target/riscv: propagate PMP permission to TLB page

Currently, PMP permission checking of TLB page is bypassed if TLB hits
Fix it by propagating PMP permission to TLB page permission.

PMP permission checking also use MMU-style API to change TLB permission
and size.

Backports b297129ae19e26d3cc0e376d2bfc33d76b06d83b
This commit is contained in:
Jim Shu 2021-03-30 15:04:10 -04:00 committed by Lioncash
parent da652cb603
commit d1ee86a6b2
6 changed files with 128 additions and 43 deletions

View file

@ -7313,6 +7313,7 @@ riscv_symbols = (
'pmp_hart_has_privs', 'pmp_hart_has_privs',
'pmp_get_num_rules', 'pmp_get_num_rules',
'pmp_is_range_in_tlb', 'pmp_is_range_in_tlb',
'pmp_priv_to_page_prot',
'pmp_update_rule_nums', 'pmp_update_rule_nums',
'pmpaddr_csr_read', 'pmpaddr_csr_read',
'pmpaddr_csr_write', 'pmpaddr_csr_write',

View file

@ -4749,6 +4749,7 @@
#define pmp_hart_has_privs pmp_hart_has_privs_riscv32 #define pmp_hart_has_privs pmp_hart_has_privs_riscv32
#define pmp_get_num_rules pmp_get_num_rules_riscv32 #define pmp_get_num_rules pmp_get_num_rules_riscv32
#define pmp_is_range_in_tlb pmp_is_range_in_tlb_riscv32 #define pmp_is_range_in_tlb pmp_is_range_in_tlb_riscv32
#define pmp_priv_to_page_prot pmp_priv_to_page_prot_riscv32
#define pmp_update_rule_nums pmp_update_rule_nums_riscv32 #define pmp_update_rule_nums pmp_update_rule_nums_riscv32
#define pmpaddr_csr_read pmpaddr_csr_read_riscv32 #define pmpaddr_csr_read pmpaddr_csr_read_riscv32
#define pmpaddr_csr_write pmpaddr_csr_write_riscv32 #define pmpaddr_csr_write pmpaddr_csr_write_riscv32

View file

@ -4749,6 +4749,7 @@
#define pmp_hart_has_privs pmp_hart_has_privs_riscv64 #define pmp_hart_has_privs pmp_hart_has_privs_riscv64
#define pmp_get_num_rules pmp_get_num_rules_riscv64 #define pmp_get_num_rules pmp_get_num_rules_riscv64
#define pmp_is_range_in_tlb pmp_is_range_in_tlb_riscv64 #define pmp_is_range_in_tlb pmp_is_range_in_tlb_riscv64
#define pmp_priv_to_page_prot pmp_priv_to_page_prot_riscv64
#define pmp_update_rule_nums pmp_update_rule_nums_riscv64 #define pmp_update_rule_nums pmp_update_rule_nums_riscv64
#define pmpaddr_csr_read pmpaddr_csr_read_riscv64 #define pmpaddr_csr_read pmpaddr_csr_read_riscv64
#define pmpaddr_csr_write pmpaddr_csr_write_riscv64 #define pmpaddr_csr_write pmpaddr_csr_write_riscv64

