Commit graph

2558 commits

Author SHA1 Message Date
Peter Maydell 11c6c143d7
target-arm: Reindent ancient page-table-walk code
A few of the oldest parts of the page-table-walk code have broken indent
(either hardcoded tabs or two-spaces). Reindent these sections.

For ease of review, this patch does not touch the brace style and
so is a whitespace-only change.

Backports commit 554b0b09aec4579c8164f363b18a263150e91a2c from qemu
2018-02-12 11:54:11 -05:00
Peter Maydell 0046642958
target-arm: Use mmu_idx in get_phys_addr()
Now we have the mmu_idx in get_phys_addr(), use it correctly to
determine the behaviour of virtual to physical address translations,
rather than using just an is_user flag and the current CPU state.

Some TODO comments have been added to indicate where changes will
need to be made to add EL2 and 64-bit EL3 support.

Backports commit 0480f69abf849ca0d48928cc6c669c1c7264239b from qemu
2018-02-12 11:49:55 -05:00
Peter Maydell 6031ae6540
target-arm: Pass mmu_idx to get_phys_addr()
Make all the callers of get_phys_addr() pass it the correct
mmu_idx rather than just a simple "is_user" flag. This includes
properly decoding the AT/ATS system instructions; we include the
logic for handling all the opc1/opc2 cases because we'll need
them later for supporting EL2/EL3, even if we don't have the
regdef stanzas yet.

Backports commit d364970287c0ba68979711928c15e5d37414f87f from qemu
2018-02-12 11:41:38 -05:00
Peter Maydell 04f30f91ed
target-arm: Split AArch64 cases out of ats_write()
Instead of simply reusing ats_write() as the handler for both AArch32
and AArch64 address translation operations, use a different function
for each with the common code in a third function. This is necessary
because the semantics for selecting the right translation regime are
different; we are only getting away with sharing currently because
we don't support EL2 and only support EL3 in AArch32.

Backports commit 060e8a48cb84d41d4ac36e4bb29d9c14ed7168b6 from qemu
2018-02-12 11:36:11 -05:00
Peter Maydell c0c5508a25
target-arm: Don't define any MMU_MODE*_SUFFIXes
target-arm doesn't use any of the MMU-mode specific cpu ldst
accessor functions. Suppress their generation by not defining
any of the MMU_MODE*_SUFFIX macros. ("user" and "kernel" are
too simplistic as descriptions of indexes 0 and 1 anyway.)

Backports commit 0dfef7b58f0c24b463e36630f08a45e93012b33a from qemu
2018-02-12 11:29:41 -05:00
Peter Maydell da216e211f
target-arm: Use correct mmu_idx for unprivileged loads and stores
The MMU index to use for unprivileged loads and stores is more
complicated than we currently implement:
* for A64, it should be "if at EL1, access as if EL0; otherwise
access at current EL"
* for A32/T32, it should be "if EL2, UNPREDICTABLE; otherwise
access as if at EL0".

In both cases, if we want to make the access for Secure EL0
this is not the same mmu_idx as for Non-Secure EL0.

Backports commit 579d21cce63f3dd2f6ee49c0b02a14e92cb4a836 from qemu
2018-02-12 11:28:17 -05:00
Peter Maydell 3261ed5801
target-arm: Define correct mmu_idx values and pass them in TB flags
We currently claim that for ARM the mmu_idx should simply be the current
exception level. However this isn't actually correct -- secure EL0 and EL1
should have separate indexes from non-secure EL0 and EL1 since their
VA->PA mappings may differ. We also will want an index for stage 2
translations when we properly support EL2.

Define and document all seven mmu index values that we require, and
pass the mmu index in the TB flags rather than exception level or
priv/user bit.

This change doesn't update the get_phys_addr() code, so our page
table walking still assumes a simplistic "user or priv?" model for
the moment.

