From: Tao Tang
To: Eric Auger, Peter Maydell, "Michael S . Tsirkin", Marcel Apfelbaum
Cc: qemu-devel@nongnu.org, qemu-arm@nongnu.org, Chen Baozi, Pierrick Bouvier, Philippe Mathieu-Daudé, Mostafa Saleh, Chao Liu, Tao Tang
Subject: [RFC v4 17/31] hw/arm/smmuv3: Pass sec_sid into cmdq consume path
Date: Sat, 21 Feb 2026 18:17:14 +0800
Message-Id: <20260221101714.2994490-1-tangtao1634@phytium.com.cn>
In-Reply-To: <20260221100250.2976287-1-tangtao1634@phytium.com.cn>
Make smmuv3_cmdq_consume() security-state aware by passing sec_sid from smmu_writel() call sites (CR0/GERRORN/CMDQ_PROD paths), instead of hardcoding non-secure state. The related AddressSpace and MemTxAttrs are also obtained based on sec_sid.

Also move CMD_SSEC legality checking to a single early check before command dispatch: secure commands are rejected on non-secure queues (including future Realm queue) with CERROR_ILL. This removes duplicated per-command checks in CFGI handlers.

Finally, extend cmdq trace output with sec_sid so command processing can be correlated with the correct security bank.

Signed-off-by: Tao Tang
Reviewed-by: Eric Auger
Reviewed-by: Pierrick Bouvier
--- hw/arm/smmuv3.c | 50 ++++++++++++++++++++++----------------------- hw/arm/trace-events | 2 +- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c index e33a7babd1c..b2559e80f24 100644 --- a/hw/arm/smmuv3.c +++ b/hw/arm/smmuv3.c @@ -111,14 +111,14 @@ static void smmuv3_write_gerrorn(SMMUv3State *s, uint= 32_t new_gerrorn) trace_smmuv3_write_gerrorn(toggled & pending, bank->gerrorn); } =20 -static inline MemTxResult queue_read(SMMUQueue *q, Cmd *cmd) +static inline MemTxResult queue_read(SMMUQueue *q, Cmd *cmd, + AddressSpace *as, MemTxAttrs attrs) { dma_addr_t addr =3D Q_CONS_ENTRY(q); MemTxResult ret; int i; =20 - ret =3D dma_memory_read(&address_space_memory, addr, cmd, sizeof(Cmd), - MEMTXATTRS_UNSPECIFIED); + ret =3D dma_memory_read(as, addr, cmd, sizeof(Cmd), attrs); if (ret !=3D MEMTX_OK) { return ret; }
@@ -1346,14 +1346,17 @@ static void smmuv3_range_inval(SMMUState *s, Cmd *c= md, SMMUStage stage, } } =20 -static int smmuv3_cmdq_consume(SMMUv3State *s, Error **errp) +static int smmuv3_cmdq_consume(SMMUv3State *s, Error **errp, SMMUSecSID se= c_sid) { SMMUState *bs =3D ARM_SMMU(s); SMMUCmdError cmd_error =3D SMMU_CERROR_NONE; - SMMUSecSID sec_sid =3D SMMU_SEC_SID_NS; SMMUv3RegBank *bank =3D smmuv3_bank(s, sec_sid); SMMUQueue *q =3D &bank->cmdq; SMMUCommandType type =3D 0; + MemTxAttrs attrs =3D smmu_get_txattrs(sec_sid); + AddressSpace *as =3D smmu_get_address_space(bs, sec_sid); + /* Secure AddressSpace must be available, assert if not. */ + g_assert(as); =20 if (!smmuv3_cmdq_enabled(s, sec_sid)) { return 0; @@ -1369,18 +1372,30 @@ static int smmuv3_cmdq_consume(SMMUv3State *s, Erro= r **errp) uint32_t pending =3D bank->gerror ^ bank->gerrorn; Cmd cmd; =20 - trace_smmuv3_cmdq_consume(Q_PROD(q), Q_CONS(q), + trace_smmuv3_cmdq_consume(sec_sid, Q_PROD(q), Q_CONS(q), Q_PROD_WRAP(q), Q_CONS_WRAP(q)); =20 if (FIELD_EX32(pending, GERROR, CMDQ_ERR)) { break; } =20 - if (queue_read(q, &cmd) !=3D MEMTX_OK) { + if (queue_read(q, &cmd, as, attrs) !=3D MEMTX_OK) { cmd_error =3D SMMU_CERROR_ABT; break; } =20 + /* + * Secure Command on Non-secure Command queue, including Realm Com= mand + * queue, is not allowed. CERROR_ILL will be raised according to + * (IHI 0070G.b) 4.1.6 Common command fields, Page 168. + */ + if (CMD_SSEC(&cmd)) { + if (sec_sid !=3D SMMU_SEC_SID_S) { + cmd_error =3D SMMU_CERROR_ILL; + break; + } + } + type =3D CMD_TYPE(&cmd); =20 trace_smmuv3_cmdq_opcode(smmu_cmd_string(type)); @@ -1400,11 +1415,6 @@ static int smmuv3_cmdq_consume(SMMUv3State *s, Error= **errp) uint32_t sid =3D CMD_SID(&cmd); SMMUDevice *sdev =3D smmu_find_sdev(bs, sid); =20 - if (CMD_SSEC(&cmd)) { - cmd_error =3D SMMU_CERROR_ILL; - break; - } - if (!sdev) { break; } 
@@ -1424,11 +1434,6 @@ static int smmuv3_cmdq_consume(SMMUv3State *s, Error= **errp) uint8_t range =3D CMD_STE_RANGE(&cmd); SMMUSIDRange sid_range; =20 - if (CMD_SSEC(&cmd)) { - cmd_error =3D SMMU_CERROR_ILL; - break; - } - mask =3D (1ULL << (range + 1)) - 1; sid_range.start =3D sid & ~mask; sid_range.end =3D sid_range.start + mask; @@ -1447,11 +1452,6 @@ static int smmuv3_cmdq_consume(SMMUv3State *s, Error= **errp) uint32_t sid =3D CMD_SID(&cmd); SMMUDevice *sdev =3D smmu_find_sdev(bs, sid); =20 - if (CMD_SSEC(&cmd)) { - cmd_error =3D SMMU_CERROR_ILL; - break; - } - if (!sdev) { break; } @@ -1666,7 +1666,7 @@ static MemTxResult smmu_writel(SMMUv3State *s, hwaddr= offset, bank->cr[0] =3D data; bank->cr0ack =3D data & ~SMMU_CR0_RESERVED; /* in case the command queue has been enabled */ - smmuv3_cmdq_consume(s, &local_err); + smmuv3_cmdq_consume(s, &local_err, reg_sec_sid); break; case A_CR1: bank->cr[1] =3D data; @@ -1683,7 +1683,7 @@ static MemTxResult smmu_writel(SMMUv3State *s, hwaddr= offset, * By acknowledging the CMDQ_ERR, SW may notify cmds can * be processed again */ - smmuv3_cmdq_consume(s, &local_err); + smmuv3_cmdq_consume(s, &local_err, reg_sec_sid); break; case A_GERROR_IRQ_CFG0: /* 64b */ bank->gerror_irq_cfg0 =3D deposit64(bank->gerror_irq_cfg0, 0, 32, = data); @@ -1733,7 +1733,7 @@ static MemTxResult smmu_writel(SMMUv3State *s, hwaddr= offset, break; case A_CMDQ_PROD: bank->cmdq.prod =3D data; - smmuv3_cmdq_consume(s, &local_err); + smmuv3_cmdq_consume(s, &local_err, reg_sec_sid); break; case A_CMDQ_CONS: bank->cmdq.cons =3D data; diff --git a/hw/arm/trace-events b/hw/arm/trace-events index 4e360b3c0d3..ca8485c96af 100644 --- a/hw/arm/trace-events +++ b/hw/arm/trace-events 
@@ -35,7 +35,7 @@ smmuv3_trigger_irq(int irq) "irq=3D%d" smmuv3_write_gerror(uint32_t toggled, uint32_t gerror) "toggled=3D0x%x, ne= w GERROR=3D0x%x" smmuv3_write_gerrorn(uint32_t acked, uint32_t gerrorn) "acked=3D0x%x, new = GERRORN=3D0x%x" smmuv3_unhandled_cmd(uint32_t type) "Unhandled command type=3D%d" -smmuv3_cmdq_consume(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8= _t cons_wrap) "prod=3D%d cons=3D%d prod.wrap=3D%d cons.wrap=3D%d" +smmuv3_cmdq_consume(int sec_sid, uint32_t prod, uint32_t cons, uint8_t pro= d_wrap, uint8_t cons_wrap) "sec_sid=3D%d prod=3D%d cons=3D%d prod.wrap=3D%d= cons.wrap=3D%d" smmuv3_cmdq_opcode(const char *opcode) "<--- %s" smmuv3_cmdq_consume_out(uint32_t prod, uint32_t cons, uint8_t prod_wrap, u= int8_t cons_wrap) "prod:%d, cons:%d, prod_wrap:%d, cons_wrap:%d " smmuv3_cmdq_consume_error(const char *cmd_name, uint8_t cmd_error) "Error = on %s command execution: %d" --=20 2.34.1
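Review bot: In the smmuv3_cmdq_consume() prologue, g_assert(as) sits ahead of the smmuv3_cmdq_enabled() early return, and sec_sid is now supplied by the smmu_writel() call sites, so a register write that reaches this function for a bank whose AddressSpace was never set up aborts QEMU instead of being ignored or reported through errp. If the series guarantees at realize time that every bank the guest can address has an AddressSpace, state that in the comment; otherwise return early with an error set. The comment also says "Secure AddressSpace", while the assertion covers whatever sec_sid is passed in, so wording it as the AddressSpace for sec_sid would be more accurate.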
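Review bot: In the command loop, the new CMD_SSEC check breaks out before type = CMD_TYPE(&cmd) is assigned, so on this CERROR_ILL path type still holds the previous iteration's value (or the initial 0). Anything after the loop that names the failing command by type, such as the smmuv3_cmdq_consume_error trace event with its cmd_name argument, would then report the wrong command. Moving the type assignment above the check avoids that. The two nested ifs can also be a single condition: if (CMD_SSEC(&cmd) && sec_sid != SMMU_SEC_SID_S).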
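Review bot: With the unconditional CMD_SSEC rejection removed from the three CFGI cases, a command with SSEC set on the secure queue now reaches those handlers, yet the context lines still resolve the target with smmu_find_sdev(bs, sid) and build sid_range from sid alone; neither sec_sid nor the SSEC bit takes part. Please confirm that the handlers select secure versus non-secure streams, here or in a later patch of the series, or keep rejecting SSEC in these cases until they do, so that a secure-queue command cannot invalidate configuration belonging to the other security state.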
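Review bot: In hw/arm/trace-events only smmuv3_cmdq_consume gains sec_sid; smmuv3_cmdq_opcode, smmuv3_cmdq_consume_out and smmuv3_cmdq_consume_error are unchanged, so once more than one bank consumes commands the opcode, exit and error events cannot be tied to a bank, which is the correlation the commit message sets out to provide. Consider adding sec_sid to those events as well. The new argument is declared int while the caller passes an SMMUSecSID, which is worth keeping consistent with how other events in the series declare it.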