This patchset implements Smwg/Smwgd/Sswg CPU extension and wgChecker device defined in WorldGuard spec v0.4. The WG v0.4 spec could be found here: https://lists.riscv.org/g/security/attachment/711/0/worldguard_rvia_spec-v0.4.pdf To enable WG in QEMU, pass "wg=on" as machine parameter to virt machine. It enables both WG CPU CSRs to apply WID of CPU and wgCheckers on the DRAM, FLASH, and UART to protect these resources. This patchset contains 5 parts: 1. Commit 1: Bugfix of IOMMUMemoryRegion 2. Commit 2 ~ 3: Extend IOMMUMemoryRegion and MemTxAttr for WG support 3. Commit 4 ~ 11: Add WG global device and CPU extensions 4. Commit 12 ~ 15: Add WG checker device 5. Commit 16: Add WG support to the virt machine Jim Shu (16): accel/tcg: Store section pointer in CPUTLBEntryFull accel/tcg: memory access from CPU will pass access_type to IOMMU exec: Add RISC-V WorldGuard WID to MemTxAttrs hw/misc: riscv_worldguard: Add RISC-V WorldGuard global config target/riscv: Add CPU options of WorldGuard CPU extension target/riscv: Add hard-coded CPU state of WG extension target/riscv: Add defines for WorldGuard CSRs target/riscv: Allow global WG config to set WG CPU callbacks target/riscv: Implement WorldGuard CSRs target/riscv: Add WID to MemTxAttrs of CPU memory transactions hw/misc: riscv_worldguard: Add API to enable WG extension of CPU hw/misc: riscv_wgchecker: Implement RISC-V WorldGuard Checker hw/misc: riscv_wgchecker: Implement wgchecker slot registers hw/misc: riscv_wgchecker: Implement correct block-access behavior hw/misc: riscv_wgchecker: Check the slot settings in translate hw/riscv: virt: Add WorldGuard support accel/tcg/cputlb.c | 34 +- docs/system/riscv/virt.rst | 10 + hw/misc/Kconfig | 3 + hw/misc/meson.build | 1 + hw/misc/riscv_wgchecker.c | 1161 ++++++++++++++++++++++++++ hw/misc/riscv_worldguard.c | 273 ++++++ hw/misc/trace-events | 9 + hw/riscv/Kconfig | 1 + hw/riscv/virt.c | 163 +++- include/exec/exec-all.h | 11 +- include/exec/memattrs.h | 5 + include/hw/core/cpu.h | 3 + include/hw/misc/riscv_worldguard.h | 123 +++ include/hw/riscv/virt.h | 17 +- system/physmem.c | 16 +- target/alpha/helper.c | 2 +- target/arm/tcg/tlb_helper.c | 2 +- target/avr/helper.c | 2 +- target/cris/helper.c | 2 +- target/hppa/mem_helper.c | 2 +- target/i386/tcg/sysemu/excp_helper.c | 3 +- target/loongarch/tcg/tlb_helper.c | 2 +- target/m68k/helper.c | 10 +- target/microblaze/helper.c | 8 +- target/mips/tcg/sysemu/tlb_helper.c | 4 +- target/openrisc/mmu.c | 2 +- target/ppc/mmu_helper.c | 2 +- target/riscv/cpu.c | 16 +- target/riscv/cpu.h | 12 + target/riscv/cpu_bits.h | 5 + target/riscv/cpu_cfg.h | 5 + target/riscv/cpu_helper.c | 69 +- target/riscv/csr.c | 107 +++ target/riscv/tcg/tcg-cpu.c | 11 + target/rx/cpu.c | 3 +- target/s390x/tcg/excp_helper.c | 2 +- target/sh4/helper.c | 2 +- target/sparc/mmu_helper.c | 6 +- target/tricore/helper.c | 2 +- target/xtensa/helper.c | 3 +- 40 files changed, 2054 insertions(+), 60 deletions(-) create mode 100644 hw/misc/riscv_wgchecker.c create mode 100644 hw/misc/riscv_worldguard.c create mode 100644 include/hw/misc/riscv_worldguard.h -- 2.17.1 'CPUTLBEntryFull.xlat_section' stores section_index in last 12 bits to find the correct section when CPU access the IO region over the IOTLB (iotlb_to_section()). However, section_index is only unique inside single AddressSpace. If address space translation is over IOMMUMemoryRegion, it could return section from other AddressSpace. 'iotlb_to_section()' API only finds the sections from CPU's AddressSpace so that it couldn't find section in other AddressSpace. Thus, using 'iotlb_to_section()' API will find the wrong section and QEMU will have wrong load/store access. To fix this bug, store complete MemoryRegionSection pointer in CPUTLBEntryFull instead of section_index. This bug occurs only when (1) IOMMUMemoryRegion is in the path of CPU access. (2) IOMMUMemoryRegion returns different target_as and the section is in the IO region. Common IOMMU devices don't have this issue since they are only in the path of DMA access. Currently, the bug only occurs when ARM MPC device (hw/misc/tz-mpc.c) returns 'blocked_io_as' to emulate blocked access handling. Upcoming RISC-V wgChecker device is also affected by this bug. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- accel/tcg/cputlb.c | 19 +++++++++---------- include/hw/core/cpu.h | 3 +++ 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index XXXXXXX..XXXXXXX 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -XXX,XX +XXX,XX @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx, desc->fulltlb[index] = *full; full = &desc->fulltlb[index]; full->xlat_section = iotlb - addr_page; + full->section = section; full->phys_addr = paddr_page; /* Now calculate the new entry */ @@ -XXX,XX +XXX,XX @@ static inline void cpu_unaligned_access(CPUState *cpu, vaddr addr, } static MemoryRegionSection * -io_prepare(hwaddr *out_offset, CPUState *cpu, hwaddr xlat, +io_prepare(hwaddr *out_offset, CPUState *cpu, CPUTLBEntryFull *full, MemTxAttrs attrs, vaddr addr, uintptr_t retaddr) { MemoryRegionSection *section; hwaddr mr_offset; - section = iotlb_to_section(cpu, xlat, attrs); - mr_offset = (xlat & TARGET_PAGE_MASK) + addr; + section = full->section; + mr_offset = (full->xlat_section & TARGET_PAGE_MASK) + addr; cpu->mem_io_pc = retaddr; if (!cpu->neg.can_do_io) { cpu_io_recompile(cpu, retaddr); @@ -XXX,XX +XXX,XX @@ bool tlb_plugin_lookup(CPUState *cpu, vaddr addr, int mmu_idx, /* We must have an iotlb entry for MMIO */ if (tlb_addr & TLB_MMIO) { - MemoryRegionSection *section = - iotlb_to_section(cpu, full->xlat_section & ~TARGET_PAGE_MASK, - full->attrs); + MemoryRegionSection *section = full->section; data->is_io = true; data->mr = section->mr; } else { @@ -XXX,XX +XXX,XX @@ static uint64_t do_ld_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full, tcg_debug_assert(size > 0 && size <= 8); attrs = full->attrs; - section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra); + section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra); mr = section->mr; BQL_LOCK_GUARD(); @@ -XXX,XX +XXX,XX @@ static Int128 do_ld16_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full, tcg_debug_assert(size > 8 && size <= 16); attrs = full->attrs; - section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra); + section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra); mr = section->mr; BQL_LOCK_GUARD(); @@ -XXX,XX +XXX,XX @@ static uint64_t do_st_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full, tcg_debug_assert(size > 0 && size <= 8); attrs = full->attrs; - section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra); + section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra); mr = section->mr; BQL_LOCK_GUARD(); @@ -XXX,XX +XXX,XX @@ static uint64_t do_st16_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full, tcg_debug_assert(size > 8 && size <= 16); attrs = full->attrs; - section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra); + section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra); mr = section->mr; BQL_LOCK_GUARD(); diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/core/cpu.h +++ b/include/hw/core/cpu.h @@ -XXX,XX +XXX,XX @@ typedef struct CPUTLBEntryFull { */ hwaddr xlat_section; + /* @section contains physical section. */ + MemoryRegionSection *section; + /* * @phys_addr contains the physical address in the address space * given by cpu_asidx_from_attrs(cpu, @attrs). -- 2.17.1 It is the preparation patch for upcoming RISC-V wgChecker device. Since RISC-V wgChecker could permit access in RO/WO permission, the IOMMUMemoryRegion could return different section for read & write access. The memory access from CPU should also pass the access_type to IOMMU translate function so that IOMMU could return the correct section of specified access_type. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- accel/tcg/cputlb.c | 15 +++++++++------ include/exec/exec-all.h | 11 +++++++---- system/physmem.c | 16 +++++++++++----- target/alpha/helper.c | 2 +- target/arm/tcg/tlb_helper.c | 2 +- target/avr/helper.c | 2 +- target/cris/helper.c | 2 +- target/hppa/mem_helper.c | 2 +- target/i386/tcg/sysemu/excp_helper.c | 3 ++- target/loongarch/tcg/tlb_helper.c | 2 +- target/m68k/helper.c | 10 +++++++--- target/microblaze/helper.c | 8 ++++---- target/mips/tcg/sysemu/tlb_helper.c | 4 ++-- target/openrisc/mmu.c | 2 +- target/ppc/mmu_helper.c | 2 +- target/riscv/cpu_helper.c | 2 +- target/rx/cpu.c | 3 ++- target/s390x/tcg/excp_helper.c | 2 +- target/sh4/helper.c | 2 +- target/sparc/mmu_helper.c | 6 +++--- target/tricore/helper.c | 2 +- target/xtensa/helper.c | 3 ++- 22 files changed, 61 insertions(+), 42 deletions(-) diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index XXXXXXX..XXXXXXX 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -XXX,XX +XXX,XX @@ static inline void tlb_set_compare(CPUTLBEntryFull *full, CPUTLBEntry *ent, * critical section. */ void tlb_set_page_full(CPUState *cpu, int mmu_idx, - vaddr addr, CPUTLBEntryFull *full) + vaddr addr, MMUAccessType access_type, + CPUTLBEntryFull *full) { CPUTLB *tlb = &cpu->neg.tlb; CPUTLBDesc *desc = &tlb->d[mmu_idx]; @@ -XXX,XX +XXX,XX @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx, prot = full->prot; asidx = cpu_asidx_from_attrs(cpu, full->attrs); section = address_space_translate_for_iotlb(cpu, asidx, paddr_page, - &xlat, &sz, full->attrs, &prot); + &xlat, &sz, full->attrs, &prot, + access_type); assert(sz >= TARGET_PAGE_SIZE); tlb_debug("vaddr=%016" VADDR_PRIx " paddr=0x" HWADDR_FMT_plx @@ -XXX,XX +XXX,XX @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx, void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr, hwaddr paddr, MemTxAttrs attrs, int prot, - int mmu_idx, uint64_t size) + MMUAccessType access_type, int mmu_idx, + uint64_t size) { CPUTLBEntryFull full = { .phys_addr = paddr, @@ -XXX,XX +XXX,XX @@ void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr, }; assert(is_power_of_2(size)); - tlb_set_page_full(cpu, mmu_idx, addr, &full); + tlb_set_page_full(cpu, mmu_idx, addr, access_type, &full); } void tlb_set_page(CPUState *cpu, vaddr addr, - hwaddr paddr, int prot, + hwaddr paddr, int prot, MMUAccessType access_type, int mmu_idx, uint64_t size) { tlb_set_page_with_attrs(cpu, addr, paddr, MEMTXATTRS_UNSPECIFIED, - prot, mmu_idx, size); + prot, access_type, mmu_idx, size); } /* diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h index XXXXXXX..XXXXXXX 100644 --- a/include/exec/exec-all.h +++ b/include/exec/exec-all.h @@ -XXX,XX +XXX,XX @@ void tlb_flush_range_by_mmuidx_all_cpus_synced(CPUState *cpu, * used by tlb_flush_page. */ void tlb_set_page_full(CPUState *cpu, int mmu_idx, vaddr addr, - CPUTLBEntryFull *full); + MMUAccessType access_type, CPUTLBEntryFull *full); /** * tlb_set_page_with_attrs: @@ -XXX,XX +XXX,XX @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx, vaddr addr, */ void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr, hwaddr paddr, MemTxAttrs attrs, - int prot, int mmu_idx, vaddr size); + int prot, MMUAccessType access_type, int mmu_idx, + vaddr size); /* tlb_set_page: * * This function is equivalent to calling tlb_set_page_with_attrs() @@ -XXX,XX +XXX,XX @@ void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr, */ void tlb_set_page(CPUState *cpu, vaddr addr, hwaddr paddr, int prot, - int mmu_idx, vaddr size); + MMUAccessType access_type, int mmu_idx, + vaddr size); #else static inline void tlb_init(CPUState *cpu) { @@ -XXX,XX +XXX,XX @@ void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length); MemoryRegionSection * address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, hwaddr *xlat, hwaddr *plen, - MemTxAttrs attrs, int *prot); + MemTxAttrs attrs, int *prot, + MMUAccessType access_type); hwaddr memory_region_section_get_iotlb(CPUState *cpu, MemoryRegionSection *section); #endif diff --git a/system/physmem.c b/system/physmem.c index XXXXXXX..XXXXXXX 100644 --- a/system/physmem.c +++ b/system/physmem.c @@ -XXX,XX +XXX,XX @@ void tcg_iommu_init_notifier_list(CPUState *cpu) MemoryRegionSection * address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr, hwaddr *xlat, hwaddr *plen, - MemTxAttrs attrs, int *prot) + MemTxAttrs attrs, int *prot, + MMUAccessType access_type) { MemoryRegionSection *section; IOMMUMemoryRegion *iommu_mr; IOMMUMemoryRegionClass *imrc; IOMMUTLBEntry iotlb; + IOMMUAccessFlags iommu_flags; int iommu_idx; hwaddr addr = orig_addr; AddressSpaceDispatch *d = cpu->cpu_ases[asidx].memory_dispatch; @@ -XXX,XX +XXX,XX @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr, iommu_idx = imrc->attrs_to_index(iommu_mr, attrs); tcg_register_iommu_notifier(cpu, iommu_mr, iommu_idx); - /* We need all the permissions, so pass IOMMU_NONE so the IOMMU - * doesn't short-cut its translation table walk. - */ - iotlb = imrc->translate(iommu_mr, addr, IOMMU_NONE, iommu_idx); + + if (access_type == MMU_DATA_STORE) { + iommu_flags = IOMMU_WO; + } else { + iommu_flags = IOMMU_RO; + } + + iotlb = imrc->translate(iommu_mr, addr, iommu_flags, iommu_idx); addr = ((iotlb.translated_addr & ~iotlb.addr_mask) | (addr & iotlb.addr_mask)); /* Update the caller's prot bits to remove permissions the IOMMU diff --git a/target/alpha/helper.c b/target/alpha/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/alpha/helper.c +++ b/target/alpha/helper.c @@ -XXX,XX +XXX,XX @@ bool alpha_cpu_tlb_fill(CPUState *cs, vaddr addr, int size, } tlb_set_page(cs, addr & TARGET_PAGE_MASK, phys & TARGET_PAGE_MASK, - prot, mmu_idx, TARGET_PAGE_SIZE); + prot, access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } diff --git a/target/arm/tcg/tlb_helper.c b/target/arm/tcg/tlb_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/tcg/tlb_helper.c +++ b/target/arm/tcg/tlb_helper.c @@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size, res.f.extra.arm.pte_attrs = res.cacheattrs.attrs; res.f.extra.arm.shareability = res.cacheattrs.shareability; - tlb_set_page_full(cs, mmu_idx, address, &res.f); + tlb_set_page_full(cs, mmu_idx, address, access_type, &res.f); return true; } else if (probe) { return false; diff --git a/target/avr/helper.c b/target/avr/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/avr/helper.c +++ b/target/avr/helper.c @@ -XXX,XX +XXX,XX @@ bool avr_cpu_tlb_fill(CPUState *cs, vaddr address, int size, } } - tlb_set_page(cs, address, paddr, prot, mmu_idx, page_size); + tlb_set_page(cs, address, paddr, prot, access_type, mmu_idx, page_size); return true; } diff --git a/target/cris/helper.c b/target/cris/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/cris/helper.c +++ b/target/cris/helper.c @@ -XXX,XX +XXX,XX @@ bool cris_cpu_tlb_fill(CPUState *cs, vaddr address, int size, phy = res.phy & ~0x80000000; prot = res.prot; tlb_set_page(cs, address & TARGET_PAGE_MASK, phy, - prot, mmu_idx, TARGET_PAGE_SIZE); + prot, access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } diff --git a/target/hppa/mem_helper.c b/target/hppa/mem_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/hppa/mem_helper.c +++ b/target/hppa/mem_helper.c @@ -XXX,XX +XXX,XX @@ bool hppa_cpu_tlb_fill(CPUState *cs, vaddr addr, int size, * because we record the large page here in the hppa tlb. */ tlb_set_page(cs, addr & TARGET_PAGE_MASK, phys & TARGET_PAGE_MASK, - prot, mmu_idx, TARGET_PAGE_SIZE); + prot, type, mmu_idx, TARGET_PAGE_SIZE); return true; } diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/excp_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/i386/tcg/sysemu/excp_helper.c +++ b/target/i386/tcg/sysemu/excp_helper.c @@ -XXX,XX +XXX,XX @@ bool x86_cpu_tlb_fill(CPUState *cs, vaddr addr, int size, tlb_set_page_with_attrs(cs, addr & TARGET_PAGE_MASK, out.paddr & TARGET_PAGE_MASK, cpu_get_mem_attrs(env), - out.prot, mmu_idx, out.page_size); + out.prot, access_type, mmu_idx, + out.page_size); return true; } diff --git a/target/loongarch/tcg/tlb_helper.c b/target/loongarch/tcg/tlb_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/loongarch/tcg/tlb_helper.c +++ b/target/loongarch/tcg/tlb_helper.c @@ -XXX,XX +XXX,XX @@ bool loongarch_cpu_tlb_fill(CPUState *cs, vaddr address, int size, if (ret == TLBRET_MATCH) { tlb_set_page(cs, address & TARGET_PAGE_MASK, physical & TARGET_PAGE_MASK, prot, - mmu_idx, TARGET_PAGE_SIZE); + access_type, mmu_idx, TARGET_PAGE_SIZE); qemu_log_mask(CPU_LOG_MMU, "%s address=%" VADDR_PRIx " physical " HWADDR_FMT_plx " prot %d\n", __func__, address, physical, prot); diff --git a/target/m68k/helper.c b/target/m68k/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/m68k/helper.c +++ b/target/m68k/helper.c @@ -XXX,XX +XXX,XX @@ bool m68k_cpu_tlb_fill(CPUState *cs, vaddr address, int size, tlb_set_page(cs, address & TARGET_PAGE_MASK, address & TARGET_PAGE_MASK, PAGE_READ | PAGE_WRITE | PAGE_EXEC, - mmu_idx, TARGET_PAGE_SIZE); + qemu_access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } @@ -XXX,XX +XXX,XX @@ bool m68k_cpu_tlb_fill(CPUState *cs, vaddr address, int size, address, access_type, &page_size); if (likely(ret == 0)) { tlb_set_page(cs, address & TARGET_PAGE_MASK, - physical & TARGET_PAGE_MASK, prot, mmu_idx, page_size); + physical & TARGET_PAGE_MASK, prot, qemu_access_type, + mmu_idx, page_size); return true; } @@ -XXX,XX +XXX,XX @@ void HELPER(ptest)(CPUM68KState *env, uint32_t addr, uint32_t is_read) int prot; int ret; target_ulong page_size; + MMUAccessType qemu_access_type; access_type = ACCESS_PTEST; if (env->dfc & 4) { @@ -XXX,XX +XXX,XX @@ void HELPER(ptest)(CPUM68KState *env, uint32_t addr, uint32_t is_read) } if ((env->dfc & 3) == 2) { access_type |= ACCESS_CODE; + qemu_access_type = MMU_INST_FETCH; } if (!is_read) { access_type |= ACCESS_STORE; + qemu_access_type = MMU_DATA_STORE; } env->mmu.mmusr = 0; @@ -XXX,XX +XXX,XX @@ void HELPER(ptest)(CPUM68KState *env, uint32_t addr, uint32_t is_read) if (ret == 0) { tlb_set_page(env_cpu(env), addr & TARGET_PAGE_MASK, physical & TARGET_PAGE_MASK, - prot, access_type & ACCESS_SUPER ? + prot, qemu_access_type, access_type & ACCESS_SUPER ? MMU_KERNEL_IDX : MMU_USER_IDX, page_size); } } diff --git a/target/microblaze/helper.c b/target/microblaze/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/microblaze/helper.c +++ b/target/microblaze/helper.c @@ -XXX,XX +XXX,XX @@ bool mb_cpu_tlb_fill(CPUState *cs, vaddr address, int size, /* MMU disabled or not available. */ address &= TARGET_PAGE_MASK; prot = PAGE_RWX; - tlb_set_page_with_attrs(cs, address, address, attrs, prot, mmu_idx, - TARGET_PAGE_SIZE); + tlb_set_page_with_attrs(cs, address, address, attrs, prot, access_type, + mmu_idx, TARGET_PAGE_SIZE); return true; } @@ -XXX,XX +XXX,XX @@ bool mb_cpu_tlb_fill(CPUState *cs, vaddr address, int size, qemu_log_mask(CPU_LOG_MMU, "MMU map mmu=%d v=%x p=%x prot=%x\n", mmu_idx, vaddr, paddr, lu.prot); - tlb_set_page_with_attrs(cs, vaddr, paddr, attrs, lu.prot, mmu_idx, - TARGET_PAGE_SIZE); + tlb_set_page_with_attrs(cs, vaddr, paddr, attrs, lu.prot, access_type, + mmu_idx, TARGET_PAGE_SIZE); return true; } diff --git a/target/mips/tcg/sysemu/tlb_helper.c b/target/mips/tcg/sysemu/tlb_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/mips/tcg/sysemu/tlb_helper.c +++ b/target/mips/tcg/sysemu/tlb_helper.c @@ -XXX,XX +XXX,XX @@ bool mips_cpu_tlb_fill(CPUState *cs, vaddr address, int size, if (ret == TLBRET_MATCH) { tlb_set_page(cs, address & TARGET_PAGE_MASK, physical & TARGET_PAGE_MASK, prot, - mmu_idx, TARGET_PAGE_SIZE); + access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } #if !defined(TARGET_MIPS64) @@ -XXX,XX +XXX,XX @@ bool mips_cpu_tlb_fill(CPUState *cs, vaddr address, int size, if (ret == TLBRET_MATCH) { tlb_set_page(cs, address & TARGET_PAGE_MASK, physical & TARGET_PAGE_MASK, prot, - mmu_idx, TARGET_PAGE_SIZE); + access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } } diff --git a/target/openrisc/mmu.c b/target/openrisc/mmu.c index XXXXXXX..XXXXXXX 100644 --- a/target/openrisc/mmu.c +++ b/target/openrisc/mmu.c @@ -XXX,XX +XXX,XX @@ bool openrisc_cpu_tlb_fill(CPUState *cs, vaddr addr, int size, if (likely(excp == 0)) { tlb_set_page(cs, addr & TARGET_PAGE_MASK, phys_addr & TARGET_PAGE_MASK, prot, - mmu_idx, TARGET_PAGE_SIZE); + access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } if (probe) { diff --git a/target/ppc/mmu_helper.c b/target/ppc/mmu_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/ppc/mmu_helper.c +++ b/target/ppc/mmu_helper.c @@ -XXX,XX +XXX,XX @@ bool ppc_cpu_tlb_fill(CPUState *cs, vaddr eaddr, int size, if (ppc_xlate(cpu, eaddr, access_type, &raddr, &page_size, &prot, mmu_idx, !probe)) { tlb_set_page(cs, eaddr & TARGET_PAGE_MASK, raddr & TARGET_PAGE_MASK, - prot, mmu_idx, 1UL << page_size); + prot, access_type, mmu_idx, 1UL << page_size); return true; } if (probe) { diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu_helper.c +++ b/target/riscv/cpu_helper.c @@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size, if (ret == TRANSLATE_SUCCESS) { tlb_set_page(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1), - prot, mmu_idx, tlb_size); + prot, access_type, mmu_idx, tlb_size); return true; } else if (probe) { return false; diff --git a/target/rx/cpu.c b/target/rx/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/rx/cpu.c +++ b/target/rx/cpu.c @@ -XXX,XX +XXX,XX @@ static bool rx_cpu_tlb_fill(CPUState *cs, vaddr addr, int size, /* Linear mapping */ address = physical = addr & TARGET_PAGE_MASK; prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC; - tlb_set_page(cs, address, physical, prot, mmu_idx, TARGET_PAGE_SIZE); + tlb_set_page(cs, address, physical, prot, access_type, + mmu_idx, TARGET_PAGE_SIZE); return true; } diff --git a/target/s390x/tcg/excp_helper.c b/target/s390x/tcg/excp_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/s390x/tcg/excp_helper.c +++ b/target/s390x/tcg/excp_helper.c @@ -XXX,XX +XXX,XX @@ bool s390_cpu_tlb_fill(CPUState *cs, vaddr address, int size, "%s: set tlb %" PRIx64 " -> %" PRIx64 " (%x)\n", __func__, (uint64_t)vaddr, (uint64_t)raddr, prot); tlb_set_page(cs, address & TARGET_PAGE_MASK, raddr, prot, - mmu_idx, TARGET_PAGE_SIZE); + access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } if (probe) { diff --git a/target/sh4/helper.c b/target/sh4/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/sh4/helper.c +++ b/target/sh4/helper.c @@ -XXX,XX +XXX,XX @@ bool superh_cpu_tlb_fill(CPUState *cs, vaddr address, int size, if (ret == MMU_OK) { address &= TARGET_PAGE_MASK; physical &= TARGET_PAGE_MASK; - tlb_set_page(cs, address, physical, prot, mmu_idx, TARGET_PAGE_SIZE); + tlb_set_page(cs, address, physical, prot, access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } if (probe) { diff --git a/target/sparc/mmu_helper.c b/target/sparc/mmu_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/sparc/mmu_helper.c +++ b/target/sparc/mmu_helper.c @@ -XXX,XX +XXX,XX @@ bool sparc_cpu_tlb_fill(CPUState *cs, vaddr address, int size, "Translate at %" VADDR_PRIx " -> " HWADDR_FMT_plx ", vaddr " TARGET_FMT_lx "\n", address, full.phys_addr, vaddr); - tlb_set_page_full(cs, mmu_idx, vaddr, &full); + tlb_set_page_full(cs, mmu_idx, vaddr, access_type, &full); return true; } @@ -XXX,XX +XXX,XX @@ bool sparc_cpu_tlb_fill(CPUState *cs, vaddr address, int size, neverland. Fake/overridden mappings will be flushed when switching to normal mode. */ full.prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC; - tlb_set_page_full(cs, mmu_idx, vaddr, &full); + tlb_set_page_full(cs, mmu_idx, vaddr, access_type, &full); return true; } else { if (access_type == MMU_INST_FETCH) { @@ -XXX,XX +XXX,XX @@ bool sparc_cpu_tlb_fill(CPUState *cs, vaddr address, int size, trace_mmu_helper_mmu_fault(address, full.phys_addr, mmu_idx, env->tl, env->dmmu.mmu_primary_context, env->dmmu.mmu_secondary_context); - tlb_set_page_full(cs, mmu_idx, address, &full); + tlb_set_page_full(cs, mmu_idx, address, access_type, &full); return true; } if (probe) { diff --git a/target/tricore/helper.c b/target/tricore/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/tricore/helper.c +++ b/target/tricore/helper.c @@ -XXX,XX +XXX,XX @@ bool tricore_cpu_tlb_fill(CPUState *cs, vaddr address, int size, if (ret == TLBRET_MATCH) { tlb_set_page(cs, address & TARGET_PAGE_MASK, physical & TARGET_PAGE_MASK, prot | PAGE_EXEC, - mmu_idx, TARGET_PAGE_SIZE); + rw, mmu_idx, TARGET_PAGE_SIZE); return true; } else { assert(ret < 0); diff --git a/target/xtensa/helper.c b/target/xtensa/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/xtensa/helper.c +++ b/target/xtensa/helper.c @@ -XXX,XX +XXX,XX @@ bool xtensa_cpu_tlb_fill(CPUState *cs, vaddr address, int size, tlb_set_page(cs, address & TARGET_PAGE_MASK, paddr & TARGET_PAGE_MASK, - access, mmu_idx, page_size); + access, access_type, mmu_idx, + page_size); return true; } else if (probe) { return false; -- 2.17.1 RISC-V WorldGuard will add 5-bit world_id (WID) to the each memory transaction on the bus. The wgChecker in front of RAM or peripherals MMIO could do the access control based on the WID. It is similar to ARM TrustZone NS bit, but the WID is 5-bit. The common implementation of WID is AXI4 AxUSER signal. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- include/exec/memattrs.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h index XXXXXXX..XXXXXXX 100644 --- a/include/exec/memattrs.h +++ b/include/exec/memattrs.h @@ -XXX,XX +XXX,XX @@ typedef struct MemTxAttrs { unsigned int memory:1; /* Requester ID (for MSI for example) */ unsigned int requester_id:16; + + /* + * RISC-V WorldGuard: the 5-bit WID of memory access. + */ + uint8_t world_id; } MemTxAttrs; /* Bus masters which don't specify any attributes will get this, -- 2.17.1 Add a device for RISCV WG global config, which contains the number of worlds, reset value, and trusted WID ... etc. This global config is used by both CPU WG extension and wgChecker devices. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- hw/misc/Kconfig | 3 + hw/misc/meson.build | 1 + hw/misc/riscv_worldguard.c | 183 +++++++++++++++++++++++++++++ include/hw/misc/riscv_worldguard.h | 55 +++++++++ 4 files changed, 242 insertions(+) create mode 100644 hw/misc/riscv_worldguard.c create mode 100644 include/hw/misc/riscv_worldguard.h diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/Kconfig +++ b/hw/misc/Kconfig @@ -XXX,XX +XXX,XX @@ config IOSB config XLNX_VERSAL_TRNG bool +config RISCV_WORLDGUARD + bool + source macio/Kconfig diff --git a/hw/misc/meson.build b/hw/misc/meson.build index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/meson.build +++ b/hw/misc/meson.build @@ -XXX,XX +XXX,XX @@ system_ss.add(when: 'CONFIG_SIFIVE_E_PRCI', if_true: files('sifive_e_prci.c')) system_ss.add(when: 'CONFIG_SIFIVE_E_AON', if_true: files('sifive_e_aon.c')) system_ss.add(when: 'CONFIG_SIFIVE_U_OTP', if_true: files('sifive_u_otp.c')) system_ss.add(when: 'CONFIG_SIFIVE_U_PRCI', if_true: files('sifive_u_prci.c')) +specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c')) subdir('macio') diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/hw/misc/riscv_worldguard.c @@ -XXX,XX +XXX,XX @@ +/* + * RISC-V WorldGuard Device + * + * Copyright (c) 2022 SiFive, Inc. + * + * This provides WorldGuard global config. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2 or later, as published by the Free Software Foundation. + * + * This program is distributed in the hope it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "qemu/log.h" +#include "exec/hwaddr.h" +#include "hw/registerfields.h" +#include "hw/sysbus.h" +#include "hw/hw.h" +#include "hw/qdev-properties.h" +#include "hw/misc/riscv_worldguard.h" +#include "hw/core/cpu.h" +#include "target/riscv/cpu.h" +#include "trace.h" + +/* + * WorldGuard global config: + * List the global setting of WG, like num-of-worlds. It is unique in the machine. + * All CPUs with WG extension and wgChecker devices will use it. + */ +struct RISCVWorldGuardState *worldguard_config = NULL; + +static Property riscv_worldguard_properties[] = { + DEFINE_PROP_UINT32("nworlds", RISCVWorldGuardState, nworlds, 0), + + /* Only Trusted WID could access wgCheckers if it is enabled. */ + DEFINE_PROP_UINT32("trustedwid", RISCVWorldGuardState, trustedwid, NO_TRUSTEDWID), + + /* + * WG reset value is bypass mode in HW. All WG permission checkings are + * pass by default, so SW could correctly run on the machine w/o any WG + * programming. + */ + DEFINE_PROP_BOOL("hw-bypass", RISCVWorldGuardState, hw_bypass, false), + + /* + * TrustZone compatible mode: + * This mode is only supported in 2 worlds system. It converts WorldGuard + * WID to TZ NS signal on the bus so WG could be cooperated with + * TZ components. In QEMU, it converts WID to 'MemTxAttrs.secure' bit used + * by TZ. + */ + DEFINE_PROP_BOOL("tz-compat", RISCVWorldGuardState, tz_compat, false), + DEFINE_PROP_END_OF_LIST(), +}; + +/* WID to MemTxAttrs converter */ +static void wid_to_mem_attrs(MemTxAttrs *attrs, uint32_t wid) +{ + g_assert(wid < worldguard_config->nworlds); + + attrs->unspecified = 0; + if (worldguard_config->tz_compat) { + attrs->secure = wid; + } else { + attrs->world_id = wid; + } +} + +/* MemTxAttrs to WID converter */ +uint32_t mem_attrs_to_wid(MemTxAttrs attrs) +{ + if (attrs.unspecified) { + if (worldguard_config->trustedwid != NO_TRUSTEDWID) { + return worldguard_config->trustedwid; + } else { + return worldguard_config->nworlds - 1; + } + } + + if (worldguard_config->tz_compat) { + return attrs.secure; + } else { + return attrs.world_id; + } +} + +bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock) +{ + uint32_t wid = mem_attrs_to_wid(attrs); + uint32_t trustedwid = worldguard_config->trustedwid; + + if ((trustedwid == NO_TRUSTEDWID) || (wid == trustedwid)) { + return true; + } else { + /* + * Only Trusted WID could access WG blocks if having it. + * Access them from other WIDs will get failed. + */ + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Invalid access to %s from non-trusted WID %d\n", + __func__, wgblock, wid); + + return false; + } +} + +static void riscv_worldguard_realize(DeviceState *dev, Error **errp) +{ + RISCVWorldGuardState *s = RISCV_WORLDGUARD(dev); + + if (worldguard_config != NULL) { + error_setg(errp, "Couldn't realize multiple global WorldGuard configs."); + return; + } + + if ((s->nworlds) & (s->nworlds - 1)) { + error_setg(errp, "Current implementation only support power-of-2 NWorld."); + return; + } + + if ((s->trustedwid != NO_TRUSTEDWID) && (s->trustedwid >= s->nworlds)) { + error_setg(errp, "Trusted WID must be less than the number of world."); + return; + } + + if ((s->nworlds != 2) && (s->tz_compat)) { + error_setg(errp, "Only 2 worlds system could use TrustZone compatible mode."); + return; + } + + /* Register WG global config */ + worldguard_config = s; + + /* Initialize global data for wgChecker */ + wgc_slot_perm_mask = MAKE_64BIT_MASK(0, 2 * worldguard_config->nworlds); +} + +static void riscv_worldguard_class_init(ObjectClass *klass, void *data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + + device_class_set_props(dc, riscv_worldguard_properties); + dc->user_creatable = true; + dc->realize = riscv_worldguard_realize; +} + +static const TypeInfo riscv_worldguard_info = { + .name = TYPE_RISCV_WORLDGUARD, + .parent = TYPE_DEVICE, + .instance_size = sizeof(RISCVWorldGuardState), + .class_init = riscv_worldguard_class_init, +}; + +/* + * Create WorldGuard global config + */ +DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid, + bool hw_bypass, bool tz_compat) +{ + DeviceState *dev = qdev_new(TYPE_RISCV_WORLDGUARD); + qdev_prop_set_uint32(dev, "nworlds", nworlds); + qdev_prop_set_uint32(dev, "trustedwid", trustedwid); + qdev_prop_set_bit(dev, "hw-bypass", hw_bypass); + qdev_prop_set_bit(dev, "tz-compat", tz_compat); + qdev_realize(DEVICE(dev), NULL, &error_fatal); + return dev; +} + +static void riscv_worldguard_register_types(void) +{ + type_register_static(&riscv_worldguard_info); +} + +type_init(riscv_worldguard_register_types) diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/include/hw/misc/riscv_worldguard.h @@ -XXX,XX +XXX,XX @@ +/* + * RISC-V WorldGuard Devices + * + * Copyright (c) 2022 RISCV, Inc. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2 or later, as published by the Free Software Foundation. + * + * This program is distributed in the hope it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef HW_RISCV_WORLDGUARD_H +#define HW_RISCV_WORLDGUARD_H + +#include "qom/object.h" +#include "hw/sysbus.h" +#include "exec/hwaddr.h" + +#define TYPE_RISCV_WORLDGUARD "riscv.worldguard" + +#define NO_TRUSTEDWID UINT32_MAX + +typedef struct RISCVWorldGuardState RISCVWorldGuardState; +DECLARE_INSTANCE_CHECKER(RISCVWorldGuardState, RISCV_WORLDGUARD, + TYPE_RISCV_WORLDGUARD) + +struct RISCVWorldGuardState { + /*< private >*/ + DeviceState parent_obj; + + /*< public >*/ + + /* Property */ + uint32_t nworlds; + uint32_t trustedwid; + bool hw_bypass; + bool tz_compat; +}; + +extern struct RISCVWorldGuardState *worldguard_config; + +DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid, + bool hw_bypass, bool tz_compat); + +uint32_t mem_attrs_to_wid(MemTxAttrs attrs); +bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock); + +#endif -- 2.17.1 We define CPU options for WG CSR support in RISC-V CPUs which can be set by machine/device emulation. The RISC-V CSR emulation will also check this feature for emulating WG CSRs. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- target/riscv/cpu.c | 8 ++++++++ target/riscv/cpu_cfg.h | 3 +++ target/riscv/tcg/tcg-cpu.c | 11 +++++++++++ 3 files changed, 22 insertions(+) diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.c +++ b/target/riscv/cpu.c @@ -XXX,XX +XXX,XX @@ const RISCVIsaExtData isa_edata_arr[] = { ISA_EXT_DATA_ENTRY(xtheadmempair, PRIV_VERSION_1_11_0, ext_xtheadmempair), ISA_EXT_DATA_ENTRY(xtheadsync, PRIV_VERSION_1_11_0, ext_xtheadsync), ISA_EXT_DATA_ENTRY(xventanacondops, PRIV_VERSION_1_12_0, ext_XVentanaCondOps), + ISA_EXT_DATA_ENTRY(smwg, PRIV_VERSION_1_12_0, ext_smwg), + ISA_EXT_DATA_ENTRY(smwgd, PRIV_VERSION_1_12_0, ext_smwgd), + ISA_EXT_DATA_ENTRY(sswg, PRIV_VERSION_1_12_0, ext_sswg), DEFINE_PROP_END_OF_LIST(), }; @@ -XXX,XX +XXX,XX @@ const RISCVCPUMultiExtConfig riscv_cpu_experimental_exts[] = { const RISCVCPUMultiExtConfig riscv_cpu_named_features[] = { MULTI_EXT_CFG_BOOL("zic64b", ext_zic64b, true), + /* RISC-V WorldGuard v0.4 */ + MULTI_EXT_CFG_BOOL("x-smwg", ext_smwg, false), + MULTI_EXT_CFG_BOOL("x-smwgd", ext_smwgd, false), + MULTI_EXT_CFG_BOOL("x-sswg", ext_sswg, false), + DEFINE_PROP_END_OF_LIST(), }; diff --git a/target/riscv/cpu_cfg.h b/target/riscv/cpu_cfg.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu_cfg.h +++ b/target/riscv/cpu_cfg.h @@ -XXX,XX +XXX,XX @@ struct RISCVCPUConfig { bool ext_ssaia; bool ext_sscofpmf; bool ext_smepmp; + bool ext_smwg; + bool ext_smwgd; + bool ext_sswg; bool rvv_ta_all_1s; bool rvv_ma_all_1s; diff --git a/target/riscv/tcg/tcg-cpu.c b/target/riscv/tcg/tcg-cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/tcg/tcg-cpu.c +++ b/target/riscv/tcg/tcg-cpu.c @@ -XXX,XX +XXX,XX @@ void riscv_cpu_validate_set_extensions(RISCVCPU *cpu, Error **errp) cpu->pmu_avail_ctrs = 0; } + /* RISC-V WorldGuard */ + if (cpu->cfg.ext_sswg && !cpu->cfg.ext_smwg) { + error_setg(errp, "Sswg extension requires Smwg extension"); + return; + } + + if (cpu->cfg.ext_smwgd != cpu->cfg.ext_sswg) { + error_setg(errp, "Smwgd/Sswg extensions should be enabled together"); + return; + } + /* * Disable isa extensions based on priv spec after we * validated and set everything we need. -- 2.17.1 Add hard-coded state of WG extension. 'mwid' is the M-mode WID of CPU. 'mwidlist' is the list of allowed WID value of 'mlwid' CSR. These CPU states can be set by CPU option, or can be set by machine code via newly added APIs. If we want different WG configs of CPUs, we should set it by machine code. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- target/riscv/cpu.c | 2 ++ target/riscv/cpu.h | 2 ++ target/riscv/cpu_cfg.h | 2 ++ target/riscv/cpu_helper.c | 18 ++++++++++++++++++ 4 files changed, 24 insertions(+) diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.c +++ b/target/riscv/cpu.c @@ -XXX,XX +XXX,XX @@ static Property riscv_cpu_properties[] = { * it with -x and default to 'false'. */ DEFINE_PROP_BOOL("x-misa-w", RISCVCPU, cfg.misa_w, false), + DEFINE_PROP_UINT32("mwid", RISCVCPU, cfg.mwid, UINT32_MAX), + DEFINE_PROP_UINT32("mwidlist", RISCVCPU, cfg.mwidlist, UINT32_MAX), DEFINE_PROP_END_OF_LIST(), }; diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.h +++ b/target/riscv/cpu.h @@ -XXX,XX +XXX,XX @@ void riscv_cpu_set_aia_ireg_rmw_fn(CPURISCVState *env, uint32_t priv, void *rmw_fn_arg); RISCVException smstateen_acc_ok(CPURISCVState *env, int index, uint64_t bit); +void riscv_cpu_set_wg_mwid(CPURISCVState *env, uint32_t mwid); +void riscv_cpu_set_wg_mwidlist(CPURISCVState *env, uint32_t mwidlist); #endif /* !CONFIG_USER_ONLY */ void riscv_cpu_set_mode(CPURISCVState *env, target_ulong newpriv); diff --git a/target/riscv/cpu_cfg.h b/target/riscv/cpu_cfg.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu_cfg.h +++ b/target/riscv/cpu_cfg.h @@ -XXX,XX +XXX,XX @@ struct RISCVCPUConfig { bool pmp; bool debug; bool misa_w; + uint32_t mwid; + uint32_t mwidlist; bool short_isa_string; diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu_helper.c +++ b/target/riscv/cpu_helper.c @@ -XXX,XX +XXX,XX @@ void cpu_get_tb_cpu_state(CPURISCVState *env, vaddr *pc, *pflags = flags; } +#ifndef CONFIG_USER_ONLY +void riscv_cpu_set_wg_mwid(CPURISCVState *env, uint32_t mwid) +{ + CPUState *cs = env_cpu(env); + RISCVCPU *cpu = RISCV_CPU(cs); + + cpu->cfg.mwid = mwid; +} + +void riscv_cpu_set_wg_mwidlist(CPURISCVState *env, uint32_t mwidlist) +{ + CPUState *cs = env_cpu(env); + RISCVCPU *cpu = RISCV_CPU(cs); + + cpu->cfg.mwidlist = mwidlist; +} +#endif /* CONFIG_USER_ONLY */ + void riscv_cpu_update_mask(CPURISCVState *env) { target_ulong mask = 0, base = 0; -- 2.17.1 Add CSRs for 3 WG extensions: Smwg, Smwgd, and Sswg. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- target/riscv/cpu_bits.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu_bits.h +++ b/target/riscv/cpu_bits.h @@ -XXX,XX +XXX,XX @@ #define CSR_DPC 0x7b1 #define CSR_DSCRATCH 0x7b2 +/* RISC-V WorldGuard */ +#define CSR_MLWID 0x390 +#define CSR_SLWID 0x190 +#define CSR_MWIDDELEG 0x748 + /* Performance Counters */ #define CSR_MHPMCOUNTER3 0xb03 #define CSR_MHPMCOUNTER4 0xb04 -- 2.17.1 Some WG CPU functions depend on global WG config (like num-of-world), so we let the global WG config device to set callbacks of a RISC-V HART. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- target/riscv/cpu.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.h +++ b/target/riscv/cpu.h @@ -XXX,XX +XXX,XX @@ struct CPUArchState { uint64_t kvm_timer_state; uint64_t kvm_timer_frequency; #endif /* CONFIG_KVM */ + + /* machine specific WorldGuard callback */ + void (*wg_reset)(CPURISCVState *env); + void (*wid_to_mem_attrs)(MemTxAttrs *attrs, uint32_t wid); }; /* -- 2.17.1 The WG v0.4 specification adds 3 CSRs to configure S/U/HS/VS-mode WIDs of CPUs in the higher privileged modes. The Smwg extension at least requires a RISC-V HART to have M/U-mode, and the Sswg/Smwgd extension at least requires a RISC-V HART to have M/S/U-mode. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- target/riscv/cpu.c | 4 ++ target/riscv/cpu.h | 5 +++ target/riscv/csr.c | 107 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 116 insertions(+) diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.c +++ b/target/riscv/cpu.c @@ -XXX,XX +XXX,XX @@ static void riscv_cpu_reset_hold(Object *obj, ResetType type) riscv_trigger_reset_hold(env); } + if (riscv_cpu_cfg(env)->ext_smwg && env->wg_reset) { + env->wg_reset(env); + } + if (kvm_enabled()) { kvm_riscv_reset_vcpu(cpu); } diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.h +++ b/target/riscv/cpu.h @@ -XXX,XX +XXX,XX @@ struct CPUArchState { uint64_t kvm_timer_frequency; #endif /* CONFIG_KVM */ + /* RISC-V WorldGuard */ + target_ulong mlwid; + target_ulong slwid; + target_ulong mwiddeleg; + /* machine specific WorldGuard callback */ void (*wg_reset)(CPURISCVState *env); void (*wid_to_mem_attrs)(MemTxAttrs *attrs, uint32_t wid); diff --git a/target/riscv/csr.c b/target/riscv/csr.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/csr.c +++ b/target/riscv/csr.c @@ -XXX,XX +XXX,XX @@ static RISCVException write_upmbase(CPURISCVState *env, int csrno, return RISCV_EXCP_NONE; } +/* RISC-V Worldguard */ +static RISCVException worldguard_umode(CPURISCVState *env, int csrno) +{ + if (!riscv_cpu_cfg(env)->ext_smwg) { + return RISCV_EXCP_ILLEGAL_INST; + } + + return umode(env, csrno); +} + +static RISCVException worldguard_sumode(CPURISCVState *env, int csrno) +{ + RISCVException ret; + + if (!riscv_cpu_cfg(env)->ext_sswg) { + return RISCV_EXCP_ILLEGAL_INST; + } + + ret = smode(env, csrno); + + if (ret != RISCV_EXCP_NONE) { + return ret; + } + + return umode(env, csrno); +} + +static RISCVException rmw_mlwid(CPURISCVState *env, int csrno, + target_ulong *ret_val, + target_ulong new_val, target_ulong wr_mask) +{ + CPUState *cs = env_cpu(env); + RISCVCPU *cpu = RISCV_CPU(cs); + target_ulong new_mlwid = (env->mlwid & ~wr_mask) | (new_val & wr_mask); + + if (ret_val) { + *ret_val = env->mlwid; + } + + g_assert(cpu->cfg.mwidlist); + if (!(BIT(new_mlwid) & cpu->cfg.mwidlist)) { + /* Set WID to lowest legal value if writing illegal value (WARL) */ + new_mlwid = find_first_bit((unsigned long *)&cpu->cfg.mwidlist, 32); + } + + if (env->mlwid != new_mlwid) { + env->mlwid = new_mlwid; + tlb_flush(cs); + } + + return RISCV_EXCP_NONE; +} + +static RISCVException rmw_slwid(CPURISCVState *env, int csrno, + target_ulong *ret_val, + target_ulong new_val, target_ulong wr_mask) +{ + target_ulong new_slwid = (env->slwid & ~wr_mask) | (new_val & wr_mask); + + if (!env->mwiddeleg) { + /* + * When mwiddeleg CSR is zero, access to slwid raises an illegal + * instruction exception. + */ + return RISCV_EXCP_ILLEGAL_INST; + } + + if (ret_val) { + *ret_val = env->slwid; + } + + if (!(BIT(new_slwid) & env->mwiddeleg)) { + /* Set WID to lowest legal value if writing illegal value (WARL) */ + new_slwid = find_first_bit( + (unsigned long *)&env->mwiddeleg, TARGET_LONG_BITS); + } + + if (env->slwid != new_slwid) { + env->slwid = new_slwid; + tlb_flush(env_cpu(env)); + } + + return RISCV_EXCP_NONE; +} + +static RISCVException rmw_mwiddeleg(CPURISCVState *env, int csrno, + target_ulong *ret_val, + target_ulong new_val, target_ulong wr_mask) +{ + CPUState *cs = env_cpu(env); + RISCVCPU *cpu = RISCV_CPU(cs); + + if (ret_val) { + *ret_val = env->mwiddeleg; + } + + env->mwiddeleg = (env->mwiddeleg & ~wr_mask) | (new_val & wr_mask); + + /* Core wgMarker can only have WID value in mwidlist. */ + env->mwiddeleg &= cpu->cfg.mwidlist; + + return RISCV_EXCP_NONE; +} #endif /* Crypto Extension */ @@ -XXX,XX +XXX,XX @@ riscv_csr_operations csr_ops[CSR_TABLE_SIZE] = { [CSR_SCOUNTOVF] = { "scountovf", sscofpmf, read_scountovf, .min_priv_ver = PRIV_VERSION_1_12_0 }, + /* RISC-V WorldGuard */ + [CSR_MLWID] = { "mlwid", worldguard_umode, NULL, NULL, rmw_mlwid }, + [CSR_SLWID] = { "slwid", worldguard_sumode, NULL, NULL, rmw_slwid }, + [CSR_MWIDDELEG] = { "mwiddeleg", worldguard_sumode, NULL, NULL, rmw_mwiddeleg }, #endif /* !CONFIG_USER_ONLY */ }; -- 2.17.1 When a RISC-V HART has WG extension, their memory transactions will contain WID. Support MemTxAttrs in RISC-V target and add WID inside if a HART has WG extension. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- target/riscv/cpu.c | 2 +- target/riscv/cpu.h | 1 + target/riscv/cpu_helper.c | 51 ++++++++++++++++++++++++++++++++++++--- 3 files changed, 50 insertions(+), 4 deletions(-) diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.c +++ b/target/riscv/cpu.c @@ -XXX,XX +XXX,XX @@ static int64_t riscv_get_arch_id(CPUState *cs) #include "hw/core/sysemu-cpu-ops.h" static const struct SysemuCPUOps riscv_sysemu_ops = { - .get_phys_page_debug = riscv_cpu_get_phys_page_debug, + .get_phys_page_attrs_debug = riscv_cpu_get_phys_page_attrs_debug, .write_elf64_note = riscv_cpu_write_elf64_note, .write_elf32_note = riscv_cpu_write_elf32_note, .legacy_vmsd = &vmstate_riscv_cpu, diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.h +++ b/target/riscv/cpu.h @@ -XXX,XX +XXX,XX @@ void riscv_cpu_set_geilen(CPURISCVState *env, target_ulong geilen); bool riscv_cpu_vector_enabled(CPURISCVState *env); void riscv_cpu_set_virt_enabled(CPURISCVState *env, bool enable); int riscv_env_mmu_index(CPURISCVState *env, bool ifetch); +hwaddr riscv_cpu_get_phys_page_attrs_debug(CPUState *cpu, vaddr addr, MemTxAttrs *attrs); G_NORETURN void riscv_cpu_do_unaligned_access(CPUState *cs, vaddr addr, MMUAccessType access_type, int mmu_idx, uintptr_t retaddr); diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu_helper.c +++ b/target/riscv/cpu_helper.c @@ -XXX,XX +XXX,XX @@ void cpu_get_tb_cpu_state(CPURISCVState *env, vaddr *pc, } #ifndef CONFIG_USER_ONLY +static uint32_t riscv_cpu_wg_get_wid(CPURISCVState *env, int mode) +{ + CPUState *cs = env_cpu(env); + RISCVCPU *cpu = RISCV_CPU(cs); + bool virt = env->virt_enabled; + + if (mode == PRV_M) { + return cpu->cfg.mwid; + } else if (mode == PRV_S) { + if (!virt || !env->mwiddeleg) { + /* HS-mode, S-mode w/o RVH, or VS-mode but mwiddeleg = 0 */ + return env->mlwid; + } else { + /* VS-mode */ + return env->slwid; + } + } else if (mode == PRV_U) { + if (!riscv_has_ext(env, RVS) || !env->mwiddeleg) { + /* M/U mode CPU or mwiddeleg = 0 */ + return env->mlwid; + } else { + return env->slwid; + } + } + + return cpu->cfg.mwid; +} + void riscv_cpu_set_wg_mwid(CPURISCVState *env, uint32_t mwid) { CPUState *cs = env_cpu(env); @@ -XXX,XX +XXX,XX @@ static void raise_mmu_exception(CPURISCVState *env, target_ulong address, env->two_stage_indirect_lookup = two_stage_indirect; } -hwaddr riscv_cpu_get_phys_page_debug(CPUState *cs, vaddr addr) +hwaddr riscv_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr, MemTxAttrs *attrs) { RISCVCPU *cpu = RISCV_CPU(cs); CPURISCVState *env = &cpu->env; hwaddr phys_addr; int prot; int mmu_idx = riscv_env_mmu_index(&cpu->env, false); + int mode = mmuidx_priv(mmu_idx); + uint32_t wid; + + if (riscv_cpu_cfg(env)->ext_smwg && env->wid_to_mem_attrs) { + wid = riscv_cpu_wg_get_wid(env, mode); + env->wid_to_mem_attrs(attrs, wid); + } else { + *attrs = MEMTXATTRS_UNSPECIFIED; + } if (get_physical_address(env, &phys_addr, &prot, addr, NULL, 0, mmu_idx, true, env->virt_enabled, true)) { @@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size, int mode = mmuidx_priv(mmu_idx); /* default TLB page size */ target_ulong tlb_size = TARGET_PAGE_SIZE; + uint32_t wid; + MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; env->guest_phys_fault_addr = 0; qemu_log_mask(CPU_LOG_MMU, "%s ad %" VADDR_PRIx " rw %d mmu_idx %d\n", __func__, address, access_type, mmu_idx); + if (riscv_cpu_cfg(env)->ext_smwg && env->wid_to_mem_attrs) { + mode = mmuidx_priv(mmu_idx); + wid = riscv_cpu_wg_get_wid(env, mode); + env->wid_to_mem_attrs(&attrs, wid); + } + pmu_tlb_fill_incr_ctr(cpu, access_type); if (two_stage_lookup) { /* Two stage lookup */ @@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size, } if (ret == TRANSLATE_SUCCESS) { - tlb_set_page(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1), - prot, access_type, mmu_idx, tlb_size); + tlb_set_page_with_attrs(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1), + attrs, prot, access_type, mmu_idx, tlb_size); return true; } else if (probe) { return false; -- 2.17.1 riscv_worldguard_apply_cpu() could enable WG CPU extension and set WG callback to CPUs. It is used by machine code after realizing global WG device. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- hw/misc/riscv_worldguard.c | 87 ++++++++++++++++++++++++++++++ include/hw/misc/riscv_worldguard.h | 1 + 2 files changed, 88 insertions(+) diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/riscv_worldguard.c +++ b/hw/misc/riscv_worldguard.c @@ -XXX,XX +XXX,XX @@ uint32_t mem_attrs_to_wid(MemTxAttrs attrs) } } +static void riscv_cpu_wg_reset(CPURISCVState *env) +{ + CPUState *cs = env_cpu(env); + RISCVCPU *cpu = RISCV_CPU(cs); + uint32_t mlwid, slwid, mwiddeleg; + uint32_t trustedwid; + + if (!riscv_cpu_cfg(env)->ext_smwg) { + return; + } + + if (worldguard_config == NULL) { + /* + * Note: This reset is dummy now and WG CSRs will be reset again + * after worldguard_config is realized. + */ + return; + } + + trustedwid = worldguard_config->trustedwid; + if (trustedwid == NO_TRUSTEDWID) { + trustedwid = worldguard_config->nworlds - 1; + } + + /* Reset mlwid, slwid, mwiddeleg CSRs */ + if (worldguard_config->hw_bypass) { + /* HW bypass mode */ + mlwid = trustedwid; + } else { + mlwid = 0; + } + slwid = 0; + mwiddeleg = 0; + + env->mlwid = mlwid; + if (riscv_cpu_cfg(env)->ext_sswg) { + env->slwid = slwid; + env->mwiddeleg = mwiddeleg; + } + + /* Check mwid, mwidlist config */ + if (worldguard_config != NULL) { + uint32_t valid_widlist = MAKE_64BIT_MASK(0, worldguard_config->nworlds); + + /* CPU use default mwid / mwidlist config if not set */ + if (cpu->cfg.mwidlist == UINT32_MAX) { + /* mwidlist contains all WIDs */ + cpu->cfg.mwidlist = valid_widlist; + } + if (cpu->cfg.mwid == UINT32_MAX) { + cpu->cfg.mwid = trustedwid; + } + + /* Check if mwid/mwidlist HW config is valid in NWorld. */ + g_assert((cpu->cfg.mwidlist & ~valid_widlist) == 0); + g_assert(cpu->cfg.mwid < worldguard_config->nworlds); + } +} + +/* + * riscv_worldguard_apply_cpu - Enable WG extension of CPU + * + * Note: This API should be used after global WG device is created + * (riscv_worldguard_realize()). + */ +void riscv_worldguard_apply_cpu(uint32_t hartid) +{ + /* WG global config should exist */ + g_assert(worldguard_config); + + CPUState *cpu = qemu_get_cpu(hartid); + RISCVCPU *rcpu = RISCV_CPU(cpu); + CPURISCVState *env = cpu ? cpu_env(cpu) : NULL; + + rcpu->cfg.ext_smwg = true; + if (riscv_has_ext(env, RVS) && riscv_has_ext(env, RVU)) { + rcpu->cfg.ext_sswg = true; + } + + /* Set machine specific WorldGuard callback */ + env->wg_reset = riscv_cpu_wg_reset; + env->wid_to_mem_attrs = wid_to_mem_attrs; + + /* Reset WG CSRs in CPU */ + env->wg_reset(env); +} + bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock) { uint32_t wid = mem_attrs_to_wid(attrs); diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/misc/riscv_worldguard.h +++ b/include/hw/misc/riscv_worldguard.h @@ -XXX,XX +XXX,XX @@ extern struct RISCVWorldGuardState *worldguard_config; DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid, bool hw_bypass, bool tz_compat); +void riscv_worldguard_apply_cpu(uint32_t hartid); uint32_t mem_attrs_to_wid(MemTxAttrs attrs); bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock); -- 2.17.1 Implement the RISC-V WorldGuard Checker, which sits in front of RAM or device MMIO and allow software to configure it to either pass through or reject transactions. We implement the wgChecker as a QEMU IOMMU, which will direct transactions either through to the devices and memory behind it or to a special "never works" AddressSpace if they are blocked. This initial commit implements the skeleton of the device: * it always permits accesses * it doesn't implement wgChecker's slot registers * it doesn't implement the interrupt or other behaviour for blocked transactions Signed-off-by: Jim Shu <jim.shu@sifive.com> --- hw/misc/meson.build | 2 +- hw/misc/riscv_wgchecker.c | 604 +++++++++++++++++++++++++++++ hw/misc/trace-events | 8 + include/hw/misc/riscv_worldguard.h | 63 +++ 4 files changed, 676 insertions(+), 1 deletion(-) create mode 100644 hw/misc/riscv_wgchecker.c diff --git a/hw/misc/meson.build b/hw/misc/meson.build index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/meson.build +++ b/hw/misc/meson.build @@ -XXX,XX +XXX,XX @@ system_ss.add(when: 'CONFIG_SIFIVE_E_PRCI', if_true: files('sifive_e_prci.c')) system_ss.add(when: 'CONFIG_SIFIVE_E_AON', if_true: files('sifive_e_aon.c')) system_ss.add(when: 'CONFIG_SIFIVE_U_OTP', if_true: files('sifive_u_otp.c')) system_ss.add(when: 'CONFIG_SIFIVE_U_PRCI', if_true: files('sifive_u_prci.c')) -specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c')) +specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c', 'riscv_wgchecker.c')) subdir('macio') diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/hw/misc/riscv_wgchecker.c @@ -XXX,XX +XXX,XX @@ +/* + * RISC-V WorldGuard Checker Device + * + * Copyright (c) 2022 SiFive, Inc. + * + * This provides WorldGuard Checker model. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2 or later, as published by the Free Software Foundation. + * + * This program is distributed in the hope it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "qemu/log.h" +#include "exec/hwaddr.h" +#include "exec/exec-all.h" +#include "hw/irq.h" +#include "hw/registerfields.h" +#include "hw/sysbus.h" +#include "hw/hw.h" +#include "hw/qdev-properties.h" +#include "hw/misc/riscv_worldguard.h" +#include "target/riscv/cpu.h" +#include "trace.h" + +/* Common */ +REG32(VENDOR, 0x000) +REG32(IMPID, 0x004) + +/* wgChecker */ +REG32(NSLOTS, 0x008) +REG64(ERRCAUSE, 0x010) + FIELD(ERRCAUSE, WID, 0, 8) + FIELD(ERRCAUSE, R, 8, 1) + FIELD(ERRCAUSE, W, 9, 1) + FIELD(ERRCAUSE, BE, 62, 1) + FIELD(ERRCAUSE, IP, 63, 1) + +#define ERRCAUSE_MASK \ + (R_ERRCAUSE_WID_MASK | \ + R_ERRCAUSE_R_MASK | \ + R_ERRCAUSE_W_MASK | \ + R_ERRCAUSE_BE_MASK | \ + R_ERRCAUSE_IP_MASK) + +REG64(ERRADDR, 0x018) + +/* + * Accesses only reach these read and write functions if the wgChecker + * is blocking them; non-blocked accesses go directly to the downstream + * memory region without passing through this code. + */ +static MemTxResult riscv_wgc_mem_blocked_read(void *opaque, hwaddr addr, + uint64_t *pdata, + unsigned size, MemTxAttrs attrs) +{ + uint32_t wid = mem_attrs_to_wid(attrs); + + trace_riscv_wgc_mem_blocked_read(addr, size, wid); + + *pdata = 0; + return MEMTX_OK; +} + +static MemTxResult riscv_wgc_mem_blocked_write(void *opaque, hwaddr addr, + uint64_t value, + unsigned size, MemTxAttrs attrs) +{ + uint32_t wid = mem_attrs_to_wid(attrs); + + trace_riscv_wgc_mem_blocked_write(addr, value, size, wid); + + return MEMTX_OK; +} + +static const MemoryRegionOps riscv_wgc_mem_blocked_ops = { + .read_with_attrs = riscv_wgc_mem_blocked_read, + .write_with_attrs = riscv_wgc_mem_blocked_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .valid.min_access_size = 1, + .valid.max_access_size = 8, + .impl.min_access_size = 1, + .impl.max_access_size = 8, +}; + +static IOMMUTLBEntry riscv_wgc_translate(IOMMUMemoryRegion *iommu, + hwaddr addr, IOMMUAccessFlags flags, + int iommu_idx) +{ + WgCheckerRegion *region = container_of(iommu, WgCheckerRegion, upstream); + RISCVWgCheckerState *s = RISCV_WGCHECKER(region->wgchecker); + hwaddr phys_addr; + uint64_t region_size; + + IOMMUTLBEntry ret = { + .iova = addr & ~WG_ALIGNED_MASK, + .translated_addr = addr & ~WG_ALIGNED_MASK, + .addr_mask = WG_ALIGNED_MASK, + .perm = IOMMU_RW, + }; + + /* addr shouldn't exceed region size of down/upstream. */ + region_size = memory_region_size(region->downstream); + g_assert(addr < region_size); + + /* + * Look at the wgChecker configuration for this address, and + * return a TLB entry directing the transaction at either + * downstream_as or blocked_io_as, as appropriate. + * For the moment, always permit accesses. + */ + + /* Use physical address instead of offset */ + phys_addr = addr + region->region_offset; + + is_success = true; + + trace_riscv_wgc_translate(phys_addr, flags, + iommu_idx, is_success ? "pass" : "block"); + + ret.target_as = is_success ? &region->downstream_as : &region->blocked_io_as; + return ret; +} + +static int riscv_wgc_attrs_to_index(IOMMUMemoryRegion *iommu, MemTxAttrs attrs) +{ + return mem_attrs_to_wid(attrs); +} + +static int riscv_wgc_num_indexes(IOMMUMemoryRegion *iommu) +{ + return worldguard_config->nworlds; +} + +static uint64_t riscv_wgchecker_readq(void *opaque, hwaddr addr) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + uint64_t val = 0; + + switch (addr) { + case A_ERRCAUSE: + val = s->errcause & ERRCAUSE_MASK; + break; + case A_ERRADDR: + val = s->erraddr; + break; + case A_NSLOTS: + val = s->slot_count; + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 8); + break; + } + + return val; +} + +static uint64_t riscv_wgchecker_readl(void *opaque, hwaddr addr) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + uint64_t val = 0; + + switch (addr) { + case A_VENDOR: + val = 0; + break; + case A_IMPID: + val = 0; + break; + case A_NSLOTS: + val = extract64(s->slot_count, 0, 32); + break; + case A_NSLOTS + 4: + val = extract64(s->slot_count, 0, 32); + break; + case A_ERRCAUSE: + val = s->errcause & ERRCAUSE_MASK; + val = extract64(val, 0, 32); + break; + case A_ERRCAUSE + 4: + val = s->errcause & ERRCAUSE_MASK; + val = extract64(val, 32, 32); + break; + case A_ERRADDR: + val = extract64(s->erraddr, 0, 32); + break; + case A_ERRADDR + 4: + val = extract64(s->erraddr, 32, 32); + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 4); + break; + } + + return val; +} + +static uint64_t riscv_wgchecker_read(void *opaque, hwaddr addr, unsigned size) +{ + uint64_t val = 0; + + switch (size) { + case 8: + val = riscv_wgchecker_readq(opaque, addr); + break; + case 4: + val = riscv_wgchecker_readl(opaque, addr); + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, "%s: Invalid read size %u to wgChecker\n", + __func__, size); + return 0; + } + + return val; +} + +static void riscv_wgchecker_writeq(void *opaque, hwaddr addr, + uint64_t value) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + + switch (addr) { + case A_ERRCAUSE: + s->errcause = value & ERRCAUSE_MASK; + break; + case A_ERRADDR: + s->erraddr = value; + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 8); + break; + } +} + +static void riscv_wgchecker_writel(void *opaque, hwaddr addr, + uint64_t value) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + + switch (addr) { + case A_ERRCAUSE: + value &= extract64(ERRCAUSE_MASK, 0, 32); + s->errcause = deposit64(s->errcause, 0, 32, value); + break; + case A_ERRCAUSE + 4: + value &= extract64(ERRCAUSE_MASK, 32, 32); + s->errcause = deposit64(s->errcause, 32, 32, value); + break; + case A_ERRADDR: + s->erraddr = deposit64(s->erraddr, 0, 32, value); + break; + case A_ERRADDR + 4: + s->erraddr = deposit64(s->erraddr, 32, 32, value); + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 4); + break; + } +} + +static void riscv_wgchecker_write(void *opaque, hwaddr addr, + uint64_t value, unsigned size) +{ + switch (size) { + case 8: + riscv_wgchecker_writeq(opaque, addr, value); + break; + case 4: + riscv_wgchecker_writel(opaque, addr, value); + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, "%s: Invalid write size %u to wgChecker\n", + __func__, size); + break; + } +} + +static MemTxResult riscv_wgchecker_read_with_attrs( + void *opaque, hwaddr addr, uint64_t *pdata, unsigned size, + MemTxAttrs attrs) +{ + SysBusDevice *dev = SYS_BUS_DEVICE(opaque); + + trace_riscv_wgchecker_mmio_read(dev->mmio[0].addr, addr, size); + + *pdata = 0; + if (could_access_wgblocks(attrs, "wgChecker")) { + *pdata = riscv_wgchecker_read(opaque, addr, size); + } + + return MEMTX_OK; +} + +static MemTxResult riscv_wgchecker_write_with_attrs( + void *opaque, hwaddr addr, uint64_t data, unsigned size, + MemTxAttrs attrs) +{ + SysBusDevice *dev = SYS_BUS_DEVICE(opaque); + + trace_riscv_wgchecker_mmio_write(dev->mmio[0].addr, addr, size, data); + + if (could_access_wgblocks(attrs, "wgChecker")) { + riscv_wgchecker_write(opaque, addr, data, size); + } + + return MEMTX_OK; +} + +static const MemoryRegionOps riscv_wgchecker_ops = { + .read_with_attrs = riscv_wgchecker_read_with_attrs, + .write_with_attrs = riscv_wgchecker_write_with_attrs, + .endianness = DEVICE_NATIVE_ENDIAN, + .valid = { + .min_access_size = 4, + .max_access_size = 8 + }, + .impl = { + .min_access_size = 4, + .max_access_size = 8 + } +}; + +static void riscv_wgc_iommu_memory_region_class_init(ObjectClass *klass, + void *data) +{ + IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass); + + imrc->translate = riscv_wgc_translate; + imrc->attrs_to_index = riscv_wgc_attrs_to_index; + imrc->num_indexes = riscv_wgc_num_indexes; +} + +static const TypeInfo riscv_wgc_iommu_memory_region_info = { + .name = TYPE_RISCV_WGC_IOMMU_MEMORY_REGION, + .parent = TYPE_IOMMU_MEMORY_REGION, + .class_init = riscv_wgc_iommu_memory_region_class_init, +}; + + +#define DEFINE_REGION(N) \ + DEFINE_PROP_LINK("downstream-mr[" #N "]", RISCVWgCheckerState, \ + mem_regions[N].downstream, \ + TYPE_MEMORY_REGION, MemoryRegion *), \ + DEFINE_PROP_UINT64("region-offset[" #N "]", RISCVWgCheckerState, \ + mem_regions[N].region_offset, 0) \ + +static Property riscv_wgchecker_properties[] = { + DEFINE_PROP_UINT32("slot-count", RISCVWgCheckerState, slot_count, 0x1), + DEFINE_PROP_UINT32("mmio-size", RISCVWgCheckerState, mmio_size, 0x1000), + + /* Assume 1 wgChecker has 16 regions at maximum (WGC_NUM_REGIONS). */ + DEFINE_REGION(0), DEFINE_REGION(1), DEFINE_REGION(2), DEFINE_REGION(3), + DEFINE_REGION(4), DEFINE_REGION(5), DEFINE_REGION(6), DEFINE_REGION(7), + DEFINE_REGION(8), DEFINE_REGION(9), DEFINE_REGION(10), DEFINE_REGION(11), + DEFINE_REGION(12), DEFINE_REGION(13), DEFINE_REGION(14), DEFINE_REGION(15), + + DEFINE_PROP_UINT64("addr-range-start", RISCVWgCheckerState, addr_range_start, 0), + DEFINE_PROP_UINT64("addr-range-size", RISCVWgCheckerState, addr_range_size, UINT64_MAX), + + /* + * We could only set individual wgChecker to hw-bypass mode. It is + * usually used in wgChecker of BootROM, since SW has no way to enable + * the permission of it. + */ + DEFINE_PROP_BOOL("hw-bypass", RISCVWgCheckerState, hw_bypass, false), + DEFINE_PROP_END_OF_LIST(), +}; + +static int int_log2_down(int n) +{ + int i = 0; + + n >>= 1; + + while (n) { + i++; + n >>= 1; + } + + return i; +} + +static int int_log2_up(int n) +{ + return int_log2_down(n - 1) + 1; +} + +/* + * Change the address range to be NAPOT alignment. + * + * New address range should totally cover the origin range, but new range + * should be configured by 1 NAPOT region (slot). + */ +static void address_range_align_napot(RISCVWgCheckerState *s) +{ + uint64_t start, end, size, new_size; + + start = s->addr_range_start; + end = s->addr_range_start + s->addr_range_size; + size = s->addr_range_size; + + if (size == UINT64_MAX) { + /* Full address range. No need of NAPOT alignment. */ + return; + } + + /* Size is the next power-of-2 number. */ + size = 1 << (int_log2_up(size)); + start = QEMU_ALIGN_DOWN(start, size); + end = QEMU_ALIGN_UP(end, size); + new_size = end - start; + + /* + * If base is not aligned to region size (new_size), + * double the region size and try it again. + */ + while ((new_size != size) && (size != 1ULL << 63)) { + size *= 2; + start = QEMU_ALIGN_DOWN(start, size); + end = QEMU_ALIGN_UP(end, size); + new_size = end - start; + } + + s->addr_range_start = start; + s->addr_range_size = size; +} + +static void riscv_wgchecker_realize(DeviceState *dev, Error **errp) +{ + Object *obj = OBJECT(dev); + RISCVWgCheckerState *s = RISCV_WGCHECKER(dev); + uint64_t size; + + if (worldguard_config == NULL) { + error_setg(errp, "Couldn't find global WorldGuard configs. " + "Please realize %s device at first.", + TYPE_RISCV_WORLDGUARD); + return; + } + + if (s->slot_count == 0) { + error_setg(errp, "wgChecker slot-count couldn't be zero."); + return; + } + + memory_region_init_io(&s->mmio, OBJECT(dev), &riscv_wgchecker_ops, s, + TYPE_RISCV_WGCHECKER, s->mmio_size); + sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->mmio); + sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->irq); + + /* Address range should be NAPOT alignment */ + address_range_align_napot(s); + + for (int i=0; i<WGC_NUM_REGIONS; i++) { + WgCheckerRegion *region = &s->mem_regions[i]; + + if (!region->downstream) { + continue; + } + region->wgchecker = s; + + const char *upstream_name = g_strdup_printf( + "wgchecker-upstream-%"HWADDR_PRIx, region->region_offset); + const char *downstream_name = g_strdup_printf( + "wgchecker-downstream-%"HWADDR_PRIx, region->region_offset); + + size = memory_region_size(region->downstream); + memory_region_init_iommu(&region->upstream, sizeof(region->upstream), + TYPE_RISCV_WGC_IOMMU_MEMORY_REGION, + obj, upstream_name, size); + + /* upstream MRs are 2nd ~ (n+1)th MemoryRegion. */ + sysbus_init_mmio(SYS_BUS_DEVICE(dev), MEMORY_REGION(&region->upstream)); + + /* + * This memory region is not exposed to users of this device as a + * sysbus MMIO region, but is instead used internally as something + * that our IOMMU translate function might direct accesses to. + */ + memory_region_init_io(&region->blocked_io, obj, &riscv_wgc_mem_blocked_ops, + region, "wgchecker-blocked-io", size); + + address_space_init(&region->downstream_as, region->downstream, + downstream_name); + address_space_init(&region->blocked_io_as, &region->blocked_io, + "wgchecker-blocked-io"); + } +} + +static void riscv_wgchecker_unrealize(DeviceState *dev) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(dev); + + g_free(s->slots); + if (s->num_default_slots && s->default_slots) { + g_free(s->default_slots); + } +} + +static void riscv_wgchecker_reset_enter(Object *obj, ResetType type) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(obj); + uint64_t start = s->addr_range_start; + uint64_t end = s->addr_range_start + s->addr_range_size; + int nslots = s->slot_count; + + s->errcause = 0; + s->erraddr = 0; +} + +static void riscv_wgchecker_class_init(ObjectClass *klass, void *data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + + device_class_set_props(dc, riscv_wgchecker_properties); + dc->user_creatable = true; + dc->realize = riscv_wgchecker_realize; + dc->unrealize = riscv_wgchecker_unrealize; + ResettableClass *rc = RESETTABLE_CLASS(klass); + rc->phases.enter = riscv_wgchecker_reset_enter; +} + +static void riscv_wgchecker_instance_init(Object *obj) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(obj); + + s->num_default_slots = 0; +} + +static const TypeInfo riscv_wgchecker_info = { + .name = TYPE_RISCV_WGCHECKER, + .parent = TYPE_SYS_BUS_DEVICE, + .instance_init = riscv_wgchecker_instance_init, + .instance_size = sizeof(RISCVWgCheckerState), + .class_init = riscv_wgchecker_class_init, +}; + +static void riscv_wgchecker_register_types(void) +{ + type_register_static(&riscv_wgchecker_info); + type_register_static(&riscv_wgc_iommu_memory_region_info); +} + +type_init(riscv_wgchecker_register_types) + +/* + * Create WgChecker device + */ +DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size, + qemu_irq irq, uint32_t slot_count, + uint64_t addr_range_start, + uint64_t addr_range_size, + uint32_t num_of_region, + MemoryRegion **downstream, + uint64_t *region_offset, + uint32_t num_default_slots, + WgCheckerSlot *default_slots) +{ + DeviceState *dev = qdev_new(TYPE_RISCV_WGCHECKER); + RISCVWgCheckerState *s = RISCV_WGCHECKER(dev); + char name_mr[32]; + char name_offset[32]; + int i; + + qdev_prop_set_uint32(dev, "slot-count", slot_count); + qdev_prop_set_uint32(dev, "mmio-size", size); + qdev_prop_set_uint64(dev, "addr-range-start", addr_range_start); + if (addr_range_size) { + qdev_prop_set_uint64(dev, "addr-range-size", addr_range_size); + } + + g_assert(num_of_region <= WGC_NUM_REGIONS); + for (i=0; i<num_of_region; i++) { + snprintf(name_mr, 32, "downstream-mr[%d]", i); + snprintf(name_offset, 32, "region-offset[%d]", i); + + object_property_set_link(OBJECT(dev), name_mr, + OBJECT(downstream[i]), &error_fatal); + qdev_prop_set_uint64(dev, name_offset, region_offset[i]); + } + + sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal); + sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, addr); + sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, irq); + return dev; +} diff --git a/hw/misc/trace-events b/hw/misc/trace-events index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/trace-events +++ b/hw/misc/trace-events @@ -XXX,XX +XXX,XX @@ djmemc_write(int reg, uint64_t value, unsigned int size) "reg=0x%x value=0x%"PRI # iosb.c iosb_read(int reg, uint64_t value, unsigned int size) "reg=0x%x value=0x%"PRIx64" size=%u" iosb_write(int reg, uint64_t value, unsigned int size) "reg=0x%x value=0x%"PRIx64" size=%u" + +# riscv_worldguard.c +riscv_wgchecker_mmio_read(uint64_t base, uint64_t offset, unsigned int size) "base = 0x%"PRIx64", offset = 0x%"PRIx64", size = 0x%x" +riscv_wgchecker_mmio_write(uint64_t base, uint64_t offset, unsigned int size, uint64_t val) "base = 0x%"PRIx64", offset = 0x%"PRIx64", size = 0x%x, val = 0x%"PRIx64 + +riscv_wgc_mem_blocked_read(uint64_t addr, unsigned size, uint32_t wid) "wgChecker blocked read: offset 0x%" PRIx64 " size %u wid %" PRIu32 +riscv_wgc_mem_blocked_write(uint64_t addr, uint64_t data, unsigned size, uint32_t wid) "wgChecker blocked write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u wid %" PRIu32 +riscv_wgc_translate(uint64_t addr, int flags, int wid, const char *res) "wgChecker translate: addr 0x%016" PRIx64 " flags 0x%x wid %d: %s" diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/misc/riscv_worldguard.h +++ b/include/hw/misc/riscv_worldguard.h @@ -XXX,XX +XXX,XX @@ void riscv_worldguard_apply_cpu(uint32_t hartid); uint32_t mem_attrs_to_wid(MemTxAttrs attrs); bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock); +#define TYPE_RISCV_WGCHECKER "riscv.wgchecker" + +typedef struct RISCVWgCheckerState RISCVWgCheckerState; +DECLARE_INSTANCE_CHECKER(RISCVWgCheckerState, RISCV_WGCHECKER, + TYPE_RISCV_WGCHECKER) + +#define TYPE_RISCV_WGC_IOMMU_MEMORY_REGION "riscv-wgc-iommu-memory-region" + +typedef struct WgCheckerSlot WgCheckerSlot; +struct WgCheckerSlot { + uint64_t addr; + uint64_t perm; + uint32_t cfg; +}; + +typedef struct WgCheckerRegion WgCheckerRegion; +struct WgCheckerRegion { + MemoryRegion *downstream; + uint64_t region_offset; + + IOMMUMemoryRegion upstream; + MemoryRegion blocked_io; + AddressSpace downstream_as; + AddressSpace blocked_io_as; + + RISCVWgCheckerState *wgchecker; +}; + +#define WGC_NUM_REGIONS 16 + +struct RISCVWgCheckerState { + /*< private >*/ + SysBusDevice parent_obj; + + /*< public >*/ + MemoryRegion mmio; + qemu_irq irq; + + /* error reg */ + uint64_t errcause; + uint64_t erraddr; + + /* Memory regions protected by wgChecker */ + WgCheckerRegion mem_regions[WGC_NUM_REGIONS]; + + /* Property */ + uint32_t slot_count; /* nslots */ + uint32_t mmio_size; + uint64_t addr_range_start; + uint64_t addr_range_size; + bool hw_bypass; +}; + +DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size, + qemu_irq irq, uint32_t slot_count, + uint64_t addr_range_start, + uint64_t addr_range_size, + uint32_t num_of_region, + MemoryRegion **downstream, + uint64_t *region_offset, + uint32_t num_default_slots, + WgCheckerSlot *default_slots); + #endif -- 2.17.1 wgChecker slot is similar to PMP region. SW could program each slot to configure the permission of address range. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- hw/misc/riscv_wgchecker.c | 330 +++++++++++++++++++++++++++++ hw/misc/riscv_worldguard.c | 3 + include/hw/misc/riscv_worldguard.h | 4 + 3 files changed, 337 insertions(+) diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/riscv_wgchecker.c +++ b/hw/misc/riscv_wgchecker.c @@ -XXX,XX +XXX,XX @@ REG64(ERRCAUSE, 0x010) R_ERRCAUSE_IP_MASK) REG64(ERRADDR, 0x018) +REG64(WGC_SLOT, 0x020) + +/* wgChecker slots */ +REG64(SLOT_ADDR, 0x000) +REG64(SLOT_PERM, 0x008) +REG32(SLOT_CFG, 0x010) + FIELD(SLOT_CFG, A, 0, 2) + FIELD(SLOT_CFG, ER, 8, 1) + FIELD(SLOT_CFG, EW, 9, 1) + FIELD(SLOT_CFG, IR, 10, 1) + FIELD(SLOT_CFG, IW, 11, 1) + FIELD(SLOT_CFG, LOCK, 31, 1) + +#define SLOT_SIZE 0x020 + +#define SLOT0_CFG_MASK \ + (R_SLOT_CFG_ER_MASK | \ + R_SLOT_CFG_EW_MASK | \ + R_SLOT_CFG_IR_MASK | \ + R_SLOT_CFG_IW_MASK | \ + R_SLOT_CFG_LOCK_MASK) + +#define SLOT_CFG_MASK \ + (R_SLOT_CFG_A_MASK | (SLOT0_CFG_MASK)) + +#define WGC_SLOT_END(nslots) \ + (A_WGC_SLOT + SLOT_SIZE * (nslots + 1)) + +/* wgChecker slot is 4K alignment */ +#define WG_ALIGNED_SIZE (1 << 12) +#define WG_ALIGNED_MASK MAKE_64BIT_MASK(0, 12) + +/* wgChecker slot address is (addr / 4). */ +#define TO_SLOT_ADDR(addr) ((addr) >> 2) +#define FROM_SLOT_ADDR(addr) ((addr) << 2) + +/* wgChecker slot cfg.A[1:0] */ +#define A_OFF 0 +#define A_TOR 1 +#define A_NA4 2 +#define A_NAPOT 3 + +/* wgChecker slot perm */ +#define WGC_PERM(wid, perm) ((uint64_t)(perm) << (2 * (wid))) +#define P_READ (1 << 0) +#define P_WRITE (1 << 1) /* * Accesses only reach these read and write functions if the wgChecker @@ -XXX,XX +XXX,XX @@ static uint64_t riscv_wgchecker_readq(void *opaque, hwaddr addr) RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); uint64_t val = 0; + if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) { + /* Read from WGC slot */ + int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE; + int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE; + + switch (slot_offset) { + case A_SLOT_ADDR: + val = s->slots[slot_id].addr; + break; + case A_SLOT_PERM: + val = s->slots[slot_id].perm; + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 8); + break; + } + + return val; + } + switch (addr) { case A_ERRCAUSE: val = s->errcause & ERRCAUSE_MASK; @@ -XXX,XX +XXX,XX @@ static uint64_t riscv_wgchecker_readl(void *opaque, hwaddr addr) RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); uint64_t val = 0; + if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) { + /* Read from WGC slot */ + int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE; + int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE; + + switch (slot_offset) { + case A_SLOT_ADDR: + val = extract64(s->slots[slot_id].addr, 0, 32); + break; + case A_SLOT_ADDR + 4: + val = extract64(s->slots[slot_id].addr, 32, 32); + break; + case A_SLOT_PERM: + val = extract64(s->slots[slot_id].perm, 0, 32); + break; + case A_SLOT_PERM + 4: + val = extract64(s->slots[slot_id].perm, 32, 32); + break; + case A_SLOT_CFG: + val = s->slots[slot_id].cfg & SLOT_CFG_MASK; + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 4); + break; + } + + return val; + } + switch (addr) { case A_VENDOR: val = 0; @@ -XXX,XX +XXX,XX @@ static uint64_t riscv_wgchecker_read(void *opaque, hwaddr addr, unsigned size) return val; } +/* + * Validate the WGC slot address is between address range. + * + * Fix the slot address to the start address if it's not within the address range. + * We need validation when changing "slot address" or "TOR/NAPOT mode (cfg.A)" + */ +static void validate_slot_address(void *opaque, int slot_id) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + uint64_t start = TO_SLOT_ADDR(s->addr_range_start); + uint64_t end = TO_SLOT_ADDR(s->addr_range_start + s->addr_range_size); + uint32_t cfg_a = FIELD_EX32(s->slots[slot_id].cfg, SLOT_CFG, A); + + /* First and last slot address are hard-coded. */ + if ((slot_id == 0) || (slot_id == s->slot_count)) { + return; + } + + /* Check WGC slot address is between address range. */ + if ((s->slots[slot_id].addr < start) || (s->slots[slot_id].addr >= end)) { + s->slots[slot_id].addr = start; + } + + /* Check WGC slot is 4k-aligned. */ + if (cfg_a == A_TOR) { + s->slots[slot_id].addr &= ~TO_SLOT_ADDR(WG_ALIGNED_MASK); + } else if (cfg_a == A_NAPOT) { + s->slots[slot_id].addr |= TO_SLOT_ADDR(WG_ALIGNED_MASK >> 1); + } else if (cfg_a == A_NA4) { + /* Forcely replace NA4 slot with 4K-aligned NAPOT slot. */ + FIELD_DP32(s->slots[slot_id].cfg, SLOT_CFG, A, A_NAPOT); + s->slots[slot_id].addr |= TO_SLOT_ADDR(WG_ALIGNED_MASK >> 1); + } +} + +static bool slots_reg_is_ro(int slot_id, int slot_offset, uint32_t nslots) +{ + /* + * Special slots: + * - slot[0]: + * - addr is RO + * - perm is RO + * - cfg.A is OFF + * + * - slot[nslots]: + * - addr is RO + * - cfg.A is OFF or TOR + */ + if (slot_id == 0) { + switch (slot_offset) { + case A_SLOT_ADDR: + case A_SLOT_ADDR + 4: + case A_SLOT_PERM: + case A_SLOT_PERM + 4: + return true; + default: + break; + } + } else if (slot_id == nslots) { + switch (slot_offset) { + case A_SLOT_ADDR: + case A_SLOT_ADDR + 4: + return true; + default: + break; + } + } + + return false; +} + static void riscv_wgchecker_writeq(void *opaque, hwaddr addr, uint64_t value) { RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) { + /* Read from WGC slot */ + int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE; + int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE; + bool locked = FIELD_EX32(s->slots[slot_id].cfg, SLOT_CFG, LOCK); + + if (locked) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Couldn't write access to locked wgChecker Slot: " + "slot = %d, offset = %d\n", __func__, slot_id, + slot_offset); + return; + } + + if (slots_reg_is_ro(slot_id, slot_offset, s->slot_count)) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 8); + } + + switch (slot_offset) { + case A_SLOT_ADDR: + s->slots[slot_id].addr = value; + validate_slot_address(s, slot_id); + break; + case A_SLOT_PERM: + value &= wgc_slot_perm_mask; + s->slots[slot_id].perm = value; + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 8); + break; + } + + return; + } + switch (addr) { case A_ERRCAUSE: s->errcause = value & ERRCAUSE_MASK; @@ -XXX,XX +XXX,XX @@ static void riscv_wgchecker_writel(void *opaque, hwaddr addr, { RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) { + /* Write to WGC slot */ + int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE; + int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE; + bool locked = FIELD_EX32(s->slots[slot_id].cfg, SLOT_CFG, LOCK); + int cfg_a, old_cfg_a; + + if (locked) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Couldn't write access to locked wgChecker Slot: " + "slot = %d, offset = %d\n", __func__, slot_id, + slot_offset); + return; + } + + if (slots_reg_is_ro(slot_id, slot_offset, s->slot_count)) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 4); + } + + switch (slot_offset) { + case A_SLOT_ADDR: + s->slots[slot_id].addr = deposit64( + s->slots[slot_id].addr, 0, 32, value); + validate_slot_address(s, slot_id); + break; + case A_SLOT_ADDR + 4: + s->slots[slot_id].addr = deposit64( + s->slots[slot_id].addr, 32, 32, value); + validate_slot_address(s, slot_id); + break; + case A_SLOT_PERM: + value &= wgc_slot_perm_mask; + s->slots[slot_id].perm = deposit64( + s->slots[slot_id].perm, 0, 32, value); + break; + case A_SLOT_PERM + 4: + value &= extract64(wgc_slot_perm_mask, 32, 32); + s->slots[slot_id].perm = deposit64( + s->slots[slot_id].perm, 32, 32, value); + break; + case A_SLOT_CFG: + if (slot_id == 0) { + value &= SLOT0_CFG_MASK; + s->slots[0].cfg = value; + } else if (slot_id == s->slot_count) { + old_cfg_a = FIELD_EX32(s->slots[s->slot_count].cfg, SLOT_CFG, A); + cfg_a = FIELD_EX32(value, SLOT_CFG, A); + + value &= SLOT0_CFG_MASK; + if ((cfg_a == A_OFF) || (cfg_a == A_TOR)) { + value |= cfg_a; + } else { + /* slot[nslots] could only use OFF or TOR config. */ + value |= old_cfg_a; + } + s->slots[s->slot_count].cfg = value; + + validate_slot_address(s, slot_id); + } else { + value &= SLOT_CFG_MASK; + s->slots[slot_id].cfg = value; + } + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 4); + break; + } + + return; + } + switch (addr) { case A_ERRCAUSE: value &= extract64(ERRCAUSE_MASK, 0, 32); @@ -XXX,XX +XXX,XX @@ static void riscv_wgchecker_realize(DeviceState *dev, Error **errp) return; } + s->slots = g_new0(WgCheckerSlot, s->slot_count + 1); + memory_region_init_io(&s->mmio, OBJECT(dev), &riscv_wgchecker_ops, s, TYPE_RISCV_WGCHECKER, s->mmio_size); sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->mmio); @@ -XXX,XX +XXX,XX @@ static void riscv_wgchecker_reset_enter(Object *obj, ResetType type) s->errcause = 0; s->erraddr = 0; + + for (int i = 0; i < nslots; i++) { + s->slots[i].addr = TO_SLOT_ADDR(start); + s->slots[i].perm = 0; + s->slots[i].cfg = 0; + } + s->slots[nslots].addr = TO_SLOT_ADDR(end); + s->slots[nslots].perm = 0; + s->slots[nslots].cfg = 0; + + if (s->num_default_slots != 0) { + /* + * Use default slots: + * slot[0] is hard-coded to start address, so the default slots + * start from slot[1]. + */ + memcpy(&s->slots[1], s->default_slots, + sizeof(WgCheckerSlot) * s->num_default_slots); + } else if ((s->hw_bypass) || + ((worldguard_config != NULL) && worldguard_config->hw_bypass)) { + /* HW bypass mode */ + uint32_t trustedwid = worldguard_config->trustedwid; + + if (trustedwid == NO_TRUSTEDWID) { + trustedwid = worldguard_config->nworlds - 1; + } + + s->slots[nslots].perm = WGC_PERM(trustedwid, P_READ | P_WRITE); + s->slots[nslots].perm &= wgc_slot_perm_mask; + s->slots[nslots].cfg = A_TOR; + } } static void riscv_wgchecker_class_init(ObjectClass *klass, void *data) @@ -XXX,XX +XXX,XX @@ DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size, qdev_prop_set_uint64(dev, name_offset, region_offset[i]); } + if (num_default_slots > slot_count) { + num_default_slots = slot_count; + } + + s->num_default_slots = num_default_slots; + if (s->num_default_slots) { + s->default_slots = g_new0(WgCheckerSlot, s->num_default_slots); + memcpy(s->default_slots, default_slots, + sizeof(WgCheckerSlot) * s->num_default_slots); + } else { + s->default_slots = NULL; + } + sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal); sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, addr); sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, irq); diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/riscv_worldguard.c +++ b/hw/misc/riscv_worldguard.c @@ -XXX,XX +XXX,XX @@ */ struct RISCVWorldGuardState *worldguard_config = NULL; +/* perm field bitmask of wgChecker slot, it's depends on NWorld. */ +uint64_t wgc_slot_perm_mask = 0; + static Property riscv_worldguard_properties[] = { DEFINE_PROP_UINT32("nworlds", RISCVWorldGuardState, nworlds, 0), diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/misc/riscv_worldguard.h +++ b/include/hw/misc/riscv_worldguard.h @@ -XXX,XX +XXX,XX @@ struct RISCVWorldGuardState { }; extern struct RISCVWorldGuardState *worldguard_config; +extern uint64_t wgc_slot_perm_mask; DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid, bool hw_bypass, bool tz_compat); @@ -XXX,XX +XXX,XX @@ struct WgCheckerRegion { struct RISCVWgCheckerState { /*< private >*/ SysBusDevice parent_obj; + uint32_t num_default_slots; + WgCheckerSlot *default_slots; /*< public >*/ MemoryRegion mmio; + WgCheckerSlot *slots; qemu_irq irq; /* error reg */ -- 2.17.1 The wgChecker is configurable for whether blocked accesses: * should cause a bus error or just read return zero and write ignore * should generate the interrupt or not Signed-off-by: Jim Shu <jim.shu@sifive.com> --- hw/misc/riscv_wgchecker.c | 169 +++++++++++++++++++++++++++++++++++++- 1 file changed, 167 insertions(+), 2 deletions(-) diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/riscv_wgchecker.c +++ b/hw/misc/riscv_wgchecker.c @@ -XXX,XX +XXX,XX @@ REG32(SLOT_CFG, 0x010) #define P_READ (1 << 0) #define P_WRITE (1 << 1) +static void decode_napot(hwaddr a, hwaddr *sa, hwaddr *ea) +{ + /* + * aaaa...aaa0 8-byte NAPOT range + * aaaa...aa01 16-byte NAPOT range + * aaaa...a011 32-byte NAPOT range + * ... + * aa01...1111 2^XLEN-byte NAPOT range + * a011...1111 2^(XLEN+1)-byte NAPOT range + * 0111...1111 2^(XLEN+2)-byte NAPOT range + * 1111...1111 Reserved + */ + + a = FROM_SLOT_ADDR(a) | 0x3; + + if (sa) { + *sa = a & (a + 1); + } + if (ea) { + *ea = a | (a + 1); + } +} + +typedef struct WgAccessResult WgAccessResult; +struct WgAccessResult { + bool is_success; + bool has_bus_error; + bool has_interrupt; + uint8_t perm:2; +}; + +static WgAccessResult wgc_check_access( + RISCVWgCheckerState *s, hwaddr phys_addr, uint32_t wid, bool is_write) +{ + WgCheckerSlot *slot, *prev_slot; + uint32_t cfg_a, prev_cfg_a; + uint64_t start, end; + int slot_id, wgc_perm = 0; + WgAccessResult result = { 0 }; + + bool is_matching = false; + bool slot0_be, slot0_ip; + bool matched_slot_be = false, matched_slot_ip = false; + + for (slot_id = 0; slot_id < s->slot_count; slot_id++) { + slot = &s->slots[slot_id + 1]; + cfg_a = FIELD_EX32(slot->cfg, SLOT_CFG, A); + + if (cfg_a == A_TOR) { + prev_slot = &s->slots[slot_id]; + + prev_cfg_a = FIELD_EX32(prev_slot->cfg, SLOT_CFG, A); + if (prev_cfg_a == A_NA4) { + start = FROM_SLOT_ADDR(prev_slot->addr) + 4; + } else if (prev_cfg_a == A_NAPOT) { + decode_napot(prev_slot->addr, NULL, &start); + start += 1; + } else { /* A_TOR or A_OFF */ + start = FROM_SLOT_ADDR(prev_slot->addr); + } + end = FROM_SLOT_ADDR(slot->addr); + } else if (cfg_a == A_NA4) { + start = FROM_SLOT_ADDR(slot->addr); + end = start + 4; + } else if (cfg_a == A_NAPOT) { + decode_napot(slot->addr, &start, &end); + end += 1; + } else { + /* A_OFF: not in slot range. */ + continue; + } + + /* wgChecker slot range is between start to (end - 1). */ + if ((start <= phys_addr) && (phys_addr < end)) { + /* Match the wgC slot */ + int perm = ((slot->perm >> (wid * 2)) & 0x3); + + /* If any matching rule permits access, the access is permitted. */ + wgc_perm |= perm; + + /* + * If any matching rule wants to report error (IRQ or Bus Error), + * the denied access should report error. + */ + is_matching = true; + if (is_write) { + matched_slot_be |= FIELD_EX64(slot->cfg, SLOT_CFG, EW); + matched_slot_ip |= FIELD_EX64(slot->cfg, SLOT_CFG, IW); + } else { + matched_slot_be |= FIELD_EX64(slot->cfg, SLOT_CFG, ER); + matched_slot_ip |= FIELD_EX64(slot->cfg, SLOT_CFG, IR); + } + } + } + + /* If no matching rule, error reporting depends on the slot0's config. */ + if (is_write) { + slot0_be = FIELD_EX64(s->slots[0].cfg, SLOT_CFG, EW); + slot0_ip = FIELD_EX64(s->slots[0].cfg, SLOT_CFG, IW); + } else { + slot0_be = FIELD_EX64(s->slots[0].cfg, SLOT_CFG, ER); + slot0_ip = FIELD_EX64(s->slots[0].cfg, SLOT_CFG, IR); + } + + result.is_success = is_write ? (wgc_perm & P_WRITE) : (wgc_perm & P_READ); + result.perm = wgc_perm; + if (!result.is_success) { + if (is_matching) { + result.has_bus_error = matched_slot_be; + result.has_interrupt = matched_slot_ip; + } else { + result.has_bus_error = slot0_be; + result.has_interrupt = slot0_ip; + } + } + + return result; +} + +static MemTxResult riscv_wgc_handle_blocked_access( + WgCheckerRegion *region, hwaddr addr, uint32_t wid, bool is_write) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(region->wgchecker); + bool be, ip; + WgAccessResult result; + hwaddr phys_addr; + + be = FIELD_EX64(s->errcause, ERRCAUSE, BE); + ip = FIELD_EX64(s->errcause, ERRCAUSE, IP); + phys_addr = addr + region->region_offset; + + /* + * Check if this blocked access trigger IRQ (Bus Error) or not. + * It depends on wgChecker slot config (cfg.IR/IW/ER/EW bits). + */ + result = wgc_check_access(s, phys_addr, wid, is_write); + + if (!be && !ip) { + /* + * With either of the be or ip bits is set, further violations do not + * update the errcause or erraddr registers. Also, new interrupts + * cannot be generated until the be and ip fields are cleared. + */ + if (result.has_interrupt || result.has_bus_error) { + s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, WID, wid); + s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, R, !is_write); + s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, W, is_write); + s->erraddr = TO_SLOT_ADDR(phys_addr); + } + + if (result.has_interrupt) { + s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, IP, 1); + qemu_irq_raise(s->irq); + } + + if (result.has_bus_error) { + s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, BE, 1); + } + } + + return result.has_bus_error ? MEMTX_ERROR : MEMTX_OK; +} + /* * Accesses only reach these read and write functions if the wgChecker * is blocking them; non-blocked accesses go directly to the downstream @@ -XXX,XX +XXX,XX @@ static MemTxResult riscv_wgc_mem_blocked_read(void *opaque, hwaddr addr, uint64_t *pdata, unsigned size, MemTxAttrs attrs) { + WgCheckerRegion *region = opaque; uint32_t wid = mem_attrs_to_wid(attrs); trace_riscv_wgc_mem_blocked_read(addr, size, wid); *pdata = 0; - return MEMTX_OK; + return riscv_wgc_handle_blocked_access(region, addr, wid, false); } static MemTxResult riscv_wgc_mem_blocked_write(void *opaque, hwaddr addr, uint64_t value, unsigned size, MemTxAttrs attrs) { + WgCheckerRegion *region = opaque; uint32_t wid = mem_attrs_to_wid(attrs); trace_riscv_wgc_mem_blocked_write(addr, value, size, wid); - return MEMTX_OK; + return riscv_wgc_handle_blocked_access(region, addr, wid, true); } static const MemoryRegionOps riscv_wgc_mem_blocked_ops = { -- 2.17.1 The final part of wgChecker we need to implement is actually using the wgChecker slots programmed by guest to determine whether to block the transaction or not. Since this means we now change transaction mappings when the guest writes to wgChecker slots, we must also call the IOMMU notifiers at that point. One tricky part here is that the perm of 'blocked_io_as' is the condition of deny access. For example, if wgChecker only permits RO access, the perm of 'downstream_as' will be IOMMU_RO and the perm of 'blocked_io_as' will be IOMMU_WO. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- hw/misc/riscv_wgchecker.c | 70 ++++++++++++++++++++++++++++++++++++--- hw/misc/trace-events | 1 + 2 files changed, 67 insertions(+), 4 deletions(-) diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/riscv_wgchecker.c +++ b/hw/misc/riscv_wgchecker.c @@ -XXX,XX +XXX,XX @@ REG32(SLOT_CFG, 0x010) #define P_READ (1 << 0) #define P_WRITE (1 << 1) +static IOMMUAccessFlags wgc_perm_to_iommu_flags(int wgc_perm) +{ + if (wgc_perm == (P_READ | P_WRITE)) { + return IOMMU_RW; + } else if (wgc_perm & P_WRITE) { + return IOMMU_WO; + } else if (wgc_perm & P_READ) { + return IOMMU_RO; + } else { + return IOMMU_NONE; + } +} + +static void wgchecker_iommu_notify_all(RISCVWgCheckerState *s) +{ + /* + * Do tlb_flush() to whole address space via memory_region_notify_iommu() + * when wgChecker changes it's config. + */ + + IOMMUTLBEvent event = { + .entry = { + .addr_mask = -1ULL, + } + }; + + trace_riscv_wgc_iommu_notify_all(); + + for (int i=0; i<WGC_NUM_REGIONS; i++) { + WgCheckerRegion *region = &s->mem_regions[i]; + uint32_t nworlds = worldguard_config->nworlds; + + if (!region->downstream) { + continue; + } + event.entry.iova = 0; + event.entry.translated_addr = 0; + event.type = IOMMU_NOTIFIER_UNMAP; + event.entry.perm = IOMMU_NONE; + + for (int wid=0; wid<nworlds; wid++) { + memory_region_notify_iommu(&region->upstream, wid, event); + } + } +} + static void decode_napot(hwaddr a, hwaddr *sa, hwaddr *ea) { /* @@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry riscv_wgc_translate(IOMMUMemoryRegion *iommu, { WgCheckerRegion *region = container_of(iommu, WgCheckerRegion, upstream); RISCVWgCheckerState *s = RISCV_WGCHECKER(region->wgchecker); + bool is_write; + WgAccessResult result; + int wgc_perm; hwaddr phys_addr; uint64_t region_size; @@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry riscv_wgc_translate(IOMMUMemoryRegion *iommu, * Look at the wgChecker configuration for this address, and * return a TLB entry directing the transaction at either * downstream_as or blocked_io_as, as appropriate. - * For the moment, always permit accesses. */ /* Use physical address instead of offset */ phys_addr = addr + region->region_offset; + is_write = (flags == IOMMU_WO); - is_success = true; + result = wgc_check_access(s, phys_addr, iommu_idx, is_write); trace_riscv_wgc_translate(phys_addr, flags, - iommu_idx, is_success ? "pass" : "block"); + iommu_idx, result.is_success ? "pass" : "block"); - ret.target_as = is_success ? &region->downstream_as : &region->blocked_io_as; + wgc_perm = result.perm; + if (!result.is_success) { + /* if target_as is blocked_io_as, the perm is the condition of deny access. */ + wgc_perm ^= (P_READ | P_WRITE); + } + ret.perm = wgc_perm_to_iommu_flags(wgc_perm); + + ret.target_as = result.is_success ? &region->downstream_as : &region->blocked_io_as; return ret; } @@ -XXX,XX +XXX,XX @@ static void riscv_wgchecker_writeq(void *opaque, hwaddr addr, break; } + /* Flush softmmu TLB when wgChecker changes config. */ + wgchecker_iommu_notify_all(s); + return; } @@ -XXX,XX +XXX,XX @@ static void riscv_wgchecker_writel(void *opaque, hwaddr addr, break; } + /* Flush softmmu TLB when wgChecker changes config. */ + wgchecker_iommu_notify_all(s); + return; } diff --git a/hw/misc/trace-events b/hw/misc/trace-events index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/trace-events +++ b/hw/misc/trace-events @@ -XXX,XX +XXX,XX @@ riscv_wgchecker_mmio_write(uint64_t base, uint64_t offset, unsigned int size, ui riscv_wgc_mem_blocked_read(uint64_t addr, unsigned size, uint32_t wid) "wgChecker blocked read: offset 0x%" PRIx64 " size %u wid %" PRIu32 riscv_wgc_mem_blocked_write(uint64_t addr, uint64_t data, unsigned size, uint32_t wid) "wgChecker blocked write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u wid %" PRIu32 riscv_wgc_translate(uint64_t addr, int flags, int wid, const char *res) "wgChecker translate: addr 0x%016" PRIx64 " flags 0x%x wid %d: %s" +riscv_wgc_iommu_notify_all(void) "wgChecker iommu: notifying UNMAP for all" -- 2.17.1 * Add 'wg=on' option to enable RISC-V WorldGuard * Add wgChecker to protect several resources: DRAM, FLASH, UART. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- docs/system/riscv/virt.rst | 10 +++ hw/riscv/Kconfig | 1 + hw/riscv/virt.c | 163 ++++++++++++++++++++++++++++++++++++- include/hw/riscv/virt.h | 17 +++- 4 files changed, 186 insertions(+), 5 deletions(-) diff --git a/docs/system/riscv/virt.rst b/docs/system/riscv/virt.rst index XXXXXXX..XXXXXXX 100644 --- a/docs/system/riscv/virt.rst +++ b/docs/system/riscv/virt.rst @@ -XXX,XX +XXX,XX @@ The following machine-specific options are supported: having AIA IMSIC (i.e. "aia=aplic-imsic" selected). When not specified, the default number of per-HART VS-level AIA IMSIC pages is 0. +- wg=[on|off] + + When this option is "on", RISC-V WorldGuard will be enabled in the system + to provide the isolation of multiple worlds. RISC-V HARTS will enable WG + extensions to have WID in memory transaction. wgCheckers in front of RAMs + and device MMIO will be enabled to provide the access control of resources + if the transaction contains WID. When not specified, this option is assumed + to be "off". + This option is restricted to the TCG accelerator. + Running Linux kernel -------------------- diff --git a/hw/riscv/Kconfig b/hw/riscv/Kconfig index XXXXXXX..XXXXXXX 100644 --- a/hw/riscv/Kconfig +++ b/hw/riscv/Kconfig @@ -XXX,XX +XXX,XX @@ config RISCV_VIRT select PLATFORM_BUS select ACPI select ACPI_PCI + select RISCV_WORLDGUARD config SHAKTI_C bool diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c index XXXXXXX..XXXXXXX 100644 --- a/hw/riscv/virt.c +++ b/hw/riscv/virt.c @@ -XXX,XX +XXX,XX @@ #include "hw/acpi/aml-build.h" #include "qapi/qapi-visit-common.h" #include "hw/virtio/virtio-iommu.h" +#include "hw/misc/riscv_worldguard.h" /* KVM AIA only supports APLIC MSI. APLIC Wired is always emulated by QEMU. */ static bool virt_use_kvm_aia(RISCVVirtState *s) @@ -XXX,XX +XXX,XX @@ static const MemMapEntry virt_memmap[] = { [VIRT_ACLINT_SSWI] = { 0x2F00000, 0x4000 }, [VIRT_PCIE_PIO] = { 0x3000000, 0x10000 }, [VIRT_PLATFORM_BUS] = { 0x4000000, 0x2000000 }, + [VIRT_WGC_DRAM] = { 0x6000000, 0x1000 }, + [VIRT_WGC_FLASH] = { 0x6001000, 0x1000 }, + [VIRT_WGC_UART] = { 0x6002000, 0x1000 }, [VIRT_PLIC] = { 0xc000000, VIRT_PLIC_SIZE(VIRT_CPUS_MAX * 2) }, [VIRT_APLIC_M] = { 0xc000000, APLIC_SIZE(VIRT_CPUS_MAX) }, [VIRT_APLIC_S] = { 0xd000000, APLIC_SIZE(VIRT_CPUS_MAX) }, @@ -XXX,XX +XXX,XX @@ static MemMapEntry virt_high_pcie_memmap; #define VIRT_FLASH_SECTOR_SIZE (256 * KiB) +/* wgChecker helpers */ +typedef struct WGCInfo { + int memmap_idx; + uint32_t irq_num; + uint32_t slot_count; + + int num_of_child; + MemoryRegion *c_region[WGC_NUM_REGIONS]; + uint64_t c_offset[WGC_NUM_REGIONS]; +} WGCInfo; + +enum { + WGC_DRAM, + WGC_FLASH, + WGC_UART, + WGC_NUM, +}; + +static WGCInfo virt_wgcinfo[] = { + [WGC_DRAM] = { VIRT_WGC_DRAM, WGC_DRAM_IRQ, 16 }, + [WGC_FLASH] = { VIRT_WGC_FLASH, WGC_FLASH_IRQ, 16 }, + [WGC_UART] = { VIRT_WGC_UART, WGC_UART_IRQ, 1 }, +}; + +static void wgc_append_child(WGCInfo *info, MemoryRegion *region, + uint64_t offset) +{ + info->c_region[info->num_of_child] = region; + info->c_offset[info->num_of_child] = offset; + info->num_of_child += 1; +} + static PFlashCFI01 *virt_flash_create1(RISCVVirtState *s, const char *name, const char *alias_prop_name) @@ -XXX,XX +XXX,XX @@ static void virt_flash_map1(PFlashCFI01 *flash, } static void virt_flash_map(RISCVVirtState *s, - MemoryRegion *sysmem) + MemoryRegion *sysmem, + WGCInfo *info) { hwaddr flashsize = virt_memmap[VIRT_FLASH].size / 2; hwaddr flashbase = virt_memmap[VIRT_FLASH].base; @@ -XXX,XX +XXX,XX @@ static void virt_flash_map(RISCVVirtState *s, sysmem); virt_flash_map1(s->flash[1], flashbase + flashsize, flashsize, sysmem); + + if (info) { + wgc_append_child(info, + sysbus_mmio_get_region(SYS_BUS_DEVICE(s->flash[0]), 0), + flashbase); + wgc_append_child(info, + sysbus_mmio_get_region(SYS_BUS_DEVICE(s->flash[1]), 0), + flashbase + flashsize); + } } static void create_pcie_irq_map(RISCVVirtState *s, void *fdt, char *nodename, @@ -XXX,XX +XXX,XX @@ static void virt_build_smbios(RISCVVirtState *s) } } +static DeviceState *create_wgc(WGCInfo *info, DeviceState *irqchip) +{ + MemoryRegion *system_memory = get_system_memory(); + DeviceState *wgc; + MemoryRegion *upstream_mr, *downstream_mr; + qemu_irq irq = qdev_get_gpio_in(irqchip, info->irq_num); + hwaddr base, size; + + /* Unmap downstream_mr from system_memory if it is already mapped. */ + for (int i=0; i<info->num_of_child; i++) { + downstream_mr = info->c_region[i]; + + g_assert(downstream_mr); + if (downstream_mr->container == system_memory) { + memory_region_del_subregion(system_memory, downstream_mr); + } + + /* + * Clear the offset of downstream_mr, so we could correctly do + * address_space_init() to it in wgchecker. + */ + memory_region_set_address(downstream_mr, 0); + } + + base = virt_memmap[info->memmap_idx].base; + size = virt_memmap[info->memmap_idx].size; + + wgc = riscv_wgchecker_create( + base, size, irq, info->slot_count, 0, 0, + info->num_of_child, info->c_region, info->c_offset, 0, NULL); + + /* Map upstream_mr to system_memory */ + for (int i=0; i<info->num_of_child; i++) { + upstream_mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(wgc), i+1); + g_assert(upstream_mr); + memory_region_add_subregion(system_memory, info->c_offset[i], upstream_mr); + } + + return wgc; +} + +static void virt_create_worldguard(WGCInfo *wgcinfo, int wgc_num, + DeviceState *irqchip) +{ + CPUState *cpu; + + /* Global WG config */ + riscv_worldguard_create(VIRT_WG_NWORLDS, + VIRT_WG_TRUSTEDWID, + VIRT_WG_HWBYPASS, + VIRT_WG_TZCOMPAT); + + /* Enable WG extension of each CPU */ + CPU_FOREACH(cpu) { + CPURISCVState *env = cpu ? cpu_env(cpu) : NULL; + + riscv_worldguard_apply_cpu(env->mhartid); + } + + /* Create all wgChecker devices */ + for (int i=0; i<wgc_num; i++) { + create_wgc(&wgcinfo[i], DEVICE(irqchip)); + } +} + static void virt_machine_done(Notifier *notifier, void *data) { RISCVVirtState *s = container_of(notifier, RISCVVirtState, @@ -XXX,XX +XXX,XX @@ static void virt_machine_done(Notifier *notifier, void *data) static void virt_machine_init(MachineState *machine) { const MemMapEntry *memmap = virt_memmap; + WGCInfo *wgcinfo = virt_wgcinfo; RISCVVirtState *s = RISCV_VIRT_MACHINE(machine); MemoryRegion *system_memory = get_system_memory(); MemoryRegion *mask_rom = g_new(MemoryRegion, 1); DeviceState *mmio_irqchip, *virtio_irqchip, *pcie_irqchip; + SerialMM *uart; int i, base_hartid, hart_count; int socket_count = riscv_socket_count(machine); @@ -XXX,XX +XXX,XX @@ static void virt_machine_init(MachineState *machine) exit(1); } + if (!tcg_enabled() && s->have_wg) { + error_report("'wg' is only available with TCG acceleration"); + exit(1); + } + /* Initialize sockets */ mmio_irqchip = virtio_irqchip = pcie_irqchip = NULL; for (i = 0; i < socket_count; i++) { @@ -XXX,XX +XXX,XX @@ static void virt_machine_init(MachineState *machine) memory_region_add_subregion(system_memory, memmap[VIRT_DRAM].base, machine->ram); + if (tcg_enabled() && s->have_wg) { + wgc_append_child(&wgcinfo[WGC_DRAM], machine->ram, memmap[VIRT_DRAM].base); + } + /* boot rom */ memory_region_init_rom(mask_rom, NULL, "riscv_virt_board.mrom", memmap[VIRT_MROM].size, &error_fatal); @@ -XXX,XX +XXX,XX @@ static void virt_machine_init(MachineState *machine) create_platform_bus(s, mmio_irqchip); - serial_mm_init(system_memory, memmap[VIRT_UART0].base, + uart = serial_mm_init(system_memory, memmap[VIRT_UART0].base, 0, qdev_get_gpio_in(mmio_irqchip, UART0_IRQ), 399193, serial_hd(0), DEVICE_LITTLE_ENDIAN); + if (tcg_enabled() && s->have_wg) { + wgc_append_child(&wgcinfo[WGC_UART], + sysbus_mmio_get_region(SYS_BUS_DEVICE(uart), 0), + memmap[VIRT_UART0].base); + } + sysbus_create_simple("goldfish_rtc", memmap[VIRT_RTC].base, qdev_get_gpio_in(mmio_irqchip, RTC_IRQ)); @@ -XXX,XX +XXX,XX @@ static void virt_machine_init(MachineState *machine) pflash_cfi01_legacy_drive(s->flash[i], drive_get(IF_PFLASH, 0, i)); } - virt_flash_map(s, system_memory); + + if (tcg_enabled() && s->have_wg) { + virt_flash_map(s, system_memory, &wgcinfo[WGC_FLASH]); + } else { + virt_flash_map(s, system_memory, NULL); + } + + if (tcg_enabled() && s->have_wg) { + virt_create_worldguard(wgcinfo, WGC_NUM, mmio_irqchip); + } /* load/create device tree */ if (machine->dtb) { @@ -XXX,XX +XXX,XX @@ static void virt_machine_instance_init(Object *obj) s->acpi = ON_OFF_AUTO_AUTO; } +static bool virt_get_wg(Object *obj, Error **errp) +{ + RISCVVirtState *s = RISCV_VIRT_MACHINE(obj); + + return s->have_wg; +} + +static void virt_set_wg(Object *obj, bool value, Error **errp) +{ + RISCVVirtState *s = RISCV_VIRT_MACHINE(obj); + + s->have_wg = value; +} + static char *virt_get_aia_guests(Object *obj, Error **errp) { RISCVVirtState *s = RISCV_VIRT_MACHINE(obj); @@ -XXX,XX +XXX,XX @@ static void virt_machine_class_init(ObjectClass *oc, void *data) NULL, NULL); object_class_property_set_description(oc, "acpi", "Enable ACPI"); + + object_class_property_add_bool(oc, "wg", virt_get_wg, + virt_set_wg); + object_class_property_set_description(oc, "wg", + "Set on/off to enable/disable the " + "RISC-V WorldGuard."); } static const TypeInfo virt_machine_typeinfo = { diff --git a/include/hw/riscv/virt.h b/include/hw/riscv/virt.