 |sh|    imm12    |  Rn | Rd  |
-- * +--+--+--+-------------+--+-------------+-----+-----+
-- *
-- *    sf: 0 -> 32bit, 1 -> 64bit
-- *    op: 0 -> add  , 1 -> sub
-- *     S: 1 -> set flags
-- *    sh: 1 -> LSL imm by 12
-  */
--static void disas_add_sub_imm(DisasContext *s, uint32_t insn)
--{
--    int rd = extract32(insn, 0, 5);
--    int rn = extract32(insn, 5, 5);
--    uint64_t imm = extract32(insn, 10, 12);
--    bool shift = extract32(insn, 22, 1);
--    bool setflags = extract32(insn, 29, 1);
--    bool sub_op = extract32(insn, 30, 1);
--    bool is_64bit = extract32(insn, 31, 1);
--
--    TCGv_i64 tcg_rn = cpu_reg_sp(s, rn);
--    TCGv_i64 tcg_rd = setflags ? cpu_reg(s, rd) : cpu_reg_sp(s, rd);
--    TCGv_i64 tcg_result;
--
--    if (shift) {
--        imm <<= 12;
--    }
--
--    tcg_result = tcg_temp_new_i64();
--    if (!setflags) {
--        if (sub_op) {
--            tcg_gen_subi_i64(tcg_result, tcg_rn, imm);
--        } else {
--            tcg_gen_addi_i64(tcg_result, tcg_rn, imm);
--        }
--    } else {
--        TCGv_i64 tcg_imm = tcg_constant_i64(imm);
--        if (sub_op) {
--            gen_sub_CC(is_64bit, tcg_result, tcg_rn, tcg_imm);
--        } else {
--            gen_add_CC(is_64bit, tcg_result, tcg_rn, tcg_imm);
--        }
--    }
--
--    if (is_64bit) {
--        tcg_gen_mov_i64(tcg_rd, tcg_result);
--    } else {
--        tcg_gen_ext32u_i64(tcg_rd, tcg_result);
--    }
--}
-+TRANS(ADD_i, gen_rri, a, 1, 1, tcg_gen_add_i64)
-+TRANS(SUB_i, gen_rri, a, 1, 1, tcg_gen_sub_i64)
-+TRANS(ADDS_i, gen_rri, a, 0, 1, a->sf ? gen_add64_CC : gen_add32_CC)
-+TRANS(SUBS_i, gen_rri, a, 0, 1, a->sf ? gen_sub64_CC : gen_sub32_CC)
- /*
-  * Add/subtract (immediate, with tags)
-@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
- static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
- {
-     switch (extract32(insn, 23, 6)) {
--    case 0x22: /* Add/subtract (immediate) */
--        disas_add_sub_imm(s, insn);
--        break;
-     case 0x23: /* Add/subtract (immediate, with tags) */
-         disas_add_sub_imm_with_tags(s, insn);
-         break;
 --
 .34.1

-[PULL 07/29] target/arm: Split out disas_a64_legacy
+[PULL 06/35] target/arm: Handle mte in do_ldrq, do_ldro
 From: Richard Henderson <richard.henderson@linaro.org>
-Split out all of the decode stuff from aarch64_tr_translate_insn.
+These functions "use the standard load helpers", but
-Call it disas_a64_legacy to indicate it will be replaced.
+fail to clean_data_tbi or populate mtedesc.
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Tested-by: Gustavo Romero <gustavo.romero@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20240207025210.8837-6-richard.henderson@linaro.org
 Message-id: 20230512144106.3608981-2-peter.maydell@linaro.org
 [PMM: Rebased]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/tcg/translate-a64.c | 82 ++++++++++++++++++----------------
+ target/arm/tcg/translate-sve.c | 15 +++++++++++++--
-file changed, 44 insertions(+), 38 deletions(-)
+file changed, 13 insertions(+), 2 deletions(-)
-diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/translate-a64.c
+--- a/target/arm/tcg/translate-sve.c
-+++ b/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool btype_destination_ok(uint32_t insn, bool bt, int btype)
+@@ -XXX,XX +XXX,XX @@ static void do_ldrq(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)
-     return false;
+     unsigned vsz = vec_full_reg_size(s);
- }
+     TCGv_ptr t_pg;
+     int poff;
-+/* C3.1 A64 instruction index by encoding */
++    uint32_t desc;
-+static void disas_a64_legacy(DisasContext *s, uint32_t insn)
-+{
+     /* Load the first quadword using the normal predicated load helpers.  */
-+    switch (extract32(insn, 25, 4)) {
++    if (!s->mte_active[0]) {
-+    case 0x0:
++        addr = clean_data_tbi(s, addr);
 +        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
 +            unallocated_encoding(s);
 +        }
 +        break;
 +    case 0x1: case 0x3: /* UNALLOCATED */
 +        unallocated_encoding(s);
 +        break;
 +    case 0x2:
 +        if (!disas_sve(s, insn)) {
 +            unallocated_encoding(s);
 +        }
 +        break;
 +    case 0x8: case 0x9: /* Data processing - immediate */
 +        disas_data_proc_imm(s, insn);
 +        break;
 +    case 0xa: case 0xb: /* Branch, exception generation and system insns */
 +        disas_b_exc_sys(s, insn);
 +        break;
 +    case 0x4:
 +    case 0x6:
 +    case 0xc:
 +    case 0xe:      /* Loads and stores */
 +        disas_ldst(s, insn);
 +        break;
 +    case 0x5:
 +    case 0xd:      /* Data processing - register */
 +        disas_data_proc_reg(s, insn);
 +        break;
 +    case 0x7:
 +    case 0xf:      /* Data processing - SIMD and floating point */
 +        disas_data_proc_simd_fp(s, insn);
 +        break;
 +    default:
 +        assert(FALSE); /* all 15 cases should be handled above */
 +        break;
 +    }
-+}
 +
- static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
+     poff = pred_full_reg_offset(s, pg);
-                                           CPUState *cpu)
+     if (vsz > 16) {
- {
+         /*
-@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+@@ -XXX,XX +XXX,XX @@ static void do_ldrq(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)
-         disas_sme_fa64(s, insn);
      gen_helper_gvec_mem *fn
          = ldr_fns[s->mte_active[0]][s->be_data == MO_BE][dtype][0];
 -    fn(tcg_env, t_pg, addr, tcg_constant_i32(simd_desc(16, 16, zt)));
 +    desc = make_svemte_desc(s, 16, 1, dtype_msz(dtype), false, zt);
 +    fn(tcg_env, t_pg, addr, tcg_constant_i32(desc));
      /* Replicate that first quadword.  */
      if (vsz > 16) {
@@ -XXX,XX +XXX,XX @@ static void do_ldro(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)
      unsigned vsz_r32;
      TCGv_ptr t_pg;
      int poff, doff;
 +    uint32_t desc;
      if (vsz < 32) {
          /*
@@ -XXX,XX +XXX,XX @@ static void do_ldro(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)
      }
--    switch (extract32(insn, 25, 4)) {
+     /* Load the first octaword using the normal predicated load helpers.  */
--    case 0x0:
++    if (!s->mte_active[0]) {
--        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
++        addr = clean_data_tbi(s, addr);
--            unallocated_encoding(s);
++    }
--        }
--        break;
+     poff = pred_full_reg_offset(s, pg);
--    case 0x1: case 0x3: /* UNALLOCATED */
+     if (vsz > 32) {
--        unallocated_encoding(s);
+@@ -XXX,XX +XXX,XX @@ static void do_ldro(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)
--        break;
--    case 0x2:
+     gen_helper_gvec_mem *fn
--        if (!disas_sve(s, insn)) {
+         = ldr_fns[s->mte_active[0]][s->be_data == MO_BE][dtype][0];
--            unallocated_encoding(s);
+-    fn(tcg_env, t_pg, addr, tcg_constant_i32(simd_desc(32, 32, zt)));
--        }
++    desc = make_svemte_desc(s, 32, 1, dtype_msz(dtype), false, zt);
--        break;
++    fn(tcg_env, t_pg, addr, tcg_constant_i32(desc));
 -    case 0x8: case 0x9: /* Data processing - immediate */
 -        disas_data_proc_imm(s, insn);
 -        break;
 -    case 0xa: case 0xb: /* Branch, exception generation and system insns */
 -        disas_b_exc_sys(s, insn);
 -        break;
 -    case 0x4:
 -    case 0x6:
 -    case 0xc:
 -    case 0xe:      /* Loads and stores */
 -        disas_ldst(s, insn);
 -        break;
 -    case 0x5:
 -    case 0xd:      /* Data processing - register */
 -        disas_data_proc_reg(s, insn);
 -        break;
 -    case 0x7:
 -    case 0xf:      /* Data processing - SIMD and floating point */
 -        disas_data_proc_simd_fp(s, insn);
 -        break;
 -    default:
 -        assert(FALSE); /* all 15 cases should be handled above */
 -        break;
 -    }
 +    disas_a64_legacy(s, insn);
      /*
-      * After execution of most insns, btype is reset to 0.
+      * Replicate that first octaword.
 --
 .34.1

-[PULL 02/29] target/arm: Fix vd == vm overlap in sve_ldff1_z
+[PULL 07/35] target/arm: Fix SVE/SME gross MTE suppression checks
 From: Richard Henderson <richard.henderson@linaro.org>
-If vd == vm, copy vm to scratch, so that we can pre-zero
+The TBI and TCMA bits are located within mtedesc, not desc.
 the output and still access the gather indicies.
 Cc: qemu-stable@nongnu.org
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1612
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20230504104232.1877774-1-richard.henderson@linaro.org
+Tested-by: Gustavo Romero <gustavo.romero@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20240207025210.8837-7-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/tcg/sve_helper.c | 6 ++++++
+ target/arm/tcg/sme_helper.c |  8 ++++----
-file changed, 6 insertions(+)
+ target/arm/tcg/sve_helper.c | 12 ++++++------
 files changed, 10 insertions(+), 10 deletions(-)
+diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/sme_helper.c
++++ b/target/arm/tcg/sme_helper.c
+@@ -XXX,XX +XXX,XX @@ void sme_ld1_mte(CPUARMState *env, void *za, uint64_t *vg,
+     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+     /* Perform gross MTE suppression early. */
+-    if (!tbi_check(desc, bit55) ||
+-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
++    if (!tbi_check(mtedesc, bit55) ||
++        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
+         mtedesc = 0;
+     }
+@@ -XXX,XX +XXX,XX @@ void sme_st1_mte(CPUARMState *env, void *za, uint64_t *vg, target_ulong addr,
+     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+     /* Perform gross MTE suppression early. */
+-    if (!tbi_check(desc, bit55) ||
+-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
++    if (!tbi_check(mtedesc, bit55) ||
++        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
+         mtedesc = 0;
+     }
 diff --git a/target/arm/tcg/sve_helper.c b/target/arm/tcg/sve_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/sve_helper.c
 +++ b/target/arm/tcg/sve_helper.c
-@@ -XXX,XX +XXX,XX @@ void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
+@@ -XXX,XX +XXX,XX @@ void sve_ldN_r_mte(CPUARMState *env, uint64_t *vg, target_ulong addr,
-     intptr_t reg_off;
+     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
-     SVEHostPage info;
-     target_ulong addr, in_page;
+     /* Perform gross MTE suppression early. */
-+    ARMVectorReg scratch;
+-    if (!tbi_check(desc, bit55) ||
+-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
-     /* Skip to the first true predicate.  */
++    if (!tbi_check(mtedesc, bit55) ||
-     reg_off = find_next_active(vg, 0, reg_max, esz);
++        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
-@@ -XXX,XX +XXX,XX @@ void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
+         mtedesc = 0;
          return;
      }
-+    /* Protect against overlap between vd and vm. */
+@@ -XXX,XX +XXX,XX @@ void sve_ldnfff1_r_mte(CPUARMState *env, void *vg, target_ulong addr,
-+    if (unlikely(vd == vm)) {
+     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
-+        vm = memcpy(&scratch, vm, reg_max);
-+    }
+     /* Perform gross MTE suppression early. */
-+
+-    if (!tbi_check(desc, bit55) ||
-     /*
+-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
-      * Probe the first element, allowing faults.
++    if (!tbi_check(mtedesc, bit55) ||
-      */
++        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
          mtedesc = 0;
      }
@@ -XXX,XX +XXX,XX @@ void sve_stN_r_mte(CPUARMState *env, uint64_t *vg, target_ulong addr,
      desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
      /* Perform gross MTE suppression early. */
 -    if (!tbi_check(desc, bit55) ||
 -        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
 +    if (!tbi_check(mtedesc, bit55) ||
 +        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
          mtedesc = 0;
      }
 --
 .34.1

-New patch
+[PULL 08/35] hw/pci-host/raven.c: Mark raven_io_ops as implementing unaligned accesses
+The raven_io_ops MemoryRegionOps is the only one in the source tree
+which sets .valid.unaligned to indicate that it should support
+unaligned accesses and which does not also set .impl.unaligned to
+indicate that its read and write functions can do the unaligned
+handling themselves.  This is a problem, because at the moment the
+core memory system does not implement the support for handling
+unaligned accesses by doing a series of aligned accesses and
+combining them (system/memory.c:access_with_adjusted_size() has a
+TODO comment noting this).
+Fortunately raven_io_read() and raven_io_write() will correctly deal
+with the case of being passed an unaligned address, so we can fix the
+missing unaligned access support by setting .impl.unaligned in the
+MemoryRegionOps struct.
+Fixes: 9a1839164c9c8f06 ("raven: Implement non-contiguous I/O region")
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Tested-by: Cédric Le Goater <clg@redhat.com>
+Reviewed-by: Cédric Le Goater <clg@redhat.com>
+Message-id: 20240112134640.1775041-1-peter.maydell@linaro.org
+---
+ hw/pci-host/raven.c | 1 +
+file changed, 1 insertion(+)
+diff --git a/hw/pci-host/raven.c b/hw/pci-host/raven.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/pci-host/raven.c
++++ b/hw/pci-host/raven.c
+@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps raven_io_ops = {
+     .write = raven_io_write,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+     .impl.max_access_size = 4,
++    .impl.unaligned = true,
+     .valid.unaligned = true,
+ };
+--
+.34.1

-[PULL 29/29] docs: Convert u2f.txt to rST
+[PULL 09/35] hw/block/tc58128: Don't emit deprecation warning under qtest
-Convert the u2f.txt file to rST, and place it in the right place
+Suppress the deprecation warning when we're running under qtest,
-in our manual layout. The old text didn't fit very well into our
+to avoid "make check" including warning messages in its output.
 manual style, so the new version ends up looking like a rewrite,
 although some of the original text is preserved:
  * the 'building' section of the old file is removed, since we
    generally assume that users have already built QEMU
  * some rather verbose text has been cut back
  * document the passthrough device first, on the assumption
    that's most likely to be of interest to users
  * cut back on the duplication of text between sections
  * format example command lines etc with rST
 As it's a short document it seemed simplest to do this all
 in one go rather than try to do a minimal syntactic conversion
 and then clean up the wording and layout.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Message-id: 20230421163734.1152076-1-peter.maydell@linaro.org
+Message-id: 20240206154151.155620-1-peter.maydell@linaro.org
 ---
- docs/system/device-emulation.rst |   1 +
+ hw/block/tc58128.c | 4 +++-
- docs/system/devices/usb-u2f.rst  |  93 ++++++++++++++++++++++++++
+file changed, 3 insertions(+), 1 deletion(-)
  docs/system/devices/usb.rst      |   2 +-
  docs/u2f.txt                     | 110 -------------------------------
 files changed, 95 insertions(+), 111 deletions(-)
  create mode 100644 docs/system/devices/usb-u2f.rst
  delete mode 100644 docs/u2f.txt
-diff --git a/docs/system/device-emulation.rst b/docs/system/device-emulation.rst
+diff --git a/hw/block/tc58128.c b/hw/block/tc58128.c
 index XXXXXXX..XXXXXXX 100644
---- a/docs/system/device-emulation.rst
+--- a/hw/block/tc58128.c
-+++ b/docs/system/device-emulation.rst
++++ b/hw/block/tc58128.c
-@@ -XXX,XX +XXX,XX @@ Emulated Devices
+@@ -XXX,XX +XXX,XX @@ static sh7750_io_device tc58128 = {
-    devices/virtio-pmem.rst
-    devices/vhost-user-rng.rst
+ int tc58128_init(struct SH7750State *s, const char *zone1, const char *zone2)
-    devices/canokey.rst
+ {
-+   devices/usb-u2f.rst
+-    warn_report_once("The TC58128 flash device is deprecated");
-    devices/igb.rst
++    if (!qtest_enabled()) {
-diff --git a/docs/system/devices/usb-u2f.rst b/docs/system/devices/usb-u2f.rst
++        warn_report_once("The TC58128 flash device is deprecated");
-new file mode 100644
++    }
-index XXXXXXX..XXXXXXX
+     init_dev(&tc58128_devs[0], zone1);
---- /dev/null
+     init_dev(&tc58128_devs[1], zone2);
-+++ b/docs/system/devices/usb-u2f.rst
+     return sh7750_register_io_device(s, &tc58128);
@@ -XXX,XX +XXX,XX @@
 +Universal Second Factor (U2F) USB Key Device
 +============================================
 +
 +U2F is an open authentication standard that enables relying parties
 +exposed to the internet to offer a strong second factor option for end
 +user authentication.
 +
 +The second factor is provided by a device implementing the U2F
 +protocol. In case of a USB U2F security key, it is a USB HID device
 +that implements the U2F protocol.
 +
 +QEMU supports both pass-through of a host U2F key device to a VM,
 +and software emulation of a U2F key.
 +
 +``u2f-passthru``
 +----------------
 +
 +The ``u2f-passthru`` device allows you to connect a real hardware
 +U2F key on your host to a guest VM. All requests made from the guest
 +are passed through to the physical security key connected to the
 +host machine and vice versa.
 +
 +In addition, the dedicated pass-through allows you to share a single
 +U2F security key with several guest VMs, which is not possible with a
 +simple host device assignment pass-through.
 +
 +You can specify the host U2F key to use with the ``hidraw``
 +option, which takes the host path to a Linux ``/dev/hidrawN`` device:
 +
 +.. parsed-literal::
 +   |qemu_system| -usb -device u2f-passthru,hidraw=/dev/hidraw0
 +
 +If you don't specify the device, the ``u2f-passthru`` device will
 +autoscan to take the first U2F device it finds on the host (this
 +requires a working libudev):
 +
 +.. parsed-literal::
 +   |qemu_system| -usb -device u2f-passthru
 +
 +``u2f-emulated``
 +----------------
 +
 +``u2f-emulated`` is a completely software emulated U2F device.
 +It uses `libu2f-emu <https://github.com/MattGorko/libu2f-emu>`__
 +for the U2F key emulation. libu2f-emu
 +provides a complete implementation of the U2F protocol device part for
 +all specified transports given by the FIDO Alliance.
 +
 +To work, an emulated U2F device must have four elements:
 +
 + * ec x509 certificate
 + * ec private key
 + * counter (four bytes value)
 + * 48 bytes of entropy (random bits)
 +
 +To use this type of device, these have to be configured, and these
 +four elements must be passed one way or another.
 +
 +Assuming that you have a working libu2f-emu installed on the host,
 +there are three possible ways to configure the ``u2f-emulated`` device:
 +
 + * ephemeral
 + * setup directory
 + * manual
 +
 +Ephemeral is the simplest way to configure; it lets the device generate
 +all the elements it needs for a single use of the lifetime of the device.
 +It is the default if you do not pass any other options to the device.
 +
 +.. parsed-literal::
 +   |qemu_system| -usb -device u2f-emulated
 +
 +You can pass the device the path of a setup directory on the host
 +using the ``dir`` option; the directory must contain these four files:
 +
 + * ``certificate.pem``: ec x509 certificate
 + * ``private-key.pem``: ec private key
 + * ``counter``: counter value
 + * ``entropy``: 48 bytes of entropy
 +
 +.. parsed-literal::
 +   |qemu_system| -usb -device u2f-emulated,dir=$dir
 +
 +You can also manually pass the device the paths to each of these files,
 +if you don't want them all to be in the same directory, using the options
 +
 + * ``cert``
 + * ``priv``
 + * ``counter``
 + * ``entropy``
 +
 +.. parsed-literal::
 +   |qemu_system| -usb -device u2f-emulated,cert=$DIR1/$FILE1,priv=$DIR2/$FILE2,counter=$DIR3/$FILE3,entropy=$DIR4/$FILE4
 diff --git a/docs/system/devices/usb.rst b/docs/system/devices/usb.rst
 index XXXXXXX..XXXXXXX 100644
 --- a/docs/system/devices/usb.rst
 +++ b/docs/system/devices/usb.rst
@@ -XXX,XX +XXX,XX @@ option or the ``device_add`` monitor command. Available devices are:
     USB audio device
  ``u2f-{emulated,passthru}``
 -   Universal Second Factor device
 +   :doc:`usb-u2f`
  ``canokey``
     An Open-source Secure Key implementing FIDO2, OpenPGP, PIV and more.
 diff --git a/docs/u2f.txt b/docs/u2f.txt
 deleted file mode 100644
 index XXXXXXX..XXXXXXX
 --- a/docs/u2f.txt
 +++ /dev/null
@@ -XXX,XX +XXX,XX @@
 -QEMU U2F Key Device Documentation.
 -
 -Contents
 -1. USB U2F key device
 -2. Building
 -3. Using u2f-emulated
 -4. Using u2f-passthru
 -5. Libu2f-emu
 -
 -1. USB U2F key device
 -
 -U2F is an open authentication standard that enables relying parties
 -exposed to the internet to offer a strong second factor option for end
 -user authentication.
 -
 -The standard brings many advantages to both parties, client and server,
 -allowing to reduce over-reliance on passwords, it increases authentication
 -security and simplifies passwords.
 -
 -The second factor is materialized by a device implementing the U2F
 -protocol. In case of a USB U2F security key, it is a USB HID device
 -that implements the U2F protocol.
 -
 -In QEMU, the USB U2F key device offers a dedicated support of U2F, allowing
 -guest USB FIDO/U2F security keys operating in two possible modes:
 -pass-through and emulated.
 -
 -The pass-through mode consists of passing all requests made from the guest
 -to the physical security key connected to the host machine and vice versa.
 -In addition, the dedicated pass-through allows to have a U2F security key
 -shared on several guests which is not possible with a simple host device
 -assignment pass-through.
 -
 -The emulated mode consists of completely emulating the behavior of an
 -U2F device through software part. Libu2f-emu is used for that.
 -
 -
 -2. Building
 -
 -To ensure the build of the u2f-emulated device variant which depends
 -on libu2f-emu: configuring and building:
 -
 -    ./configure --enable-u2f && make
 -
 -The pass-through mode is built by default on Linux. To take advantage
 -of the autoscan option it provides, make sure you have a working libudev
 -installed on the host.
 -
 -
 -3. Using u2f-emulated
 -
 -To work, an emulated U2F device must have four elements:
 - * ec x509 certificate
 - * ec private key
 - * counter (four bytes value)
 - * 48 bytes of entropy (random bits)
 -
 -To use this type of device, this one has to be configured, and these
 -four elements must be passed one way or another.
 -
 -Assuming that you have a working libu2f-emu installed on the host.
 -There are three possible ways of configurations:
 - * ephemeral
 - * setup directory
 - * manual
 -
 -Ephemeral is the simplest way to configure, it lets the device generate
 -all the elements it needs for a single use of the lifetime of the device.
 -
 -    qemu -usb -device u2f-emulated
 -
 -Setup directory allows to configure the device from a directory containing
 -four files:
 - * certificate.pem: ec x509 certificate
 - * private-key.pem: ec private key
 - * counter: counter value
 - * entropy: 48 bytes of entropy
 -
 -    qemu -usb -device u2f-emulated,dir=$dir
 -
 -Manual allows to configure the device more finely by specifying each
 -of the elements necessary for the device:
 - * cert
 - * priv
 - * counter
 - * entropy
 -
 -    qemu -usb -device u2f-emulated,cert=$DIR1/$FILE1,priv=$DIR2/$FILE2,counter=$DIR3/$FILE3,entropy=$DIR4/$FILE4
 -
 -
 -4. Using u2f-passthru
 -
 -On the host specify the u2f-passthru device with a suitable hidraw:
 -
 -    qemu -usb -device u2f-passthru,hidraw=/dev/hidraw0
 -
 -Alternately, the u2f-passthru device can autoscan to take the first
 -U2F device it finds on the host (this requires a working libudev):
 -
 -    qemu -usb -device u2f-passthru
 -
 -
 -5. Libu2f-emu
 -
 -The u2f-emulated device uses libu2f-emu for the U2F key emulation. Libu2f-emu
 -implements completely the U2F protocol device part for all specified
 -transport given by the FIDO Alliance.
 -
 -For more information about libu2f-emu see this page:
 -https://github.com/MattGorko/libu2f-emu.
 --
 .34.1

-New patch
+[PULL 10/35] tests/qtest/meson.build: Don't include qtests_npcm7xx in qtests_aarch64
+We deliberately don't include qtests_npcm7xx in qtests_aarch64,
+because we already get the coverage of those tests via qtests_arm,
+and we don't want to use extra CI minutes testing them twice.
+In commit 327b680877b79c4b we added it to qtests_aarch64; revert
+that change.
+Fixes: 327b680877b79c4b ("tests/qtest: Creating qtest for GMAC Module")
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Message-id: 20240206163043.315535-1-peter.maydell@linaro.org
+---
+ tests/qtest/meson.build | 1 -
+file changed, 1 deletion(-)
+diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/qtest/meson.build
++++ b/tests/qtest/meson.build
+@@ -XXX,XX +XXX,XX @@ qtests_aarch64 = \
+   (config_all_devices.has_key('CONFIG_RASPI') ? ['bcm2835-dma-test'] : []) +  \
+   (config_all_accel.has_key('CONFIG_TCG') and                                            \
+    config_all_devices.has_key('CONFIG_TPM_TIS_I2C') ? ['tpm-tis-i2c-test'] : []) + \
+-  (config_all_devices.has_key('CONFIG_NPCM7XX') ? qtests_npcm7xx : []) + \
+   ['arm-cpu-features',
+    'numa-test',
+    'boot-serial-test',
+--
+.34.1

-[PULL 27/29] target/arm: Saturate L2CTLR_EL1 core count field rather than overflowing
+[PULL 11/35] tests/qtest/bios-tables-test: Allow changes to virt GTDT
-The IMPDEF sysreg L2CTLR_EL1 found on the Cortex-A35, A53, A57, A72
+Allow changes to the virt GTDT -- we are going to add the IRQ
-and which we (arguably dubiously) also provide in '-cpu max' has a
+entry for a new timer to it.
 bit field for the number of processors in the cluster. On real
 hardware this must be sufficient because it can only be configured
 with up to 4 CPUs in the cluster. However on QEMU if the board code
 does not explicitly configure the code into clusters with the right
 CPU count we default to "give the value assuming that all CPUs in
 the system are in a single cluster", which might be too big to fit
 in the field.
 Instead of just overflowing this 2-bit field, saturate to 3 (meaning
 "4 CPUs", so at least we don't overwrite other fields in the register.
 It's unlikely that any guest code really cares about the value in
 this field; at least, if it does it probably also wants the system
 to be more closely matching real hardware, i.e. not to have more
 than 4 CPUs.
 This issue has been present since the L2CTLR was first added in
 commit 377a44ec8f2fac5b back in 2014. It was only noticed because
 Coverity complains (CID 1509227) that the shift might overflow 32 bits
 and inadvertently sign extend into the top half of the 64 bit value.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
-Message-id: 20230512170223.3801643-2-peter.maydell@linaro.org
+Message-id: 20240122143537.233498-2-peter.maydell@linaro.org
 ---
- target/arm/cortex-regs.c | 11 +++++++++--
+ tests/qtest/bios-tables-test-allowed-diff.h | 2 ++
-file changed, 9 insertions(+), 2 deletions(-)
+file changed, 2 insertions(+)
-diff --git a/target/arm/cortex-regs.c b/target/arm/cortex-regs.c
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cortex-regs.c
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
-+++ b/target/arm/cortex-regs.c
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
-@@ -XXX,XX +XXX,XX @@ static uint64_t l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
+@@ -1 +1,3 @@
- {
+ /* List of comma-separated changed AML files to ignore */
-     ARMCPU *cpu = env_archcpu(env);
++"tests/data/acpi/virt/FACP",
++"tests/data/acpi/virt/GTDT",
 -    /* Number of cores is in [25:24]; otherwise we RAZ */
 -    return (cpu->core_count - 1) << 24;
 +    /*
 +     * Number of cores is in [25:24]; otherwise we RAZ.
 +     * If the board didn't configure the CPUs into clusters,
 +     * we default to "all CPUs in one cluster", which might be
 +     * more than the 4 that the hardware permits and which is
 +     * all you can report in this two-bit field. Saturate to
 +     * 0b11 (== 4 CPUs) rather than overflowing the field.
 +     */
 +    return MIN(cpu->core_count - 1, 3) << 24;
  }
  static const ARMCPRegInfo cortex_a72_a57_a53_cp_reginfo[] = {
 --
 .34.1

-[PULL 04/29] arm/kvm: add support for MTE
+[PULL 12/35] hw/arm/virt: Wire up non-secure EL2 virtual timer IRQ
-From: Cornelia Huck <cohuck@redhat.com>
+Armv8.1+ CPUs have the Virtual Host Extension (VHE) which adds a
+non-secure EL2 virtual timer.  We implemented the timer itself in the
-Extend the 'mte' property for the virt machine to cover KVM as
+CPU model, but never wired up its IRQ line to the GIC.
-well. For KVM, we don't allocate tag memory, but instead enable the
-capability.
+Wire up the IRQ line (this is always safe whether the CPU has the
+interrupt or not, since it always creates the outbound IRQ line).
-If MTE has been enabled, we need to disable migration, as we do not
+Report it to the guest via dtb and ACPI if the CPU has the feature.
-yet have a way to migrate the tags as well. Therefore, MTE will stay
-off with KVM unless requested explicitly.
+The DTB binding is documented in the kernel's
+Documentation/devicetree/bindings/timer/arm\,arch_timer.yaml
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+and the ACPI table entries are documented in the ACPI specification
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+version 6.3 or later.
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20230428095533.21747-2-cohuck@redhat.com
+Because the IRQ line ACPI binding is new in 6.3, we need to bump the
 FADT table rev to show that we might be using 6.3 features.
 Note that exposing this IRQ in the DTB will trigger a bug in EDK2
 versions prior to edk2-stable202311, for users who use the virt board
 with 'virtualization=on' to enable EL2 emulation and are booting an
 EDK2 guest BIOS, if that EDK2 has assertions enabled.  The effect is
 that EDK2 will assert on bootup:
  ASSERT [ArmTimerDxe] /home/kraxel/projects/qemu/roms/edk2/ArmVirtPkg/Library/ArmVirtTimerFdtClientLib/ArmVirtTimerFdtClientLib.c(72): PropSize == 36 || PropSize == 48
 If you see that assertion you should do one of:
  * update your EDK2 binaries to edk2-stable202311 or newer
  * use the 'virt-8.2' versioned machine type
  * not use 'virtualization=on'
 (The versions shipped with QEMU itself have the fix.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Message-id: 20240122143537.233498-3-peter.maydell@linaro.org
 ---
- target/arm/cpu.h     |  4 +++
+ include/hw/arm/virt.h    |  2 ++
- target/arm/kvm_arm.h | 19 ++++++++++++
+ hw/arm/virt-acpi-build.c | 20 ++++++++++----
- hw/arm/virt.c        | 73 +++++++++++++++++++++++++-------------------
+ hw/arm/virt.c            | 60 ++++++++++++++++++++++++++++++++++------
- target/arm/cpu.c     |  9 +++---
+files changed, 67 insertions(+), 15 deletions(-)
- target/arm/kvm.c     | 35 +++++++++++++++++++++
- target/arm/kvm64.c   |  5 +++
+diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
 files changed, 109 insertions(+), 36 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/include/hw/arm/virt.h
-+++ b/target/arm/cpu.h
++++ b/include/hw/arm/virt.h
-@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
+@@ -XXX,XX +XXX,XX @@ struct VirtMachineClass {
-      */
+     /* Machines < 6.2 have no support for describing cpu topology to guest */
-     uint32_t psci_conduit;
+     bool no_cpu_topology;
+     bool no_tcg_lpa2;
-+    /* CPU has Memory Tag Extension */
++    bool no_ns_el2_virt_timer_irq;
-+    bool has_mte;
+ };
-+
-     /* For v8M, initial value of the Secure VTOR */
+ struct VirtMachineState {
-     uint32_t init_svtor;
+@@ -XXX,XX +XXX,XX @@ struct VirtMachineState {
-     /* For v8M, initial value of the Non-secure VTOR */
+     PCIBus *bus;
-@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
+     char *oem_id;
-     bool prop_pauth;
+     char *oem_table_id;
-     bool prop_pauth_impdef;
++    bool ns_el2_virt_timer_irq;
-     bool prop_lpa2;
+ };
-+    OnOffAuto prop_mte;
+ #define VIRT_ECAM_ID(high) (high ? VIRT_HIGH_PCIE_ECAM : VIRT_PCIE_ECAM)
-     /* DCZ blocksize, in log_2(words), ie low 4 bits of DCZID_EL0 */
+diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
      uint32_t dcz_blocksize;
 diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm_arm.h
+--- a/hw/arm/virt-acpi-build.c
-+++ b/target/arm/kvm_arm.h
++++ b/hw/arm/virt-acpi-build.c
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_pmu_supported(void);
+@@ -XXX,XX +XXX,XX @@ build_srat(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
  }
  /*
 - * ACPI spec, Revision 5.1
 - * 5.2.24 Generic Timer Description Table (GTDT)
 + * ACPI spec, Revision 6.5
 + * 5.2.25 Generic Timer Description Table (GTDT)
   */
- bool kvm_arm_sve_supported(void);
+ static void
+ build_gtdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
-+/**
+@@ -XXX,XX +XXX,XX @@ build_gtdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
-+ * kvm_arm_mte_supported:
+     uint32_t irqflags = vmc->claim_edge_triggered_timers ?
-+ *
+: /* Interrupt is Edge triggered */
-+ * Returns: true if KVM can enable MTE, and false otherwise.
+;  /* Interrupt is Level triggered  */
-+ */
+-    AcpiTable table = { .sig = "GTDT", .rev = 2, .oem_id = vms->oem_id,
-+bool kvm_arm_mte_supported(void);
++    AcpiTable table = { .sig = "GTDT", .rev = 3, .oem_id = vms->oem_id,
-+
+                         .oem_table_id = vms->oem_table_id };
- /**
-  * kvm_arm_get_max_vm_ipa_size:
+     acpi_table_begin(&table, table_data);
-  * @ms: Machine state handle
+@@ -XXX,XX +XXX,XX @@ build_gtdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
-@@ -XXX,XX +XXX,XX @@ void kvm_arm_pvtime_init(CPUState *cs, uint64_t ipa);
+     build_append_int_noprefix(table_data, 0, 4);
+     /* Platform Timer Offset */
- int kvm_arm_set_irq(int cpu, int irqtype, int irq, int level);
+     build_append_int_noprefix(table_data, 0, 4);
+-
-+void kvm_arm_enable_mte(Object *cpuobj, Error **errp);
++    if (vms->ns_el2_virt_timer_irq) {
-+
++        /* Virtual EL2 Timer GSIV */
- #else
++        build_append_int_noprefix(table_data, ARCH_TIMER_NS_EL2_VIRT_IRQ, 4);
++        /* Virtual EL2 Timer Flags */
- /*
++        build_append_int_noprefix(table_data, irqflags, 4);
-@@ -XXX,XX +XXX,XX @@ static inline bool kvm_arm_steal_time_supported(void)
++    } else {
-     return false;
++        build_append_int_noprefix(table_data, 0, 4);
- }
++        build_append_int_noprefix(table_data, 0, 4);
++    }
-+static inline bool kvm_arm_mte_supported(void)
+     acpi_table_end(linker, &table);
-+{
+ }
-+    return false;
-+}
+@@ -XXX,XX +XXX,XX @@ build_madt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
-+
+ static void build_fadt_rev6(GArray *table_data, BIOSLinker *linker,
- /*
+                             VirtMachineState *vms, unsigned dsdt_tbl_offset)
-  * These functions should never actually be called without KVM support.
+ {
-  */
+-    /* ACPI v6.0 */
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t kvm_arm_sve_get_vls(CPUState *cs)
++    /* ACPI v6.3 */
-     g_assert_not_reached();
+     AcpiFadtData fadt = {
- }
+         .rev = 6,
+-        .minor_ver = 0,
-+static inline void kvm_arm_enable_mte(Object *cpuobj, Error **errp)
++        .minor_ver = 3,
-+{
+         .flags = 1 << ACPI_FADT_F_HW_REDUCED_ACPI,
-+    g_assert_not_reached();
+         .xdsdt_tbl_offset = &dsdt_tbl_offset,
-+}
+     };
 +
  #endif
  static inline const char *gic_class_name(void)
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
+@@ -XXX,XX +XXX,XX @@ static void create_randomness(MachineState *ms, const char *node)
+     qemu_fdt_setprop(ms->fdt, node, "rng-seed", seed.rng, sizeof(seed.rng));
+ }
++/*
++ * The CPU object always exposes the NS EL2 virt timer IRQ line,
++ * but we don't want to advertise it to the guest in the dtb or ACPI
++ * table unless it's really going to do something.
++ */
++static bool ns_el2_virt_timer_present(void)
++{
++    ARMCPU *cpu = ARM_CPU(qemu_get_cpu(0));
++    CPUARMState *env = &cpu->env;
++
++    return arm_feature(env, ARM_FEATURE_AARCH64) &&
++        arm_feature(env, ARM_FEATURE_EL2) && cpu_isar_feature(aa64_vh, cpu);
++}
++
+ static void create_fdt(VirtMachineState *vms)
+ {
+     MachineState *ms = MACHINE(vms);
+@@ -XXX,XX +XXX,XX @@ static void fdt_add_timer_nodes(const VirtMachineState *vms)
+                                 "arm,armv7-timer");
+     }
+     qemu_fdt_setprop(ms->fdt, "/timer", "always-on", NULL, 0);
+-    qemu_fdt_setprop_cells(ms->fdt, "/timer", "interrupts",
+-                           GIC_FDT_IRQ_TYPE_PPI,
+-                           INTID_TO_PPI(ARCH_TIMER_S_EL1_IRQ), irqflags,
+-                           GIC_FDT_IRQ_TYPE_PPI,
+-                           INTID_TO_PPI(ARCH_TIMER_NS_EL1_IRQ), irqflags,
+-                           GIC_FDT_IRQ_TYPE_PPI,
+-                           INTID_TO_PPI(ARCH_TIMER_VIRT_IRQ), irqflags,
+-                           GIC_FDT_IRQ_TYPE_PPI,
+-                           INTID_TO_PPI(ARCH_TIMER_NS_EL2_IRQ), irqflags);
++    if (vms->ns_el2_virt_timer_irq) {
++        qemu_fdt_setprop_cells(ms->fdt, "/timer", "interrupts",
++                               GIC_FDT_IRQ_TYPE_PPI,
++                               INTID_TO_PPI(ARCH_TIMER_S_EL1_IRQ), irqflags,
++                               GIC_FDT_IRQ_TYPE_PPI,
++                               INTID_TO_PPI(ARCH_TIMER_NS_EL1_IRQ), irqflags,
++                               GIC_FDT_IRQ_TYPE_PPI,
++                               INTID_TO_PPI(ARCH_TIMER_VIRT_IRQ), irqflags,
++                               GIC_FDT_IRQ_TYPE_PPI,
++                               INTID_TO_PPI(ARCH_TIMER_NS_EL2_IRQ), irqflags,
++                               GIC_FDT_IRQ_TYPE_PPI,
++                               INTID_TO_PPI(ARCH_TIMER_NS_EL2_VIRT_IRQ), irqflags);
++    } else {
++        qemu_fdt_setprop_cells(ms->fdt, "/timer", "interrupts",
++                               GIC_FDT_IRQ_TYPE_PPI,
++                               INTID_TO_PPI(ARCH_TIMER_S_EL1_IRQ), irqflags,
++                               GIC_FDT_IRQ_TYPE_PPI,
++                               INTID_TO_PPI(ARCH_TIMER_NS_EL1_IRQ), irqflags,
++                               GIC_FDT_IRQ_TYPE_PPI,
++                               INTID_TO_PPI(ARCH_TIMER_VIRT_IRQ), irqflags,
++                               GIC_FDT_IRQ_TYPE_PPI,
++                               INTID_TO_PPI(ARCH_TIMER_NS_EL2_IRQ), irqflags);
++    }
+ }
+ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
+@@ -XXX,XX +XXX,XX @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
+             [GTIMER_VIRT] = ARCH_TIMER_VIRT_IRQ,
+             [GTIMER_HYP]  = ARCH_TIMER_NS_EL2_IRQ,
+             [GTIMER_SEC]  = ARCH_TIMER_S_EL1_IRQ,
++            [GTIMER_HYPVIRT] = ARCH_TIMER_NS_EL2_VIRT_IRQ,
+         };
+         for (unsigned irq = 0; irq < ARRAY_SIZE(timer_irq); irq++) {
 @@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
-         exit(1);
+         qdev_realize(DEVICE(cpuobj), NULL, &error_fatal);
          object_unref(cpuobj);
      }
++
--    if (vms->mte && (kvm_enabled() || hvf_enabled())) {
++    /* Now we've created the CPUs we can see if they have the hypvirt timer */
-+    if (vms->mte && hvf_enabled()) {
++    vms->ns_el2_virt_timer_irq = ns_el2_virt_timer_present() &&
-         error_report("mach-virt: %s does not support providing "
++        !vmc->no_ns_el2_virt_timer_irq;
-                      "MTE to the guest CPU",
++
-                      current_accel_name());
+     fdt_add_timer_nodes(vms);
-@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
+     fdt_add_cpu_nodes(vms);
-         }
+@@ -XXX,XX +XXX,XX @@ DEFINE_VIRT_MACHINE_AS_LATEST(9, 0)
-         if (vms->mte) {
--            /* Create the memory region only once, but link to all cpus. */
+ static void virt_machine_8_2_options(MachineClass *mc)
 -            if (!tag_sysmem) {
 -                /*
 -                 * The property exists only if MemTag is supported.
 -                 * If it is, we must allocate the ram to back that up.
 -                 */
 -                if (!object_property_find(cpuobj, "tag-memory")) {
 -                    error_report("MTE requested, but not supported "
 -                                 "by the guest CPU");
 +            if (tcg_enabled()) {
 +                /* Create the memory region only once, but link to all cpus. */
 +                if (!tag_sysmem) {
 +                    /*
 +                     * The property exists only if MemTag is supported.
 +                     * If it is, we must allocate the ram to back that up.
 +                     */
 +                    if (!object_property_find(cpuobj, "tag-memory")) {
 +                        error_report("MTE requested, but not supported "
 +                                     "by the guest CPU");
 +                        exit(1);
 +                    }
 +
 +                    tag_sysmem = g_new(MemoryRegion, 1);
 +                    memory_region_init(tag_sysmem, OBJECT(machine),
 +                                       "tag-memory", UINT64_MAX / 32);
 +
 +                    if (vms->secure) {
 +                        secure_tag_sysmem = g_new(MemoryRegion, 1);
 +                        memory_region_init(secure_tag_sysmem, OBJECT(machine),
 +                                           "secure-tag-memory",
 +                                           UINT64_MAX / 32);
 +
 +                        /* As with ram, secure-tag takes precedence over tag. */
 +                        memory_region_add_subregion_overlap(secure_tag_sysmem,
 +                                                            0, tag_sysmem, -1);
 +                    }
 +                }
 +
 +                object_property_set_link(cpuobj, "tag-memory",
 +                                         OBJECT(tag_sysmem), &error_abort);
 +                if (vms->secure) {
 +                    object_property_set_link(cpuobj, "secure-tag-memory",
 +                                             OBJECT(secure_tag_sysmem),
 +                                             &error_abort);
 +                }
 +            } else if (kvm_enabled()) {
 +                if (!kvm_arm_mte_supported()) {
 +                    error_report("MTE requested, but not supported by KVM");
                      exit(1);
                  }
 -
 -                tag_sysmem = g_new(MemoryRegion, 1);
 -                memory_region_init(tag_sysmem, OBJECT(machine),
 -                                   "tag-memory", UINT64_MAX / 32);
 -
 -                if (vms->secure) {
 -                    secure_tag_sysmem = g_new(MemoryRegion, 1);
 -                    memory_region_init(secure_tag_sysmem, OBJECT(machine),
 -                                       "secure-tag-memory", UINT64_MAX / 32);
 -
 -                    /* As with ram, secure-tag takes precedence over tag.  */
 -                    memory_region_add_subregion_overlap(secure_tag_sysmem, 0,
 -                                                        tag_sysmem, -1);
 -                }
 -            }
 -
 -            object_property_set_link(cpuobj, "tag-memory", OBJECT(tag_sysmem),
 -                                     &error_abort);
 -            if (vms->secure) {
 -                object_property_set_link(cpuobj, "secure-tag-memory",
 -                                         OBJECT(secure_tag_sysmem),
 -                                         &error_abort);
 +                kvm_arm_enable_mte(cpuobj, &error_abort);
              }
          }
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
                                       qdev_prop_allow_set_link_before_realize,
                                       OBJ_PROP_LINK_STRONG);
          }
 +        cpu->has_mte = true;
      }
  #endif
  }
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
          }
          if (cpu->tag_memory) {
              error_setg(errp,
 -                       "Cannot enable %s when guest CPUs has MTE enabled",
 +                       "Cannot enable %s when guest CPUs has tag memory enabled",
                         current_accel_name());
              return;
          }
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
      }
  #ifndef CONFIG_USER_ONLY
 -    if (cpu->tag_memory == NULL && cpu_isar_feature(aa64_mte, cpu)) {
 +    if (!cpu->has_mte && cpu_isar_feature(aa64_mte, cpu)) {
          /*
 -         * Disable the MTE feature bits if we do not have tag-memory
 -         * provided by the machine.
 +         * Disable the MTE feature bits if we do not have the feature
 +         * setup by the machine.
           */
          cpu->isar.id_aa64pfr1 =
              FIELD_DP64(cpu->isar.id_aa64pfr1, ID_AA64PFR1, MTE, 0);
 diff --git a/target/arm/kvm.c b/target/arm/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm.c
 +++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/boards.h"
  #include "hw/irq.h"
  #include "qemu/log.h"
 +#include "migration/blocker.h"
  const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
      KVM_CAP_LAST_INFO
@@ -XXX,XX +XXX,XX @@ bool kvm_arch_cpu_check_are_resettable(void)
  void kvm_arch_accel_class_init(ObjectClass *oc)
  {
- }
++    VirtMachineClass *vmc = VIRT_MACHINE_CLASS(OBJECT_CLASS(mc));
 +
-+void kvm_arm_enable_mte(Object *cpuobj, Error **errp)
+     virt_machine_9_0_options(mc);
-+{
+     compat_props_add(mc->compat_props, hw_compat_8_2, hw_compat_8_2_len);
-+    static bool tried_to_enable;
++    /*
-+    static bool succeeded_to_enable;
++     * Don't expose NS_EL2_VIRT timer IRQ in DTB on ACPI on 8.2 and
-+    Error *mte_migration_blocker = NULL;
++     * earlier machines. (Exposing it tickles a bug in older EDK2
-+    int ret;
++     * guest BIOS binaries.)
-+
++     */
-+    if (!tried_to_enable) {
++    vmc->no_ns_el2_virt_timer_irq = true;
-+        /*
+ }
-+         * MTE on KVM is enabled on a per-VM basis (and retrying doesn't make
+ DEFINE_VIRT_MACHINE(8, 2)
-+         * sense), and we only want a single migration blocker as well.
 +         */
 +        tried_to_enable = true;
 +
 +        ret = kvm_vm_enable_cap(kvm_state, KVM_CAP_ARM_MTE, 0);
 +        if (ret) {
 +            error_setg_errno(errp, -ret, "Failed to enable KVM_CAP_ARM_MTE");
 +            return;
 +        }
 +
 +        /* TODO: add proper migration support with MTE enabled */
 +        error_setg(&mte_migration_blocker,
 +                   "Live migration disabled due to MTE enabled");
 +        if (migrate_add_blocker(mte_migration_blocker, errp)) {
 +            error_free(mte_migration_blocker);
 +            return;
 +        }
 +        succeeded_to_enable = true;
 +    }
 +    if (succeeded_to_enable) {
 +        object_property_set_bool(cpuobj, "has_mte", true, NULL);
 +    }
 +}
 diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm64.c
 +++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_steal_time_supported(void)
      return kvm_check_extension(kvm_state, KVM_CAP_STEAL_TIME);
  }
 +bool kvm_arm_mte_supported(void)
 +{
 +    return kvm_check_extension(kvm_state, KVM_CAP_ARM_MTE);
 +}
 +
  QEMU_BUILD_BUG_ON(KVM_ARM64_SVE_VQ_MIN != 1);
  uint32_t kvm_arm_sve_get_vls(CPUState *cs)
 --
 .34.1

-[PULL 25/29] target/arm: Convert BRAA, BRAB, BLRAA, BLRAB to decodetree
+[PULL 13/35] tests/qtest/bios-tables-tests: Update virt golden reference
-Convert the last four BR-with-pointer-auth insns to decodetree.
+Update the virt golden reference files to say that the FACP is ACPI
-The remaining cases in the outer switch in disas_uncond_b_reg()
+v6.3, and the GTDT table is a revision 3 table with space for the
-all return early rather than leaving the case statement, so we
+virtual EL2 timer.
-can delete the now-unused code at the end of that function.
 Diffs from iasl:
@@ -XXX,XX +XXX,XX @@
  /*
   * Intel ACPI Component Architecture
   * AML/ASL+ Disassembler version 20200925 (64-bit version)
   * Copyright (c) 2000 - 2020 Intel Corporation
   *
 - * Disassembly of tests/data/acpi/virt/FACP, Mon Jan 22 13:48:40 2024
 + * Disassembly of /tmp/aml-W8RZH2, Mon Jan 22 13:48:40 2024
   *
   * ACPI Data Table [FACP]
   *
   * Format: [HexOffset DecimalOffset ByteLength]  FieldName : FieldValue
   */
  [000h 0000   4]                    Signature : "FACP"    [Fixed ACPI Description Table (FADT)]
  [004h 0004   4]                 Table Length : 00000114
  [008h 0008   1]                     Revision : 06
 -[009h 0009   1]                     Checksum : 15
 +[009h 0009   1]                     Checksum : 12
  [00Ah 0010   6]                       Oem ID : "BOCHS "
  [010h 0016   8]                 Oem Table ID : "BXPC    "
  [018h 0024   4]                 Oem Revision : 00000001
  [01Ch 0028   4]              Asl Compiler ID : "BXPC"
  [020h 0032   4]        Asl Compiler Revision : 00000001
  [024h 0036   4]                 FACS Address : 00000000
  [028h 0040   4]                 DSDT Address : 00000000
  [02Ch 0044   1]                        Model : 00
  [02Dh 0045   1]                   PM Profile : 00 [Unspecified]
  [02Eh 0046   2]                SCI Interrupt : 0000
  [030h 0048   4]             SMI Command Port : 00000000
  [034h 0052   1]            ACPI Enable Value : 00
  [035h 0053   1]           ACPI Disable Value : 00
  [036h 0054   1]               S4BIOS Command : 00
  [037h 0055   1]              P-State Control : 00
@@ -XXX,XX +XXX,XX @@
       Use APIC Physical Destination Mode (V4) : 0
                         Hardware Reduced (V5) : 1
                        Low Power S0 Idle (V5) : 0
  [074h 0116  12]               Reset Register : [Generic Address Structure]
  [074h 0116   1]                     Space ID : 00 [SystemMemory]
  [075h 0117   1]                    Bit Width : 00
  [076h 0118   1]                   Bit Offset : 00
  [077h 0119   1]         Encoded Access Width : 00 [Undefined/Legacy]
  [078h 0120   8]                      Address : 0000000000000000
  [080h 0128   1]         Value to cause reset : 00
  [081h 0129   2]    ARM Flags (decoded below) : 0003
                                PSCI Compliant : 1
                         Must use HVC for PSCI : 1
 -[083h 0131   1]          FADT Minor Revision : 00
 +[083h 0131   1]          FADT Minor Revision : 03
  [084h 0132   8]                 FACS Address : 0000000000000000
  [08Ch 0140   8]                 DSDT Address : 0000000000000000
  [094h 0148  12]             PM1A Event Block : [Generic Address Structure]
  [094h 0148   1]                     Space ID : 00 [SystemMemory]
  [095h 0149   1]                    Bit Width : 00
  [096h 0150   1]                   Bit Offset : 00
  [097h 0151   1]         Encoded Access Width : 00 [Undefined/Legacy]
  [098h 0152   8]                      Address : 0000000000000000
  [0A0h 0160  12]             PM1B Event Block : [Generic Address Structure]
  [0A0h 0160   1]                     Space ID : 00 [SystemMemory]
  [0A1h 0161   1]                    Bit Width : 00
  [0A2h 0162   1]                   Bit Offset : 00
  [0A3h 0163   1]         Encoded Access Width : 00 [Undefined/Legacy]
  [0A4h 0164   8]                      Address : 0000000000000000
@@ -XXX,XX +XXX,XX @@
  [0F5h 0245   1]                    Bit Width : 00
  [0F6h 0246   1]                   Bit Offset : 00
  [0F7h 0247   1]         Encoded Access Width : 00 [Undefined/Legacy]
  [0F8h 0248   8]                      Address : 0000000000000000
  [100h 0256  12]        Sleep Status Register : [Generic Address Structure]
  [100h 0256   1]                     Space ID : 00 [SystemMemory]
  [101h 0257   1]                    Bit Width : 00
  [102h 0258   1]                   Bit Offset : 00
  [103h 0259   1]         Encoded Access Width : 00 [Undefined/Legacy]
  [104h 0260   8]                      Address : 0000000000000000
  [10Ch 0268   8]                Hypervisor ID : 00000000554D4551
  Raw Table Data: Length 276 (0x114)
 -    0000: 46 41 43 50 14 01 00 00 06 15 42 4F 43 48 53 20  // FACP......BOCHS
 +    0000: 46 41 43 50 14 01 00 00 06 12 42 4F 43 48 53 20  // FACP......BOCHS
 : 42 58 50 43 20 20 20 20 01 00 00 00 42 58 50 43  // BXPC    ....BXPC
 : 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 : 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 -    0080: 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 +    0080: 00 03 00 03 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
 : 00 00 00 00 00 00 00 00 00 00 00 00 51 45 4D 55  // ............QEMU
 : 00 00 00 00                                      // ....
@@ -XXX,XX +XXX,XX @@
  /*
   * Intel ACPI Component Architecture
   * AML/ASL+ Disassembler version 20200925 (64-bit version)
   * Copyright (c) 2000 - 2020 Intel Corporation
   *
 - * Disassembly of tests/data/acpi/virt/GTDT, Mon Jan 22 13:48:40 2024
 + * Disassembly of /tmp/aml-XDSZH2, Mon Jan 22 13:48:40 2024
   *
   * ACPI Data Table [GTDT]
   *
   * Format: [HexOffset DecimalOffset ByteLength]  FieldName : FieldValue
   */
  [000h 0000   4]                    Signature : "GTDT"    [Generic Timer Description Table]
 -[004h 0004   4]                 Table Length : 00000060
 -[008h 0008   1]                     Revision : 02
 -[009h 0009   1]                     Checksum : 9C
 +[004h 0004   4]                 Table Length : 00000068
 +[008h 0008   1]                     Revision : 03
 +[009h 0009   1]                     Checksum : 93
  [00Ah 0010   6]                       Oem ID : "BOCHS "
  [010h 0016   8]                 Oem Table ID : "BXPC    "
  [018h 0024   4]                 Oem Revision : 00000001
  [01Ch 0028   4]              Asl Compiler ID : "BXPC"
  [020h 0032   4]        Asl Compiler Revision : 00000001
  [024h 0036   8]        Counter Block Address : FFFFFFFFFFFFFFFF
  [02Ch 0044   4]                     Reserved : 00000000
  [030h 0048   4]         Secure EL1 Interrupt : 0000001D
  [034h 0052   4]    EL1 Flags (decoded below) : 00000000
                                  Trigger Mode : 0
                                      Polarity : 0
                                     Always On : 0
  [038h 0056   4]     Non-Secure EL1 Interrupt : 0000001E
@@ -XXX,XX +XXX,XX @@
  [040h 0064   4]      Virtual Timer Interrupt : 0000001B
  [044h 0068   4]     VT Flags (decoded below) : 00000000
                                  Trigger Mode : 0
                                      Polarity : 0
                                     Always On : 0
  [048h 0072   4]     Non-Secure EL2 Interrupt : 0000001A
  [04Ch 0076   4]   NEL2 Flags (decoded below) : 00000000
                                  Trigger Mode : 0
                                      Polarity : 0
                                     Always On : 0
  [050h 0080   8]   Counter Read Block Address : FFFFFFFFFFFFFFFF
  [058h 0088   4]         Platform Timer Count : 00000000
  [05Ch 0092   4]        Platform Timer Offset : 00000000
 +[060h 0096   4]       Virtual EL2 Timer GSIV : 00000000
 +[064h 0100   4]      Virtual EL2 Timer Flags : 00000000
 -Raw Table Data: Length 96 (0x60)
 +Raw Table Data: Length 104 (0x68)
 -    0000: 47 54 44 54 60 00 00 00 02 9C 42 4F 43 48 53 20  // GTDT`.....BOCHS
 +    0000: 47 54 44 54 68 00 00 00 03 93 42 4F 43 48 53 20  // GTDTh.....BOCHS
 : 42 58 50 43 20 20 20 20 01 00 00 00 42 58 50 43  // BXPC    ....BXPC
 : 01 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00  // ................
 : 1D 00 00 00 00 00 00 00 1E 00 00 00 04 00 00 00  // ................
 : 1B 00 00 00 00 00 00 00 1A 00 00 00 00 00 00 00  // ................
 : FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00  // ................
 +    0060: 00 00 00 00 00 00 00 00                          // ........
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
-Message-id: 20230512144106.3608981-20-peter.maydell@linaro.org
+Message-id: 20240122143537.233498-4-peter.maydell@linaro.org
 ---
- target/arm/tcg/a64.decode      |  4 ++
+ tests/qtest/bios-tables-test-allowed-diff.h |   2 --
- target/arm/tcg/translate-a64.c | 97 ++++++++++++++--------------------
+ tests/data/acpi/virt/FACP                   | Bin 276 -> 276 bytes
-files changed, 43 insertions(+), 58 deletions(-)
+ tests/data/acpi/virt/GTDT                   | Bin 96 -> 104 bytes
+files changed, 2 deletions(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
 diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
-+++ b/target/arm/tcg/a64.decode
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
-@@ -XXX,XX +XXX,XX @@ BLRAZ           1101011 0001 11111 00001 m:1 rn:5 11111 &braz   # BLRAAZ, BLRABZ
+@@ -1,3 +1 @@
+ /* List of comma-separated changed AML files to ignore */
- &reta       m
+-"tests/data/acpi/virt/FACP",
- RETA            1101011 0010 11111 00001 m:1 11111 11111 &reta  # RETAA, RETAB
+-"tests/data/acpi/virt/GTDT",
-+
+diff --git a/tests/data/acpi/virt/FACP b/tests/data/acpi/virt/FACP
 +&bra        rn rm m
 +BRA             1101011 1000 11111 00001 m:1 rn:5 rm:5 &bra # BRAA, BRAB
 +BLRA            1101011 1001 11111 00001 m:1 rn:5 rm:5 &bra # BLRAA, BLRAB
 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/translate-a64.c
+GIT binary patch
-+++ b/target/arm/tcg/translate-a64.c
+delta 25
-@@ -XXX,XX +XXX,XX @@ static bool trans_RETA(DisasContext *s, arg_reta *a)
+gcmbQjG=+)F&CxkPgpq-PO=u!l<;2F$$vli407<0<)c^nh
-     return true;
- }
+delta 28
+kcmbQjG=+)F&CxkPgpq-PO>`nx<-|!<6Akz$^DuG%0AAS!ssI20
-+static bool trans_BRA(DisasContext *s, arg_bra *a)
-+{
+diff --git a/tests/data/acpi/virt/GTDT b/tests/data/acpi/virt/GTDT
-+    TCGv_i64 dst;
+index XXXXXXX..XXXXXXX 100644
-+
+GIT binary patch
-+    if (!dc_isar_feature(aa64_pauth, s)) {
+delta 25
-+        return false;
+bcmYeu;BpUf3CUn!U|^m+kt>V?$N&QXMtB4L
-+    }
-+    dst = auth_branch_target(s, cpu_reg(s,a->rn), cpu_reg_sp(s, a->rm), !a->m);
+delta 16
-+    gen_a64_set_pc(s, dst);
+Xcmc~u;BpUf2}xjJU|^avkt+-UB60)u
-+    set_btype_for_br(s, a->rn);
 +    s->base.is_jmp = DISAS_JUMP;
 +    return true;
 +}
 +
 +static bool trans_BLRA(DisasContext *s, arg_bra *a)
 +{
 +    TCGv_i64 dst, lr;
 +
 +    if (!dc_isar_feature(aa64_pauth, s)) {
 +        return false;
 +    }
 +    dst = auth_branch_target(s, cpu_reg(s, a->rn), cpu_reg_sp(s, a->rm), !a->m);
 +    lr = cpu_reg(s, 30);
 +    if (dst == lr) {
 +        TCGv_i64 tmp = tcg_temp_new_i64();
 +        tcg_gen_mov_i64(tmp, dst);
 +        dst = tmp;
 +    }
 +    gen_pc_plus_diff(s, lr, curr_insn_len(s));
 +    gen_a64_set_pc(s, dst);
 +    set_btype_for_blr(s);
 +    s->base.is_jmp = DISAS_JUMP;
 +    return true;
 +}
 +
  /* HINT instruction group, including various allocated HINTs */
  static void handle_hint(DisasContext *s, uint32_t insn,
                          unsigned int op1, unsigned int op2, unsigned int crm)
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
  static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
  {
      unsigned int opc, op2, op3, rn, op4;
 -    unsigned btype_mod = 2;   /* 0: BR, 1: BLR, 2: other */
      TCGv_i64 dst;
      TCGv_i64 modifier;
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
      case 0:
      case 1:
      case 2:
 +    case 8:
 +    case 9:
          /*
 -         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ:
 -         * handled in decodetree
 +         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ,
 +         * BRAA, BLRAA: handled in decodetree
           */
          goto do_unallocated;
 -    case 8: /* BRAA */
 -    case 9: /* BLRAA */
 -        if (!dc_isar_feature(aa64_pauth, s)) {
 -            goto do_unallocated;
 -        }
 -        if ((op3 & ~1) != 2) {
 -            goto do_unallocated;
 -        }
 -        btype_mod = opc & 1;
 -        if (s->pauth_active) {
 -            dst = tcg_temp_new_i64();
 -            modifier = cpu_reg_sp(s, op4);
 -            if (op3 == 2) {
 -                gen_helper_autia(dst, cpu_env, cpu_reg(s, rn), modifier);
 -            } else {
 -                gen_helper_autib(dst, cpu_env, cpu_reg(s, rn), modifier);
 -            }
 -        } else {
 -            dst = cpu_reg(s, rn);
 -        }
 -        /* BLRAA also needs to load return address */
 -        if (opc == 9) {
 -            TCGv_i64 lr = cpu_reg(s, 30);
 -            if (dst == lr) {
 -                TCGv_i64 tmp = tcg_temp_new_i64();
 -                tcg_gen_mov_i64(tmp, dst);
 -                dst = tmp;
 -            }
 -            gen_pc_plus_diff(s, lr, curr_insn_len(s));
 -        }
 -        gen_a64_set_pc(s, dst);
 -        break;
 -
      case 4: /* ERET */
          if (s->current_el == 0) {
              goto do_unallocated;
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
          unallocated_encoding(s);
          return;
      }
 -
 -    switch (btype_mod) {
 -    case 0: /* BR */
 -        if (dc_isar_feature(aa64_bti, s)) {
 -            /* BR to {x16,x17} or !guard -> 1, else 3.  */
 -            set_btype(s, rn == 16 || rn == 17 || !s->guarded_page ? 1 : 3);
 -        }
 -        break;
 -
 -    case 1: /* BLR */
 -        if (dc_isar_feature(aa64_bti, s)) {
 -            /* BLR sets BTYPE to 2, regardless of source guarded page.  */
 -            set_btype(s, 2);
 -        }
 -        break;
 -
 -    default: /* RET or none of the above.  */
 -        /* BTYPE will be set to 0 by normal end-of-insn processing.  */
 -        break;
 -    }
 -
 -    s->base.is_jmp = DISAS_JUMP;
  }
  /* Branches, exception generating and system instructions */
 --
 .34.1