Backports commit c1e3781090b9d36c60e1a254ba297cb34011d3d4 from qemu
2018-02-12 11:21:19 -05:00
Peter Maydell 9d02c52b8a
cpu_ldst.h: Allow NB_MMU_MODES to be 7
Support guest CPUs which need 7 MMU index values.
Add a comment about what would be required to raise the limit
further (trivial for 8, TCG backend rework for 9 or more).

Backports commit 8f3ae2ae2d02727f6d56610c09d7535e43650dd4 from qemu
2018-02-12 11:21:19 -05:00
Peter Maydell ec4dae08e4
target-arm: Make arm_current_el() return sensible values for M profile
Although M profile doesn't have the same concept of exception level
as A profile, it does have a notion of privileged versus not, which
we currently track in the privmode TB flag. Support returning this
information if arm_current_el() is called on an M profile core, so
that we can identify the correct MMU index to use (and put the MMU
index in the TB flags) without having to special-case M profile.

Backports commit 6d54ed3c93f1e05a483201b087142998381c9be8 from qemu
2018-02-12 11:07:49 -05:00
Kirill Batuzov d45ea1ba3b
target-arm: check that LSB <= MSB in BFI instruction
The documentation states that if LSB > MSB in BFI instruction behaviour
is unpredictable. Currently QEMU crashes because of assertion failure in
this case:

tcg/tcg-op.h:2061: tcg_gen_deposit_i32: Assertion `len <= 32' failed.

While assertion failure may meet the "unpredictable" definition this
behaviour is undesirable because it allows an unprivileged guest program
to crash the emulator with the OS and other programs.

This patch addresses the issue by throwing illegal instruction exception
if LSB > MSB. Only ARM decoder is affected because Thumb decoder already
has this check in place.

To reproduce issue run the following program

int main(void) {
asm volatile (".long 0x07c00c12" :: );
return 0;
}

compiled with
gcc -marm -static badop_arm.c -o badop_arm

Backports commit 45140a57675ecb4b0daee71bf145c24dbdf9429c from qemu
2018-02-12 11:06:12 -05:00
Peter Maydell 1c275134ae
target-arm: Squash input denormals in FRECPS and FRSQRTS
The helper functions for FRECPS and FRSQRTS have special case
handling that includes checks for zero inputs, so squash input
denormals if necessary before those checks. This fixes incorrect
output when the FPCR DZ bit is set to enable squashing of input
denormals.

Backports commit a8eb6e19991d1a7a6a7b04ac447548d30d75eb4a from qemu
2018-02-12 11:04:28 -05:00
Peter Maydell 337e658869
target-arm: Add checks that cpreg raw accesses are handled
Add assertion checking when cpreg structures are registered that they
either forbid raw-access attempts or at least make an attempt at
handling them. Also add an assert in the raw-accessor-of-last-resort,
to avoid silently doing a read or write from offset zero, which is
actually AArch32 CPU register r0.

Backports commit 375421ccaeebae8212eb8f9a36835ad4d9dc60a8 from qemu
2018-02-12 11:02:00 -05:00
Peter Maydell 52afb392f2
target-arm: Split NO_MIGRATE into ALIAS and NO_RAW
We currently mark ARM coprocessor/system register definitions with
the flag ARM_CP_NO_MIGRATE for two different reasons:
1) register is an alias on to state that's also visible via
some other register, and that other register is the one
responsible for migrating the state
2) register is not actually state at all (for instance the TLB
or cache maintenance operation "registers") and it makes no
sense to attempt to migrate it or otherwise access the raw state

This works fine for identifying which registers should be ignored
when performing migration, but we also use the same functions for
synchronizing system register state between QEMU and the kernel
when using KVM. In this case we don't want to try to sync state
into registers in category 2, but we do want to sync into registers
in category 1, because the kernel might have picked a different
one of the aliases as its choice for which one to expose for
migration. (In particular, on 32 bit hosts the kernel will
expose the state in the AArch32 version of the register, but
TCG's convention is to mark the AArch64 version as the version
to migrate, even if the CPU being emulated happens to be 32 bit,
so almost all system registers will hit this issue now that we've
added AArch64 system emulation.)