View file

@ -273,6 +273,49 @@ void riscv_cpu_set_mode(CPURISCVState *env, target_ulong newpriv)
env->load_res = -1; env->load_res = -1;
} }
/*
* get_physical_address_pmp - check PMP permission for this physical address
*
* Match the PMP region and check permission for this physical address and it's
* TLB page. Returns 0 if the permission checking was successful
*
* @env: CPURISCVState
* @prot: The returned protection attributes
* @tlb_size: TLB page size containing addr. It could be modified after PMP
* permission checking. NULL if not set TLB page for addr.
* @addr: The physical address to be checked permission
* @access_type: The type of MMU access
* @mode: Indicates current privilege level.
*/
static int get_physical_address_pmp(CPURISCVState *env, int *prot,
target_ulong *tlb_size, hwaddr addr,
int size, MMUAccessType access_type,
int mode)
{
pmp_priv_t pmp_priv;
target_ulong tlb_size_pmp = 0;
if (!riscv_feature(env, RISCV_FEATURE_PMP)) {
*prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
return TRANSLATE_SUCCESS;
}
if (!pmp_hart_has_privs(env, addr, size, 1 << access_type, &pmp_priv,
mode)) {
*prot = 0;
return TRANSLATE_PMP_FAIL;
}
*prot = pmp_priv_to_page_prot(pmp_priv);
if (tlb_size != NULL) {
if (pmp_is_range_in_tlb(env, addr & ~(*tlb_size - 1), &tlb_size_pmp)) {
*tlb_size = tlb_size_pmp;
}
}
return TRANSLATE_SUCCESS;
}
/* get_physical_address - get the physical address for this virtual address /* get_physical_address - get the physical address for this virtual address
* *
* Do a page table walk to obtain the physical address corresponding to a * Do a page table walk to obtain the physical address corresponding to a
@ -435,9 +478,11 @@ restart:
pte_addr = base + idx * ptesize; pte_addr = base + idx * ptesize;
} }
if (riscv_feature(env, RISCV_FEATURE_PMP) && int pmp_prot;
!pmp_hart_has_privs(env, pte_addr, sizeof(target_ulong), int pmp_ret = get_physical_address_pmp(env, &pmp_prot, NULL, pte_addr,
1 << MMU_DATA_LOAD, PRV_S)) { sizeof(target_ulong),
MMU_DATA_LOAD, PRV_S);
if (pmp_ret != TRANSLATE_SUCCESS) {
return TRANSLATE_PMP_FAIL; return TRANSLATE_PMP_FAIL;
} }
@ -672,13 +717,14 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
RISCVCPU *cpu = RISCV_CPU(cs->uc, cs); RISCVCPU *cpu = RISCV_CPU(cs->uc, cs);
CPURISCVState *env = &cpu->env; CPURISCVState *env = &cpu->env;
hwaddr pa = 0; hwaddr pa = 0;
int prot, prot2; int prot, prot2, prot_pmp;
bool pmp_violation = false; bool pmp_violation = false;
bool first_stage_error = true; bool first_stage_error = true;
bool two_stage_lookup = false; bool two_stage_lookup = false;
int ret = TRANSLATE_FAIL; int ret = TRANSLATE_FAIL;
int mode = mmu_idx; int mode = mmu_idx;
target_ulong tlb_size = 0; /* default TLB page size */
target_ulong tlb_size = TARGET_PAGE_SIZE;
env->guest_phys_fault_addr = 0; env->guest_phys_fault_addr = 0;
@ -735,10 +781,10 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
prot &= prot2; prot &= prot2;
if (riscv_feature(env, RISCV_FEATURE_PMP) && if (ret == TRANSLATE_SUCCESS) {
(ret == TRANSLATE_SUCCESS) && ret = get_physical_address_pmp(env, &prot_pmp, &tlb_size, pa,
!pmp_hart_has_privs(env, pa, size, 1 << access_type, mode)) { size, access_type, mode);
ret = TRANSLATE_PMP_FAIL; prot &= prot_pmp;
} }
if (ret != TRANSLATE_SUCCESS) { if (ret != TRANSLATE_SUCCESS) {
@ -761,25 +807,21 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
"%s address=%" VADDR_PRIx " ret %d physical " "%s address=%" VADDR_PRIx " ret %d physical "
TARGET_FMT_plx " prot %d\n", TARGET_FMT_plx " prot %d\n",
__func__, address, ret, pa, prot); __func__, address, ret, pa, prot);
if (ret == TRANSLATE_SUCCESS) {
ret = get_physical_address_pmp(env, &prot_pmp, &tlb_size, pa,
size, access_type, mode);
prot &= prot_pmp;
}
} }
if (riscv_feature(env, RISCV_FEATURE_PMP) &&
(ret == TRANSLATE_SUCCESS) &&
!pmp_hart_has_privs(env, pa, size, 1 << access_type, mode)) {
ret = TRANSLATE_PMP_FAIL;
}
if (ret == TRANSLATE_PMP_FAIL) { if (ret == TRANSLATE_PMP_FAIL) {
pmp_violation = true; pmp_violation = true;
} }
if (ret == TRANSLATE_SUCCESS) { if (ret == TRANSLATE_SUCCESS) {
if (pmp_is_range_in_tlb(env, pa & TARGET_PAGE_MASK, &tlb_size)) {
tlb_set_page(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1), tlb_set_page(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1),
prot, mmu_idx, tlb_size); prot, mmu_idx, tlb_size);
} else {
tlb_set_page(cs, address & TARGET_PAGE_MASK, pa & TARGET_PAGE_MASK,
prot, mmu_idx, TARGET_PAGE_SIZE);
}
return true; return true;
} else if (probe) { } else if (probe) {
return false; return false;

