From 5d7148ae8c0f881425badb9b624e2d44efcdc0be Mon Sep 17 00:00:00 2001 From: Pierrick Bouvier Date: Wed, 8 Oct 2025 14:55:01 -0700 Subject: [PATCH 01/76] tests/functional: update tests using TF-A/TF-RMM to support FEAT_GCS Signed-off-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-2-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- tests/functional/aarch64/test_device_passthrough.py | 4 ++-- tests/functional/aarch64/test_rme_sbsaref.py | 4 ++-- tests/functional/aarch64/test_rme_virt.py | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/functional/aarch64/test_device_passthrough.py b/tests/functional/aarch64/test_device_passthrough.py index 17437784bb..05a3f52d5e 100755 --- a/tests/functional/aarch64/test_device_passthrough.py +++ b/tests/functional/aarch64/test_device_passthrough.py @@ -85,8 +85,8 @@ class Aarch64DevicePassthrough(QemuSystemTest): # https://docs.kernel.org/driver-api/vfio.html#vfio-device-cde ASSET_DEVICE_PASSTHROUGH_STACK = Asset( ('https://github.com/pbo-linaro/qemu-linux-stack/' - 'releases/download/build/device_passthrough-c3fb84a.tar.xz'), - '15ac2b02bed0c0ea8e3e007de0bcfdaf6fd51c1ba98213f841dc7d01d6f72f04') + 'releases/download/build/device_passthrough-a9612a2.tar.xz'), + 'f7d2f70912e7231986e6e293e1a2c4786dd02bec113a7acb6bfc619e96155455') # This tests the device passthrough implementation, by booting a VM # supporting it with two nvme disks attached, and launching a nested VM diff --git a/tests/functional/aarch64/test_rme_sbsaref.py b/tests/functional/aarch64/test_rme_sbsaref.py index ca892e0a8c..6f92858397 100755 --- a/tests/functional/aarch64/test_rme_sbsaref.py +++ b/tests/functional/aarch64/test_rme_sbsaref.py @@ -25,8 +25,8 @@ class Aarch64RMESbsaRefMachine(QemuSystemTest): # ./build.sh && ./archive_artifacts.sh out.tar.xz ASSET_RME_STACK_SBSA = Asset( ('https://github.com/pbo-linaro/qemu-linux-stack/' - 'releases/download/build/rme_sbsa_release-a7f02cf.tar.xz'), - '27d8400b11befb828d6db0cab97e7ae102d0992c928d3dfbf38b24b6cf6c324c') + 'releases/download/build/rme_sbsa_release-6a2dfc5.tar.xz'), + '5adba482aa069912292a8da746c6b21268224d9d81c97fe7c0bed690579ebdcb') # This tests the FEAT_RME cpu implementation, by booting a VM supporting it, # and launching a nested VM using it. diff --git a/tests/functional/aarch64/test_rme_virt.py b/tests/functional/aarch64/test_rme_virt.py index bb603aaa26..5e23773f93 100755 --- a/tests/functional/aarch64/test_rme_virt.py +++ b/tests/functional/aarch64/test_rme_virt.py @@ -23,8 +23,8 @@ class Aarch64RMEVirtMachine(QemuSystemTest): # ./build.sh && ./archive_artifacts.sh out.tar.xz ASSET_RME_STACK_VIRT = Asset( ('https://github.com/pbo-linaro/qemu-linux-stack/' - 'releases/download/build/rme_release-86101e5.tar.xz'), - 'e42fef8439badb52a071ac446fc33cff4cb7d61314c7a28fdbe61a11e1faad3a') + 'releases/download/build/rme_release-56bc99e.tar.xz'), + '0e3dc6b8a4b828dbae09c951a40dcb710eded084b32432b50c69cf4173ffa4be') # This tests the FEAT_RME cpu implementation, by booting a VM supporting it, # and launching a nested VM using it. From c817b325c16bee80a130e30c756021da95745b9e Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:02 -0700 Subject: [PATCH 02/76] target/arm: Add isar feature test for FEAT_S1PIE, FEAT_S2PIE Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-3-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpu-features.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/target/arm/cpu-features.h b/target/arm/cpu-features.h index f59c18b6ef..f3e90408f7 100644 --- a/target/arm/cpu-features.h +++ b/target/arm/cpu-features.h @@ -1349,6 +1349,16 @@ static inline bool isar_feature_aa64_sctlr2(const ARMISARegisters *id) return FIELD_EX64_IDREG(id, ID_AA64MMFR3, SCTLRX) != 0; } +static inline bool isar_feature_aa64_s1pie(const ARMISARegisters *id) +{ + return FIELD_EX64_IDREG(id, ID_AA64MMFR3, S1PIE) != 0; +} + +static inline bool isar_feature_aa64_s2pie(const ARMISARegisters *id) +{ + return FIELD_EX64_IDREG(id, ID_AA64MMFR3, S2PIE) != 0; +} + static inline bool isar_feature_aa64_pmuv3p1(const ARMISARegisters *id) { return FIELD_EX64_IDREG(id, ID_AA64DFR0, PMUVER) >= 4 && From 48669f526deae089f23f75638819e7bb90c57d32 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:03 -0700 Subject: [PATCH 03/76] target/arm: Enable TCR2_ELx.PIE Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-4-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/helper.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/target/arm/helper.c b/target/arm/helper.c index b7bf45afc1..c9ebdf144e 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -5902,8 +5902,12 @@ static CPAccessResult tcr2_el1_access(CPUARMState *env, const ARMCPRegInfo *ri, static void tcr2_el1_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) { + ARMCPU *cpu = env_archcpu(env); uint64_t valid_mask = 0; + if (cpu_isar_feature(aa64_s1pie, cpu)) { + valid_mask |= TCR2_PIE; + } value &= valid_mask; raw_write(env, ri, value); } @@ -5911,8 +5915,12 @@ static void tcr2_el1_write(CPUARMState *env, const ARMCPRegInfo *ri, static void tcr2_el2_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) { + ARMCPU *cpu = env_archcpu(env); uint64_t valid_mask = 0; + if (cpu_isar_feature(aa64_s1pie, cpu)) { + valid_mask |= TCR2_PIE; + } value &= valid_mask; raw_write(env, ri, value); } From 0277e0652b663770bb42113ed3fea1ea0dfeaf19 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:04 -0700 Subject: [PATCH 04/76] target/arm: Implement PIR_ELx, PIRE0_ELx, S2PIR_EL2 registers Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-5-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpregs.h | 2 ++ target/arm/cpu.c | 4 +++ target/arm/cpu.h | 4 +++ target/arm/helper.c | 69 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 79 insertions(+) diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h index 57fde5f57a..f48c4df30f 100644 --- a/target/arm/cpregs.h +++ b/target/arm/cpregs.h @@ -781,6 +781,8 @@ typedef enum FGTBit { DO_BIT(HFGRTR, ERRIDR_EL1), DO_REV_BIT(HFGRTR, NSMPRI_EL1), DO_REV_BIT(HFGRTR, NTPIDR2_EL0), + DO_REV_BIT(HFGRTR, NPIRE0_EL1), + DO_REV_BIT(HFGRTR, NPIR_EL1), /* Trap bits in HDFGRTR_EL2 / HDFGWTR_EL2, starting from bit 0. */ DO_BIT(HDFGRTR, DBGBCRN_EL1), diff --git a/target/arm/cpu.c b/target/arm/cpu.c index 30e29fd315..9bca1b8eae 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -641,6 +641,10 @@ void arm_emulate_firmware_reset(CPUState *cpustate, int target_el) if (cpu_isar_feature(aa64_sctlr2, cpu)) { env->cp15.scr_el3 |= SCR_SCTLR2EN; } + if (cpu_isar_feature(aa64_s1pie, cpu) || + cpu_isar_feature(aa64_s2pie, cpu)) { + env->cp15.scr_el3 |= SCR_PIEN; + } } if (target_el == 2) { diff --git a/target/arm/cpu.h b/target/arm/cpu.h index 41414ac22b..c9ea160d03 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -368,6 +368,9 @@ typedef struct CPUArchState { uint64_t tcr2_el[3]; uint64_t vtcr_el2; /* Virtualization Translation Control. */ uint64_t vstcr_el2; /* Secure Virtualization Translation Control. */ + uint64_t pir_el[4]; /* PIRE0_EL1, PIR_EL1, PIR_EL2, PIR_EL3 */ + uint64_t pire0_el2; + uint64_t s2pir_el2; uint32_t c2_data; /* MPU data cacheable bits. */ uint32_t c2_insn; /* MPU instruction cacheable bits. */ union { /* MMU domain access control register @@ -1720,6 +1723,7 @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask) #define SCR_ENTP2 (1ULL << 41) #define SCR_TCR2EN (1ULL << 43) #define SCR_SCTLR2EN (1ULL << 44) +#define SCR_PIEN (1ULL << 45) #define SCR_GPF (1ULL << 48) #define SCR_NSE (1ULL << 62) diff --git a/target/arm/helper.c b/target/arm/helper.c index c9ebdf144e..20a189ef4f 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -770,6 +770,10 @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) if (cpu_isar_feature(aa64_sctlr2, cpu)) { valid_mask |= SCR_SCTLR2EN; } + if (cpu_isar_feature(aa64_s1pie, cpu) || + cpu_isar_feature(aa64_s2pie, cpu)) { + valid_mask |= SCR_PIEN; + } } else { valid_mask &= ~(SCR_RW | SCR_ST); if (cpu_isar_feature(aa32_ras, cpu)) { @@ -5941,6 +5945,64 @@ static const ARMCPRegInfo tcr2_reginfo[] = { .fieldoffset = offsetof(CPUARMState, cp15.tcr2_el[2]) }, }; +static CPAccessResult pien_access(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) +{ + if (arm_feature(env, ARM_FEATURE_EL3) + && !(env->cp15.scr_el3 & SCR_PIEN) + && arm_current_el(env) < 3) { + return CP_ACCESS_TRAP_EL3; + } + return CP_ACCESS_OK; +} + +static CPAccessResult pien_el1_access(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) +{ + CPAccessResult ret = access_tvm_trvm(env, ri, isread); + if (ret == CP_ACCESS_OK) { + ret = pien_access(env, ri, isread); + } + return ret; +} + +static const ARMCPRegInfo s1pie_reginfo[] = { + { .name = "PIR_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .opc2 = 3, .crn = 10, .crm = 2, + .access = PL1_RW, .accessfn = pien_el1_access, + .fgt = FGT_NPIR_EL1, .nv2_redirect_offset = 0x2a0 | NV2_REDIR_NV1, + .vhe_redir_to_el2 = ENCODE_AA64_CP_REG(3, 4, 10, 2, 3), + .vhe_redir_to_el01 = ENCODE_AA64_CP_REG(3, 5, 10, 2, 3), + .fieldoffset = offsetof(CPUARMState, cp15.pir_el[1]) }, + { .name = "PIR_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .opc2 = 3, .crn = 10, .crm = 2, + .access = PL2_RW, .accessfn = pien_access, + .fieldoffset = offsetof(CPUARMState, cp15.pir_el[2]) }, + { .name = "PIR_EL3", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 6, .opc2 = 3, .crn = 10, .crm = 2, + .access = PL3_RW, + .fieldoffset = offsetof(CPUARMState, cp15.pir_el[3]) }, + { .name = "PIRE0_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .opc2 = 2, .crn = 10, .crm = 2, + .access = PL1_RW, .accessfn = pien_el1_access, + .fgt = FGT_NPIRE0_EL1, .nv2_redirect_offset = 0x290 | NV2_REDIR_NV1, + .vhe_redir_to_el2 = ENCODE_AA64_CP_REG(3, 4, 10, 2, 2), + .vhe_redir_to_el01 = ENCODE_AA64_CP_REG(3, 5, 10, 2, 2), + .fieldoffset = offsetof(CPUARMState, cp15.pir_el[0]) }, + { .name = "PIRE0_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .opc2 = 2, .crn = 10, .crm = 2, + .access = PL2_RW, .accessfn = pien_access, + .fieldoffset = offsetof(CPUARMState, cp15.pire0_el2) }, +}; + +static const ARMCPRegInfo s2pie_reginfo[] = { + { .name = "S2PIR_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .opc2 = 5, .crn = 10, .crm = 2, + .access = PL2_RW, .accessfn = pien_access, + .nv2_redirect_offset = 0x2b0, + .fieldoffset = offsetof(CPUARMState, cp15.s2pir_el2) }, +}; + void register_cp_regs_for_features(ARMCPU *cpu) { /* Register all the coprocessor registers based on feature bits */ @@ -7173,6 +7235,13 @@ void register_cp_regs_for_features(ARMCPU *cpu) define_arm_cp_regs(cpu, tcr2_reginfo); } + if (cpu_isar_feature(aa64_s1pie, cpu)) { + define_arm_cp_regs(cpu, s1pie_reginfo); + } + if (cpu_isar_feature(aa64_s2pie, cpu)) { + define_arm_cp_regs(cpu, s2pie_reginfo); + } + if (cpu_isar_feature(any_predinv, cpu)) { define_arm_cp_regs(cpu, predinv_reginfo); } From 26c7b95eb1342907c569cc6da7e27ded0959e4fe Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:05 -0700 Subject: [PATCH 05/76] target/arm: Force HPD for stage2 translations Stage2 translations do not have hierarchial permissions. Setting HPD means we can eliminate an extra check against regime_is_stage2. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-6-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/helper.c | 7 +++++-- target/arm/ptw.c | 24 +++++++++++++----------- 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index 20a189ef4f..b7bc27436f 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -9397,8 +9397,11 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va, tsz = extract32(tcr, 0, 6); gran = tg0_to_gran_size(extract32(tcr, 14, 2)); if (stage2) { - /* VTCR_EL2 */ - hpd = false; + /* + * Stage2 does not have hierarchical permissions. + * Thus disabling them makes things easier during ptw. + */ + hpd = true; } else { hpd = extract32(tcr, 24, 1); } diff --git a/target/arm/ptw.c b/target/arm/ptw.c index e03657f309..2657023120 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -1507,8 +1507,12 @@ static ARMVAParameters aa32_va_parameters(CPUARMState *env, uint32_t va, } tsz = sextract32(tcr, 0, 4) + 8; select = 0; - hpd = false; epd = false; + /* + * Stage2 does not have hierarchical permissions. + * Thus disabling them makes things easier during ptw. + */ + hpd = true; } else if (el == 2) { /* HTCR */ tsz = extract32(tcr, 0, 3); @@ -2014,16 +2018,14 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, * except NSTable (which we have already handled). */ attrs = new_descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14)); - if (!regime_is_stage2(mmu_idx)) { - if (!param.hpd) { - attrs |= extract64(tableattrs, 0, 2) << 53; /* XN, PXN */ - /* - * The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1 - * means "force PL1 access only", which means forcing AP[1] to 0. - */ - attrs &= ~(extract64(tableattrs, 2, 1) << 6); /* !APT[0] => AP[1] */ - attrs |= extract32(tableattrs, 3, 1) << 7; /* APT[1] => AP[2] */ - } + if (!param.hpd) { + attrs |= extract64(tableattrs, 0, 2) << 53; /* XN, PXN */ + /* + * The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1 + * means "force PL1 access only", which means forcing AP[1] to 0. + */ + attrs &= ~(extract64(tableattrs, 2, 1) << 6); /* !APT[0] => AP[1] */ + attrs |= extract32(tableattrs, 3, 1) << 7; /* APT[1] => AP[2] */ } ap = extract32(attrs, 6, 2); From 67f3eda009d9af5afb64886cbadc01454fd987a5 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:06 -0700 Subject: [PATCH 06/76] target/arm: Cache NV1 early in get_phys_addr_lpae We were not using the correct security space in the existing call to nv_nv1_enabled, because it may have been modified for NSTable. Cache it early, as we will shortly need it elsewhere as well. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-7-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/ptw.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index 2657023120..e1515675eb 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -79,6 +79,8 @@ typedef struct S1Translate { * may be suppressed for debug or AT insns. */ uint8_t in_prot_check; + /* Cached EffectiveHCR_EL2_NVx() bit */ + bool in_nv1; bool out_rw; bool out_be; ARMSecuritySpace out_space; @@ -1677,12 +1679,6 @@ static bool lpae_block_desc_valid(ARMCPU *cpu, bool ds, } } -static bool nv_nv1_enabled(CPUARMState *env, S1Translate *ptw) -{ - uint64_t hcr = arm_hcr_el2_eff_secstate(env, ptw->in_space); - return (hcr & (HCR_NV | HCR_NV1)) == (HCR_NV | HCR_NV1); -} - /** * get_phys_addr_lpae: perform one stage of page table walk, LPAE format * @@ -1734,6 +1730,16 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, !arm_el_is_aa64(env, 1)); level = 0; + /* + * Cache NV1 before we adjust ptw->in_space for NSTable. + * Note that this is only relevant for EL1&0, and that + * computing it would assert for ARMSS_Root. + */ + if (el == 1) { + uint64_t hcr = arm_hcr_el2_eff_secstate(env, ptw->in_space); + ptw->in_nv1 = (hcr & (HCR_NV | HCR_NV1)) == (HCR_NV | HCR_NV1); + } + /* * If TxSZ is programmed to a value larger than the maximum, * or smaller than the effective minimum, it is IMPLEMENTATION @@ -2109,7 +2115,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, xn = extract64(attrs, 54, 1); pxn = extract64(attrs, 53, 1); - if (el == 1 && nv_nv1_enabled(env, ptw)) { + if (el == 1 && ptw->in_nv1) { /* * With FEAT_NV, when HCR_EL2.{NV,NV1} == {1,1}, the block/page * descriptor bit 54 holds PXN, 53 is RES0, and the effective value From 1952f58f984a36bb30b9780ed0257e6879252fcd Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:07 -0700 Subject: [PATCH 07/76] target/arm: Populate PIE in aa64_va_parameters Select the PIE bit for the translation regime. With PIE, the PTE layout changes, forcing HPD. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-8-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/helper.c | 19 ++++++++++++++++++- target/arm/internals.h | 3 ++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index b7bc27436f..37865bf70e 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -9386,11 +9386,12 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va, bool el1_is_aa32) { uint64_t tcr = regime_tcr(env, mmu_idx); - bool epd, hpd, tsz_oob, ds, ha, hd; + bool epd, hpd, tsz_oob, ds, ha, hd, pie = false; int select, tsz, tbi, max_tsz, min_tsz, ps, sh; ARMGranuleSize gran; ARMCPU *cpu = env_archcpu(env); bool stage2 = regime_is_stage2(mmu_idx); + int r_el = regime_el(env, mmu_idx); if (!regime_has_2_ranges(mmu_idx)) { select = 0; @@ -9402,8 +9403,17 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va, * Thus disabling them makes things easier during ptw. */ hpd = true; + pie = extract64(tcr, 36, 1) && cpu_isar_feature(aa64_s2pie, cpu); } else { hpd = extract32(tcr, 24, 1); + if (r_el == 3) { + pie = (extract64(tcr, 35, 1) + && cpu_isar_feature(aa64_s1pie, cpu)); + } else { + pie = ((env->cp15.tcr2_el[2] & TCR2_PIE) + && (!arm_feature(env, ARM_FEATURE_EL3) + || (env->cp15.scr_el3 & SCR_TCR2EN))); + } } epd = false; sh = extract32(tcr, 12, 2); @@ -9443,7 +9453,13 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va, regime_is_user(env, mmu_idx)) { epd = true; } + + pie = ((env->cp15.tcr2_el[r_el] & TCR2_PIE) + && (!arm_feature(env, ARM_FEATURE_EL3) + || (env->cp15.scr_el3 & SCR_TCR2EN)) + && (r_el == 2 || (arm_hcrx_el2_eff(env) & HCRX_TCR2EN))); } + hpd |= pie; gran = sanitize_gran_size(cpu, gran, stage2); @@ -9522,6 +9538,7 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va, .ha = ha, .hd = ha && hd, .gran = gran, + .pie = pie, }; } diff --git a/target/arm/internals.h b/target/arm/internals.h index 1d958dbf68..face1019f5 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -1491,7 +1491,7 @@ static inline int arm_granule_bits(ARMGranuleSize gran) /* * Parameters of a given virtual address, as extracted from the - * translation control register (TCR) for a given regime. + * translation controls for a given regime. */ typedef struct ARMVAParameters { unsigned tsz : 8; @@ -1506,6 +1506,7 @@ typedef struct ARMVAParameters { bool ha : 1; bool hd : 1; ARMGranuleSize gran : 2; + bool pie : 1; } ARMVAParameters; /** From 1cbaf63a109db8529589b0660df06ea69fd07b05 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:08 -0700 Subject: [PATCH 08/76] target/arm: Implement get_S1prot_indirect This approximately corresponds to AArch64.S1IndirectBasePermissions and the tail of AArch64.S1ComputePermissions which applies WXN. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-9-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/ptw.c | 161 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 139 insertions(+), 22 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index e1515675eb..5913556077 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -1484,6 +1484,106 @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64, return prot_rw | PAGE_EXEC; } +/* Extra page permission bits, during get_S1prot_indirect only. */ +#define PAGE_GCS (1 << 3) +#define PAGE_WXN (1 << 4) +#define PAGE_OVERLAY (1 << 5) +QEMU_BUILD_BUG_ON(PAGE_RWX & (PAGE_GCS | PAGE_WXN | PAGE_OVERLAY)); + +static int get_S1prot_indirect(CPUARMState *env, S1Translate *ptw, + ARMMMUIdx mmu_idx, int pi_index, int po_index, + ARMSecuritySpace in_pa, ARMSecuritySpace out_pa) +{ + static const uint8_t perm_table[16] = { + /* 0 */ PAGE_OVERLAY, /* no access */ + /* 1 */ PAGE_OVERLAY | PAGE_READ, + /* 2 */ PAGE_OVERLAY | PAGE_EXEC, + /* 3 */ PAGE_OVERLAY | PAGE_READ | PAGE_EXEC, + /* 4 */ PAGE_OVERLAY, /* reserved */ + /* 5 */ PAGE_OVERLAY | PAGE_READ | PAGE_WRITE, + /* 6 */ PAGE_OVERLAY | PAGE_READ | PAGE_WRITE | PAGE_EXEC | PAGE_WXN, + /* 7 */ PAGE_OVERLAY | PAGE_READ | PAGE_WRITE | PAGE_EXEC, + /* 8 */ PAGE_READ, + /* 9 */ PAGE_READ | PAGE_GCS, + /* A */ PAGE_READ | PAGE_EXEC, + /* B */ 0, /* reserved */ + /* C */ PAGE_READ | PAGE_WRITE, + /* D */ 0, /* reserved */ + /* E */ PAGE_READ | PAGE_WRITE | PAGE_EXEC, + /* F */ 0, /* reserved */ + }; + + uint32_t el = regime_el(env, mmu_idx); + uint64_t pir = env->cp15.pir_el[el]; + uint64_t pire0 = 0; + int perm; + + if (el < 3) { + if (arm_feature(env, ARM_FEATURE_EL3) + && !