Commit graph

2472 commits

Author SHA1 Message Date
Eduardo Habkost 03cc62e39c cpu: Move cpu_exec_* to tcg_ops
Backports 48c1a3e303b5a2cca48679645ad3fbb914db741a
2021-03-04 16:56:55 -05:00
Eduardo Habkost eb38ac1809 cpu: Move synchronize_from_tb() to tcg_ops
Backports ec62595bab1873c48a34849de70011093177e769
2021-03-04 16:48:27 -05:00
Claudio Fontana 21375463ea target/riscv: remove CONFIG_TCG, as it is always TCG
for now only TCG is allowed as an accelerator for riscv,
so remove the CONFIG_TCG use.

Backports 6a3d2e7c0654c3fb2d3368d05363d0635e8bb8ff
2021-03-04 16:40:33 -05:00
Eduardo Habkost b9b711afe3 cpu: Introduce TCGCpuOperations struct
The TCG-specific CPU methods will be moved to a separate struct,
to make it easier to move accel-specific code outside generic CPU
code in the future. Start by moving tcg_initialize().

The new CPUClass.tcg_opts field may eventually become a pointer,
but keep it an embedded struct for now, to make code conversion
easier.

Backports e9e51b7154404efc9af8735ab87c658a9c434cfd
2021-03-04 16:38:25 -05:00
Claudio Fontana 11ae599cb8 target/arm: do not use cc->do_interrupt for KVM directly
cc->do_interrupt is in theory a TCG callback used in accel/tcg only,
to prepare the emulated architecture to take an interrupt as defined
in the hardware specifications,

but in reality the _do_interrupt style of functions in targets are
also occasionally reused by KVM to prepare the architecture state in a
similar way where userspace code has identified that it needs to
deliver an exception to the guest.

In the case of ARM, that includes:

1) the vcpu thread got a SIGBUS indicating a memory error,
and we need to deliver a Synchronous External Abort to the guest to
let it know about the error.
2) the kernel told us about a debug exception (breakpoint, watchpoint)
but it is not for one of QEMU's own gdbstub breakpoints/watchpoints
so it must be a breakpoint the guest itself has set up, therefore
we need to deliver it to the guest.

So in order to reuse code, the same arm_do_interrupt function is used.
This is all fine, but we need to avoid calling it using the callback
registered in CPUClass, since that one is now TCG-only.

Fortunately this is easily solved by replacing calls to
CPUClass::do_interrupt() with explicit calls to arm_do_interrupt().

Backports 853bfef4e6d60244fd131ec55bbf1e7caa52599b. We don't support
KVM, so we just bring the comment addition over.
2021-03-04 16:33:23 -05:00
Philippe Mathieu-Daudé daafb0ba17 target/arm: Replace magic value by MMU_DATA_LOAD definition
cpu_get_phys_page_debug() uses 'DATA LOAD' MMU access type.

Backports a9dd161ff2f54446f0b0547447d8196699aca3e1
2021-03-04 15:43:47 -05:00
Richard Henderson 2c8f7b1fbc target/arm: Conditionalize DBGDIDR
Only define the register if it exists for the cpu.

Backports 54a78718be6dd5fc6b6201f84bef8de5ac3b3802
2021-03-04 15:42:03 -05:00
Richard Henderson 073923709f target/arm: Implement ID_PFR2
This was defined at some point before ARMv8.4, and will
shortly be used by new processor descriptions.

Backports 1d51bc96cc4a9b2d31a3f4cb8442ce47753088e2
2021-03-04 15:40:49 -05:00
Philippe Mathieu-Daudé d36a968f8e target/arm/m_helper: Silence GCC 10 maybe-uninitialized error
When building with GCC 10.2 configured with --extra-cflags=-Os, we get:

target/arm/m_helper.c: In function ‘arm_v7m_cpu_do_interrupt’:
target/arm/m_helper.c:1811:16: error: ‘restore_s16_s31’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
1811 | if (restore_s16_s31) {
| ^
target/arm/m_helper.c:1350:10: note: ‘restore_s16_s31’ was declared here
1350 | bool restore_s16_s31;
| ^~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

Initialize the 'restore_s16_s31' variable to silence the warning.

