target-arm: correct CNTFRQ access rights

Correct some corner cases we were getting wrong for CNTFRQ access rights: * should UNDEF from 32-bit Secure EL1 * only writable from the highest implemented exception level, which might not be EL1 now To clarify the code, provide a new utility function arm_highest_el() which returns the highest implemented exception level. Backports commit 755026728abb19fba70e6b4396a27fa2e7550d74 from qemu
2025-03-23 06:25:12 +00:00 · 2018-02-20 14:49:02 -05:00 · 2018-02-20 14:49:02 -05:00 · 7b503db3c6
parent 22d4f95912
commit 7b503db3c6
2 changed files with 38 additions and 3 deletions
--- a/qemu/target-arm/cpu.h
+++ b/qemu/target-arm/cpu.h
@ -1268,6 +1268,18 @@ static inline bool cptype_valid(int cptype)
 #define PL1_RW (PL1_R | PL1_W)
 #define PL0_RW (PL0_R | PL0_W)

+/* Return the highest implemented Exception Level */
+static inline int arm_highest_el(CPUARMState *env)
+{
+    if (arm_feature(env, ARM_FEATURE_EL3)) {
+        return 3;
+    }
+    if (arm_feature(env, ARM_FEATURE_EL2)) {
+        return 2;
+    }
+    return 1;
+}
+
 /* Return the current Exception Level (as per ARMv8; note that this differs
 * from the ARMv7 Privilege Level).
 */
--- a/qemu/target-arm/helper.c
+++ b/qemu/target-arm/helper.c
@ -1061,10 +1061,33 @@ static const ARMCPRegInfo v6k_cp_reginfo[] = {
 static CPAccessResult gt_cntfrq_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                       bool isread)
 {
-    /* CNTFRQ: not visible from PL0 if both PL0PCTEN and PL0VCTEN are zero */
-    if (arm_current_el(env) == 0 && !extract32(env->cp15.c14_cntkctl, 0, 2)) {
-        return CP_ACCESS_TRAP;
+    /* CNTFRQ: not visible from PL0 if both PL0PCTEN and PL0VCTEN are zero.
+     * Writable only at the highest implemented exception level.
+     */
+    int el = arm_current_el(env);
+
+    switch (el) {
+    case 0:
+        if (!extract32(env->cp15.c14_cntkctl, 0, 2)) {
+            return CP_ACCESS_TRAP;
+        }
+        break;
+    case 1:
+        if (!isread && ri->state == ARM_CP_STATE_AA32 &&
+            arm_is_secure_below_el3(env)) {
+            /* Accesses from 32-bit Secure EL1 UNDEF (*not* trap to EL3!) */
+            return CP_ACCESS_TRAP_UNCATEGORIZED;
+        }
+        break;
+    case 2:
+    case 3:
+        break;
    }
+
+    if (!isread && el < arm_highest_el(env)) {
+        return CP_ACCESS_TRAP_UNCATEGORIZED;
+    }
+
    return CP_ACCESS_OK;
 }