[PATCH v2 00/14] hw/arm/smmuv3: Add initial support for Secure State

Tao Tang posted 14 patches 2 days, 22 hours ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20250925162618.191242-1-tangtao1634@phytium.com.cn
Maintainers: Eric Auger <eric.auger@redhat.com>, Peter Maydell <peter.maydell@linaro.org>
[PATCH v2 00/14] hw/arm/smmuv3: Add initial support for Secure State
Posted by Tao Tang 2 days, 22 hours ago
Hi all,

This is the second version of the patch series to introduce initial
support for Secure SMMUv3 emulation in QEMU.

This version has been significantly restructured based on the excellent
feedback received on the RFC.

This version addresses the major points raised during the RFC review.
Nearly all issues identified in v1 have been resolved. The most
significant changes include:

  - The entire series has been refactored to use a "banked register"
  architecture. This new design serves as a solid base for all secure
  functionality and significantly reduces code duplication.

  - The large refactoring patch from v1 has been split into smaller, more
  focused commits (e.g., STE parsing, page table handling, and TLB
  management) to make the review process easier.

  - Support for the complex SEL2 feature (Secure Stage 2) has been
  deferred to a future series to reduce the scope of this RFC.

  - The mechanism for propagating the security context now correctly uses
  the ARMSecuritySpace attribute from the incoming transaction. This
  ensures the SMMU's handling of security is aligned with the rest of the
  QEMU ARM architecture.


The series now begins with two preparatory patches that fix pre-existing
bugs in the SMMUv3 model. The first of these, which corrects the CR0
reserved mask, has already been reviewed by Eric.

  - hw/arm/smmuv3: Fix incorrect reserved mask for SMMU CR0 register
  - hw/arm/smmuv3: Correct SMMUEN field name in CR0

The subsequent patches implement the Secure SMMUv3 feature, refactored
to address the feedback from the v1 RFC.


Changes from v1 RFC:

  - The entire feature implementation has been refactored to use a "banked
  register" approach. This significantly reduces code duplication.

  - Support for the SEL2 feature (Secure Stage 2) has been deferred. As
  Mostafa pointed out, a correct implementation is complex and depends on
  FEAT_TTST. This will be addressed in a separate, future patch series.
  As a result, this series now supports the following flows:

    - Non-secure Stage 1, Stage 2, and nested translations.

    - Secure Stage 1-only translations.

    - Nested translations (Secure Stage 1 + Non-secure Stage 2), with a
  fault generated if a Secure Stage 2 translation is required.

  - Writability checks for various registers (both secure and non-secure)
  have been hardened to ensure that enable bits are correctly checked.

The series has been successfully validated with several test setups:

  - An environment using OP-TEE, Hafnium, and a custom platform
  device, as described in the v1 series.

  - A new, self-contained test device (smmu-testdev) built upon the
  QTest framework, which will be submitted as a separate series as
  discussed here:
    https://lists.nongnu.org/archive/html/qemu-devel/2025-09/msg05365.html

  - The existing non-secure functionality was regression-tested using
  PCIe passthrough to a KVM guest running inside a TCG guest.

Signed-off-by: Tao Tang <tangtao1634@phytium.com.cn>

Tao Tang (14):
  hw/arm/smmuv3: Fix incorrect reserved mask for SMMU CR0 register
  hw/arm/smmuv3: Correct SMMUEN field name in CR0
  hw/arm/smmuv3: Introduce secure registers and commands
  refactor: Move ARMSecuritySpace to a common header
  hw/arm/smmuv3: Introduce banked registers for SMMUv3 state
  hw/arm/smmuv3: Add separate address space for secure SMMU accesses
  hw/arm/smmuv3: Make Configuration Cache security-state aware
  hw/arm/smmuv3: Add security-state handling for page table walks
  hw/arm/smmuv3: Add secure TLB entry management
  hw/arm/smmuv3: Add banked support for queues and error handling
  hw/arm/smmuv3: Harden security checks in MMIO handlers
  hw/arm/smmuv3: Use iommu_index to represent the security context
  hw/arm/smmuv3: Add property to enable Secure SMMU support
  hw/arm/smmuv3: Optional Secure bank migration via subsections

 hw/arm/smmu-common.c          |  151 ++++-
 hw/arm/smmu-internal.h        |    7 +
 hw/arm/smmuv3-internal.h      |  114 +++-
 hw/arm/smmuv3.c               | 1130 +++++++++++++++++++++++++--------
 hw/arm/trace-events           |    9 +-
 hw/arm/virt.c                 |    5 +
 include/hw/arm/arm-security.h |   54 ++
 include/hw/arm/smmu-common.h  |   60 +-
 include/hw/arm/smmuv3.h       |   35 +-
 target/arm/cpu.h              |   25 +-
 10 files changed, 1257 insertions(+), 333 deletions(-)
 create mode 100644 include/hw/arm/arm-security.h

--
2.34.1
Re: [PATCH v2 00/14] hw/arm/smmuv3: Add initial support for Secure State
Posted by Eric Auger 2 days, 2 hours ago
Hi,

On 9/25/25 6:26 PM, Tao Tang wrote:
> Hi all,
>
> This is the second version of the patch series to introduce initial
> support for Secure SMMUv3 emulation in QEMU.

could you share a branch? It does not seem to apply on master.

Thanks

Eric
Re: [PATCH v2 00/14] hw/arm/smmuv3: Add initial support for Secure State
Posted by Tao Tang 1 day, 23 hours ago
On 2025/9/26 20:24, Eric Auger wrote:
> Hi,
>
> On 9/25/25 6:26 PM, Tao Tang wrote:
> could you share a branch? It does not seem to apply on master.
>
> Thanks
>
> Eric


Hi Eric,

Thanks for the feedback. I've rebased the patch series onto the latest 
master and pushed it to a branch as you requested.

Interestingly, the rebase completed cleanly without any conflicts on my 
end, so I'm not sure what the initial issue might have been. In any 
case, this branch should be up-to-date.


You can find the updated branch here for review:

- [v1-rebased] https://github.com/hnusdr/qemu/tree/secure-smmu-v1-community-newer


For historical reference, the original branch is here.

- [v1-original] https://github.com/hnusdr/qemu/tree/secure-smmu-v1-community


Thanks,

Tao




Re: [PATCH v2 00/14] hw/arm/smmuv3: Add initial support for Secure State
Posted by Eric Auger 1 day, 22 hours ago

On 9/26/25 4:54 PM, Tao Tang wrote:
>
> On 2025/9/26 20:24, Eric Auger wrote:
>> Hi,
>>
>> On 9/25/25 6:26 PM, Tao Tang wrote:
>> could you share a branch? It does not seem to apply on master.
>>
>> Thanks
>>
>> Eric
>
>
> Hi Eric,
>
> Thanks for the feedback. I've rebased the patch series onto the latest
> master and pushed it to a branch as you requested.
>
> Interestingly, the rebase completed cleanly without any conflicts on
> my end, so I'm not sure what the initial issue might have been. In any
> case, this branch should be up-to-date.
>
>
> You can find the updated branch here for review:
>
> - [v1-rebased]
> https://github.com/hnusdr/qemu/tree/secure-smmu-v1-community-newer

Thanks for the branches. I guess it is due to

[PATCH v9 00/11] hw/arm/virt: Add support for user creatable SMMUv3 device <https://lore.kernel.org/all/20250829082543.7680-1-skolothumtho@nvidia.com/#r>

which landed ~ 10d ago.

Thanks

Eric
