From 688a3dae7828ca5ee6f45d510eed083420d72d8a Mon Sep 17 00:00:00 2001 From: Kane-Chen-AS Date: Tue, 12 Aug 2025 17:39:58 +0800 Subject: [PATCH 01/32] hw/nvram/aspeed_otp: Add ASPEED OTP memory device model MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Introduce a QEMU device model for ASPEED's One-Time Programmable (OTP) memory. This model simulates a word-addressable OTP region used for secure fuse storage. The OTP memory can operate with an internal memory buffer. The OTP model provides a memory-like interface through a dedicated AddressSpace, allowing other device models (e.g., SBC) to issue transactions as if accessing a memory-mapped region. Signed-off-by: Kane-Chen-AS Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250812094011.2617526-2-kane_chen@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/nvram/aspeed_otp.c | 99 +++++++++++++++++++++++++++++++++++ hw/nvram/meson.build | 4 ++ include/hw/nvram/aspeed_otp.h | 33 ++++++++++++ 3 files changed, 136 insertions(+) create mode 100644 hw/nvram/aspeed_otp.c create mode 100644 include/hw/nvram/aspeed_otp.h diff --git a/hw/nvram/aspeed_otp.c b/hw/nvram/aspeed_otp.c new file mode 100644 index 0000000000..e5b7ca9676 --- /dev/null +++ b/hw/nvram/aspeed_otp.c @@ -0,0 +1,99 @@ +/* + * ASPEED OTP (One-Time Programmable) memory + * + * Copyright (C) 2025 Aspeed + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "qemu/log.h" +#include "qapi/error.h" +#include "system/block-backend.h" +#include "hw/qdev-properties.h" +#include "hw/nvram/aspeed_otp.h" + +static uint64_t aspeed_otp_read(void *opaque, hwaddr offset, unsigned size) +{ + AspeedOTPState *s = opaque; + uint64_t val = 0; + + memcpy(&val, s->storage + offset, size); + + return val; +} + +static void aspeed_otp_write(void *opaque, hwaddr otp_addr, + uint64_t val, unsigned size) +{ + AspeedOTPState *s = opaque; + + memcpy(s->storage + otp_addr, &val, size); +} + +static bool aspeed_otp_init_storage(AspeedOTPState *s, Error **errp) +{ + uint32_t *p; + int i, num; + + num = s->size / sizeof(uint32_t); + p = (uint32_t *)s->storage; + for (i = 0; i < num; i++) { + p[i] = (i % 2 == 0) ? 0x00000000 : 0xFFFFFFFF; + } + + return true; +} + +static const MemoryRegionOps aspeed_otp_ops = { + .read = aspeed_otp_read, + .write = aspeed_otp_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .valid.min_access_size = 1, + .valid.max_access_size = 4, +}; + +static void aspeed_otp_realize(DeviceState *dev, Error **errp) +{ + AspeedOTPState *s = ASPEED_OTP(dev); + + if (s->size == 0) { + error_setg(errp, "aspeed.otp: 'size' property must be set"); + return; + } + + s->storage = blk_blockalign(s->blk, s->size); + + if (!aspeed_otp_init_storage(s, errp)) { + return; + } + + memory_region_init_io(&s->mmio, OBJECT(dev), &aspeed_otp_ops, + s, "aspeed.otp", s->size); + address_space_init(&s->as, &s->mmio, NULL); +} + +static const Property aspeed_otp_properties[] = { + DEFINE_PROP_UINT64("size", AspeedOTPState, size, 0), +}; + +static void aspeed_otp_class_init(ObjectClass *klass, const void *data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + dc->realize = aspeed_otp_realize; + device_class_set_props(dc, aspeed_otp_properties); +} + +static const TypeInfo aspeed_otp_info = { + .name = TYPE_ASPEED_OTP, + .parent = TYPE_DEVICE, + .instance_size = sizeof(AspeedOTPState), + .class_init = aspeed_otp_class_init, +}; + +static void aspeed_otp_register_types(void) +{ + type_register_static(&aspeed_otp_info); +} + +type_init(aspeed_otp_register_types) diff --git a/hw/nvram/meson.build b/hw/nvram/meson.build index 10f3639db6..b66f23605b 100644 --- a/hw/nvram/meson.build +++ b/hw/nvram/meson.build @@ -19,3 +19,7 @@ system_ss.add(when: 'CONFIG_XLNX_BBRAM', if_true: files('xlnx-bbram.c')) specific_ss.add(when: 'CONFIG_PSERIES', if_true: files('spapr_nvram.c')) specific_ss.add(when: 'CONFIG_ACPI', if_true: files('fw_cfg-acpi.c')) + +system_ss.add(when: 'CONFIG_ASPEED_SOC', if_true: files( + 'aspeed_otp.c', + )) \ No newline at end of file diff --git a/include/hw/nvram/aspeed_otp.h b/include/hw/nvram/aspeed_otp.h new file mode 100644 index 0000000000..3752353860 --- /dev/null +++ b/include/hw/nvram/aspeed_otp.h @@ -0,0 +1,33 @@ +/* + * ASPEED OTP (One-Time Programmable) memory + * + * Copyright (C) 2025 Aspeed + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef ASPEED_OTP_H +#define ASPEED_OTP_H + +#include "system/memory.h" +#include "hw/block/block.h" +#include "system/address-spaces.h" + +#define TYPE_ASPEED_OTP "aspeed-otp" +OBJECT_DECLARE_SIMPLE_TYPE(AspeedOTPState, ASPEED_OTP) + +typedef struct AspeedOTPState { + DeviceState parent_obj; + + BlockBackend *blk; + + uint64_t size; + + AddressSpace as; + + MemoryRegion mmio; + + uint8_t *storage; +} AspeedOTPState; + +#endif /* ASPEED_OTP_H */ From 9f58dd0a8c30a6b84016db30949fe2f86f8bc38b Mon Sep 17 00:00:00 2001 From: Kane-Chen-AS Date: Tue, 12 Aug 2025 17:39:59 +0800 Subject: [PATCH 02/32] hw/misc/aspeed_sbc: Connect ASPEED OTP memory device to SBC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch connects the aspeed.otp device to the ASPEED Secure Boot Controller (SBC) model. It implements OTP memory access via the SBC's command interface and enables emulation of secure fuse programming flows. The following OTP commands are supported: - READ: reads a 32-bit word from OTP memory into internal registers - PROG: programs a 32-bit word value to the specified OTP address Trace events are added to observe read/program operations and command handling flow. Signed-off-by: Kane-Chen-AS Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250812094011.2617526-3-kane_chen@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/misc/aspeed_sbc.c | 111 +++++++++++++++++++++++++++++++++++ hw/misc/trace-events | 5 ++ include/hw/misc/aspeed_sbc.h | 5 ++ 3 files changed, 121 insertions(+) diff --git a/hw/misc/aspeed_sbc.c b/hw/misc/aspeed_sbc.c index a7d101ba71..46a038337c 100644 --- a/hw/misc/aspeed_sbc.c +++ b/hw/misc/aspeed_sbc.c @@ -15,9 +15,13 @@ #include "hw/misc/aspeed_sbc.h" #include "qapi/error.h" #include "migration/vmstate.h" +#include "trace.h" #define R_PROT (0x000 / 4) +#define R_CMD (0x004 / 4) +#define R_ADDR (0x010 / 4) #define R_STATUS (0x014 / 4) +#define R_CAMP1 (0x020 / 4) #define R_QSR (0x040 / 4) /* R_STATUS */ @@ -41,6 +45,11 @@ #define QSR_RSA_MASK (0x3 << 12) #define QSR_HASH_MASK (0x3 << 10) +#define OTP_MEMORY_SIZE 0x4000 +/* OTP command */ +#define SBC_OTP_CMD_READ 0x23b1e361 +#define SBC_OTP_CMD_PROG 0x23b1e364 + static uint64_t aspeed_sbc_read(void *opaque, hwaddr addr, unsigned int size) { AspeedSBCState *s = ASPEED_SBC(opaque); @@ -57,6 +66,84 @@ static uint64_t aspeed_sbc_read(void *opaque, hwaddr addr, unsigned int size) return s->regs[addr]; } +static bool aspeed_sbc_otp_read(AspeedSBCState *s, + uint32_t otp_addr) +{ + MemTxResult ret; + AspeedOTPState *otp = &s->otp; + uint32_t value, otp_offset; + + otp_offset = otp_addr << 2; + ret = address_space_read(&otp->as, otp_offset, MEMTXATTRS_UNSPECIFIED, + &value, sizeof(value)); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Failed to read OTP memory, addr = %x\n", + otp_addr); + return false; + } + s->regs[R_CAMP1] = value; + trace_aspeed_sbc_otp_read(otp_addr, value); + + return true; +} + +static bool aspeed_sbc_otp_prog(AspeedSBCState *s, + uint32_t otp_addr) +{ + MemTxResult ret; + AspeedOTPState *otp = &s->otp; + uint32_t value = s->regs[R_CAMP1]; + + ret = address_space_write(&otp->as, otp_addr, MEMTXATTRS_UNSPECIFIED, + &value, sizeof(value)); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Failed to write OTP memory, addr = %x\n", + otp_addr); + return false; + } + + trace_aspeed_sbc_otp_prog(otp_addr, value); + + return true; +} + +static void aspeed_sbc_handle_command(void *opaque, uint32_t cmd) +{ + AspeedSBCState *s = ASPEED_SBC(opaque); + AspeedSBCClass *sc = ASPEED_SBC_GET_CLASS(opaque); + bool ret = false; + uint32_t otp_addr; + + if (!sc->has_otp) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: OTP memory is not supported\n", + __func__); + return; + } + + s->regs[R_STATUS] &= ~(OTP_MEM_IDLE | OTP_IDLE); + otp_addr = s->regs[R_ADDR]; + + switch (cmd) { + case SBC_OTP_CMD_READ: + ret = aspeed_sbc_otp_read(s, otp_addr); + break; + case SBC_OTP_CMD_PROG: + ret = aspeed_sbc_otp_prog(s, otp_addr); + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Unknown command 0x%x\n", + __func__, cmd); + break; + } + + trace_aspeed_sbc_handle_cmd(cmd, otp_addr, ret); + s->regs[R_STATUS] |= (OTP_MEM_IDLE | OTP_IDLE); +} + static void aspeed_sbc_write(void *opaque, hwaddr addr, uint64_t data, unsigned int size) { @@ -78,6 +165,9 @@ static void aspeed_sbc_write(void *opaque, hwaddr addr, uint64_t data, "%s: write to read only register 0x%" HWADDR_PRIx "\n", __func__, addr << 2); return; + case R_CMD: + aspeed_sbc_handle_command(opaque, data); + return; default: break; } @@ -115,10 +205,30 @@ static void aspeed_sbc_reset(DeviceState *dev) s->regs[R_QSR] = s->signing_settings; } +static void aspeed_sbc_instance_init(Object *obj) +{ + AspeedSBCClass *sc = ASPEED_SBC_GET_CLASS(obj); + AspeedSBCState *s = ASPEED_SBC(obj); + + if (sc->has_otp) { + object_initialize_child(OBJECT(s), "otp", &s->otp, + TYPE_ASPEED_OTP); + } +} + static void aspeed_sbc_realize(DeviceState *dev, Error **errp) { AspeedSBCState *s = ASPEED_SBC(dev); SysBusDevice *sbd = SYS_BUS_DEVICE(dev); + AspeedSBCClass *sc = ASPEED_SBC_GET_CLASS(dev); + + if (sc->has_otp) { + object_property_set_int(OBJECT(&s->otp), "size", + OTP_MEMORY_SIZE, &error_abort); + if (!qdev_realize(DEVICE(&s->otp), NULL, errp)) { + return; + } + } memory_region_init_io(&s->iomem, OBJECT(s), &aspeed_sbc_ops, s, TYPE_ASPEED_SBC, 0x1000); @@ -155,6 +265,7 @@ static const TypeInfo aspeed_sbc_info = { .name = TYPE_ASPEED_SBC, .parent = TYPE_SYS_BUS_DEVICE, .instance_size = sizeof(AspeedSBCState), + .instance_init = aspeed_sbc_instance_init, .class_init = aspeed_sbc_class_init, .class_size = sizeof(AspeedSBCClass) }; diff --git a/hw/misc/trace-events b/hw/misc/trace-events index e3f64c0ff6..9e05b82f37 100644 --- a/hw/misc/trace-events +++ b/hw/misc/trace-events @@ -90,6 +90,11 @@ slavio_sysctrl_mem_readl(uint32_t ret) "Read system control 0x%08x" slavio_led_mem_writew(uint32_t val) "Write diagnostic LED 0x%04x" slavio_led_mem_readw(uint32_t ret) "Read diagnostic LED 0x%04x" +# aspeed_sbc.c +aspeed_sbc_handle_cmd(uint32_t cmd, uint32_t addr, bool ret) "Handling command 0x%" PRIx32 " for OTP addr 0x%" PRIx32 " Result: %d" +aspeed_sbc_otp_read(uint32_t addr, uint32_t value) "OTP Memory read: addr 0x%" PRIx32 " value 0x%" PRIx32 +aspeed_sbc_otp_prog(uint32_t addr, uint32_t value) "OTP Memory write: addr 0x%" PRIx32 " value 0x%" PRIx32 + # aspeed_scu.c aspeed_scu_write(uint64_t offset, unsigned size, uint32_t data) "To 0x%" PRIx64 " of size %u: 0x%" PRIx32 aspeed_scu_read(uint64_t offset, unsigned size, uint32_t data) "To 0x%" PRIx64 " of size %u: 0x%" PRIx32 diff --git a/include/hw/misc/aspeed_sbc.h b/include/hw/misc/aspeed_sbc.h index 405e6782b9..0c2746d392 100644 --- a/include/hw/misc/aspeed_sbc.h +++ b/include/hw/misc/aspeed_sbc.h @@ -10,6 +10,7 @@ #define ASPEED_SBC_H #include "hw/sysbus.h" +#include "hw/nvram/aspeed_otp.h" #define TYPE_ASPEED_SBC "aspeed.sbc" #define TYPE_ASPEED_AST2600_SBC TYPE_ASPEED_SBC "-ast2600" @@ -36,10 +37,14 @@ struct AspeedSBCState { MemoryRegion iomem; uint32_t regs[ASPEED_SBC_NR_REGS]; + + AspeedOTPState otp; }; struct AspeedSBCClass { SysBusDeviceClass parent_class; + + bool has_otp; }; #endif /* ASPEED_SBC_H */ From fe4159cb34f36a63a1759b907f51f8d458f5c940 Mon Sep 17 00:00:00 2001 From: Kane-Chen-AS Date: Tue, 12 Aug 2025 17:40:00 +0800 Subject: [PATCH 03/32] hw/arm: Integrate ASPEED OTP memory support into AST2600 SoCs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The has_otp attribute is enabled in the SBC subclasses for AST2600 to control the presence of OTP support per SoC type. Signed-off-by: Kane-Chen-AS Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250812094011.2617526-4-kane_chen@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/arm/aspeed_ast2600.c | 2 +- hw/misc/aspeed_sbc.c | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/hw/arm/aspeed_ast2600.c b/hw/arm/aspeed_ast2600.c index d12707f0ab..59ffd41a4a 100644 --- a/hw/arm/aspeed_ast2600.c +++ b/hw/arm/aspeed_ast2600.c @@ -261,7 +261,7 @@ static void aspeed_soc_ast2600_init(Object *obj) object_initialize_child(obj, "i3c", &s->i3c, TYPE_ASPEED_I3C); - object_initialize_child(obj, "sbc", &s->sbc, TYPE_ASPEED_SBC); + object_initialize_child(obj, "sbc", &s->sbc, TYPE_ASPEED_AST2600_SBC); object_initialize_child(obj, "iomem", &s->iomem, TYPE_UNIMPLEMENTED_DEVICE); object_initialize_child(obj, "video", &s->video, TYPE_UNIMPLEMENTED_DEVICE); diff --git a/hw/misc/aspeed_sbc.c b/hw/misc/aspeed_sbc.c index 46a038337c..b56a8b7678 100644 --- a/hw/misc/aspeed_sbc.c +++ b/hw/misc/aspeed_sbc.c @@ -273,8 +273,10 @@ static const TypeInfo aspeed_sbc_info = { static void aspeed_ast2600_sbc_class_init(ObjectClass *klass, const void *data) { DeviceClass *dc = DEVICE_CLASS(klass); + AspeedSBCClass *sc = ASPEED_SBC_CLASS(klass); dc->desc = "AST2600 Secure Boot Controller"; + sc->has_otp = true; } static const TypeInfo aspeed_ast2600_sbc_info = { From c6b4279a9240a838632e2d689a138da96545c540 Mon Sep 17 00:00:00 2001 From: Kane-Chen-AS Date: Tue, 12 Aug 2025 17:40:01 +0800 Subject: [PATCH 04/32] hw/nvram/aspeed_otp: Add 'drive' property to support block backend MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch introduces a 'drive' property to the Aspeed OTP device, allowing it to be backed by a block device. Users can now preload OTP data via QEMU CLI using a block backend. Example usage: ./qemu-system-arm \ -blockdev driver=file,filename=otpmem.img,node-name=otp \ -global aspeed-otp.drive=otp \ ... If the drive is provided, its content will be loaded as the initial OTP state. Otherwise, an internal memory buffer will be used. Signed-off-by: Kane-Chen-AS Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250812094011.2617526-5-kane_chen@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/nvram/aspeed_otp.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/hw/nvram/aspeed_otp.c b/hw/nvram/aspeed_otp.c index e5b7ca9676..abb3731823 100644 --- a/hw/nvram/aspeed_otp.c +++ b/hw/nvram/aspeed_otp.c @@ -35,13 +35,25 @@ static bool aspeed_otp_init_storage(AspeedOTPState *s, Error **errp) { uint32_t *p; int i, num; + uint64_t perm; + if (s->blk) { + perm = BLK_PERM_CONSISTENT_READ | + (blk_supports_write_perm(s->blk) ? BLK_PERM_WRITE : 0); + if (blk_set_perm(s->blk, perm, BLK_PERM_ALL, errp) < 0) { + return false; + } + if (blk_pread(s->blk, 0, s->size, s->storage, 0) < 0) { + error_setg(errp, "Failed to read the initial flash content"); + return false; + } + } else { num = s->size / sizeof(uint32_t); p = (uint32_t *)s->storage; for (i = 0; i < num; i++) { p[i] = (i % 2 == 0) ? 0x00000000 : 0xFFFFFFFF; } - + } return true; } @@ -75,6 +87,7 @@ static void aspeed_otp_realize(DeviceState *dev, Error **errp) static const Property aspeed_otp_properties[] = { DEFINE_PROP_UINT64("size", AspeedOTPState, size, 0), + DEFINE_PROP_DRIVE("drive", AspeedOTPState, blk), }; static void aspeed_otp_class_init(ObjectClass *klass, const void *data) From 8970c95c4db99dd44ff463acc14c69510776cdee Mon Sep 17 00:00:00 2001 From: Kane-Chen-AS Date: Tue, 12 Aug 2025 17:40:02 +0800 Subject: [PATCH 05/32] hw/nvram/aspeed_otp: Add OTP programming semantics and tracing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Implement correct OTP programming behavior for Aspeed OTP: - Support read-modify-write flow with one-way bit programming: * prog_bit uses 0s as the "to-be-programmed" mask. * Even-indexed words: 0->1, odd-indexed words: 1->0. * Reject non-programmable requests and log conflicts. - Enable unaligned accesses in MemoryRegionOps. Since each OTP address maps to a 1DW (4B) or 2DW (8B) block in the backing store, upper-layer accesses may be unaligned to block boundaries. This matches the irreversible, word-parity-dependent programming rules of Aspeed SoCs and exposes changes via QEMU trace events. Signed-off-by: Kane-Chen-AS Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250812094011.2617526-6-kane_chen@aspeedtech.com [ clg: Fixed PRIx64 format in aspeed_otp_write() ] Signed-off-by: Cédric Le Goater --- hw/nvram/aspeed_otp.c | 80 ++++++++++++++++++++++++++++++++++++++++++- hw/nvram/trace-events | 5 +++ 2 files changed, 84 insertions(+), 1 deletion(-) diff --git a/hw/nvram/aspeed_otp.c b/hw/nvram/aspeed_otp.c index abb3731823..dcf8ed3917 100644 --- a/hw/nvram/aspeed_otp.c +++ b/hw/nvram/aspeed_otp.c @@ -12,6 +12,7 @@ #include "system/block-backend.h" #include "hw/qdev-properties.h" #include "hw/nvram/aspeed_otp.h" +#include "hw/nvram/trace.h" static uint64_t aspeed_otp_read(void *opaque, hwaddr offset, unsigned size) { @@ -23,12 +24,87 @@ static uint64_t aspeed_otp_read(void *opaque, hwaddr offset, unsigned size) return val; } +static bool valid_program_data(uint32_t otp_addr, + uint32_t value, uint32_t prog_bit) +{ + uint32_t programmed_bits, has_programmable_bits; + bool is_odd = otp_addr & 1; + + /* + * prog_bit uses 0s to indicate target bits to program: + * - if OTP word is even-indexed, programmed bits flip 0->1 + * - if odd, bits flip 1->0 + * Bit programming is one-way only and irreversible. + */ + if (is_odd) { + programmed_bits = ~value & prog_bit; + } else { + programmed_bits = value & (~prog_bit); + } + + /* If any bit can be programmed, accept the request */ + has_programmable_bits = value ^ (~prog_bit); + + if (programmed_bits) { + trace_aspeed_otp_prog_conflict(otp_addr, programmed_bits); + for (int i = 0; i < 32; ++i) { + if (programmed_bits & (1U << i)) { + trace_aspeed_otp_prog_bit(i); + } + } + } + + return