(env->cp15.scr_el3 & SCR_PIEN)) { + pir = 0; + } else if (el == 2) { + pire0 = env->cp15.pire0_el2; + } else if (!ptw->in_nv1) { + pire0 = env->cp15.pir_el[0]; + } + } + perm = perm_table[extract64(pir, pi_index * 4, 4)]; + + if (regime_has_2_ranges(mmu_idx)) { + int p_perm = perm; + int u_perm = perm_table[extract64(pire0, pi_index * 4, 4)]; + + if ((p_perm & (PAGE_EXEC | PAGE_GCS)) && + (u_perm & (PAGE_WRITE | PAGE_GCS))) { + p_perm &= ~(PAGE_RWX | PAGE_GCS); + u_perm &= ~(PAGE_RWX | PAGE_GCS); + } + if ((u_perm & (PAGE_RWX | PAGE_GCS)) && regime_is_pan(env, mmu_idx)) { + p_perm &= ~(PAGE_READ | PAGE_WRITE); + } + perm = regime_is_user(env, mmu_idx) ? u_perm : p_perm; + } + + if (in_pa != out_pa) { + switch (in_pa) { + case ARMSS_Root: + /* + * R_ZWRVD: permission fault for insn fetched from non-Root, + * I_WWBFB: SIF has no effect in EL3. + */ + perm &= ~(PAGE_EXEC | PAGE_GCS); + break; + case ARMSS_Realm: + /* + * R_PKTDS: permission fault for insn fetched from non-Realm, + * for Realm EL2 or EL2&0. The corresponding fault for EL1&0 + * happens during any stage2 translation. + */ + if (el == 2) { + perm &= ~(PAGE_EXEC | PAGE_GCS); + } + break; + case ARMSS_Secure: + if (env->cp15.scr_el3 & SCR_SIF) { + perm &= ~(PAGE_EXEC | PAGE_GCS); + } + break; + default: + /* Input NonSecure must have output NonSecure. */ + g_assert_not_reached(); + } + } + + if (perm & PAGE_WXN) { + perm &= ~PAGE_EXEC; + } + + /* TODO: FEAT_GCS */ + + return perm & PAGE_RWX; +} + static ARMVAParameters aa32_va_parameters(CPUARMState *env, uint32_t va, ARMMMUIdx mmu_idx) { @@ -1713,7 +1813,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, int32_t stride; int addrsize, inputsize, outputsize; uint64_t tcr = regime_tcr(env, mmu_idx); - int ap, xn, pxn; + int ap; uint32_t el = regime_el(env, mmu_idx); uint64_t descaddrmask; bool aarch64 = arm_el_is_aa64(env, el); @@ -2047,7 +2147,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, out_space = ARMSS_NonSecure; result->f.prot = get_S2prot_noexecute(ap); } else { - xn = extract64(attrs, 53, 2); + int xn = extract64(attrs, 53, 2); result->f.prot = get_S2prot(env, ap, xn, ptw->in_s1_is_el0); } @@ -2063,7 +2163,6 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, int nse, ns = extract32(attrs, 5, 1); uint8_t attrindx; uint64_t mair; - int user_rw, prot_rw; switch (out_space) { case ARMSS_Root: @@ -2112,29 +2211,47 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, default: g_assert_not_reached(); } - xn = extract64(attrs, 54, 1); - pxn = extract64(attrs, 53, 1); - if (el == 1 && ptw->in_nv1) { + if (param.pie) { + int pi = extract64(attrs, 6, 1) + | (extract64(attrs, 51, 1) << 1) + | (extract64(attrs, 53, 2) << 2); + int po = extract64(attrs, 60, 3); /* - * With FEAT_NV, when HCR_EL2.{NV,NV1} == {1,1}, the block/page - * descriptor bit 54 holds PXN, 53 is RES0, and the effective value - * of UXN is 0. Similarly for bits 59 and 60 in table descriptors - * (which we have already folded into bits 53 and 54 of attrs). - * AP[1] (descriptor bit 6, our ap bit 0) is treated as 0. - * Similarly, APTable[0] from the table descriptor is treated as 0; - * we already folded this into AP[1] and squashing that to 0 does - * the right thing. + * Note that we modified ptw->in_space earlier for NSTable, but + * result->f.attrs retains a copy of the original security space. */ - pxn = xn; - xn = 0; - ap &= ~1; - } + result->f.prot = get_S1prot_indirect(env, ptw, mmu_idx, pi, po, + result->f.attrs.space, + out_space); + } else { + int xn = extract64(attrs, 54, 1); + int pxn = extract64(attrs, 53, 1); + int user_rw, prot_rw; - user_rw = simple_ap_to_rw_prot_is_user(ap, true); - prot_rw = simple_ap_to_rw_prot_is_user(ap, false); - result->f.prot = get_S1prot(env, mmu_idx, aarch64, user_rw, prot_rw, - xn, pxn, ptw->in_space, out_space); + if (el == 1 && ptw->in_nv1) { + /* + * With FEAT_NV, when HCR_EL2.{NV,NV1} == {1,1}, + * the block/page descriptor bit 54 holds PXN, + * 53 is RES0, and the effective value of UXN is 0. + * Similarly for bits 59 and 60 in table descriptors + * (which we have already folded into bits 53 and 54 of attrs). + * AP[1] (descriptor bit 6, our ap bit 0) is treated as 0. + * Similarly, APTable[0] from the table descriptor is treated + * as 0; we already folded this into AP[1] and squashing + * that to 0 does the right thing. + */ + pxn = xn; + xn = 0; + ap &= ~1; + } + + user_rw = simple_ap_to_rw_prot_is_user(ap, true); + prot_rw = simple_ap_to_rw_prot_is_user(ap, false); + result->f.prot = get_S1prot(env, mmu_idx, aarch64, + user_rw, prot_rw, xn, pxn, + ptw->in_space, out_space); + } /* Index into MAIR registers for cache attributes */ attrindx = extract32(attrs, 2, 3); From a811c5dafb728087fa6f222ad1322ec26d080fdd Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:09 -0700 Subject: [PATCH 09/76] target/arm: Implement get_S2prot_indirect Move the stage2 permissions for normal accesses to GetPhysAddrResult.s2prot. Put the stage2 permissions for page table walking in CPUTLBEntryFull.prot. This allows the permission checks in S1_ptw_translate and arm_casq_ptw to see the right permission. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-10-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/internals.h | 7 ++++ target/arm/ptw.c | 81 +++++++++++++++++++++++++++++++----------- 2 files changed, 68 insertions(+), 20 deletions(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index face1019f5..22947c4b78 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -1577,6 +1577,13 @@ typedef struct ARMCacheAttrs { typedef struct GetPhysAddrResult { CPUTLBEntryFull f; ARMCacheAttrs cacheattrs; + /* + * For ARMMMUIdx_Stage2*, the protection installed into f.prot + * is the result for AccessType_TTW, i.e. the page table walk itself. + * The protection installed info s2prot is the one to be merged + * with the stage1 protection. + */ + int s2prot; } GetPhysAddrResult; /** diff --git a/target/arm/ptw.c b/target/arm/ptw.c index 5913556077..2e026a7c59 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -1316,7 +1316,7 @@ do_fault: * @xn: XN (execute-never) bits * @s1_is_el0: true if this is S2 of an S1+2 walk for EL0 */ -static int get_S2prot_noexecute(int s2ap) +static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0) { int prot = 0; @@ -1326,12 +1326,6 @@ static int get_S2prot_noexecute(int s2ap) if (s2ap & 2) { prot |= PAGE_WRITE; } - return prot; -} - -static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0) -{ - int prot = get_S2prot_noexecute(s2ap); if (cpu_isar_feature(any_tts2uxn, env_archcpu(env))) { switch (xn) { @@ -1363,6 +1357,44 @@ static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0) return prot; } +static int get_S2prot_indirect(CPUARMState *env, GetPhysAddrResult *result, + int pi_index, int po_index, bool s1_is_el0) +{ + /* Last index is (priv, unpriv, ttw) */ + static const uint8_t perm_table[16][3] = { + /* 0 */ { 0, 0, 0 }, /* no access */ + /* 1 */ { 0, 0, 0 }, /* reserved */ + /* 2 */ { PAGE_READ, PAGE_READ, PAGE_READ | PAGE_WRITE }, + /* 3 */ { PAGE_READ, PAGE_READ, PAGE_READ | PAGE_WRITE }, + /* 4 */ { PAGE_WRITE, PAGE_WRITE, 0 }, + /* 5 */ { 0, 0, 0 }, /* reserved */ + /* 6 */ { PAGE_READ, PAGE_READ, PAGE_READ | PAGE_WRITE }, + /* 7 */ { PAGE_READ, PAGE_READ, PAGE_READ | PAGE_WRITE }, + /* 8 */ { PAGE_READ, PAGE_READ, PAGE_READ }, + /* 9 */ { PAGE_READ, PAGE_READ | PAGE_EXEC, PAGE_READ }, + /* A */ { PAGE_READ | PAGE_EXEC, PAGE_READ, PAGE_READ }, + /* B */ { PAGE_READ | PAGE_EXEC, PAGE_READ | PAGE_EXEC, PAGE_READ }, + /* C */ { PAGE_READ | PAGE_WRITE, + PAGE_READ | PAGE_WRITE, + PAGE_READ | PAGE_WRITE }, + /* D */ { PAGE_READ | PAGE_WRITE, + PAGE_READ | PAGE_WRITE | PAGE_EXEC, + PAGE_READ | PAGE_WRITE }, + /* E */ { PAGE_READ | PAGE_WRITE | PAGE_EXEC, + PAGE_READ | PAGE_WRITE, + PAGE_READ | PAGE_WRITE }, + /* F */ { PAGE_READ | PAGE_WRITE | PAGE_EXEC, + PAGE_READ | PAGE_WRITE | PAGE_EXEC, + PAGE_READ | PAGE_WRITE }, + }; + + uint64_t pir = (env->cp15.scr_el3 & SCR_PIEN ? env->cp15.s2pir_el2 : 0); + int s2pi = extract64(pir, pi_index * 4, 4); + + result->f.prot = perm_table[s2pi][2]; + return perm_table[s2pi][s1_is_el0]; +} + /* * Translate section/page access permissions to protection flags * @env: CPUARMState @@ -1813,7 +1845,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, int32_t stride; int addrsize, inputsize, outputsize; uint64_t tcr = regime_tcr(env, mmu_idx); - int ap; + int ap, prot; uint32_t el = regime_el(env, mmu_idx); uint64_t descaddrmask; bool aarch64 = arm_el_is_aa64(env, el); @@ -2137,6 +2169,18 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, ap = extract32(attrs, 6, 2); out_space = ptw->cur_space; if (regime_is_stage2(mmu_idx)) { + if (param.pie) { + int pi = extract64(attrs, 6, 1) + | (extract64(attrs, 51, 1) << 1) + | (extract64(attrs, 53, 2) << 2); + int po = extract64(attrs, 60, 3); + prot = get_S2prot_indirect(env, result, pi, po, ptw->in_s1_is_el0); + } else { + int xn = extract64(attrs, 53, 2); + prot = get_S2prot(env, ap, xn, ptw->in_s1_is_el0); + /* Install TTW permissions in f.prot. */ + result->f.prot = prot & (PAGE_READ | PAGE_WRITE); + } /* * R_GYNXY: For stage2 in Realm security state, bit 55 is NS. * The bit remains ignored for other security states. @@ -2145,11 +2189,9 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, */ if (out_space == ARMSS_Realm && extract64(attrs, 55, 1)) { out_space = ARMSS_NonSecure; - result->f.prot = get_S2prot_noexecute(ap); - } else { - int xn = extract64(attrs, 53, 2); - result->f.prot = get_S2prot(env, ap, xn, ptw->in_s1_is_el0); + prot &= ~PAGE_EXEC; } + result->s2prot = prot; result->cacheattrs.is_s2_format = true; result->cacheattrs.attrs = extract32(attrs, 2, 4); @@ -2221,9 +2263,8 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, * Note that we modified ptw->in_space earlier for NSTable, but * result->f.attrs retains a copy of the original security space. */ - result->f.prot = get_S1prot_indirect(env, ptw, mmu_idx, pi, po, - result->f.attrs.space, - out_space); + prot = get_S1prot_indirect(env, ptw, mmu_idx, pi, po, + result->f.attrs.space, out_space); } else { int xn = extract64(attrs, 54, 1); int pxn = extract64(attrs, 53, 1); @@ -2248,10 +2289,10 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, user_rw = simple_ap_to_rw_prot_is_user(ap, true); prot_rw = simple_ap_to_rw_prot_is_user(ap, false); - result->f.prot = get_S1prot(env, mmu_idx, aarch64, - user_rw, prot_rw, xn, pxn, - ptw->in_space, out_space); + prot = get_S1prot(env, mmu_idx, aarch64, user_rw, prot_rw, + xn, pxn, ptw->in_space, out_space); } + result->f.prot = prot; /* Index into MAIR registers for cache attributes */ attrindx = extract32(attrs, 2, 3); @@ -2297,7 +2338,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, result->f.tlb_fill_flags = 0; } - if (ptw->in_prot_check & ~result->f.prot) { + if (ptw->in_prot_check & ~prot) { fi->type = ARMFault_Permission; goto do_fault; } @@ -3495,7 +3536,7 @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw, fi->s2addr = ipa; /* Combine the S1 and S2 perms. */ - result->f.prot &= s1_prot; + result->f.prot = s1_prot & result->s2prot; /* If S2 fails, return early. */ if (ret) { From 5a3197bc73040e657017d08445918c88c542f7d4 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:10 -0700 Subject: [PATCH 10/76] target/arm: Expand CPUARMState.exception.syndrome to 64 bits This will be used for storing the ISS2 portion of the ESR_ELx registers in aarch64 state. Re-order the fsr member to eliminate two structure holes. Drop the comment about "if we implement EL2" since we have already done so. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-11-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpu.h | 7 ++----- target/arm/helper.c | 2 +- target/arm/machine.c | 32 +++++++++++++++++++++++++++++++- 3 files changed, 34 insertions(+), 7 deletions(-) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index c9ea160d03..04b57f1dc5 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -633,13 +633,10 @@ typedef struct CPUArchState { * entry process. */ struct { - uint32_t syndrome; /* AArch64 format syndrome register */ - uint32_t fsr; /* AArch32 format fault status register info */ + uint64_t syndrome; /* AArch64 format syndrome register */ uint64_t vaddress; /* virtual addr associated with exception, if any */ + uint32_t fsr; /* AArch32 format fault status register info */ uint32_t target_el; /* EL the exception should be targeted for */ - /* If we implement EL2 we will also need to store information - * about the intermediate physical address for stage 2 faults. - */ } exception; /* Information associated with an SError */ diff --git a/target/arm/helper.c b/target/arm/helper.c index 37865bf70e..bd5321348a 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -9196,7 +9196,7 @@ void arm_cpu_do_interrupt(CPUState *cs) new_el); if (qemu_loglevel_mask(CPU_LOG_INT) && !excp_is_internal(cs->exception_index)) { - qemu_log_mask(CPU_LOG_INT, "...with ESR 0x%x/0x%" PRIx32 "\n", + qemu_log_mask(CPU_LOG_INT, "...with ESR 0x%x/0x%" PRIx64 "\n", syn_get_ec(env->exception.syndrome), env->exception.syndrome); } diff --git a/target/arm/machine.c b/target/arm/machine.c index 6666a0c50c..ce20b46f50 100644 --- a/target/arm/machine.c +++ b/target/arm/machine.c @@ -848,6 +848,23 @@ static const VMStateInfo vmstate_powered_off = { .put = put_power, }; +static bool syndrome64_needed(void *opaque) +{ + ARMCPU *cpu = opaque; + return cpu->env.exception.syndrome > UINT32_MAX; +} + +static const VMStateDescription vmstate_syndrome64 = { + .name = "cpu/syndrome64", + .version_id = 1, + .minimum_version_id = 1, + .needed = syndrome64_needed, + .fields = (const VMStateField[]) { + VMSTATE_UINT64(env.exception.syndrome, ARMCPU), + VMSTATE_END_OF_LIST() + }, +}; + static int cpu_pre_save(void *opaque) { ARMCPU *cpu = opaque; @@ -1065,7 +1082,19 @@ const VMStateDescription vmstate_arm_cpu = { VMSTATE_UINT64(env.exclusive_val, ARMCPU), VMSTATE_UINT64(env.exclusive_high, ARMCPU), VMSTATE_UNUSED(sizeof(uint64_t)), - VMSTATE_UINT32(env.exception.syndrome, ARMCPU), + /* + * If any bits are set in the upper 32 bits of syndrome, + * then the cpu/syndrome64 subsection will override this + * with the full 64 bit state. + */ + { + .name = "env.exception.syndrome", + .version_id = 0, + .size = sizeof(uint32_t), + .info = &vmstate_info_uint32, + .flags = VMS_SINGLE, + .offset = offsetoflow32(ARMCPU, env.exception.syndrome), + }, VMSTATE_UINT32(env.exception.fsr, ARMCPU), VMSTATE_UINT64(env.exception.vaddress, ARMCPU), VMSTATE_TIMER_PTR(gt_timer[GTIMER_PHYS], ARMCPU), @@ -1098,6 +1127,7 @@ const VMStateDescription vmstate_arm_cpu = { &vmstate_serror, &vmstate_irq_line_state, &vmstate_wfxt_timer, + &vmstate_syndrome64, NULL } }; From 9190d68e83dc13c08b50b538f6473894b1b7b024 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:11 -0700 Subject: [PATCH 11/76] target/arm: Expand syndrome parameter to raise_exception* Prepare for raising exceptions with 64-bit syndromes. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-12-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/internals.h | 6 +++--- target/arm/tcg-stubs.c | 2 +- target/arm/tcg/op_helper.c | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index 22947c4b78..b59650959e 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -304,14 +304,14 @@ FIELD(CNTHCTL, CNTPMASK, 19, 1) * and never returns because we will longjump back up to the CPU main loop. */ G_NORETURN void raise_exception(CPUARMState *env, uint32_t excp, - uint32_t syndrome, uint32_t target_el); + uint64_t syndrome, uint32_t target_el); /* * Similarly, but also use unwinding to restore cpu state. */ G_NORETURN void raise_exception_ra(CPUARMState *env, uint32_t excp, - uint32_t syndrome, uint32_t target_el, - uintptr_t ra); + uint64_t syndrome, uint32_t target_el, + uintptr_t ra); /* * For AArch64, map a given EL to an index in the banked_spsr array. diff --git a/target/arm/tcg-stubs.c b/target/arm/tcg-stubs.c index aac99b2672..aeeede8066 100644 --- a/target/arm/tcg-stubs.c +++ b/target/arm/tcg-stubs.c @@ -16,7 +16,7 @@ void write_v7m_exception(CPUARMState *env, uint32_t new_exc) g_assert_not_reached(); } -void raise_exception_ra(CPUARMState *env, uint32_t excp, uint32_t syndrome, +void raise_exception_ra(CPUARMState *env, uint32_t excp, uint64_t syndrome, uint32_t target_el, uintptr_t ra) { g_assert_not_reached(); diff --git a/target/arm/tcg/op_helper.c b/target/arm/tcg/op_helper.c index 5373e0e998..dd3700dc6f 100644 --- a/target/arm/tcg/op_helper.c +++ b/target/arm/tcg/op_helper.c @@ -46,7 +46,7 @@ int exception_target_el(CPUARMState *env) } void raise_exception(CPUARMState *env, uint32_t excp, - uint32_t syndrome, uint32_t target_el) + uint64_t syndrome, uint32_t target_el) { CPUState *cs = env_cpu(env); @@ -70,7 +70,7 @@ void raise_exception(CPUARMState *env, uint32_t excp, cpu_loop_exit(cs); } -void raise_exception_ra(CPUARMState *env, uint32_t excp, uint32_t syndrome, +void raise_exception_ra(CPUARMState *env, uint32_t excp, uint64_t syndrome, uint32_t target_el, uintptr_t ra) { CPUState *cs = env_cpu(env); From cfd363ca4c374ba34673e34467d973255ca009e5 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:12 -0700 Subject: [PATCH 12/76] target/arm: Implement dirtybit check for PIE Both S1PIE and S2PIE have a bit to make software tracking of dirty pages easier. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-13-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/internals.h | 1 + target/arm/ptw.c | 16 ++++++++++++++++ target/arm/tcg/tlb_helper.c | 12 +++++++++--- 3 files changed, 26 insertions(+), 3 deletions(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index b59650959e..69eb1df617 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -752,6 +752,7 @@ struct ARMMMUFaultInfo { bool s1ptw; bool s1ns; bool ea; + bool dirtybit; /* FEAT_S1PIE, FEAT_S2PIE */ }; /** diff --git a/target/arm/ptw.c b/target/arm/ptw.c index 2e026a7c59..21540a1ec3 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -2343,6 +2343,22 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, goto do_fault; } + /* S1PIE and S2PIE both have a bit for software dirty page tracking. */ + if (access_type == MMU_DATA_STORE && param.pie) { + /* + * For S1PIE, bit 7 is nDirty and both HA and HD are checked. + * For S2PIE, bit 7 is Dirty and only HD is checked. + */ + bool bit7 = extract64(attrs, 7, 1); + if (regime_is_stage2(mmu_idx) + ? !bit7 && !param.hd + : bit7 && !(param.ha && param.hd)) { + fi->type = ARMFault_Permission; + fi->dirtybit = true; + goto do_fault; + } + } + /* If FEAT_HAFDBS has made changes, update the PTE. */ if (new_descriptor != descriptor) { new_descriptor = arm_casq_ptw(env, descriptor, new_descriptor, ptw, fi); diff --git a/target/arm/tcg/tlb_helper.c b/target/arm/tcg/tlb_helper.c index 23c72a99f5..ae2acd6727 100644 --- a/target/arm/tcg/tlb_helper.c +++ b/target/arm/tcg/tlb_helper.c @@ -24,13 +24,13 @@ bool arm_s1_regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx) return regime_using_lpae_format(env, mmu_idx); } -static inline uint32_t merge_syn_data_abort(uint32_t template_syn, +static inline uint64_t merge_syn_data_abort(uint32_t template_syn, ARMMMUFaultInfo *fi, unsigned int target_el, bool same_el, bool is_write, int fsc) { - uint32_t syn; + uint64_t syn; /* * ISV is only set for stage-2 data aborts routed to EL2 and @@ -75,6 +75,10 @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn, /* Merge the runtime syndrome with the template syndrome. */ syn |= template_syn; } + + /* Form ISS2 at the top of the syndrome. */ + syn |= (uint64_t)fi->dirtybit << 37; + return syn; } @@ -176,7 +180,9 @@ void arm_deliver_fault(ARMCPU *cpu, vaddr addr, int target_el = exception_target_el(env); int current_el = arm_current_el(env); bool same_el; - uint32_t syn, exc, fsr, fsc; + uint32_t exc, fsr, fsc; + uint64_t syn; + /* * We know this must be a data or insn abort, and that * env->exception.syndrome contains the template syndrome set From 4983e3ccc9c384c7ae12822945943a0d8bce6537 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:13 -0700 Subject: [PATCH 13/76] target/arm: Enable FEAT_S1PIE and FEAT_S2PIE on -cpu max Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-14-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- docs/system/arm/emulation.rst | 2 ++ target/arm/tcg/cpu64.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst index 1aa0a6e4c3..c779a50570 100644 --- a/docs/system/arm/emulation.rst +++ b/docs/system/arm/emulation.rst @@ -123,6 +123,8 @@ the following architecture extensions: - FEAT_RME_GPC2 (RME Granule Protection Check 2 Extension) - FEAT_RNG (Random number generator) - FEAT_RPRES (Increased precision of FRECPE and FRSQRTE) +- FEAT_S1PIE (Stage 1 permission indirections) +- FEAT_S2PIE (Stage 2 permission indirections) - FEAT_S2FWB (Stage 2 forced Write-Back) - FEAT_SB (Speculation Barrier) - FEAT_SCTLR2 (Extension to SCTLR_ELx) diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c index 8c617fe37b..f024db1d29 100644 --- a/target/arm/tcg/cpu64.c +++ b/target/arm/tcg/cpu64.c @@ -1327,6 +1327,8 @@ void aarch64_max_tcg_initfn(Object *obj) t = FIELD_DP64(t, ID_AA64MMFR3, TCRX, 1); /* FEAT_TCR2 */ t = FIELD_DP64(t, ID_AA64MMFR3, SCTLRX, 1); /* FEAT_SCTLR2 */ t = FIELD_DP64(t, ID_AA64MMFR3, SPEC_FPACC, 1); /* FEAT_FPACC_SPEC */ + t = FIELD_DP64(t, ID_AA64MMFR3, S1PIE, 1); /* FEAT_S1PIE */ + t = FIELD_DP64(t, ID_AA64MMFR3, S2PIE, 1); /* FEAT_S2PIE */ SET_IDREG(isar, ID_AA64MMFR3, t); t = GET_IDREG(isar, ID_AA64ZFR0); From d182123974c4377757d50ce93108daef687a8951 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:14 -0700 Subject: [PATCH 14/76] include/exec/memopidx: Adjust for 32 mmu indexes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Message-id: 20251008215613.300150-15-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- include/exec/memopidx.h | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/include/exec/memopidx.h b/include/exec/memopidx.h index eb7f1591a3..66d9c58b3a 100644 --- a/include/exec/memopidx.h +++ b/include/exec/memopidx.h @@ -25,9 +25,10 @@ typedef uint32_t MemOpIdx; static inline MemOpIdx make_memop_idx(MemOp op, unsigned idx) { #ifdef CONFIG_DEBUG_TCG - assert(idx <= 15); + assert(idx <= 31); + assert(clz32(op) >= 5); #endif - return (op << 4) | idx; + return (op << 5) | idx; } /** @@ -38,7 +39,7 @@ static inline MemOpIdx make_memop_idx(MemOp op, unsigned idx) */ static inline MemOp get_memop(MemOpIdx oi) { - return oi >> 4; + return oi >> 5; } /** @@ -49,7 +50,7 @@ static inline MemOp get_memop(MemOpIdx oi) */ static inline unsigned get_mmuidx(MemOpIdx oi) { - return oi & 15; + return oi & 31; } #endif From e1e2f08b431890c757e8dffc760c2719e9577f86 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:15 -0700 Subject: [PATCH 15/76] include/hw/core/cpu: Widen MMUIdxMap Widen MMUIdxMap to 32 bits. Do not yet expand NB_MMU_MODES, but widen the map type in preparation. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-16-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- accel/tcg/cputlb.c | 3 --- include/hw/core/cpu.h | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index 7214d41cb5..3010dd4f5d 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -90,9 +90,6 @@ */ QEMU_BUILD_BUG_ON(sizeof(vaddr) > sizeof(run_on_cpu_data)); -/* We currently can't handle more than 16 bits in the MMUIDX bitmask. - */ -QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16); #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1) static inline size_t tlb_n_entries(CPUTLBDescFast *fast) diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h index 4f7026a119..d175edb6f8 100644 --- a/include/hw/core/cpu.h +++ b/include/hw/core/cpu.h @@ -201,7 +201,7 @@ struct CPUClass { * Fix the number of mmu modes to 16. */ #define NB_MMU_MODES 16 -typedef uint16_t MMUIdxMap; +typedef uint32_t MMUIdxMap; /* Use a fully associative victim tlb of 8 entries. */ #define CPU_VTLB_SIZE 8 From e886dccc8276f22296582338c30c639a24e45ea3 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:16 -0700 Subject: [PATCH 16/76] target/arm: Split out mmuidx.h from cpu.h MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-17-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpu.h | 207 +----------------------------------------- target/arm/mmuidx.h | 216 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 217 insertions(+), 206 deletions(-) create mode 100644 target/arm/mmuidx.h diff --git a/target/arm/cpu.h b/target/arm/cpu.h index 04b57f1dc5..6773676973 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -33,6 +33,7 @@ #include "target/arm/multiprocessing.h" #include "target/arm/gtimer.h" #include "target/arm/cpu-sysregs.h" +#include "target/arm/mmuidx.h" #define EXCP_UDEF 1 /* undefined instruction */ #define EXCP_SWI 2 /* software interrupt */ @@ -2301,212 +2302,6 @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync); #define TYPE_ARM_HOST_CPU "host-" TYPE_ARM_CPU -/* ARM has the following "translation regimes" (as the ARM ARM calls them): - * - * If EL3 is 64-bit: - * + NonSecure EL1 & 0 stage 1 - * + NonSecure EL1 & 0 stage 2 - * + NonSecure EL2 - * + NonSecure EL2 & 0 (ARMv8.1-VHE) - * + Secure EL1 & 0 stage 1 - * + Secure EL1 & 0 stage 2 (FEAT_SEL2) - * + Secure EL2 (FEAT_SEL2) - * + Secure EL2 & 0 (FEAT_SEL2) - * + Realm EL1 & 0 stage 1 (FEAT_RME) - * + Realm EL1 & 0 stage 2 (FEAT_RME) - * + Realm EL2 (FEAT_RME) - * + EL3 - * If EL3 is 32-bit: - * + NonSecure PL1 & 0 stage 1 - * + NonSecure PL1 & 0 stage 2 - * + NonSecure PL2 - * + Secure PL1 & 0 - * (reminder: for 32 bit EL3, Secure PL1 is *EL3*, not EL1.) - * - * For QEMU, an mmu_idx is not quite the same as a translation regime because: - * 1. we need to split the "EL1 & 0" and "EL2 & 0" regimes into two mmu_idxes, - * because they may differ in access permissions even if the VA->PA map is - * the same - * 2. we want to cache in our TLB the full VA->IPA->PA lookup for a stage 1+2 - * translation, which means that we have one mmu_idx that deals with two - * concatenated translation regimes [this sort of combined s1+2 TLB is - * architecturally permitted] - * 3. we don't need to allocate an mmu_idx to translations that we won't be - * handling via the TLB. The only way to do a stage 1 translation without - * the immediate stage 2 translation is via the ATS or AT system insns, - * which can be slow-pathed and always do a page table walk. - * The only use of stage 2 translations is either as part of an s1+2 - * lookup or when loading the descriptors during a stage 1 page table walk, - * and in both those cases we don't use the TLB. - * 4. we can also safely fold together the "32 bit EL3" and "64 bit EL3" - * translation regimes, because they map reasonably well to each other - * and they can't both be active at the same time. - * 5. we want to be able to use the TLB for accesses done as part of a - * stage1 page table walk, rather than having to walk the stage2 page - * table over and over. - * 6. we need separate EL1/EL2 mmu_idx for handling the Privileged Access - * Never (PAN) bit within PSTATE. - * 7. we fold together most secure and non-secure regimes for A-profile, - * because there are no banked system registers for aarch64, so the - * process of switching between secure and non-secure is - * already heavyweight. - * 8. we cannot fold together Stage 2 Secure and Stage 2 NonSecure, - * because both are in use simultaneously for Secure EL2. - * - * This gives us the following list of cases: - * - * EL0 EL1&0 stage 1+2 (aka NS PL0 PL1&0 stage 1+2) - * EL1 EL1&0 stage 1+2 (aka NS PL1 PL1&0 stage 1+2) - * EL1 EL1&0 stage 1+2 +PAN (aka NS PL1 P1&0 stage 1+2 +PAN) - * EL0 EL2&0 - * EL2 EL2&0 - * EL2 EL2&0 +PAN - * EL2 (aka NS PL2) - * EL3 (aka AArch32 S PL1 PL1&0) - * AArch32 S PL0 PL1&0 (we call this EL30_0) - * AArch32 S PL1 PL1&0 +PAN (we call this EL30_3_PAN) - * Stage2 Secure - * Stage2 NonSecure - * plus one TLB per Physical address space: S, NS, Realm, Root - * - * for a total of 16 different mmu_idx. - * - * R profile CPUs have an MPU, but can use the same set of MMU indexes - * as A profile. They only need to distinguish EL0 and EL1 (and - * EL2 for cores like the Cortex-R52). - * - * M profile CPUs are rather different as they do not have a true MMU. - * They have the following different MMU indexes: - * User - * Privileged - * User, execution priority negative (ie the MPU HFNMIENA bit may apply) - * Privileged, execution priority negative (ditto) - * If the CPU supports the v8M Security Extension then there are also: - * Secure User - * Secure Privileged - * Secure User, execution priority negative - * Secure Privileged, execution priority negative - * - * The ARMMMUIdx and the mmu index value used by the core QEMU TLB code - * are not quite the same -- different CPU types (most notably M profile - * vs A/R profile) would like to use MMU indexes with different semantics, - * but since we don't ever need to use all of those in a single CPU we - * can avoid having to set NB_MMU_MODES to "total number of A profile MMU - * modes + total number of M profile MMU modes". The lower bits of - * ARMMMUIdx are the core TLB mmu index, and the higher bits are always - * the same for any particular CPU. - * Variables of type ARMMUIdx are always full values, and the core - * index values are in variables of type 'int'. - * - * Our enumeration includes at the end some entries which are not "true" - * mmu_idx values in that they don't have corresponding TLBs and are only - * valid for doing slow path page table walks. - * - * The constant names here are patterned after the general style of the names - * of the AT/ATS operations. - * The values used are carefully arranged to make mmu_idx => EL lookup easy. - * For M profile we arrange them to have a bit for priv, a bit for negpri - * and a bit for secure. - */ -#define ARM_MMU_IDX_A 0x10 /* A profile */ -#define ARM_MMU_IDX_NOTLB 0x20 /* does not have a TLB */ -#define ARM_MMU_IDX_M 0x40 /* M profile */ - -/* Meanings of the bits for M profile mmu idx values */ -#define ARM_MMU_IDX_M_PRIV 0x1 -#define ARM_MMU_IDX_M_NEGPRI 0x2 -#define ARM_MMU_IDX_M_S 0x4 /* Secure */ - -#define ARM_MMU_IDX_TYPE_MASK \ - (ARM_MMU_IDX_A | ARM_MMU_IDX_M | ARM_MMU_IDX_NOTLB) -#define ARM_MMU_IDX_COREIDX_MASK 0xf - -typedef enum ARMMMUIdx { - /* - * A-profile. - */ - ARMMMUIdx_E10_0 = 0 | ARM_MMU_IDX_A, - ARMMMUIdx_E20_0 = 1 | ARM_MMU_IDX_A, - ARMMMUIdx_E10_1 = 2 | ARM_MMU_IDX_A, - ARMMMUIdx_E20_2 = 3 | ARM_MMU_IDX_A, - ARMMMUIdx_E10_1_PAN = 4 | ARM_MMU_IDX_A, - ARMMMUIdx_E20_2_PAN = 5 | ARM_MMU_IDX_A, - ARMMMUIdx_E2 = 6 | ARM_MMU_IDX_A, - ARMMMUIdx_E3 = 7 | ARM_MMU_IDX_A, - ARMMMUIdx_E30_0 = 8 | ARM_MMU_IDX_A, - ARMMMUIdx_E30_3_PAN = 9 | ARM_MMU_IDX_A, - - /* - * Used for second stage of an S12 page table walk, or for descriptor - * loads during first stage of an S1 page table walk. Note that both - * are in use simultaneously for SecureEL2: the security state for - * the S2 ptw is selected by the NS bit from the S1 ptw. - */ - ARMMMUIdx_Stage2_S = 10 | ARM_MMU_IDX_A, - ARMMMUIdx_Stage2 = 11 | ARM_MMU_IDX_A, - - /* TLBs with 1-1 mapping to the physical address spaces. */ - ARMMMUIdx_Phys_S = 12 | ARM_MMU_IDX_A, - ARMMMUIdx_Phys_NS = 13 | ARM_MMU_IDX_A, - ARMMMUIdx_Phys_Root = 14 | ARM_MMU_IDX_A, - ARMMMUIdx_Phys_Realm = 15 | ARM_MMU_IDX_A, - - /* - * These are not allocated TLBs and are used only for AT system - * instructions or for the first stage of an S12 page table walk. - */ - ARMMMUIdx_Stage1_E0 = 0 | ARM_MMU_IDX_NOTLB, - ARMMMUIdx_Stage1_E1 = 1 | ARM_MMU_IDX_NOTLB, - ARMMMUIdx_Stage1_E1_PAN = 2 | ARM_MMU_IDX_NOTLB, - - /* - * M-profile. - */ - ARMMMUIdx_MUser = ARM_MMU_IDX_M, - ARMMMUIdx_MPriv = ARM_MMU_IDX_M | ARM_MMU_IDX_M_PRIV, - ARMMMUIdx_MUserNegPri = ARMMMUIdx_MUser | ARM_MMU_IDX_M_NEGPRI, - ARMMMUIdx_MPrivNegPri = ARMMMUIdx_MPriv | ARM_MMU_IDX_M_NEGPRI, - ARMMMUIdx_MSUser = ARMMMUIdx_MUser | ARM_MMU_IDX_M_S, - ARMMMUIdx_MSPriv = ARMMMUIdx_MPriv | ARM_MMU_IDX_M_S, - ARMMMUIdx_MSUserNegPri = ARMMMUIdx_MUserNegPri | ARM_MMU_IDX_M_S, - ARMMMUIdx_MSPrivNegPri = ARMMMUIdx_MPrivNegPri | ARM_MMU_IDX_M_S, -} ARMMMUIdx; - -/* - * Bit macros for the core-mmu-index values for each index, - * for use when calling tlb_flush_by_mmuidx() and friends. - */ -#define TO_CORE_BIT(NAME) \ - ARMMMUIdxBit_##NAME = 1 << (ARMMMUIdx_##NAME & ARM_MMU_IDX_COREIDX_MASK) - -typedef enum ARMMMUIdxBit { - TO_CORE_BIT(E10_0), - TO_CORE_BIT(E20_0), - TO_CORE_BIT(E10_1), - TO_CORE_BIT(E10_1_PAN), - TO_CORE_BIT(E2), - TO_CORE_BIT(E20_2), - TO_CORE_BIT(E20_2_PAN), - TO_CORE_BIT(E3), - TO_CORE_BIT(E30_0), - TO_CORE_BIT(E30_3_PAN), - TO_CORE_BIT(Stage2), - TO_CORE_BIT(Stage2_S), - - TO_CORE_BIT(MUser), - TO_CORE_BIT(MPriv), - TO_CORE_BIT(MUserNegPri), - TO_CORE_BIT(MPrivNegPri), - TO_CORE_BIT(MSUser), - TO_CORE_BIT(MSPriv), - TO_CORE_BIT(MSUserNegPri), - TO_CORE_BIT(MSPrivNegPri), -} ARMMMUIdxBit; - -#undef TO_CORE_BIT - -#define MMU_USER_IDX 0 - /* Indexes used when registering address spaces with cpu_address_space_init */ typedef enum ARMASIdx { ARMASIdx_NS = 0, diff --git a/target/arm/mmuidx.h b/target/arm/mmuidx.h new file mode 100644 index 0000000000..5b9b4bc84f --- /dev/null +++ b/target/arm/mmuidx.h @@ -0,0 +1,216 @@ +/* + * QEMU Arm software mmu index definitions + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef TARGET_ARM_MMUIDX_H +#define TARGET_ARM_MMUIDX_H + +/* + * Arm has the following "translation regimes" (as the Arm ARM calls them): + * + * If EL3 is 64-bit: + * + NonSecure EL1 & 0 stage 1 + * + NonSecure EL1 & 0 stage 2 + * + NonSecure EL2 + * + NonSecure EL2 & 0 (ARMv8.1-VHE) + * + Secure EL1 & 0 stage 1 + * + Secure EL1 & 0 stage 2 (FEAT_SEL2) + * + Secure EL2 (FEAT_SEL2) + * + Secure EL2 & 0 (FEAT_SEL2) + * + Realm EL1 & 0 stage 1 (FEAT_RME) + * + Realm EL1 & 0 stage 2 (FEAT_RME) + * + Realm EL2 (FEAT_RME) + * + EL3 + * If EL3 is 32-bit: + * + NonSecure PL1 & 0 stage 1 + * + NonSecure PL1 & 0 stage 2 + * + NonSecure PL2 + * + Secure PL1 & 0 + * (reminder: for 32 bit EL3, Secure PL1 is *EL3*, not EL1.) + * + * For QEMU, an mmu_idx is not quite the same as a translation regime because: + * 1. we need to split the "EL1 & 0" and "EL2 & 0" regimes into two mmu_idxes, + * because they may differ in access permissions even if the VA->PA map is + * the same + * 2. we want to cache in our TLB the full VA->IPA->PA lookup for a stage 1+2 + * translation, which means that we have one mmu_idx that deals with two + * concatenated translation regimes [this sort of combined s1+2 TLB is + * architecturally permitted] + * 3. we don't need to allocate an mmu_idx to translations that we won't be + * handling via the TLB. The only way to do a stage 1 translation without + * the immediate stage 2 translation is via the ATS or AT system insns, + * which can be slow-pathed and always do a page table walk. + * The only use of stage 2 translations is either as part of an s1+2 + * lookup or when loading the descriptors during a stage 1 page table walk, + * and in both those cases we don't use the TLB. + * 4. we can also safely fold together the "32 bit EL3" and "64 bit EL3" + * translation regimes, because they map reasonably well to each other + * and they can't both be active at the same time. + * 5. we want to be able to use the TLB for accesses done as part of a + * stage1 page table walk, rather than having to walk the stage2 page + * table over and over. + * 6. we need separate EL1/EL2 mmu_idx for handling the Privileged Access + * Never (PAN) bit within PSTATE. + * 7. we fold together most secure and non-secure regimes for A-profile, + * because there are no banked system registers for aarch64, so the + * process of switching between secure and non-secure is + * already heavyweight. + * 8. we cannot fold together Stage 2 Secure and Stage 2 NonSecure, + * because both are in use simultaneously for Secure EL2. + * + * This gives us the following list of cases: + * + * EL0 EL1&0 stage 1+2 (aka NS PL0 PL1&0 stage 1+2) + * EL1 EL1&0 stage 1+2 (aka NS PL1 PL1&0 stage 1+2) + * EL1 EL1&0 stage 1+2 +PAN (aka NS PL1 P1&0 stage 1+2 +PAN) + * EL0 EL2&0 + * EL2 EL2&0 + * EL2 EL2&0 +PAN + * EL2 (aka NS PL2) + * EL3 (aka AArch32 S PL1 PL1&0) + * AArch32 S PL0 PL1&0 (we call this EL30_0) + * AArch32 S PL1 PL1&0 +PAN (we call this EL30_3_PAN) + * Stage2 Secure + * Stage2 NonSecure + * plus one TLB per Physical address space: S, NS, Realm, Root + * + * for a total of 16 different mmu_idx. + * + * R profile CPUs have an MPU, but can use the same set of MMU indexes + * as A profile. They only need to distinguish EL0 and EL1 (and + * EL2 for cores like the Cortex-R52). + * + * M profile CPUs are rather different as they do not have a true MMU. + * They have the following different MMU indexes: + * User + * Privileged + * User, execution priority negative (ie the MPU HFNMIENA bit may apply) + * Privileged, execution priority negative (ditto) + * If the CPU supports the v8M Security Extension then there are also: + * Secure User + * Secure Privileged + * Secure User, execution priority negative + * Secure Privileged, execution priority negative + * + * The ARMMMUIdx and the mmu index value used by the core QEMU TLB code + * are not quite the same -- different CPU types (most notably M profile + * vs A/R profile) would like to use MMU indexes with different semantics, + * but since we don't ever need to use all of those in a single CPU we + * can avoid having to set NB_MMU_MODES to "total number of A profile MMU + * modes + total number of M profile MMU modes". The lower bits of + * ARMMMUIdx are the core TLB mmu index, and the higher bits are always + * the same for any particular CPU. + * Variables of type ARMMUIdx are always full values, and the core + * index values are in variables of type 'int'. + * + * Our enumeration includes at the end some entries which are not "true" + * mmu_idx values in that they don't have corresponding TLBs and are only + * valid for doing slow path page table walks. + * + * The constant names here are patterned after the general style of the names + * of the AT/ATS operations. + * The values used are carefully arranged to make mmu_idx => EL lookup easy. + * For M profile we arrange them to have a bit for priv, a bit for negpri + * and a bit for secure. + */ +#define ARM_MMU_IDX_A 0x10 /* A profile */ +#define ARM_MMU_IDX_NOTLB 0x20 /* does not have a TLB */ +#define ARM_MMU_IDX_M 0x40 /* M profile */ + +/* Meanings of the bits for M profile mmu idx values */ +#define ARM_MMU_IDX_M_PRIV 0x1 +#define ARM_MMU_IDX_M_NEGPRI 0x2 +#define ARM_MMU_IDX_M_S 0x4 /* Secure */ + +#define ARM_MMU_IDX_TYPE_MASK \ + (ARM_MMU_IDX_A | ARM_MMU_IDX_M | ARM_MMU_IDX_NOTLB) +#define ARM_MMU_IDX_COREIDX_MASK 0xf + +typedef enum ARMMMUIdx { + /* + * A-profile. + */ + ARMMMUIdx_E10_0 = 0 | ARM_MMU_IDX_A, + ARMMMUIdx_E20_0 = 1 | ARM_MMU_IDX_A, + ARMMMUIdx_E10_1 = 2 | ARM_MMU_IDX_A, + ARMMMUIdx_E20_2 = 3 | ARM_MMU_IDX_A, + ARMMMUIdx_E10_1_PAN = 4 | ARM_MMU_IDX_A, + ARMMMUIdx_E20_2_PAN = 5 | ARM_MMU_IDX_A, + ARMMMUIdx_E2 = 6 | ARM_MMU_IDX_A, + ARMMMUIdx_E3 = 7 | ARM_MMU_IDX_A, + ARMMMUIdx_E30_0 = 8 | ARM_MMU_IDX_A, + ARMMMUIdx_E30_3_PAN = 9 | ARM_MMU_IDX_A, + + /* + * Used for second stage of an S12 page table walk, or for descriptor + * loads during first stage of an S1 page table walk. Note that both + * are in use simultaneously for SecureEL2: the security state for + * the S2 ptw is selected by the NS bit from the S1 ptw. + */ + ARMMMUIdx_Stage2_S = 10 | ARM_MMU_IDX_A, + ARMMMUIdx_Stage2 = 11 | ARM_MMU_IDX_A, + + /* TLBs with 1-1 mapping to the physical address spaces. */ + ARMMMUIdx_Phys_S = 12 | ARM_MMU_IDX_A, + ARMMMUIdx_Phys_NS = 13 | ARM_MMU_IDX_A, + ARMMMUIdx_Phys_Root = 14 | ARM_MMU_IDX_A, + ARMMMUIdx_Phys_Realm = 15 | ARM_MMU_IDX_A, + + /* + * These are not allocated TLBs and are used only for AT system + * instructions or for the first stage of an S12 page table walk. + */ + ARMMMUIdx_Stage1_E0 = 0 | ARM_MMU_IDX_NOTLB, + ARMMMUIdx_Stage1_E1 = 1 | ARM_MMU_IDX_NOTLB, + ARMMMUIdx_Stage1_E1_PAN = 2 | ARM_MMU_IDX_NOTLB, + + /* + * M-profile. + */ + ARMMMUIdx_MUser = ARM_MMU_IDX_M, + ARMMMUIdx_MPriv = ARM_MMU_IDX_M | ARM_MMU_IDX_M_PRIV, + ARMMMUIdx_MUserNegPri = ARMMMUIdx_MUser | ARM_MMU_IDX_M_NEGPRI, + ARMMMUIdx_MPrivNegPri = ARMMMUIdx_MPriv | ARM_MMU_IDX_M_NEGPRI, + ARMMMUIdx_MSUser = ARMMMUIdx_MUser | ARM_MMU_IDX_M_S, + ARMMMUIdx_MSPriv = ARMMMUIdx_MPriv | ARM_MMU_IDX_M_S, + ARMMMUIdx_MSUserNegPri = ARMMMUIdx_MUserNegPri | ARM_MMU_IDX_M_S, + ARMMMUIdx_MSPrivNegPri = ARMMMUIdx_MPrivNegPri | ARM_MMU_IDX_M_S, +} ARMMMUIdx; + +/* + * Bit macros for the core-mmu-index values for each index, + * for use when calling tlb_flush_by_mmuidx() and friends. + */ +#define TO_CORE_BIT(NAME) \ + ARMMMUIdxBit_##NAME = 1 << (ARMMMUIdx_##NAME & ARM_MMU_IDX_COREIDX_MASK) + +typedef enum ARMMMUIdxBit { + TO_CORE_BIT(E10_0), + TO_CORE_BIT(E20_0), + TO_CORE_BIT(E10_1), + TO_CORE_BIT(E10_1_PAN), + TO_CORE_BIT(E2), + TO_CORE_BIT(E20_2), + TO_CORE_BIT(E20_2_PAN), + TO_CORE_BIT(E3), + TO_CORE_BIT(E30_0), + TO_CORE_BIT(E30_3_PAN), + TO_CORE_BIT(Stage2), + TO_CORE_BIT(Stage2_S), + + TO_CORE_BIT(MUser), + TO_CORE_BIT(MPriv), + TO_CORE_BIT(MUserNegPri), + TO_CORE_BIT(MPrivNegPri), + TO_CORE_BIT(MSUser), + TO_CORE_BIT(MSPriv), + TO_CORE_BIT(MSUserNegPri), + TO_CORE_BIT(MSPrivNegPri), +} ARMMMUIdxBit; + +#undef TO_CORE_BIT + +#define MMU_USER_IDX 0 + +#endif /* TARGET_ARM_MMUIDX_H */ From 65ef0f2b33621fcc24ca54936475a00604e9a62e Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:17 -0700 Subject: [PATCH 17/76] target/arm: Convert arm_mmu_idx_to_el from switch to table MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In an effort to keep all ARMMMUIdx data in one place, begin construction of an info table describing all of the properties of the mmu_idx. Begin with the access EL. Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-18-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/helper.c | 27 ------------------------ target/arm/internals.h | 3 +-- target/arm/meson.build | 7 +++++- target/arm/mmuidx-internal.h | 29 +++++++++++++++++++++++++ target/arm/mmuidx.c | 41 ++++++++++++++++++++++++++++++++++++ 5 files changed, 77 insertions(+), 30 deletions(-) create mode 100644 target/arm/mmuidx-internal.h create mode 100644 target/arm/mmuidx.c diff --git a/target/arm/helper.c b/target/arm/helper.c index bd5321348a..b1d68da133 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -9653,33 +9653,6 @@ int fp_exception_el(CPUARMState *env, int cur_el) return 0; } -/* Return the exception level we're running at if this is our mmu_idx */ -int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx) -{ - if (mmu_idx & ARM_MMU_IDX_M) { - return mmu_idx & ARM_MMU_IDX_M_PRIV; - } - - switch (mmu_idx) { - case ARMMMUIdx_E10_0: - case ARMMMUIdx_E20_0: - case ARMMMUIdx_E30_0: - return 0; - case ARMMMUIdx_E10_1: - case ARMMMUIdx_E10_1_PAN: - return 1; - case ARMMMUIdx_E2: - case ARMMMUIdx_E20_2: - case ARMMMUIdx_E20_2_PAN: - return 2; - case ARMMMUIdx_E3: - case ARMMMUIdx_E30_3_PAN: - return 3; - default: - g_assert_not_reached(); - } -} - #ifndef CONFIG_TCG ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate) { diff --git a/target/arm/internals.h b/target/arm/internals.h index 69eb1df617..1a234d41c2 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -34,6 +34,7 @@ #include "system/memory.h" #include "syndrome.h" #include "cpu-features.h" +#include "mmuidx-internal.h" /* register banks for CPU modes */ #define BANK_USRSYS 0 @@ -984,8 +985,6 @@ static inline ARMMMUIdx core_to_aa64_mmu_idx(int mmu_idx) return mmu_idx | ARM_MMU_IDX_A; } -int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx); - /* Return the MMU index for a v7M CPU in the specified security state */ ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate); diff --git a/target/arm/meson.build b/target/arm/meson.build index 638ee62525..f9f0beef05 100644 --- a/target/arm/meson.build +++ b/target/arm/meson.build @@ -6,7 +6,12 @@ arm_ss.add(files( arm_ss.add(when: 'TARGET_AARCH64', if_true: files( 'cpu64.c', - 'gdbstub64.c')) + 'gdbstub64.c' +)) + +arm_common_ss.add(files( + 'mmuidx.c', +)) arm_system_ss = ss.source_set() arm_common_system_ss = ss.source_set() diff --git a/target/arm/mmuidx-internal.h b/target/arm/mmuidx-internal.h new file mode 100644 index 0000000000..29bba4ecb5 --- /dev/null +++ b/target/arm/mmuidx-internal.h @@ -0,0 +1,29 @@ +/* + * QEMU Arm software mmu index internal definitions + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef TARGET_ARM_MMUIDX_INTERNAL_H +#define TARGET_ARM_MMUIDX_INTERNAL_H + +#include "mmuidx.h" +#include "tcg/debug-assert.h" +#include "hw/registerfields.h" + + +FIELD(MMUIDXINFO, EL, 0, 2) +FIELD(MMUIDXINFO, ELVALID, 2, 1) + +extern const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8]; + +#define arm_mmuidx_is_valid(x) ((unsigned)(x) < ARRAY_SIZE(arm_mmuidx_table)) + +/* Return the exception level associated with this mmu index. */ +static inline int arm_mmu_idx_to_el(ARMMMUIdx idx) +{ + tcg_debug_assert(arm_mmuidx_is_valid(idx)); + tcg_debug_assert(FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, ELVALID)); + return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, EL); +} + +#endif /* TARGET_ARM_MMUIDX_INTERNAL_H */ diff --git a/target/arm/mmuidx.c b/target/arm/mmuidx.c new file mode 100644 index 0000000000..309b1d68df --- /dev/null +++ b/target/arm/mmuidx.c @@ -0,0 +1,41 @@ +/* + * QEMU Arm software mmu index definitions + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "mmuidx-internal.h" + + +#define EL(X) ((X << R_MMUIDXINFO_EL_SHIFT) | R_MMUIDXINFO_ELVALID_MASK) + +const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { + /* + * A-profile. + */ + [ARMMMUIdx_E10_0] = EL(0), + [ARMMMUIdx_E10_1] = EL(1), + [ARMMMUIdx_E10_1_PAN] = EL(1), + + [ARMMMUIdx_E20_0] = EL(0), + [ARMMMUIdx_E20_2] = EL(2), + [ARMMMUIdx_E20_2_PAN] = EL(2), + + [ARMMMUIdx_E2] = EL(2), + + [ARMMMUIdx_E3] = EL(3), + [ARMMMUIdx_E30_0] = EL(0), + [ARMMMUIdx_E30_3_PAN] = EL(3), + + /* + * M-profile. + */ + [ARMMMUIdx_MUser] = EL(0), + [ARMMMUIdx_MPriv] = EL(1), + [ARMMMUIdx_MUserNegPri] = EL(0), + [ARMMMUIdx_MPrivNegPri] = EL(1), + [ARMMMUIdx_MSUser] = EL(0), + [ARMMMUIdx_MSPriv] = EL(1), + [ARMMMUIdx_MSUserNegPri] = EL(0), + [ARMMMUIdx_MSPrivNegPri] = EL(1), +}; From 5dccad96b1f089a2d97262565a26960cf04e1579 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:18 -0700 Subject: [PATCH 18/76] target/arm: Remove unused env argument from regime_el MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-19-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/helper.c | 2 +- target/arm/internals.h | 8 ++++---- target/arm/ptw.c | 34 +++++++++++++++++----------------- target/arm/tcg/mte_helper.c | 2 +- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index b1d68da133..a55161ef40 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -9391,7 +9391,7 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va, ARMGranuleSize gran; ARMCPU *cpu = env_archcpu(env); bool stage2 = regime_is_stage2(mmu_idx); - int r_el = regime_el(env, mmu_idx); + int r_el = regime_el(mmu_idx); if (!regime_has_2_ranges(mmu_idx)) { select = 0; diff --git a/target/arm/internals.h b/target/arm/internals.h index 1a234d41c2..bd7ea82067 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -1074,7 +1074,7 @@ static inline bool regime_is_stage2(ARMMMUIdx mmu_idx) } /* Return the exception level which controls this address translation regime */ -static inline uint32_t regime_el(CPUARMState *env, ARMMMUIdx mmu_idx) +static inline uint32_t regime_el(ARMMMUIdx mmu_idx) { switch (mmu_idx) { case ARMMMUIdx_E20_0: @@ -1128,7 +1128,7 @@ static inline bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx) /* Return the SCTLR value which controls this address translation regime */ static inline uint64_t regime_sctlr(CPUARMState *env, ARMMMUIdx mmu_idx) { - return env->cp15.sctlr_el[regime_el(env, mmu_idx)]; + return env->cp15.sctlr_el[regime_el(mmu_idx)]; } /* @@ -1160,13 +1160,13 @@ static inline uint64_t regime_tcr(CPUARMState *env, ARMMMUIdx mmu_idx) v |= env->cp15.vtcr_el2 & VTCR_SHARED_FIELD_MASK; return v; } - return env->cp15.tcr_el[regime_el(env, mmu_idx)]; + return env->cp15.tcr_el[regime_el(mmu_idx)]; } /* Return true if the translation regime is using LPAE format page tables */ static inline bool regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx) { - int el = regime_el(env, mmu_idx); + int el = regime_el(mmu_idx); if (el == 2 || arm_el_is_aa64(env, el)) { return true; } diff --git a/target/arm/ptw.c b/target/arm/ptw.c index 21540a1ec3..9c89ffe8a5 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -235,9 +235,9 @@ static uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn) return env->cp15.vsttbr_el2; } if (ttbrn == 0) { - return env->cp15.ttbr0_el[regime_el(env, mmu_idx)]; + return env->cp15.ttbr0_el[regime_el(mmu_idx)]; } else { - return env->cp15.ttbr1_el[regime_el(env, mmu_idx)]; + return env->cp15.ttbr1_el[regime_el(mmu_idx)]; } } @@ -1059,7 +1059,7 @@ static bool get_phys_addr_v5(CPUARMState *env, S1Translate *ptw, } type = (desc & 3); domain = (desc >> 5) & 0x0f; - if (regime_el(env, ptw->in_mmu_idx) == 1) { + if (regime_el(ptw->in_mmu_idx) == 1) { dacr = env->cp15.dacr_ns; } else { dacr = env->cp15.dacr_s; @@ -1198,7 +1198,7 @@ static bool get_phys_addr_v6(CPUARMState *env, S1Translate *ptw, /* Page or Section. */ domain = (desc >> 5) & 0x0f; } - if (regime_el(env, mmu_idx) == 1) { + if (regime_el(mmu_idx) == 1) { dacr = env->cp15.dacr_ns; } else { dacr = env->cp15.dacr_s; @@ -1489,7 +1489,7 @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64, xn = pxn || (user_rw & PAGE_WRITE); } } else if (arm_feature(env, ARM_FEATURE_V7)) { - switch (regime_el(env, mmu_idx)) { + switch (regime_el(mmu_idx)) { case 1: case 3: if (is_user) { @@ -1545,7 +1545,7 @@ static int get_S1prot_indirect(CPUARMState *env, S1Translate *ptw, /* F */ 0, /* reserved */ }; - uint32_t el = regime_el(env, mmu_idx); + uint32_t el = regime_el(mmu_idx); uint64_t pir = env->cp15.pir_el[el]; uint64_t pire0 = 0; int perm; @@ -1620,7 +1620,7 @@ static ARMVAParameters aa32_va_parameters(CPUARMState *env, uint32_t va, ARMMMUIdx mmu_idx) { uint64_t tcr = regime_tcr(env, mmu_idx); - uint32_t el = regime_el(env, mmu_idx); + uint32_t el = regime_el(mmu_idx); int select, tsz; bool epd, hpd; @@ -1846,7 +1846,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, int addrsize, inputsize, outputsize; uint64_t tcr = regime_tcr(env, mmu_idx); int ap, prot; - uint32_t el = regime_el(env, mmu_idx); + uint32_t el = regime_el(mmu_idx); uint64_t descaddrmask; bool aarch64 = arm_el_is_aa64(env, el); uint64_t descriptor, new_descriptor; @@ -2296,7 +2296,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, /* Index into MAIR registers for cache attributes */ attrindx = extract32(attrs, 2, 3); - mair = env->cp15.mair_el[regime_el(env, mmu_idx)]; + mair = env->cp15.mair_el[regime_el(mmu_idx)]; assert(attrindx <= 7); result->cacheattrs.is_s2_format = false; result->cacheattrs.attrs = extract64(mair, attrindx * 8, 8); @@ -2774,7 +2774,7 @@ static bool get_phys_addr_pmsav7(CPUARMState *env, static uint32_t *regime_rbar(CPUARMState *env, ARMMMUIdx mmu_idx, uint32_t secure) { - if (regime_el(env, mmu_idx) == 2) { + if (regime_el(mmu_idx) == 2) { return env->pmsav8.hprbar; } else { return env->pmsav8.rbar[secure]; @@ -2784,7 +2784,7 @@ static uint32_t *regime_rbar(CPUARMState *env, ARMMMUIdx mmu_idx, static uint32_t *regime_rlar(CPUARMState *env, ARMMMUIdx mmu_idx, uint32_t secure) { - if (regime_el(env, mmu_idx) == 2) { + if (regime_el(mmu_idx) == 2) { return env->pmsav8.hprlar; } else { return env->pmsav8.rlar[secure]; @@ -2816,7 +2816,7 @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, uint32_t addr_page_limit = addr_page_base + (TARGET_PAGE_SIZE - 1); int region_counter; - if (regime_el(env, mmu_idx) == 2) { + if (regime_el(mmu_idx) == 2) { region_counter = cpu->pmsav8r_hdregion; } else { region_counter = cpu->pmsav7_dregion; @@ -2942,7 +2942,7 @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, xn = 1; } - if (regime_el(env, mmu_idx) == 2) { + if (regime_el(mmu_idx) == 2) { result->f.prot = simple_ap_to_rw_prot_is_user(ap, mmu_idx != ARMMMUIdx_E2); } else { @@ -2951,7 +2951,7 @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, if (!arm_feature(env, ARM_FEATURE_M)) { uint8_t attrindx = extract32(matched_rlar, 1, 3); - uint64_t mair = env->cp15.mair_el[regime_el(env, mmu_idx)]; + uint64_t mair = env->cp15.mair_el[regime_el(mmu_idx)]; uint8_t sh = extract32(matched_rlar, 3, 2); if (regime_sctlr(env, mmu_idx) & SCTLR_WXN && @@ -2959,7 +2959,7 @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, xn = 0x1; } - if ((regime_el(env, mmu_idx) == 1) && + if ((regime_el(mmu_idx) == 1) && regime_sctlr(env, mmu_idx) & SCTLR_UWXN && ap == 0x1) { pxn = 0x1; } @@ -3444,7 +3444,7 @@ static bool get_phys_addr_disabled(CPUARMState *env, break; default: - r_el = regime_el(env, mmu_idx); + r_el = regime_el(mmu_idx); if (arm_el_is_aa64(env, r_el)) { int pamax = arm_pamax(env_archcpu(env)); uint64_t tcr = env->cp15.tcr_el[r_el]; @@ -3697,7 +3697,7 @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw, */ if (address < 0x02000000 && mmu_idx != ARMMMUIdx_Stage2 && !arm_feature(env, ARM_FEATURE_V8)) { - if (regime_el(env, mmu_idx) == 3) { + if (regime_el(mmu_idx) == 3) { address += env->cp15.fcseidr_s; } else { address += env->cp15.fcseidr_ns; diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c index b96c953f80..bb48fe359b 100644 --- a/target/arm/tcg/mte_helper.c +++ b/target/arm/tcg/mte_helper.c @@ -605,7 +605,7 @@ void mte_check_fail(CPUARMState *env, uint32_t desc, int el, reg_el, tcf; uint64_t sctlr; - reg_el = regime_el(env, arm_mmu_idx); + reg_el = regime_el(arm_mmu_idx); sctlr = env->cp15.sctlr_el[reg_el]; switch (arm_mmu_idx) { From 9fe4b77afef948acfee1681ae7c0c2860c48dd5d Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:19 -0700 Subject: [PATCH 19/76] target/arm: Convert regime_el from switch to table Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-20-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/internals.h | 35 ---------------------------- target/arm/mmuidx-internal.h | 13 +++++++++++ target/arm/mmuidx.c | 44 +++++++++++++++++++++--------------- 3 files changed, 39 insertions(+), 53 deletions(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index bd7ea82067..319c39a4ac 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -1073,41 +1073,6 @@ static inline bool regime_is_stage2(ARMMMUIdx mmu_idx) return mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S; } -/* Return the exception level which controls this address translation regime */ -static inline uint32_t regime_el(ARMMMUIdx mmu_idx) -{ - switch (mmu_idx) { - case ARMMMUIdx_E20_0: - case ARMMMUIdx_E20_2: - case ARMMMUIdx_E20_2_PAN: - case ARMMMUIdx_Stage2: - case ARMMMUIdx_Stage2_S: - case ARMMMUIdx_E2: - return 2; - case ARMMMUIdx_E3: - case ARMMMUIdx_E30_0: - case ARMMMUIdx_E30_3_PAN: - return 3; - case ARMMMUIdx_E10_0: - case ARMMMUIdx_Stage1_E0: - case ARMMMUIdx_Stage1_E1: - case ARMMMUIdx_Stage1_E1_PAN: - case ARMMMUIdx_E10_1: - case ARMMMUIdx_E10_1_PAN: - case ARMMMUIdx_MPrivNegPri: - case ARMMMUIdx_MUserNegPri: - case ARMMMUIdx_MPriv: - case ARMMMUIdx_MUser: - case ARMMMUIdx_MSPrivNegPri: - case ARMMMUIdx_MSUserNegPri: - case ARMMMUIdx_MSPriv: - case ARMMMUIdx_MSUser: - return 1; - default: - g_assert_not_reached(); - } -} - static inline bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx) { switch (mmu_idx) { diff --git a/target/arm/mmuidx-internal.h b/target/arm/mmuidx-internal.h index 29bba4ecb5..d8d64a14d6 100644 --- a/target/arm/mmuidx-internal.h +++ b/target/arm/mmuidx-internal.h @@ -13,6 +13,8 @@ FIELD(MMUIDXINFO, EL, 0, 2) FIELD(MMUIDXINFO, ELVALID, 2, 1) +FIELD(MMUIDXINFO, REL, 3, 2) +FIELD(MMUIDXINFO, RELVALID, 5, 1) extern const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8]; @@ -26,4 +28,15 @@ static inline int arm_mmu_idx_to_el(ARMMMUIdx idx) return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, EL); } +/* + * Return the exception level for the address translation regime + * associated with this mmu index. + */ +static inline uint32_t regime_el(ARMMMUIdx idx) +{ + tcg_debug_assert(arm_mmuidx_is_valid(idx)); + tcg_debug_assert(FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, RELVALID)); + return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, REL); +} + #endif /* TARGET_ARM_MMUIDX_INTERNAL_H */ diff --git a/target/arm/mmuidx.c b/target/arm/mmuidx.c index 309b1d68df..6dfefa56c2 100644 --- a/target/arm/mmuidx.c +++ b/target/arm/mmuidx.c @@ -8,34 +8,42 @@ #define EL(X) ((X << R_MMUIDXINFO_EL_SHIFT) | R_MMUIDXINFO_ELVALID_MASK) +#define REL(X) ((X << R_MMUIDXINFO_REL_SHIFT) | R_MMUIDXINFO_RELVALID_MASK) const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { /* * A-profile. */ - [ARMMMUIdx_E10_0] = EL(0), - [ARMMMUIdx_E10_1] = EL(1), - [ARMMMUIdx_E10_1_PAN] = EL(1), + [ARMMMUIdx_E10_0] = EL(0) | REL(1), + [ARMMMUIdx_E10_1] = EL(1) | REL(1), + [ARMMMUIdx_E10_1_PAN] = EL(1) | REL(1), - [ARMMMUIdx_E20_0] = EL(0), - [ARMMMUIdx_E20_2] = EL(2), - [ARMMMUIdx_E20_2_PAN] = EL(2), + [ARMMMUIdx_E20_0] = EL(0) | REL(2), + [ARMMMUIdx_E20_2] = EL(2) | REL(2), + [ARMMMUIdx_E20_2_PAN] = EL(2) | REL(2), - [ARMMMUIdx_E2] = EL(2), + [ARMMMUIdx_E2] = EL(2) | REL(2), - [ARMMMUIdx_E3] = EL(3), - [ARMMMUIdx_E30_0] = EL(0), - [ARMMMUIdx_E30_3_PAN] = EL(3), + [ARMMMUIdx_E3] = EL(3) | REL(3), + [ARMMMUIdx_E30_0] = EL(0) | REL(3), + [ARMMMUIdx_E30_3_PAN] = EL(3) | REL(3), + + [ARMMMUIdx_Stage2_S] = REL(2), + [ARMMMUIdx_Stage2] = REL(2), + + [ARMMMUIdx_Stage1_E0] = REL(1), + [ARMMMUIdx_Stage1_E1] = REL(1), + [ARMMMUIdx_Stage1_E1_PAN] = REL(1), /* * M-profile. */ - [ARMMMUIdx_MUser] = EL(0), - [ARMMMUIdx_MPriv] = EL(1), - [ARMMMUIdx_MUserNegPri] = EL(0), - [ARMMMUIdx_MPrivNegPri] = EL(1), - [ARMMMUIdx_MSUser] = EL(0), - [ARMMMUIdx_MSPriv] = EL(1), - [ARMMMUIdx_MSUserNegPri] = EL(0), - [ARMMMUIdx_MSPrivNegPri] = EL(1), + [ARMMMUIdx_MUser] = EL(0) | REL(1), + [ARMMMUIdx_MPriv] = EL(1) | REL(1), + [ARMMMUIdx_MUserNegPri] = EL(0) | REL(1), + [ARMMMUIdx_MPrivNegPri] = EL(1) | REL(1), + [ARMMMUIdx_MSUser] = EL(0) | REL(1), + [ARMMMUIdx_MSPriv] = EL(1) | REL(1), + [ARMMMUIdx_MSUserNegPri] = EL(0) | REL(1), + [ARMMMUIdx_MSPrivNegPri] = EL(1) | REL(1), }; From bb39dd76d7f66eb4e5d513cdc2ed0179f5c1cc7f Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:20 -0700 Subject: [PATCH 20/76] target/arm: Convert regime_has_2_ranges from switch to table Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-21-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/internals.h | 28 ---------------------------- target/arm/mmuidx-internal.h | 17 +++++++++++++++++ target/arm/mmuidx.c | 19 ++++++++++--------- 3 files changed, 27 insertions(+), 37 deletions(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index 319c39a4ac..061472a943 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -1027,34 +1027,6 @@ static inline void arm_call_el_change_hook(ARMCPU *cpu) } } -/* - * Return true if this address translation regime has two ranges. - * Note that this will not return the correct answer for AArch32 - * Secure PL1&0 (i.e. mmu indexes E3, E30_0, E30_3_PAN), but it is - * never called from a context where EL3 can be AArch32. (The - * correct return value for ARMMMUIdx_E3 would be different for - * that case, so we can't just make the function return the - * correct value anyway; we would need an extra "bool e3_is_aarch32" - * argument which all the current callsites would pass as 'false'.) - */ -static inline bool regime_has_2_ranges(ARMMMUIdx mmu_idx) -{ - switch (mmu_idx) { - case ARMMMUIdx_Stage1_E0: - case ARMMMUIdx_Stage1_E1: - case ARMMMUIdx_Stage1_E1_PAN: - case ARMMMUIdx_E10_0: - case ARMMMUIdx_E10_1: - case ARMMMUIdx_E10_1_PAN: - case ARMMMUIdx_E20_0: - case ARMMMUIdx_E20_2: - case ARMMMUIdx_E20_2_PAN: - return true; - default: - return false; - } -} - static inline bool regime_is_pan(CPUARMState *env, ARMMMUIdx mmu_idx) { switch (mmu_idx) { diff --git a/target/arm/mmuidx-internal.h b/target/arm/mmuidx-internal.h index d8d64a14d6..f03a2ab94c 100644 --- a/target/arm/mmuidx-internal.h +++ b/target/arm/mmuidx-internal.h @@ -15,6 +15,7 @@ FIELD(MMUIDXINFO, EL, 0, 2) FIELD(MMUIDXINFO, ELVALID, 2, 1) FIELD(MMUIDXINFO, REL, 3, 2) FIELD(MMUIDXINFO, RELVALID, 5, 1) +FIELD(MMUIDXINFO, 2RANGES, 6, 1) extern const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8]; @@ -39,4 +40,20 @@ static inline uint32_t regime_el(ARMMMUIdx idx) return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, REL); } +/* + * Return true if this address translation regime has two ranges. + * Note that this will not return the correct answer for AArch32 + * Secure PL1&0 (i.e. mmu indexes E3, E30_0, E30_3_PAN), but it is + * never called from a context where EL3 can be AArch32. (The + * correct return value for ARMMMUIdx_E3 would be different for + * that case, so we can't just make the function return the + * correct value anyway; we would need an extra "bool e3_is_aarch32" + * argument which all the current callsites would pass as 'false'.) + */ +static inline bool regime_has_2_ranges(ARMMMUIdx idx) +{ + tcg_debug_assert(arm_mmuidx_is_valid(idx)); + return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, 2RANGES); +} + #endif /* TARGET_ARM_MMUIDX_INTERNAL_H */ diff --git a/target/arm/mmuidx.c b/target/arm/mmuidx.c index 6dfefa56c2..f880d21606 100644 --- a/target/arm/mmuidx.c +++ b/target/arm/mmuidx.c @@ -9,18 +9,19 @@ #define EL(X) ((X << R_MMUIDXINFO_EL_SHIFT) | R_MMUIDXINFO_ELVALID_MASK) #define REL(X) ((X << R_MMUIDXINFO_REL_SHIFT) | R_MMUIDXINFO_RELVALID_MASK) +#define R2 R_MMUIDXINFO_2RANGES_MASK const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { /* * A-profile. */ - [ARMMMUIdx_E10_0] = EL(0) | REL(1), - [ARMMMUIdx_E10_1] = EL(1) | REL(1), - [ARMMMUIdx_E10_1_PAN] = EL(1) | REL(1), + [ARMMMUIdx_E10_0] = EL(0) | REL(1) | R2, + [ARMMMUIdx_E10_1] = EL(1) | REL(1) | R2, + [ARMMMUIdx_E10_1_PAN] = EL(1) | REL(1) | R2, - [ARMMMUIdx_E20_0] = EL(0) | REL(2), - [ARMMMUIdx_E20_2] = EL(2) | REL(2), - [ARMMMUIdx_E20_2_PAN] = EL(2) | REL(2), + [ARMMMUIdx_E20_0] = EL(0) | REL(2) | R2, + [ARMMMUIdx_E20_2] = EL(2) | REL(2) | R2, + [ARMMMUIdx_E20_2_PAN] = EL(2) | REL(2) | R2, [ARMMMUIdx_E2] = EL(2) | REL(2), @@ -31,9 +32,9 @@ const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { [ARMMMUIdx_Stage2_S] = REL(2), [ARMMMUIdx_Stage2] = REL(2), - [ARMMMUIdx_Stage1_E0] = REL(1), - [ARMMMUIdx_Stage1_E1] = REL(1), - [ARMMMUIdx_Stage1_E1_PAN] = REL(1), + [ARMMMUIdx_Stage1_E0] = REL(1) | R2, + [ARMMMUIdx_Stage1_E1] = REL(1) | R2, + [ARMMMUIdx_Stage1_E1_PAN] = REL(1) | R2, /* * M-profile. From 59af12841b749c15d2a26a8f4222bc7627d00d01 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:21 -0700 Subject: [PATCH 21/76] target/arm: Remove unused env argument from regime_is_pan MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-22-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/internals.h | 2 +- target/arm/ptw.