Commit graph

2443 commits

Author SHA1 Message Date
Rémi Denis-Courmont 58af3e76e6 target/arm: use arm_is_el2_enabled() where applicable
Do not assume that EL2 is available in and only in non-secure context.
That equivalence is broken by ARMv8.4-SEL2.

Backports e6ef0169264b00cce552404f689ce137018ff290
2021-03-04 13:49:19 -05:00
Rémi Denis-Courmont 7a694223ca target/arm: add arm_is_el2_enabled() helper
This checks if EL2 is enabled (meaning EL2 registers take effects) in
the current security context.

Backports f3ee5160ce3c03795a28e16d1a0b4916a6c959f4
2021-03-04 13:44:04 -05:00
Rémi Denis-Courmont 7402645436 target/arm: remove redundant tests
In this context, the HCR value is the effective value, and thus is
zero in secure mode. The tests for HCR.{F,I}MO are sufficient.

Backports cc974d5cd84ea60a3dad59752aea712f3d47f8ce
2021-03-04 13:42:12 -05:00
Richard Henderson f6973abb3e target/arm: Add cpu properties to control pauth
The crypto overhead of emulating pauth can be significant for
some workloads. Add two boolean properties that allows the
feature to be turned off, on with the architected algorithm,
or on with an implementation defined algorithm.

We need two intermediate booleans to control the state while
parsing properties lest we clobber ID_AA64ISAR1 into an invalid
intermediate state.

Backports relevent members from eb94284d0812b4e7c11c5d075b584100ac1c1b9a
2021-03-04 13:40:27 -05:00
Richard Henderson 0332498752 target/arm: Implement an IMPDEF pauth algorithm
Without hardware acceleration, a cryptographically strong
algorithm is too expensive for pauth_computepac.

Even with hardware accel, we are not currently expecting
to link the linux-user binaries to any crypto libraries,
and doing so would generally make the --static build fail.

So choose XXH64 as a reasonably quick and decent hash.

Backports 283fc52ade85eb50141f3b8b85f82b07d016cb17
2021-03-04 13:38:22 -05:00
Peter Maydell 68f645dd4f target/arm: Don't decode insns in the XScale/iWMMXt space as cp insns
In commit cd8be50e58f63413c0 we converted the A32 coprocessor
insns to decodetree. This accidentally broke XScale/iWMMXt insns,
because it moved the handling of "cp insns which are handled
by looking up the cp register in the hashtable" from after the
call to the legacy disas_xscale_insn() decode to before it,
with the result that all XScale/iWMMXt insns now UNDEF.

Update valid_cp() so that it knows that on XScale cp 0 and 1
are not standard coprocessor instructions; this will cause
the decodetree trans_ functions to ignore them, so that
execution will correctly get through to the legacy decode again.

Backports e4d51ac6921dc861bfb3d20e4c7dcf345840a9da
2021-03-03 20:17:20 -05:00
Leif Lindholm 09fd12e5f2 target/arm: add aarch32 ID register fields to cpu.h
Add entries present in ARM DDI 0487F.c (August 2020).

Backports bd78b6be24f3ceb71f1a7ec2c98c7a5e49cb4a86
2021-03-03 20:16:26 -05:00
Leif Lindholm a2faae9e30 target/arm: add aarch64 ID register fields to cpu.h
Add entries present in ARM DDI 0487F.c (August 2020).

Backports 00a92832f453275ca023962c00a60dde3a4f2fed
2021-03-03 20:15:16 -05:00
Leif Lindholm ba891afd32 target/arm: add descriptions of CLIDR_EL1, CCSIDR_EL1, CTR_EL0 to cpu.h
Backports 2a14526a6f56973348d622abc572db377f5a23ef
2021-03-03 20:14:05 -05:00
Leif Lindholm fc8e5fe38d target/arm: make ARMCPU.ctr 64-bit
When FEAT_MTE is implemented, the AArch64 view of CTR_EL0 adds the
TminLine field in bits [37:32].
Extend the ctr field to be able to hold this context.