has_programmable_bits != 0; +} + +static bool program_otpmem_data(void *opaque, uint32_t otp_addr, + uint32_t prog_bit, uint32_t *value) +{ + AspeedOTPState *s = opaque; + bool is_odd = otp_addr & 1; + uint32_t otp_offset = otp_addr << 2; + + memcpy(value, s->storage + otp_offset, sizeof(uint32_t)); + + if (!valid_program_data(otp_addr, *value, prog_bit)) { + return false; + } + + if (is_odd) { + *value &= ~prog_bit; + } else { + *value |= ~prog_bit; + } + + return true; +} + static void aspeed_otp_write(void *opaque, hwaddr otp_addr, uint64_t val, unsigned size) { AspeedOTPState *s = opaque; + uint32_t otp_offset, value; - memcpy(s->storage + otp_addr, &val, size); + if (!program_otpmem_data(s, otp_addr, val, &value)) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Failed to program data, value = %x, bit = %"PRIx64"\n", + __func__, value, val); + return; + } + + otp_offset = otp_addr << 2; + memcpy(s->storage + otp_offset, &value, size); + + if (s->blk) { + if (blk_pwrite(s->blk, otp_offset, size, &value, 0) < 0) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Failed to write %x to %x\n", + __func__, value, otp_offset); + + return; + } + } + trace_aspeed_otp_prog(otp_offset, val, value); } static bool aspeed_otp_init_storage(AspeedOTPState *s, Error **errp) @@ -63,6 +139,8 @@ static const MemoryRegionOps aspeed_otp_ops = { .endianness = DEVICE_LITTLE_ENDIAN, .valid.min_access_size = 1, .valid.max_access_size = 4, + .valid.unaligned = true, + .impl.unaligned = true }; static void aspeed_otp_realize(DeviceState *dev, Error **errp) diff --git a/hw/nvram/trace-events b/hw/nvram/trace-events index 5e33b24d47..7084bf70d3 100644 --- a/hw/nvram/trace-events +++ b/hw/nvram/trace-events @@ -1,5 +1,10 @@ # See docs/devel/tracing.rst for syntax documentation. +# aspeed_otp.c +aspeed_otp_prog(uint32_t addr, uint32_t prog_value, uint32_t value) "OTP Memory program: addr 0x%" PRIx32 " prog_value 0x%" PRIx32 " value 0x%" PRIx32 +aspeed_otp_prog_conflict(uint32_t addr, uint32_t bits) "Conflict at addr=0x%x, bits=0x%08x" +aspeed_otp_prog_bit(int bit) "Programmed bit %d" + # ds1225y.c nvram_read(uint32_t addr, uint32_t ret) "read addr %d: 0x%02x" nvram_write(uint32_t addr, uint32_t old, uint32_t val) "write addr %d: 0x%02x -> 0x%02x" From fdad6ec30dfb87df0980887a4c22e55ccf65f9c3 Mon Sep 17 00:00:00 2001 From: Kane-Chen-AS Date: Tue, 12 Aug 2025 17:40:03 +0800 Subject: [PATCH 06/32] hw/arm: Integrate ASPEED OTP memory support into AST1030 SoCs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The has_otp attribute is enabled in the SBC subclasses for AST1030 to control the presence of OTP support per SoC type. Signed-off-by: Kane-Chen-AS Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250812094011.2617526-7-kane_chen@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/arm/aspeed_ast10x0.c | 2 +- hw/misc/aspeed_sbc.c | 16 ++++++++++++++++ include/hw/misc/aspeed_sbc.h | 1 + 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/hw/arm/aspeed_ast10x0.c b/hw/arm/aspeed_ast10x0.c index e6e1ee63c1..c446e70b24 100644 --- a/hw/arm/aspeed_ast10x0.c +++ b/hw/arm/aspeed_ast10x0.c @@ -154,7 +154,7 @@ static void aspeed_soc_ast1030_init(Object *obj) object_initialize_child(obj, "peci", &s->peci, TYPE_ASPEED_PECI); - object_initialize_child(obj, "sbc", &s->sbc, TYPE_ASPEED_SBC); + object_initialize_child(obj, "sbc", &s->sbc, TYPE_ASPEED_AST10X0_SBC); for (i = 0; i < sc->wdts_num; i++) { snprintf(typename, sizeof(typename), "aspeed.wdt-%s", socname); diff --git a/hw/misc/aspeed_sbc.c b/hw/misc/aspeed_sbc.c index b56a8b7678..052c70fd42 100644 --- a/hw/misc/aspeed_sbc.c +++ b/hw/misc/aspeed_sbc.c @@ -285,9 +285,25 @@ static const TypeInfo aspeed_ast2600_sbc_info = { .class_init = aspeed_ast2600_sbc_class_init, }; +static void aspeed_ast10x0_sbc_class_init(ObjectClass *klass, const void *data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + AspeedSBCClass *sc = ASPEED_SBC_CLASS(klass); + + dc->desc = "AST10X0 Secure Boot Controller"; + sc->has_otp = true; +} + +static const TypeInfo aspeed_ast10x0_sbc_info = { + .name = TYPE_ASPEED_AST10X0_SBC, + .parent = TYPE_ASPEED_SBC, + .class_init = aspeed_ast10x0_sbc_class_init, +}; + static void aspeed_sbc_register_types(void) { type_register_static(&aspeed_ast2600_sbc_info); + type_register_static(&aspeed_ast10x0_sbc_info); type_register_static(&aspeed_sbc_info); } diff --git a/include/hw/misc/aspeed_sbc.h b/include/hw/misc/aspeed_sbc.h index 0c2746d392..7d640a022e 100644 --- a/include/hw/misc/aspeed_sbc.h +++ b/include/hw/misc/aspeed_sbc.h @@ -14,6 +14,7 @@ #define TYPE_ASPEED_SBC "aspeed.sbc" #define TYPE_ASPEED_AST2600_SBC TYPE_ASPEED_SBC "-ast2600" +#define TYPE_ASPEED_AST10X0_SBC TYPE_ASPEED_SBC "-ast10x0" OBJECT_DECLARE_TYPE(AspeedSBCState, AspeedSBCClass, ASPEED_SBC) #define ASPEED_SBC_NR_REGS (0x93c >> 2) From 02cebef5a140a0008a8bb0d3db6e33a4e7e4a9d2 Mon Sep 17 00:00:00 2001 From: Kane-Chen-AS Date: Tue, 12 Aug 2025 17:40:04 +0800 Subject: [PATCH 07/32] hw/misc/aspeed_sbc: Add CAMP2 support for OTP data reads MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The OTP space contains three types of entries: data, conf, and strap. Data entries consist of two DWORDs, while the other types contain only one DWORD. This change adds the R_CAMP2 register (0x024 / 4) to store the second DWORD when reading from the OTP data region. With this enhancement, OTP reads now correctly return both DWORDs for data entries via the CAMP registers, along with improved address validation and error handling. Signed-off-by: Kane-Chen-AS Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250812094011.2617526-8-kane_chen@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/misc/aspeed_sbc.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/hw/misc/aspeed_sbc.c b/hw/misc/aspeed_sbc.c index 052c70fd42..787e2d0489 100644 --- a/hw/misc/aspeed_sbc.c +++ b/hw/misc/aspeed_sbc.c @@ -22,6 +22,7 @@ #define R_ADDR (0x010 / 4) #define R_STATUS (0x014 / 4) #define R_CAMP1 (0x020 / 4) +#define R_CAMP2 (0x024 / 4) #define R_QSR (0x040 / 4) /* R_STATUS */ @@ -50,6 +51,8 @@ #define SBC_OTP_CMD_READ 0x23b1e361 #define SBC_OTP_CMD_PROG 0x23b1e364 +#define OTP_DATA_DWORD_COUNT (0x800) +#define OTP_TOTAL_DWORD_COUNT (0x1000) static uint64_t aspeed_sbc_read(void *opaque, hwaddr addr, unsigned int size) { AspeedSBCState *s = ASPEED_SBC(opaque); @@ -72,6 +75,16 @@ static bool aspeed_sbc_otp_read(AspeedSBCState *s, MemTxResult ret; AspeedOTPState *otp = &s->otp; uint32_t value, otp_offset; + bool is_data = false; + + if (otp_addr < OTP_DATA_DWORD_COUNT) { + is_data = true; + } else if (otp_addr >= OTP_TOTAL_DWORD_COUNT) { + qemu_log_mask(LOG_GUEST_ERROR, + "Invalid OTP addr 0x%x\n", + otp_addr); + return false; + } otp_offset = otp_addr << 2; ret = address_space_read(&otp->as, otp_offset, MEMTXATTRS_UNSPECIFIED, @@ -85,6 +98,20 @@ static bool aspeed_sbc_otp_read(AspeedSBCState *s, s->regs[R_CAMP1] = value; trace_aspeed_sbc_otp_read(otp_addr, value); + if (is_data) { + ret = address_space_read(&otp->as, otp_offset + 4, + MEMTXATTRS_UNSPECIFIED, + &value, sizeof(value)); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Failed to read OTP memory, addr = %x\n", + otp_addr); + return false; + } + s->regs[R_CAMP2] = value; + trace_aspeed_sbc_otp_read(otp_addr + 1, value); + } + return true; } From 61dcc2c2db0236fde878d053028c39fe27dc8f36 Mon Sep 17 00:00:00 2001 From: Kane-Chen-AS Date: Tue, 12 Aug 2025 17:40:05 +0800 Subject: [PATCH 08/32] hw/misc/aspeed_sbc: Handle OTP write command for voltage mode registers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Extend OTP command handling to recognize specific voltage mode register addresses and emulate the expected hardware behavior. Without this change, legitimate voltage mode change requests would be incorrectly reported as "Unknown command" and logged as an error. This implementation does not perform actual mode changes, but ensures that valid requests are accepted and ignored as per hardware behavior. Signed-off-by: Kane-Chen-AS Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250812094011.2617526-9-kane_chen@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/misc/aspeed_sbc.c | 41 +++++++++++++++++++++++++++++++++++++++++ hw/misc/trace-events | 1 + 2 files changed, 42 insertions(+) diff --git a/hw/misc/aspeed_sbc.c b/hw/misc/aspeed_sbc.c index 787e2d0489..2fc5db749d 100644 --- a/hw/misc/aspeed_sbc.c +++ b/hw/misc/aspeed_sbc.c @@ -49,10 +49,17 @@ #define OTP_MEMORY_SIZE 0x4000 /* OTP command */ #define SBC_OTP_CMD_READ 0x23b1e361 +#define SBC_OTP_CMD_WRITE 0x23b1e362 #define SBC_OTP_CMD_PROG 0x23b1e364 #define OTP_DATA_DWORD_COUNT (0x800) #define OTP_TOTAL_DWORD_COUNT (0x1000) + +/* Voltage mode */ +#define MODE_REGISTER (0x1000) +#define MODE_REGISTER_A (0x3000) +#define MODE_REGISTER_B (0x5000) + static uint64_t aspeed_sbc_read(void *opaque, hwaddr addr, unsigned int size) { AspeedSBCState *s = ASPEED_SBC(opaque); @@ -115,6 +122,37 @@ static bool aspeed_sbc_otp_read(AspeedSBCState *s, return true; } +static bool mode_handler(uint32_t otp_addr) +{ + switch (otp_addr) { + case MODE_REGISTER: + case MODE_REGISTER_A: + case MODE_REGISTER_B: + /* HW behavior, do nothing here */ + return true; + default: + qemu_log_mask(LOG_GUEST_ERROR, + "Unsupported address 0x%x\n", + otp_addr); + return false; + } +} + +static bool aspeed_sbc_otp_write(AspeedSBCState *s, + uint32_t otp_addr) +{ + if (otp_addr == 0) { + trace_aspeed_sbc_ignore_cmd(otp_addr); + return true; + } else { + if (mode_handler(otp_addr) == false) { + return false; + } + } + + return true; +} + static bool aspeed_sbc_otp_prog(AspeedSBCState *s, uint32_t otp_addr) { @@ -157,6 +195,9 @@ static void aspeed_sbc_handle_command(void *opaque, uint32_t cmd) case SBC_OTP_CMD_READ: ret = aspeed_sbc_otp_read(s, otp_addr); break; + case SBC_OTP_CMD_WRITE: + ret = aspeed_sbc_otp_write(s, otp_addr); + break; case SBC_OTP_CMD_PROG: ret = aspeed_sbc_otp_prog(s, otp_addr); break; diff --git a/hw/misc/trace-events b/hw/misc/trace-events index 9e05b82f37..eeb9243898 100644 --- a/hw/misc/trace-events +++ b/hw/misc/trace-events @@ -91,6 +91,7 @@ slavio_led_mem_writew(uint32_t val) "Write diagnostic LED 0x%04x" slavio_led_mem_readw(uint32_t ret) "Read diagnostic LED 0x%04x" # aspeed_sbc.c +aspeed_sbc_ignore_cmd(uint32_t cmd) "Ignoring command 0x%" PRIx32 aspeed_sbc_handle_cmd(uint32_t cmd, uint32_t addr, bool ret) "Handling command 0x%" PRIx32 " for OTP addr 0x%" PRIx32 " Result: %d" aspeed_sbc_otp_read(uint32_t addr, uint32_t value) "OTP Memory read: addr 0x%" PRIx32 " value 0x%" PRIx32 aspeed_sbc_otp_prog(uint32_t addr, uint32_t value) "OTP Memory write: addr 0x%" PRIx32 " value 0x%" PRIx32 From ea82822b7962df7846fc71a387e0c44867a66e39 Mon Sep 17 00:00:00 2001 From: Kane-Chen-AS Date: Tue, 12 Aug 2025 17:40:07 +0800 Subject: [PATCH 09/32] docs/system/arm/aspeed: Document OTP memory options MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add documentation for the OTP memory module used by AST2600 and AST1030 SoCs, and describe options for using a pre-generated image or an internal buffer. Include example commands for configuration and image generation. Signed-off-by: Kane-Chen-AS Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250812094011.2617526-11-kane_chen@aspeedtech.com Signed-off-by: Cédric Le Goater --- docs/system/arm/aspeed.rst | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst index bf18c56347..6317c0e910 100644 --- a/docs/system/arm/aspeed.rst +++ b/docs/system/arm/aspeed.rst @@ -243,6 +243,37 @@ under Linux), use : -M ast2500-evb,bmc-console=uart3 +OTP Option +^^^^^^^^^^ + +Both the AST2600 and AST1030 chips use the same One Time Programmable +(OTP) memory module, which is utilized for configuration, key storage, +and storing user-programmable data. This OTP memory module is managed +by the Secure Boot Controller (SBC). The following options can be +specified or omitted based on your needs. + + * When the options are specified, the pre-generated configuration + file will be used as the OTP memory storage. + + * When the options are omitted, an internal memory buffer will be + used to store the OTP memory data. + +.. code-block:: bash + + -blockdev driver=file,filename=otpmem.img,node-name=otp \ + -global aspeed-otp.drive=otp \ + +The following bash command can be used to generate a default +configuration file for OTP memory: + +.. code-block:: bash + + if [ ! -f otpmem.img ]; then + for i in $(seq 1 2048); do + printf '\x00\x00\x00\x00\xff\xff\xff\xff' + done > otpmem.img + fi + Aspeed 2700 family boards (``ast2700-evb``) ================================================================== From b28103bb52161e2d240be3e03bf0e8680cb873c9 Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Tue, 2 Sep 2025 14:25:50 +0800 Subject: [PATCH 10/32] hw/arm/aspeed Move ast2700-evb alias to ast2700a1-evb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch moves the "ast2700-evb" alias from the A0 to A1. The A0 machine remains available via its explicit name ("ast2700a0-evb"), while functional tests are updated to target A0 by name instead of relying on the generic alias. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250902062550.3797040-1-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/arm/aspeed.c | 2 +- tests/functional/aarch64/test_aspeed_ast2700.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c index c31bbe7701..d21b21965a 100644 --- a/hw/arm/aspeed.c +++ b/hw/arm/aspeed.c @@ -1995,7 +1995,6 @@ static void aspeed_machine_ast2700a0_evb_class_init(ObjectClass *oc, MachineClass *mc = MACHINE_CLASS(oc); AspeedMachineClass *amc = ASPEED_MACHINE_CLASS(oc); - mc->alias = "ast2700-evb"; mc->desc = "Aspeed AST2700 A0 EVB (Cortex-A35)"; amc->soc_name = "ast2700-a0"; amc->hw_strap1 = AST2700_EVB_HW_STRAP1; @@ -2018,6 +2017,7 @@ static void aspeed_machine_ast2700a1_evb_class_init(ObjectClass *oc, MachineClass *mc = MACHINE_CLASS(oc); AspeedMachineClass *amc = ASPEED_MACHINE_CLASS(oc); + mc->alias = "ast2700-evb"; mc->desc = "Aspeed AST2700 A1 EVB (Cortex-A35)"; amc->soc_name = "ast2700-a1"; amc->hw_strap1 = AST2700_EVB_HW_STRAP1; diff --git a/tests/functional/aarch64/test_aspeed_ast2700.py b/tests/functional/aarch64/test_aspeed_ast2700.py index 8a08bc4688..a3db267294 100755 --- a/tests/functional/aarch64/test_aspeed_ast2700.py +++ b/tests/functional/aarch64/test_aspeed_ast2700.py @@ -115,8 +115,8 @@ class AST2x00MachineSDK(QemuSystemTest): self.do_test_aarch64_aspeed_sdk_start( self.scratch_file(name, 'image-bmc')) - def test_aarch64_ast2700_evb_sdk_v09_06(self): - self.set_machine('ast2700-evb') + def test_aarch64_ast2700a0_evb_sdk_v09_06(self): + self.set_machine('ast2700a0-evb') self.archive_extract(self.ASSET_SDK_V906_AST2700) self.start_ast2700_test('ast2700-a0-default') From 54623e94623cd75aec87ebd1e49b538033676c3f Mon Sep 17 00:00:00 2001 From: Kane-Chen-AS Date: Wed, 17 Sep 2025 11:59:15 +0800 Subject: [PATCH 11/32] tests/functional/arm: Add helper to generate OTP images MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a small helper that generates OTP images at test time. This lets multiple test cases create default OTP contents without shipping prebuilt fixtures and keeps the tests self-contained. Signed-off-by: Kane-Chen-AS Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250917035917.4141723-2-kane_chen@aspeedtech.com Signed-off-by: Cédric Le Goater --- tests/functional/aspeed.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/functional/aspeed.py b/tests/functional/aspeed.py index b131703c52..47e84e035b 100644 --- a/tests/functional/aspeed.py +++ b/tests/functional/aspeed.py @@ -61,3 +61,11 @@ class AspeedTest(LinuxKernelTest): self.wait_for_console_pattern('U-Boot 2019.04') self.wait_for_console_pattern('## Loading kernel from FIT Image') self.wait_for_console_pattern('Starting kernel ...') + + def generate_otpmem_image(self): + path = self.scratch_file("otpmem.img") + pattern = b'\x00\x00\x00\x00\xff\xff\xff\xff' * (16 * 1024 // 8) + with open(path, "wb") as f: + f.write(pattern) + return path + From fb89ceac92012d154f1113190e24e45a42f396fc Mon Sep 17 00:00:00 2001 From: Kane-Chen-AS Date: Wed, 17 Sep 2025 11:59:16 +0800 Subject: [PATCH 12/32] tests/functional/arm: Add AST1030 boot test with generated OTP image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a functional test that boots an AST1030 machine with a generated OTP image. The test verifies that OTP contents are read during early boot and that the system reaches the expected console prompt. Signed-off-by: Kane-Chen-AS Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250917035917.4141723-3-kane_chen@aspeedtech.com Signed-off-by: Cédric Le Goater --- tests/functional/arm/test_aspeed_ast1030.py | 24 +++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/tests/functional/arm/test_aspeed_ast1030.py b/tests/functional/arm/test_aspeed_ast1030.py index 42126b514f..e47b597d0b 100755 --- a/tests/functional/arm/test_aspeed_ast1030.py +++ b/tests/functional/arm/test_aspeed_ast1030.py @@ -7,17 +7,18 @@ # SPDX-License-Identifier: GPL-2.0-or-later from qemu_test import LinuxKernelTest, Asset +from aspeed import AspeedTest from qemu_test import exec_command_and_wait_for_pattern -class AST1030Machine(LinuxKernelTest): +class AST1030Machine(AspeedTest): ASSET_ZEPHYR_3_02 = Asset( ('https://github.com/AspeedTech-BMC' '/zephyr/releases/download/v00.03.02/ast1030-evb-demo.zip'), '1ec83caab3ddd5d09481772801be7210e222cb015ce22ec6fffb8a76956dcd4f') - def test_ast1030_zephyros_3_02(self): + def test_arm_ast1030_zephyros_3_02(self): self.set_machine('ast1030-evb') kernel_name = "ast1030-evb-demo-3/zephyr.elf" @@ -36,7 +37,7 @@ class AST1030Machine(LinuxKernelTest): '/zephyr/releases/download/v00.01.07/ast1030-evb-demo.zip'), 'ad52e27959746988afaed8429bf4e12ab988c05c4d07c9d90e13ec6f7be4574c') - def test_ast1030_zephyros_1_07(self): + def test_arm_ast1030_zephyros_1_07(self): self.set_machine('ast1030-evb') kernel_name = "ast1030-evb-demo/zephyr.bin" @@ -68,6 +69,21 @@ class AST1030Machine(LinuxKernelTest): 'kernel uptime', ]: exec_command_and_wait_for_pattern(self, shell_cmd, "uart:~$") + def test_arm_ast1030_otp_blockdev_device(self): + self.vm.set_machine("ast1030-evb") + + kernel_name = "ast1030-evb-demo-3/zephyr.elf" + kernel_file = self.archive_extract(self.ASSET_ZEPHYR_3_02, member=kernel_name) + otp_img = self.generate_otpmem_image() + + self.vm.set_console() + self.vm.add_args( + "-kernel", kernel_file, + "-blockdev", f"driver=file,filename={otp_img},node-name=otp", + "-global", "aspeed-otp.drive=otp", + ) + self.vm.launch() + self.wait_for_console_pattern("Booting Zephyr OS") if __name__ == '__main__': - LinuxKernelTest.main() + AspeedTest.main() From 2057685f0b02f06ae2aec0627489421f06bc7796 Mon Sep 17 00:00:00 2001 From: Kane-Chen-AS Date: Wed, 17 Sep 2025 11:59:17 +0800 Subject: [PATCH 13/32] tests/functional/arm: Add AST2600 boot test with generated OTP image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a functional test that boots an AST2600 machine with a generated OTP image. The test verifies that OTP contents are read during early boot and that the system reaches the expected console prompt. Signed-off-by: Kane-Chen-AS Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250917035917.4141723-4-kane_chen@aspeedtech.com [ clg: checkpath fixes ] Signed-off-by: Cédric Le Goater --- tests/functional/arm/test_aspeed_ast2600.