From nobody Sat Nov 15 01:24:36 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=linux.alibaba.com ARC-Seal: i=1; a=rsa-sha256; t=1762930363; cv=none; d=zohomail.com; s=zohoarc; b=a+UvODWtRi7qBAmy5s8wWFZ1GY9XW4+yM0PbBMLVvAMpDcDA7MQ998e0XLiOkwpdOwM1f/0gcrzwE2t6fbypriggNgpCOfj92OVr1LH4ZN5p1eNOG9nsSI7qkG9qCqk6uIpzZ3PYi8A8k5eOf6BsR+yPGN640zmtnhbXT5T+BJs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1762930363; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=D6hxXjspeNA6pycvYior6h12FLtDmYammcdZitMD384=; b=NcUhW7AdspB/tMZLq43I2N8Wk0K35szr/o230LgZsvCo9KPm4iecS7KWc/PmzKtih8gVDjyl5edniO9bDTu/kMa6BNLHZH6cOAV9/p0CeQcuaOTEbFn4RlldboULE6KRWfyVFlIrJk0gWbN095rVvfPwA0ewa7oFSU9ynTyf+Zo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1762930363506181.89412965078077; Tue, 11 Nov 2025 22:52:43 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vJ4h4-0006aV-2Y; Wed, 12 Nov 2025 01:51:02 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vJ4gC-0006Lf-M5; Wed, 12 Nov 2025 01:50:20 -0500 Received: from out30-132.freemail.mail.aliyun.com ([115.124.30.132]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vJ4g4-0001W7-LN; Wed, 12 Nov 2025 01:50:06 -0500 Received: from localhost.localdomain(mailfrom:zhiwei_liu@linux.alibaba.com fp:SMTPD_---0WsFCrAE_1762930191 cluster:ay36) by smtp.aliyun-inc.com; Wed, 12 Nov 2025 14:49:51 +0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.alibaba.com; s=default; t=1762930192; h=From:To:Subject:Date:Message-Id:MIME-Version; bh=D6hxXjspeNA6pycvYior6h12FLtDmYammcdZitMD384=; b=dzoHVROryC0cvd168JdX8AqK3xMWGbqNm/3HULFRPT1XmYMoKj2q+uz5f4mYzaUNMYLuCbqGsU3e1yRIRxb2zGroB9BaUOtpIieALds+MMo+c9t1m74G1s48Lu5VtnVRkanhYRt3xdYCVge7Gzfagfj8G401F1JUvzdwAoosYLE= From: LIU Zhiwei To: qemu-devel@nongnu.org Cc: qemu-riscv@nongnu.org, palmer@dabbelt.com, alistair.francis@wdc.com, dbarboza@ventanamicro.com, liwei1518@gmail.com, zhiwei_liu@linux.alibaba.com, Huang Tao , TANG Tiancheng Subject: [PATCH v4 3/6] target/riscv: Integrate SMMPT checks into MMU and TLB fill Date: Wed, 12 Nov 2025 14:49:42 +0800 Message-Id: <20251112064945.46533-4-zhiwei_liu@linux.alibaba.com> X-Mailer: git-send-email 2.39.3 (Apple Git-146) In-Reply-To: <20251112064945.46533-1-zhiwei_liu@linux.alibaba.com> References: <20251112064945.46533-1-zhiwei_liu@linux.alibaba.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=115.124.30.132; envelope-from=zhiwei_liu@linux.alibaba.com; helo=out30-132.freemail.mail.aliyun.com X-Spam_score_int: -174 X-Spam_score: -17.5 X-Spam_bar: ----------------- X-Spam_report: (-17.5 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @linux.alibaba.com) X-ZM-MESSAGEID: 1762930364779153000 Content-Type: text/plain; charset="utf-8" With the core MPT lookup logic in place, this patch integrates the permission checks into QEMU's main MMU processing functions. A new helper, `get_physical_address_mpt`, is introduced to check the permissions for a given physical address against the MPT. This helper is then called at two critical points: 1. During page table walks (`get_physical_address`): The physical address of the Page Table Entry (PTE) itself is checked to ensure the supervisor has permission to read it. 2. After successful address translation (`riscv_cpu_tlb_fill`): The final guest-physical address is checked against the MPT before the access is allowed to proceed. This ensures that SMMPT protection is enforced for both the translation process and the final memory access, as required by the specification. Co-authored-by: Huang Tao Co-authored-by: TANG Tiancheng Signed-off-by: LIU Zhiwei Reviewed-by: Daniel Henrique Barboza --- target/riscv/cpu_helper.c | 76 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 75 insertions(+), 1 