Backports a5fd319ae7f6d496ff5448ec1dedcae8e2f59e9f
2021-03-03 20:13:20 -05:00
Leif Lindholm e6eb25f75a target/arm: make ARMCPU.clidr 64-bit
The AArch64 view of CLIDR_EL1 extends the ICB field to include also bit
32, as well as adding a Ttype<n> field when FEAT_MTE is implemented.
Extend the clidr field to be able to hold this context.

Backports f6450bcb6b2d3e4beae77141edce9e99cb8c277e
2021-03-03 20:12:48 -05:00
Leif Lindholm 3fff83e48f target/arm: fix typo in cpu.h ID_AA64PFR1 field name
SBSS -> SSBS

Backports 9a286bcdfd2b04afca9a668a6d6e0feb809d2d63
2021-03-03 20:12:08 -05:00
Rémi Denis-Courmont 6f06f383ea target/arm: enable Small Translation tables in max CPU
Backports 078e9fe3cbd6894fb6e420d8b53f304a3d5c0464
2021-03-03 20:11:10 -05:00
Rémi Denis-Courmont c7415c92d5 target/arm: ARMv8.4-TTST extension
This adds for the Small Translation tables extension in AArch64 state.

Backports c36c65ea3c35b309d524c05a1c05fdeabf83ddd5
2021-03-03 20:09:01 -05:00
Peter Maydell f7939926dc target/arm: Implement Cortex-M55 model
Now that we have implemented all the features needed by the v8.1M
architecture, we can add the model of the Cortex-M55. This is the
configuration without MVE support; we'll add MVE later

Backports 590e05d6b48937f6d3c631354fd706f8e005b8f6
2021-03-03 20:06:06 -05:00
Peter Maydell e586a27a7b target/arm: Implement FPCXT_NS fp system register
Implement the v8.1M FPCXT_NS floating-point system register. This is
a little more complicated than FPCXT_S, because it has specific
handling for "current FP state is inactive", and it only wants to do
PreserveFPState(), not the full set of actions done by
ExecuteFPCheck() which vfp_access_check() implements.

Backports eb20dafdbff92063a88624176fdc396e01961bf3
2021-03-03 20:02:36 -05:00
Peter Maydell 311b6fd74c target/arm: Correct store of FPSCR value via FPCXT_S
In commit 64f863baeedc8659 we implemented the v8.1M FPCXT_S register,
but we got the write behaviour wrong. On read, this register reads
bits [27:0] of FPSCR plus the CONTROL.SFPA bit. On write, it doesn't
just write back those bits -- it writes a value to the whole FPSCR,
whose upper 4 bits are zeroes.

We also incorrectly implemented the write-to-FPSCR as a simple store
to vfp.xregs; this skips the "update the softfloat flags" part of
the vfp_set_fpscr helper so the value would read back correctly but
not actually take effect.

Fix both of these things by doing a complete write to the FPSCR
using the helper function.

Backports 7fbf95a037d79c5e923ffb51ac902dbe9599c87f
2021-03-03 19:57:56 -05:00
Richard Henderson 85b417d438 target/arm: Fix MTE0_ACTIVE
In 50244cc76abc we updated mte_check_fail to match the ARM
pseudocode, using the correct EL to select the TCF field.
But we failed to update MTE0_ACTIVE the same way, which led
to g_assert_not_reached().

Backports cc97b0019bb590b9b3c2a623e9ebee48831e0ce3
2021-03-03 19:56:23 -05:00
Peter Maydell 1a3abaa81a target/i386: Check privilege level for protected mode 'int N' task gate
When the 'int N' instruction is executed in protected mode, the
pseudocode in the architecture manual specifies that we need to check:

* vector number within IDT limits
* selected IDT descriptor is a valid type (interrupt, trap or task gate)
* if this was a software interrupt then gate DPL < CPL

The way we had structured the code meant that the privilege check for
software interrupts ended up not in the code path taken for task gate
handling, because all of the task gate handling code was in the 'case 5'
of the switch which was checking "is this descriptor a valid type".

Move the task gate handling code out of that switch (so that it is now
purely doing the "valid type?" check) and below the software interrupt
privilege check.