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/functional/arm/test_aspeed_ast2600.py b/tests/functional/arm/test_aspeed_ast2600.py index 129695ca4e..62949b0b4f 100755 --- a/tests/functional/arm/test_aspeed_ast2600.py +++ b/tests/functional/arm/test_aspeed_ast2600.py @@ -136,5 +136,20 @@ class AST2600Machine(AspeedTest): exec_command_and_wait_for_pattern(self, '/sbin/hwclock -f /dev/rtc1', year) + def test_arm_ast2600_otp_blockdev_device(self): + self.vm.set_machine("ast2600-evb") + + image_path = self.archive_extract(self.ASSET_SDK_V907_AST2600) + otp_img = self.generate_otpmem_image() + + self.vm.set_console() + self.vm.add_args( + "-blockdev", f"driver=file,filename={otp_img},node-name=otp", + "-global", "aspeed-otp.drive=otp", + ) + self.do_test_arm_aspeed_sdk_start( + self.scratch_file("ast2600-default", "image-bmc")) + self.wait_for_console_pattern("ast2600-default login:") + if __name__ == '__main__': AspeedTest.main() From 42dd3c4f7dbceb6ea374b3fbe104781f68008e1f Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Fri, 19 Sep 2025 17:30:00 +0800 Subject: [PATCH 14/32] hw/pci/pci_ids: Add PCI vendor ID for ASPEED MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-2-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- include/hw/pci/pci_ids.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/hw/pci/pci_ids.h b/include/hw/pci/pci_ids.h index 33e2898be9..16034aaa2c 100644 --- a/include/hw/pci/pci_ids.h +++ b/include/hw/pci/pci_ids.h @@ -291,4 +291,6 @@ #define PCI_VENDOR_ID_NVIDIA 0x10de +#define PCI_VENDOR_ID_ASPEED 0x1A03 + #endif From 303e8dc29ffe6dc2417a0240cea604f18371ea12 Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Fri, 19 Sep 2025 17:30:01 +0800 Subject: [PATCH 15/32] hw/pci-host/aspeed: Add AST2600 PCIe PHY model MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch introduces an initial ASPEED PCIe PHY/host controller model to support the AST2600 SoC. It provides a simple register block with MMIO read/write callbacks, integration into the build system, and trace events for debugging. Key changes: 1. PCIe PHY MMIO read/write callbacks Implemented aspeed_pcie_phy_read() and aspeed_pcie_phy_write() to handle 32-bit register accesses. 2. Build system and Kconfig integration Added CONFIG_PCI_EXPRESS_ASPEED in hw/pci-host/Kconfig and meson rules. Updated ASPEED_SOC in hw/arm/Kconfig to imply PCI_DEVICES and select PCI_EXPRESS_ASPEED. 3. Trace events for debug New tracepoints aspeed_pcie_phy_read and aspeed_pcie_phy_write allow monitoring MMIO accesses. 4. Register space and defaults (AST2600 reference) Expose a 0x100 register space, as documented in the AST2600 datasheet. On reset, set default values: PEHR_ID: Vendor ID = ASPEED, Device ID = 0x1150 PEHR_CLASS_CODE = 0x06040006 PEHR_DATALINK = 0xD7040022 PEHR_LINK: bit[5] set to 1 to indicate link up. This provides a skeleton device for the AST2600 platform. It enables firmware to detect the PCIe link as up by default and allows future extension. This commit is the starting point of the series to introduce ASPEED PCIe Root Complex (RC) support. Based on previous work from Cédric Le Goater, the following commits in this series extend and refine the implementation: - Add a PCIe Root Port so that devices can be attached without requiring an extra bridge. - Restrict the Root Port device instantiation to the AST2600 platform. - Integrate aspeed_cfg_translate_write() to support both AST2600 and AST2700. - Add MSI support and a preliminary RC IOMMU address space. - Fix issues with MSI interrupt clearing. - Extend support to the AST2700 SoC. - Drop the AST2600 RC_L support. - Introduce PCIe RC functional tests covering both AST2600 and AST2700. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-3-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/arm/Kconfig | 3 + hw/pci-host/Kconfig | 4 + hw/pci-host/aspeed_pcie.c | 157 ++++++++++++++++++++++++++++++ hw/pci-host/meson.build | 1 + hw/pci-host/trace-events | 4 + include/hw/pci-host/aspeed_pcie.h | 42 ++++++++ 6 files changed, 211 insertions(+) create mode 100644 hw/pci-host/aspeed_pcie.c create mode 100644 include/hw/pci-host/aspeed_pcie.h diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig index 3baa6c6c74..b44b85f436 100644 --- a/hw/arm/Kconfig +++ b/hw/arm/Kconfig @@ -541,6 +541,7 @@ config ASPEED_SOC bool default y depends on TCG && ARM + imply PCI_DEVICES select DS1338 select FTGMAC100 select I2C @@ -561,6 +562,8 @@ config ASPEED_SOC select MAX31785 select FSI_APB2OPB_ASPEED select AT24C + select PCI_EXPRESS + select PCI_EXPRESS_ASPEED config MPS2 bool diff --git a/hw/pci-host/Kconfig b/hw/pci-host/Kconfig index 9824fa188d..8cbb8304a3 100644 --- a/hw/pci-host/Kconfig +++ b/hw/pci-host/Kconfig @@ -46,6 +46,10 @@ config PCI_I440FX select PCI select PAM +config PCI_EXPRESS_ASPEED + bool + select PCI_EXPRESS + config PCI_EXPRESS_Q35 bool select PCI_EXPRESS diff --git a/hw/pci-host/aspeed_pcie.c b/hw/pci-host/aspeed_pcie.c new file mode 100644 index 0000000000..4c74520052 --- /dev/null +++ b/hw/pci-host/aspeed_pcie.c @@ -0,0 +1,157 @@ +/* + * ASPEED PCIe Host Controller + * + * Copyright (C) 2025 ASPEED Technology Inc. + * Copyright (c) 2022 Cédric Le Goater + * + * Authors: + * Cédric Le Goater + * Jamin Lin + * + * SPDX-License-Identifier: GPL-2.0-or-later + * + * Based on previous work from Cédric Le Goater. + * Modifications extend support for the ASPEED AST2600 and AST2700 platforms. + */ + +#include "qemu/osdep.h" +#include "qemu/log.h" +#include "qapi/error.h" +#include "hw/qdev-properties.h" +#include "hw/registerfields.h" +#include "hw/irq.h" +#include "hw/pci/pci_host.h" +#include "hw/pci-host/aspeed_pcie.h" +#include "hw/pci/msi.h" +#include "trace.h" + +/* + * PCIe PHY + * + * PCIe Host Controller (PCIEH) + */ + +/* AST2600 */ +REG32(PEHR_ID, 0x00) + FIELD(PEHR_ID, DEV, 16, 16) +REG32(PEHR_CLASS_CODE, 0x04) +REG32(PEHR_DATALINK, 0x10) +REG32(PEHR_PROTECT, 0x7C) + FIELD(PEHR_PROTECT, LOCK, 0, 8) +REG32(PEHR_LINK, 0xC0) + FIELD(PEHR_LINK, STS, 5, 1) + +#define ASPEED_PCIE_PHY_UNLOCK 0xA8 + +static uint64_t aspeed_pcie_phy_read(void *opaque, hwaddr addr, + unsigned int size) +{ + AspeedPCIEPhyState *s = ASPEED_PCIE_PHY(opaque); + uint32_t reg = addr >> 2; + uint32_t value = 0; + + value = s->regs[reg]; + + trace_aspeed_pcie_phy_read(s->id, addr, value); + + return value; +} + +static void aspeed_pcie_phy_write(void *opaque, hwaddr addr, uint64_t data, + unsigned int size) +{ + AspeedPCIEPhyState *s = ASPEED_PCIE_PHY(opaque); + uint32_t reg = addr >> 2; + + trace_aspeed_pcie_phy_write(s->id, addr, data); + + switch (reg) { + case R_PEHR_PROTECT: + data &= R_PEHR_PROTECT_LOCK_MASK; + s->regs[reg] = !!(data == ASPEED_PCIE_PHY_UNLOCK); + break; + default: + s->regs[reg] = data; + break; + } +} + +static const MemoryRegionOps aspeed_pcie_phy_ops = { + .read = aspeed_pcie_phy_read, + .write = aspeed_pcie_phy_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .valid = { + .min_access_size = 1, + .max_access_size = 4, + }, +}; + +static void aspeed_pcie_phy_reset(DeviceState *dev) +{ + AspeedPCIEPhyState *s = ASPEED_PCIE_PHY(dev); + AspeedPCIEPhyClass *apc = ASPEED_PCIE_PHY_GET_CLASS(s); + + memset(s->regs, 0, apc->nr_regs << 2); + + s->regs[R_PEHR_ID] = + (0x1150 << R_PEHR_ID_DEV_SHIFT) | PCI_VENDOR_ID_ASPEED; + s->regs[R_PEHR_CLASS_CODE] = 0x06040006; + s->regs[R_PEHR_DATALINK] = 0xD7040022; + s->regs[R_PEHR_LINK] = R_PEHR_LINK_STS_MASK; +} + +static void aspeed_pcie_phy_realize(DeviceState *dev, Error **errp) +{ + AspeedPCIEPhyState *s = ASPEED_PCIE_PHY(dev); + AspeedPCIEPhyClass *apc = ASPEED_PCIE_PHY_GET_CLASS(s); + SysBusDevice *sbd = SYS_BUS_DEVICE(dev); + g_autofree char *name = NULL; + + s->regs = g_new(uint32_t, apc->nr_regs); + name = g_strdup_printf(TYPE_ASPEED_PCIE_PHY ".regs.%d", s->id); + memory_region_init_io(&s->mmio, OBJECT(s), &aspeed_pcie_phy_ops, s, name, + apc->nr_regs << 2); + sysbus_init_mmio(sbd, &s->mmio); +} + +static void aspeed_pcie_phy_unrealize(DeviceState *dev) +{ + AspeedPCIEPhyState *s = ASPEED_PCIE_PHY(dev); + + g_free(s->regs); + s->regs = NULL; +} + +static const Property aspeed_pcie_phy_props[] = { + DEFINE_PROP_UINT32("id", AspeedPCIEPhyState, id, 0), +}; + +static void aspeed_pcie_phy_class_init(ObjectClass *klass, const void *data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + AspeedPCIEPhyClass *apc = ASPEED_PCIE_PHY_CLASS(klass); + + dc->desc = "ASPEED PCIe Phy"; + dc->realize = aspeed_pcie_phy_realize; + dc->unrealize = aspeed_pcie_phy_unrealize; + device_class_set_legacy_reset(dc, aspeed_pcie_phy_reset); + device_class_set_props(dc, aspeed_pcie_phy_props); + + apc->nr_regs = 0x100 >> 2; +} + +static const TypeInfo aspeed_pcie_phy_info = { + .name = TYPE_ASPEED_PCIE_PHY, + .parent = TYPE_SYS_BUS_DEVICE, + .instance_size = sizeof(AspeedPCIEPhyState), + .class_init = aspeed_pcie_phy_class_init, + .class_size = sizeof(AspeedPCIEPhyClass), +}; + +static void aspeed_pcie_register_types(void) +{ + type_register_static(&aspeed_pcie_phy_info); +} + +type_init(aspeed_pcie_register_types); + diff --git a/hw/pci-host/meson.build b/hw/pci-host/meson.build index 937a0f72ac..86b754d0b0 100644 --- a/hw/pci-host/meson.build +++ b/hw/pci-host/meson.build @@ -2,6 +2,7 @@ pci_ss = ss.source_set() pci_ss.add(when: 'CONFIG_PAM', if_true: files('pam.c')) pci_ss.add(when: 'CONFIG_PCI_BONITO', if_true: files('bonito.c')) pci_ss.add(when: 'CONFIG_GT64120', if_true: files('gt64120.c')) +pci_ss.add(when: 'CONFIG_PCI_EXPRESS_ASPEED', if_true: files('aspeed_pcie.c')) pci_ss.add(when: 'CONFIG_PCI_EXPRESS_DESIGNWARE', if_true: files('designware.c')) pci_ss.add(when: 'CONFIG_PCI_EXPRESS_GENERIC_BRIDGE', if_true: files('gpex.c')) pci_ss.add(when: ['CONFIG_PCI_EXPRESS_GENERIC_BRIDGE', 'CONFIG_ACPI'], if_true: files('gpex-acpi.c')) diff --git a/hw/pci-host/trace-events b/hw/pci-host/trace-events index 0a816b9aa1..3438516756 100644 --- a/hw/pci-host/trace-events +++ b/hw/pci-host/trace-events @@ -1,5 +1,9 @@ # See docs/devel/tracing.rst for syntax documentation. +# aspeed_pcie.c +aspeed_pcie_phy_read(uint32_t id, uint64_t addr, uint32_t value) "%d: addr 0x%" PRIx64 " value 0x%" PRIx32 +aspeed_pcie_phy_write(uint32_t id, uint64_t addr, uint32_t value) "%d: addr 0x%" PRIx64 " value 0x%" PRIx32 + # bonito.c bonito_spciconf_small_access(uint64_t addr, unsigned size) "PCI config address is smaller then 32-bit, addr: 0x%"PRIx64", size: %u" diff --git a/include/hw/pci-host/aspeed_pcie.h b/include/hw/pci-host/aspeed_pcie.h new file mode 100644 index 0000000000..d9fb829048 --- /dev/null +++ b/include/hw/pci-host/aspeed_pcie.h @@ -0,0 +1,42 @@ +/* + * ASPEED PCIe Host Controller + * + * Copyright (C) 2025 ASPEED Technology Inc. + * Copyright (c) 2022 Cédric Le Goater + * + * Authors: + * Cédric Le Goater + * Jamin Lin + * + * SPDX-License-Identifier: GPL-2.0-or-later + * + * Based on previous work from Cédric Le Goater. + * Modifications extend support for the ASPEED AST2600 and AST2700 platforms. + */ + +#ifndef ASPEED_PCIE_H +#define ASPEED_PCIE_H + +#include "hw/sysbus.h" +#include "hw/pci/pci_bridge.h" +#include "hw/pci/pcie_host.h" +#include "qom/object.h" + +#define TYPE_ASPEED_PCIE_PHY "aspeed.pcie-phy" +OBJECT_DECLARE_TYPE(AspeedPCIEPhyState, AspeedPCIEPhyClass, ASPEED_PCIE_PHY); + +struct AspeedPCIEPhyState { + SysBusDevice parent_obj; + + MemoryRegion mmio; + uint32_t *regs; + uint32_t id; +}; + +struct AspeedPCIEPhyClass { + SysBusDeviceClass parent_class; + + uint64_t nr_regs; +}; + +#endif /* ASPEED_PCIE_H */ From f002aa35f3205d55bbe4a68670ba19a6dcf1d6a8 Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Fri, 19 Sep 2025 17:30:02 +0800 Subject: [PATCH 16/32] hw/pci-host/aspeed: Add AST2600 PCIe config space and host bridge MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Introduce PCIe config and host bridge model for the AST2600 platform. This patch adds support for the H2X (AHB to PCIe Bus Bridge) controller with a 0x100 byte register space. The register layout is shared between two root complexes: 0x00–0x7f is common, 0x80–0xbf for RC_L, and 0xc0–0xff for RC_H. Only RC_H is modeled in this implementation. The RC_H bus uses bus numbers in the 0x80–0xff range instead of the standard root bus 0x00. To allow the PCI subsystem to discover devices, the host bridge logic remaps the root bus number back to 0x00 whenever the configured bus number matches the "bus-nr" property. New MMIO callbacks are added for the H2X config space: - aspeed_pcie_cfg_read() and aspeed_pcie_cfg_write() handle register accesses. - aspeed_pcie_cfg_readwrite() provides configuration read/write support. - aspeed_pcie_cfg_translate_write() handles PCIe byte-enable semantics for write operations. The reset handler initializes the H2X register block with default values as defined in the AST2600 datasheet. Additional changes: - Implement ASPEED PCIe root complex (TYPE_ASPEED_PCIE_RC). - Wire up interrupt propagation via aspeed_pcie_rc_set_irq(). - Add tracepoints for config read/write and INTx handling. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-4-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/pci-host/aspeed_pcie.c | 421 ++++++++++++++++++++++++++++++ hw/pci-host/trace-events | 4 + include/hw/pci-host/aspeed_pcie.h | 59 +++++ 3 files changed, 484 insertions(+) diff --git a/hw/pci-host/aspeed_pcie.c b/hw/pci-host/aspeed_pcie.c index 4c74520052..c3e92ee449 100644 --- a/hw/pci-host/aspeed_pcie.c +++ b/hw/pci-host/aspeed_pcie.c @@ -25,6 +25,425 @@ #include "hw/pci/msi.h" #include "trace.h" +/* + * PCIe Root Complex (RC) + */ + +static void aspeed_pcie_rc_set_irq(void *opaque, int irq, int level) +{ + AspeedPCIERcState *rc = (AspeedPCIERcState *) opaque; + AspeedPCIECfgState *cfg = + container_of(rc, AspeedPCIECfgState, rc); + bool intx; + + assert(irq < PCI_NUM_PINS); + + if (level) { + cfg->regs[cfg->rc_regs->int_sts_reg] |= BIT(irq); + } else { + cfg->regs[cfg->rc_regs->int_sts_reg] &= ~BIT(irq); + } + + intx = !!(cfg->regs[cfg->rc_regs->int_sts_reg] & + cfg->regs[cfg->rc_regs->int_en_reg]); + trace_aspeed_pcie_rc_intx_set_irq(cfg->id, irq, intx); + qemu_set_irq(rc->irq, intx); +} + +static int aspeed_pcie_rc_map_irq(PCIDevice *pci_dev, int irq_num) +{ + return irq_num % PCI_NUM_PINS; +} + +static void aspeed_pcie_rc_realize(DeviceState *dev, Error **errp) +{ + PCIExpressHost *pex = PCIE_HOST_BRIDGE(dev); + AspeedPCIERcState *rc = ASPEED_PCIE_RC(dev); + AspeedPCIECfgState *cfg = + container_of(rc, AspeedPCIECfgState, rc); + PCIHostState *pci = PCI_HOST_BRIDGE(dev); + SysBusDevice *sbd = SYS_BUS_DEVICE(dev); + g_autofree char *ioport_window_name = NULL; + g_autofree char *mmio_window_name = NULL; + g_autofree char *root_bus_name = NULL; + + /* PCI configuration space */ + pcie_host_mmcfg_init(pex, PCIE_MMCFG_SIZE_MAX); + sysbus_init_mmio(sbd, &pex->mmio); + + /* MMIO and IO region */ + memory_region_init(&rc->mmio, OBJECT(rc), "mmio", UINT64_MAX); + memory_region_init(&rc->io, OBJECT(rc), "io", 0x10000); + + mmio_window_name = g_strdup_printf("pcie.%d.mmio_window", cfg->id); + memory_region_init_io(&rc->mmio_window, OBJECT(rc), &unassigned_io_ops, + OBJECT(rc), mmio_window_name, UINT64_MAX); + ioport_window_name = g_strdup_printf("pcie.