Hi; here's the first arm pullreq for the 8.2 cycle. These are pretty much all bug fixes (mostly for the experimental FEAT_RME), rather than any major features. -- PMM The following changes since commit b0dd9a7d6dd15a6898e9c585b521e6bec79b25aa: Open 8.2 development tree (2023-08-22 07:14:07 -0700) are available in the Git repository at: https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230824 for you to fetch changes up to cd1e4db73646006039f25879af3bff55b2295ff3: target/arm: Fix 64-bit SSRA (2023-08-22 17:31:14 +0100) ---------------------------------------------------------------- target-arm queue: * hw/gpio/nrf51: implement DETECT signal * accel/kvm: Specify default IPA size for arm64 * ptw: refactor, fix some FEAT_RME bugs * target/arm: Adjust PAR_EL1.SH for Device and Normal-NC memory types * target/arm/helper: Implement CNTHCTL_EL2.CNT[VP]MASK * Fix SME ST1Q * Fix 64-bit SSRA ---------------------------------------------------------------- Akihiko Odaki (6): kvm: Introduce kvm_arch_get_default_type hook accel/kvm: Specify default IPA size for arm64 mips: Report an error when KVM_VM_MIPS_VZ is unavailable accel/kvm: Use negative KVM type for error propagation accel/kvm: Free as when an error occurred accel/kvm: Make kvm_dirty_ring_reaper_init() void Chris Laplante (6): hw/gpio/nrf51: implement DETECT signal qtest: factor out qtest_install_gpio_out_intercept qtest: implement named interception of out-GPIO qtest: bail from irq_intercept_in if name is specified qtest: irq_intercept_[out/in]: return FAIL if no intercepts are installed qtest: microbit-test: add tests for nRF51 DETECT Jean-Philippe Brucker (6): target/arm/ptw: Load stage-2 tables from realm physical space target/arm/helper: Fix tlbmask and tlbbits for TLBI VAE2* target/arm: Skip granule protection checks for AT instructions target/arm: Pass security space rather than flag for AT instructions target/arm/helper: Check SCR_EL3.{NSE, NS} encoding for AT instructions target/arm/helper: Implement CNTHCTL_EL2.CNT[VP]MASK Peter Maydell (15): target/arm/ptw: Don't set fi->s1ptw for UnsuppAtomicUpdate fault target/arm/ptw: Don't report GPC faults on stage 1 ptw as stage2 faults target/arm/ptw: Set s1ns bit in fault info more consistently target/arm/ptw: Pass ptw into get_phys_addr_pmsa*() and get_phys_addr_disabled() target/arm/ptw: Pass ARMSecurityState to regime_translation_disabled() target/arm/ptw: Pass an ARMSecuritySpace to arm_hcr_el2_eff_secstate() target/arm: Pass an ARMSecuritySpace to arm_is_el2_enabled_secstate() target/arm/ptw: Only fold in NSTable bit effects in Secure state target/arm/ptw: Remove last uses of ptw->in_secure target/arm/ptw: Remove S1Translate::in_secure target/arm/ptw: Drop S1Translate::out_secure target/arm/ptw: Set attributes correctly for MMU disabled data accesses target/arm/ptw: Check for block descriptors at invalid levels target/arm/ptw: Report stage 2 fault level for stage 2 faults on stage 1 ptw target/arm: Adjust PAR_EL1.SH for Device and Normal-NC memory types Richard Henderson (2): target/arm: Fix SME ST1Q target/arm: Fix 64-bit SSRA include/hw/gpio/nrf51_gpio.h | 1 + include/sysemu/kvm.h | 2 + target/arm/cpu.h | 19 ++-- target/arm/internals.h | 25 ++--- target/mips/kvm_mips.h | 9 -- tests/qtest/libqtest.h | 11 +++ accel/kvm/kvm-all.c | 19 ++-- hw/arm/virt.c | 2 +- hw/gpio/nrf51_gpio.c | 14 ++- hw/mips/loongson3_virt.c | 2 - hw/ppc/spapr.c | 2 +- softmmu/qtest.c | 52 +++++++--- target/arm/cpu.c | 6 ++ target/arm/helper.c | 207 ++++++++++++++++++++++++++++---------- target/arm/kvm.c | 7 ++ target/arm/ptw.c | 231 ++++++++++++++++++++++++++----------------- target/arm/tcg/sme_helper.c | 2 +- target/arm/tcg/translate.c | 2 +- target/i386/kvm/kvm.c | 5 + target/mips/kvm.c | 3 +- target/ppc/kvm.c | 5 + target/riscv/kvm.c | 5 + target/s390x/kvm/kvm.c | 5 + tests/qtest/libqtest.c | 6 ++ tests/qtest/microbit-test.c | 44 +++++++++ target/arm/trace-events | 7 +- 26 files changed, 494 insertions(+), 199 deletions(-) From: Chris Laplante <chris@laplante.io> Implement nRF51 DETECT signal in the GPIO peripheral. The reference manual makes mention of a per-pin DETECT signal, but these are not exposed to the user. See https://devzone.nordicsemi.com/f/nordic-q-a/39858/gpio-per-pin-detect-signal-available for more information. Currently, I don't see a reason to model these. Signed-off-by: Chris Laplante <chris@laplante.io> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230728160324.1159090-2-chris@laplante.io Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/gpio/nrf51_gpio.h | 1 + hw/gpio/nrf51_gpio.c | 14 +++++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/include/hw/gpio/nrf51_gpio.h b/include/hw/gpio/nrf51_gpio.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/gpio/nrf51_gpio.h +++ b/include/hw/gpio/nrf51_gpio.h @@ -XXX,XX +XXX,XX @@ struct NRF51GPIOState { uint32_t old_out_connected; qemu_irq output[NRF51_GPIO_PINS]; + qemu_irq detect; }; diff --git a/hw/gpio/nrf51_gpio.c b/hw/gpio/nrf51_gpio.c index XXXXXXX..XXXXXXX 100644 --- a/hw/gpio/nrf51_gpio.c +++ b/hw/gpio/nrf51_gpio.c @@ -XXX,XX +XXX,XX @@ static void update_state(NRF51GPIOState *s) int pull; size_t i; bool connected_out, dir, connected_in, out, in, input; + bool assert_detect = false; for (i = 0; i < NRF51_GPIO_PINS; i++) { pull = pull_value(s->cnf[i]); @@ -XXX,XX +XXX,XX @@ static void update_state(NRF51GPIOState *s) qemu_log_mask(LOG_GUEST_ERROR, "GPIO pin %zu short circuited\n", i); } - if (!connected_in) { + if (connected_in) { + uint32_t detect_config = extract32(s->cnf[i], 16, 2); + if ((detect_config == 2) && (in == 1)) { + assert_detect = true; + } + if ((detect_config == 3) && (in == 0)) { + assert_detect = true; + } + } else { /* * Floating input: the output stimulates IN if connected, * otherwise pull-up/pull-down resistors put a value on both @@ -XXX,XX +XXX,XX @@ static void update_state(NRF51GPIOState *s) } update_output_irq(s, i, connected_out, out); } + + qemu_set_irq(s->detect, assert_detect); } /* @@ -XXX,XX +XXX,XX @@ static void nrf51_gpio_init(Object *obj) qdev_init_gpio_in(DEVICE(s), nrf51_gpio_set, NRF51_GPIO_PINS); qdev_init_gpio_out(DEVICE(s), s->output, NRF51_GPIO_PINS); + qdev_init_gpio_out_named(DEVICE(s), &s->detect, "detect", 1); } static void nrf51_gpio_class_init(ObjectClass *klass, void *data) -- 2.34.1 From: Chris Laplante <chris@laplante.io> Signed-off-by: Chris Laplante <chris@laplante.io> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230728160324.1159090-3-chris@laplante.io Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- softmmu/qtest.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/softmmu/qtest.c b/softmmu/qtest.c index XXXXXXX..XXXXXXX 100644 --- a/softmmu/qtest.c +++ b/softmmu/qtest.c @@ -XXX,XX +XXX,XX @@ void qtest_set_command_cb(bool (*pc_cb)(CharBackend *chr, gchar **words)) process_command_cb = pc_cb; } +static void qtest_install_gpio_out_intercept(DeviceState *dev, const char *name, int n) +{ + qemu_irq *disconnected = g_new0(qemu_irq, 1); + qemu_irq icpt = qemu_allocate_irq(qtest_irq_handler, + disconnected, n); + + *disconnected = qdev_intercept_gpio_out(dev, icpt, name, n); +} + static void qtest_process_command(CharBackend *chr, gchar **words) { const gchar *command; @@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words) if (words[0][14] == 'o') { int i; for (i = 0; i < ngl->num_out; ++i) { - qemu_irq *disconnected = g_new0(qemu_irq, 1); - qemu_irq icpt = qemu_allocate_irq(qtest_irq_handler, - disconnected, i); - - *disconnected = qdev_intercept_gpio_out(dev, icpt, - ngl->name, i); + qtest_install_gpio_out_intercept(dev, ngl->name, i); } } else { qemu_irq_intercept_in(ngl->in, qtest_irq_handler, -- 2.34.1 From: Chris Laplante <chris@laplante.io> Adds qtest_irq_intercept_out_named method, which utilizes a new optional name parameter to the irq_intercept_out qtest command. Signed-off-by: Chris Laplante <chris@laplante.io> Message-id: 20230728160324.1159090-4-chris@laplante.io Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- tests/qtest/libqtest.h | 11 +++++++++++ softmmu/qtest.c | 18 ++++++++++-------- tests/qtest/libqtest.c | 6 ++++++ 3 files changed, 27 insertions(+), 8 deletions(-) diff --git a/tests/qtest/libqtest.h b/tests/qtest/libqtest.h index XXXXXXX..XXXXXXX 100644 --- a/tests/qtest/libqtest.h +++ b/tests/qtest/libqtest.h @@ -XXX,XX +XXX,XX @@ void qtest_irq_intercept_in(QTestState *s, const char *string); */ void qtest_irq_intercept_out(QTestState *s, const char *string); +/** + * qtest_irq_intercept_out_named: + * @s: #QTestState instance to operate on. + * @qom_path: QOM path of a device. + * @name: Name of the GPIO out pin + * + * Associate a qtest irq with the named GPIO-out pin of the device + * whose path is specified by @string and whose name is @name. + */ +void qtest_irq_intercept_out_named(QTestState *s, const char *qom_path, const char *name); + /** * qtest_set_irq_in: * @s: QTestState instance to operate on. diff --git a/softmmu/qtest.c b/softmmu/qtest.c index XXXXXXX..XXXXXXX 100644 --- a/softmmu/qtest.c +++ b/softmmu/qtest.c @@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words) || strcmp(words[0], "irq_intercept_in") == 0) { DeviceState *dev; NamedGPIOList *ngl; + bool is_outbound; g_assert(words[1]); + is_outbound = words[0][14] == 'o'; dev = DEVICE(object_resolve_path(words[1], NULL)); if (!dev) { qtest_send_prefix(chr); @@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words) } QLIST_FOREACH(ngl, &dev->gpios, node) { - /* We don't support intercept of named GPIOs yet */ - if (ngl->name) { - continue; - } - if (words[0][14] == 'o') { - int i; - for (i = 0; i < ngl->num_out; ++i) { - qtest_install_gpio_out_intercept(dev, ngl->name, i); + /* We don't support inbound interception of named GPIOs yet */ + if (is_outbound) { + /* NULL is valid and matchable, for "unnamed GPIO" */ + if (g_strcmp0(ngl->name, words[2]) == 0) { + int i; + for (i = 0; i < ngl->num_out; ++i) { + qtest_install_gpio_out_intercept(dev, ngl->name, i); + } } } else { qemu_irq_intercept_in(ngl->in, qtest_irq_handler, diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c index XXXXXXX..XXXXXXX 100644 --- a/tests/qtest/libqtest.c +++ b/tests/qtest/libqtest.c @@ -XXX,XX +XXX,XX @@ void qtest_irq_intercept_out(QTestState *s, const char *qom_path) qtest_rsp(s); } +void qtest_irq_intercept_out_named(QTestState *s, const char *qom_path, const char *name) +{ + qtest_sendf(s, "irq_intercept_out %s %s\n", qom_path, name); + qtest_rsp(s); +} + void qtest_irq_intercept_in(QTestState *s, const char *qom_path) { qtest_sendf(s, "irq_intercept_in %s\n", qom_path); -- 2.34.1 From: Chris Laplante <chris@laplante.io> Named interception of in-GPIOs is not supported yet. Signed-off-by: Chris Laplante <chris@laplante.io> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230728160324.1159090-5-chris@laplante.io Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- softmmu/qtest.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/softmmu/qtest.c b/softmmu/qtest.c index XXXXXXX..XXXXXXX 100644 --- a/softmmu/qtest.c +++ b/softmmu/qtest.c @@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words) || strcmp(words[0], "irq_intercept_in") == 0) { DeviceState *dev; NamedGPIOList *ngl; + bool is_named; bool is_outbound; g_assert(words[1]); + is_named = words[2] != NULL; is_outbound = words[0][14] == 'o'; dev = DEVICE(object_resolve_path(words[1], NULL)); if (!dev) { @@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words) return; } + if (is_named && !is_outbound) { + qtest_send_prefix(chr); + qtest_send(chr, "FAIL Interception of named in-GPIOs not yet supported\n"); + return; + } + if (irq_intercept_dev) { qtest_send_prefix(chr); if (irq_intercept_dev != dev) { -- 2.34.1 From: Chris Laplante <chris@laplante.io> This is much better than just silently failing with OK. Signed-off-by: Chris Laplante <chris@laplante.io> Message-id: 20230728160324.1159090-6-chris@laplante.io Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- softmmu/qtest.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/softmmu/qtest.c b/softmmu/qtest.c index XXXXXXX..XXXXXXX 100644 --- a/softmmu/qtest.c +++ b/softmmu/qtest.c @@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words) NamedGPIOList *ngl; bool is_named; bool is_outbound; + bool interception_succeeded = false; g_assert(words[1]); is_named = words[2] != NULL; @@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words) for (i = 0; i < ngl->num_out; ++i) { qtest_install_gpio_out_intercept(dev, ngl->name, i); } + interception_succeeded = true; } } else { qemu_irq_intercept_in(ngl->in, qtest_irq_handler, ngl->num_in); + interception_succeeded = true; } } - irq_intercept_dev = dev; + qtest_send_prefix(chr); - qtest_send(chr, "OK\n"); + if (interception_succeeded) { + irq_intercept_dev = dev; + qtest_send(chr, "OK\n"); + } else { + qtest_send(chr, "FAIL No intercepts installed\n"); + } } else if (strcmp(words[0], "set_irq_in") == 0) { DeviceState *dev; qemu_irq irq; -- 2.34.1 From: Chris Laplante <chris@laplante.io> Exercise the DETECT mechanism of the GPIO peripheral. Signed-off-by: Chris Laplante <chris@laplante.io> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230728160324.1159090-7-chris@laplante.io [PMM: fixed coding style nits] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- tests/qtest/microbit-test.c | 44 +++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/tests/qtest/microbit-test.c b/tests/qtest/microbit-test.c index XXXXXXX..XXXXXXX 100644 --- a/tests/qtest/microbit-test.c +++ b/tests/qtest/microbit-test.c @@ -XXX,XX +XXX,XX @@ static void test_nrf51_gpio(void) qtest_quit(qts); } +static void test_nrf51_gpio_detect(void) +{ + QTestState *qts = qtest_init("-M microbit"); + int i; + + /* Connect input buffer on pins 1-7, configure SENSE for high level */ + for (i = 1; i <= 7; i++) { + qtest_writel(qts, NRF51_GPIO_BASE + NRF51_GPIO_REG_CNF_START + i * 4, + deposit32(0, 16, 2, 2)); + } + + qtest_irq_intercept_out_named(qts, "/machine/nrf51/gpio", "detect"); + + for (i = 1; i <= 7; i++) { + /* Set pin high */ + qtest_set_irq_in(qts, "/machine/nrf51", "unnamed-gpio-in", i, 1); + uint32_t actual = qtest_readl(qts, NRF51_GPIO_BASE + NRF51_GPIO_REG_IN); + g_assert_cmpuint(actual, ==, 1 << i); + + /* Check that DETECT is high */ + g_assert_true(qtest_get_irq(qts, 0)); + + /* Set pin low, check that DETECT goes low. */ + qtest_set_irq_in(qts, "/machine/nrf51", "unnamed-gpio-in", i, 0); + actual = qtest_readl(qts, NRF51_GPIO_BASE + NRF51_GPIO_REG_IN); + g_assert_cmpuint(actual, ==, 0x0); + g_assert_false(qtest_get_irq(qts, 0)); + } + + /* Set pin 0 high, check that DETECT doesn't fire */ + qtest_set_irq_in(qts, "/machine/nrf51", "unnamed-gpio-in", 0, 1); + g_assert_false(qtest_get_irq(qts, 0)); + qtest_set_irq_in(qts, "/machine/nrf51", "unnamed-gpio-in", 0, 0); + + /* Set pins 1, 2, and 3 high, then set 3 low. Check DETECT is still high */ + for (i = 1; i <= 3; i++) { + qtest_set_irq_in(qts, "/machine/nrf51", "unnamed-gpio-in", i, 1); + } + g_assert_true(qtest_get_irq(qts, 0)); + qtest_set_irq_in(qts, "/machine/nrf51", "unnamed-gpio-in", 3, 0); + g_assert_true(qtest_get_irq(qts, 0)); +} + static void timer_task(QTestState *qts, hwaddr task) { qtest_writel(qts, NRF51_TIMER_BASE + task, NRF51_TRIGGER_TASK); @@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv) qtest_add_func("/microbit/nrf51/uart", test_nrf51_uart); qtest_add_func("/microbit/nrf51/gpio", test_nrf51_gpio); + qtest_add_func("/microbit/nrf51/gpio_detect", test_nrf51_gpio_detect); qtest_add_func("/microbit/nrf51/nvmc", test_nrf51_nvmc); qtest_add_func("/microbit/nrf51/timer", test_nrf51_timer); qtest_add_func("/microbit/microbit/i2c", test_microbit_i2c); -- 2.34.1 From: Akihiko Odaki <akihiko.odaki@daynix.com> kvm_arch_get_default_type() returns the default KVM type. This hook is particularly useful to derive a KVM type that is valid for "none" machine model, which is used by libvirt to probe the availability of KVM. For MIPS, the existing mips_kvm_type() is reused. This function ensures the availability of VZ which is mandatory to use KVM on the current QEMU. Cc: qemu-stable@nongnu.org Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-id: 20230727073134.134102-2-akihiko.odaki@daynix.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> [PMM: added doc comment for new function] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> --- include/sysemu/kvm.h | 2 ++ target/mips/kvm_mips.h | 9 --------- accel/kvm/kvm-all.c | 4 +++- hw/mips/loongson3_virt.c | 2 -- target/arm/kvm.c | 5 +++++ target/i386/kvm/kvm.c | 5 +++++ target/mips/kvm.c | 2 +- target/ppc/kvm.c | 5 +++++ target/riscv/kvm.c | 5 +++++ target/s390x/kvm/kvm.c | 5 +++++ 10 files changed, 31 insertions(+), 13 deletions(-) diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h index XXXXXXX..XXXXXXX 100644 --- a/include/sysemu/kvm.h +++ b/include/sysemu/kvm.h @@ -XXX,XX +XXX,XX @@ int kvm_arch_get_registers(CPUState *cpu); int kvm_arch_put_registers(CPUState *cpu, int level); +int kvm_arch_get_default_type(MachineState *ms); + int kvm_arch_init(MachineState *ms, KVMState *s); int kvm_arch_init_vcpu(CPUState *cpu); diff --git a/target/mips/kvm_mips.h b/target/mips/kvm_mips.h index XXXXXXX..XXXXXXX 100644 --- a/target/mips/kvm_mips.h +++ b/target/mips/kvm_mips.h @@ -XXX,XX +XXX,XX @@ void kvm_mips_reset_vcpu(MIPSCPU *cpu); int kvm_mips_set_interrupt(MIPSCPU *cpu, int irq, int level); int kvm_mips_set_ipi_interrupt(MIPSCPU *cpu, int irq, int level); -#ifdef CONFIG_KVM -int mips_kvm_type(MachineState *machine, const char *vm_type); -#else -static inline int mips_kvm_type(MachineState *machine, const char *vm_type) -{ - return 0; -} -#endif - #endif /* KVM_MIPS_H */ diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index XXXXXXX..XXXXXXX 100644 --- a/accel/kvm/kvm-all.c +++ b/accel/kvm/kvm-all.c @@ -XXX,XX +XXX,XX @@ static int kvm_init(MachineState *ms) KVMState *s; const KVMCapabilityInfo *missing_cap; int ret; - int type = 0; + int type; uint64_t dirty_log_manual_caps; qemu_mutex_init(&kml_slots_lock); @@ -XXX,XX +XXX,XX @@ static int kvm_init(MachineState *ms) type = mc->kvm_type(ms, kvm_type); } else if (mc->kvm_type) { type = mc->kvm_type(ms, NULL); + } else { + type = kvm_arch_get_default_type(ms); } do { diff --git a/hw/mips/loongson3_virt.c b/hw/mips/loongson3_virt.c index XXXXXXX..XXXXXXX 100644 --- a/hw/mips/loongson3_virt.c +++ b/hw/mips/loongson3_virt.c @@ -XXX,XX +XXX,XX @@ #include "qemu/datadir.h" #include "qapi/error.h" #include "elf.h" -#include "kvm_mips.h" #include "hw/char/serial.h" #include "hw/intc/loongson_liointc.h" #include "hw/mips/mips.h" @@ -XXX,XX +XXX,XX @@ static void loongson3v_machine_class_init(ObjectClass *oc, void *data) mc->max_cpus = LOONGSON_MAX_VCPUS; mc->default_ram_id = "loongson3.highram"; mc->default_ram_size = 1600 * MiB; - mc->kvm_type = mips_kvm_type; mc->minimum_page_bits = 14; mc->default_nic = "virtio-net-pci"; } diff --git a/target/arm/kvm.c b/target/arm/kvm.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/kvm.c +++ b/target/arm/kvm.c @@ -XXX,XX +XXX,XX @@ int kvm_arm_get_max_vm_ipa_size(MachineState *ms, bool *fixed_ipa) return ret > 0 ? ret : 40; } +int kvm_arch_get_default_type(MachineState *ms) +{ + return 0; +} + int kvm_arch_init(MachineState *ms, KVMState *s) { int ret = 0; diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c index XXXXXXX..XXXXXXX 100644 --- a/target/i386/kvm/kvm.c +++ b/target/i386/kvm/kvm.c @@ -XXX,XX +XXX,XX @@ static void register_smram_listener(Notifier *n, void *unused) &smram_address_space, 1, "kvm-smram"); } +int kvm_arch_get_default_type(MachineState *ms) +{ + return 0; +} + int kvm_arch_init(MachineState *ms, KVMState *s) { uint64_t identity_base = 0xfffbc000; diff --git a/target/mips/kvm.c b/target/mips/kvm.c index XXXXXXX..XXXXXXX 100644 --- a/target/mips/kvm.c +++ b/target/mips/kvm.c @@ -XXX,XX +XXX,XX @@ int kvm_arch_msi_data_to_gsi(uint32_t data) abort(); } -int mips_kvm_type(MachineState *machine, const char *vm_type) +int kvm_arch_get_default_type(MachineState *machine) { #if defined(KVM_CAP_MIPS_VZ) int r; diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c index XXXXXXX..XXXXXXX 100644 --- a/target/ppc/kvm.c +++ b/target/ppc/kvm.c @@ -XXX,XX +XXX,XX @@ static int kvm_ppc_register_host_cpu_type(void); static void kvmppc_get_cpu_characteristics(KVMState *s); static int kvmppc_get_dec_bits(void); +int kvm_arch_get_default_type(MachineState *ms) +{ + return 0; +} + int kvm_arch_init(MachineState *ms, KVMState *s) { cap_interrupt_unset = kvm_check_extension(s, KVM_CAP_PPC_UNSET_IRQ); diff --git a/target/riscv/kvm.c b/target/riscv/kvm.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/kvm.c +++ b/target/riscv/kvm.c @@ -XXX,XX +XXX,XX @@ int kvm_arch_add_msi_route_post(struct kvm_irq_routing_entry *route, return 0; } +int kvm_arch_get_default_type(MachineState *ms) +{ + return 0; +} + int kvm_arch_init(MachineState *ms, KVMState *s) { return 0; diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index XXXXXXX..XXXXXXX 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -XXX,XX +XXX,XX @@ static void ccw_machine_class_foreach(ObjectClass *oc, void *opaque) mc->default_cpu_type = S390_CPU_TYPE_NAME("host"); } +int kvm_arch_get_default_type(MachineState *ms) +{ + return 0; +} + int kvm_arch_init(MachineState *ms, KVMState *s) { object_class_foreach(ccw_machine_class_foreach, TYPE_S390_CCW_MACHINE, -- 2.34.1 From: Akihiko Odaki <akihiko.odaki@daynix.com> Before this change, the default KVM type, which is used for non-virt machine models, was 0. The kernel documentation says: > On arm64, the physical address size for a VM (IPA Size limit) is > limited to 40bits by default. The limit can be configured if the host > supports the extension KVM_CAP_ARM_VM_IPA_SIZE. When supported, use > KVM_VM_TYPE_ARM_IPA_SIZE(IPA_Bits) to set the size in the machine type > identifier, where IPA_Bits is the maximum width of any physical > address used by the VM. The IPA_Bits is encoded in bits[7-0] of the > machine type identifier. > > e.g, to configure a guest to use 48bit physical address size:: > > vm_fd = ioctl(dev_fd, KVM_CREATE_VM, KVM_VM_TYPE_ARM_IPA_SIZE(48)); > > The requested size (IPA_Bits) must be: > > == ========================================================= > 0 Implies default size, 40bits (for backward compatibility) > N Implies N bits, where N is a positive integer such that, > 32 <= N <= Host_IPA_Limit > == ========================================================= > Host_IPA_Limit is the maximum possible value for IPA_Bits on the host > and is dependent on the CPU capability and the kernel configuration. > The limit can be retrieved using KVM_CAP_ARM_VM_IPA_SIZE of the > KVM_CHECK_EXTENSION ioctl() at run-time. > > Creation of the VM will fail if the requested IPA size (whether it is > implicit or explicit) is unsupported on the host. https://docs.kernel.org/virt/kvm/api.html#kvm-create-vm So if Host_IPA_Limit < 40, specifying 0 as the type will fail. This actually confused libvirt, which uses "none" machine model to probe the KVM availability, on M2 MacBook Air. Fix this by using Host_IPA_Limit as the default type when KVM_CAP_ARM_VM_IPA_SIZE is available. Cc: qemu-stable@nongnu.org Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-id: 20230727073134.134102-3-akihiko.odaki@daynix.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/kvm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/target/arm/kvm.c b/target/arm/kvm.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/kvm.c +++ b/target/arm/kvm.c @@ -XXX,XX +XXX,XX @@ int kvm_arm_get_max_vm_ipa_size(MachineState *ms, bool *fixed_ipa) int kvm_arch_get_default_type(MachineState *ms) { - return 0; + bool fixed_ipa; + int size = kvm_arm_get_max_vm_ipa_size(ms, &fixed_ipa); + return fixed_ipa ? 0 : size; } int kvm_arch_init(MachineState *ms, KVMState *s) -- 2.34.1 From: Akihiko Odaki <akihiko.odaki@daynix.com> On MIPS, QEMU requires KVM_VM_MIPS_VZ type for KVM. Report an error in such a case as other architectures do when an error occurred during KVM type decision. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-id: 20230727073134.134102-4-akihiko.odaki@daynix.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> --- target/mips/kvm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/target/mips/kvm.c b/target/mips/kvm.c index XXXXXXX..XXXXXXX 100644 --- a/target/mips/kvm.c +++ b/target/mips/kvm.c @@ -XXX,XX +XXX,XX @@ int kvm_arch_get_default_type(MachineState *machine) } #endif + error_report("KVM_VM_MIPS_VZ type is not available"); return -1; } -- 2.34.1 From: Akihiko Odaki <akihiko.odaki@daynix.com> On MIPS, kvm_arch_get_default_type() returns a negative value when an error occurred so handle the case. Also, let other machines return negative values when errors occur and declare returning a negative value as the correct way to propagate an error that happened when determining KVM type. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-id: 20230727073134.134102-5-akihiko.odaki@daynix.