The effect of this missing check was that in a guest userspace binary
executing 'int 8' would cause a guest kernel panic rather than the
userspace binary being handed a SEGV.

This is essentially the same bug fixed in VirtualBox in 2012:
https://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/

Note that for QEMU this is not a security issue because it is only
present when using TCG.

Backports 3df1a3d070575419859cbbab1083fafa7ec2669a
2021-03-03 19:32:10 -05:00
zhaolichang f526d4455c m68k: fix some comment spelling errors
I found that there are many spelling errors in the comments of qemu/target/m68k.
I used spellcheck to check the spelling errors and found some errors in the folder.

Backports ce00ff729ee8461dc94a1593d25ceda65d973d3c
2021-03-03 19:13:26 -05:00
Laurent Vivier bf2c52bc83 target/m68k: remove useless qregs array
They are unused since the target has been converted to TCG.

Backports 4160d5e6bd347e5d27804912b61d02df0a90ba8e
2021-03-03 19:11:44 -05:00
Bin Meng c59e391194 target/i386: seg_helper: Correct segment selector nullification in the RET/IRET helper
Per the SDM, when returning to outer privilege level, for segment
registers (ES, FS, GS, and DS) if the check fails, the segment
selector becomes null, but QEMU clears the base/limit/flags as well
as nullifying the segment selector, which should be a spec violation.

Real hardware seems to be compliant with the spec, at least on one
Coffee Lake board I tested.

Backports c2ba0515f2df58a661fcb5d6485139877d92ab1b
2021-03-03 19:10:24 -05:00
Paolo Bonzini 1da5d669a7 target/i386: fix operand order for PDEP and PEXT
For PDEP and PEXT, the mask is provided in the memory (mod+r/m)
operand, and therefore is loaded in s->T0 by gen_ldst_modrm.
The source is provided in the second source operand (VEX.vvvv)
and therefore is loaded in s->T1. Fix the order in which
they are passed to the helpers.

Backports 75b208c28316095c4685e8596ceb9e3f656592e2
2021-03-03 19:09:21 -05:00
Peter Maydell a9abb7c647 target/arm: Implement M-profile "minimal RAS implementation"
For v8.1M the architecture mandates that CPUs must provide at
least the "minimal RAS implementation" from the Reliability,
Availability and Serviceability extension. This consists of:
* an ESB instruction which is a NOP
-- since it is in the HINT space we need only add a comment
* an RFSR register which will RAZ/WI
* a RAZ/WI AIRCR.IESB bit
-- the code which handles writes to AIRCR does not allow setting
of RES0 bits, so we already treat this as RAZ/WI; add a comment
noting that this is deliberate
* minimal implementation of the RAS register block at 0xe0005000
-- this will be in a subsequent commit
* setting the ID_PFR0.RAS field to 0b0010
-- we will do this when we add the Cortex-M55 CPU model

Backports 46f4976f22a4549322307b34272e053d38653243
2021-03-03 19:07:27 -05:00
Peter Maydell 543483444d target/arm: Implement CCR_S.TRD behaviour for SG insns
v8.1M introduces a new TRD flag in the CCR register, which enables
checking for stack frame integrity signatures on SG instructions.
Add the code in the SG insn implementation for the new behaviour.

Backports 7f484147369080d36c411c4ba969f90d025aed55
2021-03-03 19:05:25 -05:00
Peter Maydell 7aa516aff2 target/arm: Implement new v8.1M VLLDM and VLSTM encodings
v8.1M adds new encodings of VLLDM and VLSTM (where bit 7 is set).
The only difference is that:
* the old T1 encodings UNDEF if the implementation implements 32
Dregs (this is currently architecturally impossible for M-profile)
* the new T2 encodings have the implementation-defined option to
read from memory (discarding the data) or write UNKNOWN values to
memory for the stack slots that would be D16-D31

We choose not to make those accesses, so for us the two
instructions behave identically assuming they don't UNDEF.