-New patch
+[PULL 14/35] hw/arm/npcm7xx: Call qemu_configure_nic_device() for GMAC modules
+The patchset adding the GMAC ethernet to this SoC crossed in the
+mail with the patchset cleaning up the NIC handling. When we
+create the GMAC modules we must call qemu_configure_nic_device()
+so that the user has the opportunity to use the -nic commandline
+option to create a network backend and connect it to the GMACs.
+Add the missing call.
+Fixes: 21e5326a7c ("hw/arm: Add GMAC devices to NPCM7XX SoC")
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
+Message-id: 20240206171231.396392-2-peter.maydell@linaro.org
+---
+ hw/arm/npcm7xx.c | 1 +
+file changed, 1 insertion(+)
+diff --git a/hw/arm/npcm7xx.c b/hw/arm/npcm7xx.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/npcm7xx.c
++++ b/hw/arm/npcm7xx.c
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_realize(DeviceState *dev, Error **errp)
+     for (i = 0; i < ARRAY_SIZE(s->gmac); i++) {
+         SysBusDevice *sbd = SYS_BUS_DEVICE(&s->gmac[i]);
++        qemu_configure_nic_device(DEVICE(sbd), false, NULL);
+         /*
+          * The device exists regardless of whether it's connected to a QEMU
+          * netdev backend. So always instantiate it even if there is no
+--
+.34.1

-[PULL 22/29] target/arm: Convert conditional branch insns to decodetree
+[PULL 15/35] tests/qtest/npcm7xx_emc-test: Connect all NICs to a backend
-Convert the immediate conditional branch insn B.cond to
+Currently QEMU will warn if there is a NIC on the board that
-decodetree.
+is not connected to a backend. By default the '-nic user' will
 get used for all NICs, but if you manually connect a specific
 NIC to a specific backend, then the other NICs on the board
 have no backend and will be warned about:
 qemu-system-arm: warning: nic npcm7xx-emc.1 has no peer
 qemu-system-arm: warning: nic npcm-gmac.0 has no peer
 qemu-system-arm: warning: nic npcm-gmac.1 has no peer
 So suppress those warnings by manually connecting every NIC
 on the board to some backend.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
-Message-id: 20230512144106.3608981-17-peter.maydell@linaro.org
+Reviewed-by: Thomas Huth <thuth@redhat.com>
 Message-id: 20240206171231.396392-3-peter.maydell@linaro.org
 ---
- target/arm/tcg/a64.decode      |  2 ++
+ tests/qtest/npcm7xx_emc-test.c | 5 ++++-
- target/arm/tcg/translate-a64.c | 30 ++++++------------------------
+file changed, 4 insertions(+), 1 deletion(-)
 files changed, 8 insertions(+), 24 deletions(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/tests/qtest/npcm7xx_emc-test.c b/tests/qtest/npcm7xx_emc-test.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/tests/qtest/npcm7xx_emc-test.c
-+++ b/target/arm/tcg/a64.decode
++++ b/tests/qtest/npcm7xx_emc-test.c
-@@ -XXX,XX +XXX,XX @@ CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
+@@ -XXX,XX +XXX,XX @@ static int *packet_test_init(int module_num, GString *cmd_line)
- &tbz       rt imm nz bitpos
+      * KISS and use -nic. The driver accepts 'emc0' and 'emc1' as aliases
+      * in the 'model' field to specify the device to match.
- TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
+      */
-+
+-    g_string_append_printf(cmd_line, " -nic socket,fd=%d,model=emc%d ",
-+B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
++    g_string_append_printf(cmd_line, " -nic socket,fd=%d,model=emc%d "
-diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
++                           "-nic user,model=npcm7xx-emc "
-index XXXXXXX..XXXXXXX 100644
++                           "-nic user,model=npcm-gmac "
---- a/target/arm/tcg/translate-a64.c
++                           "-nic user,model=npcm-gmac",
-+++ b/target/arm/tcg/translate-a64.c
+                            test_sockets[1], module_num);
-@@ -XXX,XX +XXX,XX @@ static bool trans_TBZ(DisasContext *s, arg_tbz *a)
-     return true;
+     g_test_queue_destroy(packet_test_clear, test_sockets);
  }
 -/* Conditional branch (immediate)
 - *  31           25  24  23                  5   4  3    0
 - * +---------------+----+---------------------+----+------+
 - * | 0 1 0 1 0 1 0 | o1 |         imm19       | o0 | cond |
 - * +---------------+----+---------------------+----+------+
 - */
 -static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
 +static bool trans_B_cond(DisasContext *s, arg_B_cond *a)
  {
 -    unsigned int cond;
 -    int64_t diff;
 -
 -    if ((insn & (1 << 4)) || (insn & (1 << 24))) {
 -        unallocated_encoding(s);
 -        return;
 -    }
 -    diff = sextract32(insn, 5, 19) * 4;
 -    cond = extract32(insn, 0, 4);
 -
      reset_btype(s);
 -    if (cond < 0x0e) {
 +    if (a->cond < 0x0e) {
          /* genuinely conditional branches */
          DisasLabel match = gen_disas_label(s);
 -        arm_gen_test_cc(cond, match.label);
 +        arm_gen_test_cc(a->cond, match.label);
          gen_goto_tb(s, 0, 4);
          set_disas_label(s, match);
 -        gen_goto_tb(s, 1, diff);
 +        gen_goto_tb(s, 1, a->imm);
      } else {
          /* 0xe and 0xf are both "always" conditions */
 -        gen_goto_tb(s, 0, diff);
 +        gen_goto_tb(s, 0, a->imm);
      }
 +    return true;
  }
  /* HINT instruction group, including various allocated HINTs */
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
  static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
  {
      switch (extract32(insn, 25, 7)) {
 -    case 0x2a: /* Conditional branch (immediate) */
 -        disas_cond_b_imm(s, insn);
 -        break;
      case 0x6a: /* Exception generation / System */
          if (insn & (1 << 24)) {
              if (extract32(insn, 22, 2) == 0) {
 --
 .34.1

-New patch
+[PULL 16/35] target/arm: Don't get MDCR_EL2 in pmu_counter_enabled() before checking ARM_FEATURE_PMU
+It doesn't make sense to read the value of MDCR_EL2 on a non-A-profile
+CPU, and in fact if you try to do it we will assert:
+#6  0x00007ffff4b95e96 in __GI___assert_fail
+    (assertion=0x5555565a8c70 "!arm_feature(env, ARM_FEATURE_M)", file=0x5555565a6e5c "../../target/arm/helper.c", line=12600, function=0x5555565a9560 <__PRETTY_FUNCTION__.0> "arm_security_space_below_el3") at ./assert/assert.c:101
+#7  0x0000555555ebf412 in arm_security_space_below_el3 (env=0x555557bc8190) at ../../target/arm/helper.c:12600
+#8  0x0000555555ea6f89 in arm_is_el2_enabled (env=0x555557bc8190) at ../../target/arm/cpu.h:2595
+#9  0x0000555555ea942f in arm_mdcr_el2_eff (env=0x555557bc8190) at ../../target/arm/internals.h:1512
+We might call pmu_counter_enabled() on an M-profile CPU (for example
+from the migration pre/post hooks in machine.c); this should always
+return false because these CPUs don't set ARM_FEATURE_PMU.
+Avoid the assertion by not calling arm_mdcr_el2_eff() before we
+have done the early return for "PMU not present".
+This fixes an assertion failure if you try to do a loadvm or
+savevm for an M-profile board.
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2155
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20240208153346.970021-1-peter.maydell@linaro.org
+---
+ target/arm/helper.c | 12 ++++++++++--
+file changed, 10 insertions(+), 2 deletions(-)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ static bool pmu_counter_enabled(CPUARMState *env, uint8_t counter)
+     bool enabled, prohibited = false, filtered;
+     bool secure = arm_is_secure(env);
+     int el = arm_current_el(env);
+-    uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
+-    uint8_t hpmn = mdcr_el2 & MDCR_HPMN;
++    uint64_t mdcr_el2;
++    uint8_t hpmn;
++    /*
++     * We might be called for M-profile cores where MDCR_EL2 doesn't
++     * exist and arm_mdcr_el2_eff() will assert, so this early-exit check
++     * must be before we read that value.
++     */
+     if (!arm_feature(env, ARM_FEATURE_PMU)) {
+         return false;
+     }
++    mdcr_el2 = arm_mdcr_el2_eff(env);
++    hpmn = mdcr_el2 & MDCR_HPMN;
++
+     if (!arm_feature(env, ARM_FEATURE_EL2) ||
+             (counter < hpmn || counter == 31)) {
+         e = env->cp15.c9_pmcr & PMCRE;
+--
+.34.1

-[PULL 15/29] target/arm: Convert Logical (immediate) to decodetree
+[PULL 17/35] tests/qtest: Fix GMAC test to run on a machine in upstream QEMU
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Nabih Estefan <nabihestefan@google.com>
-Convert the ADD, ORR, EOR, ANDS (immediate) instructions.
+Fix the nocm_gmac-test.c file to run on a nuvoton 7xx machine instead
 of 8xx. Also fix comments referencing this and values expecting 8xx.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Change-Id: Iabd0fba14910c3f1e883c4a9521350f3db9ffab8
 Signed-Off-By: Nabih Estefan <nabihestefan@google.com>
 Reviewed-by: Tyrone Ting <kfting@nuvoton.com>
 Message-id: 20240208194759.2858582-2-nabihestefan@google.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+[PMM: commit message tweaks]
 Message-id: 20230512144106.3608981-10-peter.maydell@linaro.org
 [PMM: rebased]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/tcg/a64.decode      | 15 ++++++
+ tests/qtest/npcm_gmac-test.c | 84 +-----------------------------------
- target/arm/tcg/translate-a64.c | 94 +++++++++++-----------------------
+ tests/qtest/meson.build      |  3 +-
-files changed, 44 insertions(+), 65 deletions(-)
+files changed, 4 insertions(+), 83 deletions(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/tests/qtest/npcm_gmac-test.c b/tests/qtest/npcm_gmac-test.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/tests/qtest/npcm_gmac-test.c
-+++ b/target/arm/tcg/a64.decode
++++ b/tests/qtest/npcm_gmac-test.c
-@@ -XXX,XX +XXX,XX @@ SUBS_i          . 11 100010 1 ............ ..... .....  @addsub_imm12
+@@ -XXX,XX +XXX,XX @@ typedef struct TestData {
+     const GMACModule *module;
- ADDG_i          1 00 100011 0 ...... 00 .... ..... ..... @addsub_imm_tag
+ } TestData;
- SUBG_i          1 10 100011 0 ...... 00 .... ..... ..... @addsub_imm_tag
-+
+-/* Values extracted from hw/arm/npcm8xx.c */
-+# Logical (immediate)
++/* Values extracted from hw/arm/npcm7xx.c */
-+
+ static const GMACModule gmac_module_list[] = {
-+&rri_log        rd rn sf dbm
+     {
-+@logic_imm_64   1 .. ...... dbm:13 rn:5 rd:5            &rri_log sf=1
+         .irq        = 14,
-+@logic_imm_32   0 .. ...... 0 dbm:12 rn:5 rd:5          &rri_log sf=0
+@@ -XXX,XX +XXX,XX @@ static const GMACModule gmac_module_list[] = {
-+
+         .irq        = 15,
-+AND_i           . 00 100100 . ...... ...... ..... ..... @logic_imm_64
+         .base_addr  = 0xf0804000
-+AND_i           . 00 100100 . ...... ...... ..... ..... @logic_imm_32
+     },
-+ORR_i           . 01 100100 . ...... ...... ..... ..... @logic_imm_64
+-    {
-+ORR_i           . 01 100100 . ...... ...... ..... ..... @logic_imm_32
+-        .irq        = 16,
-+EOR_i           . 10 100100 . ...... ...... ..... ..... @logic_imm_64
+-        .base_addr  = 0xf0806000
-+EOR_i           . 10 100100 . ...... ...... ..... ..... @logic_imm_32
+-    },
-+ANDS_i          . 11 100100 . ...... ...... ..... ..... @logic_imm_64
+-    {
-+ANDS_i          . 11 100100 . ...... ...... ..... ..... @logic_imm_32
+-        .irq        = 17,
-diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+-        .base_addr  = 0xf0808000
-index XXXXXXX..XXXXXXX 100644
+-    }
---- a/target/arm/tcg/translate-a64.c
+ };
-+++ b/target/arm/tcg/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t bitfield_replicate(uint64_t mask, unsigned int e)
+ /* Returns the index of the GMAC module. */
-     return mask;
+@@ -XXX,XX +XXX,XX @@ static uint32_t gmac_read(QTestState *qts, const GMACModule *mod,
      return qtest_readl(qts, mod->base_addr + regno);
  }
--/* Simplified variant of pseudocode DecodeBitMasks() for the case where we
+-static uint16_t pcs_read(QTestState *qts, const GMACModule *mod,
-+/*
+-                          NPCMRegister regno)
-+ * Logical (immediate)
+-{
-+ */
+-    uint32_t write_value = (regno & 0x3ffe00) >> 9;
-+
+-    qtest_writel(qts, PCS_BASE_ADDRESS + NPCM_PCS_IND_AC_BA, write_value);
-+/*
+-    uint32_t read_offset = regno & 0x1ff;
-+ * Simplified variant of pseudocode DecodeBitMasks() for the case where we
+-    return qtest_readl(qts, PCS_BASE_ADDRESS + read_offset);
-  * only require the wmask. Returns false if the imms/immr/immn are a reserved
+-}
-  * value (ie should cause a guest UNDEF exception), and true if they are
+-
-  * valid, in which case the decoded bit pattern is written to result.
+ /* Check that GMAC registers are reset to default value */
-@@ -XXX,XX +XXX,XX @@ bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
+ static void test_init(gconstpointer test_data)
      return true;
  }
 -/* Logical (immediate)
 - *   31  30 29 28         23 22  21  16 15  10 9    5 4    0
 - * +----+-----+-------------+---+------+------+------+------+
 - * | sf | opc | 1 0 0 1 0 0 | N | immr | imms |  Rn  |  Rd  |
 - * +----+-----+-------------+---+------+------+------+------+
 - */
 -static void disas_logic_imm(DisasContext *s, uint32_t insn)
 +static bool gen_rri_log(DisasContext *s, arg_rri_log *a, bool set_cc,
 +                        void (*fn)(TCGv_i64, TCGv_i64, int64_t))
  {
--    unsigned int sf, opc, is_n, immr, imms, rn, rd;
+     const TestData *td = test_data;
-     TCGv_i64 tcg_rd, tcg_rn;
+     const GMACModule *mod = td->module;
--    uint64_t wmask;
+-    QTestState *qts = qtest_init("-machine npcm845-evb");
--    bool is_and = false;
++    QTestState *qts = qtest_init("-machine npcm750-evb");
-+    uint64_t imm;
+ #define CHECK_REG32(regno, value) \
--    sf = extract32(insn, 31, 1);
+     do { \
--    opc = extract32(insn, 29, 2);
+         g_assert_cmphex(gmac_read(qts, mod, (regno)), ==, (value)); \
--    is_n = extract32(insn, 22, 1);
+     } while (0)
--    immr = extract32(insn, 16, 6);
--    imms = extract32(insn, 10, 6);
+-#define CHECK_REG_PCS(regno, value) \
--    rn = extract32(insn, 5, 5);
+-    do { \
--    rd = extract32(insn, 0, 5);
+-        g_assert_cmphex(pcs_read(qts, mod, (regno)), ==, (value)); \
 -    } while (0)
 -
--    if (!sf && is_n) {
+     CHECK_REG32(NPCM_DMA_BUS_MODE, 0x00020100);
--        unallocated_encoding(s);
+     CHECK_REG32(NPCM_DMA_XMT_POLL_DEMAND, 0);
--        return;
+     CHECK_REG32(NPCM_DMA_RCV_POLL_DEMAND, 0);
-+    /* Some immediate field values are reserved. */
+@@ -XXX,XX +XXX,XX @@ static void test_init(gconstpointer test_data)
-+    if (!logic_imm_decode_wmask(&imm, extract32(a->dbm, 12, 1),
+     CHECK_REG32(NPCM_GMAC_PTP_TAR, 0);
-+                                extract32(a->dbm, 0, 6),
+     CHECK_REG32(NPCM_GMAC_PTP_TTSR, 0);
-+                                extract32(a->dbm, 6, 6))) {
-+        return false;
+-    /* TODO Add registers PCS */
-+    }
+-    if (mod->base_addr == 0xf0802000) {
-+    if (!a->sf) {
+-        CHECK_REG_PCS(NPCM_PCS_SR_CTL_ID1, 0x699e);
-+        imm &= 0xffffffffull;
+-        CHECK_REG_PCS(NPCM_PCS_SR_CTL_ID2, 0);
-     }
+-        CHECK_REG_PCS(NPCM_PCS_SR_CTL_STS, 0x8000);
 -    if (opc == 0x3) { /* ANDS */
 -        tcg_rd = cpu_reg(s, rd);
 -    } else {
 -        tcg_rd = cpu_reg_sp(s, rd);
 -    }
 -    tcg_rn = cpu_reg(s, rn);
 +    tcg_rd = set_cc ? cpu_reg(s, a->rd) : cpu_reg_sp(s, a->rd);
 +    tcg_rn = cpu_reg(s, a->rn);
 -    if (!logic_imm_decode_wmask(&wmask, is_n, imms, immr)) {
 -        /* some immediate field values are reserved */
 -        unallocated_encoding(s);
 -        return;
 +    fn(tcg_rd, tcg_rn, imm);
 +    if (set_cc) {
 +        gen_logic_CC(a->sf, tcg_rd);
      }
 -
--    if (!sf) {
+-        CHECK_REG_PCS(NPCM_PCS_SR_MII_CTRL, 0x1140);
--        wmask &= 0xffffffff;
+-        CHECK_REG_PCS(NPCM_PCS_SR_MII_STS, 0x0109);
 -        CHECK_REG_PCS(NPCM_PCS_SR_MII_DEV_ID1, 0x699e);
 -        CHECK_REG_PCS(NPCM_PCS_SR_MII_DEV_ID2, 0x0ced0);
 -        CHECK_REG_PCS(NPCM_PCS_SR_MII_AN_ADV, 0x0020);
 -        CHECK_REG_PCS(NPCM_PCS_SR_MII_LP_BABL, 0);
 -        CHECK_REG_PCS(NPCM_PCS_SR_MII_AN_EXPN, 0);
 -        CHECK_REG_PCS(NPCM_PCS_SR_MII_EXT_STS, 0xc000);
 -
 -        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_ABL, 0x0003);
 -        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_TX_MAX_DLY_LWR, 0x0038);
 -        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_TX_MAX_DLY_UPR, 0);
 -        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_TX_MIN_DLY_LWR, 0x0038);
 -        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_TX_MIN_DLY_UPR, 0);
 -        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_RX_MAX_DLY_LWR, 0x0058);
 -        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_RX_MAX_DLY_UPR, 0);
 -        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_RX_MIN_DLY_LWR, 0x0048);
 -        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_RX_MIN_DLY_UPR, 0);
 -
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MMD_DIG_CTRL1, 0x2400);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_AN_CTRL, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_AN_INTR_STS, 0x000a);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_TC, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_DBG_CTRL, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_EEE_MCTRL0, 0x899c);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_EEE_TXTIMER, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_EEE_RXTIMER, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_LINK_TIMER_CTRL, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_EEE_MCTRL1, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_DIG_STS, 0x0010);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_ICG_ERRCNT1, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MISC_STS, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_RX_LSTS, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_TX_BSTCTRL0, 0x00a);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_TX_LVLCTRL0, 0x007f);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_TX_GENCTRL0, 0x0001);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_TX_GENCTRL1, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_TX_STS, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_RX_GENCTRL0, 0x0100);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_RX_GENCTRL1, 0x1100);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_RX_LOS_CTRL0, 0x000e);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_MPLL_CTRL0, 0x0100);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_MPLL_CTRL1, 0x0032);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_MPLL_STS, 0x0001);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_MISC_CTRL2, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_LVL_CTRL, 0x0019);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_MISC_CTRL0, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_MISC_CTRL1, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_DIG_CTRL2, 0);
 -        CHECK_REG_PCS(NPCM_PCS_VR_MII_DIG_ERRCNT_SEL, 0);
 -    }
 -
--    switch (opc) {
+     qtest_quit(qts);
 -    case 0x3: /* ANDS */
 -    case 0x0: /* AND */
 -        tcg_gen_andi_i64(tcg_rd, tcg_rn, wmask);
 -        is_and = true;
 -        break;
 -    case 0x1: /* ORR */
 -        tcg_gen_ori_i64(tcg_rd, tcg_rn, wmask);
 -        break;
 -    case 0x2: /* EOR */
 -        tcg_gen_xori_i64(tcg_rd, tcg_rn, wmask);
 -        break;
 -    default:
 -        assert(FALSE); /* must handle all above */
 -        break;
 -    }
 -
 -    if (!sf && !is_and) {
 -        /* zero extend final result; we know we can skip this for AND
 -         * since the immediate had the high 32 bits clear.
 -         */
 +    if (!a->sf) {
          tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
      }
 -
 -    if (opc == 3) { /* ANDS */
 -        gen_logic_CC(sf, tcg_rd);
 -    }
 +    return true;
  }
-+TRANS(AND_i, gen_rri_log, a, false, tcg_gen_andi_i64)
+diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
-+TRANS(ORR_i, gen_rri_log, a, false, tcg_gen_ori_i64)
+index XXXXXXX..XXXXXXX 100644
-+TRANS(EOR_i, gen_rri_log, a, false, tcg_gen_xori_i64)
+--- a/tests/qtest/meson.build
-+TRANS(ANDS_i, gen_rri_log, a, true, tcg_gen_andi_i64)
++++ b/tests/qtest/meson.build
-+
+@@ -XXX,XX +XXX,XX @@ qtests_npcm7xx = \
- /*
+    'npcm7xx_sdhci-test',
-  * Move wide (immediate)
+    'npcm7xx_smbus-test',
-  *
+    'npcm7xx_timer-test',
-@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
+-   'npcm7xx_watchdog_timer-test'] + \
- static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
++   'npcm7xx_watchdog_timer-test',
- {
++   'npcm_gmac-test'] + \
-     switch (extract32(insn, 23, 6)) {
+    (slirp.found() ? ['npcm7xx_emc-test'] : [])
--    case 0x24: /* Logical (immediate) */
+ qtests_aspeed = \
--        disas_logic_imm(s, insn);
+   ['aspeed_hace-test',
 -        break;
      case 0x25: /* Move wide (immediate) */
          disas_movw_imm(s, insn);
          break;
 --
 .34.1

-[PULL 17/29] target/arm: Convert Bitfield to decodetree
+[PULL 18/35] hw/arm/smmuv3: add support for stage 1 access fault
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Luc Michel <luc.michel@amd.com>
-Convert the BFM, SBFM, UBFM instructions.
+An access fault is raised when the Access Flag is not set in the
 looked-up PTE and the AFFD field is not set in the corresponding context
 descriptor. This was already implemented for stage 2. Implement it for
 stage 1 as well.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Luc Michel <luc.michel@amd.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Mostafa Saleh <smostafa@google.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20230512144106.3608981-12-peter.maydell@linaro.org
+Tested-by: Mostafa Saleh <smostafa@google.com>
-[PMM: Rebased]
+Message-id: 20240213082211.3330400-1-luc.michel@amd.com
 [PMM: tweaked comment text]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/tcg/a64.decode      |  13 +++
+ hw/arm/smmuv3-internal.h     |  1 +
- target/arm/tcg/translate-a64.c | 144 ++++++++++++++++++---------------
+ include/hw/arm/smmu-common.h |  1 +
-files changed, 94 insertions(+), 63 deletions(-)
+ hw/arm/smmu-common.c         | 11 +++++++++++
  hw/arm/smmuv3.c              |  1 +
 files changed, 14 insertions(+)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/hw/arm/smmuv3-internal.h
-+++ b/target/arm/tcg/a64.decode
++++ b/hw/arm/smmuv3-internal.h
-@@ -XXX,XX +XXX,XX @@ MOVZ            . 10 100101 .. ................ .....   @movw_64
+@@ -XXX,XX +XXX,XX @@ static inline int pa_range(STE *ste)
- MOVZ            . 10 100101 .. ................ .....   @movw_32
+ #define CD_EPD(x, sel)   extract32((x)->word[0], (16 * (sel)) + 14, 1)
- MOVK            . 11 100101 .. ................ .....   @movw_64
+ #define CD_ENDI(x)       extract32((x)->word[0], 15, 1)
- MOVK            . 11 100101 .. ................ .....   @movw_32
+ #define CD_IPS(x)        extract32((x)->word[1], 0 , 3)
 +#define CD_AFFD(x)       extract32((x)->word[1], 3 , 1)
  #define CD_TBI(x)        extract32((x)->word[1], 6 , 2)
  #define CD_HD(x)         extract32((x)->word[1], 10 , 1)
  #define CD_HA(x)         extract32((x)->word[1], 11 , 1)
 diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/arm/smmu-common.h
 +++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUTransCfg {
      bool disabled;             /* smmu is disabled */
      bool bypassed;             /* translation is bypassed */
      bool aborted;              /* translation is aborted */
 +    bool affd;                 /* AF fault disable */
      uint32_t iotlb_hits;       /* counts IOTLB hits */
      uint32_t iotlb_misses;     /* counts IOTLB misses*/
      /* Used by stage-1 only. */
 diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/smmu-common.c
 +++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
                                       pte_addr, pte, iova, gpa,
                                       block_size >> 20);
          }
 +
-+# Bitfield
++        /*
-+
++         * QEMU does not currently implement HTTU, so if AFFD and PTE.AF
-+&bitfield       rd rn sf immr imms
++         * are 0 we take an Access flag fault. (5.4. Context Descriptor)
-+@bitfield_64    1 .. ...... 1 immr:6 imms:6 rn:5 rd:5      &bitfield sf=1
++         * An Access flag fault takes priority over a Permission fault.
-+@bitfield_32    0 .. ...... 0 0 immr:5 0 imms:5 rn:5 rd:5  &bitfield sf=0
++         */
-+
++        if (!PTE_AF(pte) && !cfg->affd) {
-+SBFM            . 00 100110 . ...... ...... ..... ..... @bitfield_64
++            info->type = SMMU_PTW_ERR_ACCESS;
-+SBFM            . 00 100110 . ...... ...... ..... ..... @bitfield_32
++            goto error;
 +BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_64
 +BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_32
 +UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_64
 +UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_32
 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate-a64.c
 +++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_MOVK(DisasContext *s, arg_movw *a)
      return true;
  }
 -/* Bitfield
 - *   31  30 29 28         23 22  21  16 15  10 9    5 4    0
 - * +----+-----+-------------+---+------+------+------+------+
 - * | sf | opc | 1 0 0 1 1 0 | N | immr | imms |  Rn  |  Rd  |
 - * +----+-----+-------------+---+------+------+------+------+
 +/*
 + * Bitfield
   */
 -static void disas_bitfield(DisasContext *s, uint32_t insn)
 +
 +static bool trans_SBFM(DisasContext *s, arg_SBFM *a)
  {
 -    unsigned int sf, n, opc, ri, si, rn, rd, bitsize, pos, len;
 -    TCGv_i64 tcg_rd, tcg_tmp;
 +    TCGv_i64 tcg_rd = cpu_reg(s, a->rd);
 +    TCGv_i64 tcg_tmp = read_cpu_reg(s, a->rn, 1);
 +    unsigned int bitsize = a->sf ? 64 : 32;
 +    unsigned int ri = a->immr;
 +    unsigned int si = a->imms;
 +    unsigned int pos, len;
 -    sf = extract32(insn, 31, 1);
 -    opc = extract32(insn, 29, 2);
 -    n = extract32(insn, 22, 1);
 -    ri = extract32(insn, 16, 6);
 -    si = extract32(insn, 10, 6);
 -    rn = extract32(insn, 5, 5);
 -    rd = extract32(insn, 0, 5);
 -    bitsize = sf ? 64 : 32;
 -
 -    if (sf != n || ri >= bitsize || si >= bitsize || opc > 2) {
 -        unallocated_encoding(s);
 -        return;
 -    }
 -
 -    tcg_rd = cpu_reg(s, rd);
 -
 -    /* Suppress the zero-extend for !sf.  Since RI and SI are constrained
 -       to be smaller than bitsize, we'll never reference data outside the
 -       low 32-bits anyway.  */
 -    tcg_tmp = read_cpu_reg(s, rn, 1);
 -
 -    /* Recognize simple(r) extractions.  */
      if (si >= ri) {
          /* Wd<s-r:0> = Wn<s:r> */
          len = (si - ri) + 1;
 -        if (opc == 0) { /* SBFM: ASR, SBFX, SXTB, SXTH, SXTW */
 -            tcg_gen_sextract_i64(tcg_rd, tcg_tmp, ri, len);
 -            goto done;
 -        } else if (opc == 2) { /* UBFM: UBFX, LSR, UXTB, UXTH */
 -            tcg_gen_extract_i64(tcg_rd, tcg_tmp, ri, len);
 -            return;
 +        tcg_gen_sextract_i64(tcg_rd, tcg_tmp, ri, len);
 +        if (!a->sf) {
 +            tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
          }
 -        /* opc == 1, BFXIL fall through to deposit */
 +    } else {
 +        /* Wd<32+s-r,32-r> = Wn<s:0> */
 +        len = si + 1;
 +        pos = (bitsize - ri) & (bitsize - 1);
 +
 +        if (len < ri) {
 +            /*
 +             * Sign extend the destination field from len to fill the
 +             * balance of the word.  Let the deposit below insert all
 +             * of those sign bits.
 +             */
 +            tcg_gen_sextract_i64(tcg_tmp, tcg_tmp, 0, len);
 +            len = ri;
 +        }
 +
-+        /*
+         ap = PTE_AP(pte);
-+         * We start with zero, and we haven't modified any bits outside
+         if (is_permission_fault(ap, perm)) {
-+         * bitsize, therefore no final zero-extension is unneeded for !sf.
+             info->type = SMMU_PTW_ERR_PERMISSION;
-+         */
+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-+        tcg_gen_deposit_z_i64(tcg_rd, tcg_tmp, pos, len);
+index XXXXXXX..XXXXXXX 100644
-+    }
+--- a/hw/arm/smmuv3.c
-+    return true;
++++ b/hw/arm/smmuv3.c
-+}
+@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUTransCfg *cfg, CD *cd, SMMUEventInfo *event)
-+
+     cfg->oas = MIN(oas2bits(SMMU_IDR5_OAS), cfg->oas);
-+static bool trans_UBFM(DisasContext *s, arg_UBFM *a)
+     cfg->tbi = CD_TBI(cd);
-+{
+     cfg->asid = CD_ASID(cd);
-+    TCGv_i64 tcg_rd = cpu_reg(s, a->rd);
++    cfg->affd = CD_AFFD(cd);
-+    TCGv_i64 tcg_tmp = read_cpu_reg(s, a->rn, 1);
-+    unsigned int bitsize = a->sf ? 64 : 32;
+     trace_smmuv3_decode_cd(cfg->oas);
-+    unsigned int ri = a->immr;
 +    unsigned int si = a->imms;
 +    unsigned int pos, len;
 +
 +    tcg_rd = cpu_reg(s, a->rd);
 +    tcg_tmp = read_cpu_reg(s, a->rn, 1);
 +
 +    if (si >= ri) {
 +        /* Wd<s-r:0> = Wn<s:r> */
 +        len = (si - ri) + 1;
 +        tcg_gen_extract_i64(tcg_rd, tcg_tmp, ri, len);
 +    } else {
 +        /* Wd<32+s-r,32-r> = Wn<s:0> */
 +        len = si + 1;
 +        pos = (bitsize - ri) & (bitsize - 1);
 +        tcg_gen_deposit_z_i64(tcg_rd, tcg_tmp, pos, len);
 +    }
 +    return true;
 +}
 +
 +static bool trans_BFM(DisasContext *s, arg_BFM *a)
 +{
 +    TCGv_i64 tcg_rd = cpu_reg(s, a->rd);
 +    TCGv_i64 tcg_tmp = read_cpu_reg(s, a->rn, 1);
 +    unsigned int bitsize = a->sf ? 64 : 32;
 +    unsigned int ri = a->immr;
 +    unsigned int si = a->imms;
 +    unsigned int pos, len;
 +
 +    tcg_rd = cpu_reg(s, a->rd);
 +    tcg_tmp = read_cpu_reg(s, a->rn, 1);
 +
 +    if (si >= ri) {
 +        /* Wd<s-r:0> = Wn<s:r> */
          tcg_gen_shri_i64(tcg_tmp, tcg_tmp, ri);
 +        len = (si - ri) + 1;
          pos = 0;
      } else {
 -        /* Handle the ri > si case with a deposit
 -         * Wd<32+s-r,32-r> = Wn<s:0>
 -         */
 +        /* Wd<32+s-r,32-r> = Wn<s:0> */
          len = si + 1;
          pos = (bitsize - ri) & (bitsize - 1);
      }
 -    if (opc == 0 && len < ri) {
 -        /* SBFM: sign extend the destination field from len to fill
 -           the balance of the word.  Let the deposit below insert all
 -           of those sign bits.  */
 -        tcg_gen_sextract_i64(tcg_tmp, tcg_tmp, 0, len);
 -        len = ri;
 -    }
 -
 -    if (opc == 1) { /* BFM, BFXIL */
 -        tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_tmp, pos, len);
 -    } else {
 -        /* SBFM or UBFM: We start with zero, and we haven't modified
 -           any bits outside bitsize, therefore the zero-extension
 -           below is unneeded.  */
 -        tcg_gen_deposit_z_i64(tcg_rd, tcg_tmp, pos, len);
 -        return;
 -    }
 -
 - done:
 -    if (!sf) { /* zero extend final result */
 +    tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_tmp, pos, len);
 +    if (!a->sf) {
          tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
      }
 +    return true;
  }
  /* Extract
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
  static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
  {
      switch (extract32(insn, 23, 6)) {
 -    case 0x26: /* Bitfield */
 -        disas_bitfield(s, insn);
 -        break;
      case 0x27: /* Extract */
          disas_extract(s, insn);
          break;
 --
 .34.1

-[PULL 10/29] target/arm: Convert PC-rel addressing to decodetree
+[PULL 19/35] hw/arm/stellaris: Convert ADC controller to Resettable interface
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Philippe Mathieu-Daudé <philmd@linaro.org>
-Convert the ADR and ADRP instructions.
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20230512144106.3608981-5-peter.maydell@linaro.org
+Message-id: 20240213155214.13619-2-philmd@linaro.org
 [PMM: Rebased]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/tcg/a64.decode      | 13 ++++++++++++
+ hw/arm/stellaris.c | 6 ++++--
- target/arm/tcg/translate-a64.c | 38 +++++++++++++---------------------
+file changed, 4 insertions(+), 2 deletions(-)
 files changed, 27 insertions(+), 24 deletions(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/hw/arm/stellaris.c
-+++ b/target/arm/tcg/a64.decode
++++ b/hw/arm/stellaris.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void stellaris_adc_trigger(void *opaque, int irq, int level)
  #
  # This file is processed by scripts/decodetree.py
  #
 +
 +&ri              rd imm
 +
 +
 +### Data Processing - Immediate
 +
 +# PC-rel addressing
 +
 +%imm_pcrel      5:s19 29:2
 +@pcrel          . .. ..... ................... rd:5     &ri imm=%imm_pcrel
 +
 +ADR             0 .. 10000 ................... .....    @pcrel
 +ADRP            1 .. 10000 ................... .....    @pcrel
 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate-a64.c
 +++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_ldst(DisasContext *s, uint32_t insn)
      }
  }
--/* PC-rel. addressing
+-static void stellaris_adc_reset(StellarisADCState *s)
-- *   31  30   29 28       24 23                5 4    0
++static void stellaris_adc_reset_hold(Object *obj)
 - * +----+-------+-----------+-------------------+------+
 - * | op | immlo | 1 0 0 0 0 |       immhi       |  Rd  |
 - * +----+-------+-----------+-------------------+------+
 +/*
 + * PC-rel. addressing
   */
 -static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
 +
 +static bool trans_ADR(DisasContext *s, arg_ri *a)
  {
--    unsigned int page, rd;
++    StellarisADCState *s = STELLARIS_ADC(obj);
--    int64_t offset;
+     int n;
-+    gen_pc_plus_diff(s, cpu_reg(s, a->rd), a->imm);
-+    return true;
+     for (n = 0; n < 4; n++) {
-+}
+@@ -XXX,XX +XXX,XX @@ static void stellaris_adc_init(Object *obj)
+     memory_region_init_io(&s->iomem, obj, &stellaris_adc_ops, s,
--    page = extract32(insn, 31, 1);
+                           "adc", 0x1000);
--    /* SignExtend(immhi:immlo) -> offset */
+     sysbus_init_mmio(sbd, &s->iomem);
--    offset = sextract64(insn, 5, 19);
+-    stellaris_adc_reset(s);
--    offset = offset << 2 | extract32(insn, 29, 2);
+     qdev_init_gpio_in(dev, stellaris_adc_trigger, 1);
 -    rd = extract32(insn, 0, 5);
 +static bool trans_ADRP(DisasContext *s, arg_ri *a)
 +{
 +    int64_t offset = (int64_t)a->imm << 12;
 -    if (page) {
 -        /* ADRP (page based) */
 -        offset <<= 12;
 -        /* The page offset is ok for CF_PCREL. */
 -        offset -= s->pc_curr & 0xfff;
 -    }
 -
 -    gen_pc_plus_diff(s, cpu_reg(s, rd), offset);
 +    /* The page offset is ok for CF_PCREL. */
 +    offset -= s->pc_curr & 0xfff;
 +    gen_pc_plus_diff(s, cpu_reg(s, a->rd), offset);
 +    return true;
  }
- /*
+@@ -XXX,XX +XXX,XX @@ static const TypeInfo stellaris_i2c_info = {
-@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
+ static void stellaris_adc_class_init(ObjectClass *klass, void *data)
  static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
  {
-     switch (extract32(insn, 23, 6)) {
+     DeviceClass *dc = DEVICE_CLASS(klass);
--    case 0x20: case 0x21: /* PC-rel. addressing */
++    ResettableClass *rc = RESETTABLE_CLASS(klass);
--        disas_pc_rel_adr(s, insn);
--        break;
++    rc->phases.hold = stellaris_adc_reset_hold;
-     case 0x22: /* Add/subtract (immediate) */
+     dc->vmsd = &vmstate_stellaris_adc;
-         disas_add_sub_imm(s, insn);
+ }
-         break;
 --
 .34.1

-[PULL 11/29] target/arm: Split gen_add_CC and gen_sub_CC
+[PULL 20/35] hw/arm/stellaris: Convert I2C controller to Resettable interface
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Philippe Mathieu-Daudé <philmd@linaro.org>
-Split out specific 32-bit and 64-bit functions.
+Suggested-by: Peter Maydell <peter.maydell@linaro.org>
-These carry the same signature as tcg_gen_add_i64,
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-and so will be easier to pass as callbacks.
+Message-id: 20240213155214.13619-3-philmd@linaro.org
 Retain gen_add_CC and gen_sub_CC during conversion.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20230512144106.3608981-6-peter.maydell@linaro.org
 [PMM: rebased]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/tcg/translate-a64.c | 149 +++++++++++++++++++--------------
+ hw/arm/stellaris.c | 26 ++++++++++++++++++++++----
-file changed, 84 insertions(+), 65 deletions(-)
+file changed, 22 insertions(+), 4 deletions(-)
-diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/translate-a64.c
+--- a/hw/arm/stellaris.c
-+++ b/target/arm/tcg/translate-a64.c
++++ b/hw/arm/stellaris.c
-@@ -XXX,XX +XXX,XX @@ static inline void gen_logic_CC(int sf, TCGv_i64 result)
+@@ -XXX,XX +XXX,XX @@ static void stellaris_sys_instance_init(Object *obj)
      s->sysclk = qdev_init_clock_out(DEVICE(s), "SYSCLK");
  }
- /* dest = T0 + T1; compute C, N, V and Z flags */
+-/* I2C controller.  */
-+static void gen_add64_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
++/*
-+{
++ * I2C controller.
-+    TCGv_i64 result, flag, tmp;
++ * ??? For now we only implement the master interface.
-+    result = tcg_temp_new_i64();
++ */
-+    flag = tcg_temp_new_i64();
-+    tmp = tcg_temp_new_i64();
+ #define TYPE_STELLARIS_I2C "stellaris-i2c"
  OBJECT_DECLARE_SIMPLE_TYPE(stellaris_i2c_state, STELLARIS_I2C)
@@ -XXX,XX +XXX,XX @@ static void stellaris_i2c_write(void *opaque, hwaddr offset,
      stellaris_i2c_update(s);
  }
 -static void stellaris_i2c_reset(stellaris_i2c_state *s)
 +static void stellaris_i2c_reset_enter(Object *obj, ResetType type)
  {
 +    stellaris_i2c_state *s = STELLARIS_I2C(obj);
 +
-+    tcg_gen_movi_i64(tmp, 0);
+     if (s->mcs & STELLARIS_I2C_MCS_BUSBSY)
-+    tcg_gen_add2_i64(result, flag, t0, tmp, t1, tmp);
+         i2c_end_transfer(s->bus);
 +
 +    tcg_gen_extrl_i64_i32(cpu_CF, flag);
 +
 +    gen_set_NZ64(result);
 +
 +    tcg_gen_xor_i64(flag, result, t0);
 +    tcg_gen_xor_i64(tmp, t0, t1);
 +    tcg_gen_andc_i64(flag, flag, tmp);
 +    tcg_gen_extrh_i64_i32(cpu_VF, flag);
 +
 +    tcg_gen_mov_i64(dest, result);
 +}
 +
-+static void gen_add32_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
++static void stellaris_i2c_reset_hold(Object *obj)
 +{
-+    TCGv_i32 t0_32 = tcg_temp_new_i32();
++    stellaris_i2c_state *s = STELLARIS_I2C(obj);
-+    TCGv_i32 t1_32 = tcg_temp_new_i32();
-+    TCGv_i32 tmp = tcg_temp_new_i32();
+     s->msa = 0;
-+
+     s->mcs = 0;
-+    tcg_gen_movi_i32(tmp, 0);
+@@ -XXX,XX +XXX,XX @@ static void stellaris_i2c_reset(stellaris_i2c_state *s)
-+    tcg_gen_extrl_i64_i32(t0_32, t0);
+     s->mimr = 0;
-+    tcg_gen_extrl_i64_i32(t1_32, t1);
+     s->mris = 0;
-+    tcg_gen_add2_i32(cpu_NF, cpu_CF, t0_32, tmp, t1_32, tmp);
+     s->mcr = 0;
 +    tcg_gen_mov_i32(cpu_ZF, cpu_NF);
 +    tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
 +    tcg_gen_xor_i32(tmp, t0_32, t1_32);
 +    tcg_gen_andc_i32(cpu_VF, cpu_VF, tmp);
 +    tcg_gen_extu_i32_i64(dest, cpu_NF);
 +}
 +
- static void gen_add_CC(int sf, TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
++static void stellaris_i2c_reset_exit(Object *obj)
 +{
 +    stellaris_i2c_state *s = STELLARIS_I2C(obj);
 +
      stellaris_i2c_update(s);
  }
@@ -XXX,XX +XXX,XX @@ static void stellaris_i2c_init(Object *obj)
      memory_region_init_io(&s->iomem, obj, &stellaris_i2c_ops, s,
                            "i2c", 0x1000);
      sysbus_init_mmio(sbd, &s->iomem);
 -    /* ??? For now we only implement the master interface.  */
 -    stellaris_i2c_reset(s);
  }
  /* Analogue to Digital Converter.  This is only partially implemented,
@@ -XXX,XX +XXX,XX @@ type_init(stellaris_machine_init)
  static void stellaris_i2c_class_init(ObjectClass *klass, void *data)
  {
-     if (sf) {
+     DeviceClass *dc = DEVICE_CLASS(klass);
--        TCGv_i64 result, flag, tmp;
++    ResettableClass *rc = RESETTABLE_CLASS(klass);
--        result = tcg_temp_new_i64();
--        flag = tcg_temp_new_i64();
++    rc->phases.enter = stellaris_i2c_reset_enter;
--        tmp = tcg_temp_new_i64();
++    rc->phases.hold = stellaris_i2c_reset_hold;
--
++    rc->phases.exit = stellaris_i2c_reset_exit;
--        tcg_gen_movi_i64(tmp, 0);
+     dc->vmsd = &vmstate_stellaris_i2c;
 -        tcg_gen_add2_i64(result, flag, t0, tmp, t1, tmp);
 -
 -        tcg_gen_extrl_i64_i32(cpu_CF, flag);
 -
 -        gen_set_NZ64(result);
 -
 -        tcg_gen_xor_i64(flag, result, t0);
 -        tcg_gen_xor_i64(tmp, t0, t1);
 -        tcg_gen_andc_i64(flag, flag, tmp);
 -        tcg_gen_extrh_i64_i32(cpu_VF, flag);
 -
 -        tcg_gen_mov_i64(dest, result);
 +        gen_add64_CC(dest, t0, t1);
      } else {
 -        /* 32 bit arithmetic */
 -        TCGv_i32 t0_32 = tcg_temp_new_i32();
 -        TCGv_i32 t1_32 = tcg_temp_new_i32();
 -        TCGv_i32 tmp = tcg_temp_new_i32();
 -
 -        tcg_gen_movi_i32(tmp, 0);
 -        tcg_gen_extrl_i64_i32(t0_32, t0);
 -        tcg_gen_extrl_i64_i32(t1_32, t1);
 -        tcg_gen_add2_i32(cpu_NF, cpu_CF, t0_32, tmp, t1_32, tmp);
 -        tcg_gen_mov_i32(cpu_ZF, cpu_NF);
 -        tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
 -        tcg_gen_xor_i32(tmp, t0_32, t1_32);
 -        tcg_gen_andc_i32(cpu_VF, cpu_VF, tmp);
 -        tcg_gen_extu_i32_i64(dest, cpu_NF);
 +        gen_add32_CC(dest, t0, t1);
      }
  }
- /* dest = T0 - T1; compute C, N, V and Z flags */
-+static void gen_sub64_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
-+{
-+    /* 64 bit arithmetic */
-+    TCGv_i64 result, flag, tmp;
-+
-+    result = tcg_temp_new_i64();
-+    flag = tcg_temp_new_i64();
-+    tcg_gen_sub_i64(result, t0, t1);
-+
-+    gen_set_NZ64(result);
-+
-+    tcg_gen_setcond_i64(TCG_COND_GEU, flag, t0, t1);
-+    tcg_gen_extrl_i64_i32(cpu_CF, flag);
-+
-+    tcg_gen_xor_i64(flag, result, t0);
-+    tmp = tcg_temp_new_i64();
-+    tcg_gen_xor_i64(tmp, t0, t1);
-+    tcg_gen_and_i64(flag, flag, tmp);
-+    tcg_gen_extrh_i64_i32(cpu_VF, flag);
-+    tcg_gen_mov_i64(dest, result);
-+}
-+
-+static void gen_sub32_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
-+{
-+    /* 32 bit arithmetic */
-+    TCGv_i32 t0_32 = tcg_temp_new_i32();
-+    TCGv_i32 t1_32 = tcg_temp_new_i32();
-+    TCGv_i32 tmp;
-+
-+    tcg_gen_extrl_i64_i32(t0_32, t0);
-+    tcg_gen_extrl_i64_i32(t1_32, t1);
-+    tcg_gen_sub_i32(cpu_NF, t0_32, t1_32);
-+    tcg_gen_mov_i32(cpu_ZF, cpu_NF);
-+    tcg_gen_setcond_i32(TCG_COND_GEU, cpu_CF, t0_32, t1_32);
-+    tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
-+    tmp = tcg_temp_new_i32();
-+    tcg_gen_xor_i32(tmp, t0_32, t1_32);
-+    tcg_gen_and_i32(cpu_VF, cpu_VF, tmp);
-+    tcg_gen_extu_i32_i64(dest, cpu_NF);
-+}
-+
- static void gen_sub_CC(int sf, TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
- {
-     if (sf) {
--        /* 64 bit arithmetic */
--        TCGv_i64 result, flag, tmp;
--
--        result = tcg_temp_new_i64();
--        flag = tcg_temp_new_i64();
--        tcg_gen_sub_i64(result, t0, t1);
--
--        gen_set_NZ64(result);
--
--        tcg_gen_setcond_i64(TCG_COND_GEU, flag, t0, t1);
--        tcg_gen_extrl_i64_i32(cpu_CF, flag);
--
--        tcg_gen_xor_i64(flag, result, t0);
--        tmp = tcg_temp_new_i64();
--        tcg_gen_xor_i64(tmp, t0, t1);
--        tcg_gen_and_i64(flag, flag, tmp);
--        tcg_gen_extrh_i64_i32(cpu_VF, flag);
--        tcg_gen_mov_i64(dest, result);
-+        gen_sub64_CC(dest, t0, t1);
-     } else {
--        /* 32 bit arithmetic */
--        TCGv_i32 t0_32 = tcg_temp_new_i32();
--        TCGv_i32 t1_32 = tcg_temp_new_i32();
--        TCGv_i32 tmp;
--
--        tcg_gen_extrl_i64_i32(t0_32, t0);
--        tcg_gen_extrl_i64_i32(t1_32, t1);
--        tcg_gen_sub_i32(cpu_NF, t0_32, t1_32);
--        tcg_gen_mov_i32(cpu_ZF, cpu_NF);
--        tcg_gen_setcond_i32(TCG_COND_GEU, cpu_CF, t0_32, t1_32);
--        tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
--        tmp = tcg_temp_new_i32();
--        tcg_gen_xor_i32(tmp, t0_32, t1_32);
--        tcg_gen_and_i32(cpu_VF, cpu_VF, tmp);
--        tcg_gen_extu_i32_i64(dest, cpu_NF);
-+        gen_sub32_CC(dest, t0, t1);
-     }
- }
 --
 .34.1

-[PULL 06/29] sbsa-ref: use Bochs graphics card instead of VGA
+[PULL 21/35] hw/arm/stellaris: Add missing QOM 'machine' parent
-From: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
+From: Philippe Mathieu-Daudé <philmd@linaro.org>
-Bochs card is normal PCI Express card so it fits better in system with
+QDev objects created with qdev_new() need to manually add
-PCI Express bus. VGA is simple legacy PCI card.
+their parent relationship with object_property_add_child().
-Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
+This commit plug the devices which aren't part of the SoC;
-Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
+they will be plugged into a SoC container in the next one.
-Message-id: 20230505120936.1097060-1-marcin.juszkiewicz@linaro.org
 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20240213155214.13619-4-philmd@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/sbsa-ref.c | 2 +-
+ hw/arm/stellaris.c | 4 ++++
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 4 insertions(+)
-diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
+diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/sbsa-ref.c
+--- a/hw/arm/stellaris.c
-+++ b/hw/arm/sbsa-ref.c
++++ b/hw/arm/stellaris.c
-@@ -XXX,XX +XXX,XX @@ static void create_pcie(SBSAMachineState *sms)
+@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
                                     &error_fatal);
              ssddev = qdev_new("ssd0323");
 +            object_property_add_child(OBJECT(ms), "oled", OBJECT(ssddev));
              qdev_prop_set_uint8(ssddev, "cs", 1);
              qdev_realize_and_unref(ssddev, bus, &error_fatal);
              gpio_d_splitter = qdev_new(TYPE_SPLIT_IRQ);
 +            object_property_add_child(OBJECT(ms), "splitter",
 +                                      OBJECT(gpio_d_splitter));
              qdev_prop_set_uint32(gpio_d_splitter, "num-lines", 2);
              qdev_realize_and_unref(gpio_d_splitter, NULL, &error_fatal);
              qdev_connect_gpio_out(
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
          DeviceState *gpad;
          gpad = qdev_new(TYPE_STELLARIS_GAMEPAD);
 +        object_property_add_child(OBJECT(ms), "gamepad", OBJECT(gpad));
          for (i = 0; i < ARRAY_SIZE(gpad_keycode); i++) {
              qlist_append_int(gpad_keycode_list, gpad_keycode[i]);
          }
-     }
--    pci_create_simple(pci->bus, -1, "VGA");
-+    pci_create_simple(pci->bus, -1, "bochs-display");
-     create_smmu(sms, pci->bus);
- }
 --
 .34.1

-[PULL 05/29] target/arm: add RAZ/WI handling for DBGDTR[TX|RX]
+[PULL 22/35] hw/arm/stellaris: Add missing QOM 'SoC' parent
-From: Alex Bennée <alex.bennee@linaro.org>
+From: Philippe Mathieu-Daudé <philmd@linaro.org>
-The commit b3aa2f2128 (target/arm: provide stubs for more external
+QDev objects created with qdev_new() need to manually add
-debug registers) was added to handle HyperV's unconditional usage of
+their parent relationship with object_property_add_child().
 Debug Communications Channel. It turns out that Linux will similarly
 break if you enable CONFIG_HVC_DCC "ARM JTAG DCC console".
-Extend the registers we RAZ/WI set to avoid this.
+Since we don't model the SoC, just use a QOM container.
-Cc: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Cc: Evgeny Iakovlev <eiakovlev@linux.microsoft.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20240213155214.13619-5-philmd@linaro.org
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20230516104420.407912-1-alex.bennee@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/debug_helper.c | 11 +++++++++--
+ hw/arm/stellaris.c | 11 ++++++++++-
-file changed, 9 insertions(+), 2 deletions(-)
+file changed, 10 insertions(+), 1 deletion(-)
-diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
+diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/debug_helper.c
+--- a/hw/arm/stellaris.c
-+++ b/target/arm/debug_helper.c
++++ b/hw/arm/stellaris.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
+@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
-       .access = PL0_R, .accessfn = access_tdcc,
+      * 400fe000 system control
-       .type = ARM_CP_CONST, .resetvalue = 0 },
+      */
 +    Object *soc_container;
      DeviceState *gpio_dev[7], *nvic;
      qemu_irq gpio_in[7][8];
      qemu_irq gpio_out[7][8];
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
      flash_size = (((board->dc0 & 0xffff) + 1) << 1) * 1024;
      sram_size = ((board->dc0 >> 18) + 1) * 1024;
 +    soc_container = object_new("container");
 +    object_property_add_child(OBJECT(ms), "soc", soc_container);
 +
      /* Flash programming is done via the SCU, so pretend it is ROM.  */
      memory_region_init_rom(flash, NULL, "stellaris.flash", flash_size,
                             &error_fatal);
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
       * need its sysclk output.
       */
      ssys_dev = qdev_new(TYPE_STELLARIS_SYS);
 +    object_property_add_child(soc_container, "sys", OBJECT(ssys_dev));
      /*
--     * OSDTRRX_EL1/OSDTRTX_EL1 are used for save and restore of DBGDTRRX_EL0.
+      * Most devices come preprogrammed with a MAC address in the user data.
--     * It is a component of the Debug Communications Channel, which is not implemented.
+@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
-+     * These registers belong to the Debug Communications Channel,
+     sysbus_realize_and_unref(SYS_BUS_DEVICE(ssys_dev), &error_fatal);
-+     * which is not implemented. However we implement RAZ/WI behaviour
-+     * with trapping to prevent spurious SIGILLs if the guest OS does
+     nvic = qdev_new(TYPE_ARMV7M);
-+     * access them as the support cannot be probed for.
++    object_property_add_child(soc_container, "v7m", OBJECT(nvic));
-      */
+     qdev_prop_set_uint32(nvic, "num-irq", NUM_IRQ_LINES);
-     { .name = "OSDTRRX_EL1", .state = ARM_CP_STATE_BOTH, .cp = 14,
+     qdev_prop_set_uint8(nvic, "num-prio-bits", NUM_PRIO_BITS);
-       .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 2,
+     qdev_prop_set_string(nvic, "cpu-type", ms->cpu_type);
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
+@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
-       .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2,
-       .access = PL1_RW, .accessfn = access_tdcc,
+             dev = qdev_new(TYPE_STELLARIS_GPTM);
-       .type = ARM_CP_CONST, .resetvalue = 0 },
+             sbd = SYS_BUS_DEVICE(dev);
-+    /* DBGDTRTX_EL0/DBGDTRRX_EL0 depend on direction */
++            object_property_add_child(soc_container, "gptm[*]", OBJECT(dev));
-+    { .name = "DBGDTR_EL0", .state = ARM_CP_STATE_BOTH, .cp = 14,
+             qdev_connect_clock_in(dev, "clk",
-+      .opc0 = 2, .opc1 = 3, .crn = 0, .crm = 5, .opc2 = 0,
+                                   qdev_get_clock_out(ssys_dev, "SYSCLK"));
-+      .access = PL0_RW, .accessfn = access_tdcc,
+             sysbus_realize_and_unref(sbd, &error_fatal);
-+      .type = ARM_CP_CONST, .resetvalue = 0 },
+@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
-     /*
-      * OSECCR_EL1 provides a mechanism for an operating system
+     if (board->dc1 & (1 << 3)) { /* watchdog present */
-      * to access the contents of EDECCR. EDECCR is not implemented though,
+         dev = qdev_new(TYPE_LUMINARY_WATCHDOG);
 -
 +        object_property_add_child(soc_container, "wdg", OBJECT(dev));
          qdev_connect_clock_in(dev, "WDOGCLK",
                                qdev_get_clock_out(ssys_dev, "SYSCLK"));
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
              SysBusDevice *sbd;
              dev = qdev_new("pl011_luminary");
 +            object_property_add_child(soc_container, "uart[*]", OBJECT(dev));
              sbd = SYS_BUS_DEVICE(dev);
              qdev_prop_set_chr(dev, "chardev", serial_hd(i));
              sysbus_realize_and_unref(sbd, &error_fatal);
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
          DeviceState *enet;
          enet = qdev_new("stellaris_enet");
 +        object_property_add_child(soc_container, "enet", OBJECT(enet));
          if (nd) {
              qdev_set_nic_properties(enet, nd);
          } else {
 --
 .34.1