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> --- accel/kvm/kvm-all.c | 5 +++++ hw/arm/virt.c | 2 +- hw/ppc/spapr.c | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index XXXXXXX..XXXXXXX 100644 --- a/accel/kvm/kvm-all.c +++ b/accel/kvm/kvm-all.c @@ -XXX,XX +XXX,XX @@ static int kvm_init(MachineState *ms) type = kvm_arch_get_default_type(ms); } + if (type < 0) { + ret = -EINVAL; + goto err; + } + do { ret = kvm_ioctl(s, KVM_CREATE_VM, type); } while (ret == -EINTR); diff --git a/hw/arm/virt.c b/hw/arm/virt.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/virt.c +++ b/hw/arm/virt.c @@ -XXX,XX +XXX,XX @@ static int virt_kvm_type(MachineState *ms, const char *type_str) "require an IPA range (%d bits) larger than " "the one supported by the host (%d bits)", requested_pa_size, max_vm_pa_size); - exit(1); + return -1; } /* * We return the requested PA log size, unless KVM only supports diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c index XXXXXXX..XXXXXXX 100644 --- a/hw/ppc/spapr.c +++ b/hw/ppc/spapr.c @@ -XXX,XX +XXX,XX @@ static int spapr_kvm_type(MachineState *machine, const char *vm_type) } error_report("Unknown kvm-type specified '%s'", vm_type); - exit(1); + return -1; } /* -- 2.34.1 From: Akihiko Odaki <akihiko.odaki@daynix.com> An error may occur after s->as is allocated, for example if the KVM_CREATE_VM ioctl call fails. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-id: 20230727073134.134102-6-akihiko.odaki@daynix.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> [PMM: tweaked commit message] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- accel/kvm/kvm-all.c | 1 + 1 file changed, 1 insertion(+) diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index XXXXXXX..XXXXXXX 100644 --- a/accel/kvm/kvm-all.c +++ b/accel/kvm/kvm-all.c @@ -XXX,XX +XXX,XX @@ err: if (s->fd != -1) { close(s->fd); } + g_free(s->as); g_free(s->memory_listener.slots); return ret; -- 2.34.1 From: Akihiko Odaki <akihiko.odaki@daynix.com> The returned value was always zero and had no meaning. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-id: 20230727073134.134102-7-akihiko.odaki@daynix.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> --- accel/kvm/kvm-all.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index XXXXXXX..XXXXXXX 100644 --- a/accel/kvm/kvm-all.c +++ b/accel/kvm/kvm-all.c @@ -XXX,XX +XXX,XX @@ static void *kvm_dirty_ring_reaper_thread(void *data) return NULL; } -static int kvm_dirty_ring_reaper_init(KVMState *s) +static void kvm_dirty_ring_reaper_init(KVMState *s) { struct KVMDirtyRingReaper *r = &s->reaper; qemu_thread_create(&r->reaper_thr, "kvm-reaper", kvm_dirty_ring_reaper_thread, s, QEMU_THREAD_JOINABLE); - - return 0; } static int kvm_dirty_ring_init(KVMState *s) @@ -XXX,XX +XXX,XX @@ static int kvm_init(MachineState *ms) } if (s->kvm_dirty_ring_size) { - ret = kvm_dirty_ring_reaper_init(s); - if (ret) { - goto err; - } + kvm_dirty_ring_reaper_init(s); } if (kvm_check_extension(kvm_state, KVM_CAP_BINARY_STATS_FD)) { -- 2.34.1 For an Unsupported Atomic Update fault where the stage 1 translation table descriptor update can't be done because it's to an unsupported memory type, this is a stage 1 abort (per the Arm ARM R_VSXXT). This means we should not set fi->s1ptw, because this will cause the code in the get_phys_addr_lpae() error-exit path to mark it as stage 2. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-2-peter.maydell@linaro.org --- target/arm/ptw.c | 1 - 1 file changed, 1 deletion(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static uint64_t arm_casq_ptw(CPUARMState *env, uint64_t old_val, if (unlikely(!host)) { fi->type = ARMFault_UnsuppAtomicUpdate; - fi->s1ptw = true; return 0; } -- 2.34.1 In S1_ptw_translate() we set up the ARMMMUFaultInfo if the attempt to translate the page descriptor address into a physical address fails. This used to only be possible if we are doing a stage 2 ptw for that descriptor address, and so the code always sets fi->stage2 and fi->s1ptw to true. However, with FEAT_RME it is also possible for the lookup of the page descriptor address to fail because of a Granule Protection Check fault. These should not be reported as stage 2, otherwise arm_deliver_fault() will incorrectly set HPFAR_EL2. Similarly the s1ptw bit should only be set for stage 2 faults on stage 1 translation table walks, i.e. not for GPC faults. Add a comment to the the other place where we might detect a stage2-fault-on-stage-1-ptw, in arm_casq_ptw(), noting why we know in that case that it must really be a stage 2 fault and not a GPC fault. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-3-peter.maydell@linaro.org --- target/arm/ptw.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw, fi->type = ARMFault_GPCFOnWalk; } fi->s2addr = addr; - fi->stage2 = true; - fi->s1ptw = true; + fi->stage2 = regime_is_stage2(s2_mmu_idx); + fi->s1ptw = fi->stage2; fi->s1ns = !is_secure; return false; } @@ -XXX,XX +XXX,XX @@ static uint64_t arm_casq_ptw(CPUARMState *env, uint64_t old_val, env->tlb_fi = NULL; if (unlikely(flags & TLB_INVALID_MASK)) { + /* + * We know this must be a stage 2 fault because the granule + * protection table does not separately track read and write + * permission, so all GPC faults are caught in S1_ptw_translate(): + * we only get here for "readable but not writeable". + */ assert(fi->type != ARMFault_None); fi->s2addr = ptw->out_virt; fi->stage2 = true; -- 2.34.1 The s1ns bit in ARMMMUFaultInfo is documented as "true if we faulted on a non-secure IPA while in secure state". Both the places which look at this bit only do so after having confirmed that this is a stage 2 fault and we're dealing with Secure EL2, which leaves the ptw.c code free to set the bit to any random value in the other cases. Instead of taking advantage of that freedom, consistently make the bit be set to false for the "not a stage 2 fault for Secure EL2" cases. This removes some cases where we were using an 'is_secure' boolean and leaving the reader guessing about whether that was the right thing for Realm and Root cases. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-4-peter.maydell@linaro.org --- target/arm/ptw.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static ARMSecuritySpace S2_security_space(ARMSecuritySpace s1_space, } } +static bool fault_s1ns(ARMSecuritySpace space, ARMMMUIdx s2_mmu_idx) +{ + /* + * For stage 2 faults in Secure EL22, S1NS indicates + * whether the faulting IPA is in the Secure or NonSecure + * IPA space. For all other kinds of fault, it is false. + */ + return space == ARMSS_Secure && regime_is_stage2(s2_mmu_idx) + && s2_mmu_idx == ARMMMUIdx_Stage2_S; +} + /* Translate a S1 pagetable walk through S2 if needed. */ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw, hwaddr addr, ARMMMUFaultInfo *fi) @@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw, fi->s2addr = addr; fi->stage2 = true; fi->s1ptw = true; - fi->s1ns = !is_secure; + fi->s1ns = fault_s1ns(ptw->in_space, s2_mmu_idx); return false; } } @@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw, fi->s2addr = addr; fi->stage2 = regime_is_stage2(s2_mmu_idx); fi->s1ptw = fi->stage2; - fi->s1ns = !is_secure; + fi->s1ns = fault_s1ns(ptw->in_space, s2_mmu_idx); return false; } @@ -XXX,XX +XXX,XX @@ static uint64_t arm_casq_ptw(CPUARMState *env, uint64_t old_val, fi->s2addr = ptw->out_virt; fi->stage2 = true; fi->s1ptw = true; - fi->s1ns = !ptw->in_secure; + fi->s1ns = fault_s1ns(ptw->in_space, ptw->in_ptw_idx); return 0; } @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, fi->level = level; /* Tag the error as S2 for failed S1 PTW at S2 or ordinary S2. */ fi->stage2 = fi->s1ptw || regime_is_stage2(mmu_idx); - fi->s1ns = mmu_idx == ARMMMUIdx_Stage2; + fi->s1ns = fault_s1ns(ptw->in_space, mmu_idx); return true; } -- 2.34.1 In commit 6d2654ffacea813916176 we created the S1Translate struct and used it to plumb through various arguments that we were previously passing one-at-a-time to get_phys_addr_v5(), get_phys_addr_v6(), and get_phys_addr_lpae(). Extend that pattern to get_phys_addr_pmsav5(), get_phys_addr_pmsav7(), get_phys_addr_pmsav8() and get_phys_addr_disabled(), so that all the get_phys_addr_* functions we call from get_phys_addr_nogpc() take the S1Translate struct rather than the mmu_idx and is_secure bool. (This refactoring is a prelude to having the called functions look at ptw->is_space rather than using an is_secure boolean.) Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-5-peter.maydell@linaro.org --- target/arm/ptw.c | 57 ++++++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 21 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, return true; } -static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address, - MMUAccessType access_type, ARMMMUIdx mmu_idx, - bool is_secure, GetPhysAddrResult *result, +static bool get_phys_addr_pmsav5(CPUARMState *env, + S1Translate *ptw, + uint32_t address, + MMUAccessType access_type, + GetPhysAddrResult *result, ARMMMUFaultInfo *fi) { int n; uint32_t mask; uint32_t base; + ARMMMUIdx mmu_idx = ptw->in_mmu_idx; bool is_user = regime_is_user(env, mmu_idx); + bool is_secure = arm_space_is_secure(ptw->in_space); if (regime_translation_disabled(env, mmu_idx, is_secure)) { /* MPU disabled. */ @@ -XXX,XX +XXX,XX @@ static bool pmsav7_use_background_region(ARMCPU *cpu, ARMMMUIdx mmu_idx, return regime_sctlr(env, mmu_idx) & SCTLR_BR; } -static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address, - MMUAccessType access_type, ARMMMUIdx mmu_idx, - bool secure, GetPhysAddrResult *result, +static bool get_phys_addr_pmsav7(CPUARMState *env, + S1Translate *ptw, + uint32_t address, + MMUAccessType access_type, + GetPhysAddrResult *result, ARMMMUFaultInfo *fi) { ARMCPU *cpu = env_archcpu(env); int n; + ARMMMUIdx mmu_idx = ptw->in_mmu_idx; bool is_user = regime_is_user(env, mmu_idx); + bool secure = arm_space_is_secure(ptw->in_space); result->f.phys_addr = address; result->f.lg_page_size = TARGET_PAGE_BITS; @@ -XXX,XX +XXX,XX @@ void v8m_security_lookup(CPUARMState *env, uint32_t address, } } -static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address, - MMUAccessType access_type, ARMMMUIdx mmu_idx, - bool secure, GetPhysAddrResult *result, +static bool get_phys_addr_pmsav8(CPUARMState *env, + S1Translate *ptw, + uint32_t address, + MMUAccessType access_type, + GetPhysAddrResult *result, ARMMMUFaultInfo *fi) { V8M_SAttributes sattrs = {}; + ARMMMUIdx mmu_idx = ptw->in_mmu_idx; + bool secure = arm_space_is_secure(ptw->in_space); bool ret; if (arm_feature(env, ARM_FEATURE_M_SECURITY)) { @@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(uint64_t hcr, * MMU disabled. S1 addresses within aa64 translation regimes are * still checked for bounds -- see AArch64.S1DisabledOutput(). */ -static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address, +static bool get_phys_addr_disabled(CPUARMState *env, + S1Translate *ptw, + target_ulong address, MMUAccessType access_type, - ARMMMUIdx mmu_idx, bool is_secure, GetPhysAddrResult *result, ARMMMUFaultInfo *fi) { + ARMMMUIdx mmu_idx = ptw->in_mmu_idx; + bool is_secure = arm_space_is_secure(ptw->in_space); uint8_t memattr = 0x00; /* Device nGnRnE */ uint8_t shareability = 0; /* non-shareable */ int r_el; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw, case ARMMMUIdx_Phys_Root: case ARMMMUIdx_Phys_Realm: /* Checking Phys early avoids special casing later vs regime_el. */ - return get_phys_addr_disabled(env, address, access_type, mmu_idx, - is_secure, result, fi); + return get_phys_addr_disabled(env, ptw, address, access_type, + result, fi); case ARMMMUIdx_Stage1_E0: case ARMMMUIdx_Stage1_E1: @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw, if (arm_feature(env, ARM_FEATURE_V8)) { /* PMSAv8 */ - ret = get_phys_addr_pmsav8(env, address, access_type, mmu_idx, - is_secure, result, fi); + ret = get_phys_addr_pmsav8(env, ptw, address, access_type, + result, fi); } else if (arm_feature(env, ARM_FEATURE_V7)) { /* PMSAv7 */ - ret = get_phys_addr_pmsav7(env, address, access_type, mmu_idx, - is_secure, result, fi); + ret = get_phys_addr_pmsav7(env, ptw, address, access_type, + result, fi); } else { /* Pre-v7 MPU */ - ret = get_phys_addr_pmsav5(env, address, access_type, mmu_idx, - is_secure, result, fi); + ret = get_phys_addr_pmsav5(env, ptw, address, access_type, + result, fi); } qemu_log_mask(CPU_LOG_MMU, "PMSA MPU lookup for %s at 0x%08" PRIx32 " mmu_idx %u -> %s (prot %c%c%c)\n", @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw, /* Definitely a real MMU, not an MPU */ if (regime_translation_disabled(env, mmu_idx, is_secure)) { - return get_phys_addr_disabled(env, address, access_type, mmu_idx, - is_secure, result, fi); + return get_phys_addr_disabled(env, ptw, address, access_type, + result, fi); } if (regime_using_lpae_format(env, mmu_idx)) { -- 2.34.1 Plumb the ARMSecurityState through to regime_translation_disabled() rather than just a bool is_secure. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-6-peter.maydell@linaro.org --- target/arm/ptw.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn) /* Return true if the specified stage of address translation is disabled */ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx, - bool is_secure) + ARMSecuritySpace space) { uint64_t hcr_el2; + bool is_secure = arm_space_is_secure(space); if (arm_feature(env, ARM_FEATURE_M)) { switch (env->v7m.mpu_ctrl[is_secure] & @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t base; ARMMMUIdx mmu_idx = ptw->in_mmu_idx; bool is_user = regime_is_user(env, mmu_idx); - bool is_secure = arm_space_is_secure(ptw->in_space); - if (regime_translation_disabled(env, mmu_idx, is_secure)) { + if (regime_translation_disabled(env, mmu_idx, ptw->in_space)) { /* MPU disabled. */ result->f.phys_addr = address; result->f.prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, result->f.lg_page_size = TARGET_PAGE_BITS; result->f.prot = 0; - if (regime_translation_disabled(env, mmu_idx, secure) || + if (regime_translation_disabled(env, mmu_idx, ptw->in_space) || m_is_ppb_region(env, address)) { /* * MPU disabled or M profile PPB access: use default memory map. @@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, * are done in arm_v7m_load_vector(), which always does a direct * read using address_space_ldl(), rather than going via this function. */ - if (regime_translation_disabled(env, mmu_idx, secure)) { /* MPU disabled */ + if (regime_translation_disabled(env, mmu_idx, arm_secure_to_space(secure))) { + /* MPU disabled */ hit = true; } else if (m_is_ppb_region(env, address)) { hit = true; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw, */ ptw->in_mmu_idx = mmu_idx = s1_mmu_idx; if (arm_feature(env, ARM_FEATURE_EL2) && - !regime_translation_disabled(env, ARMMMUIdx_Stage2, is_secure)) { + !regime_translation_disabled(env, ARMMMUIdx_Stage2, ptw->in_space)) { return get_phys_addr_twostage(env, ptw, address, access_type, result, fi); } @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw, /* Definitely a real MMU, not an MPU */ - if (regime_translation_disabled(env, mmu_idx, is_secure)) { + if (regime_translation_disabled(env, mmu_idx, ptw->in_space)) { return get_phys_addr_disabled(env, ptw, address, access_type, result, fi); } -- 2.34.1 arm_hcr_el2_eff_secstate() takes a bool secure, which it uses to determine whether EL2 is enabled in the current security state. With the advent of FEAT_RME this is no longer sufficient, because EL2 can be enabled for Secure state but not for Root, and both of those will pass 'secure == true' in the callsites in ptw.c. As it happens in all of our callsites in ptw.c we either avoid making the call or else avoid using the returned value if we're doing a translation for Root, so this is not a behaviour change even if the experimental FEAT_RME is enabled. But it is less confusing in the ptw.c code if we avoid the use of a bool secure that duplicates some of the information in the ArmSecuritySpace argument. Make arm_hcr_el2_eff_secstate() take an ARMSecuritySpace argument instead. Because we always want to know the HCR_EL2 for the security state defined by the current effective value of SCR_EL3.{NSE,NS}, it makes no sense to pass ARMSS_Root here, and we assert that callers don't do that. To avoid the assert(), we thus push the call to arm_hcr_el2_eff_secstate() down into the cases in regime_translation_disabled() that need it, rather than calling the function and ignoring the result for the Root space translations. All other calls to this function in ptw.c are already in places where we have confirmed that the mmu_idx is a stage 2 translation or that the regime EL is not 3. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-7-peter.maydell@linaro.org --- target/arm/cpu.h | 2 +- target/arm/helper.c | 8 +++++--- target/arm/ptw.c | 15 +++++++-------- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -XXX,XX +XXX,XX @@ static inline bool arm_is_el2_enabled(CPUARMState *env) * "for all purposes other than a direct read or write access of HCR_EL2." * Not included here is HCR_RW. */ -uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, bool secure); +uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, ARMSecuritySpace space); uint64_t arm_hcr_el2_eff(CPUARMState *env); uint64_t arm_hcrx_el2_eff(CPUARMState *env); diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static void hcr_writelow(CPUARMState *env, const ARMCPRegInfo *ri, * Bits that are not included here: * RW (read from SCR_EL3.RW as needed) */ -uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, bool secure) +uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, ARMSecuritySpace space) { uint64_t ret = env->cp15.hcr_el2; - if (!arm_is_el2_enabled_secstate(env, secure)) { + assert(space != ARMSS_Root); + + if (!arm_is_el2_enabled_secstate(env, arm_space_is_secure(space))) { /* * "This register has no effect if EL2 is not enabled in the * current Security state". This is ARMv8.4-SecEL2 speak for @@ -XXX,XX +XXX,XX @@ uint64_t arm_hcr_el2_eff(CPUARMState *env) if (arm_feature(env, ARM_FEATURE_M)) { return 0; } - return arm_hcr_el2_eff_secstate(env, arm_is_secure_below_el3(env)); + return arm_hcr_el2_eff_secstate(env, arm_security_space_below_el3(env)); } /* diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx, ARMSecuritySpace space) { uint64_t hcr_el2; - bool is_secure = arm_space_is_secure(space); if (arm_feature(env, ARM_FEATURE_M)) { + bool is_secure = arm_space_is_secure(space); switch (env->v7m.mpu_ctrl[is_secure] & (R_V7M_MPU_CTRL_ENABLE_MASK | R_V7M_MPU_CTRL_HFNMIENA_MASK)) { case R_V7M_MPU_CTRL_ENABLE_MASK: @@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx, } } - hcr_el2 = arm_hcr_el2_eff_secstate(env, is_secure); switch (mmu_idx) { case ARMMMUIdx_Stage2: case ARMMMUIdx_Stage2_S: /* HCR.DC means HCR.VM behaves as 1 */ + hcr_el2 = arm_hcr_el2_eff_secstate(env, space); return (hcr_el2 & (HCR_DC | HCR_VM)) == 0; case ARMMMUIdx_E10_0: case ARMMMUIdx_E10_1: case ARMMMUIdx_E10_1_PAN: /* TGE means that EL0/1 act as if SCTLR_EL1.M is zero */ + hcr_el2 = arm_hcr_el2_eff_secstate(env, space); if (hcr_el2 & HCR_TGE) { return true; } @@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx, case ARMMMUIdx_Stage1_E1: case ARMMMUIdx_Stage1_E1_PAN: /* HCR.DC means SCTLR_EL1.M behaves as 0 */ + hcr_el2 = arm_hcr_el2_eff_secstate(env, space); if (hcr_el2 & HCR_DC) { return true; } @@ -XXX,XX +XXX,XX @@ static bool fault_s1ns(ARMSecuritySpace space, ARMMMUIdx s2_mmu_idx) static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw, hwaddr addr, ARMMMUFaultInfo *fi) { - bool is_secure = ptw->in_secure; ARMMMUIdx mmu_idx = ptw->in_mmu_idx; ARMMMUIdx s2_mmu_idx = ptw->in_ptw_idx; uint8_t pte_attrs; @@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw, } if (regime_is_stage2(s2_mmu_idx)) { - uint64_t hcr = arm_hcr_el2_eff_secstate(env, is_secure); + uint64_t hcr = arm_hcr_el2_eff_secstate(env, ptw->in_space); if ((hcr & HCR_PTW) && S2_attrs_are_device(hcr, pte_attrs)) { /* @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, ARMMMUFaultInfo *fi) { ARMMMUIdx mmu_idx = ptw->in_mmu_idx; - bool is_secure = arm_space_is_secure(ptw->in_space); uint8_t memattr = 0x00; /* Device nGnRnE */ uint8_t shareability = 0; /* non-shareable */ int r_el; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, /* Fill in cacheattr a-la AArch64.TranslateAddressS1Off. */ if (r_el == 1) { - uint64_t hcr = arm_hcr_el2_eff_secstate(env, is_secure); + uint64_t hcr = arm_hcr_el2_eff_secstate(env, ptw->in_space); if (hcr & HCR_DC) { if (hcr & HCR_DCT) { memattr = 0xf0; /* Tagged, Normal, WB, RWA */ @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw, { hwaddr ipa; int s1_prot, s1_lgpgsz; - bool is_secure = ptw->in_secure; ARMSecuritySpace in_space = ptw->in_space; bool ret, ipa_secure; ARMCacheAttrs cacheattrs1; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw, } /* Combine the S1 and S2 cache attributes. */ - hcr = arm_hcr_el2_eff_secstate(env, is_secure); + hcr = arm_hcr_el2_eff_secstate(env, in_space); if (hcr & HCR_DC) { /* * HCR.DC forces the first stage attributes to -- 2.34.1 Pass an ARMSecuritySpace instead of a bool secure to arm_is_el2_enabled_secstate(). This doesn't change behaviour. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-8-peter.maydell@linaro.org --- target/arm/cpu.h | 13 ++++++++----- target/arm/helper.c | 2 +- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -XXX,XX +XXX,XX @@ static inline bool arm_is_secure(CPUARMState *env) /* * Return true if the current security state has AArch64 EL2 or AArch32 Hyp. - * This corresponds to the pseudocode EL2Enabled() + * This corresponds to the pseudocode EL2Enabled(). */ -static inline bool arm_is_el2_enabled_secstate(CPUARMState *env, bool secure) +static inline bool arm_is_el2_enabled_secstate(CPUARMState *env, + ARMSecuritySpace space) { + assert(space != ARMSS_Root); return arm_feature(env, ARM_FEATURE_EL2) - && (!secure || (env->cp15.scr_el3 & SCR_EEL2)); + && (space != ARMSS_Secure || (env->cp15.scr_el3 & SCR_EEL2)); } static inline bool arm_is_el2_enabled(CPUARMState *env) { - return arm_is_el2_enabled_secstate(env, arm_is_secure_below_el3(env)); + return arm_is_el2_enabled_secstate(env, arm_security_space_below_el3(env)); } #else @@ -XXX,XX +XXX,XX @@ static inline bool arm_is_secure(CPUARMState *env) return false; } -static inline bool arm_is_el2_enabled_secstate(CPUARMState *env, bool secure) +static inline bool arm_is_el2_enabled_secstate(CPUARMState *env, + ARMSecuritySpace space) { return false; } diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, ARMSecuritySpace space) assert(space != ARMSS_Root); - if (!arm_is_el2_enabled_secstate(env, arm_space_is_secure(space))) { + if (!arm_is_el2_enabled_secstate(env, space)) { /* * "This register has no effect if EL2 is not enabled in the * current Security state". This is ARMv8.4-SecEL2 speak for -- 2.34.1 When we do a translation in Secure state, the NSTable bits in table descriptors may downgrade us to NonSecure; we update ptw->in_secure and ptw->in_space accordingly. We guard that check correctly with a conditional that means it's only applied for Secure stage 1 translations. However, later on in get_phys_addr_lpae() we fold the effects of the NSTable bits into the final descriptor attributes bits, and there we do it unconditionally regardless of the CPU state. That means that in Realm state (where in_secure is false) we will set bit 5 in attrs, and later use it to decide to output to non-secure space. We don't in fact need to do this folding in at all any more (since commit 2f1ff4e7b9f30c): if an NSTable bit was set then we have already set ptw->in_space to ARMSS_NonSecure, and in that situation we don't look at attrs bit 5. The only thing we still need to deal with is the real NS bit in the final descriptor word, so we can just drop the code that ORed in the NSTable bit. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-9-peter.maydell@linaro.org --- target/arm/ptw.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, * Extract attributes from the (modified) descriptor, and apply * table descriptors. Stage 2 table descriptors do not include * any attribute fields. HPD disables all the table attributes - * except NSTable. + * except NSTable (which we have already handled). */ attrs = new_descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14)); if (!regime_is_stage2(mmu_idx)) { - attrs |= !ptw->in_secure << 5; /* NS */ if (!param.hpd) { attrs |= extract64(tableattrs, 0, 2) << 53; /* XN, PXN */ /* -- 2.34.1 Replace the last uses of ptw->in_secure with appropriate checks on ptw->in_space. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-10-peter.maydell@linaro.org --- target/arm/ptw.