%d.ioport_window", cfg->id); + memory_region_init_io(&rc->io_window, OBJECT(rc), &unassigned_io_ops, + OBJECT(rc), ioport_window_name, 0x10000); + + memory_region_add_subregion(&rc->mmio_window, 0, &rc->mmio); + memory_region_add_subregion(&rc->io_window, 0, &rc->io); + sysbus_init_mmio(sbd, &rc->mmio_window); + sysbus_init_mmio(sbd, &rc->io_window); + + sysbus_init_irq(sbd, &rc->irq); + root_bus_name = g_strdup_printf("pcie.rc%d", cfg->id); + pci->bus = pci_register_root_bus(dev, root_bus_name, + aspeed_pcie_rc_set_irq, + aspeed_pcie_rc_map_irq, rc, &rc->mmio, + &rc->io, 0, 4, TYPE_PCIE_BUS); + pci->bus->flags |= PCI_BUS_EXTENDED_CONFIG_SPACE; +} + +static const char *aspeed_pcie_rc_root_bus_path(PCIHostState *host_bridge, + PCIBus *rootbus) +{ + AspeedPCIERcState *rc = ASPEED_PCIE_RC(host_bridge); + AspeedPCIECfgState *cfg = + container_of(rc, AspeedPCIECfgState, rc); + + snprintf(rc->name, sizeof(rc->name), "%04x:%02x", cfg->id, rc->bus_nr); + + return rc->name; +} + +static const Property aspeed_pcie_rc_props[] = { + DEFINE_PROP_UINT32("bus-nr", AspeedPCIERcState, bus_nr, 0), +}; + +static void aspeed_pcie_rc_class_init(ObjectClass *klass, const void *data) +{ + PCIHostBridgeClass *hc = PCI_HOST_BRIDGE_CLASS(klass); + DeviceClass *dc = DEVICE_CLASS(klass); + + dc->desc = "ASPEED PCIe RC"; + dc->realize = aspeed_pcie_rc_realize; + dc->fw_name = "pci"; + set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories); + + hc->root_bus_path = aspeed_pcie_rc_root_bus_path; + device_class_set_props(dc, aspeed_pcie_rc_props); + + msi_nonbroken = true; +} + +static const TypeInfo aspeed_pcie_rc_info = { + .name = TYPE_ASPEED_PCIE_RC, + .parent = TYPE_PCIE_HOST_BRIDGE, + .instance_size = sizeof(AspeedPCIERcState), + .class_init = aspeed_pcie_rc_class_init, +}; + +/* + * PCIe Config + * + * AHB to PCIe Bus Bridge (H2X) + * + * On the AST2600: + * NOTE: rc_l is not supported by this model. + * - Registers 0x00 - 0x7F are shared by both PCIe0 (rc_l) and PCIe1 (rc_h). + * - Registers 0x80 - 0xBF are specific to PCIe0. + * - Registers 0xC0 - 0xFF are specific to PCIe1. + */ + +/* AST2600 */ +REG32(H2X_CTRL, 0x00) + FIELD(H2X_CTRL, CLEAR_RX, 4, 1) +REG32(H2X_TX_CLEAR, 0x08) + FIELD(H2X_TX_CLEAR, IDLE, 0, 1) +REG32(H2X_RDATA, 0x0C) +REG32(H2X_TX_DESC0, 0x10) +REG32(H2X_TX_DESC1, 0x14) +REG32(H2X_TX_DESC2, 0x18) +REG32(H2X_TX_DESC3, 0x1C) +REG32(H2X_TX_DATA, 0x20) +REG32(H2X_TX_STS, 0x24) + FIELD(H2X_TX_STS, IDLE, 31, 1) + FIELD(H2X_TX_STS, RC_L_TX_COMP, 24, 1) + FIELD(H2X_TX_STS, RC_H_TX_COMP, 25, 1) + FIELD(H2X_TX_STS, TRIG, 0, 1) +REG32(H2X_RC_H_CTRL, 0xC0) +REG32(H2X_RC_H_INT_EN, 0xC4) +REG32(H2X_RC_H_INT_STS, 0xC8) + SHARED_FIELD(H2X_RC_INT_INTDONE, 4, 1) + SHARED_FIELD(H2X_RC_INT_INTX, 0, 4) +REG32(H2X_RC_H_RDATA, 0xCC) + +#define TLP_FMTTYPE_CFGRD0 0x04 /* Configuration Read Type 0 */ +#define TLP_FMTTYPE_CFGWR0 0x44 /* Configuration Write Type 0 */ +#define TLP_FMTTYPE_CFGRD1 0x05 /* Configuration Read Type 1 */ +#define TLP_FMTTYPE_CFGWR1 0x45 /* Configuration Write Type 1 */ + +#define PCIE_CFG_FMTTYPE_MASK(x) (((x) >> 24) & 0xff) +#define PCIE_CFG_BYTE_EN(x) ((x) & 0xf) + +static const AspeedPCIERegMap aspeed_regmap = { + .rc = { + .int_en_reg = R_H2X_RC_H_INT_EN, + .int_sts_reg = R_H2X_RC_H_INT_STS, + }, +}; + +static uint64_t aspeed_pcie_cfg_read(void *opaque, hwaddr addr, + unsigned int size) +{ + AspeedPCIECfgState *s = ASPEED_PCIE_CFG(opaque); + uint32_t reg = addr >> 2; + uint32_t value = 0; + + value = s->regs[reg]; + + trace_aspeed_pcie_cfg_read(s->id, addr, value); + + return value; +} + +static void aspeed_pcie_cfg_translate_write(uint8_t byte_en, uint32_t *addr, + uint64_t *val, int *len) +{ + uint64_t packed_val = 0; + int first_bit = -1; + int index = 0; + int i; + + *len = ctpop8(byte_en); + + if (*len == 0 || *len > 4) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid byte enable: 0x%x\n", + __func__, byte_en); + return; + } + + /* Special case: full 4-byte write must be 4-byte aligned */ + if (byte_en == 0x0f) { + if ((*addr & 0x3) != 0) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: 4-byte write not 4-byte aligned: addr=0x%x\n", + __func__, *addr); + return; + } + *val &= 0xffffffffULL; + return; + } + + for (i = 0; i < 4; i++) { + if (byte_en & (1 << i)) { + if (first_bit < 0) { + first_bit = i; + } + packed_val |= ((*val >> (i * 8)) & 0xff) << (index * 8); + index++; + } + } + + *addr += first_bit; + *val = packed_val; +} + +static void aspeed_pcie_cfg_readwrite(AspeedPCIECfgState *s, + const AspeedPCIECfgTxDesc *desc) +{ + AspeedPCIERcState *rc = &s->rc; + PCIHostState *pci = NULL; + PCIDevice *pdev = NULL; + uint32_t cfg_addr; + uint32_t offset; + uint8_t byte_en; + bool is_write; + uint8_t devfn; + uint64_t val; + uint8_t bus; + int len; + + val = ~0; + is_write = !!(desc->desc0 & BIT(30)); + cfg_addr = desc->desc2; + + bus = (cfg_addr >> 24) & 0xff; + devfn = (cfg_addr >> 16) & 0xff; + offset = cfg_addr & 0xffc; + + pci = PCI_HOST_BRIDGE(rc); + + /* + * On the AST2600, the RC_H bus number range from 0x80 to 0xFF, with the + * root device and root port assigned to bus 0x80 instead of the standard + * 0x00. To allow the PCI subsystem to correctly discover devices on the + * root bus, bus 0x80 is remapped to 0x00. + */ + if (bus == rc->bus_nr) { + bus = 0; + } + + pdev = pci_find_device(pci->bus, bus, devfn); + if (!pdev) { + s->regs[desc->rdata_reg] = ~0; + goto out; + } + + switch (PCIE_CFG_FMTTYPE_MASK(desc->desc0)) { + case TLP_FMTTYPE_CFGWR0: + case TLP_FMTTYPE_CFGWR1: + byte_en = PCIE_CFG_BYTE_EN(desc->desc1); + val = desc->wdata; + aspeed_pcie_cfg_translate_write(byte_en, &offset, &val, &len); + pci_host_config_write_common(pdev, offset, pci_config_size(pdev), + val, len); + break; + case TLP_FMTTYPE_CFGRD0: + case TLP_FMTTYPE_CFGRD1: + val = pci_host_config_read_common(pdev, offset, + pci_config_size(pdev), 4); + s->regs[desc->rdata_reg] = val; + break; + default: + qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid CFG type. DESC0=0x%x\n", + __func__, desc->desc0); + } + +out: + trace_aspeed_pcie_cfg_rw(s->id, is_write ? "write" : "read", bus, devfn, + cfg_addr, val); +} + +static void aspeed_pcie_cfg_write(void *opaque, hwaddr addr, uint64_t data, + unsigned int size) +{ + AspeedPCIECfgState *s = ASPEED_PCIE_CFG(opaque); + AspeedPCIECfgTxDesc desc; + uint32_t reg = addr >> 2; + uint32_t rc_reg; + + trace_aspeed_pcie_cfg_write(s->id, addr, data); + + switch (reg) { + case R_H2X_CTRL: + if (data & R_H2X_CTRL_CLEAR_RX_MASK) { + s->regs[R_H2X_RDATA] = ~0; + } + break; + case R_H2X_TX_CLEAR: + if (data & R_H2X_TX_CLEAR_IDLE_MASK) { + s->regs[R_H2X_TX_STS] &= ~R_H2X_TX_STS_IDLE_MASK; + } + break; + case R_H2X_TX_STS: + if (data & R_H2X_TX_STS_TRIG_MASK) { + desc.desc0 = s->regs[R_H2X_TX_DESC0]; + desc.desc1 = s->regs[R_H2X_TX_DESC1]; + desc.desc2 = s->regs[R_H2X_TX_DESC2]; + desc.desc3 = s->regs[R_H2X_TX_DESC3]; + desc.wdata = s->regs[R_H2X_TX_DATA]; + desc.rdata_reg = R_H2X_RC_H_RDATA; + aspeed_pcie_cfg_readwrite(s, &desc); + rc_reg = s->rc_regs->int_sts_reg; + s->regs[rc_reg] |= H2X_RC_INT_INTDONE_MASK; + s->regs[R_H2X_TX_STS] |= + BIT(R_H2X_TX_STS_RC_H_TX_COMP_SHIFT); + s->regs[R_H2X_TX_STS] |= R_H2X_TX_STS_IDLE_MASK; + } + break; + /* preserve INTx status */ + case R_H2X_RC_H_INT_STS: + if (data & H2X_RC_INT_INTDONE_MASK) { + s->regs[R_H2X_TX_STS] &= ~R_H2X_TX_STS_RC_H_TX_COMP_MASK; + } + s->regs[reg] &= ~data | H2X_RC_INT_INTX_MASK; + break; + default: + s->regs[reg] = data; + break; + } +} + +static const MemoryRegionOps aspeed_pcie_cfg_ops = { + .read = aspeed_pcie_cfg_read, + .write = aspeed_pcie_cfg_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .valid = { + .min_access_size = 1, + .max_access_size = 4, + }, +}; + +static void aspeed_pcie_cfg_instance_init(Object *obj) +{ + AspeedPCIECfgState *s = ASPEED_PCIE_CFG(obj); + + object_initialize_child(obj, "rc", &s->rc, TYPE_ASPEED_PCIE_RC); + + return; +} + +static void aspeed_pcie_cfg_reset(DeviceState *dev) +{ + AspeedPCIECfgState *s = ASPEED_PCIE_CFG(dev); + AspeedPCIECfgClass *apc = ASPEED_PCIE_CFG_GET_CLASS(s); + + memset(s->regs, 0, apc->nr_regs << 2); +} + +static void aspeed_pcie_cfg_realize(DeviceState *dev, Error **errp) +{ + SysBusDevice *sbd = SYS_BUS_DEVICE(dev); + AspeedPCIECfgState *s = ASPEED_PCIE_CFG(dev); + AspeedPCIECfgClass *apc = ASPEED_PCIE_CFG_GET_CLASS(s); + g_autofree char *name = NULL; + + s->rc_regs = &apc->reg_map->rc; + s->regs = g_new(uint32_t, apc->nr_regs); + name = g_strdup_printf(TYPE_ASPEED_PCIE_CFG ".regs.%d", s->id); + memory_region_init_io(&s->mmio, OBJECT(s), apc->reg_ops, s, name, + apc->nr_regs << 2); + sysbus_init_mmio(sbd, &s->mmio); + + object_property_set_int(OBJECT(&s->rc), "bus-nr", + apc->rc_bus_nr, + &error_abort); + if (!sysbus_realize(SYS_BUS_DEVICE(&s->rc), errp)) { + return; + } +} + +static void aspeed_pcie_cfg_unrealize(DeviceState *dev) +{ + AspeedPCIECfgState *s = ASPEED_PCIE_CFG(dev); + + g_free(s->regs); + s->regs = NULL; +} + +static const Property aspeed_pcie_cfg_props[] = { + DEFINE_PROP_UINT32("id", AspeedPCIECfgState, id, 0), +}; + +static void aspeed_pcie_cfg_class_init(ObjectClass *klass, const void *data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + AspeedPCIECfgClass *apc = ASPEED_PCIE_CFG_CLASS(klass); + + dc->desc = "ASPEED PCIe Config"; + dc->realize = aspeed_pcie_cfg_realize; + dc->unrealize = aspeed_pcie_cfg_unrealize; + device_class_set_legacy_reset(dc, aspeed_pcie_cfg_reset); + device_class_set_props(dc, aspeed_pcie_cfg_props); + + apc->reg_ops = &aspeed_pcie_cfg_ops; + apc->reg_map = &aspeed_regmap; + apc->nr_regs = 0x100 >> 2; + apc->rc_bus_nr = 0x80; +} + +static const TypeInfo aspeed_pcie_cfg_info = { + .name = TYPE_ASPEED_PCIE_CFG, + .parent = TYPE_SYS_BUS_DEVICE, + .instance_init = aspeed_pcie_cfg_instance_init, + .instance_size = sizeof(AspeedPCIECfgState), + .class_init = aspeed_pcie_cfg_class_init, + .class_size = sizeof(AspeedPCIECfgClass), +}; + /* * PCIe PHY * @@ -150,6 +569,8 @@ static const TypeInfo aspeed_pcie_phy_info = { static void aspeed_pcie_register_types(void) { + type_register_static(&aspeed_pcie_rc_info); + type_register_static(&aspeed_pcie_cfg_info); type_register_static(&aspeed_pcie_phy_info); } diff --git a/hw/pci-host/trace-events b/hw/pci-host/trace-events index 3438516756..2584ea56e2 100644 --- a/hw/pci-host/trace-events +++ b/hw/pci-host/trace-events @@ -1,6 +1,10 @@ # See docs/devel/tracing.rst for syntax documentation. # aspeed_pcie.c +aspeed_pcie_rc_intx_set_irq(uint32_t id, int num, int level) "%d: num %d set IRQ leve %d" +aspeed_pcie_cfg_read(uint32_t id, uint64_t addr, uint32_t value) "%d: addr 0x%" PRIx64 " value 0x%" PRIx32 +aspeed_pcie_cfg_write(uint32_t id, uint64_t addr, uint32_t value) "%d: addr 0x%" PRIx64 " value 0x%" PRIx32 +aspeed_pcie_cfg_rw(uint32_t id, const char *dir, uint8_t bus, uint8_t devfn, uint64_t addr, uint64_t data) "%d: %s bus:0x%x devfn:0x%x addr 0x%" PRIx64 " data 0x%" PRIx64 aspeed_pcie_phy_read(uint32_t id, uint64_t addr, uint32_t value) "%d: addr 0x%" PRIx64 " value 0x%" PRIx32 aspeed_pcie_phy_write(uint32_t id, uint64_t addr, uint32_t value) "%d: addr 0x%" PRIx64 " value 0x%" PRIx32 diff --git a/include/hw/pci-host/aspeed_pcie.h b/include/hw/pci-host/aspeed_pcie.h index d9fb829048..850d579189 100644 --- a/include/hw/pci-host/aspeed_pcie.h +++ b/include/hw/pci-host/aspeed_pcie.h @@ -22,6 +22,65 @@ #include "hw/pci/pcie_host.h" #include "qom/object.h" +typedef struct AspeedPCIECfgTxDesc { + uint32_t desc0; + uint32_t desc1; + uint32_t desc2; + uint32_t desc3; + uint32_t wdata; + uint32_t rdata_reg; +} AspeedPCIECfgTxDesc; + +typedef struct AspeedPCIERcRegs { + uint32_t int_en_reg; + uint32_t int_sts_reg; +} AspeedPCIERcRegs; + +typedef struct AspeedPCIERegMap { + AspeedPCIERcRegs rc; +} AspeedPCIERegMap; + +#define TYPE_ASPEED_PCIE_RC "aspeed.pcie-rc" +OBJECT_DECLARE_SIMPLE_TYPE(AspeedPCIERcState, ASPEED_PCIE_RC); + +struct AspeedPCIERcState { + PCIExpressHost parent_obj; + + MemoryRegion mmio_window; + MemoryRegion io_window; + MemoryRegion mmio; + MemoryRegion io; + + uint32_t bus_nr; + char name[16]; + qemu_irq irq; +}; + +/* Bridge between AHB bus and PCIe RC. */ +#define TYPE_ASPEED_PCIE_CFG "aspeed.pcie-cfg" +OBJECT_DECLARE_TYPE(AspeedPCIECfgState, AspeedPCIECfgClass, ASPEED_PCIE_CFG); + +struct AspeedPCIECfgState { + SysBusDevice parent_obj; + + MemoryRegion mmio; + uint32_t *regs; + uint32_t id; + + const AspeedPCIERcRegs *rc_regs; + AspeedPCIERcState rc; +}; + +struct AspeedPCIECfgClass { + SysBusDeviceClass parent_class; + + const AspeedPCIERegMap *reg_map; + const MemoryRegionOps *reg_ops; + + uint64_t rc_bus_nr; + uint64_t nr_regs; +}; + #define TYPE_ASPEED_PCIE_PHY "aspeed.pcie-phy" OBJECT_DECLARE_TYPE(AspeedPCIEPhyState, AspeedPCIEPhyClass, ASPEED_PCIE_PHY); From cac2f082936de3c35c7b9c04fef4dc99b7af9898 Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Fri, 19 Sep 2025 17:30:03 +0800 Subject: [PATCH 17/32] hw/pci-host/aspeed: Add AST2600 PCIe Root Device support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Introduce a PCIe Root Device for AST2600 platform. The AST2600 root complex exposes a PCIe root device at bus 80, devfn 0. This root device is implemented as a child of the PCIe RC and modeled as a host bridge PCI function (class_id = PCI_CLASS_BRIDGE_HOST). Key changes: - Add a new device type "aspeed.pcie-root-device". - Instantiate the root device as part of AspeedPCIERcState. - Initialize it during RC realize() and attach it to the root bus. - Mark the root device as non-user-creatable. - Add RC boolean property "has-rd" to control whether the Root Device is created (platforms can enable/disable it as needed). Note: Only AST2600 implements this PCIe root device. AST2700 does not provide one. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-5-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/pci-host/aspeed_pcie.c | 56 +++++++++++++++++++++++++++++++ include/hw/pci-host/aspeed_pcie.h | 11 ++++++ 2 files changed, 67 insertions(+) diff --git a/hw/pci-host/aspeed_pcie.c b/hw/pci-host/aspeed_pcie.c index c3e92ee449..6e563a07a3 100644 --- a/hw/pci-host/aspeed_pcie.c +++ b/hw/pci-host/aspeed_pcie.c @@ -25,6 +25,44 @@ #include "hw/pci/msi.h" #include "trace.h" +/* + * PCIe Root Device + * This device exists only on AST2600. + */ + +static void aspeed_pcie_root_device_class_init(ObjectClass *klass, + const void *data) +{ + PCIDeviceClass *k = PCI_DEVICE_CLASS(klass); + DeviceClass *dc = DEVICE_CLASS(klass); + + set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories); + dc->desc = "ASPEED PCIe Root Device"; + k->vendor_id = PCI_VENDOR_ID_ASPEED; + k->device_id = 0x2600; + k->class_id = PCI_CLASS_BRIDGE_HOST; + k->subsystem_vendor_id = k->vendor_id; + k->subsystem_id = k->device_id; + k->revision = 0; + + /* + * PCI-facing part of the host bridge, + * not usable without the host-facing part + */ + dc->user_creatable = false; +} + +static const TypeInfo aspeed_pcie_root_device_info = { + .name = TYPE_ASPEED_PCIE_ROOT_DEVICE, + .parent = TYPE_PCI_DEVICE, + .instance_size = sizeof(AspeedPCIERootDeviceState), + .class_init = aspeed_pcie_root_device_class_init, + .interfaces = (const InterfaceInfo[]) { + { INTERFACE_CONVENTIONAL_PCI_DEVICE }, + { }, + }, +}; + /* * PCIe Root Complex (RC) */ @@ -94,6 +132,18 @@ static void aspeed_pcie_rc_realize(DeviceState *dev, Error **errp) aspeed_pcie_rc_map_irq, rc, &rc->mmio, &rc->io, 0, 4, TYPE_PCIE_BUS); pci->bus->flags |= PCI_BUS_EXTENDED_CONFIG_SPACE; + + /* setup root device */ + if (rc->has_rd) { + object_initialize_child(OBJECT(rc), "root_device", &rc->root_device, + TYPE_ASPEED_PCIE_ROOT_DEVICE); + qdev_prop_set_int32(DEVICE(&rc->root_device), "addr", + PCI_DEVFN(0, 0)); + qdev_prop_set_bit(DEVICE(&rc->root_device), "multifunction", false); + if (!qdev_realize(DEVICE(&rc->root_device), BUS(pci->bus), errp)) { + return; + } + } } static const char *aspeed_pcie_rc_root_bus_path(PCIHostState *host_bridge, @@ -110,6 +160,7 @@ static const char *aspeed_pcie_rc_root_bus_path(PCIHostState *host_bridge, static const Property aspeed_pcie_rc_props[] = { DEFINE_PROP_UINT32("bus-nr", AspeedPCIERcState, bus_nr, 0), + DEFINE_PROP_BOOL("has-rd", AspeedPCIERcState, has_rd, 0), }; static void aspeed_pcie_rc_class_init(ObjectClass *klass, const void *data) @@ -401,6 +452,9 @@ static void aspeed_pcie_cfg_realize(DeviceState *dev, Error **errp) object_property_set_int(OBJECT(&s->rc), "bus-nr", apc->rc_bus_nr, &error_abort); + object_property_set_bool(OBJECT(&s->rc), "has-rd", + apc->rc_has_rd, + &error_abort); if (!sysbus_realize(SYS_BUS_DEVICE(&s->rc), errp)) { return; } @@ -433,6 +487,7 @@ static void aspeed_pcie_cfg_class_init(ObjectClass *klass, const void *data) apc->reg_map = &aspeed_regmap; apc->nr_regs = 0x100 >> 2; apc->rc_bus_nr = 0x80; + apc->rc_has_rd = true; } static const TypeInfo aspeed_pcie_cfg_info = { @@ -570,6 +625,7 @@ static const TypeInfo aspeed_pcie_phy_info = { static void aspeed_pcie_register_types(void) { type_register_static(&aspeed_pcie_rc_info); + type_register_static(&aspeed_pcie_root_device_info); type_register_static(&aspeed_pcie_cfg_info); type_register_static(&aspeed_pcie_phy_info); } diff --git a/include/hw/pci-host/aspeed_pcie.h b/include/hw/pci-host/aspeed_pcie.h index 850d579189..fe30ac02ae 100644 --- a/include/hw/pci-host/aspeed_pcie.h +++ b/include/hw/pci-host/aspeed_pcie.h @@ -40,6 +40,13 @@ typedef struct AspeedPCIERegMap { AspeedPCIERcRegs rc; } AspeedPCIERegMap; +#define TYPE_ASPEED_PCIE_ROOT_DEVICE "aspeed.pcie-root-device" +OBJECT_DECLARE_SIMPLE_TYPE(AspeedPCIERootDeviceState, ASPEED_PCIE_ROOT_DEVICE); + +struct AspeedPCIERootDeviceState { + PCIBridge parent_obj; +}; + #define TYPE_ASPEED_PCIE_RC "aspeed.pcie-rc" OBJECT_DECLARE_SIMPLE_TYPE(AspeedPCIERcState, ASPEED_PCIE_RC); @@ -53,7 +60,10 @@ struct AspeedPCIERcState { uint32_t bus_nr; char name[16]; + bool has_rd; qemu_irq irq; + + AspeedPCIERootDeviceState root_device; }; /* Bridge between AHB bus and PCIe RC. */ @@ -79,6 +89,7 @@ struct AspeedPCIECfgClass { uint64_t rc_bus_nr; uint64_t nr_regs; + bool rc_has_rd; }; #define TYPE_ASPEED_PCIE_PHY "aspeed.pcie-phy" From 2af56518fa911b8370adaaabc8823bfbab303613 Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Fri, 19 Sep 2025 17:30:04 +0800 Subject: [PATCH 18/32] hw/pci-host/aspeed: Add AST2600 PCIe Root Port and make address configurable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Introduce an ASPEED PCIe Root Port and wire it under the RC. The root port is modeled as TYPE_ASPEED_PCIE_ROOT_PORT (subclass of TYPE_PCIE_ROOT_PORT). Key changes: - Add TYPE_ASPEED_PCIE_ROOT_PORT (PCIESlot-based) with vendor/device IDs and AER capability offset. - Extend AspeedPCIERcState to embed a root_port instance and a configurable rp_addr. - Add "rp-addr" property to the RC to place the root port at a specific devfn on the root bus. - Set the root port's "chassis" property to ensure a unique chassis per RC. - Extend AspeedPCIECfgClass with rc_rp_addr defaulting to PCI_DEVFN(8,0). Rationale: - AST2600 places the root port at 80:08.0 (bus 0x80, dev 8, fn 0). - AST2700 must place the root port at 00:00.0, and it supports three RCs. Each root port must therefore be uniquely identifiable; uses the PCIe "chassis" ID for that. - Providing a configurable "rp-addr" lets platforms select the correct devfn per SoC family, while the "chassis" property ensures uniqueness across multiple RC instances on AST2700. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-6-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/pci-host/aspeed_pcie.c | 50 +++++++++++++++++++++++++++++++ include/hw/pci-host/aspeed_pcie.h | 11 +++++++ 2 files changed, 61 insertions(+) diff --git a/hw/pci-host/aspeed_pcie.c b/hw/pci-host/aspeed_pcie.c index 6e563a07a3..dafffbde61 100644 --- a/hw/pci-host/aspeed_pcie.c +++ b/hw/pci-host/aspeed_pcie.c @@ -21,6 +21,7 @@ #include "hw/registerfields.h" #include "hw/irq.h" #include "hw/pci/pci_host.h" +#include "hw/pci/pcie_port.h" #include "hw/pci-host/aspeed_pcie.h" #include "hw/pci/msi.h" #include "trace.h" @@ -63,6 +64,32 @@ static const TypeInfo aspeed_pcie_root_device_info = { }, }; +/* + * PCIe Root Port + */ + +static void aspeed_pcie_root_port_class_init(ObjectClass *klass, + const void *data) +{ + PCIDeviceClass *k = PCI_DEVICE_CLASS(klass); + DeviceClass *dc = DEVICE_CLASS(klass); + PCIERootPortClass *rpc = PCIE_ROOT_PORT_CLASS(klass); + + dc->desc = "ASPEED PCIe Root Port"; + k->vendor_id = PCI_VENDOR_ID_ASPEED; + k->device_id = 0x1150; + dc->user_creatable = true; + + rpc->aer_offset = 0x100; +} + +static const TypeInfo aspeed_pcie_root_port_info = { + .name = TYPE_ASPEED_PCIE_ROOT_PORT, + .parent = TYPE_PCIE_ROOT_PORT, + .instance_size = sizeof(AspeedPCIERootPortState), + .class_init = aspeed_pcie_root_port_class_init, +}; + /* * PCIe Root Complex (RC) */ @@ -144,6 +171,13 @@ static void aspeed_pcie_rc_realize(DeviceState *dev, Error **errp) return; } } + + /* setup root port */ + qdev_prop_set_int32(DEVICE(&rc->root_port), "addr", rc->rp_addr); + qdev_prop_set_uint16(DEVICE(&rc->root_port), "chassis", cfg->id); + if (!qdev_realize(DEVICE(&rc->root_port), BUS(pci->bus), errp)) { + return; + } } static const char *aspeed_pcie_rc_root_bus_path(PCIHostState *host_bridge, @@ -158,9 +192,19 @@ static const char *aspeed_pcie_rc_root_bus_path(PCIHostState *host_bridge, return rc->name; } +static void aspeed_pcie_rc_instance_init(Object *obj) +{ + AspeedPCIERcState *rc = ASPEED_PCIE_RC(obj); + AspeedPCIERootPortState *root_port = &rc->root_port; + + object_initialize_child(obj, "root_port", root_port, + TYPE_ASPEED_PCIE_ROOT_PORT); +} + static const Property aspeed_pcie_rc_props[] = { DEFINE_PROP_UINT32("bus-nr", AspeedPCIERcState, bus_nr, 0), DEFINE_PROP_BOOL("has-rd", AspeedPCIERcState, has_rd, 0), + DEFINE_PROP_UINT32("rp-addr", AspeedPCIERcState, rp_addr, 0), }; static void aspeed_pcie_rc_class_init(ObjectClass *klass, const void *data) @@ -183,6 +227,7 @@ static const TypeInfo aspeed_pcie_rc_info = { .name = TYPE_ASPEED_PCIE_RC, .parent = TYPE_PCIE_HOST_BRIDGE, .instance_size = sizeof(AspeedPCIERcState), + .instance_init = aspeed_pcie_rc_instance_init, .class_init = aspeed_pcie_rc_class_init, }; @@ -455,6 +500,9 @@ static void aspeed_pcie_cfg_realize(DeviceState *dev, Error **errp) object_property_set_bool(OBJECT(&s->rc), "has-rd", apc->rc_has_rd, &error_abort); + object_property_set_int(OBJECT(&s->rc), "rp-addr", + apc->rc_rp_addr, + &error_abort); if (!sysbus_realize(SYS_BUS_DEVICE(&s->rc), errp)) { return; } @@ -488,6 +536,7 @@ static void aspeed_pcie_cfg_class_init(ObjectClass *klass, const void *data) apc->nr_regs = 0x100 >> 2; apc->rc_bus_nr = 0x80; apc->rc_has_rd = true; + apc->rc_rp_addr = PCI_DEVFN(8, 0); } static const TypeInfo aspeed_pcie_cfg_info = { @@ -626,6 +675,7 @@ static void aspeed_pcie_register_types(void) { type_register_static(&aspeed_pcie_rc_info); type_register_static(&aspeed_pcie_root_device_info); + type_register_static(&aspeed_pcie_root_port_info); type_register_static(&aspeed_pcie_cfg_info); type_register_static(&aspeed_pcie_phy_info); } diff --git a/include/hw/pci-host/aspeed_pcie.h b/include/hw/pci-host/aspeed_pcie.h index fe30ac02ae..5346c15c81 100644 --- a/include/hw/pci-host/aspeed_pcie.h +++ b/include/hw/pci-host/aspeed_pcie.h @@ -20,6 +20,7 @@ #include "hw/sysbus.h" #include "hw/pci/pci_bridge.h" #include "hw/pci/pcie_host.h" +#include "hw/pci/pcie_port.h" #include "qom/object.h" typedef struct AspeedPCIECfgTxDesc { @@ -40,6 +41,13 @@ typedef struct AspeedPCIERegMap { AspeedPCIERcRegs rc; } AspeedPCIERegMap; +#define TYPE_ASPEED_PCIE_ROOT_PORT "aspeed.pcie-root-port" +OBJECT_DECLARE_SIMPLE_TYPE(AspeedPCIERootPortState, ASPEED_PCIE_ROOT_PORT) + +typedef struct AspeedPCIERootPortState { + PCIESlot parent_obj; +} AspeedPCIERootPortState; + #define TYPE_ASPEED_PCIE_ROOT_DEVICE "aspeed.pcie-root-device" OBJECT_DECLARE_SIMPLE_TYPE(AspeedPCIERootDeviceState, ASPEED_PCIE_ROOT_DEVICE); @@ -58,12 +66,14 @@ struct AspeedPCIERcState { MemoryRegion mmio; MemoryRegion io; + uint32_t rp_addr; uint32_t bus_nr; char name[16]; bool has_rd; qemu_irq irq; AspeedPCIERootDeviceState root_device; + AspeedPCIERootPortState root_port; }; /* Bridge between AHB bus and PCIe RC. */ @@ -87,6 +97,7 @@ struct AspeedPCIECfgClass { const AspeedPCIERegMap *reg_map; const MemoryRegionOps *reg_ops; + uint32_t rc_rp_addr; uint64_t rc_bus_nr; uint64_t nr_regs; bool rc_has_rd; From 89f949e515f1bcc4858993f9a47ac7d2656e361a Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Fri, 19 Sep 2025 17:30:05 +0800 Subject: [PATCH 19/32] hw/pci-host/aspeed: Add MSI support and per-RC IOMMU address space MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add MSI support to the ASPEED PCIe RC/Config model and introduce a per-RC "IOMMU root" address space to correctly route MSI writes. On AST2700 all RCs use the same MSI address, and the MSI target is PCI system memory (not normal DRAM). If the MSI window were mapped into real system RAM, an endpoint's write could be observed by other RCs and spuriously trigger their interrupts. To avoid this, each RC now owns an isolated IOMMU root AddressSpace that contains a small MSI window and a DRAM alias region for normal DMA. The MSI window captures writes and asserts the RC IRQ. MSI status bits are tracked in new H2X RC_H registers (R_H2X_RC_H_MSI_EN{0,1} and R_H2X_RC_H_MSI_STS{0,1}). Clearing all status bits drops the IRQ. The default MSI address is set to 0x1e77005c and can be overridden via the msi-addr property. This keeps MSI traffic contained within each RC while preserving normal DMA to system DRAM. It enables correct MSI/MSI-X interrupt delivery when multiple RCs use the same MSI target address. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-7-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/pci-host/aspeed_pcie.c | 132 ++++++++++++++++++++++++++++++ hw/pci-host/trace-events | 3 + include/hw/pci-host/aspeed_pcie.h | 10 +++ 3 files changed, 145 insertions(+) diff --git a/hw/pci-host/aspeed_pcie.c b/hw/pci-host/aspeed_pcie.c index dafffbde61..8be55b962f 100644 --- a/hw/pci-host/aspeed_pcie.c +++ b/hw/pci-host/aspeed_pcie.c @@ -94,6 +94,8 @@ static const TypeInfo aspeed_pcie_root_port_info = { * PCIe Root Complex (RC) */ +#define ASPEED_PCIE_CFG_RC_MAX_MSI 64 + static void aspeed_pcie_rc_set_irq(void *opaque, int irq, int level) { AspeedPCIERcState *rc = (AspeedPCIERcState *) opaque; @@ -120,6 +122,58 @@ static int aspeed_pcie_rc_map_irq(PCIDevice *pci_dev, int irq_num) return irq_num % PCI_NUM_PINS; } +static void aspeed_pcie_rc_msi_notify(AspeedPCIERcState *rc, uint64_t data) +{ + AspeedPCIECfgState *cfg = + container_of(rc, AspeedPCIECfgState, rc); + uint32_t reg; + + /* Written data is the HW IRQ number */ + assert(data < ASPEED_PCIE_CFG_RC_MAX_MSI); + + reg = (data < 32) ? + cfg->rc_regs->msi_sts0_reg : cfg->rc_regs->msi_sts1_reg; + cfg->regs[reg] |= BIT(data % 32); + + trace_aspeed_pcie_rc_msi_set_irq(cfg->id, data, 1); + qemu_set_irq(rc->irq, 1); +} + +static void aspeed_pcie_rc_msi_write(void *opaque, hwaddr addr, uint64_t data, + unsigned int size) +{ + AspeedPCIERcState *rc = ASPEED_PCIE_RC(opaque); + AspeedPCIECfgState *cfg = + container_of(rc, AspeedPCIECfgState, rc); + + trace_aspeed_pcie_rc_msi_notify(cfg->id, addr + rc->msi_addr, data); + aspeed_pcie_rc_msi_notify(rc, data); +} + +static const MemoryRegionOps aspeed_pcie_rc_msi_ops = { + .write = aspeed_pcie_rc_msi_write, + .read = NULL, + .endianness = DEVICE_LITTLE_ENDIAN, + .valid = { + .min_access_size = 4, + .max_access_size = 4, + }, + .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, +}; + +static AddressSpace *aspeed_pcie_rc_get_as(PCIBus *bus, void *opaque, int devfn) +{ + AspeedPCIERcState *rc = ASPEED_PCIE_RC(opaque); + return &rc->iommu_as; +} + +static const PCIIOMMUOps aspeed_pcie_rc_iommu_ops = { + .get_address_space = aspeed_pcie_rc_get_as, +}; + static void aspeed_pcie_rc_realize(DeviceState *dev, Error **errp) { PCIExpressHost *pex = PCIE_HOST_BRIDGE(dev); @@ -130,6 +184,8 @@ static void aspeed_pcie_rc_realize(DeviceState *dev, Error **errp) SysBusDevice *sbd = SYS_BUS_DEVICE(dev); g_autofree char *ioport_window_name = NULL; g_autofree char *mmio_window_name = NULL; + g_autofree char *iommu_root_name = NULL; + g_autofree char *dram_alias_name = NULL; g_autofree char *root_bus_name = NULL; /* PCI configuration space */ @@ -160,6 +216,43 @@ static void aspeed_pcie_rc_realize(DeviceState *dev, Error **errp) &rc->io, 0, 4, TYPE_PCIE_BUS); pci->bus->flags |= PCI_BUS_EXTENDED_CONFIG_SPACE; + /* + * PCIe memory view setup + * + * Background: + * - On AST2700, all Root Complexes use the same MSI address. This MSI + * address is not normal system RAM - it is a PCI system memory address. + * If we map the MSI/MSI-X window into real system memory, a write from + * one EP can be seen by all RCs and wrongly trigger interrupts on them. + * + * Design: + * - MSI/MSI-X here is just a placeholder address so RC and EP can talk. + * We make a separate MMIO space (iommu_root) for the MSI window so the + * writes stay local to each RC. + * + * DMA: + * - EPs still need access to real system memory for DMA. We add a DRAM + * alias in the PCI space so DMA works as expected. + */ + iommu_root_name = g_strdup_printf("pcie.%d.iommu_root", cfg->id); + memory_region_init(&rc->iommu_root, OBJECT(rc), iommu_root_name, + UINT64_MAX); + address_space_init(&rc->iommu_as, &rc->iommu_root, iommu_root_name); + /* setup MSI */ + memory_region_init_io(&rc->msi_window, OBJECT(rc), + &aspeed_pcie_rc_msi_ops, rc, + "msi_window", 4); + memory_region_add_subregion(&rc->iommu_root, rc->msi_addr, + &rc->msi_window); + /* setup DRAM for DMA */ + assert(rc->dram_mr != NULL); + dram_alias_name = g_strdup_printf("pcie.%d.dram_alias", cfg->id); + memory_region_init_alias(&rc->dram_alias, OBJECT(rc), dram_alias_name, + rc->dram_mr, 0, memory_region_size(rc->dram_mr)); + memory_region_add_subregion(&rc->iommu_root, rc->dram_base, + &rc->dram_alias); + pci_setup_iommu(pci->bus, &aspeed_pcie_rc_iommu_ops, rc); + /* setup root device */ if (rc->has_rd) { object_initialize_child(OBJECT(rc), "root_device", &rc->root_device, @@ -205,6 +298,10 @@ static const Property aspeed_pcie_rc_props[] = { DEFINE_PROP_UINT32("bus-nr", AspeedPCIERcState, bus_nr, 0), DEFINE_PROP_BOOL("has-rd", AspeedPCIERcState, has_rd, 0), DEFINE_PROP_UINT32("rp-addr", AspeedPCIERcState, rp_addr, 0), + DEFINE_PROP_UINT32("msi-addr", AspeedPCIERcState, msi_addr, 0), + DEFINE_PROP_UINT64("dram-base", AspeedPCIERcState, dram_base, 0), + DEFINE_PROP_LINK("dram", AspeedPCIERcState, dram_mr, TYPE_MEMORY_REGION, + MemoryRegion *), }; static void aspeed_pcie_rc_class_init(ObjectClass *klass, const void *data) @@ -265,6 +362,10 @@ REG32(H2X_RC_H_INT_STS, 0xC8) SHARED_FIELD(H2X_RC_INT_INTDONE, 4, 1) SHARED_FIELD(H2X_RC_INT_INTX, 0, 4) REG32(H2X_RC_H_RDATA, 0xCC) +REG32(H2X_RC_H_MSI_EN0, 0xE0) +REG32(H2X_RC_H_MSI_EN1, 0xE4) +REG32(H2X_RC_H_MSI_STS0, 0xE8) +REG32(H2X_RC_H_MSI_STS1, 0xEC) #define TLP_FMTTYPE_CFGRD0 0x04 /* Configuration Read Type 0 */ #define TLP_FMTTYPE_CFGWR0 0x44 /* Configuration Write Type 0 */ @@ -278,6 +379,8 @@ static const AspeedPCIERegMap aspeed_regmap = { .rc = { .int_en_reg = R_H2X_RC_H_INT_EN, .int_sts_reg = R_H2X_RC_H_INT_STS, + .msi_sts0_reg = R_H2X_RC_H_MSI_STS0, + .msi_sts1_reg = R_H2X_RC_H_MSI_STS1, }, }; @@ -447,6 +550,29 @@ static void aspeed_pcie_cfg_write(void *opaque, hwaddr addr, uint64_t data, } s->regs[reg] &= ~data | H2X_RC_INT_INTX_MASK; break; + /* + * These status registers are used for notify sources ISR are executed. + * If one source ISR is executed, it will clear one bit. + * If it clear all bits, it means to initialize this register status + * rather than sources ISR are executed. + */ + case R_H2X_RC_H_MSI_STS0: + case R_H2X_RC_H_MSI_STS1: + if (data == 0) { + return ; + } + + s->regs[reg] &= ~data; + if (data == 0xffffffff) { + return; + } + + if (!s->regs[R_H2X_RC_H_MSI_STS0] && + !s->regs[R_H2X_RC_H_MSI_STS1]) { + trace_aspeed_pcie_rc_msi_clear_irq(s->id, 0); + qemu_set_irq(s->rc.irq, 0); + } + break; default: s->regs[reg] = data; break; @@ -468,6 +594,8 @@ static void aspeed_pcie_cfg_instance_init(Object *obj) AspeedPCIECfgState *s = ASPEED_PCIE_CFG(obj); object_initialize_child(obj, "rc", &s->rc, TYPE_ASPEED_PCIE_RC); + object_property_add_alias(obj, "dram", OBJECT(&s->rc), "dram"); + object_property_add_alias(obj, "dram-base", OBJECT(&s->rc), "dram-base"); return; } @@ -503,6 +631,9 @@ static void aspeed_pcie_cfg_realize(DeviceState *dev, Error **errp) object_property_set_int(OBJECT(&s->rc), "rp-addr", apc->rc_rp_addr, &error_abort); + object_property_set_int(OBJECT(&s->rc), "msi-addr", + apc->rc_msi_addr, + &error_abort); if (!sysbus_realize(SYS_BUS_DEVICE(&s->rc), errp)) { return; } @@ -534,6 +665,7 @@ static void aspeed_pcie_cfg_class_init(ObjectClass *klass, const void *data) apc->reg_ops = &aspeed_pcie_cfg_ops; apc->reg_map = &aspeed_regmap; apc->nr_regs = 0x100 >> 2; + apc->rc_msi_addr = 0x1e77005C; apc->rc_bus_nr = 0x80; apc->rc_has_rd = true; apc->rc_rp_addr = PCI_DEVFN(8, 0); diff --git a/hw/pci-host/trace-events b/hw/pci-host/trace-events index 2584ea56e2..a6fd88c2c4 100644 --- a/hw/pci-host/trace-events +++ b/hw/pci-host/trace-events @@ -2,6 +2,9 @@ # aspeed_pcie.c aspeed_pcie_rc_intx_set_irq(uint32_t id, int num, int level) "%d: num %d set IRQ leve %d" +aspeed_pcie_rc_msi_notify(uint32_t id, uint64_t addr, uint64_t data) "%d: 0x%" PRIx64 " data 0x%" PRIx64 +aspeed_pcie_rc_msi_set_irq(uint32_t id, uint64_t unm, int level) "%d: num 0x%" PRIx64 " set IRQ level %d" +aspeed_pcie_rc_msi_clear_irq(uint32_t id, int level) "%d: clear IRQ level %d" aspeed_pcie_cfg_read(uint32_t id, uint64_t addr, uint32_t value) "%d: addr 0x%" PRIx64 " value 0x%" PRIx32 aspeed_pcie_cfg_write(uint32_t id, uint64_t addr, uint32_t value) "%d: addr 0x%" PRIx64 " value 0x%" PRIx32 aspeed_pcie_cfg_rw(uint32_t id, const char *dir, uint8_t bus, uint8_t devfn, uint64_t addr, uint64_t data) "%d: %s bus:0x%x devfn:0x%x addr 0x%" PRIx64 " data 0x%" PRIx64 diff --git a/include/hw/pci-host/aspeed_pcie.h b/include/hw/pci-host/aspeed_pcie.h index 5346c15c81..5e60cba07b 100644 --- a/include/hw/pci-host/aspeed_pcie.h +++ b/include/hw/pci-host/aspeed_pcie.h @@ -35,6 +35,8 @@ typedef struct AspeedPCIECfgTxDesc { typedef struct AspeedPCIERcRegs { uint32_t int_en_reg; uint32_t int_sts_reg; + uint32_t msi_sts0_reg; + uint32_t msi_sts1_reg; } AspeedPCIERcRegs; typedef struct AspeedPCIERegMap { @@ -61,11 +63,18 @@ OBJECT_DECLARE_SIMPLE_TYPE(AspeedPCIERcState, ASPEED_PCIE_RC); struct AspeedPCIERcState { PCIExpressHost parent_obj; + MemoryRegion iommu_root; + AddressSpace iommu_as; + MemoryRegion dram_alias; + MemoryRegion *dram_mr; MemoryRegion mmio_window; + MemoryRegion msi_window; MemoryRegion io_window; MemoryRegion mmio; MemoryRegion io; + uint64_t dram_base; + uint32_t msi_addr; uint32_t rp_addr; uint32_t bus_nr; char name[16]; @@ -97,6 +106,7 @@ struct AspeedPCIECfgClass { const AspeedPCIERegMap *reg_map; const MemoryRegionOps *reg_ops; + uint32_t rc_msi_addr; uint32_t rc_rp_addr; uint64_t rc_bus_nr; uint64_t nr_regs; From 575846c056a320b3008436fc8c11d10616677722 Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Fri, 19 Sep 2025 17:30:06 +0800 Subject: [PATCH 20/32] hw/arm/aspeed: Wire up PCIe devices in SoC model MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add PCIe controller and PHY instances to the Aspeed SoC state and device enum. This prepares the SoC model to host PCIe Root Complexes and their associated PHYs. Although the AST2600 supports only a single Root Complex, the AST2700 provides three Root Complexes. For this reason, the model defines arrays of three PCIe config/PHY objects and enumerates three PCIe device IDs so that both SoCs can be represented consistently. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-8-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- include/hw/arm/aspeed_soc.