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index 061472a943..cb2ffeff59 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -1027,7 +1027,7 @@ static inline void arm_call_el_change_hook(ARMCPU *cpu) } } -static inline bool regime_is_pan(CPUARMState *env, ARMMMUIdx mmu_idx) +static inline bool regime_is_pan(ARMMMUIdx mmu_idx) { switch (mmu_idx) { case ARMMMUIdx_Stage1_E1_PAN: diff --git a/target/arm/ptw.c b/target/arm/ptw.c index 9c89ffe8a5..1080b6d69d 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -1429,10 +1429,10 @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64, * We make the IMPDEF choices that SCR_EL3.SIF and Realm EL2&0 * do not affect EPAN. */ - if (user_rw && regime_is_pan(env, mmu_idx)) { + if (user_rw && regime_is_pan(mmu_idx)) { prot_rw = 0; } else if (cpu_isar_feature(aa64_pan3, cpu) && is_aa64 && - regime_is_pan(env, mmu_idx) && + regime_is_pan(mmu_idx) && (regime_sctlr(env, mmu_idx) & SCTLR_EPAN) && !xn) { prot_rw = 0; } @@ -1571,7 +1571,7 @@ static int get_S1prot_indirect(CPUARMState *env, S1Translate *ptw, p_perm &= ~(PAGE_RWX | PAGE_GCS); u_perm &= ~(PAGE_RWX | PAGE_GCS); } - if ((u_perm & (PAGE_RWX | PAGE_GCS)) && regime_is_pan(env, mmu_idx)) { + if ((u_perm & (PAGE_RWX | PAGE_GCS)) && regime_is_pan(mmu_idx)) { p_perm &= ~(PAGE_READ | PAGE_WRITE); } perm = regime_is_user(env, mmu_idx) ? u_perm : p_perm; From ceab42c677484b9d6c97c91e59f8263685e891f5 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:22 -0700 Subject: [PATCH 22/76] target/arm: Convert regime_is_pan from switch to table Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-23-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/internals.h | 13 ------------- target/arm/mmuidx-internal.h | 8 ++++++++ target/arm/mmuidx.c | 9 +++++---- 3 files changed, 13 insertions(+), 17 deletions(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index cb2ffeff59..819ada7a5d 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -1027,19 +1027,6 @@ static inline void arm_call_el_change_hook(ARMCPU *cpu) } } -static inline bool regime_is_pan(ARMMMUIdx mmu_idx) -{ - switch (mmu_idx) { - case ARMMMUIdx_Stage1_E1_PAN: - case ARMMMUIdx_E10_1_PAN: - case ARMMMUIdx_E20_2_PAN: - case ARMMMUIdx_E30_3_PAN: - return true; - default: - return false; - } -} - static inline bool regime_is_stage2(ARMMMUIdx mmu_idx) { return mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S; diff --git a/target/arm/mmuidx-internal.h b/target/arm/mmuidx-internal.h index f03a2ab94c..41baf1a003 100644 --- a/target/arm/mmuidx-internal.h +++ b/target/arm/mmuidx-internal.h @@ -16,6 +16,7 @@ FIELD(MMUIDXINFO, ELVALID, 2, 1) FIELD(MMUIDXINFO, REL, 3, 2) FIELD(MMUIDXINFO, RELVALID, 5, 1) FIELD(MMUIDXINFO, 2RANGES, 6, 1) +FIELD(MMUIDXINFO, PAN, 7, 1) extern const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8]; @@ -56,4 +57,11 @@ static inline bool regime_has_2_ranges(ARMMMUIdx idx) return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, 2RANGES); } +/* Return true if Privileged Access Never is enabled for this mmu index. */ +static inline bool regime_is_pan(ARMMMUIdx idx) +{ + tcg_debug_assert(arm_mmuidx_is_valid(idx)); + return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, PAN); +} + #endif /* TARGET_ARM_MMUIDX_INTERNAL_H */ diff --git a/target/arm/mmuidx.c b/target/arm/mmuidx.c index f880d21606..98db02b8e5 100644 --- a/target/arm/mmuidx.c +++ b/target/arm/mmuidx.c @@ -10,6 +10,7 @@ #define EL(X) ((X << R_MMUIDXINFO_EL_SHIFT) | R_MMUIDXINFO_ELVALID_MASK) #define REL(X) ((X << R_MMUIDXINFO_REL_SHIFT) | R_MMUIDXINFO_RELVALID_MASK) #define R2 R_MMUIDXINFO_2RANGES_MASK +#define PAN R_MMUIDXINFO_PAN_MASK const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { /* @@ -17,24 +18,24 @@ const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { */ [ARMMMUIdx_E10_0] = EL(0) | REL(1) | R2, [ARMMMUIdx_E10_1] = EL(1) | REL(1) | R2, - [ARMMMUIdx_E10_1_PAN] = EL(1) | REL(1) | R2, + [ARMMMUIdx_E10_1_PAN] = EL(1) | REL(1) | R2 | PAN, [ARMMMUIdx_E20_0] = EL(0) | REL(2) | R2, [ARMMMUIdx_E20_2] = EL(2) | REL(2) | R2, - [ARMMMUIdx_E20_2_PAN] = EL(2) | REL(2) | R2, + [ARMMMUIdx_E20_2_PAN] = EL(2) | REL(2) | R2 | PAN, [ARMMMUIdx_E2] = EL(2) | REL(2), [ARMMMUIdx_E3] = EL(3) | REL(3), [ARMMMUIdx_E30_0] = EL(0) | REL(3), - [ARMMMUIdx_E30_3_PAN] = EL(3) | REL(3), + [ARMMMUIdx_E30_3_PAN] = EL(3) | REL(3) | PAN, [ARMMMUIdx_Stage2_S] = REL(2), [ARMMMUIdx_Stage2] = REL(2), [ARMMMUIdx_Stage1_E0] = REL(1) | R2, [ARMMMUIdx_Stage1_E1] = REL(1) | R2, - [ARMMMUIdx_Stage1_E1_PAN] = REL(1) | R2, + [ARMMMUIdx_Stage1_E1_PAN] = REL(1) | R2 | PAN, /* * M-profile. From b1af3bb87a808270bd6a0a48833e71a6ba506829 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:23 -0700 Subject: [PATCH 23/76] target/arm: Remove unused env argument from regime_is_user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-24-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/helper.c | 2 +- target/arm/internals.h | 2 +- target/arm/ptw.c | 16 ++++++++-------- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index a55161ef40..aed245fd86 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -9450,7 +9450,7 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va, ds = extract64(tcr, 59, 1); if (e0pd && cpu_isar_feature(aa64_e0pd, cpu) && - regime_is_user(env, mmu_idx)) { + regime_is_user(mmu_idx)) { epd = true; } diff --git a/target/arm/internals.h b/target/arm/internals.h index 819ada7a5d..d0d976cbb0 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -1032,7 +1032,7 @@ static inline bool regime_is_stage2(ARMMMUIdx mmu_idx) return mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S; } -static inline bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx) +static inline bool regime_is_user(ARMMMUIdx mmu_idx) { switch (mmu_idx) { case ARMMMUIdx_E10_0: diff --git a/target/arm/ptw.c b/target/arm/ptw.c index 1080b6d69d..d6d4bf3b23 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -1000,7 +1000,7 @@ static int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap, int domain_prot) { return ap_to_rw_prot_is_user(env, mmu_idx, ap, domain_prot, - regime_is_user(env, mmu_idx)); + regime_is_user(mmu_idx)); } /* @@ -1026,7 +1026,7 @@ static int simple_ap_to_rw_prot_is_user(int ap, bool is_user) static int simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap) { - return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx)); + return simple_ap_to_rw_prot_is_user(ap, regime_is_user(mmu_idx)); } static bool get_phys_addr_v5(CPUARMState *env, S1Translate *ptw, @@ -1412,7 +1412,7 @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64, ARMSecuritySpace in_pa, ARMSecuritySpace out_pa) { ARMCPU *cpu = env_archcpu(env); - bool is_user = regime_is_user(env, mmu_idx); + bool is_user = regime_is_user(mmu_idx); bool have_wxn; int wxn = 0; @@ -1574,7 +1574,7 @@ static int get_S1prot_indirect(CPUARMState *env, S1Translate *ptw, if ((u_perm & (PAGE_RWX | PAGE_GCS)) && regime_is_pan(mmu_idx)) { p_perm &= ~(PAGE_READ | PAGE_WRITE); } - perm = regime_is_user(env, mmu_idx) ? u_perm : p_perm; + perm = regime_is_user(mmu_idx) ? u_perm : p_perm; } if (in_pa != out_pa) { @@ -2421,7 +2421,7 @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t mask; uint32_t base; ARMMMUIdx mmu_idx = ptw->in_mmu_idx; - bool is_user = regime_is_user(env, mmu_idx); + bool is_user = regime_is_user(mmu_idx); if (regime_translation_disabled(env, mmu_idx, ptw->in_space)) { /* MPU disabled. */ @@ -2588,7 +2588,7 @@ static bool get_phys_addr_pmsav7(CPUARMState *env, ARMCPU *cpu = env_archcpu(env); int n; ARMMMUIdx mmu_idx = ptw->in_mmu_idx; - bool is_user = regime_is_user(env, mmu_idx); + bool is_user = regime_is_user(mmu_idx); bool secure = arm_space_is_secure(ptw->in_space); result->f.phys_addr = address; @@ -2808,7 +2808,7 @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, * memory system to use a subpage. */ ARMCPU *cpu = env_archcpu(env); - bool is_user = regime_is_user(env, mmu_idx); + bool is_user = regime_is_user(mmu_idx); int n; int matchregion = -1; bool hit = false; @@ -3689,7 +3689,7 @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw, break; } - result->f.attrs.user = regime_is_user(env, mmu_idx); + result->f.attrs.user = regime_is_user(mmu_idx); /* * Fast Context Switch Extension. This doesn't exist at all in v8. From 38e5e7018b9d3dbce30999b38d10cc5d7315da8c Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:24 -0700 Subject: [PATCH 24/76] target/arm: Convert regime_is_user from switch to table MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-25-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/internals.h | 17 ----------------- target/arm/mmuidx-internal.h | 12 ++++++++++++ target/arm/mmuidx.c | 6 ++++-- 3 files changed, 16 insertions(+), 19 deletions(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index d0d976cbb0..c4aef8b50e 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -1032,23 +1032,6 @@ static inline bool regime_is_stage2(ARMMMUIdx mmu_idx) return mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S; } -static inline bool regime_is_user(ARMMMUIdx mmu_idx) -{ - switch (mmu_idx) { - case ARMMMUIdx_E10_0: - case ARMMMUIdx_E20_0: - case ARMMMUIdx_E30_0: - case ARMMMUIdx_Stage1_E0: - case ARMMMUIdx_MUser: - case ARMMMUIdx_MSUser: - case ARMMMUIdx_MUserNegPri: - case ARMMMUIdx_MSUserNegPri: - return true; - default: - return false; - } -} - /* Return the SCTLR value which controls this address translation regime */ static inline uint64_t regime_sctlr(CPUARMState *env, ARMMMUIdx mmu_idx) { diff --git a/target/arm/mmuidx-internal.h b/target/arm/mmuidx-internal.h index 41baf1a003..3e51c0f579 100644 --- a/target/arm/mmuidx-internal.h +++ b/target/arm/mmuidx-internal.h @@ -17,6 +17,7 @@ FIELD(MMUIDXINFO, REL, 3, 2) FIELD(MMUIDXINFO, RELVALID, 5, 1) FIELD(MMUIDXINFO, 2RANGES, 6, 1) FIELD(MMUIDXINFO, PAN, 7, 1) +FIELD(MMUIDXINFO, USER, 8, 1) extern const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8]; @@ -64,4 +65,15 @@ static inline bool regime_is_pan(ARMMMUIdx idx) return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, PAN); } +/* + * Return true if the exception level associated with this mmu index is 0. + * Differs from arm_mmu_idx_to_el(idx) == 0 in that this allows querying + * Stage1 and Stage2 mmu indexes. + */ +static inline bool regime_is_user(ARMMMUIdx idx) +{ + tcg_debug_assert(arm_mmuidx_is_valid(idx)); + return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, USER); +} + #endif /* TARGET_ARM_MMUIDX_INTERNAL_H */ diff --git a/target/arm/mmuidx.c b/target/arm/mmuidx.c index 98db02b8e5..1c1e062bfe 100644 --- a/target/arm/mmuidx.c +++ b/target/arm/mmuidx.c @@ -7,10 +7,12 @@ #include "mmuidx-internal.h" -#define EL(X) ((X << R_MMUIDXINFO_EL_SHIFT) | R_MMUIDXINFO_ELVALID_MASK) +#define EL(X) ((X << R_MMUIDXINFO_EL_SHIFT) | R_MMUIDXINFO_ELVALID_MASK | \ + ((X == 0) << R_MMUIDXINFO_USER_SHIFT)) #define REL(X) ((X << R_MMUIDXINFO_REL_SHIFT) | R_MMUIDXINFO_RELVALID_MASK) #define R2 R_MMUIDXINFO_2RANGES_MASK #define PAN R_MMUIDXINFO_PAN_MASK +#define USER R_MMUIDXINFO_USER_MASK const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { /* @@ -33,7 +35,7 @@ const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { [ARMMMUIdx_Stage2_S] = REL(2), [ARMMMUIdx_Stage2] = REL(2), - [ARMMMUIdx_Stage1_E0] = REL(1) | R2, + [ARMMMUIdx_Stage1_E0] = REL(1) | R2 | USER, [ARMMMUIdx_Stage1_E1] = REL(1) | R2, [ARMMMUIdx_Stage1_E1_PAN] = REL(1) | R2 | PAN, From 346feee01c87713230e5f3da7b1126da1b43027f Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:25 -0700 Subject: [PATCH 25/76] target/arm: Convert arm_mmu_idx_is_stage1_of_2 from switch to table MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-26-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/internals.h | 19 ------------------- target/arm/mmuidx-internal.h | 8 ++++++++ target/arm/mmuidx.c | 7 ++++--- 3 files changed, 12 insertions(+), 22 deletions(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index c4aef8b50e..92883b6c0e 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -1285,25 +1285,6 @@ ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx); ARMMMUIdx arm_stage1_mmu_idx(CPUARMState *env); #endif -/** - * arm_mmu_idx_is_stage1_of_2: - * @mmu_idx: The ARMMMUIdx to test - * - * Return true if @mmu_idx is a NOTLB mmu_idx that is the - * first stage of a two stage regime. - */ -static inline bool arm_mmu_idx_is_stage1_of_2(ARMMMUIdx mmu_idx) -{ - switch (mmu_idx) { - case ARMMMUIdx_Stage1_E0: - case ARMMMUIdx_Stage1_E1: - case ARMMMUIdx_Stage1_E1_PAN: - return true; - default: - return false; - } -} - static inline uint32_t aarch32_cpsr_valid_mask(uint64_t features, const ARMISARegisters *id) { diff --git a/target/arm/mmuidx-internal.h b/target/arm/mmuidx-internal.h index 3e51c0f579..55fba4aae2 100644 --- a/target/arm/mmuidx-internal.h +++ b/target/arm/mmuidx-internal.h @@ -18,6 +18,7 @@ FIELD(MMUIDXINFO, RELVALID, 5, 1) FIELD(MMUIDXINFO, 2RANGES, 6, 1) FIELD(MMUIDXINFO, PAN, 7, 1) FIELD(MMUIDXINFO, USER, 8, 1) +FIELD(MMUIDXINFO, STAGE1, 9, 1) extern const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8]; @@ -76,4 +77,11 @@ static inline bool regime_is_user(ARMMMUIdx idx) return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, USER); } +/* Return true if this mmu index is stage 1 of a 2-stage translation. */ +static inline bool arm_mmu_idx_is_stage1_of_2(ARMMMUIdx idx) +{ + tcg_debug_assert(arm_mmuidx_is_valid(idx)); + return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, STAGE1); +} + #endif /* TARGET_ARM_MMUIDX_INTERNAL_H */ diff --git a/target/arm/mmuidx.c b/target/arm/mmuidx.c index 1c1e062bfe..c5b43a5932 100644 --- a/target/arm/mmuidx.c +++ b/target/arm/mmuidx.c @@ -13,6 +13,7 @@ #define R2 R_MMUIDXINFO_2RANGES_MASK #define PAN R_MMUIDXINFO_PAN_MASK #define USER R_MMUIDXINFO_USER_MASK +#define S1 R_MMUIDXINFO_STAGE1_MASK const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { /* @@ -35,9 +36,9 @@ const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { [ARMMMUIdx_Stage2_S] = REL(2), [ARMMMUIdx_Stage2] = REL(2), - [ARMMMUIdx_Stage1_E0] = REL(1) | R2 | USER, - [ARMMMUIdx_Stage1_E1] = REL(1) | R2, - [ARMMMUIdx_Stage1_E1_PAN] = REL(1) | R2 | PAN, + [ARMMMUIdx_Stage1_E0] = REL(1) | R2 | S1 | USER, + [ARMMMUIdx_Stage1_E1] = REL(1) | R2 | S1, + [ARMMMUIdx_Stage1_E1_PAN] = REL(1) | R2 | S1 | PAN, /* * M-profile. From 35ba9340114dc6122f5e7b65565a85795c2dc7d7 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:26 -0700 Subject: [PATCH 26/76] target/arm: Convert regime_is_stage2 to table MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This wasn't using a switch, but two comparisons. Convert it to arm_mmuidx_table for consistency. Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-27-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/internals.h | 5 ----- target/arm/mmuidx-internal.h | 8 ++++++++ target/arm/mmuidx.c | 5 +++-- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index 92883b6c0e..591b509e68 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -1027,11 +1027,6 @@ static inline void arm_call_el_change_hook(ARMCPU *cpu) } } -static inline bool regime_is_stage2(ARMMMUIdx mmu_idx) -{ - return mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S; -} - /* Return the SCTLR value which controls this address translation regime */ static inline uint64_t regime_sctlr(CPUARMState *env, ARMMMUIdx mmu_idx) { diff --git a/target/arm/mmuidx-internal.h b/target/arm/mmuidx-internal.h index 55fba4aae2..1d948aa6f4 100644 --- a/target/arm/mmuidx-internal.h +++ b/target/arm/mmuidx-internal.h @@ -19,6 +19,7 @@ FIELD(MMUIDXINFO, 2RANGES, 6, 1) FIELD(MMUIDXINFO, PAN, 7, 1) FIELD(MMUIDXINFO, USER, 8, 1) FIELD(MMUIDXINFO, STAGE1, 9, 1) +FIELD(MMUIDXINFO, STAGE2, 10, 1) extern const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8]; @@ -84,4 +85,11 @@ static inline bool arm_mmu_idx_is_stage1_of_2(ARMMMUIdx idx) return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, STAGE1); } +/* Return true if this mmu index is stage 2 of a 2-stage translation. */ +static inline bool regime_is_stage2(ARMMMUIdx idx) +{ + tcg_debug_assert(arm_mmuidx_is_valid(idx)); + return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, STAGE2); +} + #endif /* TARGET_ARM_MMUIDX_INTERNAL_H */ diff --git a/target/arm/mmuidx.c b/target/arm/mmuidx.c index c5b43a5932..61a682e655 100644 --- a/target/arm/mmuidx.c +++ b/target/arm/mmuidx.c @@ -14,6 +14,7 @@ #define PAN R_MMUIDXINFO_PAN_MASK #define USER R_MMUIDXINFO_USER_MASK #define S1 R_MMUIDXINFO_STAGE1_MASK +#define S2 R_MMUIDXINFO_STAGE2_MASK const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { /* @@ -33,8 +34,8 @@ const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { [ARMMMUIdx_E30_0] = EL(0) | REL(3), [ARMMMUIdx_E30_3_PAN] = EL(3) | REL(3) | PAN, - [ARMMMUIdx_Stage2_S] = REL(2), - [ARMMMUIdx_Stage2] = REL(2), + [ARMMMUIdx_Stage2_S] = REL(2) | S2, + [ARMMMUIdx_Stage2] = REL(2) | S2, [ARMMMUIdx_Stage1_E0] = REL(1) | R2 | S1 | USER, [ARMMMUIdx_Stage1_E1] = REL(1) | R2 | S1, From f76cee647cb4b2057d45d315ae73e89fa6d6f336 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:27 -0700 Subject: [PATCH 27/76] target/arm: Introduce mmu indexes for GCS Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-28-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- include/hw/core/cpu.h | 5 ++- target/arm/helper.c | 15 ++++++-- target/arm/mmuidx-internal.h | 8 ++++ target/arm/mmuidx.c | 9 +++++ target/arm/mmuidx.h | 71 ++++++++++++++++++++++++------------ target/arm/ptw.c | 20 ++++++++++ target/arm/tcg/tlb-insns.c | 47 ++++++++++++++++-------- 7 files changed, 132 insertions(+), 43 deletions(-) diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h index d175edb6f8..e79e8e0a8e 100644 --- a/include/hw/core/cpu.h +++ b/include/hw/core/cpu.h @@ -198,9 +198,10 @@ struct CPUClass { }; /* - * Fix the number of mmu modes to 16. + * Fix the number of mmu modes across all targets. + * Current maximum is target/arm/. */ -#define NB_MMU_MODES 16 +#define NB_MMU_MODES 22 typedef uint32_t MMUIdxMap; /* Use a fully associative victim tlb of 8 entries. */ diff --git a/target/arm/helper.c b/target/arm/helper.c index aed245fd86..6642cae0cc 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -420,7 +420,9 @@ int alle1_tlbmask(CPUARMState *env) */ return (ARMMMUIdxBit_E10_1 | ARMMMUIdxBit_E10_1_PAN | + ARMMMUIdxBit_E10_1_GCS | ARMMMUIdxBit_E10_0 | + ARMMMUIdxBit_E10_0_GCS | ARMMMUIdxBit_Stage2 | ARMMMUIdxBit_Stage2_S); } @@ -808,12 +810,17 @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) */ if (changed & (SCR_NS | SCR_NSE)) { tlb_flush_by_mmuidx(env_cpu(env), (ARMMMUIdxBit_E10_0 | + ARMMMUIdxBit_E10_0_GCS | ARMMMUIdxBit_E20_0 | + ARMMMUIdxBit_E20_0_GCS | ARMMMUIdxBit_E10_1 | - ARMMMUIdxBit_E20_2 | ARMMMUIdxBit_E10_1_PAN | + ARMMMUIdxBit_E10_1_GCS | + ARMMMUIdxBit_E20_2 | ARMMMUIdxBit_E20_2_PAN | - ARMMMUIdxBit_E2)); + ARMMMUIdxBit_E20_2_GCS | + ARMMMUIdxBit_E2 | + ARMMMUIdxBit_E2_GCS)); } } @@ -2787,7 +2794,9 @@ static void vmsa_tcr_ttbr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri, (arm_hcr_el2_eff(env) & HCR_E2H)) { uint16_t mask = ARMMMUIdxBit_E20_2 | ARMMMUIdxBit_E20_2_PAN | - ARMMMUIdxBit_E20_0; + ARMMMUIdxBit_E20_2_GCS | + ARMMMUIdxBit_E20_0 | + ARMMMUIdxBit_E20_0_GCS; tlb_flush_by_mmuidx(env_cpu(env), mask); } raw_write(env, ri, value); diff --git a/target/arm/mmuidx-internal.h b/target/arm/mmuidx-internal.h index 1d948aa6f4..f494ec348d 100644 --- a/target/arm/mmuidx-internal.h +++ b/target/arm/mmuidx-internal.h @@ -20,6 +20,7 @@ FIELD(MMUIDXINFO, PAN, 7, 1) FIELD(MMUIDXINFO, USER, 8, 1) FIELD(MMUIDXINFO, STAGE1, 9, 1) FIELD(MMUIDXINFO, STAGE2, 10, 1) +FIELD(MMUIDXINFO, GCS, 11, 1) extern const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8]; @@ -92,4 +93,11 @@ static inline bool regime_is_stage2(ARMMMUIdx idx) return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, STAGE2); } +/* Return true if this mmu index implies AccessType_GCS. */ +static inline bool regime_is_gcs(ARMMMUIdx idx) +{ + tcg_debug_assert(arm_mmuidx_is_valid(idx)); + return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, GCS); +} + #endif /* TARGET_ARM_MMUIDX_INTERNAL_H */ diff --git a/target/arm/mmuidx.c b/target/arm/mmuidx.c index 61a682e655..42b003db9c 100644 --- a/target/arm/mmuidx.c +++ b/target/arm/mmuidx.c @@ -15,22 +15,29 @@ #define USER R_MMUIDXINFO_USER_MASK #define S1 R_MMUIDXINFO_STAGE1_MASK #define S2 R_MMUIDXINFO_STAGE2_MASK +#define GCS R_MMUIDXINFO_GCS_MASK const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { /* * A-profile. */ [ARMMMUIdx_E10_0] = EL(0) | REL(1) | R2, + [ARMMMUIdx_E10_0_GCS] = EL(0) | REL(1) | R2 | GCS, [ARMMMUIdx_E10_1] = EL(1) | REL(1) | R2, [ARMMMUIdx_E10_1_PAN] = EL(1) | REL(1) | R2 | PAN, + [ARMMMUIdx_E10_1_GCS] = EL(1) | REL(1) | R2 | GCS, [ARMMMUIdx_E20_0] = EL(0) | REL(2) | R2, + [ARMMMUIdx_E20_0_GCS] = EL(0) | REL(2) | R2 | GCS, [ARMMMUIdx_E20_2] = EL(2) | REL(2) | R2, [ARMMMUIdx_E20_2_PAN] = EL(2) | REL(2) | R2 | PAN, + [ARMMMUIdx_E20_2_GCS] = EL(2) | REL(2) | R2 | GCS, [ARMMMUIdx_E2] = EL(2) | REL(2), + [ARMMMUIdx_E2_GCS] = EL(2) | REL(2) | GCS, [ARMMMUIdx_E3] = EL(3) | REL(3), + [ARMMMUIdx_E3_GCS] = EL(3) | REL(3) | GCS, [ARMMMUIdx_E30_0] = EL(0) | REL(3), [ARMMMUIdx_E30_3_PAN] = EL(3) | REL(3) | PAN, @@ -38,8 +45,10 @@ const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { [ARMMMUIdx_Stage2] = REL(2) | S2, [ARMMMUIdx_Stage1_E0] = REL(1) | R2 | S1 | USER, + [ARMMMUIdx_Stage1_E0_GCS] = REL(1) | R2 | S1 | USER | GCS, [ARMMMUIdx_Stage1_E1] = REL(1) | R2 | S1, [ARMMMUIdx_Stage1_E1_PAN] = REL(1) | R2 | S1 | PAN, + [ARMMMUIdx_Stage1_E1_GCS] = REL(1) | R2 | S1 | GCS, /* * M-profile. diff --git a/target/arm/mmuidx.h b/target/arm/mmuidx.h index 5b9b4bc84f..8d8d27337e 100644 --- a/target/arm/mmuidx.h +++ b/target/arm/mmuidx.h @@ -58,24 +58,31 @@ * already heavyweight. * 8. we cannot fold together Stage 2 Secure and Stage 2 NonSecure, * because both are in use simultaneously for Secure EL2. + * 9. we need separate indexes for handling AccessType_GCS. * * This gives us the following list of cases: * * EL0 EL1&0 stage 1+2 (aka NS PL0 PL1&0 stage 1+2) + * EL0 EL1&0 stage 1+2 +GCS * EL1 EL1&0 stage 1+2 (aka NS