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw, ARMMMUFaultInfo *fi) { ARMMMUIdx mmu_idx = ptw->in_mmu_idx; - bool is_secure = ptw->in_secure; ARMMMUIdx s1_mmu_idx; /* @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw, * cannot upgrade a NonSecure translation regime's attributes * to Secure or Realm. */ - result->f.attrs.secure = is_secure; result->f.attrs.space = ptw->in_space; + result->f.attrs.secure = arm_space_is_secure(ptw->in_space); switch (mmu_idx) { case ARMMMUIdx_Phys_S: @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw, case ARMMMUIdx_Stage1_E0: case ARMMMUIdx_Stage1_E1: case ARMMMUIdx_Stage1_E1_PAN: - /* First stage lookup uses second stage for ptw. */ - ptw->in_ptw_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2; + /* + * First stage lookup uses second stage for ptw; only + * Secure has both S and NS IPA and starts with Stage2_S. + */ + ptw->in_ptw_idx = (ptw->in_space == ARMSS_Secure) ? + ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2; break; case ARMMMUIdx_Stage2: -- 2.34.1 We no longer look at the in_secure field of the S1Translate struct anyway, so we can remove it and all the code which sets it. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-11-peter.maydell@linaro.org --- target/arm/ptw.c | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ typedef struct S1Translate { * value being Stage2 vs Stage2_S distinguishes those. */ ARMSecuritySpace in_space; - /* - * in_secure: whether the translation regime is a Secure one. - * This is always equal to arm_space_is_secure(in_space). - * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit, - * this field is updated accordingly. - */ - bool in_secure; /* * in_debug: is this a QEMU debug access (gdbstub, etc)? Debug * accesses will not update the guest page table access flags @@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw, S1Translate s2ptw = { .in_mmu_idx = s2_mmu_idx, .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx), - .in_secure = arm_space_is_secure(s2_space), .in_space = s2_space, .in_debug = true, }; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_S + 1 != ARMMMUIdx_Phys_NS); QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2_S + 1 != ARMMMUIdx_Stage2); ptw->in_ptw_idx += 1; - ptw->in_secure = false; ptw->in_space = ARMSS_NonSecure; } @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw, ptw->in_s1_is_el0 = ptw->in_mmu_idx == ARMMMUIdx_Stage1_E0; ptw->in_mmu_idx = ipa_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2; - ptw->in_secure = ipa_secure; ptw->in_space = ipa_space; ptw->in_ptw_idx = ptw_idx_for_stage_2(env, ptw->in_mmu_idx); @@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address, { S1Translate ptw = { .in_mmu_idx = mmu_idx, - .in_secure = is_secure, .in_space = arm_secure_to_space(is_secure), }; return get_phys_addr_gpc(env, &ptw, address, access_type, result, fi); @@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address, } ptw.in_space = ss; - ptw.in_secure = arm_space_is_secure(ss); return get_phys_addr_gpc(env, &ptw, address, access_type, result, fi); } @@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr, S1Translate ptw = { .in_mmu_idx = mmu_idx, .in_space = ss, - .in_secure = arm_space_is_secure(ss), .in_debug = true, }; GetPhysAddrResult res = {}; -- 2.34.1 We only use S1Translate::out_secure in two places, where we are setting up MemTxAttrs for a page table load. We can use arm_space_is_secure(ptw->out_space) instead, which guarantees that we're setting the MemTxAttrs secure and space fields consistently, and allows us to drop the out_secure field in S1Translate entirely. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-12-peter.maydell@linaro.org --- target/arm/ptw.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ typedef struct S1Translate { * Stage 2 is indicated by in_mmu_idx set to ARMMMUIdx_Stage2{,_S}. */ bool in_s1_is_el0; - bool out_secure; bool out_rw; bool out_be; ARMSecuritySpace out_space; @@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw, pte_attrs = s2.cacheattrs.attrs; ptw->out_host = NULL; ptw->out_rw = false; - ptw->out_secure = s2.f.attrs.secure; ptw->out_space = s2.f.attrs.space; } else { #ifdef CONFIG_TCG @@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw, ptw->out_phys = full->phys_addr | (addr & ~TARGET_PAGE_MASK); ptw->out_rw = full->prot & PAGE_WRITE; pte_attrs = full->pte_attrs; - ptw->out_secure = full->attrs.secure; ptw->out_space = full->attrs.space; #else g_assert_not_reached(); @@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw, } else { /* Page tables are in MMIO. */ MemTxAttrs attrs = { - .secure = ptw->out_secure, .space = ptw->out_space, + .secure = arm_space_is_secure(ptw->out_space), }; AddressSpace *as = arm_addressspace(cs, attrs); MemTxResult result = MEMTX_OK; @@ -XXX,XX +XXX,XX @@ static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw, } else { /* Page tables are in MMIO. */ MemTxAttrs attrs = { - .secure = ptw->out_secure, .space = ptw->out_space, + .secure = arm_space_is_secure(ptw->out_space), }; AddressSpace *as = arm_addressspace(cs, attrs); MemTxResult result = MEMTX_OK; -- 2.34.1 When the MMU is disabled, data accesses should be Device nGnRnE, Outer Shareable, Untagged. We handle the other cases from AArch64.S1DisabledOutput() correctly but missed this one. Device nGnRnE is memattr == 0, so the only part we were missing was that shareability should be set to 2 for both insn fetches and data accesses. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-13-peter.maydell@linaro.org --- target/arm/ptw.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, } } } - if (memattr == 0 && access_type == MMU_INST_FETCH) { - if (regime_sctlr(env, mmu_idx) & SCTLR_I) { - memattr = 0xee; /* Normal, WT, RA, NT */ - } else { - memattr = 0x44; /* Normal, NC, No */ + if (memattr == 0) { + if (access_type == MMU_INST_FETCH) { + if (regime_sctlr(env, mmu_idx) & SCTLR_I) { + memattr = 0xee; /* Normal, WT, RA, NT */ + } else { + memattr = 0x44; /* Normal, NC, No */ + } } shareability = 2; /* outer shareable */ } -- 2.34.1 The architecture doesn't permit block descriptors at any arbitrary level of the page table walk; it depends on the granule size which levels are permitted. We implemented only a partial version of this check which assumes that block descriptors are valid at all levels except level 3, which meant that we wouldn't deliver the Translation fault for all cases of this sort of guest page table error. Implement the logic corresponding to the pseudocode AArch64.DecodeDescriptorType() and AArch64.BlockDescSupported(). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-14-peter.maydell@linaro.org --- target/arm/ptw.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static int check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, uint64_t tcr, return INT_MIN; } +static bool lpae_block_desc_valid(ARMCPU *cpu, bool ds, + ARMGranuleSize gran, int level) +{ + /* + * See pseudocode AArch46.BlockDescSupported(): block descriptors + * are not valid at all levels, depending on the page size. + */ + switch (gran) { + case Gran4K: + return (level == 0 && ds) || level == 1 || level == 2; + case Gran16K: + return (level == 1 && ds) || level == 2; + case Gran64K: + return (level == 1 && arm_pamax(cpu) == 52) || level == 2; + default: + g_assert_not_reached(); + } +} + /** * get_phys_addr_lpae: perform one stage of page table walk, LPAE format * @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, new_descriptor = descriptor; restart_atomic_update: - if (!(descriptor & 1) || (!(descriptor & 2) && (level == 3))) { - /* Invalid, or the Reserved level 3 encoding */ + if (!(descriptor & 1) || + (!(descriptor & 2) && + !lpae_block_desc_valid(cpu, param.ds, param.gran, level))) { + /* Invalid, or a block descriptor at an invalid level */ goto do_translation_fault; } -- 2.34.1 When we report faults due to stage 2 faults during a stage 1 page table walk, the 'level' parameter should be the level of the walk in stage 2 that faulted, not the level of the walk in stage 1. Correct the reporting of these faults. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-15-peter.maydell@linaro.org --- target/arm/ptw.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, do_translation_fault: fi->type = ARMFault_Translation; do_fault: - fi->level = level; - /* Tag the error as S2 for failed S1 PTW at S2 or ordinary S2. */ - fi->stage2 = fi->s1ptw || regime_is_stage2(mmu_idx); + if (fi->s1ptw) { + /* Retain the existing stage 2 fi->level */ + assert(fi->stage2); + } else { + fi->level = level; + fi->stage2 = regime_is_stage2(mmu_idx); + } fi->s1ns = fault_s1ns(ptw->in_space, mmu_idx); return true; } -- 2.34.1 The PAR_EL1.SH field documents that for the cases of: * Device memory * Normal memory with both Inner and Outer Non-Cacheable the field should be 0b10 rather than whatever was in the translation table descriptor field. (In the pseudocode this is handled by PAREncodeShareability().) Perform this adjustment when assembling a PAR value. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807141514.19075-16-peter.maydell@linaro.org --- target/arm/helper.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static CPAccessResult ats_access(CPUARMState *env, const ARMCPRegInfo *ri, } #ifdef CONFIG_TCG +static int par_el1_shareability(GetPhysAddrResult *res) +{ + /* + * The PAR_EL1.SH field must be 0b10 for Device or Normal-NC + * memory -- see pseudocode PAREncodeShareability(). + */ + if (((res->cacheattrs.attrs & 0xf0) == 0) || + res->cacheattrs.attrs == 0x44 || res->cacheattrs.attrs == 0x40) { + return 2; + } + return res->cacheattrs.shareability; +} + static uint64_t do_ats_write(CPUARMState *env, uint64_t value, MMUAccessType access_type, ARMMMUIdx mmu_idx, bool is_secure) @@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value, par64 |= (1 << 9); /* NS */ } par64 |= (uint64_t)res.cacheattrs.attrs << 56; /* ATTR */ - par64 |= res.cacheattrs.shareability << 7; /* SH */ + par64 |= par_el1_shareability(&res) << 7; /* SH */ } else { uint32_t fsr = arm_fi_to_lfsc(&fi); -- 2.34.1 From: Jean-Philippe Brucker <jean-philippe@linaro.org> In realm state, stage-2 translation tables are fetched from the realm physical address space (R_PGRQD). Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230809123706.1842548-2-jean-philippe@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/ptw.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static ARMMMUIdx ptw_idx_for_stage_2(CPUARMState *env, ARMMMUIdx stage2idx) /* * We're OK to check the current state of the CPU here because - * (1) we always invalidate all TLBs when the SCR_EL3.NS bit changes + * (1) we always invalidate all TLBs when the SCR_EL3.NS or SCR_EL3.NSE bit + * changes. * (2) there's no way to do a lookup that cares about Stage 2 for a * different security state to the current one for AArch64, and AArch32 * never has a secure EL2. (AArch32 ATS12NSO[UP][RW] allow EL3 to do * an NS stage 1+2 lookup while the NS bit is 0.) */ - if (!arm_is_secure_below_el3(env) || !arm_el_is_aa64(env, 3)) { + if (!arm_el_is_aa64(env, 3)) { return ARMMMUIdx_Phys_NS; } - if (stage2idx == ARMMMUIdx_Stage2_S) { - s2walk_secure = !(env->cp15.vstcr_el2 & VSTCR_SW); - } else { - s2walk_secure = !(env->cp15.vtcr_el2 & VTCR_NSW); - } - return s2walk_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS; + switch (arm_security_space_below_el3(env)) { + case ARMSS_NonSecure: + return ARMMMUIdx_Phys_NS; + case ARMSS_Realm: + return ARMMMUIdx_Phys_Realm; + case ARMSS_Secure: + if (stage2idx == ARMMMUIdx_Stage2_S) { + s2walk_secure = !(env->cp15.vstcr_el2 & VSTCR_SW); + } else { + s2walk_secure = !(env->cp15.vtcr_el2 & VTCR_NSW); + } + return s2walk_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS; + default: + g_assert_not_reached(); + } } static bool regime_translation_big_endian(CPUARMState *env, ARMMMUIdx mmu_idx) -- 2.34.1 From: Jean-Philippe Brucker <jean-philippe@linaro.org> When HCR_EL2.E2H is enabled, TLB entries are formed using the EL2&0 translation regime, instead of the EL2 translation regime. The TLB VAE2* instructions invalidate the regime that corresponds to the current value of HCR_EL2.E2H. At the moment we only invalidate the EL2 translation regime. This causes problems with RMM, which issues TLBI VAE2IS instructions with HCR_EL2.E2H enabled. Update vae2_tlbmask() to take HCR_EL2.E2H into account. Add vae2_tlbbits() as well, since the top-byte-ignore configuration is different between the EL2&0 and EL2 regime. Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230809123706.1842548-3-jean-philippe@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper.c | 50 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 40 insertions(+), 10 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static int vae1_tlbmask(CPUARMState *env) return mask; } +static int vae2_tlbmask(CPUARMState *env) +{ + uint64_t hcr = arm_hcr_el2_eff(env); + uint16_t mask; + + if (hcr & HCR_E2H) { + mask = ARMMMUIdxBit_E20_2 | + ARMMMUIdxBit_E20_2_PAN | + ARMMMUIdxBit_E20_0; + } else { + mask = ARMMMUIdxBit_E2; + } + return mask; +} + /* Return 56 if TBI is enabled, 64 otherwise. */ static int tlbbits_for_regime(CPUARMState *env, ARMMMUIdx mmu_idx, uint64_t addr) @@ -XXX,XX +XXX,XX @@ static int vae1_tlbbits(CPUARMState *env, uint64_t addr) return tlbbits_for_regime(env, mmu_idx, addr); } +static int vae2_tlbbits(CPUARMState *env, uint64_t addr) +{ + uint64_t hcr = arm_hcr_el2_eff(env); + ARMMMUIdx mmu_idx; + + /* + * Only the regime of the mmu_idx below is significant. + * Regime EL2&0 has two ranges with separate TBI configuration, while EL2 + * only has one. + */ + if (hcr & HCR_E2H) { + mmu_idx = ARMMMUIdx_E20_2; + } else { + mmu_idx = ARMMMUIdx_E2; + } + + return tlbbits_for_regime(env, mmu_idx, addr); +} + static void tlbi_aa64_vmalle1is_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) { @@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae2_write(CPUARMState *env, const ARMCPRegInfo *ri, * flush-last-level-only. */ CPUState *cs = env_cpu(env); - int mask = e2_tlbmask(env); + int mask = vae2_tlbmask(env); uint64_t pageaddr = sextract64(value << 12, 0, 56); + int bits = vae2_tlbbits(env, pageaddr); - tlb_flush_page_by_mmuidx(cs, pageaddr, mask); + tlb_flush_page_bits_by_mmuidx(cs, pageaddr, mask, bits); } static void tlbi_aa64_vae3_write(CPUARMState *env, const ARMCPRegInfo *ri, @@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae2is_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) { CPUState *cs = env_cpu(env); + int mask = vae2_tlbmask(env); uint64_t pageaddr = sextract64(value << 12, 0, 56); - int bits = tlbbits_for_regime(env, ARMMMUIdx_E2, pageaddr); + int bits = vae2_tlbbits(env, pageaddr); - tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr, - ARMMMUIdxBit_E2, bits); + tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr, mask, bits); } static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri, @@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_rvae1is_write(CPUARMState *env, do_rvae_write(env, value, vae1_tlbmask(env), true); } -static int vae2_tlbmask(CPUARMState *env) -{ - return ARMMMUIdxBit_E2; -} - static void tlbi_aa64_rvae2_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) -- 2.34.1 From: Jean-Philippe Brucker <jean-philippe@linaro.org> GPC checks are not performed on the output address for AT instructions, as stated by ARM DDI 0487J in D8.12.2: When populating PAR_EL1 with the result of an address translation instruction, granule protection checks are not performed on the final output address of a successful translation. Rename get_phys_addr_with_secure(), since it's only used to handle AT instructions. Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230809123706.1842548-4-jean-philippe@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/internals.h | 25 ++++++++++++++----------- target/arm/helper.c | 8 ++++++-- target/arm/ptw.c | 11 ++++++----- 3 files changed, 26 insertions(+), 18 deletions(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -XXX,XX +XXX,XX @@ typedef struct GetPhysAddrResult { } GetPhysAddrResult; /** - * get_phys_addr_with_secure: get the physical address for a virtual address + * get_phys_addr: get the physical address for a virtual address * @env: CPUARMState * @address: virtual address to get physical address for * @access_type: 0 for read, 1 for write, 2 for execute * @mmu_idx: MMU index indicating required translation regime - * @is_secure: security state for the access * @result: set on translation success. * @fi: set to fault info if the translation fails * @@ -XXX,XX +XXX,XX @@ typedef struct GetPhysAddrResult { * * for PSMAv5 based systems we don't bother to return a full FSR format * value. */ -bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address, - MMUAccessType access_type, - ARMMMUIdx mmu_idx, bool is_secure, - GetPhysAddrResult *result, ARMMMUFaultInfo *fi) +bool get_phys_addr(CPUARMState *env, target_ulong address, + MMUAccessType access_type, ARMMMUIdx mmu_idx, + GetPhysAddrResult *result, ARMMMUFaultInfo *fi) __attribute__((nonnull)); /** - * get_phys_addr: get the physical address for a virtual address + * get_phys_addr_with_secure_nogpc: get the physical address for a virtual + * address * @env: CPUARMState * @address: virtual address to get physical address for * @access_type: 0 for read, 1 for write, 2 for execute * @mmu_idx: MMU index indicating required translation regime + * @is_secure: security state for the access * @result: set on translation success. * @fi: set to fault info if the translation fails * - * Similarly, but use the security regime of @mmu_idx. + * Similar to get_phys_addr, but use the given security regime and don't perform + * a Granule Protection Check on the resulting address. */ -bool get_phys_addr(CPUARMState *env, target_ulong address, - MMUAccessType access_type, ARMMMUIdx mmu_idx, - GetPhysAddrResult *result, ARMMMUFaultInfo *fi) +bool get_phys_addr_with_secure_nogpc(CPUARMState *env, target_ulong address, + MMUAccessType access_type, + ARMMMUIdx mmu_idx, bool is_secure, + GetPhysAddrResult *result, + ARMMMUFaultInfo *fi) __attribute__((nonnull)); bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value, ARMMMUFaultInfo fi = {}; GetPhysAddrResult res = {}; - ret = get_phys_addr_with_secure(env, value, access_type, mmu_idx, - is_secure, &res, &fi); + /* + * I_MXTJT: Granule protection checks are not performed on the final address + * of a successful translation. + */ + ret = get_phys_addr_with_secure_nogpc(env, value, access_type, mmu_idx, + is_secure, &res, &fi); /* * ATS operations only do S1 or S1+S2 translations, so we never diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_gpc(CPUARMState *env, S1Translate *ptw, return false; } -bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address, - MMUAccessType access_type, ARMMMUIdx mmu_idx, - bool is_secure, GetPhysAddrResult *result, - ARMMMUFaultInfo *fi) +bool get_phys_addr_with_secure_nogpc(CPUARMState *env, target_ulong address, + MMUAccessType access_type, + ARMMMUIdx mmu_idx, bool is_secure, + GetPhysAddrResult *result, + ARMMMUFaultInfo *fi) { S1Translate ptw = { .in_mmu_idx = mmu_idx, .in_space = arm_secure_to_space(is_secure), }; - return get_phys_addr_gpc(env, &ptw, address, access_type, result, fi); + return get_phys_addr_nogpc(env, &ptw, address, access_type, result, fi); } bool get_phys_addr(CPUARMState *env, target_ulong address, -- 2.34.1 From: Jean-Philippe Brucker <jean-philippe@linaro.org> At the moment we only handle Secure and Nonsecure security spaces for the AT instructions. Add support for Realm and Root. For AArch64, arm_security_space() gives the desired space. ARM DDI0487J says (R_NYXTL): If EL3 is implemented, then when an address translation instruction that applies to an Exception level lower than EL3 is executed, the Effective value of SCR_EL3.{NSE, NS} determines the target Security state that the instruction applies to. For AArch32, some instructions can access NonSecure space from Secure, so we still need to pass the state explicitly to do_ats_write(). Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230809123706.1842548-5-jean-philippe@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/internals.h | 18 +++++++++--------- target/arm/helper.c | 27 ++++++++++++--------------- target/arm/ptw.c | 12 ++++++------ 3 files changed, 27 insertions(+), 30 deletions(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address, __attribute__((nonnull)); /** - * get_phys_addr_with_secure_nogpc: get the physical address for a virtual - * address + * get_phys_addr_with_space_nogpc: get the physical address for a virtual + * address * @env: CPUARMState * @address: virtual address to get physical address for * @access_type: 0 for read, 1 for write, 2 for execute * @mmu_idx: MMU index indicating required translation regime - * @is_secure: security state for the access + * @space: security space for the access * @result: set on translation success. * @fi: set to fault info if the translation fails * - * Similar to get_phys_addr, but use the given security regime and don't perform + * Similar to get_phys_addr, but use the given security space and don't perform * a Granule Protection Check on the resulting address. */ -bool get_phys_addr_with_secure_nogpc(CPUARMState *env, target_ulong address, - MMUAccessType access_type, - ARMMMUIdx mmu_idx, bool is_secure, - GetPhysAddrResult *result, - ARMMMUFaultInfo *fi) +bool get_phys_addr_with_space_nogpc(CPUARMState *env, target_ulong address, + MMUAccessType access_type, + ARMMMUIdx mmu_idx, ARMSecuritySpace space, + GetPhysAddrResult *result, + ARMMMUFaultInfo *fi) __attribute__((nonnull)); bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static int par_el1_shareability(GetPhysAddrResult *res) static uint64_t do_ats_write(CPUARMState *env, uint64_t value, MMUAccessType access_type, ARMMMUIdx mmu_idx, - bool is_secure) + ARMSecuritySpace ss) { bool ret; uint64_t par64; @@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value, * I_MXTJT: Granule protection checks are not performed on the final address * of a successful translation. */ - ret = get_phys_addr_with_secure_nogpc(env, value, access_type, mmu_idx, - is_secure, &res, &fi); + ret = get_phys_addr_with_space_nogpc(env, value, access_type, mmu_idx, ss, + &res, &fi); /* * ATS operations only do S1 or S1+S2 translations, so we never @@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) uint64_t par64; ARMMMUIdx mmu_idx; int el = arm_current_el(env); - bool secure = arm_is_secure_below_el3(env); + ARMSecuritySpace ss = arm_security_space(env); switch (ri->opc2 & 6) { case 0: @@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) switch (el) { case 3: mmu_idx = ARMMMUIdx_E3; - secure = true; break; case 2: - g_assert(!secure); /* ARMv8.4-SecEL2 is 64-bit only */ + g_assert(ss != ARMSS_Secure); /* ARMv8.4-SecEL2 is 64-bit only */ /* fall through */ case 1: if (ri->crm == 9 && (env->uncached_cpsr & CPSR_PAN)) { @@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) switch (el) { case 3: mmu_idx = ARMMMUIdx_E10_0; - secure = true; break; case 2: - g_assert(!secure); /* ARMv8.4-SecEL2 is 64-bit only */ + g_assert(ss != ARMSS_Secure); /* ARMv8.4-SecEL2 is 64-bit only */ mmu_idx = ARMMMUIdx_Stage1_E0; break; case 1: @@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) case 4: /* stage 1+2 NonSecure PL1: ATS12NSOPR, ATS12NSOPW */ mmu_idx = ARMMMUIdx_E10_1; - secure = false; + ss = ARMSS_NonSecure; break; case 6: /* stage 1+2 NonSecure PL0: ATS12NSOUR, ATS12NSOUW */ mmu_idx = ARMMMUIdx_E10_0; - secure = false; + ss = ARMSS_NonSecure; break; default: g_assert_not_reached(); } - par64 = do_ats_write(env, value, access_type, mmu_idx, secure); + par64 = do_ats_write(env, value, access_type, mmu_idx, ss); A32_BANKED_CURRENT_REG_SET(env, par, par64); #else @@ -XXX,XX +XXX,XX @@ static void ats1h_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t par64; /* There is no SecureEL2 for AArch32. */ - par64 = do_ats_write(env, value, access_type, ARMMMUIdx_E2, false); + par64 = do_ats_write(env, value, access_type, ARMMMUIdx_E2, + ARMSS_NonSecure); A32_BANKED_CURRENT_REG_SET(env, par, par64); #else @@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri, #ifdef CONFIG_TCG MMUAccessType access_type = ri->opc2 & 1 ? MMU_DATA_STORE : MMU_DATA_LOAD; ARMMMUIdx mmu_idx; - int secure = arm_is_secure_below_el3(env); uint64_t hcr_el2 = arm_hcr_el2_eff(env); bool regime_e20 = (hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE); @@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri, break; case 6: /* AT S1E3R, AT S1E3W */ mmu_idx = ARMMMUIdx_E3; - secure = true; break; default: g_assert_not_reached(); @@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri, } env->cp15.par_el[1] = do_ats_write(env, value, access_type, - mmu_idx, secure); + mmu_idx, arm_security_space(env)); #else /* Handled by hardware accelerator. */ g_assert_not_reached(); diff --git a/target/arm/ptw.c b/target/arm/ptw.