Backports 0ae4f11ee57350dac0e705ba79516310400ff43c
2021-03-04 15:16:55 -05:00
Richard Henderson 0636518de4 target/arm: Update REV, PUNPK for pred_desc
Update all users of do_perm_pred2 for the new
predicate descriptor field definitions.

Backports 70acaafef2e053a312d54c09b6721c730690e72c
2021-03-04 15:15:47 -05:00
Richard Henderson eb315be37e target/arm: Update ZIP, UZP, TRN for pred_desc
Update all users of do_perm_pred3 for the new
predicate descriptor field definitions.

Backports f9b0fcceccfc05cde62ff7577fbf2bc13b842414
2021-03-04 15:15:10 -05:00
Richard Henderson fac4e416c9 target/arm: Update PFIRST, PNEXT for pred_desc
These two were odd, in that do_pfirst_pnext passed the
count of 64-bit words rather than bytes. Change to pass
the standard pred_full_reg_size to avoid confusion.

Backports 86300b5d044064046395ae8ed605cc19e63f2a7c
2021-03-04 15:09:47 -05:00
Richard Henderson 4ef4735cd3 target/arm: Introduce PREDDESC field definitions
SVE predicate operations cannot use the "usual" simd_desc
encoding, because the lengths are not a multiple of 8.
But we were abusing the SIMD_* fields to store values anyway.
This abuse broke when SIMD_OPRSZ_BITS was modified in e2e7168a214.

Introduce a new set of field definitions for exclusive use
of predicates, so that it is obvious what kind of predicate
we are manipulating. To be used in future patches

Backports b64ee454a4a086ed459bcda4c0bbb54e197841e4
2021-03-04 15:08:32 -05:00
Rémi Denis-Courmont 9dfa469976 target/arm: refactor vae1_tlbmask()
Backports bc944d3a8b305029196a5e1406702a92fa0b94cf
2021-03-04 15:05:54 -05:00
Rémi Denis-Courmont 8aeaff9385 target/arm: enable Secure EL2 in max CPU
Backports 24179fea7e34c4952d4878ae1b26108ba65e5933
2021-03-04 15:04:43 -05:00
Rémi Denis-Courmont e6d32dc2e0 target/arm: Implement SCR_EL2.EEL2
This adds handling for the SCR_EL3.EEL2 bit.

Backports 926c1b97895879b78ca14bca2831c08740ed1c38
2021-03-04 15:03:08 -05:00
Rémi Denis-Courmont 9690ed8236 target/arm: revector to run-time pick target EL
On ARMv8-A, accesses by 32-bit secure EL1 to monitor registers trap to
the upper (64-bit) EL. With Secure EL2 support, we can no longer assume
that that is always EL3, so make room for the value to be computed at
run-time.

Backports 6b340aeb48e4f7f983e1c38790de65ae93079840
2021-03-04 14:59:14 -05:00
Rémi Denis-Courmont ce8872709f target/arm: set HPFAR_EL2.NS on secure stage 2 faults
Backport 9861248f637ecf11113b04b0b5c7b13c9aa06f09
2021-03-04 14:54:33 -05:00
Rémi Denis-Courmont b49531cfef target/arm: secure stage 2 translation regime
b1a10c868f9b2b09e64009b43450e9a86697d9f3
2021-03-04 14:49:33 -05:00
Rémi Denis-Courmont eeefc3c4a2 target/arm: generalize 2-stage page-walk condition
The stage_1_mmu_idx() already effectively keeps track of which
translation regimes have two stages. Don't hard-code another test.