View file

@ -234,6 +234,35 @@ static int pmp_is_in_range(CPURISCVState *env, int pmp_index, target_ulong addr)
return result; return result;
} }
/*
* Check if the address has required RWX privs when no PMP entry is matched.
*/
static bool pmp_hart_has_privs_default(CPURISCVState *env, target_ulong addr,
target_ulong size, pmp_priv_t privs, pmp_priv_t *allowed_privs,
target_ulong mode)
{
bool ret;
if ((!riscv_feature(env, RISCV_FEATURE_PMP)) || (mode == PRV_M)) {
/*
* Privileged spec v1.10 states if HW doesn't implement any PMP entry
* or no PMP entry matches an M-Mode access, the access succeeds.
*/
ret = true;
*allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
} else {
/*
* Other modes are not allowed to succeed if they don't * match a rule,
* but there are rules. We've checked for no rule earlier in this
* function.
*/
ret = false;
*allowed_privs = 0;
}
return ret;
}
/* /*
* Public Interface * Public Interface
@ -243,17 +272,18 @@ static int pmp_is_in_range(CPURISCVState *env, int pmp_index, target_ulong addr)
* Check if the address has required RWX privs to complete desired operation * Check if the address has required RWX privs to complete desired operation
*/ */
bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr, bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr,
target_ulong size, pmp_priv_t privs, target_ulong mode) target_ulong size, pmp_priv_t privs, pmp_priv_t *allowed_privs,
target_ulong mode)
{ {
int i = 0; int i = 0;
int ret = -1; int ret = -1;
target_ulong s = 0; target_ulong s = 0;
target_ulong e = 0; target_ulong e = 0;
pmp_priv_t allowed_privs = 0;
/* Short cut if no rules */ /* Short cut if no rules */
if (0 == pmp_get_num_rules(env)) { if (0 == pmp_get_num_rules(env)) {
return (env->priv == PRV_M) ? true : false; return pmp_hart_has_privs_default(env, addr, size, privs,
allowed_privs, mode);
} }
/* 1.10 draft priv spec states there is an implicit order /* 1.10 draft priv spec states there is an implicit order
@ -279,37 +309,25 @@ bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr,
* check * check
*/ */
if (((s + e) == 2) && (PMP_AMATCH_OFF != a_field)) { if (((s + e) == 2) && (PMP_AMATCH_OFF != a_field)) {
allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC; *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
if ((mode != PRV_M) || pmp_is_locked(env, i)) { if ((mode != PRV_M) || pmp_is_locked(env, i)) {
allowed_privs &= env->pmp_state.pmp[i].cfg_reg; *allowed_privs &= env->pmp_state.pmp[i].cfg_reg;
} }
if ((privs & allowed_privs) == privs) { ret = ((privs & *allowed_privs) == privs);
ret = 1;
break; break;
} else {
ret = 0;
break;
}
} }
} }
/* No rule matched */ /* No rule matched */
if (ret == -1) { if (ret == -1) {
if (mode == PRV_M) { return pmp_hart_has_privs_default(env, addr, size, privs,
ret = 1; /* Privileged spec v1.10 states if no PMP entry matches an allowed_privs, mode);
* M-Mode access, the access succeeds */
} else {
ret = 0; /* Other modes are not allowed to succeed if they don't
* match a rule, but there are rules. We've checked for
* no rule earlier in this function. */
}
} }
return ret == 1 ? true : false; return ret == 1 ? true : false;
} }
/* /*
* Handle a write to a pmpcfg CSP * Handle a write to a pmpcfg CSP
*/ */
@ -449,4 +467,24 @@ bool pmp_is_range_in_tlb(CPURISCVState *env, hwaddr tlb_sa,
return false; return false;
} }
/*
* Convert PMP privilege to TLB page privilege.
*/
int pmp_priv_to_page_prot(pmp_priv_t pmp_priv)
{
int prot = 0;
if (pmp_priv & PMP_READ) {
prot |= PAGE_READ;
}
if (pmp_priv & PMP_WRITE) {
prot |= PAGE_WRITE;
}
if (pmp_priv & PMP_EXEC) {
prot |= PAGE_EXEC;
}
return prot;
}
#endif #endif

View file

@ -59,11 +59,13 @@ void pmpaddr_csr_write(CPURISCVState *env, uint32_t addr_index,
target_ulong val); target_ulong val);
target_ulong pmpaddr_csr_read(CPURISCVState *env, uint32_t addr_index); target_ulong pmpaddr_csr_read(CPURISCVState *env, uint32_t addr_index);
bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr, bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr,
target_ulong size, pmp_priv_t priv, target_ulong mode); target_ulong size, pmp_priv_t privs, pmp_priv_t *allowed_privs,
target_ulong mode);
bool pmp_is_range_in_tlb(CPURISCVState *env, hwaddr tlb_sa, bool pmp_is_range_in_tlb(CPURISCVState *env, hwaddr tlb_sa,
target_ulong *tlb_size); target_ulong *tlb_size);
void pmp_update_rule_nums(CPURISCVState *env); void pmp_update_rule_nums(CPURISCVState *env);
uint32_t pmp_get_num_rules(CPURISCVState *env); uint32_t pmp_get_num_rules(CPURISCVState *env);
int pmp_priv_to_page_prot(pmp_priv_t pmp_priv);
#endif #endif