Backports fe6fa228a71f0eb8b8ee315452e6a7736c537b1f
2021-03-03 19:01:33 -05:00
Peter Maydell f02045f5f5 target/arm: Implement new v8.1M NOCP check for exception return
In v8.1M a new exception return check is added which may cause a NOCP
UsageFault (see rule R_XLTP): before we clear s0..s15 and the FPSCR
we must check whether access to CP10 from the Security state of the
returning exception is disabled; if it is then we must take a fault.

(Note that for our implementation CPPWR is always RAZ/WI and so can
never cause CP10 accesses to fail.)

The other v8.1M change to this register-clearing code is that if MVE
is implemented VPR must also be cleared, so add a TODO comment to
that effect.

Backports 3423fbf10427db7680d3237d4f62d8370052fca0
2021-03-03 18:59:37 -05:00
Peter Maydell 05d479a8c0 target/arm: For v8.1M, always clear R0-R3, R12, APSR, EPSR on exception entry
In v8.0M, on exception entry the registers R0-R3, R12, APSR and EPSR
are zeroed for an exception taken to Non-secure state; for an
exception taken to Secure state they become UNKNOWN, and we chose to
leave them at their previous values.

In v8.1M the behaviour is specified more tightly and these registers
are always zeroed regardless of the security state that the exception
targets (see rule R_KPZV). Implement this.

Backports a59b1ed618415212c5f0f05abc1192e14ad5fdbb
2021-03-03 18:55:56 -05:00
Peter Maydell 94b36be626 target/arm: Implement FPCXT_S fp system register
Implement the new-in-v8.1M FPCXT_S floating point system register.
This is for saving and restoring the secure floating point context,
and it reads and writes bits [27:0] from the FPSCR and the
CONTROL.SFPA bit in bit [31].

Backports 64f863baeedc86590a608e2f1722dd8640aa9431
2021-03-03 18:53:23 -05:00
Peter Maydell 362379a9e1 target/arm: Factor out preserve-fp-state from full_vfp_access_check()
Factor out the code which handles M-profile lazy FP state preservation
from full_vfp_access_check(); accesses to the FPCXT_NS register are
a special case which need to do just this part (corresponding in the
pseudocode to the PreserveFPState() function), and not the full
set of actions matching the pseudocode ExecuteFPCheck() which
normal FP instructions need to do.

Backports 96dfae686628fc14ba4f993824322b93395e221b
2021-03-03 18:48:47 -05:00
Peter Maydell 2de945ba4d target/arm: Use new FPCR_NZCV_MASK constant
We defined a constant name for the mask of NZCV bits in the FPCR/FPSCR
in the previous commit; use it in a couple of places in existing code,
where we're masking out everything except NZCV for the "load to Rt=15
sets CPSR.NZCV" special case.

Backports 6a017acdf83e3bb6bd5e85289ca90b2ea3282b7e
2021-03-03 18:47:30 -05:00
Peter Maydell 2c6e54d1cd target/arm: Implement M-profile FPSCR_nzcvqc
v8.1M defines a new FP system register FPSCR_nzcvqc; this behaves
like the existing FPSCR, except that it reads and writes only bits
[31:27] of the FPSCR (the N, Z, C, V and QC flag bits). (Unlike the
FPSCR, the special case for Rt=15 of writing the CPSR.NZCV is not
permitted.)

Implement the register. Since we don't yet implement MVE, we handle
the QC bit as RES0, with todo comments for where we will need to add
support later.

Backports 9542c30bcf13c495400d63616dd8dfa825b04685
2021-03-03 18:45:38 -05:00
Peter Maydell 56532aa94c target/arm: Implement VLDR/VSTR system register
Implement the new-in-v8.1M VLDR/VSTR variants which directly
read or write FP system registers to memory.

Backports 0bf0dd4dcbd9fab324700ac6e0cd061cd043de0d
2021-03-03 18:42:05 -05:00
Peter Maydell edae732810 target/arm: Move general-use constant expanders up in translate.c
The constant-expander functions like negate, plus_2, etc, are
generally useful; move them up in translate.c so we can use them in
the VFP/Neon decoders as well as in the A32/T32/T16 decoders.

