[RFC v4 31/31] [NOT-MERGE] hw/arm/smmuv3: temporarily enable SEL2 bit and some other features

Tao Tang posted 31 patches 1 month, 2 weeks ago
Maintainers: Eric Auger <eric.auger@redhat.com>, Peter Maydell <peter.maydell@linaro.org>, "Michael S. Tsirkin" <mst@redhat.com>, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
[RFC v4 31/31] [NOT-MERGE] hw/arm/smmuv3: temporarily enable SEL2 bit and some other features
Posted by Tao Tang 1 month, 2 weeks ago
Temporarily:
- enable S_IDR1.SEL2,
- change AIDR to 0x2 to indicate SMMUv3.2,
- use smaller SID size and Cmd/Evt queue size.

Signed-off-by: Tao Tang <tangtao1634@phytium.com.cn>
---
 hw/arm/smmuv3.c                | 3 ++-
 include/hw/arm/smmuv3-common.h | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index 678cbd584e2..332feb28787 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -328,6 +328,7 @@ static void smmuv3_init_id_regs(SMMUv3State *s)
     sbk->idr[0] = FIELD_DP32(bk->idr[0], S_IDR0, STALL_MODEL, 1); /* No stall */
     sbk->idr[1] = FIELD_DP32(sbk->idr[1], S_IDR1, S_SIDSIZE, SMMU_IDR1_SIDSIZE);
     sbk->idr[1] = FIELD_DP32(sbk->idr[1], S_IDR1, SECURE_IMPL, s->secure_impl);
+    sbk->idr[1] = FIELD_DP32(sbk->idr[1], S_IDR1, SEL2, 1);
     smmuv3_accel_idr_override(s);
 }
 
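Review bot: SEL2 is written as a constant 1 in smmuv3_init_id_regs(), while the line directly above it takes SECURE_IMPL from s->secure_impl, so a device created with secure-impl off would still report S_IDR1.SEL2. Consider gating it the same way, for example `FIELD_DP32(sbk->idr[1], S_IDR1, SEL2, s->secure_impl)`, or putting it behind its own property, so the Secure EL2 capability is only advertised when the secure programming interface is actually modelled. Separately, the first context line deposits into `sbk->idr[0]` from `bk->idr[0]`, unlike the `sbk->idr[1]` lines that follow; it is worth confirming that the non-secure bank is the intended source there.
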
@@ -373,7 +374,7 @@ static void smmuv3_reset(SMMUv3State *s)
     sbk->gerrorn = 0;
     sbk->gbpa = SMMU_GBPA_RESET_VAL;
 
-    s->aidr = 0x1;
+    s->aidr = 0x2; /* SMMUv3.2 */
     s->statusr = 0;
 }
 
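Review bot: the reset value `s->aidr = 0x2` is hardcoded in smmuv3_reset(), so every guest reading AIDR sees SMMUv3.2 regardless of how the device was configured, not only the secure test setup this patch is meant for. If this is to outlive the NOT-MERGE stage, a named constant for the architecture revision plus a device property that keeps 0x1 as the default would make the bump opt-in, and the commit message should say which v3.2 behaviour the test firmware depends on.
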
diff --git a/include/hw/arm/smmuv3-common.h b/include/hw/arm/smmuv3-common.h
index c40fa46fb88..57ce32aef7b 100644
--- a/include/hw/arm/smmuv3-common.h
+++ b/include/hw/arm/smmuv3-common.h
@@ -312,9 +312,9 @@ REG32(IDR1,                0x4)
     FIELD(IDR1, ECMDQ,        31, 1)
 
 #define SMMU_SSID_MAX_BITS 20
-#define SMMU_IDR1_SIDSIZE 16
-#define SMMU_CMDQS   19
-#define SMMU_EVENTQS 19
+#define SMMU_IDR1_SIDSIZE 6
+#define SMMU_CMDQS   10
+#define SMMU_EVENTQS 10
 
 REG32(IDR2,                0x8)
      FIELD(IDR2, BA_VATOS, 0, 10)
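Review bot: the three defines changed here live in the shared smmuv3-common.h header, so shrinking SMMU_IDR1_SIDSIZE from 16 to 6 and SMMU_CMDQS/SMMU_EVENTQS from 19 to 10 applies to every user of the model, and a 6-bit StreamID only covers 64 stream IDs. The commit message says "use smaller SID size and Cmd/Evt queue size" without giving the reason; please document which consumer needs the smaller values, and consider making them per-device properties rather than editing the global defaults so existing configurations keep the 16-bit SID range.
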
-- 
2.34.1
Re: [RFC v4 31/31] [NOT-MERGE] hw/arm/smmuv3: temporarily enable SEL2 bit and some other features
Posted by Pierrick Bouvier 1 month, 2 weeks ago
On 2/21/26 2:19 AM, Tao Tang wrote:
> Temporarily:
> - enable S_IDR1.SEL2,
> - change AIDR to 0x2 to indicate SMMUv3.2,
> - use smaller SID size and Cmd/Evt queue size.
> 
> Signed-off-by: Tao Tang <tangtao1634@phytium.com.cn>
> ---
>   hw/arm/smmuv3.c                | 3 ++-
>   include/hw/arm/smmuv3-common.h | 6 +++---
>   2 files changed, 5 insertions(+), 4 deletions(-)
> 

I have been able to boot hafnium with:
- instructions at 
https://hnusdr.github.io/2025/08/09/Test-Secure-SMMU-with-Hafnium-ENG/
- the current patch
- qemu-system-aarch64 -global arm-smmuv3.secure-impl=on ...

In case someone else wants to reproduce this easily:

```
git clone https://github.com/p-b-o/qemu-linux-stack
cd qemu-linux-stack
git checkout optee-secure-smmu
./build.sh # only requires podman and qemu-user-static
./run.sh /path/to/qemu-system-aarch64
```

Tested-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Re: [RFC v4 31/31] [NOT-MERGE] hw/arm/smmuv3: temporarily enable SEL2 bit and some other features
Posted by Tao Tang 1 month, 1 week ago
Hi Pierrick,

On 2026/2/26 05:31, Pierrick Bouvier wrote:
> On 2/21/26 2:19 AM, Tao Tang wrote:
>> Temporarily:
>> - enable S_IDR1.SEL2,
>> - change AIDR to 0x2 to indicate SMMUv3.2,
>> - use smaller SID size and Cmd/Evt queue size.
>>
>> Signed-off-by: Tao Tang <tangtao1634@phytium.com.cn>
>> ---
>>   hw/arm/smmuv3.c                | 3 ++-
>>   include/hw/arm/smmuv3-common.h | 6 +++---
>>   2 files changed, 5 insertions(+), 4 deletions(-)
>>
>
> I have been able to boot hafnium with:
> - instructions at 
> https://hnusdr.github.io/2025/08/09/Test-Secure-SMMU-with-Hafnium-ENG/
> - the current patch
> - qemu-system-aarch64 -global arm-smmuv3.secure-impl=on ...
>
> In case someone else wants to reproduce this easily:
>
> ```
> git clone https://github.com/p-b-o/qemu-linux-stack
> cd qemu-linux-stack
> git checkout optee-secure-smmu
> ./build.sh # only requires podman and qemu-user-static
> ./run.sh /path/to/qemu-system-aarch64
> ```
>
> Tested-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>


Thanks for the test!


Hafnium is indeed a good way to exercise Secure register and Secure 
command queue access.


Best regards,

Tao


Re: [RFC v4 31/31] [NOT-MERGE] hw/arm/smmuv3: temporarily enable SEL2 bit and some other features
Posted by Pierrick Bouvier 1 month, 2 weeks ago
On 2/25/26 1:31 PM, Pierrick Bouvier wrote:
> On 2/21/26 2:19 AM, Tao Tang wrote:
>> Temporarily:
>> - enable S_IDR1.SEL2,
>> - change AIDR to 0x2 to indicate SMMUv3.2,
>> - use smaller SID size and Cmd/Evt queue size.
>>
>> Signed-off-by: Tao Tang <tangtao1634@phytium.com.cn>
>> ---
>>    hw/arm/smmuv3.c                | 3 ++-
>>    include/hw/arm/smmuv3-common.h | 6 +++---
>>    2 files changed, 5 insertions(+), 4 deletions(-)
>>
> 
> I have been able to boot hafnium with:
> - instructions at
> https://hnusdr.github.io/2025/08/09/Test-Secure-SMMU-with-Hafnium-ENG/
> - the current patch
> - qemu-system-aarch64 -global arm-smmuv3.secure-impl=on ...
> 
> In case someone else wants to reproduce this easily:
> 
> ```
> git clone https://github.com/p-b-o/qemu-linux-stack
> cd qemu-linux-stack
> git checkout optee-secure-smmu
> ./build.sh # only requires podman and qemu-user-static
> ./run.sh /path/to/qemu-system-aarch64
> ```
> 
> Tested-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>

If we could have a device access directly from optee, it could be used 
to exercise secure translation as well.
However, I'm not really sure it's how optee is supposed to be used, and 
it has very limited hardware support and abstractions.