PL1 PL1&0 stage 1+2) * EL1 EL1&0 stage 1+2 +PAN (aka NS PL1 P1&0 stage 1+2 +PAN) + * EL1 EL1&0 stage 1+2 +GCS * EL0 EL2&0 + * EL0 EL2&0 +GCS * EL2 EL2&0 * EL2 EL2&0 +PAN + * EL2 EL2&0 +GCS * EL2 (aka NS PL2) + * EL2 +GCS * EL3 (aka AArch32 S PL1 PL1&0) + * EL3 +GCS * AArch32 S PL0 PL1&0 (we call this EL30_0) * AArch32 S PL1 PL1&0 +PAN (we call this EL30_3_PAN) * Stage2 Secure * Stage2 NonSecure * plus one TLB per Physical address space: S, NS, Realm, Root * - * for a total of 16 different mmu_idx. + * for a total of 22 different mmu_idx. * * R profile CPUs have an MPU, but can use the same set of MMU indexes * as A profile. They only need to distinguish EL0 and EL1 (and @@ -114,9 +121,9 @@ * For M profile we arrange them to have a bit for priv, a bit for negpri * and a bit for secure. */ -#define ARM_MMU_IDX_A 0x10 /* A profile */ -#define ARM_MMU_IDX_NOTLB 0x20 /* does not have a TLB */ -#define ARM_MMU_IDX_M 0x40 /* M profile */ +#define ARM_MMU_IDX_A 0x20 /* A profile */ +#define ARM_MMU_IDX_NOTLB 0x40 /* does not have a TLB */ +#define ARM_MMU_IDX_M 0x80 /* M profile */ /* Meanings of the bits for M profile mmu idx values */ #define ARM_MMU_IDX_M_PRIV 0x1 @@ -125,22 +132,32 @@ #define ARM_MMU_IDX_TYPE_MASK \ (ARM_MMU_IDX_A | ARM_MMU_IDX_M | ARM_MMU_IDX_NOTLB) -#define ARM_MMU_IDX_COREIDX_MASK 0xf +#define ARM_MMU_IDX_COREIDX_MASK 0x1f typedef enum ARMMMUIdx { /* * A-profile. */ - ARMMMUIdx_E10_0 = 0 | ARM_MMU_IDX_A, - ARMMMUIdx_E20_0 = 1 | ARM_MMU_IDX_A, - ARMMMUIdx_E10_1 = 2 | ARM_MMU_IDX_A, - ARMMMUIdx_E20_2 = 3 | ARM_MMU_IDX_A, - ARMMMUIdx_E10_1_PAN = 4 | ARM_MMU_IDX_A, - ARMMMUIdx_E20_2_PAN = 5 | ARM_MMU_IDX_A, - ARMMMUIdx_E2 = 6 | ARM_MMU_IDX_A, - ARMMMUIdx_E3 = 7 | ARM_MMU_IDX_A, - ARMMMUIdx_E30_0 = 8 | ARM_MMU_IDX_A, - ARMMMUIdx_E30_3_PAN = 9 | ARM_MMU_IDX_A, + + ARMMMUIdx_E10_0 = 0 | ARM_MMU_IDX_A, + ARMMMUIdx_E10_0_GCS = 1 | ARM_MMU_IDX_A, + ARMMMUIdx_E10_1 = 2 | ARM_MMU_IDX_A, + ARMMMUIdx_E10_1_PAN = 3 | ARM_MMU_IDX_A, + ARMMMUIdx_E10_1_GCS = 4 | ARM_MMU_IDX_A, + + ARMMMUIdx_E20_0 = 5 | ARM_MMU_IDX_A, + ARMMMUIdx_E20_0_GCS = 6 | ARM_MMU_IDX_A, + ARMMMUIdx_E20_2 = 7 | ARM_MMU_IDX_A, + ARMMMUIdx_E20_2_PAN = 8 | ARM_MMU_IDX_A, + ARMMMUIdx_E20_2_GCS = 9 | ARM_MMU_IDX_A, + + ARMMMUIdx_E2 = 10 | ARM_MMU_IDX_A, + ARMMMUIdx_E2_GCS = 11 | ARM_MMU_IDX_A, + + ARMMMUIdx_E3 = 12 | ARM_MMU_IDX_A, + ARMMMUIdx_E3_GCS = 13 | ARM_MMU_IDX_A, + ARMMMUIdx_E30_0 = 14 | ARM_MMU_IDX_A, + ARMMMUIdx_E30_3_PAN = 15 | ARM_MMU_IDX_A, /* * Used for second stage of an S12 page table walk, or for descriptor @@ -148,14 +165,14 @@ typedef enum ARMMMUIdx { * are in use simultaneously for SecureEL2: the security state for * the S2 ptw is selected by the NS bit from the S1 ptw. */ - ARMMMUIdx_Stage2_S = 10 | ARM_MMU_IDX_A, - ARMMMUIdx_Stage2 = 11 | ARM_MMU_IDX_A, + ARMMMUIdx_Stage2_S = 16 | ARM_MMU_IDX_A, + ARMMMUIdx_Stage2 = 17 | ARM_MMU_IDX_A, /* TLBs with 1-1 mapping to the physical address spaces. */ - ARMMMUIdx_Phys_S = 12 | ARM_MMU_IDX_A, - ARMMMUIdx_Phys_NS = 13 | ARM_MMU_IDX_A, - ARMMMUIdx_Phys_Root = 14 | ARM_MMU_IDX_A, - ARMMMUIdx_Phys_Realm = 15 | ARM_MMU_IDX_A, + ARMMMUIdx_Phys_S = 18 | ARM_MMU_IDX_A, + ARMMMUIdx_Phys_NS = 19 | ARM_MMU_IDX_A, + ARMMMUIdx_Phys_Root = 20 | ARM_MMU_IDX_A, + ARMMMUIdx_Phys_Realm = 21 | ARM_MMU_IDX_A, /* * These are not allocated TLBs and are used only for AT system @@ -164,6 +181,8 @@ typedef enum ARMMMUIdx { ARMMMUIdx_Stage1_E0 = 0 | ARM_MMU_IDX_NOTLB, ARMMMUIdx_Stage1_E1 = 1 | ARM_MMU_IDX_NOTLB, ARMMMUIdx_Stage1_E1_PAN = 2 | ARM_MMU_IDX_NOTLB, + ARMMMUIdx_Stage1_E0_GCS = 3 | ARM_MMU_IDX_NOTLB, + ARMMMUIdx_Stage1_E1_GCS = 4 | ARM_MMU_IDX_NOTLB, /* * M-profile. @@ -187,13 +206,19 @@ typedef enum ARMMMUIdx { typedef enum ARMMMUIdxBit { TO_CORE_BIT(E10_0), - TO_CORE_BIT(E20_0), + TO_CORE_BIT(E10_0_GCS), TO_CORE_BIT(E10_1), TO_CORE_BIT(E10_1_PAN), - TO_CORE_BIT(E2), + TO_CORE_BIT(E10_1_GCS), + TO_CORE_BIT(E20_0), + TO_CORE_BIT(E20_0_GCS), TO_CORE_BIT(E20_2), TO_CORE_BIT(E20_2_PAN), + TO_CORE_BIT(E20_2_GCS), + TO_CORE_BIT(E2), + TO_CORE_BIT(E2_GCS), TO_CORE_BIT(E3), + TO_CORE_BIT(E3_GCS), TO_CORE_BIT(E30_0), TO_CORE_BIT(E30_3_PAN), TO_CORE_BIT(Stage2), diff --git a/target/arm/ptw.c b/target/arm/ptw.c index d6d4bf3b23..6c52ed1ad0 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -169,6 +169,10 @@ ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx) return ARMMMUIdx_Stage1_E1; case ARMMMUIdx_E10_1_PAN: return ARMMMUIdx_Stage1_E1_PAN; + case ARMMMUIdx_E10_0_GCS: + return ARMMMUIdx_Stage1_E0_GCS; + case ARMMMUIdx_E10_1_GCS: + return ARMMMUIdx_Stage1_E1_GCS; default: return mmu_idx; } @@ -276,8 +280,10 @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx, return (hcr_el2 & (HCR_DC | HCR_VM)) == 0; case ARMMMUIdx_E10_0: + case ARMMMUIdx_E10_0_GCS: case ARMMMUIdx_E10_1: case ARMMMUIdx_E10_1_PAN: + case ARMMMUIdx_E10_1_GCS: /* TGE means that EL0/1 act as if SCTLR_EL1.M is zero */ hcr_el2 = arm_hcr_el2_eff_secstate(env, space); if (hcr_el2 & HCR_TGE) { @@ -286,8 +292,10 @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx, break; case ARMMMUIdx_Stage1_E0: + case ARMMMUIdx_Stage1_E0_GCS: case ARMMMUIdx_Stage1_E1: case ARMMMUIdx_Stage1_E1_PAN: + case ARMMMUIdx_Stage1_E1_GCS: /* HCR.DC means SCTLR_EL1.M behaves as 0 */ hcr_el2 = arm_hcr_el2_eff_secstate(env, space); if (hcr_el2 & HCR_DC) { @@ -296,10 +304,14 @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx, break; case ARMMMUIdx_E20_0: + case ARMMMUIdx_E20_0_GCS: case ARMMMUIdx_E20_2: case ARMMMUIdx_E20_2_PAN: + case ARMMMUIdx_E20_2_GCS: case ARMMMUIdx_E2: + case ARMMMUIdx_E2_GCS: case ARMMMUIdx_E3: + case ARMMMUIdx_E3_GCS: case ARMMMUIdx_E30_0: case ARMMMUIdx_E30_3_PAN: break; @@ -3799,15 +3811,22 @@ arm_mmu_idx_to_security_space(CPUARMState *env, ARMMMUIdx mmu_idx) switch (mmu_idx) { case ARMMMUIdx_E10_0: + case ARMMMUIdx_E10_0_GCS: case ARMMMUIdx_E10_1: case ARMMMUIdx_E10_1_PAN: + case ARMMMUIdx_E10_1_GCS: case ARMMMUIdx_E20_0: + case ARMMMUIdx_E20_0_GCS: case ARMMMUIdx_E20_2: case ARMMMUIdx_E20_2_PAN: + case ARMMMUIdx_E20_2_GCS: case ARMMMUIdx_Stage1_E0: + case ARMMMUIdx_Stage1_E0_GCS: case ARMMMUIdx_Stage1_E1: case ARMMMUIdx_Stage1_E1_PAN: + case ARMMMUIdx_Stage1_E1_GCS: case ARMMMUIdx_E2: + case ARMMMUIdx_E2_GCS: ss = arm_security_space_below_el3(env); break; case ARMMMUIdx_Stage2: @@ -3836,6 +3855,7 @@ arm_mmu_idx_to_security_space(CPUARMState *env, ARMMMUIdx mmu_idx) ss = ARMSS_Secure; break; case ARMMMUIdx_E3: + case ARMMMUIdx_E3_GCS: case ARMMMUIdx_E30_0: case ARMMMUIdx_E30_3_PAN: if (arm_feature(env, ARM_FEATURE_AARCH64) && diff --git a/target/arm/tcg/tlb-insns.c b/target/arm/tcg/tlb-insns.c index 95c26c6d46..1a0a332583 100644 --- a/target/arm/tcg/tlb-insns.c +++ b/target/arm/tcg/tlb-insns.c @@ -149,7 +149,8 @@ static void tlbimva_hyp_write(CPUARMState *env, const ARMCPRegInfo *ri, CPUState *cs = env_cpu(env); uint64_t pageaddr = value & ~MAKE_64BIT_MASK(0, 12); - tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdxBit_E2); + tlb_flush_page_by_mmuidx(cs, pageaddr, + ARMMMUIdxBit_E2 | ARMMMUIdxBit_E2_GCS); } static void tlbimva_hyp_is_write(CPUARMState *env, const ARMCPRegInfo *ri, @@ -159,7 +160,8 @@ static void tlbimva_hyp_is_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t pageaddr = value & ~MAKE_64BIT_MASK(0, 12); tlb_flush_page_by_mmuidx_all_cpus_synced(cs, pageaddr, - ARMMMUIdxBit_E2); + ARMMMUIdxBit_E2 | + ARMMMUIdxBit_E2_GCS); } static void tlbiipas2_hyp_write(CPUARMState *env, const ARMCPRegInfo *ri, @@ -202,7 +204,7 @@ static void tlbiall_hyp_write(CPUARMState *env, const ARMCPRegInfo *ri, { CPUState *cs = env_cpu(env); - tlb_flush_by_mmuidx(cs, ARMMMUIdxBit_E2); + tlb_flush_by_mmuidx(cs, ARMMMUIdxBit_E2 | ARMMMUIdxBit_E2_GCS); } static void tlbiall_hyp_is_write(CPUARMState *env, const ARMCPRegInfo *ri, @@ -210,7 +212,8 @@ static void tlbiall_hyp_is_write(CPUARMState *env, const ARMCPRegInfo *ri, { CPUState *cs = env_cpu(env); - tlb_flush_by_mmuidx_all_cpus_synced(cs, ARMMMUIdxBit_E2); + tlb_flush_by_mmuidx_all_cpus_synced(cs, ARMMMUIdxBit_E2 | + ARMMMUIdxBit_E2_GCS); } /* @@ -228,12 +231,16 @@ static int vae1_tlbmask(CPUARMState *env) if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) { mask = ARMMMUIdxBit_E20_2 | ARMMMUIdxBit_E20_2_PAN | - ARMMMUIdxBit_E20_0; + ARMMMUIdxBit_E20_2_GCS | + ARMMMUIdxBit_E20_0 | + ARMMMUIdxBit_E20_0_GCS; } else { /* This is AArch64 only, so we don't need to touch the EL30_x TLBs */ mask = ARMMMUIdxBit_E10_1 | ARMMMUIdxBit_E10_1_PAN | - ARMMMUIdxBit_E10_0; + ARMMMUIdxBit_E10_1_GCS | + ARMMMUIdxBit_E10_0 | + ARMMMUIdxBit_E10_0_GCS; } return mask; } @@ -246,13 +253,20 @@ static int vae2_tlbmask(CPUARMState *env) if (hcr & HCR_E2H) { mask = ARMMMUIdxBit_E20_2 | ARMMMUIdxBit_E20_2_PAN | - ARMMMUIdxBit_E20_0; + ARMMMUIdxBit_E20_2_GCS | + ARMMMUIdxBit_E20_0 | + ARMMMUIdxBit_E20_0_GCS; } else { - mask = ARMMMUIdxBit_E2; + mask = ARMMMUIdxBit_E2 | ARMMMUIdxBit_E2_GCS; } return mask; } +static int vae3_tlbmask(void) +{ + return ARMMMUIdxBit_E3 | ARMMMUIdxBit_E3_GCS; +} + /* Return 56 if TBI is enabled, 64 otherwise. */ static int tlbbits_for_regime(CPUARMState *env, ARMMMUIdx mmu_idx, uint64_t addr) @@ -325,9 +339,12 @@ static void tlbi_aa64_vmalle1_write(CPUARMState *env, const ARMCPRegInfo *ri, static int e2_tlbmask(CPUARMState *env) { return (ARMMMUIdxBit_E20_0 | + ARMMMUIdxBit_E20_0_GCS | ARMMMUIdxBit_E20_2 | ARMMMUIdxBit_E20_2_PAN | - ARMMMUIdxBit_E2); + ARMMMUIdxBit_E20_2_GCS | + ARMMMUIdxBit_E2 | + ARMMMUIdxBit_E2_GCS); } static void tlbi_aa64_alle1_write(CPUARMState *env, const ARMCPRegInfo *ri, @@ -354,7 +371,7 @@ static void tlbi_aa64_alle3_write(CPUARMState *env, const ARMCPRegInfo *ri, ARMCPU *cpu = env_archcpu(env); CPUState *cs = CPU(cpu); - tlb_flush_by_mmuidx(cs, ARMMMUIdxBit_E3); + tlb_flush_by_mmuidx(cs, vae3_tlbmask()); } static void tlbi_aa64_alle1is_write(CPUARMState *env, const ARMCPRegInfo *ri, @@ -380,7 +397,7 @@ static void tlbi_aa64_alle3is_write(CPUARMState *env, const ARMCPRegInfo *ri, { CPUState *cs = env_cpu(env); - tlb_flush_by_mmuidx_all_cpus_synced(cs, ARMMMUIdxBit_E3); + tlb_flush_by_mmuidx_all_cpus_synced(cs, vae3_tlbmask()); } static void tlbi_aa64_vae2_write(CPUARMState *env, const ARMCPRegInfo *ri, @@ -411,7 +428,7 @@ static void tlbi_aa64_vae3_write(CPUARMState *env, const ARMCPRegInfo *ri, CPUState *cs = CPU(cpu); uint64_t pageaddr = sextract64(value << 12, 0, 56); - tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdxBit_E3); + tlb_flush_page_by_mmuidx(cs, pageaddr, vae3_tlbmask()); } static void tlbi_aa64_vae1is_write(CPUARMState *env, const ARMCPRegInfo *ri, @@ -465,7 +482,7 @@ static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri, int bits = tlbbits_for_regime(env, ARMMMUIdx_E3, pageaddr); tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr, - ARMMMUIdxBit_E3, bits); + vae3_tlbmask(), bits); } static int ipas2e1_tlbmask(CPUARMState *env, int64_t value) @@ -963,7 +980,7 @@ static void tlbi_aa64_rvae3_write(CPUARMState *env, * flush-last-level-only. */ - do_rvae_write(env, value, ARMMMUIdxBit_E3, tlb_force_broadcast(env)); + do_rvae_write(env, value, vae3_tlbmask(), tlb_force_broadcast(env)); } static void tlbi_aa64_rvae3is_write(CPUARMState *env, @@ -977,7 +994,7 @@ static void tlbi_aa64_rvae3is_write(CPUARMState *env, * flush-last-level-only or inner/outer specific flushes. */ - do_rvae_write(env, value, ARMMMUIdxBit_E3, true); + do_rvae_write(env, value, vae3_tlbmask(), true); } static void tlbi_aa64_ripas2e1_write(CPUARMState *env, const ARMCPRegInfo *ri, From 0fe292fadb4d1886ad57bb14abcfb4130901b0f6 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:28 -0700 Subject: [PATCH 28/76] target/arm: Introduce regime_to_gcs Add a lookup from any a64 mmu index to the gcs mmu index within the same translation regime. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-29-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/mmuidx-internal.h | 10 ++++++++++ target/arm/mmuidx.c | 24 +++++++++++++----------- 2 files changed, 23 insertions(+), 11 deletions(-) diff --git a/target/arm/mmuidx-internal.h b/target/arm/mmuidx-internal.h index f494ec348d..962b053852 100644 --- a/target/arm/mmuidx-internal.h +++ b/target/arm/mmuidx-internal.h @@ -21,6 +21,7 @@ FIELD(MMUIDXINFO, USER, 8, 1) FIELD(MMUIDXINFO, STAGE1, 9, 1) FIELD(MMUIDXINFO, STAGE2, 10, 1) FIELD(MMUIDXINFO, GCS, 11, 1) +FIELD(MMUIDXINFO, TG, 12, 5) extern const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8]; @@ -100,4 +101,13 @@ static inline bool regime_is_gcs(ARMMMUIdx idx) return FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, GCS); } +/* Return the GCS MMUIdx for a given regime. */ +static inline ARMMMUIdx regime_to_gcs(ARMMMUIdx idx) +{ + tcg_debug_assert(arm_mmuidx_is_valid(idx)); + uint32_t core = FIELD_EX32(arm_mmuidx_table[idx], MMUIDXINFO, TG); + tcg_debug_assert(core != 0); /* core 0 is E10_0, not a GCS index */ + return core | ARM_MMU_IDX_A; +} + #endif /* TARGET_ARM_MMUIDX_INTERNAL_H */ diff --git a/target/arm/mmuidx.c b/target/arm/mmuidx.c index 42b003db9c..a4663c8d87 100644 --- a/target/arm/mmuidx.c +++ b/target/arm/mmuidx.c @@ -16,27 +16,29 @@ #define S1 R_MMUIDXINFO_STAGE1_MASK #define S2 R_MMUIDXINFO_STAGE2_MASK #define GCS R_MMUIDXINFO_GCS_MASK +#define TG(X) \ + ((ARMMMUIdx_##X##_GCS & ARM_MMU_IDX_COREIDX_MASK) << R_MMUIDXINFO_TG_SHIFT) const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { /* * A-profile. */ - [ARMMMUIdx_E10_0] = EL(0) | REL(1) | R2, + [ARMMMUIdx_E10_0] = EL(0) | REL(1) | R2 | TG(E10_0), [ARMMMUIdx_E10_0_GCS] = EL(0) | REL(1) | R2 | GCS, - [ARMMMUIdx_E10_1] = EL(1) | REL(1) | R2, - [ARMMMUIdx_E10_1_PAN] = EL(1) | REL(1) | R2 | PAN, + [ARMMMUIdx_E10_1] = EL(1) | REL(1) | R2 | TG(E10_1), + [ARMMMUIdx_E10_1_PAN] = EL(1) | REL(1) | R2 | TG(E10_1) | PAN, [ARMMMUIdx_E10_1_GCS] = EL(1) | REL(1) | R2 | GCS, - [ARMMMUIdx_E20_0] = EL(0) | REL(2) | R2, + [ARMMMUIdx_E20_0] = EL(0) | REL(2) | R2 | TG(E20_0), [ARMMMUIdx_E20_0_GCS] = EL(0) | REL(2) | R2 | GCS, - [ARMMMUIdx_E20_2] = EL(2) | REL(2) | R2, - [ARMMMUIdx_E20_2_PAN] = EL(2) | REL(2) | R2 | PAN, + [ARMMMUIdx_E20_2] = EL(2) | REL(2) | R2 | TG(E20_2), + [ARMMMUIdx_E20_2_PAN] = EL(2) | REL(2) | R2 | TG(E20_2) | PAN, [ARMMMUIdx_E20_2_GCS] = EL(2) | REL(2) | R2 | GCS, - [ARMMMUIdx_E2] = EL(2) | REL(2), + [ARMMMUIdx_E2] = EL(2) | REL(2) | TG(E2), [ARMMMUIdx_E2_GCS] = EL(2) | REL(2) | GCS, - [ARMMMUIdx_E3] = EL(3) | REL(3), + [ARMMMUIdx_E3] = EL(3) | REL(3) | TG(E3), [ARMMMUIdx_E3_GCS] = EL(3) | REL(3) | GCS, [ARMMMUIdx_E30_0] = EL(0) | REL(3), [ARMMMUIdx_E30_3_PAN] = EL(3) | REL(3) | PAN, @@ -44,10 +46,10 @@ const uint32_t arm_mmuidx_table[ARM_MMU_IDX_M + 8] = { [ARMMMUIdx_Stage2_S] = REL(2) | S2, [ARMMMUIdx_Stage2] = REL(2) | S2, - [ARMMMUIdx_Stage1_E0] = REL(1) | R2 | S1 | USER, + [ARMMMUIdx_Stage1_E0] = REL(1) | R2 | S1 | USER | TG(Stage1_E0), [ARMMMUIdx_Stage1_E0_GCS] = REL(1) | R2 | S1 | USER | GCS, - [ARMMMUIdx_Stage1_E1] = REL(1) | R2 | S1, - [ARMMMUIdx_Stage1_E1_PAN] = REL(1) | R2 | S1 | PAN, + [ARMMMUIdx_Stage1_E1] = REL(1) | R2 | S1 | TG(Stage1_E1), + [ARMMMUIdx_Stage1_E1_PAN] = REL(1) | R2 | S1 | TG(Stage1_E1) | PAN, [ARMMMUIdx_Stage1_E1_GCS] = REL(1) | R2 | S1 | GCS, /* From 4c14265b8092a250edaef62891ee2d55fcfac92d Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:29 -0700 Subject: [PATCH 29/76] target/arm: Support page protections for GCS mmu indexes Take read and write from the s1perms.gcs bit computed by the Arm pseudocode. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-30-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/ptw.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/target/arm/ptw.c b/target/arm/ptw.c index 6c52ed1ad0..d4386ede73 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -1619,12 +1619,16 @@ static int get_S1prot_indirect(CPUARMState *env, S1Translate *ptw, } } - if (perm & PAGE_WXN) { + if (regime_is_gcs(mmu_idx)) { + /* + * Note that the one s1perms.gcs bit controls both read and write + * access via AccessType_GCS. See AArch64.S1CheckPermissions. + */ + perm = (perm & PAGE_GCS ? PAGE_READ | PAGE_WRITE : 0); + } else if (perm & PAGE_WXN) { perm &= ~PAGE_EXEC; } - /* TODO: FEAT_GCS */ - return perm & PAGE_RWX; } @@ -2277,6 +2281,13 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw, */ prot = get_S1prot_indirect(env, ptw, mmu_idx, pi, po, result->f.attrs.space, out_space); + } else if (regime_is_gcs(mmu_idx)) { + /* + * While one must use indirect permissions to successfully + * use GCS instructions, AArch64.S1DirectBasePermissions + * faithfully supplies s1perms.gcs = 0, Just In Case. + */ + prot = 0; } else { int xn = extract64(attrs, 54, 1); int pxn = extract64(attrs, 53, 1); From 8a0dda3e6b2394d0e96c16b80f44db97f9cc3e6e Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:30 -0700 Subject: [PATCH 30/76] target/arm: Implement gcs bit for data abort Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-31-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/tlb_helper.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/target/arm/tcg/tlb_helper.c b/target/arm/tcg/tlb_helper.c index ae2acd6727..f1983a5732 100644 --- a/target/arm/tcg/tlb_helper.c +++ b/target/arm/tcg/tlb_helper.c @@ -28,7 +28,7 @@ static inline uint64_t merge_syn_data_abort(uint32_t template_syn, ARMMMUFaultInfo *fi, unsigned int target_el, bool same_el, bool is_write, - int fsc) + int fsc, bool gcs) { uint64_t syn; @@ -78,6 +78,7 @@ static inline uint64_t merge_syn_data_abort(uint32_t template_syn, /* Form ISS2 at the top of the syndrome. */ syn |= (uint64_t)fi->dirtybit << 37; + syn |= (uint64_t)gcs << 40; return syn; } @@ -252,9 +253,10 @@ void arm_deliver_fault(ARMCPU *cpu, vaddr addr, syn = syn_insn_abort(same_el, fi->ea, fi->s1ptw, fsc); exc = EXCP_PREFETCH_ABORT; } else { + bool gcs = regime_is_gcs(core_to_arm_mmu_idx(env, mmu_idx)); syn = merge_syn_data_abort(env->exception.syndrome, fi, target_el, same_el, access_type == MMU_DATA_STORE, - fsc); + fsc, gcs); if (access_type == MMU_DATA_STORE && arm_feature(env, ARM_FEATURE_V6)) { fsr |= (1 << 11); From d8bf1761efa7aa0cbda765c153357079b1e0bd3f Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:31 -0700 Subject: [PATCH 31/76] target/arm: Add GCS cpregs Add isar_feature_aa64_gcs. Enable SCR_GCSEN in scr_write. Enable HCRX_GCSEN in hcrx_write. Default HCRX_GCSEN on if EL2 disabled. Add the GCSCR* and GCSPR* registers. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-32-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpregs-gcs.c | 95 +++++++++++++++++++++++++++++++++++++++ target/arm/cpregs.h | 2 + target/arm/cpu-features.h | 5 +++ target/arm/cpu.c | 3 ++ target/arm/cpu.h | 12 +++++ target/arm/helper.c | 10 +++++ target/arm/internals.h | 3 ++ target/arm/meson.build | 2 + 8 files changed, 132 insertions(+) create mode 100644 target/arm/cpregs-gcs.c diff --git a/target/arm/cpregs-gcs.c b/target/arm/cpregs-gcs.c new file mode 100644 index 0000000000..1ff041811d --- /dev/null +++ b/target/arm/cpregs-gcs.c @@ -0,0 +1,95 @@ +/* + * QEMU ARM CP Register GCS regiters and instructions + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "qemu/timer.h" +#include "exec/icount.h" +#include "hw/irq.h" +#include "cpu.h" +#include "cpu-features.h" +#include "cpregs.h" +#include "internals.h" + + +static CPAccessResult access_gcs(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) +{ + if (arm_current_el(env) < 3 + && arm_feature(env, ARM_FEATURE_EL3) + && !(env->cp15.scr_el3 & SCR_GCSEN)) { + return CP_ACCESS_TRAP_EL3; + } + return CP_ACCESS_OK; +} + +static CPAccessResult access_gcs_el0(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) +{ + if (arm_current_el(env) == 0 && !