Fix this by splitting the NO_MIGRATE flag in two (ALIAS and NO_RAW)
corresponding to the two different reasons we might not want to
migrate a register. When setting up the TCG list of registers to
migrate we honour both flags; when populating the list from KVM,
only ignore registers which are NO_RAW.

Backports commit 7a0e58fa648736a75f2a6943afd2ab08ea15b8e0 from qemu
2018-02-12 10:59:36 -05:00
Greg Bellows 301c3737e3
target-arm: Add missing SP_ELx register definition
Added CP register definitions for SP_EL1 and SP_EL2.

Backports commit 884b4deeeb8b158ed3db5792161902bc8b41b62d from qemu
2018-02-12 10:40:53 -05:00
Greg Bellows cce21771b3
target-arm: Change reset to highest available EL
Update to arm_cpu_reset() to reset into the highest available exception level
based on the set ARM features.

Backports commit 5097227c15aa89baec1123aac25dd9500a62684d from qemu
2018-02-12 10:40:53 -05:00
Greg Bellows 2cce33295b
target-arm: Add extended RVBAR support
Added RVBAR_EL2 and RVBAR_EL3 CP register support. All RVBAR_EL# registers
point to the same location and only the highest EL version exists at any one
time.

Backports commit be8e8128595b41b9f609c1507e67d121e65e7173 from qemu
2018-02-12 10:40:53 -05:00
Greg Bellows 6c33ec25fc
target-arm: Fix RVBAR_EL1 register encoding
Fix the RVBAR_EL1 CP register opc2 encoding from 2 to 1

Backports commit 569b49f864e7593a14182acae5a7f5981f6ec24f from qemu
2018-02-12 10:40:53 -05:00
Ard Biesheuvel 9b28dc55c8
target-arm: crypto: fix BE host support
The crypto emulation code in target-arm/crypto_helper.c never worked
correctly on big endian hosts, due to the fact that it uses a union
of array types to convert between the native VFP register size (64
bits) and the types used in the algorithms (bytes and 32 bit words)

We cannot just swab between LE and BE when reading and writing the
registers, as the SHA code performs word additions, so instead, add
array accessors for the CRYPTO_STATE type whose LE and BE specific
implementations ensure that the correct array elements are referenced.

Backports commit b449ca3c1874418d948878d5417a32fc0dbf9fea from qemu
2018-02-12 10:40:52 -05:00
Fabian Aggeler 912d271a9b
target-arm: add cpu feature EL3 to CPUs with Security Extensions
Set ARM_FEATURE_EL3 feature for CPUs that implement Security Extensions.

Backports commit c0ccb02db46c72b4b0fa8a475a6890c1e28064f0 from qemu
2018-02-12 10:40:52 -05:00
Greg Bellows e1576f314e
target-arm: Add ARMCPU secure property
Added a "has_el3" state property to the ARMCPU descriptor. This property
indicates whether the ARMCPU has security extensions enabled (EL3) or not.
By default it is disabled at this time.

Backports commit 51942aee3c51ca23b0dd78f95534a57e8dc1e582 from qemu
2018-02-12 10:40:52 -05:00
Greg Bellows 1d3719a39f
target-arm: Add feature unset function
Add an unset_feature() function to compliment the set_feature() function. This
will be used to disable functions after they have been enabled during
initialization.

Backports commit 08828484a5c1ec55a6cbb4b4d377bfcf41199b5c from qemu
2018-02-12 10:40:52 -05:00
Greg Bellows c457067e47
target-arm: Merge EL3 CP15 register lists
Merge of the v8_el2_cp_reginfo and el3_cp_reginfo ARMCPRegInfo lists.
Previously, some EL3 registers were restricted to the ARMv8 list under the
impression that they were not needed on ARMv7. However, this is not the case
as the ARMv7/32-bit variants rely on the ARMv8/64-bit variants to handle
migration and reset. For this reason they must always exist.