Backports f7ed0c9433e7c5c157d2e6235eb5c8b93234a71a
2021-03-03 18:29:32 -05:00
Peter Maydell a72c744370 target/arm: Refactor M-profile VMSR/VMRS handling
Currently M-profile borrows the A-profile code for VMSR and VMRS
(access to the FP system registers), because all it needs to support
is the FPSCR. In v8.1M things become significantly more complicated
in two ways:

* there are several new FP system registers; some have side effects
on read, and one (FPCXT_NS) needs to avoid the usual
vfp_access_check() and the "only if FPU implemented" check

* all sysregs are now accessible both by VMRS/VMSR (which
reads/writes a general purpose register) and also by VLDR/VSTR
(which reads/writes them directly to memory)

Refactor the structure of how we handle VMSR/VMRS to cope with this:

* keep the M-profile code entirely separate from the A-profile code

* abstract out the "read or write the general purpose register" part
of the code into a loadfn or storefn function pointer, so we can
reuse it for VLDR/VSTR.

Backports 32a290b8c3c2dc85cd88bd8983baf900d575cab
2021-03-03 18:13:17 -05:00
Peter Maydell 4eafe42d67 target/arm: Enforce M-profile VMRS/VMSR register restrictions
For M-profile before v8.1M, the only valid register for VMSR/VMRS is
the FPSCR. We have a comment that states this, but the actual logic
to forbid accesses for any other register value is missing, so we
would end up with A-profile style behaviour. Add the missing check.

Backports ede97c9d71110821738a48f88ff9f10d6bec017f
2021-03-03 18:06:23 -05:00
Peter Maydell 2e3bd010a8 target/arm: Implement CLRM instruction
In v8.1M the new CLRM instruction allows zeroing an arbitrary set of
the general-purpose registers and APSR. Implement this.

The encoding is a subset of the LDMIA T2 encoding, using what would
be Rn=0b1111 (which UNDEFs for LDMIA).

Backports 6e21a013fbdf54960a079dccc90772bb622e28e8
2021-03-03 18:00:28 -05:00
Peter Maydell 43d8441881 target/arm: Implement VSCCLRM insn
Implement the v8.1M VSCCLRM insn, which zeros floating point
registers if there is an active floating point context.
This requires support in write_neon_element32() for the MO_32
element size, so add it.

Because we want to use arm_gen_condlabel(), we need to move
the definition of that function up in translate.c so it is
before the #include of translate-vfp.c.inc.

Backports 83ff3d6add965c9752324de11eac5687121ea826
2021-03-03 17:57:30 -05:00
Peter Maydell 952ebdc207 target/arm: Don't clobber ID_PFR1.Security on M-profile cores
In arm_cpu_realizefn() we check whether the board code disabled EL3
via the has_el3 CPU object property, which we create if the CPU
starts with the ARM_FEATURE_EL3 feature bit. If it is disabled, then
we turn off ARM_FEATURE_EL3 and also zero out the relevant fields in
the ID_PFR1 and ID_AA64PFR0 registers.

This codepath was incorrectly being taken for M-profile CPUs, which
do not have an EL3 and don't set ARM_FEATURE_EL3, but which may have
the M-profile Security extension and so should have non-zero values
in the ID_PFR1.Security field.

Restrict the handling of the feature flag to A/R-profile cores.

Backports 4018818840f499d0a478508aedbb6802c8eae928
2021-03-03 17:52:30 -05:00
Peter Maydell cfefada296 target/arm: Implement v8.1M PXN extension
In v8.1M the PXN architecture extension adds a new PXN bit to the
MPU_RLAR registers, which forbids execution of code in the region
from a privileged mode.

This is another feature which is just in the generic "in v8.1M" set
and has no ID register field indicating its presence.

Backports cad8e2e3160dd10371552fce6cd8c6e171503e13
2021-03-03 17:50:26 -05:00
Rémi Denis-Courmont d9592046ef target/arm: fix stage 2 page-walks in 32-bit emulation
Using a target unsigned long would limit the Input Address to a LPAE
page-walk to 32 bits on AArch32 and 64 bits on AArch64. This is okay
for stage 1 or on AArch64, but it is insufficient for stage 2 on
AArch32. In that later case, the Input Address can have up to 40 bits.