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/riscv/virt.h +++ b/include/hw/riscv/virt.h @@ -XXX,XX +XXX,XX @@ struct RISCVVirtState { bool have_aclint; RISCVVirtAIAType aia_type; int aia_guests; + bool have_wg; char *oem_id; char *oem_table_id; OnOffAuto acpi; @@ -XXX,XX +XXX,XX @@ enum { VIRT_PCIE_MMIO, VIRT_PCIE_PIO, VIRT_PLATFORM_BUS, - VIRT_PCIE_ECAM + VIRT_PCIE_ECAM, + VIRT_WGC_DRAM, + VIRT_WGC_FLASH, + VIRT_WGC_UART }; enum { UART0_IRQ = 10, RTC_IRQ = 11, + WGC_DRAM_IRQ = 15, + WGC_FLASH_IRQ = 16, + WGC_UART_IRQ = 17, VIRTIO_IRQ = 1, /* 1 to 8 */ VIRTIO_COUNT = 8, PCIE_IRQ = 0x20, /* 32 to 35 */ @@ -XXX,XX +XXX,XX @@ enum { #define VIRT_PLATFORM_BUS_NUM_IRQS 32 #define VIRT_IRQCHIP_NUM_MSIS 255 -#define VIRT_IRQCHIP_NUM_SOURCES 96 +#define VIRT_IRQCHIP_NUM_SOURCES 128 #define VIRT_IRQCHIP_NUM_PRIO_BITS 3 #define VIRT_IRQCHIP_MAX_GUESTS_BITS 3 #define VIRT_IRQCHIP_MAX_GUESTS ((1U << VIRT_IRQCHIP_MAX_GUESTS_BITS) - 1U) @@ -XXX,XX +XXX,XX @@ uint32_t imsic_num_bits(uint32_t count); #error "Can't accommodate all IMSIC groups in address space" #endif +/* WorldGuard */ +#define VIRT_WG_NWORLDS 4 +#define VIRT_WG_TRUSTEDWID 3 +#define VIRT_WG_HWBYPASS true +#define VIRT_WG_TZCOMPAT false + #endif -- 2.17.1 This patchset implements Smwg/Smwgd/Sswg CPU extension and wgChecker device defined in WorldGuard spec v0.4. The WG v0.4 spec could be found here: https://lists.riscv.org/g/security/attachment/711/0/worldguard_rvia_spec-v0.4.pdf To enable WG in QEMU, pass "wg=on" as machine parameter to virt machine. It enables both WG CPU CSRs to apply WID of CPU and wgCheckers on the DRAM, FLASH, and UART to protect these resources. This patchset contains 5 parts: 1. Commit 1: Bugfix of IOMMUMemoryRegion 2. Commit 2 ~ 3: Extend IOMMUMemoryRegion and MemTxAttr for WG support 3. Commit 4 ~ 12: Add WG global device and CPU extensions 4. Commit 13 ~ 16: Add WG checker device 5. Commit 17: Add WG support to the virt machine QEMU code can be found at [1] [1] https://github.com/cwshu/qemu/tree/riscv-wg-v1 -- Changed since RFCv1: - Rebase to latest QEMU (v10.0.0-rc3) - Add the description of HW config and CPU option of WG in the virt machine documentation - Expose CPU options of WG after WG CPU code has been implemented - Change 'mwid' and 'mwidlist' options to experimental options - Change 'world_id' to unsigned int type + bit field. Jim Shu (17): accel/tcg: Store section pointer in CPUTLBEntryFull accel/tcg: memory access from CPU will pass access_type to IOMMU exec: Add RISC-V WorldGuard WID to MemTxAttrs hw/misc: riscv_worldguard: Add RISC-V WorldGuard global config target/riscv: Add CPU options of WorldGuard CPU extension target/riscv: Add hard-coded CPU state of WG extension target/riscv: Add defines for WorldGuard CSRs target/riscv: Allow global WG config to set WG CPU callbacks target/riscv: Implement WorldGuard CSRs target/riscv: Add WID to MemTxAttrs of CPU memory transactions target/riscv: Expose CPU options of WorldGuard hw/misc: riscv_worldguard: Add API to enable WG extension of CPU hw/misc: riscv_wgchecker: Implement RISC-V WorldGuard Checker hw/misc: riscv_wgchecker: Implement wgchecker slot registers hw/misc: riscv_wgchecker: Implement correct block-access behavior hw/misc: riscv_wgchecker: Check the slot settings in translate hw/riscv: virt: Add WorldGuard support accel/tcg/cputlb.c | 36 +- docs/system/riscv/virt.rst | 20 + hw/misc/Kconfig | 3 + hw/misc/meson.build | 1 + hw/misc/riscv_wgchecker.c | 1160 ++++++++++++++++++++++++++ hw/misc/riscv_worldguard.c | 272 ++++++ hw/misc/trace-events | 9 + hw/riscv/Kconfig | 1 + hw/riscv/virt.c | 163 +++- include/exec/cputlb.h | 11 +- include/exec/exec-all.h | 3 +- include/exec/memattrs.h | 8 +- include/hw/core/cpu.h | 3 + include/hw/misc/riscv_worldguard.h | 123 +++ include/hw/riscv/virt.h | 15 +- system/physmem.c | 16 +- target/alpha/helper.c | 2 +- target/avr/helper.c | 2 +- target/hppa/mem_helper.c | 1 - target/i386/tcg/system/excp_helper.c | 3 +- target/loongarch/tcg/tlb_helper.c | 2 +- target/m68k/helper.c | 10 +- target/microblaze/helper.c | 8 +- target/mips/tcg/system/tlb_helper.c | 4 +- target/openrisc/mmu.c | 2 +- target/ppc/mmu_helper.c | 2 +- target/riscv/cpu.c | 17 +- target/riscv/cpu.h | 12 + target/riscv/cpu_bits.h | 5 + target/riscv/cpu_cfg.h | 5 + target/riscv/cpu_helper.c | 69 +- target/riscv/csr.c | 107 +++ target/riscv/tcg/tcg-cpu.c | 11 + target/rx/cpu.c | 3 +- target/s390x/tcg/excp_helper.c | 2 +- target/sh4/helper.c | 2 +- target/sparc/mmu_helper.c | 6 +- target/tricore/helper.c | 2 +- target/xtensa/helper.c | 3 +- 39 files changed, 2063 insertions(+), 61 deletions(-) create mode 100644 hw/misc/riscv_wgchecker.c create mode 100644 hw/misc/riscv_worldguard.c create mode 100644 include/hw/misc/riscv_worldguard.h -- 2.17.1 'CPUTLBEntryFull.xlat_section' stores section_index in last 12 bits to find the correct section when CPU access the IO region over the IOTLB (iotlb_to_section()). However, section_index is only unique inside single AddressSpace. If address space translation is over IOMMUMemoryRegion, it could return section from other AddressSpace. 'iotlb_to_section()' API only finds the sections from CPU's AddressSpace so that it couldn't find section in other AddressSpace. Thus, using 'iotlb_to_section()' API will find the wrong section and QEMU will have wrong load/store access. To fix this bug, store complete MemoryRegionSection pointer in CPUTLBEntryFull instead of section_index. This bug occurs only when (1) IOMMUMemoryRegion is in the path of CPU access. (2) IOMMUMemoryRegion returns different target_as and the section is in the IO region. Common IOMMU devices don't have this issue since they are only in the path of DMA access. Currently, the bug only occurs when ARM MPC device (hw/misc/tz-mpc.c) returns 'blocked_io_as' to emulate blocked access handling. Upcoming RISC-V wgChecker device is also affected by this bug. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- accel/tcg/cputlb.c | 19 +++++++++---------- include/hw/core/cpu.h | 3 +++ 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index XXXXXXX..XXXXXXX 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -XXX,XX +XXX,XX @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx, desc->fulltlb[index] = *full; full = &desc->fulltlb[index]; full->xlat_section = iotlb - addr_page; + full->section = section; full->phys_addr = paddr_page; /* Now calculate the new entry */ @@ -XXX,XX +XXX,XX @@ static inline void cpu_unaligned_access(CPUState *cpu, vaddr addr, } static MemoryRegionSection * -io_prepare(hwaddr *out_offset, CPUState *cpu, hwaddr xlat, +io_prepare(hwaddr *out_offset, CPUState *cpu, CPUTLBEntryFull *full, MemTxAttrs attrs, vaddr addr, uintptr_t retaddr) { MemoryRegionSection *section; hwaddr mr_offset; - section = iotlb_to_section(cpu, xlat, attrs); - mr_offset = (xlat & TARGET_PAGE_MASK) + addr; + section = full->section; + mr_offset = (full->xlat_section & TARGET_PAGE_MASK) + addr; cpu->mem_io_pc = retaddr; if (!cpu->neg.can_do_io) { cpu_io_recompile(cpu, retaddr); @@ -XXX,XX +XXX,XX @@ bool tlb_plugin_lookup(CPUState *cpu, vaddr addr, int mmu_idx, /* We must have an iotlb entry for MMIO */ if (tlb_addr & TLB_MMIO) { - MemoryRegionSection *section = - iotlb_to_section(cpu, full->xlat_section & ~TARGET_PAGE_MASK, - full->attrs); + MemoryRegionSection *section = full->section; data->is_io = true; data->mr = section->mr; } else { @@ -XXX,XX +XXX,XX @@ static uint64_t do_ld_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full, tcg_debug_assert(size > 0 && size <= 8); attrs = full->attrs; - section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra); + section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra); mr = section->mr; BQL_LOCK_GUARD(); @@ -XXX,XX +XXX,XX @@ static Int128 do_ld16_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full, tcg_debug_assert(size > 8 && size <= 16); attrs = full->attrs; - section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra); + section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra); mr = section->mr; BQL_LOCK_GUARD(); @@ -XXX,XX +XXX,XX @@ static uint64_t do_st_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full, tcg_debug_assert(size > 0 && size <= 8); attrs = full->attrs; - section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra); + section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra); mr = section->mr; BQL_LOCK_GUARD(); @@ -XXX,XX +XXX,XX @@ static uint64_t do_st16_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full, tcg_debug_assert(size > 8 && size <= 16); attrs = full->attrs; - section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra); + section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra); mr = section->mr; BQL_LOCK_GUARD(); diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/core/cpu.h +++ b/include/hw/core/cpu.h @@ -XXX,XX +XXX,XX @@ struct CPUTLBEntryFull { */ hwaddr xlat_section; + /* @section contains physical section. */ + MemoryRegionSection *section; + /* * @phys_addr contains the physical address in the address space * given by cpu_asidx_from_attrs(cpu, @attrs). -- 2.17.1 It is the preparation patch for upcoming RISC-V wgChecker device. Since RISC-V wgChecker could permit access in RO/WO permission, the IOMMUMemoryRegion could return different section for read & write access. The memory access from CPU should also pass the access_type to IOMMU translate function so that IOMMU could return the correct section of specified access_type. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- accel/tcg/cputlb.c | 17 ++++++++++------- include/exec/cputlb.h | 11 +++++++---- include/exec/exec-all.h | 3 ++- system/physmem.c | 16 +++++++++++----- target/alpha/helper.c | 2 +- target/avr/helper.c | 2 +- target/hppa/mem_helper.c | 1 - target/i386/tcg/system/excp_helper.c | 3 ++- target/loongarch/tcg/tlb_helper.c | 2 +- target/m68k/helper.c | 10 +++++++--- target/microblaze/helper.c | 8 ++++---- target/mips/tcg/system/tlb_helper.c | 4 ++-- target/openrisc/mmu.c | 2 +- target/ppc/mmu_helper.c | 2 +- target/riscv/cpu_helper.c | 2 +- target/rx/cpu.c | 3 ++- target/s390x/tcg/excp_helper.c | 2 +- target/sh4/helper.c | 2 +- target/sparc/mmu_helper.c | 6 +++--- target/tricore/helper.c | 2 +- target/xtensa/helper.c | 3 ++- 21 files changed, 61 insertions(+), 42 deletions(-) diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index XXXXXXX..XXXXXXX 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -XXX,XX +XXX,XX @@ static inline void tlb_set_compare(CPUTLBEntryFull *full, CPUTLBEntry *ent, * critical section. */ void tlb_set_page_full(CPUState *cpu, int mmu_idx, - vaddr addr, CPUTLBEntryFull *full) + vaddr addr, MMUAccessType access_type, + CPUTLBEntryFull *full) { CPUTLB *tlb = &cpu->neg.tlb; CPUTLBDesc *desc = &tlb->d[mmu_idx]; @@ -XXX,XX +XXX,XX @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx, prot = full->prot; asidx = cpu_asidx_from_attrs(cpu, full->attrs); section = address_space_translate_for_iotlb(cpu, asidx, paddr_page, - &xlat, &sz, full->attrs, &prot); + &xlat, &sz, full->attrs, &prot, + access_type); assert(sz >= TARGET_PAGE_SIZE); tlb_debug("vaddr=%016" VADDR_PRIx " paddr=0x" HWADDR_FMT_plx @@ -XXX,XX +XXX,XX @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx, void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr, hwaddr paddr, MemTxAttrs attrs, int prot, - int mmu_idx, vaddr size) + MMUAccessType access_type, int mmu_idx, + vaddr size) { CPUTLBEntryFull full = { .phys_addr = paddr, @@ -XXX,XX +XXX,XX @@ void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr, }; assert(is_power_of_2(size)); - tlb_set_page_full(cpu, mmu_idx, addr, &full); + tlb_set_page_full(cpu, mmu_idx, addr, access_type, &full); } void tlb_set_page(CPUState *cpu, vaddr addr, - hwaddr paddr, int prot, + hwaddr paddr, int prot, MMUAccessType access_type, int mmu_idx, vaddr size) { tlb_set_page_with_attrs(cpu, addr, paddr, MEMTXATTRS_UNSPECIFIED, - prot, mmu_idx, size); + prot, access_type, mmu_idx, size); } /** @@ -XXX,XX +XXX,XX @@ static bool tlb_fill_align(CPUState *cpu, vaddr addr, MMUAccessType type, if (ops->tlb_fill_align) { if (ops->tlb_fill_align(cpu, &full, addr, type, mmu_idx, memop, size, probe, ra)) { - tlb_set_page_full(cpu, mmu_idx, addr, &full); + tlb_set_page_full(cpu, mmu_idx, addr, type, &full); return true; } } else { diff --git a/include/exec/cputlb.h b/include/exec/cputlb.h index XXXXXXX..XXXXXXX 100644 --- a/include/exec/cputlb.h +++ b/include/exec/cputlb.h @@ -XXX,XX +XXX,XX @@ void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length); * @cpu: CPU context * @mmu_idx: mmu index of the tlb to modify * @addr: virtual address of the entry to add + * @access_type: access was read/write/execute * @full: the details of the tlb entry * * Add an entry to @cpu tlb index @mmu_idx. All of the fields of @@ -XXX,XX +XXX,XX @@ void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length); * used by tlb_flush_page. */ void tlb_set_page_full(CPUState *cpu, int mmu_idx, vaddr addr, + MMUAccessType access_type, CPUTLBEntryFull *full); /** @@ -XXX,XX +XXX,XX @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx, vaddr addr, * @paddr: physical address of the page * @attrs: memory transaction attributes * @prot: access permissions (PAGE_READ/PAGE_WRITE/PAGE_EXEC bits) + * @access_type: access was read/write/execute * @mmu_idx: MMU index to insert TLB entry for * @size: size of the page in bytes * @@ -XXX,XX +XXX,XX @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx, vaddr addr, * used by tlb_flush_page. */ void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr, - hwaddr paddr, MemTxAttrs attrs, - int prot, int mmu_idx, vaddr size); - + hwaddr paddr, MemTxAttrs attrs, int prot, + MMUAccessType access_type, int mmu_idx, + vaddr size); /** * tlb_set_page: * @@ -XXX,XX +XXX,XX @@ void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr, * as a convenience for CPUs which don't use memory transaction attributes. */ void tlb_set_page(CPUState *cpu, vaddr addr, - hwaddr paddr, int prot, + hwaddr paddr, int prot, MMUAccessType access_type, int mmu_idx, vaddr size); #if defined(CONFIG_TCG) && !defined(CONFIG_USER_ONLY) diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h index XXXXXXX..XXXXXXX 100644 --- a/include/exec/exec-all.h +++ b/include/exec/exec-all.h @@ -XXX,XX +XXX,XX @@ static inline tb_page_addr_t get_page_addr_code(CPUArchState *env, MemoryRegionSection * address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, hwaddr *xlat, hwaddr *plen, - MemTxAttrs attrs, int *prot); + MemTxAttrs attrs, int *prot, + MMUAccessType access_type); hwaddr memory_region_section_get_iotlb(CPUState *cpu, MemoryRegionSection *section); #endif diff --git a/system/physmem.c b/system/physmem.c index XXXXXXX..XXXXXXX 100644 --- a/system/physmem.c +++ b/system/physmem.c @@ -XXX,XX +XXX,XX @@ void tcg_iommu_init_notifier_list(CPUState *cpu) MemoryRegionSection * address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr, hwaddr *xlat, hwaddr *plen, - MemTxAttrs attrs, int *prot) + MemTxAttrs attrs, int *prot, + MMUAccessType access_type) { MemoryRegionSection *section; IOMMUMemoryRegion *iommu_mr; IOMMUMemoryRegionClass *imrc; IOMMUTLBEntry iotlb; + IOMMUAccessFlags iommu_flags; int iommu_idx; hwaddr addr = orig_addr; AddressSpaceDispatch *d = cpu->cpu_ases[asidx].memory_dispatch; @@ -XXX,XX +XXX,XX @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr, iommu_idx = imrc->attrs_to_index(iommu_mr, attrs); tcg_register_iommu_notifier(cpu, iommu_mr, iommu_idx); - /* We need all the permissions, so pass IOMMU_NONE so the IOMMU - * doesn't short-cut its translation table walk. - */ - iotlb = imrc->translate(iommu_mr, addr, IOMMU_NONE, iommu_idx); + + if (access_type == MMU_DATA_STORE) { + iommu_flags = IOMMU_WO; + } else { + iommu_flags = IOMMU_RO; + } + + iotlb = imrc->translate(iommu_mr, addr, iommu_flags, iommu_idx); addr = ((iotlb.translated_addr & ~iotlb.addr_mask) | (addr & iotlb.addr_mask)); /* Update the caller's prot bits to remove permissions the IOMMU diff --git a/target/alpha/helper.c b/target/alpha/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/alpha/helper.c +++ b/target/alpha/helper.c @@ -XXX,XX +XXX,XX @@ bool alpha_cpu_tlb_fill(CPUState *cs, vaddr addr, int size, } tlb_set_page(cs, addr & TARGET_PAGE_MASK, phys & TARGET_PAGE_MASK, - prot, mmu_idx, TARGET_PAGE_SIZE); + prot, access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } diff --git a/target/avr/helper.c b/target/avr/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/avr/helper.c +++ b/target/avr/helper.c @@ -XXX,XX +XXX,XX @@ bool avr_cpu_tlb_fill(CPUState *cs, vaddr address, int size, } } - tlb_set_page(cs, address, paddr, prot, mmu_idx, page_size); + tlb_set_page(cs, address, paddr, prot, access_type, mmu_idx, page_size); return true; } diff --git a/target/hppa/mem_helper.c b/target/hppa/mem_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/hppa/mem_helper.c +++ b/target/hppa/mem_helper.c @@ -XXX,XX +XXX,XX @@ bool hppa_cpu_tlb_fill_align(CPUState *cs, CPUTLBEntryFull *out, vaddr addr, out->prot = prot; out->attrs = MEMTXATTRS_UNSPECIFIED; out->lg_page_size = TARGET_PAGE_BITS; - return true; } diff --git a/target/i386/tcg/system/excp_helper.c b/target/i386/tcg/system/excp_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/i386/tcg/system/excp_helper.c +++ b/target/i386/tcg/system/excp_helper.c @@ -XXX,XX +XXX,XX @@ bool x86_cpu_tlb_fill(CPUState *cs, vaddr addr, int size, tlb_set_page_with_attrs(cs, addr & TARGET_PAGE_MASK, out.paddr & TARGET_PAGE_MASK, cpu_get_mem_attrs(env), - out.prot, mmu_idx, out.page_size); + out.prot, access_type, mmu_idx, + out.page_size); return true; } diff --git a/target/loongarch/tcg/tlb_helper.c b/target/loongarch/tcg/tlb_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/loongarch/tcg/tlb_helper.c +++ b/target/loongarch/tcg/tlb_helper.c @@ -XXX,XX +XXX,XX @@ bool loongarch_cpu_tlb_fill(CPUState *cs, vaddr address, int size, if (ret == TLBRET_MATCH) { tlb_set_page(cs, address & TARGET_PAGE_MASK, physical & TARGET_PAGE_MASK, prot, - mmu_idx, TARGET_PAGE_SIZE); + access_type, mmu_idx, TARGET_PAGE_SIZE); qemu_log_mask(CPU_LOG_MMU, "%s address=%" VADDR_PRIx " physical " HWADDR_FMT_plx " prot %d\n", __func__, address, physical, prot); diff --git a/target/m68k/helper.c b/target/m68k/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/m68k/helper.c +++ b/target/m68k/helper.c @@ -XXX,XX +XXX,XX @@ bool m68k_cpu_tlb_fill(CPUState *cs, vaddr address, int size, tlb_set_page(cs, address & TARGET_PAGE_MASK, address & TARGET_PAGE_MASK, PAGE_READ | PAGE_WRITE | PAGE_EXEC, - mmu_idx, TARGET_PAGE_SIZE); + qemu_access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } @@ -XXX,XX +XXX,XX @@ bool m68k_cpu_tlb_fill(CPUState *cs, vaddr address, int size, address, access_type, &page_size); if (likely(ret == 0)) { tlb_set_page(cs, address & TARGET_PAGE_MASK, - physical & TARGET_PAGE_MASK, prot, mmu_idx, page_size); + physical & TARGET_PAGE_MASK, prot, qemu_access_type, + mmu_idx, page_size); return true; } @@ -XXX,XX +XXX,XX @@ void HELPER(ptest)(CPUM68KState *env, uint32_t addr, uint32_t is_read) int prot; int ret; target_ulong page_size; + MMUAccessType qemu_access_type; access_type = ACCESS_PTEST; if (env->dfc & 4) { @@ -XXX,XX +XXX,XX @@ void HELPER(ptest)(CPUM68KState *env, uint32_t addr, uint32_t is_read) } if ((env->dfc & 3) == 2) { access_type |= ACCESS_CODE; + qemu_access_type = MMU_INST_FETCH; } if (!is_read) { access_type |= ACCESS_STORE; + qemu_access_type = MMU_DATA_STORE; } env->mmu.mmusr = 0; @@ -XXX,XX +XXX,XX @@ void HELPER(ptest)(CPUM68KState *env, uint32_t addr, uint32_t is_read) if (ret == 0) { tlb_set_page(env_cpu(env), addr & TARGET_PAGE_MASK, physical & TARGET_PAGE_MASK, - prot, access_type & ACCESS_SUPER ? + prot, qemu_access_type, access_type & ACCESS_SUPER ? MMU_KERNEL_IDX : MMU_USER_IDX, page_size); } } diff --git a/target/microblaze/helper.c b/target/microblaze/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/microblaze/helper.c +++ b/target/microblaze/helper.c @@ -XXX,XX +XXX,XX @@ bool mb_cpu_tlb_fill(CPUState *cs, vaddr address, int size, /* MMU disabled or not available. */ address &= TARGET_PAGE_MASK; prot = PAGE_RWX; - tlb_set_page_with_attrs(cs, address, address, attrs, prot, mmu_idx, - TARGET_PAGE_SIZE); + tlb_set_page_with_attrs(cs, address, address, attrs, prot, access_type, + mmu_idx, TARGET_PAGE_SIZE); return true; } @@ -XXX,XX +XXX,XX @@ bool mb_cpu_tlb_fill(CPUState *cs, vaddr address, int size, qemu_log_mask(CPU_LOG_MMU, "MMU map mmu=%d v=%x p=%x prot=%x\n", mmu_idx, vaddr, paddr, lu.prot); - tlb_set_page_with_attrs(cs, vaddr, paddr, attrs, lu.prot, mmu_idx, - TARGET_PAGE_SIZE); + tlb_set_page_with_attrs(cs, vaddr, paddr, attrs, lu.prot, access_type, + mmu_idx, TARGET_PAGE_SIZE); return true; } diff --git a/target/mips/tcg/system/tlb_helper.c b/target/mips/tcg/system/tlb_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/mips/tcg/system/tlb_helper.c +++ b/target/mips/tcg/system/tlb_helper.c @@ -XXX,XX +XXX,XX @@ bool mips_cpu_tlb_fill(CPUState *cs, vaddr address, int size, if (ret == TLBRET_MATCH) { tlb_set_page(cs, address & TARGET_PAGE_MASK, physical & TARGET_PAGE_MASK, prot, - mmu_idx, TARGET_PAGE_SIZE); + access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } #if !defined(TARGET_MIPS64) @@ -XXX,XX +XXX,XX @@ bool mips_cpu_tlb_fill(CPUState *cs, vaddr address, int size, if (ret == TLBRET_MATCH) { tlb_set_page(cs, address & TARGET_PAGE_MASK, physical & TARGET_PAGE_MASK, prot, - mmu_idx, TARGET_PAGE_SIZE); + access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } } diff --git a/target/openrisc/mmu.c b/target/openrisc/mmu.c index XXXXXXX..XXXXXXX 100644 --- a/target/openrisc/mmu.c +++ b/target/openrisc/mmu.c @@ -XXX,XX +XXX,XX @@ bool openrisc_cpu_tlb_fill(CPUState *cs, vaddr addr, int size, if (likely(excp == 0)) { tlb_set_page(cs, addr & TARGET_PAGE_MASK, phys_addr & TARGET_PAGE_MASK, prot, - mmu_idx, TARGET_PAGE_SIZE); + access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } if (probe) { diff --git a/target/ppc/mmu_helper.c b/target/ppc/mmu_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/ppc/mmu_helper.c +++ b/target/ppc/mmu_helper.c @@ -XXX,XX +XXX,XX @@ bool ppc_cpu_tlb_fill(CPUState *cs, vaddr eaddr, int size, if (ppc_xlate(cpu, eaddr, access_type, &raddr, &page_size, &prot, mmu_idx, !probe)) { tlb_set_page(cs, eaddr & TARGET_PAGE_MASK, raddr & TARGET_PAGE_MASK, - prot, mmu_idx, 1UL << page_size); + prot, access_type, mmu_idx, 1UL << page_size); return true; } if (probe) { diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu_helper.c +++ b/target/riscv/cpu_helper.c @@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size, if (ret == TRANSLATE_SUCCESS) { tlb_set_page(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1), - prot, mmu_idx, tlb_size); + prot, access_type, mmu_idx, tlb_size); return true; } else if (probe) { return false; diff --git a/target/rx/cpu.c b/target/rx/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/rx/cpu.c +++ b/target/rx/cpu.c @@ -XXX,XX +XXX,XX @@ static bool rx_cpu_tlb_fill(CPUState *cs, vaddr addr, int size, /* Linear mapping */ address = physical = addr & TARGET_PAGE_MASK; prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC; - tlb_set_page(cs, address, physical, prot, mmu_idx, TARGET_PAGE_SIZE); + tlb_set_page(cs, address, physical, prot, access_type, + mmu_idx, TARGET_PAGE_SIZE); return true; } diff --git a/target/s390x/tcg/excp_helper.c b/target/s390x/tcg/excp_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/s390x/tcg/excp_helper.c +++ b/target/s390x/tcg/excp_helper.c @@ -XXX,XX +XXX,XX @@ bool s390_cpu_tlb_fill(CPUState *cs, vaddr address, int size, "%s: set tlb %" PRIx64 " -> %" PRIx64 " (%x)\n", __func__, (uint64_t)vaddr, (uint64_t)raddr, prot); tlb_set_page(cs, address & TARGET_PAGE_MASK, raddr, prot, - mmu_idx, TARGET_PAGE_SIZE); + access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } if (probe) { diff --git a/target/sh4/helper.c b/target/sh4/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/sh4/helper.c +++ b/target/sh4/helper.c @@ -XXX,XX +XXX,XX @@ bool superh_cpu_tlb_fill(CPUState *cs, vaddr address, int size, if (ret == MMU_OK) { address &= TARGET_PAGE_MASK; physical &= TARGET_PAGE_MASK; - tlb_set_page(cs, address, physical, prot, mmu_idx, TARGET_PAGE_SIZE); + tlb_set_page(cs, address, physical, prot, access_type, mmu_idx, TARGET_PAGE_SIZE); return true; } if (probe) { diff --git a/target/sparc/mmu_helper.c b/target/sparc/mmu_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/sparc/mmu_helper.c +++ b/target/sparc/mmu_helper.c @@ -XXX,XX +XXX,XX @@ bool sparc_cpu_tlb_fill(CPUState *cs, vaddr address, int size, "Translate at %" VADDR_PRIx " -> " HWADDR_FMT_plx ", vaddr " TARGET_FMT_lx "\n", address, full.phys_addr, vaddr); - tlb_set_page_full(cs, mmu_idx, vaddr, &full); + tlb_set_page_full(cs, mmu_idx, vaddr, access_type, &full); return true; } @@ -XXX,XX +XXX,XX @@ bool sparc_cpu_tlb_fill(CPUState *cs, vaddr address, int size, neverland. Fake/overridden mappings will be flushed when switching to normal mode. */ full.prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC; - tlb_set_page_full(cs, mmu_idx, vaddr, &full); + tlb_set_page_full(cs, mmu_idx, vaddr, access_type, &full); return true; } else { if (access_type == MMU_INST_FETCH) { @@ -XXX,XX +XXX,XX @@ bool sparc_cpu_tlb_fill(CPUState *cs, vaddr address, int size, trace_mmu_helper_mmu_fault(address, full.phys_addr, mmu_idx, env->tl, env->dmmu.mmu_primary_context, env->dmmu.mmu_secondary_context); - tlb_set_page_full(cs, mmu_idx, address, &full); + tlb_set_page_full(cs, mmu_idx, address, access_type, &full); return true; } if (probe) { diff --git a/target/tricore/helper.c b/target/tricore/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/tricore/helper.c +++ b/target/tricore/helper.c @@ -XXX,XX +XXX,XX @@ bool tricore_cpu_tlb_fill(CPUState *cs, vaddr address, int size, if (ret == TLBRET_MATCH) { tlb_set_page(cs, address & TARGET_PAGE_MASK, physical & TARGET_PAGE_MASK, prot | PAGE_EXEC, - mmu_idx, TARGET_PAGE_SIZE); + rw, mmu_idx, TARGET_PAGE_SIZE); return true; } else { assert(ret < 0); diff --git a/target/xtensa/helper.c b/target/xtensa/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/xtensa/helper.c +++ b/target/xtensa/helper.c @@ -XXX,XX +XXX,XX @@ bool xtensa_cpu_tlb_fill(CPUState *cs, vaddr address, int size, tlb_set_page(cs, address & TARGET_PAGE_MASK, paddr & TARGET_PAGE_MASK, - access, mmu_idx, page_size); + access, access_type, mmu_idx, + page_size); return true; } else if (probe) { return false; -- 2.17.1 RISC-V WorldGuard will add 5-bit world_id (WID) to the each memory transaction on the bus. The wgChecker in front of RAM or peripherals MMIO could do the access control based on the WID. It is similar to ARM TrustZone NS bit, but the WID is 5-bit. The common implementation of WID is AXI4 AxUSER signal. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- include/exec/memattrs.h | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h index XXXXXXX..XXXXXXX 100644 --- a/include/exec/memattrs.h +++ b/include/exec/memattrs.h @@ -XXX,XX +XXX,XX @@ typedef struct MemTxAttrs { */ unsigned int pid:8; + /* + * RISC-V WorldGuard: the 5-bit WID field of memory access. + */ + unsigned int world_id:5; + /* * Bus masters which don't specify any attributes will get this * (via the MEMTXATTRS_UNSPECIFIED constant), so that we can @@ -XXX,XX +XXX,XX @@ typedef struct MemTxAttrs { */ bool unspecified; - uint8_t _reserved1; - uint16_t _reserved2; + uint16_t _reserved1; } MemTxAttrs; QEMU_BUILD_BUG_ON(sizeof(MemTxAttrs) > 8); -- 2.17.1 Add a device for RISCV WG global config, which contains the number of worlds, reset value, and trusted WID ... etc. This global config is used by both CPU WG extension and wgChecker devices. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- hw/misc/Kconfig | 3 + hw/misc/meson.build | 1 + hw/misc/riscv_worldguard.c | 182 +++++++++++++++++++++++++++++ include/hw/misc/riscv_worldguard.h | 55 +++++++++ 4 files changed, 241 insertions(+) create mode 100644 hw/misc/riscv_worldguard.c create mode 100644 include/hw/misc/riscv_worldguard.h diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/Kconfig +++ b/hw/misc/Kconfig @@ -XXX,XX +XXX,XX @@ config IOSB config XLNX_VERSAL_TRNG bool +config RISCV_WORLDGUARD + bool + source macio/Kconfig diff --git a/hw/misc/meson.build b/hw/misc/meson.build index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/meson.build +++ b/hw/misc/meson.build @@ -XXX,XX +XXX,XX @@ system_ss.add(when: 'CONFIG_SIFIVE_E_PRCI', if_true: files('sifive_e_prci.c')) system_ss.add(when: 'CONFIG_SIFIVE_E_AON', if_true: files('sifive_e_aon.c')) system_ss.add(when: 'CONFIG_SIFIVE_U_OTP', if_true: files('sifive_u_otp.c')) system_ss.add(when: 'CONFIG_SIFIVE_U_PRCI', if_true: files('sifive_u_prci.c')) +specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c')) subdir('macio') diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/hw/misc/riscv_worldguard.c @@ -XXX,XX +XXX,XX @@ +/* + * RISC-V WorldGuard Device + * + * Copyright (c) 2022 SiFive, Inc. + * + * This provides WorldGuard global config. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2 or later, as published by the Free Software Foundation. + * + * This program is distributed in the hope it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "qemu/log.h" +#include "exec/hwaddr.h" +#include "hw/registerfields.h" +#include "hw/sysbus.h" +#include "hw/hw.h" +#include "hw/qdev-properties.h" +#include "hw/misc/riscv_worldguard.h" +#include "hw/core/cpu.h" +#include "target/riscv/cpu.h" +#include "trace.h" + +/* + * WorldGuard global config: + * List the global setting of WG, like num-of-worlds. It is unique in the machine. + * All CPUs with WG extension and wgChecker devices will use it. + */ +struct RISCVWorldGuardState *worldguard_config = NULL; + +static Property riscv_worldguard_properties[] = { + DEFINE_PROP_UINT32("nworlds", RISCVWorldGuardState, nworlds, 0), + + /* Only Trusted WID could access wgCheckers if it is enabled. */ + DEFINE_PROP_UINT32("trustedwid", RISCVWorldGuardState, trustedwid, NO_TRUSTEDWID), + + /* + * WG reset value is bypass mode in HW. All WG permission checkings are + * pass by default, so SW could correctly run on the machine w/o any WG + * programming. + */ + DEFINE_PROP_BOOL("hw-bypass", RISCVWorldGuardState, hw_bypass, false), + + /* + * TrustZone compatible mode: + * This mode is only supported in 2 worlds system. It converts WorldGuard + * WID to TZ NS signal on the bus so WG could be cooperated with + * TZ components. In QEMU, it converts WID to 'MemTxAttrs.secure' bit used + * by TZ. + */ + DEFINE_PROP_BOOL("tz-compat", RISCVWorldGuardState, tz_compat, false), +}; + +/* WID to MemTxAttrs converter */ +static void wid_to_mem_attrs(MemTxAttrs *attrs, uint32_t wid) +{ + g_assert(wid < worldguard_config->nworlds); + + attrs->unspecified = 0; + if (worldguard_config->tz_compat) { + attrs->secure = wid; + } else { + attrs->world_id = wid; + } +} + +/* MemTxAttrs to WID converter */ +uint32_t mem_attrs_to_wid(MemTxAttrs attrs) +{ + if (attrs.unspecified) { + if (worldguard_config->trustedwid != NO_TRUSTEDWID) { + return worldguard_config->trustedwid; + } else { + return worldguard_config->nworlds - 1; + } + } + + if (worldguard_config->tz_compat) { + return attrs.secure; + } else { + return attrs.world_id; + } +} + +bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock) +{ + uint32_t wid = mem_attrs_to_wid(attrs); + uint32_t trustedwid = worldguard_config->trustedwid; + + if ((trustedwid == NO_TRUSTEDWID) || (wid == trustedwid)) { + return true; + } else { + /* + * Only Trusted WID could access WG blocks if having it. + * Access them from other WIDs will get failed. + */ + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Invalid access to %s from non-trusted WID %d\n", + __func__, wgblock, wid); + + return false; + } +} + +static void riscv_worldguard_realize(DeviceState *dev, Error **errp) +{ + RISCVWorldGuardState *s = RISCV_WORLDGUARD(dev); + + if (worldguard_config != NULL) { + error_setg(errp, "Couldn't realize multiple global WorldGuard configs."); + return; + } + + if ((s->nworlds) & (s->nworlds - 1)) { + error_setg(errp, "Current implementation only support power-of-2 NWorld."); + return; + } + + if ((s->trustedwid != NO_TRUSTEDWID) && (s->trustedwid >= s->nworlds)) { + error_setg(errp, "Trusted WID must be less than the number of world."); + return; + } + + if ((s->nworlds != 2) && (s->tz_compat)) { + error_setg(errp, "Only 2 worlds system could use TrustZone compatible mode."); + return; + } + + /* Register WG global config */ + worldguard_config = s; + + /* Initialize global data for wgChecker */ + wgc_slot_perm_mask = MAKE_64BIT_MASK(0, 2 * worldguard_config->nworlds); +} + +static void riscv_worldguard_class_init(ObjectClass *klass, void *data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + + device_class_set_props(dc, riscv_worldguard_properties); + dc->user_creatable = true; + dc->realize = riscv_worldguard_realize; +} + +static const TypeInfo riscv_worldguard_info = { + .name = TYPE_RISCV_WORLDGUARD, + .parent = TYPE_DEVICE, + .instance_size = sizeof(RISCVWorldGuardState), + .class_init = riscv_worldguard_class_init, +}; + +/* + * Create WorldGuard global config + */ +DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid, + bool hw_bypass, bool tz_compat) +{ + DeviceState *dev = qdev_new(TYPE_RISCV_WORLDGUARD); + qdev_prop_set_uint32(dev, "nworlds", nworlds); + qdev_prop_set_uint32(dev, "trustedwid", trustedwid); + qdev_prop_set_bit(dev, "hw-bypass", hw_bypass); + qdev_prop_set_bit(dev, "tz-compat", tz_compat); + qdev_realize(DEVICE(dev), NULL, &error_fatal); + return dev; +} + +static void riscv_worldguard_register_types(void) +{ + type_register_static(&riscv_worldguard_info); +} + +type_init(riscv_worldguard_register_types) diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/include/hw/misc/riscv_worldguard.h @@ -XXX,XX +XXX,XX @@ +/* + * RISC-V WorldGuard Devices + * + * Copyright (c) 2022 RISCV, Inc. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2 or later, as published by the Free Software Foundation. + * + * This program is distributed in the hope it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef HW_RISCV_WORLDGUARD_H +#define HW_RISCV_WORLDGUARD_H + +#include "qom/object.h" +#include "hw/sysbus.h" +#include "exec/hwaddr.h" + +#define TYPE_RISCV_WORLDGUARD "riscv.worldguard" + +#define NO_TRUSTEDWID UINT32_MAX + +typedef struct RISCVWorldGuardState RISCVWorldGuardState; +DECLARE_INSTANCE_CHECKER(RISCVWorldGuardState, RISCV_WORLDGUARD, + TYPE_RISCV_WORLDGUARD) + +struct RISCVWorldGuardState { + /*< private >*/ + DeviceState parent_obj; + + /*< public >*/ + + /* Property */ + uint32_t nworlds; + uint32_t trustedwid; + bool hw_bypass; + bool tz_compat; +}; + +extern struct RISCVWorldGuardState *worldguard_config; + +DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid, + bool hw_bypass, bool tz_compat); + +uint32_t mem_attrs_to_wid(MemTxAttrs attrs); +bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock); + +#endif -- 2.17.1 We define CPU options for WG CSR support in RISC-V CPUs which can be set by machine/device emulation. The RISC-V CSR emulation will also check this feature for emulating WG CSRs. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- target/riscv/cpu.c | 3 +++ target/riscv/cpu_cfg.h | 3 +++ target/riscv/tcg/tcg-cpu.c | 11 +++++++++++ 3 files changed, 17 insertions(+) diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.c +++ b/target/riscv/cpu.c @@ -XXX,XX +XXX,XX @@ const RISCVIsaExtData isa_edata_arr[] = { ISA_EXT_DATA_ENTRY(xtheadmempair, PRIV_VERSION_1_11_0, ext_xtheadmempair), ISA_EXT_DATA_ENTRY(xtheadsync, PRIV_VERSION_1_11_0, ext_xtheadsync), ISA_EXT_DATA_ENTRY(xventanacondops, PRIV_VERSION_1_12_0, ext_XVentanaCondOps), + ISA_EXT_DATA_ENTRY(smwg, PRIV_VERSION_1_12_0, ext_smwg), + ISA_EXT_DATA_ENTRY(smwgd, PRIV_VERSION_1_12_0, ext_smwgd), + ISA_EXT_DATA_ENTRY(sswg, PRIV_VERSION_1_12_0, ext_sswg), { }, }; diff --git a/target/riscv/cpu_cfg.h b/target/riscv/cpu_cfg.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu_cfg.h +++ b/target/riscv/cpu_cfg.h @@ -XXX,XX +XXX,XX @@ struct RISCVCPUConfig { bool ext_smmpm; bool ext_sspm; bool ext_supm; + bool ext_smwg; + bool ext_smwgd; + bool ext_sswg; bool rvv_ta_all_1s; bool rvv_ma_all_1s; bool rvv_vl_half_avl; diff --git a/target/riscv/tcg/tcg-cpu.c b/target/riscv/tcg/tcg-cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/tcg/tcg-cpu.c +++ b/target/riscv/tcg/tcg-cpu.c @@ -XXX,XX +XXX,XX @@ void riscv_cpu_validate_set_extensions(RISCVCPU *cpu, Error **errp) cpu->cfg.ext_ssctr = false; } + /* RISC-V WorldGuard */ + if (cpu->cfg.ext_sswg && !cpu->cfg.ext_smwg) { + error_setg(errp, "Sswg extension requires Smwg extension"); + return; + } + + if (cpu->cfg.ext_smwgd != cpu->cfg.ext_sswg) { + error_setg(errp, "Smwgd/Sswg extensions should be enabled together"); + return; + } + /* * Disable isa extensions based on priv spec after we * validated and set everything we need. -- 2.17.1 Add hard-coded state of WG extension. 'mwid' is the M-mode WID of CPU. 'mwidlist' is the list of allowed WID value of 'mlwid' CSR. These CPU states can be set by CPU option, or can be set by machine code via newly added APIs. If we want different WG configs of CPUs, we should set it by machine code. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- target/riscv/cpu.h | 2 ++ target/riscv/cpu_cfg.h | 2 ++ target/riscv/cpu_helper.c | 18 ++++++++++++++++++ 3 files changed, 22 insertions(+) diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.h +++ b/target/riscv/cpu.h @@ -XXX,XX +XXX,XX @@ void riscv_cpu_set_aia_ireg_rmw_fn(CPURISCVState *env, uint32_t priv, void *rmw_fn_arg); RISCVException smstateen_acc_ok(CPURISCVState *env, int index, uint64_t bit); +void riscv_cpu_set_wg_mwid(CPURISCVState *env, uint32_t mwid); +void riscv_cpu_set_wg_mwidlist(CPURISCVState *env, uint32_t mwidlist); #endif /* !CONFIG_USER_ONLY */ void riscv_cpu_set_mode(CPURISCVState *env, target_ulong newpriv, bool virt_en); diff --git a/target/riscv/cpu_cfg.h b/target/riscv/cpu_cfg.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu_cfg.h +++ b/target/riscv/cpu_cfg.h @@ -XXX,XX +XXX,XX @@ struct RISCVCPUConfig { bool pmp; bool debug; bool misa_w; + uint32_t mwid; + uint32_t mwidlist; bool short_isa_string; diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu_helper.c +++ b/target/riscv/cpu_helper.c @@ -XXX,XX +XXX,XX @@ void cpu_get_tb_cpu_state(CPURISCVState *env, vaddr *pc, *pflags = flags; } +#ifndef CONFIG_USER_ONLY +void riscv_cpu_set_wg_mwid(CPURISCVState *env, uint32_t mwid) +{ + CPUState *cs = env_cpu(env); + RISCVCPU *cpu = RISCV_CPU(cs); + + cpu->cfg.mwid = mwid; +} + +void riscv_cpu_set_wg_mwidlist(CPURISCVState *env, uint32_t mwidlist) +{ + CPUState *cs = env_cpu(env); + RISCVCPU *cpu = RISCV_CPU(cs); + + cpu->cfg.mwidlist = mwidlist; +} +#endif /* CONFIG_USER_ONLY */ + RISCVPmPmm riscv_pm_get_pmm(CPURISCVState *env) { #ifndef CONFIG_USER_ONLY -- 2.17.1 Add CSRs for 3 WG extensions: Smwg, Smwgd, and Sswg. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- target/riscv/cpu_bits.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu_bits.h +++ b/target/riscv/cpu_bits.h @@ -XXX,XX +XXX,XX @@ #define CSR_DPC 0x7b1 #define CSR_DSCRATCH 0x7b2 +/* RISC-V WorldGuard */ +#define CSR_MLWID 0x390 +#define CSR_SLWID 0x190 +#define CSR_MWIDDELEG 0x748 + /* Performance Counters */ #define CSR_MHPMCOUNTER3 0xb03 #define CSR_MHPMCOUNTER4 0xb04 -- 2.17.1 Some WG CPU functions depend on global WG config (like num-of-world), so we let the global WG config device to set callbacks of a RISC-V HART. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- target/riscv/cpu.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.h +++ b/target/riscv/cpu.h @@ -XXX,XX +XXX,XX @@ struct CPUArchState { target_ulong rnmip; uint64_t rnmi_irqvec; uint64_t rnmi_excpvec; + + /* machine specific WorldGuard callback */ + void (*wg_reset)(CPURISCVState *env); + void (*wid_to_mem_attrs)(MemTxAttrs *attrs, uint32_t wid); }; /* -- 2.17.1 The WG v0.4 specification adds 3 CSRs to configure S/U/HS/VS-mode WIDs of CPUs in the higher privileged modes. The Smwg extension at least requires a RISC-V HART to have M/U-mode, and the Sswg/Smwgd extension at least requires a RISC-V HART to have M/S/U-mode. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- target/riscv/cpu.c | 4 ++ target/riscv/cpu.h | 5 +++ target/riscv/csr.c | 107 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 116 insertions(+) diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.c +++ b/target/riscv/cpu.c @@ -XXX,XX +XXX,XX @@ static void riscv_cpu_reset_hold(Object *obj, ResetType type) env->mnstatus = set_field(env->mnstatus, MNSTATUS_NMIE, false); } + if (riscv_cpu_cfg(env)->ext_smwg && env->wg_reset) { + env->wg_reset(env); + } + if (kvm_enabled()) { kvm_riscv_reset_vcpu(cpu); } diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.h +++ b/target/riscv/cpu.h @@ -XXX,XX +XXX,XX @@ struct CPUArchState { uint64_t rnmi_irqvec; uint64_t rnmi_excpvec; + /* RISC-V WorldGuard */ + target_ulong mlwid; + target_ulong slwid; + target_ulong mwiddeleg; + /* machine specific WorldGuard callback */ void (*wg_reset)(CPURISCVState *env); void (*wid_to_mem_attrs)(MemTxAttrs *attrs, uint32_t wid); diff --git a/target/riscv/csr.c b/target/riscv/csr.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/csr.c +++ b/target/riscv/csr.c @@ -XXX,XX +XXX,XX @@ static int write_mnstatus(CPURISCVState *env, int csrno, target_ulong val) return RISCV_EXCP_NONE; } +/* RISC-V Worldguard */ +static RISCVException worldguard_umode(CPURISCVState *env, int csrno) +{ + if (!riscv_cpu_cfg(env)->ext_smwg) { + return RISCV_EXCP_ILLEGAL_INST; + } + + return umode(env, csrno); +} + +static RISCVException worldguard_sumode(CPURISCVState *env, int csrno) +{ + RISCVException ret; + + if (!riscv_cpu_cfg(env)->ext_sswg) { + return RISCV_EXCP_ILLEGAL_INST; + } + + ret = smode(env, csrno); + + if (ret != RISCV_EXCP_NONE) { + return ret; + } + + return umode(env, csrno); +} + +static RISCVException rmw_mlwid(CPURISCVState *env, int csrno, + target_ulong *ret_val, + target_ulong new_val, target_ulong wr_mask) +{ + CPUState *cs = env_cpu(env); + RISCVCPU *cpu = RISCV_CPU(cs); + target_ulong new_mlwid = (env->mlwid & ~wr_mask) | (new_val & wr_mask); + + if (ret_val) { + *ret_val = env->mlwid; + } + + g_assert(cpu->cfg.mwidlist); + if (!(BIT(new_mlwid) & cpu->cfg.mwidlist)) { + /* Set WID to lowest legal value if writing illegal value (WARL) */ + new_mlwid = find_first_bit((unsigned long *)&cpu->cfg.mwidlist, 32); + } + + if (env->mlwid != new_mlwid) { + env->mlwid = new_mlwid; + tlb_flush(cs); + } + + return RISCV_EXCP_NONE; +} + +static RISCVException rmw_slwid(CPURISCVState *env, int csrno, + target_ulong *ret_val, + target_ulong new_val, target_ulong wr_mask) +{ + target_ulong new_slwid = (env->slwid & ~wr_mask) | (new_val & wr_mask); + + if (!env->mwiddeleg) { + /* + * When mwiddeleg CSR is zero, access to slwid raises an illegal + * instruction exception. + */ + return RISCV_EXCP_ILLEGAL_INST; + } + + if (ret_val) { + *ret_val = env->slwid; + } + + if (!(BIT(new_slwid) & env->mwiddeleg)) { + /* Set WID to lowest legal value if writing illegal value (WARL) */ + new_slwid = find_first_bit( + (unsigned long *)&env->mwiddeleg, TARGET_LONG_BITS); + } + + if (env->slwid != new_slwid) { + env->slwid = new_slwid; + tlb_flush(env_cpu(env)); + } + + return RISCV_EXCP_NONE; +} + +static RISCVException rmw_mwiddeleg(CPURISCVState *env, int csrno, + target_ulong *ret_val, + target_ulong new_val, target_ulong wr_mask) +{ + CPUState *cs = env_cpu(env); + RISCVCPU *cpu = RISCV_CPU(cs); + + if (ret_val) { + *ret_val = env->mwiddeleg; + } + + env->mwiddeleg = (env->mwiddeleg & ~wr_mask) | (new_val & wr_mask); + + /* Core wgMarker can only have WID value in mwidlist. */ + env->mwiddeleg &= cpu->cfg.mwidlist; + + return RISCV_EXCP_NONE; +} #endif /* Crypto Extension */ @@ -XXX,XX +XXX,XX @@ riscv_csr_operations csr_ops[CSR_TABLE_SIZE] = { [CSR_SCOUNTOVF] = { "scountovf", sscofpmf, read_scountovf, .min_priv_ver = PRIV_VERSION_1_12_0 }, + /* RISC-V WorldGuard */ + [CSR_MLWID] = { "mlwid", worldguard_umode, NULL, NULL, rmw_mlwid }, + [CSR_SLWID] = { "slwid", worldguard_sumode, NULL, NULL, rmw_slwid }, + [CSR_MWIDDELEG] = { "mwiddeleg", worldguard_sumode, NULL, NULL, rmw_mwiddeleg }, #endif /* !CONFIG_USER_ONLY */ }; -- 2.17.1 When a RISC-V HART has WG extension, their memory transactions will contain WID. Support MemTxAttrs in RISC-V target and add WID inside if a HART has WG extension. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- target/riscv/cpu.c | 2 +- target/riscv/cpu.h | 1 + target/riscv/cpu_helper.c | 51 ++++++++++++++++++++++++++++++++++++--- 3 files changed, 50 insertions(+), 4 deletions(-) diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.c +++ b/target/riscv/cpu.c @@ -XXX,XX +XXX,XX @@ static int64_t riscv_get_arch_id(CPUState *cs) static const struct SysemuCPUOps riscv_sysemu_ops = { .has_work = riscv_cpu_has_work, - .get_phys_page_debug = riscv_cpu_get_phys_page_debug, + .get_phys_page_attrs_debug = riscv_cpu_get_phys_page_attrs_debug, .write_elf64_note = riscv_cpu_write_elf64_note, .write_elf32_note = riscv_cpu_write_elf32_note, .legacy_vmsd = &vmstate_riscv_cpu, diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.h +++ b/target/riscv/cpu.h @@ -XXX,XX +XXX,XX @@ int riscv_env_mmu_index(CPURISCVState *env, bool ifetch); bool cpu_get_fcfien(CPURISCVState *env); bool cpu_get_bcfien(CPURISCVState *env); bool riscv_env_smode_dbltrp_enabled(CPURISCVState *env, bool virt); +hwaddr riscv_cpu_get_phys_page_attrs_debug(CPUState *cpu, vaddr addr, MemTxAttrs *attrs); G_NORETURN void riscv_cpu_do_unaligned_access(CPUState *cs, vaddr addr, MMUAccessType access_type, int mmu_idx, uintptr_t retaddr); diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu_helper.c +++ b/target/riscv/cpu_helper.c @@ -XXX,XX +XXX,XX @@ void cpu_get_tb_cpu_state(CPURISCVState *env, vaddr *pc, } #ifndef CONFIG_USER_ONLY +static uint32_t riscv_cpu_wg_get_wid(CPURISCVState *env, int mode) +{ + CPUState *cs = env_cpu(env); + RISCVCPU *cpu = RISCV_CPU(cs); + bool virt = env->virt_enabled; + + if (mode == PRV_M) { + return cpu->cfg.mwid; + } else if (mode == PRV_S) { + if (!virt || !env->mwiddeleg) { + /* HS-mode, S-mode w/o RVH, or VS-mode but mwiddeleg = 0 */ + return env->mlwid; + } else { + /* VS-mode */ + return env->slwid; + } + } else if (mode == PRV_U) { + if (!riscv_has_ext(env, RVS) || !env->mwiddeleg) { + /* M/U mode CPU or mwiddeleg = 0 */ + return env->mlwid; + } else { + return env->slwid; + } + } + + return cpu->cfg.mwid; +} + void riscv_cpu_set_wg_mwid(CPURISCVState *env, uint32_t mwid) { CPUState *cs = env_cpu(env); @@ -XXX,XX +XXX,XX @@ static void raise_mmu_exception(CPURISCVState *env, target_ulong address, env->two_stage_indirect_lookup = two_stage_indirect; } -hwaddr riscv_cpu_get_phys_page_debug(CPUState *cs, vaddr addr) +hwaddr riscv_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr, MemTxAttrs *attrs) { RISCVCPU *cpu = RISCV_CPU(cs); CPURISCVState *env = &cpu->env; hwaddr phys_addr; int prot; int mmu_idx = riscv_env_mmu_index(&cpu->env, false); + int mode = mmuidx_priv(mmu_idx); + uint32_t wid; + + if (riscv_cpu_cfg(env)->ext_smwg && env->wid_to_mem_attrs) { + wid = riscv_cpu_wg_get_wid(env, mode); + env->wid_to_mem_attrs(attrs, wid); + } else { + *attrs = MEMTXATTRS_UNSPECIFIED; + } if (get_physical_address(env, &phys_addr, &prot, addr, NULL, 0, mmu_idx, true, env->virt_enabled, true, false)) { @@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size, int mode = mmuidx_priv(mmu_idx); /* default TLB page size */ hwaddr tlb_size = TARGET_PAGE_SIZE; + uint32_t wid; + MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; env->guest_phys_fault_addr = 0; qemu_log_mask(CPU_LOG_MMU, "%s ad %" VADDR_PRIx " rw %d mmu_idx %d\n", __func__, address, access_type, mmu_idx); + if (riscv_cpu_cfg(env)->ext_smwg && env->wid_to_mem_attrs) { + mode = mmuidx_priv(mmu_idx); + wid = riscv_cpu_wg_get_wid(env, mode); + env->wid_to_mem_attrs(&attrs, wid); + } + pmu_tlb_fill_incr_ctr(cpu, access_type); if (two_stage_lookup) { /* Two stage lookup */ @@ -XXX,XX +XXX,XX @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size, } if (ret == TRANSLATE_SUCCESS) { - tlb_set_page(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1), - prot, access_type, mmu_idx, tlb_size); + tlb_set_page_with_attrs(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1), + attrs, prot, access_type, mmu_idx, tlb_size); return true; } else if (probe) { return false; -- 2.17.1 Expose WG CPU extensions (Smwg, Sswg, Smwgd) and WG CPU configs (mwid, mwidlist). Signed-off-by: Jim Shu <jim.shu@sifive.com> --- target/riscv/cpu.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/riscv/cpu.c +++ b/target/riscv/cpu.c @@ -XXX,XX +XXX,XX @@ const RISCVCPUMultiExtConfig riscv_cpu_vendor_exts[] = { const RISCVCPUMultiExtConfig riscv_cpu_experimental_exts[] = { MULTI_EXT_CFG_BOOL("x-svukte", ext_svukte, false), + /* RISC-V WorldGuard v0.4 */ + MULTI_EXT_CFG_BOOL("x-smwg", ext_smwg, false), + MULTI_EXT_CFG_BOOL("x-smwgd", ext_smwgd, false), + MULTI_EXT_CFG_BOOL("x-sswg", ext_sswg, false), + { }, }; @@ -XXX,XX +XXX,XX @@ static const Property riscv_cpu_properties[] = { * it with -x and default to 'false'. */ DEFINE_PROP_BOOL("x-misa-w", RISCVCPU, cfg.misa_w, false), + + DEFINE_PROP_UINT32("x-mwid", RISCVCPU, cfg.mwid, UINT32_MAX), + DEFINE_PROP_UINT32("x-mwidlist", RISCVCPU, cfg.mwidlist, UINT32_MAX), }; #if defined(TARGET_RISCV64) -- 2.17.1 riscv_worldguard_apply_cpu() could enable WG CPU extension and set WG callback to CPUs. It is used by machine code after realizing global WG device. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- hw/misc/riscv_worldguard.c | 87 ++++++++++++++++++++++++++++++ include/hw/misc/riscv_worldguard.h | 1 + 2 files changed, 88 insertions(+) diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/riscv_worldguard.c +++ b/hw/misc/riscv_worldguard.c @@ -XXX,XX +XXX,XX @@ uint32_t mem_attrs_to_wid(MemTxAttrs attrs) } } +static void riscv_cpu_wg_reset(CPURISCVState *env) +{ + CPUState *cs = env_cpu(env); + RISCVCPU *cpu = RISCV_CPU(cs); + uint32_t mlwid, slwid, mwiddeleg; + uint32_t trustedwid; + + if (!riscv_cpu_cfg(env)->ext_smwg) { + return; + } + + if (worldguard_config == NULL) { + /* + * Note: This reset is dummy now and WG CSRs will be reset again + * after worldguard_config is realized. + */ + return; + } + + trustedwid = worldguard_config->trustedwid; + if (trustedwid == NO_TRUSTEDWID) { + trustedwid = worldguard_config->nworlds - 1; + } + + /* Reset mlwid, slwid, mwiddeleg CSRs */ + if (worldguard_config->hw_bypass) { + /* HW bypass mode */ + mlwid = trustedwid; + } else { + mlwid = 0; + } + slwid = 0; + mwiddeleg = 0; + + env->mlwid = mlwid; + if (riscv_cpu_cfg(env)->ext_sswg) { + env->slwid = slwid; + env->mwiddeleg = mwiddeleg; + } + + /* Check mwid, mwidlist config */ + if (worldguard_config != NULL) { + uint32_t valid_widlist = MAKE_64BIT_MASK(0, worldguard_config->nworlds); + + /* CPU use default mwid / mwidlist config if not set */ + if (cpu->cfg.mwidlist == UINT32_MAX) { + /* mwidlist contains all WIDs */ + cpu->cfg.mwidlist = valid_widlist; + } + if (cpu->cfg.mwid == UINT32_MAX) { + cpu->cfg.mwid = trustedwid; + } + + /* Check if mwid/mwidlist HW config is valid in NWorld. */ + g_assert((cpu->cfg.mwidlist & ~valid_widlist) == 0); + g_assert(cpu->cfg.mwid < worldguard_config->nworlds); + } +} + +/* + * riscv_worldguard_apply_cpu - Enable WG extension of CPU + * + * Note: This API should be used after global WG device is created + * (riscv_worldguard_realize()). + */ +void riscv_worldguard_apply_cpu(uint32_t hartid) +{ + /* WG global config should exist */ + g_assert(worldguard_config); + + CPUState *cpu = qemu_get_cpu(hartid); + RISCVCPU *rcpu = RISCV_CPU(cpu); + CPURISCVState *env = cpu ? cpu_env(cpu) : NULL; + + rcpu->cfg.ext_smwg = true; + if (riscv_has_ext(env, RVS) && riscv_has_ext(env, RVU)) { + rcpu->cfg.ext_sswg = true; + } + + /* Set machine specific WorldGuard callback */ + env->wg_reset = riscv_cpu_wg_reset; + env->wid_to_mem_attrs = wid_to_mem_attrs; + + /* Reset WG CSRs in CPU */ + env->wg_reset(env); +} + bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock) { uint32_t wid = mem_attrs_to_wid(attrs); diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/misc/riscv_worldguard.h +++ b/include/hw/misc/riscv_worldguard.h @@ -XXX,XX +XXX,XX @@ extern struct RISCVWorldGuardState *worldguard_config; DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid, bool hw_bypass, bool tz_compat); +void riscv_worldguard_apply_cpu(uint32_t hartid); uint32_t mem_attrs_to_wid(MemTxAttrs attrs); bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock); -- 2.17.1 Implement the RISC-V WorldGuard Checker, which sits in front of RAM or device MMIO and allow software to configure it to either pass through or reject transactions. We implement the wgChecker as a QEMU IOMMU, which will direct transactions either through to the devices and memory behind it or to a special "never works" AddressSpace if they are blocked. This initial commit implements the skeleton of the device: * it always permits accesses * it doesn't implement wgChecker's slot registers * it doesn't implement the interrupt or other behaviour for blocked transactions Signed-off-by: Jim Shu <jim.shu@sifive.com> --- hw/misc/meson.build | 2 +- hw/misc/riscv_wgchecker.c | 603 +++++++++++++++++++++++++++++ hw/misc/trace-events | 8 + include/hw/misc/riscv_worldguard.h | 63 +++ 4 files changed, 675 insertions(+), 1 deletion(-) create mode 100644 hw/misc/riscv_wgchecker.c diff --git a/hw/misc/meson.build b/hw/misc/meson.build index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/meson.build +++ b/hw/misc/meson.build @@ -XXX,XX +XXX,XX @@ system_ss.add(when: 'CONFIG_SIFIVE_E_PRCI', if_true: files('sifive_e_prci.c')) system_ss.add(when: 'CONFIG_SIFIVE_E_AON', if_true: files('sifive_e_aon.c')) system_ss.add(when: 'CONFIG_SIFIVE_U_OTP', if_true: files('sifive_u_otp.c')) system_ss.add(when: 'CONFIG_SIFIVE_U_PRCI', if_true: files('sifive_u_prci.c')) -specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c')) +specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c', 'riscv_wgchecker.c')) subdir('macio') diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/hw/misc/riscv_wgchecker.c @@ -XXX,XX +XXX,XX @@ +/* + * RISC-V WorldGuard Checker Device + * + * Copyright (c) 2022 SiFive, Inc. + * + * This provides WorldGuard Checker model. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2 or later, as published by the Free Software Foundation. + * + * This program is distributed in the hope it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "qemu/log.h" +#include "exec/hwaddr.h" +#include "exec/exec-all.h" +#include "hw/irq.h" +#include "hw/registerfields.h" +#include "hw/sysbus.h" +#include "hw/hw.h" +#include "hw/qdev-properties.h" +#include "hw/misc/riscv_worldguard.h" +#include "target/riscv/cpu.h" +#include "trace.h" + +/* Common */ +REG32(VENDOR, 0x000) +REG32(IMPID, 0x004) + +/* wgChecker */ +REG32(NSLOTS, 0x008) +REG64(ERRCAUSE, 0x010) + FIELD(ERRCAUSE, WID, 0, 8) + FIELD(ERRCAUSE, R, 8, 1) + FIELD(ERRCAUSE, W, 9, 1) + FIELD(ERRCAUSE, BE, 62, 1) + FIELD(ERRCAUSE, IP, 63, 1) + +#define ERRCAUSE_MASK \ + (R_ERRCAUSE_WID_MASK | \ + R_ERRCAUSE_R_MASK | \ + R_ERRCAUSE_W_MASK | \ + R_ERRCAUSE_BE_MASK | \ + R_ERRCAUSE_IP_MASK) + +REG64(ERRADDR, 0x018) + +/* + * Accesses only reach these read and write functions if the wgChecker + * is blocking them; non-blocked accesses go directly to the downstream + * memory region without passing through this code. + */ +static MemTxResult riscv_wgc_mem_blocked_read(void *opaque, hwaddr addr, + uint64_t *pdata, + unsigned size, MemTxAttrs attrs) +{ + uint32_t wid = mem_attrs_to_wid(attrs); + + trace_riscv_wgc_mem_blocked_read(addr, size, wid); + + *pdata = 0; + return MEMTX_OK; +} + +static MemTxResult riscv_wgc_mem_blocked_write(void *opaque, hwaddr addr, + uint64_t value, + unsigned size, MemTxAttrs attrs) +{ + uint32_t wid = mem_attrs_to_wid(attrs); + + trace_riscv_wgc_mem_blocked_write(addr, value, size, wid); + + return MEMTX_OK; +} + +static const MemoryRegionOps riscv_wgc_mem_blocked_ops = { + .read_with_attrs = riscv_wgc_mem_blocked_read, + .write_with_attrs = riscv_wgc_mem_blocked_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .valid.min_access_size = 1, + .valid.max_access_size = 8, + .impl.min_access_size = 1, + .impl.max_access_size = 8, +}; + +static IOMMUTLBEntry riscv_wgc_translate(IOMMUMemoryRegion *iommu, + hwaddr addr, IOMMUAccessFlags flags, + int iommu_idx) +{ + WgCheckerRegion *region = container_of(iommu, WgCheckerRegion, upstream); + RISCVWgCheckerState *s = RISCV_WGCHECKER(region->wgchecker); + hwaddr phys_addr; + uint64_t region_size; + + IOMMUTLBEntry ret = { + .iova = addr & ~WG_ALIGNED_MASK, + .translated_addr = addr & ~WG_ALIGNED_MASK, + .addr_mask = WG_ALIGNED_MASK, + .perm = IOMMU_RW, + }; + + /* addr shouldn't exceed region size of down/upstream. */ + region_size = memory_region_size(region->downstream); + g_assert(addr < region_size); + + /* + * Look at the wgChecker configuration for this address, and + * return a TLB entry directing the transaction at either + * downstream_as or blocked_io_as, as appropriate. + * For the moment, always permit accesses. + */ + + /* Use physical address instead of offset */ + phys_addr = addr + region->region_offset; + + is_success = true; + + trace_riscv_wgc_translate(phys_addr, flags, + iommu_idx, is_success ? "pass" : "block"); + + ret.target_as = is_success ? &region->downstream_as : &region->blocked_io_as; + return ret; +} + +static int riscv_wgc_attrs_to_index(IOMMUMemoryRegion *iommu, MemTxAttrs attrs) +{ + return mem_attrs_to_wid(attrs); +} + +static int riscv_wgc_num_indexes(IOMMUMemoryRegion *iommu) +{ + return worldguard_config->nworlds; +} + +static uint64_t riscv_wgchecker_readq(void *opaque, hwaddr addr) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + uint64_t val = 0; + + switch (addr) { + case A_ERRCAUSE: + val = s->errcause & ERRCAUSE_MASK; + break; + case A_ERRADDR: + val = s->erraddr; + break; + case A_NSLOTS: + val = s->slot_count; + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 8); + break; + } + + return val; +} + +static uint64_t riscv_wgchecker_readl(void *opaque, hwaddr addr) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + uint64_t val = 0; + + switch (addr) { + case A_VENDOR: + val = 0; + break; + case A_IMPID: + val = 0; + break; + case A_NSLOTS: + val = extract64(s->slot_count, 0, 32); + break; + case A_NSLOTS + 4: + val = extract64(s->slot_count, 0, 32); + break; + case A_ERRCAUSE: + val = s->errcause & ERRCAUSE_MASK; + val = extract64(val, 0, 32); + break; + case A_ERRCAUSE + 4: + val = s->errcause & ERRCAUSE_MASK; + val = extract64(val, 32, 32); + break; + case A_ERRADDR: + val = extract64(s->erraddr, 0, 32); + break; + case A_ERRADDR + 4: + val = extract64(s->erraddr, 32, 32); + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 4); + break; + } + + return val; +} + +static uint64_t riscv_wgchecker_read(void *opaque, hwaddr addr, unsigned size) +{ + uint64_t val = 0; + + switch (size) { + case 8: + val = riscv_wgchecker_readq(opaque, addr); + break; + case 4: + val = riscv_wgchecker_readl(opaque, addr); + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, "%s: Invalid read size %u to wgChecker\n", + __func__, size); + return 0; + } + + return val; +} + +static void riscv_wgchecker_writeq(void *opaque, hwaddr addr, + uint64_t value) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + + switch (addr) { + case A_ERRCAUSE: + s->errcause = value & ERRCAUSE_MASK; + break; + case A_ERRADDR: + s->erraddr = value; + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 8); + break; + } +} + +static void riscv_wgchecker_writel(void *opaque, hwaddr addr, + uint64_t value) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + + switch (addr) { + case A_ERRCAUSE: + value &= extract64(ERRCAUSE_MASK, 0, 32); + s->errcause = deposit64(s->errcause, 0, 32, value); + break; + case A_ERRCAUSE + 4: + value &= extract64(ERRCAUSE_MASK, 32, 32); + s->errcause = deposit64(s->errcause, 32, 32, value); + break; + case A_ERRADDR: + s->erraddr = deposit64(s->erraddr, 0, 32, value); + break; + case A_ERRADDR + 4: + s->erraddr = deposit64(s->erraddr, 32, 32, value); + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 4); + break; + } +} + +static void riscv_wgchecker_write(void *opaque, hwaddr addr, + uint64_t value, unsigned size) +{ + switch (size) { + case 8: + riscv_wgchecker_writeq(opaque, addr, value); + break; + case 4: + riscv_wgchecker_writel(opaque, addr, value); + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, "%s: Invalid write size %u to wgChecker\n", + __func__, size); + break; + } +} + +static MemTxResult riscv_wgchecker_read_with_attrs( + void *opaque, hwaddr addr, uint64_t *pdata, unsigned size, + MemTxAttrs attrs) +{ + SysBusDevice *dev = SYS_BUS_DEVICE(opaque); + + trace_riscv_wgchecker_mmio_read(dev->mmio[0].addr, addr, size); + + *pdata = 0; + if (could_access_wgblocks(attrs, "wgChecker")) { + *pdata = riscv_wgchecker_read(opaque, addr, size); + } + + return MEMTX_OK; +} + +static MemTxResult riscv_wgchecker_write_with_attrs( + void *opaque, hwaddr addr, uint64_t data, unsigned size, + MemTxAttrs attrs) +{ + SysBusDevice *dev = SYS_BUS_DEVICE(opaque); + + trace_riscv_wgchecker_mmio_write(dev->mmio[0].addr, addr, size, data); + + if (could_access_wgblocks(attrs, "wgChecker")) { + riscv_wgchecker_write(opaque, addr, data, size); + } + + return MEMTX_OK; +} + +static const MemoryRegionOps riscv_wgchecker_ops = { + .read_with_attrs = riscv_wgchecker_read_with_attrs, + .write_with_attrs = riscv_wgchecker_write_with_attrs, + .endianness = DEVICE_NATIVE_ENDIAN, + .valid = { + .min_access_size = 4, + .max_access_size = 8 + }, + .impl = { + .min_access_size = 4, + .max_access_size = 8 + } +}; + +static void riscv_wgc_iommu_memory_region_class_init(ObjectClass *klass, + void *data) +{ + IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass); + + imrc->translate = riscv_wgc_translate; + imrc->attrs_to_index = riscv_wgc_attrs_to_index; + imrc->num_indexes = riscv_wgc_num_indexes; +} + +static const TypeInfo riscv_wgc_iommu_memory_region_info = { + .name = TYPE_RISCV_WGC_IOMMU_MEMORY_REGION, + .parent = TYPE_IOMMU_MEMORY_REGION, + .class_init = riscv_wgc_iommu_memory_region_class_init, +}; + + +#define DEFINE_REGION(N) \ + DEFINE_PROP_LINK("downstream-mr[" #N "]", RISCVWgCheckerState, \ + mem_regions[N].downstream, \ + TYPE_MEMORY_REGION, MemoryRegion *), \ + DEFINE_PROP_UINT64("region-offset[" #N "]", RISCVWgCheckerState, \ + mem_regions[N].region_offset, 0) \ + +static Property riscv_wgchecker_properties[] = { + DEFINE_PROP_UINT32("slot-count", RISCVWgCheckerState, slot_count, 0x1), + DEFINE_PROP_UINT32("mmio-size", RISCVWgCheckerState, mmio_size, 0x1000), + + /* Assume 1 wgChecker has 16 regions at maximum (WGC_NUM_REGIONS). */ + DEFINE_REGION(0), DEFINE_REGION(1), DEFINE_REGION(2), DEFINE_REGION(3), + DEFINE_REGION(4), DEFINE_REGION(5), DEFINE_REGION(6), DEFINE_REGION(7), + DEFINE_REGION(8), DEFINE_REGION(9), DEFINE_REGION(10), DEFINE_REGION(11), + DEFINE_REGION(12), DEFINE_REGION(13), DEFINE_REGION(14), DEFINE_REGION(15), + + DEFINE_PROP_UINT64("addr-range-start", RISCVWgCheckerState, addr_range_start, 0), + DEFINE_PROP_UINT64("addr-range-size", RISCVWgCheckerState, addr_range_size, UINT64_MAX), + + /* + * We could only set individual wgChecker to hw-bypass mode. It is + * usually used in wgChecker of BootROM, since SW has no way to enable + * the permission of it. + */ + DEFINE_PROP_BOOL("hw-bypass", RISCVWgCheckerState, hw_bypass, false), +}; + +static int int_log2_down(int n) +{ + int i = 0; + + n >>= 1; + + while (n) { + i++; + n >>= 1; + } + + return i; +} + +static int int_log2_up(int n) +{ + return int_log2_down(n - 1) + 1; +} + +/* + * Change the address range to be NAPOT alignment. + * + * New address range should totally cover the origin range, but new range + * should be configured by 1 NAPOT region (slot). + */ +static void address_range_align_napot(RISCVWgCheckerState *s) +{ + uint64_t start, end, size, new_size; + + start = s->addr_range_start; + end = s->addr_range_start + s->addr_range_size; + size = s->addr_range_size; + + if (size == UINT64_MAX) { + /* Full address range. No need of NAPOT alignment. */ + return; + } + + /* Size is the next power-of-2 number. */ + size = 1 << (int_log2_up(size)); + start = QEMU_ALIGN_DOWN(start, size); + end = QEMU_ALIGN_UP(end, size); + new_size = end - start; + + /* + * If base is not aligned to region size (new_size), + * double the region size and try it again. + */ + while ((new_size != size) && (size != 1ULL << 63)) { + size *= 2; + start = QEMU_ALIGN_DOWN(start, size); + end = QEMU_ALIGN_UP(end, size); + new_size = end - start; + } + + s->addr_range_start = start; + s->addr_range_size = size; +} + +static void riscv_wgchecker_realize(DeviceState *dev, Error **errp) +{ + Object *obj = OBJECT(dev); + RISCVWgCheckerState *s = RISCV_WGCHECKER(dev); + uint64_t size; + + if (worldguard_config == NULL) { + error_setg(errp, "Couldn't find global WorldGuard configs. " + "Please realize %s device at first.", + TYPE_RISCV_WORLDGUARD); + return; + } + + if (s->slot_count == 0) { + error_setg(errp, "wgChecker slot-count couldn't be zero."); + return; + } + + memory_region_init_io(&s->mmio, OBJECT(dev), &riscv_wgchecker_ops, s, + TYPE_RISCV_WGCHECKER, s->mmio_size); + sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->mmio); + sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->irq); + + /* Address range should be NAPOT alignment */ + address_range_align_napot(s); + + for (int i=0; i<WGC_NUM_REGIONS; i++) { + WgCheckerRegion *region = &s->mem_regions[i]; + + if (!region->downstream) { + continue; + } + region->wgchecker = s; + + const char *upstream_name = g_strdup_printf( + "wgchecker-upstream-%"HWADDR_PRIx, region->region_offset); + const char *downstream_name = g_strdup_printf( + "wgchecker-downstream-%"HWADDR_PRIx, region->region_offset); + + size = memory_region_size(region->downstream); + memory_region_init_iommu(&region->upstream, sizeof(region->upstream), + TYPE_RISCV_WGC_IOMMU_MEMORY_REGION, + obj, upstream_name, size); + + /* upstream MRs are 2nd ~ (n+1)th MemoryRegion. */ + sysbus_init_mmio(SYS_BUS_DEVICE(dev), MEMORY_REGION(&region->upstream)); + + /* + * This memory region is not exposed to users of this device as a + * sysbus MMIO region, but is instead used internally as something + * that our IOMMU translate function might direct accesses to. + */ + memory_region_init_io(&region->blocked_io, obj, &riscv_wgc_mem_blocked_ops, + region, "wgchecker-blocked-io", size); + + address_space_init(&region->downstream_as, region->downstream, + downstream_name); + address_space_init(&region->blocked_io_as, &region->blocked_io, + "wgchecker-blocked-io"); + } +} + +static void riscv_wgchecker_unrealize(DeviceState *dev) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(dev); + + g_free(s->slots); + if (s->num_default_slots && s->default_slots) { + g_free(s->default_slots); + } +} + +static void riscv_wgchecker_reset_enter(Object *obj, ResetType type) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(obj); + uint64_t start = s->addr_range_start; + uint64_t end = s->addr_range_start + s->addr_range_size; + int nslots = s->slot_count; + + s->errcause = 0; + s->erraddr = 0; +} + +static void riscv_wgchecker_class_init(ObjectClass *klass, void *data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + + device_class_set_props(dc, riscv_wgchecker_properties); + dc->user_creatable = true; + dc->realize = riscv_wgchecker_realize; + dc->unrealize = riscv_wgchecker_unrealize; + ResettableClass *rc = RESETTABLE_CLASS(klass); + rc->phases.enter = riscv_wgchecker_reset_enter; +} + +static void riscv_wgchecker_instance_init(Object *obj) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(obj); + + s->num_default_slots = 0; +} + +static const TypeInfo riscv_wgchecker_info = { + .name = TYPE_RISCV_WGCHECKER, + .parent = TYPE_SYS_BUS_DEVICE, + .instance_init = riscv_wgchecker_instance_init, + .instance_size = sizeof(RISCVWgCheckerState), + .class_init = riscv_wgchecker_class_init, +}; + +static void riscv_wgchecker_register_types(void) +{ + type_register_static(&riscv_wgchecker_info); + type_register_static(&riscv_wgc_iommu_memory_region_info); +} + +type_init(riscv_wgchecker_register_types) + +/* + * Create WgChecker device + */ +DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size, + qemu_irq irq, uint32_t slot_count, + uint64_t addr_range_start, + uint64_t addr_range_size, + uint32_t num_of_region, + MemoryRegion **downstream, + uint64_t *region_offset, + uint32_t num_default_slots, + WgCheckerSlot *default_slots) +{ + DeviceState *dev = qdev_new(TYPE_RISCV_WGCHECKER); + RISCVWgCheckerState *s = RISCV_WGCHECKER(dev); + char name_mr[32]; + char name_offset[32]; + int i; + + qdev_prop_set_uint32(dev, "slot-count", slot_count); + qdev_prop_set_uint32(dev, "mmio-size", size); + qdev_prop_set_uint64(dev, "addr-range-start", addr_range_start); + if (addr_range_size) { + qdev_prop_set_uint64(dev, "addr-range-size", addr_range_size); + } + + g_assert(num_of_region <= WGC_NUM_REGIONS); + for (i=0; i<num_of_region; i++) { + snprintf(name_mr, 32, "downstream-mr[%d]", i); + snprintf(name_offset, 32, "region-offset[%d]", i); + + object_property_set_link(OBJECT(dev), name_mr, + OBJECT(downstream[i]), &error_fatal); + qdev_prop_set_uint64(dev, name_offset, region_offset[i]); + } + + sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal); + sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, addr); + sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, irq); + return dev; +} diff --git a/hw/misc/trace-events b/hw/misc/trace-events index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/trace-events +++ b/hw/misc/trace-events @@ -XXX,XX +XXX,XX @@ ivshmem_flat_interrupt_peer(uint16_t peer_id, uint16_t vector_id) "Interrupting i2c_echo_event(const char *id, const char *event) "%s: %s" i2c_echo_recv(const char *id, uint8_t data) "%s: recv 0x%02" PRIx8 i2c_echo_send(const char *id, uint8_t data) "%s: send 0x%02" PRIx8 + +# riscv_worldguard.c +riscv_wgchecker_mmio_read(uint64_t base, uint64_t offset, unsigned int size) "base = 0x%"PRIx64", offset = 0x%"PRIx64", size = 0x%x" +riscv_wgchecker_mmio_write(uint64_t base, uint64_t offset, unsigned int size, uint64_t val) "base = 0x%"PRIx64", offset = 0x%"PRIx64", size = 0x%x, val = 0x%"PRIx64 + +riscv_wgc_mem_blocked_read(uint64_t addr, unsigned size, uint32_t wid) "wgChecker blocked read: offset 0x%" PRIx64 " size %u wid %" PRIu32 +riscv_wgc_mem_blocked_write(uint64_t addr, uint64_t data, unsigned size, uint32_t wid) "wgChecker blocked write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u wid %" PRIu32 +riscv_wgc_translate(uint64_t addr, int flags, int wid, const char *res) "wgChecker translate: addr 0x%016" PRIx64 " flags 0x%x wid %d: %s" diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/misc/riscv_worldguard.h +++ b/include/hw/misc/riscv_worldguard.h @@ -XXX,XX +XXX,XX @@ void riscv_worldguard_apply_cpu(uint32_t hartid); uint32_t mem_attrs_to_wid(MemTxAttrs attrs); bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock); +#define TYPE_RISCV_WGCHECKER "riscv.wgchecker" + +typedef struct RISCVWgCheckerState RISCVWgCheckerState; +DECLARE_INSTANCE_CHECKER(RISCVWgCheckerState, RISCV_WGCHECKER, + TYPE_RISCV_WGCHECKER) + +#define TYPE_RISCV_WGC_IOMMU_MEMORY_REGION "riscv-wgc-iommu-memory-region" + +typedef struct WgCheckerSlot WgCheckerSlot; +struct WgCheckerSlot { + uint64_t addr; + uint64_t perm; + uint32_t cfg; +}; + +typedef struct WgCheckerRegion WgCheckerRegion; +struct WgCheckerRegion { + MemoryRegion *downstream; + uint64_t region_offset; + + IOMMUMemoryRegion upstream; + MemoryRegion blocked_io; + AddressSpace downstream_as; + AddressSpace blocked_io_as; + + RISCVWgCheckerState *wgchecker; +}; + +#define WGC_NUM_REGIONS 16 + +struct RISCVWgCheckerState { + /*< private >*/ + SysBusDevice parent_obj; + + /*< public >*/ + MemoryRegion mmio; + qemu_irq irq; + + /* error reg */ + uint64_t errcause; + uint64_t erraddr; + + /* Memory regions protected by wgChecker */ + WgCheckerRegion mem_regions[WGC_NUM_REGIONS]; + + /* Property */ + uint32_t slot_count; /* nslots */ + uint32_t mmio_size; + uint64_t addr_range_start; + uint64_t addr_range_size; + bool hw_bypass; +}; + +DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size, + qemu_irq irq, uint32_t slot_count, + uint64_t addr_range_start, + uint64_t addr_range_size, + uint32_t num_of_region, + MemoryRegion **downstream, + uint64_t *region_offset, + uint32_t num_default_slots, + WgCheckerSlot *default_slots); + #endif -- 2.17.1 wgChecker slot is similar to PMP region. SW could program each slot to configure the permission of address range. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- hw/misc/riscv_wgchecker.c | 330 +++++++++++++++++++++++++++++ hw/misc/riscv_worldguard.c | 3 + include/hw/misc/riscv_worldguard.h | 4 + 3 files changed, 337 insertions(+) diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/riscv_wgchecker.c +++ b/hw/misc/riscv_wgchecker.c @@ -XXX,XX +XXX,XX @@ REG64(ERRCAUSE, 0x010) R_ERRCAUSE_IP_MASK) REG64(ERRADDR, 0x018) +REG64(WGC_SLOT, 0x020) + +/* wgChecker slots */ +REG64(SLOT_ADDR, 0x000) +REG64(SLOT_PERM, 0x008) +REG32(SLOT_CFG, 0x010) + FIELD(SLOT_CFG, A, 0, 2) + FIELD(SLOT_CFG, ER, 8, 1) + FIELD(SLOT_CFG, EW, 9, 1) + FIELD(SLOT_CFG, IR, 10, 1) + FIELD(SLOT_CFG, IW, 11, 1) + FIELD(SLOT_CFG, LOCK, 31, 1) + +#define SLOT_SIZE 0x020 + +#define SLOT0_CFG_MASK \ + (R_SLOT_CFG_ER_MASK | \ + R_SLOT_CFG_EW_MASK | \ + R_SLOT_CFG_IR_MASK | \ + R_SLOT_CFG_IW_MASK | \ + R_SLOT_CFG_LOCK_MASK) + +#define SLOT_CFG_MASK \ + (R_SLOT_CFG_A_MASK | (SLOT0_CFG_MASK)) + +#define WGC_SLOT_END(nslots) \ + (A_WGC_SLOT + SLOT_SIZE * (nslots + 1)) + +/* wgChecker slot is 4K alignment */ +#define WG_ALIGNED_SIZE (1 << 12) +#define WG_ALIGNED_MASK MAKE_64BIT_MASK(0, 12) + +/* wgChecker slot address is (addr / 4). */ +#define TO_SLOT_ADDR(addr) ((addr) >> 2) +#define FROM_SLOT_ADDR(addr) ((addr) << 2) + +/* wgChecker slot cfg.A[1:0] */ +#define A_OFF 0 +#define A_TOR 1 +#define A_NA4 2 +#define A_NAPOT 3 + +/* wgChecker slot perm */ +#define WGC_PERM(wid, perm) ((uint64_t)(perm) << (2 * (wid))) +#define P_READ (1 << 0) +#define P_WRITE (1 << 1) /* * Accesses only reach these read and write functions if the wgChecker @@ -XXX,XX +XXX,XX @@ static uint64_t riscv_wgchecker_readq(void *opaque, hwaddr addr) RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); uint64_t val = 0; + if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) { + /* Read from WGC slot */ + int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE; + int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE; + + switch (slot_offset) { + case A_SLOT_ADDR: + val = s->slots[slot_id].addr; + break; + case A_SLOT_PERM: + val = s->slots[slot_id].perm; + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 8); + break; + } + + return val; + } + switch (addr) { case A_ERRCAUSE: val = s->errcause & ERRCAUSE_MASK; @@ -XXX,XX +XXX,XX @@ static uint64_t riscv_wgchecker_readl(void *opaque, hwaddr addr) RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); uint64_t val = 0; + if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) { + /* Read from WGC slot */ + int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE; + int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE; + + switch (slot_offset) { + case A_SLOT_ADDR: + val = extract64(s->slots[slot_id].addr, 0, 32); + break; + case A_SLOT_ADDR + 4: + val = extract64(s->slots[slot_id].addr, 32, 32); + break; + case A_SLOT_PERM: + val = extract64(s->slots[slot_id].perm, 0, 32); + break; + case A_SLOT_PERM + 4: + val = extract64(s->slots[slot_id].perm, 32, 32); + break; + case A_SLOT_CFG: + val = s->slots[slot_id].cfg & SLOT_CFG_MASK; + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 4); + break; + } + + return val; + } + switch (addr) { case A_VENDOR: val = 0; @@ -XXX,XX +XXX,XX @@ static uint64_t riscv_wgchecker_read(void *opaque, hwaddr addr, unsigned size) return val; } +/* + * Validate the WGC slot address is between address range. + * + * Fix the slot address to the start address if it's not within the address range. + * We need validation when changing "slot address" or "TOR/NAPOT mode (cfg.A)" + */ +static void validate_slot_address(void *opaque, int slot_id) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + uint64_t start = TO_SLOT_ADDR(s->addr_range_start); + uint64_t end = TO_SLOT_ADDR(s->addr_range_start + s->addr_range_size); + uint32_t cfg_a = FIELD_EX32(s->slots[slot_id].cfg, SLOT_CFG, A); + + /* First and last slot address are hard-coded. */ + if ((slot_id == 0) || (slot_id == s->slot_count)) { + return; + } + + /* Check WGC slot address is between address range. */ + if ((s->slots[slot_id].addr < start) || (s->slots[slot_id].addr >= end)) { + s->slots[slot_id].addr = start; + } + + /* Check WGC slot is 4k-aligned. */ + if (cfg_a == A_TOR) { + s->slots[slot_id].addr &= ~TO_SLOT_ADDR(WG_ALIGNED_MASK); + } else if (cfg_a == A_NAPOT) { + s->slots[slot_id].addr |= TO_SLOT_ADDR(WG_ALIGNED_MASK >> 1); + } else if (cfg_a == A_NA4) { + /* Forcely replace NA4 slot with 4K-aligned NAPOT slot. */ + FIELD_DP32(s->slots[slot_id].cfg, SLOT_CFG, A, A_NAPOT); + s->slots[slot_id].addr |= TO_SLOT_ADDR(WG_ALIGNED_MASK >> 1); + } +} + +static bool slots_reg_is_ro(int slot_id, int slot_offset, uint32_t nslots) +{ + /* + * Special slots: + * - slot[0]: + * - addr is RO + * - perm is RO + * - cfg.A is OFF + * + * - slot[nslots]: + * - addr is RO + * - cfg.A is OFF or TOR + */ + if (slot_id == 0) { + switch (slot_offset) { + case A_SLOT_ADDR: + case A_SLOT_ADDR + 4: + case A_SLOT_PERM: + case A_SLOT_PERM + 4: + return true; + default: + break; + } + } else if (slot_id == nslots) { + switch (slot_offset) { + case A_SLOT_ADDR: + case A_SLOT_ADDR + 4: + return true; + default: + break; + } + } + + return false; +} + static void riscv_wgchecker_writeq(void *opaque, hwaddr addr, uint64_t value) { RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) { + /* Read from WGC slot */ + int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE; + int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE; + bool locked = FIELD_EX32(s->slots[slot_id].cfg, SLOT_CFG, LOCK); + + if (locked) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Couldn't write access to locked wgChecker Slot: " + "slot = %d, offset = %d\n", __func__, slot_id, + slot_offset); + return; + } + + if (slots_reg_is_ro(slot_id, slot_offset, s->slot_count)) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 8); + } + + switch (slot_offset) { + case A_SLOT_ADDR: + s->slots[slot_id].addr = value; + validate_slot_address(s, slot_id); + break; + case A_SLOT_PERM: + value &= wgc_slot_perm_mask; + s->slots[slot_id].perm = value; + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 8); + break; + } + + return; + } + switch (addr) { case A_ERRCAUSE: s->errcause = value & ERRCAUSE_MASK; @@ -XXX,XX +XXX,XX @@ static void riscv_wgchecker_writel(void *opaque, hwaddr addr, { RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque); + if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) { + /* Write to WGC slot */ + int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE; + int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE; + bool locked = FIELD_EX32(s->slots[slot_id].cfg, SLOT_CFG, LOCK); + int cfg_a, old_cfg_a; + + if (locked) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Couldn't write access to locked wgChecker Slot: " + "slot = %d, offset = %d\n", __func__, slot_id, + slot_offset); + return; + } + + if (slots_reg_is_ro(slot_id, slot_offset, s->slot_count)) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 4); + } + + switch (slot_offset) { + case A_SLOT_ADDR: + s->slots[slot_id].addr = deposit64( + s->slots[slot_id].addr, 0, 32, value); + validate_slot_address(s, slot_id); + break; + case A_SLOT_ADDR + 4: + s->slots[slot_id].addr = deposit64( + s->slots[slot_id].addr, 32, 32, value); + validate_slot_address(s, slot_id); + break; + case A_SLOT_PERM: + value &= wgc_slot_perm_mask; + s->slots[slot_id].perm = deposit64( + s->slots[slot_id].perm, 0, 32, value); + break; + case A_SLOT_PERM + 4: + value &= extract64(wgc_slot_perm_mask, 32, 32); + s->slots[slot_id].perm = deposit64( + s->slots[slot_id].perm, 32, 32, value); + break; + case A_SLOT_CFG: + if (slot_id == 0) { + value &= SLOT0_CFG_MASK; + s->slots[0].cfg = value; + } else if (slot_id == s->slot_count) { + old_cfg_a = FIELD_EX32(s->slots[s->slot_count].cfg, SLOT_CFG, A); + cfg_a = FIELD_EX32(value, SLOT_CFG, A); + + value &= SLOT0_CFG_MASK; + if ((cfg_a == A_OFF) || (cfg_a == A_TOR)) { + value |= cfg_a; + } else { + /* slot[nslots] could only use OFF or TOR config. */ + value |= old_cfg_a; + } + s->slots[s->slot_count].cfg = value; + + validate_slot_address(s, slot_id); + } else { + value &= SLOT_CFG_MASK; + s->slots[slot_id].cfg = value; + } + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n", + __func__, addr, 4); + break; + } + + return; + } + switch (addr) { case A_ERRCAUSE: value &= extract64(ERRCAUSE_MASK, 0, 32); @@ -XXX,XX +XXX,XX @@ static void riscv_wgchecker_realize(DeviceState *dev, Error **errp) return; } + s->slots = g_new0(WgCheckerSlot, s->slot_count + 1); + memory_region_init_io(&s->mmio, OBJECT(dev), &riscv_wgchecker_ops, s, TYPE_RISCV_WGCHECKER, s->mmio_size); sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->mmio); @@ -XXX,XX +XXX,XX @@ static void riscv_wgchecker_reset_enter(Object *obj, ResetType type) s->errcause = 0; s->erraddr = 0; + + for (int i = 0; i < nslots; i++) { + s->slots[i].addr = TO_SLOT_ADDR(start); + s->slots[i].perm = 0; + s->slots[i].cfg = 0; + } + s->slots[nslots].addr = TO_SLOT_ADDR(end); + s->slots[nslots].perm = 0; + s->slots[nslots].cfg = 0; + + if (s->num_default_slots != 0) { + /* + * Use default slots: + * slot[0] is hard-coded to start address, so the default slots + * start from slot[1]. + */ + memcpy(&s->slots[1], s->default_slots, + sizeof(WgCheckerSlot) * s->num_default_slots); + } else if ((s->hw_bypass) || + ((worldguard_config != NULL) && worldguard_config->hw_bypass)) { + /* HW bypass mode */ + uint32_t trustedwid = worldguard_config->trustedwid; + + if (trustedwid == NO_TRUSTEDWID) { + trustedwid = worldguard_config->nworlds - 1; + } + + s->slots[nslots].perm = WGC_PERM(trustedwid, P_READ | P_WRITE); + s->slots[nslots].perm &= wgc_slot_perm_mask; + s->slots[nslots].cfg = A_TOR; + } } static void riscv_wgchecker_class_init(ObjectClass *klass, void *data) @@ -XXX,XX +XXX,XX @@ DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size, qdev_prop_set_uint64(dev, name_offset, region_offset[i]); } + if (num_default_slots > slot_count) { + num_default_slots = slot_count; + } + + s->num_default_slots = num_default_slots; + if (s->num_default_slots) { + s->default_slots = g_new0(WgCheckerSlot, s->num_default_slots); + memcpy(s->default_slots, default_slots, + sizeof(WgCheckerSlot) * s->num_default_slots); + } else { + s->default_slots = NULL; + } + sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal); sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, addr); sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, irq); diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/riscv_worldguard.c +++ b/hw/misc/riscv_worldguard.c @@ -XXX,XX +XXX,XX @@ */ struct RISCVWorldGuardState *worldguard_config = NULL; +/* perm field bitmask of wgChecker slot, it's depends on NWorld. */ +uint64_t wgc_slot_perm_mask = 0; + static Property riscv_worldguard_properties[] = { DEFINE_PROP_UINT32("nworlds", RISCVWorldGuardState, nworlds, 0), diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/misc/riscv_worldguard.h +++ b/include/hw/misc/riscv_worldguard.h @@ -XXX,XX +XXX,XX @@ struct RISCVWorldGuardState { }; extern struct RISCVWorldGuardState *worldguard_config; +extern uint64_t wgc_slot_perm_mask; DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid, bool hw_bypass, bool tz_compat); @@ -XXX,XX +XXX,XX @@ struct WgCheckerRegion { struct RISCVWgCheckerState { /*< private >*/ SysBusDevice parent_obj; + uint32_t num_default_slots; + WgCheckerSlot *default_slots; /*< public >*/ MemoryRegion mmio; + WgCheckerSlot *slots; qemu_irq irq; /* error reg */ -- 2.17.1 The wgChecker is configurable for whether blocked accesses: * should cause a bus error or just read return zero and write ignore * should generate the interrupt or not Signed-off-by: Jim Shu <jim.shu@sifive.com> --- hw/misc/riscv_wgchecker.c | 169 +++++++++++++++++++++++++++++++++++++- 1 file changed, 167 insertions(+), 2 deletions(-) diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/riscv_wgchecker.c +++ b/hw/misc/riscv_wgchecker.c @@ -XXX,XX +XXX,XX @@ REG32(SLOT_CFG, 0x010) #define P_READ (1 << 0) #define P_WRITE (1 << 1) +static void decode_napot(hwaddr a, hwaddr *sa, hwaddr *ea) +{ + /* + * aaaa...aaa0 8-byte NAPOT range + * aaaa...aa01 16-byte NAPOT range + * aaaa...a011 32-byte NAPOT range + * ... + * aa01...1111 2^XLEN-byte NAPOT range + * a011...1111 2^(XLEN+1)-byte NAPOT range + * 0111...1111 2^(XLEN+2)-byte NAPOT range + * 1111...1111 Reserved + */ + + a = FROM_SLOT_ADDR(a) | 0x3; + + if (sa) { + *sa = a & (a + 1); + } + if (ea) { + *ea = a | (a + 1); + } +} + +typedef struct WgAccessResult WgAccessResult; +struct WgAccessResult { + bool is_success; + bool has_bus_error; + bool has_interrupt; + uint8_t perm:2; +}; + +static WgAccessResult wgc_check_access( + RISCVWgCheckerState *s, hwaddr phys_addr, uint32_t wid, bool is_write) +{ + WgCheckerSlot *slot, *prev_slot; + uint32_t cfg_a, prev_cfg_a; + uint64_t start, end; + int slot_id, wgc_perm = 0; + WgAccessResult result = { 0 }; + + bool is_matching = false; + bool slot0_be, slot0_ip; + bool matched_slot_be = false, matched_slot_ip = false; + + for (slot_id = 0; slot_id < s->slot_count; slot_id++) { + slot = &s->slots[slot_id + 1]; + cfg_a = FIELD_EX32(slot->cfg, SLOT_CFG, A); + + if (cfg_a == A_TOR) { + prev_slot = &s->slots[slot_id]; + + prev_cfg_a = FIELD_EX32(prev_slot->cfg, SLOT_CFG, A); + if (prev_cfg_a == A_NA4) { + start = FROM_SLOT_ADDR(prev_slot->addr) + 4; + } else if (prev_cfg_a == A_NAPOT) { + decode_napot(prev_slot->addr, NULL, &start); + start += 1; + } else { /* A_TOR or A_OFF */ + start = FROM_SLOT_ADDR(prev_slot->addr); + } + end = FROM_SLOT_ADDR(slot->addr); + } else if (cfg_a == A_NA4) { + start = FROM_SLOT_ADDR(slot->addr); + end = start + 4; + } else if (cfg_a == A_NAPOT) { + decode_napot(slot->addr, &start, &end); + end += 1; + } else { + /* A_OFF: not in slot range. */ + continue; + } + + /* wgChecker slot range is between start to (end - 1). */ + if ((start <= phys_addr) && (phys_addr < end)) { + /* Match the wgC slot */ + int perm = ((slot->perm >> (wid * 2)) & 0x3); + + /* If any matching rule permits access, the access is permitted. */ + wgc_perm |= perm; + + /* + * If any matching rule wants to report error (IRQ or Bus Error), + * the denied access should report error. + */ + is_matching = true; + if (is_write) { + matched_slot_be |= FIELD_EX64(slot->cfg, SLOT_CFG, EW); + matched_slot_ip |= FIELD_EX64(slot->cfg, SLOT_CFG, IW); + } else { + matched_slot_be |= FIELD_EX64(slot->cfg, SLOT_CFG, ER); + matched_slot_ip |= FIELD_EX64(slot->cfg, SLOT_CFG, IR); + } + } + } + + /* If no matching rule, error reporting depends on the slot0's config. */ + if (is_write) { + slot0_be = FIELD_EX64(s->slots[0].cfg, SLOT_CFG, EW); + slot0_ip = FIELD_EX64(s->slots[0].cfg, SLOT_CFG, IW); + } else { + slot0_be = FIELD_EX64(s->slots[0].cfg, SLOT_CFG, ER); + slot0_ip = FIELD_EX64(s->slots[0].cfg, SLOT_CFG, IR); + } + + result.is_success = is_write ? (wgc_perm & P_WRITE) : (wgc_perm & P_READ); + result.perm = wgc_perm; + if (!result.is_success) { + if (is_matching) { + result.has_bus_error = matched_slot_be; + result.has_interrupt = matched_slot_ip; + } else { + result.has_bus_error = slot0_be; + result.has_interrupt = slot0_ip; + } + } + + return result; +} + +static MemTxResult riscv_wgc_handle_blocked_access( + WgCheckerRegion *region, hwaddr addr, uint32_t wid, bool is_write) +{ + RISCVWgCheckerState *s = RISCV_WGCHECKER(region->wgchecker); + bool be, ip; + WgAccessResult result; + hwaddr phys_addr; + + be = FIELD_EX64(s->errcause, ERRCAUSE, BE); + ip = FIELD_EX64(s->errcause, ERRCAUSE, IP); + phys_addr = addr + region->region_offset; + + /* + * Check if this blocked access trigger IRQ (Bus Error) or not. + * It depends on wgChecker slot config (cfg.IR/IW/ER/EW bits). + */ + result = wgc_check_access(s, phys_addr, wid, is_write); + + if (!be && !ip) { + /* + * With either of the be or ip bits is set, further violations do not + * update the errcause or erraddr registers. Also, new interrupts + * cannot be generated until the be and ip fields are cleared. + */ + if (result.has_interrupt || result.has_bus_error) { + s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, WID, wid); + s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, R, !is_write); + s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, W, is_write); + s->erraddr = TO_SLOT_ADDR(phys_addr); + } + + if (result.has_interrupt) { + s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, IP, 1); + qemu_irq_raise(s->irq); + } + + if (result.has_bus_error) { + s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, BE, 1); + } + } + + return result.has_bus_error ? MEMTX_ERROR : MEMTX_OK; +} + /* * Accesses only reach these read and write functions if the wgChecker * is blocking them; non-blocked accesses go directly to the downstream @@ -XXX,XX +XXX,XX @@ static MemTxResult riscv_wgc_mem_blocked_read(void *opaque, hwaddr addr, uint64_t *pdata, unsigned size, MemTxAttrs attrs) { + WgCheckerRegion *region = opaque; uint32_t wid = mem_attrs_to_wid(attrs); trace_riscv_wgc_mem_blocked_read(addr, size, wid); *pdata = 0; - return MEMTX_OK; + return riscv_wgc_handle_blocked_access(region, addr, wid, false); } static MemTxResult riscv_wgc_mem_blocked_write(void *opaque, hwaddr addr, uint64_t value, unsigned size, MemTxAttrs attrs) { + WgCheckerRegion *region = opaque; uint32_t wid = mem_attrs_to_wid(attrs); trace_riscv_wgc_mem_blocked_write(addr, value, size, wid); - return MEMTX_OK; + return riscv_wgc_handle_blocked_access(region, addr, wid, true); } static const MemoryRegionOps riscv_wgc_mem_blocked_ops = { -- 2.17.1 The final part of wgChecker we need to implement is actually using the wgChecker slots programmed by guest to determine whether to block the transaction or not. Since this means we now change transaction mappings when the guest writes to wgChecker slots, we must also call the IOMMU notifiers at that point. One tricky part here is that the perm of 'blocked_io_as' is the condition of deny access. For example, if wgChecker only permits RO access, the perm of 'downstream_as' will be IOMMU_RO and the perm of 'blocked_io_as' will be IOMMU_WO. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- hw/misc/riscv_wgchecker.c | 70 ++++++++++++++++++++++++++++++++++++--- hw/misc/trace-events | 1 + 2 files changed, 67 insertions(+), 4 deletions(-) diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/riscv_wgchecker.c +++ b/hw/misc/riscv_wgchecker.c @@ -XXX,XX +XXX,XX @@ REG32(SLOT_CFG, 0x010) #define P_READ (1 << 0) #define P_WRITE (1 << 1) +static IOMMUAccessFlags wgc_perm_to_iommu_flags(int wgc_perm) +{ + if (wgc_perm == (P_READ | P_WRITE)) { + return IOMMU_RW; + } else if (wgc_perm & P_WRITE) { + return IOMMU_WO; + } else if (wgc_perm & P_READ) { + return IOMMU_RO; + } else { + return IOMMU_NONE; + } +} + +static void wgchecker_iommu_notify_all(RISCVWgCheckerState *s) +{ + /* + * Do tlb_flush() to whole address space via memory_region_notify_iommu() + * when wgChecker changes it's config. + */ + + IOMMUTLBEvent event = { + .entry = { + .addr_mask = -1ULL, + } + }; + + trace_riscv_wgc_iommu_notify_all(); + + for (int i=0; i<WGC_NUM_REGIONS; i++) { + WgCheckerRegion *region = &s->mem_regions[i]; + uint32_t nworlds = worldguard_config->nworlds; + + if (!region->downstream) { + continue; + } + event.entry.iova = 0; + event.entry.translated_addr = 0; + event.type = IOMMU_NOTIFIER_UNMAP; + event.entry.perm = IOMMU_NONE; + + for (int wid=0; wid<nworlds; wid++) { + memory_region_notify_iommu(&region->upstream, wid, event); + } + } +} + static void decode_napot(hwaddr a, hwaddr *sa, hwaddr *ea) { /* @@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry riscv_wgc_translate(IOMMUMemoryRegion *iommu, { WgCheckerRegion *region = container_of(iommu, WgCheckerRegion, upstream); RISCVWgCheckerState *s = RISCV_WGCHECKER(region->wgchecker); + bool is_write; + WgAccessResult result; + int wgc_perm; hwaddr phys_addr; uint64_t region_size; @@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry riscv_wgc_translate(IOMMUMemoryRegion *iommu, * Look at the wgChecker configuration for this address, and * return a TLB entry directing the transaction at either * downstream_as or blocked_io_as, as appropriate. - * For the moment, always permit accesses. */ /* Use physical address instead of offset */ phys_addr = addr + region->region_offset; + is_write = (flags == IOMMU_WO); - is_success = true; + result = wgc_check_access(s, phys_addr, iommu_idx, is_write); trace_riscv_wgc_translate(phys_addr, flags, - iommu_idx, is_success ? "pass" : "block"); + iommu_idx, result.is_success ? "pass" : "block"); - ret.target_as = is_success ? &region->downstream_as : &region->blocked_io_as; + wgc_perm = result.perm; + if (!result.is_success) { + /* if target_as is blocked_io_as, the perm is the condition of deny access. */ + wgc_perm ^= (P_READ | P_WRITE); + } + ret.perm = wgc_perm_to_iommu_flags(wgc_perm); + + ret.target_as = result.is_success ? &region->downstream_as : &region->blocked_io_as; return ret; } @@ -XXX,XX +XXX,XX @@ static void riscv_wgchecker_writeq(void *opaque, hwaddr addr, break; } + /* Flush softmmu TLB when wgChecker changes config. */ + wgchecker_iommu_notify_all(s); + return; } @@ -XXX,XX +XXX,XX @@ static void riscv_wgchecker_writel(void *opaque, hwaddr addr, break; } + /* Flush softmmu TLB when wgChecker changes config. */ + wgchecker_iommu_notify_all(s); + return; } diff --git a/hw/misc/trace-events b/hw/misc/trace-events index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/trace-events +++ b/hw/misc/trace-events @@ -XXX,XX +XXX,XX @@ riscv_wgchecker_mmio_write(uint64_t base, uint64_t offset, unsigned int size, ui riscv_wgc_mem_blocked_read(uint64_t addr, unsigned size, uint32_t wid) "wgChecker blocked read: offset 0x%" PRIx64 " size %u wid %" PRIu32 riscv_wgc_mem_blocked_write(uint64_t addr, uint64_t data, unsigned size, uint32_t wid) "wgChecker blocked write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u wid %" PRIu32 riscv_wgc_translate(uint64_t addr, int flags, int wid, const char *res) "wgChecker translate: addr 0x%016" PRIx64 " flags 0x%x wid %d: %s" +riscv_wgc_iommu_notify_all(void) "wgChecker iommu: notifying UNMAP for all" -- 2.17.1 * Add 'wg=on' option to enable RISC-V WorldGuard * Add wgChecker to protect several resources: DRAM, FLASH, UART. Signed-off-by: Jim Shu <jim.shu@sifive.com> --- docs/system/riscv/virt.rst | 20 +++++ hw/riscv/Kconfig | 1 + hw/riscv/virt.c | 163 ++++++++++++++++++++++++++++++++++++- include/hw/riscv/virt.h | 15 +++- 4 files changed, 195 insertions(+), 4 deletions(-) diff --git a/docs/system/riscv/virt.rst b/docs/system/riscv/virt.rst index XXXXXXX..XXXXXXX 100644 --- a/docs/system/riscv/virt.rst +++ b/docs/system/riscv/virt.rst @@ -XXX,XX +XXX,XX @@ The following machine-specific options are supported: Enables the riscv-iommu-sys platform device. Defaults to 'off'. +- wg=[on|off] + + When this option is "on", RISC-V WorldGuard will be enabled in the system + to provide the isolation of multiple worlds. RISC-V HARTs will enable WG + extensions to have WID in memory transaction. wgCheckers in front of RAMs + and device MMIO will be enabled to provide the access control of resources + if the transaction contains WID. When not specified, this option is assumed + to be "off". + + The WG configuration of virt machine includes 4 worlds. For WG configuration + of CPUs, the M-mode WID of CPU (`mwid`) is set to the largest WID number, + and the authorized WID list of CPU (`mwidlist`) includes all WIDs. We can + modify the configuration of all CPUs via `x-mwid` and `x-mwidlist` + CPU options. There are 3 wgCheckers in the virt machine, which seperately + protects DRAM, FLASH, and UART. Default WG configuration on the virt machine + is enough to run the demo of dual OSes in the different worlds. For example, + running both Linux kernel and Secure OS (e.g. OP-TEE) in it's own world. + + This option is restricted to the TCG accelerator. + Running Linux kernel -------------------- diff --git a/hw/riscv/Kconfig b/hw/riscv/Kconfig index XXXXXXX..XXXXXXX 100644 --- a/hw/riscv/Kconfig +++ b/hw/riscv/Kconfig @@ -XXX,XX +XXX,XX @@ config RISCV_VIRT select PLATFORM_BUS select ACPI select ACPI_PCI + select RISCV_WORLDGUARD config SHAKTI_C bool diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c index XXXXXXX..XXXXXXX 100644 --- a/hw/riscv/virt.c +++ b/hw/riscv/virt.c @@ -XXX,XX +XXX,XX @@ #include "qapi/qapi-visit-common.h" #include "hw/virtio/virtio-iommu.h" #include "hw/uefi/var-service-api.h" +#include "hw/misc/riscv_worldguard.h" /* KVM AIA only supports APLIC MSI. APLIC Wired is always emulated by QEMU. */ static bool virt_use_kvm_aia_aplic_imsic(RISCVVirtAIAType aia_type) @@ -XXX,XX +XXX,XX @@ static const MemMapEntry virt_memmap[] = { [VIRT_PCIE_PIO] = { 0x3000000, 0x10000 }, [VIRT_IOMMU_SYS] = { 0x3010000, 0x1000 }, [VIRT_PLATFORM_BUS] = { 0x4000000, 0x2000000 }, + [VIRT_WGC_DRAM] = { 0x6000000, 0x1000 }, + [VIRT_WGC_FLASH] = { 0x6001000, 0x1000 }, + [VIRT_WGC_UART] = { 0x6002000, 0x1000 }, [VIRT_PLIC] = { 0xc000000, VIRT_PLIC_SIZE(VIRT_CPUS_MAX * 2) }, [VIRT_APLIC_M] = { 0xc000000, APLIC_SIZE(VIRT_CPUS_MAX) }, [VIRT_APLIC_S] = { 0xd000000, APLIC_SIZE(VIRT_CPUS_MAX) }, @@ -XXX,XX +XXX,XX @@ static MemMapEntry virt_high_pcie_memmap; #define VIRT_FLASH_SECTOR_SIZE (256 * KiB) +/* wgChecker helpers */ +typedef struct WGCInfo { + int memmap_idx; + uint32_t irq_num; + uint32_t slot_count; + + int num_of_child; + MemoryRegion *c_region[WGC_NUM_REGIONS]; + uint64_t c_offset[WGC_NUM_REGIONS]; +} WGCInfo; + +enum { + WGC_DRAM, + WGC_FLASH, + WGC_UART, + WGC_NUM, +}; + +static WGCInfo virt_wgcinfo[] = { + [WGC_DRAM] = { VIRT_WGC_DRAM, WGC_DRAM_IRQ, 16 }, + [WGC_FLASH] = { VIRT_WGC_FLASH, WGC_FLASH_IRQ, 16 }, + [WGC_UART] = { VIRT_WGC_UART, WGC_UART_IRQ, 1 }, +}; + +static void wgc_append_child(WGCInfo *info, MemoryRegion *region, + uint64_t offset) +{ + info->c_region[info->num_of_child] = region; + info->c_offset[info->num_of_child] = offset; + info->num_of_child += 1; +} + static PFlashCFI01 *virt_flash_create1(RISCVVirtState *s, const char *name, const char *alias_prop_name) @@ -XXX,XX +XXX,XX @@ static void virt_flash_map1(PFlashCFI01 *flash, } static void virt_flash_map(RISCVVirtState *s, - MemoryRegion *sysmem) + MemoryRegion *sysmem, + WGCInfo *info) { hwaddr flashsize = virt_memmap[VIRT_FLASH].size / 2; hwaddr flashbase = virt_memmap[VIRT_FLASH].base; @@ -XXX,XX +XXX,XX @@ static void virt_flash_map(RISCVVirtState *s, sysmem); virt_flash_map1(s->flash[1], flashbase + flashsize, flashsize, sysmem); + + if (info) { + wgc_append_child(info, + sysbus_mmio_get_region(SYS_BUS_DEVICE(s->flash[0]), 0), + flashbase); + wgc_append_child(info, + sysbus_mmio_get_region(SYS_BUS_DEVICE(s->flash[1]), 0), + flashbase + flashsize); + } } static void create_pcie_irq_map(RISCVVirtState *s, void *fdt, char *nodename, @@ -XXX,XX +XXX,XX @@ static void virt_build_smbios(RISCVVirtState *s) } } +static DeviceState *create_wgc(WGCInfo *info, DeviceState *irqchip) +{ + MemoryRegion *system_memory = get_system_memory(); + DeviceState *wgc; + MemoryRegion *upstream_mr, *downstream_mr; + qemu_irq irq = qdev_get_gpio_in(irqchip, info->irq_num); + hwaddr base, size; + + /* Unmap downstream_mr from system_memory if it is already mapped. */ + for (int i=0; i<info->num_of_child; i++) { + downstream_mr = info->c_region[i]; + + g_assert(downstream_mr); + if (downstream_mr->container == system_memory) { + memory_region_del_subregion(system_memory, downstream_mr); + } + + /* + * Clear the offset of downstream_mr, so we could correctly do + * address_space_init() to it in wgchecker. + */ + memory_region_set_address(downstream_mr, 0); + } + + base = virt_memmap[info->memmap_idx].base; + size = virt_memmap[info->memmap_idx].size; + + wgc = riscv_wgchecker_create( + base, size, irq, info->slot_count, 0, 0, + info->num_of_child, info->c_region, info->c_offset, 0, NULL); + + /* Map upstream_mr to system_memory */ + for (int i=0; i<info->num_of_child; i++) { + upstream_mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(wgc), i+1); + g_assert(upstream_mr); + memory_region_add_subregion(system_memory, info->c_offset[i], upstream_mr); + } + + return wgc; +} + +static void virt_create_worldguard(WGCInfo *wgcinfo, int wgc_num, + DeviceState *irqchip) +{ + CPUState *cpu; + + /* Global WG config */ + riscv_worldguard_create(VIRT_WG_NWORLDS, + VIRT_WG_TRUSTEDWID, + VIRT_WG_HWBYPASS, + VIRT_WG_TZCOMPAT); + + /* Enable WG extension of each CPU */ + CPU_FOREACH(cpu) { + CPURISCVState *env = cpu ? cpu_env(cpu) : NULL; + + riscv_worldguard_apply_cpu(env->mhartid); + } + + /* Create all wgChecker devices */ + for (int i=0; i<wgc_num; i++) { + create_wgc(&wgcinfo[i], DEVICE(irqchip)); + } +} + static void virt_machine_done(Notifier *notifier, void *data) { RISCVVirtState *s = container_of(notifier, RISCVVirtState, @@ -XXX,XX +XXX,XX @@ static void virt_machine_done(Notifier *notifier, void *data) static void virt_machine_init(MachineState *machine) { const MemMapEntry *memmap = virt_memmap; + WGCInfo *wgcinfo = virt_wgcinfo; RISCVVirtState *s = RISCV_VIRT_MACHINE(machine); MemoryRegion *system_memory = get_system_memory(); MemoryRegion *mask_rom = g_new(MemoryRegion, 1); DeviceState *mmio_irqchip, *virtio_irqchip, *pcie_irqchip; + SerialMM *uart; int i, base_hartid, hart_count; int socket_count = riscv_socket_count(machine); @@ -XXX,XX +XXX,XX @@ static void virt_machine_init(MachineState *machine) exit(1); } + if (!tcg_enabled() && s->have_wg) { + error_report("'wg' is only available with TCG acceleration"); + exit(1); + } + /* Initialize sockets */ mmio_irqchip = virtio_irqchip = pcie_irqchip = NULL; for (i = 0; i < socket_count; i++) { @@ -XXX,XX +XXX,XX @@ static void virt_machine_init(MachineState *machine) memory_region_add_subregion(system_memory, memmap[VIRT_DRAM].base, machine->ram); + if (tcg_enabled() && s->have_wg) { + wgc_append_child(&wgcinfo[WGC_DRAM], machine->ram, memmap[VIRT_DRAM].base); + } + /* boot rom */ memory_region_init_rom(mask_rom, NULL, "riscv_virt_board.mrom", memmap[VIRT_MROM].size, &error_fatal); @@ -XXX,XX +XXX,XX @@ static void virt_machine_init(MachineState *machine) create_platform_bus(s, mmio_irqchip); - serial_mm_init(system_memory, memmap[VIRT_UART0].base, + uart = serial_mm_init(system_memory, memmap[VIRT_UART0].base, 0, qdev_get_gpio_in(mmio_irqchip, UART0_IRQ), 399193, serial_hd(0), DEVICE_LITTLE_ENDIAN); + if (tcg_enabled() && s->have_wg) { + wgc_append_child(&wgcinfo[WGC_UART], + sysbus_mmio_get_region(SYS_BUS_DEVICE(uart), 0), + memmap[VIRT_UART0].base); + } + sysbus_create_simple("goldfish_rtc", memmap[VIRT_RTC].base, qdev_get_gpio_in(mmio_irqchip, RTC_IRQ)); @@ -XXX,XX +XXX,XX @@ static void virt_machine_init(MachineState *machine) pflash_cfi01_legacy_drive(s->flash[i], drive_get(IF_PFLASH, 0, i)); } - virt_flash_map(s, system_memory); + + if (tcg_enabled() && s->have_wg) { + virt_flash_map(s, system_memory, &wgcinfo[WGC_FLASH]); + } else { + virt_flash_map(s, system_memory, NULL); + } + + if (tcg_enabled() && s->have_wg) { + virt_create_worldguard(wgcinfo, WGC_NUM, mmio_irqchip); + } /* load/create device tree */ if (machine->dtb) { @@ -XXX,XX +XXX,XX @@ static void virt_machine_instance_init(Object *obj) s->iommu_sys = ON_OFF_AUTO_AUTO; } +static bool virt_get_wg(Object *obj, Error **errp) +{ + RISCVVirtState *s = RISCV_VIRT_MACHINE(obj); + + return s->have_wg; +} + +static void virt_set_wg(Object *obj, bool value, Error **errp) +{ + RISCVVirtState *s = RISCV_VIRT_MACHINE(obj); + + s->have_wg = value; +} + static char *virt_get_aia_guests(Object *obj, Error **errp) { RISCVVirtState *s = RISCV_VIRT_MACHINE(obj); @@ -XXX,XX +XXX,XX @@ static void virt_machine_class_init(ObjectClass *oc, void *data) NULL, NULL); object_class_property_set_description(oc, "iommu-sys", "Enable IOMMU platform device"); + + object_class_property_add_bool(oc, "wg", virt_get_wg, + virt_set_wg); + object_class_property_set_description(oc, "wg", + "Set on/off to enable/disable the " + "RISC-V WorldGuard."); } static const TypeInfo virt_machine_typeinfo = { diff --git a/include/hw/riscv/virt.h b/include/hw/riscv/virt.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/riscv/virt.h +++ b/include/hw/riscv/virt.h @@ -XXX,XX +XXX,XX @@ struct RISCVVirtState { bool have_aclint; RISCVVirtAIAType aia_type; int aia_guests; + bool have_wg; char *oem_id; char *oem_table_id; OnOffAuto acpi; @@ -XXX,XX +XXX,XX @@ enum { VIRT_PLATFORM_BUS, VIRT_PCIE_ECAM, VIRT_IOMMU_SYS, + VIRT_WGC_DRAM, + VIRT_WGC_FLASH, + VIRT_WGC_UART }; enum { UART0_IRQ = 10, RTC_IRQ = 11, + WGC_DRAM_IRQ = 15, + WGC_FLASH_IRQ = 16, + WGC_UART_IRQ = 17, VIRTIO_IRQ = 1, /* 1 to 8 */ VIRTIO_COUNT = 8, PCIE_IRQ = 0x20, /* 32 to 35 */ @@ -XXX,XX +XXX,XX @@ enum { #define VIRT_PLATFORM_BUS_NUM_IRQS 32 #define VIRT_IRQCHIP_NUM_MSIS 255 -#define VIRT_IRQCHIP_NUM_SOURCES 96 +#define VIRT_IRQCHIP_NUM_SOURCES 128 #define VIRT_IRQCHIP_NUM_PRIO_BITS 3 #define VIRT_IRQCHIP_MAX_GUESTS_BITS 3 #define VIRT_IRQCHIP_MAX_GUESTS ((1U << VIRT_IRQCHIP_MAX_GUESTS_BITS) - 1U) @@ -XXX,XX +XXX,XX @@ uint32_t imsic_num_bits(uint32_t count); #error "Can't accommodate all IMSIC groups in address space" #endif +/* WorldGuard */ +#define VIRT_WG_NWORLDS 4 +#define VIRT_WG_TRUSTEDWID 3 +#define VIRT_WG_HWBYPASS true +#define VIRT_WG_TZCOMPAT false + #endif -- 2.17.1