-[PULL 21/29] target/arm: Convert TBZ, TBNZ to decodetree
+[PULL 23/35] target/arm: Use new CBAR encoding for all v8 CPUs, not all aarch64 CPUs
-Convert the test-and-branch-immediate insns TBZ and TBNZ
+We support two different encodings for the AArch32 IMPDEF
-to decodetree.
+CBAR register -- older cores like the Cortex A9, A7, A15
 have this at 4, c15, c0, 0; newer cores like the
 Cortex A35, A53, A57 and A72 have it at 1 c15 c0 0.
 When we implemented this we picked which encoding to
 use based on whether the CPU set ARM_FEATURE_AARCH64.
 However this isn't right for three cases:
  * the qemu-system-arm 'max' CPU, which is supposed to be
    a variant on a Cortex-A57; it ought to use the same
    encoding the A57 does and which the AArch64 'max'
    exposes to AArch32 guest code
  * the Cortex-R52, which is AArch32-only but has the CBAR
    at the newer encoding (and where we incorrectly are
    not yet setting ARM_FEATURE_CBAR_RO anyway)
  * any possible future support for other v8 AArch32
    only CPUs, or for supporting "boot the CPU into
    AArch32 mode" on our existing cores like the A57 etc
 Make the decision of the encoding be based on whether
 the CPU implements the ARM_FEATURE_V8 flag instead.
 This changes the behaviour only for the qemu-system-arm
 '-cpu max'. We don't expect anybody to be relying on the
 old behaviour because:
  * it's not what the real hardware Cortex-A57 does
    (and that's what our ID register claims we are)
  * we don't implement the memory-mapped GICv3 support
    which is the only thing that exists at the peripheral
    base address pointed to by the register
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20230512144106.3608981-16-peter.maydell@linaro.org
+Message-id: 20240206132931.38376-2-peter.maydell@linaro.org
 ---
- target/arm/tcg/a64.decode      |  6 ++++++
+ target/arm/helper.c | 2 +-
- target/arm/tcg/translate-a64.c | 25 +++++--------------------
+file changed, 1 insertion(+), 1 deletion(-)
 files changed, 11 insertions(+), 20 deletions(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/target/arm/helper.c
-+++ b/target/arm/tcg/a64.decode
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ BL              1 00101 .......................... @branch
+@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
- &cbz     rt imm sf nz
+          * AArch64 cores we might need to add a specific feature flag
+          * to indicate cores with "flavour 2" CBAR.
- CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
+          */
-+
+-        if (arm_feature(env, ARM_FEATURE_AARCH64)) {
-+%imm14     5:s14 !function=times_4
++        if (arm_feature(env, ARM_FEATURE_V8)) {
-+%imm31_19  31:1 19:5
+             /* 32 bit view is [31:18] 0...0 [43:32]. */
-+&tbz       rt imm nz bitpos
+             uint32_t cbar32 = (extract64(cpu->reset_cbar, 18, 14) << 18)
-+
+                 | extract64(cpu->reset_cbar, 32, 12);
 +TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate-a64.c
 +++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_CBZ(DisasContext *s, arg_cbz *a)
      return true;
  }
 -/* Test and branch (immediate)
 - *   31  30         25  24  23   19 18          5 4    0
 - * +----+-------------+----+-------+-------------+------+
 - * | b5 | 0 1 1 0 1 1 | op |  b40  |    imm14    |  Rt  |
 - * +----+-------------+----+-------+-------------+------+
 - */
 -static void disas_test_b_imm(DisasContext *s, uint32_t insn)
 +static bool trans_TBZ(DisasContext *s, arg_tbz *a)
  {
 -    unsigned int bit_pos, op, rt;
 -    int64_t diff;
      DisasLabel match;
      TCGv_i64 tcg_cmp;
 -    bit_pos = (extract32(insn, 31, 1) << 5) | extract32(insn, 19, 5);
 -    op = extract32(insn, 24, 1); /* 0: TBZ; 1: TBNZ */
 -    diff = sextract32(insn, 5, 14) * 4;
 -    rt = extract32(insn, 0, 5);
 -
      tcg_cmp = tcg_temp_new_i64();
 -    tcg_gen_andi_i64(tcg_cmp, cpu_reg(s, rt), (1ULL << bit_pos));
 +    tcg_gen_andi_i64(tcg_cmp, cpu_reg(s, a->rt), 1ULL << a->bitpos);
      reset_btype(s);
      match = gen_disas_label(s);
 -    tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
 +    tcg_gen_brcondi_i64(a->nz ? TCG_COND_NE : TCG_COND_EQ,
                          tcg_cmp, 0, match.label);
      gen_goto_tb(s, 0, 4);
      set_disas_label(s, match);
 -    gen_goto_tb(s, 1, diff);
 +    gen_goto_tb(s, 1, a->imm);
 +    return true;
  }
  /* Conditional branch (immediate)
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
  static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
  {
      switch (extract32(insn, 25, 7)) {
 -    case 0x1b: case 0x5b: /* Test & branch (immediate) */
 -        disas_test_b_imm(s, insn);
 -        break;
      case 0x2a: /* Conditional branch (immediate) */
          disas_cond_b_imm(s, insn);
          break;
 --
 .34.1

-[PULL 20/29] target/arm: Convert CBZ, CBNZ to decodetree
+[PULL 24/35] target/arm: The Cortex-R52 has a read-only CBAR
-Convert the compare-and-branch-immediate insns CBZ and CBNZ
+The Cortex-R52 implements the Configuration Base Address Register
-to decodetree.
+(CBAR), as a read-only register.  Add ARM_FEATURE_CBAR_RO to this CPU
 type, so that our implementation provides the register and the
 associated qdev property.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20230512144106.3608981-15-peter.maydell@linaro.org
+Message-id: 20240206132931.38376-3-peter.maydell@linaro.org
 ---
- target/arm/tcg/a64.decode      |  5 +++++
+ target/arm/tcg/cpu32.c | 1 +
- target/arm/tcg/translate-a64.c | 26 ++++++--------------------
+file changed, 1 insertion(+)
 files changed, 11 insertions(+), 20 deletions(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/target/arm/tcg/cpu32.c b/target/arm/tcg/cpu32.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/target/arm/tcg/cpu32.c
-+++ b/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/cpu32.c
-@@ -XXX,XX +XXX,XX @@ EXTR            0 00 100111 0 0 rm:5 0 imm:5 rn:5 rd:5   &extract sf=0
+@@ -XXX,XX +XXX,XX @@ static void cortex_r52_initfn(Object *obj)
+     set_feature(&cpu->env, ARM_FEATURE_PMSA);
- B               0 00101 .......................... @branch
+     set_feature(&cpu->env, ARM_FEATURE_NEON);
- BL              1 00101 .......................... @branch
+     set_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER);
-+
++    set_feature(&cpu->env, ARM_FEATURE_CBAR_RO);
-+%imm19   5:s19 !function=times_4
+     cpu->midr = 0x411fd133; /* r1p3 */
-+&cbz     rt imm sf nz
+     cpu->revidr = 0x00000000;
-+
+     cpu->reset_fpsid = 0x41034023;
 +CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate-a64.c
 +++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_BL(DisasContext *s, arg_i *a)
      return true;
  }
 -/* Compare and branch (immediate)
 - *   31  30         25  24  23                  5 4      0
 - * +----+-------------+----+---------------------+--------+
 - * | sf | 0 1 1 0 1 0 | op |         imm19       |   Rt   |
 - * +----+-------------+----+---------------------+--------+
 - */
 -static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
 +
 +static bool trans_CBZ(DisasContext *s, arg_cbz *a)
  {
 -    unsigned int sf, op, rt;
 -    int64_t diff;
      DisasLabel match;
      TCGv_i64 tcg_cmp;
 -    sf = extract32(insn, 31, 1);
 -    op = extract32(insn, 24, 1); /* 0: CBZ; 1: CBNZ */
 -    rt = extract32(insn, 0, 5);
 -    diff = sextract32(insn, 5, 19) * 4;
 -
 -    tcg_cmp = read_cpu_reg(s, rt, sf);
 +    tcg_cmp = read_cpu_reg(s, a->rt, a->sf);
      reset_btype(s);
      match = gen_disas_label(s);
 -    tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
 +    tcg_gen_brcondi_i64(a->nz ? TCG_COND_NE : TCG_COND_EQ,
                          tcg_cmp, 0, match.label);
      gen_goto_tb(s, 0, 4);
      set_disas_label(s, match);
 -    gen_goto_tb(s, 1, diff);
 +    gen_goto_tb(s, 1, a->imm);
 +    return true;
  }
  /* Test and branch (immediate)
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
  static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
  {
      switch (extract32(insn, 25, 7)) {
 -    case 0x1a: case 0x5a: /* Compare & branch (immediate) */
 -        disas_comp_b_imm(s, insn);
 -        break;
      case 0x1b: case 0x5b: /* Test & branch (immediate) */
          disas_test_b_imm(s, insn);
          break;
 --
 .34.1

-[PULL 08/29] target/arm: Create decodetree skeleton for A64
+[PULL 25/35] target/arm: Add Cortex-R52 IMPDEF sysregs
-The A64 translator uses a hand-written decoder for everything except
+Add the Cortex-R52 IMPDEF sysregs, by defining them here and
-SVE or SME.  It's fairly well structured, but it's becoming obvious
+also by enabling the AUXCR feature which defines the ACTLR
-that it's still more painful to add instructions to than the A32
+and HACTLR registers. As is our usual practice, we make these
-translator, because putting a new instruction into the right place in
+simple reads-as-zero stubs for now.
 a hand-written decoder is much harder than adding new instruction
 patterns to a decodetree file.
 As the first step in conversion to decodetree, create the skeleton of
 the decodetree decoder; where it does not handle instructions we will
 fall back to the legacy decoder (which will be for everything at the
 moment, since there are no patterns in a64.decode).
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20230512144106.3608981-3-peter.maydell@linaro.org
+Message-id: 20240206132931.38376-4-peter.maydell@linaro.org
 ---
- target/arm/tcg/a64.decode      | 20 ++++++++++++++++++++
+ target/arm/tcg/cpu32.c | 108 +++++++++++++++++++++++++++++++++++++++++
- target/arm/tcg/translate-a64.c | 18 +++++++++++-------
+file changed, 108 insertions(+)
  target/arm/tcg/meson.build     |  1 +
 files changed, 32 insertions(+), 7 deletions(-)
  create mode 100644 target/arm/tcg/a64.decode
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/target/arm/tcg/cpu32.c b/target/arm/tcg/cpu32.c
-new file mode 100644
+index XXXXXXX..XXXXXXX 100644
-index XXXXXXX..XXXXXXX
+--- a/target/arm/tcg/cpu32.c
---- /dev/null
++++ b/target/arm/tcg/cpu32.c
-+++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@ static void cortex_r5_initfn(Object *obj)
-@@ -XXX,XX +XXX,XX @@
+     define_arm_cp_regs(cpu, cortexr5_cp_reginfo);
-+# AArch64 A64 allowed instruction decoding
+ }
-+#
-+#  Copyright (c) 2023 Linaro, Ltd
++static const ARMCPRegInfo cortex_r52_cp_reginfo[] = {
-+#
++    { .name = "CPUACTLR", .cp = 15, .opc1 = 0, .crm = 15,
-+# This library is free software; you can redistribute it and/or
++      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
-+# modify it under the terms of the GNU Lesser General Public
++    { .name = "IMP_ATCMREGIONR",
-+# License as published by the Free Software Foundation; either
++      .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
-+# version 2.1 of the License, or (at your option) any later version.
++      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-+#
++    { .name = "IMP_BTCMREGIONR",
-+# This library is distributed in the hope that it will be useful,
++      .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
++      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++    { .name = "IMP_CTCMREGIONR",
-+# Lesser General Public License for more details.
++      .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 2,
-+#
++      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-+# You should have received a copy of the GNU Lesser General Public
++    { .name = "IMP_CSCTLR",
-+# License along with this library; if not, see <http://www.gnu.org/licenses/>.
++      .cp = 15, .opc1 = 1, .crn = 9, .crm = 1, .opc2 = 0,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_BPCTLR",
 +      .cp = 15, .opc1 = 1, .crn = 9, .crm = 1, .opc2 = 1,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_MEMPROTCLR",
 +      .cp = 15, .opc1 = 1, .crn = 9, .crm = 1, .opc2 = 2,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_SLAVEPCTLR",
 +      .cp = 15, .opc1 = 0, .crn = 11, .crm = 0, .opc2 = 0,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_PERIPHREGIONR",
 +      .cp = 15, .opc1 = 0, .crn = 15, .crm = 0, .opc2 = 0,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_FLASHIFREGIONR",
 +      .cp = 15, .opc1 = 0, .crn = 15, .crm = 0, .opc2 = 1,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_BUILDOPTR",
 +      .cp = 15, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 0,
 +      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_PINOPTR",
 +      .cp = 15, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 7,
 +      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_QOSR",
 +      .cp = 15, .opc1 = 1, .crn = 15, .crm = 3, .opc2 = 1,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_BUSTIMEOUTR",
 +      .cp = 15, .opc1 = 1, .crn = 15, .crm = 3, .opc2 = 2,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_INTMONR",
 +      .cp = 15, .opc1 = 1, .crn = 15, .crm = 3, .opc2 = 4,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_ICERR0",
 +      .cp = 15, .opc1 = 2, .crn = 15, .crm = 0, .opc2 = 0,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_ICERR1",
 +      .cp = 15, .opc1 = 2, .crn = 15, .crm = 0, .opc2 = 1,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_DCERR0",
 +      .cp = 15, .opc1 = 2, .crn = 15, .crm = 1, .opc2 = 0,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_DCERR1",
 +      .cp = 15, .opc1 = 2, .crn = 15, .crm = 1, .opc2 = 1,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_TCMERR0",
 +      .cp = 15, .opc1 = 2, .crn = 15, .crm = 2, .opc2 = 0,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_TCMERR1",
 +      .cp = 15, .opc1 = 2, .crn = 15, .crm = 2, .opc2 = 1,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_TCMSYNDR0",
 +      .cp = 15, .opc1 = 2, .crn = 15, .crm = 2, .opc2 = 2,
 +      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_TCMSYNDR1",
 +      .cp = 15, .opc1 = 2, .crn = 15, .crm = 2, .opc2 = 3,
 +      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_FLASHERR0",
 +      .cp = 15, .opc1 = 2, .crn = 15, .crm = 3, .opc2 = 0,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_FLASHERR1",
 +      .cp = 15, .opc1 = 2, .crn = 15, .crm = 3, .opc2 = 1,
 +      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_CDBGDR0",
 +      .cp = 15, .opc1 = 3, .crn = 15, .crm = 0, .opc2 = 0,
 +      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_CBDGBR1",
 +      .cp = 15, .opc1 = 3, .crn = 15, .crm = 0, .opc2 = 1,
 +      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_TESTR0",
 +      .cp = 15, .opc1 = 4, .crn = 15, .crm = 0, .opc2 = 0,
 +      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "IMP_TESTR1",
 +      .cp = 15, .opc1 = 4, .crn = 15, .crm = 0, .opc2 = 1,
 +      .access = PL1_W, .type = ARM_CP_NOP, .resetvalue = 0 },
 +    { .name = "IMP_CDBGDCI",
 +      .cp = 15, .opc1 = 0, .crn = 15, .crm = 15, .opc2 = 0,
 +      .access = PL1_W, .type = ARM_CP_NOP, .resetvalue = 0 },
 +    { .name = "IMP_CDBGDCT",
 +      .cp = 15, .opc1 = 3, .crn = 15, .crm = 2, .opc2 = 0,
 +      .access = PL1_W, .type = ARM_CP_NOP, .resetvalue = 0 },
 +    { .name = "IMP_CDBGICT",
 +      .cp = 15, .opc1 = 3, .crn = 15, .crm = 2, .opc2 = 1,
 +      .access = PL1_W, .type = ARM_CP_NOP, .resetvalue = 0 },
 +    { .name = "IMP_CDBGDCD",
 +      .cp = 15, .opc1 = 3, .crn = 15, .crm = 4, .opc2 = 0,
 +      .access = PL1_W, .type = ARM_CP_NOP, .resetvalue = 0 },
 +    { .name = "IMP_CDBGICD",
 +      .cp = 15, .opc1 = 3, .crn = 15, .crm = 4, .opc2 = 1,
 +      .access = PL1_W, .type = ARM_CP_NOP, .resetvalue = 0 },
 +};
 +
-+#
-+# This file is processed by scripts/decodetree.py
-+#
-diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/translate-a64.c
-+++ b/target/arm/tcg/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ enum a64_shift_type {
-     A64_SHIFT_TYPE_ROR = 3
- };
-+/*
-+ * Include the generated decoders.
-+ */
 +
-+#include "decode-sme-fa64.c.inc"
+ static void cortex_r52_initfn(Object *obj)
-+#include "decode-a64.c.inc"
+ {
      ARMCPU *cpu = ARM_CPU(obj);
@@ -XXX,XX +XXX,XX @@ static void cortex_r52_initfn(Object *obj)
      set_feature(&cpu->env, ARM_FEATURE_NEON);
      set_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER);
      set_feature(&cpu->env, ARM_FEATURE_CBAR_RO);
 +    set_feature(&cpu->env, ARM_FEATURE_AUXCR);
      cpu->midr = 0x411fd133; /* r1p3 */
      cpu->revidr = 0x00000000;
      cpu->reset_fpsid = 0x41034023;
@@ -XXX,XX +XXX,XX @@ static void cortex_r52_initfn(Object *obj)
      cpu->pmsav7_dregion = 16;
      cpu->pmsav8r_hdregion = 16;
 +
- /* Table based decoder typedefs - used when the relevant bits for decode
++    define_arm_cp_regs(cpu, cortex_r52_cp_reginfo);
   * are too awkwardly scattered across the instruction (eg SIMD).
   */
@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn)
      }
  }
--/*
+ static void cortex_r5f_initfn(Object *obj)
 - * Include the generated SME FA64 decoder.
 - */
 -
 -#include "decode-sme-fa64.c.inc"
 -
  static bool trans_OK(DisasContext *s, arg_OK *a)
  {
      return true;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          disas_sme_fa64(s, insn);
      }
 -    disas_a64_legacy(s, insn);
 +
 +    if (!disas_a64(s, insn)) {
 +        disas_a64_legacy(s, insn);
 +    }
      /*
       * After execution of most insns, btype is reset to 0.
 diff --git a/target/arm/tcg/meson.build b/target/arm/tcg/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/meson.build
 +++ b/target/arm/tcg/meson.build
@@ -XXX,XX +XXX,XX @@ gen = [
    decodetree.process('a32-uncond.decode', extra_args: '--static-decode=disas_a32_uncond'),
    decodetree.process('t32.decode', extra_args: '--static-decode=disas_t32'),
    decodetree.process('t16.decode', extra_args: ['-w', '16', '--static-decode=disas_t16']),
 +  decodetree.process('a64.decode', extra_args: ['--static-decode=disas_a64']),
  ]
  arm_ss.add(gen)
 --
 .34.1

-[PULL 19/29] target/arm: Convert unconditional branch immediate to decodetree
+[PULL 26/35] target/arm: Allow access to SPSR_hyp from hyp mode
-Convert the unconditional branch immediate insns B and BL to
+Architecturally, the AArch32 MSR/MRS to/from banked register
-decodetree.
+instructions are UNPREDICTABLE for attempts to access a banked
 register that the guest could access in a more direct way (e.g.
 using this insn to access r8_fiq when already in FIQ mode).  QEMU has
 chosen to UNDEF on all of these.
 However, for the case of accessing SPSR_hyp from hyp mode, it turns
 out that real hardware permits this, with the same effect as if the
 guest had directly written to SPSR. Further, there is some
 guest code out there that assumes it can do this, because it
 happens to work on hardware: an example Cortex-R52 startup code
 fragment uses this, and it got copied into various other places,
 including Zephyr. Zephyr was fixed to not use this:
  https://github.com/zephyrproject-rtos/zephyr/issues/47330
 but other examples are still out there, like the selftest
 binary for the MPS3-AN536.
 For convenience of being able to run guest code, permit
 this UNPREDICTABLE access instead of UNDEFing it.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20230512144106.3608981-14-peter.maydell@linaro.org
+Message-id: 20240206132931.38376-5-peter.maydell@linaro.org
 ---
- target/arm/tcg/a64.decode      |  9 +++++++++
+ target/arm/tcg/op_helper.c | 43 ++++++++++++++++++++++++++------------
- target/arm/tcg/translate-a64.c | 31 +++++++++++--------------------
+ target/arm/tcg/translate.c | 19 +++++++++++------
-files changed, 20 insertions(+), 20 deletions(-)
+files changed, 43 insertions(+), 19 deletions(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/target/arm/tcg/op_helper.c b/target/arm/tcg/op_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/target/arm/tcg/op_helper.c
-+++ b/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/op_helper.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void msr_mrs_banked_exc_checks(CPUARMState *env, uint32_t tgtmode,
+      */
- &ri              rd imm
+     int curmode = env->uncached_cpsr & CPSR_M;
- &rri_sf          rd rn imm sf
-+&i               imm
+-    if (regno == 17) {
+-        /* ELR_Hyp: a special case because access from tgtmode is OK */
+-        if (curmode != ARM_CPU_MODE_HYP && curmode != ARM_CPU_MODE_MON) {
- ### Data Processing - Immediate
+-            goto undef;
-@@ -XXX,XX +XXX,XX @@ UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_32
++    if (tgtmode == ARM_CPU_MODE_HYP) {
++        /*
- EXTR            1 00 100111 1 0 rm:5 imm:6 rn:5 rd:5     &extract sf=1
++         * Handle Hyp target regs first because some are special cases
- EXTR            0 00 100111 0 0 rm:5 0 imm:5 rn:5 rd:5   &extract sf=0
++         * which don't want the usual "not accessible from tgtmode" check.
-+
++         */
-+# Branches
++        switch (regno) {
-+
++        case 16 ... 17: /* ELR_Hyp, SPSR_Hyp */
-+%imm26   0:s26 !function=times_4
++            if (curmode != ARM_CPU_MODE_HYP && curmode != ARM_CPU_MODE_MON) {
-+@branch         . ..... .......................... &i imm=%imm26
++                goto undef;
-+
++            }
-+B               0 00101 .......................... @branch
++            break;
-+BL              1 00101 .......................... @branch
++        case 13:
-diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
++            if (curmode != ARM_CPU_MODE_MON) {
-index XXXXXXX..XXXXXXX 100644
++                goto undef;
---- a/target/arm/tcg/translate-a64.c
++            }
-+++ b/target/arm/tcg/translate-a64.c
++            break;
-@@ -XXX,XX +XXX,XX @@ static inline AArch64DecodeFn *lookup_disas_fn(const AArch64DecodeTable *table,
++        default:
-  * match up with those in the manual.
++            g_assert_not_reached();
-  */
+         }
+         return;
--/* Unconditional branch (immediate)
+     }
-- *   31  30       26 25                                  0
+@@ -XXX,XX +XXX,XX @@ static void msr_mrs_banked_exc_checks(CPUARMState *env, uint32_t tgtmode,
-- * +----+-----------+-------------------------------------+
+         }
-- * | op | 0 0 1 0 1 |                 imm26               |
+     }
-- * +----+-----------+-------------------------------------+
-- */
+-    if (tgtmode == ARM_CPU_MODE_HYP) {
--static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
+-        /* SPSR_Hyp, r13_hyp: accessible from Monitor mode only */
-+static bool trans_B(DisasContext *s, arg_i *a)
+-        if (curmode != ARM_CPU_MODE_MON) {
- {
+-            goto undef;
--    int64_t diff = sextract32(insn, 0, 26) * 4;
+-        }
 -
 -    if (insn & (1U << 31)) {
 -        /* BL Branch with link */
 -        gen_pc_plus_diff(s, cpu_reg(s, 30), curr_insn_len(s));
 -    }
 -
--    /* B Branch / BL Branch with link */
+     return;
-     reset_btype(s);
--    gen_goto_tb(s, 0, diff);
+ undef:
-+    gen_goto_tb(s, 0, a->imm);
+@@ -XXX,XX +XXX,XX @@ void HELPER(msr_banked)(CPUARMState *env, uint32_t value, uint32_t tgtmode,
-+    return true;
-+}
+     switch (regno) {
-+
+     case 16: /* SPSRs */
-+static bool trans_BL(DisasContext *s, arg_i *a)
+-        env->banked_spsr[bank_number(tgtmode)] = value;
-+{
++        if (tgtmode == (env->uncached_cpsr & CPSR_M)) {
-+    gen_pc_plus_diff(s, cpu_reg(s, 30), curr_insn_len(s));
++            /* Only happens for SPSR_Hyp access in Hyp mode */
-+    reset_btype(s);
++            env->spsr = value;
-+    gen_goto_tb(s, 0, a->imm);
++        } else {
-+    return true;
++            env->banked_spsr[bank_number(tgtmode)] = value;
- }
++        }
+         break;
- /* Compare and branch (immediate)
+     case 17: /* ELR_Hyp */
-@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
+         env->elr_el[2] = value;
- static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(mrs_banked)(CPUARMState *env, uint32_t tgtmode, uint32_t regno)
- {
-     switch (extract32(insn, 25, 7)) {
+     switch (regno) {
--    case 0x0a: case 0x0b:
+     case 16: /* SPSRs */
--    case 0x4a: case 0x4b: /* Unconditional branch (immediate) */
+-        return env->banked_spsr[bank_number(tgtmode)];
--        disas_uncond_b_imm(s, insn);
++        if (tgtmode == (env->uncached_cpsr & CPSR_M)) {
--        break;
++            /* Only happens for SPSR_Hyp access in Hyp mode */
-     case 0x1a: case 0x5a: /* Compare & branch (immediate) */
++            return env->spsr;
-         disas_comp_b_imm(s, insn);
++        } else {
 +            return env->banked_spsr[bank_number(tgtmode)];
 +        }
      case 17: /* ELR_Hyp */
          return env->elr_el[2];
      case 13:
 diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate.c
 +++ b/target/arm/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static bool msr_banked_access_decode(DisasContext *s, int r, int sysm, int rn,
          break;
      case ARM_CPU_MODE_HYP:
          /*
 -         * SPSR_hyp and r13_hyp can only be accessed from Monitor mode
 -         * (and so we can forbid accesses from EL2 or below). elr_hyp
 -         * can be accessed also from Hyp mode, so forbid accesses from
 -         * EL0 or EL1.
 +         * r13_hyp can only be accessed from Monitor mode, and so we
 +         * can forbid accesses from EL2 or below.
 +         * elr_hyp can be accessed also from Hyp mode, so forbid
 +         * accesses from EL0 or EL1.
 +         * SPSR_hyp is supposed to be in the same category as r13_hyp
 +         * and UNPREDICTABLE if accessed from anything except Monitor
 +         * mode. However there is some real-world code that will do
 +         * it because at least some hardware happens to permit the
 +         * access. (Notably a standard Cortex-R52 startup code fragment
 +         * does this.) So we permit SPSR_hyp from Hyp mode also, to allow
 +         * this (incorrect) guest code to run.
           */
 -        if (!arm_dc_feature(s, ARM_FEATURE_EL2) || s->current_el < 2 ||
 -            (s->current_el < 3 && *regno != 17)) {
 +        if (!arm_dc_feature(s, ARM_FEATURE_EL2) || s->current_el < 2
 +            || (s->current_el < 3 && *regno != 16 && *regno != 17)) {
              goto undef;
          }
          break;
 --
 .34.1

-[PULL 01/29] sbsa-ref: switch default cpu core to Neoverse-N1
+[PULL 27/35] hw/misc/mps2-scc: Fix condition for CFG3 register
-From: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
+We currently guard the CFG3 register read with
  (scc_partno(s) == 0x524 && scc_partno(s) == 0x547)
 which is clearly wrong as it is never true.
-The world outside moves to newer and newer cpu cores. Let move SBSA
+This register is present on all board types except AN524
-Reference Platform to something newer as well.
+and AN527; correct the condition.
-Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
+Fixes: 6ac80818941829c0 ("hw/misc/mps2-scc: Implement changes for AN547")
 Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
 Message-id: 20230506183417.1360427-1-marcin.juszkiewicz@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20240206132931.38376-6-peter.maydell@linaro.org
 ---
- hw/arm/sbsa-ref.c | 2 +-
+ hw/misc/mps2-scc.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
+diff --git a/hw/misc/mps2-scc.c b/hw/misc/mps2-scc.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/sbsa-ref.c
+--- a/hw/misc/mps2-scc.c
-+++ b/hw/arm/sbsa-ref.c
++++ b/hw/misc/mps2-scc.c
-@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_class_init(ObjectClass *oc, void *data)
+@@ -XXX,XX +XXX,XX @@ static uint64_t mps2_scc_read(void *opaque, hwaddr offset, unsigned size)
+         r = s->cfg2;
-     mc->init = sbsa_ref_init;
+         break;
-     mc->desc = "QEMU 'SBSA Reference' ARM Virtual Machine";
+     case A_CFG3:
--    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a57");
+-        if (scc_partno(s) == 0x524 && scc_partno(s) == 0x547) {
-+    mc->default_cpu_type = ARM_CPU_TYPE_NAME("neoverse-n1");
++        if (scc_partno(s) == 0x524 || scc_partno(s) == 0x547) {
-     mc->max_cpus = 512;
+             /* CFG3 reserved on AN524 */
-     mc->pci_allow_0_address = true;
+             goto bad_offset;
-     mc->minimum_page_bits = 12;
+         }
 --
 .34.1

-[PULL 24/29] target/arm: Convert BRA[AB]Z, BLR[AB]Z, RETA[AB] to decodetree
+[PULL 28/35] hw/misc/mps2-scc: Factor out which-board conditionals
-Convert the single-register pointer-authentication variants of BR,
+The MPS SCC device has a lot of different flavours for the various
-BLR, RET to decodetree. (BRAA/BLRAA are in a different branch of
+different MPS FPGA images, which look mostly similar but have
-the legacy decoder and will be dealt with in the next commit.)
+differences in how particular registers are handled.  Currently we
 deal with this with a lot of open-coded checks on scc_partno(), but
 as we add more board types this is getting a bit hard to read.
 Factor out the conditions into some functions which we can
 give more descriptive names to.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20230512144106.3608981-19-peter.maydell@linaro.org
+Message-id: 20240206132931.38376-7-peter.maydell@linaro.org
 ---
- target/arm/tcg/a64.decode      |   7 ++
+ hw/misc/mps2-scc.c | 45 +++++++++++++++++++++++++++++++--------------
- target/arm/tcg/translate-a64.c | 132 +++++++++++++++++++--------------
+file changed, 31 insertions(+), 14 deletions(-)
 files changed, 84 insertions(+), 55 deletions(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/hw/misc/mps2-scc.c b/hw/misc/mps2-scc.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/hw/misc/mps2-scc.c
-+++ b/target/arm/tcg/a64.decode
++++ b/hw/misc/mps2-scc.c
-@@ -XXX,XX +XXX,XX @@ B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
+@@ -XXX,XX +XXX,XX @@ static int scc_partno(MPS2SCC *s)
- BR              1101011 0000 11111 000000 rn:5 00000 &r
+     return extract32(s->id, 4, 8);
  BLR             1101011 0001 11111 000000 rn:5 00000 &r
  RET             1101011 0010 11111 000000 rn:5 00000 &r
 +
 +&braz       rn m
 +BRAZ            1101011 0000 11111 00001 m:1 rn:5 11111 &braz   # BRAAZ, BRABZ
 +BLRAZ           1101011 0001 11111 00001 m:1 rn:5 11111 &braz   # BLRAAZ, BLRABZ
 +
 +&reta       m
 +RETA            1101011 0010 11111 00001 m:1 11111 11111 &reta  # RETAA, RETAB
 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate-a64.c
 +++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_RET(DisasContext *s, arg_r *a)
      return true;
  }
-+static TCGv_i64 auth_branch_target(DisasContext *s, TCGv_i64 dst,
++/* Is CFG_REG2 present? */
-+                                   TCGv_i64 modifier, bool use_key_a)
++static bool have_cfg2(MPS2SCC *s)
 +{
-+    TCGv_i64 truedst;
++    return scc_partno(s) == 0x524 || scc_partno(s) == 0x547;
 +    /*
 +     * Return the branch target for a BRAA/RETA/etc, which is either
 +     * just the destination dst, or that value with the pauth check
 +     * done and the code removed from the high bits.
 +     */
 +    if (!s->pauth_active) {
 +        return dst;
 +    }
 +
 +    truedst = tcg_temp_new_i64();
 +    if (use_key_a) {
 +        gen_helper_autia(truedst, cpu_env, dst, modifier);
 +    } else {
 +        gen_helper_autib(truedst, cpu_env, dst, modifier);
 +    }
 +    return truedst;
 +}
 +
-+static bool trans_BRAZ(DisasContext *s, arg_braz *a)
++/* Is CFG_REG3 present? */
 +static bool have_cfg3(MPS2SCC *s)
 +{
-+    TCGv_i64 dst;
++    return scc_partno(s) != 0x524 && scc_partno(s) != 0x547;
 +
 +    if (!dc_isar_feature(aa64_pauth, s)) {
 +        return false;
 +    }
 +
 +    dst = auth_branch_target(s, cpu_reg(s, a->rn), tcg_constant_i64(0), !a->m);
 +    gen_a64_set_pc(s, dst);
 +    set_btype_for_br(s, a->rn);
 +    s->base.is_jmp = DISAS_JUMP;
 +    return true;
 +}
 +
-+static bool trans_BLRAZ(DisasContext *s, arg_braz *a)
++/* Is CFG_REG5 present? */
 +static bool have_cfg5(MPS2SCC *s)
 +{
-+    TCGv_i64 dst, lr;
++    return scc_partno(s) == 0x524 || scc_partno(s) == 0x547;
 +
 +    if (!dc_isar_feature(aa64_pauth, s)) {
 +        return false;
 +    }
 +
 +    dst = auth_branch_target(s, cpu_reg(s, a->rn), tcg_constant_i64(0), !a->m);
 +    lr = cpu_reg(s, 30);
 +    if (dst == lr) {
 +        TCGv_i64 tmp = tcg_temp_new_i64();
 +        tcg_gen_mov_i64(tmp, dst);
 +        dst = tmp;
 +    }
 +    gen_pc_plus_diff(s, lr, curr_insn_len(s));
 +    gen_a64_set_pc(s, dst);
 +    set_btype_for_blr(s);
 +    s->base.is_jmp = DISAS_JUMP;
 +    return true;
 +}
 +
-+static bool trans_RETA(DisasContext *s, arg_reta *a)
++/* Is CFG_REG6 present? */
 +static bool have_cfg6(MPS2SCC *s)
 +{
-+    TCGv_i64 dst;
++    return scc_partno(s) == 0x524;
 +
 +    dst = auth_branch_target(s, cpu_reg(s, 30), cpu_X[31], !a->m);
 +    gen_a64_set_pc(s, dst);
 +    s->base.is_jmp = DISAS_JUMP;
 +    return true;
 +}
 +
- /* HINT instruction group, including various allocated HINTs */
+ /* Handle a write via the SYS_CFG channel to the specified function/device.
- static void handle_hint(DisasContext *s, uint32_t insn,
+  * Return false on error (reported to guest via SYS_CFGCTRL ERROR bit).
-                         unsigned int op1, unsigned int op2, unsigned int crm)
+  */
-@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static uint64_t mps2_scc_read(void *opaque, hwaddr offset, unsigned size)
-     }
+         r = s->cfg1;
+         break;
-     switch (opc) {
+     case A_CFG2:
--    case 0: /* BR */
+-        if (scc_partno(s) != 0x524 && scc_partno(s) != 0x547) {
--    case 1: /* BLR */
+-            /* CFG2 reserved on other boards */
--    case 2: /* RET */
++        if (!have_cfg2(s)) {
--        btype_mod = opc;
+             goto bad_offset;
--        switch (op3) {
+         }
--        case 0:
+         r = s->cfg2;
--            /* BR, BLR, RET : handled in decodetree */
+         break;
--            goto do_unallocated;
+     case A_CFG3:
--
+-        if (scc_partno(s) == 0x524 || scc_partno(s) == 0x547) {
--        case 2:
+-            /* CFG3 reserved on AN524 */
--        case 3:
++        if (!have_cfg3(s)) {
--            if (!dc_isar_feature(aa64_pauth, s)) {
+             goto bad_offset;
--                goto do_unallocated;
+         }
--            }
+         /* These are user-settable DIP switches on the board. We don't
--            if (opc == 2) {
+@@ -XXX,XX +XXX,XX @@ static uint64_t mps2_scc_read(void *opaque, hwaddr offset, unsigned size)
--                /* RETAA, RETAB */
+         r = s->cfg4;
--                if (rn != 0x1f || op4 != 0x1f) {
+         break;
--                    goto do_unallocated;
+     case A_CFG5:
--                }
+-        if (scc_partno(s) != 0x524 && scc_partno(s) != 0x547) {
--                rn = 30;
+-            /* CFG5 reserved on other boards */
--                modifier = cpu_X[31];
++        if (!have_cfg5(s)) {
--            } else {
+             goto bad_offset;
--                /* BRAAZ, BRABZ, BLRAAZ, BLRABZ */
+         }
--                if (op4 != 0x1f) {
+         r = s->cfg5;
--                    goto do_unallocated;
+         break;
--                }
+     case A_CFG6:
--                modifier = tcg_constant_i64(0);
+-        if (scc_partno(s) != 0x524) {
--            }
+-            /* CFG6 reserved on other boards */
--            if (s->pauth_active) {
++        if (!have_cfg6(s)) {
--                dst = tcg_temp_new_i64();
+             goto bad_offset;
--                if (op3 == 2) {
+         }
--                    gen_helper_autia(dst, cpu_env, cpu_reg(s, rn), modifier);
+         r = s->cfg6;
--                } else {
+@@ -XXX,XX +XXX,XX @@ static void mps2_scc_write(void *opaque, hwaddr offset, uint64_t value,
--                    gen_helper_autib(dst, cpu_env, cpu_reg(s, rn), modifier);
+         }
--                }
+         break;
--            } else {
+     case A_CFG2:
--                dst = cpu_reg(s, rn);
+-        if (scc_partno(s) != 0x524 && scc_partno(s) != 0x547) {
--            }
+-            /* CFG2 reserved on other boards */
--            break;
++        if (!have_cfg2(s)) {
--
+             goto bad_offset;
--        default:
+         }
--            goto do_unallocated;
+         /* AN524: QSPI Select signal */
--        }
+         s->cfg2 = value;
--        /* BLR also needs to load return address */
+         break;
--        if (opc == 1) {
+     case A_CFG5:
--            TCGv_i64 lr = cpu_reg(s, 30);
+-        if (scc_partno(s) != 0x524 && scc_partno(s) != 0x547) {
--            if (dst == lr) {
+-            /* CFG5 reserved on other boards */
--                TCGv_i64 tmp = tcg_temp_new_i64();
++        if (!have_cfg5(s)) {
--                tcg_gen_mov_i64(tmp, dst);
+             goto bad_offset;
--                dst = tmp;
+         }
--            }
+         /* AN524: ACLK frequency in Hz */
--            gen_pc_plus_diff(s, lr, curr_insn_len(s));
+         s->cfg5 = value;
--        }
+         break;
--        gen_a64_set_pc(s, dst);
+     case A_CFG6:
--        break;
+-        if (scc_partno(s) != 0x524) {
-+    case 0:
+-            /* CFG6 reserved on other boards */
-+    case 1:
++        if (!have_cfg6(s)) {
-+    case 2:
+             goto bad_offset;
-+        /*
+         }
-+         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ:
+         /* AN524: Clock divider for BRAM */
 +         * handled in decodetree
 +         */
 +        goto do_unallocated;
      case 8: /* BRAA */
      case 9: /* BLRAA */
 --
 .34.1

-[PULL 09/29] target/arm: Pull calls to disas_sve() and disas_sme() out of legacy decoder
+[PULL 29/35] hw/misc/mps2-scc: Make changes needed for AN536 FPGA image
-The SVE and SME decode is already done by decodetree.  Pull the calls
+The MPS2 SCC device is broadly the same for all FPGA images, but has
-to these decoders out of the legacy decoder.  This doesn't change
+minor differences in the behaviour of the CFG registers depending on
-behaviour because all the patterns in sve.decode and sme.decode
+the image. In many cases we don't really care about the functionality
-already require the bits that the legacy decoder is decoding to have
+controlled by these registers and a reads-as-written or similar
-the correct values.
+behaviour is sufficient for the moment.
 For the AN536 the required behaviour is:
  * A_CFG0 has CPU reset and halt bits
     - implement as reads-as-written for the moment
  * A_CFG1 has flash or ATCM address 0 remap handling
     - QEMU doesn't model this; implement as reads-as-written
  * A_CFG2 has QSPI select (like AN524)
     - implemented (no behaviour, as with AN524)
  * A_CFG3 is MCC_MSB_ADDR "additional MCC addressing bits"
     - QEMU doesn't care about these, so use the existing
       RAZ behaviour for convenience
  * A_CFG4 is board rev (like all other images)
     - no change needed
  * A_CFG5 is ACLK frq in hz (like AN524)
     - implemented as reads-as-written, as for other boards
  * A_CFG6 is core 0 vector table base address
     - implemented as reads-as-written for the moment
  * A_CFG7 is core 1 vector table base address
     - implemented as reads-as-written for the moment
 Make the changes necessary for this; leave TODO comments where
 appropriate to indicate where we might want to come back and
 implement things like CPU reset.
 The other aspects of the device specific to this FPGA image (like the
 values of the board ID and similar registers) will be set via the
 device's qdev properties.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20230512144106.3608981-4-peter.maydell@linaro.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Message-id: 20240206132931.38376-8-peter.maydell@linaro.org
 ---
- target/arm/tcg/translate-a64.c | 20 ++++----------------
+ include/hw/misc/mps2-scc.h |   1 +
-file changed, 4 insertions(+), 16 deletions(-)
+ hw/misc/mps2-scc.c         | 101 +++++++++++++++++++++++++++++++++----
+files changed, 92 insertions(+), 10 deletions(-)
-diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 diff --git a/include/hw/misc/mps2-scc.h b/include/hw/misc/mps2-scc.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/translate-a64.c
+--- a/include/hw/misc/mps2-scc.h
-+++ b/target/arm/tcg/translate-a64.c
++++ b/include/hw/misc/mps2-scc.h
-@@ -XXX,XX +XXX,XX @@ static bool btype_destination_ok(uint32_t insn, bool bt, int btype)
+@@ -XXX,XX +XXX,XX @@ struct MPS2SCC {
- static void disas_a64_legacy(DisasContext *s, uint32_t insn)
+     uint32_t cfg4;
- {
+     uint32_t cfg5;
-     switch (extract32(insn, 25, 4)) {
+     uint32_t cfg6;
--    case 0x0:
++    uint32_t cfg7;
--        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
+     uint32_t cfgdata_rtn;
--            unallocated_encoding(s);
+     uint32_t cfgdata_out;
--        }
+     uint32_t cfgctrl;
--        break;
+diff --git a/hw/misc/mps2-scc.c b/hw/misc/mps2-scc.c
--    case 0x1: case 0x3: /* UNALLOCATED */
+index XXXXXXX..XXXXXXX 100644
--        unallocated_encoding(s);
+--- a/hw/misc/mps2-scc.c
--        break;
++++ b/hw/misc/mps2-scc.c
--    case 0x2:
+@@ -XXX,XX +XXX,XX @@ REG32(CFG3, 0xc)
--        if (!disas_sve(s, insn)) {
+ REG32(CFG4, 0x10)
--            unallocated_encoding(s);
+ REG32(CFG5, 0x14)
--        }
+ REG32(CFG6, 0x18)
--        break;
++REG32(CFG7, 0x1c)
-     case 0x8: case 0x9: /* Data processing - immediate */
+ REG32(CFGDATA_RTN, 0xa0)
-         disas_data_proc_imm(s, insn);
+ REG32(CFGDATA_OUT, 0xa4)
-         break;
+ REG32(CFGCTRL, 0xa8)
-@@ -XXX,XX +XXX,XX @@ static void disas_a64_legacy(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static int scc_partno(MPS2SCC *s)
-         disas_data_proc_simd_fp(s, insn);
+ /* Is CFG_REG2 present? */
-         break;
+ static bool have_cfg2(MPS2SCC *s)
-     default:
+ {
--        assert(FALSE); /* all 15 cases should be handled above */
+-    return scc_partno(s) == 0x524 || scc_partno(s) == 0x547;
-+        unallocated_encoding(s);
++    return scc_partno(s) == 0x524 || scc_partno(s) == 0x547 ||
-         break;
++        scc_partno(s) == 0x536;
  }
  /* Is CFG_REG3 present? */
  static bool have_cfg3(MPS2SCC *s)
  {
 -    return scc_partno(s) != 0x524 && scc_partno(s) != 0x547;
 +    return scc_partno(s) != 0x524 && scc_partno(s) != 0x547 &&
 +        scc_partno(s) != 0x536;
  }
  /* Is CFG_REG5 present? */
  static bool have_cfg5(MPS2SCC *s)
  {
 -    return scc_partno(s) == 0x524 || scc_partno(s) == 0x547;
 +    return scc_partno(s) == 0x524 || scc_partno(s) == 0x547 ||
 +        scc_partno(s) == 0x536;
  }
  /* Is CFG_REG6 present? */
  static bool have_cfg6(MPS2SCC *s)
  {
 -    return scc_partno(s) == 0x524;
 +    return scc_partno(s) == 0x524 || scc_partno(s) == 0x536;
 +}
 +
 +/* Is CFG_REG7 present? */
 +static bool have_cfg7(MPS2SCC *s)
 +{
 +    return scc_partno(s) == 0x536;
 +}
 +
 +/* Does CFG_REG0 drive the 'remap' GPIO output? */
 +static bool cfg0_is_remap(MPS2SCC *s)
 +{
 +    return scc_partno(s) != 0x536;
 +}
 +
 +/* Is CFG_REG1 driving a set of LEDs? */
 +static bool cfg1_is_leds(MPS2SCC *s)
 +{
 +    return scc_partno(s) != 0x536;
  }
  /* Handle a write via the SYS_CFG channel to the specified function/device.
@@ -XXX,XX +XXX,XX @@ static uint64_t mps2_scc_read(void *opaque, hwaddr offset, unsigned size)
          if (!have_cfg3(s)) {
              goto bad_offset;
          }
 -        /* These are user-settable DIP switches on the board. We don't
 +        /*
 +         * These are user-settable DIP switches on the board. We don't
           * model that, so just return zeroes.
 +         *
 +         * TODO: for AN536 this is MCC_MSB_ADDR "additional MCC addressing
 +         * bits". These change which part of the DDR4 the motherboard
 +         * configuration controller can see in its memory map (see the
 +         * appnote section 2.4). QEMU doesn't model the MCC at all, so these
 +         * bits are not interesting to us; read-as-zero is as good as anything
 +         * else.
           */
          r = 0;
          break;
@@ -XXX,XX +XXX,XX @@ static uint64_t mps2_scc_read(void *opaque, hwaddr offset, unsigned size)
          }
          r = s->cfg6;
          break;
 +    case A_CFG7:
 +        if (!have_cfg7(s)) {
 +            goto bad_offset;
 +        }
 +        r = s->cfg7;
 +        break;
      case A_CFGDATA_RTN:
          r = s->cfgdata_rtn;
          break;
@@ -XXX,XX +XXX,XX @@ static void mps2_scc_write(void *opaque, hwaddr offset, uint64_t value,
           * we always reflect bit 0 in the 'remap' GPIO output line,
           * and let the board wire it up or not as it chooses.
           * TODO on some boards bit 1 is CPU_WAIT.
 +         *
 +         * TODO: on the AN536 this register controls reset and halt
 +         * for both CPUs. For the moment we don't implement this, so the
 +         * register just reads as written.
           */
          s->cfg0 = value;
 -        qemu_set_irq(s->remap, s->cfg0 & 1);
 +        if (cfg0_is_remap(s)) {
 +            qemu_set_irq(s->remap, s->cfg0 & 1);
 +        }
          break;
      case A_CFG1:
          s->cfg1 = value;
 -        for (size_t i = 0; i < ARRAY_SIZE(s->led); i++) {
 -            led_set_state(s->led[i], extract32(value, i, 1));
 +        /*
 +         * On most boards this register drives LEDs.
 +         *
 +         * TODO: for AN536 this controls whether flash and ATCM are
 +         * enabled or disabled on reset. QEMU doesn't model this, and
 +         * always wires up RAM in the ATCM area and ROM in the flash area.
 +         */
 +        if (cfg1_is_leds(s)) {
 +            for (size_t i = 0; i < ARRAY_SIZE(s->led); i++) {
 +                led_set_state(s->led[i], extract32(value, i, 1));
 +            }
          }
          break;
      case A_CFG2:
          if (!have_cfg2(s)) {
              goto bad_offset;
          }
 -        /* AN524: QSPI Select signal */
 +        /* AN524, AN536: QSPI Select signal */
          s->cfg2 = value;
          break;
      case A_CFG5:
          if (!have_cfg5(s)) {
              goto bad_offset;
          }
 -        /* AN524: ACLK frequency in Hz */
 +        /* AN524, AN536: ACLK frequency in Hz */
          s->cfg5 = value;
          break;
      case A_CFG6:
@@ -XXX,XX +XXX,XX @@ static void mps2_scc_write(void *opaque, hwaddr offset, uint64_t value,
              goto bad_offset;
          }
          /* AN524: Clock divider for BRAM */
 +        /* AN536: Core 0 vector table base address */
 +        s->cfg6 = value;
 +        break;
 +    case A_CFG7:
 +        if (!have_cfg7(s)) {
 +            goto bad_offset;
 +        }
 +        /* AN536: Core 1 vector table base address */
          s->cfg6 = value;
          break;
      case A_CFGDATA_OUT:
@@ -XXX,XX +XXX,XX @@ static void mps2_scc_finalize(Object *obj)
      g_free(s->oscclk_reset);
  }
 +static bool cfg7_needed(void *opaque)
 +{
 +    MPS2SCC *s = opaque;
 +
 +    return have_cfg7(s);
 +}
 +
 +static const VMStateDescription vmstate_cfg7 = {
 +    .name = "mps2-scc/cfg7",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .needed = cfg7_needed,
 +    .fields = (const VMStateField[]) {
 +        VMSTATE_UINT32(cfg7, MPS2SCC),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
  static const VMStateDescription mps2_scc_vmstate = {
      .name = "mps2-scc",
      .version_id = 3,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription mps2_scc_vmstate = {
          VMSTATE_VARRAY_UINT32(oscclk, MPS2SCC, num_oscclk,
 , vmstate_info_uint32, uint32_t),
          VMSTATE_END_OF_LIST()
 +    },
 +    .subsections = (const VMStateDescription * const []) {
 +        &vmstate_cfg7,
 +        NULL
      }
- }
+ };
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          disas_sme_fa64(s, insn);
      }
 -
 -    if (!disas_a64(s, insn)) {
 +    if (!disas_a64(s, insn) &&
 +        !disas_sme(s, insn) &&
 +        !disas_sve(s, insn)) {
          disas_a64_legacy(s, insn);
      }
 --
 .34.1

-[PULL 03/29] Maintainers: add myself as reviewer for sbsa-ref
+[PULL 30/35] hw/arm/mps3r: Initial skeleton for mps3-an536 board
-From: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
+The AN536 is another FPGA image for the MPS3 development board. Unlike
+the existing FPGA images we already model, this board uses a Cortex-R
-At Linaro I work on sbsa-ref, know direction it goes.
+family CPU, and it does not use any equivalent to the M-profile
+"Subsystem for Embedded" SoC-equivalent that we model in hw/arm/armsse.c.
-May not get code details each time.
+It's therefore more convenient for us to model it as a completely
+separate C file.
-Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
 This commit adds the basic skeleton of the board model, and the
 code to create all the RAM and ROM. We assume that we're probably
 going to want to add more images in future, so use the same
 base class/subclass setup that mps2-tz.c uses, even though at
 the moment there's only a single subclass.
 Following commits will add the CPUs and the peripherals.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Message-id: 20230515143753.365591-1-marcin.juszkiewicz@linaro.org
+Message-id: 20240206132931.38376-9-peter.maydell@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- MAINTAINERS | 1 +
+ MAINTAINERS                             |   3 +-
-file changed, 1 insertion(+)
+ configs/devices/arm-softmmu/default.mak |   1 +
  hw/arm/mps3r.c                          | 239 ++++++++++++++++++++++++
  hw/arm/Kconfig                          |   5 +
  hw/arm/meson.build                      |   1 +
 files changed, 248 insertions(+), 1 deletion(-)
  create mode 100644 hw/arm/mps3r.c
 diff --git a/MAINTAINERS b/MAINTAINERS
 index XXXXXXX..XXXXXXX 100644
 --- a/MAINTAINERS
 +++ b/MAINTAINERS
-@@ -XXX,XX +XXX,XX @@ SBSA-REF
+@@ -XXX,XX +XXX,XX @@ F: include/hw/misc/imx7_*.h
- M: Radoslaw Biernacki <rad@semihalf.com>
+ F: hw/pci-host/designware.c
  F: include/hw/pci-host/designware.h
 -MPS2
 +MPS2 / MPS3
  M: Peter Maydell <peter.maydell@linaro.org>
- R: Leif Lindholm <quic_llindhol@quicinc.com>
-+R: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
  L: qemu-arm@nongnu.org
  S: Maintained
- F: hw/arm/sbsa-ref.c
+ F: hw/arm/mps2.c
  F: hw/arm/mps2-tz.c
 +F: hw/arm/mps3r.c
  F: hw/misc/mps2-*.c
  F: include/hw/misc/mps2-*.h
  F: hw/arm/armsse.c
 diff --git a/configs/devices/arm-softmmu/default.mak b/configs/devices/arm-softmmu/default.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/configs/devices/arm-softmmu/default.mak
 +++ b/configs/devices/arm-softmmu/default.mak
@@ -XXX,XX +XXX,XX @@ CONFIG_ARM_VIRT=y
  # CONFIG_INTEGRATOR=n
  # CONFIG_FSL_IMX31=n
  # CONFIG_MUSICPAL=n
 +# CONFIG_MPS3R=n
  # CONFIG_MUSCA=n
  # CONFIG_CHEETAH=n
  # CONFIG_SX1=n
 diff --git a/hw/arm/mps3r.c b/hw/arm/mps3r.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/arm/mps3r.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Arm MPS3 board emulation for Cortex-R-based FPGA images.
 + * (For M-profile images see mps2.c and mps2tz.c.)
 + *
 + * Copyright (c) 2017 Linaro Limited
 + * Written by Peter Maydell
 + *
 + *  This program is free software; you can redistribute it and/or modify
 + *  it under the terms of the GNU General Public License version 2 or
 + *  (at your option) any later version.
 + */
 +
 +/*
 + * The MPS3 is an FPGA based dev board. This file handles FPGA images
 + * which use the Cortex-R CPUs. We model these separately from the
 + * M-profile images, because on M-profile the FPGA image is based on
 + * a "Subsystem for Embedded" which is similar to an SoC, whereas
 + * the R-profile FPGA images don't have that abstraction layer.
 + *
 + * We model the following FPGA images here:
 + *  "mps3-an536" -- dual Cortex-R52 as documented in Arm Application Note AN536
 + *
 + * Application Note AN536:
 + * https://developer.arm.com/documentation/dai0536/latest/
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qemu/units.h"
 +#include "qapi/error.h"
 +#include "exec/address-spaces.h"
 +#include "cpu.h"
 +#include "hw/boards.h"
 +#include "hw/arm/boot.h"
 +
 +/* Define the layout of RAM and ROM in a board */
 +typedef struct RAMInfo {
 +    const char *name;
 +    hwaddr base;
 +    hwaddr size;
 +    int mrindex; /* index into rams[]; -1 for the system RAM block */
 +    int flags;
 +} RAMInfo;
 +
 +/*
 + * The MPS3 DDR is 3GiB, but on a 32-bit host QEMU doesn't permit
 + * emulation of that much guest RAM, so artificially make it smaller.
 + */
 +#if HOST_LONG_BITS == 32
 +#define MPS3_DDR_SIZE (1 * GiB)
 +#else
 +#define MPS3_DDR_SIZE (3 * GiB)
 +#endif
 +
 +/*
 + * Flag values:
 + * IS_MAIN: this is the main machine RAM
 + * IS_ROM: this area is read-only
 + */
 +#define IS_MAIN 1
 +#define IS_ROM 2
 +
 +#define MPS3R_RAM_MAX 9
 +
 +typedef enum MPS3RFPGAType {
 +    FPGA_AN536,
 +} MPS3RFPGAType;
 +
 +struct MPS3RMachineClass {
 +    MachineClass parent;
 +    MPS3RFPGAType fpga_type;
 +    const RAMInfo *raminfo;
 +};
 +
 +struct MPS3RMachineState {
 +    MachineState parent;
 +    MemoryRegion ram[MPS3R_RAM_MAX];
 +};
 +
 +#define TYPE_MPS3R_MACHINE "mps3r"
 +#define TYPE_MPS3R_AN536_MACHINE MACHINE_TYPE_NAME("mps3-an536")
 +
 +OBJECT_DECLARE_TYPE(MPS3RMachineState, MPS3RMachineClass, MPS3R_MACHINE)
 +
 +static const RAMInfo an536_raminfo[] = {
 +    {
 +        .name = "ATCM",
 +        .base = 0x00000000,
 +        .size = 0x00008000,
 +        .mrindex = 0,
 +    }, {
 +        /* We model the QSPI flash as simple ROM for now */
 +        .name = "QSPI",
 +        .base = 0x08000000,
 +        .size = 0x00800000,
 +        .flags = IS_ROM,
 +        .mrindex = 1,
 +    }, {
 +        .name = "BRAM",
 +        .base = 0x10000000,
 +        .size = 0x00080000,
 +        .mrindex = 2,
 +    }, {
 +        .name = "DDR",
 +        .base = 0x20000000,
 +        .size = MPS3_DDR_SIZE,
 +        .mrindex = -1,
 +    }, {
 +        .name = "ATCM0",
 +        .base = 0xee000000,
 +        .size = 0x00008000,
 +        .mrindex = 3,
 +    }, {
 +        .name = "BTCM0",
 +        .base = 0xee100000,
 +        .size = 0x00008000,
 +        .mrindex = 4,
 +    }, {
 +        .name = "CTCM0",
 +        .base = 0xee200000,
 +        .size = 0x00008000,
 +        .mrindex = 5,
 +    }, {
 +        .name = "ATCM1",
 +        .base = 0xee400000,
 +        .size = 0x00008000,
 +        .mrindex = 6,
 +    }, {
 +        .name = "BTCM1",
 +        .base = 0xee500000,
 +        .size = 0x00008000,
 +        .mrindex = 7,
 +    }, {
 +        .name = "CTCM1",
 +        .base = 0xee600000,
 +        .size = 0x00008000,
 +        .mrindex = 8,
 +    }, {
 +        .name = NULL,
 +    }
 +};
 +
 +static MemoryRegion *mr_for_raminfo(MPS3RMachineState *mms,
 +                                    const RAMInfo *raminfo)
 +{
 +    /* Return an initialized MemoryRegion for the RAMInfo. */
 +    MemoryRegion *ram;
 +
 +    if (raminfo->mrindex < 0) {
 +        /* Means this RAMInfo is for QEMU's "system memory" */
 +        MachineState *machine = MACHINE(mms);
 +        assert(!(raminfo->flags & IS_ROM));
 +        return machine->ram;
 +    }
 +
 +    assert(raminfo->mrindex < MPS3R_RAM_MAX);
 +    ram = &mms->ram[raminfo->mrindex];
 +
 +    memory_region_init_ram(ram, NULL, raminfo->name,
 +                           raminfo->size, &error_fatal);
 +    if (raminfo->flags & IS_ROM) {
 +        memory_region_set_readonly(ram, true);
 +    }
 +    return ram;
 +}
 +
 +static void mps3r_common_init(MachineState *machine)
 +{
 +    MPS3RMachineState *mms = MPS3R_MACHINE(machine);
 +    MPS3RMachineClass *mmc = MPS3R_MACHINE_GET_CLASS(mms);
 +    MemoryRegion *sysmem = get_system_memory();
 +
 +    for (const RAMInfo *ri = mmc->raminfo; ri->name; ri++) {
 +        MemoryRegion *mr = mr_for_raminfo(mms, ri);
 +        memory_region_add_subregion(sysmem, ri->base, mr);
 +    }
 +}
 +
 +static void mps3r_set_default_ram_info(MPS3RMachineClass *mmc)
 +{
 +    /*
 +     * Set mc->default_ram_size and default_ram_id from the
 +     * information in mmc->raminfo.
 +     */
 +    MachineClass *mc = MACHINE_CLASS(mmc);
 +    const RAMInfo *p;
 +
 +    for (p = mmc->raminfo; p->name; p++) {
 +        if (p->mrindex < 0) {
 +            /* Found the entry for "system memory" */
 +            mc->default_ram_size = p->size;
 +            mc->default_ram_id = p->name;
 +            return;
 +        }
 +    }
 +    g_assert_not_reached();
 +}
 +
 +static void mps3r_class_init(ObjectClass *oc, void *data)
 +{
 +    MachineClass *mc = MACHINE_CLASS(oc);
 +
 +    mc->init = mps3r_common_init;
 +}
 +
 +static void mps3r_an536_class_init(ObjectClass *oc, void *data)
 +{
 +    MachineClass *mc = MACHINE_CLASS(oc);
 +    MPS3RMachineClass *mmc = MPS3R_MACHINE_CLASS(oc);
 +    static const char * const valid_cpu_types[] = {
 +        ARM_CPU_TYPE_NAME("cortex-r52"),
 +        NULL
 +    };
 +
 +    mc->desc = "ARM MPS3 with AN536 FPGA image for Cortex-R52";
 +    mc->default_cpus = 2;
 +    mc->min_cpus = mc->default_cpus;
 +    mc->max_cpus = mc->default_cpus;
 +    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-r52");
 +    mc->valid_cpu_types = valid_cpu_types;
 +    mmc->raminfo = an536_raminfo;
 +    mps3r_set_default_ram_info(mmc);
 +}
 +
 +static const TypeInfo mps3r_machine_types[] = {
 +    {
 +        .name = TYPE_MPS3R_MACHINE,
 +        .parent = TYPE_MACHINE,
 +        .abstract = true,
 +        .instance_size = sizeof(MPS3RMachineState),
 +        .class_size = sizeof(MPS3RMachineClass),
 +        .class_init = mps3r_class_init,
 +    }, {
 +        .name = TYPE_MPS3R_AN536_MACHINE,
 +        .parent = TYPE_MPS3R_MACHINE,
 +        .class_init = mps3r_an536_class_init,
 +    },
 +};
 +
 +DEFINE_TYPES(mps3r_machine_types);
 diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/Kconfig
 +++ b/hw/arm/Kconfig
@@ -XXX,XX +XXX,XX @@ config MAINSTONE
      select PFLASH_CFI01
      select SMC91C111
 +config MPS3R
 +    bool
 +    default y
 +    depends on TCG && ARM
 +
  config MUSCA
      bool
      default y
 diff --git a/hw/arm/meson.build b/hw/arm/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/meson.build
 +++ b/hw/arm/meson.build
@@ -XXX,XX +XXX,XX @@ arm_ss.add(when: 'CONFIG_HIGHBANK', if_true: files('highbank.c'))
  arm_ss.add(when: 'CONFIG_INTEGRATOR', if_true: files('integratorcp.c'))
  arm_ss.add(when: 'CONFIG_MAINSTONE', if_true: files('mainstone.c'))
  arm_ss.add(when: 'CONFIG_MICROBIT', if_true: files('microbit.c'))
 +arm_ss.add(when: 'CONFIG_MPS3R', if_true: files('mps3r.c'))
  arm_ss.add(when: 'CONFIG_MUSICPAL', if_true: files('musicpal.c'))
  arm_ss.add(when: 'CONFIG_NETDUINOPLUS2', if_true: files('netduinoplus2.c'))
  arm_ss.add(when: 'CONFIG_OLIMEX_STM32_H405', if_true: files('olimex-stm32-h405.c'))
 --
 .34.1