Backports 7879460a6149ed5e80c29cac85449191d9c5754a
2021-03-04 14:26:22 -05:00
Rémi Denis-Courmont 07ebb7f7ba target/arm: translate NS bit in page-walks
588c6dd113b27b8db393c7264297b9d33261692e
2021-03-04 14:25:13 -05:00
Rémi Denis-Courmont 6f57520b1d target/arm: do S1_ptw_translate() before address space lookup
In the secure stage 2 translation regime, the VSTCR.SW and VTCR.NSW
bits can invert the secure flag for pagetable walks. This patchset
allows S1_ptw_translate() to change the non-secure bit.

Backports 3d4bd397433b12b148d150c8bc5655a696389bd1
2021-03-04 14:23:43 -05:00
Rémi Denis-Courmont ce50ba6d07 target/arm: handle VMID change in secure state
The VTTBR write callback so far assumes that the underlying VM lies in
non-secure state. This handles the secure state scenario.

backports c4f060e89effd70ebdb23d3315495d33af377a09
2021-03-04 14:20:47 -05:00
Rémi Denis-Courmont a78c31e36a target/arm: add ARMv8.4-SEL2 system registers
Backports e9152ee91cc39ed8a53d03607e6e980a7e9444e6
2021-03-04 14:20:10 -05:00
Rémi Denis-Courmont edd5f021e6 target/arm: add MMU stage 1 for Secure EL2
This adds the MMU indices for EL2 stage 1 in secure state.

To keep code contained, which is largelly identical between secure and
non-secure modes, the MMU indices are reassigned. The new assignments
provide a systematic pattern with a non-secure bit.

Backports b6ad6062f1e55bd5b9407ce89e55e3a08b83827c
2021-03-04 14:16:31 -05:00
Rémi Denis-Courmont fbdcef3ca5 target/arm: add 64-bit S-EL2 to EL exception table
With the ARMv8.4-SEL2 extension, EL2 is a legal exception level in
secure mode, though it can only be AArch64.

This patch adds the target EL for exceptions from 64-bit S-EL2.

It also fixes the target EL to EL2 when HCR.{A,F,I}MO are set in secure
mode. Those values were never used in practice as the effective value of
HCR was always 0 in secure mode.

Backports 6c85f906261226e87211506bd9f787fd48a09f17
2021-03-04 14:00:23 -05:00
Rémi Denis-Courmont 159043008f target/arm: Define isar_feature function to test for presence of SEL2
Backports 5ca192dfc551c8a40871c4e30a8b8ceb879adc31
2021-03-04 13:58:57 -05:00
Rémi Denis-Courmont b42e6d6036 target/arm: factor MDCR_EL2 common handling
This adds a common helper to compute the effective value of MDCR_EL2.
That is the actual value if EL2 is enabled in the current security
context, or 0 elsewise.

Backports 59dd089cf9e4a9cddee596c8a1378620df51b9bb
2021-03-04 13:57:34 -05:00
Rémi Denis-Courmont b657bfc59b target/arm: use arm_hcr_el2_eff() where applicable
This will simplify accessing HCR conditionally in secure state.

Backports e04a5752cb03e066d7b1e583e340c7982fcd5e4e
2021-03-04 13:53:30 -05:00
Rémi Denis-Courmont 58af3e76e6 target/arm: use arm_is_el2_enabled() where applicable
Do not assume that EL2 is available in and only in non-secure context.
That equivalence is broken by ARMv8.4-SEL2.

Backports e6ef0169264b00cce552404f689ce137018ff290
2021-03-04 13:49:19 -05:00
Rémi Denis-Courmont 7a694223ca target/arm: add arm_is_el2_enabled() helper
This checks if EL2 is enabled (meaning EL2 registers take effects) in
the current security context.

Backports f3ee5160ce3c03795a28e16d1a0b4916a6c959f4
2021-03-04 13:44:04 -05:00
Rémi Denis-Courmont 7402645436 target/arm: remove redundant tests
In this context, the HCR value is the effective value, and thus is
zero in secure mode. The tests for HCR.{F,I}MO are sufficient.

Backports cc974d5cd84ea60a3dad59752aea712f3d47f8ce
2021-03-04 13:42:12 -05:00
Richard Henderson f6973abb3e target/arm: Add cpu properties to control pauth
The crypto overhead of emulating pauth can be significant for
some workloads. Add two boolean properties that allows the
feature to be turned off, on with the architected algorithm,
or on with an implementation defined algorithm.