(env->cp15.gcscr_el[0] & GCSCRE0_NTR)) { + return CP_ACCESS_TRAP_EL1; + } + return access_gcs(env, ri, isread); +} + +static void gcspr_write(CPUARMState *env, const ARMCPRegInfo *ri, + uint64_t value) +{ + /* + * Bits [2:0] are RES0, so we might as well clear them now, + * rather than upon each usage a-la GetCurrentGCSPointer. + */ + raw_write(env, ri, value & ~7); +} + +static const ARMCPRegInfo gcs_reginfo[] = { + { .name = "GCSCRE0_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 5, .opc2 = 2, + .access = PL1_RW, .accessfn = access_gcs, .fgt = FGT_NGCS_EL0, + .fieldoffset = offsetof(CPUARMState, cp15.gcscr_el[0]) }, + { .name = "GCSCR_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 5, .opc2 = 0, + .access = PL1_RW, .accessfn = access_gcs, .fgt = FGT_NGCS_EL1, + .nv2_redirect_offset = 0x8d0 | NV2_REDIR_NV1, + .vhe_redir_to_el2 = ENCODE_AA64_CP_REG(3, 4, 2, 5, 0), + .vhe_redir_to_el01 = ENCODE_AA64_CP_REG(3, 5, 2, 5, 0), + .fieldoffset = offsetof(CPUARMState, cp15.gcscr_el[1]) }, + { .name = "GCSCR_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 5, .opc2 = 0, + .access = PL2_RW, .accessfn = access_gcs, + .fieldoffset = offsetof(CPUARMState, cp15.gcscr_el[2]) }, + { .name = "GCSCR_EL3", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 5, .opc2 = 0, + .access = PL3_RW, + .fieldoffset = offsetof(CPUARMState, cp15.gcscr_el[3]) }, + + { .name = "GCSPR_EL0", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 3, .crn = 2, .crm = 5, .opc2 = 1, + .access = PL0_R | PL1_W, .accessfn = access_gcs_el0, + .fgt = FGT_NGCS_EL0, .writefn = gcspr_write, + .fieldoffset = offsetof(CPUARMState, cp15.gcspr_el[0]) }, + { .name = "GCSPR_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 5, .opc2 = 1, + .access = PL1_RW, .accessfn = access_gcs, + .fgt = FGT_NGCS_EL1, .writefn = gcspr_write, + .nv2_redirect_offset = 0x8c0 | NV2_REDIR_NV1, + .vhe_redir_to_el2 = ENCODE_AA64_CP_REG(3, 4, 2, 5, 1), + .vhe_redir_to_el01 = ENCODE_AA64_CP_REG(3, 5, 2, 5, 1), + .fieldoffset = offsetof(CPUARMState, cp15.gcspr_el[1]) }, + { .name = "GCSPR_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 5, .opc2 = 1, + .access = PL2_RW, .accessfn = access_gcs, .writefn = gcspr_write, + .fieldoffset = offsetof(CPUARMState, cp15.gcspr_el[2]) }, + { .name = "GCSPR_EL3", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 5, .opc2 = 1, + .access = PL3_RW, .writefn = gcspr_write, + .fieldoffset = offsetof(CPUARMState, cp15.gcspr_el[2]) }, +}; + +void define_gcs_cpregs(ARMCPU *cpu) +{ + if (cpu_isar_feature(aa64_gcs, cpu)) { + define_arm_cp_regs(cpu, gcs_reginfo); + } +} diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h index f48c4df30f..bd2121a336 100644 --- a/target/arm/cpregs.h +++ b/target/arm/cpregs.h @@ -779,6 +779,8 @@ typedef enum FGTBit { DO_BIT(HFGRTR, VBAR_EL1), DO_BIT(HFGRTR, ICC_IGRPENN_EL1), DO_BIT(HFGRTR, ERRIDR_EL1), + DO_REV_BIT(HFGRTR, NGCS_EL0), + DO_REV_BIT(HFGRTR, NGCS_EL1), DO_REV_BIT(HFGRTR, NSMPRI_EL1), DO_REV_BIT(HFGRTR, NTPIDR2_EL0), DO_REV_BIT(HFGRTR, NPIRE0_EL1), diff --git a/target/arm/cpu-features.h b/target/arm/cpu-features.h index f3e90408f7..0f0a112c21 100644 --- a/target/arm/cpu-features.h +++ b/target/arm/cpu-features.h @@ -1149,6 +1149,11 @@ static inline bool isar_feature_aa64_nmi(const ARMISARegisters *id) return FIELD_EX64_IDREG(id, ID_AA64PFR1, NMI) != 0; } +static inline bool isar_feature_aa64_gcs(const ARMISARegisters *id) +{ + return FIELD_EX64_IDREG(id, ID_AA64PFR1, GCS) != 0; +} + static inline bool isar_feature_aa64_tgran4_lpa2(const ARMISARegisters *id) { return FIELD_SEX64_IDREG(id, ID_AA64MMFR0, TGRAN4) >= 1; diff --git a/target/arm/cpu.c b/target/arm/cpu.c index 9bca1b8eae..192acac1f5 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -635,6 +635,9 @@ void arm_emulate_firmware_reset(CPUState *cpustate, int target_el) if (cpu_isar_feature(aa64_fgt, cpu)) { env->cp15.scr_el3 |= SCR_FGTEN; } + if (cpu_isar_feature(aa64_gcs, cpu)) { + env->cp15.scr_el3 |= SCR_GCSEN; + } if (cpu_isar_feature(aa64_tcr2, cpu)) { env->cp15.scr_el3 |= SCR_TCR2EN; } diff --git a/target/arm/cpu.h b/target/arm/cpu.h index 6773676973..e55524ae10 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -580,6 +580,9 @@ typedef struct CPUArchState { /* NV2 register */ uint64_t vncr_el2; + + uint64_t gcscr_el[4]; /* GCSCRE0_EL1, GCSCR_EL[123] */ + uint64_t gcspr_el[4]; /* GCSPR_EL[0123] */ } cp15; struct { @@ -1717,6 +1720,7 @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask) #define SCR_ENAS0 (1ULL << 36) #define SCR_ADEN (1ULL << 37) #define SCR_HXEN (1ULL << 38) +#define SCR_GCSEN (1ULL << 39) #define SCR_TRNDR (1ULL << 40) #define SCR_ENTP2 (1ULL << 41) #define SCR_TCR2EN (1ULL << 43) @@ -1725,6 +1729,14 @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask) #define SCR_GPF (1ULL << 48) #define SCR_NSE (1ULL << 62) +/* GCSCR_ELx fields */ +#define GCSCR_PCRSEL (1ULL << 0) +#define GCSCR_RVCHKEN (1ULL << 5) +#define GCSCR_EXLOCKEN (1ULL << 6) +#define GCSCR_PUSHMEN (1ULL << 8) +#define GCSCR_STREN (1ULL << 9) +#define GCSCRE0_NTR (1ULL << 10) + /* Return the current FPSCR value. */ uint32_t vfp_get_fpscr(CPUARMState *env); void vfp_set_fpscr(CPUARMState *env, uint32_t val); diff --git a/target/arm/helper.c b/target/arm/helper.c index 6642cae0cc..64b6c21aef 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -766,6 +766,9 @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) if (cpu_isar_feature(aa64_ecv, cpu)) { valid_mask |= SCR_ECVEN; } + if (cpu_isar_feature(aa64_gcs, cpu)) { + valid_mask |= SCR_GCSEN; + } if (cpu_isar_feature(aa64_tcr2, cpu)) { valid_mask |= SCR_TCR2EN; } @@ -3953,6 +3956,9 @@ static void hcrx_write(CPUARMState *env, const ARMCPRegInfo *ri, if (cpu_isar_feature(aa64_sctlr2, cpu)) { valid_mask |= HCRX_SCTLR2EN; } + if (cpu_isar_feature(aa64_gcs, cpu)) { + valid_mask |= HCRX_GCSEN; + } /* Clear RES0 bits. */ env->cp15.hcrx_el2 = value & valid_mask; @@ -4023,6 +4029,9 @@ uint64_t arm_hcrx_el2_eff(CPUARMState *env) if (cpu_isar_feature(aa64_sctlr2, cpu)) { hcrx |= HCRX_SCTLR2EN; } + if (cpu_isar_feature(aa64_gcs, cpu)) { + hcrx |= HCRX_GCSEN; + } return hcrx; } if (arm_feature(env, ARM_FEATURE_EL3) && !(env->cp15.scr_el3 & SCR_HXEN)) { @@ -7260,6 +7269,7 @@ void register_cp_regs_for_features(ARMCPU *cpu) } define_pm_cpregs(cpu); + define_gcs_cpregs(cpu); } /* diff --git a/target/arm/internals.h b/target/arm/internals.h index 591b509e68..109aa104bf 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -251,6 +251,7 @@ FIELD(VSTCR, SA, 30, 1) #define HCRX_MSCEN (1ULL << 11) #define HCRX_TCR2EN (1ULL << 14) #define HCRX_SCTLR2EN (1ULL << 15) +#define HCRX_GCSEN (1ULL << 22) #define HPFAR_NS (1ULL << 63) @@ -1783,6 +1784,8 @@ void define_tlb_insn_regs(ARMCPU *cpu); void define_at_insn_regs(ARMCPU *cpu); /* Add the cpreg definitions for PM cpregs */ void define_pm_cpregs(ARMCPU *cpu); +/* Add the cpreg definitions for GCS cpregs */ +void define_gcs_cpregs(ARMCPU *cpu); /* Effective value of MDCR_EL2 */ static inline uint64_t arm_mdcr_el2_eff(CPUARMState *env) diff --git a/target/arm/meson.build b/target/arm/meson.build index f9f0beef05..3df7e03654 100644 --- a/target/arm/meson.build +++ b/target/arm/meson.build @@ -27,6 +27,7 @@ arm_user_ss.add(when: 'TARGET_AARCH64', if_false: files( 'cpu32-stubs.c', )) arm_user_ss.add(files( + 'cpregs-gcs.c', 'cpregs-pmu.c', 'debug_helper.c', 'helper.c', @@ -47,6 +48,7 @@ arm_common_system_ss.add(files( 'arch_dump.c', 'arm-powerctl.c', 'cortex-regs.c', + 'cpregs-gcs.c', 'cpregs-pmu.c', 'cpu-irq.c', 'debug_helper.c', From e5c79193ec92dca13e6eccc60c2a6a77bb8f2fb9 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:32 -0700 Subject: [PATCH 32/76] target/arm: Add GCS enable and trap levels to DisasContext Pipe GCSEnabled, GCSReturnValueCheckEnabled, and CheckGCSSTREnabled through hflags to the translator. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-33-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpu.h | 3 +++ target/arm/tcg/hflags.c | 38 ++++++++++++++++++++++++++++++++++ target/arm/tcg/translate-a64.c | 3 +++ target/arm/tcg/translate.h | 6 ++++++ 4 files changed, 50 insertions(+) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index e55524ae10..775219364f 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -2475,6 +2475,9 @@ FIELD(TBFLAG_A64, NV2_MEM_BE, 36, 1) FIELD(TBFLAG_A64, AH, 37, 1) /* FPCR.AH */ FIELD(TBFLAG_A64, NEP, 38, 1) /* FPCR.NEP */ FIELD(TBFLAG_A64, ZT0EXC_EL, 39, 2) +FIELD(TBFLAG_A64, GCS_EN, 41, 1) +FIELD(TBFLAG_A64, GCS_RVCEN, 42, 1) +FIELD(TBFLAG_A64, GCSSTR_EL, 43, 2) /* * Helpers for using the above. Note that only the A64 accessors use diff --git a/target/arm/tcg/hflags.c b/target/arm/tcg/hflags.c index 17f83f13a4..5c9b9bec3b 100644 --- a/target/arm/tcg/hflags.c +++ b/target/arm/tcg/hflags.c @@ -451,6 +451,44 @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState *env, int el, int fp_el, DP_TBFLAG_A64(flags, TCMA, aa64_va_parameter_tcma(tcr, mmu_idx)); } + if (cpu_isar_feature(aa64_gcs, env_archcpu(env))) { + /* C.f. GCSEnabled */ + if (env->cp15.gcscr_el[el] & GCSCR_PCRSEL) { + switch (el) { + default: + if (!el_is_in_host(env, el) + && !(arm_hcrx_el2_eff(env) & HCRX_GCSEN)) { + break; + } + /* fall through */ + case 2: + if (arm_feature(env, ARM_FEATURE_EL3) + && !(env->cp15.scr_el3 & SCR_GCSEN)) { + break; + } + /* fall through */ + case 3: + DP_TBFLAG_A64(flags, GCS_EN, 1); + break; + } + } + + /* C.f. GCSReturnValueCheckEnabled */ + if (env->cp15.gcscr_el[el] & GCSCR_RVCHKEN) { + DP_TBFLAG_A64(flags, GCS_RVCEN, 1); + } + + /* C.f. CheckGCSSTREnabled */ + if (!(env->cp15.gcscr_el[el] & GCSCR_STREN)) { + DP_TBFLAG_A64(flags, GCSSTR_EL, el ? el : 1); + } else if (el == 1 + && EX_TBFLAG_ANY(flags, FGT_ACTIVE) + && !FIELD_EX64(env->cp15.fgt_exec[FGTREG_HFGITR], + HFGITR_EL2, NGCSSTR_EL1)) { + DP_TBFLAG_A64(flags, GCSSTR_EL, 2); + } + } + if (env->vfp.fpcr & FPCR_AH) { DP_TBFLAG_A64(flags, AH, 1); } diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index a0e3300231..693eab1c01 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -10344,6 +10344,9 @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase, dc->nv2_mem_be = EX_TBFLAG_A64(tb_flags, NV2_MEM_BE); dc->fpcr_ah = EX_TBFLAG_A64(tb_flags, AH); dc->fpcr_nep = EX_TBFLAG_A64(tb_flags, NEP); + dc->gcs_en = EX_TBFLAG_A64(tb_flags, GCS_EN); + dc->gcs_rvcen = EX_TBFLAG_A64(tb_flags, GCS_RVCEN); + dc->gcsstr_el = EX_TBFLAG_A64(tb_flags, GCSSTR_EL); dc->vec_len = 0; dc->vec_stride = 0; dc->cp_regs = arm_cpu->cp_regs; diff --git a/target/arm/tcg/translate.h b/target/arm/tcg/translate.h index f1a6e5e2b6..761edded52 100644 --- a/target/arm/tcg/translate.h +++ b/target/arm/tcg/translate.h @@ -166,6 +166,12 @@ typedef struct DisasContext { bool fpcr_ah; /* True if FPCR.NEP is 1 (FEAT_AFP scalar upper-element result handling) */ bool fpcr_nep; + /* True if GCSEnabled. */ + bool gcs_en; + /* True if GCSReturnValueCheckEnabled. */ + bool gcs_rvcen; + /* GCSSTR exception EL or 0 if enabled */ + uint8_t gcsstr_el; /* * >= 0, a copy of PSTATE.BTYPE, which will be 0 without v8.5-BTI. * < 0, set by the current instruction. From 2b6c55fb032967629d07f2ba096f66d3b83a14bd Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:33 -0700 Subject: [PATCH 33/76] target/arm: Implement FEAT_CHK This feature contains only the CHKFEAT instruction. It has no ID enable, being back-allocated into the hint nop space. Reviewed-by: Gustavo Romero Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-34-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- docs/system/arm/emulation.rst | 1 + target/arm/tcg/a64.decode | 1 + target/arm/tcg/translate-a64.c | 14 ++++++++++++++ 3 files changed, 16 insertions(+) diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst index c779a50570..68d9a4e734 100644 --- a/docs/system/arm/emulation.rst +++ b/docs/system/arm/emulation.rst @@ -28,6 +28,7 @@ the following architecture extensions: - FEAT_BF16 (AArch64 BFloat16 instructions) - FEAT_BTI (Branch Target Identification) - FEAT_CCIDX (Extended cache index) +- FEAT_CHK (Check Feature Status) - FEAT_CMOW (Control for cache maintenance permission) - FEAT_CRC32 (CRC32 instructions) - FEAT_Crypto (Cryptographic Extension) diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode index 55ff6c504f..8283a9c83d 100644 --- a/target/arm/tcg/a64.decode +++ b/target/arm/tcg/a64.decode @@ -256,6 +256,7 @@ ERETA 1101011 0100 11111 00001 m:1 11111 11111 &reta # ERETAA, ERETAB AUTIASP 1101 0101 0000 0011 0010 0011 101 11111 AUTIBZ 1101 0101 0000 0011 0010 0011 110 11111 AUTIBSP 1101 0101 0000 0011 0010 0011 111 11111 + CHKFEAT 1101 0101 0000 0011 0010 0101 000 11111 ] # The canonical NOP has CRm == op2 == 0, but all of the space # that isn't specifically allocated to an instruction must NOP diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 693eab1c01..78b2881a15 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -2124,6 +2124,20 @@ static bool trans_AUTIBSP(DisasContext *s, arg_AUTIBSP *a) return true; } +static bool trans_CHKFEAT(DisasContext *s, arg_CHKFEAT *a) +{ + uint64_t feat_en = 0; + + if (s->gcs_en) { + feat_en |= 1 << 0; + } + if (feat_en) { + TCGv_i64 x16 = cpu_reg(s, 16); + tcg_gen_andi_i64(x16, x16, ~feat_en); + } + return true; +} + static bool trans_CLREX(DisasContext *s, arg_CLREX *a) { tcg_gen_movi_i64(cpu_exclusive_addr, -1); From 3476d935c3f17f937c7939d91f79cd3bdffc6209 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:34 -0700 Subject: [PATCH 34/76] target/arm: Make helper_exception_return system-only MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Peter Maydell Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Message-id: 20251008215613.300150-35-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/helper-a64.c | 2 ++ target/arm/tcg/helper-a64.h | 5 ++++- target/arm/tcg/translate-a64.c | 8 ++++++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/target/arm/tcg/helper-a64.c b/target/arm/tcg/helper-a64.c index 71c6c44ee8..6d77fd0113 100644 --- a/target/arm/tcg/helper-a64.c +++ b/target/arm/tcg/helper-a64.c @@ -576,6 +576,7 @@ uint32_t HELPER(advsimd_rinth)(uint32_t x, float_status *fp_status) return ret; } +#ifndef CONFIG_USER_ONLY static int el_from_spsr(uint32_t spsr) { /* Return the exception level that this SPSR is requesting a return to, @@ -787,6 +788,7 @@ illegal_return: qemu_log_mask(LOG_GUEST_ERROR, "Illegal exception return at EL%d: " "resuming execution at 0x%" PRIx64 "\n", cur_el, env->pc); } +#endif /* !CONFIG_USER_ONLY */ void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in) { diff --git a/target/arm/tcg/helper-a64.h b/target/arm/tcg/helper-a64.h index 85023465b7..b6008b5a3a 100644 --- a/target/arm/tcg/helper-a64.h +++ b/target/arm/tcg/helper-a64.h @@ -80,7 +80,6 @@ DEF_HELPER_3(vfp_ah_maxh, f16, f16, f16, fpst) DEF_HELPER_3(vfp_ah_maxs, f32, f32, f32, fpst) DEF_HELPER_3(vfp_ah_maxd, f64, f64, f64, fpst) -DEF_HELPER_2(exception_return, void, env, i64) DEF_HELPER_FLAGS_2(dc_zva, TCG_CALL_NO_WG, void, env, i64) DEF_HELPER_FLAGS_3(pacia, TCG_CALL_NO_WG, i64, env, i64, i64) @@ -145,3 +144,7 @@ DEF_HELPER_FLAGS_5(gvec_fmulx_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, fpst, i32 DEF_HELPER_FLAGS_5(gvec_fmulx_idx_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, fpst, i32) DEF_HELPER_FLAGS_5(gvec_fmulx_idx_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, fpst, i32) DEF_HELPER_FLAGS_5(gvec_fmulx_idx_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, fpst, i32) + +#ifndef CONFIG_USER_ONLY +DEF_HELPER_2(exception_return, void, env, i64) +#endif diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 78b2881a15..43c9bfef93 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -1870,6 +1870,9 @@ static bool trans_BLRA(DisasContext *s, arg_bra *a) static bool trans_ERET(DisasContext *s, arg_ERET *a) { +#ifdef CONFIG_USER_ONLY + return false; +#else TCGv_i64 dst; if (s->current_el == 0) { @@ -1889,10 +1892,14 @@ static bool trans_ERET(DisasContext *s, arg_ERET *a) /* Must exit loop to check un-masked IRQs */ s->base.is_jmp = DISAS_EXIT; return true; +#endif } static bool trans_ERETA(DisasContext *s, arg_reta *a) { +#ifdef CONFIG_USER_ONLY + return false; +#else TCGv_i64 dst; if (!dc_isar_feature(aa64_pauth, s)) { @@ -1918,6 +1925,7 @@ static bool trans_ERETA(DisasContext *s, arg_reta *a) /* Must exit loop to check un-masked IRQs */ s->base.is_jmp = DISAS_EXIT; return true; +#endif } static bool trans_NOP(DisasContext *s, arg_NOP *a) From 38f8b024d80d276429dad0adadc67789aa89730a Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:35 -0700 Subject: [PATCH 35/76] target/arm: Export cpsr_{read_for, write_from}_spsr_elx MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move cpsr_write_from_spsr_elx from tcg/helper-a64.c to helper.c, so that it's present with --disable-tcg. Declare both in internals.h. Reviewed-by: Peter Maydell Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Message-id: 20251008215613.300150-36-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/helper.c | 20 +++++++++++++++++++- target/arm/internals.h | 2 ++ target/arm/tcg/helper-a64.c | 20 -------------------- 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index 64b6c21aef..def4edf808 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -8896,7 +8896,7 @@ static int aarch64_regnum(CPUARMState *env, int aarch32_reg) } } -static uint32_t cpsr_read_for_spsr_elx(CPUARMState *env) +uint32_t cpsr_read_for_spsr_elx(CPUARMState *env) { uint32_t ret = cpsr_read(env); @@ -8911,6 +8911,24 @@ static uint32_t cpsr_read_for_spsr_elx(CPUARMState *env) return ret; } +void cpsr_write_from_spsr_elx(CPUARMState *env, uint32_t val) +{ + uint32_t mask; + + /* Save SPSR_ELx.SS into PSTATE. */ + env->pstate = (env->pstate & ~PSTATE_SS) | (val & PSTATE_SS); + val &= ~PSTATE_SS; + + /* Move DIT to the correct location for CPSR */ + if (val & PSTATE_DIT) { + val &= ~PSTATE_DIT; + val |= CPSR_DIT; + } + + mask = aarch32_cpsr_valid_mask(env->features, &env_archcpu(env)->isar); + cpsr_write(env, val, mask, CPSRWriteRaw); +} + static bool syndrome_is_sync_extabt(uint32_t syndrome) { /* Return true if this syndrome value is a synchronous external abort */ diff --git a/target/arm/internals.h b/target/arm/internals.h index 109aa104bf..2a85ab762d 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -1897,6 +1897,8 @@ void vfp_clear_float_status_exc_flags(CPUARMState *env); */ void vfp_set_fpcr_to_host(CPUARMState *env, uint32_t val, uint32_t mask); bool arm_pan_enabled(CPUARMState *env); +uint32_t cpsr_read_for_spsr_elx(CPUARMState *env); +void cpsr_write_from_spsr_elx(CPUARMState *env, uint32_t val); /* Compare uint64_t for qsort and bsearch. */ int compare_u64(const void *a, const void *b); diff --git a/target/arm/tcg/helper-a64.c b/target/arm/tcg/helper-a64.c index 6d77fd0113..eaea7859d3 100644 --- a/target/arm/tcg/helper-a64.c +++ b/target/arm/tcg/helper-a64.c @@ -615,26 +615,6 @@ static int el_from_spsr(uint32_t spsr) } } -static void cpsr_write_from_spsr_elx(CPUARMState *env, - uint32_t val) -{ - uint32_t mask; - - /* Save SPSR_ELx.SS into PSTATE. */ - env->pstate = (env->pstate & ~PSTATE_SS) | (val & PSTATE_SS); - val &= ~PSTATE_SS; - - /* Move DIT to the correct location for CPSR */ - if (val & PSTATE_DIT) { - val &= ~PSTATE_DIT; - val |= CPSR_DIT; - } - - mask = aarch32_cpsr_valid_mask(env->features, \ - &env_archcpu(env)->isar); - cpsr_write(env, val, mask, CPSRWriteRaw); -} - void HELPER(exception_return)(CPUARMState *env, uint64_t new_pc) { ARMCPU *cpu = env_archcpu(env); From de83d60a84f25b9518a91bcb996f60a911d03e48 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:36 -0700 Subject: [PATCH 36/76] target/arm: Expand pstate to 64 bits The ARM now defines 36 bits in SPSR_ELx in aarch64 mode, so it's time to bite the bullet and extend PSTATE to match. Most changes are straightforward, adjusting printf formats, changing local variable types. More complex is migration, where to maintain backward compatibility a new pstate64 record is introduced, and only when one of the extensions that sets bits 32-35 are active. The fate of gdbstub is left undecided for the moment. Reviewed-by: Peter Maydell Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-37-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpu.c | 6 +-- target/arm/cpu.h | 8 ++-- target/arm/gdbstub64.c | 2 + target/arm/helper.c | 11 ++--- target/arm/machine.c | 81 +++++++++++++++++++++++++++++++++++++ target/arm/tcg/helper-a64.c | 2 +- target/arm/tcg/translate.h | 20 ++++----- 7 files changed, 107 insertions(+), 23 deletions(-) diff --git a/target/arm/cpu.c b/target/arm/cpu.c index 192acac1f5..cbb00c3db3 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -826,7 +826,7 @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags) { ARMCPU *cpu = ARM_CPU(cs); CPUARMState *env = &cpu->env; - uint32_t psr = pstate_read(env); + uint64_t psr = pstate_read(env); int i, j; int el = arm_current_el(env); uint64_t hcr = arm_hcr_el2_eff(env); @@ -848,7 +848,7 @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags) } else { ns_status = ""; } - qemu_fprintf(f, "PSTATE=%08x %c%c%c%c %sEL%d%c", + qemu_fprintf(f, "PSTATE=%016" PRIx64 " %c%c%c%c %sEL%d%c", psr, psr & PSTATE_N ? 'N' : '-', psr & PSTATE_Z ? 'Z' : '-', @@ -865,7 +865,7 @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags) (FIELD_EX64(env->svcr, SVCR, SM) ? 