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h index 217ef0eafd..79fe353f83 100644 --- a/include/hw/arm/aspeed_soc.h +++ b/include/hw/arm/aspeed_soc.h @@ -37,6 +37,7 @@ #include "qom/object.h" #include "hw/misc/aspeed_lpc.h" #include "hw/misc/unimp.h" +#include "hw/pci-host/aspeed_pcie.h" #include "hw/misc/aspeed_peci.h" #include "hw/fsi/aspeed_apb2opb.h" #include "hw/char/serial-mm.h" @@ -49,6 +50,7 @@ #define ASPEED_MACS_NUM 4 #define ASPEED_UARTS_NUM 13 #define ASPEED_JTAG_NUM 2 +#define ASPEED_PCIE_NUM 3 struct AspeedSoCState { DeviceState parent; @@ -87,6 +89,8 @@ struct AspeedSoCState { AspeedSDHCIState sdhci; AspeedSDHCIState emmc; AspeedLPCState lpc; + AspeedPCIECfgState pcie[ASPEED_PCIE_NUM]; + AspeedPCIEPhyState pcie_phy[ASPEED_PCIE_NUM]; AspeedPECIState peci; SerialMM uart[ASPEED_UARTS_NUM]; Clock *sysclk; @@ -254,6 +258,15 @@ enum { ASPEED_DEV_LPC, ASPEED_DEV_IBT, ASPEED_DEV_I2C, + ASPEED_DEV_PCIE0, + ASPEED_DEV_PCIE1, + ASPEED_DEV_PCIE2, + ASPEED_DEV_PCIE_PHY0, + ASPEED_DEV_PCIE_PHY1, + ASPEED_DEV_PCIE_PHY2, + ASPEED_DEV_PCIE_MMIO0, + ASPEED_DEV_PCIE_MMIO1, + ASPEED_DEV_PCIE_MMIO2, ASPEED_DEV_PECI, ASPEED_DEV_ETH1, ASPEED_DEV_ETH2, From a498916ba292ada19cc47df80e0e9507c63356fc Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Fri, 19 Sep 2025 17:30:07 +0800 Subject: [PATCH 21/32] hw/arm/aspeed_ast2600: Add PCIe RC support (RC_H only) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Wire up the PCIe Root Complex in the AST2600 SoC model. According to the AST2600 firmware driver, only the RC_H controller is supported. RC_H uses PCIe PHY1 at 0x1e6ed200 and the PCIe config (H2X) register block at 0x1e770000. The RC_H MMIO window is mapped at 0x70000000–0x80000000. RC_L is not modeled. The RC_H interrupt is wired to IRQ 168. Only RC_H is realized and connected to the SoC interrupt controller. The SoC integration initializes PCIe PHY1, instantiates a single RC instance, wires its MMIO regions, and connects its interrupt. An alias region is added to map the RC MMIO space into the guest physical address space. This provides enough functionality for firmware and guest drivers to discover and use the AST2600 RC_H Root Complex while leaving RC_L unimplemented. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-9-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/arm/aspeed_ast2600.c | 74 +++++++++++++++++++++++++++++++++++++ include/hw/arm/aspeed_soc.h | 1 + 2 files changed, 75 insertions(+) diff --git a/hw/arm/aspeed_ast2600.c b/hw/arm/aspeed_ast2600.c index 59ffd41a4a..03e5df96bb 100644 --- a/hw/arm/aspeed_ast2600.c +++ b/hw/arm/aspeed_ast2600.c @@ -48,11 +48,13 @@ static const hwaddr aspeed_soc_ast2600_memmap[] = { [ASPEED_DEV_XDMA] = 0x1E6E7000, [ASPEED_DEV_ADC] = 0x1E6E9000, [ASPEED_DEV_DP] = 0x1E6EB000, + [ASPEED_DEV_PCIE_PHY1] = 0x1E6ED200, [ASPEED_DEV_SBC] = 0x1E6F2000, [ASPEED_DEV_EMMC_BC] = 0x1E6f5000, [ASPEED_DEV_VIDEO] = 0x1E700000, [ASPEED_DEV_SDHCI] = 0x1E740000, [ASPEED_DEV_EMMC] = 0x1E750000, + [ASPEED_DEV_PCIE0] = 0x1E770000, [ASPEED_DEV_GPIO] = 0x1E780000, [ASPEED_DEV_GPIO_1_8V] = 0x1E780800, [ASPEED_DEV_RTC] = 0x1E781000, @@ -79,6 +81,7 @@ static const hwaddr aspeed_soc_ast2600_memmap[] = { [ASPEED_DEV_FSI1] = 0x1E79B000, [ASPEED_DEV_FSI2] = 0x1E79B100, [ASPEED_DEV_I3C] = 0x1E7A0000, + [ASPEED_DEV_PCIE_MMIO1] = 0x70000000, [ASPEED_DEV_SDRAM] = 0x80000000, }; @@ -127,6 +130,7 @@ static const int aspeed_soc_ast2600_irqmap[] = { [ASPEED_DEV_LPC] = 35, [ASPEED_DEV_IBT] = 143, [ASPEED_DEV_I2C] = 110, /* 110 -> 125 */ + [ASPEED_DEV_PCIE0] = 168, [ASPEED_DEV_PECI] = 38, [ASPEED_DEV_ETH1] = 2, [ASPEED_DEV_ETH2] = 3, @@ -191,6 +195,10 @@ static void aspeed_soc_ast2600_init(Object *obj) snprintf(typename, sizeof(typename), "aspeed.i2c-%s", socname); object_initialize_child(obj, "i2c", &s->i2c, typename); + object_initialize_child(obj, "pcie-cfg", &s->pcie[0], TYPE_ASPEED_PCIE_CFG); + object_initialize_child(obj, "pcie-phy[*]", &s->pcie_phy[0], + TYPE_ASPEED_PCIE_PHY); + object_initialize_child(obj, "peci", &s->peci, TYPE_ASPEED_PECI); snprintf(typename, sizeof(typename), "aspeed.fmc-%s", socname); @@ -285,6 +293,67 @@ static uint64_t aspeed_calc_affinity(int cpu) return (0xf << ARM_AFF1_SHIFT) | cpu; } +/* + * PCIe Root Complex (RC) + * + * H2X register space (single block 0x00-0xFF): + * 0x00-0x7F : shared by RC_L (PCIe0) and RC_H (PCIe1) + * 0x80-0xBF : RC_L only + * 0xC0-0xFF : RC_H only + * + * Model scope / limitations: + * - Firmware supports RC_H only; this QEMU model does not support RC_L. + * - RC_H uses PHY1 and the MMIO window [0x70000000, 0x80000000] + * (aka MMIO1). + * + * Indexing convention (this model): + * - Expose a single logical instance at index 0. + * - pcie[0] -> hardware RC_H (PCIe1) + * - phy[0] -> hardware PHY1 + * - mmio.0 -> guest address range MMIO1: 0x70000000-0x80000000 + * - RC_L / PCIe0 is not created and mapped. + */ +static bool aspeed_soc_ast2600_pcie_realize(DeviceState *dev, Error **errp) +{ + Aspeed2600SoCState *a = ASPEED2600_SOC(dev); + AspeedSoCState *s = ASPEED_SOC(dev); + AspeedSoCClass *sc = ASPEED_SOC_GET_CLASS(s); + MemoryRegion *mmio_mr = NULL; + qemu_irq irq; + + if (!sysbus_realize(SYS_BUS_DEVICE(&s->pcie_phy[0]), errp)) { + return false; + } + aspeed_mmio_map(s, SYS_BUS_DEVICE(&s->pcie_phy[0]), 0, + sc->memmap[ASPEED_DEV_PCIE_PHY1]); + + object_property_set_int(OBJECT(&s->pcie[0]), "dram-base", + sc->memmap[ASPEED_DEV_SDRAM], + &error_abort); + object_property_set_link(OBJECT(&s->pcie[0]), "dram", OBJECT(s->dram_mr), + &error_abort); + if (!sysbus_realize(SYS_BUS_DEVICE(&s->pcie[0]), errp)) { + return false; + } + aspeed_mmio_map(s, SYS_BUS_DEVICE(&s->pcie[0]), 0, + sc->memmap[ASPEED_DEV_PCIE0]); + + irq = qdev_get_gpio_in(DEVICE(&a->a7mpcore), + sc->irqmap[ASPEED_DEV_PCIE0]); + sysbus_connect_irq(SYS_BUS_DEVICE(&s->pcie[0].rc), 0, irq); + + mmio_mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->pcie[0].rc), 1); + memory_region_init_alias(&s->pcie_mmio_alias[0], OBJECT(&s->pcie[0].rc), + "aspeed.pcie-mmio", mmio_mr, + sc->memmap[ASPEED_DEV_PCIE_MMIO1], + 0x10000000); + memory_region_add_subregion(s->memory, + sc->memmap[ASPEED_DEV_PCIE_MMIO1], + &s->pcie_mmio_alias[0]); + + return true; +} + static void aspeed_soc_ast2600_realize(DeviceState *dev, Error **errp) { int i; @@ -438,6 +507,11 @@ static void aspeed_soc_ast2600_realize(DeviceState *dev, Error **errp) sysbus_connect_irq(SYS_BUS_DEVICE(&s->peci), 0, aspeed_soc_get_irq(s, ASPEED_DEV_PECI)); + /* PCIe Root Complex (RC) */ + if (!aspeed_soc_ast2600_pcie_realize(dev, errp)) { + return; + } + /* FMC, The number of CS is set at the board level */ object_property_set_link(OBJECT(&s->fmc), "dram", OBJECT(s->dram_mr), &error_abort); diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h index 79fe353f83..a0cf433775 100644 --- a/include/hw/arm/aspeed_soc.h +++ b/include/hw/arm/aspeed_soc.h @@ -62,6 +62,7 @@ struct AspeedSoCState { MemoryRegion spi_boot_container; MemoryRegion spi_boot; MemoryRegion vbootrom; + MemoryRegion pcie_mmio_alias[ASPEED_PCIE_NUM]; AddressSpace dram_as; AspeedRtcState rtc; AspeedTimerCtrlState timerctrl; From ed2df979ab229feaa81327ad4941383c024116e6 Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Fri, 19 Sep 2025 17:30:08 +0800 Subject: [PATCH 22/32] hw/pci-host/aspeed: Add AST2700 PCIe PHY MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Introduce a PCIe Host Controller PHY model for AST2700. This adds an AST2700 specific PHY type (TYPE_ASPEED_2700_PCIE_PHY) with a 0x800 byte register space and link-status bits compatible with the firmware’s expectations. AST2700 provides three PCIe RCs; PCIe0 and PCIe1 are GEN4, PCIe2 is GEN2. The PHY exposes: PEHR_2700_LINK_GEN2 at 0x344, bit 18 indicates GEN2 link up PEHR_2700_LINK_GEN4 at 0x358, bit 8 indicates GEN4 link up In real hardware these GEN2/GEN4 link bits are mutually exclusive. QEMU does not model GEN2 vs GEN4 signaling differences, so the reset handler sets both bits to 1. This keeps the model simple and lets firmware see the link as up; firmware will read the appropriate register per RC port to infer the intended mode. The header gains TYPE_ASPEED_2700_PCIE_PHY; the new class derives from TYPE_ASPEED_PCIE_PHY, sets nr_regs to 0x800 >> 2, and installs an AST2700 reset routine that programs the class code (0x06040011) and the GEN2/GEN4 status bits. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-10-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/pci-host/aspeed_pcie.c | 39 +++++++++++++++++++++++++++++++ include/hw/pci-host/aspeed_pcie.h | 1 + 2 files changed, 40 insertions(+) diff --git a/hw/pci-host/aspeed_pcie.c b/hw/pci-host/aspeed_pcie.c index 8be55b962f..788160d532 100644 --- a/hw/pci-host/aspeed_pcie.c +++ b/hw/pci-host/aspeed_pcie.c @@ -696,6 +696,12 @@ REG32(PEHR_PROTECT, 0x7C) REG32(PEHR_LINK, 0xC0) FIELD(PEHR_LINK, STS, 5, 1) +/* AST2700 */ +REG32(PEHR_2700_LINK_GEN2, 0x344) + FIELD(PEHR_2700_LINK_GEN2, STS, 18, 1) +REG32(PEHR_2700_LINK_GEN4, 0x358) + FIELD(PEHR_2700_LINK_GEN4, STS, 8, 1) + #define ASPEED_PCIE_PHY_UNLOCK 0xA8 static uint64_t aspeed_pcie_phy_read(void *opaque, hwaddr addr, @@ -803,6 +809,38 @@ static const TypeInfo aspeed_pcie_phy_info = { .class_size = sizeof(AspeedPCIEPhyClass), }; +static void aspeed_2700_pcie_phy_reset(DeviceState *dev) +{ + AspeedPCIEPhyState *s = ASPEED_PCIE_PHY(dev); + AspeedPCIEPhyClass *apc = ASPEED_PCIE_PHY_GET_CLASS(s); + + memset(s->regs, 0, apc->nr_regs << 2); + + s->regs[R_PEHR_ID] = + (0x1150 << R_PEHR_ID_DEV_SHIFT) | PCI_VENDOR_ID_ASPEED; + s->regs[R_PEHR_CLASS_CODE] = 0x06040011; + s->regs[R_PEHR_2700_LINK_GEN2] = R_PEHR_2700_LINK_GEN2_STS_MASK; + s->regs[R_PEHR_2700_LINK_GEN4] = R_PEHR_2700_LINK_GEN4_STS_MASK; +} + +static void aspeed_2700_pcie_phy_class_init(ObjectClass *klass, + const void *data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + AspeedPCIEPhyClass *apc = ASPEED_PCIE_PHY_CLASS(klass); + + dc->desc = "ASPEED AST2700 PCIe Phy"; + device_class_set_legacy_reset(dc, aspeed_2700_pcie_phy_reset); + + apc->nr_regs = 0x800 >> 2; +} + +static const TypeInfo aspeed_2700_pcie_phy_info = { + .name = TYPE_ASPEED_2700_PCIE_PHY, + .parent = TYPE_ASPEED_PCIE_PHY, + .class_init = aspeed_2700_pcie_phy_class_init, +}; + static void aspeed_pcie_register_types(void) { type_register_static(&aspeed_pcie_rc_info); @@ -810,6 +848,7 @@ static void aspeed_pcie_register_types(void) type_register_static(&aspeed_pcie_root_port_info); type_register_static(&aspeed_pcie_cfg_info); type_register_static(&aspeed_pcie_phy_info); + type_register_static(&aspeed_2700_pcie_phy_info); } type_init(aspeed_pcie_register_types); diff --git a/include/hw/pci-host/aspeed_pcie.h b/include/hw/pci-host/aspeed_pcie.h index 5e60cba07b..5806505f30 100644 --- a/include/hw/pci-host/aspeed_pcie.h +++ b/include/hw/pci-host/aspeed_pcie.h @@ -114,6 +114,7 @@ struct AspeedPCIECfgClass { }; #define TYPE_ASPEED_PCIE_PHY "aspeed.pcie-phy" +#define TYPE_ASPEED_2700_PCIE_PHY TYPE_ASPEED_PCIE_PHY "-ast2700" OBJECT_DECLARE_TYPE(AspeedPCIEPhyState, AspeedPCIEPhyClass, ASPEED_PCIE_PHY); struct AspeedPCIEPhyState { From ba6fb09048198a2952d731cd063f4307b137e7ec Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Fri, 19 Sep 2025 17:30:09 +0800 Subject: [PATCH 23/32] hw/pci-host/aspeed: Add AST2700 PCIe config with dedicated H2X blocks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Introduce PCIe config (H2X) support for the AST2700 SoC. Unlike the AST2600, the AST2700 provides three independent Root Complexes, each with its own H2X (AHB to PCIe bridge) register block of size 0x100. All RCs use the same MSI address (0x000000F0). The H2X block includes two different access paths: 1. CFGI (internal bridge): used to access the host bridge itself, always with BDF=0. The AST2700 controller simplifies the design by exposing only one register (H2X_CFGI_TLP) with fields for ADDR[15:0], BEN[19:16], and WR[20]. This is not a full TLP descriptor as in the external case. For QEMU readability and code reuse, the model converts H2X_CFGI_TLP into a standard TLP TX descriptor with BDF forced to 0 and then calls the existing helpers aspeed_pcie_cfg_readwrite() and aspeed_pcie_cfg_translate_write(). 2. CFGE (external EP access): used to access external endpoints. The AST2700 design provides H2X_CFGE_TLP1 and a small FIFO at H2X_CFGE_TLPN. For reads, TX DESC0 is stored in TLP1 and DESC1/DESC2 in TLPN FIFO slots. For writes, TX DESC0 is stored in TLP1, DESC1/DESC2 in TLPN FIFO[0..1], and TX write data in TLPN FIFO[2]. The implementation extends AspeedPCIECfgState with a small FIFO and index, wires up new register definitions for AST2700, and adds a specific ops table and class (TYPE_ASPEED_2700_PCIE_CFG). The reset handler clears the FIFO state. Interrupt and MSI status registers are also supported. This provides enough modeling for firmware and drivers to use any of the three PCIe RCs on AST2700 with their own dedicated H2X config window, while reusing existing TLP decode helpers in QEMU. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-11-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/pci-host/aspeed_pcie.c | 158 ++++++++++++++++++++++++++++++ include/hw/pci-host/aspeed_pcie.h | 3 + 2 files changed, 161 insertions(+) diff --git a/hw/pci-host/aspeed_pcie.c b/hw/pci-host/aspeed_pcie.c index 788160d532..a757fd7ec8 100644 --- a/hw/pci-host/aspeed_pcie.c +++ b/hw/pci-host/aspeed_pcie.c @@ -338,6 +338,11 @@ static const TypeInfo aspeed_pcie_rc_info = { * - Registers 0x00 - 0x7F are shared by both PCIe0 (rc_l) and PCIe1 (rc_h). * - Registers 0x80 - 0xBF are specific to PCIe0. * - Registers 0xC0 - 0xFF are specific to PCIe1. + * + * On the AST2700: + * - The register range 0x00 - 0xFF is assigned to a single PCIe configuration. + * - There are three PCIe Root Complexes (RCs), each with its own dedicated H2X + * register set of size 0x100 (covering offsets 0x00 to 0xFF). */ /* AST2600 */ @@ -367,6 +372,31 @@ REG32(H2X_RC_H_MSI_EN1, 0xE4) REG32(H2X_RC_H_MSI_STS0, 0xE8) REG32(H2X_RC_H_MSI_STS1, 0xEC) +/* AST2700 */ +REG32(H2X_CFGE_INT_STS, 0x08) + FIELD(H2X_CFGE_INT_STS, TX_IDEL, 0, 1) + FIELD(H2X_CFGE_INT_STS, RX_BUSY, 1, 1) +REG32(H2X_CFGI_TLP, 0x20) + FIELD(H2X_CFGI_TLP, ADDR, 0, 16) + FIELD(H2X_CFGI_TLP, BEN, 16, 4) + FIELD(H2X_CFGI_TLP, WR, 20, 1) +REG32(H2X_CFGI_WDATA, 0x24) +REG32(H2X_CFGI_CTRL, 0x28) + FIELD(H2X_CFGI_CTRL, FIRE, 0, 1) +REG32(H2X_CFGI_RDATA, 0x2C) +REG32(H2X_CFGE_TLP1, 0x30) +REG32(H2X_CFGE_TLPN, 0x34) +REG32(H2X_CFGE_CTRL, 0x38) + FIELD(H2X_CFGE_CTRL, FIRE, 0, 1) +REG32(H2X_CFGE_RDATA, 0x3C) +REG32(H2X_INT_EN, 0x40) +REG32(H2X_INT_STS, 0x48) + FIELD(H2X_INT_STS, INTX, 0, 4) +REG32(H2X_MSI_EN0, 0x50) +REG32(H2X_MSI_EN1, 0x54) +REG32(H2X_MSI_STS0, 0x58) +REG32(H2X_MSI_STS1, 0x5C) + #define TLP_FMTTYPE_CFGRD0 0x04 /* Configuration Read Type 0 */ #define TLP_FMTTYPE_CFGWR0 0x44 /* Configuration Write Type 0 */ #define TLP_FMTTYPE_CFGRD1 0x05 /* Configuration Read Type 1 */ @@ -384,6 +414,15 @@ static const AspeedPCIERegMap aspeed_regmap = { }, }; +static const AspeedPCIERegMap aspeed_2700_regmap = { + .rc = { + .int_en_reg = R_H2X_INT_EN, + .int_sts_reg = R_H2X_INT_STS, + .msi_sts0_reg = R_H2X_MSI_STS0, + .msi_sts1_reg = R_H2X_MSI_STS1, + }, +}; + static uint64_t aspeed_pcie_cfg_read(void *opaque, hwaddr addr, unsigned int size) { @@ -606,6 +645,8 @@ static void aspeed_pcie_cfg_reset(DeviceState *dev) AspeedPCIECfgClass *apc = ASPEED_PCIE_CFG_GET_CLASS(s); memset(s->regs, 0, apc->nr_regs << 2); + memset(s->tlpn_fifo, 0, sizeof(s->tlpn_fifo)); + s->tlpn_idx = 0; } static void aspeed_pcie_cfg_realize(DeviceState *dev, Error **errp) @@ -680,6 +721,122 @@ static const TypeInfo aspeed_pcie_cfg_info = { .class_size = sizeof(AspeedPCIECfgClass), }; +static void aspeed_2700_pcie_cfg_write(void *opaque, hwaddr addr, + uint64_t data, unsigned int size) +{ + AspeedPCIECfgState *s = ASPEED_PCIE_CFG(opaque); + AspeedPCIECfgTxDesc desc; + uint32_t reg = addr >> 2; + + trace_aspeed_pcie_cfg_write(s->id, addr, data); + + switch (reg) { + case R_H2X_CFGE_INT_STS: + if (data & R_H2X_CFGE_INT_STS_TX_IDEL_MASK) { + s->regs[R_H2X_CFGE_INT_STS] &= ~R_H2X_CFGE_INT_STS_TX_IDEL_MASK; + } + + if (data & R_H2X_CFGE_INT_STS_RX_BUSY_MASK) { + s->regs[R_H2X_CFGE_INT_STS] &= ~R_H2X_CFGE_INT_STS_RX_BUSY_MASK; + } + break; + case R_H2X_CFGI_CTRL: + if (data & R_H2X_CFGI_CTRL_FIRE_MASK) { + /* + * Internal access to bridge + * Type and BDF are 0 + */ + desc.desc0 = 0x04000001 | + (ARRAY_FIELD_EX32(s->regs, H2X_CFGI_TLP, WR) << 30); + desc.desc1 = 0x00401000 | + ARRAY_FIELD_EX32(s->regs, H2X_CFGI_TLP, BEN); + desc.desc2 = 0x00000000 | + ARRAY_FIELD_EX32(s->regs, H2X_CFGI_TLP, ADDR); + desc.wdata = s->regs[R_H2X_CFGI_WDATA]; + desc.rdata_reg = R_H2X_CFGI_RDATA; + aspeed_pcie_cfg_readwrite(s, &desc); + } + break; + case R_H2X_CFGE_TLPN: + s->tlpn_fifo[s->tlpn_idx] = data; + s->tlpn_idx = (s->tlpn_idx + 1) % ARRAY_SIZE(s->tlpn_fifo); + break; + case R_H2X_CFGE_CTRL: + if (data & R_H2X_CFGE_CTRL_FIRE_MASK) { + desc.desc0 = s->regs[R_H2X_CFGE_TLP1]; + desc.desc1 = s->tlpn_fifo[0]; + desc.desc2 = s->tlpn_fifo[1]; + desc.wdata = s->tlpn_fifo[2]; + desc.rdata_reg = R_H2X_CFGE_RDATA; + aspeed_pcie_cfg_readwrite(s, &desc); + s->regs[R_H2X_CFGE_INT_STS] |= R_H2X_CFGE_INT_STS_TX_IDEL_MASK; + s->regs[R_H2X_CFGE_INT_STS] |= R_H2X_CFGE_INT_STS_RX_BUSY_MASK; + s->tlpn_idx = 0; + } + break; + + case R_H2X_INT_STS: + s->regs[reg] &= ~data | R_H2X_INT_STS_INTX_MASK; + break; + /* + * These status registers are used for notify sources ISR are executed. + * If one source ISR is executed, it will clear one bit. + * If it clear all bits, it means to initialize this register status + * rather than sources ISR are executed. + */ + case R_H2X_MSI_STS0: + case R_H2X_MSI_STS1: + if (data == 0) { + return ; + } + + s->regs[reg] &= ~data; + if (data == 0xffffffff) { + return; + } + + if (!s->regs[R_H2X_MSI_STS0] && + !s->regs[R_H2X_MSI_STS1]) { + trace_aspeed_pcie_rc_msi_clear_irq(s->id, 0); + qemu_set_irq(s->rc.irq, 0); + } + break; + default: + s->regs[reg] = data; + break; + } +} + +static const MemoryRegionOps aspeed_2700_pcie_cfg_ops = { + .read = aspeed_pcie_cfg_read, + .write = aspeed_2700_pcie_cfg_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .valid = { + .min_access_size = 1, + .max_access_size = 4, + }, +}; + +static void aspeed_2700_pcie_cfg_class_init(ObjectClass *klass, + const void *data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + AspeedPCIECfgClass *apc = ASPEED_PCIE_CFG_CLASS(klass); + + dc->desc = "ASPEED 2700 PCIe Config"; + apc->reg_ops = &aspeed_2700_pcie_cfg_ops; + apc->reg_map = &aspeed_2700_regmap; + apc->nr_regs = 0x100 >> 2; + apc->rc_msi_addr = 0x000000F0; + apc->rc_bus_nr = 0; +} + +static const TypeInfo aspeed_2700_pcie_cfg_info = { + .name = TYPE_ASPEED_2700_PCIE_CFG, + .parent = TYPE_ASPEED_PCIE_CFG, + .class_init = aspeed_2700_pcie_cfg_class_init, +}; + /* * PCIe PHY * @@ -847,6 +1004,7 @@ static void aspeed_pcie_register_types(void) type_register_static(&aspeed_pcie_root_device_info); type_register_static(&aspeed_pcie_root_port_info); type_register_static(&aspeed_pcie_cfg_info); + type_register_static(&aspeed_2700_pcie_cfg_info); type_register_static(&aspeed_pcie_phy_info); type_register_static(&aspeed_2700_pcie_phy_info); } diff --git a/include/hw/pci-host/aspeed_pcie.h b/include/hw/pci-host/aspeed_pcie.h index 5806505f30..be53ea96b9 100644 --- a/include/hw/pci-host/aspeed_pcie.h +++ b/include/hw/pci-host/aspeed_pcie.h @@ -87,6 +87,7 @@ struct AspeedPCIERcState { /* Bridge between AHB bus and PCIe RC. */ #define TYPE_ASPEED_PCIE_CFG "aspeed.pcie-cfg" +#define TYPE_ASPEED_2700_PCIE_CFG TYPE_ASPEED_PCIE_CFG "-ast2700" OBJECT_DECLARE_TYPE(AspeedPCIECfgState, AspeedPCIECfgClass, ASPEED_PCIE_CFG); struct AspeedPCIECfgState { @@ -98,6 +99,8 @@ struct AspeedPCIECfgState { const AspeedPCIERcRegs *rc_regs; AspeedPCIERcState rc; + uint32_t tlpn_fifo[3]; + uint32_t tlpn_idx; }; struct AspeedPCIECfgClass { From ac30597ee859ecaa4a87688fbd722bb5bfe80bd7 Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Fri, 19 Sep 2025 17:30:10 +0800 Subject: [PATCH 24/32] hw/pci-host/aspeed: Disable Root Device and place Root Port at 00:00.0 to AST2700 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit AST2700 does not implement a PCIe Root Device; each RC exposes a single PCIe Root Port at devfn 0:0.0. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-12-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/pci-host/aspeed_pcie.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/pci-host/aspeed_pcie.c b/hw/pci-host/aspeed_pcie.c index a757fd7ec8..f7593444fc 100644 --- a/hw/pci-host/aspeed_pcie.c +++ b/hw/pci-host/aspeed_pcie.c @@ -829,6 +829,8 @@ static void aspeed_2700_pcie_cfg_class_init(ObjectClass *klass, apc->nr_regs = 0x100 >> 2; apc->rc_msi_addr = 0x000000F0; apc->rc_bus_nr = 0; + apc->rc_has_rd = false; + apc->rc_rp_addr = PCI_DEVFN(0, 0); } static const TypeInfo aspeed_2700_pcie_cfg_info = { From 65996e84089459a4b52514a928988816e5c0bae0 Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Fri, 19 Sep 2025 17:30:11 +0800 Subject: [PATCH 25/32] hw/arm/aspeed_ast27x0: Introduce 3 PCIe RCs for AST2700 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add PCIe Root Complex support to the AST2700 SoC model. The AST2700 A1 silicon revision provides three PCIe Root Complexes: PCIe0 with its PHY at 0x12C15000, config (H2X) block at 0x120E0000, MMIO window at 0x60000000, and GIC IRQ 56. PCIe1 with its PHY at 0x12C15800, config (H2X) block at 0x120F0000, MMIO window at 0x80000000, and GIC IRQ 57. PCIe2 with its PHY at 0x14C1C000, config (H2X) block at 0x140D0000, MMIO window at 0xA0000000, and IRQ routed through INTC4 bit 31 mapped to GIC IRQ 196. Each RC instantiates a PHY device, a PCIe config (H2X) bridge, and an MMIO alias region. The per-RC MMIO alias size is 0x20000000. The AST2700 A0 silicon revision does not support PCIe Root Complexes, so pcie_num is set to 0 in that variant. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-13-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/arm/aspeed_ast27x0.c | 74 +++++++++++++++++++++++++++++++++++++ include/hw/arm/aspeed_soc.h | 1 + 2 files changed, 75 insertions(+) diff --git a/hw/arm/aspeed_ast27x0.c b/hw/arm/aspeed_ast27x0.c index 6aa3841b69..853339119f 100644 --- a/hw/arm/aspeed_ast27x0.c +++ b/hw/arm/aspeed_ast27x0.c @@ -38,6 +38,8 @@ static const hwaddr aspeed_soc_ast2700_memmap[] = { [ASPEED_DEV_EHCI2] = 0x12063000, [ASPEED_DEV_HACE] = 0x12070000, [ASPEED_DEV_EMMC] = 0x12090000, + [ASPEED_DEV_PCIE0] = 0x120E0000, + [ASPEED_DEV_PCIE1] = 0x120F0000, [ASPEED_DEV_INTC] = 0x12100000, [ASPEED_GIC_DIST] = 0x12200000, [ASPEED_GIC_REDIST] = 0x12280000, @@ -45,6 +47,8 @@ static const hwaddr aspeed_soc_ast2700_memmap[] = { [ASPEED_DEV_SCU] = 0x12C02000, [ASPEED_DEV_RTC] = 0x12C0F000, [ASPEED_DEV_TIMER1] = 0x12C10000, + [ASPEED_DEV_PCIE_PHY0] = 0x12C15000, + [ASPEED_DEV_PCIE_PHY1] = 0x12C15800, [ASPEED_DEV_SLI] = 0x12C17000, [ASPEED_DEV_UART4] = 0x12C1A000, [ASPEED_DEV_IOMEM1] = 0x14000000, @@ -59,6 +63,7 @@ static const hwaddr aspeed_soc_ast2700_memmap[] = { [ASPEED_DEV_ETH2] = 0x14060000, [ASPEED_DEV_ETH3] = 0x14070000, [ASPEED_DEV_SDHCI] = 0x14080000, + [ASPEED_DEV_PCIE2] = 0x140D0000, [ASPEED_DEV_EHCI3] = 0x14121000, [ASPEED_DEV_EHCI4] = 0x14123000, [ASPEED_DEV_ADC] = 0x14C00000, @@ -66,6 +71,7 @@ static const hwaddr aspeed_soc_ast2700_memmap[] = { [ASPEED_DEV_GPIO] = 0x14C0B000, [ASPEED_DEV_I2C] = 0x14C0F000, [ASPEED_DEV_INTCIO] = 0x14C18000, + [ASPEED_DEV_PCIE_PHY2] = 0x14C1C000, [ASPEED_DEV_SLIIO] = 0x14C1E000, [ASPEED_DEV_VUART] = 0x14C30000, [ASPEED_DEV_UART0] = 0x14C33000, @@ -81,6 +87,9 @@ static const hwaddr aspeed_soc_ast2700_memmap[] = { [ASPEED_DEV_UART11] = 0x14C33A00, [ASPEED_DEV_UART12] = 0x14C33B00, [ASPEED_DEV_WDT] = 0x14C37000, + [ASPEED_DEV_PCIE_MMIO0] = 0x60000000, + [ASPEED_DEV_PCIE_MMIO1] = 0x80000000, + [ASPEED_DEV_PCIE_MMIO2] = 0xA0000000, [ASPEED_DEV_SPI_BOOT] = 0x100000000, [ASPEED_DEV_LTPI] = 0x300000000, [ASPEED_DEV_SDRAM] = 0x400000000, @@ -156,6 +165,8 @@ static const int aspeed_soc_ast2700a1_irqmap[] = { [ASPEED_DEV_DP] = 28, [ASPEED_DEV_EHCI1] = 33, [ASPEED_DEV_EHCI2] = 37, + [ASPEED_DEV_PCIE0] = 56, + [ASPEED_DEV_PCIE1] = 57, [ASPEED_DEV_LPC] = 192, [ASPEED_DEV_IBT] = 192, [ASPEED_DEV_KCS] = 192, @@ -166,6 +177,7 @@ static const int aspeed_soc_ast2700a1_irqmap[] = { [ASPEED_DEV_WDT] = 195, [ASPEED_DEV_PWM] = 195, [ASPEED_DEV_I3C] = 195, + [ASPEED_DEV_PCIE2] = 196, [ASPEED_DEV_UART0] = 196, [ASPEED_DEV_UART1] = 196, [ASPEED_DEV_UART2] = 196, @@ -233,6 +245,7 @@ static const int ast2700_gic132_gic196_intcmap[] = { [ASPEED_DEV_UART12] = 18, [ASPEED_DEV_EHCI3] = 28, [ASPEED_DEV_EHCI4] = 29, + [ASPEED_DEV_PCIE2] = 31, }; /* GICINT 133 */ @@ -519,6 +532,17 @@ static void aspeed_soc_ast2700_init(Object *obj) snprintf(typename, sizeof(typename), "aspeed.hace-%s", socname); object_initialize_child(obj, "hace", &s->hace, typename); + + for (i = 0; i < sc->pcie_num; i++) { + snprintf(typename, sizeof(typename), "aspeed.pcie-phy-%s", socname); + object_initialize_child(obj, "pcie-phy[*]", &s->pcie_phy[i], typename); + object_property_set_int(OBJECT(&s->pcie_phy[i]), "id", i, &error_abort); + + snprintf(typename, sizeof(typename), "aspeed.pcie-cfg-%s", socname); + object_initialize_child(obj, "pcie-cfg[*]", &s->pcie[i], typename); + object_property_set_int(OBJECT(&s->pcie[i]), "id", i, &error_abort); + } + object_initialize_child(obj, "dpmcu", &s->dpmcu, TYPE_UNIMPLEMENTED_DEVICE); object_initialize_child(obj, "ltpi", &s->ltpi, @@ -610,6 +634,49 @@ static bool aspeed_soc_ast2700_gic_realize(DeviceState *dev, Error **errp) return true; } +static bool aspeed_soc_ast2700_pcie_realize(DeviceState *dev, Error **errp) +{ + AspeedSoCState *s = ASPEED_SOC(dev); + AspeedSoCClass *sc = ASPEED_SOC_GET_CLASS(s); + MemoryRegion *mmio_mr = NULL; + char name[64]; + qemu_irq irq; + int i; + + for (i = 0; i < sc->pcie_num; i++) { + if (!sysbus_realize(SYS_BUS_DEVICE(&s->pcie_phy[i]), errp)) { + return false; + } + aspeed_mmio_map(s, SYS_BUS_DEVICE(&s->pcie_phy[i]), 0, + sc->memmap[ASPEED_DEV_PCIE_PHY0 + i]); + + object_property_set_int(OBJECT(&s->pcie[i]), "dram-base", + sc->memmap[ASPEED_DEV_SDRAM], + &error_abort); + object_property_set_link(OBJECT(&s->pcie[i]), "dram", + OBJECT(s->dram_mr), &error_abort); + if (!sysbus_realize(SYS_BUS_DEVICE(&s->pcie[i]), errp)) { + return false; + } + aspeed_mmio_map(s, SYS_BUS_DEVICE(&s->pcie[i]), 0, + sc->memmap[ASPEED_DEV_PCIE0 + i]); + irq = aspeed_soc_get_irq(s, ASPEED_DEV_PCIE0 + i); + sysbus_connect_irq(SYS_BUS_DEVICE(&s->pcie[i].rc), 0, irq); + + mmio_mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->pcie[i].rc), 1); + snprintf(name, sizeof(name), "aspeed.pcie-mmio.%d", i); + memory_region_init_alias(&s->pcie_mmio_alias[i], OBJECT(&s->pcie[i].rc), + name, mmio_mr, + sc->memmap[ASPEED_DEV_PCIE_MMIO0 + i], + 0x20000000); + memory_region_add_subregion(s->memory, + sc->memmap[ASPEED_DEV_PCIE_MMIO0 + i], + &s->pcie_mmio_alias[i]); + } + + return true; +} + static void aspeed_soc_ast2700_realize(DeviceState *dev, Error **errp) { int i; @@ -936,6 +1003,11 @@ static void aspeed_soc_ast2700_realize(DeviceState *dev, Error **errp) sysbus_connect_irq(SYS_BUS_DEVICE(&s->hace), 0, aspeed_soc_get_irq(s, ASPEED_DEV_HACE)); + /* PCIe Root Complex (RC) */ + if (!aspeed_soc_ast2700_pcie_realize(dev, errp)) { + return; + } + aspeed_mmio_map_unimplemented(s, SYS_BUS_DEVICE(&s->dpmcu), "aspeed.dpmcu", sc->memmap[ASPEED_DEV_DPMCU], @@ -974,6 +1046,7 @@ static void aspeed_soc_ast2700a0_class_init(ObjectClass *oc, const void *data) sc->valid_cpu_types = valid_cpu_types; sc->silicon_rev = AST2700_A0_SILICON_REV; sc->sram_size = 0x20000; + sc->pcie_num = 0; sc->spis_num = 3; sc->ehcis_num = 2; sc->wdts_num = 8; @@ -1002,6 +1075,7 @@ static void aspeed_soc_ast2700a1_class_init(ObjectClass *oc, const void *data) sc->valid_cpu_types = valid_cpu_types; sc->silicon_rev = AST2700_A1_SILICON_REV; sc->sram_size = 0x20000; + sc->pcie_num = 3; sc->spis_num = 3; sc->ehcis_num = 4; sc->wdts_num = 8; diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h index a0cf433775..aaf518d179 100644 --- a/include/hw/arm/aspeed_soc.h +++ b/include/hw/arm/aspeed_soc.h @@ -186,6 +186,7 @@ struct AspeedSoCClass { uint32_t silicon_rev; uint64_t sram_size; uint64_t secsram_size; + int pcie_num; int spis_num; int ehcis_num; int wdts_num; From d43f6db6548c997263949d8908b62dbab5fbd0ff Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Fri, 19 Sep 2025 17:30:12 +0800 Subject: [PATCH 26/32] tests/functional/arm/test_aspeed_ast2600: Add PCIe and network test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Extend the AST2600 functional tests with PCIe and network checks. This patch introduces a new helper "do_ast2600_pcie_test()" that runs "lspci" on the emulated system and verifies the presence of the expected PCIe devices: - 80:00.0 Host bridge: ASPEED Technology, Inc. Device 2600 - 80:08.0 PCI bridge: ASPEED Technology, Inc. AST1150 PCI-to-PCI Bridge - 81:00.0 Ethernet controller: Intel Corporation 82574L Gigabit Network Connection To exercise the PCIe network device, the test adds: -device e1000e,netdev=net1,bus=pcie.0 -netdev user,id=net1 and assigns an IP address to the interface, verifying it with `ip addr`. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-14-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- tests/functional/arm/test_aspeed_ast2600.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/tests/functional/arm/test_aspeed_ast2600.py b/tests/functional/arm/test_aspeed_ast2600.py index 62949b0b4f..f655c0ba0c 100755 --- a/tests/functional/arm/test_aspeed_ast2600.py +++ b/tests/functional/arm/test_aspeed_ast2600.py @@ -101,8 +101,26 @@ class AST2600Machine(AspeedTest): 'https://github.com/AspeedTech-BMC/openbmc/releases/download/v09.07/ast2600-default-obmc.tar.gz', 'cb6c08595bcbba1672ce716b068ba4e48eda1ed9abe78a07b30392ba2278feba') + def do_ast2600_pcie_test(self): + exec_command_and_wait_for_pattern(self, + 'lspci -s 80:00.0', + '80:00.0 Host bridge: ' + 'ASPEED Technology, Inc. Device 2600') + exec_command_and_wait_for_pattern(self, + 'lspci -s 80:08.0', + '80:08.0 PCI bridge: ' + 'ASPEED Technology, Inc. AST1150 PCI-to-PCI Bridge') + exec_command_and_wait_for_pattern(self, + 'lspci -s 81:00.0', + '81:00.0 Ethernet controller: ' + 'Intel Corporation 82574L Gigabit Network Connection') + exec_command_and_wait_for_pattern(self, + 'ip addr show dev eth4', + 'inet 10.0.2.15/24') + def test_arm_ast2600_evb_sdk(self): self.set_machine('ast2600-evb') + self.require_netdev('user') self.archive_extract(self.ASSET_SDK_V907_AST2600) @@ -110,6 +128,8 @@ class AST2600Machine(AspeedTest): 'tmp105,bus=aspeed.i2c.bus.5,address=0x4d,id=tmp-test') self.vm.add_args('-device', 'ds1338,bus=aspeed.i2c.bus.5,address=0x32') + self.vm.add_args('-device', 'e1000e,netdev=net1,bus=pcie.0') + self.vm.add_args('-netdev', 'user,id=net1') self.do_test_arm_aspeed_sdk_start( self.scratch_file("ast2600-default", "image-bmc")) @@ -135,6 +155,7 @@ class AST2600Machine(AspeedTest): year = time.strftime("%Y") exec_command_and_wait_for_pattern(self, '/sbin/hwclock -f /dev/rtc1', year) + self.do_ast2600_pcie_test() def test_arm_ast2600_otp_blockdev_device(self): self.vm.set_machine("ast2600-evb") From f821557f4f7fc8ff7ed5c1950e6a12cfe47cdac5 Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Thu, 25 Sep 2025 13:05:27 +0800 Subject: [PATCH 27/32] hw/arm/aspeed: Move aspeed_board_init_flashes() to common SoC code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Relocate aspeed_board_init_flashes() from hw/arm/aspeed.c into hw/arm/aspeed_soc_common.c so the helper can be reused by all ASPEED machines. The API was already declared in include/hw/arm/aspeed_soc.h; this change moves its implementation out of the machine file to keep aspeed.c cleaner. No functional change. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250925050535.2657256-2-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/arm/aspeed.c | 22 ---------------------- hw/arm/aspeed_soc_common.c | 23 +++++++++++++++++++++++ 2 files changed, 23 insertions(+), 22 deletions(-) diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c index d21b21965a..55f0afe0a4 100644 --- a/hw/arm/aspeed.c +++ b/hw/arm/aspeed.c @@ -337,28 +337,6 @@ static void aspeed_load_vbootrom(AspeedMachineState *bmc, const char *bios_name, } } -void aspeed_board_init_flashes(AspeedSMCState *s, const char *flashtype, - unsigned int count, int unit0) -{ - int i; - - if (!flashtype) { - return; - } - - for (i = 0; i < count; ++i) { - DriveInfo *dinfo = drive_get(IF_MTD, 0, unit0 + i); - DeviceState *dev; - - dev = qdev_new(flashtype); - if (dinfo) { - qdev_prop_set_drive(dev, "drive", blk_by_legacy_dinfo(dinfo)); - } - qdev_prop_set_uint8(dev, "cs", i); - qdev_realize_and_unref(dev, BUS(s->spi), &error_fatal); - } -} - static void sdhci_attach_drive(SDHCIState *sdhci, DriveInfo *dinfo, bool emmc, bool boot_emmc) { diff --git a/hw/arm/aspeed_soc_common.c b/hw/arm/aspeed_soc_common.c index 1c4ac93a0f..31b1e683c3 100644 --- a/hw/arm/aspeed_soc_common.c +++ b/hw/arm/aspeed_soc_common.c @@ -16,6 +16,7 @@ #include "hw/misc/unimp.h" #include "hw/arm/aspeed_soc.h" #include "hw/char/serial-mm.h" +#include "system/blockdev.h" const char *aspeed_soc_cpu_type(AspeedSoCClass *sc) @@ -124,6 +125,28 @@ void aspeed_mmio_map_unimplemented(AspeedSoCState *s, SysBusDevice *dev, sysbus_mmio_get_region(dev, 0), -1000); } +void aspeed_board_init_flashes(AspeedSMCState *s, const char *flashtype, + unsigned int count, int unit0) +{ + int i; + + if (!flashtype) { + return; + } + + for (i = 0; i < count; ++i) { + DriveInfo *dinfo = drive_get(IF_MTD, 0, unit0 + i); + DeviceState *dev; + + dev = qdev_new(flashtype); + if (dinfo) { + qdev_prop_set_drive(dev, "drive", blk_by_legacy_dinfo(dinfo)); + } + qdev_prop_set_uint8(dev, "cs", i); + qdev_realize_and_unref(dev, BUS(s->spi), &error_fatal); + } +} + static void aspeed_soc_realize(DeviceState *dev, Error **errp) { AspeedSoCState *s = ASPEED_SOC(dev); From 597165ec2fb018be8aa7cefa5e3424c39fcec226 Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Thu, 25 Sep 2025 13:05:28 +0800 Subject: [PATCH 28/32] hw/arm/aspeed: Move write_boot_rom to common SoC code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move the write_boot_rom helper from hw/arm/aspeed.c into hw/arm/aspeed_soc_common.c so it can be reused by all ASPEED machines. Export the API as aspeed_write_boot_rom() in include/hw/arm/aspeed_soc.h and update the existing call site to use the new helper. No functional change. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250925050535.2657256-3-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/arm/aspeed.c | 33 ++------------------------------- hw/arm/aspeed_soc_common.c | 31 +++++++++++++++++++++++++++++++ include/hw/arm/aspeed_soc.h | 2 ++ 3 files changed, 35 insertions(+), 31 deletions(-) diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c index 55f0afe0a4..4d0d935836 100644 --- a/hw/arm/aspeed.c +++ b/hw/arm/aspeed.c @@ -263,35 +263,6 @@ static void aspeed_reset_secondary(ARMCPU *cpu, cpu_set_pc(cs, info->smp_loader_start); } -static void write_boot_rom(BlockBackend *blk, hwaddr addr, size_t rom_size, - Error **errp) -{ - g_autofree void *storage = NULL; - int64_t size; - - /* - * The block backend size should have already been 'validated' by - * the creation of the m25p80 object. - */ - size = blk_getlength(blk); - if (size <= 0) { - error_setg(errp, "failed to get flash size"); - return; - } - - if (rom_size > size) { - rom_size = size; - } - - storage = g_malloc0(rom_size); - if (blk_pread(blk, 0, rom_size, storage, 0) < 0) { - error_setg(errp, "failed to read the initial flash content"); - return; - } - - rom_add_blob_fixed("aspeed.boot_rom", storage, rom_size, addr); -} - /* * Create a ROM and copy the flash contents at the expected address * (0x0). Boots faster than execute-in-place. @@ -306,8 +277,8 @@ static void aspeed_install_boot_rom(AspeedMachineState *bmc, BlockBackend *blk, &error_abort); memory_region_add_subregion_overlap(&soc->spi_boot_container, 0, &bmc->boot_rom, 1); - write_boot_rom(blk, sc->memmap[ASPEED_DEV_SPI_BOOT], - rom_size, &error_abort); + aspeed_write_boot_rom(blk, sc->memmap[ASPEED_DEV_SPI_BOOT], rom_size, + &error_abort); } #define VBOOTROM_FILE_NAME "ast27x0_bootrom.bin" diff --git a/hw/arm/aspeed_soc_common.c b/hw/arm/aspeed_soc_common.c index 31b1e683c3..d0a400725f 100644 --- a/hw/arm/aspeed_soc_common.c +++ b/hw/arm/aspeed_soc_common.c @@ -17,6 +17,8 @@ #include "hw/arm/aspeed_soc.h" #include "hw/char/serial-mm.h" #include "system/blockdev.h" +#include "system/block-backend.h" +#include "hw/loader.h" const char *aspeed_soc_cpu_type(AspeedSoCClass *sc) @@ -147,6 +149,35 @@ void aspeed_board_init_flashes(AspeedSMCState *s, const char *flashtype, } } +void aspeed_write_boot_rom(BlockBackend *blk, hwaddr addr, size_t rom_size, + Error **errp) +{ + g_autofree void *storage = NULL; + int64_t size; + + /* + * The block backend size should have already been 'validated' by + * the creation of the m25p80 object. + */ + size = blk_getlength(blk); + if (size <= 0) { + error_setg(errp, "failed to get flash size"); + return; + } + + if (rom_size > size) { + rom_size = size; + } + + storage = g_malloc0(rom_size); + if (blk_pread(blk, 0, rom_size, storage, 0) < 0) { + error_setg(errp, "failed to read the initial flash content"); + return; + } + + rom_add_blob_fixed("aspeed.boot_rom", storage, rom_size, addr); +} + static void aspeed_soc_realize(DeviceState *dev, Error **errp) { AspeedSoCState *s = ASPEED_SOC(dev); diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h index aaf518d179..5567bdcb69 100644 --- a/include/hw/arm/aspeed_soc.h +++ b/include/hw/arm/aspeed_soc.h @@ -312,6 +312,8 @@ void aspeed_mmio_map_unimplemented(AspeedSoCState *s, SysBusDevice *dev, uint64_t size); void aspeed_board_init_flashes(AspeedSMCState *s, const char *flashtype, unsigned int count, int unit0); +void aspeed_write_boot_rom(BlockBackend *blk, hwaddr addr, size_t rom_size, + Error **errp); static inline int aspeed_uart_index(int uart_dev) { From a705e9997fd571427fc72d88c1235b1e2bd0c6fb Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Thu, 25 Sep 2025 13:05:29 +0800 Subject: [PATCH 29/32] hw/arm/aspeed: Move aspeed_install_boot_rom to common SoC code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move the boot ROM install helper into common SoC code so it can be reused by all ASPEED boards, and decouple the API from AspeedMachineState. Specifically: - Move aspeed_install_boot_rom() to hw/arm/aspeed_soc_common.c and declare it in include/hw/arm/aspeed_soc.h. - Change the helper’s signature to take AspeedSoCState * and a MemoryRegion * provided by the caller, instead of AspeedMachineState *. - Update aspeed_machine_init() call sites accordingly. No functional change. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250925050535.2657256-4-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/arm/aspeed.c | 23 +++-------------------- hw/arm/aspeed_soc_common.c | 17 +++++++++++++++++ include/hw/arm/aspeed_soc.h | 2 ++ 3 files changed, 22 insertions(+), 20 deletions(-) diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c index 4d0d935836..429f4c6d77 100644 --- a/hw/arm/aspeed.c +++ b/hw/arm/aspeed.c @@ -263,24 +263,6 @@ static void aspeed_reset_secondary(ARMCPU *cpu, cpu_set_pc(cs, info->smp_loader_start); } -/* - * Create a ROM and copy the flash contents at the expected address - * (0x0). Boots faster than execute-in-place. - */ -static void aspeed_install_boot_rom(AspeedMachineState *bmc, BlockBackend *blk, - uint64_t rom_size) -{ - AspeedSoCState *soc = bmc->soc; - AspeedSoCClass *sc = ASPEED_SOC_GET_CLASS(soc); - - memory_region_init_rom(&bmc->boot_rom, NULL, "aspeed.boot_rom", rom_size, - &error_abort); - memory_region_add_subregion_overlap(&soc->spi_boot_container, 0, - &bmc->boot_rom, 1); - aspeed_write_boot_rom(blk, sc->memmap[ASPEED_DEV_SPI_BOOT], rom_size, - &error_abort); -} - #define VBOOTROM_FILE_NAME "ast27x0_bootrom.bin" /* @@ -460,9 +442,10 @@ static void aspeed_machine_init(MachineState *machine) if (fmc0 && !boot_emmc) { uint64_t rom_size = memory_region_size(&bmc->soc->spi_boot); - aspeed_install_boot_rom(bmc, fmc0, rom_size); + aspeed_install_boot_rom(bmc->soc, fmc0, &bmc->boot_rom, rom_size); } else if (emmc0) { - aspeed_install_boot_rom(bmc, blk_by_legacy_dinfo(emmc0), 64 * KiB); + aspeed_install_boot_rom(bmc->soc, blk_by_legacy_dinfo(emmc0), + &bmc->boot_rom, 64 * KiB); } } diff --git a/hw/arm/aspeed_soc_common.c b/hw/arm/aspeed_soc_common.c index d0a400725f..7f104f8de5 100644 --- a/hw/arm/aspeed_soc_common.c +++ b/hw/arm/aspeed_soc_common.c @@ -178,6 +178,23 @@ void aspeed_write_boot_rom(BlockBackend *blk, hwaddr addr, size_t rom_size, rom_add_blob_fixed("aspeed.boot_rom", storage, rom_size, addr); } +/* + * Create a ROM and copy the flash contents at the expected address + * (0x0). Boots faster than execute-in-place. + */ +void aspeed_install_boot_rom(AspeedSoCState *soc, BlockBackend *blk, + MemoryRegion *boot_rom, uint64_t rom_size) +{ + AspeedSoCClass *sc = ASPEED_SOC_GET_CLASS(soc); + + memory_region_init_rom(boot_rom, NULL, "aspeed.boot_rom", rom_size, + &error_abort); + memory_region_add_subregion_overlap(&soc->spi_boot_container, 0, + boot_rom, 1); + aspeed_write_boot_rom(blk, sc->memmap[ASPEED_DEV_SPI_BOOT], rom_size, + &error_abort); +} + static void aspeed_soc_realize(DeviceState *dev, Error **errp) { AspeedSoCState *s = ASPEED_SOC(dev); diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h index 5567bdcb69..aea210a8e2 100644 --- a/include/hw/arm/aspeed_soc.h +++ b/include/hw/arm/aspeed_soc.h @@ -314,6 +314,8 @@ void aspeed_board_init_flashes(AspeedSMCState *s, const char *flashtype, unsigned int count, int unit0); void aspeed_write_boot_rom(BlockBackend *blk, hwaddr addr, size_t rom_size, Error **errp); +void aspeed_install_boot_rom(AspeedSoCState *soc, BlockBackend *blk, + MemoryRegion *boot_rom, uint64_t rom_size); static inline int aspeed_uart_index(int uart_dev) { From ecabf8ba94961a23f473e7060f8589e93967cfd2 Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Thu, 25 Sep 2025 13:05:30 +0800 Subject: [PATCH 30/32] hw/arm/aspeed: Move aspeed_load_vbootrom to common SoC code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move the vbootrom loader helper into common SoC code so it can be reused by all ASPEED boards, and decouple the API from AspeedMachineState. Specifically: - Move aspeed_load_vbootrom() to hw/arm/aspeed_soc_common.c and declare it in include/hw/arm/aspeed_soc.h. - Change the helper’s signature to take AspeedSoCState * instead of AspeedMachineState *. - Update aspeed_machine_init() call sites accordingly. No functional change. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250925050535.2657256-5-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/arm/aspeed.c | 31 +------------------------------ hw/arm/aspeed_soc_common.c | 25 +++++++++++++++++++++++++ include/hw/arm/aspeed_soc.h | 4 ++++ 3 files changed, 30 insertions(+), 30 deletions(-) diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c index 429f4c6d77..6046ec0bb2 100644 --- a/hw/arm/aspeed.c +++ b/hw/arm/aspeed.c @@ -26,9 +26,7 @@ #include "hw/qdev-properties.h" #include "system/block-backend.h" #include "system/reset.h" -#include "hw/loader.h" #include "qemu/error-report.h" -#include "qemu/datadir.h" #include "qemu/units.h" #include "hw/qdev-clock.h" #include "system/system.h" @@ -263,33 +261,6 @@ static void aspeed_reset_secondary(ARMCPU *cpu, cpu_set_pc(cs, info->smp_loader_start); } -#define VBOOTROM_FILE_NAME "ast27x0_bootrom.bin" - -/* - * This function locates the vbootrom image file specified via the command line - * using the -bios option. It loads the specified image into the vbootrom - * memory region and handles errors if the file cannot be found or loaded. - */ -static void aspeed_load_vbootrom(AspeedMachineState *bmc, const char *bios_name, - Error **errp) -{ - g_autofree char *filename = NULL; - AspeedSoCState *soc = bmc->soc; - int ret; - - filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name); - if (!filename) { - error_setg(errp, "Could not find vbootrom image '%s'", bios_name); - return; - } - - ret = load_image_mr(filename, &soc->vbootrom); - if (ret < 0) { - error_setg(errp, "Failed to load vbootrom image '%s'", bios_name); - return; - } -} - static void sdhci_attach_drive(SDHCIState *sdhci, DriveInfo *dinfo, bool emmc, bool boot_emmc) { @@ -451,7 +422,7 @@ static void aspeed_machine_init(MachineState *machine) if (amc->vbootrom) { bios_name = machine->firmware ?: VBOOTROM_FILE_NAME; - aspeed_load_vbootrom(bmc, bios_name, &error_abort); + aspeed_load_vbootrom(bmc->soc, bios_name, &error_abort); } arm_load_kernel(ARM_CPU(first_cpu), machine, &aspeed_board_binfo); diff --git a/hw/arm/aspeed_soc_common.c b/hw/arm/aspeed_soc_common.c index 7f104f8de5..bc70e864fb 100644 --- a/hw/arm/aspeed_soc_common.c +++ b/hw/arm/aspeed_soc_common.c @@ -19,6 +19,7 @@ #include "system/blockdev.h" #include "system/block-backend.h" #include "hw/loader.h" +#include "qemu/datadir.h" const char *aspeed_soc_cpu_type(AspeedSoCClass *sc) @@ -195,6 +196,30 @@ void aspeed_install_boot_rom(AspeedSoCState *soc, BlockBackend *blk, &error_abort); } +/* + * This function locates the vbootrom image file specified via the command line + * using the -bios option. It loads the specified image into the vbootrom + * memory region and handles errors if the file cannot be found or loaded. + */ +void aspeed_load_vbootrom(AspeedSoCState *soc, const char *bios_name, + Error **errp) +{ + g_autofree char *filename = NULL; + int ret; + + filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name); + if (!filename) { + error_setg(errp, "Could not find vbootrom image '%s'", bios_name); + return; + } + + ret = load_image_mr(filename, &soc->vbootrom); + if (ret < 0) { + error_setg(errp, "Failed to load vbootrom image '%s'", bios_name); + return; + } +} + static void aspeed_soc_realize(DeviceState *dev, Error **errp) { AspeedSoCState *s = ASPEED_SOC(dev); diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h index aea210a8e2..ed32efb543 100644 --- a/include/hw/arm/aspeed_soc.h +++ b/include/hw/arm/aspeed_soc.h @@ -43,6 +43,8 @@ #include "hw/char/serial-mm.h" #include "hw/intc/arm_gicv3.h" +#define VBOOTROM_FILE_NAME "ast27x0_bootrom.bin" + #define ASPEED_SPIS_NUM 3 #define ASPEED_EHCIS_NUM 4 #define ASPEED_WDTS_NUM 8 @@ -316,6 +318,8 @@ void aspeed_write_boot_rom(BlockBackend *blk, hwaddr addr, size_t rom_size, Error **errp); void aspeed_install_boot_rom(AspeedSoCState *soc, BlockBackend *blk, MemoryRegion *boot_rom, uint64_t rom_size); +void aspeed_load_vbootrom(AspeedSoCState *soc, const char *bios_name, + Error **errp); static inline int aspeed_uart_index(int uart_dev) { From 8d3aaefdb3bb13df7c57091a4319f3afe3c351ac Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Thu, 25 Sep 2025 13:05:31 +0800 Subject: [PATCH 31/32] hw/arm/aspeed_ast27x0-fc: Drop dead return checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1. object_property_set_link() can return false only when it fails, and it sets an error when it fails. Since passing &error_abort causes an abort, the function never returns false, and the return statement is effectively dead code. 2. object_property_set_int() is considered as a routine which shouldn't fail. So the common practice in models is to pass &error_abort and ignore the returned value. https://patchwork.kernel.org/project/qemu-devel/patch/20250717034054.1903991-3-jamin_lin@aspeedtech.com/#26540626 No functional change. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250925050535.2657256-6-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/arm/aspeed_ast27x0-fc.c | 43 +++++++++++++------------------------- 1 file changed, 14 insertions(+), 29 deletions(-) diff --git a/hw/arm/aspeed_ast27x0-fc.c b/hw/arm/aspeed_ast27x0-fc.c index 7087be4288..ebf3784df5 100644 --- a/hw/arm/aspeed_ast27x0-fc.c +++ b/hw/arm/aspeed_ast27x0-fc.c @@ -74,19 +74,12 @@ static void ast2700fc_ca35_init(MachineState *machine) AST2700FC_BMC_RAM_SIZE, &error_abort)) { return; } - if (!object_property_set_link(OBJECT(&s->ca35), "memory", - OBJECT(&s->ca35_memory), - &error_abort)) { - return; - }; - if (!object_property_set_link(OBJECT(&s->ca35), "dram", - OBJECT(&s->ca35_dram), &error_abort)) { - return; - } - if (!object_property_set_int(OBJECT(&s->ca35), "ram-size", - AST2700FC_BMC_RAM_SIZE, &error_abort)) { - return; - } + object_property_set_link(OBJECT(&s->ca35), "memory", + OBJECT(&s->ca35_memory), &error_abort); + object_property_set_link(OBJECT(&s->ca35), "dram", OBJECT(&s->ca35_dram), + &error_abort); + object_property_set_int(OBJECT(&s->ca35), "ram-size", + AST2700FC_BMC_RAM_SIZE, &error_abort); for (int i = 0; i < sc->macs_num; i++) { if (!qemu_configure_nic_device(DEVICE(&soc->ftgmac100[i]), @@ -94,14 +87,10 @@ static void ast2700fc_ca35_init(MachineState *machine) break; } } - if (!object_property_set_int(OBJECT(&s->ca35), "hw-strap1", - AST2700FC_HW_STRAP1, &error_abort)) { - return; - } - if (!object_property_set_int(OBJECT(&s->ca35), "hw-strap2", - AST2700FC_HW_STRAP2, &error_abort)) { - return; - } + object_property_set_int(OBJECT(&s->ca35), "hw-strap1", + AST2700FC_HW_STRAP1, &error_abort); + object_property_set_int(OBJECT(&s->ca35), "hw-strap2", + AST2700FC_HW_STRAP2, &error_abort); aspeed_soc_uart_set_chr(soc, ASPEED_DEV_UART12, serial_hd(0)); if (!qdev_realize(DEVICE(&s->ca35), NULL, &error_abort)) { return; @@ -133,10 +122,8 @@ static void ast2700fc_ssp_init(MachineState *machine) UINT64_MAX); qdev_connect_clock_in(DEVICE(&s->ssp), "sysclk", s->ssp_sysclk); - if (!object_property_set_link(OBJECT(&s->ssp), "memory", - OBJECT(&s->ssp_memory), &error_abort)) { - return; - } + object_property_set_link(OBJECT(&s->ssp), "memory", + OBJECT(&s->ssp_memory), &error_abort); soc = ASPEED_SOC(&s->ssp); aspeed_soc_uart_set_chr(soc, ASPEED_DEV_UART4, serial_hd(1)); @@ -157,10 +144,8 @@ static void ast2700fc_tsp_init(MachineState *machine) UINT64_MAX); qdev_connect_clock_in(DEVICE(&s->tsp), "sysclk", s->tsp_sysclk); - if (!object_property_set_link(OBJECT(&s->tsp), "memory", - OBJECT(&s->tsp_memory), &error_abort)) { - return; - } + object_property_set_link(OBJECT(&s->tsp), "memory", + OBJECT(&s->tsp_memory), &error_abort); soc = ASPEED_SOC(&s->tsp); aspeed_soc_uart_set_chr(soc, ASPEED_DEV_UART7, serial_hd(2)); From 9ec30a07483640ecb8417fce3dfa9273f7a036c9 Mon Sep 17 00:00:00 2001 From: Jamin Lin Date: Thu, 25 Sep 2025 13:05:32 +0800 Subject: [PATCH 32/32] hw/arm/aspeed_ast27x0-fc: Make sub-init functions return bool with errp MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Refactor ast2700fc_ca35_init(), ast2700fc_ssp_init(), and ast2700fc_tsp_init() to take an Error **errp parameter and return a bool. Each function now reports failure through the error object and returns false. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250925050535.2657256-7-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/arm/aspeed_ast27x0-fc.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/hw/arm/aspeed_ast27x0-fc.c b/hw/arm/aspeed_ast27x0-fc.c index ebf3784df5..2e16a0340a 100644 --- a/hw/arm/aspeed_ast27x0-fc.c +++ b/hw/arm/aspeed_ast27x0-fc.c @@ -56,7 +56,7 @@ struct Ast2700FCState { #define AST2700FC_FMC_MODEL "w25q01jvq" #define AST2700FC_SPI_MODEL "w25q512jv" -static void ast2700fc_ca35_init(MachineState *machine) +static bool ast2700fc_ca35_init(MachineState *machine, Error **errp) { Ast2700FCState *s = AST2700A1FC(machine); AspeedSoCState *soc; @@ -71,8 +71,8 @@ static void ast2700fc_ca35_init(MachineState *machine) memory_region_add_subregion(get_system_memory(), 0, &s->ca35_memory); if (!memory_region_init_ram(&s->ca35_dram, OBJECT(&s->ca35), "ca35-dram", - AST2700FC_BMC_RAM_SIZE, &error_abort)) { - return; + AST2700FC_BMC_RAM_SIZE, errp)) { + return false; } object_property_set_link(OBJECT(&s->ca35), "memory", OBJECT(&s->ca35_memory), &error_abort); @@ -92,8 +92,8 @@ static void ast2700fc_ca35_init(MachineState *machine) object_property_set_int(OBJECT(&s->ca35), "hw-strap2", AST2700FC_HW_STRAP2, &error_abort); aspeed_soc_uart_set_chr(soc, ASPEED_DEV_UART12, serial_hd(0)); - if (!qdev_realize(DEVICE(&s->ca35), NULL, &error_abort)) { - return; + if (!qdev_realize(DEVICE(&s->ca35), NULL, errp)) { + return false; } /* @@ -108,9 +108,11 @@ static void ast2700fc_ca35_init(MachineState *machine) ast2700fc_board_info.loader_start = sc->memmap[ASPEED_DEV_SDRAM]; arm_load_kernel(ARM_CPU(first_cpu), machine, &ast2700fc_board_info); + + return true; } -static void ast2700fc_ssp_init(MachineState *machine) +static bool ast2700fc_ssp_init(MachineState *machine, Error **errp) { AspeedSoCState *soc; Ast2700FCState *s = AST2700A1FC(machine); @@ -127,12 +129,14 @@ static void ast2700fc_ssp_init(MachineState *machine) soc = ASPEED_SOC(&s->ssp); aspeed_soc_uart_set_chr(soc, ASPEED_DEV_UART4, serial_hd(1)); - if (!qdev_realize(DEVICE(&s->ssp), NULL, &error_abort)) { - return; + if (!qdev_realize(DEVICE(&s->ssp), NULL, errp)) { + return false; } + + return true; } -static void ast2700fc_tsp_init(MachineState *machine) +static bool ast2700fc_tsp_init(MachineState *machine, Error **errp) { AspeedSoCState *soc; Ast2700FCState *s = AST2700A1FC(machine); @@ -149,16 +153,18 @@ static void ast2700fc_tsp_init(MachineState *machine) soc = ASPEED_SOC(&s->tsp); aspeed_soc_uart_set_chr(soc, ASPEED_DEV_UART7, serial_hd(2)); - if (!qdev_realize(DEVICE(&s->tsp), NULL, &error_abort)) { - return; + if (!qdev_realize(DEVICE(&s->tsp), NULL, errp)) { + return false; } + + return true; } static void ast2700fc_init(MachineState *machine) { - ast2700fc_ca35_init(machine); - ast2700fc_ssp_init(machine); - ast2700fc_tsp_init(machine); + ast2700fc_ca35_init(machine, &error_abort); + ast2700fc_ssp_init(machine, &error_abort); + ast2700fc_tsp_init(machine, &error_abort); } static void ast2700fc_class_init(ObjectClass *oc, const void *data)