-[PULL 23/29] target/arm: Convert BR, BLR, RET to decodetree
+[PULL 31/35] hw/arm/mps3r: Add CPUs, GIC, and per-CPU RAM
-Convert the simple (non-pointer-auth) BR, BLR and RET insns
+Create the CPUs, the GIC, and the per-CPU RAM block for
-to decodetree.
+the mps3-an536 board.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20240206132931.38376-10-peter.maydell@linaro.org
 Message-id: 20230512144106.3608981-18-peter.maydell@linaro.org
 ---
- target/arm/tcg/a64.decode      |  5 ++++
+ hw/arm/mps3r.c | 180 ++++++++++++++++++++++++++++++++++++++++++++++++-
- target/arm/tcg/translate-a64.c | 55 ++++++++++++++++++++++++++++++----
+file changed, 177 insertions(+), 3 deletions(-)
 files changed, 54 insertions(+), 6 deletions(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/hw/arm/mps3r.c b/hw/arm/mps3r.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/hw/arm/mps3r.c
-+++ b/target/arm/tcg/a64.decode
++++ b/hw/arm/mps3r.c
 @@ -XXX,XX +XXX,XX @@
- # This file is processed by scripts/decodetree.py
+ #include "qemu/osdep.h"
- #
+ #include "qemu/units.h"
+ #include "qapi/error.h"
-+&r               rn
++#include "qapi/qmp/qlist.h"
- &ri              rd imm
+ #include "exec/address-spaces.h"
- &rri_sf          rd rn imm sf
+ #include "cpu.h"
- &i               imm
+ #include "hw/boards.h"
-@@ -XXX,XX +XXX,XX @@ CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
++#include "hw/qdev-properties.h"
- TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
+ #include "hw/arm/boot.h"
++#include "hw/arm/bsa.h"
- B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
++#include "hw/intc/arm_gicv3.h"
-+
-+BR              1101011 0000 11111 000000 rn:5 00000 &r
+ /* Define the layout of RAM and ROM in a board */
-+BLR             1101011 0001 11111 000000 rn:5 00000 &r
+ typedef struct RAMInfo {
-+RET             1101011 0010 11111 000000 rn:5 00000 &r
+@@ -XXX,XX +XXX,XX @@ typedef struct RAMInfo {
-diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+ #define IS_ROM 2
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/translate-a64.c
+ #define MPS3R_RAM_MAX 9
-+++ b/target/arm/tcg/translate-a64.c
++#define MPS3R_CPU_MAX 2
-@@ -XXX,XX +XXX,XX @@ static bool trans_B_cond(DisasContext *s, arg_B_cond *a)
++
-     return true;
++#define PERIPHBASE 0xf0000000
 +#define NUM_SPIS 96
  typedef enum MPS3RFPGAType {
      FPGA_AN536,
@@ -XXX,XX +XXX,XX @@ struct MPS3RMachineClass {
      MachineClass parent;
      MPS3RFPGAType fpga_type;
      const RAMInfo *raminfo;
 +    hwaddr loader_start;
  };
  struct MPS3RMachineState {
      MachineState parent;
 +    struct arm_boot_info bootinfo;
      MemoryRegion ram[MPS3R_RAM_MAX];
 +    Object *cpu[MPS3R_CPU_MAX];
 +    MemoryRegion cpu_sysmem[MPS3R_CPU_MAX];
 +    MemoryRegion sysmem_alias[MPS3R_CPU_MAX];
 +    MemoryRegion cpu_ram[MPS3R_CPU_MAX];
 +    GICv3State gic;
  };
  #define TYPE_MPS3R_MACHINE "mps3r"
@@ -XXX,XX +XXX,XX @@ static MemoryRegion *mr_for_raminfo(MPS3RMachineState *mms,
      return ram;
  }
-+static void set_btype_for_br(DisasContext *s, int rn)
++/*
 + * There is no defined secondary boot protocol for Linux for the AN536,
 + * because real hardware has a restriction that atomic operations between
 + * the two CPUs do not function correctly, and so true SMP is not
 + * possible. Therefore for cases where the user is directly booting
 + * a kernel, we treat the system as essentially uniprocessor, and
 + * put the secondary CPU into power-off state (as if the user on the
 + * real hardware had configured the secondary to be halted via the
 + * SCC config registers).
 + *
 + * Note that the default secondary boot code would not work here anyway
 + * as it assumes a GICv2, and we have a GICv3.
 + */
 +static void mps3r_write_secondary_boot(ARMCPU *cpu,
 +                                       const struct arm_boot_info *info)
 +{
-+    if (dc_isar_feature(aa64_bti, s)) {
++    /*
-+        /* BR to {x16,x17} or !guard -> 1, else 3.  */
++     * Power the secondary CPU off. This means we don't need to write any
-+        set_btype(s, rn == 16 || rn == 17 || !s->guarded_page ? 1 : 3);
++     * boot code into guest memory. Note that the 'cpu' argument to this
 +     * function is the primary CPU we passed to arm_load_kernel(), not
 +     * the secondary. Loop around all the other CPUs, as the boot.c
 +     * code does for the "disable secondaries if PSCI is enabled" case.
 +     */
 +    for (CPUState *cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
 +        if (cs != first_cpu) {
 +            object_property_set_bool(OBJECT(cs), "start-powered-off", true,
 +                                     &error_abort);
 +        }
 +    }
 +}
 +
-+static void set_btype_for_blr(DisasContext *s)
++static void mps3r_secondary_cpu_reset(ARMCPU *cpu,
 +                                      const struct arm_boot_info *info)
 +{
-+    if (dc_isar_feature(aa64_bti, s)) {
++    /* We don't need to do anything here because the CPU will be off */
-+        /* BLR sets BTYPE to 2, regardless of source guarded page.  */
++}
-+        set_btype(s, 2);
++
 +static void create_gic(MPS3RMachineState *mms, MemoryRegion *sysmem)
 +{
 +    MachineState *machine = MACHINE(mms);
 +    DeviceState *gicdev;
 +    QList *redist_region_count;
 +
 +    object_initialize_child(OBJECT(mms), "gic", &mms->gic, TYPE_ARM_GICV3);
 +    gicdev = DEVICE(&mms->gic);
 +    qdev_prop_set_uint32(gicdev, "num-cpu", machine->smp.cpus);
 +    qdev_prop_set_uint32(gicdev, "num-irq", NUM_SPIS + GIC_INTERNAL);
 +    redist_region_count = qlist_new();
 +    qlist_append_int(redist_region_count, machine->smp.cpus);
 +    qdev_prop_set_array(gicdev, "redist-region-count", redist_region_count);
 +    object_property_set_link(OBJECT(&mms->gic), "sysmem",
 +                             OBJECT(sysmem), &error_fatal);
 +    sysbus_realize(SYS_BUS_DEVICE(&mms->gic), &error_fatal);
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->gic), 0, PERIPHBASE);
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->gic), 1, PERIPHBASE + 0x100000);
 +    /*
 +     * Wire the outputs from each CPU's generic timer and the GICv3
 +     * maintenance interrupt signal to the appropriate GIC PPI inputs,
 +     * and the GIC's IRQ/FIQ/VIRQ/VFIQ interrupt outputs to the CPU's inputs.
 +     */
 +    for (int i = 0; i < machine->smp.cpus; i++) {
 +        DeviceState *cpudev = DEVICE(mms->cpu[i]);
 +        SysBusDevice *gicsbd = SYS_BUS_DEVICE(&mms->gic);
 +        int intidbase = NUM_SPIS + i * GIC_INTERNAL;
 +        int irq;
 +        /*
 +         * Mapping from the output timer irq lines from the CPU to the
 +         * GIC PPI inputs used for this board. This isn't a BSA board,
 +         * but it uses the standard convention for the PPI numbers.
 +         */
 +        const int timer_irq[] = {
 +            [GTIMER_PHYS] = ARCH_TIMER_NS_EL1_IRQ,
 +            [GTIMER_VIRT] = ARCH_TIMER_VIRT_IRQ,
 +            [GTIMER_HYP]  = ARCH_TIMER_NS_EL2_IRQ,
 +        };
 +
 +        for (irq = 0; irq < ARRAY_SIZE(timer_irq); irq++) {
 +            qdev_connect_gpio_out(cpudev, irq,
 +                                  qdev_get_gpio_in(gicdev,
 +                                                   intidbase + timer_irq[irq]));
 +        }
 +
 +        qdev_connect_gpio_out_named(cpudev, "gicv3-maintenance-interrupt", 0,
 +                                    qdev_get_gpio_in(gicdev,
 +                                                     intidbase + ARCH_GIC_MAINT_IRQ));
 +
 +        qdev_connect_gpio_out_named(cpudev, "pmu-interrupt", 0,
 +                                    qdev_get_gpio_in(gicdev,
 +                                                     intidbase + VIRTUAL_PMU_IRQ));
 +
 +        sysbus_connect_irq(gicsbd, i,
 +                           qdev_get_gpio_in(cpudev, ARM_CPU_IRQ));
 +        sysbus_connect_irq(gicsbd, i + machine->smp.cpus,
 +                           qdev_get_gpio_in(cpudev, ARM_CPU_FIQ));
 +        sysbus_connect_irq(gicsbd, i + 2 * machine->smp.cpus,
 +                           qdev_get_gpio_in(cpudev, ARM_CPU_VIRQ));
 +        sysbus_connect_irq(gicsbd, i + 3 * machine->smp.cpus,
 +                           qdev_get_gpio_in(cpudev, ARM_CPU_VFIQ));
 +    }
 +}
 +
-+static bool trans_BR(DisasContext *s, arg_r *a)
+ static void mps3r_common_init(MachineState *machine)
-+{
+ {
-+    gen_a64_set_pc(s, cpu_reg(s, a->rn));
+     MPS3RMachineState *mms = MPS3R_MACHINE(machine);
-+    set_btype_for_br(s, a->rn);
+@@ -XXX,XX +XXX,XX @@ static void mps3r_common_init(MachineState *machine)
-+    s->base.is_jmp = DISAS_JUMP;
+         MemoryRegion *mr = mr_for_raminfo(mms, ri);
-+    return true;
+         memory_region_add_subregion(sysmem, ri->base, mr);
-+}
+     }
 +
-+static bool trans_BLR(DisasContext *s, arg_r *a)
++    assert(machine->smp.cpus <= MPS3R_CPU_MAX);
-+{
++    for (int i = 0; i < machine->smp.cpus; i++) {
-+    TCGv_i64 dst = cpu_reg(s, a->rn);
++        g_autofree char *sysmem_name = g_strdup_printf("cpu-%d-memory", i);
-+    TCGv_i64 lr = cpu_reg(s, 30);
++        g_autofree char *ramname = g_strdup_printf("cpu-%d-memory", i);
-+    if (dst == lr) {
++        g_autofree char *alias_name = g_strdup_printf("sysmem-alias-%d", i);
-+        TCGv_i64 tmp = tcg_temp_new_i64();
++
-+        tcg_gen_mov_i64(tmp, dst);
++        /*
-+        dst = tmp;
++         * Each CPU has some private RAM/peripherals, so create the container
 +         * which will house those, with the whole-machine system memory being
 +         * used where there's no CPU-specific device. Note that we need the
 +         * sysmem_alias aliases because we can't put one MR (the original
 +         * 'sysmem') into more than one other MR.
 +         */
 +        memory_region_init(&mms->cpu_sysmem[i], OBJECT(machine),
 +                           sysmem_name, UINT64_MAX);
 +        memory_region_init_alias(&mms->sysmem_alias[i], OBJECT(machine),
 +                                 alias_name, sysmem, 0, UINT64_MAX);
 +        memory_region_add_subregion_overlap(&mms->cpu_sysmem[i], 0,
 +                                            &mms->sysmem_alias[i], -1);
 +
 +        mms->cpu[i] = object_new(machine->cpu_type);
 +        object_property_set_link(mms->cpu[i], "memory",
 +                                 OBJECT(&mms->cpu_sysmem[i]), &error_abort);
 +        object_property_set_int(mms->cpu[i], "reset-cbar",
 +                                PERIPHBASE, &error_abort);
 +        qdev_realize(DEVICE(mms->cpu[i]), NULL, &error_fatal);
 +        object_unref(mms->cpu[i]);
 +
 +        /* Per-CPU RAM */
 +        memory_region_init_ram(&mms->cpu_ram[i], NULL, ramname,
 +                               0x1000, &error_fatal);
 +        memory_region_add_subregion(&mms->cpu_sysmem[i], 0xe7c01000,
 +                                    &mms->cpu_ram[i]);
 +    }
-+    gen_pc_plus_diff(s, lr, curr_insn_len(s));
++
-+    gen_a64_set_pc(s, dst);
++    create_gic(mms, sysmem);
-+    set_btype_for_blr(s);
++
-+    s->base.is_jmp = DISAS_JUMP;
++    mms->bootinfo.ram_size = machine->ram_size;
-+    return true;
++    mms->bootinfo.board_id = -1;
-+}
++    mms->bootinfo.loader_start = mmc->loader_start;
-+
++    mms->bootinfo.write_secondary_boot = mps3r_write_secondary_boot;
-+static bool trans_RET(DisasContext *s, arg_r *a)
++    mms->bootinfo.secondary_cpu_reset_hook = mps3r_secondary_cpu_reset;
-+{
++    arm_load_kernel(ARM_CPU(mms->cpu[0]), machine, &mms->bootinfo);
-+    gen_a64_set_pc(s, cpu_reg(s, a->rn));
+ }
-+    s->base.is_jmp = DISAS_JUMP;
-+    return true;
+ static void mps3r_set_default_ram_info(MPS3RMachineClass *mmc)
-+}
+@@ -XXX,XX +XXX,XX @@ static void mps3r_set_default_ram_info(MPS3RMachineClass *mmc)
-+
+             /* Found the entry for "system memory" */
- /* HINT instruction group, including various allocated HINTs */
+             mc->default_ram_size = p->size;
- static void handle_hint(DisasContext *s, uint32_t insn,
+             mc->default_ram_id = p->name;
-                         unsigned int op1, unsigned int op2, unsigned int crm)
++            mmc->loader_start = p->base;
-@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
+             return;
-         btype_mod = opc;
+         }
-         switch (op3) {
+     }
-         case 0:
+@@ -XXX,XX +XXX,XX @@ static void mps3r_an536_class_init(ObjectClass *oc, void *data)
--            /* BR, BLR, RET */
+     };
--            if (op4 != 0) {
--                goto do_unallocated;
+     mc->desc = "ARM MPS3 with AN536 FPGA image for Cortex-R52";
--            }
+-    mc->default_cpus = 2;
--            dst = cpu_reg(s, rn);
+-    mc->min_cpus = mc->default_cpus;
--            break;
+-    mc->max_cpus = mc->default_cpus;
-+            /* BR, BLR, RET : handled in decodetree */
++    /*
-+            goto do_unallocated;
++     * In the real FPGA image there are always two cores, but the standard
++     * initial setting for the SCC SYSCON 0x000 register is 0x21, meaning
-         case 2:
++     * that the second core is held in reset and halted. Many images built for
-         case 3:
++     * the board do not expect the second core to run at startup (especially
 +     * since on the real FPGA image it is not possible to use LDREX/STREX
 +     * in RAM between the two cores, so a true SMP setup isn't supported).
 +     *
 +     * As QEMU's equivalent of this, we support both -smp 1 and -smp 2,
 +     * with the default being -smp 1. This seems a more intuitive UI for
 +     * QEMU users than, for instance, having a machine property to allow
 +     * the user to set the initial value of the SYSCON 0x000 register.
 +     */
 +    mc->default_cpus = 1;
 +    mc->min_cpus = 1;
 +    mc->max_cpus = 2;
      mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-r52");
      mc->valid_cpu_types = valid_cpu_types;
      mmc->raminfo = an536_raminfo;
 --
 .34.1

-[PULL 28/29] hw/arm/vexpress: Avoid trivial memory leak of 'flashalias'
+[PULL 32/35] hw/arm/mps3r: Add UARTs
-In the vexpress board code, we allocate a new MemoryRegion at the top
+This board has a lot of UARTs: there is one UART per CPU in the
-of vexpress_common_init() but only set it up and use it inside the
+per-CPU peripheral part of the address map, whose interrupts are
-"if (map[VE_NORFLASHALIAS] != -1)" conditional, so we leak it if not.
+connected as per-CPU interrupt lines.  Then there are 4 UARTs in the
-This isn't a very interesting leak as it's a tiny amount of memory
+normal part of the peripheral space, whose interrupts are shared
-once at startup, but it's easy to fix.
+peripheral interrupts.
-We could silence Coverity simply by moving the g_new() into the
+Connect and wire them all up; this involves some OR gates where
-if() block, but this use of g_new(MemoryRegion, 1) is a legacy from
+multiple overflow interrupts are wired into one GIC input.
 when this board model was originally written; we wouldn't do that
 if we wrote it today. The MemoryRegions are conceptually a part of
 the board and must not go away until the whole board is done with
 (at the end of the simulation), so they belong in its state struct.
 This machine already has a VexpressMachineState struct that extends
 MachineState, so statically put the MemoryRegions in there instead of
 dynamically allocating them separately at runtime.
 Spotted by Coverity (CID 1509083).
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Message-id: 20230512170223.3801643-3-peter.maydell@linaro.org
+Message-id: 20240206132931.38376-11-peter.maydell@linaro.org
 ---
- hw/arm/vexpress.c | 40 ++++++++++++++++++++--------------------
+ hw/arm/mps3r.c | 94 ++++++++++++++++++++++++++++++++++++++++++++++++++
-file changed, 20 insertions(+), 20 deletions(-)
+file changed, 94 insertions(+)
-diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
+diff --git a/hw/arm/mps3r.c b/hw/arm/mps3r.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/vexpress.c
+--- a/hw/arm/mps3r.c
-+++ b/hw/arm/vexpress.c
++++ b/hw/arm/mps3r.c
-@@ -XXX,XX +XXX,XX @@ struct VexpressMachineClass {
+@@ -XXX,XX +XXX,XX @@
+ #include "qapi/qmp/qlist.h"
- struct VexpressMachineState {
+ #include "exec/address-spaces.h"
-     MachineState parent;
+ #include "cpu.h"
-+    MemoryRegion vram;
++#include "sysemu/sysemu.h"
-+    MemoryRegion sram;
+ #include "hw/boards.h"
-+    MemoryRegion flashalias;
++#include "hw/or-irq.h"
-+    MemoryRegion lowram;
+ #include "hw/qdev-properties.h"
-+    MemoryRegion a15sram;
+ #include "hw/arm/boot.h"
-     bool secure;
+ #include "hw/arm/bsa.h"
-     bool virt;
++#include "hw/char/cmsdk-apb-uart.h"
  #include "hw/intc/arm_gicv3.h"
  /* Define the layout of RAM and ROM in a board */
@@ -XXX,XX +XXX,XX @@ typedef struct RAMInfo {
  #define MPS3R_RAM_MAX 9
  #define MPS3R_CPU_MAX 2
 +#define MPS3R_UART_MAX 4 /* shared UART count */
  #define PERIPHBASE 0xf0000000
  #define NUM_SPIS 96
@@ -XXX,XX +XXX,XX @@ struct MPS3RMachineState {
      MemoryRegion sysmem_alias[MPS3R_CPU_MAX];
      MemoryRegion cpu_ram[MPS3R_CPU_MAX];
      GICv3State gic;
 +    /* per-CPU UARTs followed by the shared UARTs */
 +    CMSDKAPBUART uart[MPS3R_CPU_MAX + MPS3R_UART_MAX];
 +    OrIRQState cpu_uart_oflow[MPS3R_CPU_MAX];
 +    OrIRQState uart_oflow;
  };
-@@ -XXX,XX +XXX,XX @@ struct VexpressMachineState {
- #define TYPE_VEXPRESS_A15_MACHINE   MACHINE_TYPE_NAME("vexpress-a15")
+ #define TYPE_MPS3R_MACHINE "mps3r"
- OBJECT_DECLARE_TYPE(VexpressMachineState, VexpressMachineClass, VEXPRESS_MACHINE)
+@@ -XXX,XX +XXX,XX @@ struct MPS3RMachineState {
--typedef void DBoardInitFn(const VexpressMachineState *machine,
+ OBJECT_DECLARE_TYPE(MPS3RMachineState, MPS3RMachineClass, MPS3R_MACHINE)
-+typedef void DBoardInitFn(VexpressMachineState *machine,
-                           ram_addr_t ram_size,
++/*
-                           const char *cpu_type,
++ * Main clock frequency CLK in Hz (50MHz). In the image there are also
-                           qemu_irq *pic);
++ * ACLK, MCLK, GPUCLK and PERIPHCLK at the same frequency; for our
-@@ -XXX,XX +XXX,XX @@ static void init_cpus(MachineState *ms, const char *cpu_type,
++ * model we just roll them all into one.
 + */
 +#define CLK_FRQ 50000000
 +
  static const RAMInfo an536_raminfo[] = {
      {
          .name = "ATCM",
@@ -XXX,XX +XXX,XX @@ static void create_gic(MPS3RMachineState *mms, MemoryRegion *sysmem)
      }
  }
--static void a9_daughterboard_init(const VexpressMachineState *vms,
++/*
-+static void a9_daughterboard_init(VexpressMachineState *vms,
++ * Create UART uartno, and map it into the MemoryRegion mem at address baseaddr.
-                                   ram_addr_t ram_size,
++ * The qemu_irq arguments are where we connect the various IRQs from the UART.
-                                   const char *cpu_type,
++ */
-                                   qemu_irq *pic)
++static void create_uart(MPS3RMachineState *mms, int uartno, MemoryRegion *mem,
 +                        hwaddr baseaddr, qemu_irq txirq, qemu_irq rxirq,
 +                        qemu_irq txoverirq, qemu_irq rxoverirq,
 +                        qemu_irq combirq)
 +{
 +    g_autofree char *s = g_strdup_printf("uart%d", uartno);
 +    SysBusDevice *sbd;
 +
 +    assert(uartno < ARRAY_SIZE(mms->uart));
 +    object_initialize_child(OBJECT(mms), s, &mms->uart[uartno],
 +                            TYPE_CMSDK_APB_UART);
 +    qdev_prop_set_uint32(DEVICE(&mms->uart[uartno]), "pclk-frq", CLK_FRQ);
 +    qdev_prop_set_chr(DEVICE(&mms->uart[uartno]), "chardev", serial_hd(uartno));
 +    sbd = SYS_BUS_DEVICE(&mms->uart[uartno]);
 +    sysbus_realize(sbd, &error_fatal);
 +    memory_region_add_subregion(mem, baseaddr,
 +                                sysbus_mmio_get_region(sbd, 0));
 +    sysbus_connect_irq(sbd, 0, txirq);
 +    sysbus_connect_irq(sbd, 1, rxirq);
 +    sysbus_connect_irq(sbd, 2, txoverirq);
 +    sysbus_connect_irq(sbd, 3, rxoverirq);
 +    sysbus_connect_irq(sbd, 4, combirq);
 +}
 +
  static void mps3r_common_init(MachineState *machine)
  {
-     MachineState *machine = MACHINE(vms);
+     MPS3RMachineState *mms = MPS3R_MACHINE(machine);
      MPS3RMachineClass *mmc = MPS3R_MACHINE_GET_CLASS(mms);
      MemoryRegion *sysmem = get_system_memory();
--    MemoryRegion *lowram = g_new(MemoryRegion, 1);
++    DeviceState *gicdev;
-     ram_addr_t low_ram_size;
+     for (const RAMInfo *ri = mmc->raminfo; ri->name; ri++) {
-     if (ram_size > 0x40000000) {
+         MemoryRegion *mr = mr_for_raminfo(mms, ri);
-@@ -XXX,XX +XXX,XX @@ static void a9_daughterboard_init(const VexpressMachineState *vms,
+@@ -XXX,XX +XXX,XX @@ static void mps3r_common_init(MachineState *machine)
       * address space should in theory be remappable to various
       * things including ROM or RAM; we always map the RAM there.
       */
 -    memory_region_init_alias(lowram, NULL, "vexpress.lowmem", machine->ram,
 -                             0, low_ram_size);
 -    memory_region_add_subregion(sysmem, 0x0, lowram);
 +    memory_region_init_alias(&vms->lowram, NULL, "vexpress.lowmem",
 +                             machine->ram, 0, low_ram_size);
 +    memory_region_add_subregion(sysmem, 0x0, &vms->lowram);
      memory_region_add_subregion(sysmem, 0x60000000, machine->ram);
      /* 0x1e000000 A9MPCore (SCU) private memory region */
@@ -XXX,XX +XXX,XX @@ static VEDBoardInfo a9_daughterboard = {
      .init = a9_daughterboard_init,
  };
 -static void a15_daughterboard_init(const VexpressMachineState *vms,
 +static void a15_daughterboard_init(VexpressMachineState *vms,
                                     ram_addr_t ram_size,
                                     const char *cpu_type,
                                     qemu_irq *pic)
  {
      MachineState *machine = MACHINE(vms);
      MemoryRegion *sysmem = get_system_memory();
 -    MemoryRegion *sram = g_new(MemoryRegion, 1);
      {
          /* We have to use a separate 64 bit variable here to avoid the gcc
@@ -XXX,XX +XXX,XX @@ static void a15_daughterboard_init(const VexpressMachineState *vms,
      /* 0x2b060000: SP805 watchdog: not modelled */
      /* 0x2b0a0000: PL341 dynamic memory controller: not modelled */
      /* 0x2e000000: system SRAM */
 -    memory_region_init_ram(sram, NULL, "vexpress.a15sram", 0x10000,
 +    memory_region_init_ram(&vms->a15sram, NULL, "vexpress.a15sram", 0x10000,
                             &error_fatal);
 -    memory_region_add_subregion(sysmem, 0x2e000000, sram);
 +    memory_region_add_subregion(sysmem, 0x2e000000, &vms->a15sram);
      /* 0x7ffb0000: DMA330 DMA controller: not modelled */
      /* 0x7ffd0000: PL354 static memory controller: not modelled */
@@ -XXX,XX +XXX,XX @@ static void vexpress_common_init(MachineState *machine)
      I2CBus *i2c;
      ram_addr_t vram_size, sram_size;
      MemoryRegion *sysmem = get_system_memory();
 -    MemoryRegion *vram = g_new(MemoryRegion, 1);
 -    MemoryRegion *sram = g_new(MemoryRegion, 1);
 -    MemoryRegion *flashalias = g_new(MemoryRegion, 1);
 -    MemoryRegion *flash0mem;
      const hwaddr *map = daughterboard->motherboard_map;
      int i;
@@ -XXX,XX +XXX,XX @@ static void vexpress_common_init(MachineState *machine)
      if (map[VE_NORFLASHALIAS] != -1) {
          /* Map flash 0 as an alias into low memory */
 +        MemoryRegion *flash0mem;
          flash0mem = sysbus_mmio_get_region(SYS_BUS_DEVICE(pflash0), 0);
 -        memory_region_init_alias(flashalias, NULL, "vexpress.flashalias",
 +        memory_region_init_alias(&vms->flashalias, NULL, "vexpress.flashalias",
                                   flash0mem, 0, VEXPRESS_FLASH_SIZE);
 -        memory_region_add_subregion(sysmem, map[VE_NORFLASHALIAS], flashalias);
 +        memory_region_add_subregion(sysmem, map[VE_NORFLASHALIAS], &vms->flashalias);
      }
-     dinfo = drive_get(IF_PFLASH, 0, 1);
+     create_gic(mms, sysmem);
-     ve_pflash_cfi01_register(map[VE_NORFLASH1], "vexpress.flash1", dinfo);
++    gicdev = DEVICE(&mms->gic);
++
-     sram_size = 0x2000000;
++    /*
--    memory_region_init_ram(sram, NULL, "vexpress.sram", sram_size,
++     * UARTs 0 and 1 are per-CPU; their interrupts are wired to
-+    memory_region_init_ram(&vms->sram, NULL, "vexpress.sram", sram_size,
++     * the relevant CPU's PPI 0..3, aka INTID 16..19
-                            &error_fatal);
++     */
--    memory_region_add_subregion(sysmem, map[VE_SRAM], sram);
++    for (int i = 0; i < machine->smp.cpus; i++) {
-+    memory_region_add_subregion(sysmem, map[VE_SRAM], &vms->sram);
++        int intidbase = NUM_SPIS + i * GIC_INTERNAL;
++        g_autofree char *s = g_strdup_printf("cpu-uart-oflow-orgate%d", i);
-     vram_size = 0x800000;
++        DeviceState *orgate;
--    memory_region_init_ram(vram, NULL, "vexpress.vram", vram_size,
++
-+    memory_region_init_ram(&vms->vram, NULL, "vexpress.vram", vram_size,
++        /* The two overflow IRQs from the UART are ORed together into PPI 3 */
-                            &error_fatal);
++        object_initialize_child(OBJECT(mms), s, &mms->cpu_uart_oflow[i],
--    memory_region_add_subregion(sysmem, map[VE_VIDEORAM], vram);
++                                TYPE_OR_IRQ);
-+    memory_region_add_subregion(sysmem, map[VE_VIDEORAM], &vms->vram);
++        orgate = DEVICE(&mms->cpu_uart_oflow[i]);
++        qdev_prop_set_uint32(orgate, "num-lines", 2);
-     /* 0x4e000000 LAN9118 Ethernet */
++        qdev_realize(orgate, NULL, &error_fatal);
-     if (nd_table[0].used) {
++        qdev_connect_gpio_out(orgate, 0,
 +                              qdev_get_gpio_in(gicdev, intidbase + 19));
 +
 +        create_uart(mms, i, &mms->cpu_sysmem[i], 0xe7c00000,
 +                    qdev_get_gpio_in(gicdev, intidbase + 17), /* tx */
 +                    qdev_get_gpio_in(gicdev, intidbase + 16), /* rx */
 +                    qdev_get_gpio_in(orgate, 0), /* txover */
 +                    qdev_get_gpio_in(orgate, 1), /* rxover */
 +                    qdev_get_gpio_in(gicdev, intidbase + 18) /* combined */);
 +    }
 +    /*
 +     * UARTs 2 to 5 are whole-system; all overflow IRQs are ORed
 +     * together into IRQ 17
 +     */
 +    object_initialize_child(OBJECT(mms), "uart-oflow-orgate",
 +                            &mms->uart_oflow, TYPE_OR_IRQ);
 +    qdev_prop_set_uint32(DEVICE(&mms->uart_oflow), "num-lines",
 +                         MPS3R_UART_MAX * 2);
 +    qdev_realize(DEVICE(&mms->uart_oflow), NULL, &error_fatal);
 +    qdev_connect_gpio_out(DEVICE(&mms->uart_oflow), 0,
 +                          qdev_get_gpio_in(gicdev, 17));
 +
 +    for (int i = 0; i < MPS3R_UART_MAX; i++) {
 +        hwaddr baseaddr = 0xe0205000 + i * 0x1000;
 +        int rxirq = 5 + i * 2, txirq = 6 + i * 2, combirq = 13 + i;
 +
 +        create_uart(mms, i + MPS3R_CPU_MAX, sysmem, baseaddr,
 +                    qdev_get_gpio_in(gicdev, txirq),
 +                    qdev_get_gpio_in(gicdev, rxirq),
 +                    qdev_get_gpio_in(DEVICE(&mms->uart_oflow), i * 2),
 +                    qdev_get_gpio_in(DEVICE(&mms->uart_oflow), i * 2 + 1),
 +                    qdev_get_gpio_in(gicdev, combirq));
 +    }
      mms->bootinfo.ram_size = machine->ram_size;
      mms->bootinfo.board_id = -1;
 --
 .34.1

-[PULL 26/29] target/arm: Convert ERET, ERETAA, ERETAB to decodetree
+[PULL 33/35] hw/arm/mps3r: Add GPIO, watchdog, dual-timer, I2C devices
-Convert the exception-return insns ERET, ERETA and ERETB to
+Add the GPIO, watchdog, dual-timer and I2C devices to the mps3-an536
-decodetree. These were the last insns left in the legacy
+board.  These are all simple devices that just need to be created and
-decoder function disas_uncond_reg_b(), which allows us to
+wired up.
 remove it.
 The old decoder explicitly decoded the DRPS instruction,
 only in order to call unallocated_encoding() on it, exactly
 as would have happened if it hadn't decoded it. This is
 because this insn always UNDEFs unless the CPU is in
 halting-debug state, which we don't emulate. So we list
 the pattern in a comment in a64.decode, but don't actively
 decode it.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Message-id: 20230512144106.3608981-21-peter.maydell@linaro.org
+Message-id: 20240206132931.38376-12-peter.maydell@linaro.org
 ---
- target/arm/tcg/a64.decode      |   8 ++
+ hw/arm/mps3r.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++
- target/arm/tcg/translate-a64.c | 163 +++++++++++----------------------
+file changed, 59 insertions(+)
 files changed, 63 insertions(+), 108 deletions(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/hw/arm/mps3r.c b/hw/arm/mps3r.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/hw/arm/mps3r.c
-+++ b/target/arm/tcg/a64.decode
++++ b/hw/arm/mps3r.c
-@@ -XXX,XX +XXX,XX @@ RETA            1101011 0010 11111 00001 m:1 11111 11111 &reta  # RETAA, RETAB
+@@ -XXX,XX +XXX,XX @@
- &bra        rn rm m
+ #include "sysemu/sysemu.h"
- BRA             1101011 1000 11111 00001 m:1 rn:5 rm:5 &bra # BRAA, BRAB
+ #include "hw/boards.h"
- BLRA            1101011 1001 11111 00001 m:1 rn:5 rm:5 &bra # BLRAA, BLRAB
+ #include "hw/or-irq.h"
 +#include "hw/qdev-clock.h"
  #include "hw/qdev-properties.h"
  #include "hw/arm/boot.h"
  #include "hw/arm/bsa.h"
  #include "hw/char/cmsdk-apb-uart.h"
 +#include "hw/i2c/arm_sbcon_i2c.h"
  #include "hw/intc/arm_gicv3.h"
 +#include "hw/misc/unimp.h"
 +#include "hw/timer/cmsdk-apb-dualtimer.h"
 +#include "hw/watchdog/cmsdk-apb-watchdog.h"
  /* Define the layout of RAM and ROM in a board */
  typedef struct RAMInfo {
@@ -XXX,XX +XXX,XX @@ struct MPS3RMachineState {
      CMSDKAPBUART uart[MPS3R_CPU_MAX + MPS3R_UART_MAX];
      OrIRQState cpu_uart_oflow[MPS3R_CPU_MAX];
      OrIRQState uart_oflow;
 +    CMSDKAPBWatchdog watchdog;
 +    CMSDKAPBDualTimer dualtimer;
 +    ArmSbconI2CState i2c[5];
 +    Clock *clk;
  };
  #define TYPE_MPS3R_MACHINE "mps3r"
@@ -XXX,XX +XXX,XX @@ static void mps3r_common_init(MachineState *machine)
      MemoryRegion *sysmem = get_system_memory();
      DeviceState *gicdev;
 +    mms->clk = clock_new(OBJECT(machine), "CLK");
 +    clock_set_hz(mms->clk, CLK_FRQ);
 +
-+ERET            1101011 0100 11111 000000 11111 00000
+     for (const RAMInfo *ri = mmc->raminfo; ri->name; ri++) {
-+ERETA           1101011 0100 11111 00001 m:1 11111 11111 &reta  # ERETAA, ERETAB
+         MemoryRegion *mr = mr_for_raminfo(mms, ri);
-+
+         memory_region_add_subregion(sysmem, ri->base, mr);
-+# We don't need to decode DRPS because it always UNDEFs except when
+@@ -XXX,XX +XXX,XX @@ static void mps3r_common_init(MachineState *machine)
-+# the processor is in halting debug state (which we don't implement).
+                     qdev_get_gpio_in(gicdev, combirq));
-+# The pattern is listed here as documentation.
+     }
-+# DRPS            1101011 0101 11111 000000 11111 00000
-diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
++    for (int i = 0; i < 4; i++) {
-index XXXXXXX..XXXXXXX 100644
++        /* CMSDK GPIO controllers */
---- a/target/arm/tcg/translate-a64.c
++        g_autofree char *s = g_strdup_printf("gpio%d", i);
-+++ b/target/arm/tcg/translate-a64.c
++        create_unimplemented_device(s, 0xe0000000 + i * 0x1000, 0x1000);
@@ -XXX,XX +XXX,XX @@ static bool trans_BLRA(DisasContext *s, arg_bra *a)
      return true;
  }
 +static bool trans_ERET(DisasContext *s, arg_ERET *a)
 +{
 +    TCGv_i64 dst;
 +
 +    if (s->current_el == 0) {
 +        return false;
 +    }
 +    if (s->fgt_eret) {
 +        gen_exception_insn_el(s, 0, EXCP_UDEF, 0, 2);
 +        return true;
 +    }
 +    dst = tcg_temp_new_i64();
 +    tcg_gen_ld_i64(dst, cpu_env,
 +                   offsetof(CPUARMState, elr_el[s->current_el]));
 +
 +    if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
 +        gen_io_start();
 +    }
 +
-+    gen_helper_exception_return(cpu_env, dst);
++    object_initialize_child(OBJECT(mms), "watchdog", &mms->watchdog,
-+    /* Must exit loop to check un-masked IRQs */
++                            TYPE_CMSDK_APB_WATCHDOG);
-+    s->base.is_jmp = DISAS_EXIT;
++    qdev_connect_clock_in(DEVICE(&mms->watchdog), "WDOGCLK", mms->clk);
-+    return true;
++    sysbus_realize(SYS_BUS_DEVICE(&mms->watchdog), &error_fatal);
-+}
++    sysbus_connect_irq(SYS_BUS_DEVICE(&mms->watchdog), 0,
 +                       qdev_get_gpio_in(gicdev, 0));
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->watchdog), 0, 0xe0100000);
 +
-+static bool trans_ERETA(DisasContext *s, arg_reta *a)
++    object_initialize_child(OBJECT(mms), "dualtimer", &mms->dualtimer,
-+{
++                            TYPE_CMSDK_APB_DUALTIMER);
-+    TCGv_i64 dst;
++    qdev_connect_clock_in(DEVICE(&mms->dualtimer), "TIMCLK", mms->clk);
 +    sysbus_realize(SYS_BUS_DEVICE(&mms->dualtimer), &error_fatal);
 +    sysbus_connect_irq(SYS_BUS_DEVICE(&mms->dualtimer), 0,
 +                       qdev_get_gpio_in(gicdev, 3));
 +    sysbus_connect_irq(SYS_BUS_DEVICE(&mms->dualtimer), 1,
 +                       qdev_get_gpio_in(gicdev, 1));
 +    sysbus_connect_irq(SYS_BUS_DEVICE(&mms->dualtimer), 2,
 +                       qdev_get_gpio_in(gicdev, 2));
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->dualtimer), 0, 0xe0101000);
 +
-+    if (!dc_isar_feature(aa64_pauth, s)) {
++    for (int i = 0; i < ARRAY_SIZE(mms->i2c); i++) {
-+        return false;
++        static const hwaddr i2cbase[] = {0xe0102000,    /* Touch */
-+    }
++                                         0xe0103000,    /* Audio */
-+    if (s->current_el == 0) {
++                                         0xe0107000,    /* Shield0 */
-+        return false;
++                                         0xe0108000,    /* Shield1 */
-+    }
++                                         0xe0109000};   /* DDR4 EEPROM */
-+    /* The FGT trap takes precedence over an auth trap. */
++        g_autofree char *s = g_strdup_printf("i2c%d", i);
 +    if (s->fgt_eret) {
 +        gen_exception_insn_el(s, 0, EXCP_UDEF, a->m ? 3 : 2, 2);
 +        return true;
 +    }
 +    dst = tcg_temp_new_i64();
 +    tcg_gen_ld_i64(dst, cpu_env,
 +                   offsetof(CPUARMState, elr_el[s->current_el]));
 +
-+    dst = auth_branch_target(s, dst, cpu_X[31], !a->m);
++        object_initialize_child(OBJECT(mms), s, &mms->i2c[i],
-+    if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
++                                TYPE_ARM_SBCON_I2C);
-+        gen_io_start();
++        sysbus_realize(SYS_BUS_DEVICE(&mms->i2c[i]), &error_fatal);
 +        sysbus_mmio_map(SYS_BUS_DEVICE(&mms->i2c[i]), 0, i2cbase[i]);
 +        if (i != 2 && i != 3) {
 +            /*
 +             * internal-only bus: mark it full to avoid user-created
 +             * i2c devices being plugged into it.
 +             */
 +            qbus_mark_full(qdev_get_child_bus(DEVICE(&mms->i2c[i]), "i2c"));
 +        }
 +    }
 +
-+    gen_helper_exception_return(cpu_env, dst);
+     mms->bootinfo.ram_size = machine->ram_size;
-+    /* Must exit loop to check un-masked IRQs */
+     mms->bootinfo.board_id = -1;
-+    s->base.is_jmp = DISAS_EXIT;
+     mms->bootinfo.loader_start = mmc->loader_start;
 +    return true;
 +}
 +
  /* HINT instruction group, including various allocated HINTs */
  static void handle_hint(DisasContext *s, uint32_t insn,
                          unsigned int op1, unsigned int op2, unsigned int crm)
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
      }
  }
 -/* Unconditional branch (register)
 - *  31           25 24   21 20   16 15   10 9    5 4     0
 - * +---------------+-------+-------+-------+------+-------+
 - * | 1 1 0 1 0 1 1 |  opc  |  op2  |  op3  |  Rn  |  op4  |
 - * +---------------+-------+-------+-------+------+-------+
 - */
 -static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
 -{
 -    unsigned int opc, op2, op3, rn, op4;
 -    TCGv_i64 dst;
 -    TCGv_i64 modifier;
 -
 -    opc = extract32(insn, 21, 4);
 -    op2 = extract32(insn, 16, 5);
 -    op3 = extract32(insn, 10, 6);
 -    rn = extract32(insn, 5, 5);
 -    op4 = extract32(insn, 0, 5);
 -
 -    if (op2 != 0x1f) {
 -        goto do_unallocated;
 -    }
 -
 -    switch (opc) {
 -    case 0:
 -    case 1:
 -    case 2:
 -    case 8:
 -    case 9:
 -        /*
 -         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ,
 -         * BRAA, BLRAA: handled in decodetree
 -         */
 -        goto do_unallocated;
 -
 -    case 4: /* ERET */
 -        if (s->current_el == 0) {
 -            goto do_unallocated;
 -        }
 -        switch (op3) {
 -        case 0: /* ERET */
 -            if (op4 != 0) {
 -                goto do_unallocated;
 -            }
 -            if (s->fgt_eret) {
 -                gen_exception_insn_el(s, 0, EXCP_UDEF, syn_erettrap(op3), 2);
 -                return;
 -            }
 -            dst = tcg_temp_new_i64();
 -            tcg_gen_ld_i64(dst, cpu_env,
 -                           offsetof(CPUARMState, elr_el[s->current_el]));
 -            break;
 -
 -        case 2: /* ERETAA */
 -        case 3: /* ERETAB */
 -            if (!dc_isar_feature(aa64_pauth, s)) {
 -                goto do_unallocated;
 -            }
 -            if (rn != 0x1f || op4 != 0x1f) {
 -                goto do_unallocated;
 -            }
 -            /* The FGT trap takes precedence over an auth trap. */
 -            if (s->fgt_eret) {
 -                gen_exception_insn_el(s, 0, EXCP_UDEF, syn_erettrap(op3), 2);
 -                return;
 -            }
 -            dst = tcg_temp_new_i64();
 -            tcg_gen_ld_i64(dst, cpu_env,
 -                           offsetof(CPUARMState, elr_el[s->current_el]));
 -            if (s->pauth_active) {
 -                modifier = cpu_X[31];
 -                if (op3 == 2) {
 -                    gen_helper_autia(dst, cpu_env, dst, modifier);
 -                } else {
 -                    gen_helper_autib(dst, cpu_env, dst, modifier);
 -                }
 -            }
 -            break;
 -
 -        default:
 -            goto do_unallocated;
 -        }
 -        if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
 -            gen_io_start();
 -        }
 -
 -        gen_helper_exception_return(cpu_env, dst);
 -        /* Must exit loop to check un-masked IRQs */
 -        s->base.is_jmp = DISAS_EXIT;
 -        return;
 -
 -    case 5: /* DRPS */
 -        if (op3 != 0 || op4 != 0 || rn != 0x1f) {
 -            goto do_unallocated;
 -        } else {
 -            unallocated_encoding(s);
 -        }
 -        return;
 -
 -    default:
 -    do_unallocated:
 -        unallocated_encoding(s);
 -        return;
 -    }
 -}
 -
  /* Branches, exception generating and system instructions */
  static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
  {
@@ -XXX,XX +XXX,XX @@ static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
              disas_exc(s, insn);
          }
          break;
 -    case 0x6b: /* Unconditional branch (register) */
 -        disas_uncond_b_reg(s, insn);
 -        break;
      default:
          unallocated_encoding(s);
          break;
 --
 .34.1

-[PULL 18/29] target/arm: Convert Extract instructions to decodetree
+[PULL 34/35] hw/arm/mps3r: Add remaining devices
-Convert the EXTR instruction to decodetree (this is the
+Add the remaining devices (or unimplemented-device stubs) for
-only one in the 'Extract" class). This is the last of
+this board: SPI controllers, SCC, FPGAIO, I2S, RTC, the
-the dp-immediate insns in the legacy decoder, so we
+QSPI write-config block, and ethernet.
 can now remove disas_data_proc_imm().
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Message-id: 20230512144106.3608981-13-peter.maydell@linaro.org
+Message-id: 20240206132931.38376-13-peter.maydell@linaro.org
 ---
- target/arm/tcg/a64.decode      |  7 +++
+ hw/arm/mps3r.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++
- target/arm/tcg/translate-a64.c | 94 +++++++++++-----------------------
+file changed, 74 insertions(+)
 files changed, 36 insertions(+), 65 deletions(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+diff --git a/hw/arm/mps3r.c b/hw/arm/mps3r.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
+--- a/hw/arm/mps3r.c
-+++ b/target/arm/tcg/a64.decode
++++ b/hw/arm/mps3r.c
-@@ -XXX,XX +XXX,XX @@ BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_64
+@@ -XXX,XX +XXX,XX @@
- BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_32
+ #include "hw/char/cmsdk-apb-uart.h"
- UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_64
+ #include "hw/i2c/arm_sbcon_i2c.h"
- UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_32
+ #include "hw/intc/arm_gicv3.h"
 +#include "hw/misc/mps2-scc.h"
 +#include "hw/misc/mps2-fpgaio.h"
  #include "hw/misc/unimp.h"
 +#include "hw/net/lan9118.h"
 +#include "hw/rtc/pl031.h"
 +#include "hw/ssi/pl022.h"
  #include "hw/timer/cmsdk-apb-dualtimer.h"
  #include "hw/watchdog/cmsdk-apb-watchdog.h"
@@ -XXX,XX +XXX,XX @@ struct MPS3RMachineState {
      CMSDKAPBWatchdog watchdog;
      CMSDKAPBDualTimer dualtimer;
      ArmSbconI2CState i2c[5];
 +    PL022State spi[3];
 +    MPS2SCC scc;
 +    MPS2FPGAIO fpgaio;
 +    UnimplementedDeviceState i2s_audio;
 +    PL031State rtc;
      Clock *clk;
  };
@@ -XXX,XX +XXX,XX @@ static const RAMInfo an536_raminfo[] = {
      }
  };
 +static const int an536_oscclk[] = {
 +    24000000, /* 24MHz reference for RTC and timers */
 +    50000000, /* 50MHz ACLK */
 +    50000000, /* 50MHz MCLK */
 +    50000000, /* 50MHz GPUCLK */
 +    24576000, /* 24.576MHz AUDCLK */
 +    23750000, /* 23.75MHz HDLCDCLK */
 +    100000000, /* 100MHz DDR4_REF_CLK */
 +};
 +
-+# Extract
+ static MemoryRegion *mr_for_raminfo(MPS3RMachineState *mms,
-+
+                                     const RAMInfo *raminfo)
 +&extract        rd rn rm imm sf
 +
 +EXTR            1 00 100111 1 0 rm:5 imm:6 rn:5 rd:5     &extract sf=1
 +EXTR            0 00 100111 0 0 rm:5 0 imm:5 rn:5 rd:5   &extract sf=0
 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate-a64.c
 +++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_BFM(DisasContext *s, arg_BFM *a)
      return true;
  }
 -/* Extract
 - *   31  30  29 28         23 22   21  20  16 15    10 9    5 4    0
 - * +----+------+-------------+---+----+------+--------+------+------+
 - * | sf | op21 | 1 0 0 1 1 1 | N | o0 |  Rm  |  imms  |  Rn  |  Rd  |
 - * +----+------+-------------+---+----+------+--------+------+------+
 - */
 -static void disas_extract(DisasContext *s, uint32_t insn)
 +static bool trans_EXTR(DisasContext *s, arg_extract *a)
  {
--    unsigned int sf, n, rm, imm, rn, rd, bitsize, op21, op0;
+@@ -XXX,XX +XXX,XX @@ static void mps3r_common_init(MachineState *machine)
-+    TCGv_i64 tcg_rd, tcg_rm, tcg_rn;
+     MPS3RMachineClass *mmc = MPS3R_MACHINE_GET_CLASS(mms);
+     MemoryRegion *sysmem = get_system_memory();
--    sf = extract32(insn, 31, 1);
+     DeviceState *gicdev;
--    n = extract32(insn, 22, 1);
++    QList *oscclk;
--    rm = extract32(insn, 16, 5);
--    imm = extract32(insn, 10, 6);
+     mms->clk = clock_new(OBJECT(machine), "CLK");
--    rn = extract32(insn, 5, 5);
+     clock_set_hz(mms->clk, CLK_FRQ);
--    rd = extract32(insn, 0, 5);
+@@ -XXX,XX +XXX,XX @@ static void mps3r_common_init(MachineState *machine)
 -    op21 = extract32(insn, 29, 2);
 -    op0 = extract32(insn, 21, 1);
 -    bitsize = sf ? 64 : 32;
 +    tcg_rd = cpu_reg(s, a->rd);
 -    if (sf != n || op21 || op0 || imm >= bitsize) {
 -        unallocated_encoding(s);
 -    } else {
 -        TCGv_i64 tcg_rd, tcg_rm, tcg_rn;
 -
 -        tcg_rd = cpu_reg(s, rd);
 -
 -        if (unlikely(imm == 0)) {
 -            /* tcg shl_i32/shl_i64 is undefined for 32/64 bit shifts,
 -             * so an extract from bit 0 is a special case.
 -             */
 -            if (sf) {
 -                tcg_gen_mov_i64(tcg_rd, cpu_reg(s, rm));
 -            } else {
 -                tcg_gen_ext32u_i64(tcg_rd, cpu_reg(s, rm));
 -            }
 +    if (unlikely(a->imm == 0)) {
 +        /*
 +         * tcg shl_i32/shl_i64 is undefined for 32/64 bit shifts,
 +         * so an extract from bit 0 is a special case.
 +         */
 +        if (a->sf) {
 +            tcg_gen_mov_i64(tcg_rd, cpu_reg(s, a->rm));
          } else {
 -            tcg_rm = cpu_reg(s, rm);
 -            tcg_rn = cpu_reg(s, rn);
 +            tcg_gen_ext32u_i64(tcg_rd, cpu_reg(s, a->rm));
 +        }
 +    } else {
 +        tcg_rm = cpu_reg(s, a->rm);
 +        tcg_rn = cpu_reg(s, a->rn);
 -            if (sf) {
 -                /* Specialization to ROR happens in EXTRACT2.  */
 -                tcg_gen_extract2_i64(tcg_rd, tcg_rm, tcg_rn, imm);
 +        if (a->sf) {
 +            /* Specialization to ROR happens in EXTRACT2.  */
 +            tcg_gen_extract2_i64(tcg_rd, tcg_rm, tcg_rn, a->imm);
 +        } else {
 +            TCGv_i32 t0 = tcg_temp_new_i32();
 +
 +            tcg_gen_extrl_i64_i32(t0, tcg_rm);
 +            if (a->rm == a->rn) {
 +                tcg_gen_rotri_i32(t0, t0, a->imm);
              } else {
 -                TCGv_i32 t0 = tcg_temp_new_i32();
 -
 -                tcg_gen_extrl_i64_i32(t0, tcg_rm);
 -                if (rm == rn) {
 -                    tcg_gen_rotri_i32(t0, t0, imm);
 -                } else {
 -                    TCGv_i32 t1 = tcg_temp_new_i32();
 -                    tcg_gen_extrl_i64_i32(t1, tcg_rn);
 -                    tcg_gen_extract2_i32(t0, t0, t1, imm);
 -                }
 -                tcg_gen_extu_i32_i64(tcg_rd, t0);
 +                TCGv_i32 t1 = tcg_temp_new_i32();
 +                tcg_gen_extrl_i64_i32(t1, tcg_rn);
 +                tcg_gen_extract2_i32(t0, t0, t1, a->imm);
              }
 +            tcg_gen_extu_i32_i64(tcg_rd, t0);
          }
      }
--}
--
++    for (int i = 0; i < ARRAY_SIZE(mms->spi); i++) {
--/* Data processing - immediate */
++        g_autofree char *s = g_strdup_printf("spi%d", i);
--static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
++        hwaddr baseaddr = 0xe0104000 + i * 0x1000;
--{
++
--    switch (extract32(insn, 23, 6)) {
++        object_initialize_child(OBJECT(mms), s, &mms->spi[i], TYPE_PL022);
--    case 0x27: /* Extract */
++        sysbus_realize(SYS_BUS_DEVICE(&mms->spi[i]), &error_fatal);
--        disas_extract(s, insn);
++        sysbus_mmio_map(SYS_BUS_DEVICE(&mms->spi[i]), 0, baseaddr);
--        break;
++        sysbus_connect_irq(SYS_BUS_DEVICE(&mms->spi[i]), 0,
--    default:
++                           qdev_get_gpio_in(gicdev, 22 + i));
--        unallocated_encoding(s);
++    }
--        break;
++
--    }
++    object_initialize_child(OBJECT(mms), "scc", &mms->scc, TYPE_MPS2_SCC);
-+    return true;
++    qdev_prop_set_uint32(DEVICE(&mms->scc), "scc-cfg0", 0);
- }
++    qdev_prop_set_uint32(DEVICE(&mms->scc), "scc-cfg4", 0x2);
++    qdev_prop_set_uint32(DEVICE(&mms->scc), "scc-aid", 0x00200008);
- /* Shift a TCGv src by TCGv shift_amount, put result in dst.
++    qdev_prop_set_uint32(DEVICE(&mms->scc), "scc-id", 0x41055360);
-@@ -XXX,XX +XXX,XX @@ static bool btype_destination_ok(uint32_t insn, bool bt, int btype)
++    oscclk = qlist_new();
- static void disas_a64_legacy(DisasContext *s, uint32_t insn)
++    for (int i = 0; i < ARRAY_SIZE(an536_oscclk); i++) {
- {
++        qlist_append_int(oscclk, an536_oscclk[i]);
-     switch (extract32(insn, 25, 4)) {
++    }
--    case 0x8: case 0x9: /* Data processing - immediate */
++    qdev_prop_set_array(DEVICE(&mms->scc), "oscclk", oscclk);
--        disas_data_proc_imm(s, insn);
++    sysbus_realize(SYS_BUS_DEVICE(&mms->scc), &error_fatal);
--        break;
++    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->scc), 0, 0xe0200000);
-     case 0xa: case 0xb: /* Branch, exception generation and system insns */
++
-         disas_b_exc_sys(s, insn);
++    create_unimplemented_device("i2s-audio", 0xe0201000, 0x1000);
-         break;
++
 +    object_initialize_child(OBJECT(mms), "fpgaio", &mms->fpgaio,
 +                            TYPE_MPS2_FPGAIO);
 +    qdev_prop_set_uint32(DEVICE(&mms->fpgaio), "prescale-clk", an536_oscclk[1]);
 +    qdev_prop_set_uint32(DEVICE(&mms->fpgaio), "num-leds", 10);
 +    qdev_prop_set_bit(DEVICE(&mms->fpgaio), "has-switches", true);
 +    qdev_prop_set_bit(DEVICE(&mms->fpgaio), "has-dbgctrl", false);
 +    sysbus_realize(SYS_BUS_DEVICE(&mms->fpgaio), &error_fatal);
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->fpgaio), 0, 0xe0202000);
 +
 +    create_unimplemented_device("clcd", 0xe0209000, 0x1000);
 +
 +    object_initialize_child(OBJECT(mms), "rtc", &mms->rtc, TYPE_PL031);
 +    sysbus_realize(SYS_BUS_DEVICE(&mms->rtc), &error_fatal);
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->rtc), 0, 0xe020a000);
 +    sysbus_connect_irq(SYS_BUS_DEVICE(&mms->rtc), 0,
 +                       qdev_get_gpio_in(gicdev, 4));
 +
 +    /*
 +     * In hardware this is a LAN9220; the LAN9118 is software compatible
 +     * except that it doesn't support the checksum-offload feature.
 +     */
 +    lan9118_init(0xe0300000,
 +                 qdev_get_gpio_in(gicdev, 18));
 +
 +    create_unimplemented_device("usb", 0xe0301000, 0x1000);
 +    create_unimplemented_device("qspi-write-config", 0xe0600000, 0x1000);
 +
      mms->bootinfo.ram_size = machine->ram_size;
      mms->bootinfo.board_id = -1;
      mms->bootinfo.loader_start = mmc->loader_start;
 --
 .34.1

-New patch
+[PULL 35/35] docs: Add documentation for the mps3-an536 board
+Add documentation for the mps3-an536 board type.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Message-id: 20240206132931.38376-14-peter.maydell@linaro.org
+---
+ docs/system/arm/mps2.rst | 37 ++++++++++++++++++++++++++++++++++---
+file changed, 34 insertions(+), 3 deletions(-)
+diff --git a/docs/system/arm/mps2.rst b/docs/system/arm/mps2.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/mps2.rst
++++ b/docs/system/arm/mps2.rst
+@@ -XXX,XX +XXX,XX @@
+-Arm MPS2 and MPS3 boards (``mps2-an385``, ``mps2-an386``, ``mps2-an500``, ``mps2-an505``, ``mps2-an511``, ``mps2-an521``, ``mps3-an524``, ``mps3-an547``)
+-=========================================================================================================================================================
++Arm MPS2 and MPS3 boards (``mps2-an385``, ``mps2-an386``, ``mps2-an500``, ``mps2-an505``, ``mps2-an511``, ``mps2-an521``, ``mps3-an524``, ``mps3-an536``, ``mps3-an547``)
++=========================================================================================================================================================================
+-These board models all use Arm M-profile CPUs.
++These board models use Arm M-profile or R-profile CPUs.
+ The Arm MPS2, MPS2+ and MPS3 dev boards are FPGA based (the 2+ has a
+ bigger FPGA but is otherwise the same as the 2; the 3 has a bigger
+@@ -XXX,XX +XXX,XX @@ FPGA image.
+ QEMU models the following FPGA images:
++FPGA images using M-profile CPUs:
++
+ ``mps2-an385``
+   Cortex-M3 as documented in Arm Application Note AN385
+ ``mps2-an386``
+@@ -XXX,XX +XXX,XX @@ QEMU models the following FPGA images:
+ ``mps3-an547``
+   Cortex-M55 on an MPS3, as documented in Arm Application Note AN547
++FPGA images using R-profile CPUs:
++
++``mps3-an536``
++  Dual Cortex-R52 on an MPS3, as documented in Arm Application Note AN536
++
+ Differences between QEMU and real hardware:
+ - AN385/AN386 remapping of low 16K of memory to either ZBT SSRAM1 or to
+@@ -XXX,XX +XXX,XX @@ Differences between QEMU and real hardware:
+   flash, but only as simple ROM, so attempting to rewrite the flash
+   from the guest will fail
+ - QEMU does not model the USB controller in MPS3 boards
++- AN536 does not support runtime control of CPU reset and halt via
++  the SCC CFG_REG0 register.
++- AN536 does not support enabling or disabling the flash and ATCM
++  interfaces via the SCC CFG_REG1 register.
++- AN536 does not support setting of the initial vector table
++  base address via the SCC CFG_REG6 and CFG_REG7 register config,
++  and does not provide a mechanism for specifying these values at
++  startup, so all guest images must be built to start from TCM
++  (i.e. to expect the interrupt vector base at 0 from reset).
++- AN536 defaults to only creating a single CPU; this is the equivalent
++  of the way the real FPGA image usually runs with the second Cortex-R52
++  held in halt via the initial SCC CFG_REG0 register setting. You can
++  create the second CPU with ``-smp 2``; both CPUs will then start
++  execution immediately on startup.
++
++Note that for the AN536 the first UART is accessible only by
++CPU0, and the second UART is accessible only by CPU1. The
++first UART accessible shared between both CPUs is the third
++UART. Guest software might therefore be built to use either
++the first UART or the third UART; if you don't see any output
++from the UART you are looking at, try one of the others.
++(Even if the AN536 machine is started with a single CPU and so
++no "CPU1-only UART", the UART numbering remains the same,
++with the third UART being the first of the shared ones.)
+ Machine-specific options
+ """"""""""""""""""""""""
+--
+.34.1

Hi; this mostly contains the first slice of A64 decodetree
patches, plus some other minor pieces. It also has the
enablement of MTE for KVM guests.

thanks
-- PMM

The following changes since commit d27e7c359330ba7020bdbed7ed2316cb4cf6ffc1:

qapi/parser: Drop two bad type hints for now (2023-05-17 10:18:33 -0700)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230518

for you to fetch changes up to 91608e2a44f36e79cb83f863b8a7bb57d2c98061:

docs: Convert u2f.txt to rST (2023-05-18 11:40:32 +0100)

----------------------------------------------------------------
target-arm queue:
 * Fix vd == vm overlap in sve_ldff1_z
 * Add support for MTE with KVM guests
 * Add RAZ/WI handling for DBGDTR[TX|RX]
 * Start of conversion of A64 decoder to decodetree
 * Saturate L2CTLR_EL1 core count field rather than overflowing
 * vexpress: Avoid trivial memory leak of 'flashalias'
 * sbsa-ref: switch default cpu core to Neoverse-N1
 * sbsa-ref: use Bochs graphics card instead of VGA
 * MAINTAINERS: Add Marcin Juszkiewicz to sbsa-ref reviewer list
 * docs: Convert u2f.txt to rST

----------------------------------------------------------------
Alex Bennée (1):
      target/arm: add RAZ/WI handling for DBGDTR[TX|RX]

Cornelia Huck (1):
      arm/kvm: add support for MTE

Marcin Juszkiewicz (3):
      sbsa-ref: switch default cpu core to Neoverse-N1
      Maintainers: add myself as reviewer for sbsa-ref
      sbsa-ref: use Bochs graphics card instead of VGA

Peter Maydell (14):
      target/arm: Create decodetree skeleton for A64
      target/arm: Pull calls to disas_sve() and disas_sme() out of legacy decoder
      target/arm: Convert Extract instructions to decodetree
      target/arm: Convert unconditional branch immediate to decodetree
      target/arm: Convert CBZ, CBNZ to decodetree
      target/arm: Convert TBZ, TBNZ to decodetree
      target/arm: Convert conditional branch insns to decodetree
      target/arm: Convert BR, BLR, RET to decodetree
      target/arm: Convert BRA[AB]Z, BLR[AB]Z, RETA[AB] to decodetree
      target/arm: Convert BRAA, BRAB, BLRAA, BLRAB to decodetree
      target/arm: Convert ERET, ERETAA, ERETAB to decodetree
      target/arm: Saturate L2CTLR_EL1 core count field rather than overflowing
      hw/arm/vexpress: Avoid trivial memory leak of 'flashalias'
      docs: Convert u2f.txt to rST

Richard Henderson (10):
      target/arm: Fix vd == vm overlap in sve_ldff1_z
      target/arm: Split out disas_a64_legacy
      target/arm: Convert PC-rel addressing to decodetree
      target/arm: Split gen_add_CC and gen_sub_CC
      target/arm: Convert Add/subtract (immediate) to decodetree
      target/arm: Convert Add/subtract (immediate with tags) to decodetree
      target/arm: Replace bitmask64 with MAKE_64BIT_MASK
      target/arm: Convert Logical (immediate) to decodetree
      target/arm: Convert Move wide (immediate) to decodetree
      target/arm: Convert Bitfield to decodetree

From: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>

The world outside moves to newer and newer cpu cores. Let move SBSA
Reference Platform to something newer as well.

Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
Message-id: 20230506183417.1360427-1-marcin.juszkiewicz@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/sbsa-ref.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_class_init(ObjectClass *oc, void *data)
 
     mc->init = sbsa_ref_init;
     mc->desc = "QEMU 'SBSA Reference' ARM Virtual Machine";
-    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a57");
+    mc->default_cpu_type = ARM_CPU_TYPE_NAME("neoverse-n1");
     mc->max_cpus = 512;
     mc->pci_allow_0_address = true;
     mc->minimum_page_bits = 12;
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

If vd == vm, copy vm to scratch, so that we can pre-zero
the output and still access the gather indicies.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1612
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230504104232.1877774-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/sve_helper.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/target/arm/tcg/sve_helper.c b/target/arm/tcg/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/sve_helper.c
+++ b/target/arm/tcg/sve_helper.c
@@ -XXX,XX +XXX,XX @@ void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
     intptr_t reg_off;
     SVEHostPage info;
     target_ulong addr, in_page;
+    ARMVectorReg scratch;
 
     /* Skip to the first true predicate.  */
     reg_off = find_next_active(vg, 0, reg_max, esz);
@@ -XXX,XX +XXX,XX @@ void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
         return;
     }
 
+    /* Protect against overlap between vd and vm. */
+    if (unlikely(vd == vm)) {
+        vm = memcpy(&scratch, vm, reg_max);
+    }
+
     /*
      * Probe the first element, allowing faults.
      */
-- 
2.34.1

From: Cornelia Huck <cohuck@redhat.com>

Extend the 'mte' property for the virt machine to cover KVM as
well. For KVM, we don't allocate tag memory, but instead enable the
capability.

If MTE has been enabled, we need to disable migration, as we do not
yet have a way to migrate the tags as well. Therefore, MTE will stay
off with KVM unless requested explicitly.

Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230428095533.21747-2-cohuck@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h     |  4 +++
 target/arm/kvm_arm.h | 19 ++++++++++++
 hw/arm/virt.c        | 73 +++++++++++++++++++++++++-------------------
 target/arm/cpu.c     |  9 +++---
 target/arm/kvm.c     | 35 +++++++++++++++++++++
 target/arm/kvm64.c   |  5 +++
 6 files changed, 109 insertions(+), 36 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
      */
     uint32_t psci_conduit;
 
+    /* CPU has Memory Tag Extension */
+    bool has_mte;
+
     /* For v8M, initial value of the Secure VTOR */
     uint32_t init_svtor;
     /* For v8M, initial value of the Non-secure VTOR */
@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
     bool prop_pauth;
     bool prop_pauth_impdef;
     bool prop_lpa2;
+    OnOffAuto prop_mte;
 
     /* DCZ blocksize, in log_2(words), ie low 4 bits of DCZID_EL0 */
     uint32_t dcz_blocksize;
diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm_arm.h
+++ b/target/arm/kvm_arm.h
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_pmu_supported(void);
  */
 bool kvm_arm_sve_supported(void);
 
+/**
+ * kvm_arm_mte_supported:
+ *
+ * Returns: true if KVM can enable MTE, and false otherwise.
+ */
+bool kvm_arm_mte_supported(void);
+
 /**
  * kvm_arm_get_max_vm_ipa_size:
  * @ms: Machine state handle
@@ -XXX,XX +XXX,XX @@ void kvm_arm_pvtime_init(CPUState *cs, uint64_t ipa);
 
 int kvm_arm_set_irq(int cpu, int irqtype, int irq, int level);
 
+void kvm_arm_enable_mte(Object *cpuobj, Error **errp);
+
 #else
 
 /*
@@ -XXX,XX +XXX,XX @@ static inline bool kvm_arm_steal_time_supported(void)
     return false;
 }
 
+static inline bool kvm_arm_mte_supported(void)
+{
+    return false;
+}
+
 /*
  * These functions should never actually be called without KVM support.
  */
@@ -XXX,XX +XXX,XX @@ static inline uint32_t kvm_arm_sve_get_vls(CPUState *cs)
     g_assert_not_reached();
 }
 
+static inline void kvm_arm_enable_mte(Object *cpuobj, Error **errp)
+{
+    g_assert_not_reached();
+}
+
 #endif
 
 static inline const char *gic_class_name(void)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
         exit(1);
     }
 
-    if (vms->mte && (kvm_enabled() || hvf_enabled())) {
+    if (vms->mte && hvf_enabled()) {
         error_report("mach-virt: %s does not support providing "
                      "MTE to the guest CPU",
                      current_accel_name());
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
         }
 
         if (vms->mte) {
-            /* Create the memory region only once, but link to all cpus. */
-            if (!tag_sysmem) {
-                /*
-                 * The property exists only if MemTag is supported.
-                 * If it is, we must allocate the ram to back that up.
-                 */
-                if (!object_property_find(cpuobj, "tag-memory")) {
-                    error_report("MTE requested, but not supported "
-                                 "by the guest CPU");
+            if (tcg_enabled()) {
+                /* Create the memory region only once, but link to all cpus. */
+                if (!tag_sysmem) {
+                    /*
+                     * The property exists only if MemTag is supported.
+                     * If it is, we must allocate the ram to back that up.
+                     */
+                    if (!object_property_find(cpuobj, "tag-memory")) {
+                        error_report("MTE requested, but not supported "
+                                     "by the guest CPU");
+                        exit(1);
+                    }
+
+                    tag_sysmem = g_new(MemoryRegion, 1);
+                    memory_region_init(tag_sysmem, OBJECT(machine),
+                                       "tag-memory", UINT64_MAX / 32);
+
+                    if (vms->secure) {
+                        secure_tag_sysmem = g_new(MemoryRegion, 1);
+                        memory_region_init(secure_tag_sysmem, OBJECT(machine),
+                                           "secure-tag-memory",
+                                           UINT64_MAX / 32);
+
+                        /* As with ram, secure-tag takes precedence over tag. */
+                        memory_region_add_subregion_overlap(secure_tag_sysmem,
+                                                            0, tag_sysmem, -1);
+                    }
+                }
+
+                object_property_set_link(cpuobj, "tag-memory",
+                                         OBJECT(tag_sysmem), &error_abort);
+                if (vms->secure) {
+                    object_property_set_link(cpuobj, "secure-tag-memory",
+                                             OBJECT(secure_tag_sysmem),
+                                             &error_abort);
+                }
+            } else if (kvm_enabled()) {
+                if (!kvm_arm_mte_supported()) {
+                    error_report("MTE requested, but not supported by KVM");
                     exit(1);
                 }
-
-                tag_sysmem = g_new(MemoryRegion, 1);
-                memory_region_init(tag_sysmem, OBJECT(machine),
-                                   "tag-memory", UINT64_MAX / 32);
-
-                if (vms->secure) {
-                    secure_tag_sysmem = g_new(MemoryRegion, 1);
-                    memory_region_init(secure_tag_sysmem, OBJECT(machine),
-                                       "secure-tag-memory", UINT64_MAX / 32);
-
-                    /* As with ram, secure-tag takes precedence over tag.  */
-                    memory_region_add_subregion_overlap(secure_tag_sysmem, 0,
-                                                        tag_sysmem, -1);
-                }
-            }
-
-            object_property_set_link(cpuobj, "tag-memory", OBJECT(tag_sysmem),
-                                     &error_abort);
-            if (vms->secure) {
-                object_property_set_link(cpuobj, "secure-tag-memory",
-                                         OBJECT(secure_tag_sysmem),
-                                         &error_abort);
+                kvm_arm_enable_mte(cpuobj, &error_abort);
             }
         }
 
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
                                      qdev_prop_allow_set_link_before_realize,
                                      OBJ_PROP_LINK_STRONG);
         }
+        cpu->has_mte = true;
     }
 #endif
 }
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
         }
         if (cpu->tag_memory) {
             error_setg(errp,
-                       "Cannot enable %s when guest CPUs has MTE enabled",
+                       "Cannot enable %s when guest CPUs has tag memory enabled",
                        current_accel_name());
             return;
         }
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
     }
 
 #ifndef CONFIG_USER_ONLY
-    if (cpu->tag_memory == NULL && cpu_isar_feature(aa64_mte, cpu)) {
+    if (!cpu->has_mte && cpu_isar_feature(aa64_mte, cpu)) {
         /*
-         * Disable the MTE feature bits if we do not have tag-memory
-         * provided by the machine.
+         * Disable the MTE feature bits if we do not have the feature
+         * setup by the machine.
          */
         cpu->isar.id_aa64pfr1 =
             FIELD_DP64(cpu->isar.id_aa64pfr1, ID_AA64PFR1, MTE, 0);
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/boards.h"
 #include "hw/irq.h"
 #include "qemu/log.h"
+#include "migration/blocker.h"
 
 const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
     KVM_CAP_LAST_INFO
@@ -XXX,XX +XXX,XX @@ bool kvm_arch_cpu_check_are_resettable(void)
 void kvm_arch_accel_class_init(ObjectClass *oc)
 {
 }
+
+void kvm_arm_enable_mte(Object *cpuobj, Error **errp)
+{
+    static bool tried_to_enable;
+    static bool succeeded_to_enable;
+    Error *mte_migration_blocker = NULL;
+    int ret;
+
+    if (!tried_to_enable) {
+        /*
+         * MTE on KVM is enabled on a per-VM basis (and retrying doesn't make
+         * sense), and we only want a single migration blocker as well.
+         */
+        tried_to_enable = true;
+
+        ret = kvm_vm_enable_cap(kvm_state, KVM_CAP_ARM_MTE, 0);
+        if (ret) {
+            error_setg_errno(errp, -ret, "Failed to enable KVM_CAP_ARM_MTE");
+            return;
+        }
+
+        /* TODO: add proper migration support with MTE enabled */
+        error_setg(&mte_migration_blocker,
+                   "Live migration disabled due to MTE enabled");
+        if (migrate_add_blocker(mte_migration_blocker, errp)) {
+            error_free(mte_migration_blocker);
+            return;
+        }
+        succeeded_to_enable = true;
+    }
+    if (succeeded_to_enable) {
+        object_property_set_bool(cpuobj, "has_mte", true, NULL);
+    }
+}
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_steal_time_supported(void)
     return kvm_check_extension(kvm_state, KVM_CAP_STEAL_TIME);
 }
 
+bool kvm_arm_mte_supported(void)
+{
+    return kvm_check_extension(kvm_state, KVM_CAP_ARM_MTE);
+}
+
 QEMU_BUILD_BUG_ON(KVM_ARM64_SVE_VQ_MIN != 1);
 
 uint32_t kvm_arm_sve_get_vls(CPUState *cs)
-- 
2.34.1

From: Alex Bennée <alex.bennee@linaro.org>

The commit b3aa2f2128 (target/arm: provide stubs for more external
debug registers) was added to handle HyperV's unconditional usage of
Debug Communications Channel. It turns out that Linux will similarly
break if you enable CONFIG_HVC_DCC "ARM JTAG DCC console".

Extend the registers we RAZ/WI set to avoid this.

Cc: Anders Roxell <anders.roxell@linaro.org>
Cc: Evgeny Iakovlev <eiakovlev@linux.microsoft.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230516104420.407912-1-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/debug_helper.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/debug_helper.c
+++ b/target/arm/debug_helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
       .access = PL0_R, .accessfn = access_tdcc,
       .type = ARM_CP_CONST, .resetvalue = 0 },
     /*
-     * OSDTRRX_EL1/OSDTRTX_EL1 are used for save and restore of DBGDTRRX_EL0.
-     * It is a component of the Debug Communications Channel, which is not implemented.
+     * These registers belong to the Debug Communications Channel,
+     * which is not implemented. However we implement RAZ/WI behaviour
+     * with trapping to prevent spurious SIGILLs if the guest OS does
+     * access them as the support cannot be probed for.
      */
     { .name = "OSDTRRX_EL1", .state = ARM_CP_STATE_BOTH, .cp = 14,
       .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 2,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
       .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2,
       .access = PL1_RW, .accessfn = access_tdcc,
       .type = ARM_CP_CONST, .resetvalue = 0 },
+    /* DBGDTRTX_EL0/DBGDTRRX_EL0 depend on direction */
+    { .name = "DBGDTR_EL0", .state = ARM_CP_STATE_BOTH, .cp = 14,
+      .opc0 = 2, .opc1 = 3, .crn = 0, .crm = 5, .opc2 = 0,
+      .access = PL0_RW, .accessfn = access_tdcc,
+      .type = ARM_CP_CONST, .resetvalue = 0 },
     /*
      * OSECCR_EL1 provides a mechanism for an operating system
      * to access the contents of EDECCR. EDECCR is not implemented though,
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Split out all of the decode stuff from aarch64_tr_translate_insn.
Call it disas_a64_legacy to indicate it will be replaced.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-2-peter.maydell@linaro.org
[PMM: Rebased]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/translate-a64.c | 82 ++++++++++++++++++----------------
 1 file changed, 44 insertions(+), 38 deletions(-)

diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool btype_destination_ok(uint32_t insn, bool bt, int btype)
     return false;
 }
 
+/* C3.1 A64 instruction index by encoding */
+static void disas_a64_legacy(DisasContext *s, uint32_t insn)
+{
+    switch (extract32(insn, 25, 4)) {
+    case 0x0:
+        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
+            unallocated_encoding(s);
+        }
+        break;
+    case 0x1: case 0x3: /* UNALLOCATED */
+        unallocated_encoding(s);
+        break;
+    case 0x2:
+        if (!disas_sve(s, insn)) {
+            unallocated_encoding(s);
+        }
+        break;
+    case 0x8: case 0x9: /* Data processing - immediate */
+        disas_data_proc_imm(s, insn);
+        break;
+    case 0xa: case 0xb: /* Branch, exception generation and system insns */
+        disas_b_exc_sys(s, insn);
+        break;
+    case 0x4:
+    case 0x6:
+    case 0xc:
+    case 0xe:      /* Loads and stores */
+        disas_ldst(s, insn);
+        break;
+    case 0x5:
+    case 0xd:      /* Data processing - register */
+        disas_data_proc_reg(s, insn);
+        break;
+    case 0x7:
+    case 0xf:      /* Data processing - SIMD and floating point */
+        disas_data_proc_simd_fp(s, insn);
+        break;
+    default:
+        assert(FALSE); /* all 15 cases should be handled above */
+        break;
+    }
+}
+
 static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
                                           CPUState *cpu)
 {
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         disas_sme_fa64(s, insn);
     }
 
-    switch (extract32(insn, 25, 4)) {
-    case 0x0:
-        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
-            unallocated_encoding(s);
-        }
-        break;
-    case 0x1: case 0x3: /* UNALLOCATED */
-        unallocated_encoding(s);
-        break;
-    case 0x2:
-        if (!disas_sve(s, insn)) {
-            unallocated_encoding(s);
-        }
-        break;
-    case 0x8: case 0x9: /* Data processing - immediate */
-        disas_data_proc_imm(s, insn);
-        break;
-    case 0xa: case 0xb: /* Branch, exception generation and system insns */
-        disas_b_exc_sys(s, insn);
-        break;
-    case 0x4:
-    case 0x6:
-    case 0xc:
-    case 0xe:      /* Loads and stores */
-        disas_ldst(s, insn);
-        break;
-    case 0x5:
-    case 0xd:      /* Data processing - register */
-        disas_data_proc_reg(s, insn);
-        break;
-    case 0x7:
-    case 0xf:      /* Data processing - SIMD and floating point */
-        disas_data_proc_simd_fp(s, insn);
-        break;
-    default:
-        assert(FALSE); /* all 15 cases should be handled above */
-        break;
-    }
+    disas_a64_legacy(s, insn);
 
     /*
      * After execution of most insns, btype is reset to 0.
-- 
2.34.1

The A64 translator uses a hand-written decoder for everything except
SVE or SME.  It's fairly well structured, but it's becoming obvious
that it's still more painful to add instructions to than the A32
translator, because putting a new instruction into the right place in
a hand-written decoder is much harder than adding new instruction
patterns to a decodetree file.

As the first step in conversion to decodetree, create the skeleton of
the decodetree decoder; where it does not handle instructions we will
fall back to the legacy decoder (which will be for everything at the
moment, since there are no patterns in a64.decode).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-3-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      | 20 ++++++++++++++++++++
 target/arm/tcg/translate-a64.c | 18 +++++++++++-------
 target/arm/tcg/meson.build     |  1 +
 3 files changed, 32 insertions(+), 7 deletions(-)
 create mode 100644 target/arm/tcg/a64.decode

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@
+# AArch64 A64 allowed instruction decoding
+#
+#  Copyright (c) 2023 Linaro, Ltd
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+#
+# This file is processed by scripts/decodetree.py
+#
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ enum a64_shift_type {
     A64_SHIFT_TYPE_ROR = 3
 };
 
+/*
+ * Include the generated decoders.
+ */
+
+#include "decode-sme-fa64.c.inc"
+#include "decode-a64.c.inc"
+
 /* Table based decoder typedefs - used when the relevant bits for decode
  * are too awkwardly scattered across the instruction (eg SIMD).
  */
@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn)
     }
 }
 
-/*
- * Include the generated SME FA64 decoder.
- */
-
-#include "decode-sme-fa64.c.inc"
-
 static bool trans_OK(DisasContext *s, arg_OK *a)
 {
     return true;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         disas_sme_fa64(s, insn);
     }
 
-    disas_a64_legacy(s, insn);
+
+    if (!disas_a64(s, insn)) {
+        disas_a64_legacy(s, insn);
+    }
 
     /*
      * After execution of most insns, btype is reset to 0.
diff --git a/target/arm/tcg/meson.build b/target/arm/tcg/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/meson.build
+++ b/target/arm/tcg/meson.build
@@ -XXX,XX +XXX,XX @@ gen = [
   decodetree.process('a32-uncond.decode', extra_args: '--static-decode=disas_a32_uncond'),
   decodetree.process('t32.decode', extra_args: '--static-decode=disas_t32'),
   decodetree.process('t16.decode', extra_args: ['-w', '16', '--static-decode=disas_t16']),
+  decodetree.process('a64.decode', extra_args: ['--static-decode=disas_a64']),
 ]
 
 arm_ss.add(gen)
-- 
2.34.1

The SVE and SME decode is already done by decodetree.  Pull the calls
to these decoders out of the legacy decoder.  This doesn't change
behaviour because all the patterns in sve.decode and sme.decode
already require the bits that the legacy decoder is decoding to have
the correct values.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-4-peter.maydell@linaro.org
---
 target/arm/tcg/translate-a64.c | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)

diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool btype_destination_ok(uint32_t insn, bool bt, int btype)
 static void disas_a64_legacy(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 25, 4)) {
-    case 0x0:
-        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
-            unallocated_encoding(s);
-        }
-        break;
-    case 0x1: case 0x3: /* UNALLOCATED */
-        unallocated_encoding(s);
-        break;
-    case 0x2:
-        if (!disas_sve(s, insn)) {
-            unallocated_encoding(s);
-        }
-        break;
     case 0x8: case 0x9: /* Data processing - immediate */
         disas_data_proc_imm(s, insn);
         break;
@@ -XXX,XX +XXX,XX @@ static void disas_a64_legacy(DisasContext *s, uint32_t insn)
         disas_data_proc_simd_fp(s, insn);
         break;
     default:
-        assert(FALSE); /* all 15 cases should be handled above */
+        unallocated_encoding(s);
         break;
     }
 }
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         disas_sme_fa64(s, insn);
     }
 
-
-    if (!disas_a64(s, insn)) {
+    if (!disas_a64(s, insn) &&
+        !disas_sme(s, insn) &&
+        !disas_sve(s, insn)) {
         disas_a64_legacy(s, insn);
     }
 
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Convert the ADR and ADRP instructions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-5-peter.maydell@linaro.org
[PMM: Rebased]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/a64.decode      | 13 ++++++++++++
 target/arm/tcg/translate-a64.c | 38 +++++++++++++---------------------
 2 files changed, 27 insertions(+), 24 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@
 #
 # This file is processed by scripts/decodetree.py
 #
+
+&ri              rd imm
+
+
+### Data Processing - Immediate
+
+# PC-rel addressing
+
+%imm_pcrel      5:s19 29:2
+@pcrel          . .. ..... ................... rd:5     &ri imm=%imm_pcrel
+
+ADR             0 .. 10000 ................... .....    @pcrel
+ADRP            1 .. 10000 ................... .....    @pcrel
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_ldst(DisasContext *s, uint32_t insn)
     }
 }
 
-/* PC-rel. addressing
- *   31  30   29 28       24 23                5 4    0
- * +----+-------+-----------+-------------------+------+
- * | op | immlo | 1 0 0 0 0 |       immhi       |  Rd  |
- * +----+-------+-----------+-------------------+------+
+/*
+ * PC-rel. addressing
  */
-static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
+
+static bool trans_ADR(DisasContext *s, arg_ri *a)
 {
-    unsigned int page, rd;
-    int64_t offset;
+    gen_pc_plus_diff(s, cpu_reg(s, a->rd), a->imm);
+    return true;
+}
 
-    page = extract32(insn, 31, 1);
-    /* SignExtend(immhi:immlo) -> offset */
-    offset = sextract64(insn, 5, 19);
-    offset = offset << 2 | extract32(insn, 29, 2);
-    rd = extract32(insn, 0, 5);
+static bool trans_ADRP(DisasContext *s, arg_ri *a)
+{
+    int64_t offset = (int64_t)a->imm << 12;
 
-    if (page) {
-        /* ADRP (page based) */
-        offset <<= 12;
-        /* The page offset is ok for CF_PCREL. */
-        offset -= s->pc_curr & 0xfff;
-    }
-
-    gen_pc_plus_diff(s, cpu_reg(s, rd), offset);
+    /* The page offset is ok for CF_PCREL. */
+    offset -= s->pc_curr & 0xfff;
+    gen_pc_plus_diff(s, cpu_reg(s, a->rd), offset);
+    return true;
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
 static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 23, 6)) {
-    case 0x20: case 0x21: /* PC-rel. addressing */
-        disas_pc_rel_adr(s, insn);
-        break;
     case 0x22: /* Add/subtract (immediate) */
         disas_add_sub_imm(s, insn);
         break;
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Split out specific 32-bit and 64-bit functions.
These carry the same signature as tcg_gen_add_i64,
and so will be easier to pass as callbacks.

Retain gen_add_CC and gen_sub_CC during conversion.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-6-peter.maydell@linaro.org
[PMM: rebased]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/translate-a64.c | 149 +++++++++++++++++++--------------
 1 file changed, 84 insertions(+), 65 deletions(-)

diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_logic_CC(int sf, TCGv_i64 result)
 }
 
 /* dest = T0 + T1; compute C, N, V and Z flags */
+static void gen_add64_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
+{
+    TCGv_i64 result, flag, tmp;
+    result = tcg_temp_new_i64();
+    flag = tcg_temp_new_i64();
+    tmp = tcg_temp_new_i64();
+
+    tcg_gen_movi_i64(tmp, 0);
+    tcg_gen_add2_i64(result, flag, t0, tmp, t1, tmp);
+
+    tcg_gen_extrl_i64_i32(cpu_CF, flag);
+
+    gen_set_NZ64(result);
+
+    tcg_gen_xor_i64(flag, result, t0);
+    tcg_gen_xor_i64(tmp, t0, t1);
+    tcg_gen_andc_i64(flag, flag, tmp);
+    tcg_gen_extrh_i64_i32(cpu_VF, flag);
+
+    tcg_gen_mov_i64(dest, result);
+}
+
+static void gen_add32_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
+{
+    TCGv_i32 t0_32 = tcg_temp_new_i32();
+    TCGv_i32 t1_32 = tcg_temp_new_i32();
+    TCGv_i32 tmp = tcg_temp_new_i32();
+
+    tcg_gen_movi_i32(tmp, 0);
+    tcg_gen_extrl_i64_i32(t0_32, t0);
+    tcg_gen_extrl_i64_i32(t1_32, t1);
+    tcg_gen_add2_i32(cpu_NF, cpu_CF, t0_32, tmp, t1_32, tmp);
+    tcg_gen_mov_i32(cpu_ZF, cpu_NF);
+    tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
+    tcg_gen_xor_i32(tmp, t0_32, t1_32);
+    tcg_gen_andc_i32(cpu_VF, cpu_VF, tmp);
+    tcg_gen_extu_i32_i64(dest, cpu_NF);
+}
+
 static void gen_add_CC(int sf, TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
 {
     if (sf) {
-        TCGv_i64 result, flag, tmp;
-        result = tcg_temp_new_i64();
-        flag = tcg_temp_new_i64();
-        tmp = tcg_temp_new_i64();
-
-        tcg_gen_movi_i64(tmp, 0);
-        tcg_gen_add2_i64(result, flag, t0, tmp, t1, tmp);
-
-        tcg_gen_extrl_i64_i32(cpu_CF, flag);
-
-        gen_set_NZ64(result);
-
-        tcg_gen_xor_i64(flag, result, t0);
-        tcg_gen_xor_i64(tmp, t0, t1);
-        tcg_gen_andc_i64(flag, flag, tmp);
-        tcg_gen_extrh_i64_i32(cpu_VF, flag);
-
-        tcg_gen_mov_i64(dest, result);
+        gen_add64_CC(dest, t0, t1);
     } else {
-        /* 32 bit arithmetic */
-        TCGv_i32 t0_32 = tcg_temp_new_i32();
-        TCGv_i32 t1_32 = tcg_temp_new_i32();
-        TCGv_i32 tmp = tcg_temp_new_i32();
-
-        tcg_gen_movi_i32(tmp, 0);
-        tcg_gen_extrl_i64_i32(t0_32, t0);
-        tcg_gen_extrl_i64_i32(t1_32, t1);
-        tcg_gen_add2_i32(cpu_NF, cpu_CF, t0_32, tmp, t1_32, tmp);
-        tcg_gen_mov_i32(cpu_ZF, cpu_NF);
-        tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
-        tcg_gen_xor_i32(tmp, t0_32, t1_32);
-        tcg_gen_andc_i32(cpu_VF, cpu_VF, tmp);
-        tcg_gen_extu_i32_i64(dest, cpu_NF);
+        gen_add32_CC(dest, t0, t1);
     }
 }
 
 /* dest = T0 - T1; compute C, N, V and Z flags */
+static void gen_sub64_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
+{
+    /* 64 bit arithmetic */
+    TCGv_i64 result, flag, tmp;
+
+    result = tcg_temp_new_i64();
+    flag = tcg_temp_new_i64();
+    tcg_gen_sub_i64(result, t0, t1);
+
+    gen_set_NZ64(result);
+
+    tcg_gen_setcond_i64(TCG_COND_GEU, flag, t0, t1);
+    tcg_gen_extrl_i64_i32(cpu_CF, flag);
+
+    tcg_gen_xor_i64(flag, result, t0);
+    tmp = tcg_temp_new_i64();
+    tcg_gen_xor_i64(tmp, t0, t1);
+    tcg_gen_and_i64(flag, flag, tmp);
+    tcg_gen_extrh_i64_i32(cpu_VF, flag);
+    tcg_gen_mov_i64(dest, result);
+}
+
+static void gen_sub32_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
+{
+    /* 32 bit arithmetic */
+    TCGv_i32 t0_32 = tcg_temp_new_i32();
+    TCGv_i32 t1_32 = tcg_temp_new_i32();
+    TCGv_i32 tmp;
+
+    tcg_gen_extrl_i64_i32(t0_32, t0);
+    tcg_gen_extrl_i64_i32(t1_32, t1);
+    tcg_gen_sub_i32(cpu_NF, t0_32, t1_32);
+    tcg_gen_mov_i32(cpu_ZF, cpu_NF);
+    tcg_gen_setcond_i32(TCG_COND_GEU, cpu_CF, t0_32, t1_32);
+    tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
+    tmp = tcg_temp_new_i32();
+    tcg_gen_xor_i32(tmp, t0_32, t1_32);
+    tcg_gen_and_i32(cpu_VF, cpu_VF, tmp);
+    tcg_gen_extu_i32_i64(dest, cpu_NF);
+}
+
 static void gen_sub_CC(int sf, TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
 {
     if (sf) {
-        /* 64 bit arithmetic */
-        TCGv_i64 result, flag, tmp;
-
-        result = tcg_temp_new_i64();
-        flag = tcg_temp_new_i64();
-        tcg_gen_sub_i64(result, t0, t1);
-
-        gen_set_NZ64(result);
-
-        tcg_gen_setcond_i64(TCG_COND_GEU, flag, t0, t1);
-        tcg_gen_extrl_i64_i32(cpu_CF, flag);
-
-        tcg_gen_xor_i64(flag, result, t0);
-        tmp = tcg_temp_new_i64();
-        tcg_gen_xor_i64(tmp, t0, t1);
-        tcg_gen_and_i64(flag, flag, tmp);
-        tcg_gen_extrh_i64_i32(cpu_VF, flag);
-        tcg_gen_mov_i64(dest, result);
+        gen_sub64_CC(dest, t0, t1);
     } else {
-        /* 32 bit arithmetic */
-        TCGv_i32 t0_32 = tcg_temp_new_i32();
-        TCGv_i32 t1_32 = tcg_temp_new_i32();
-        TCGv_i32 tmp;
-
-        tcg_gen_extrl_i64_i32(t0_32, t0);
-        tcg_gen_extrl_i64_i32(t1_32, t1);
-        tcg_gen_sub_i32(cpu_NF, t0_32, t1_32);
-        tcg_gen_mov_i32(cpu_ZF, cpu_NF);
-        tcg_gen_setcond_i32(TCG_COND_GEU, cpu_CF, t0_32, t1_32);
-        tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
-        tmp = tcg_temp_new_i32();
-        tcg_gen_xor_i32(tmp, t0_32, t1_32);
-        tcg_gen_and_i32(cpu_VF, cpu_VF, tmp);
-        tcg_gen_extu_i32_i64(dest, cpu_NF);
+        gen_sub32_CC(dest, t0, t1);
     }
 }
 
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Convert the ADD and SUB (immediate) instructions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-7-peter.maydell@linaro.org
[PMM: Rebased; adjusted to use translate.h's TRANS macro]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/translate.h     |  5 +++
 target/arm/tcg/a64.decode      | 17 ++++++++
 target/arm/tcg/translate-a64.c | 73 ++++++++++------------------------
 3 files changed, 42 insertions(+), 53 deletions(-)

diff --git a/target/arm/tcg/translate.h b/target/arm/tcg/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate.h
+++ b/target/arm/tcg/translate.h
@@ -XXX,XX +XXX,XX @@ static inline int rsub_8(DisasContext *s, int x)
     return 8 - x;
 }
 
+static inline int shl_12(DisasContext *s, int x)
+{
+    return x << 12;
+}
+
 static inline int neon_3same_fp_size(DisasContext *s, int x)
 {
     /* Convert 0==fp32, 1==fp16 into a MO_* value */
diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@
 #
 
 &ri              rd imm
+&rri_sf          rd rn imm sf
 
 
 ### Data Processing - Immediate
@@ -XXX,XX +XXX,XX @@
 
 ADR             0 .. 10000 ................... .....    @pcrel
 ADRP            1 .. 10000 ................... .....    @pcrel
+
+# Add/subtract (immediate)
+
+%imm12_sh12     10:12 !function=shl_12
+@addsub_imm     sf:1 .. ...... . imm:12 rn:5 rd:5
+@addsub_imm12   sf:1 .. ...... . ............ rn:5 rd:5 imm=%imm12_sh12
+
+ADD_i           . 00 100010 0 ............ ..... .....  @addsub_imm
+ADD_i           . 00 100010 1 ............ ..... .....  @addsub_imm12
+ADDS_i          . 01 100010 0 ............ ..... .....  @addsub_imm
+ADDS_i          . 01 100010 1 ............ ..... .....  @addsub_imm12
+
+SUB_i           . 10 100010 0 ............ ..... .....  @addsub_imm
+SUB_i           . 10 100010 1 ............ ..... .....  @addsub_imm12
+SUBS_i          . 11 100010 0 ............ ..... .....  @addsub_imm
+SUBS_i          . 11 100010 1 ............ ..... .....  @addsub_imm12
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_ldst(DisasContext *s, uint32_t insn)
     }
 }
 
+typedef void ArithTwoOp(TCGv_i64, TCGv_i64, TCGv_i64);
+
+static bool gen_rri(DisasContext *s, arg_rri_sf *a,
+                    bool rd_sp, bool rn_sp, ArithTwoOp *fn)
+{
+    TCGv_i64 tcg_rn = rn_sp ? cpu_reg_sp(s, a->rn) : cpu_reg(s, a->rn);
+    TCGv_i64 tcg_rd = rd_sp ? cpu_reg_sp(s, a->rd) : cpu_reg(s, a->rd);
+    TCGv_i64 tcg_imm = tcg_constant_i64(a->imm);
+
+    fn(tcg_rd, tcg_rn, tcg_imm);
+    if (!a->sf) {
+        tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
+    }
+    return true;
+}
+
 /*
  * PC-rel. addressing
  */
@@ -XXX,XX +XXX,XX @@ static bool trans_ADRP(DisasContext *s, arg_ri *a)
 
 /*
  * Add/subtract (immediate)
- *
- *  31 30 29 28         23 22 21         10 9   5 4   0
- * +--+--+--+-------------+--+-------------+-----+-----+
- * |sf|op| S| 1 0 0 0 1 0 |sh|    imm12    |  Rn | Rd  |
- * +--+--+--+-------------+--+-------------+-----+-----+
- *
- *    sf: 0 -> 32bit, 1 -> 64bit
- *    op: 0 -> add  , 1 -> sub
- *     S: 1 -> set flags
- *    sh: 1 -> LSL imm by 12
  */
-static void disas_add_sub_imm(DisasContext *s, uint32_t insn)
-{
-    int rd = extract32(insn, 0, 5);
-    int rn = extract32(insn, 5, 5);
-    uint64_t imm = extract32(insn, 10, 12);
-    bool shift = extract32(insn, 22, 1);
-    bool setflags = extract32(insn, 29, 1);
-    bool sub_op = extract32(insn, 30, 1);
-    bool is_64bit = extract32(insn, 31, 1);
-
-    TCGv_i64 tcg_rn = cpu_reg_sp(s, rn);
-    TCGv_i64 tcg_rd = setflags ? cpu_reg(s, rd) : cpu_reg_sp(s, rd);
-    TCGv_i64 tcg_result;
-
-    if (shift) {
-        imm <<= 12;
-    }
-
-    tcg_result = tcg_temp_new_i64();
-    if (!setflags) {
-        if (sub_op) {
-            tcg_gen_subi_i64(tcg_result, tcg_rn, imm);
-        } else {
-            tcg_gen_addi_i64(tcg_result, tcg_rn, imm);
-        }
-    } else {
-        TCGv_i64 tcg_imm = tcg_constant_i64(imm);
-        if (sub_op) {
-            gen_sub_CC(is_64bit, tcg_result, tcg_rn, tcg_imm);
-        } else {
-            gen_add_CC(is_64bit, tcg_result, tcg_rn, tcg_imm);
-        }
-    }
-
-    if (is_64bit) {
-        tcg_gen_mov_i64(tcg_rd, tcg_result);
-    } else {
-        tcg_gen_ext32u_i64(tcg_rd, tcg_result);
-    }
-}
+TRANS(ADD_i, gen_rri, a, 1, 1, tcg_gen_add_i64)
+TRANS(SUB_i, gen_rri, a, 1, 1, tcg_gen_sub_i64)
+TRANS(ADDS_i, gen_rri, a, 0, 1, a->sf ? gen_add64_CC : gen_add32_CC)
+TRANS(SUBS_i, gen_rri, a, 0, 1, a->sf ? gen_sub64_CC : gen_sub32_CC)
 
 /*
  * Add/subtract (immediate, with tags)
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
 static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 23, 6)) {
-    case 0x22: /* Add/subtract (immediate) */
-        disas_add_sub_imm(s, insn);
-        break;
     case 0x23: /* Add/subtract (immediate, with tags) */
         disas_add_sub_imm_with_tags(s, insn);
         break;
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Convert the ADDG and SUBG (immediate) instructions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-8-peter.maydell@linaro.org
[PMM: Rebased; use TRANS_FEAT()]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/a64.decode      |  8 +++++++
 target/arm/tcg/translate-a64.c | 38 ++++++++++------------------------
 2 files changed, 19 insertions(+), 27 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Use the bitops.h macro rather than rolling our own here.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-9-peter.maydell@linaro.org
---
 target/arm/tcg/translate-a64.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static uint64_t bitfield_replicate(uint64_t mask, unsigned int e)
     return mask;
 }
 
-/* Return a value with the bottom len bits set (where 0 < len <= 64) */
-static inline uint64_t bitmask64(unsigned int length)
-{
-    assert(length > 0 && length <= 64);
-    return ~0ULL >> (64 - length);
-}
-
 /* Simplified variant of pseudocode DecodeBitMasks() for the case where we
  * only require the wmask. Returns false if the imms/immr/immn are a reserved
  * value (ie should cause a guest UNDEF exception), and true if they are
@@ -XXX,XX +XXX,XX @@ bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
     /* Create the value of one element: s+1 set bits rotated
      * by r within the element (which is e bits wide)...
      */
-    mask = bitmask64(s + 1);
+    mask = MAKE_64BIT_MASK(0, s + 1);
     if (r) {
         mask = (mask >> r) | (mask << (e - r));
-        mask &= bitmask64(e);
+        mask &= MAKE_64BIT_MASK(0, e);
     }
     /* ...then replicate the element over the whole 64 bit value */
     mask = bitfield_replicate(mask, e);
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Convert the ADD, ORR, EOR, ANDS (immediate) instructions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-10-peter.maydell@linaro.org
[PMM: rebased]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/a64.decode      | 15 ++++++
 target/arm/tcg/translate-a64.c | 94 +++++++++++-----------------------
 2 files changed, 44 insertions(+), 65 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ SUBS_i          . 11 100010 1 ............ ..... .....  @addsub_imm12
 
 ADDG_i          1 00 100011 0 ...... 00 .... ..... ..... @addsub_imm_tag
 SUBG_i          1 10 100011 0 ...... 00 .... ..... ..... @addsub_imm_tag
+
+# Logical (immediate)
+
+&rri_log        rd rn sf dbm
+@logic_imm_64   1 .. ...... dbm:13 rn:5 rd:5            &rri_log sf=1
+@logic_imm_32   0 .. ...... 0 dbm:12 rn:5 rd:5          &rri_log sf=0
+
+AND_i           . 00 100100 . ...... ...... ..... ..... @logic_imm_64
+AND_i           . 00 100100 . ...... ...... ..... ..... @logic_imm_32
+ORR_i           . 01 100100 . ...... ...... ..... ..... @logic_imm_64
+ORR_i           . 01 100100 . ...... ...... ..... ..... @logic_imm_32
+EOR_i           . 10 100100 . ...... ...... ..... ..... @logic_imm_64
+EOR_i           . 10 100100 . ...... ...... ..... ..... @logic_imm_32
+ANDS_i          . 11 100100 . ...... ...... ..... ..... @logic_imm_64
+ANDS_i          . 11 100100 . ...... ...... ..... ..... @logic_imm_32
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static uint64_t bitfield_replicate(uint64_t mask, unsigned int e)
     return mask;
 }
 
-/* Simplified variant of pseudocode DecodeBitMasks() for the case where we
+/*
+ * Logical (immediate)
+ */
+
+/*
+ * Simplified variant of pseudocode DecodeBitMasks() for the case where we
  * only require the wmask. Returns false if the imms/immr/immn are a reserved
  * value (ie should cause a guest UNDEF exception), and true if they are
  * valid, in which case the decoded bit pattern is written to result.
@@ -XXX,XX +XXX,XX @@ bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
     return true;
 }
 
-/* Logical (immediate)
- *   31  30 29 28         23 22  21  16 15  10 9    5 4    0
- * +----+-----+-------------+---+------+------+------+------+
- * | sf | opc | 1 0 0 1 0 0 | N | immr | imms |  Rn  |  Rd  |
- * +----+-----+-------------+---+------+------+------+------+
- */
-static void disas_logic_imm(DisasContext *s, uint32_t insn)
+static bool gen_rri_log(DisasContext *s, arg_rri_log *a, bool set_cc,
+                        void (*fn)(TCGv_i64, TCGv_i64, int64_t))
 {
-    unsigned int sf, opc, is_n, immr, imms, rn, rd;
     TCGv_i64 tcg_rd, tcg_rn;
-    uint64_t wmask;
-    bool is_and = false;
+    uint64_t imm;
 
-    sf = extract32(insn, 31, 1);
-    opc = extract32(insn, 29, 2);
-    is_n = extract32(insn, 22, 1);
-    immr = extract32(insn, 16, 6);
-    imms = extract32(insn, 10, 6);
-    rn = extract32(insn, 5, 5);
-    rd = extract32(insn, 0, 5);
-
-    if (!sf && is_n) {
-        unallocated_encoding(s);
-        return;
+    /* Some immediate field values are reserved. */
+    if (!logic_imm_decode_wmask(&imm, extract32(a->dbm, 12, 1),
+                                extract32(a->dbm, 0, 6),
+                                extract32(a->dbm, 6, 6))) {
+        return false;
+    }
+    if (!a->sf) {
+        imm &= 0xffffffffull;
     }
 
-    if (opc == 0x3) { /* ANDS */
-        tcg_rd = cpu_reg(s, rd);
-    } else {
-        tcg_rd = cpu_reg_sp(s, rd);
-    }
-    tcg_rn = cpu_reg(s, rn);
+    tcg_rd = set_cc ? cpu_reg(s, a->rd) : cpu_reg_sp(s, a->rd);
+    tcg_rn = cpu_reg(s, a->rn);
 
-    if (!logic_imm_decode_wmask(&wmask, is_n, imms, immr)) {
-        /* some immediate field values are reserved */
-        unallocated_encoding(s);
-        return;
+    fn(tcg_rd, tcg_rn, imm);
+    if (set_cc) {
+        gen_logic_CC(a->sf, tcg_rd);
     }
-
-    if (!sf) {
-        wmask &= 0xffffffff;
-    }
-
-    switch (opc) {
-    case 0x3: /* ANDS */
-    case 0x0: /* AND */
-        tcg_gen_andi_i64(tcg_rd, tcg_rn, wmask);
-        is_and = true;
-        break;
-    case 0x1: /* ORR */
-        tcg_gen_ori_i64(tcg_rd, tcg_rn, wmask);
-        break;
-    case 0x2: /* EOR */
-        tcg_gen_xori_i64(tcg_rd, tcg_rn, wmask);
-        break;
-    default:
-        assert(FALSE); /* must handle all above */
-        break;
-    }
-
-    if (!sf && !is_and) {
-        /* zero extend final result; we know we can skip this for AND
-         * since the immediate had the high 32 bits clear.
-         */
+    if (!a->sf) {
         tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
     }
-
-    if (opc == 3) { /* ANDS */
-        gen_logic_CC(sf, tcg_rd);
-    }
+    return true;
 }
 
+TRANS(AND_i, gen_rri_log, a, false, tcg_gen_andi_i64)
+TRANS(ORR_i, gen_rri_log, a, false, tcg_gen_ori_i64)
+TRANS(EOR_i, gen_rri_log, a, false, tcg_gen_xori_i64)
+TRANS(ANDS_i, gen_rri_log, a, true, tcg_gen_andi_i64)
+
 /*
  * Move wide (immediate)
  *
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
 static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 23, 6)) {
-    case 0x24: /* Logical (immediate) */
-        disas_logic_imm(s, insn);
-        break;
     case 0x25: /* Move wide (immediate) */
         disas_movw_imm(s, insn);
         break;
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Convert the MON, MOVZ, MOVK instructions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-11-peter.maydell@linaro.org
[PMM: Rebased]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/a64.decode      | 13 ++++++
 target/arm/tcg/translate-a64.c | 73 ++++++++++++++--------------------
 2 files changed, 42 insertions(+), 44 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Convert the BFM, SBFM, UBFM instructions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-12-peter.maydell@linaro.org
[PMM: Rebased]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/a64.decode      |  13 +++
 target/arm/tcg/translate-a64.c | 144 ++++++++++++++++++---------------
 2 files changed, 94 insertions(+), 63 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ MOVZ            . 10 100101 .. ................ .....   @movw_64
 MOVZ            . 10 100101 .. ................ .....   @movw_32
 MOVK            . 11 100101 .. ................ .....   @movw_64
 MOVK            . 11 100101 .. ................ .....   @movw_32
+
+# Bitfield
+
+&bitfield       rd rn sf immr imms
+@bitfield_64    1 .. ...... 1 immr:6 imms:6 rn:5 rd:5      &bitfield sf=1
+@bitfield_32    0 .. ...... 0 0 immr:5 0 imms:5 rn:5 rd:5  &bitfield sf=0
+
+SBFM            . 00 100110 . ...... ...... ..... ..... @bitfield_64
+SBFM            . 00 100110 . ...... ...... ..... ..... @bitfield_32
+BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_64
+BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_32
+UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_64
+UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_32
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_MOVK(DisasContext *s, arg_movw *a)
     return true;
 }
 
-/* Bitfield
- *   31  30 29 28         23 22  21  16 15  10 9    5 4    0
- * +----+-----+-------------+---+------+------+------+------+
- * | sf | opc | 1 0 0 1 1 0 | N | immr | imms |  Rn  |  Rd  |
- * +----+-----+-------------+---+------+------+------+------+
+/*
+ * Bitfield
  */
-static void disas_bitfield(DisasContext *s, uint32_t insn)
+
+static bool trans_SBFM(DisasContext *s, arg_SBFM *a)
 {
-    unsigned int sf, n, opc, ri, si, rn, rd, bitsize, pos, len;
-    TCGv_i64 tcg_rd, tcg_tmp;
+    TCGv_i64 tcg_rd = cpu_reg(s, a->rd);
+    TCGv_i64 tcg_tmp = read_cpu_reg(s, a->rn, 1);
+    unsigned int bitsize = a->sf ? 64 : 32;
+    unsigned int ri = a->immr;
+    unsigned int si = a->imms;
+    unsigned int pos, len;
 
-    sf = extract32(insn, 31, 1);
-    opc = extract32(insn, 29, 2);
-    n = extract32(insn, 22, 1);
-    ri = extract32(insn, 16, 6);
-    si = extract32(insn, 10, 6);
-    rn = extract32(insn, 5, 5);
-    rd = extract32(insn, 0, 5);
-    bitsize = sf ? 64 : 32;
-
-    if (sf != n || ri >= bitsize || si >= bitsize || opc > 2) {
-        unallocated_encoding(s);
-        return;
-    }
-
-    tcg_rd = cpu_reg(s, rd);
-
-    /* Suppress the zero-extend for !sf.  Since RI and SI are constrained
-       to be smaller than bitsize, we'll never reference data outside the
-       low 32-bits anyway.  */
-    tcg_tmp = read_cpu_reg(s, rn, 1);
-
-    /* Recognize simple(r) extractions.  */
     if (si >= ri) {
         /* Wd<s-r:0> = Wn<s:r> */
         len = (si - ri) + 1;
-        if (opc == 0) { /* SBFM: ASR, SBFX, SXTB, SXTH, SXTW */
-            tcg_gen_sextract_i64(tcg_rd, tcg_tmp, ri, len);
-            goto done;
-        } else if (opc == 2) { /* UBFM: UBFX, LSR, UXTB, UXTH */
-            tcg_gen_extract_i64(tcg_rd, tcg_tmp, ri, len);
-            return;
+        tcg_gen_sextract_i64(tcg_rd, tcg_tmp, ri, len);
+        if (!a->sf) {
+            tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
         }
-        /* opc == 1, BFXIL fall through to deposit */
+    } else {
+        /* Wd<32+s-r,32-r> = Wn<s:0> */
+        len = si + 1;
+        pos = (bitsize - ri) & (bitsize - 1);
+
+        if (len < ri) {
+            /*
+             * Sign extend the destination field from len to fill the
+             * balance of the word.  Let the deposit below insert all
+             * of those sign bits.
+             */
+            tcg_gen_sextract_i64(tcg_tmp, tcg_tmp, 0, len);
+            len = ri;
+        }
+
+        /*
+         * We start with zero, and we haven't modified any bits outside
+         * bitsize, therefore no final zero-extension is unneeded for !sf.
+         */
+        tcg_gen_deposit_z_i64(tcg_rd, tcg_tmp, pos, len);
+    }
+    return true;
+}
+
+static bool trans_UBFM(DisasContext *s, arg_UBFM *a)
+{
+    TCGv_i64 tcg_rd = cpu_reg(s, a->rd);
+    TCGv_i64 tcg_tmp = read_cpu_reg(s, a->rn, 1);
+    unsigned int bitsize = a->sf ? 64 : 32;
+    unsigned int ri = a->immr;
+    unsigned int si = a->imms;
+    unsigned int pos, len;
+
+    tcg_rd = cpu_reg(s, a->rd);
+    tcg_tmp = read_cpu_reg(s, a->rn, 1);
+
+    if (si >= ri) {
+        /* Wd<s-r:0> = Wn<s:r> */
+        len = (si - ri) + 1;
+        tcg_gen_extract_i64(tcg_rd, tcg_tmp, ri, len);
+    } else {
+        /* Wd<32+s-r,32-r> = Wn<s:0> */
+        len = si + 1;
+        pos = (bitsize - ri) & (bitsize - 1);
+        tcg_gen_deposit_z_i64(tcg_rd, tcg_tmp, pos, len);
+    }
+    return true;
+}
+
+static bool trans_BFM(DisasContext *s, arg_BFM *a)
+{
+    TCGv_i64 tcg_rd = cpu_reg(s, a->rd);
+    TCGv_i64 tcg_tmp = read_cpu_reg(s, a->rn, 1);
+    unsigned int bitsize = a->sf ? 64 : 32;
+    unsigned int ri = a->immr;
+    unsigned int si = a->imms;
+    unsigned int pos, len;
+
+    tcg_rd = cpu_reg(s, a->rd);
+    tcg_tmp = read_cpu_reg(s, a->rn, 1);
+
+    if (si >= ri) {
+        /* Wd<s-r:0> = Wn<s:r> */
         tcg_gen_shri_i64(tcg_tmp, tcg_tmp, ri);
+        len = (si - ri) + 1;
         pos = 0;
     } else {
-        /* Handle the ri > si case with a deposit
-         * Wd<32+s-r,32-r> = Wn<s:0>
-         */
+        /* Wd<32+s-r,32-r> = Wn<s:0> */
         len = si + 1;
         pos = (bitsize - ri) & (bitsize - 1);
     }
 
-    if (opc == 0 && len < ri) {
-        /* SBFM: sign extend the destination field from len to fill
-           the balance of the word.  Let the deposit below insert all
-           of those sign bits.  */
-        tcg_gen_sextract_i64(tcg_tmp, tcg_tmp, 0, len);
-        len = ri;
-    }
-
-    if (opc == 1) { /* BFM, BFXIL */
-        tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_tmp, pos, len);
-    } else {
-        /* SBFM or UBFM: We start with zero, and we haven't modified
-           any bits outside bitsize, therefore the zero-extension
-           below is unneeded.  */
-        tcg_gen_deposit_z_i64(tcg_rd, tcg_tmp, pos, len);
-        return;
-    }
-
- done:
-    if (!sf) { /* zero extend final result */
+    tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_tmp, pos, len);
+    if (!a->sf) {
         tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
     }
+    return true;
 }
 
 /* Extract
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
 static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 23, 6)) {
-    case 0x26: /* Bitfield */
-        disas_bitfield(s, insn);
-        break;
     case 0x27: /* Extract */
         disas_extract(s, insn);
         break;
-- 
2.34.1

Convert the EXTR instruction to decodetree (this is the
only one in the 'Extract" class). This is the last of
the dp-immediate insns in the legacy decoder, so we
can now remove disas_data_proc_imm().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-13-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  7 +++
 target/arm/tcg/translate-a64.c | 94 +++++++++++-----------------------
 2 files changed, 36 insertions(+), 65 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_64
 BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_32
 UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_64
 UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_32
+
+# Extract
+
+&extract        rd rn rm imm sf
+
+EXTR            1 00 100111 1 0 rm:5 imm:6 rn:5 rd:5     &extract sf=1
+EXTR            0 00 100111 0 0 rm:5 0 imm:5 rn:5 rd:5   &extract sf=0
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_BFM(DisasContext *s, arg_BFM *a)
     return true;
 }
 
-/* Extract
- *   31  30  29 28         23 22   21  20  16 15    10 9    5 4    0
- * +----+------+-------------+---+----+------+--------+------+------+
- * | sf | op21 | 1 0 0 1 1 1 | N | o0 |  Rm  |  imms  |  Rn  |  Rd  |
- * +----+------+-------------+---+----+------+--------+------+------+
- */
-static void disas_extract(DisasContext *s, uint32_t insn)
+static bool trans_EXTR(DisasContext *s, arg_extract *a)
 {
-    unsigned int sf, n, rm, imm, rn, rd, bitsize, op21, op0;
+    TCGv_i64 tcg_rd, tcg_rm, tcg_rn;
 
-    sf = extract32(insn, 31, 1);
-    n = extract32(insn, 22, 1);
-    rm = extract32(insn, 16, 5);
-    imm = extract32(insn, 10, 6);
-    rn = extract32(insn, 5, 5);
-    rd = extract32(insn, 0, 5);
-    op21 = extract32(insn, 29, 2);
-    op0 = extract32(insn, 21, 1);
-    bitsize = sf ? 64 : 32;
+    tcg_rd = cpu_reg(s, a->rd);
 
-    if (sf != n || op21 || op0 || imm >= bitsize) {
-        unallocated_encoding(s);
-    } else {
-        TCGv_i64 tcg_rd, tcg_rm, tcg_rn;
-
-        tcg_rd = cpu_reg(s, rd);
-
-        if (unlikely(imm == 0)) {
-            /* tcg shl_i32/shl_i64 is undefined for 32/64 bit shifts,
-             * so an extract from bit 0 is a special case.
-             */
-            if (sf) {
-                tcg_gen_mov_i64(tcg_rd, cpu_reg(s, rm));
-            } else {
-                tcg_gen_ext32u_i64(tcg_rd, cpu_reg(s, rm));
-            }
+    if (unlikely(a->imm == 0)) {
+        /*
+         * tcg shl_i32/shl_i64 is undefined for 32/64 bit shifts,
+         * so an extract from bit 0 is a special case.
+         */
+        if (a->sf) {
+            tcg_gen_mov_i64(tcg_rd, cpu_reg(s, a->rm));
         } else {
-            tcg_rm = cpu_reg(s, rm);
-            tcg_rn = cpu_reg(s, rn);
+            tcg_gen_ext32u_i64(tcg_rd, cpu_reg(s, a->rm));
+        }
+    } else {
+        tcg_rm = cpu_reg(s, a->rm);
+        tcg_rn = cpu_reg(s, a->rn);
 
-            if (sf) {
-                /* Specialization to ROR happens in EXTRACT2.  */
-                tcg_gen_extract2_i64(tcg_rd, tcg_rm, tcg_rn, imm);
+        if (a->sf) {
+            /* Specialization to ROR happens in EXTRACT2.  */
+            tcg_gen_extract2_i64(tcg_rd, tcg_rm, tcg_rn, a->imm);
+        } else {
+            TCGv_i32 t0 = tcg_temp_new_i32();
+
+            tcg_gen_extrl_i64_i32(t0, tcg_rm);
+            if (a->rm == a->rn) {
+                tcg_gen_rotri_i32(t0, t0, a->imm);
             } else {
-                TCGv_i32 t0 = tcg_temp_new_i32();
-
-                tcg_gen_extrl_i64_i32(t0, tcg_rm);
-                if (rm == rn) {
-                    tcg_gen_rotri_i32(t0, t0, imm);
-                } else {
-                    TCGv_i32 t1 = tcg_temp_new_i32();
-                    tcg_gen_extrl_i64_i32(t1, tcg_rn);
-                    tcg_gen_extract2_i32(t0, t0, t1, imm);
-                }
-                tcg_gen_extu_i32_i64(tcg_rd, t0);
+                TCGv_i32 t1 = tcg_temp_new_i32();
+                tcg_gen_extrl_i64_i32(t1, tcg_rn);
+                tcg_gen_extract2_i32(t0, t0, t1, a->imm);
             }
+            tcg_gen_extu_i32_i64(tcg_rd, t0);
         }
     }
-}
-
-/* Data processing - immediate */
-static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
-{
-    switch (extract32(insn, 23, 6)) {
-    case 0x27: /* Extract */
-        disas_extract(s, insn);
-        break;
-    default:
-        unallocated_encoding(s);
-        break;
-    }
+    return true;
 }
 
 /* Shift a TCGv src by TCGv shift_amount, put result in dst.
@@ -XXX,XX +XXX,XX @@ static bool btype_destination_ok(uint32_t insn, bool bt, int btype)
 static void disas_a64_legacy(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 25, 4)) {
-    case 0x8: case 0x9: /* Data processing - immediate */
-        disas_data_proc_imm(s, insn);
-        break;
     case 0xa: case 0xb: /* Branch, exception generation and system insns */
         disas_b_exc_sys(s, insn);
         break;
-- 
2.34.1

Convert the unconditional branch immediate insns B and BL to
decodetree.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-14-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  9 +++++++++
 target/arm/tcg/translate-a64.c | 31 +++++++++++--------------------
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@
 
 &ri              rd imm
 &rri_sf          rd rn imm sf
+&i               imm
 
 
 ### Data Processing - Immediate
@@ -XXX,XX +XXX,XX @@ UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_32
 
 EXTR            1 00 100111 1 0 rm:5 imm:6 rn:5 rd:5     &extract sf=1
 EXTR            0 00 100111 0 0 rm:5 0 imm:5 rn:5 rd:5   &extract sf=0
+
+# Branches
+
+%imm26   0:s26 !function=times_4
+@branch         . ..... .......................... &i imm=%imm26
+
+B               0 00101 .......................... @branch
+BL              1 00101 .......................... @branch
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline AArch64DecodeFn *lookup_disas_fn(const AArch64DecodeTable *table,
  * match up with those in the manual.
  */
 
-/* Unconditional branch (immediate)
- *   31  30       26 25                                  0
- * +----+-----------+-------------------------------------+
- * | op | 0 0 1 0 1 |                 imm26               |
- * +----+-----------+-------------------------------------+
- */
-static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
+static bool trans_B(DisasContext *s, arg_i *a)
 {
-    int64_t diff = sextract32(insn, 0, 26) * 4;
-
-    if (insn & (1U << 31)) {
-        /* BL Branch with link */
-        gen_pc_plus_diff(s, cpu_reg(s, 30), curr_insn_len(s));
-    }
-
-    /* B Branch / BL Branch with link */
     reset_btype(s);
-    gen_goto_tb(s, 0, diff);
+    gen_goto_tb(s, 0, a->imm);
+    return true;
+}
+
+static bool trans_BL(DisasContext *s, arg_i *a)
+{
+    gen_pc_plus_diff(s, cpu_reg(s, 30), curr_insn_len(s));
+    reset_btype(s);
+    gen_goto_tb(s, 0, a->imm);
+    return true;
 }
 