Backports commit 60fb1a87b47b14e4ea67043aa56f353e77fbd70a from qemu
2018-02-12 10:40:52 -05:00
Greg Bellows b711147cc3
target-arm: make MAIR0/1 banked
Added CP register info entries for the ARMv7 MAIR0/1 secure banks.

Backports commit be693c87e440e671ed913784554384349ce8331d from qemu
2018-02-12 10:40:52 -05:00
Fabian Aggeler 4bf69e19c6
target-arm: make c13 cp regs banked (FCSEIDR, ...)
When EL3 is running in AArch32 (or ARMv7 with Security Extensions)
FCSEIDR, CONTEXTIDR, TPIDRURW, TPIDRURO and TPIDRPRW have a secure
and a non-secure instance.

Backports commit 54bf36ed351c526cde0c853079f9ff1ab7e2ff89 from qemu
2018-02-12 10:40:51 -05:00
Greg Bellows 153e7e7331
target-arm: make VBAR banked
When EL3 is running in Aarch32 (or ARMv7 with Security Extensions)
VBAR has a secure and a non-secure instance, which are mapped to
VBAR_EL1 and VBAR_EL3.

Backports commit fb6c91ba2bb0b1c1b8662ceeeeb9474a025f9a6b from qemu
2018-02-12 10:40:51 -05:00
Fabian Aggeler ccccef3d41
target-arm: make PAR banked
When EL3 is running in AArch32 (or ARMv7 with Security Extensions)
PAR has a secure and a non-secure instance.

Backports commit 01c097f7960b330c4bf038d34bae17ad6c1ba499 from qemu
2018-02-12 10:40:51 -05:00
Fabian Aggeler ff1ca0608d
target-arm: make IFAR/DFAR banked
When EL3 is running in AArch32 (or ARMv7 with Security Extensions)
IFAR and DFAR have a secure and a non-secure instance.

Backports commit b848ce2b9cbd38da3f2530fd93dba76dba0621c0 from qemu
2018-02-12 10:40:51 -05:00
Fabian Aggeler 27ba8b30c5
target-arm: make DFSR banked
When EL3 is running in AArch32 (or ARMv7 with Security Extensions)
DFSR has a secure and a non-secure instance.

Backports commit 4a7e2d7315bd2ce28e49ccd0bde73eabdfd7437b from qemu
2018-02-12 10:40:51 -05:00
Fabian Aggeler 192c5c665a
target-arm: make IFSR banked
When EL3 is running in AArch32 (or ARMv7 with Security Extensions)
IFSR has a secure and a non-secure instance. Adds IFSR32_EL2 definition and
storage.

Backports commit 88ca1c2d70523486a952065f3ed7b8fc823b5863 from qemu
2018-02-12 10:40:45 -05:00
Fabian Aggeler e955687ca5
target-arm: make DACR banked
When EL3 is running in AArch32 (or ARMv7 with Security Extensions)
DACR has a secure and a non-secure instance. Adds definition for DACR32_EL2.

Backports commit 0c17d68c1d3d6c35f37f5692042d2edb65c8bcc0 from qemu
2018-02-12 09:01:38 -05:00
Fabian Aggeler e90e4b7190
target-arm: make TTBCR banked
Adds secure and non-secure bank register suport for TTBCR.
Added new struct to compartmentalize the TCR data and masks. Removed old
tcr/ttbcr data and added a 4 element array of the new structs in cp15. This
allows for one entry per EL. Added a CP register definition for TCR_EL3.

Backports commit 11f136ee25232a00f433cefe98ee33cd614ecccc from qemu
2018-02-11 19:59:03 -05:00
Fabian Aggeler adf48a1f81
target-arm: make TTBR0/1 banked
Adds secure and non-secure bank register suport for TTBR0 and TTBR1.
Changes include adding secure and non-secure instances of ttbr0 and ttbr1 as
well as a CP register definition for TTBR0_EL3. Added a union containing
both EL based array fields and secure and non-secure fields mapped to them.
Updated accesses to use A32_BANKED_CURRENT_REG_GET macro.