deletion(-) diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c index a055a8ab20..e4d52a37af 100644 --- a/target/riscv/cpu_helper.c +++ b/target/riscv/cpu_helper.c @@ -1161,6 +1161,60 @@ static bool check_svukte_addr(CPURISCVState *env, va= ddr addr) return !high_bit; } =20 +/* + * get_physical_address_mpt - check mpt permission for this physical addre= ss + * + * Lookup the Memory Protection Table and check permission for this + * physical address. Returns 0 if the permission checking was successful + * + * @env: CPURISCVState + * @prot: The returned protection attributes + * @addr: The physical address to be checked permission + * @access_type: The type of MMU access + * @mode: Indicates current privilege level. + */ +static int get_physical_address_mpt(CPURISCVState *env, int *prot, hwaddr = addr, + MMUAccessType access_type, int mode) +{ + mpt_access_t mpt_access; + bool mpt_has_access; + + /* + * If the extension is not supported or the mmpt.mode is Bare, + * there is no protection, return success. + */ + if (!riscv_cpu_cfg(env)->ext_smmpt || env->mptmode =3D=3D 0) { + *prot =3D PAGE_READ | PAGE_WRITE | PAGE_EXEC; + return TRANSLATE_SUCCESS; + } + + /* + * MPT is checked for all accesses to physical memory, unless the + * effective privilege mode is M. + * + * Data accesses in M-mode when the MPRV bit in mstatus is set and + * the MPP field in mstatus contains S or U are subject to MPT checks. + * + * In riscv_env_mmu_index, The MPRV and MPP bits are already checked a= nd + * encoded to mmu_idx, So we do not need to check it here. + */ + if (mode =3D=3D PRV_M) { + *prot =3D PAGE_READ | PAGE_WRITE | PAGE_EXEC; + return TRANSLATE_SUCCESS; + } + + mpt_has_access =3D smmpt_check_access(env, addr, + &mpt_access, access_type); + if (!mpt_has_access) { + *prot =3D 0; + return TRANSLATE_MPT_FAIL; + } + + *prot =3D smmpt_access_to_page_prot(mpt_access); + + return TRANSLATE_SUCCESS; +} + /* * get_physical_address - get the physical address for this virtual address * @@ -1355,6 +1409,13 @@ static int get_physical_address(CPURISCVState *env, = hwaddr *physical, pte_addr =3D base + idx * ptesize; } =20 + int mpt_prot; + int mpt_ret =3D get_physical_address_mpt(env, &mpt_prot, pte_addr, + MMU_DATA_LOAD, PRV_S); + if (mpt_ret !=3D TRANSLATE_SUCCESS) { + return TRANSLATE_MPT_FAIL; + } + int pmp_prot; int pmp_ret =3D get_physical_address_pmp(env, &pmp_prot, pte_addr, sxlen_bytes, @@ -1765,7 +1826,7 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, = int size, CPURISCVState *env =3D &cpu->env; vaddr im_address; hwaddr pa =3D 0; - int prot, prot2, prot_pmp; + int prot, prot2, prot_pmp, mpt_prot; bool pmp_violation =3D false; bool first_stage_error =3D true; bool two_stage_lookup =3D mmuidx_2stage(mmu_idx); @@ -1819,6 +1880,13 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address,= int size, prot &=3D prot2; =20 if (ret =3D=3D TRANSLATE_SUCCESS) { + ret =3D get_physical_address_mpt(env, &mpt_prot, pa, + access_type, mode); + qemu_log_mask(CPU_LOG_MMU, + "%s MPT address=3D" HWADDR_FMT_plx " ret %d = prot" + " %d\n", + __func__, pa, ret, mpt_prot); + prot &=3D mpt_prot; ret =3D get_physical_address_pmp(env, &prot_pmp, pa, size, access_type, mode); tlb_size =3D pmp_get_tlb_size(env, pa); @@ -1854,6 +1922,12 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address,= int size, __func__, address, ret, pa, prot); =20 if (ret =3D=3D TRANSLATE_SUCCESS) { + ret =3D get_physical_address_mpt(env, &mpt_prot, pa, + access_type, mode); + qemu_log_mask(CPU_LOG_MMU, + "%s MPT address=3D" HWADDR_FMT_plx " ret %d prot= %d\n", + __func__, pa, ret, mpt_prot); + prot &=3D mpt_prot; ret =3D get_physical_address_pmp(env, &prot_pmp, pa, size, access_type, mode); tlb_size =3D pmp_get_tlb_size(env, pa); --=20 2.25.1