 /* Compare and branch (immediate)
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
 static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 25, 7)) {
-    case 0x0a: case 0x0b:
-    case 0x4a: case 0x4b: /* Unconditional branch (immediate) */
-        disas_uncond_b_imm(s, insn);
-        break;
     case 0x1a: case 0x5a: /* Compare & branch (immediate) */
         disas_comp_b_imm(s, insn);
         break;
-- 
2.34.1

Convert the compare-and-branch-immediate insns CBZ and CBNZ
to decodetree.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-15-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  5 +++++
 target/arm/tcg/translate-a64.c | 26 ++++++--------------------
 2 files changed, 11 insertions(+), 20 deletions(-)

Convert the test-and-branch-immediate insns TBZ and TBNZ
to decodetree.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-16-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  6 ++++++
 target/arm/tcg/translate-a64.c | 25 +++++--------------------
 2 files changed, 11 insertions(+), 20 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ BL              1 00101 .......................... @branch
 &cbz     rt imm sf nz
 
 CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
+
+%imm14     5:s14 !function=times_4
+%imm31_19  31:1 19:5
+&tbz       rt imm nz bitpos
+
+TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_CBZ(DisasContext *s, arg_cbz *a)
     return true;
 }
 
-/* Test and branch (immediate)
- *   31  30         25  24  23   19 18          5 4    0
- * +----+-------------+----+-------+-------------+------+
- * | b5 | 0 1 1 0 1 1 | op |  b40  |    imm14    |  Rt  |
- * +----+-------------+----+-------+-------------+------+
- */
-static void disas_test_b_imm(DisasContext *s, uint32_t insn)
+static bool trans_TBZ(DisasContext *s, arg_tbz *a)
 {
-    unsigned int bit_pos, op, rt;
-    int64_t diff;
     DisasLabel match;
     TCGv_i64 tcg_cmp;
 
-    bit_pos = (extract32(insn, 31, 1) << 5) | extract32(insn, 19, 5);
-    op = extract32(insn, 24, 1); /* 0: TBZ; 1: TBNZ */
-    diff = sextract32(insn, 5, 14) * 4;
-    rt = extract32(insn, 0, 5);
-
     tcg_cmp = tcg_temp_new_i64();
-    tcg_gen_andi_i64(tcg_cmp, cpu_reg(s, rt), (1ULL << bit_pos));
+    tcg_gen_andi_i64(tcg_cmp, cpu_reg(s, a->rt), 1ULL << a->bitpos);
 
     reset_btype(s);
 
     match = gen_disas_label(s);
-    tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
+    tcg_gen_brcondi_i64(a->nz ? TCG_COND_NE : TCG_COND_EQ,
                         tcg_cmp, 0, match.label);
     gen_goto_tb(s, 0, 4);
     set_disas_label(s, match);
-    gen_goto_tb(s, 1, diff);
+    gen_goto_tb(s, 1, a->imm);
+    return true;
 }
 
 /* Conditional branch (immediate)
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
 static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 25, 7)) {
-    case 0x1b: case 0x5b: /* Test & branch (immediate) */
-        disas_test_b_imm(s, insn);
-        break;
     case 0x2a: /* Conditional branch (immediate) */
         disas_cond_b_imm(s, insn);
         break;
-- 
2.34.1

Convert the immediate conditional branch insn B.cond to
decodetree.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-17-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  2 ++
 target/arm/tcg/translate-a64.c | 30 ++++++------------------------
 2 files changed, 8 insertions(+), 24 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
 &tbz       rt imm nz bitpos
 
 TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
+
+B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_TBZ(DisasContext *s, arg_tbz *a)
     return true;
 }
 
-/* Conditional branch (immediate)
- *  31           25  24  23                  5   4  3    0
- * +---------------+----+---------------------+----+------+
- * | 0 1 0 1 0 1 0 | o1 |         imm19       | o0 | cond |
- * +---------------+----+---------------------+----+------+
- */
-static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
+static bool trans_B_cond(DisasContext *s, arg_B_cond *a)
 {
-    unsigned int cond;
-    int64_t diff;
-
-    if ((insn & (1 << 4)) || (insn & (1 << 24))) {
-        unallocated_encoding(s);
-        return;
-    }
-    diff = sextract32(insn, 5, 19) * 4;
-    cond = extract32(insn, 0, 4);
-
     reset_btype(s);
-    if (cond < 0x0e) {
+    if (a->cond < 0x0e) {
         /* genuinely conditional branches */
         DisasLabel match = gen_disas_label(s);
-        arm_gen_test_cc(cond, match.label);
+        arm_gen_test_cc(a->cond, match.label);
         gen_goto_tb(s, 0, 4);
         set_disas_label(s, match);
-        gen_goto_tb(s, 1, diff);
+        gen_goto_tb(s, 1, a->imm);
     } else {
         /* 0xe and 0xf are both "always" conditions */
-        gen_goto_tb(s, 0, diff);
+        gen_goto_tb(s, 0, a->imm);
     }
+    return true;
 }
 
 /* HINT instruction group, including various allocated HINTs */
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
 static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 25, 7)) {
-    case 0x2a: /* Conditional branch (immediate) */
-        disas_cond_b_imm(s, insn);
-        break;
     case 0x6a: /* Exception generation / System */
         if (insn & (1 << 24)) {
             if (extract32(insn, 22, 2) == 0) {
-- 
2.34.1

Convert the simple (non-pointer-auth) BR, BLR and RET insns
to decodetree.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-18-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  5 ++++
 target/arm/tcg/translate-a64.c | 55 ++++++++++++++++++++++++++++++----
 2 files changed, 54 insertions(+), 6 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@
 # This file is processed by scripts/decodetree.py
 #
 
+&r               rn
 &ri              rd imm
 &rri_sf          rd rn imm sf
 &i               imm
@@ -XXX,XX +XXX,XX @@ CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
 TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
 
 B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
+
+BR              1101011 0000 11111 000000 rn:5 00000 &r
+BLR             1101011 0001 11111 000000 rn:5 00000 &r
+RET             1101011 0010 11111 000000 rn:5 00000 &r
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_B_cond(DisasContext *s, arg_B_cond *a)
     return true;
 }
 
+static void set_btype_for_br(DisasContext *s, int rn)
+{
+    if (dc_isar_feature(aa64_bti, s)) {
+        /* BR to {x16,x17} or !guard -> 1, else 3.  */
+        set_btype(s, rn == 16 || rn == 17 || !s->guarded_page ? 1 : 3);
+    }
+}
+
+static void set_btype_for_blr(DisasContext *s)
+{
+    if (dc_isar_feature(aa64_bti, s)) {
+        /* BLR sets BTYPE to 2, regardless of source guarded page.  */
+        set_btype(s, 2);
+    }
+}
+
+static bool trans_BR(DisasContext *s, arg_r *a)
+{
+    gen_a64_set_pc(s, cpu_reg(s, a->rn));
+    set_btype_for_br(s, a->rn);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
+static bool trans_BLR(DisasContext *s, arg_r *a)
+{
+    TCGv_i64 dst = cpu_reg(s, a->rn);
+    TCGv_i64 lr = cpu_reg(s, 30);
+    if (dst == lr) {
+        TCGv_i64 tmp = tcg_temp_new_i64();
+        tcg_gen_mov_i64(tmp, dst);
+        dst = tmp;
+    }
+    gen_pc_plus_diff(s, lr, curr_insn_len(s));
+    gen_a64_set_pc(s, dst);
+    set_btype_for_blr(s);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
+static bool trans_RET(DisasContext *s, arg_r *a)
+{
+    gen_a64_set_pc(s, cpu_reg(s, a->rn));
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
 /* HINT instruction group, including various allocated HINTs */
 static void handle_hint(DisasContext *s, uint32_t insn,
                         unsigned int op1, unsigned int op2, unsigned int crm)
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
         btype_mod = opc;
         switch (op3) {
         case 0:
-            /* BR, BLR, RET */
-            if (op4 != 0) {
-                goto do_unallocated;
-            }
-            dst = cpu_reg(s, rn);
-            break;
+            /* BR, BLR, RET : handled in decodetree */
+            goto do_unallocated;
 
         case 2:
         case 3:
-- 
2.34.1

Convert the single-register pointer-authentication variants of BR,
BLR, RET to decodetree. (BRAA/BLRAA are in a different branch of
the legacy decoder and will be dealt with in the next commit.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-19-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |   7 ++
 target/arm/tcg/translate-a64.c | 132 +++++++++++++++++++--------------
 2 files changed, 84 insertions(+), 55 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
 BR              1101011 0000 11111 000000 rn:5 00000 &r
 BLR             1101011 0001 11111 000000 rn:5 00000 &r
 RET             1101011 0010 11111 000000 rn:5 00000 &r
+
+&braz       rn m
+BRAZ            1101011 0000 11111 00001 m:1 rn:5 11111 &braz   # BRAAZ, BRABZ
+BLRAZ           1101011 0001 11111 00001 m:1 rn:5 11111 &braz   # BLRAAZ, BLRABZ
+
+&reta       m
+RETA            1101011 0010 11111 00001 m:1 11111 11111 &reta  # RETAA, RETAB
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_RET(DisasContext *s, arg_r *a)
     return true;
 }
 
+static TCGv_i64 auth_branch_target(DisasContext *s, TCGv_i64 dst,
+                                   TCGv_i64 modifier, bool use_key_a)
+{
+    TCGv_i64 truedst;
+    /*
+     * Return the branch target for a BRAA/RETA/etc, which is either
+     * just the destination dst, or that value with the pauth check
+     * done and the code removed from the high bits.
+     */
+    if (!s->pauth_active) {
+        return dst;
+    }
+
+    truedst = tcg_temp_new_i64();
+    if (use_key_a) {
+        gen_helper_autia(truedst, cpu_env, dst, modifier);
+    } else {
+        gen_helper_autib(truedst, cpu_env, dst, modifier);
+    }
+    return truedst;
+}
+
+static bool trans_BRAZ(DisasContext *s, arg_braz *a)
+{
+    TCGv_i64 dst;
+
+    if (!dc_isar_feature(aa64_pauth, s)) {
+        return false;
+    }
+
+    dst = auth_branch_target(s, cpu_reg(s, a->rn), tcg_constant_i64(0), !a->m);
+    gen_a64_set_pc(s, dst);
+    set_btype_for_br(s, a->rn);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
+static bool trans_BLRAZ(DisasContext *s, arg_braz *a)
+{
+    TCGv_i64 dst, lr;
+
+    if (!dc_isar_feature(aa64_pauth, s)) {
+        return false;
+    }
+
+    dst = auth_branch_target(s, cpu_reg(s, a->rn), tcg_constant_i64(0), !a->m);
+    lr = cpu_reg(s, 30);
+    if (dst == lr) {
+        TCGv_i64 tmp = tcg_temp_new_i64();
+        tcg_gen_mov_i64(tmp, dst);
+        dst = tmp;
+    }
+    gen_pc_plus_diff(s, lr, curr_insn_len(s));
+    gen_a64_set_pc(s, dst);
+    set_btype_for_blr(s);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
+static bool trans_RETA(DisasContext *s, arg_reta *a)
+{
+    TCGv_i64 dst;
+
+    dst = auth_branch_target(s, cpu_reg(s, 30), cpu_X[31], !a->m);
+    gen_a64_set_pc(s, dst);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
 /* HINT instruction group, including various allocated HINTs */
 static void handle_hint(DisasContext *s, uint32_t insn,
                         unsigned int op1, unsigned int op2, unsigned int crm)
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
     }
 
     switch (opc) {
-    case 0: /* BR */
-    case 1: /* BLR */
-    case 2: /* RET */
-        btype_mod = opc;
-        switch (op3) {
-        case 0:
-            /* BR, BLR, RET : handled in decodetree */
-            goto do_unallocated;
-
-        case 2:
-        case 3:
-            if (!dc_isar_feature(aa64_pauth, s)) {
-                goto do_unallocated;
-            }
-            if (opc == 2) {
-                /* RETAA, RETAB */
-                if (rn != 0x1f || op4 != 0x1f) {
-                    goto do_unallocated;
-                }
-                rn = 30;
-                modifier = cpu_X[31];
-            } else {
-                /* BRAAZ, BRABZ, BLRAAZ, BLRABZ */
-                if (op4 != 0x1f) {
-                    goto do_unallocated;
-                }
-                modifier = tcg_constant_i64(0);
-            }
-            if (s->pauth_active) {
-                dst = tcg_temp_new_i64();
-                if (op3 == 2) {
-                    gen_helper_autia(dst, cpu_env, cpu_reg(s, rn), modifier);
-                } else {
-                    gen_helper_autib(dst, cpu_env, cpu_reg(s, rn), modifier);
-                }
-            } else {
-                dst = cpu_reg(s, rn);
-            }
-            break;
-
-        default:
-            goto do_unallocated;
-        }
-        /* BLR also needs to load return address */
-        if (opc == 1) {
-            TCGv_i64 lr = cpu_reg(s, 30);
-            if (dst == lr) {
-                TCGv_i64 tmp = tcg_temp_new_i64();
-                tcg_gen_mov_i64(tmp, dst);
-                dst = tmp;
-            }
-            gen_pc_plus_diff(s, lr, curr_insn_len(s));
-        }
-        gen_a64_set_pc(s, dst);
-        break;
+    case 0:
+    case 1:
+    case 2:
+        /*
+         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ:
+         * handled in decodetree
+         */
+        goto do_unallocated;
 
     case 8: /* BRAA */
     case 9: /* BLRAA */
-- 
2.34.1

Convert the last four BR-with-pointer-auth insns to decodetree.
The remaining cases in the outer switch in disas_uncond_b_reg()
all return early rather than leaving the case statement, so we
can delete the now-unused code at the end of that function.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-20-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  4 ++
 target/arm/tcg/translate-a64.c | 97 ++++++++++++++--------------------
 2 files changed, 43 insertions(+), 58 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ BLRAZ           1101011 0001 11111 00001 m:1 rn:5 11111 &braz   # BLRAAZ, BLRABZ
 
 &reta       m
 RETA            1101011 0010 11111 00001 m:1 11111 11111 &reta  # RETAA, RETAB
+
+&bra        rn rm m
+BRA             1101011 1000 11111 00001 m:1 rn:5 rm:5 &bra # BRAA, BRAB
+BLRA            1101011 1001 11111 00001 m:1 rn:5 rm:5 &bra # BLRAA, BLRAB
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_RETA(DisasContext *s, arg_reta *a)
     return true;
 }
 
+static bool trans_BRA(DisasContext *s, arg_bra *a)
+{
+    TCGv_i64 dst;
+
+    if (!dc_isar_feature(aa64_pauth, s)) {
+        return false;
+    }
+    dst = auth_branch_target(s, cpu_reg(s,a->rn), cpu_reg_sp(s, a->rm), !a->m);
+    gen_a64_set_pc(s, dst);
+    set_btype_for_br(s, a->rn);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
+static bool trans_BLRA(DisasContext *s, arg_bra *a)
+{
+    TCGv_i64 dst, lr;
+
+    if (!dc_isar_feature(aa64_pauth, s)) {
+        return false;
+    }
+    dst = auth_branch_target(s, cpu_reg(s, a->rn), cpu_reg_sp(s, a->rm), !a->m);
+    lr = cpu_reg(s, 30);
+    if (dst == lr) {
+        TCGv_i64 tmp = tcg_temp_new_i64();
+        tcg_gen_mov_i64(tmp, dst);
+        dst = tmp;
+    }
+    gen_pc_plus_diff(s, lr, curr_insn_len(s));
+    gen_a64_set_pc(s, dst);
+    set_btype_for_blr(s);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
 /* HINT instruction group, including various allocated HINTs */
 static void handle_hint(DisasContext *s, uint32_t insn,
                         unsigned int op1, unsigned int op2, unsigned int crm)
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
 static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
 {
     unsigned int opc, op2, op3, rn, op4;
-    unsigned btype_mod = 2;   /* 0: BR, 1: BLR, 2: other */
     TCGv_i64 dst;
     TCGv_i64 modifier;
 
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
     case 0:
     case 1:
     case 2:
+    case 8:
+    case 9:
         /*
-         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ:
-         * handled in decodetree
+         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ,
+         * BRAA, BLRAA: handled in decodetree
          */
         goto do_unallocated;
 
-    case 8: /* BRAA */
-    case 9: /* BLRAA */
-        if (!dc_isar_feature(aa64_pauth, s)) {
-            goto do_unallocated;
-        }
-        if ((op3 & ~1) != 2) {
-            goto do_unallocated;
-        }
-        btype_mod = opc & 1;
-        if (s->pauth_active) {
-            dst = tcg_temp_new_i64();
-            modifier = cpu_reg_sp(s, op4);
-            if (op3 == 2) {
-                gen_helper_autia(dst, cpu_env, cpu_reg(s, rn), modifier);
-            } else {
-                gen_helper_autib(dst, cpu_env, cpu_reg(s, rn), modifier);
-            }
-        } else {
-            dst = cpu_reg(s, rn);
-        }
-        /* BLRAA also needs to load return address */
-        if (opc == 9) {
-            TCGv_i64 lr = cpu_reg(s, 30);
-            if (dst == lr) {
-                TCGv_i64 tmp = tcg_temp_new_i64();
-                tcg_gen_mov_i64(tmp, dst);
-                dst = tmp;
-            }
-            gen_pc_plus_diff(s, lr, curr_insn_len(s));
-        }
-        gen_a64_set_pc(s, dst);
-        break;
-
     case 4: /* ERET */
         if (s->current_el == 0) {
             goto do_unallocated;
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
         unallocated_encoding(s);
         return;
     }
-
-    switch (btype_mod) {
-    case 0: /* BR */
-        if (dc_isar_feature(aa64_bti, s)) {
-            /* BR to {x16,x17} or !guard -> 1, else 3.  */
-            set_btype(s, rn == 16 || rn == 17 || !s->guarded_page ? 1 : 3);
-        }
-        break;
-
-    case 1: /* BLR */
-        if (dc_isar_feature(aa64_bti, s)) {
-            /* BLR sets BTYPE to 2, regardless of source guarded page.  */
-            set_btype(s, 2);
-        }
-        break;
-
-    default: /* RET or none of the above.  */
-        /* BTYPE will be set to 0 by normal end-of-insn processing.  */
-        break;
-    }
-
-    s->base.is_jmp = DISAS_JUMP;
 }
 
 /* Branches, exception generating and system instructions */
-- 
2.34.1

Convert the exception-return insns ERET, ERETA and ERETB to
decodetree. These were the last insns left in the legacy
decoder function disas_uncond_reg_b(), which allows us to
remove it.

The old decoder explicitly decoded the DRPS instruction,
only in order to call unallocated_encoding() on it, exactly
as would have happened if it hadn't decoded it. This is
because this insn always UNDEFs unless the CPU is in
halting-debug state, which we don't emulate. So we list
the pattern in a comment in a64.decode, but don't actively
decode it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-21-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |   8 ++
 target/arm/tcg/translate-a64.c | 163 +++++++++++----------------------
 2 files changed, 63 insertions(+), 108 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ RETA            1101011 0010 11111 00001 m:1 11111 11111 &reta  # RETAA, RETAB
 &bra        rn rm m
 BRA             1101011 1000 11111 00001 m:1 rn:5 rm:5 &bra # BRAA, BRAB
 BLRA            1101011 1001 11111 00001 m:1 rn:5 rm:5 &bra # BLRAA, BLRAB
+
+ERET            1101011 0100 11111 000000 11111 00000
+ERETA           1101011 0100 11111 00001 m:1 11111 11111 &reta  # ERETAA, ERETAB
+
+# We don't need to decode DRPS because it always UNDEFs except when
+# the processor is in halting debug state (which we don't implement).
+# The pattern is listed here as documentation.
+# DRPS            1101011 0101 11111 000000 11111 00000
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_BLRA(DisasContext *s, arg_bra *a)
     return true;
 }
 
+static bool trans_ERET(DisasContext *s, arg_ERET *a)
+{
+    TCGv_i64 dst;
+
+    if (s->current_el == 0) {
+        return false;
+    }
+    if (s->fgt_eret) {
+        gen_exception_insn_el(s, 0, EXCP_UDEF, 0, 2);
+        return true;
+    }
+    dst = tcg_temp_new_i64();
+    tcg_gen_ld_i64(dst, cpu_env,
+                   offsetof(CPUARMState, elr_el[s->current_el]));
+
+    if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
+        gen_io_start();
+    }
+
+    gen_helper_exception_return(cpu_env, dst);
+    /* Must exit loop to check un-masked IRQs */
+    s->base.is_jmp = DISAS_EXIT;
+    return true;
+}
+
+static bool trans_ERETA(DisasContext *s, arg_reta *a)
+{
+    TCGv_i64 dst;
+
+    if (!dc_isar_feature(aa64_pauth, s)) {
+        return false;
+    }
+    if (s->current_el == 0) {
+        return false;
+    }
+    /* The FGT trap takes precedence over an auth trap. */
+    if (s->fgt_eret) {
+        gen_exception_insn_el(s, 0, EXCP_UDEF, a->m ? 3 : 2, 2);
+        return true;
+    }
+    dst = tcg_temp_new_i64();
+    tcg_gen_ld_i64(dst, cpu_env,
+                   offsetof(CPUARMState, elr_el[s->current_el]));
+
+    dst = auth_branch_target(s, dst, cpu_X[31], !a->m);
+    if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
+        gen_io_start();
+    }
+
+    gen_helper_exception_return(cpu_env, dst);
+    /* Must exit loop to check un-masked IRQs */
+    s->base.is_jmp = DISAS_EXIT;
+    return true;
+}
+
 /* HINT instruction group, including various allocated HINTs */
 static void handle_hint(DisasContext *s, uint32_t insn,
                         unsigned int op1, unsigned int op2, unsigned int crm)
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
     }
 }
 
-/* Unconditional branch (register)
- *  31           25 24   21 20   16 15   10 9    5 4     0
- * +---------------+-------+-------+-------+------+-------+
- * | 1 1 0 1 0 1 1 |  opc  |  op2  |  op3  |  Rn  |  op4  |
- * +---------------+-------+-------+-------+------+-------+
- */
-static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
-{
-    unsigned int opc, op2, op3, rn, op4;
-    TCGv_i64 dst;
-    TCGv_i64 modifier;
-
-    opc = extract32(insn, 21, 4);
-    op2 = extract32(insn, 16, 5);
-    op3 = extract32(insn, 10, 6);
-    rn = extract32(insn, 5, 5);
-    op4 = extract32(insn, 0, 5);
-
-    if (op2 != 0x1f) {
-        goto do_unallocated;
-    }
-
-    switch (opc) {
-    case 0:
-    case 1:
-    case 2:
-    case 8:
-    case 9:
-        /*
-         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ,
-         * BRAA, BLRAA: handled in decodetree
-         */
-        goto do_unallocated;
-
-    case 4: /* ERET */
-        if (s->current_el == 0) {
-            goto do_unallocated;
-        }
-        switch (op3) {
-        case 0: /* ERET */
-            if (op4 != 0) {
-                goto do_unallocated;
-            }
-            if (s->fgt_eret) {
-                gen_exception_insn_el(s, 0, EXCP_UDEF, syn_erettrap(op3), 2);
-                return;
-            }
-            dst = tcg_temp_new_i64();
-            tcg_gen_ld_i64(dst, cpu_env,
-                           offsetof(CPUARMState, elr_el[s->current_el]));
-            break;
-
-        case 2: /* ERETAA */
-        case 3: /* ERETAB */
-            if (!dc_isar_feature(aa64_pauth, s)) {
-                goto do_unallocated;
-            }
-            if (rn != 0x1f || op4 != 0x1f) {
-                goto do_unallocated;
-            }
-            /* The FGT trap takes precedence over an auth trap. */
-            if (s->fgt_eret) {
-                gen_exception_insn_el(s, 0, EXCP_UDEF, syn_erettrap(op3), 2);
-                return;
-            }
-            dst = tcg_temp_new_i64();
-            tcg_gen_ld_i64(dst, cpu_env,
-                           offsetof(CPUARMState, elr_el[s->current_el]));
-            if (s->pauth_active) {
-                modifier = cpu_X[31];
-                if (op3 == 2) {
-                    gen_helper_autia(dst, cpu_env, dst, modifier);
-                } else {
-                    gen_helper_autib(dst, cpu_env, dst, modifier);
-                }
-            }
-            break;
-
-        default:
-            goto do_unallocated;
-        }
-        if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
-            gen_io_start();
-        }
-
-        gen_helper_exception_return(cpu_env, dst);
-        /* Must exit loop to check un-masked IRQs */
-        s->base.is_jmp = DISAS_EXIT;
-        return;
-
-    case 5: /* DRPS */
-        if (op3 != 0 || op4 != 0 || rn != 0x1f) {
-            goto do_unallocated;
-        } else {
-            unallocated_encoding(s);
-        }
-        return;
-
-    default:
-    do_unallocated:
-        unallocated_encoding(s);
-        return;
-    }
-}
-
 /* Branches, exception generating and system instructions */
 static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
 {
@@ -XXX,XX +XXX,XX @@ static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
             disas_exc(s, insn);
         }
         break;
-    case 0x6b: /* Unconditional branch (register) */
-        disas_uncond_b_reg(s, insn);
-        break;
     default:
         unallocated_encoding(s);
         break;
-- 
2.34.1

The IMPDEF sysreg L2CTLR_EL1 found on the Cortex-A35, A53, A57, A72
and which we (arguably dubiously) also provide in '-cpu max' has a
2 bit field for the number of processors in the cluster. On real
hardware this must be sufficient because it can only be configured
with up to 4 CPUs in the cluster. However on QEMU if the board code
does not explicitly configure the code into clusters with the right
CPU count we default to "give the value assuming that all CPUs in
the system are in a single cluster", which might be too big to fit
in the field.

Instead of just overflowing this 2-bit field, saturate to 3 (meaning
"4 CPUs", so at least we don't overwrite other fields in the register.
It's unlikely that any guest code really cares about the value in
this field; at least, if it does it probably also wants the system
to be more closely matching real hardware, i.e. not to have more
than 4 CPUs.

This issue has been present since the L2CTLR was first added in
commit 377a44ec8f2fac5b back in 2014. It was only noticed because
Coverity complains (CID 1509227) that the shift might overflow 32 bits
and inadvertently sign extend into the top half of the 64 bit value.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512170223.3801643-2-peter.maydell@linaro.org
---
 target/arm/cortex-regs.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/target/arm/cortex-regs.c b/target/arm/cortex-regs.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cortex-regs.c
+++ b/target/arm/cortex-regs.c
@@ -XXX,XX +XXX,XX @@ static uint64_t l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
     ARMCPU *cpu = env_archcpu(env);
 
-    /* Number of cores is in [25:24]; otherwise we RAZ */
-    return (cpu->core_count - 1) << 24;
+    /*
+     * Number of cores is in [25:24]; otherwise we RAZ.
+     * If the board didn't configure the CPUs into clusters,
+     * we default to "all CPUs in one cluster", which might be
+     * more than the 4 that the hardware permits and which is
+     * all you can report in this two-bit field. Saturate to
+     * 0b11 (== 4 CPUs) rather than overflowing the field.
+     */
+    return MIN(cpu->core_count - 1, 3) << 24;
 }
 
 static const ARMCPRegInfo cortex_a72_a57_a53_cp_reginfo[] = {
-- 
2.34.1

In the vexpress board code, we allocate a new MemoryRegion at the top
of vexpress_common_init() but only set it up and use it inside the
"if (map[VE_NORFLASHALIAS] != -1)" conditional, so we leak it if not.
This isn't a very interesting leak as it's a tiny amount of memory
once at startup, but it's easy to fix.

We could silence Coverity simply by moving the g_new() into the
if() block, but this use of g_new(MemoryRegion, 1) is a legacy from
when this board model was originally written; we wouldn't do that
if we wrote it today. The MemoryRegions are conceptually a part of
the board and must not go away until the whole board is done with
(at the end of the simulation), so they belong in its state struct.

This machine already has a VexpressMachineState struct that extends
MachineState, so statically put the MemoryRegions in there instead of
dynamically allocating them separately at runtime.

Spotted by Coverity (CID 1509083).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20230512170223.3801643-3-peter.maydell@linaro.org
---
 hw/arm/vexpress.c | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/vexpress.c
+++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@ struct VexpressMachineClass {
 
 struct VexpressMachineState {
     MachineState parent;
+    MemoryRegion vram;
+    MemoryRegion sram;
+    MemoryRegion flashalias;
+    MemoryRegion lowram;
+    MemoryRegion a15sram;
     bool secure;
     bool virt;
 };
@@ -XXX,XX +XXX,XX @@ struct VexpressMachineState {
 #define TYPE_VEXPRESS_A15_MACHINE   MACHINE_TYPE_NAME("vexpress-a15")
 OBJECT_DECLARE_TYPE(VexpressMachineState, VexpressMachineClass, VEXPRESS_MACHINE)
 
-typedef void DBoardInitFn(const VexpressMachineState *machine,
+typedef void DBoardInitFn(VexpressMachineState *machine,
                           ram_addr_t ram_size,
                           const char *cpu_type,
                           qemu_irq *pic);
@@ -XXX,XX +XXX,XX @@ static void init_cpus(MachineState *ms, const char *cpu_type,
     }
 }
 
-static void a9_daughterboard_init(const VexpressMachineState *vms,
+static void a9_daughterboard_init(VexpressMachineState *vms,
                                   ram_addr_t ram_size,
                                   const char *cpu_type,
                                   qemu_irq *pic)
 {
     MachineState *machine = MACHINE(vms);
     MemoryRegion *sysmem = get_system_memory();
-    MemoryRegion *lowram = g_new(MemoryRegion, 1);
     ram_addr_t low_ram_size;
 
     if (ram_size > 0x40000000) {
@@ -XXX,XX +XXX,XX @@ static void a9_daughterboard_init(const VexpressMachineState *vms,
      * address space should in theory be remappable to various
      * things including ROM or RAM; we always map the RAM there.
      */
-    memory_region_init_alias(lowram, NULL, "vexpress.lowmem", machine->ram,
-                             0, low_ram_size);
-    memory_region_add_subregion(sysmem, 0x0, lowram);
+    memory_region_init_alias(&vms->lowram, NULL, "vexpress.lowmem",
+                             machine->ram, 0, low_ram_size);
+    memory_region_add_subregion(sysmem, 0x0, &vms->lowram);
     memory_region_add_subregion(sysmem, 0x60000000, machine->ram);
 
     /* 0x1e000000 A9MPCore (SCU) private memory region */
@@ -XXX,XX +XXX,XX @@ static VEDBoardInfo a9_daughterboard = {
     .init = a9_daughterboard_init,
 };
 
-static void a15_daughterboard_init(const VexpressMachineState *vms,
+static void a15_daughterboard_init(VexpressMachineState *vms,
                                    ram_addr_t ram_size,
                                    const char *cpu_type,
                                    qemu_irq *pic)
 {
     MachineState *machine = MACHINE(vms);
     MemoryRegion *sysmem = get_system_memory();
-    MemoryRegion *sram = g_new(MemoryRegion, 1);
 
     {
         /* We have to use a separate 64 bit variable here to avoid the gcc
@@ -XXX,XX +XXX,XX @@ static void a15_daughterboard_init(const VexpressMachineState *vms,
     /* 0x2b060000: SP805 watchdog: not modelled */
     /* 0x2b0a0000: PL341 dynamic memory controller: not modelled */
     /* 0x2e000000: system SRAM */
-    memory_region_init_ram(sram, NULL, "vexpress.a15sram", 0x10000,
+    memory_region_init_ram(&vms->a15sram, NULL, "vexpress.a15sram", 0x10000,
                            &error_fatal);
-    memory_region_add_subregion(sysmem, 0x2e000000, sram);
+    memory_region_add_subregion(sysmem, 0x2e000000, &vms->a15sram);
 
     /* 0x7ffb0000: DMA330 DMA controller: not modelled */
     /* 0x7ffd0000: PL354 static memory controller: not modelled */
@@ -XXX,XX +XXX,XX @@ static void vexpress_common_init(MachineState *machine)
     I2CBus *i2c;
     ram_addr_t vram_size, sram_size;
     MemoryRegion *sysmem = get_system_memory();
-    MemoryRegion *vram = g_new(MemoryRegion, 1);
-    MemoryRegion *sram = g_new(MemoryRegion, 1);
-    MemoryRegion *flashalias = g_new(MemoryRegion, 1);
-    MemoryRegion *flash0mem;
     const hwaddr *map = daughterboard->motherboard_map;
     int i;
 
@@ -XXX,XX +XXX,XX @@ static void vexpress_common_init(MachineState *machine)
 
     if (map[VE_NORFLASHALIAS] != -1) {
         /* Map flash 0 as an alias into low memory */
+        MemoryRegion *flash0mem;
         flash0mem = sysbus_mmio_get_region(SYS_BUS_DEVICE(pflash0), 0);
-        memory_region_init_alias(flashalias, NULL, "vexpress.flashalias",
+        memory_region_init_alias(&vms->flashalias, NULL, "vexpress.flashalias",
                                  flash0mem, 0, VEXPRESS_FLASH_SIZE);
-        memory_region_add_subregion(sysmem, map[VE_NORFLASHALIAS], flashalias);
+        memory_region_add_subregion(sysmem, map[VE_NORFLASHALIAS], &vms->flashalias);
     }
 
     dinfo = drive_get(IF_PFLASH, 0, 1);
     ve_pflash_cfi01_register(map[VE_NORFLASH1], "vexpress.flash1", dinfo);
 
     sram_size = 0x2000000;
-    memory_region_init_ram(sram, NULL, "vexpress.sram", sram_size,
+    memory_region_init_ram(&vms->sram, NULL, "vexpress.sram", sram_size,
                            &error_fatal);
-    memory_region_add_subregion(sysmem, map[VE_SRAM], sram);
+    memory_region_add_subregion(sysmem, map[VE_SRAM], &vms->sram);
 
     vram_size = 0x800000;
-    memory_region_init_ram(vram, NULL, "vexpress.vram", vram_size,
+    memory_region_init_ram(&vms->vram, NULL, "vexpress.vram", vram_size,
                            &error_fatal);
-    memory_region_add_subregion(sysmem, map[VE_VIDEORAM], vram);
+    memory_region_add_subregion(sysmem, map[VE_VIDEORAM], &vms->vram);
 
     /* 0x4e000000 LAN9118 Ethernet */
     if (nd_table[0].used) {
-- 
2.34.1

Convert the u2f.txt file to rST, and place it in the right place
in our manual layout. The old text didn't fit very well into our
manual style, so the new version ends up looking like a rewrite,
although some of the original text is preserved:

* the 'building' section of the old file is removed, since we
   generally assume that users have already built QEMU
 * some rather verbose text has been cut back
 * document the passthrough device first, on the assumption
   that's most likely to be of interest to users
 * cut back on the duplication of text between sections
 * format example command lines etc with rST

As it's a short document it seemed simplest to do this all
in one go rather than try to do a minimal syntactic conversion
and then clean up the wording and layout.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 20230421163734.1152076-1-peter.maydell@linaro.org
---
 docs/system/device-emulation.rst |   1 +
 docs/system/devices/usb-u2f.rst  |  93 ++++++++++++++++++++++++++
 docs/system/devices/usb.rst      |   2 +-
 docs/u2f.txt                     | 110 -------------------------------
 4 files changed, 95 insertions(+), 111 deletions(-)
 create mode 100644 docs/system/devices/usb-u2f.rst
 delete mode 100644 docs/u2f.txt

diff --git a/docs/system/device-emulation.rst b/docs/system/device-emulation.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/device-emulation.rst
+++ b/docs/system/device-emulation.rst
@@ -XXX,XX +XXX,XX @@ Emulated Devices
    devices/virtio-pmem.rst
    devices/vhost-user-rng.rst
    devices/canokey.rst
+   devices/usb-u2f.rst
    devices/igb.rst
diff --git a/docs/system/devices/usb-u2f.rst b/docs/system/devices/usb-u2f.rst
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/docs/system/devices/usb-u2f.rst
@@ -XXX,XX +XXX,XX @@
+Universal Second Factor (U2F) USB Key Device
+============================================
+
+U2F is an open authentication standard that enables relying parties
+exposed to the internet to offer a strong second factor option for end
+user authentication.
+
+The second factor is provided by a device implementing the U2F
+protocol. In case of a USB U2F security key, it is a USB HID device
+that implements the U2F protocol.
+
+QEMU supports both pass-through of a host U2F key device to a VM,
+and software emulation of a U2F key.
+
+``u2f-passthru``
+----------------
+
+The ``u2f-passthru`` device allows you to connect a real hardware
+U2F key on your host to a guest VM. All requests made from the guest
+are passed through to the physical security key connected to the
+host machine and vice versa.
+
+In addition, the dedicated pass-through allows you to share a single
+U2F security key with several guest VMs, which is not possible with a
+simple host device assignment pass-through.
+
+You can specify the host U2F key to use with the ``hidraw``
+option, which takes the host path to a Linux ``/dev/hidrawN`` device:
+
+.. parsed-literal::
+   |qemu_system| -usb -device u2f-passthru,hidraw=/dev/hidraw0
+
+If you don't specify the device, the ``u2f-passthru`` device will
+autoscan to take the first U2F device it finds on the host (this
+requires a working libudev):
+
+.. parsed-literal::
+   |qemu_system| -usb -device u2f-passthru
+
+``u2f-emulated``
+----------------
+
+``u2f-emulated`` is a completely software emulated U2F device.
+It uses `libu2f-emu <https://github.com/MattGorko/libu2f-emu>`__
+for the U2F key emulation. libu2f-emu
+provides a complete implementation of the U2F protocol device part for
+all specified transports given by the FIDO Alliance.
+
+To work, an emulated U2F device must have four elements:
+
+ * ec x509 certificate
+ * ec private key
+ * counter (four bytes value)
+ * 48 bytes of entropy (random bits)
+
+To use this type of device, these have to be configured, and these
+four elements must be passed one way or another.
+
+Assuming that you have a working libu2f-emu installed on the host,
+there are three possible ways to configure the ``u2f-emulated`` device:
+
+ * ephemeral
+ * setup directory
+ * manual
+
+Ephemeral is the simplest way to configure; it lets the device generate
+all the elements it needs for a single use of the lifetime of the device.
+It is the default if you do not pass any other options to the device.
+
+.. parsed-literal::
+   |qemu_system| -usb -device u2f-emulated
+
+You can pass the device the path of a setup directory on the host
+using the ``dir`` option; the directory must contain these four files:
+
+ * ``certificate.pem``: ec x509 certificate
+ * ``private-key.pem``: ec private key
+ * ``counter``: counter value
+ * ``entropy``: 48 bytes of entropy
+
+.. parsed-literal::
+   |qemu_system| -usb -device u2f-emulated,dir=$dir
+
+You can also manually pass the device the paths to each of these files,
+if you don't want them all to be in the same directory, using the options
+
+ * ``cert``
+ * ``priv``
+ * ``counter``
+ * ``entropy``
+
+.. parsed-literal::
+   |qemu_system| -usb -device u2f-emulated,cert=$DIR1/$FILE1,priv=$DIR2/$FILE2,counter=$DIR3/$FILE3,entropy=$DIR4/$FILE4
diff --git a/docs/system/devices/usb.rst b/docs/system/devices/usb.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/devices/usb.rst
+++ b/docs/system/devices/usb.rst
@@ -XXX,XX +XXX,XX @@ option or the ``device_add`` monitor command. Available devices are:
    USB audio device
 
 ``u2f-{emulated,passthru}``
-   Universal Second Factor device
+   :doc:`usb-u2f`
 
 ``canokey``
    An Open-source Secure Key implementing FIDO2, OpenPGP, PIV and more.
diff --git a/docs/u2f.txt b/docs/u2f.txt
deleted file mode 100644
index XXXXXXX..XXXXXXX
--- a/docs/u2f.txt
+++ /dev/null
@@ -XXX,XX +XXX,XX @@
-QEMU U2F Key Device Documentation.
-
-Contents
-1. USB U2F key device
-2. Building
-3. Using u2f-emulated
-4. Using u2f-passthru
-5. Libu2f-emu
-
-1. USB U2F key device
-
-U2F is an open authentication standard that enables relying parties
-exposed to the internet to offer a strong second factor option for end
-user authentication.
-
-The standard brings many advantages to both parties, client and server,
-allowing to reduce over-reliance on passwords, it increases authentication
-security and simplifies passwords.
-
-The second factor is materialized by a device implementing the U2F
-protocol. In case of a USB U2F security key, it is a USB HID device
-that implements the U2F protocol.
-
-In QEMU, the USB U2F key device offers a dedicated support of U2F, allowing
-guest USB FIDO/U2F security keys operating in two possible modes:
-pass-through and emulated.
-
-The pass-through mode consists of passing all requests made from the guest
-to the physical security key connected to the host machine and vice versa.
-In addition, the dedicated pass-through allows to have a U2F security key
-shared on several guests which is not possible with a simple host device
-assignment pass-through.
-
-The emulated mode consists of completely emulating the behavior of an
-U2F device through software part. Libu2f-emu is used for that.
-
-
-2. Building
-
-To ensure the build of the u2f-emulated device variant which depends
-on libu2f-emu: configuring and building:
-
-    ./configure --enable-u2f && make
-
-The pass-through mode is built by default on Linux. To take advantage
-of the autoscan option it provides, make sure you have a working libudev
-installed on the host.
-
-
-3. Using u2f-emulated
-
-To work, an emulated U2F device must have four elements:
- * ec x509 certificate
- * ec private key
- * counter (four bytes value)
- * 48 bytes of entropy (random bits)
-
-To use this type of device, this one has to be configured, and these
-four elements must be passed one way or another.
-
-Assuming that you have a working libu2f-emu installed on the host.
-There are three possible ways of configurations:
- * ephemeral
- * setup directory
- * manual
-
-Ephemeral is the simplest way to configure, it lets the device generate
-all the elements it needs for a single use of the lifetime of the device.
-
-    qemu -usb -device u2f-emulated
-
-Setup directory allows to configure the device from a directory containing
-four files:
- * certificate.pem: ec x509 certificate
- * private-key.pem: ec private key
- * counter: counter value
- * entropy: 48 bytes of entropy
-
-    qemu -usb -device u2f-emulated,dir=$dir
-
-Manual allows to configure the device more finely by specifying each
-of the elements necessary for the device:
- * cert
- * priv
- * counter
- * entropy
-
-    qemu -usb -device u2f-emulated,cert=$DIR1/$FILE1,priv=$DIR2/$FILE2,counter=$DIR3/$FILE3,entropy=$DIR4/$FILE4
-
-
-4. Using u2f-passthru
-
-On the host specify the u2f-passthru device with a suitable hidraw:
-
-    qemu -usb -device u2f-passthru,hidraw=/dev/hidraw0
-
-Alternately, the u2f-passthru device can autoscan to take the first
-U2F device it finds on the host (this requires a working libudev):
-
-    qemu -usb -device u2f-passthru
-
-
-5. Libu2f-emu
-
-The u2f-emulated device uses libu2f-emu for the U2F key emulation. Libu2f-emu
-implements completely the U2F protocol device part for all specified
-transport given by the FIDO Alliance.
-
-For more information about libu2f-emu see this page:
-https://github.com/MattGorko/libu2f-emu.
-- 
2.34.1

The following changes since commit 5767815218efd3cbfd409505ed824d5f356044ae:

Merge tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu into staging (2024-02-14 15:45:52 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240215

for you to fetch changes up to f780e63fe731b058fe52d43653600d8729a1b5f2:

docs: Add documentation for the mps3-an536 board (2024-02-15 14:32:39 +0000)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/xilinx_zynq: Wire FIQ between CPU <> GIC
 * linux-user/aarch64: Choose SYNC as the preferred MTE mode
 * Fix some errors in SVE/SME handling of MTE tags
 * hw/pci-host/raven.c: Mark raven_io_ops as implementing unaligned accesses
 * hw/block/tc58128: Don't emit deprecation warning under qtest
 * tests/qtest: Fix handling of npcm7xx and GMAC tests
 * hw/arm/virt: Wire up non-secure EL2 virtual timer IRQ
 * tests/qtest/npcm7xx_emc-test: Connect all NICs to a backend
 * Don't assert on vmload/vmsave of M-profile CPUs
 * hw/arm/smmuv3: add support for stage 1 access fault
 * hw/arm/stellaris: QOM cleanups
 * Use new CBAR encoding for all v8 CPUs, not all aarch64 CPUs
 * Improve Cortex_R52 IMPDEF sysreg modelling
 * Allow access to SPSR_hyp from hyp mode
 * New board model mps3-an536 (Cortex-R52)

----------------------------------------------------------------
Luc Michel (1):
      hw/arm/smmuv3: add support for stage 1 access fault

Nabih Estefan (1):
      tests/qtest: Fix GMAC test to run on a machine in upstream QEMU

Peter Maydell (22):
      hw/pci-host/raven.c: Mark raven_io_ops as implementing unaligned accesses
      hw/block/tc58128: Don't emit deprecation warning under qtest
      tests/qtest/meson.build: Don't include qtests_npcm7xx in qtests_aarch64
      tests/qtest/bios-tables-test: Allow changes to virt GTDT
      hw/arm/virt: Wire up non-secure EL2 virtual timer IRQ
      tests/qtest/bios-tables-tests: Update virt golden reference
      hw/arm/npcm7xx: Call qemu_configure_nic_device() for GMAC modules
      tests/qtest/npcm7xx_emc-test: Connect all NICs to a backend
      target/arm: Don't get MDCR_EL2 in pmu_counter_enabled() before checking ARM_FEATURE_PMU
      target/arm: Use new CBAR encoding for all v8 CPUs, not all aarch64 CPUs
      target/arm: The Cortex-R52 has a read-only CBAR
      target/arm: Add Cortex-R52 IMPDEF sysregs
      target/arm: Allow access to SPSR_hyp from hyp mode
      hw/misc/mps2-scc: Fix condition for CFG3 register
      hw/misc/mps2-scc: Factor out which-board conditionals
      hw/misc/mps2-scc: Make changes needed for AN536 FPGA image
      hw/arm/mps3r: Initial skeleton for mps3-an536 board
      hw/arm/mps3r: Add CPUs, GIC, and per-CPU RAM
      hw/arm/mps3r: Add UARTs
      hw/arm/mps3r: Add GPIO, watchdog, dual-timer, I2C devices
      hw/arm/mps3r: Add remaining devices
      docs: Add documentation for the mps3-an536 board

Philippe Mathieu-Daudé (5):
      hw/arm/xilinx_zynq: Wire FIQ between CPU <> GIC
      hw/arm/stellaris: Convert ADC controller to Resettable interface
      hw/arm/stellaris: Convert I2C controller to Resettable interface
      hw/arm/stellaris: Add missing QOM 'machine' parent
      hw/arm/stellaris: Add missing QOM 'SoC' parent

Richard Henderson (6):
      linux-user/aarch64: Choose SYNC as the preferred MTE mode
      target/arm: Fix nregs computation in do_{ld,st}_zpa
      target/arm: Adjust and validate mtedesc sizem1
      target/arm: Split out make_svemte_desc
      target/arm: Handle mte in do_ldrq, do_ldro
      target/arm: Fix SVE/SME gross MTE suppression checks

From: Philippe Mathieu-Daudé <philmd@linaro.org>

Similarly to commits dadbb58f59..5ae79fe825 for other ARM boards,
connect FIQ output of the GIC CPU interfaces to the CPU.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240130152548.17855-1-philmd@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/xilinx_zynq.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/arm/xilinx_zynq.c b/hw/arm/xilinx_zynq.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xilinx_zynq.c
+++ b/hw/arm/xilinx_zynq.c
@@ -XXX,XX +XXX,XX @@ static void zynq_init(MachineState *machine)
     sysbus_mmio_map(busdev, 0, MPCORE_PERIPHBASE);
     sysbus_connect_irq(busdev, 0,
                        qdev_get_gpio_in(DEVICE(cpu), ARM_CPU_IRQ));
+    sysbus_connect_irq(busdev, 1,
+                       qdev_get_gpio_in(DEVICE(cpu), ARM_CPU_FIQ));
 
     for (n = 0; n < 64; n++) {
         pic[n] = qdev_get_gpio_in(dev, n);
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

The API does not generate an error for setting ASYNC | SYNC; that merely
constrains the selection vs the per-cpu default.  For qemu linux-user,
choose SYNC as the default.

Cc: qemu-stable@nongnu.org
Reported-by: Gustavo Romero <gustavo.romero@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Gustavo Romero <gustavo.romero@linaro.org>
Message-id: 20240207025210.8837-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/target_prctl.h | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/target_prctl.h
+++ b/linux-user/aarch64/target_prctl.h
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_set_tagged_addr_ctrl(CPUArchState *env, abi_long arg2)
     env->tagged_addr_enable = arg2 & PR_TAGGED_ADDR_ENABLE;
 
     if (cpu_isar_feature(aa64_mte, cpu)) {
-        switch (arg2 & PR_MTE_TCF_MASK) {
-        case PR_MTE_TCF_NONE:
-        case PR_MTE_TCF_SYNC:
-        case PR_MTE_TCF_ASYNC:
-            break;
-        default:
-            return -EINVAL;
-        }
-
         /*
          * Write PR_MTE_TCF to SCTLR_EL1[TCF0].
-         * Note that the syscall values are consistent with hw.
+         *
+         * The kernel has a per-cpu configuration for the sysadmin,
+         * /sys/devices/system/cpu/cpu<N>/mte_tcf_preferred,
+         * which qemu does not implement.
+         *
+         * Because there is no performance difference between the modes, and
+         * because SYNC is most useful for debugging MTE errors, choose SYNC
+         * as the preferred mode.  With this preference, and the way the API
+         * uses only two bits, there is no way for the program to select
+         * ASYMM mode.
          */
-        env->cp15.sctlr_el[1] =
-            deposit64(env->cp15.sctlr_el[1], 38, 2, arg2 >> PR_MTE_TCF_SHIFT);
+        unsigned tcf = 0;
+        if (arg2 & PR_MTE_TCF_SYNC) {
+            tcf = 1;
+        } else if (arg2 & PR_MTE_TCF_ASYNC) {
+            tcf = 2;
+        }
+        env->cp15.sctlr_el[1] = deposit64(env->cp15.sctlr_el[1], 38, 2, tcf);
 
         /*
          * Write PR_MTE_TAG to GCR_EL1[Exclude].
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

The field is encoded as [0-3], which is convenient for
indexing our array of function pointers, but the true
value is [1-4].  Adjust before calling do_mem_zpa.

Add an assert, and move the comment re passing ZT to
the helper back next to the relevant code.

Cc: qemu-stable@nongnu.org
Fixes: 206adacfb8d ("target/arm: Add mte helpers for sve scalar + int loads")
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Gustavo Romero <gustavo.romero@linaro.org>
Message-id: 20240207025210.8837-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/translate-sve.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-sve.c
+++ b/target/arm/tcg/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
     TCGv_ptr t_pg;
     int desc = 0;
 
-    /*
-     * For e.g. LD4, there are not enough arguments to pass all 4
-     * registers as pointers, so encode the regno into the data field.
-     * For consistency, do this even for LD1.
-     */
+    assert(mte_n >= 1 && mte_n <= 4);
     if (s->mte_active[0]) {
         int msz = dtype_msz(dtype);
 
@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
         addr = clean_data_tbi(s, addr);
     }
 
+    /*
+     * For e.g. LD4, there are not enough arguments to pass all 4
+     * registers as pointers, so encode the regno into the data field.
+     * For consistency, do this even for LD1.
+     */
     desc = simd_desc(vsz, vsz, zt | desc);
     t_pg = tcg_temp_new_ptr();
 
@@ -XXX,XX +XXX,XX @@ static void do_ld_zpa(DisasContext *s, int zt, int pg,
      * accessible via the instruction encoding.
      */
     assert(fn != NULL);
-    do_mem_zpa(s, zt, pg, addr, dtype, nreg, false, fn);
+    do_mem_zpa(s, zt, pg, addr, dtype, nreg + 1, false, fn);
 }
 
 static bool trans_LD_zprr(DisasContext *s, arg_rprr_load *a)
@@ -XXX,XX +XXX,XX @@ static void do_st_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
     if (nreg == 0) {
         /* ST1 */
         fn = fn_single[s->mte_active[0]][be][msz][esz];
-        nreg = 1;
     } else {
         /* ST2, ST3, ST4 -- msz == esz, enforced by encoding */
         assert(msz == esz);
         fn = fn_multiple[s->mte_active[0]][be][nreg - 1][msz];
     }
     assert(fn != NULL);
-    do_mem_zpa(s, zt, pg, addr, msz_dtype(s, msz), nreg, true, fn);
+    do_mem_zpa(s, zt, pg, addr, msz_dtype(s, msz), nreg + 1, true, fn);
 }
 
 static bool trans_ST_zprr(DisasContext *s, arg_rprr_store *a)
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

When we added SVE_MTEDESC_SHIFT, we effectively limited the
maximum size of MTEDESC.  Adjust SIZEM1 to consume the remaining
bits (32 - 10 - 5 - 12 == 5).  Assert that the data to be stored
fits within the field (expecting 8 * 4 - 1 == 31, exact fit).

Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Gustavo Romero <gustavo.romero@linaro.org>
Message-id: 20240207025210.8837-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h         | 2 +-
 target/arm/tcg/translate-sve.c | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ FIELD(MTEDESC, TBI,   4, 2)
 FIELD(MTEDESC, TCMA,  6, 2)
 FIELD(MTEDESC, WRITE, 8, 1)
 FIELD(MTEDESC, ALIGN, 9, 3)
-FIELD(MTEDESC, SIZEM1, 12, SIMD_DATA_BITS - 12)  /* size - 1 */
+FIELD(MTEDESC, SIZEM1, 12, SIMD_DATA_BITS - SVE_MTEDESC_SHIFT - 12)  /* size - 1 */
 
 bool mte_probe(CPUARMState *env, uint32_t desc, uint64_t ptr);
 uint64_t mte_check(CPUARMState *env, uint32_t desc, uint64_t ptr, uintptr_t ra);
diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-sve.c
+++ b/target/arm/tcg/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
 {
     unsigned vsz = vec_full_reg_size(s);
     TCGv_ptr t_pg;
+    uint32_t sizem1;
     int desc = 0;
 
     assert(mte_n >= 1 && mte_n <= 4);
+    sizem1 = (mte_n << dtype_msz(dtype)) - 1;
+    assert(sizem1 <= R_MTEDESC_SIZEM1_MASK >> R_MTEDESC_SIZEM1_SHIFT);
     if (s->mte_active[0]) {
-        int msz = dtype_msz(dtype);
-
         desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
         desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
         desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
         desc = FIELD_DP32(desc, MTEDESC, WRITE, is_write);
-        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (mte_n << msz) - 1);
+        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, sizem1);
         desc <<= SVE_MTEDESC_SHIFT;
     } else {
         addr = clean_data_tbi(s, addr);
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Share code that creates mtedesc and embeds within simd_desc.

Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Gustavo Romero <gustavo.romero@linaro.org>
Message-id: 20240207025210.8837-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/translate-a64.h |  2 ++
 target/arm/tcg/translate-sme.c | 15 +++--------
 target/arm/tcg/translate-sve.c | 47 ++++++++++++++++++----------------
 3 files changed, 31 insertions(+), 33 deletions(-)

diff --git a/target/arm/tcg/translate-a64.h b/target/arm/tcg/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.h
+++ b/target/arm/tcg/translate-a64.h
@@ -XXX,XX +XXX,XX @@ bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
 bool sve_access_check(DisasContext *s);
 bool sme_enabled_check(DisasContext *s);
 bool sme_enabled_check_with_svcr(DisasContext *s, unsigned);
+uint32_t make_svemte_desc(DisasContext *s, unsigned vsz, uint32_t nregs,
+                          uint32_t msz, bool is_write, uint32_t data);
 
 /* This function corresponds to CheckStreamingSVEEnabled. */
 static inline bool sme_sm_enabled_check(DisasContext *s)
diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-sme.c
+++ b/target/arm/tcg/translate-sme.c
@@ -XXX,XX +XXX,XX @@ static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
 
     TCGv_ptr t_za, t_pg;
     TCGv_i64 addr;
-    int svl, desc = 0;
+    uint32_t desc;
     bool be = s->be_data == MO_BE;
     bool mte = s->mte_active[0];
 
@@ -XXX,XX +XXX,XX @@ static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
     tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), a->esz);
     tcg_gen_add_i64(addr, addr, cpu_reg_sp(s, a->rn));
 
-    if (mte) {
-        desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
-        desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
-        desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
-        desc = FIELD_DP32(desc, MTEDESC, WRITE, a->st);
-        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (1 << a->esz) - 1);
-        desc <<= SVE_MTEDESC_SHIFT;
-    } else {
+    if (!mte) {
         addr = clean_data_tbi(s, addr);
     }
-    svl = streaming_vec_reg_size(s);
-    desc = simd_desc(svl, svl, desc);
+
+    desc = make_svemte_desc(s, streaming_vec_reg_size(s), 1, a->esz, a->st, 0);
 
     fns[a->esz][be][a->v][mte][a->st](tcg_env, t_za, t_pg, addr,
                                       tcg_constant_i32(desc));
diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-sve.c
+++ b/target/arm/tcg/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static const uint8_t dtype_esz[16] = {
     3, 2, 1, 3
 };
 
-static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
-                       int dtype, uint32_t mte_n, bool is_write,
-                       gen_helper_gvec_mem *fn)
+uint32_t make_svemte_desc(DisasContext *s, unsigned vsz, uint32_t nregs,
+                          uint32_t msz, bool is_write, uint32_t data)
 {
-    unsigned vsz = vec_full_reg_size(s);
-    TCGv_ptr t_pg;
     uint32_t sizem1;
-    int desc = 0;
+    uint32_t desc = 0;
 
-    assert(mte_n >= 1 && mte_n <= 4);
-    sizem1 = (mte_n << dtype_msz(dtype)) - 1;
+    /* Assert all of the data fits, with or without MTE enabled. */
+    assert(nregs >= 1 && nregs <= 4);
+    sizem1 = (nregs << msz) - 1;
     assert(sizem1 <= R_MTEDESC_SIZEM1_MASK >> R_MTEDESC_SIZEM1_SHIFT);
+    assert(data < 1u << SVE_MTEDESC_SHIFT);
+
     if (s->mte_active[0]) {
         desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
         desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
         desc = FIELD_DP32(desc, MTEDESC, WRITE, is_write);
         desc = FIELD_DP32(desc, MTEDESC, SIZEM1, sizem1);
         desc <<= SVE_MTEDESC_SHIFT;
-    } else {
+    }
+    return simd_desc(vsz, vsz, desc | data);
+}
+
+static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
+                       int dtype, uint32_t nregs, bool is_write,
+                       gen_helper_gvec_mem *fn)
+{
+    TCGv_ptr t_pg;
+    uint32_t desc;
+
+    if (!s->mte_active[0]) {
         addr = clean_data_tbi(s, addr);
     }
 
@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
      * registers as pointers, so encode the regno into the data field.
      * For consistency, do this even for LD1.
      */
-    desc = simd_desc(vsz, vsz, zt | desc);
+    desc = make_svemte_desc(s, vec_full_reg_size(s), nregs,
+                            dtype_msz(dtype), is_write, zt);
     t_pg = tcg_temp_new_ptr();
 
     tcg_gen_addi_ptr(t_pg, tcg_env, pred_full_reg_offset(s, pg));
@@ -XXX,XX +XXX,XX @@ static void do_mem_zpz(DisasContext *s, int zt, int pg, int zm,
                        int scale, TCGv_i64 scalar, int msz, bool is_write,
                        gen_helper_gvec_mem_scatter *fn)
 {
-    unsigned vsz = vec_full_reg_size(s);
     TCGv_ptr t_zm = tcg_temp_new_ptr();
     TCGv_ptr t_pg = tcg_temp_new_ptr();
     TCGv_ptr t_zt = tcg_temp_new_ptr();
-    int desc = 0;
-
-    if (s->mte_active[0]) {
-        desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
-        desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
-        desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
-        desc = FIELD_DP32(desc, MTEDESC, WRITE, is_write);
-        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (1 << msz) - 1);
-        desc <<= SVE_MTEDESC_SHIFT;
-    }
-    desc = simd_desc(vsz, vsz, desc | scale);
+    uint32_t desc;
 
     tcg_gen_addi_ptr(t_pg, tcg_env, pred_full_reg_offset(s, pg));
     tcg_gen_addi_ptr(t_zm, tcg_env, vec_full_reg_offset(s, zm));
     tcg_gen_addi_ptr(t_zt, tcg_env, vec_full_reg_offset(s, zt));
+
+    desc = make_svemte_desc(s, vec_full_reg_size(s), 1, msz, is_write, scale);
     fn(tcg_env, t_zt, t_pg, t_zm, scalar, tcg_constant_i32(desc));
 }
 
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

These functions "use the standard load helpers", but
fail to clean_data_tbi or populate mtedesc.

Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Gustavo Romero <gustavo.romero@linaro.org>
Message-id: 20240207025210.8837-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/translate-sve.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-sve.c
+++ b/target/arm/tcg/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static void do_ldrq(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)
     unsigned vsz = vec_full_reg_size(s);
     TCGv_ptr t_pg;
     int poff;
+    uint32_t desc;
 
     /* Load the first quadword using the normal predicated load helpers.  */
+    if (!s->mte_active[0]) {
+        addr = clean_data_tbi(s, addr);
+    }
+
     poff = pred_full_reg_offset(s, pg);
     if (vsz > 16) {
         /*
@@ -XXX,XX +XXX,XX @@ static void do_ldrq(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)
 
     gen_helper_gvec_mem *fn
         = ldr_fns[s->mte_active[0]][s->be_data == MO_BE][dtype][0];
-    fn(tcg_env, t_pg, addr, tcg_constant_i32(simd_desc(16, 16, zt)));
+    desc = make_svemte_desc(s, 16, 1, dtype_msz(dtype), false, zt);
+    fn(tcg_env, t_pg, addr, tcg_constant_i32(desc));
 
     /* Replicate that first quadword.  */
     if (vsz > 16) {
@@ -XXX,XX +XXX,XX @@ static void do_ldro(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)
     unsigned vsz_r32;
     TCGv_ptr t_pg;
     int poff, doff;
+    uint32_t desc;
 
     if (vsz < 32) {
         /*
@@ -XXX,XX +XXX,XX @@ static void do_ldro(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)
     }
 
     /* Load the first octaword using the normal predicated load helpers.  */
+    if (!s->mte_active[0]) {
+        addr = clean_data_tbi(s, addr);
+    }
 
     poff = pred_full_reg_offset(s, pg);
     if (vsz > 32) {
@@ -XXX,XX +XXX,XX @@ static void do_ldro(DisasContext *s, int zt, int pg, TCGv_i64 addr, int dtype)
 
     gen_helper_gvec_mem *fn
         = ldr_fns[s->mte_active[0]][s->be_data == MO_BE][dtype][0];
-    fn(tcg_env, t_pg, addr, tcg_constant_i32(simd_desc(32, 32, zt)));
+    desc = make_svemte_desc(s, 32, 1, dtype_msz(dtype), false, zt);
+    fn(tcg_env, t_pg, addr, tcg_constant_i32(desc));
 
     /*
      * Replicate that first octaword.
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

The TBI and TCMA bits are located within mtedesc, not desc.

Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Gustavo Romero <gustavo.romero@linaro.org>
Message-id: 20240207025210.8837-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/sme_helper.c |  8 ++++----
 target/arm/tcg/sve_helper.c | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/sme_helper.c
+++ b/target/arm/tcg/sme_helper.c
@@ -XXX,XX +XXX,XX @@ void sme_ld1_mte(CPUARMState *env, void *za, uint64_t *vg,
     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
 
     /* Perform gross MTE suppression early. */
-    if (!tbi_check(desc, bit55) ||
-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
+    if (!tbi_check(mtedesc, bit55) ||
+        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
         mtedesc = 0;
     }
 
@@ -XXX,XX +XXX,XX @@ void sme_st1_mte(CPUARMState *env, void *za, uint64_t *vg, target_ulong addr,
     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
 
     /* Perform gross MTE suppression early. */
-    if (!tbi_check(desc, bit55) ||
-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
+    if (!tbi_check(mtedesc, bit55) ||
+        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
         mtedesc = 0;
     }
 
diff --git a/target/arm/tcg/sve_helper.c b/target/arm/tcg/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/sve_helper.c
+++ b/target/arm/tcg/sve_helper.c
@@ -XXX,XX +XXX,XX @@ void sve_ldN_r_mte(CPUARMState *env, uint64_t *vg, target_ulong addr,
     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
 
     /* Perform gross MTE suppression early. */
-    if (!tbi_check(desc, bit55) ||
-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
+    if (!tbi_check(mtedesc, bit55) ||
+        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
         mtedesc = 0;
     }
 
@@ -XXX,XX +XXX,XX @@ void sve_ldnfff1_r_mte(CPUARMState *env, void *vg, target_ulong addr,
     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
 
     /* Perform gross MTE suppression early. */
-    if (!tbi_check(desc, bit55) ||
-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
+    if (!tbi_check(mtedesc, bit55) ||
+        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
         mtedesc = 0;
     }
 
@@ -XXX,XX +XXX,XX @@ void sve_stN_r_mte(CPUARMState *env, uint64_t *vg, target_ulong addr,
     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
 
     /* Perform gross MTE suppression early. */
-    if (!tbi_check(desc, bit55) ||
-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
+    if (!tbi_check(mtedesc, bit55) ||
+        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
         mtedesc = 0;
     }
 
-- 
2.34.1

The raven_io_ops MemoryRegionOps is the only one in the source tree
which sets .valid.unaligned to indicate that it should support
unaligned accesses and which does not also set .impl.unaligned to
indicate that its read and write functions can do the unaligned
handling themselves.  This is a problem, because at the moment the
core memory system does not implement the support for handling
unaligned accesses by doing a series of aligned accesses and
combining them (system/memory.c:access_with_adjusted_size() has a
TODO comment noting this).

Fortunately raven_io_read() and raven_io_write() will correctly deal
with the case of being passed an unaligned address, so we can fix the
missing unaligned access support by setting .impl.unaligned in the
MemoryRegionOps struct.

Fixes: 9a1839164c9c8f06 ("raven: Implement non-contiguous I/O region")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Message-id: 20240112134640.1775041-1-peter.maydell@linaro.org
---
 hw/pci-host/raven.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/pci-host/raven.c b/hw/pci-host/raven.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/pci-host/raven.c
+++ b/hw/pci-host/raven.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps raven_io_ops = {
     .write = raven_io_write,
     .endianness = DEVICE_LITTLE_ENDIAN,
     .impl.max_access_size = 4,
+    .impl.unaligned = true,
     .valid.unaligned = true,
 };
 
-- 
2.34.1

We deliberately don't include qtests_npcm7xx in qtests_aarch64,
because we already get the coverage of those tests via qtests_arm,
and we don't want to use extra CI minutes testing them twice.

In commit 327b680877b79c4b we added it to qtests_aarch64; revert
that change.

Fixes: 327b680877b79c4b ("tests/qtest: Creating qtest for GMAC Module")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240206163043.315535-1-peter.maydell@linaro.org
---
 tests/qtest/meson.build | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -XXX,XX +XXX,XX @@ qtests_aarch64 = \
   (config_all_devices.has_key('CONFIG_RASPI') ? ['bcm2835-dma-test'] : []) +  \
   (config_all_accel.has_key('CONFIG_TCG') and                                            \
    config_all_devices.has_key('CONFIG_TPM_TIS_I2C') ? ['tpm-tis-i2c-test'] : []) + \
-  (config_all_devices.has_key('CONFIG_NPCM7XX') ? qtests_npcm7xx : []) + \
   ['arm-cpu-features',
    'numa-test',
    'boot-serial-test',
-- 
2.34.1

Armv8.1+ CPUs have the Virtual Host Extension (VHE) which adds a
non-secure EL2 virtual timer.  We implemented the timer itself in the
CPU model, but never wired up its IRQ line to the GIC.

Wire up the IRQ line (this is always safe whether the CPU has the
interrupt or not, since it always creates the outbound IRQ line).
Report it to the guest via dtb and ACPI if the CPU has the feature.

The DTB binding is documented in the kernel's
Documentation/devicetree/bindings/timer/arm\,arch_timer.yaml
and the ACPI table entries are documented in the ACPI specification
version 6.3 or later.

Because the IRQ line ACPI binding is new in 6.3, we need to bump the
FADT table rev to show that we might be using 6.3 features.

Note that exposing this IRQ in the DTB will trigger a bug in EDK2
versions prior to edk2-stable202311, for users who use the virt board
with 'virtualization=on' to enable EL2 emulation and are booting an
EDK2 guest BIOS, if that EDK2 has assertions enabled.  The effect is
that EDK2 will assert on bootup:

ASSERT [ArmTimerDxe] /home/kraxel/projects/qemu/roms/edk2/ArmVirtPkg/Library/ArmVirtTimerFdtClientLib/ArmVirtTimerFdtClientLib.c(72): PropSize == 36 || PropSize == 48

If you see that assertion you should do one of:
 * update your EDK2 binaries to edk2-stable202311 or newer
 * use the 'virt-8.2' versioned machine type
 * not use 'virtualization=on'

(The versions shipped with QEMU itself have the fix.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Message-id: 20240122143537.233498-3-peter.maydell@linaro.org
---
 include/hw/arm/virt.h    |  2 ++
 hw/arm/virt-acpi-build.c | 20 ++++++++++----
 hw/arm/virt.c            | 60 ++++++++++++++++++++++++++++++++++------
 3 files changed, 67 insertions(+), 15 deletions(-)

diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -XXX,XX +XXX,XX @@ struct VirtMachineClass {
     /* Machines < 6.2 have no support for describing cpu topology to guest */
     bool no_cpu_topology;
     bool no_tcg_lpa2;
+    bool no_ns_el2_virt_timer_irq;
 };
 
 struct VirtMachineState {
@@ -XXX,XX +XXX,XX @@ struct VirtMachineState {
     PCIBus *bus;
     char *oem_id;
     char *oem_table_id;
+    bool ns_el2_virt_timer_irq;
 };
 
 #define VIRT_ECAM_ID(high) (high ? VIRT_HIGH_PCIE_ECAM : VIRT_PCIE_ECAM)
diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ build_srat(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
 }
 
 /*
- * ACPI spec, Revision 5.1
- * 5.2.24 Generic Timer Description Table (GTDT)
+ * ACPI spec, Revision 6.5
+ * 5.2.25 Generic Timer Description Table (GTDT)
  */
 static void
 build_gtdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
@@ -XXX,XX +XXX,XX @@ build_gtdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
     uint32_t irqflags = vmc->claim_edge_triggered_timers ?
         1 : /* Interrupt is Edge triggered */
         0;  /* Interrupt is Level triggered  */
-    AcpiTable table = { .sig = "GTDT", .rev = 2, .oem_id = vms->oem_id,
+    AcpiTable table = { .sig = "GTDT", .rev = 3, .oem_id = vms->oem_id,
                         .oem_table_id = vms->oem_table_id };
 
     acpi_table_begin(&table, table_data);
@@ -XXX,XX +XXX,XX @@ build_gtdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
     build_append_int_noprefix(table_data, 0, 4);
     /* Platform Timer Offset */
     build_append_int_noprefix(table_data, 0, 4);
-
+    if (vms->ns_el2_virt_timer_irq) {
+        /* Virtual EL2 Timer GSIV */
+        build_append_int_noprefix(table_data, ARCH_TIMER_NS_EL2_VIRT_IRQ, 4);
+        /* Virtual EL2 Timer Flags */
+        build_append_int_noprefix(table_data, irqflags, 4);
+    } else {
+        build_append_int_noprefix(table_data, 0, 4);
+        build_append_int_noprefix(table_data, 0, 4);
+    }
     acpi_table_end(linker, &table);
 }
 
@@ -XXX,XX +XXX,XX @@ build_madt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
 static void build_fadt_rev6(GArray *table_data, BIOSLinker *linker,
                             VirtMachineState *vms, unsigned dsdt_tbl_offset)
 {
-    /* ACPI v6.0 */
+    /* ACPI v6.3 */
     AcpiFadtData fadt = {
         .rev = 6,
-        .minor_ver = 0,
+        .minor_ver = 3,
         .flags = 1 << ACPI_FADT_F_HW_REDUCED_ACPI,
         .xdsdt_tbl_offset = &dsdt_tbl_offset,
     };
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void create_randomness(MachineState *ms, const char *node)
     qemu_fdt_setprop(ms->fdt, node, "rng-seed", seed.rng, sizeof(seed.rng));
 }
 
+/*
+ * The CPU object always exposes the NS EL2 virt timer IRQ line,
+ * but we don't want to advertise it to the guest in the dtb or ACPI
+ * table unless it's really going to do something.
+ */
+static bool ns_el2_virt_timer_present(void)
+{
+    ARMCPU *cpu = ARM_CPU(qemu_get_cpu(0));
+    CPUARMState *env = &cpu->env;
+
+    return arm_feature(env, ARM_FEATURE_AARCH64) &&
+        arm_feature(env, ARM_FEATURE_EL2) && cpu_isar_feature(aa64_vh, cpu);
+}
+
 static void create_fdt(VirtMachineState *vms)
 {
     MachineState *ms = MACHINE(vms);
@@ -XXX,XX +XXX,XX @@ static void fdt_add_timer_nodes(const VirtMachineState *vms)
                                 "arm,armv7-timer");
     }
     qemu_fdt_setprop(ms->fdt, "/timer", "always-on", NULL, 0);
-    qemu_fdt_setprop_cells(ms->fdt, "/timer", "interrupts",
-                           GIC_FDT_IRQ_TYPE_PPI,
-                           INTID_TO_PPI(ARCH_TIMER_S_EL1_IRQ), irqflags,
-                           GIC_FDT_IRQ_TYPE_PPI,
-                           INTID_TO_PPI(ARCH_TIMER_NS_EL1_IRQ), irqflags,
-                           GIC_FDT_IRQ_TYPE_PPI,
-                           INTID_TO_PPI(ARCH_TIMER_VIRT_IRQ), irqflags,
-                           GIC_FDT_IRQ_TYPE_PPI,
-                           INTID_TO_PPI(ARCH_TIMER_NS_EL2_IRQ), irqflags);
+    if (vms->ns_el2_virt_timer_irq) {
+        qemu_fdt_setprop_cells(ms->fdt, "/timer", "interrupts",
+                               GIC_FDT_IRQ_TYPE_PPI,
+                               INTID_TO_PPI(ARCH_TIMER_S_EL1_IRQ), irqflags,
+                               GIC_FDT_IRQ_TYPE_PPI,
+                               INTID_TO_PPI(ARCH_TIMER_NS_EL1_IRQ), irqflags,
+                               GIC_FDT_IRQ_TYPE_PPI,
+                               INTID_TO_PPI(ARCH_TIMER_VIRT_IRQ), irqflags,
+                               GIC_FDT_IRQ_TYPE_PPI,
+                               INTID_TO_PPI(ARCH_TIMER_NS_EL2_IRQ), irqflags,
+                               GIC_FDT_IRQ_TYPE_PPI,
+                               INTID_TO_PPI(ARCH_TIMER_NS_EL2_VIRT_IRQ), irqflags);
+    } else {
+        qemu_fdt_setprop_cells(ms->fdt, "/timer", "interrupts",
+                               GIC_FDT_IRQ_TYPE_PPI,
+                               INTID_TO_PPI(ARCH_TIMER_S_EL1_IRQ), irqflags,
+                               GIC_FDT_IRQ_TYPE_PPI,
+                               INTID_TO_PPI(ARCH_TIMER_NS_EL1_IRQ), irqflags,
+                               GIC_FDT_IRQ_TYPE_PPI,
+                               INTID_TO_PPI(ARCH_TIMER_VIRT_IRQ), irqflags,
+                               GIC_FDT_IRQ_TYPE_PPI,
+                               INTID_TO_PPI(ARCH_TIMER_NS_EL2_IRQ), irqflags);
+    }
 }
 
 static void fdt_add_cpu_nodes(const VirtMachineState *vms)
@@ -XXX,XX +XXX,XX @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
             [GTIMER_VIRT] = ARCH_TIMER_VIRT_IRQ,
             [GTIMER_HYP]  = ARCH_TIMER_NS_EL2_IRQ,
             [GTIMER_SEC]  = ARCH_TIMER_S_EL1_IRQ,
+            [GTIMER_HYPVIRT] = ARCH_TIMER_NS_EL2_VIRT_IRQ,
         };
 
         for (unsigned irq = 0; irq < ARRAY_SIZE(timer_irq); irq++) {
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
         qdev_realize(DEVICE(cpuobj), NULL, &error_fatal);
         object_unref(cpuobj);
     }
+
+    /* Now we've created the CPUs we can see if they have the hypvirt timer */
+    vms->ns_el2_virt_timer_irq = ns_el2_virt_timer_present() &&
+        !vmc->no_ns_el2_virt_timer_irq;
+
     fdt_add_timer_nodes(vms);
     fdt_add_cpu_nodes(vms);
 
@@ -XXX,XX +XXX,XX @@ DEFINE_VIRT_MACHINE_AS_LATEST(9, 0)
 
 static void virt_machine_8_2_options(MachineClass *mc)
 {
+    VirtMachineClass *vmc = VIRT_MACHINE_CLASS(OBJECT_CLASS(mc));
+
     virt_machine_9_0_options(mc);
     compat_props_add(mc->compat_props, hw_compat_8_2, hw_compat_8_2_len);
+    /*
+     * Don't expose NS_EL2_VIRT timer IRQ in DTB on ACPI on 8.2 and
+     * earlier machines. (Exposing it tickles a bug in older EDK2
+     * guest BIOS binaries.)
+     */
+    vmc->no_ns_el2_virt_timer_irq = true;
 }
 DEFINE_VIRT_MACHINE(8, 2)
 
-- 
2.34.1

Update the virt golden reference files to say that the FACP is ACPI
v6.3, and the GTDT table is a revision 3 table with space for the
virtual EL2 timer.

Diffs from iasl:

@@ -XXX,XX +XXX,XX @@
 /*
  * Intel ACPI Component Architecture
  * AML/ASL+ Disassembler version 20200925 (64-bit version)
  * Copyright (c) 2000 - 2020 Intel Corporation
  *
- * Disassembly of tests/data/acpi/virt/FACP, Mon Jan 22 13:48:40 2024
+ * Disassembly of /tmp/aml-W8RZH2, Mon Jan 22 13:48:40 2024
  *
  * ACPI Data Table [FACP]
  *
  * Format: [HexOffset DecimalOffset ByteLength]  FieldName : FieldValue
  */

[000h 0000   4]                    Signature : "FACP"    [Fixed ACPI Description Table (FADT)]
 [004h 0004   4]                 Table Length : 00000114
 [008h 0008   1]                     Revision : 06
-[009h 0009   1]                     Checksum : 15
+[009h 0009   1]                     Checksum : 12
 [00Ah 0010   6]                       Oem ID : "BOCHS "
 [010h 0016   8]                 Oem Table ID : "BXPC    "
 [018h 0024   4]                 Oem Revision : 00000001
 [01Ch 0028   4]              Asl Compiler ID : "BXPC"
 [020h 0032   4]        Asl Compiler Revision : 00000001

[024h 0036   4]                 FACS Address : 00000000
 [028h 0040   4]                 DSDT Address : 00000000
 [02Ch 0044   1]                        Model : 00
 [02Dh 0045   1]                   PM Profile : 00 [Unspecified]
 [02Eh 0046   2]                SCI Interrupt : 0000
 [030h 0048   4]             SMI Command Port : 00000000
 [034h 0052   1]            ACPI Enable Value : 00
 [035h 0053   1]           ACPI Disable Value : 00
 [036h 0054   1]               S4BIOS Command : 00
 [037h 0055   1]              P-State Control : 00
@@ -XXX,XX +XXX,XX @@
      Use APIC Physical Destination Mode (V4) : 0
                        Hardware Reduced (V5) : 1
                       Low Power S0 Idle (V5) : 0

[074h 0116  12]               Reset Register : [Generic Address Structure]
 [074h 0116   1]                     Space ID : 00 [SystemMemory]
 [075h 0117   1]                    Bit Width : 00
 [076h 0118   1]                   Bit Offset : 00
 [077h 0119   1]         Encoded Access Width : 00 [Undefined/Legacy]
 [078h 0120   8]                      Address : 0000000000000000

[080h 0128   1]         Value to cause reset : 00
 [081h 0129   2]    ARM Flags (decoded below) : 0003
                               PSCI Compliant : 1
                        Must use HVC for PSCI : 1

-[083h 0131   1]          FADT Minor Revision : 00
+[083h 0131   1]          FADT Minor Revision : 03
 [084h 0132   8]                 FACS Address : 0000000000000000
 [08Ch 0140   8]                 DSDT Address : 0000000000000000
 [094h 0148  12]             PM1A Event Block : [Generic Address Structure]
 [094h 0148   1]                     Space ID : 00 [SystemMemory]
 [095h 0149   1]                    Bit Width : 00
 [096h 0150   1]                   Bit Offset : 00
 [097h 0151   1]         Encoded Access Width : 00 [Undefined/Legacy]
 [098h 0152   8]                      Address : 0000000000000000

[0A0h 0160  12]             PM1B Event Block : [Generic Address Structure]
 [0A0h 0160   1]                     Space ID : 00 [SystemMemory]
 [0A1h 0161   1]                    Bit Width : 00
 [0A2h 0162   1]                   Bit Offset : 00
 [0A3h 0163   1]         Encoded Access Width : 00 [Undefined/Legacy]
 [0A4h 0164   8]                      Address : 0000000000000000

@@ -XXX,XX +XXX,XX @@
 [0F5h 0245   1]                    Bit Width : 00
 [0F6h 0246   1]                   Bit Offset : 00
 [0F7h 0247   1]         Encoded Access Width : 00 [Undefined/Legacy]
 [0F8h 0248   8]                      Address : 0000000000000000

[100h 0256  12]        Sleep Status Register : [Generic Address Structure]
 [100h 0256   1]                     Space ID : 00 [SystemMemory]
 [101h 0257   1]                    Bit Width : 00
 [102h 0258   1]                   Bit Offset : 00
 [103h 0259   1]         Encoded Access Width : 00 [Undefined/Legacy]
 [104h 0260   8]                      Address : 0000000000000000

[10Ch 0268   8]                Hypervisor ID : 00000000554D4551

Raw Table Data: Length 276 (0x114)

-    0000: 46 41 43 50 14 01 00 00 06 15 42 4F 43 48 53 20  // FACP......BOCHS
+    0000: 46 41 43 50 14 01 00 00 06 12 42 4F 43 48 53 20  // FACP......BOCHS
     0010: 42 58 50 43 20 20 20 20 01 00 00 00 42 58 50 43  // BXPC    ....BXPC
     0020: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
     0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
     0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
     0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
     0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
     0070: 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
-    0080: 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
+    0080: 00 03 00 03 00 00 00 00 00 00 00 00 00 00 00 00  // ................
     0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
     00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
     00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
     00C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
     00D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
     00E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
     00F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  // ................
     0100: 00 00 00 00 00 00 00 00 00 00 00 00 51 45 4D 55  // ............QEMU
     0110: 00 00 00 00                                      // ....

@@ -XXX,XX +XXX,XX @@
 /*
  * Intel ACPI Component Architecture
  * AML/ASL+ Disassembler version 20200925 (64-bit version)
  * Copyright (c) 2000 - 2020 Intel Corporation
  *
- * Disassembly of tests/data/acpi/virt/GTDT, Mon Jan 22 13:48:40 2024
+ * Disassembly of /tmp/aml-XDSZH2, Mon Jan 22 13:48:40 2024
  *
  * ACPI Data Table [GTDT]
  *
  * Format: [HexOffset DecimalOffset ByteLength]  FieldName : FieldValue
  */

[000h 0000   4]                    Signature : "GTDT"    [Generic Timer Description Table]
-[004h 0004   4]                 Table Length : 00000060
-[008h 0008   1]                     Revision : 02
-[009h 0009   1]                     Checksum : 9C
+[004h 0004   4]                 Table Length : 00000068
+[008h 0008   1]                     Revision : 03
+[009h 0009   1]                     Checksum : 93
 [00Ah 0010   6]                       Oem ID : "BOCHS "
 [010h 0016   8]                 Oem Table ID : "BXPC    "
 [018h 0024   4]                 Oem Revision : 00000001
 [01Ch 0028   4]              Asl Compiler ID : "BXPC"
 [020h 0032   4]        Asl Compiler Revision : 00000001

[024h 0036   8]        Counter Block Address : FFFFFFFFFFFFFFFF
 [02Ch 0044   4]                     Reserved : 00000000

[030h 0048   4]         Secure EL1 Interrupt : 0000001D
 [034h 0052   4]    EL1 Flags (decoded below) : 00000000
                                 Trigger Mode : 0
                                     Polarity : 0
                                    Always On : 0

[038h 0056   4]     Non-Secure EL1 Interrupt : 0000001E
@@ -XXX,XX +XXX,XX @@

[040h 0064   4]      Virtual Timer Interrupt : 0000001B
 [044h 0068   4]     VT Flags (decoded below) : 00000000
                                 Trigger Mode : 0
                                     Polarity : 0
                                    Always On : 0

[048h 0072   4]     Non-Secure EL2 Interrupt : 0000001A
 [04Ch 0076   4]   NEL2 Flags (decoded below) : 00000000
                                 Trigger Mode : 0
                                     Polarity : 0
                                    Always On : 0
 [050h 0080   8]   Counter Read Block Address : FFFFFFFFFFFFFFFF

[058h 0088   4]         Platform Timer Count : 00000000
 [05Ch 0092   4]        Platform Timer Offset : 00000000
+[060h 0096   4]       Virtual EL2 Timer GSIV : 00000000
+[064h 0100   4]      Virtual EL2 Timer Flags : 00000000

-Raw Table Data: Length 96 (0x60)
+Raw Table Data: Length 104 (0x68)

-    0000: 47 54 44 54 60 00 00 00 02 9C 42 4F 43 48 53 20  // GTDT`.....BOCHS
+    0000: 47 54 44 54 68 00 00 00 03 93 42 4F 43 48 53 20  // GTDTh.....BOCHS
     0010: 42 58 50 43 20 20 20 20 01 00 00 00 42 58 50 43  // BXPC    ....BXPC
     0020: 01 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00  // ................
     0030: 1D 00 00 00 00 00 00 00 1E 00 00 00 04 00 00 00  // ................
     0040: 1B 00 00 00 00 00 00 00 1A 00 00 00 00 00 00 00  // ................
     0050: FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00  // ................
+    0060: 00 00 00 00 00 00 00 00                          // ........

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Message-id: 20240122143537.233498-4-peter.maydell@linaro.org
---
 tests/qtest/bios-tables-test-allowed-diff.h |   2 --
 tests/data/acpi/virt/FACP                   | Bin 276 -> 276 bytes
 tests/data/acpi/virt/GTDT                   | Bin 96 -> 104 bytes
 3 files changed, 2 deletions(-)

diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/bios-tables-test-allowed-diff.h
+++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -1,3 +1 @@
 /* List of comma-separated changed AML files to ignore */
-"tests/data/acpi/virt/FACP",
-"tests/data/acpi/virt/GTDT",
diff --git a/tests/data/acpi/virt/FACP b/tests/data/acpi/virt/FACP
index XXXXXXX..XXXXXXX 100644
GIT binary patch
delta 25
gcmbQjG=+)F&CxkPgpq-PO=u!l<;2F$$vli407<0<)c^nh

delta 28
kcmbQjG=+)F&CxkPgpq-PO>`nx<-|!<6Akz$^DuG%0AAS!ssI20

diff --git a/tests/data/acpi/virt/GTDT b/tests/data/acpi/virt/GTDT
index XXXXXXX..XXXXXXX 100644
GIT binary patch
delta 25
bcmYeu;BpUf3CUn!U|^m+kt>V?$N&QXMtB4L

delta 16
Xcmc~u;BpUf2}xjJU|^avkt+-UB60)u

-- 
2.34.1

The patchset adding the GMAC ethernet to this SoC crossed in the
mail with the patchset cleaning up the NIC handling. When we
create the GMAC modules we must call qemu_configure_nic_device()
so that the user has the opportunity to use the -nic commandline
option to create a network backend and connect it to the GMACs.

Add the missing call.

Fixes: 21e5326a7c ("hw/arm: Add GMAC devices to NPCM7XX SoC")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
Message-id: 20240206171231.396392-2-peter.maydell@linaro.org
---
 hw/arm/npcm7xx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/npcm7xx.c b/hw/arm/npcm7xx.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/npcm7xx.c
+++ b/hw/arm/npcm7xx.c
@@ -XXX,XX +XXX,XX @@ static void npcm7xx_realize(DeviceState *dev, Error **errp)
     for (i = 0; i < ARRAY_SIZE(s->gmac); i++) {
         SysBusDevice *sbd = SYS_BUS_DEVICE(&s->gmac[i]);
 
+        qemu_configure_nic_device(DEVICE(sbd), false, NULL);
         /*
          * The device exists regardless of whether it's connected to a QEMU
          * netdev backend. So always instantiate it even if there is no
-- 
2.34.1

Currently QEMU will warn if there is a NIC on the board that
is not connected to a backend. By default the '-nic user' will
get used for all NICs, but if you manually connect a specific
NIC to a specific backend, then the other NICs on the board
have no backend and will be warned about:

qemu-system-arm: warning: nic npcm7xx-emc.1 has no peer
qemu-system-arm: warning: nic npcm-gmac.0 has no peer
qemu-system-arm: warning: nic npcm-gmac.1 has no peer

So suppress those warnings by manually connecting every NIC
on the board to some backend.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 20240206171231.396392-3-peter.maydell@linaro.org
---
 tests/qtest/npcm7xx_emc-test.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/npcm7xx_emc-test.c b/tests/qtest/npcm7xx_emc-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/npcm7xx_emc-test.c
+++ b/tests/qtest/npcm7xx_emc-test.c
@@ -XXX,XX +XXX,XX @@ static int *packet_test_init(int module_num, GString *cmd_line)
      * KISS and use -nic. The driver accepts 'emc0' and 'emc1' as aliases
      * in the 'model' field to specify the device to match.
      */
-    g_string_append_printf(cmd_line, " -nic socket,fd=%d,model=emc%d ",
+    g_string_append_printf(cmd_line, " -nic socket,fd=%d,model=emc%d "
+                           "-nic user,model=npcm7xx-emc "
+                           "-nic user,model=npcm-gmac "
+                           "-nic user,model=npcm-gmac",
                            test_sockets[1], module_num);
 
     g_test_queue_destroy(packet_test_clear, test_sockets);
-- 
2.34.1

It doesn't make sense to read the value of MDCR_EL2 on a non-A-profile
CPU, and in fact if you try to do it we will assert:

#6  0x00007ffff4b95e96 in __GI___assert_fail
    (assertion=0x5555565a8c70 "!arm_feature(env, ARM_FEATURE_M)", file=0x5555565a6e5c "../../target/arm/helper.c", line=12600, function=0x5555565a9560 <__PRETTY_FUNCTION__.0> "arm_security_space_below_el3") at ./assert/assert.c:101
#7  0x0000555555ebf412 in arm_security_space_below_el3 (env=0x555557bc8190) at ../../target/arm/helper.c:12600
#8  0x0000555555ea6f89 in arm_is_el2_enabled (env=0x555557bc8190) at ../../target/arm/cpu.h:2595
#9  0x0000555555ea942f in arm_mdcr_el2_eff (env=0x555557bc8190) at ../../target/arm/internals.h:1512

We might call pmu_counter_enabled() on an M-profile CPU (for example
from the migration pre/post hooks in machine.c); this should always
return false because these CPUs don't set ARM_FEATURE_PMU.

Avoid the assertion by not calling arm_mdcr_el2_eff() before we
have done the early return for "PMU not present".

This fixes an assertion failure if you try to do a loadvm or
savevm for an M-profile board.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2155
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240208153346.970021-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static bool pmu_counter_enabled(CPUARMState *env, uint8_t counter)
     bool enabled, prohibited = false, filtered;
     bool secure = arm_is_secure(env);
     int el = arm_current_el(env);
-    uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
-    uint8_t hpmn = mdcr_el2 & MDCR_HPMN;
+    uint64_t mdcr_el2;
+    uint8_t hpmn;
 
+    /*
+     * We might be called for M-profile cores where MDCR_EL2 doesn't
+     * exist and arm_mdcr_el2_eff() will assert, so this early-exit check
+     * must be before we read that value.
+     */
     if (!arm_feature(env, ARM_FEATURE_PMU)) {
         return false;
     }
 
+    mdcr_el2 = arm_mdcr_el2_eff(env);
+    hpmn = mdcr_el2 & MDCR_HPMN;
+
     if (!arm_feature(env, ARM_FEATURE_EL2) ||
             (counter < hpmn || counter == 31)) {
         e = env->cp15.c9_pmcr & PMCRE;
-- 
2.34.1

From: Nabih Estefan <nabihestefan@google.com>

Fix the nocm_gmac-test.c file to run on a nuvoton 7xx machine instead
of 8xx. Also fix comments referencing this and values expecting 8xx.

Change-Id: Iabd0fba14910c3f1e883c4a9521350f3db9ffab8
Signed-Off-By: Nabih Estefan <nabihestefan@google.com>
Reviewed-by: Tyrone Ting <kfting@nuvoton.com>
Message-id: 20240208194759.2858582-2-nabihestefan@google.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: commit message tweaks]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/npcm_gmac-test.c | 84 +-----------------------------------
 tests/qtest/meson.build      |  3 +-
 2 files changed, 4 insertions(+), 83 deletions(-)

diff --git a/tests/qtest/npcm_gmac-test.c b/tests/qtest/npcm_gmac-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/npcm_gmac-test.c
+++ b/tests/qtest/npcm_gmac-test.c
@@ -XXX,XX +XXX,XX @@ typedef struct TestData {
     const GMACModule *module;
 } TestData;
 
-/* Values extracted from hw/arm/npcm8xx.c */
+/* Values extracted from hw/arm/npcm7xx.c */
 static const GMACModule gmac_module_list[] = {
     {
         .irq        = 14,
@@ -XXX,XX +XXX,XX @@ static const GMACModule gmac_module_list[] = {
         .irq        = 15,
         .base_addr  = 0xf0804000
     },
-    {
-        .irq        = 16,
-        .base_addr  = 0xf0806000
-    },
-    {
-        .irq        = 17,
-        .base_addr  = 0xf0808000
-    }
 };
 
 /* Returns the index of the GMAC module. */
@@ -XXX,XX +XXX,XX @@ static uint32_t gmac_read(QTestState *qts, const GMACModule *mod,
     return qtest_readl(qts, mod->base_addr + regno);
 }
 
-static uint16_t pcs_read(QTestState *qts, const GMACModule *mod,
-                          NPCMRegister regno)
-{
-    uint32_t write_value = (regno & 0x3ffe00) >> 9;
-    qtest_writel(qts, PCS_BASE_ADDRESS + NPCM_PCS_IND_AC_BA, write_value);
-    uint32_t read_offset = regno & 0x1ff;
-    return qtest_readl(qts, PCS_BASE_ADDRESS + read_offset);
-}
-
 /* Check that GMAC registers are reset to default value */
 static void test_init(gconstpointer test_data)
 {
     const TestData *td = test_data;
     const GMACModule *mod = td->module;
-    QTestState *qts = qtest_init("-machine npcm845-evb");
+    QTestState *qts = qtest_init("-machine npcm750-evb");
 
 #define CHECK_REG32(regno, value) \
     do { \
         g_assert_cmphex(gmac_read(qts, mod, (regno)), ==, (value)); \
     } while (0)
 
-#define CHECK_REG_PCS(regno, value) \
-    do { \
-        g_assert_cmphex(pcs_read(qts, mod, (regno)), ==, (value)); \
-    } while (0)
-
     CHECK_REG32(NPCM_DMA_BUS_MODE, 0x00020100);
     CHECK_REG32(NPCM_DMA_XMT_POLL_DEMAND, 0);
     CHECK_REG32(NPCM_DMA_RCV_POLL_DEMAND, 0);
@@ -XXX,XX +XXX,XX @@ static void test_init(gconstpointer test_data)
     CHECK_REG32(NPCM_GMAC_PTP_TAR, 0);
     CHECK_REG32(NPCM_GMAC_PTP_TTSR, 0);
 
-    /* TODO Add registers PCS */
-    if (mod->base_addr == 0xf0802000) {
-        CHECK_REG_PCS(NPCM_PCS_SR_CTL_ID1, 0x699e);
-        CHECK_REG_PCS(NPCM_PCS_SR_CTL_ID2, 0);
-        CHECK_REG_PCS(NPCM_PCS_SR_CTL_STS, 0x8000);
-
-        CHECK_REG_PCS(NPCM_PCS_SR_MII_CTRL, 0x1140);
-        CHECK_REG_PCS(NPCM_PCS_SR_MII_STS, 0x0109);
-        CHECK_REG_PCS(NPCM_PCS_SR_MII_DEV_ID1, 0x699e);
-        CHECK_REG_PCS(NPCM_PCS_SR_MII_DEV_ID2, 0x0ced0);
-        CHECK_REG_PCS(NPCM_PCS_SR_MII_AN_ADV, 0x0020);
-        CHECK_REG_PCS(NPCM_PCS_SR_MII_LP_BABL, 0);
-        CHECK_REG_PCS(NPCM_PCS_SR_MII_AN_EXPN, 0);
-        CHECK_REG_PCS(NPCM_PCS_SR_MII_EXT_STS, 0xc000);
-
-        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_ABL, 0x0003);
-        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_TX_MAX_DLY_LWR, 0x0038);
-        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_TX_MAX_DLY_UPR, 0);
-        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_TX_MIN_DLY_LWR, 0x0038);
-        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_TX_MIN_DLY_UPR, 0);
-        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_RX_MAX_DLY_LWR, 0x0058);
-        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_RX_MAX_DLY_UPR, 0);
-        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_RX_MIN_DLY_LWR, 0x0048);
-        CHECK_REG_PCS(NPCM_PCS_SR_TIM_SYNC_RX_MIN_DLY_UPR, 0);
-
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MMD_DIG_CTRL1, 0x2400);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_AN_CTRL, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_AN_INTR_STS, 0x000a);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_TC, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_DBG_CTRL, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_EEE_MCTRL0, 0x899c);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_EEE_TXTIMER, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_EEE_RXTIMER, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_LINK_TIMER_CTRL, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_EEE_MCTRL1, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_DIG_STS, 0x0010);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_ICG_ERRCNT1, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MISC_STS, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_RX_LSTS, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_TX_BSTCTRL0, 0x00a);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_TX_LVLCTRL0, 0x007f);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_TX_GENCTRL0, 0x0001);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_TX_GENCTRL1, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_TX_STS, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_RX_GENCTRL0, 0x0100);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_RX_GENCTRL1, 0x1100);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_RX_LOS_CTRL0, 0x000e);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_MPLL_CTRL0, 0x0100);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_MPLL_CTRL1, 0x0032);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_MPLL_STS, 0x0001);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_MISC_CTRL2, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_LVL_CTRL, 0x0019);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_MISC_CTRL0, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_MP_MISC_CTRL1, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_DIG_CTRL2, 0);
-        CHECK_REG_PCS(NPCM_PCS_VR_MII_DIG_ERRCNT_SEL, 0);
-    }
-
     qtest_quit(qts);
 }
 
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -XXX,XX +XXX,XX @@ qtests_npcm7xx = \
    'npcm7xx_sdhci-test',
    'npcm7xx_smbus-test',
    'npcm7xx_timer-test',
-   'npcm7xx_watchdog_timer-test'] + \
+   'npcm7xx_watchdog_timer-test',
+   'npcm_gmac-test'] + \
    (slirp.found() ? ['npcm7xx_emc-test'] : [])
 qtests_aspeed = \
   ['aspeed_hace-test',
-- 
2.34.1

From: Luc Michel <luc.michel@amd.com>

An access fault is raised when the Access Flag is not set in the
looked-up PTE and the AFFD field is not set in the corresponding context
descriptor. This was already implemented for stage 2. Implement it for
stage 1 as well.

Signed-off-by: Luc Michel <luc.michel@amd.com>
Reviewed-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Mostafa Saleh <smostafa@google.com>
Message-id: 20240213082211.3330400-1-luc.michel@amd.com
[PMM: tweaked comment text]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h     |  1 +
 include/hw/arm/smmu-common.h |  1 +
 hw/arm/smmu-common.c         | 11 +++++++++++
 hw/arm/smmuv3.c              |  1 +
 4 files changed, 14 insertions(+)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ static inline int pa_range(STE *ste)
 #define CD_EPD(x, sel)   extract32((x)->word[0], (16 * (sel)) + 14, 1)
 #define CD_ENDI(x)       extract32((x)->word[0], 15, 1)
 #define CD_IPS(x)        extract32((x)->word[1], 0 , 3)
+#define CD_AFFD(x)       extract32((x)->word[1], 3 , 1)
 #define CD_TBI(x)        extract32((x)->word[1], 6 , 2)
 #define CD_HD(x)         extract32((x)->word[1], 10 , 1)
 #define CD_HA(x)         extract32((x)->word[1], 11 , 1)
diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUTransCfg {
     bool disabled;             /* smmu is disabled */
     bool bypassed;             /* translation is bypassed */
     bool aborted;              /* translation is aborted */
+    bool affd;                 /* AF fault disable */
     uint32_t iotlb_hits;       /* counts IOTLB hits */
     uint32_t iotlb_misses;     /* counts IOTLB misses*/
     /* Used by stage-1 only. */
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
                                      pte_addr, pte, iova, gpa,
                                      block_size >> 20);
         }
+
+        /*
+         * QEMU does not currently implement HTTU, so if AFFD and PTE.AF
+         * are 0 we take an Access flag fault. (5.4. Context Descriptor)
+         * An Access flag fault takes priority over a Permission fault.
+         */
+        if (!PTE_AF(pte) && !cfg->affd) {
+            info->type = SMMU_PTW_ERR_ACCESS;
+            goto error;
+        }
+
         ap = PTE_AP(pte);
         if (is_permission_fault(ap, perm)) {
             info->type = SMMU_PTW_ERR_PERMISSION;
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUTransCfg *cfg, CD *cd, SMMUEventInfo *event)
     cfg->oas = MIN(oas2bits(SMMU_IDR5_OAS), cfg->oas);
     cfg->tbi = CD_TBI(cd);
     cfg->asid = CD_ASID(cd);
+    cfg->affd = CD_AFFD(cd);
 
     trace_smmuv3_decode_cd(cfg->oas);
 
-- 
2.34.1

From: Philippe Mathieu-Daudé <philmd@linaro.org>

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20240213155214.13619-2-philmd@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/stellaris.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/stellaris.c
+++ b/hw/arm/stellaris.c
@@ -XXX,XX +XXX,XX @@ static void stellaris_adc_trigger(void *opaque, int irq, int level)
     }
 }
 
-static void stellaris_adc_reset(StellarisADCState *s)
+static void stellaris_adc_reset_hold(Object *obj)
 {
+    StellarisADCState *s = STELLARIS_ADC(obj);
     int n;
 
     for (n = 0; n < 4; n++) {
@@ -XXX,XX +XXX,XX @@ static void stellaris_adc_init(Object *obj)
     memory_region_init_io(&s->iomem, obj, &stellaris_adc_ops, s,
                           "adc", 0x1000);
     sysbus_init_mmio(sbd, &s->iomem);
-    stellaris_adc_reset(s);
     qdev_init_gpio_in(dev, stellaris_adc_trigger, 1);
 }
 
@@ -XXX,XX +XXX,XX @@ static const TypeInfo stellaris_i2c_info = {
 static void stellaris_adc_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
+    ResettableClass *rc = RESETTABLE_CLASS(klass);
 
+    rc->phases.hold = stellaris_adc_reset_hold;
     dc->vmsd = &vmstate_stellaris_adc;
 }
 
-- 
2.34.1

From: Philippe Mathieu-Daudé <philmd@linaro.org>

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240213155214.13619-3-philmd@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/stellaris.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/stellaris.c
+++ b/hw/arm/stellaris.c
@@ -XXX,XX +XXX,XX @@ static void stellaris_sys_instance_init(Object *obj)
     s->sysclk = qdev_init_clock_out(DEVICE(s), "SYSCLK");
 }
 
-/* I2C controller.  */
+/*
+ * I2C controller.
+ * ??? For now we only implement the master interface.
+ */
 
 #define TYPE_STELLARIS_I2C "stellaris-i2c"
 OBJECT_DECLARE_SIMPLE_TYPE(stellaris_i2c_state, STELLARIS_I2C)
@@ -XXX,XX +XXX,XX @@ static void stellaris_i2c_write(void *opaque, hwaddr offset,
     stellaris_i2c_update(s);
 }
 
-static void stellaris_i2c_reset(stellaris_i2c_state *s)
+static void stellaris_i2c_reset_enter(Object *obj, ResetType type)
 {
+    stellaris_i2c_state *s = STELLARIS_I2C(obj);
+
     if (s->mcs & STELLARIS_I2C_MCS_BUSBSY)
         i2c_end_transfer(s->bus);
+}
+
+static void stellaris_i2c_reset_hold(Object *obj)
+{
+    stellaris_i2c_state *s = STELLARIS_I2C(obj);
 
     s->msa = 0;
     s->mcs = 0;
@@ -XXX,XX +XXX,XX @@ static void stellaris_i2c_reset(stellaris_i2c_state *s)
     s->mimr = 0;
     s->mris = 0;
     s->mcr = 0;
+}
+
+static void stellaris_i2c_reset_exit(Object *obj)
+{
+    stellaris_i2c_state *s = STELLARIS_I2C(obj);
+
     stellaris_i2c_update(s);
 }
 
@@ -XXX,XX +XXX,XX @@ static void stellaris_i2c_init(Object *obj)
     memory_region_init_io(&s->iomem, obj, &stellaris_i2c_ops, s,
                           "i2c", 0x1000);
     sysbus_init_mmio(sbd, &s->iomem);
-    /* ??? For now we only implement the master interface.  */
-    stellaris_i2c_reset(s);
 }
 
 /* Analogue to Digital Converter.  This is only partially implemented,
@@ -XXX,XX +XXX,XX @@ type_init(stellaris_machine_init)
 static void stellaris_i2c_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
+    ResettableClass *rc = RESETTABLE_CLASS(klass);
 
+    rc->phases.enter = stellaris_i2c_reset_enter;
+    rc->phases.hold = stellaris_i2c_reset_hold;
+    rc->phases.exit = stellaris_i2c_reset_exit;
     dc->vmsd = &vmstate_stellaris_i2c;
 }
 
-- 
2.34.1

From: Philippe Mathieu-Daudé <philmd@linaro.org>

QDev objects created with qdev_new() need to manually add
their parent relationship with object_property_add_child().

This commit plug the devices which aren't part of the SoC;
they will be plugged into a SoC container in the next one.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20240213155214.13619-4-philmd@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/stellaris.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/stellaris.c
+++ b/hw/arm/stellaris.c
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
                                    &error_fatal);
 
             ssddev = qdev_new("ssd0323");
+            object_property_add_child(OBJECT(ms), "oled", OBJECT(ssddev));
             qdev_prop_set_uint8(ssddev, "cs", 1);
             qdev_realize_and_unref(ssddev, bus, &error_fatal);
 
             gpio_d_splitter = qdev_new(TYPE_SPLIT_IRQ);
+            object_property_add_child(OBJECT(ms), "splitter",
+                                      OBJECT(gpio_d_splitter));
             qdev_prop_set_uint32(gpio_d_splitter, "num-lines", 2);
             qdev_realize_and_unref(gpio_d_splitter, NULL, &error_fatal);
             qdev_connect_gpio_out(
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
         DeviceState *gpad;
 
         gpad = qdev_new(TYPE_STELLARIS_GAMEPAD);
+        object_property_add_child(OBJECT(ms), "gamepad", OBJECT(gpad));
         for (i = 0; i < ARRAY_SIZE(gpad_keycode); i++) {
             qlist_append_int(gpad_keycode_list, gpad_keycode[i]);
         }
-- 
2.34.1

From: Philippe Mathieu-Daudé <philmd@linaro.org>

QDev objects created with qdev_new() need to manually add
their parent relationship with object_property_add_child().

Since we don't model the SoC, just use a QOM container.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20240213155214.13619-5-philmd@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/stellaris.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/stellaris.c
+++ b/hw/arm/stellaris.c
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
      * 400fe000 system control
      */
 
+    Object *soc_container;
     DeviceState *gpio_dev[7], *nvic;
     qemu_irq gpio_in[7][8];
     qemu_irq gpio_out[7][8];
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
     flash_size = (((board->dc0 & 0xffff) + 1) << 1) * 1024;
     sram_size = ((board->dc0 >> 18) + 1) * 1024;
 
+    soc_container = object_new("container");
+    object_property_add_child(OBJECT(ms), "soc", soc_container);
+
     /* Flash programming is done via the SCU, so pretend it is ROM.  */
     memory_region_init_rom(flash, NULL, "stellaris.flash", flash_size,
                            &error_fatal);
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
      * need its sysclk output.
      */
     ssys_dev = qdev_new(TYPE_STELLARIS_SYS);
+    object_property_add_child(soc_container, "sys", OBJECT(ssys_dev));
 
     /*
      * Most devices come preprogrammed with a MAC address in the user data.
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
     sysbus_realize_and_unref(SYS_BUS_DEVICE(ssys_dev), &error_fatal);
 
     nvic = qdev_new(TYPE_ARMV7M);
+    object_property_add_child(soc_container, "v7m", OBJECT(nvic));
     qdev_prop_set_uint32(nvic, "num-irq", NUM_IRQ_LINES);
     qdev_prop_set_uint8(nvic, "num-prio-bits", NUM_PRIO_BITS);
     qdev_prop_set_string(nvic, "cpu-type", ms->cpu_type);
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
 
             dev = qdev_new(TYPE_STELLARIS_GPTM);
             sbd = SYS_BUS_DEVICE(dev);
+            object_property_add_child(soc_container, "gptm[*]", OBJECT(dev));
             qdev_connect_clock_in(dev, "clk",
                                   qdev_get_clock_out(ssys_dev, "SYSCLK"));
             sysbus_realize_and_unref(sbd, &error_fatal);
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
 
     if (board->dc1 & (1 << 3)) { /* watchdog present */
         dev = qdev_new(TYPE_LUMINARY_WATCHDOG);
-
+        object_property_add_child(soc_container, "wdg", OBJECT(dev));
         qdev_connect_clock_in(dev, "WDOGCLK",
                               qdev_get_clock_out(ssys_dev, "SYSCLK"));
 
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
             SysBusDevice *sbd;
 
             dev = qdev_new("pl011_luminary");
+            object_property_add_child(soc_container, "uart[*]", OBJECT(dev));
             sbd = SYS_BUS_DEVICE(dev);
             qdev_prop_set_chr(dev, "chardev", serial_hd(i));
             sysbus_realize_and_unref(sbd, &error_fatal);
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
         DeviceState *enet;
 
         enet = qdev_new("stellaris_enet");
+        object_property_add_child(soc_container, "enet", OBJECT(enet));
         if (nd) {
             qdev_set_nic_properties(enet, nd);
         } else {
-- 
2.34.1

We support two different encodings for the AArch32 IMPDEF
CBAR register -- older cores like the Cortex A9, A7, A15
have this at 4, c15, c0, 0; newer cores like the
Cortex A35, A53, A57 and A72 have it at 1 c15 c0 0.

When we implemented this we picked which encoding to
use based on whether the CPU set ARM_FEATURE_AARCH64.
However this isn't right for three cases:
 * the qemu-system-arm 'max' CPU, which is supposed to be
   a variant on a Cortex-A57; it ought to use the same
   encoding the A57 does and which the AArch64 'max'
   exposes to AArch32 guest code
 * the Cortex-R52, which is AArch32-only but has the CBAR
   at the newer encoding (and where we incorrectly are
   not yet setting ARM_FEATURE_CBAR_RO anyway)
 * any possible future support for other v8 AArch32
   only CPUs, or for supporting "boot the CPU into
   AArch32 mode" on our existing cores like the A57 etc

Make the decision of the encoding be based on whether
the CPU implements the ARM_FEATURE_V8 flag instead.

This changes the behaviour only for the qemu-system-arm
'-cpu max'. We don't expect anybody to be relying on the
old behaviour because:
 * it's not what the real hardware Cortex-A57 does
   (and that's what our ID register claims we are)
 * we don't implement the memory-mapped GICv3 support
   which is the only thing that exists at the peripheral
   base address pointed to by the register

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240206132931.38376-2-peter.maydell@linaro.org
---
 target/arm/helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
          * AArch64 cores we might need to add a specific feature flag
          * to indicate cores with "flavour 2" CBAR.
          */
-        if (arm_feature(env, ARM_FEATURE_AARCH64)) {
+        if (arm_feature(env, ARM_FEATURE_V8)) {
             /* 32 bit view is [31:18] 0...0 [43:32]. */
             uint32_t cbar32 = (extract64(cpu->reset_cbar, 18, 14) << 18)
                 | extract64(cpu->reset_cbar, 32, 12);
-- 
2.34.1

The Cortex-R52 implements the Configuration Base Address Register
(CBAR), as a read-only register.  Add ARM_FEATURE_CBAR_RO to this CPU
type, so that our implementation provides the register and the
associated qdev property.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240206132931.38376-3-peter.maydell@linaro.org
---
 target/arm/tcg/cpu32.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target/arm/tcg/cpu32.c b/target/arm/tcg/cpu32.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/cpu32.c
+++ b/target/arm/tcg/cpu32.c
@@ -XXX,XX +XXX,XX @@ static void cortex_r52_initfn(Object *obj)
     set_feature(&cpu->env, ARM_FEATURE_PMSA);
     set_feature(&cpu->env, ARM_FEATURE_NEON);
     set_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER);
+    set_feature(&cpu->env, ARM_FEATURE_CBAR_RO);
     cpu->midr = 0x411fd133; /* r1p3 */
     cpu->revidr = 0x00000000;
     cpu->reset_fpsid = 0x41034023;
-- 
2.34.1

Add the Cortex-R52 IMPDEF sysregs, by defining them here and
also by enabling the AUXCR feature which defines the ACTLR
and HACTLR registers. As is our usual practice, we make these
simple reads-as-zero stubs for now.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240206132931.38376-4-peter.maydell@linaro.org
---
 target/arm/tcg/cpu32.c | 108 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)

diff --git a/target/arm/tcg/cpu32.c b/target/arm/tcg/cpu32.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/cpu32.c
+++ b/target/arm/tcg/cpu32.c
@@ -XXX,XX +XXX,XX @@ static void cortex_r5_initfn(Object *obj)
     define_arm_cp_regs(cpu, cortexr5_cp_reginfo);
 }
 
+static const ARMCPRegInfo cortex_r52_cp_reginfo[] = {
+    { .name = "CPUACTLR", .cp = 15, .opc1 = 0, .crm = 15,
+      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
+    { .name = "IMP_ATCMREGIONR",
+      .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_BTCMREGIONR",
+      .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_CTCMREGIONR",
+      .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 2,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_CSCTLR",
+      .cp = 15, .opc1 = 1, .crn = 9, .crm = 1, .opc2 = 0,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_BPCTLR",
+      .cp = 15, .opc1 = 1, .crn = 9, .crm = 1, .opc2 = 1,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_MEMPROTCLR",
+      .cp = 15, .opc1 = 1, .crn = 9, .crm = 1, .opc2 = 2,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_SLAVEPCTLR",
+      .cp = 15, .opc1 = 0, .crn = 11, .crm = 0, .opc2 = 0,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_PERIPHREGIONR",
+      .cp = 15, .opc1 = 0, .crn = 15, .crm = 0, .opc2 = 0,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_FLASHIFREGIONR",
+      .cp = 15, .opc1 = 0, .crn = 15, .crm = 0, .opc2 = 1,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_BUILDOPTR",
+      .cp = 15, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 0,
+      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_PINOPTR",
+      .cp = 15, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 7,
+      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_QOSR",
+      .cp = 15, .opc1 = 1, .crn = 15, .crm = 3, .opc2 = 1,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_BUSTIMEOUTR",
+      .cp = 15, .opc1 = 1, .crn = 15, .crm = 3, .opc2 = 2,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_INTMONR",
+      .cp = 15, .opc1 = 1, .crn = 15, .crm = 3, .opc2 = 4,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_ICERR0",
+      .cp = 15, .opc1 = 2, .crn = 15, .crm = 0, .opc2 = 0,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_ICERR1",
+      .cp = 15, .opc1 = 2, .crn = 15, .crm = 0, .opc2 = 1,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_DCERR0",
+      .cp = 15, .opc1 = 2, .crn = 15, .crm = 1, .opc2 = 0,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_DCERR1",
+      .cp = 15, .opc1 = 2, .crn = 15, .crm = 1, .opc2 = 1,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_TCMERR0",
+      .cp = 15, .opc1 = 2, .crn = 15, .crm = 2, .opc2 = 0,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_TCMERR1",
+      .cp = 15, .opc1 = 2, .crn = 15, .crm = 2, .opc2 = 1,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_TCMSYNDR0",
+      .cp = 15, .opc1 = 2, .crn = 15, .crm = 2, .opc2 = 2,
+      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_TCMSYNDR1",
+      .cp = 15, .opc1 = 2, .crn = 15, .crm = 2, .opc2 = 3,
+      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_FLASHERR0",
+      .cp = 15, .opc1 = 2, .crn = 15, .crm = 3, .opc2 = 0,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_FLASHERR1",
+      .cp = 15, .opc1 = 2, .crn = 15, .crm = 3, .opc2 = 1,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_CDBGDR0",
+      .cp = 15, .opc1 = 3, .crn = 15, .crm = 0, .opc2 = 0,
+      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_CBDGBR1",
+      .cp = 15, .opc1 = 3, .crn = 15, .crm = 0, .opc2 = 1,
+      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_TESTR0",
+      .cp = 15, .opc1 = 4, .crn = 15, .crm = 0, .opc2 = 0,
+      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "IMP_TESTR1",
+      .cp = 15, .opc1 = 4, .crn = 15, .crm = 0, .opc2 = 1,
+      .access = PL1_W, .type = ARM_CP_NOP, .resetvalue = 0 },
+    { .name = "IMP_CDBGDCI",
+      .cp = 15, .opc1 = 0, .crn = 15, .crm = 15, .opc2 = 0,
+      .access = PL1_W, .type = ARM_CP_NOP, .resetvalue = 0 },
+    { .name = "IMP_CDBGDCT",
+      .cp = 15, .opc1 = 3, .crn = 15, .crm = 2, .opc2 = 0,
+      .access = PL1_W, .type = ARM_CP_NOP, .resetvalue = 0 },
+    { .name = "IMP_CDBGICT",
+      .cp = 15, .opc1 = 3, .crn = 15, .crm = 2, .opc2 = 1,
+      .access = PL1_W, .type = ARM_CP_NOP, .resetvalue = 0 },
+    { .name = "IMP_CDBGDCD",
+      .cp = 15, .opc1 = 3, .crn = 15, .crm = 4, .opc2 = 0,
+      .access = PL1_W, .type = ARM_CP_NOP, .resetvalue = 0 },
+    { .name = "IMP_CDBGICD",
+      .cp = 15, .opc1 = 3, .crn = 15, .crm = 4, .opc2 = 1,
+      .access = PL1_W, .type = ARM_CP_NOP, .resetvalue = 0 },
+};
+
+
 static void cortex_r52_initfn(Object *obj)
 {
     ARMCPU *cpu = ARM_CPU(obj);
@@ -XXX,XX +XXX,XX @@ static void cortex_r52_initfn(Object *obj)
     set_feature(&cpu->env, ARM_FEATURE_NEON);
     set_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER);
     set_feature(&cpu->env, ARM_FEATURE_CBAR_RO);
+    set_feature(&cpu->env, ARM_FEATURE_AUXCR);
     cpu->midr = 0x411fd133; /* r1p3 */
     cpu->revidr = 0x00000000;
     cpu->reset_fpsid = 0x41034023;
@@ -XXX,XX +XXX,XX @@ static void cortex_r52_initfn(Object *obj)
 
     cpu->pmsav7_dregion = 16;
     cpu->pmsav8r_hdregion = 16;
+
+    define_arm_cp_regs(cpu, cortex_r52_cp_reginfo);
 }
 
 static void cortex_r5f_initfn(Object *obj)
-- 
2.34.1

Architecturally, the AArch32 MSR/MRS to/from banked register
instructions are UNPREDICTABLE for attempts to access a banked
register that the guest could access in a more direct way (e.g.
using this insn to access r8_fiq when already in FIQ mode).  QEMU has
chosen to UNDEF on all of these.

However, for the case of accessing SPSR_hyp from hyp mode, it turns
out that real hardware permits this, with the same effect as if the
guest had directly written to SPSR. Further, there is some
guest code out there that assumes it can do this, because it
happens to work on hardware: an example Cortex-R52 startup code
fragment uses this, and it got copied into various other places,
including Zephyr. Zephyr was fixed to not use this:
 https://github.com/zephyrproject-rtos/zephyr/issues/47330
but other examples are still out there, like the selftest
binary for the MPS3-AN536.

For convenience of being able to run guest code, permit
this UNPREDICTABLE access instead of UNDEFing it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240206132931.38376-5-peter.maydell@linaro.org
---
 target/arm/tcg/op_helper.c | 43 ++++++++++++++++++++++++++------------
 target/arm/tcg/translate.c | 19 +++++++++++------
 2 files changed, 43 insertions(+), 19 deletions(-)

diff --git a/target/arm/tcg/op_helper.c b/target/arm/tcg/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/op_helper.c
+++ b/target/arm/tcg/op_helper.c
@@ -XXX,XX +XXX,XX @@ static void msr_mrs_banked_exc_checks(CPUARMState *env, uint32_t tgtmode,
      */
     int curmode = env->uncached_cpsr & CPSR_M;
 
-    if (regno == 17) {
-        /* ELR_Hyp: a special case because access from tgtmode is OK */
-        if (curmode != ARM_CPU_MODE_HYP && curmode != ARM_CPU_MODE_MON) {
-            goto undef;
+    if (tgtmode == ARM_CPU_MODE_HYP) {
+        /*
+         * Handle Hyp target regs first because some are special cases
+         * which don't want the usual "not accessible from tgtmode" check.
+         */
+        switch (regno) {
+        case 16 ... 17: /* ELR_Hyp, SPSR_Hyp */
+            if (curmode != ARM_CPU_MODE_HYP && curmode != ARM_CPU_MODE_MON) {
+                goto undef;
+            }
+            break;
+        case 13:
+            if (curmode != ARM_CPU_MODE_MON) {
+                goto undef;
+            }
+            break;
+        default:
+            g_assert_not_reached();
         }
         return;
     }
@@ -XXX,XX +XXX,XX @@ static void msr_mrs_banked_exc_checks(CPUARMState *env, uint32_t tgtmode,
         }
     }
 
-    if (tgtmode == ARM_CPU_MODE_HYP) {
-        /* SPSR_Hyp, r13_hyp: accessible from Monitor mode only */
-        if (curmode != ARM_CPU_MODE_MON) {
-            goto undef;
-        }
-    }
-
     return;
 
 undef:
@@ -XXX,XX +XXX,XX @@ void HELPER(msr_banked)(CPUARMState *env, uint32_t value, uint32_t tgtmode,
 
     switch (regno) {
     case 16: /* SPSRs */
-        env->banked_spsr[bank_number(tgtmode)] = value;
+        if (tgtmode == (env->uncached_cpsr & CPSR_M)) {
+            /* Only happens for SPSR_Hyp access in Hyp mode */
+            env->spsr = value;
+        } else {
+            env->banked_spsr[bank_number(tgtmode)] = value;
+        }
         break;
     case 17: /* ELR_Hyp */
         env->elr_el[2] = value;
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(mrs_banked)(CPUARMState *env, uint32_t tgtmode, uint32_t regno)
 
     switch (regno) {
     case 16: /* SPSRs */
-        return env->banked_spsr[bank_number(tgtmode)];
+        if (tgtmode == (env->uncached_cpsr & CPSR_M)) {
+            /* Only happens for SPSR_Hyp access in Hyp mode */
+            return env->spsr;
+        } else {
+            return env->banked_spsr[bank_number(tgtmode)];
+        }
     case 17: /* ELR_Hyp */
         return env->elr_el[2];
     case 13:
diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate.c
+++ b/target/arm/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static bool msr_banked_access_decode(DisasContext *s, int r, int sysm, int rn,
         break;
     case ARM_CPU_MODE_HYP:
         /*
-         * SPSR_hyp and r13_hyp can only be accessed from Monitor mode
-         * (and so we can forbid accesses from EL2 or below). elr_hyp
-         * can be accessed also from Hyp mode, so forbid accesses from
-         * EL0 or EL1.
+         * r13_hyp can only be accessed from Monitor mode, and so we
+         * can forbid accesses from EL2 or below.
+         * elr_hyp can be accessed also from Hyp mode, so forbid
+         * accesses from EL0 or EL1.
+         * SPSR_hyp is supposed to be in the same category as r13_hyp
+         * and UNPREDICTABLE if accessed from anything except Monitor
+         * mode. However there is some real-world code that will do
+         * it because at least some hardware happens to permit the
+         * access. (Notably a standard Cortex-R52 startup code fragment
+         * does this.) So we permit SPSR_hyp from Hyp mode also, to allow
+         * this (incorrect) guest code to run.
          */
-        if (!arm_dc_feature(s, ARM_FEATURE_EL2) || s->current_el < 2 ||
-            (s->current_el < 3 && *regno != 17)) {
+        if (!arm_dc_feature(s, ARM_FEATURE_EL2) || s->current_el < 2
+            || (s->current_el < 3 && *regno != 16 && *regno != 17)) {
             goto undef;
         }
         break;
-- 
2.34.1

We currently guard the CFG3 register read with
 (scc_partno(s) == 0x524 && scc_partno(s) == 0x547)
which is clearly wrong as it is never true.