Backports commit 7dd8c9af0d9d18fb3e54a4843b3bb1398bd330bc to qemu
2018-02-11 19:46:15 -05:00
Fabian Aggeler 673cb7d93e
target-arm: make CSSELR banked
Rename CSSELR (cache size selection register) and add secure
instance (AArch32).

Backports commit b85a1fd61c4d72c7928cd9b70f9f59fb2895936d from qemu
2018-02-11 19:35:02 -05:00
Fabian Aggeler 44fc779c6a
target-arm: respect SCR.FW, SCR.AW and SCTLR.NMFI
Add checks of SCR AW/FW bits when performing writes of CPSR. These SCR bits
are used to control whether the CPSR masking bits can be adjusted from
non-secure state.

Backports commit 6e8801f9dea9e10449f4fd7d85dbe8cab708a686 from qemu
2018-02-11 19:30:21 -05:00
Fabian Aggeler 9087027b85
target-arm: add SCTLR_EL3 and make SCTLR banked
Implements SCTLR_EL3 and uses secure/non-secure instance when
needed.

Backports commit 137feaa9a1622620adf19c0b707883dd990738e2 from qemu
2018-02-11 19:28:34 -05:00
Fabian Aggeler ca0608f68d
target-arm: add MVBAR support
Use MVBAR register as exception vector base address for
exceptions taken to CPU monitor mode.

Backports commit e89e51a17ea0d8aef9bf9b766c98f963e835fbf2 from qemu
2018-02-11 19:09:28 -05:00
Greg Bellows e49d9d3f30
target-arm: add SDER definition
Added CP register defintions for SDER and SDER32_EL3 as well as cp15.sder for
register storage.

Backports commit 144634ae6c1618dcee6aced9c0d4427844154091 from qemu
2018-02-11 19:03:18 -05:00
Fabian Aggeler 461944980c
target-arm: add NSACR register
Implements NSACR register with corresponding read/write functions
for ARMv7 and ARMv8.

Backports commit 770225764f831031d2e1453f69c365eb1b647d87 from qemu
2018-02-11 18:57:34 -05:00
Fabian Aggeler f120ad5308
target-arm: implement IRQ/FIQ routing to Monitor mode
SCR.{IRQ/FIQ} bits allow to route IRQ/FIQ exceptions to monitor CPU
mode. When taking IRQ exception to monitor mode FIQ exception is
additionally masked.

Backports commit de38d23b542efca54108ef28bcc0efe96f378d2e from qemu
2018-02-11 18:51:21 -05:00
Fabian Aggeler 4d9c9f893e
target-arm: move AArch32 SCR into security reglist
Define a new ARM CP register info list for the ARMv7 Security Extension
feature. Register that list only for ARM cores with Security Extension/EL3
support. Moving AArch32 SCR into Security Extension register group.

Backports commit 0f1a3b2470d798ad5335eb9d6236f02ff64e31a8 from qemu
2018-02-11 18:48:33 -05:00
Fabian Aggeler 3494160ea6
target-arm: insert AArch32 cpregs twice into hashtable
Prepare for cp register banking by inserting every cp register twice,
once for secure world and once for non-secure world.

Backports commit 3f3c82a57d128aa3ec823aa8032867c3a6e2e795 from qemu
2018-02-11 18:41:25 -05:00
Peter Maydell fb78e79d72
target-arm: add secure state bit to CPREG hash
Added additional NS-bit to CPREG hash encoding. Updated hash lookup
locations to specify hash bit currently set to non-secure.