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_gpc(CPUARMState *env, S1Translate *ptw, return false; } -bool get_phys_addr_with_secure_nogpc(CPUARMState *env, target_ulong address, - MMUAccessType access_type, - ARMMMUIdx mmu_idx, bool is_secure, - GetPhysAddrResult *result, - ARMMMUFaultInfo *fi) +bool get_phys_addr_with_space_nogpc(CPUARMState *env, target_ulong address, + MMUAccessType access_type, + ARMMMUIdx mmu_idx, ARMSecuritySpace space, + GetPhysAddrResult *result, + ARMMMUFaultInfo *fi) { S1Translate ptw = { .in_mmu_idx = mmu_idx, - .in_space = arm_secure_to_space(is_secure), + .in_space = space, }; return get_phys_addr_nogpc(env, &ptw, address, access_type, result, fi); } -- 2.34.1 From: Jean-Philippe Brucker <jean-philippe@linaro.org> The AT instruction is UNDEFINED if the {NSE,NS} configuration is invalid. Add a function to check this on all AT instructions that apply to an EL lower than 3. Suggested-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org> Message-id: 20230809123706.1842548-6-jean-philippe@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper.c | 38 +++++++++++++++++++++++++++----------- 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static void ats1h_write(CPUARMState *env, const ARMCPRegInfo *ri, #endif /* CONFIG_TCG */ } +static CPAccessResult at_e012_access(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) +{ + /* + * R_NYXTL: instruction is UNDEFINED if it applies to an Exception level + * lower than EL3 and the combination SCR_EL3.{NSE,NS} is reserved. This can + * only happen when executing at EL3 because that combination also causes an + * illegal exception return. We don't need to check FEAT_RME either, because + * scr_write() ensures that the NSE bit is not set otherwise. + */ + if ((env->cp15.scr_el3 & (SCR_NSE | SCR_NS)) == SCR_NSE) { + return CP_ACCESS_TRAP; + } + return CP_ACCESS_OK; +} + static CPAccessResult at_s1e2_access(CPUARMState *env, const ARMCPRegInfo *ri, bool isread) { @@ -XXX,XX +XXX,XX @@ static CPAccessResult at_s1e2_access(CPUARMState *env, const ARMCPRegInfo *ri, !(env->cp15.scr_el3 & (SCR_NS | SCR_EEL2))) { return CP_ACCESS_TRAP; } - return CP_ACCESS_OK; + return at_e012_access(env, ri, isread); } static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 0, .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .fgt = FGT_ATS1E1R, - .writefn = ats_write64 }, + .accessfn = at_e012_access, .writefn = ats_write64 }, { .name = "AT_S1E1W", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 1, .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .fgt = FGT_ATS1E1W, - .writefn = ats_write64 }, + .accessfn = at_e012_access, .writefn = ats_write64 }, { .name = "AT_S1E0R", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 2, .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .fgt = FGT_ATS1E0R, - .writefn = ats_write64 }, + .accessfn = at_e012_access, .writefn = ats_write64 }, { .name = "AT_S1E0W", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 3, .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .fgt = FGT_ATS1E0W, - .writefn = ats_write64 }, + .accessfn = at_e012_access, .writefn = ats_write64 }, { .name = "AT_S12E1R", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 4, .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, - .writefn = ats_write64 }, + .accessfn = at_e012_access, .writefn = ats_write64 }, { .name = "AT_S12E1W", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 5, .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, - .writefn = ats_write64 }, + .accessfn = at_e012_access, .writefn = ats_write64 }, { .name = "AT_S12E0R", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 6, .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, - .writefn = ats_write64 }, + .accessfn = at_e012_access, .writefn = ats_write64 }, { .name = "AT_S12E0W", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 7, .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, - .writefn = ats_write64 }, + .accessfn = at_e012_access, .writefn = ats_write64 }, /* AT S1E2* are elsewhere as they UNDEF from EL3 if EL2 is not present */ { .name = "AT_S1E3R", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 0, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo ats1e1_reginfo[] = { .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 0, .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .fgt = FGT_ATS1E1RP, - .writefn = ats_write64 }, + .accessfn = at_e012_access, .writefn = ats_write64 }, { .name = "AT_S1E1WP", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 1, .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .fgt = FGT_ATS1E1WP, - .writefn = ats_write64 }, + .accessfn = at_e012_access, .writefn = ats_write64 }, }; static const ARMCPRegInfo ats1cp_reginfo[] = { -- 2.34.1 From: Jean-Philippe Brucker <jean-philippe@linaro.org> When FEAT_RME is implemented, these bits override the value of CNT[VP]_CTL_EL0.IMASK in Realm and Root state. Move the IRQ state update into a new gt_update_irq() function and test those bits every time we recompute the IRQ state. Since we're removing the IRQ state from some trace events, add a new trace event for gt_update_irq(). Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org> Message-id: 20230809123706.1842548-7-jean-philippe@linaro.org [PMM: only register change hook if not USER_ONLY and if TCG] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/cpu.h | 4 +++ target/arm/cpu.c | 6 ++++ target/arm/helper.c | 65 ++++++++++++++++++++++++++++++++++------- target/arm/trace-events | 7 +++-- 4 files changed, 68 insertions(+), 14 deletions(-) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -XXX,XX +XXX,XX @@ struct ArchCPU { }; unsigned int gt_cntfrq_period_ns(ARMCPU *cpu); +void gt_rme_post_el_change(ARMCPU *cpu, void *opaque); void arm_cpu_post_init(Object *obj); @@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask) #define HSTR_TTEE (1 << 16) #define HSTR_TJDBX (1 << 17) +#define CNTHCTL_CNTVMASK (1 << 18) +#define CNTHCTL_CNTPMASK (1 << 19) + /* Return the current FPSCR value. */ uint32_t vfp_get_fpscr(CPUARMState *env); void vfp_set_fpscr(CPUARMState *env, uint32_t val); diff --git a/target/arm/cpu.c b/target/arm/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp) set_feature(env, ARM_FEATURE_VBAR); } +#ifndef CONFIG_USER_ONLY + if (tcg_enabled() && cpu_isar_feature(aa64_rme, cpu)) { + arm_register_el_change_hook(cpu, &gt_rme_post_el_change, 0); + } +#endif + register_cp_regs_for_features(cpu); arm_cpu_register_gdb_regs_for_features(cpu); diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static uint64_t gt_get_countervalue(CPUARMState *env) return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / gt_cntfrq_period_ns(cpu); } +static void gt_update_irq(ARMCPU *cpu, int timeridx) +{ + CPUARMState *env = &cpu->env; + uint64_t cnthctl = env->cp15.cnthctl_el2; + ARMSecuritySpace ss = arm_security_space(env); + /* ISTATUS && !IMASK */ + int irqstate = (env->cp15.c14_timer[timeridx].ctl & 6) == 4; + + /* + * If bit CNTHCTL_EL2.CNT[VP]MASK is set, it overrides IMASK. + * It is RES0 in Secure and NonSecure state. + */ + if ((ss == ARMSS_Root || ss == ARMSS_Realm) && + ((timeridx == GTIMER_VIRT && (cnthctl & CNTHCTL_CNTVMASK)) || + (timeridx == GTIMER_PHYS && (cnthctl & CNTHCTL_CNTPMASK)))) { + irqstate = 0; + } + + qemu_set_irq(cpu->gt_timer_outputs[timeridx], irqstate); + trace_arm_gt_update_irq(timeridx, irqstate); +} + +void gt_rme_post_el_change(ARMCPU *cpu, void *ignored) +{ + /* + * Changing security state between Root and Secure/NonSecure, which may + * happen when switching EL, can change the effective value of CNTHCTL_EL2 + * mask bits. Update the IRQ state accordingly. + */ + gt_update_irq(cpu, GTIMER_VIRT); + gt_update_irq(cpu, GTIMER_PHYS); +} + static void gt_recalc_timer(ARMCPU *cpu, int timeridx) { ARMGenericTimer *gt = &cpu->env.cp15.c14_timer[timeridx]; @@ -XXX,XX +XXX,XX @@ static void gt_recalc_timer(ARMCPU *cpu, int timeridx) /* Note that this must be unsigned 64 bit arithmetic: */ int istatus = count - offset >= gt->cval; uint64_t nexttick; - int irqstate; gt->ctl = deposit32(gt->ctl, 2, 1, istatus); - irqstate = (istatus && !(gt->ctl & 2)); - qemu_set_irq(cpu->gt_timer_outputs[timeridx], irqstate); - if (istatus) { /* Next transition is when count rolls back over to zero */ nexttick = UINT64_MAX; @@ -XXX,XX +XXX,XX @@ static void gt_recalc_timer(ARMCPU *cpu, int timeridx) } else { timer_mod(cpu->gt_timer[timeridx], nexttick); } - trace_arm_gt_recalc(timeridx, irqstate, nexttick); + trace_arm_gt_recalc(timeridx, nexttick); } else { /* Timer disabled: ISTATUS and timer output always clear */ gt->ctl &= ~4; - qemu_set_irq(cpu->gt_timer_outputs[timeridx], 0); timer_del(cpu->gt_timer[timeridx]); trace_arm_gt_recalc_disabled(timeridx); } + gt_update_irq(cpu, timeridx); } static void gt_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri, @@ -XXX,XX +XXX,XX @@ static void gt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri, * IMASK toggled: don't need to recalculate, * just set the interrupt line based on ISTATUS */ - int irqstate = (oldval & 4) && !(value & 2); - - trace_arm_gt_imask_toggle(timeridx, irqstate); - qemu_set_irq(cpu->gt_timer_outputs[timeridx], irqstate); + trace_arm_gt_imask_toggle(timeridx); + gt_update_irq(cpu, timeridx); } } @@ -XXX,XX +XXX,XX @@ static void gt_virt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri, gt_ctl_write(env, ri, GTIMER_VIRT, value); } +static void gt_cnthctl_write(CPUARMState *env, const ARMCPRegInfo *ri, + uint64_t value) +{ + ARMCPU *cpu = env_archcpu(env); + uint32_t oldval = env->cp15.cnthctl_el2; + + raw_write(env, ri, value); + + if ((oldval ^ value) & CNTHCTL_CNTVMASK) { + gt_update_irq(cpu, GTIMER_VIRT); + } else if ((oldval ^ value) & CNTHCTL_CNTPMASK) { + gt_update_irq(cpu, GTIMER_PHYS); + } +} + static void gt_cntvoff_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) { @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = { * reset values as IMPDEF. We choose to reset to 3 to comply with * both ARMv7 and ARMv8. */ - .access = PL2_RW, .resetvalue = 3, + .access = PL2_RW, .type = ARM_CP_IO, .resetvalue = 3, + .writefn = gt_cnthctl_write, .raw_writefn = raw_write, .fieldoffset = offsetof(CPUARMState, cp15.cnthctl_el2) }, { .name = "CNTVOFF_EL2", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 0, .opc2 = 3, diff --git a/target/arm/trace-events b/target/arm/trace-events index XXXXXXX..XXXXXXX 100644 --- a/target/arm/trace-events +++ b/target/arm/trace-events @@ -XXX,XX +XXX,XX @@ # See docs/devel/tracing.rst for syntax documentation. # helper.c -arm_gt_recalc(int timer, int irqstate, uint64_t nexttick) "gt recalc: timer %d irqstate %d next tick 0x%" PRIx64 -arm_gt_recalc_disabled(int timer) "gt recalc: timer %d irqstate 0 timer disabled" +arm_gt_recalc(int timer, uint64_t nexttick) "gt recalc: timer %d next tick 0x%" PRIx64 +arm_gt_recalc_disabled(int timer) "gt recalc: timer %d timer disabled" arm_gt_cval_write(int timer, uint64_t value) "gt_cval_write: timer %d value 0x%" PRIx64 arm_gt_tval_write(int timer, uint64_t value) "gt_tval_write: timer %d value 0x%" PRIx64 arm_gt_ctl_write(int timer, uint64_t value) "gt_ctl_write: timer %d value 0x%" PRIx64 -arm_gt_imask_toggle(int timer, int irqstate) "gt_ctl_write: timer %d IMASK toggle, new irqstate %d" +arm_gt_imask_toggle(int timer) "gt_ctl_write: timer %d IMASK toggle" arm_gt_cntvoff_write(uint64_t value) "gt_cntvoff_write: value 0x%" PRIx64 +arm_gt_update_irq(int timer, int irqstate) "gt_update_irq: timer %d irqstate %d" # kvm.c kvm_arm_fixup_msi_route(uint64_t iova, uint64_t gpa) "MSI iova = 0x%"PRIx64" is translated into 0x%"PRIx64 -- 2.34.1 From: Richard Henderson <richard.henderson@linaro.org> A typo, noted in the bug report, resulting in an incorrect write offset. Cc: qemu-stable@nongnu.org Fixes: 7390e0e9ab8 ("target/arm: Implement SME LD1, ST1") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1833 Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20230818214255.146905-1-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/tcg/sme_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/sme_helper.c +++ b/target/arm/tcg/sme_helper.c @@ -XXX,XX +XXX,XX @@ static inline void HNAME##_host(void *za, intptr_t off, void *host) \ { \ uint64_t *ptr = za + off; \ HOST(host, ptr[BE]); \ - HOST(host + 1, ptr[!BE]); \ + HOST(host + 8, ptr[!BE]); \ } \ static inline void VNAME##_v_host(void *za, intptr_t off, void *host) \ { \ -- 2.34.1 From: Richard Henderson <richard.henderson@linaro.org> Typo applied byte-wise shift instead of double-word shift. Cc: qemu-stable@nongnu.org Fixes: 631e565450c ("target/arm: Create gen_gvec_[us]sra") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1737 Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20230821022025.397682-1-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/tcg/translate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/translate.c +++ b/target/arm/tcg/translate.c @@ -XXX,XX +XXX,XX @@ void gen_gvec_ssra(unsigned vece, uint32_t rd_ofs, uint32_t rm_ofs, .vece = MO_32 }, { .fni8 = gen_ssra64_i64, .fniv = gen_ssra_vec, - .fno = gen_helper_gvec_ssra_b, + .fno = gen_helper_gvec_ssra_d, .prefer_i64 = TCG_TARGET_REG_BITS == 64, .opt_opc = vecop_list, .load_dest = true, -- 2.34.1 Hi; here's the latest round of arm patches. I have included also my patchset for the RTC devices to avoid keeping time_t and time_t diffs in 32-bit variables. thanks -- PMM The following changes since commit 156618d9ea67f2f2e31d9dedd97f2dcccbe6808c: Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging (2023-08-30 09:20:27 -0400) are available in the Git repository at: https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230831 for you to fetch changes up to e73b8bb8a3e9a162f70e9ffbf922d4fafc96bbfb: hw/arm: Set number of MPU regions correctly for an505, an521, an524 (2023-08-31 11:07:02 +0100) ---------------------------------------------------------------- target-arm queue: * Some of the preliminary patches for Cortex-A710 support * i.MX7 and i.MX6UL refactoring * Implement SRC device for i.MX7 * Catch illegal-exception-return from EL3 with bad NSE/NS * Use 64-bit offsets for holding time_t differences in RTC devices * Model correct number of MPU regions for an505, an521, an524 boards ---------------------------------------------------------------- Alex Bennée (1): target/arm: properly document FEAT_CRC32 Jean-Christophe Dubois (6): Remove i.MX7 IOMUX GPR device from i.MX6UL Refactor i.MX6UL processor code Add i.MX6UL missing devices. Refactor i.MX7 processor code Add i.MX7 missing TZ devices and memory regions Add i.MX7 SRC device implementation Peter Maydell (8): target/arm: Catch illegal-exception-return from EL3 with bad NSE/NS hw/rtc/m48t59: Use 64-bit arithmetic in set_alarm() hw/rtc/twl92230: Use int64_t for sec_offset and alm_sec hw/rtc/aspeed_rtc: Use 64-bit offset for holding time_t difference rtc: Use time_t for passing and returning time offsets target/arm: Do all "ARM_FEATURE_X implies Y" checks in post_init hw/arm/armv7m: Add mpu-ns-regions and mpu-s-regions properties hw/arm: Set number of MPU regions correctly for an505, an521, an524 Richard Henderson (9): target/arm: Reduce dcz_blocksize to uint8_t target/arm: Allow cpu to configure GM blocksize target/arm: Support more GM blocksizes target/arm: When tag memory is not present, set MTE=1 target/arm: Introduce make_ccsidr64 target/arm: Apply access checks to neoverse-n1 special registers target/arm: Apply access checks to neoverse-v1 special registers target/arm: Suppress FEAT_TRBE (Trace Buffer Extension) target/arm: Implement FEAT_HPDS2 as a no-op docs/system/arm/emulation.rst | 2 + include/hw/arm/armsse.h | 5 + include/hw/arm/armv7m.h | 8 + include/hw/arm/fsl-imx6ul.h | 158 ++++++++++++++++--- include/hw/arm/fsl-imx7.h | 338 ++++++++++++++++++++++++++++++----------- include/hw/misc/imx7_src.h | 66 ++++++++ include/hw/rtc/aspeed_rtc.h | 2 +- include/sysemu/rtc.h | 4 +- target/arm/cpregs.h | 2 + target/arm/cpu.h | 5 +- target/arm/internals.h | 6 - target/arm/tcg/translate.h | 2 + hw/arm/armsse.c | 16 ++ hw/arm/armv7m.c | 21 +++ hw/arm/fsl-imx6ul.c | 174 +++++++++++++-------- hw/arm/fsl-imx7.c | 201 +++++++++++++++++++----- hw/arm/mps2-tz.c | 29 ++++ hw/misc/imx7_src.c | 276 +++++++++++++++++++++++++++++++++ hw/rtc/aspeed_rtc.c | 5 +- hw/rtc/m48t59.c | 2 +- hw/rtc/twl92230.c | 4 +- softmmu/rtc.c | 4 +- target/arm/cpu.c | 207 ++++++++++++++----------- target/arm/helper.c | 15 +- target/arm/tcg/cpu32.c | 2 +- target/arm/tcg/cpu64.c | 102 +++++++++---- target/arm/tcg/helper-a64.c | 9 ++ target/arm/tcg/mte_helper.c | 90 ++++++++--- target/arm/tcg/translate-a64.c | 5 +- hw/misc/meson.build | 1 + hw/misc/trace-events | 4 + 31 files changed, 1393 insertions(+), 372 deletions(-) create mode 100644 include/hw/misc/imx7_src.h create mode 100644 hw/misc/imx7_src.c From: Richard Henderson <richard.henderson@linaro.org> This value is only 4 bits wide. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20230811214031.171020-2-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/cpu.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -XXX,XX +XXX,XX @@ struct ArchCPU { bool prop_lpa2; /* DCZ blocksize, in log_2(words), ie low 4 bits of DCZID_EL0 */ - uint32_t dcz_blocksize; + uint8_t dcz_blocksize; + uint64_t rvbar_prop; /* Property/input signals. */ /* Configurable aspects of GIC cpu interface (which is part of the CPU) */ -- 2.34.1 From: Richard Henderson <richard.henderson@linaro.org> Previously we hard-coded the blocksize with GMID_EL1_BS. But the value we choose for -cpu max does not match the value that cortex-a710 uses. Mirror the way we handle dcz_blocksize. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230811214031.171020-3-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/cpu.h | 2 ++ target/arm/internals.h | 6 ----- target/arm/tcg/translate.h | 2 ++ target/arm/helper.c | 11 +++++--- target/arm/tcg/cpu64.c | 1 + target/arm/tcg/mte_helper.c | 46 ++++++++++++++++++++++------------ target/arm/tcg/translate-a64.c | 5 ++-- 7 files changed, 45 insertions(+), 28 deletions(-) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -XXX,XX +XXX,XX @@ struct ArchCPU { /* DCZ blocksize, in log_2(words), ie low 4 bits of DCZID_EL0 */ uint8_t dcz_blocksize; + /* GM blocksize, in log_2(words), ie low 4 bits of GMID_EL0 */ + uint8_t gm_blocksize; uint64_t rvbar_prop; /* Property/input signals. */ diff --git a/target/arm/internals.h b/target/arm/internals.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -XXX,XX +XXX,XX @@ void arm_log_exception(CPUState *cs); #endif /* !CONFIG_USER_ONLY */ -/* - * The log2 of the words in the tag block, for GMID_EL1.BS. - * The is the maximum, 256 bytes, which manipulates 64-bits of tags. - */ -#define GMID_EL1_BS 6 - /* * SVE predicates are 1/8 the size of SVE vectors, and cannot use * the same simd_desc() encoding due to restrictions on size. diff --git a/target/arm/tcg/translate.h b/target/arm/tcg/translate.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/translate.h +++ b/target/arm/tcg/translate.h @@ -XXX,XX +XXX,XX @@ typedef struct DisasContext { int8_t btype; /* A copy of cpu->dcz_blocksize. */ uint8_t dcz_blocksize; + /* A copy of cpu->gm_blocksize. */ + uint8_t gm_blocksize; /* True if this page is guarded. */ bool guarded_page; /* Bottom two bits of XScale c15_cpar coprocessor access control reg */ diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo mte_reginfo[] = { .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 6, .access = PL1_RW, .accessfn = access_mte, .fieldoffset = offsetof(CPUARMState, cp15.gcr_el1) }, - { .name = "GMID_EL1", .state = ARM_CP_STATE_AA64, - .opc0 = 3, .opc1 = 1, .crn = 0, .crm = 0, .opc2 = 4, - .access = PL1_R, .accessfn = access_aa64_tid5, - .type = ARM_CP_CONST, .resetvalue = GMID_EL1_BS }, { .name = "TCO", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 3, .crn = 4, .crm = 2, .opc2 = 7, .type = ARM_CP_NO_RAW, @@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu) * then define only a RAZ/WI version of PSTATE.TCO. */ if (cpu_isar_feature(aa64_mte, cpu)) { + ARMCPRegInfo gmid_reginfo = { + .name = "GMID_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 1, .crn = 0, .crm = 0, .opc2 = 4, + .access = PL1_R, .accessfn = access_aa64_tid5, + .type = ARM_CP_CONST, .resetvalue = cpu->gm_blocksize, + }; + define_one_arm_cp_reg(cpu, &gmid_reginfo); define_arm_cp_regs(cpu, mte_reginfo); define_arm_cp_regs(cpu, mte_el0_cacheop_reginfo); } else if (cpu_isar_feature(aa64_mte_insn_reg, cpu)) { diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/cpu64.c +++ b/target/arm/tcg/cpu64.c @@ -XXX,XX +XXX,XX @@ void aarch64_max_tcg_initfn(Object *obj) cpu->ctr = 0x80038003; /* 32 byte I and D cacheline size, VIPT icache */ cpu->dcz_blocksize = 7; /* 512 bytes */ #endif + cpu->gm_blocksize = 6; /* 256 bytes */ cpu->sve_vq.supported = MAKE_64BIT_MASK(0, ARM_MAX_VQ); cpu->sme_vq.supported = SVE_VQ_POW2_MAP; diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/mte_helper.c +++ b/target/arm/tcg/mte_helper.c @@ -XXX,XX +XXX,XX @@ void HELPER(st2g_stub)(CPUARMState *env, uint64_t ptr) } } -#define LDGM_STGM_SIZE (4 << GMID_EL1_BS) - uint64_t HELPER(ldgm)(CPUARMState *env, uint64_t ptr) { int mmu_idx = cpu_mmu_index(env, false); uintptr_t ra = GETPC(); + int gm_bs = env_archcpu(env)->gm_blocksize; + int gm_bs_bytes = 4 << gm_bs; void *tag_mem; - ptr = QEMU_ALIGN_DOWN(ptr, LDGM_STGM_SIZE); + ptr = QEMU_ALIGN_DOWN(ptr, gm_bs_bytes); /* Trap if accessing an invalid page. */ tag_mem = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_LOAD, - LDGM_STGM_SIZE, MMU_DATA_LOAD, - LDGM_STGM_SIZE / (2 * TAG_GRANULE), ra); + gm_bs_bytes, MMU_DATA_LOAD, + gm_bs_bytes / (2 * TAG_GRANULE), ra); /* The tag is squashed to zero if the page does not support tags. */ if (!tag_mem) { return 0; } - QEMU_BUILD_BUG_ON(GMID_EL1_BS != 6); /* - * We are loading 64-bits worth of tags. The ordering of elements - * within the word corresponds to a 64-bit little-endian operation. + * The ordering of elements within the word corresponds to + * a little-endian operation. */ - return ldq_le_p(tag_mem); + switch (gm_bs) { + case 6: + /* 256 bytes -> 16 tags -> 64 result bits */ + return ldq_le_p(tag_mem); + default: + /* cpu configured with unsupported gm blocksize. */ + g_assert_not_reached(); + } } void HELPER(stgm)(CPUARMState *env, uint64_t ptr, uint64_t val) { int mmu_idx = cpu_mmu_index(env, false); uintptr_t ra = GETPC(); + int gm_bs = env_archcpu(env)->gm_blocksize; + int gm_bs_bytes = 4 << gm_bs; void *tag_mem; - ptr = QEMU_ALIGN_DOWN(ptr, LDGM_STGM_SIZE); + ptr = QEMU_ALIGN_DOWN(ptr, gm_bs_bytes); /* Trap if accessing an invalid page. */ tag_mem = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_STORE, - LDGM_STGM_SIZE, MMU_DATA_LOAD, - LDGM_STGM_SIZE / (2 * TAG_GRANULE), ra); + gm_bs_bytes, MMU_DATA_LOAD, + gm_bs_bytes / (2 * TAG_GRANULE), ra); /* * Tag store only happens if the page support tags, @@ -XXX,XX +XXX,XX @@ void HELPER(stgm)(CPUARMState *env, uint64_t ptr, uint64_t val) return; } - QEMU_BUILD_BUG_ON(GMID_EL1_BS != 6); /* - * We are storing 64-bits worth of tags. The ordering of elements - * within the word corresponds to a 64-bit little-endian operation. + * The ordering of elements within the word corresponds to + * a little-endian operation. */ - stq_le_p(tag_mem, val); + switch (gm_bs) { + case 6: + stq_le_p(tag_mem, val); + break; + default: + /* cpu configured with unsupported gm blocksize. */ + g_assert_not_reached(); + } } void HELPER(stzgm_tags)(CPUARMState *env, uint64_t ptr, uint64_t val) diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -XXX,XX +XXX,XX @@ static bool trans_STGM(DisasContext *s, arg_ldst_tag *a) gen_helper_stgm(cpu_env, addr, tcg_rt); } else { MMUAccessType acc = MMU_DATA_STORE; - int size = 4 << GMID_EL1_BS; + int size = 4 << s->gm_blocksize; clean_addr = clean_data_tbi(s, addr); tcg_gen_andi_i64(clean_addr, clean_addr, -size); @@ -XXX,XX +XXX,XX @@ static bool trans_LDGM(DisasContext *s, arg_ldst_tag *a) gen_helper_ldgm(tcg_rt, cpu_env, addr); } else { MMUAccessType acc = MMU_DATA_LOAD; - int size = 4 << GMID_EL1_BS; + int size = 4 << s->gm_blocksize; clean_addr = clean_data_tbi(s, addr); tcg_gen_andi_i64(clean_addr, clean_addr, -size); @@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase, dc->cp_regs = arm_cpu->cp_regs; dc->features = env->features; dc->dcz_blocksize = arm_cpu->dcz_blocksize; + dc->gm_blocksize = arm_cpu->gm_blocksize; #ifdef CONFIG_USER_ONLY /* In sve_probe_page, we assume TBI is enabled. */ -- 2.34.1 From: Richard Henderson <richard.henderson@linaro.org> Support all of the easy GM block sizes. Use direct memory operations, since the pointers are aligned. While BS=2 (16 bytes, 1 tag) is a legal setting, that requires an atomic store of one nibble. This is not difficult, but there is also no point in supporting it until required. Note that cortex-a710 sets GM blocksize to match its cacheline size of 64 bytes. I expect many implementations will also match the cacheline, which makes 16 bytes very unlikely. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230811214031.171020-4-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/cpu.c | 18 +++++++++--- target/arm/tcg/mte_helper.c | 56 +++++++++++++++++++++++++++++++------ 2 files changed, 62 insertions(+), 12 deletions(-) diff --git a/target/arm/cpu.c b/target/arm/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp) ID_PFR1, VIRTUALIZATION, 0); } + if (cpu_isar_feature(aa64_mte, cpu)) { + /* + * The architectural range of GM blocksize is 2-6, however qemu + * doesn't support blocksize of 2 (see HELPER(ldgm)). + */ + if (tcg_enabled()) { + assert(cpu->gm_blocksize >= 3 && cpu->gm_blocksize <= 6); + } + #ifndef CONFIG_USER_ONLY - if (cpu->tag_memory == NULL && cpu_isar_feature(aa64_mte, cpu)) { /* * Disable the MTE feature bits if we do not have tag-memory * provided by the machine. */ - cpu->isar.id_aa64pfr1 = - FIELD_DP64(cpu->isar.id_aa64pfr1, ID_AA64PFR1, MTE, 0); - } + if (cpu->tag_memory == NULL) { + cpu->isar.id_aa64pfr1 = + FIELD_DP64(cpu->isar.id_aa64pfr1, ID_AA64PFR1, MTE, 0); + } #endif + } if (tcg_enabled()) { /* diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/mte_helper.c +++ b/target/arm/tcg/mte_helper.c @@ -XXX,XX +XXX,XX @@ uint64_t HELPER(ldgm)(CPUARMState *env, uint64_t ptr) int gm_bs = env_archcpu(env)->gm_blocksize; int gm_bs_bytes = 4 << gm_bs; void *tag_mem; + uint64_t ret; + int shift; ptr = QEMU_ALIGN_DOWN(ptr, gm_bs_bytes); @@ -XXX,XX +XXX,XX @@ uint64_t HELPER(ldgm)(CPUARMState *env, uint64_t ptr) /* * The ordering of elements within the word corresponds to - * a little-endian operation. + * a little-endian operation. Computation of shift comes from + * + * index = address<LOG2_TAG_GRANULE+3:LOG2_TAG_GRANULE> + * data<index*4+3:index*4> = tag + * + * Because of the alignment of ptr above, BS=6 has shift=0. + * All memory operations are aligned. Defer support for BS=2, + * requiring insertion or extraction of a nibble, until we + * support a cpu that requires it. */ switch (gm_bs) { + case 3: + /* 32 bytes -> 2 tags -> 8 result bits */ + ret = *(uint8_t *)tag_mem; + break; + case 4: + /* 64 bytes -> 4 tags -> 16 result bits */ + ret = cpu_to_le16(*(uint16_t *)tag_mem); + break; + case 5: + /* 128 bytes -> 8 tags -> 32 result bits */ + ret = cpu_to_le32(*(uint32_t *)tag_mem); + break; case 6: /* 256 bytes -> 16 tags -> 64 result bits */ - return ldq_le_p(tag_mem); + return cpu_to_le64(*(uint64_t *)tag_mem); default: - /* cpu configured with unsupported gm blocksize. */ + /* + * CPU configured with unsupported/invalid gm blocksize. + * This is detected early in arm_cpu_realizefn. + */ g_assert_not_reached(); } + shift = extract64(ptr, LOG2_TAG_GRANULE, 4) * 4; + return ret << shift; } void HELPER(stgm)(CPUARMState *env, uint64_t ptr, uint64_t val) @@ -XXX,XX +XXX,XX @@ void HELPER(stgm)(CPUARMState *env, uint64_t ptr, uint64_t val) int gm_bs = env_archcpu(env)->gm_blocksize; int gm_bs_bytes = 4 << gm_bs; void *tag_mem; + int shift; ptr = QEMU_ALIGN_DOWN(ptr, gm_bs_bytes); @@ -XXX,XX +XXX,XX @@ void HELPER(stgm)(CPUARMState *env, uint64_t ptr, uint64_t val) return; } - /* - * The ordering of elements within the word corresponds to - * a little-endian operation. - */ + /* See LDGM for comments on BS and on shift. */ + shift = extract64(ptr, LOG2_TAG_GRANULE, 4) * 4; + val >>= shift; switch (gm_bs) { + case 3: + /* 32 bytes -> 2 tags -> 8 result bits */ + *(uint8_t *)tag_mem = val; + break; + case 4: + /* 64 bytes -> 4 tags -> 16 result bits */ + *(uint16_t *)tag_mem = cpu_to_le16(val); + break; + case 5: + /* 128 bytes -> 8 tags -> 32 result bits */ + *(uint32_t *)tag_mem = cpu_to_le32(val); + break; case 6: - stq_le_p(tag_mem, val); + /* 256 bytes -> 16 tags -> 64 result bits */ + *(uint64_t *)tag_mem = cpu_to_le64(val); break; default: /* cpu configured with unsupported gm blocksize. */ -- 2.34.1 From: Richard Henderson <richard.henderson@linaro.org> When the cpu support MTE, but the system does not, reduce cpu support to user instructions at EL0 instead of completely disabling MTE. If we encounter a cpu implementation which does something else, we can revisit this setting. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230811214031.171020-5-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/cpu.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/target/arm/cpu.c b/target/arm/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp) #ifndef CONFIG_USER_ONLY /* - * Disable the MTE feature bits if we do not have tag-memory - * provided by the machine. + * If we do not have tag-memory provided by the machine, + * reduce MTE support to instructions enabled at EL0. + * This matches Cortex-A710 BROADCASTMTE input being LOW. */ if (cpu->tag_memory == NULL) { cpu->isar.id_aa64pfr1 = - FIELD_DP64(cpu->isar.id_aa64pfr1, ID_AA64PFR1, MTE, 0); + FIELD_DP64(cpu->isar.id_aa64pfr1, ID_AA64PFR1, MTE, 1); } #endif } -- 2.34.1 From: Richard Henderson <richard.henderson@linaro.org> Do not hard-code the constants for Neoverse V1. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230811214031.171020-6-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/tcg/cpu64.c | 48 ++++++++++++++++++++++++++++-------------- 1 file changed, 32 insertions(+), 16 deletions(-) diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/cpu64.c +++ b/target/arm/tcg/cpu64.c @@ -XXX,XX +XXX,XX @@ #include "qemu/module.h" #include "qapi/visitor.h" #include "hw/qdev-properties.h" +#include "qemu/units.h" #include "internals.h" #include "cpregs.h" +static uint64_t make_ccsidr64(unsigned assoc, unsigned linesize, + unsigned cachesize) +{ + unsigned lg_linesize = ctz32(linesize); + unsigned sets; + + /* + * The 64-bit CCSIDR_EL1 format is: + * [55:32] number of sets - 1 + * [23:3] associativity - 1 + * [2:0] log2(linesize) - 4 + * so 0 == 16 bytes, 1 == 32 bytes, 2 == 64 bytes, etc + */ + assert(assoc != 0); + assert(is_power_of_2(linesize)); + assert(lg_linesize >= 4 && lg_linesize <= 7 + 4); + + /* sets * associativity * linesize == cachesize. */ + sets = cachesize / (assoc * linesize); + assert(cachesize % (assoc * linesize) == 0); + + return ((uint64_t)(sets - 1) << 32) + | ((assoc - 1) << 3) + | (lg_linesize - 4); +} + static void aarch64_a35_initfn(Object *obj) { ARMCPU *cpu = ARM_CPU(obj); @@ -XXX,XX +XXX,XX @@ static void aarch64_neoverse_v1_initfn(Object *obj) * The Neoverse-V1 r1p2 TRM lists 32-bit format CCSIDR_EL1 values, * but also says it implements CCIDX, which means they should be * 64-bit format. So we here use values which are based on the textual - * information in chapter 2 of the TRM (and on the fact that - * sets * associativity * linesize == cachesize). - * - * The 64-bit CCSIDR_EL1 format is: - * [55:32] number of sets - 1 - * [23:3] associativity - 1 - * [2:0] log2(linesize) - 4 - * so 0 == 16 bytes, 1 == 32 bytes, 2 == 64 bytes, etc - * - * L1: 4-way set associative 64-byte line size, total size 64K, - * so sets is 256. + * information in chapter 2 of the TRM: * + * L1: 4-way set associative 64-byte line size, total size 64K. * L2: 8-way set associative, 64 byte line size, either 512K or 1MB. - * We pick 1MB, so this has 2048 sets. - * * L3: No L3 (this matches the CLIDR_EL1 value). */ - cpu->ccsidr[0] = 0x000000ff0000001aull; /* 64KB L1 dcache */ - cpu->ccsidr[1] = 0x000000ff0000001aull; /* 64KB L1 icache */ - cpu->ccsidr[2] = 0x000007ff0000003aull; /* 1MB L2 cache */ + cpu->ccsidr[0] = make_ccsidr64(4, 64, 64 * KiB); /* L1 dcache */ + cpu->ccsidr[1] = cpu->ccsidr[0]; /* L1 icache */ + cpu->ccsidr[2] = make_ccsidr64(8, 64, 1 * MiB); /* L2 cache */ /* From 3.2.115 SCTLR_EL3 */ cpu->reset_sctlr = 0x30c50838; -- 2.34.1 From: Richard Henderson <richard.henderson@linaro.org> Access to many of the special registers is enabled or disabled by ACTLR_EL[23], which we implement as constant 0, which means that all writes outside EL3 should trap. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230811214031.171020-7-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/cpregs.h | 2 ++ target/arm/helper.c | 4 ++-- target/arm/tcg/cpu64.c | 46 +++++++++++++++++++++++++++++++++--------- 3 files changed, 41 insertions(+), 11 deletions(-) diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpregs.h +++ b/target/arm/cpregs.h @@ -XXX,XX +XXX,XX @@ static inline void define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu) { } void define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu); #endif +CPAccessResult access_tvm_trvm(CPUARMState *, const ARMCPRegInfo *, bool); + #endif /* TARGET_ARM_CPREGS_H */ diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static CPAccessResult access_tpm(CPUARMState *env, const ARMCPRegInfo *ri, } /* Check for traps from EL1 due to HCR_EL2.TVM and HCR_EL2.TRVM. */ -static CPAccessResult access_tvm_trvm(CPUARMState *env, const ARMCPRegInfo *ri, - bool isread) +CPAccessResult access_tvm_trvm(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) { if (arm_current_el(env) == 1) { uint64_t trap = isread ? HCR_TRVM : HCR_TVM; diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/cpu64.c +++ b/target/arm/tcg/cpu64.c @@ -XXX,XX +XXX,XX @@ static void aarch64_a64fx_initfn(Object *obj) /* TODO: Add A64FX specific HPC extension registers */ } +static CPAccessResult access_actlr_w(CPUARMState *env, const ARMCPRegInfo *r, + bool read) +{ + if (!read) { + int el = arm_current_el(env); + + /* Because ACTLR_EL2 is constant 0, writes below EL2 trap to EL2. */ + if (el < 2 && arm_is_el2_enabled(env)) { + return CP_ACCESS_TRAP_EL2; + } + /* Because ACTLR_EL3 is constant 0, writes below EL3 trap to EL3. */ + if (el < 3 && arm_feature(env, ARM_FEATURE_EL3)) { + return CP_ACCESS_TRAP_EL3; + } + } + return CP_ACCESS_OK; +} + static const ARMCPRegInfo neoverse_n1_cp_reginfo[] = { { .name = "ATCR_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 7, .opc2 = 0, - .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, + /* Traps and enables are the same as for TCR_EL1. */ + .accessfn = access_tvm_trvm, .fgt = FGT_TCR_EL1, }, { .name = "ATCR_EL2", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 7, .opc2 = 0, .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo neoverse_n1_cp_reginfo[] = { .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, { .name = "CPUACTLR_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 0, - .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, + .accessfn = access_actlr_w }, { .name = "CPUACTLR2_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 1, - .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, + .accessfn = access_actlr_w }, { .name = "CPUACTLR3_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 2, - .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, + .accessfn = access_actlr_w }, /* * Report CPUCFR_EL1.SCU as 1, as we do not implement the DSU * (and in particular its system registers). @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo neoverse_n1_cp_reginfo[] = { .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 4 }, { .name = "CPUECTLR_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 4, - .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0x961563010 }, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0x961563010, + .accessfn = access_actlr_w }, { .name = "CPUPCR_EL3", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 8, .opc2 = 1, .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo neoverse_n1_cp_reginfo[] = { .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, { .name = "CPUPWRCTLR_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 7, - .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, + .accessfn = access_actlr_w }, { .name = "ERXPFGCDN_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 2, - .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, + .accessfn = access_actlr_w }, { .name = "ERXPFGCTL_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 1, - .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, + .accessfn = access_actlr_w }, { .name = "ERXPFGF_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 0, - .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, + .accessfn = access_actlr_w }, }; static void define_neoverse_n1_cp_reginfo(ARMCPU *cpu) -- 2.34.1 From: Richard Henderson <richard.henderson@linaro.org> There is only one additional EL1 register modeled, which also needs to use access_actlr_w. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230811214031.171020-8-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/tcg/cpu64.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/cpu64.c +++ b/target/arm/tcg/cpu64.c @@ -XXX,XX +XXX,XX @@ static void define_neoverse_n1_cp_reginfo(ARMCPU *cpu) static const ARMCPRegInfo neoverse_v1_cp_reginfo[] = { { .name = "CPUECTLR2_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 5, - .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, + .accessfn = access_actlr_w }, { .name = "CPUPPMCR_EL3", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 2, .opc2 = 0, .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, -- 2.34.1 From: Richard Henderson <richard.henderson@linaro.org> Like FEAT_TRF (Self-hosted Trace Extension), suppress tracing external to the cpu, which is out of scope for QEMU. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230811214031.171020-10-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/cpu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/target/arm/cpu.c b/target/arm/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp) /* FEAT_SPE (Statistical Profiling Extension) */ cpu->isar.id_aa64dfr0 = FIELD_DP64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, PMSVER, 0); + /* FEAT_TRBE (Trace Buffer Extension) */ + cpu->isar.id_aa64dfr0 = + FIELD_DP64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, TRACEBUFFER, 0); /* FEAT_TRF (Self-hosted Trace Extension) */ cpu->isar.id_aa64dfr0 = FIELD_DP64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, TRACEFILT, 0); -- 2.34.1 From: Richard Henderson <richard.henderson@linaro.org> This feature allows the operating system to set TCR_ELx.HWU* to allow the implementation to use the PBHA bits from the block and page descriptors for for IMPLEMENTATION DEFINED purposes. Since QEMU has no need to use these bits, we may simply ignore them. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20230811214031.171020-11-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- docs/system/arm/emulation.rst | 1 + target/arm/tcg/cpu32.c | 2 +- target/arm/tcg/cpu64.c | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst index XXXXXXX..XXXXXXX 100644 --- a/docs/system/arm/emulation.rst +++ b/docs/system/arm/emulation.rst @@ -XXX,XX +XXX,XX @@ the following architecture extensions: - FEAT_HAFDBS (Hardware management of the access flag and dirty bit state) - FEAT_HCX (Support for the HCRX_EL2 register) - FEAT_HPDS (Hierarchical permission disables) +- FEAT_HPDS2 (Translation table page-based hardware attributes) - FEAT_I8MM (AArch64 Int8 matrix multiplication instructions) - FEAT_IDST (ID space trap handling) - FEAT_IESB (Implicit error synchronization event) diff --git a/target/arm/tcg/cpu32.c b/target/arm/tcg/cpu32.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/cpu32.c +++ b/target/arm/tcg/cpu32.c @@ -XXX,XX +XXX,XX @@ void aa32_max_features(ARMCPU *cpu) cpu->isar.id_mmfr3 = t; t = cpu->isar.id_mmfr4; - t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* FEAT_AA32HPD */ + t = FIELD_DP32(t, ID_MMFR4, HPDS, 2); /* FEAT_HPDS2 */ t = FIELD_DP32(t, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */ t = FIELD_DP32(t, ID_MMFR4, CNP, 1); /* FEAT_TTCNP */ t = FIELD_DP32(t, ID_MMFR4, XNX, 1); /* FEAT_XNX */ diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/cpu64.c +++ b/target/arm/tcg/cpu64.c @@ -XXX,XX +XXX,XX @@ void aarch64_max_tcg_initfn(Object *obj) t = FIELD_DP64(t, ID_AA64MMFR1, HAFDBS, 2); /* FEAT_HAFDBS */ t = FIELD_DP64(t, ID_AA64MMFR1, VMIDBITS, 2); /* FEAT_VMID16 */ t = FIELD_DP64(t, ID_AA64MMFR1, VH, 1); /* FEAT_VHE */ - t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1); /* FEAT_HPDS */ + t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 2); /* FEAT_HPDS2 */ t = FIELD_DP64(t, ID_AA64MMFR1, LO, 1); /* FEAT_LOR */ t = FIELD_DP64(t, ID_AA64MMFR1, PAN, 3); /* FEAT_PAN3 */ t = FIELD_DP64(t, ID_AA64MMFR1, XNX, 1); /* FEAT_XNX */ -- 2.34.1 From: Alex Bennée <alex.bennee@linaro.org> This is a mandatory feature for Armv8.1 architectures but we don't state the feature clearly in our emulation list. Also include FEAT_CRC32 comment in aarch64_max_tcg_initfn for ease of grepping. Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-id: 20230824075406.1515566-1-alex.bennee@linaro.org Cc: qemu-stable@nongnu.org Message-Id: <20230222110104.3996971-1-alex.bennee@linaro.org> [PMM: pluralize 'instructions' in docs] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- docs/system/arm/emulation.rst | 1 + target/arm/tcg/cpu64.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst index XXXXXXX..XXXXXXX 100644 --- a/docs/system/arm/emulation.rst +++ b/docs/system/arm/emulation.rst @@ -XXX,XX +XXX,XX @@ the following architecture extensions: - FEAT_BBM at level 2 (Translation table break-before-make levels) - FEAT_BF16 (AArch64 BFloat16 instructions) - FEAT_BTI (Branch Target Identification) +- FEAT_CRC32 (CRC32 instructions) - FEAT_CSV2 (Cache speculation variant 2) - FEAT_CSV2_1p1 (Cache speculation variant 2, version 1.1) - FEAT_CSV2_1p2 (Cache speculation variant 2, version 1.2) diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/cpu64.c +++ b/target/arm/tcg/cpu64.c @@ -XXX,XX +XXX,XX @@ void aarch64_max_tcg_initfn(Object *obj) t = FIELD_DP64(t, ID_AA64ISAR0, AES, 2); /* FEAT_PMULL */ t = FIELD_DP64(t, ID_AA64ISAR0, SHA1, 1); /* FEAT_SHA1 */ t = FIELD_DP64(t, ID_AA64ISAR0, SHA2, 2); /* FEAT_SHA512 */ - t = FIELD_DP64(t, ID_AA64ISAR0, CRC32, 1); + t = FIELD_DP64(t, ID_AA64ISAR0, CRC32, 1); /* FEAT_CRC32 */ t = FIELD_DP64(t, ID_AA64ISAR0, ATOMIC, 2); /* FEAT_LSE */ t = FIELD_DP64(t, ID_AA64ISAR0, RDM, 1); /* FEAT_RDM */ t = FIELD_DP64(t, ID_AA64ISAR0, SHA3, 1); /* FEAT_SHA3 */ -- 2.34.1 From: Jean-Christophe Dubois <jcd@tribudubois.net> i.MX7 IOMUX GPR device is not equivalent to i.MX6UL IOMUXC GPR device. In particular, register 22 is not present on i.MX6UL and this is actualy The only register that is really emulated in the i.MX7 IOMUX GPR device. Note: The i.MX6UL code is actually also implementing the IOMUX GPR device as an unimplemented device at the same bus adress and the 2 instantiations were actualy colliding. So we go back to the unimplemented device for now. Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net> Message-id: 48681bf51ee97646479bb261bee19abebbc8074e.1692964892.git.jcd@tribudubois.net Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/arm/fsl-imx6ul.h | 2 -- hw/arm/fsl-imx6ul.c | 11 ----------- 2 files changed, 13 deletions(-) diff --git a/include/hw/arm/fsl-imx6ul.h b/include/hw/arm/fsl-imx6ul.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/arm/fsl-imx6ul.h +++ b/include/hw/arm/fsl-imx6ul.h @@ -XXX,XX +XXX,XX @@ #include "hw/misc/imx6ul_ccm.h" #include "hw/misc/imx6_src.h" #include "hw/misc/imx7_snvs.h" -#include "hw/misc/imx7_gpr.h" #include "hw/intc/imx_gpcv2.h" #include "hw/watchdog/wdt_imx2.h" #include "hw/gpio/imx_gpio.h" @@ -XXX,XX +XXX,XX @@ struct FslIMX6ULState { IMX6SRCState src; IMX7SNVSState snvs; IMXGPCv2State gpcv2; - IMX7GPRState gpr; IMXSPIState spi[FSL_IMX6UL_NUM_ECSPIS]; IMXI2CState i2c[FSL_IMX6UL_NUM_I2CS]; IMXSerialState uart[FSL_IMX6UL_NUM_UARTS]; diff --git a/hw/arm/fsl-imx6ul.c b/hw/arm/fsl-imx6ul.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/fsl-imx6ul.c +++ b/hw/arm/fsl-imx6ul.c @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_init(Object *obj) */ object_initialize_child(obj, "snvs", &s->snvs, TYPE_IMX7_SNVS); - /* - * GPR - */ - object_initialize_child(obj, "gpr", &s->gpr, TYPE_IMX7_GPR); - /* * GPIOs 1 to 5 */ @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) FSL_IMX6UL_WDOGn_IRQ[i])); } - /* - * GPR - */ - sysbus_realize(SYS_BUS_DEVICE(&s->gpr), &error_abort); - sysbus_mmio_map(SYS_BUS_DEVICE(&s->gpr), 0, FSL_IMX6UL_IOMUXC_GPR_ADDR); - /* * SDMA */ -- 2.34.1 From: Jean-Christophe Dubois <jcd@tribudubois.net> * Add Addr and size definition for most i.MX6UL devices in i.MX6UL header file. * Use those newly defined named constants whenever possible. * Standardize the way we init a familly of unimplemented devices - SAI - PWM - CAN * Add/rework few comments Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net> Message-id: d579043fbd4e4b490370783fda43fc02c8e9be75.1692964892.git.jcd@tribudubois.net Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/arm/fsl-imx6ul.h | 156 +++++++++++++++++++++++++++++++----- hw/arm/fsl-imx6ul.c | 147 ++++++++++++++++++++++----------- 2 files changed, 232 insertions(+), 71 deletions(-) diff --git a/include/hw/arm/fsl-imx6ul.h b/include/hw/arm/fsl-imx6ul.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/arm/fsl-imx6ul.h +++ b/include/hw/arm/fsl-imx6ul.h @@ -XXX,XX +XXX,XX @@ #include "exec/memory.h" #include "cpu.h" #include "qom/object.h" +#include "qemu/units.h" #define TYPE_FSL_IMX6UL "fsl-imx6ul" OBJECT_DECLARE_SIMPLE_TYPE(FslIMX6ULState, FSL_IMX6UL) @@ -XXX,XX +XXX,XX @@ enum FslIMX6ULConfiguration { FSL_IMX6UL_NUM_ADCS = 2, FSL_IMX6UL_NUM_USB_PHYS = 2, FSL_IMX6UL_NUM_USBS = 2, + FSL_IMX6UL_NUM_SAIS = 3, + FSL_IMX6UL_NUM_CANS = 2, + FSL_IMX6UL_NUM_PWMS = 4, }; struct FslIMX6ULState { @@ -XXX,XX +XXX,XX @@ struct FslIMX6ULState { enum FslIMX6ULMemoryMap { FSL_IMX6UL_MMDC_ADDR = 0x80000000, - FSL_IMX6UL_MMDC_SIZE = 2 * 1024 * 1024 * 1024UL, + FSL_IMX6UL_MMDC_SIZE = (2 * GiB), FSL_IMX6UL_QSPI1_MEM_ADDR = 0x60000000, - FSL_IMX6UL_EIM_ALIAS_ADDR = 0x58000000, - FSL_IMX6UL_EIM_CS_ADDR = 0x50000000, - FSL_IMX6UL_AES_ENCRYPT_ADDR = 0x10000000, - FSL_IMX6UL_QSPI1_RX_ADDR = 0x0C000000, + FSL_IMX6UL_QSPI1_MEM_SIZE = (256 * MiB), - /* AIPS-2 */ + FSL_IMX6UL_EIM_ALIAS_ADDR = 0x58000000, + FSL_IMX6UL_EIM_ALIAS_SIZE = (128 * MiB), + + FSL_IMX6UL_EIM_CS_ADDR = 0x50000000, + FSL_IMX6UL_EIM_CS_SIZE = (128 * MiB), + + FSL_IMX6UL_AES_ENCRYPT_ADDR = 0x10000000, + FSL_IMX6UL_AES_ENCRYPT_SIZE = (1 * MiB), + + FSL_IMX6UL_QSPI1_RX_ADDR = 0x0C000000, + FSL_IMX6UL_QSPI1_RX_SIZE = (32 * MiB), + + /* AIPS-2 Begin */ FSL_IMX6UL_UART6_ADDR = 0x021FC000, + FSL_IMX6UL_I2C4_ADDR = 0x021F8000, + FSL_IMX6UL_UART5_ADDR = 0x021F4000, FSL_IMX6UL_UART4_ADDR = 0x021F0000, FSL_IMX6UL_UART3_ADDR = 0x021EC000, FSL_IMX6UL_UART2_ADDR = 0x021E8000, + FSL_IMX6UL_WDOG3_ADDR = 0x021E4000, + FSL_IMX6UL_QSPI_ADDR = 0x021E0000, + FSL_IMX6UL_QSPI_SIZE = 0x500, + FSL_IMX6UL_SYS_CNT_CTRL_ADDR = 0x021DC000, + FSL_IMX6UL_SYS_CNT_CTRL_SIZE = (16 * KiB), + FSL_IMX6UL_SYS_CNT_CMP_ADDR = 0x021D8000, + FSL_IMX6UL_SYS_CNT_CMP_SIZE = (16 * KiB), + FSL_IMX6UL_SYS_CNT_RD_ADDR = 0x021D4000, + FSL_IMX6UL_SYS_CNT_RD_SIZE = (16 * KiB), + FSL_IMX6UL_TZASC_ADDR = 0x021D0000, + FSL_IMX6UL_TZASC_SIZE = (16 * KiB), + FSL_IMX6UL_PXP_ADDR = 0x021CC000, + FSL_IMX6UL_PXP_SIZE = (16 * KiB), + FSL_IMX6UL_LCDIF_ADDR = 0x021C8000, + FSL_IMX6UL_LCDIF_SIZE = 0x100, + FSL_IMX6UL_CSI_ADDR = 0x021C4000, + FSL_IMX6UL_CSI_SIZE = 0x100, + FSL_IMX6UL_CSU_ADDR = 0x021C0000, + FSL_IMX6UL_CSU_SIZE = (16 * KiB), + FSL_IMX6UL_OCOTP_CTRL_ADDR = 0x021BC000, + FSL_IMX6UL_OCOTP_CTRL_SIZE = (4 * KiB), + FSL_IMX6UL_EIM_ADDR = 0x021B8000, + FSL_IMX6UL_EIM_SIZE = 0x100, + FSL_IMX6UL_SIM2_ADDR = 0x021B4000, + FSL_IMX6UL_MMDC_CFG_ADDR = 0x021B0000, + FSL_IMX6UL_MMDC_CFG_SIZE = (4 * KiB), + FSL_IMX6UL_ROMCP_ADDR = 0x021AC000, + FSL_IMX6UL_ROMCP_SIZE = 0x300, + FSL_IMX6UL_I2C3_ADDR = 0x021A8000, FSL_IMX6UL_I2C2_ADDR = 0x021A4000, FSL_IMX6UL_I2C1_ADDR = 0x021A0000, + FSL_IMX6UL_ADC2_ADDR = 0x0219C000, FSL_IMX6UL_ADC1_ADDR = 0x02198000, + FSL_IMX6UL_ADCn_SIZE = 0x100, + FSL_IMX6UL_USDHC2_ADDR = 0x02194000, FSL_IMX6UL_USDHC1_ADDR = 0x02190000, - FSL_IMX6UL_SIM1_ADDR = 0x0218C000, - FSL_IMX6UL_ENET1_ADDR = 0x02188000, - FSL_IMX6UL_USBO2_USBMISC_ADDR = 0x02184800, - FSL_IMX6UL_USBO2_USB_ADDR = 0x02184000, - FSL_IMX6UL_USBO2_PL301_ADDR = 0x02180000, - FSL_IMX6UL_AIPS2_CFG_ADDR = 0x0217C000, - FSL_IMX6UL_CAAM_ADDR = 0x02140000, - FSL_IMX6UL_A7MPCORE_DAP_ADDR = 0x02100000, - /* AIPS-1 */ + FSL_IMX6UL_SIM1_ADDR = 0x0218C000, + FSL_IMX6UL_SIMn_SIZE = (16 * KiB), + + FSL_IMX6UL_ENET1_ADDR = 0x02188000, + + FSL_IMX6UL_USBO2_USBMISC_ADDR = 0x02184800, + FSL_IMX6UL_USBO2_USB1_ADDR = 0x02184000, + FSL_IMX6UL_USBO2_USB2_ADDR = 0x02184200, + + FSL_IMX6UL_USBO2_PL301_ADDR = 0x02180000, + FSL_IMX6UL_USBO2_PL301_SIZE = (16 * KiB), + + FSL_IMX6UL_AIPS2_CFG_ADDR = 0x0217C000, + FSL_IMX6UL_AIPS2_CFG_SIZE = 0x100, + + FSL_IMX6UL_CAAM_ADDR = 0x02140000, + FSL_IMX6UL_CAAM_SIZE = (16 * KiB), + + FSL_IMX6UL_A7MPCORE_DAP_ADDR = 0x02100000, + FSL_IMX6UL_A7MPCORE_DAP_SIZE = (4 * KiB), + /* AIPS-2 End */ + + /* AIPS-1 Begin */ FSL_IMX6UL_PWM8_ADDR = 0x020FC000, FSL_IMX6UL_PWM7_ADDR = 0x020F8000, FSL_IMX6UL_PWM6_ADDR = 0x020F4000, FSL_IMX6UL_PWM5_ADDR = 0x020F0000, + FSL_IMX6UL_SDMA_ADDR = 0x020EC000, + FSL_IMX6UL_SDMA_SIZE = 0x300, + FSL_IMX6UL_GPT2_ADDR = 0x020E8000, + FSL_IMX6UL_IOMUXC_GPR_ADDR = 0x020E4000, + FSL_IMX6UL_IOMUXC_GPR_SIZE = 0x40, + FSL_IMX6UL_IOMUXC_ADDR = 0x020E0000, + FSL_IMX6UL_IOMUXC_SIZE = 0x700, + FSL_IMX6UL_GPC_ADDR = 0x020DC000, + FSL_IMX6UL_SRC_ADDR = 0x020D8000, + FSL_IMX6UL_EPIT2_ADDR = 0x020D4000, FSL_IMX6UL_EPIT1_ADDR = 0x020D0000, + FSL_IMX6UL_SNVS_HP_ADDR = 0x020CC000, + FSL_IMX6UL_USBPHY2_ADDR = 0x020CA000, - FSL_IMX6UL_USBPHY2_SIZE = (4 * 1024), FSL_IMX6UL_USBPHY1_ADDR = 0x020C9000, - FSL_IMX6UL_USBPHY1_SIZE = (4 * 1024), + FSL_IMX6UL_ANALOG_ADDR = 0x020C8000, + FSL_IMX6UL_ANALOG_SIZE = 0x300, + FSL_IMX6UL_CCM_ADDR = 0x020C4000, + FSL_IMX6UL_WDOG2_ADDR = 0x020C0000, FSL_IMX6UL_WDOG1_ADDR = 0x020BC000, + FSL_IMX6UL_KPP_ADDR = 0x020B8000, + FSL_IMX6UL_KPP_SIZE = 0x10, + FSL_IMX6UL_ENET2_ADDR = 0x020B4000, + FSL_IMX6UL_SNVS_LP_ADDR = 0x020B0000, + FSL_IMX6UL_SNVS_LP_SIZE = (16 * KiB), + FSL_IMX6UL_GPIO5_ADDR = 0x020AC000, FSL_IMX6UL_GPIO4_ADDR = 0x020A8000, FSL_IMX6UL_GPIO3_ADDR = 0x020A4000, FSL_IMX6UL_GPIO2_ADDR = 0x020A0000, FSL_IMX6UL_GPIO1_ADDR = 0x0209C000, + FSL_IMX6UL_GPT1_ADDR = 0x02098000, + FSL_IMX6UL_CAN2_ADDR = 0x02094000, FSL_IMX6UL_CAN1_ADDR = 0x02090000, + FSL_IMX6UL_CANn_SIZE = (4 * KiB), + FSL_IMX6UL_PWM4_ADDR = 0x0208C000, FSL_IMX6UL_PWM3_ADDR = 0x02088000, FSL_IMX6UL_PWM2_ADDR = 0x02084000, FSL_IMX6UL_PWM1_ADDR = 0x02080000, + FSL_IMX6UL_PWMn_SIZE = 0x20, + FSL_IMX6UL_AIPS1_CFG_ADDR = 0x0207C000, + FSL_IMX6UL_AIPS1_CFG_SIZE = (16 * KiB), + FSL_IMX6UL_BEE_ADDR = 0x02044000, + FSL_IMX6UL_BEE_SIZE = (16 * KiB), + FSL_IMX6UL_TOUCH_CTRL_ADDR = 0x02040000, + FSL_IMX6UL_TOUCH_CTRL_SIZE = 0x100, + FSL_IMX6UL_SPBA_ADDR = 0x0203C000, + FSL_IMX6UL_SPBA_SIZE = 0x100, + FSL_IMX6UL_ASRC_ADDR = 0x02034000, + FSL_IMX6UL_ASRC_SIZE = 0x100, + FSL_IMX6UL_SAI3_ADDR = 0x02030000, FSL_IMX6UL_SAI2_ADDR = 0x0202C000, FSL_IMX6UL_SAI1_ADDR = 0x02028000, + FSL_IMX6UL_SAIn_SIZE = 0x200, + FSL_IMX6UL_UART8_ADDR = 0x02024000, FSL_IMX6UL_UART1_ADDR = 0x02020000, FSL_IMX6UL_UART7_ADDR = 0x02018000, + FSL_IMX6UL_ECSPI4_ADDR = 0x02014000, FSL_IMX6UL_ECSPI3_ADDR = 0x02010000, FSL_IMX6UL_ECSPI2_ADDR = 0x0200C000, FSL_IMX6UL_ECSPI1_ADDR = 0x02008000, + FSL_IMX6UL_SPDIF_ADDR = 0x02004000, + FSL_IMX6UL_SPDIF_SIZE = 0x100, + /* AIPS-1 End */ + + FSL_IMX6UL_BCH_ADDR = 0x01808000, + FSL_IMX6UL_BCH_SIZE = 0x200, + + FSL_IMX6UL_GPMI_ADDR = 0x01806000, + FSL_IMX6UL_GPMI_SIZE = 0x200, FSL_IMX6UL_APBH_DMA_ADDR = 0x01804000, - FSL_IMX6UL_APBH_DMA_SIZE = (32 * 1024), + FSL_IMX6UL_APBH_DMA_SIZE = (4 * KiB), FSL_IMX6UL_A7MPCORE_ADDR = 0x00A00000, FSL_IMX6UL_OCRAM_ALIAS_ADDR = 0x00920000, - FSL_IMX6UL_OCRAM_ALIAS_SIZE = 0x00060000, + FSL_IMX6UL_OCRAM_ALIAS_SIZE = (384 * KiB), + FSL_IMX6UL_OCRAM_MEM_ADDR = 0x00900000, - FSL_IMX6UL_OCRAM_MEM_SIZE = 0x00020000, + FSL_IMX6UL_OCRAM_MEM_SIZE = (128 * KiB), + FSL_IMX6UL_CAAM_MEM_ADDR = 0x00100000, - FSL_IMX6UL_CAAM_MEM_SIZE = 0x00008000, + FSL_IMX6UL_CAAM_MEM_SIZE = (32 * KiB), + FSL_IMX6UL_ROM_ADDR = 0x00000000, - FSL_IMX6UL_ROM_SIZE = 0x00018000, + FSL_IMX6UL_ROM_SIZE = (96 * KiB), }; enum FslIMX6ULIRQs { diff --git a/hw/arm/fsl-imx6ul.c b/hw/arm/fsl-imx6ul.