We need two intermediate booleans to control the state while
parsing properties lest we clobber ID_AA64ISAR1 into an invalid
intermediate state.

Backports relevent members from eb94284d0812b4e7c11c5d075b584100ac1c1b9a
2021-03-04 13:40:27 -05:00
Richard Henderson 0332498752 target/arm: Implement an IMPDEF pauth algorithm
Without hardware acceleration, a cryptographically strong
algorithm is too expensive for pauth_computepac.

Even with hardware accel, we are not currently expecting
to link the linux-user binaries to any crypto libraries,
and doing so would generally make the --static build fail.

So choose XXH64 as a reasonably quick and decent hash.

Backports 283fc52ade85eb50141f3b8b85f82b07d016cb17
2021-03-04 13:38:22 -05:00
Peter Maydell 68f645dd4f target/arm: Don't decode insns in the XScale/iWMMXt space as cp insns
In commit cd8be50e58f63413c0 we converted the A32 coprocessor
insns to decodetree. This accidentally broke XScale/iWMMXt insns,
because it moved the handling of "cp insns which are handled
by looking up the cp register in the hashtable" from after the
call to the legacy disas_xscale_insn() decode to before it,
with the result that all XScale/iWMMXt insns now UNDEF.

Update valid_cp() so that it knows that on XScale cp 0 and 1
are not standard coprocessor instructions; this will cause
the decodetree trans_ functions to ignore them, so that
execution will correctly get through to the legacy decode again.

Backports e4d51ac6921dc861bfb3d20e4c7dcf345840a9da
2021-03-03 20:17:20 -05:00
Leif Lindholm 09fd12e5f2 target/arm: add aarch32 ID register fields to cpu.h
Add entries present in ARM DDI 0487F.c (August 2020).

Backports bd78b6be24f3ceb71f1a7ec2c98c7a5e49cb4a86
2021-03-03 20:16:26 -05:00
Leif Lindholm a2faae9e30 target/arm: add aarch64 ID register fields to cpu.h
Add entries present in ARM DDI 0487F.c (August 2020).

Backports 00a92832f453275ca023962c00a60dde3a4f2fed
2021-03-03 20:15:16 -05:00
Leif Lindholm ba891afd32 target/arm: add descriptions of CLIDR_EL1, CCSIDR_EL1, CTR_EL0 to cpu.h
Backports 2a14526a6f56973348d622abc572db377f5a23ef
2021-03-03 20:14:05 -05:00
Leif Lindholm fc8e5fe38d target/arm: make ARMCPU.ctr 64-bit
When FEAT_MTE is implemented, the AArch64 view of CTR_EL0 adds the
TminLine field in bits [37:32].
Extend the ctr field to be able to hold this context.

Backports a5fd319ae7f6d496ff5448ec1dedcae8e2f59e9f
2021-03-03 20:13:20 -05:00
Leif Lindholm e6eb25f75a target/arm: make ARMCPU.clidr 64-bit
The AArch64 view of CLIDR_EL1 extends the ICB field to include also bit
32, as well as adding a Ttype<n> field when FEAT_MTE is implemented.
Extend the clidr field to be able to hold this context.

Backports f6450bcb6b2d3e4beae77141edce9e99cb8c277e
2021-03-03 20:12:48 -05:00
Leif Lindholm 3fff83e48f target/arm: fix typo in cpu.h ID_AA64PFR1 field name
SBSS -> SSBS

Backports 9a286bcdfd2b04afca9a668a6d6e0feb809d2d63
2021-03-03 20:12:08 -05:00
Rémi Denis-Courmont 6f06f383ea target/arm: enable Small Translation tables in max CPU
Backports 078e9fe3cbd6894fb6e420d8b53f304a3d5c0464
2021-03-03 20:11:10 -05:00
Rémi Denis-Courmont c7415c92d5 target/arm: ARMv8.4-TTST extension
This adds for the Small Translation tables extension in AArch64 state.