Backports commit 51a79b039728277e35fd19f7a7b4bc6cb323697f from qemu
2018-02-11 18:35:52 -05:00
Fabian Aggeler 4f5106b56d
target-arm: add CPREG secure state support
Prepare ARMCPRegInfo to support specifying two fieldoffsets per
register definition. This will allow us to keep one register
definition for banked registers (different offsets for secure/
non-secure world).

Also added secure state tracking field and flags. This allows for
identification of the register info secure state.

Backports commit c3e302606253a17568dc3ef30238f102468f7ee1 from qemu
2018-02-11 18:29:35 -05:00
Sergey Fedorov acdd665668
target-arm: add non-secure Translation Block flag
This patch is based on idea found in patch at
git://github.com/jowinter/qemu-trustzone.git
f3d955c6c0ed8c46bc0eb10b634201032a651dd2 by
Johannes Winter <johannes.winter@iaik.tugraz.at>.

The TBFLAG captures the SCR NS secure state at the time when a TB is created so
the correct bank is accessed on system register accesses.

Backports commit 3f342b9e0e64ad681cd39840bfa75ef12d2807c1 from qemu
2018-02-11 17:50:46 -05:00
Fabian Aggeler 90c47cb40f
target-arm: add banked register accessors
If EL3 is in AArch32 state certain cp registers are banked (secure and
non-secure instance). When reading or writing to coprocessor registers
the following macros can be used.

- A32_BANKED macros are used for choosing the banked register based on provided
input security argument. This macro is used to choose the bank during
translation of MRC/MCR instructions that are dependent on something other
than the current secure state.
- A32_BANKED_CURRENT macros are used for choosing the banked register based on
current secure state. This is NOT to be used for choosing the bank used
during translation as it breaks monitor mode.

If EL3 is operating in AArch64 state coprocessor registers are not
banked anymore. The macros use the non-secure instance (_ns) in this
case, which is architecturally mapped to the AArch64 EL register.

Backports commit ea30a4b824ecc3c829b70eb9999ac5457dc5790f from qemu
2018-02-11 17:46:52 -05:00
Greg Bellows 67d68df401
target-arm: add async excp target_el function
Adds a dedicated function and a lookup table for determining the target
exception level of IRQ and FIQ exceptions. The lookup table is taken from the
ARMv7 and ARMv8 specification exception routing tables.

Backports commit 0eeb17d618361a0f4faddc160e33598b23da6dd5 from qemu
2018-02-11 17:45:09 -05:00
Lioncash 2d8f0be9f8
target-arm: extend async excp masking
This patch extends arm_excp_unmasked() to use lookup tables for determining
whether IRQ and FIQ exceptions are masked. The lookup tables are based on the
ARMv8 and ARMv7 specification physical interrupt masking tables.

If EL3 is using AArch64 IRQ/FIQ masking is ignored in all exception levels
other than EL3 if SCR.{FIQ|IRQ} is set to 1 (routed to EL3).

Backports commit 57e3a0c7cb0ac2f0288890482e0a463adce2080a from qemu
2018-02-11 17:38:59 -05:00
Leon Alrae da22a00c10
target-mips: pass 0 instead of -1 as rs in microMIPS LUI instruction
Using rs = -1 in gen_logic_imm() for microMIPS LUI instruction is dangerous
and may bite us when implementing microMIPS R6 because in R6 AUI and LUI
are distinguished by rs value. Therefore use 0 for safety.

Backports commit 5e88759a52934a32502298f2c78c6dfaa144364b from qemu
2018-02-11 17:18:08 -05:00
Leon Alrae 69974ce1dc
target-mips: use CP0EnLo_XI instead of magic number
Backports commit d3b1979d7b37c7fa6b187442e0990afa6f88fe3b from qemu
2018-02-11 17:16:31 -05:00
Leon Alrae 4d259dda9a
target-mips: ll and lld cause AdEL exception for unaligned address
Backports commit 6489dd250a4d6e86ecbb4badf82cc102afe26f33 from qemu
2018-02-11 17:14:43 -05:00