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/fsl-imx6ul.c +++ b/hw/arm/fsl-imx6ul.c @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_init(Object *obj) object_initialize_child(obj, "snvs", &s->snvs, TYPE_IMX7_SNVS); /* - * GPIOs 1 to 5 + * GPIOs */ for (i = 0; i < FSL_IMX6UL_NUM_GPIOS; i++) { snprintf(name, NAME_SIZE, "gpio%d", i); @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_init(Object *obj) } /* - * GPT 1, 2 + * GPTs */ for (i = 0; i < FSL_IMX6UL_NUM_GPTS; i++) { snprintf(name, NAME_SIZE, "gpt%d", i); @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_init(Object *obj) } /* - * EPIT 1, 2 + * EPITs */ for (i = 0; i < FSL_IMX6UL_NUM_EPITS; i++) { snprintf(name, NAME_SIZE, "epit%d", i + 1); @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_init(Object *obj) } /* - * eCSPI + * eCSPIs */ for (i = 0; i < FSL_IMX6UL_NUM_ECSPIS; i++) { snprintf(name, NAME_SIZE, "spi%d", i + 1); @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_init(Object *obj) } /* - * I2C + * I2Cs */ for (i = 0; i < FSL_IMX6UL_NUM_I2CS; i++) { snprintf(name, NAME_SIZE, "i2c%d", i + 1); @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_init(Object *obj) } /* - * UART + * UARTs */ for (i = 0; i < FSL_IMX6UL_NUM_UARTS; i++) { snprintf(name, NAME_SIZE, "uart%d", i); @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_init(Object *obj) } /* - * Ethernet + * Ethernets */ for (i = 0; i < FSL_IMX6UL_NUM_ETHS; i++) { snprintf(name, NAME_SIZE, "eth%d", i); object_initialize_child(obj, name, &s->eth[i], TYPE_IMX_ENET); } - /* USB */ + /* + * USB PHYs + */ for (i = 0; i < FSL_IMX6UL_NUM_USB_PHYS; i++) { snprintf(name, NAME_SIZE, "usbphy%d", i); object_initialize_child(obj, name, &s->usbphy[i], TYPE_IMX_USBPHY); } + + /* + * USBs + */ for (i = 0; i < FSL_IMX6UL_NUM_USBS; i++) { snprintf(name, NAME_SIZE, "usb%d", i); object_initialize_child(obj, name, &s->usb[i], TYPE_CHIPIDEA); } /* - * SDHCI + * SDHCIs */ for (i = 0; i < FSL_IMX6UL_NUM_USDHCS; i++) { snprintf(name, NAME_SIZE, "usdhc%d", i); @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_init(Object *obj) } /* - * Watchdog + * Watchdogs */ for (i = 0; i < FSL_IMX6UL_NUM_WDTS; i++) { snprintf(name, NAME_SIZE, "wdt%d", i); @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) * A7MPCORE DAP */ create_unimplemented_device("a7mpcore-dap", FSL_IMX6UL_A7MPCORE_DAP_ADDR, - 0x100000); + FSL_IMX6UL_A7MPCORE_DAP_SIZE); /* - * GPT 1, 2 + * GPTs */ for (i = 0; i < FSL_IMX6UL_NUM_GPTS; i++) { static const hwaddr FSL_IMX6UL_GPTn_ADDR[FSL_IMX6UL_NUM_GPTS] = { @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) } /* - * EPIT 1, 2 + * EPITs */ for (i = 0; i < FSL_IMX6UL_NUM_EPITS; i++) { static const hwaddr FSL_IMX6UL_EPITn_ADDR[FSL_IMX6UL_NUM_EPITS] = { @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) } /* - * GPIO + * GPIOs */ for (i = 0; i < FSL_IMX6UL_NUM_GPIOS; i++) { static const hwaddr FSL_IMX6UL_GPIOn_ADDR[FSL_IMX6UL_NUM_GPIOS] = { @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) } /* - * IOMUXC and IOMUXC_GPR + * IOMUXC */ - for (i = 0; i < 1; i++) { - static const hwaddr FSL_IMX6UL_IOMUXCn_ADDR[FSL_IMX6UL_NUM_IOMUXCS] = { - FSL_IMX6UL_IOMUXC_ADDR, - FSL_IMX6UL_IOMUXC_GPR_ADDR, - }; - - snprintf(name, NAME_SIZE, "iomuxc%d", i); - create_unimplemented_device(name, FSL_IMX6UL_IOMUXCn_ADDR[i], 0x4000); - } + create_unimplemented_device("iomuxc", FSL_IMX6UL_IOMUXC_ADDR, + FSL_IMX6UL_IOMUXC_SIZE); + create_unimplemented_device("iomuxc_gpr", FSL_IMX6UL_IOMUXC_GPR_ADDR, + FSL_IMX6UL_IOMUXC_GPR_SIZE); /* * CCM @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) sysbus_realize(SYS_BUS_DEVICE(&s->gpcv2), &error_abort); sysbus_mmio_map(SYS_BUS_DEVICE(&s->gpcv2), 0, FSL_IMX6UL_GPC_ADDR); - /* Initialize all ECSPI */ + /* + * ECSPIs + */ for (i = 0; i < FSL_IMX6UL_NUM_ECSPIS; i++) { static const hwaddr FSL_IMX6UL_SPIn_ADDR[FSL_IMX6UL_NUM_ECSPIS] = { FSL_IMX6UL_ECSPI1_ADDR, @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) } /* - * I2C + * I2Cs */ for (i = 0; i < FSL_IMX6UL_NUM_I2CS; i++) { static const hwaddr FSL_IMX6UL_I2Cn_ADDR[FSL_IMX6UL_NUM_I2CS] = { @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) } /* - * UART + * UARTs */ for (i = 0; i < FSL_IMX6UL_NUM_UARTS; i++) { static const hwaddr FSL_IMX6UL_UARTn_ADDR[FSL_IMX6UL_NUM_UARTS] = { @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) } /* - * Ethernet + * Ethernets * * We must use two loops since phy_connected affects the other interface * and we have to set all properties before calling sysbus_realize(). @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) FSL_IMX6UL_ENETn_TIMER_IRQ[i])); } - /* USB */ + /* + * USB PHYs + */ for (i = 0; i < FSL_IMX6UL_NUM_USB_PHYS; i++) { + static const hwaddr + FSL_IMX6UL_USB_PHYn_ADDR[FSL_IMX6UL_NUM_USB_PHYS] = { + FSL_IMX6UL_USBPHY1_ADDR, + FSL_IMX6UL_USBPHY2_ADDR, + }; + sysbus_realize(SYS_BUS_DEVICE(&s->usbphy[i]), &error_abort); sysbus_mmio_map(SYS_BUS_DEVICE(&s->usbphy[i]), 0, - FSL_IMX6UL_USBPHY1_ADDR + i * 0x1000); + FSL_IMX6UL_USB_PHYn_ADDR[i]); } + /* + * USBs + */ for (i = 0; i < FSL_IMX6UL_NUM_USBS; i++) { + static const hwaddr FSL_IMX6UL_USB02_USBn_ADDR[FSL_IMX6UL_NUM_USBS] = { + FSL_IMX6UL_USBO2_USB1_ADDR, + FSL_IMX6UL_USBO2_USB2_ADDR, + }; + static const int FSL_IMX6UL_USBn_IRQ[] = { FSL_IMX6UL_USB1_IRQ, FSL_IMX6UL_USB2_IRQ, }; + sysbus_realize(SYS_BUS_DEVICE(&s->usb[i]), &error_abort); sysbus_mmio_map(SYS_BUS_DEVICE(&s->usb[i]), 0, - FSL_IMX6UL_USBO2_USB_ADDR + i * 0x200); + FSL_IMX6UL_USB02_USBn_ADDR[i]); sysbus_connect_irq(SYS_BUS_DEVICE(&s->usb[i]), 0, qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX6UL_USBn_IRQ[i])); } /* - * USDHC + * USDHCs */ for (i = 0; i < FSL_IMX6UL_NUM_USDHCS; i++) { static const hwaddr FSL_IMX6UL_USDHCn_ADDR[FSL_IMX6UL_NUM_USDHCS] = { @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) sysbus_mmio_map(SYS_BUS_DEVICE(&s->snvs), 0, FSL_IMX6UL_SNVS_HP_ADDR); /* - * Watchdog + * Watchdogs */ for (i = 0; i < FSL_IMX6UL_NUM_WDTS; i++) { static const hwaddr FSL_IMX6UL_WDOGn_ADDR[FSL_IMX6UL_NUM_WDTS] = { @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) FSL_IMX6UL_WDOG2_ADDR, FSL_IMX6UL_WDOG3_ADDR, }; + static const int FSL_IMX6UL_WDOGn_IRQ[FSL_IMX6UL_NUM_WDTS] = { FSL_IMX6UL_WDOG1_IRQ, FSL_IMX6UL_WDOG2_IRQ, @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) /* * SDMA */ - create_unimplemented_device("sdma", FSL_IMX6UL_SDMA_ADDR, 0x4000); + create_unimplemented_device("sdma", FSL_IMX6UL_SDMA_ADDR, + FSL_IMX6UL_SDMA_SIZE); /* - * SAI (Audio SSI (Synchronous Serial Interface)) + * SAIs (Audio SSI (Synchronous Serial Interface)) */ - create_unimplemented_device("sai1", FSL_IMX6UL_SAI1_ADDR, 0x4000); - create_unimplemented_device("sai2", FSL_IMX6UL_SAI2_ADDR, 0x4000); - create_unimplemented_device("sai3", FSL_IMX6UL_SAI3_ADDR, 0x4000); + for (i = 0; i < FSL_IMX6UL_NUM_SAIS; i++) { + static const hwaddr FSL_IMX6UL_SAIn_ADDR[FSL_IMX6UL_NUM_SAIS] = { + FSL_IMX6UL_SAI1_ADDR, + FSL_IMX6UL_SAI2_ADDR, + FSL_IMX6UL_SAI3_ADDR, + }; + + snprintf(name, NAME_SIZE, "sai%d", i); + create_unimplemented_device(name, FSL_IMX6UL_SAIn_ADDR[i], + FSL_IMX6UL_SAIn_SIZE); + } /* - * PWM + * PWMs */ - create_unimplemented_device("pwm1", FSL_IMX6UL_PWM1_ADDR, 0x4000); - create_unimplemented_device("pwm2", FSL_IMX6UL_PWM2_ADDR, 0x4000); - create_unimplemented_device("pwm3", FSL_IMX6UL_PWM3_ADDR, 0x4000); - create_unimplemented_device("pwm4", FSL_IMX6UL_PWM4_ADDR, 0x4000); + for (i = 0; i < FSL_IMX6UL_NUM_PWMS; i++) { + static const hwaddr FSL_IMX6UL_PWMn_ADDR[FSL_IMX6UL_NUM_PWMS] = { + FSL_IMX6UL_PWM1_ADDR, + FSL_IMX6UL_PWM2_ADDR, + FSL_IMX6UL_PWM3_ADDR, + FSL_IMX6UL_PWM4_ADDR, + }; + + snprintf(name, NAME_SIZE, "pwm%d", i); + create_unimplemented_device(name, FSL_IMX6UL_PWMn_ADDR[i], + FSL_IMX6UL_PWMn_SIZE); + } /* * Audio ASRC (asynchronous sample rate converter) */ - create_unimplemented_device("asrc", FSL_IMX6UL_ASRC_ADDR, 0x4000); + create_unimplemented_device("asrc", FSL_IMX6UL_ASRC_ADDR, + FSL_IMX6UL_ASRC_SIZE); /* - * CAN + * CANs */ - create_unimplemented_device("can1", FSL_IMX6UL_CAN1_ADDR, 0x4000); - create_unimplemented_device("can2", FSL_IMX6UL_CAN2_ADDR, 0x4000); + for (i = 0; i < FSL_IMX6UL_NUM_CANS; i++) { + static const hwaddr FSL_IMX6UL_CANn_ADDR[FSL_IMX6UL_NUM_CANS] = { + FSL_IMX6UL_CAN1_ADDR, + FSL_IMX6UL_CAN2_ADDR, + }; + + snprintf(name, NAME_SIZE, "can%d", i); + create_unimplemented_device(name, FSL_IMX6UL_CANn_ADDR[i], + FSL_IMX6UL_CANn_SIZE); + } /* * APHB_DMA @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) }; snprintf(name, NAME_SIZE, "adc%d", i); - create_unimplemented_device(name, FSL_IMX6UL_ADCn_ADDR[i], 0x4000); + create_unimplemented_device(name, FSL_IMX6UL_ADCn_ADDR[i], + FSL_IMX6UL_ADCn_SIZE); } /* * LCD */ - create_unimplemented_device("lcdif", FSL_IMX6UL_LCDIF_ADDR, 0x4000); + create_unimplemented_device("lcdif", FSL_IMX6UL_LCDIF_ADDR, + FSL_IMX6UL_LCDIF_SIZE); /* * ROM memory -- 2.34.1 From: Jean-Christophe Dubois <jcd@tribudubois.net> * Add TZASC as unimplemented device. - Allow bare metal application to access this (unimplemented) device * Add CSU as unimplemented device. - Allow bare metal application to access this (unimplemented) device * Add 4 missing PWM devices Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 59e4dc56e14eccfefd379275ec19048dff9c10b3.1692964892.git.jcd@tribudubois.net Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/arm/fsl-imx6ul.h | 2 +- hw/arm/fsl-imx6ul.c | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/include/hw/arm/fsl-imx6ul.h b/include/hw/arm/fsl-imx6ul.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/arm/fsl-imx6ul.h +++ b/include/hw/arm/fsl-imx6ul.h @@ -XXX,XX +XXX,XX @@ enum FslIMX6ULConfiguration { FSL_IMX6UL_NUM_USBS = 2, FSL_IMX6UL_NUM_SAIS = 3, FSL_IMX6UL_NUM_CANS = 2, - FSL_IMX6UL_NUM_PWMS = 4, + FSL_IMX6UL_NUM_PWMS = 8, }; struct FslIMX6ULState { diff --git a/hw/arm/fsl-imx6ul.c b/hw/arm/fsl-imx6ul.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/fsl-imx6ul.c +++ b/hw/arm/fsl-imx6ul.c @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) FSL_IMX6UL_PWM2_ADDR, FSL_IMX6UL_PWM3_ADDR, FSL_IMX6UL_PWM4_ADDR, + FSL_IMX6UL_PWM5_ADDR, + FSL_IMX6UL_PWM6_ADDR, + FSL_IMX6UL_PWM7_ADDR, + FSL_IMX6UL_PWM8_ADDR, }; snprintf(name, NAME_SIZE, "pwm%d", i); @@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp) create_unimplemented_device("lcdif", FSL_IMX6UL_LCDIF_ADDR, FSL_IMX6UL_LCDIF_SIZE); + /* + * CSU + */ + create_unimplemented_device("csu", FSL_IMX6UL_CSU_ADDR, + FSL_IMX6UL_CSU_SIZE); + + /* + * TZASC + */ + create_unimplemented_device("tzasc", FSL_IMX6UL_TZASC_ADDR, + FSL_IMX6UL_TZASC_SIZE); + /* * ROM memory */ -- 2.34.1 From: Jean-Christophe Dubois <jcd@tribudubois.net> * Add Addr and size definition for all i.MX7 devices in i.MX7 header file. * Use those newly defined named constants whenever possible. * Standardize the way we init a familly of unimplemented devices - SAI - PWM - CAN * Add/rework few comments Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net> Message-id: 59e195d33e4d486a8d131392acd46633c8c10ed7.1692964892.git.jcd@tribudubois.net Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/arm/fsl-imx7.h | 330 ++++++++++++++++++++++++++++---------- hw/arm/fsl-imx7.c | 130 ++++++++++----- 2 files changed, 335 insertions(+), 125 deletions(-) diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/arm/fsl-imx7.h +++ b/include/hw/arm/fsl-imx7.h @@ -XXX,XX +XXX,XX @@ #include "hw/misc/imx7_ccm.h" #include "hw/misc/imx7_snvs.h" #include "hw/misc/imx7_gpr.h" -#include "hw/misc/imx6_src.h" #include "hw/watchdog/wdt_imx2.h" #include "hw/gpio/imx_gpio.h" #include "hw/char/imx_serial.h" @@ -XXX,XX +XXX,XX @@ #include "hw/usb/chipidea.h" #include "cpu.h" #include "qom/object.h" +#include "qemu/units.h" #define TYPE_FSL_IMX7 "fsl-imx7" OBJECT_DECLARE_SIMPLE_TYPE(FslIMX7State, FSL_IMX7) @@ -XXX,XX +XXX,XX @@ enum FslIMX7Configuration { FSL_IMX7_NUM_ECSPIS = 4, FSL_IMX7_NUM_USBS = 3, FSL_IMX7_NUM_ADCS = 2, + FSL_IMX7_NUM_SAIS = 3, + FSL_IMX7_NUM_CANS = 2, + FSL_IMX7_NUM_PWMS = 4, }; struct FslIMX7State { @@ -XXX,XX +XXX,XX @@ struct FslIMX7State { enum FslIMX7MemoryMap { FSL_IMX7_MMDC_ADDR = 0x80000000, - FSL_IMX7_MMDC_SIZE = 2 * 1024 * 1024 * 1024UL, + FSL_IMX7_MMDC_SIZE = (2 * GiB), - FSL_IMX7_GPIO1_ADDR = 0x30200000, - FSL_IMX7_GPIO2_ADDR = 0x30210000, - FSL_IMX7_GPIO3_ADDR = 0x30220000, - FSL_IMX7_GPIO4_ADDR = 0x30230000, - FSL_IMX7_GPIO5_ADDR = 0x30240000, - FSL_IMX7_GPIO6_ADDR = 0x30250000, - FSL_IMX7_GPIO7_ADDR = 0x30260000, + FSL_IMX7_QSPI1_MEM_ADDR = 0x60000000, + FSL_IMX7_QSPI1_MEM_SIZE = (256 * MiB), - FSL_IMX7_IOMUXC_LPSR_GPR_ADDR = 0x30270000, + FSL_IMX7_PCIE1_MEM_ADDR = 0x40000000, + FSL_IMX7_PCIE1_MEM_SIZE = (256 * MiB), - FSL_IMX7_WDOG1_ADDR = 0x30280000, - FSL_IMX7_WDOG2_ADDR = 0x30290000, - FSL_IMX7_WDOG3_ADDR = 0x302A0000, - FSL_IMX7_WDOG4_ADDR = 0x302B0000, + FSL_IMX7_QSPI1_RX_BUF_ADDR = 0x34000000, + FSL_IMX7_QSPI1_RX_BUF_SIZE = (32 * MiB), - FSL_IMX7_IOMUXC_LPSR_ADDR = 0x302C0000, + /* PCIe Peripherals */ + FSL_IMX7_PCIE_REG_ADDR = 0x33800000, - FSL_IMX7_GPT1_ADDR = 0x302D0000, - FSL_IMX7_GPT2_ADDR = 0x302E0000, - FSL_IMX7_GPT3_ADDR = 0x302F0000, - FSL_IMX7_GPT4_ADDR = 0x30300000, + /* MMAP Peripherals */ + FSL_IMX7_DMA_APBH_ADDR = 0x33000000, + FSL_IMX7_DMA_APBH_SIZE = 0x8000, - FSL_IMX7_IOMUXC_ADDR = 0x30330000, - FSL_IMX7_IOMUXC_GPR_ADDR = 0x30340000, - FSL_IMX7_IOMUXCn_SIZE = 0x1000, + /* GPV configuration */ + FSL_IMX7_GPV6_ADDR = 0x32600000, + FSL_IMX7_GPV5_ADDR = 0x32500000, + FSL_IMX7_GPV4_ADDR = 0x32400000, + FSL_IMX7_GPV3_ADDR = 0x32300000, + FSL_IMX7_GPV2_ADDR = 0x32200000, + FSL_IMX7_GPV1_ADDR = 0x32100000, + FSL_IMX7_GPV0_ADDR = 0x32000000, + FSL_IMX7_GPVn_SIZE = (1 * MiB), - FSL_IMX7_OCOTP_ADDR = 0x30350000, - FSL_IMX7_OCOTP_SIZE = 0x10000, + /* Arm Peripherals */ + FSL_IMX7_A7MPCORE_ADDR = 0x31000000, - FSL_IMX7_ANALOG_ADDR = 0x30360000, - FSL_IMX7_SNVS_ADDR = 0x30370000, - FSL_IMX7_CCM_ADDR = 0x30380000, + /* AIPS-3 Begin */ - FSL_IMX7_SRC_ADDR = 0x30390000, - FSL_IMX7_SRC_SIZE = 0x1000, + FSL_IMX7_ENET2_ADDR = 0x30BF0000, + FSL_IMX7_ENET1_ADDR = 0x30BE0000, - FSL_IMX7_ADC1_ADDR = 0x30610000, - FSL_IMX7_ADC2_ADDR = 0x30620000, - FSL_IMX7_ADCn_SIZE = 0x1000, + FSL_IMX7_SDMA_ADDR = 0x30BD0000, + FSL_IMX7_SDMA_SIZE = (4 * KiB), - FSL_IMX7_PWM1_ADDR = 0x30660000, - FSL_IMX7_PWM2_ADDR = 0x30670000, - FSL_IMX7_PWM3_ADDR = 0x30680000, - FSL_IMX7_PWM4_ADDR = 0x30690000, - FSL_IMX7_PWMn_SIZE = 0x10000, + FSL_IMX7_EIM_ADDR = 0x30BC0000, + FSL_IMX7_EIM_SIZE = (4 * KiB), - FSL_IMX7_PCIE_PHY_ADDR = 0x306D0000, - FSL_IMX7_PCIE_PHY_SIZE = 0x10000, + FSL_IMX7_QSPI_ADDR = 0x30BB0000, + FSL_IMX7_QSPI_SIZE = 0x8000, - FSL_IMX7_GPC_ADDR = 0x303A0000, + FSL_IMX7_SIM2_ADDR = 0x30BA0000, + FSL_IMX7_SIM1_ADDR = 0x30B90000, + FSL_IMX7_SIMn_SIZE = (4 * KiB), + + FSL_IMX7_USDHC3_ADDR = 0x30B60000, + FSL_IMX7_USDHC2_ADDR = 0x30B50000, + FSL_IMX7_USDHC1_ADDR = 0x30B40000, + + FSL_IMX7_USB3_ADDR = 0x30B30000, + FSL_IMX7_USBMISC3_ADDR = 0x30B30200, + FSL_IMX7_USB2_ADDR = 0x30B20000, + FSL_IMX7_USBMISC2_ADDR = 0x30B20200, + FSL_IMX7_USB1_ADDR = 0x30B10000, + FSL_IMX7_USBMISC1_ADDR = 0x30B10200, + FSL_IMX7_USBMISCn_SIZE = 0x200, + + FSL_IMX7_USB_PL301_ADDR = 0x30AD0000, + FSL_IMX7_USB_PL301_SIZE = (64 * KiB), + + FSL_IMX7_SEMAPHORE_HS_ADDR = 0x30AC0000, + FSL_IMX7_SEMAPHORE_HS_SIZE = (64 * KiB), + + FSL_IMX7_MUB_ADDR = 0x30AB0000, + FSL_IMX7_MUA_ADDR = 0x30AA0000, + FSL_IMX7_MUn_SIZE = (KiB), + + FSL_IMX7_UART7_ADDR = 0x30A90000, + FSL_IMX7_UART6_ADDR = 0x30A80000, + FSL_IMX7_UART5_ADDR = 0x30A70000, + FSL_IMX7_UART4_ADDR = 0x30A60000, + + FSL_IMX7_I2C4_ADDR = 0x30A50000, + FSL_IMX7_I2C3_ADDR = 0x30A40000, + FSL_IMX7_I2C2_ADDR = 0x30A30000, + FSL_IMX7_I2C1_ADDR = 0x30A20000, + + FSL_IMX7_CAN2_ADDR = 0x30A10000, + FSL_IMX7_CAN1_ADDR = 0x30A00000, + FSL_IMX7_CANn_SIZE = (4 * KiB), + + FSL_IMX7_AIPS3_CONF_ADDR = 0x309F0000, + FSL_IMX7_AIPS3_CONF_SIZE = (64 * KiB), FSL_IMX7_CAAM_ADDR = 0x30900000, - FSL_IMX7_CAAM_SIZE = 0x40000, + FSL_IMX7_CAAM_SIZE = (256 * KiB), - FSL_IMX7_CAN1_ADDR = 0x30A00000, - FSL_IMX7_CAN2_ADDR = 0x30A10000, - FSL_IMX7_CANn_SIZE = 0x10000, + FSL_IMX7_SPBA_ADDR = 0x308F0000, + FSL_IMX7_SPBA_SIZE = (4 * KiB), - FSL_IMX7_I2C1_ADDR = 0x30A20000, - FSL_IMX7_I2C2_ADDR = 0x30A30000, - FSL_IMX7_I2C3_ADDR = 0x30A40000, - FSL_IMX7_I2C4_ADDR = 0x30A50000, + FSL_IMX7_SAI3_ADDR = 0x308C0000, + FSL_IMX7_SAI2_ADDR = 0x308B0000, + FSL_IMX7_SAI1_ADDR = 0x308A0000, + FSL_IMX7_SAIn_SIZE = (4 * KiB), - FSL_IMX7_ECSPI1_ADDR = 0x30820000, - FSL_IMX7_ECSPI2_ADDR = 0x30830000, - FSL_IMX7_ECSPI3_ADDR = 0x30840000, - FSL_IMX7_ECSPI4_ADDR = 0x30630000, - - FSL_IMX7_LCDIF_ADDR = 0x30730000, - FSL_IMX7_LCDIF_SIZE = 0x1000, - - FSL_IMX7_UART1_ADDR = 0x30860000, + FSL_IMX7_UART3_ADDR = 0x30880000, /* * Some versions of the reference manual claim that UART2 is @ * 0x30870000, but experiments with HW + DT files in upstream @@ -XXX,XX +XXX,XX @@ enum FslIMX7MemoryMap { * actually located @ 0x30890000 */ FSL_IMX7_UART2_ADDR = 0x30890000, - FSL_IMX7_UART3_ADDR = 0x30880000, - FSL_IMX7_UART4_ADDR = 0x30A60000, - FSL_IMX7_UART5_ADDR = 0x30A70000, - FSL_IMX7_UART6_ADDR = 0x30A80000, - FSL_IMX7_UART7_ADDR = 0x30A90000, + FSL_IMX7_UART1_ADDR = 0x30860000, - FSL_IMX7_SAI1_ADDR = 0x308A0000, - FSL_IMX7_SAI2_ADDR = 0x308B0000, - FSL_IMX7_SAI3_ADDR = 0x308C0000, - FSL_IMX7_SAIn_SIZE = 0x10000, + FSL_IMX7_ECSPI3_ADDR = 0x30840000, + FSL_IMX7_ECSPI2_ADDR = 0x30830000, + FSL_IMX7_ECSPI1_ADDR = 0x30820000, + FSL_IMX7_ECSPIn_SIZE = (4 * KiB), - FSL_IMX7_ENET1_ADDR = 0x30BE0000, - FSL_IMX7_ENET2_ADDR = 0x30BF0000, + /* AIPS-3 End */ - FSL_IMX7_USB1_ADDR = 0x30B10000, - FSL_IMX7_USBMISC1_ADDR = 0x30B10200, - FSL_IMX7_USB2_ADDR = 0x30B20000, - FSL_IMX7_USBMISC2_ADDR = 0x30B20200, - FSL_IMX7_USB3_ADDR = 0x30B30000, - FSL_IMX7_USBMISC3_ADDR = 0x30B30200, - FSL_IMX7_USBMISCn_SIZE = 0x200, + /* AIPS-2 Begin */ - FSL_IMX7_USDHC1_ADDR = 0x30B40000, - FSL_IMX7_USDHC2_ADDR = 0x30B50000, - FSL_IMX7_USDHC3_ADDR = 0x30B60000, + FSL_IMX7_AXI_DEBUG_MON_ADDR = 0x307E0000, + FSL_IMX7_AXI_DEBUG_MON_SIZE = (64 * KiB), - FSL_IMX7_SDMA_ADDR = 0x30BD0000, - FSL_IMX7_SDMA_SIZE = 0x1000, + FSL_IMX7_PERFMON2_ADDR = 0x307D0000, + FSL_IMX7_PERFMON1_ADDR = 0x307C0000, + FSL_IMX7_PERFMONn_SIZE = (64 * KiB), + + FSL_IMX7_DDRC_ADDR = 0x307A0000, + FSL_IMX7_DDRC_SIZE = (4 * KiB), + + FSL_IMX7_DDRC_PHY_ADDR = 0x30790000, + FSL_IMX7_DDRC_PHY_SIZE = (4 * KiB), + + FSL_IMX7_TZASC_ADDR = 0x30780000, + FSL_IMX7_TZASC_SIZE = (64 * KiB), + + FSL_IMX7_MIPI_DSI_ADDR = 0x30760000, + FSL_IMX7_MIPI_DSI_SIZE = (4 * KiB), + + FSL_IMX7_MIPI_CSI_ADDR = 0x30750000, + FSL_IMX7_MIPI_CSI_SIZE = 0x4000, + + FSL_IMX7_LCDIF_ADDR = 0x30730000, + FSL_IMX7_LCDIF_SIZE = 0x8000, + + FSL_IMX7_CSI_ADDR = 0x30710000, + FSL_IMX7_CSI_SIZE = (4 * KiB), + + FSL_IMX7_PXP_ADDR = 0x30700000, + FSL_IMX7_PXP_SIZE = 0x4000, + + FSL_IMX7_EPDC_ADDR = 0x306F0000, + FSL_IMX7_EPDC_SIZE = (4 * KiB), + + FSL_IMX7_PCIE_PHY_ADDR = 0x306D0000, + FSL_IMX7_PCIE_PHY_SIZE = (4 * KiB), + + FSL_IMX7_SYSCNT_CTRL_ADDR = 0x306C0000, + FSL_IMX7_SYSCNT_CMP_ADDR = 0x306B0000, + FSL_IMX7_SYSCNT_RD_ADDR = 0x306A0000, + + FSL_IMX7_PWM4_ADDR = 0x30690000, + FSL_IMX7_PWM3_ADDR = 0x30680000, + FSL_IMX7_PWM2_ADDR = 0x30670000, + FSL_IMX7_PWM1_ADDR = 0x30660000, + FSL_IMX7_PWMn_SIZE = (4 * KiB), + + FSL_IMX7_FlEXTIMER2_ADDR = 0x30650000, + FSL_IMX7_FlEXTIMER1_ADDR = 0x30640000, + FSL_IMX7_FLEXTIMERn_SIZE = (4 * KiB), + + FSL_IMX7_ECSPI4_ADDR = 0x30630000, + + FSL_IMX7_ADC2_ADDR = 0x30620000, + FSL_IMX7_ADC1_ADDR = 0x30610000, + FSL_IMX7_ADCn_SIZE = (4 * KiB), + + FSL_IMX7_AIPS2_CONF_ADDR = 0x305F0000, + FSL_IMX7_AIPS2_CONF_SIZE = (64 * KiB), + + /* AIPS-2 End */ + + /* AIPS-1 Begin */ + + FSL_IMX7_CSU_ADDR = 0x303E0000, + FSL_IMX7_CSU_SIZE = (64 * KiB), + + FSL_IMX7_RDC_ADDR = 0x303D0000, + FSL_IMX7_RDC_SIZE = (4 * KiB), + + FSL_IMX7_SEMAPHORE2_ADDR = 0x303C0000, + FSL_IMX7_SEMAPHORE1_ADDR = 0x303B0000, + FSL_IMX7_SEMAPHOREn_SIZE = (4 * KiB), + + FSL_IMX7_GPC_ADDR = 0x303A0000, + + FSL_IMX7_SRC_ADDR = 0x30390000, + FSL_IMX7_SRC_SIZE = (4 * KiB), + + FSL_IMX7_CCM_ADDR = 0x30380000, + + FSL_IMX7_SNVS_HP_ADDR = 0x30370000, + + FSL_IMX7_ANALOG_ADDR = 0x30360000, + + FSL_IMX7_OCOTP_ADDR = 0x30350000, + FSL_IMX7_OCOTP_SIZE = 0x10000, + + FSL_IMX7_IOMUXC_GPR_ADDR = 0x30340000, + FSL_IMX7_IOMUXC_GPR_SIZE = (4 * KiB), + + FSL_IMX7_IOMUXC_ADDR = 0x30330000, + FSL_IMX7_IOMUXC_SIZE = (4 * KiB), + + FSL_IMX7_KPP_ADDR = 0x30320000, + FSL_IMX7_KPP_SIZE = (4 * KiB), + + FSL_IMX7_ROMCP_ADDR = 0x30310000, + FSL_IMX7_ROMCP_SIZE = (4 * KiB), + + FSL_IMX7_GPT4_ADDR = 0x30300000, + FSL_IMX7_GPT3_ADDR = 0x302F0000, + FSL_IMX7_GPT2_ADDR = 0x302E0000, + FSL_IMX7_GPT1_ADDR = 0x302D0000, + + FSL_IMX7_IOMUXC_LPSR_ADDR = 0x302C0000, + FSL_IMX7_IOMUXC_LPSR_SIZE = (4 * KiB), + + FSL_IMX7_WDOG4_ADDR = 0x302B0000, + FSL_IMX7_WDOG3_ADDR = 0x302A0000, + FSL_IMX7_WDOG2_ADDR = 0x30290000, + FSL_IMX7_WDOG1_ADDR = 0x30280000, + + FSL_IMX7_IOMUXC_LPSR_GPR_ADDR = 0x30270000, + + FSL_IMX7_GPIO7_ADDR = 0x30260000, + FSL_IMX7_GPIO6_ADDR = 0x30250000, + FSL_IMX7_GPIO5_ADDR = 0x30240000, + FSL_IMX7_GPIO4_ADDR = 0x30230000, + FSL_IMX7_GPIO3_ADDR = 0x30220000, + FSL_IMX7_GPIO2_ADDR = 0x30210000, + FSL_IMX7_GPIO1_ADDR = 0x30200000, + + FSL_IMX7_AIPS1_CONF_ADDR = 0x301F0000, + FSL_IMX7_AIPS1_CONF_SIZE = (64 * KiB), - FSL_IMX7_A7MPCORE_ADDR = 0x31000000, FSL_IMX7_A7MPCORE_DAP_ADDR = 0x30000000, + FSL_IMX7_A7MPCORE_DAP_SIZE = (1 * MiB), - FSL_IMX7_PCIE_REG_ADDR = 0x33800000, - FSL_IMX7_PCIE_REG_SIZE = 16 * 1024, + /* AIPS-1 End */ - FSL_IMX7_GPR_ADDR = 0x30340000, + FSL_IMX7_EIM_CS0_ADDR = 0x28000000, + FSL_IMX7_EIM_CS0_SIZE = (128 * MiB), - FSL_IMX7_DMA_APBH_ADDR = 0x33000000, - FSL_IMX7_DMA_APBH_SIZE = 0x2000, + FSL_IMX7_OCRAM_PXP_ADDR = 0x00940000, + FSL_IMX7_OCRAM_PXP_SIZE = (32 * KiB), + + FSL_IMX7_OCRAM_EPDC_ADDR = 0x00920000, + FSL_IMX7_OCRAM_EPDC_SIZE = (128 * KiB), + + FSL_IMX7_OCRAM_MEM_ADDR = 0x00900000, + FSL_IMX7_OCRAM_MEM_SIZE = (128 * KiB), + + FSL_IMX7_TCMU_ADDR = 0x00800000, + FSL_IMX7_TCMU_SIZE = (32 * KiB), + + FSL_IMX7_TCML_ADDR = 0x007F8000, + FSL_IMX7_TCML_SIZE = (32 * KiB), + + FSL_IMX7_OCRAM_S_ADDR = 0x00180000, + FSL_IMX7_OCRAM_S_SIZE = (32 * KiB), + + FSL_IMX7_CAAM_MEM_ADDR = 0x00100000, + FSL_IMX7_CAAM_MEM_SIZE = (32 * KiB), + + FSL_IMX7_ROM_ADDR = 0x00000000, + FSL_IMX7_ROM_SIZE = (96 * KiB), }; enum FslIMX7IRQs { diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/fsl-imx7.c +++ b/hw/arm/fsl-imx7.c @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_init(Object *obj) char name[NAME_SIZE]; int i; + /* + * CPUs + */ for (i = 0; i < MIN(ms->smp.cpus, FSL_IMX7_NUM_CPUS); i++) { snprintf(name, NAME_SIZE, "cpu%d", i); object_initialize_child(obj, name, &s->cpu[i], @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_init(Object *obj) TYPE_A15MPCORE_PRIV); /* - * GPIOs 1 to 7 + * GPIOs */ for (i = 0; i < FSL_IMX7_NUM_GPIOS; i++) { snprintf(name, NAME_SIZE, "gpio%d", i); @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_init(Object *obj) } /* - * GPT1, 2, 3, 4 + * GPTs */ for (i = 0; i < FSL_IMX7_NUM_GPTS; i++) { snprintf(name, NAME_SIZE, "gpt%d", i); @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_init(Object *obj) */ object_initialize_child(obj, "gpcv2", &s->gpcv2, TYPE_IMX_GPCV2); + /* + * ECSPIs + */ for (i = 0; i < FSL_IMX7_NUM_ECSPIS; i++) { snprintf(name, NAME_SIZE, "spi%d", i + 1); object_initialize_child(obj, name, &s->spi[i], TYPE_IMX_SPI); } - + /* + * I2Cs + */ for (i = 0; i < FSL_IMX7_NUM_I2CS; i++) { snprintf(name, NAME_SIZE, "i2c%d", i + 1); object_initialize_child(obj, name, &s->i2c[i], TYPE_IMX_I2C); } /* - * UART + * UARTs */ for (i = 0; i < FSL_IMX7_NUM_UARTS; i++) { snprintf(name, NAME_SIZE, "uart%d", i); @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_init(Object *obj) } /* - * Ethernet + * Ethernets */ for (i = 0; i < FSL_IMX7_NUM_ETHS; i++) { snprintf(name, NAME_SIZE, "eth%d", i); @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_init(Object *obj) } /* - * SDHCI + * SDHCIs */ for (i = 0; i < FSL_IMX7_NUM_USDHCS; i++) { snprintf(name, NAME_SIZE, "usdhc%d", i); @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_init(Object *obj) object_initialize_child(obj, "snvs", &s->snvs, TYPE_IMX7_SNVS); /* - * Watchdog + * Watchdogs */ for (i = 0; i < FSL_IMX7_NUM_WDTS; i++) { snprintf(name, NAME_SIZE, "wdt%d", i); @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_init(Object *obj) */ object_initialize_child(obj, "gpr", &s->gpr, TYPE_IMX7_GPR); + /* + * PCIE + */ object_initialize_child(obj, "pcie", &s->pcie, TYPE_DESIGNWARE_PCIE_HOST); + /* + * USBs + */ for (i = 0; i < FSL_IMX7_NUM_USBS; i++) { snprintf(name, NAME_SIZE, "usb%d", i); object_initialize_child(obj, name, &s->usb[i], TYPE_CHIPIDEA); @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) return; } + /* + * CPUs + */ for (i = 0; i < smp_cpus; i++) { o = OBJECT(&s->cpu[i]); @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) * A7MPCORE DAP */ create_unimplemented_device("a7mpcore-dap", FSL_IMX7_A7MPCORE_DAP_ADDR, - 0x100000); + FSL_IMX7_A7MPCORE_DAP_SIZE); /* - * GPT1, 2, 3, 4 + * GPTs */ for (i = 0; i < FSL_IMX7_NUM_GPTS; i++) { static const hwaddr FSL_IMX7_GPTn_ADDR[FSL_IMX7_NUM_GPTS] = { @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) FSL_IMX7_GPTn_IRQ[i])); } + /* + * GPIOs + */ for (i = 0; i < FSL_IMX7_NUM_GPIOS; i++) { static const hwaddr FSL_IMX7_GPIOn_ADDR[FSL_IMX7_NUM_GPIOS] = { FSL_IMX7_GPIO1_ADDR, @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) /* * IOMUXC and IOMUXC_LPSR */ - for (i = 0; i < FSL_IMX7_NUM_IOMUXCS; i++) { - static const hwaddr FSL_IMX7_IOMUXCn_ADDR[FSL_IMX7_NUM_IOMUXCS] = { - FSL_IMX7_IOMUXC_ADDR, - FSL_IMX7_IOMUXC_LPSR_ADDR, - }; - - snprintf(name, NAME_SIZE, "iomuxc%d", i); - create_unimplemented_device(name, FSL_IMX7_IOMUXCn_ADDR[i], - FSL_IMX7_IOMUXCn_SIZE); - } + create_unimplemented_device("iomuxc", FSL_IMX7_IOMUXC_ADDR, + FSL_IMX7_IOMUXC_SIZE); + create_unimplemented_device("iomuxc_lspr", FSL_IMX7_IOMUXC_LPSR_ADDR, + FSL_IMX7_IOMUXC_LPSR_SIZE); /* * CCM @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) sysbus_realize(SYS_BUS_DEVICE(&s->gpcv2), &error_abort); sysbus_mmio_map(SYS_BUS_DEVICE(&s->gpcv2), 0, FSL_IMX7_GPC_ADDR); - /* Initialize all ECSPI */ + /* + * ECSPIs + */ for (i = 0; i < FSL_IMX7_NUM_ECSPIS; i++) { static const hwaddr FSL_IMX7_SPIn_ADDR[FSL_IMX7_NUM_ECSPIS] = { FSL_IMX7_ECSPI1_ADDR, @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) FSL_IMX7_SPIn_IRQ[i])); } + /* + * I2Cs + */ for (i = 0; i < FSL_IMX7_NUM_I2CS; i++) { static const hwaddr FSL_IMX7_I2Cn_ADDR[FSL_IMX7_NUM_I2CS] = { FSL_IMX7_I2C1_ADDR, @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) } /* - * UART + * UARTs */ for (i = 0; i < FSL_IMX7_NUM_UARTS; i++) { static const hwaddr FSL_IMX7_UARTn_ADDR[FSL_IMX7_NUM_UARTS] = { @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) } /* - * Ethernet + * Ethernets * * We must use two loops since phy_connected affects the other interface * and we have to set all properties before calling sysbus_realize(). @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) } /* - * USDHC + * USDHCs */ for (i = 0; i < FSL_IMX7_NUM_USDHCS; i++) { static const hwaddr FSL_IMX7_USDHCn_ADDR[FSL_IMX7_NUM_USDHCS] = { @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) * SNVS */ sysbus_realize(SYS_BUS_DEVICE(&s->snvs), &error_abort); - sysbus_mmio_map(SYS_BUS_DEVICE(&s->snvs), 0, FSL_IMX7_SNVS_ADDR); + sysbus_mmio_map(SYS_BUS_DEVICE(&s->snvs), 0, FSL_IMX7_SNVS_HP_ADDR); /* * SRC @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) create_unimplemented_device("src", FSL_IMX7_SRC_ADDR, FSL_IMX7_SRC_SIZE); /* - * Watchdog + * Watchdogs */ for (i = 0; i < FSL_IMX7_NUM_WDTS; i++) { static const hwaddr FSL_IMX7_WDOGn_ADDR[FSL_IMX7_NUM_WDTS] = { @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) create_unimplemented_device("caam", FSL_IMX7_CAAM_ADDR, FSL_IMX7_CAAM_SIZE); /* - * PWM + * PWMs */ - create_unimplemented_device("pwm1", FSL_IMX7_PWM1_ADDR, FSL_IMX7_PWMn_SIZE); - create_unimplemented_device("pwm2", FSL_IMX7_PWM2_ADDR, FSL_IMX7_PWMn_SIZE); - create_unimplemented_device("pwm3", FSL_IMX7_PWM3_ADDR, FSL_IMX7_PWMn_SIZE); - create_unimplemented_device("pwm4", FSL_IMX7_PWM4_ADDR, FSL_IMX7_PWMn_SIZE); + for (i = 0; i < FSL_IMX7_NUM_PWMS; i++) { + static const hwaddr FSL_IMX7_PWMn_ADDR[FSL_IMX7_NUM_PWMS] = { + FSL_IMX7_PWM1_ADDR, + FSL_IMX7_PWM2_ADDR, + FSL_IMX7_PWM3_ADDR, + FSL_IMX7_PWM4_ADDR, + }; + + snprintf(name, NAME_SIZE, "pwm%d", i); + create_unimplemented_device(name, FSL_IMX7_PWMn_ADDR[i], + FSL_IMX7_PWMn_SIZE); + } /* - * CAN + * CANs */ - create_unimplemented_device("can1", FSL_IMX7_CAN1_ADDR, FSL_IMX7_CANn_SIZE); - create_unimplemented_device("can2", FSL_IMX7_CAN2_ADDR, FSL_IMX7_CANn_SIZE); + for (i = 0; i < FSL_IMX7_NUM_CANS; i++) { + static const hwaddr FSL_IMX7_CANn_ADDR[FSL_IMX7_NUM_CANS] = { + FSL_IMX7_CAN1_ADDR, + FSL_IMX7_CAN2_ADDR, + }; + + snprintf(name, NAME_SIZE, "can%d", i); + create_unimplemented_device(name, FSL_IMX7_CANn_ADDR[i], + FSL_IMX7_CANn_SIZE); + } /* - * SAI (Audio SSI (Synchronous Serial Interface)) + * SAIs (Audio SSI (Synchronous Serial Interface)) */ - create_unimplemented_device("sai1", FSL_IMX7_SAI1_ADDR, FSL_IMX7_SAIn_SIZE); - create_unimplemented_device("sai2", FSL_IMX7_SAI2_ADDR, FSL_IMX7_SAIn_SIZE); - create_unimplemented_device("sai2", FSL_IMX7_SAI3_ADDR, FSL_IMX7_SAIn_SIZE); + for (i = 0; i < FSL_IMX7_NUM_SAIS; i++) { + static const hwaddr FSL_IMX7_SAIn_ADDR[FSL_IMX7_NUM_SAIS] = { + FSL_IMX7_SAI1_ADDR, + FSL_IMX7_SAI2_ADDR, + FSL_IMX7_SAI3_ADDR, + }; + + snprintf(name, NAME_SIZE, "sai%d", i); + create_unimplemented_device(name, FSL_IMX7_SAIn_ADDR[i], + FSL_IMX7_SAIn_SIZE); + } /* * OCOTP @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) create_unimplemented_device("ocotp", FSL_IMX7_OCOTP_ADDR, FSL_IMX7_OCOTP_SIZE); + /* + * GPR + */ sysbus_realize(SYS_BUS_DEVICE(&s->gpr), &error_abort); - sysbus_mmio_map(SYS_BUS_DEVICE(&s->gpr), 0, FSL_IMX7_GPR_ADDR); + sysbus_mmio_map(SYS_BUS_DEVICE(&s->gpr), 0, FSL_IMX7_IOMUXC_GPR_ADDR); + /* + * PCIE + */ sysbus_realize(SYS_BUS_DEVICE(&s->pcie), &error_abort); sysbus_mmio_map(SYS_BUS_DEVICE(&s->pcie), 0, FSL_IMX7_PCIE_REG_ADDR); @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_PCI_INTD_IRQ); sysbus_connect_irq(SYS_BUS_DEVICE(&s->pcie), 3, irq); - + /* + * USBs + */ for (i = 0; i < FSL_IMX7_NUM_USBS; i++) { static const hwaddr FSL_IMX7_USBMISCn_ADDR[FSL_IMX7_NUM_USBS] = { FSL_IMX7_USBMISC1_ADDR, @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) */ create_unimplemented_device("pcie-phy", FSL_IMX7_PCIE_PHY_ADDR, FSL_IMX7_PCIE_PHY_SIZE); + } static Property fsl_imx7_properties[] = { -- 2.34.1 From: Jean-Christophe Dubois <jcd@tribudubois.net> * Add TZASC as unimplemented device. - Allow bare metal application to access this (unimplemented) device * Add CSU as unimplemented device. - Allow bare metal application to access this (unimplemented) device * Add various memory segments - OCRAM - OCRAM EPDC - OCRAM PXP - OCRAM S - ROM - CAAM Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: f887a3483996ba06d40bd62ffdfb0ecf68621987.1692964892.git.jcd@tribudubois.net Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/arm/fsl-imx7.h | 7 +++++ hw/arm/fsl-imx7.c | 63 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+) diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/arm/fsl-imx7.h +++ b/include/hw/arm/fsl-imx7.h @@ -XXX,XX +XXX,XX @@ struct FslIMX7State { IMX7GPRState gpr; ChipideaState usb[FSL_IMX7_NUM_USBS]; DesignwarePCIEHost pcie; + MemoryRegion rom; + MemoryRegion caam; + MemoryRegion ocram; + MemoryRegion ocram_epdc; + MemoryRegion ocram_pxp; + MemoryRegion ocram_s; + uint32_t phy_num[FSL_IMX7_NUM_ETHS]; bool phy_connected[FSL_IMX7_NUM_ETHS]; }; diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/fsl-imx7.c +++ b/hw/arm/fsl-imx7.c @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) create_unimplemented_device("pcie-phy", FSL_IMX7_PCIE_PHY_ADDR, FSL_IMX7_PCIE_PHY_SIZE); + /* + * CSU + */ + create_unimplemented_device("csu", FSL_IMX7_CSU_ADDR, + FSL_IMX7_CSU_SIZE); + + /* + * TZASC + */ + create_unimplemented_device("tzasc", FSL_IMX7_TZASC_ADDR, + FSL_IMX7_TZASC_SIZE); + + /* + * OCRAM memory + */ + memory_region_init_ram(&s->ocram, NULL, "imx7.ocram", + FSL_IMX7_OCRAM_MEM_SIZE, + &error_abort); + memory_region_add_subregion(get_system_memory(), FSL_IMX7_OCRAM_MEM_ADDR, + &s->ocram); + + /* + * OCRAM EPDC memory + */ + memory_region_init_ram(&s->ocram_epdc, NULL, "imx7.ocram_epdc", + FSL_IMX7_OCRAM_EPDC_SIZE, + &error_abort); + memory_region_add_subregion(get_system_memory(), FSL_IMX7_OCRAM_EPDC_ADDR, + &s->ocram_epdc); + + /* + * OCRAM PXP memory + */ + memory_region_init_ram(&s->ocram_pxp, NULL, "imx7.ocram_pxp", + FSL_IMX7_OCRAM_PXP_SIZE, + &error_abort); + memory_region_add_subregion(get_system_memory(), FSL_IMX7_OCRAM_PXP_ADDR, + &s->ocram_pxp); + + /* + * OCRAM_S memory + */ + memory_region_init_ram(&s->ocram_s, NULL, "imx7.ocram_s", + FSL_IMX7_OCRAM_S_SIZE, + &error_abort); + memory_region_add_subregion(get_system_memory(), FSL_IMX7_OCRAM_S_ADDR, + &s->ocram_s); + + /* + * ROM memory + */ + memory_region_init_rom(&s->rom, OBJECT(dev), "imx7.rom", + FSL_IMX7_ROM_SIZE, &error_abort); + memory_region_add_subregion(get_system_memory(), FSL_IMX7_ROM_ADDR, + &s->rom); + + /* + * CAAM memory + */ + memory_region_init_rom(&s->caam, OBJECT(dev), "imx7.caam", + FSL_IMX7_CAAM_MEM_SIZE, &error_abort); + memory_region_add_subregion(get_system_memory(), FSL_IMX7_CAAM_MEM_ADDR, + &s->caam); } static Property fsl_imx7_properties[] = { -- 2.34.1 From: Jean-Christophe Dubois <jcd@tribudubois.net> The SRC device is normally used to start the secondary CPU. When running Linux directly, QEMU is emulating a PSCI interface that UBOOT is installing at boot time and therefore the fact that the SRC device is unimplemented is hidden as Qemu respond directly to PSCI requets without using the SRC device. But if you try to run a more bare metal application (maybe uboot itself), then it is not possible to start the secondary CPU as the SRC is an unimplemented device. This patch adds the ability to start the secondary CPU through the SRC device so that you can use this feature in bare metal applications. Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: ce9a0162defd2acee5dc7f8a674743de0cded569.1692964892.git.jcd@tribudubois.net Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/arm/fsl-imx7.h | 3 +- include/hw/misc/imx7_src.h | 66 +++++++++ hw/arm/fsl-imx7.c | 8 +- hw/misc/imx7_src.c | 276 +++++++++++++++++++++++++++++++++++++ hw/misc/meson.build | 1 + hw/misc/trace-events | 4 + 6 files changed, 356 insertions(+), 2 deletions(-) create mode 100644 include/hw/misc/imx7_src.h create mode 100644 hw/misc/imx7_src.c diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/arm/fsl-imx7.h +++ b/include/hw/arm/fsl-imx7.h @@ -XXX,XX +XXX,XX @@ #include "hw/misc/imx7_ccm.h" #include "hw/misc/imx7_snvs.h" #include "hw/misc/imx7_gpr.h" +#include "hw/misc/imx7_src.h" #include "hw/watchdog/wdt_imx2.h" #include "hw/gpio/imx_gpio.h" #include "hw/char/imx_serial.h" @@ -XXX,XX +XXX,XX @@ struct FslIMX7State { IMX7CCMState ccm; IMX7AnalogState analog; IMX7SNVSState snvs; + IMX7SRCState src; IMXGPCv2State gpcv2; IMXSPIState spi[FSL_IMX7_NUM_ECSPIS]; IMXI2CState i2c[FSL_IMX7_NUM_I2CS]; @@ -XXX,XX +XXX,XX @@ enum FslIMX7MemoryMap { FSL_IMX7_GPC_ADDR = 0x303A0000, FSL_IMX7_SRC_ADDR = 0x30390000, - FSL_IMX7_SRC_SIZE = (4 * KiB), FSL_IMX7_CCM_ADDR = 0x30380000, diff --git a/include/hw/misc/imx7_src.h b/include/hw/misc/imx7_src.h new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/include/hw/misc/imx7_src.h @@ -XXX,XX +XXX,XX @@ +/* + * IMX7 System Reset Controller + * + * Copyright (C) 2023 Jean-Christophe Dubois <jcd@tribudubois.net> + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ + +#ifndef IMX7_SRC_H +#define IMX7_SRC_H + +#include "hw/sysbus.h" +#include "qemu/bitops.h" +#include "qom/object.h" + +#define SRC_SCR 0 +#define SRC_A7RCR0 1 +#define SRC_A7RCR1 2 +#define SRC_M4RCR 3 +#define SRC_ERCR 5 +#define SRC_HSICPHY_RCR 7 +#define SRC_USBOPHY1_RCR 8 +#define SRC_USBOPHY2_RCR 9 +#define SRC_MPIPHY_RCR 10 +#define SRC_PCIEPHY_RCR 11 +#define SRC_SBMR1 22 +#define SRC_SRSR 23 +#define SRC_SISR 26 +#define SRC_SIMR 27 +#define SRC_SBMR2 28 +#define SRC_GPR1 29 +#define SRC_GPR2 30 +#define SRC_GPR3 31 +#define SRC_GPR4 32 +#define SRC_GPR5 33 +#define SRC_GPR6 34 +#define SRC_GPR7 35 +#define SRC_GPR8 36 +#define SRC_GPR9 37 +#define SRC_GPR10 38 +#define SRC_MAX 39 + +/* SRC_A7SCR1 */ +#define R_CORE1_ENABLE_SHIFT 1 +#define R_CORE1_ENABLE_LENGTH 1 +/* SRC_A7SCR0 */ +#define R_CORE1_RST_SHIFT 5 +#define R_CORE1_RST_LENGTH 1 +#define R_CORE0_RST_SHIFT 4 +#define R_CORE0_RST_LENGTH 1 + +#define TYPE_IMX7_SRC "imx7.src" +OBJECT_DECLARE_SIMPLE_TYPE(IMX7SRCState, IMX7_SRC) + +struct IMX7SRCState { + /* <private> */ + SysBusDevice parent_obj; + + /* <public> */ + MemoryRegion iomem; + + uint32_t regs[SRC_MAX]; +}; + +#endif /* IMX7_SRC_H */ diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/fsl-imx7.c +++ b/hw/arm/fsl-imx7.c @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_init(Object *obj) */ object_initialize_child(obj, "gpcv2", &s->gpcv2, TYPE_IMX_GPCV2); + /* + * SRC + */ + object_initialize_child(obj, "src", &s->src, TYPE_IMX7_SRC); + /* * ECSPIs */ @@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp) /* * SRC */ - create_unimplemented_device("src", FSL_IMX7_SRC_ADDR, FSL_IMX7_SRC_SIZE); + sysbus_realize(SYS_BUS_DEVICE(&s->src), &error_abort); + sysbus_mmio_map(SYS_BUS_DEVICE(&s->src), 0, FSL_IMX7_SRC_ADDR); /* * Watchdogs diff --git a/hw/misc/imx7_src.c b/hw/misc/imx7_src.c new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/hw/misc/imx7_src.c @@ -XXX,XX +XXX,XX @@ +/* + * IMX7 System Reset Controller + * + * Copyright (c) 2023 Jean-Christophe Dubois <jcd@tribudubois.net> + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + * + */ + +#include "qemu/osdep.h" +#include "hw/misc/imx7_src.h" +#include "migration/vmstate.h" +#include "qemu/bitops.h" +#include "qemu/log.h" +#include "qemu/main-loop.h" +#include "qemu/module.h" +#include "target/arm/arm-powerctl.h" +#include "hw/core/cpu.h" +#include "hw/registerfields.h" + +#include "trace.h" + +static const char *imx7_src_reg_name(uint32_t reg) +{ + static char unknown[20]; + + switch (reg) { + case SRC_SCR: + return "SRC_SCR"; + case SRC_A7RCR0: + return "SRC_A7RCR0"; + case SRC_A7RCR1: + return "SRC_A7RCR1"; + case SRC_M4RCR: + return "SRC_M4RCR"; + case SRC_ERCR: + return "SRC_ERCR"; + case SRC_HSICPHY_RCR: + return "SRC_HSICPHY_RCR"; + case SRC_USBOPHY1_RCR: + return "SRC_USBOPHY1_RCR"; + case SRC_USBOPHY2_RCR: + return "SRC_USBOPHY2_RCR"; + case SRC_PCIEPHY_RCR: + return "SRC_PCIEPHY_RCR"; + case SRC_SBMR1: + return "SRC_SBMR1"; + case SRC_SRSR: + return "SRC_SRSR"; + case SRC_SISR: + return "SRC_SISR"; + case SRC_SIMR: + return "SRC_SIMR"; + case SRC_SBMR2: + return "SRC_SBMR2"; + case SRC_GPR1: + return "SRC_GPR1"; + case SRC_GPR2: + return "SRC_GPR2"; + case SRC_GPR3: + return "SRC_GPR3"; + case SRC_GPR4: + return "SRC_GPR4"; + case SRC_GPR5: + return "SRC_GPR5"; + case SRC_GPR6: + return "SRC_GPR6"; + case SRC_GPR7: + return "SRC_GPR7"; + case SRC_GPR8: + return "SRC_GPR8"; + case SRC_GPR9: + return "SRC_GPR9"; + case SRC_GPR10: + return "SRC_GPR10"; + default: + sprintf(unknown, "%u ?", reg); + return unknown; + } +} + +static const VMStateDescription vmstate_imx7_src = { + .name = TYPE_IMX7_SRC, + .version_id = 1, + .minimum_version_id = 1, + .fields = (VMStateField[]) { + VMSTATE_UINT32_ARRAY(regs, IMX7SRCState, SRC_MAX), + VMSTATE_END_OF_LIST() + }, +}; + +static void imx7_src_reset(DeviceState *dev) +{ + IMX7SRCState *s = IMX7_SRC(dev); + + memset(s->regs, 0, sizeof(s->regs)); + + /* Set reset values */ + s->regs[SRC_SCR] = 0xA0; + s->regs[SRC_SRSR] = 0x1; + s->regs[SRC_SIMR] = 0x1F; +} + +static uint64_t imx7_src_read(void *opaque, hwaddr offset, unsigned size) +{ + uint32_t value = 0; + IMX7SRCState *s = (IMX7SRCState *)opaque; + uint32_t index = offset >> 2; + + if (index < SRC_MAX) { + value = s->regs[index]; + } else { + qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Bad register at offset 0x%" + HWADDR_PRIx "\n", TYPE_IMX7_SRC, __func__, offset); + } + + trace_imx7_src_read(imx7_src_reg_name(index), value); + + return value; +} + + +/* + * The reset is asynchronous so we need to defer clearing the reset + * bit until the work is completed. + */ + +struct SRCSCRResetInfo { + IMX7SRCState *s; + uint32_t reset_bit; +}; + +static void imx7_clear_reset_bit(CPUState *cpu, run_on_cpu_data data) +{ + struct SRCSCRResetInfo *ri = data.host_ptr; + IMX7SRCState *s = ri->s; + + assert(qemu_mutex_iothread_locked()); + + s->regs[SRC_A7RCR0] = deposit32(s->regs[SRC_A7RCR0], ri->reset_bit, 1, 0); + + trace_imx7_src_write(imx7_src_reg_name(SRC_A7RCR0), s->regs[SRC_A7RCR0]); + + g_free(ri); +} + +static void imx7_defer_clear_reset_bit(uint32_t cpuid, + IMX7SRCState *s, + uint32_t reset_shift) +{ + struct SRCSCRResetInfo *ri; + CPUState *cpu = arm_get_cpu_by_id(cpuid); + + if (!cpu) { + return; + } + + ri = g_new(struct SRCSCRResetInfo, 1); + ri->s = s; + ri->reset_bit = reset_shift; + + async_run_on_cpu(cpu, imx7_clear_reset_bit, RUN_ON_CPU_HOST_PTR(ri)); +} + + +static void imx7_src_write(void *opaque, hwaddr offset, uint64_t value, + unsigned size) +{ + IMX7SRCState *s = (IMX7SRCState *)opaque; + uint32_t index = offset >> 2; + long unsigned int change_mask; + uint32_t current_value = value; + + if (index >= SRC_MAX) { + qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Bad register at offset 0x%" + HWADDR_PRIx "\n", TYPE_IMX7_SRC, __func__, offset); + return; + } + + trace_imx7_src_write(imx7_src_reg_name(SRC_A7RCR0), s->regs[SRC_A7RCR0]); + + change_mask = s->regs[index] ^ (uint32_t)current_value; + + switch (index) { + case SRC_A7RCR0: + if (FIELD_EX32(change_mask, CORE0, RST)) { + arm_reset_cpu(0); + imx7_defer_clear_reset_bit(0, s, R_CORE0_RST_SHIFT); + } + if (FIELD_EX32(change_mask, CORE1, RST)) { + arm_reset_cpu(1); + imx7_defer_clear_reset_bit(1, s, R_CORE1_RST_SHIFT); + } + s->regs[index] = current_value; + break; + case SRC_A7RCR1: + /* + * On real hardware when the system reset controller starts a + * secondary CPU it runs through some boot ROM code which reads + * the SRC_GPRX registers controlling the start address and branches + * to it. + * Here we are taking a short cut and branching directly to the + * requested address (we don't want to run the boot ROM code inside + * QEMU) + */ + if (FIELD_EX32(change_mask, CORE1, ENABLE)) { + if (FIELD_EX32(current_value, CORE1, ENABLE)) { + /* CORE 1 is brought up */ + arm_set_cpu_on(1, s->regs[SRC_GPR3], s->regs[SRC_GPR4], + 3, false); + } else { + /* CORE 1 is shut down */ + arm_set_cpu_off(1); + } + /* We clear the reset bits as the processor changed state */ + imx7_defer_clear_reset_bit(1, s, R_CORE1_RST_SHIFT); + clear_bit(R_CORE1_RST_SHIFT, &change_mask); + } + s->regs[index] = current_value; + break; + default: + s->regs[index] = current_value; + break; + } +} + +static const struct MemoryRegionOps imx7_src_ops = { + .read = imx7_src_read, + .write = imx7_src_write, + .endianness = DEVICE_NATIVE_ENDIAN, + .valid = { + /* + * Our device would not work correctly if the guest was doing + * unaligned access. This might not be a limitation on the real + * device but in practice there is no reason for a guest to access + * this device unaligned. + */ + .min_access_size = 4, + .max_access_size = 4, + .unaligned = false, + }, +}; + +static void imx7_src_realize(DeviceState *dev, Error **errp) +{ + IMX7SRCState *s = IMX7_SRC(dev); + + memory_region_init_io(&s->iomem, OBJECT(dev), &imx7_src_ops, s, + TYPE_IMX7_SRC, 0x1000); + sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem); +} + +static void imx7_src_class_init(ObjectClass *klass, void *data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + + dc->realize = imx7_src_realize; + dc->reset = imx7_src_reset; + dc->vmsd = &vmstate_imx7_src; + dc->desc = "i.MX6 System Reset Controller"; +} + +static const TypeInfo imx7_src_info = { + .name = TYPE_IMX7_SRC, + .parent = TYPE_SYS_BUS_DEVICE, + .instance_size = sizeof(IMX7SRCState), + .class_init = imx7_src_class_init, +}; + +static void imx7_src_register_types(void) +{ + type_register_static(&imx7_src_info); +} + +type_init(imx7_src_register_types) diff --git a/hw/misc/meson.build b/hw/misc/meson.build index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/meson.build +++ b/hw/misc/meson.build @@ -XXX,XX +XXX,XX @@ system_ss.add(when: 'CONFIG_IMX', if_true: files( 'imx6_src.c', 'imx6ul_ccm.c', 'imx7_ccm.c', + 'imx7_src.c', 'imx7_gpr.c', 'imx7_snvs.c', 'imx_ccm.c', diff --git a/hw/misc/trace-events b/hw/misc/trace-events index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/trace-events +++ b/hw/misc/trace-events @@ -XXX,XX +XXX,XX @@ ccm_clock_freq(uint32_t clock, uint32_t freq) "(Clock = %d) = %d" ccm_read_reg(const char *reg_name, uint32_t value) "reg[%s] <= 0x%" PRIx32 ccm_write_reg(const char *reg_name, uint32_t value) "reg[%s] => 0x%" PRIx32 +# imx7_src.c +imx7_src_read(const char *reg_name, uint32_t value) "reg[%s] => 0x%" PRIx32 +imx7_src_write(const char *reg_name, uint32_t value) "reg[%s] <= 0x%" PRIx32 + # iotkit-sysinfo.c iotkit_sysinfo_read(uint64_t offset, uint64_t data, unsigned size) "IoTKit SysInfo read: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u" iotkit_sysinfo_write(uint64_t offset, uint64_t data, unsigned size) "IoTKit SysInfo write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u" -- 2.34.1 The architecture requires (R_TYTWB) that an attempt to return from EL3 when SCR_EL3.{NSE,NS} are {1,0} is an illegal exception return. (This enforces that the CPU can't ever be executing below EL3 with the NSE,NS bits indicating an invalid security state.) We were missing this check; add it. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230807150618.101357-1-peter.maydell@linaro.org --- target/arm/tcg/helper-a64.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/target/arm/tcg/helper-a64.c b/target/arm/tcg/helper-a64.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/helper-a64.c +++ b/target/arm/tcg/helper-a64.c @@ -XXX,XX +XXX,XX @@ void HELPER(exception_return)(CPUARMState *env, uint64_t new_pc) spsr &= ~PSTATE_SS; } + /* + * FEAT_RME forbids return from EL3 with an invalid security state. + * We don't need an explicit check for FEAT_RME here because we enforce + * in scr_write() that you can't set the NSE bit without it. + */ + if (cur_el == 3 && (env->cp15.scr_el3 & (SCR_NS | SCR_NSE)) == SCR_NSE) { + goto illegal_return; + } + new_el = el_from_spsr(spsr); if (new_el == -1) { goto illegal_return; -- 2.34.1 In the m48t59 device we almost always use 64-bit arithmetic when dealing with time_t deltas. The one exception is in set_alarm(), which currently uses a plain 'int' to hold the difference between two time_t values. Switch to int64_t instead to avoid any possible overflow issues. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> --- hw/rtc/m48t59.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/rtc/m48t59.c b/hw/rtc/m48t59.c index XXXXXXX..XXXXXXX 100644 --- a/hw/rtc/m48t59.c +++ b/hw/rtc/m48t59.c @@ -XXX,XX +XXX,XX @@ static void alarm_cb (void *opaque) static void set_alarm(M48t59State *NVRAM) { - int diff; + int64_t diff; if (NVRAM->alrm_timer != NULL) { timer_del(NVRAM->alrm_timer); diff = qemu_timedate_diff(&NVRAM->alarm) - NVRAM->time_offset; -- 2.34.1 In the twl92230 device, use int64_t for the two state fields sec_offset and alm_sec, because we set these to values that are either time_t or differences between two time_t values. These fields aren't saved in vmstate anywhere, so we can safely widen them. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> --- hw/rtc/twl92230.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/rtc/twl92230.c b/hw/rtc/twl92230.c index XXXXXXX..XXXXXXX 100644 --- a/hw/rtc/twl92230.c +++ b/hw/rtc/twl92230.c @@ -XXX,XX +XXX,XX @@ struct MenelausState { struct tm tm; struct tm new; struct tm alm; - int sec_offset; - int alm_sec; + int64_t sec_offset; + int64_t alm_sec; int next_comp; } rtc; uint16_t rtc_next_vmstate; -- 2.34.1 In the aspeed_rtc device we store a difference between two time_t values in an 'int'. This is not really correct when time_t could be 64 bits. Enlarge the field to 'int64_t'. This is a migration compatibility break for the aspeed boards. While we are changing the vmstate, remove the accidental duplicate of the offset field. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Cédric Le Goater <clg@kaod.org> --- include/hw/rtc/aspeed_rtc.h | 2 +- hw/rtc/aspeed_rtc.c | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/include/hw/rtc/aspeed_rtc.h b/include/hw/rtc/aspeed_rtc.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/rtc/aspeed_rtc.h +++ b/include/hw/rtc/aspeed_rtc.h @@ -XXX,XX +XXX,XX @@ struct AspeedRtcState { qemu_irq irq; uint32_t reg[0x18]; - int offset; + int64_t offset; }; diff --git a/hw/rtc/aspeed_rtc.c b/hw/rtc/aspeed_rtc.c index XXXXXXX..XXXXXXX 100644 --- a/hw/rtc/aspeed_rtc.c +++ b/hw/rtc/aspeed_rtc.c @@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps aspeed_rtc_ops = { static const VMStateDescription vmstate_aspeed_rtc = { .name = TYPE_ASPEED_RTC, - .version_id = 1, + .version_id = 2, .fields = (VMStateField[]) { VMSTATE_UINT32_ARRAY(reg, AspeedRtcState, 0x18), - VMSTATE_INT32(offset, AspeedRtcState), - VMSTATE_INT32(offset, AspeedRtcState), + VMSTATE_INT64(offset, AspeedRtcState), VMSTATE_END_OF_LIST() } }; -- 2.34.1 The functions qemu_get_timedate() and qemu_timedate_diff() take and return a time offset as an integer. Coverity points out that means that when an RTC device implementation holds an offset as a time_t, as the m48t59 does, the time_t will get truncated. (CID 1507157, 1517772). The functions work with time_t internally, so make them use that type in their APIs. Note that this won't help any Y2038 issues where either the device model itself is keeping the offset in a 32-bit integer, or where the hardware under emulation has Y2038 or other rollover problems. If we missed any cases of the former then hopefully Coverity will warn us about them since after this patch we'd be truncating a time_t in assignments from qemu_timedate_diff().) Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> --- include/sysemu/rtc.h | 4 ++-- softmmu/rtc.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/sysemu/rtc.h b/include/sysemu/rtc.h index XXXXXXX..XXXXXXX 100644 --- a/include/sysemu/rtc.h +++ b/include/sysemu/rtc.h @@ -XXX,XX +XXX,XX @@ * The behaviour of the clock whose value this function returns will * depend on the -rtc command line option passed by the user. */ -void qemu_get_timedate(struct tm *tm, int offset); +void qemu_get_timedate(struct tm *tm, time_t offset); /** * qemu_timedate_diff: Return difference between a struct tm and the RTC @@ -XXX,XX +XXX,XX @@ void qemu_get_timedate(struct tm *tm, int offset); * a timestamp one hour further ahead than the current RTC time * then this function will return 3600. */ -int qemu_timedate_diff(struct tm *tm); +time_t qemu_timedate_diff(struct tm *tm); #endif diff --git a/softmmu/rtc.c b/softmmu/rtc.c index XXXXXXX..XXXXXXX 100644 --- a/softmmu/rtc.c +++ b/softmmu/rtc.c @@ -XXX,XX +XXX,XX @@ static time_t qemu_ref_timedate(QEMUClockType clock) return value; } -void qemu_get_timedate(struct tm *tm, int offset) +void qemu_get_timedate(struct tm *tm, time_t offset) { time_t ti = qemu_ref_timedate(rtc_clock); @@ -XXX,XX +XXX,XX @@ void qemu_get_timedate(struct tm *tm, int offset) } } -int qemu_timedate_diff(struct tm *tm) +time_t qemu_timedate_diff(struct tm *tm) { time_t seconds; -- 2.34.1 Where architecturally one ARM_FEATURE_X flag implies another ARM_FEATURE_Y, we allow the CPU init function to only set X, and then set Y for it. Currently we do this in two places -- we set a few flags in arm_cpu_post_init() because we need them to decide which properties to create on the CPU object, and then we do the rest in arm_cpu_realizefn(). However, this is fragile, because it's easy to add a new property and not notice that this means that an X-implies-Y check now has to move from realize to post-init. As a specific example, the pmsav7-dregion property is conditional on ARM_FEATURE_PMSA && ARM_FEATURE_V7, which means it won't appear on the Cortex-M33 and -M55, because they set ARM_FEATURE_V8 and rely on V8-implies-V7, which doesn't happen until the realizefn. Move all of these X-implies-Y checks into a new function, which we call at the top of arm_cpu_post_init(), so the feature bits are available at that point. This does now give us the reverse issue, that if there's a feature bit which is enabled or disabled by the setting of a property then then X-implies-Y features that are dependent on that property need to be in realize, not in this new function. But the only one of those is the "EL3 implies VBAR" which is already in the right place, so putting things this way round seems better to me. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230724174335.2150499-2-peter.maydell@linaro.org --- target/arm/cpu.c | 179 +++++++++++++++++++++++++---------------------- 1 file changed, 97 insertions(+), 82 deletions(-) diff --git a/target/arm/cpu.c b/target/arm/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -XXX,XX +XXX,XX @@ unsigned int gt_cntfrq_period_ns(ARMCPU *cpu) NANOSECONDS_PER_SECOND / cpu->gt_cntfrq_hz : 1; } +static void arm_cpu_propagate_feature_implications(ARMCPU *cpu) +{ + CPUARMState *env = &cpu->env; + bool no_aa32 = false; + + /* + * Some features automatically imply others: set the feature + * bits explicitly for these cases. + */ + + if (arm_feature(env, ARM_FEATURE_M)) { + set_feature(env, ARM_FEATURE_PMSA); + } + + if (arm_feature(env, ARM_FEATURE_V8)) { + if (arm_feature(env, ARM_FEATURE_M)) { + set_feature(env, ARM_FEATURE_V7); + } else { + set_feature(env, ARM_FEATURE_V7VE); + } + } + + /* + * There exist AArch64 cpus without AArch32 support. When KVM + * queries ID_ISAR0_EL1 on such a host, the value is UNKNOWN. + * Similarly, we cannot check ID_AA64PFR0 without AArch64 support. + * As a general principle, we also do not make ID register + * consistency checks anywhere unless using TCG, because only + * for TCG would a consistency-check failure be a QEMU bug. + */ + if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) { + no_aa32 = !cpu_isar_feature(aa64_aa32, cpu); + } + + if (arm_feature(env, ARM_FEATURE_V7VE)) { + /* + * v7 Virtualization Extensions. In real hardware this implies + * EL2 and also the presence of the Security Extensions. + * For QEMU, for backwards-compatibility we implement some + * CPUs or CPU configs which have no actual EL2 or EL3 but do + * include the various other features that V7VE implies. + * Presence of EL2 itself is ARM_FEATURE_EL2, and of the + * Security Extensions is ARM_FEATURE_EL3. + */ + assert(!tcg_enabled() || no_aa32 || + cpu_isar_feature(aa32_arm_div, cpu)); + set_feature(env, ARM_FEATURE_LPAE); + set_feature(env, ARM_FEATURE_V7); + } + if (arm_feature(env, ARM_FEATURE_V7)) { + set_feature(env, ARM_FEATURE_VAPA); + set_feature(env, ARM_FEATURE_THUMB2); + set_feature(env, ARM_FEATURE_MPIDR); + if (!arm_feature(env, ARM_FEATURE_M)) { + set_feature(env, ARM_FEATURE_V6K); + } else { + set_feature(env, ARM_FEATURE_V6); + } + + /* + * Always define VBAR for V7 CPUs even if it doesn't exist in + * non-EL3 configs. This is needed by some legacy boards. + */ + set_feature(env, ARM_FEATURE_VBAR); + } + if (arm_feature(env, ARM_FEATURE_V6K)) { + set_feature(env, ARM_FEATURE_V6); + set_feature(env, ARM_FEATURE_MVFR); + } + if (arm_feature(env, ARM_FEATURE_V6)) { + set_feature(env, ARM_FEATURE_V5); + if (!arm_feature(env, ARM_FEATURE_M)) { + assert(!tcg_enabled() || no_aa32 || + cpu_isar_feature(aa32_jazelle, cpu)); + set_feature(env, ARM_FEATURE_AUXCR); + } + } + if (arm_feature(env, ARM_FEATURE_V5)) { + set_feature(env, ARM_FEATURE_V4T); + } + if (arm_feature(env, ARM_FEATURE_LPAE)) { + set_feature(env, ARM_FEATURE_V7MP); + } + if (arm_feature(env, ARM_FEATURE_CBAR_RO)) { + set_feature(env, ARM_FEATURE_CBAR); + } + if (arm_feature(env, ARM_FEATURE_THUMB2) && + !arm_feature(env, ARM_FEATURE_M)) { + set_feature(env, ARM_FEATURE_THUMB_DSP); + } +} + void arm_cpu_post_init(Object *obj) { ARMCPU *cpu = ARM_CPU(obj); - /* M profile implies PMSA. We have to do this here rather than - * in realize with the other feature-implication checks because - * we look at the PMSA bit to see if we should add some properties. + /* + * Some features imply others. Figure this out now, because we + * are going to look at the feature bits in deciding which + * properties to add. */ - if (arm_feature(&cpu->env, ARM_FEATURE_M)) { - set_feature(&cpu->env, ARM_FEATURE_PMSA); - } + arm_cpu_propagate_feature_implications(cpu); if (arm_feature(&cpu->env, ARM_FEATURE_CBAR) || arm_feature(&cpu->env, ARM_FEATURE_CBAR_RO)) { @@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp) CPUARMState *env = &cpu->env; int pagebits; Error *local_err = NULL; - bool no_aa32 = false; /* Use pc-relative instructions in system-mode */ #ifndef CONFIG_USER_ONLY @@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp) cpu->isar.id_isar3 = u; } - /* Some features automatically imply others: */ - if (arm_feature(env, ARM_FEATURE_V8)) { - if (arm_feature(env, ARM_FEATURE_M)) { - set_feature(env, ARM_FEATURE_V7); - } else { - set_feature(env, ARM_FEATURE_V7VE); - } - } - - /* - * There exist AArch64 cpus without AArch32 support. When KVM - * queries ID_ISAR0_EL1 on such a host, the value is UNKNOWN. - * Similarly, we cannot check ID_AA64PFR0 without AArch64 support. - * As a general principle, we also do not make ID register - * consistency checks anywhere unless using TCG, because only - * for TCG would a consistency-check failure be a QEMU bug. - */ - if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) { - no_aa32 = !cpu_isar_feature(aa64_aa32, cpu); - } - - if (arm_feature(env, ARM_FEATURE_V7VE)) { - /* v7 Virtualization Extensions. In real hardware this implies - * EL2 and also the presence of the Security Extensions. - * For QEMU, for backwards-compatibility we implement some - * CPUs or CPU configs which have no actual EL2 or EL3 but do - * include the various other features that V7VE implies. - * Presence of EL2 itself is ARM_FEATURE_EL2, and of the - * Security Extensions is ARM_FEATURE_EL3. - */ - assert(!tcg_enabled() || no_aa32 || - cpu_isar_feature(aa32_arm_div, cpu)); - set_feature(env, ARM_FEATURE_LPAE); - set_feature(env, ARM_FEATURE_V7); - } - if (arm_feature(env, ARM_FEATURE_V7)) { - set_feature(env, ARM_FEATURE_VAPA); - set_feature(env, ARM_FEATURE_THUMB2); - set_feature(env, ARM_FEATURE_MPIDR); - if (!arm_feature(env, ARM_FEATURE_M)) { - set_feature(env, ARM_FEATURE_V6K); - } else { - set_feature(env, ARM_FEATURE_V6); - } - - /* Always define VBAR for V7 CPUs even if it doesn't exist in - * non-EL3 configs. This is needed by some legacy boards. - */ - set_feature(env, ARM_FEATURE_VBAR); - } - if (arm_feature(env, ARM_FEATURE_V6K)) { - set_feature(env, ARM_FEATURE_V6); - set_feature(env, ARM_FEATURE_MVFR); - } - if (arm_feature(env, ARM_FEATURE_V6)) { - set_feature(env, ARM_FEATURE_V5); - if (!arm_feature(env, ARM_FEATURE_M)) { - assert(!tcg_enabled() || no_aa32 || - cpu_isar_feature(aa32_jazelle, cpu)); - set_feature(env, ARM_FEATURE_AUXCR); - } - } - if (arm_feature(env, ARM_FEATURE_V5)) { - set_feature(env, ARM_FEATURE_V4T); - } - if (arm_feature(env, ARM_FEATURE_LPAE)) { - set_feature(env, ARM_FEATURE_V7MP); - } - if (arm_feature(env, ARM_FEATURE_CBAR_RO)) { - set_feature(env, ARM_FEATURE_CBAR); - } - if (arm_feature(env, ARM_FEATURE_THUMB2) && - !arm_feature(env, ARM_FEATURE_M)) { - set_feature(env, ARM_FEATURE_THUMB_DSP); - } /* * We rely on no XScale CPU having VFP so we can use the same bits in the -- 2.34.1 M-profile CPUs generally allow configuration of the number of MPU regions that they have. We don't currently model this, so our implementations of some of the board models provide CPUs with the wrong number of regions. RTOSes like Zephyr that hardcode the expected number of regions may therefore not run on the model if they are set up to run on real hardware. Add properties mpu-ns-regions and mpu-s-regions to the ARMV7M object, matching the ability of hardware to configure the number of Secure and NonSecure regions separately. Our actual CPU implementation doesn't currently support that, and it happens that none of the MPS boards we model set the number of regions differently for Secure vs NonSecure, so we provide an interface to the boards and SoCs that won't need to change if we ever do add that functionality in future, but make it an error to configure the two properties to different values. (The property name on the CPU is the somewhat misnamed-for-M-profile "pmsav7-dregion", so we don't follow that naming convention for the properties here. The TRM doesn't say what the CPU configuration variable names are, so we pick something, and follow the lowercase convention we already have for properties here.) Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20230724174335.2150499-3-peter.maydell@linaro.org --- include/hw/arm/armv7m.h | 8 ++++++++ hw/arm/armv7m.c | 21 +++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/include/hw/arm/armv7m.h b/include/hw/arm/armv7m.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/arm/armv7m.h +++ b/include/hw/arm/armv7m.h @@ -XXX,XX +XXX,XX @@ OBJECT_DECLARE_SIMPLE_TYPE(ARMv7MState, ARMV7M) * + Property "vfp": enable VFP (forwarded to CPU object) * + Property "dsp": enable DSP (forwarded to CPU object) * + Property "enable-bitband": expose bitbanded IO + * + Property "mpu-ns-regions": number of Non-Secure MPU regions (forwarded + * to CPU object pmsav7-dregion property; default is whatever the default + * for the CPU is) + * + Property "mpu-s-regions": number of Secure MPU regions (default is + * whatever the default for the CPU is; must currently be set to the same + * value as mpu-ns-regions if the CPU implements the Security Extension) * + Clock input "refclk" is the external reference clock for the systick timers * + Clock input "cpuclk" is the main CPU clock */ @@ -XXX,XX +XXX,XX @@ struct ARMv7MState { Object *idau; uint32_t init_svtor; uint32_t init_nsvtor; + uint32_t mpu_ns_regions; + uint32_t mpu_s_regions; bool enable_bitband; bool start_powered_off; bool vfp; diff --git a/hw/arm/armv7m.c b/hw/arm/armv7m.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/armv7m.c +++ b/hw/arm/armv7m.c @@ -XXX,XX +XXX,XX @@ static void armv7m_realize(DeviceState *dev, Error **errp) } } + /* + * Real M-profile hardware can be configured with a different number of + * MPU regions for Secure vs NonSecure. QEMU's CPU implementation doesn't + * support that yet, so catch attempts to select that. + */ + if (arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY) && + s->mpu_ns_regions != s->mpu_s_regions) { + error_setg(errp, + "mpu-ns-regions and mpu-s-regions properties must have the same value"); + return; + } + if (s->mpu_ns_regions != UINT_MAX && + object_property_find(OBJECT(s->cpu), "pmsav7-dregion")) { + if (!object_property_set_uint(OBJECT(s->cpu), "pmsav7-dregion", + s->mpu_ns_regions, errp)) { + return; + } + } + /* * Tell the CPU where the NVIC is; it will fail realize if it doesn't * have one. Similarly, tell the NVIC where its CPU is. @@ -XXX,XX +XXX,XX @@ static Property armv7m_properties[] = { false), DEFINE_PROP_BOOL("vfp", ARMv7MState, vfp, true), DEFINE_PROP_BOOL("dsp", ARMv7MState, dsp, true), + DEFINE_PROP_UINT32("mpu-ns-regions", ARMv7MState, mpu_ns_regions, UINT_MAX), + DEFINE_PROP_UINT32("mpu-s-regions", ARMv7MState, mpu_s_regions, UINT_MAX), DEFINE_PROP_END_OF_LIST(), }; -- 2.34.1 The IoTKit, SSE200 and SSE300 all default to 8 MPU regions. The MPS2/MPS3 FPGA images don't override these except in the case of AN547, which uses 16 MPU regions. Define properties on the ARMSSE object for the MPU regions (using the same names as the documented RTL configuration settings, and following the pattern we already have for this device of using all-caps names as the RTL does), and set them in the board code. We don't actually need to override the default except on AN547, but it's simpler code to have the board code set them always rather than tracking which board subtypes want to set them to a non-default value separately from what that value is. Tho overall effect is that for mps2-an505, mps2-an521 and mps3-an524 we now correctly use 8 MPU regions, while mps3-an547 stays at its current 16 regions. It's possible some guest code wrongly depended on the previous incorrectly modeled number of memory regions. (Such guest code should ideally check the number of regions via the MPU_TYPE register.) The old behaviour can be obtained with additional -global arguments to QEMU: For mps2-an521 and mps2-an524: -global sse-200.CPU0_MPU_NS=16 -global sse-200.CPU0_MPU_S=16 -global sse-200.CPU1_MPU_NS=16 -global sse-200.CPU1_MPU_S=16 For mps2-an505: -global sse-200.CPU0_MPU_NS=16 -global sse-200.CPU0_MPU_S=16 NB that the way the implementation allows this use of -global is slightly fragile: if the board code explicitly sets the properties on the sse-200 object, this overrides the -global command line option. So we rely on: - the boards that need fixing all happen to use the SSE defaults - we can write the board code to only set the property if it is different from the default, rather than having all boards explicitly set the property - the board that does need to use a non-default value happens to need to set it to the same value (16) we previously used This works, but there are some kinds of refactoring of the mps2-tz.c code that would break the support for -global here. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1772 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20230724174335.2150499-4-peter.maydell@linaro.org --- include/hw/arm/armsse.h | 5 +++++ hw/arm/armsse.c | 16 ++++++++++++++++ hw/arm/mps2-tz.c | 29 +++++++++++++++++++++++++++++ 3 files changed, 50 insertions(+) diff --git a/include/hw/arm/armsse.h b/include/hw/arm/armsse.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/arm/armsse.h +++ b/include/hw/arm/armsse.h @@ -XXX,XX +XXX,XX @@ * (matching the hardware) is that for CPU0 in an IoTKit and CPU1 in an * SSE-200 both are present; CPU0 in an SSE-200 has neither. * Since the IoTKit has only one CPU, it does not have the CPU1_* properties. + * + QOM properties "CPU0_MPU_NS", "CPU0_MPU_S", "CPU1_MPU_NS" and "CPU1_MPU_S" + * which set the number of MPU regions on the CPUs. If there is only one + * CPU the CPU1 properties are not present. * + Named GPIO inputs "EXP_IRQ" 0..n are the expansion interrupts for CPU 0, * which are wired to its NVIC lines 32 .. n+32 * + Named GPIO inputs "EXP_CPU1_IRQ" 0..n are the expansion interrupts for @@ -XXX,XX +XXX,XX @@ struct ARMSSE { uint32_t exp_numirq; uint32_t sram_addr_width; uint32_t init_svtor; + uint32_t cpu_mpu_ns[SSE_MAX_CPUS]; + uint32_t cpu_mpu_s[SSE_MAX_CPUS]; bool cpu_fpu[SSE_MAX_CPUS]; bool cpu_dsp[SSE_MAX_CPUS]; }; diff --git a/hw/arm/armsse.c b/hw/arm/armsse.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/armsse.c +++ b/hw/arm/armsse.c @@ -XXX,XX +XXX,XX @@ static Property iotkit_properties[] = { DEFINE_PROP_UINT32("init-svtor", ARMSSE, init_svtor, 0x10000000), DEFINE_PROP_BOOL("CPU0_FPU", ARMSSE, cpu_fpu[0], true), DEFINE_PROP_BOOL("CPU0_DSP", ARMSSE, cpu_dsp[0], true), + DEFINE_PROP_UINT32("CPU0_MPU_NS", ARMSSE, cpu_mpu_ns[0], 8), + DEFINE_PROP_UINT32("CPU0_MPU_S", ARMSSE, cpu_mpu_s[0], 8), DEFINE_PROP_END_OF_LIST() }; @@ -XXX,XX +XXX,XX @@ static Property sse200_properties[] = { DEFINE_PROP_BOOL("CPU0_DSP", ARMSSE, cpu_dsp[0], false), DEFINE_PROP_BOOL("CPU1_FPU", ARMSSE, cpu_fpu[1], true), DEFINE_PROP_BOOL("CPU1_DSP", ARMSSE, cpu_dsp[1], true), + DEFINE_PROP_UINT32("CPU0_MPU_NS", ARMSSE, cpu_mpu_ns[0], 8), + DEFINE_PROP_UINT32("CPU0_MPU_S", ARMSSE, cpu_mpu_s[0], 8), + DEFINE_PROP_UINT32("CPU1_MPU_NS", ARMSSE, cpu_mpu_ns[1], 8), + DEFINE_PROP_UINT32("CPU1_MPU_S", ARMSSE, cpu_mpu_s[1], 8), DEFINE_PROP_END_OF_LIST() }; @@ -XXX,XX +XXX,XX @@ static Property sse300_properties[] = { DEFINE_PROP_UINT32("init-svtor", ARMSSE, init_svtor, 0x10000000), DEFINE_PROP_BOOL("CPU0_FPU", ARMSSE, cpu_fpu[0], true), DEFINE_PROP_BOOL("CPU0_DSP", ARMSSE, cpu_dsp[0], true), + DEFINE_PROP_UINT32("CPU0_MPU_NS", ARMSSE, cpu_mpu_ns[0], 8), + DEFINE_PROP_UINT32("CPU0_MPU_S", ARMSSE, cpu_mpu_s[0], 8), DEFINE_PROP_END_OF_LIST() }; @@ -XXX,XX +XXX,XX @@ static void armsse_realize(DeviceState *dev, Error **errp) return; } } + if (!object_property_set_uint(cpuobj, "mpu-ns-regions", + s->cpu_mpu_ns[i], errp)) { + return; + } + if (!object_property_set_uint(cpuobj, "mpu-s-regions", + s->cpu_mpu_s[i], errp)) { + return; + } if (i > 0) { memory_region_add_subregion_overlap(&s->cpu_container[i], 0, diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/mps2-tz.c +++ b/hw/arm/mps2-tz.c @@ -XXX,XX +XXX,XX @@ struct MPS2TZMachineClass { int uart_overflow_irq; /* number of the combined UART overflow IRQ */ uint32_t init_svtor; /* init-svtor setting for SSE */ uint32_t sram_addr_width; /* SRAM_ADDR_WIDTH setting for SSE */ + uint32_t cpu0_mpu_ns; /* CPU0_MPU_NS setting for SSE */ + uint32_t cpu0_mpu_s; /* CPU0_MPU_S setting for SSE */ + uint32_t cpu1_mpu_ns; /* CPU1_MPU_NS setting for SSE */ + uint32_t cpu1_mpu_s; /* CPU1_MPU_S setting for SSE */ const RAMInfo *raminfo; const char *armsse_type; uint32_t boot_ram_size; /* size of ram at address 0; 0 == find in raminfo */ @@ -XXX,XX +XXX,XX @@ OBJECT_DECLARE_TYPE(MPS2TZMachineState, MPS2TZMachineClass, MPS2TZ_MACHINE) #define MPS3_DDR_SIZE (2 * GiB) #endif +/* For cpu{0,1}_mpu_{ns,s}, means "leave at SSE's default value" */ +#define MPU_REGION_DEFAULT UINT32_MAX + static const uint32_t an505_oscclk[] = { 40000000, 24580000, @@ -XXX,XX +XXX,XX @@ static void mps2tz_common_init(MachineState *machine) OBJECT(system_memory), &error_abort); qdev_prop_set_uint32(iotkitdev, "EXP_NUMIRQ", mmc->numirq); qdev_prop_set_uint32(iotkitdev, "init-svtor", mmc->init_svtor); + if (mmc->cpu0_mpu_ns != MPU_REGION_DEFAULT) { + qdev_prop_set_uint32(iotkitdev, "CPU0_MPU_NS", mmc->cpu0_mpu_ns); + } + if (mmc->cpu0_mpu_s != MPU_REGION_DEFAULT) { + qdev_prop_set_uint32(iotkitdev, "CPU0_MPU_S", mmc->cpu0_mpu_s); + } + if (object_property_find(OBJECT(iotkitdev), "CPU1_MPU_NS")) { + if (mmc->cpu1_mpu_ns != MPU_REGION_DEFAULT) { + qdev_prop_set_uint32(iotkitdev, "CPU1_MPU_NS", mmc->cpu1_mpu_ns); + } + if (mmc->cpu1_mpu_s != MPU_REGION_DEFAULT) { + qdev_prop_set_uint32(iotkitdev, "CPU1_MPU_S", mmc->cpu1_mpu_s); + } + } qdev_prop_set_uint32(iotkitdev, "SRAM_ADDR_WIDTH", mmc->sram_addr_width); qdev_connect_clock_in(iotkitdev, "MAINCLK", mms->sysclk); qdev_connect_clock_in(iotkitdev, "S32KCLK", mms->s32kclk); @@ -XXX,XX +XXX,XX @@ static void mps2tz_class_init(ObjectClass *oc, void *data) { MachineClass *mc = MACHINE_CLASS(oc); IDAUInterfaceClass *iic = IDAU_INTERFACE_CLASS(oc); + MPS2TZMachineClass *mmc = MPS2TZ_MACHINE_CLASS(oc); mc->init = mps2tz_common_init; mc->reset = mps2_machine_reset; iic->check = mps2_tz_idau_check; + + /* Most machines leave these at the SSE defaults */ + mmc->cpu0_mpu_ns = MPU_REGION_DEFAULT; + mmc->cpu0_mpu_s = MPU_REGION_DEFAULT; + mmc->cpu1_mpu_ns = MPU_REGION_DEFAULT; + mmc->cpu1_mpu_s = MPU_REGION_DEFAULT; } static void mps2tz_set_default_ram_info(MPS2TZMachineClass *mmc) @@ -XXX,XX +XXX,XX @@ static void mps3tz_an547_class_init(ObjectClass *oc, void *data) mmc->numirq = 96; mmc->uart_overflow_irq = 48; mmc->init_svtor = 0x00000000; + mmc->cpu0_mpu_s = mmc->cpu0_mpu_ns = 16; mmc->sram_addr_width = 21; mmc->raminfo = an547_raminfo; mmc->armsse_type = TYPE_SSE300; -- 2.34.1