This register is present on all board types except AN524
and AN527; correct the condition.

Fixes: 6ac80818941829c0 ("hw/misc/mps2-scc: Implement changes for AN547")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240206132931.38376-6-peter.maydell@linaro.org
---
 hw/misc/mps2-scc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/misc/mps2-scc.c b/hw/misc/mps2-scc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/mps2-scc.c
+++ b/hw/misc/mps2-scc.c
@@ -XXX,XX +XXX,XX @@ static uint64_t mps2_scc_read(void *opaque, hwaddr offset, unsigned size)
         r = s->cfg2;
         break;
     case A_CFG3:
-        if (scc_partno(s) == 0x524 && scc_partno(s) == 0x547) {
+        if (scc_partno(s) == 0x524 || scc_partno(s) == 0x547) {
             /* CFG3 reserved on AN524 */
             goto bad_offset;
         }
-- 
2.34.1

The MPS SCC device has a lot of different flavours for the various
different MPS FPGA images, which look mostly similar but have
differences in how particular registers are handled.  Currently we
deal with this with a lot of open-coded checks on scc_partno(), but
as we add more board types this is getting a bit hard to read.

Factor out the conditions into some functions which we can
give more descriptive names to.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240206132931.38376-7-peter.maydell@linaro.org
---
 hw/misc/mps2-scc.c | 45 +++++++++++++++++++++++++++++++--------------
 1 file changed, 31 insertions(+), 14 deletions(-)

diff --git a/hw/misc/mps2-scc.c b/hw/misc/mps2-scc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/mps2-scc.c
+++ b/hw/misc/mps2-scc.c
@@ -XXX,XX +XXX,XX @@ static int scc_partno(MPS2SCC *s)
     return extract32(s->id, 4, 8);
 }
 
+/* Is CFG_REG2 present? */
+static bool have_cfg2(MPS2SCC *s)
+{
+    return scc_partno(s) == 0x524 || scc_partno(s) == 0x547;
+}
+
+/* Is CFG_REG3 present? */
+static bool have_cfg3(MPS2SCC *s)
+{
+    return scc_partno(s) != 0x524 && scc_partno(s) != 0x547;
+}
+
+/* Is CFG_REG5 present? */
+static bool have_cfg5(MPS2SCC *s)
+{
+    return scc_partno(s) == 0x524 || scc_partno(s) == 0x547;
+}
+
+/* Is CFG_REG6 present? */
+static bool have_cfg6(MPS2SCC *s)
+{
+    return scc_partno(s) == 0x524;
+}
+
 /* Handle a write via the SYS_CFG channel to the specified function/device.
  * Return false on error (reported to guest via SYS_CFGCTRL ERROR bit).
  */
@@ -XXX,XX +XXX,XX @@ static uint64_t mps2_scc_read(void *opaque, hwaddr offset, unsigned size)
         r = s->cfg1;
         break;
     case A_CFG2:
-        if (scc_partno(s) != 0x524 && scc_partno(s) != 0x547) {
-            /* CFG2 reserved on other boards */
+        if (!have_cfg2(s)) {
             goto bad_offset;
         }
         r = s->cfg2;
         break;
     case A_CFG3:
-        if (scc_partno(s) == 0x524 || scc_partno(s) == 0x547) {
-            /* CFG3 reserved on AN524 */
+        if (!have_cfg3(s)) {
             goto bad_offset;
         }
         /* These are user-settable DIP switches on the board. We don't
@@ -XXX,XX +XXX,XX @@ static uint64_t mps2_scc_read(void *opaque, hwaddr offset, unsigned size)
         r = s->cfg4;
         break;
     case A_CFG5:
-        if (scc_partno(s) != 0x524 && scc_partno(s) != 0x547) {
-            /* CFG5 reserved on other boards */
+        if (!have_cfg5(s)) {
             goto bad_offset;
         }
         r = s->cfg5;
         break;
     case A_CFG6:
-        if (scc_partno(s) != 0x524) {
-            /* CFG6 reserved on other boards */
+        if (!have_cfg6(s)) {
             goto bad_offset;
         }
         r = s->cfg6;
@@ -XXX,XX +XXX,XX @@ static void mps2_scc_write(void *opaque, hwaddr offset, uint64_t value,
         }
         break;
     case A_CFG2:
-        if (scc_partno(s) != 0x524 && scc_partno(s) != 0x547) {
-            /* CFG2 reserved on other boards */
+        if (!have_cfg2(s)) {
             goto bad_offset;
         }
         /* AN524: QSPI Select signal */
         s->cfg2 = value;
         break;
     case A_CFG5:
-        if (scc_partno(s) != 0x524 && scc_partno(s) != 0x547) {
-            /* CFG5 reserved on other boards */
+        if (!have_cfg5(s)) {
             goto bad_offset;
         }
         /* AN524: ACLK frequency in Hz */
         s->cfg5 = value;
         break;
     case A_CFG6:
-        if (scc_partno(s) != 0x524) {
-            /* CFG6 reserved on other boards */
+        if (!have_cfg6(s)) {
             goto bad_offset;
         }
         /* AN524: Clock divider for BRAM */
-- 
2.34.1

The MPS2 SCC device is broadly the same for all FPGA images, but has
minor differences in the behaviour of the CFG registers depending on
the image. In many cases we don't really care about the functionality
controlled by these registers and a reads-as-written or similar
behaviour is sufficient for the moment.

For the AN536 the required behaviour is:

* A_CFG0 has CPU reset and halt bits
    - implement as reads-as-written for the moment
 * A_CFG1 has flash or ATCM address 0 remap handling
    - QEMU doesn't model this; implement as reads-as-written
 * A_CFG2 has QSPI select (like AN524)
    - implemented (no behaviour, as with AN524)
 * A_CFG3 is MCC_MSB_ADDR "additional MCC addressing bits"
    - QEMU doesn't care about these, so use the existing
      RAZ behaviour for convenience
 * A_CFG4 is board rev (like all other images)
    - no change needed
 * A_CFG5 is ACLK frq in hz (like AN524)
    - implemented as reads-as-written, as for other boards
 * A_CFG6 is core 0 vector table base address
    - implemented as reads-as-written for the moment
 * A_CFG7 is core 1 vector table base address
    - implemented as reads-as-written for the moment

Make the changes necessary for this; leave TODO comments where
appropriate to indicate where we might want to come back and
implement things like CPU reset.

The other aspects of the device specific to this FPGA image (like the
values of the board ID and similar registers) will be set via the
device's qdev properties.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240206132931.38376-8-peter.maydell@linaro.org
---
 include/hw/misc/mps2-scc.h |   1 +
 hw/misc/mps2-scc.c         | 101 +++++++++++++++++++++++++++++++++----
 2 files changed, 92 insertions(+), 10 deletions(-)

diff --git a/include/hw/misc/mps2-scc.h b/include/hw/misc/mps2-scc.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/misc/mps2-scc.h
+++ b/include/hw/misc/mps2-scc.h
@@ -XXX,XX +XXX,XX @@ struct MPS2SCC {
     uint32_t cfg4;
     uint32_t cfg5;
     uint32_t cfg6;
+    uint32_t cfg7;
     uint32_t cfgdata_rtn;
     uint32_t cfgdata_out;
     uint32_t cfgctrl;
diff --git a/hw/misc/mps2-scc.c b/hw/misc/mps2-scc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/mps2-scc.c
+++ b/hw/misc/mps2-scc.c
@@ -XXX,XX +XXX,XX @@ REG32(CFG3, 0xc)
 REG32(CFG4, 0x10)
 REG32(CFG5, 0x14)
 REG32(CFG6, 0x18)
+REG32(CFG7, 0x1c)
 REG32(CFGDATA_RTN, 0xa0)
 REG32(CFGDATA_OUT, 0xa4)
 REG32(CFGCTRL, 0xa8)
@@ -XXX,XX +XXX,XX @@ static int scc_partno(MPS2SCC *s)
 /* Is CFG_REG2 present? */
 static bool have_cfg2(MPS2SCC *s)
 {
-    return scc_partno(s) == 0x524 || scc_partno(s) == 0x547;
+    return scc_partno(s) == 0x524 || scc_partno(s) == 0x547 ||
+        scc_partno(s) == 0x536;
 }
 
 /* Is CFG_REG3 present? */
 static bool have_cfg3(MPS2SCC *s)
 {
-    return scc_partno(s) != 0x524 && scc_partno(s) != 0x547;
+    return scc_partno(s) != 0x524 && scc_partno(s) != 0x547 &&
+        scc_partno(s) != 0x536;
 }
 
 /* Is CFG_REG5 present? */
 static bool have_cfg5(MPS2SCC *s)
 {
-    return scc_partno(s) == 0x524 || scc_partno(s) == 0x547;
+    return scc_partno(s) == 0x524 || scc_partno(s) == 0x547 ||
+        scc_partno(s) == 0x536;
 }
 
 /* Is CFG_REG6 present? */
 static bool have_cfg6(MPS2SCC *s)
 {
-    return scc_partno(s) == 0x524;
+    return scc_partno(s) == 0x524 || scc_partno(s) == 0x536;
+}
+
+/* Is CFG_REG7 present? */
+static bool have_cfg7(MPS2SCC *s)
+{
+    return scc_partno(s) == 0x536;
+}
+
+/* Does CFG_REG0 drive the 'remap' GPIO output? */
+static bool cfg0_is_remap(MPS2SCC *s)
+{
+    return scc_partno(s) != 0x536;
+}
+
+/* Is CFG_REG1 driving a set of LEDs? */
+static bool cfg1_is_leds(MPS2SCC *s)
+{
+    return scc_partno(s) != 0x536;
 }
 
 /* Handle a write via the SYS_CFG channel to the specified function/device.
@@ -XXX,XX +XXX,XX @@ static uint64_t mps2_scc_read(void *opaque, hwaddr offset, unsigned size)
         if (!have_cfg3(s)) {
             goto bad_offset;
         }
-        /* These are user-settable DIP switches on the board. We don't
+        /*
+         * These are user-settable DIP switches on the board. We don't
          * model that, so just return zeroes.
+         *
+         * TODO: for AN536 this is MCC_MSB_ADDR "additional MCC addressing
+         * bits". These change which part of the DDR4 the motherboard
+         * configuration controller can see in its memory map (see the
+         * appnote section 2.4). QEMU doesn't model the MCC at all, so these
+         * bits are not interesting to us; read-as-zero is as good as anything
+         * else.
          */
         r = 0;
         break;
@@ -XXX,XX +XXX,XX @@ static uint64_t mps2_scc_read(void *opaque, hwaddr offset, unsigned size)
         }
         r = s->cfg6;
         break;
+    case A_CFG7:
+        if (!have_cfg7(s)) {
+            goto bad_offset;
+        }
+        r = s->cfg7;
+        break;
     case A_CFGDATA_RTN:
         r = s->cfgdata_rtn;
         break;
@@ -XXX,XX +XXX,XX @@ static void mps2_scc_write(void *opaque, hwaddr offset, uint64_t value,
          * we always reflect bit 0 in the 'remap' GPIO output line,
          * and let the board wire it up or not as it chooses.
          * TODO on some boards bit 1 is CPU_WAIT.
+         *
+         * TODO: on the AN536 this register controls reset and halt
+         * for both CPUs. For the moment we don't implement this, so the
+         * register just reads as written.
          */
         s->cfg0 = value;
-        qemu_set_irq(s->remap, s->cfg0 & 1);
+        if (cfg0_is_remap(s)) {
+            qemu_set_irq(s->remap, s->cfg0 & 1);
+        }
         break;
     case A_CFG1:
         s->cfg1 = value;
-        for (size_t i = 0; i < ARRAY_SIZE(s->led); i++) {
-            led_set_state(s->led[i], extract32(value, i, 1));
+        /*
+         * On most boards this register drives LEDs.
+         *
+         * TODO: for AN536 this controls whether flash and ATCM are
+         * enabled or disabled on reset. QEMU doesn't model this, and
+         * always wires up RAM in the ATCM area and ROM in the flash area.
+         */
+        if (cfg1_is_leds(s)) {
+            for (size_t i = 0; i < ARRAY_SIZE(s->led); i++) {
+                led_set_state(s->led[i], extract32(value, i, 1));
+            }
         }
         break;
     case A_CFG2:
         if (!have_cfg2(s)) {
             goto bad_offset;
         }
-        /* AN524: QSPI Select signal */
+        /* AN524, AN536: QSPI Select signal */
         s->cfg2 = value;
         break;
     case A_CFG5:
         if (!have_cfg5(s)) {
             goto bad_offset;
         }
-        /* AN524: ACLK frequency in Hz */
+        /* AN524, AN536: ACLK frequency in Hz */
         s->cfg5 = value;
         break;
     case A_CFG6:
@@ -XXX,XX +XXX,XX @@ static void mps2_scc_write(void *opaque, hwaddr offset, uint64_t value,
             goto bad_offset;
         }
         /* AN524: Clock divider for BRAM */
+        /* AN536: Core 0 vector table base address */
+        s->cfg6 = value;
+        break;
+    case A_CFG7:
+        if (!have_cfg7(s)) {
+            goto bad_offset;
+        }
+        /* AN536: Core 1 vector table base address */
         s->cfg6 = value;
         break;
     case A_CFGDATA_OUT:
@@ -XXX,XX +XXX,XX @@ static void mps2_scc_finalize(Object *obj)
     g_free(s->oscclk_reset);
 }
 
+static bool cfg7_needed(void *opaque)
+{
+    MPS2SCC *s = opaque;
+
+    return have_cfg7(s);
+}
+
+static const VMStateDescription vmstate_cfg7 = {
+    .name = "mps2-scc/cfg7",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .needed = cfg7_needed,
+    .fields = (const VMStateField[]) {
+        VMSTATE_UINT32(cfg7, MPS2SCC),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription mps2_scc_vmstate = {
     .name = "mps2-scc",
     .version_id = 3,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription mps2_scc_vmstate = {
         VMSTATE_VARRAY_UINT32(oscclk, MPS2SCC, num_oscclk,
                               0, vmstate_info_uint32, uint32_t),
         VMSTATE_END_OF_LIST()
+    },
+    .subsections = (const VMStateDescription * const []) {
+        &vmstate_cfg7,
+        NULL
     }
 };
 
-- 
2.34.1

The AN536 is another FPGA image for the MPS3 development board. Unlike
the existing FPGA images we already model, this board uses a Cortex-R
family CPU, and it does not use any equivalent to the M-profile
"Subsystem for Embedded" SoC-equivalent that we model in hw/arm/armsse.c.
It's therefore more convenient for us to model it as a completely
separate C file.

This commit adds the basic skeleton of the board model, and the
code to create all the RAM and ROM. We assume that we're probably
going to want to add more images in future, so use the same
base class/subclass setup that mps2-tz.c uses, even though at
the moment there's only a single subclass.

Following commits will add the CPUs and the peripherals.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240206132931.38376-9-peter.maydell@linaro.org
---
 MAINTAINERS                             |   3 +-
 configs/devices/arm-softmmu/default.mak |   1 +
 hw/arm/mps3r.c                          | 239 ++++++++++++++++++++++++
 hw/arm/Kconfig                          |   5 +
 hw/arm/meson.build                      |   1 +
 5 files changed, 248 insertions(+), 1 deletion(-)
 create mode 100644 hw/arm/mps3r.c

diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: include/hw/misc/imx7_*.h
 F: hw/pci-host/designware.c
 F: include/hw/pci-host/designware.h
 
-MPS2
+MPS2 / MPS3
 M: Peter Maydell <peter.maydell@linaro.org>
 L: qemu-arm@nongnu.org
 S: Maintained
 F: hw/arm/mps2.c
 F: hw/arm/mps2-tz.c
+F: hw/arm/mps3r.c
 F: hw/misc/mps2-*.c
 F: include/hw/misc/mps2-*.h
 F: hw/arm/armsse.c
diff --git a/configs/devices/arm-softmmu/default.mak b/configs/devices/arm-softmmu/default.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/devices/arm-softmmu/default.mak
+++ b/configs/devices/arm-softmmu/default.mak
@@ -XXX,XX +XXX,XX @@ CONFIG_ARM_VIRT=y
 # CONFIG_INTEGRATOR=n
 # CONFIG_FSL_IMX31=n
 # CONFIG_MUSICPAL=n
+# CONFIG_MPS3R=n
 # CONFIG_MUSCA=n
 # CONFIG_CHEETAH=n
 # CONFIG_SX1=n
diff --git a/hw/arm/mps3r.c b/hw/arm/mps3r.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/mps3r.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Arm MPS3 board emulation for Cortex-R-based FPGA images.
+ * (For M-profile images see mps2.c and mps2tz.c.)
+ *
+ * Copyright (c) 2017 Linaro Limited
+ * Written by Peter Maydell
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 or
+ *  (at your option) any later version.
+ */
+
+/*
+ * The MPS3 is an FPGA based dev board. This file handles FPGA images
+ * which use the Cortex-R CPUs. We model these separately from the
+ * M-profile images, because on M-profile the FPGA image is based on
+ * a "Subsystem for Embedded" which is similar to an SoC, whereas
+ * the R-profile FPGA images don't have that abstraction layer.
+ *
+ * We model the following FPGA images here:
+ *  "mps3-an536" -- dual Cortex-R52 as documented in Arm Application Note AN536
+ *
+ * Application Note AN536:
+ * https://developer.arm.com/documentation/dai0536/latest/
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "qapi/error.h"
+#include "exec/address-spaces.h"
+#include "cpu.h"
+#include "hw/boards.h"
+#include "hw/arm/boot.h"
+
+/* Define the layout of RAM and ROM in a board */
+typedef struct RAMInfo {
+    const char *name;
+    hwaddr base;
+    hwaddr size;
+    int mrindex; /* index into rams[]; -1 for the system RAM block */
+    int flags;
+} RAMInfo;
+
+/*
+ * The MPS3 DDR is 3GiB, but on a 32-bit host QEMU doesn't permit
+ * emulation of that much guest RAM, so artificially make it smaller.
+ */
+#if HOST_LONG_BITS == 32
+#define MPS3_DDR_SIZE (1 * GiB)
+#else
+#define MPS3_DDR_SIZE (3 * GiB)
+#endif
+
+/*
+ * Flag values:
+ * IS_MAIN: this is the main machine RAM
+ * IS_ROM: this area is read-only
+ */
+#define IS_MAIN 1
+#define IS_ROM 2
+
+#define MPS3R_RAM_MAX 9
+
+typedef enum MPS3RFPGAType {
+    FPGA_AN536,
+} MPS3RFPGAType;
+
+struct MPS3RMachineClass {
+    MachineClass parent;
+    MPS3RFPGAType fpga_type;
+    const RAMInfo *raminfo;
+};
+
+struct MPS3RMachineState {
+    MachineState parent;
+    MemoryRegion ram[MPS3R_RAM_MAX];
+};
+
+#define TYPE_MPS3R_MACHINE "mps3r"
+#define TYPE_MPS3R_AN536_MACHINE MACHINE_TYPE_NAME("mps3-an536")
+
+OBJECT_DECLARE_TYPE(MPS3RMachineState, MPS3RMachineClass, MPS3R_MACHINE)
+
+static const RAMInfo an536_raminfo[] = {
+    {
+        .name = "ATCM",
+        .base = 0x00000000,
+        .size = 0x00008000,
+        .mrindex = 0,
+    }, {
+        /* We model the QSPI flash as simple ROM for now */
+        .name = "QSPI",
+        .base = 0x08000000,
+        .size = 0x00800000,
+        .flags = IS_ROM,
+        .mrindex = 1,
+    }, {
+        .name = "BRAM",
+        .base = 0x10000000,
+        .size = 0x00080000,
+        .mrindex = 2,
+    }, {
+        .name = "DDR",
+        .base = 0x20000000,
+        .size = MPS3_DDR_SIZE,
+        .mrindex = -1,
+    }, {
+        .name = "ATCM0",
+        .base = 0xee000000,
+        .size = 0x00008000,
+        .mrindex = 3,
+    }, {
+        .name = "BTCM0",
+        .base = 0xee100000,
+        .size = 0x00008000,
+        .mrindex = 4,
+    }, {
+        .name = "CTCM0",
+        .base = 0xee200000,
+        .size = 0x00008000,
+        .mrindex = 5,
+    }, {
+        .name = "ATCM1",
+        .base = 0xee400000,
+        .size = 0x00008000,
+        .mrindex = 6,
+    }, {
+        .name = "BTCM1",
+        .base = 0xee500000,
+        .size = 0x00008000,
+        .mrindex = 7,
+    }, {
+        .name = "CTCM1",
+        .base = 0xee600000,
+        .size = 0x00008000,
+        .mrindex = 8,
+    }, {
+        .name = NULL,
+    }
+};
+
+static MemoryRegion *mr_for_raminfo(MPS3RMachineState *mms,
+                                    const RAMInfo *raminfo)
+{
+    /* Return an initialized MemoryRegion for the RAMInfo. */
+    MemoryRegion *ram;
+
+    if (raminfo->mrindex < 0) {
+        /* Means this RAMInfo is for QEMU's "system memory" */
+        MachineState *machine = MACHINE(mms);
+        assert(!(raminfo->flags & IS_ROM));
+        return machine->ram;
+    }
+
+    assert(raminfo->mrindex < MPS3R_RAM_MAX);
+    ram = &mms->ram[raminfo->mrindex];
+
+    memory_region_init_ram(ram, NULL, raminfo->name,
+                           raminfo->size, &error_fatal);
+    if (raminfo->flags & IS_ROM) {
+        memory_region_set_readonly(ram, true);
+    }
+    return ram;
+}
+
+static void mps3r_common_init(MachineState *machine)
+{
+    MPS3RMachineState *mms = MPS3R_MACHINE(machine);
+    MPS3RMachineClass *mmc = MPS3R_MACHINE_GET_CLASS(mms);
+    MemoryRegion *sysmem = get_system_memory();
+
+    for (const RAMInfo *ri = mmc->raminfo; ri->name; ri++) {
+        MemoryRegion *mr = mr_for_raminfo(mms, ri);
+        memory_region_add_subregion(sysmem, ri->base, mr);
+    }
+}
+
+static void mps3r_set_default_ram_info(MPS3RMachineClass *mmc)
+{
+    /*
+     * Set mc->default_ram_size and default_ram_id from the
+     * information in mmc->raminfo.
+     */
+    MachineClass *mc = MACHINE_CLASS(mmc);
+    const RAMInfo *p;
+
+    for (p = mmc->raminfo; p->name; p++) {
+        if (p->mrindex < 0) {
+            /* Found the entry for "system memory" */
+            mc->default_ram_size = p->size;
+            mc->default_ram_id = p->name;
+            return;
+        }
+    }
+    g_assert_not_reached();
+}
+
+static void mps3r_class_init(ObjectClass *oc, void *data)
+{
+    MachineClass *mc = MACHINE_CLASS(oc);
+
+    mc->init = mps3r_common_init;
+}
+
+static void mps3r_an536_class_init(ObjectClass *oc, void *data)
+{
+    MachineClass *mc = MACHINE_CLASS(oc);
+    MPS3RMachineClass *mmc = MPS3R_MACHINE_CLASS(oc);
+    static const char * const valid_cpu_types[] = {
+        ARM_CPU_TYPE_NAME("cortex-r52"),
+        NULL
+    };
+
+    mc->desc = "ARM MPS3 with AN536 FPGA image for Cortex-R52";
+    mc->default_cpus = 2;
+    mc->min_cpus = mc->default_cpus;
+    mc->max_cpus = mc->default_cpus;
+    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-r52");
+    mc->valid_cpu_types = valid_cpu_types;
+    mmc->raminfo = an536_raminfo;
+    mps3r_set_default_ram_info(mmc);
+}
+
+static const TypeInfo mps3r_machine_types[] = {
+    {
+        .name = TYPE_MPS3R_MACHINE,
+        .parent = TYPE_MACHINE,
+        .abstract = true,
+        .instance_size = sizeof(MPS3RMachineState),
+        .class_size = sizeof(MPS3RMachineClass),
+        .class_init = mps3r_class_init,
+    }, {
+        .name = TYPE_MPS3R_AN536_MACHINE,
+        .parent = TYPE_MPS3R_MACHINE,
+        .class_init = mps3r_an536_class_init,
+    },
+};
+
+DEFINE_TYPES(mps3r_machine_types);
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -XXX,XX +XXX,XX @@ config MAINSTONE
     select PFLASH_CFI01
     select SMC91C111
 
+config MPS3R
+    bool
+    default y
+    depends on TCG && ARM
+
 config MUSCA
     bool
     default y
diff --git a/hw/arm/meson.build b/hw/arm/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/meson.build
+++ b/hw/arm/meson.build
@@ -XXX,XX +XXX,XX @@ arm_ss.add(when: 'CONFIG_HIGHBANK', if_true: files('highbank.c'))
 arm_ss.add(when: 'CONFIG_INTEGRATOR', if_true: files('integratorcp.c'))
 arm_ss.add(when: 'CONFIG_MAINSTONE', if_true: files('mainstone.c'))
 arm_ss.add(when: 'CONFIG_MICROBIT', if_true: files('microbit.c'))
+arm_ss.add(when: 'CONFIG_MPS3R', if_true: files('mps3r.c'))
 arm_ss.add(when: 'CONFIG_MUSICPAL', if_true: files('musicpal.c'))
 arm_ss.add(when: 'CONFIG_NETDUINOPLUS2', if_true: files('netduinoplus2.c'))
 arm_ss.add(when: 'CONFIG_OLIMEX_STM32_H405', if_true: files('olimex-stm32-h405.c'))
-- 
2.34.1

Create the CPUs, the GIC, and the per-CPU RAM block for
the mps3-an536 board.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20240206132931.38376-10-peter.maydell@linaro.org
---
 hw/arm/mps3r.c | 180 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 177 insertions(+), 3 deletions(-)

diff --git a/hw/arm/mps3r.c b/hw/arm/mps3r.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mps3r.c
+++ b/hw/arm/mps3r.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qemu/units.h"
 #include "qapi/error.h"
+#include "qapi/qmp/qlist.h"
 #include "exec/address-spaces.h"
 #include "cpu.h"
 #include "hw/boards.h"
+#include "hw/qdev-properties.h"
 #include "hw/arm/boot.h"
+#include "hw/arm/bsa.h"
+#include "hw/intc/arm_gicv3.h"
 
 /* Define the layout of RAM and ROM in a board */
 typedef struct RAMInfo {
@@ -XXX,XX +XXX,XX @@ typedef struct RAMInfo {
 #define IS_ROM 2
 
 #define MPS3R_RAM_MAX 9
+#define MPS3R_CPU_MAX 2
+
+#define PERIPHBASE 0xf0000000
+#define NUM_SPIS 96
 
 typedef enum MPS3RFPGAType {
     FPGA_AN536,
@@ -XXX,XX +XXX,XX @@ struct MPS3RMachineClass {
     MachineClass parent;
     MPS3RFPGAType fpga_type;
     const RAMInfo *raminfo;
+    hwaddr loader_start;
 };
 
 struct MPS3RMachineState {
     MachineState parent;
+    struct arm_boot_info bootinfo;
     MemoryRegion ram[MPS3R_RAM_MAX];
+    Object *cpu[MPS3R_CPU_MAX];
+    MemoryRegion cpu_sysmem[MPS3R_CPU_MAX];
+    MemoryRegion sysmem_alias[MPS3R_CPU_MAX];
+    MemoryRegion cpu_ram[MPS3R_CPU_MAX];
+    GICv3State gic;
 };
 
 #define TYPE_MPS3R_MACHINE "mps3r"
@@ -XXX,XX +XXX,XX @@ static MemoryRegion *mr_for_raminfo(MPS3RMachineState *mms,
     return ram;
 }
 
+/*
+ * There is no defined secondary boot protocol for Linux for the AN536,
+ * because real hardware has a restriction that atomic operations between
+ * the two CPUs do not function correctly, and so true SMP is not
+ * possible. Therefore for cases where the user is directly booting
+ * a kernel, we treat the system as essentially uniprocessor, and
+ * put the secondary CPU into power-off state (as if the user on the
+ * real hardware had configured the secondary to be halted via the
+ * SCC config registers).
+ *
+ * Note that the default secondary boot code would not work here anyway
+ * as it assumes a GICv2, and we have a GICv3.
+ */
+static void mps3r_write_secondary_boot(ARMCPU *cpu,
+                                       const struct arm_boot_info *info)
+{
+    /*
+     * Power the secondary CPU off. This means we don't need to write any
+     * boot code into guest memory. Note that the 'cpu' argument to this
+     * function is the primary CPU we passed to arm_load_kernel(), not
+     * the secondary. Loop around all the other CPUs, as the boot.c
+     * code does for the "disable secondaries if PSCI is enabled" case.
+     */
+    for (CPUState *cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
+        if (cs != first_cpu) {
+            object_property_set_bool(OBJECT(cs), "start-powered-off", true,
+                                     &error_abort);
+        }
+    }
+}
+
+static void mps3r_secondary_cpu_reset(ARMCPU *cpu,
+                                      const struct arm_boot_info *info)
+{
+    /* We don't need to do anything here because the CPU will be off */
+}
+
+static void create_gic(MPS3RMachineState *mms, MemoryRegion *sysmem)
+{
+    MachineState *machine = MACHINE(mms);
+    DeviceState *gicdev;
+    QList *redist_region_count;
+
+    object_initialize_child(OBJECT(mms), "gic", &mms->gic, TYPE_ARM_GICV3);
+    gicdev = DEVICE(&mms->gic);
+    qdev_prop_set_uint32(gicdev, "num-cpu", machine->smp.cpus);
+    qdev_prop_set_uint32(gicdev, "num-irq", NUM_SPIS + GIC_INTERNAL);
+    redist_region_count = qlist_new();
+    qlist_append_int(redist_region_count, machine->smp.cpus);
+    qdev_prop_set_array(gicdev, "redist-region-count", redist_region_count);
+    object_property_set_link(OBJECT(&mms->gic), "sysmem",
+                             OBJECT(sysmem), &error_fatal);
+    sysbus_realize(SYS_BUS_DEVICE(&mms->gic), &error_fatal);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->gic), 0, PERIPHBASE);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->gic), 1, PERIPHBASE + 0x100000);
+    /*
+     * Wire the outputs from each CPU's generic timer and the GICv3
+     * maintenance interrupt signal to the appropriate GIC PPI inputs,
+     * and the GIC's IRQ/FIQ/VIRQ/VFIQ interrupt outputs to the CPU's inputs.
+     */
+    for (int i = 0; i < machine->smp.cpus; i++) {
+        DeviceState *cpudev = DEVICE(mms->cpu[i]);
+        SysBusDevice *gicsbd = SYS_BUS_DEVICE(&mms->gic);
+        int intidbase = NUM_SPIS + i * GIC_INTERNAL;
+        int irq;
+        /*
+         * Mapping from the output timer irq lines from the CPU to the
+         * GIC PPI inputs used for this board. This isn't a BSA board,
+         * but it uses the standard convention for the PPI numbers.
+         */
+        const int timer_irq[] = {
+            [GTIMER_PHYS] = ARCH_TIMER_NS_EL1_IRQ,
+            [GTIMER_VIRT] = ARCH_TIMER_VIRT_IRQ,
+            [GTIMER_HYP]  = ARCH_TIMER_NS_EL2_IRQ,
+        };
+
+        for (irq = 0; irq < ARRAY_SIZE(timer_irq); irq++) {
+            qdev_connect_gpio_out(cpudev, irq,
+                                  qdev_get_gpio_in(gicdev,
+                                                   intidbase + timer_irq[irq]));
+        }
+
+        qdev_connect_gpio_out_named(cpudev, "gicv3-maintenance-interrupt", 0,
+                                    qdev_get_gpio_in(gicdev,
+                                                     intidbase + ARCH_GIC_MAINT_IRQ));
+
+        qdev_connect_gpio_out_named(cpudev, "pmu-interrupt", 0,
+                                    qdev_get_gpio_in(gicdev,
+                                                     intidbase + VIRTUAL_PMU_IRQ));
+
+        sysbus_connect_irq(gicsbd, i,
+                           qdev_get_gpio_in(cpudev, ARM_CPU_IRQ));
+        sysbus_connect_irq(gicsbd, i + machine->smp.cpus,
+                           qdev_get_gpio_in(cpudev, ARM_CPU_FIQ));
+        sysbus_connect_irq(gicsbd, i + 2 * machine->smp.cpus,
+                           qdev_get_gpio_in(cpudev, ARM_CPU_VIRQ));
+        sysbus_connect_irq(gicsbd, i + 3 * machine->smp.cpus,
+                           qdev_get_gpio_in(cpudev, ARM_CPU_VFIQ));
+    }
+}
+
 static void mps3r_common_init(MachineState *machine)
 {
     MPS3RMachineState *mms = MPS3R_MACHINE(machine);
@@ -XXX,XX +XXX,XX @@ static void mps3r_common_init(MachineState *machine)
         MemoryRegion *mr = mr_for_raminfo(mms, ri);
         memory_region_add_subregion(sysmem, ri->base, mr);
     }
+
+    assert(machine->smp.cpus <= MPS3R_CPU_MAX);
+    for (int i = 0; i < machine->smp.cpus; i++) {
+        g_autofree char *sysmem_name = g_strdup_printf("cpu-%d-memory", i);
+        g_autofree char *ramname = g_strdup_printf("cpu-%d-memory", i);
+        g_autofree char *alias_name = g_strdup_printf("sysmem-alias-%d", i);
+
+        /*
+         * Each CPU has some private RAM/peripherals, so create the container
+         * which will house those, with the whole-machine system memory being
+         * used where there's no CPU-specific device. Note that we need the
+         * sysmem_alias aliases because we can't put one MR (the original
+         * 'sysmem') into more than one other MR.
+         */
+        memory_region_init(&mms->cpu_sysmem[i], OBJECT(machine),
+                           sysmem_name, UINT64_MAX);
+        memory_region_init_alias(&mms->sysmem_alias[i], OBJECT(machine),
+                                 alias_name, sysmem, 0, UINT64_MAX);
+        memory_region_add_subregion_overlap(&mms->cpu_sysmem[i], 0,
+                                            &mms->sysmem_alias[i], -1);
+
+        mms->cpu[i] = object_new(machine->cpu_type);
+        object_property_set_link(mms->cpu[i], "memory",
+                                 OBJECT(&mms->cpu_sysmem[i]), &error_abort);
+        object_property_set_int(mms->cpu[i], "reset-cbar",
+                                PERIPHBASE, &error_abort);
+        qdev_realize(DEVICE(mms->cpu[i]), NULL, &error_fatal);
+        object_unref(mms->cpu[i]);
+
+        /* Per-CPU RAM */
+        memory_region_init_ram(&mms->cpu_ram[i], NULL, ramname,
+                               0x1000, &error_fatal);
+        memory_region_add_subregion(&mms->cpu_sysmem[i], 0xe7c01000,
+                                    &mms->cpu_ram[i]);
+    }
+
+    create_gic(mms, sysmem);
+
+    mms->bootinfo.ram_size = machine->ram_size;
+    mms->bootinfo.board_id = -1;
+    mms->bootinfo.loader_start = mmc->loader_start;
+    mms->bootinfo.write_secondary_boot = mps3r_write_secondary_boot;
+    mms->bootinfo.secondary_cpu_reset_hook = mps3r_secondary_cpu_reset;
+    arm_load_kernel(ARM_CPU(mms->cpu[0]), machine, &mms->bootinfo);
 }
 
 static void mps3r_set_default_ram_info(MPS3RMachineClass *mmc)
@@ -XXX,XX +XXX,XX @@ static void mps3r_set_default_ram_info(MPS3RMachineClass *mmc)
             /* Found the entry for "system memory" */
             mc->default_ram_size = p->size;
             mc->default_ram_id = p->name;
+            mmc->loader_start = p->base;
             return;
         }
     }
@@ -XXX,XX +XXX,XX @@ static void mps3r_an536_class_init(ObjectClass *oc, void *data)
     };
 
     mc->desc = "ARM MPS3 with AN536 FPGA image for Cortex-R52";
-    mc->default_cpus = 2;
-    mc->min_cpus = mc->default_cpus;
-    mc->max_cpus = mc->default_cpus;
+    /*
+     * In the real FPGA image there are always two cores, but the standard
+     * initial setting for the SCC SYSCON 0x000 register is 0x21, meaning
+     * that the second core is held in reset and halted. Many images built for
+     * the board do not expect the second core to run at startup (especially
+     * since on the real FPGA image it is not possible to use LDREX/STREX
+     * in RAM between the two cores, so a true SMP setup isn't supported).
+     *
+     * As QEMU's equivalent of this, we support both -smp 1 and -smp 2,
+     * with the default being -smp 1. This seems a more intuitive UI for
+     * QEMU users than, for instance, having a machine property to allow
+     * the user to set the initial value of the SYSCON 0x000 register.
+     */
+    mc->default_cpus = 1;
+    mc->min_cpus = 1;
+    mc->max_cpus = 2;
     mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-r52");
     mc->valid_cpu_types = valid_cpu_types;
     mmc->raminfo = an536_raminfo;
-- 
2.34.1

This board has a lot of UARTs: there is one UART per CPU in the
per-CPU peripheral part of the address map, whose interrupts are
connected as per-CPU interrupt lines.  Then there are 4 UARTs in the
normal part of the peripheral space, whose interrupts are shared
peripheral interrupts.

Connect and wire them all up; this involves some OR gates where
multiple overflow interrupts are wired into one GIC input.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240206132931.38376-11-peter.maydell@linaro.org
---
 hw/arm/mps3r.c | 94 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/hw/arm/mps3r.c b/hw/arm/mps3r.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mps3r.c
+++ b/hw/arm/mps3r.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/qmp/qlist.h"
 #include "exec/address-spaces.h"
 #include "cpu.h"
+#include "sysemu/sysemu.h"
 #include "hw/boards.h"
+#include "hw/or-irq.h"
 #include "hw/qdev-properties.h"
 #include "hw/arm/boot.h"
 #include "hw/arm/bsa.h"
+#include "hw/char/cmsdk-apb-uart.h"
 #include "hw/intc/arm_gicv3.h"
 
 /* Define the layout of RAM and ROM in a board */
@@ -XXX,XX +XXX,XX @@ typedef struct RAMInfo {
 
 #define MPS3R_RAM_MAX 9
 #define MPS3R_CPU_MAX 2
+#define MPS3R_UART_MAX 4 /* shared UART count */
 
 #define PERIPHBASE 0xf0000000
 #define NUM_SPIS 96
@@ -XXX,XX +XXX,XX @@ struct MPS3RMachineState {
     MemoryRegion sysmem_alias[MPS3R_CPU_MAX];
     MemoryRegion cpu_ram[MPS3R_CPU_MAX];
     GICv3State gic;
+    /* per-CPU UARTs followed by the shared UARTs */
+    CMSDKAPBUART uart[MPS3R_CPU_MAX + MPS3R_UART_MAX];
+    OrIRQState cpu_uart_oflow[MPS3R_CPU_MAX];
+    OrIRQState uart_oflow;
 };
 
 #define TYPE_MPS3R_MACHINE "mps3r"
@@ -XXX,XX +XXX,XX @@ struct MPS3RMachineState {
 
 OBJECT_DECLARE_TYPE(MPS3RMachineState, MPS3RMachineClass, MPS3R_MACHINE)
 
+/*
+ * Main clock frequency CLK in Hz (50MHz). In the image there are also
+ * ACLK, MCLK, GPUCLK and PERIPHCLK at the same frequency; for our
+ * model we just roll them all into one.
+ */
+#define CLK_FRQ 50000000
+
 static const RAMInfo an536_raminfo[] = {
     {
         .name = "ATCM",
@@ -XXX,XX +XXX,XX @@ static void create_gic(MPS3RMachineState *mms, MemoryRegion *sysmem)
     }
 }
 
+/*
+ * Create UART uartno, and map it into the MemoryRegion mem at address baseaddr.
+ * The qemu_irq arguments are where we connect the various IRQs from the UART.
+ */
+static void create_uart(MPS3RMachineState *mms, int uartno, MemoryRegion *mem,
+                        hwaddr baseaddr, qemu_irq txirq, qemu_irq rxirq,
+                        qemu_irq txoverirq, qemu_irq rxoverirq,
+                        qemu_irq combirq)
+{
+    g_autofree char *s = g_strdup_printf("uart%d", uartno);
+    SysBusDevice *sbd;
+
+    assert(uartno < ARRAY_SIZE(mms->uart));
+    object_initialize_child(OBJECT(mms), s, &mms->uart[uartno],
+                            TYPE_CMSDK_APB_UART);
+    qdev_prop_set_uint32(DEVICE(&mms->uart[uartno]), "pclk-frq", CLK_FRQ);
+    qdev_prop_set_chr(DEVICE(&mms->uart[uartno]), "chardev", serial_hd(uartno));
+    sbd = SYS_BUS_DEVICE(&mms->uart[uartno]);
+    sysbus_realize(sbd, &error_fatal);
+    memory_region_add_subregion(mem, baseaddr,
+                                sysbus_mmio_get_region(sbd, 0));
+    sysbus_connect_irq(sbd, 0, txirq);
+    sysbus_connect_irq(sbd, 1, rxirq);
+    sysbus_connect_irq(sbd, 2, txoverirq);
+    sysbus_connect_irq(sbd, 3, rxoverirq);
+    sysbus_connect_irq(sbd, 4, combirq);
+}
+
 static void mps3r_common_init(MachineState *machine)
 {
     MPS3RMachineState *mms = MPS3R_MACHINE(machine);
     MPS3RMachineClass *mmc = MPS3R_MACHINE_GET_CLASS(mms);
     MemoryRegion *sysmem = get_system_memory();
+    DeviceState *gicdev;
 
     for (const RAMInfo *ri = mmc->raminfo; ri->name; ri++) {
         MemoryRegion *mr = mr_for_raminfo(mms, ri);
@@ -XXX,XX +XXX,XX @@ static void mps3r_common_init(MachineState *machine)
     }
 
     create_gic(mms, sysmem);
+    gicdev = DEVICE(&mms->gic);
+
+    /*
+     * UARTs 0 and 1 are per-CPU; their interrupts are wired to
+     * the relevant CPU's PPI 0..3, aka INTID 16..19
+     */
+    for (int i = 0; i < machine->smp.cpus; i++) {
+        int intidbase = NUM_SPIS + i * GIC_INTERNAL;
+        g_autofree char *s = g_strdup_printf("cpu-uart-oflow-orgate%d", i);
+        DeviceState *orgate;
+
+        /* The two overflow IRQs from the UART are ORed together into PPI 3 */
+        object_initialize_child(OBJECT(mms), s, &mms->cpu_uart_oflow[i],
+                                TYPE_OR_IRQ);
+        orgate = DEVICE(&mms->cpu_uart_oflow[i]);
+        qdev_prop_set_uint32(orgate, "num-lines", 2);
+        qdev_realize(orgate, NULL, &error_fatal);
+        qdev_connect_gpio_out(orgate, 0,
+                              qdev_get_gpio_in(gicdev, intidbase + 19));
+
+        create_uart(mms, i, &mms->cpu_sysmem[i], 0xe7c00000,
+                    qdev_get_gpio_in(gicdev, intidbase + 17), /* tx */
+                    qdev_get_gpio_in(gicdev, intidbase + 16), /* rx */
+                    qdev_get_gpio_in(orgate, 0), /* txover */
+                    qdev_get_gpio_in(orgate, 1), /* rxover */
+                    qdev_get_gpio_in(gicdev, intidbase + 18) /* combined */);
+    }
+    /*
+     * UARTs 2 to 5 are whole-system; all overflow IRQs are ORed
+     * together into IRQ 17
+     */
+    object_initialize_child(OBJECT(mms), "uart-oflow-orgate",
+                            &mms->uart_oflow, TYPE_OR_IRQ);
+    qdev_prop_set_uint32(DEVICE(&mms->uart_oflow), "num-lines",
+                         MPS3R_UART_MAX * 2);
+    qdev_realize(DEVICE(&mms->uart_oflow), NULL, &error_fatal);
+    qdev_connect_gpio_out(DEVICE(&mms->uart_oflow), 0,
+                          qdev_get_gpio_in(gicdev, 17));
+
+    for (int i = 0; i < MPS3R_UART_MAX; i++) {
+        hwaddr baseaddr = 0xe0205000 + i * 0x1000;
+        int rxirq = 5 + i * 2, txirq = 6 + i * 2, combirq = 13 + i;
+
+        create_uart(mms, i + MPS3R_CPU_MAX, sysmem, baseaddr,
+                    qdev_get_gpio_in(gicdev, txirq),
+                    qdev_get_gpio_in(gicdev, rxirq),
+                    qdev_get_gpio_in(DEVICE(&mms->uart_oflow), i * 2),
+                    qdev_get_gpio_in(DEVICE(&mms->uart_oflow), i * 2 + 1),
+                    qdev_get_gpio_in(gicdev, combirq));
+    }
 
     mms->bootinfo.ram_size = machine->ram_size;
     mms->bootinfo.board_id = -1;
-- 
2.34.1

Add the GPIO, watchdog, dual-timer and I2C devices to the mps3-an536
board.  These are all simple devices that just need to be created and
wired up.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240206132931.38376-12-peter.maydell@linaro.org
---
 hw/arm/mps3r.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/hw/arm/mps3r.c b/hw/arm/mps3r.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mps3r.c
+++ b/hw/arm/mps3r.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/sysemu.h"
 #include "hw/boards.h"
 #include "hw/or-irq.h"
+#include "hw/qdev-clock.h"
 #include "hw/qdev-properties.h"
 #include "hw/arm/boot.h"
 #include "hw/arm/bsa.h"
 #include "hw/char/cmsdk-apb-uart.h"
+#include "hw/i2c/arm_sbcon_i2c.h"
 #include "hw/intc/arm_gicv3.h"
+#include "hw/misc/unimp.h"
+#include "hw/timer/cmsdk-apb-dualtimer.h"
+#include "hw/watchdog/cmsdk-apb-watchdog.h"
 
 /* Define the layout of RAM and ROM in a board */
 typedef struct RAMInfo {
@@ -XXX,XX +XXX,XX @@ struct MPS3RMachineState {
     CMSDKAPBUART uart[MPS3R_CPU_MAX + MPS3R_UART_MAX];
     OrIRQState cpu_uart_oflow[MPS3R_CPU_MAX];
     OrIRQState uart_oflow;
+    CMSDKAPBWatchdog watchdog;
+    CMSDKAPBDualTimer dualtimer;
+    ArmSbconI2CState i2c[5];
+    Clock *clk;
 };
 
 #define TYPE_MPS3R_MACHINE "mps3r"
@@ -XXX,XX +XXX,XX @@ static void mps3r_common_init(MachineState *machine)
     MemoryRegion *sysmem = get_system_memory();
     DeviceState *gicdev;
 
+    mms->clk = clock_new(OBJECT(machine), "CLK");
+    clock_set_hz(mms->clk, CLK_FRQ);
+
     for (const RAMInfo *ri = mmc->raminfo; ri->name; ri++) {
         MemoryRegion *mr = mr_for_raminfo(mms, ri);
         memory_region_add_subregion(sysmem, ri->base, mr);
@@ -XXX,XX +XXX,XX @@ static void mps3r_common_init(MachineState *machine)
                     qdev_get_gpio_in(gicdev, combirq));
     }
 
+    for (int i = 0; i < 4; i++) {
+        /* CMSDK GPIO controllers */
+        g_autofree char *s = g_strdup_printf("gpio%d", i);
+        create_unimplemented_device(s, 0xe0000000 + i * 0x1000, 0x1000);
+    }
+
+    object_initialize_child(OBJECT(mms), "watchdog", &mms->watchdog,
+                            TYPE_CMSDK_APB_WATCHDOG);
+    qdev_connect_clock_in(DEVICE(&mms->watchdog), "WDOGCLK", mms->clk);
+    sysbus_realize(SYS_BUS_DEVICE(&mms->watchdog), &error_fatal);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&mms->watchdog), 0,
+                       qdev_get_gpio_in(gicdev, 0));
+    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->watchdog), 0, 0xe0100000);
+
+    object_initialize_child(OBJECT(mms), "dualtimer", &mms->dualtimer,
+                            TYPE_CMSDK_APB_DUALTIMER);
+    qdev_connect_clock_in(DEVICE(&mms->dualtimer), "TIMCLK", mms->clk);
+    sysbus_realize(SYS_BUS_DEVICE(&mms->dualtimer), &error_fatal);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&mms->dualtimer), 0,
+                       qdev_get_gpio_in(gicdev, 3));
+    sysbus_connect_irq(SYS_BUS_DEVICE(&mms->dualtimer), 1,
+                       qdev_get_gpio_in(gicdev, 1));
+    sysbus_connect_irq(SYS_BUS_DEVICE(&mms->dualtimer), 2,
+                       qdev_get_gpio_in(gicdev, 2));
+    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->dualtimer), 0, 0xe0101000);
+
+    for (int i = 0; i < ARRAY_SIZE(mms->i2c); i++) {
+        static const hwaddr i2cbase[] = {0xe0102000,    /* Touch */
+                                         0xe0103000,    /* Audio */
+                                         0xe0107000,    /* Shield0 */
+                                         0xe0108000,    /* Shield1 */
+                                         0xe0109000};   /* DDR4 EEPROM */
+        g_autofree char *s = g_strdup_printf("i2c%d", i);
+
+        object_initialize_child(OBJECT(mms), s, &mms->i2c[i],
+                                TYPE_ARM_SBCON_I2C);
+        sysbus_realize(SYS_BUS_DEVICE(&mms->i2c[i]), &error_fatal);
+        sysbus_mmio_map(SYS_BUS_DEVICE(&mms->i2c[i]), 0, i2cbase[i]);
+        if (i != 2 && i != 3) {
+            /*
+             * internal-only bus: mark it full to avoid user-created
+             * i2c devices being plugged into it.
+             */
+            qbus_mark_full(qdev_get_child_bus(DEVICE(&mms->i2c[i]), "i2c"));
+        }
+    }
+
     mms->bootinfo.ram_size = machine->ram_size;
     mms->bootinfo.board_id = -1;
     mms->bootinfo.loader_start = mmc->loader_start;
-- 
2.34.1

Add the remaining devices (or unimplemented-device stubs) for
this board: SPI controllers, SCC, FPGAIO, I2S, RTC, the
QSPI write-config block, and ethernet.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240206132931.38376-13-peter.maydell@linaro.org
---
 hw/arm/mps3r.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)

diff --git a/hw/arm/mps3r.c b/hw/arm/mps3r.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mps3r.c
+++ b/hw/arm/mps3r.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/char/cmsdk-apb-uart.h"
 #include "hw/i2c/arm_sbcon_i2c.h"
 #include "hw/intc/arm_gicv3.h"
+#include "hw/misc/mps2-scc.h"
+#include "hw/misc/mps2-fpgaio.h"
 #include "hw/misc/unimp.h"
+#include "hw/net/lan9118.h"
+#include "hw/rtc/pl031.h"
+#include "hw/ssi/pl022.h"
 #include "hw/timer/cmsdk-apb-dualtimer.h"
 #include "hw/watchdog/cmsdk-apb-watchdog.h"
 
@@ -XXX,XX +XXX,XX @@ struct MPS3RMachineState {
     CMSDKAPBWatchdog watchdog;
     CMSDKAPBDualTimer dualtimer;
     ArmSbconI2CState i2c[5];
+    PL022State spi[3];
+    MPS2SCC scc;
+    MPS2FPGAIO fpgaio;
+    UnimplementedDeviceState i2s_audio;
+    PL031State rtc;
     Clock *clk;
 };
 
@@ -XXX,XX +XXX,XX @@ static const RAMInfo an536_raminfo[] = {
     }
 };
 
+static const int an536_oscclk[] = {
+    24000000, /* 24MHz reference for RTC and timers */
+    50000000, /* 50MHz ACLK */
+    50000000, /* 50MHz MCLK */
+    50000000, /* 50MHz GPUCLK */
+    24576000, /* 24.576MHz AUDCLK */
+    23750000, /* 23.75MHz HDLCDCLK */
+    100000000, /* 100MHz DDR4_REF_CLK */
+};
+
 static MemoryRegion *mr_for_raminfo(MPS3RMachineState *mms,
                                     const RAMInfo *raminfo)
 {
@@ -XXX,XX +XXX,XX @@ static void mps3r_common_init(MachineState *machine)
     MPS3RMachineClass *mmc = MPS3R_MACHINE_GET_CLASS(mms);
     MemoryRegion *sysmem = get_system_memory();
     DeviceState *gicdev;
+    QList *oscclk;
 
     mms->clk = clock_new(OBJECT(machine), "CLK");
     clock_set_hz(mms->clk, CLK_FRQ);
@@ -XXX,XX +XXX,XX @@ static void mps3r_common_init(MachineState *machine)
         }
     }
 
+    for (int i = 0; i < ARRAY_SIZE(mms->spi); i++) {
+        g_autofree char *s = g_strdup_printf("spi%d", i);
+        hwaddr baseaddr = 0xe0104000 + i * 0x1000;
+
+        object_initialize_child(OBJECT(mms), s, &mms->spi[i], TYPE_PL022);
+        sysbus_realize(SYS_BUS_DEVICE(&mms->spi[i]), &error_fatal);
+        sysbus_mmio_map(SYS_BUS_DEVICE(&mms->spi[i]), 0, baseaddr);
+        sysbus_connect_irq(SYS_BUS_DEVICE(&mms->spi[i]), 0,
+                           qdev_get_gpio_in(gicdev, 22 + i));
+    }
+
+    object_initialize_child(OBJECT(mms), "scc", &mms->scc, TYPE_MPS2_SCC);
+    qdev_prop_set_uint32(DEVICE(&mms->scc), "scc-cfg0", 0);
+    qdev_prop_set_uint32(DEVICE(&mms->scc), "scc-cfg4", 0x2);
+    qdev_prop_set_uint32(DEVICE(&mms->scc), "scc-aid", 0x00200008);
+    qdev_prop_set_uint32(DEVICE(&mms->scc), "scc-id", 0x41055360);
+    oscclk = qlist_new();
+    for (int i = 0; i < ARRAY_SIZE(an536_oscclk); i++) {
+        qlist_append_int(oscclk, an536_oscclk[i]);
+    }
+    qdev_prop_set_array(DEVICE(&mms->scc), "oscclk", oscclk);
+    sysbus_realize(SYS_BUS_DEVICE(&mms->scc), &error_fatal);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->scc), 0, 0xe0200000);
+
+    create_unimplemented_device("i2s-audio", 0xe0201000, 0x1000);
+
+    object_initialize_child(OBJECT(mms), "fpgaio", &mms->fpgaio,
+                            TYPE_MPS2_FPGAIO);
+    qdev_prop_set_uint32(DEVICE(&mms->fpgaio), "prescale-clk", an536_oscclk[1]);
+    qdev_prop_set_uint32(DEVICE(&mms->fpgaio), "num-leds", 10);
+    qdev_prop_set_bit(DEVICE(&mms->fpgaio), "has-switches", true);
+    qdev_prop_set_bit(DEVICE(&mms->fpgaio), "has-dbgctrl", false);
+    sysbus_realize(SYS_BUS_DEVICE(&mms->fpgaio), &error_fatal);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->fpgaio), 0, 0xe0202000);
+
+    create_unimplemented_device("clcd", 0xe0209000, 0x1000);
+
+    object_initialize_child(OBJECT(mms), "rtc", &mms->rtc, TYPE_PL031);
+    sysbus_realize(SYS_BUS_DEVICE(&mms->rtc), &error_fatal);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&mms->rtc), 0, 0xe020a000);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&mms->rtc), 0,
+                       qdev_get_gpio_in(gicdev, 4));
+
+    /*
+     * In hardware this is a LAN9220; the LAN9118 is software compatible
+     * except that it doesn't support the checksum-offload feature.
+     */
+    lan9118_init(0xe0300000,
+                 qdev_get_gpio_in(gicdev, 18));
+
+    create_unimplemented_device("usb", 0xe0301000, 0x1000);
+    create_unimplemented_device("qspi-write-config", 0xe0600000, 0x1000);
+
     mms->bootinfo.ram_size = machine->ram_size;
     mms->bootinfo.board_id = -1;
     mms->bootinfo.loader_start = mmc->loader_start;
-- 
2.34.1

Add documentation for the mps3-an536 board type.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240206132931.38376-14-peter.maydell@linaro.org
---
 docs/system/arm/mps2.rst | 37 ++++++++++++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 3 deletions(-)

diff --git a/docs/system/arm/mps2.rst b/docs/system/arm/mps2.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/mps2.rst
+++ b/docs/system/arm/mps2.rst
@@ -XXX,XX +XXX,XX @@
-Arm MPS2 and MPS3 boards (``mps2-an385``, ``mps2-an386``, ``mps2-an500``, ``mps2-an505``, ``mps2-an511``, ``mps2-an521``, ``mps3-an524``, ``mps3-an547``)
-=========================================================================================================================================================
+Arm MPS2 and MPS3 boards (``mps2-an385``, ``mps2-an386``, ``mps2-an500``, ``mps2-an505``, ``mps2-an511``, ``mps2-an521``, ``mps3-an524``, ``mps3-an536``, ``mps3-an547``)
+=========================================================================================================================================================================
 
-These board models all use Arm M-profile CPUs.
+These board models use Arm M-profile or R-profile CPUs.
 
 The Arm MPS2, MPS2+ and MPS3 dev boards are FPGA based (the 2+ has a
 bigger FPGA but is otherwise the same as the 2; the 3 has a bigger
@@ -XXX,XX +XXX,XX @@ FPGA image.
 
 QEMU models the following FPGA images:
 
+FPGA images using M-profile CPUs:
+
 ``mps2-an385``
   Cortex-M3 as documented in Arm Application Note AN385
 ``mps2-an386``
@@ -XXX,XX +XXX,XX @@ QEMU models the following FPGA images:
 ``mps3-an547``
   Cortex-M55 on an MPS3, as documented in Arm Application Note AN547
 
+FPGA images using R-profile CPUs:
+
+``mps3-an536``
+  Dual Cortex-R52 on an MPS3, as documented in Arm Application Note AN536
+
 Differences between QEMU and real hardware:
 
 - AN385/AN386 remapping of low 16K of memory to either ZBT SSRAM1 or to
@@ -XXX,XX +XXX,XX @@ Differences between QEMU and real hardware:
   flash, but only as simple ROM, so attempting to rewrite the flash
   from the guest will fail
 - QEMU does not model the USB controller in MPS3 boards
+- AN536 does not support runtime control of CPU reset and halt via
+  the SCC CFG_REG0 register.
+- AN536 does not support enabling or disabling the flash and ATCM
+  interfaces via the SCC CFG_REG1 register.
+- AN536 does not support setting of the initial vector table
+  base address via the SCC CFG_REG6 and CFG_REG7 register config,
+  and does not provide a mechanism for specifying these values at
+  startup, so all guest images must be built to start from TCM
+  (i.e. to expect the interrupt vector base at 0 from reset).
+- AN536 defaults to only creating a single CPU; this is the equivalent
+  of the way the real FPGA image usually runs with the second Cortex-R52
+  held in halt via the initial SCC CFG_REG0 register setting. You can
+  create the second CPU with ``-smp 2``; both CPUs will then start
+  execution immediately on startup.
+
+Note that for the AN536 the first UART is accessible only by
+CPU0, and the second UART is accessible only by CPU1. The
+first UART accessible shared between both CPUs is the third
+UART. Guest software might therefore be built to use either
+the first UART or the third UART; if you don't see any output
+from the UART you are looking at, try one of the others.
+(Even if the AN536 machine is started with a single CPU and so
+no "CPU1-only UART", the UART numbering remains the same,
+with the third UART being the first of the shared ones.)
 
 Machine-specific options
 """"""""""""""""""""""""
-- 
2.34.1