Backports commit 98e8779770c40901ed585745aacc9a8e2b934a28
2021-03-02 13:37:02 -05:00
Chetan Pant 3e25486110 x86 tcg cpus: Fix Lesser GPL version number
There is no "version 2" of the "Lesser" General Public License.
It is either "GPL version 2.0" or "Lesser GPL version 2.1".
This patch replaces all occurrences of "Lesser GPL version 2" with
"Lesser GPL version 2.1" in comment section.

Backport d9ff33ada7f32ca59f99b270a2d0eb223b3c9c8f
2021-03-02 13:33:10 -05:00
Chetan Pant c7f6786089 arm tcg cpus: Fix Lesser GPL version number
There is no "version 2" of the "Lesser" General Public License.
It is either "GPL version 2.0" or "Lesser GPL version 2.1".
This patch replaces all occurrences of "Lesser GPL version 2" with
"Lesser GPL version 2.1" in comment section.

Backports 50f57e09fda4b7ffbc5ba62aad6cebf660824023
2021-03-02 13:30:35 -05:00
Peter Maydell f991d945d3 target/arm/translate-neon.c: Handle VTBL UNDEF case before VFP access check
Checks for UNDEF cases should go before the "is VFP enabled?" access
check, except in special cases. Move a stray UNDEF check in the VTBL
trans function up above the access check.

Backports b6c56c8a9a4064ea783f352f43c5df6231a110fa
2021-03-02 13:24:51 -05:00
Richard Henderson 9623047097 target/arm: Fix neon VTBL/VTBX for len > 1
The helper function did not get updated when we reorganized
the vector register file for SVE. Since then, the neon dregs
are non-sequential and cannot be simply indexed.

At the same time, make the helper function operate on 64-bit
quantities so that we do not have to call it twice.

Backports 604cef3e57eaeeef77074d78f6cf2eca1be11c62
2021-03-02 13:23:13 -05:00
Xinhao Zhang b3f63b72a2 target/arm: add space before the open parenthesis '('
Fix code style. Space required before the open parenthesis '('.

Backports 7f350a87e3a85e8a260ce4b133d549a7b2789213
2021-03-02 13:17:48 -05:00
Xinhao Zhang 71d4aced5d target/arm: Don't use '#' flag of printf format
Fix code style. Don't use '#' flag of printf format ('%#') in
format strings, use '0x' prefix instead

Backports 6eb55edbabb9eed1e4c7dfb233e7d738e8b5fa89
2021-03-02 13:16:09 -05:00
Xinhao Zhang 492fbc4d2c target/arm: add spaces around operator
Fix code style. Operator needs spaces both sides.

Backports bdc3b6f570e8bd219aa6a24a149b35a691e6986c
2021-03-02 13:15:12 -05:00
Peter Maydell e528c8229e target/arm: Get correct MMU index for other-security-state
In arm_v7m_mmu_idx_for_secstate() we get the 'priv' level to pass to
armv7m_mmu_idx_for_secstate_and_priv() by calling arm_current_el().
This is incorrect when the security state being queried is not the
current one, because arm_current_el() uses the current security state
to determine which of the banked CONTROL.nPRIV bits to look at.
The effect was that if (for instance) Secure state was in privileged
mode but Non-Secure was not then we would return the wrong MMU index.

The only places where we are using this function in a way that could
trigger this bug are for the stack loads during a v8M function-return
and for the instruction fetch of a v8M SG insn.

Fix the bug by expanding out the M-profile version of the
arm_current_el() logic inline so it can use the passed in secstate
rather than env->v7m.secure.

Backports 7142eb9e24b4aa5118cd67038057f15694d782aa
2021-03-02 13:08:44 -05:00
Rémi Denis-Courmont a4053565d6 target/arm: fix LORID_EL1 access check
Secure mode is not exempted from checking SCR_EL3.TLOR, and in the
future HCR_EL2.TLOR when S-EL2 is enabled.

Backports 9bd268bae5c4760870522292fb1d46e7da7e372a
2021-03-02 13:06:50 -05:00