Backports c36c65ea3c35b309d524c05a1c05fdeabf83ddd5
2021-03-03 20:09:01 -05:00
Peter Maydell f7939926dc target/arm: Implement Cortex-M55 model
Now that we have implemented all the features needed by the v8.1M
architecture, we can add the model of the Cortex-M55. This is the
configuration without MVE support; we'll add MVE later

Backports 590e05d6b48937f6d3c631354fd706f8e005b8f6
2021-03-03 20:06:06 -05:00
Peter Maydell e586a27a7b target/arm: Implement FPCXT_NS fp system register
Implement the v8.1M FPCXT_NS floating-point system register. This is
a little more complicated than FPCXT_S, because it has specific
handling for "current FP state is inactive", and it only wants to do
PreserveFPState(), not the full set of actions done by
ExecuteFPCheck() which vfp_access_check() implements.

Backports eb20dafdbff92063a88624176fdc396e01961bf3
2021-03-03 20:02:36 -05:00
Peter Maydell 311b6fd74c target/arm: Correct store of FPSCR value via FPCXT_S
In commit 64f863baeedc8659 we implemented the v8.1M FPCXT_S register,
but we got the write behaviour wrong. On read, this register reads
bits [27:0] of FPSCR plus the CONTROL.SFPA bit. On write, it doesn't
just write back those bits -- it writes a value to the whole FPSCR,
whose upper 4 bits are zeroes.

We also incorrectly implemented the write-to-FPSCR as a simple store
to vfp.xregs; this skips the "update the softfloat flags" part of
the vfp_set_fpscr helper so the value would read back correctly but
not actually take effect.

Fix both of these things by doing a complete write to the FPSCR
using the helper function.

Backports 7fbf95a037d79c5e923ffb51ac902dbe9599c87f
2021-03-03 19:57:56 -05:00
Richard Henderson 85b417d438 target/arm: Fix MTE0_ACTIVE
In 50244cc76abc we updated mte_check_fail to match the ARM
pseudocode, using the correct EL to select the TCF field.
But we failed to update MTE0_ACTIVE the same way, which led
to g_assert_not_reached().

Backports cc97b0019bb590b9b3c2a623e9ebee48831e0ce3
2021-03-03 19:56:23 -05:00
Peter Maydell 1a3abaa81a target/i386: Check privilege level for protected mode 'int N' task gate
When the 'int N' instruction is executed in protected mode, the
pseudocode in the architecture manual specifies that we need to check:

* vector number within IDT limits
* selected IDT descriptor is a valid type (interrupt, trap or task gate)
* if this was a software interrupt then gate DPL < CPL

The way we had structured the code meant that the privilege check for
software interrupts ended up not in the code path taken for task gate
handling, because all of the task gate handling code was in the 'case 5'
of the switch which was checking "is this descriptor a valid type".

Move the task gate handling code out of that switch (so that it is now
purely doing the "valid type?" check) and below the software interrupt
privilege check.

The effect of this missing check was that in a guest userspace binary
executing 'int 8' would cause a guest kernel panic rather than the
userspace binary being handed a SEGV.

This is essentially the same bug fixed in VirtualBox in 2012:
https://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/

Note that for QEMU this is not a security issue because it is only
present when using TCG.

Backports 3df1a3d070575419859cbbab1083fafa7ec2669a
2021-03-03 19:32:10 -05:00
zhaolichang f526d4455c m68k: fix some comment spelling errors
I found that there are many spelling errors in the comments of qemu/target/m68k.
I used spellcheck to check the spelling errors and found some errors in the folder.

Backports ce00ff729ee8461dc94a1593d25ceda65d973d3c
2021-03-03 19:13:26 -05:00
Laurent Vivier bf2c52bc83 target/m68k: remove useless qregs array
They are unused since the target has been converted to TCG.

Backports 4160d5e6bd347e5d27804912b61d02df0a90ba8e
2021-03-03 19:11:44 -05:00