'S' : '-')); } if (cpu_isar_feature(aa64_bti, cpu)) { - qemu_fprintf(f, " BTYPE=%d", (psr & PSTATE_BTYPE) >> 10); + qemu_fprintf(f, " BTYPE=%d", (int)(psr & PSTATE_BTYPE) >> 10); } qemu_fprintf(f, "%s%s%s", (hcr & HCR_NV) ? " NV" : "", diff --git a/target/arm/cpu.h b/target/arm/cpu.h index 775219364f..b8abfd8276 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -268,7 +268,7 @@ typedef struct CPUArchState { uint64_t xregs[32]; uint64_t pc; /* PSTATE isn't an architectural register for ARMv8. However, it is - * convenient for us to assemble the underlying state into a 32 bit format + * convenient for us to assemble the underlying state into a 64 bit format * identical to the architectural format used for the SPSR. (This is also * what the Linux kernel's 'pstate' field in signal handlers and KVM's * 'pstate' register are.) Of the PSTATE bits: @@ -280,7 +280,7 @@ typedef struct CPUArchState { * SM and ZA are kept in env->svcr * all other bits are stored in their correct places in env->pstate */ - uint32_t pstate; + uint64_t pstate; bool aarch64; /* True if CPU is in aarch64 state; inverse of PSTATE.nRW */ bool thumb; /* True if CPU is in thumb mode; cpsr[5] */ @@ -1538,7 +1538,7 @@ static inline unsigned int aarch64_pstate_mode(unsigned int el, bool handler) * interprocessing, so we don't attempt to sync with the cpsr state used by * the 32 bit decoder. */ -static inline uint32_t pstate_read(CPUARMState *env) +static inline uint64_t pstate_read(CPUARMState *env) { int ZF; @@ -1548,7 +1548,7 @@ static inline uint32_t pstate_read(CPUARMState *env) | env->pstate | env->daif | (env->btype << 10); } -static inline void pstate_write(CPUARMState *env, uint32_t val) +static inline void pstate_write(CPUARMState *env, uint64_t val) { env->ZF = (~val) & PSTATE_Z; env->NF = val; diff --git a/target/arm/gdbstub64.c b/target/arm/gdbstub64.c index 3bccde2bf2..65d6bbe65f 100644 --- a/target/arm/gdbstub64.c +++ b/target/arm/gdbstub64.c @@ -47,6 +47,7 @@ int aarch64_cpu_gdb_read_register(CPUState *cs, GByteArray *mem_buf, int n) case 32: return gdb_get_reg64(mem_buf, env->pc); case 33: + /* pstate is now a 64-bit value; can we simply adjust the xml? */ return gdb_get_reg32(mem_buf, pstate_read(env)); } /* Unknown register. */ @@ -75,6 +76,7 @@ int aarch64_cpu_gdb_write_register(CPUState *cs, uint8_t *mem_buf, int n) return 8; case 33: /* CPSR */ + /* pstate is now a 64-bit value; can we simply adjust the xml? */ pstate_write(env, tmp); return 4; } diff --git a/target/arm/helper.c b/target/arm/helper.c index def4edf808..8e342b0811 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -8961,8 +8961,8 @@ static void arm_cpu_do_interrupt_aarch64(CPUState *cs) CPUARMState *env = &cpu->env; unsigned int new_el = env->exception.target_el; vaddr addr = env->cp15.vbar_el[new_el]; - unsigned int new_mode = aarch64_pstate_mode(new_el, true); - unsigned int old_mode; + uint64_t new_mode = aarch64_pstate_mode(new_el, true); + uint64_t old_mode; unsigned int cur_el = arm_current_el(env); int rt; @@ -9110,7 +9110,7 @@ static void arm_cpu_do_interrupt_aarch64(CPUState *cs) * If NV2 is disabled, change SPSR when NV,NV1 == 1,0 (I_ZJRNN) * If NV2 is enabled, change SPSR when NV is 1 (I_DBTLM) */ - old_mode = deposit32(old_mode, 2, 2, 2); + old_mode = deposit64(old_mode, 2, 2, 2); } } } else { @@ -9123,7 +9123,7 @@ static void arm_cpu_do_interrupt_aarch64(CPUState *cs) } env->banked_spsr[aarch64_banked_spsr_index(new_el)] = old_mode; - qemu_log_mask(CPU_LOG_INT, "...with SPSR 0x%x\n", old_mode); + qemu_log_mask(CPU_LOG_INT, "...with SPSR 0x%" PRIx64 "\n", old_mode); qemu_log_mask(CPU_LOG_INT, "...with ELR 0x%" PRIx64 "\n", env->elr_el[new_el]); @@ -9177,7 +9177,8 @@ static void arm_cpu_do_interrupt_aarch64(CPUState *cs) env->pc = addr; - qemu_log_mask(CPU_LOG_INT, "...to EL%d PC 0x%" PRIx64 " PSTATE 0x%x\n", + qemu_log_mask(CPU_LOG_INT, "...to EL%d PC 0x%" PRIx64 + " PSTATE 0x%" PRIx64 "\n", new_el, env->pc, pstate_read(env)); } diff --git a/target/arm/machine.c b/target/arm/machine.c index ce20b46f50..44a0cf844b 100644 --- a/target/arm/machine.c +++ b/target/arm/machine.c @@ -816,6 +816,80 @@ static const VMStateInfo vmstate_cpsr = { .put = put_cpsr, }; +static int get_pstate64(QEMUFile *f, void *opaque, size_t size, + const VMStateField *field) +{ + ARMCPU *cpu = opaque; + CPUARMState *env = &cpu->env; + uint64_t val = qemu_get_be64(f); + + env->aarch64 = ((val & PSTATE_nRW) == 0); + if (is_a64(env)) { + pstate_write(env, val); + } else { + cpsr_write_from_spsr_elx(env, val); + } + return 0; +} + +static int put_pstate64(QEMUFile *f, void *opaque, size_t size, + const VMStateField *field, JSONWriter *vmdesc) +{ + ARMCPU *cpu = opaque; + CPUARMState *env = &cpu->env; + uint64_t val; + + if (is_a64(env)) { + val = pstate_read(env); + } else { + val = cpsr_read_for_spsr_elx(env); + } + qemu_put_be64(f, val); + return 0; +} + +static bool pstate64_needed(void *opaque) +{ + ARMCPU *cpu = opaque; + CPUARMState *env = &cpu->env; + uint64_t val; + + if (arm_feature(env, ARM_FEATURE_M)) { + return false; + } + if (is_a64(env)) { + val = pstate_read(env); + } else { + val = cpsr_read_for_spsr_elx(env); + if (val & PSTATE_SS) { + return true; + } + } + return val > UINT32_MAX; +} + +static const VMStateDescription vmstate_pstate64 = { + .name = "cpu/pstate64", + .version_id = 1, + .minimum_version_id = 1, + .needed = pstate64_needed, + .fields = (const VMStateField[]) { + { + .name = "pstate64", + .version_id = 0, + .size = sizeof(uint64_t), + .info = &(const VMStateInfo) { + .name = "pstate64", + .get = get_pstate64, + .put = put_pstate64, + }, + .flags = VMS_SINGLE, + .offset = 0, + }, + VMSTATE_END_OF_LIST() + }, +}; + static int get_power(QEMUFile *f, void *opaque, size_t size, const VMStateField *field) { @@ -1052,6 +1126,12 @@ const VMStateDescription vmstate_arm_cpu = { VMSTATE_UINT32_ARRAY(env.regs, ARMCPU, 16), VMSTATE_UINT64_ARRAY(env.xregs, ARMCPU, 32), VMSTATE_UINT64(env.pc, ARMCPU), + /* + * If any bits are set in the upper 32 bits of cpsr/pstate, + * or if the cpu is in aa32 mode and PSTATE.SS is set, then + * the cpu/pstate64 subsection will override this with the + * full 64 bit state. + */ { .name = "cpsr", .version_id = 0, @@ -1128,6 +1208,7 @@ const VMStateDescription vmstate_arm_cpu = { &vmstate_irq_line_state, &vmstate_wfxt_timer, &vmstate_syndrome64, + &vmstate_pstate64, NULL } }; diff --git a/target/arm/tcg/helper-a64.c b/target/arm/tcg/helper-a64.c index eaea7859d3..08b7db7c46 100644 --- a/target/arm/tcg/helper-a64.c +++ b/target/arm/tcg/helper-a64.c @@ -620,7 +620,7 @@ void HELPER(exception_return)(CPUARMState *env, uint64_t new_pc) ARMCPU *cpu = env_archcpu(env); int cur_el = arm_current_el(env); unsigned int spsr_idx = aarch64_banked_spsr_index(cur_el); - uint32_t spsr = env->banked_spsr[spsr_idx]; + uint64_t spsr = env->banked_spsr[spsr_idx]; int new_el; bool return_to_aa64 = (spsr & PSTATE_nRW) == 0; diff --git a/target/arm/tcg/translate.h b/target/arm/tcg/translate.h index 761edded52..943dfd45fe 100644 --- a/target/arm/tcg/translate.h +++ b/target/arm/tcg/translate.h @@ -378,27 +378,27 @@ static inline TCGv_i32 get_ahp_flag(void) } /* Set bits within PSTATE. */ -static inline void set_pstate_bits(uint32_t bits) +static inline void set_pstate_bits(uint64_t bits) { - TCGv_i32 p = tcg_temp_new_i32(); + TCGv_i64 p = tcg_temp_new_i64(); tcg_debug_assert(!(bits & CACHED_PSTATE_BITS)); - tcg_gen_ld_i32(p, tcg_env, offsetof(CPUARMState, pstate)); - tcg_gen_ori_i32(p, p, bits); - tcg_gen_st_i32(p, tcg_env, offsetof(CPUARMState, pstate)); + tcg_gen_ld_i64(p, tcg_env, offsetof(CPUARMState, pstate)); + tcg_gen_ori_i64(p, p, bits); + tcg_gen_st_i64(p, tcg_env, offsetof(CPUARMState, pstate)); } /* Clear bits within PSTATE. */ -static inline void clear_pstate_bits(uint32_t bits) +static inline void clear_pstate_bits(uint64_t bits) { - TCGv_i32 p = tcg_temp_new_i32(); + TCGv_i64 p = tcg_temp_new_i64(); tcg_debug_assert(!(bits & CACHED_PSTATE_BITS)); - tcg_gen_ld_i32(p, tcg_env, offsetof(CPUARMState, pstate)); - tcg_gen_andi_i32(p, p, ~bits); - tcg_gen_st_i32(p, tcg_env, offsetof(CPUARMState, pstate)); + tcg_gen_ld_i64(p, tcg_env, offsetof(CPUARMState, pstate)); + tcg_gen_andi_i64(p, p, ~bits); + tcg_gen_st_i64(p, tcg_env, offsetof(CPUARMState, pstate)); } /* If the singlestep state is Active-not-pending, advance to Active-pending. */ From f0fdbfae973de21344706c5fdd9588b24e2395b7 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:37 -0700 Subject: [PATCH 37/76] target/arm: Add syndrome data for EC_GCS Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-38-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/syndrome.h | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h index c48d3b8587..bff61f052c 100644 --- a/target/arm/syndrome.h +++ b/target/arm/syndrome.h @@ -63,6 +63,7 @@ enum arm_exception_class { EC_MOP = 0x27, EC_AA32_FPTRAP = 0x28, EC_AA64_FPTRAP = 0x2c, + EC_GCS = 0x2d, EC_SERROR = 0x2f, EC_BREAKPOINT = 0x30, EC_BREAKPOINT_SAME_EL = 0x31, @@ -83,6 +84,23 @@ typedef enum { SME_ET_InaccessibleZT0, } SMEExceptionType; +typedef enum { + GCS_ET_DataCheck, + GCS_ET_EXLOCK, + GCS_ET_GCSSTR_GCSSTTR, +} GCSExceptionType; + +typedef enum { + GCS_IT_RET_nPauth = 0, + GCS_IT_GCSPOPM = 1, + GCS_IT_RET_PauthA = 2, + GCS_IT_RET_PauthB = 3, + GCS_IT_GCSSS1 = 4, + GCS_IT_GCSSS2 = 5, + GCS_IT_GCSPOPCX = 8, + GCS_IT_GCSPOPX = 9, +} GCSInstructionType; + #define ARM_EL_EC_LENGTH 6 #define ARM_EL_EC_SHIFT 26 #define ARM_EL_IL_SHIFT 25 @@ -351,6 +369,23 @@ static inline uint32_t syn_pcalignment(void) return (EC_PCALIGNMENT << ARM_EL_EC_SHIFT) | ARM_EL_IL; } +static inline uint32_t syn_gcs_data_check(GCSInstructionType it, int rn) +{ + return ((EC_GCS << ARM_EL_EC_SHIFT) | ARM_EL_IL | + (GCS_ET_DataCheck << 20) | (rn << 5) | it); +} + +static inline uint32_t syn_gcs_exlock(void) +{ + return (EC_GCS << ARM_EL_EC_SHIFT) | ARM_EL_IL | (GCS_ET_EXLOCK << 20); +} + +static inline uint32_t syn_gcs_gcsstr(int ra, int rn) +{ + return ((EC_GCS << ARM_EL_EC_SHIFT) | ARM_EL_IL | + (GCS_ET_GCSSTR_GCSSTTR << 20) | (ra << 10) | (rn << 5)); +} + static inline uint32_t syn_serror(uint32_t extra) { return (EC_SERROR << ARM_EL_EC_SHIFT) | ARM_EL_IL | extra; From 9e703a01f00a156f7944b8150bfb787ce273a4a0 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:38 -0700 Subject: [PATCH 38/76] target/arm: Add arm_hcr_el2_nvx_eff MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Implement the pseudocode function EffectiveHCR_EL2_NVx. Reviewed-by: Peter Maydell Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Message-id: 20251008215613.300150-39-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpu.h | 1 + target/arm/helper.c | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index b8abfd8276..54f3d7b1cc 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -2235,6 +2235,7 @@ static inline bool arm_is_el2_enabled(CPUARMState *env) */ uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, ARMSecuritySpace space); uint64_t arm_hcr_el2_eff(CPUARMState *env); +uint64_t arm_hcr_el2_nvx_eff(CPUARMState *env); uint64_t arm_hcrx_el2_eff(CPUARMState *env); /* diff --git a/target/arm/helper.c b/target/arm/helper.c index 8e342b0811..e397fe75bd 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -3904,6 +3904,16 @@ uint64_t arm_hcr_el2_eff(CPUARMState *env) return arm_hcr_el2_eff_secstate(env, arm_security_space_below_el3(env)); } +uint64_t arm_hcr_el2_nvx_eff(CPUARMState *env) +{ + uint64_t hcr = arm_hcr_el2_eff(env); + + if (!(hcr & HCR_NV)) { + return 0; /* CONSTRAINED UNPREDICTABLE wrt NV1 */ + } + return hcr & (HCR_NV2 | HCR_NV1 | HCR_NV); +} + /* * Corresponds to ARM pseudocode function ELIsInHost(). */ From 3a6a957b89ffcdeed3a39ae9eb268dfbda926a63 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:39 -0700 Subject: [PATCH 39/76] target/arm: Use arm_hcr_el2_nvx_eff in access_nv1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Peter Maydell Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Message-id: 20251008215613.300150-40-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index e397fe75bd..2875f0ddd2 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -3427,7 +3427,7 @@ static CPAccessResult access_nv1(CPUARMState *env, const ARMCPRegInfo *ri, bool isread) { if (arm_current_el(env) == 1) { - uint64_t hcr_nv = arm_hcr_el2_eff(env) & (HCR_NV | HCR_NV1 | HCR_NV2); + uint64_t hcr_nv = arm_hcr_el2_nvx_eff(env); if (hcr_nv == (HCR_NV | HCR_NV1)) { return CP_ACCESS_TRAP_EL2; From 399d40b985032ec1364f9906ef6596264a53f2db Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:40 -0700 Subject: [PATCH 40/76] target/arm: Split out access_nv1_with_nvx MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Peter Maydell Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Message-id: 20251008215613.300150-41-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/helper.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index 2875f0ddd2..5d40266d96 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -3423,15 +3423,16 @@ static void mdcr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri, } } +static CPAccessResult access_nv1_with_nvx(uint64_t hcr_nv) +{ + return hcr_nv == (HCR_NV | HCR_NV1) ? CP_ACCESS_TRAP_EL2 : CP_ACCESS_OK; +} + static CPAccessResult access_nv1(CPUARMState *env, const ARMCPRegInfo *ri, bool isread) { if (arm_current_el(env) == 1) { - uint64_t hcr_nv = arm_hcr_el2_nvx_eff(env); - - if (hcr_nv == (HCR_NV | HCR_NV1)) { - return CP_ACCESS_TRAP_EL2; - } + return access_nv1_with_nvx(arm_hcr_el2_nvx_eff(env)); } return CP_ACCESS_OK; } From 766c99beabd5a15ec2f4d2b1372926d8e1b03717 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:41 -0700 Subject: [PATCH 41/76] target/arm: Implement EXLOCKException for ELR_ELx and SPSR_ELx If PSTATE.EXLOCK is set, and the GCS EXLOCK enable bit is set, and nested virt is in the appropriate state, then we need to raise an EXLOCK exception. Since PSTATE.EXLOCK cannot be set without GCS being present and enabled, no explicit check for GCS is required. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-42-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpregs.h | 8 +++++ target/arm/cpu.h | 1 + target/arm/helper.c | 67 ++++++++++++++++++++++++++++++++++---- target/arm/tcg/op_helper.c | 7 ++++ 4 files changed, 77 insertions(+), 6 deletions(-) diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h index bd2121a336..a79f00351c 100644 --- a/target/arm/cpregs.h +++ b/target/arm/cpregs.h @@ -351,6 +351,14 @@ typedef enum CPAccessResult { * specified target EL. */ CP_ACCESS_UNDEFINED = (2 << 2), + + /* + * Access fails with EXLOCK, a GCS exception syndrome. + * These traps are always to the current execution EL, + * which is the same as the usual target EL because + * they cannot occur from EL0. + */ + CP_ACCESS_EXLOCK = (3 << 2), } CPAccessResult; /* Indexes into fgt_read[] */ diff --git a/target/arm/cpu.h b/target/arm/cpu.h index 54f3d7b1cc..91a851dac1 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -1502,6 +1502,7 @@ void pmu_init(ARMCPU *cpu); #define PSTATE_C (1U << 29) #define PSTATE_Z (1U << 30) #define PSTATE_N (1U << 31) +#define PSTATE_EXLOCK (1ULL << 34) #define PSTATE_NZCV (PSTATE_N | PSTATE_Z | PSTATE_C | PSTATE_V) #define PSTATE_DAIF (PSTATE_D | PSTATE_A | PSTATE_I | PSTATE_F) #define CACHED_PSTATE_BITS (PSTATE_NZCV | PSTATE_DAIF | PSTATE_BTYPE) diff --git a/target/arm/helper.c b/target/arm/helper.c index 5d40266d96..1aa0a157b7 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -3437,6 +3437,61 @@ static CPAccessResult access_nv1(CPUARMState *env, const ARMCPRegInfo *ri, return CP_ACCESS_OK; } +static CPAccessResult access_nv1_or_exlock_el1(CPUARMState *env, + const ARMCPRegInfo *ri, + bool isread) +{ + if (arm_current_el(env) == 1) { + uint64_t nvx = arm_hcr_el2_nvx_eff(env); + + if (!isread && + (env->pstate & PSTATE_EXLOCK) && + (env->cp15.gcscr_el[1] & GCSCR_EXLOCKEN) && + !(nvx & HCR_NV1)) { + return CP_ACCESS_EXLOCK; + } + return access_nv1_with_nvx(nvx); + } + + /* + * At EL2, since VHE redirection is done at translation time, + * el_is_in_host is always false here, so EXLOCK does not apply. + */ + return CP_ACCESS_OK; +} + +static CPAccessResult access_exlock_el2(CPUARMState *env, + const ARMCPRegInfo *ri, bool isread) +{ + int el = arm_current_el(env); + + if (el == 3) { + return CP_ACCESS_OK; + } + + /* + * Access to the EL2 register from EL1 means NV is set, and + * EXLOCK has priority over an NV1 trap to EL2. + */ + if (!isread && + (env->pstate & PSTATE_EXLOCK) && + (env->cp15.gcscr_el[el] & GCSCR_EXLOCKEN)) { + return CP_ACCESS_EXLOCK; + } + return CP_ACCESS_OK; +} + +static CPAccessResult access_exlock_el3(CPUARMState *env, + const ARMCPRegInfo *ri, bool isread) +{ + if (!isread && + (env->pstate & PSTATE_EXLOCK) && + (env->cp15.gcscr_el[3] & GCSCR_EXLOCKEN)) { + return CP_ACCESS_EXLOCK; + } + return CP_ACCESS_OK; +} + #ifdef CONFIG_USER_ONLY /* * `IC IVAU` is handled to improve compatibility with JITs that dual-map their @@ -3608,7 +3663,7 @@ static const ARMCPRegInfo v8_cp_reginfo[] = { { .name = "ELR_EL1", .state = ARM_CP_STATE_AA64, .type = ARM_CP_ALIAS, .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 0, .opc2 = 1, - .access = PL1_RW, .accessfn = access_nv1, + .access = PL1_RW, .accessfn = access_nv1_or_exlock_el1, .nv2_redirect_offset = 0x230 | NV2_REDIR_NV1, .vhe_redir_to_el2 = ENCODE_AA64_CP_REG(3, 4, 4, 0, 1), .vhe_redir_to_el01 = ENCODE_AA64_CP_REG(3, 5, 4, 0, 1), @@ -3616,7 +3671,7 @@ static const ARMCPRegInfo v8_cp_reginfo[] = { { .name = "SPSR_EL1", .state = ARM_CP_STATE_AA64, .type = ARM_CP_ALIAS, .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 0, .opc2 = 0, - .access = PL1_RW, .accessfn = access_nv1, + .access = PL1_RW, .accessfn = access_nv1_or_exlock_el1, .nv2_redirect_offset = 0x160 | NV2_REDIR_NV1, .vhe_redir_to_el2 = ENCODE_AA64_CP_REG(3, 4, 4, 0, 0), .vhe_redir_to_el01 = ENCODE_AA64_CP_REG(3, 5, 4, 0, 0), @@ -4100,7 +4155,7 @@ static const ARMCPRegInfo el2_cp_reginfo[] = { { .name = "ELR_EL2", .state = ARM_CP_STATE_AA64, .type = ARM_CP_ALIAS | ARM_CP_NV2_REDIRECT, .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 0, .opc2 = 1, - .access = PL2_RW, + .access = PL2_RW, .accessfn = access_exlock_el2, .fieldoffset = offsetof(CPUARMState, elr_el[2]) }, { .name = "ESR_EL2", .state = ARM_CP_STATE_BOTH, .type = ARM_CP_NV2_REDIRECT, @@ -4118,7 +4173,7 @@ static const ARMCPRegInfo el2_cp_reginfo[] = { { .name = "SPSR_EL2", .state = ARM_CP_STATE_AA64, .type = ARM_CP_ALIAS | ARM_CP_NV2_REDIRECT, .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 0, .opc2 = 0, - .access = PL2_RW, + .access = PL2_RW, .accessfn = access_exlock_el2, .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_HYP]) }, { .name = "VBAR_EL2", .state = ARM_CP_STATE_BOTH, .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 0, @@ -4400,7 +4455,7 @@ static const ARMCPRegInfo el3_cp_reginfo[] = { { .name = "ELR_EL3", .state = ARM_CP_STATE_AA64, .type = ARM_CP_ALIAS, .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 0, .opc2 = 1, - .access = PL3_RW, + .access = PL3_RW, .accessfn = access_exlock_el3, .fieldoffset = offsetof(CPUARMState, elr_el[3]) }, { .name = "ESR_EL3", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 6, .crn = 5, .crm = 2, .opc2 = 0, @@ -4411,7 +4466,7 @@ static const ARMCPRegInfo el3_cp_reginfo[] = { { .name = "SPSR_EL3", .state = ARM_CP_STATE_AA64, .type = ARM_CP_ALIAS, .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 0, .opc2 = 0, - .access = PL3_RW, + .access = PL3_RW, .accessfn = access_exlock_el3, .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_MON]) }, { .name = "VBAR_EL3", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 6, .crn = 12, .crm = 0, .opc2 = 0, diff --git a/target/arm/tcg/op_helper.c b/target/arm/tcg/op_helper.c index dd3700dc6f..4fbd219555 100644 --- a/target/arm/tcg/op_helper.c +++ b/target/arm/tcg/op_helper.c @@ -881,6 +881,13 @@ const void *HELPER(access_check_cp_reg)(CPUARMState *env, uint32_t key, } syndrome = syn_uncategorized(); break; + case CP_ACCESS_EXLOCK: + /* + * CP_ACCESS_EXLOCK is always directed to the current EL, + * which is going to be the same as the usual target EL. + */ + syndrome = syn_gcs_exlock(); + break; default: g_assert_not_reached(); } From 49b49214f346da81a79961e7f89225200da274e6 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:42 -0700 Subject: [PATCH 42/76] target/arm: Split {full,core}_a64_user_mem_index MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Separate get_a64_user_mem_index into two separate functions, one which returns the full ARMMMUIdx and one which returns the core mmu_idx. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Message-id: 20251008215613.300150-43-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/translate-a64.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 43c9bfef93..1337e16a96 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -93,7 +93,7 @@ void a64_translate_init(void) } /* - * Return the core mmu_idx to use for A64 load/store insns which + * Return the full arm mmu_idx to use for A64 load/store insns which * have a "unprivileged load/store" variant. Those insns access * EL0 if executed from an EL which has control over EL0 (usually * EL1) but behave like normal loads and stores if executed from @@ -103,7 +103,7 @@ void a64_translate_init(void) * normal encoding (in which case we will return the same * thing as get_mem_index(). */ -static int get_a64_user_mem_index(DisasContext *s, bool unpriv) +static ARMMMUIdx full_a64_user_mem_index(DisasContext *s, bool unpriv) { /* * If AccType_UNPRIV is not used, the insn uses AccType_NORMAL, @@ -130,7 +130,13 @@ static int get_a64_user_mem_index(DisasContext *s, bool unpriv) g_assert_not_reached(); } } - return arm_to_core_mmu_idx(useridx); + return useridx; +} + +/* Return the core mmu_idx per above. */ +static int core_a64_user_mem_index(DisasContext *s, bool unpriv) +{ + return arm_to_core_mmu_idx(full_a64_user_mem_index(s, unpriv)); } static void set_btype_raw(int val) @@ -3577,7 +3583,7 @@ static void op_addr_ldst_imm_pre(DisasContext *s, arg_ldst_imm *a, if (!a->p) { tcg_gen_addi_i64(*dirty_addr, *dirty_addr, offset); } - memidx = get_a64_user_mem_index(s, a->unpriv); + memidx = core_a64_user_mem_index(s, a->unpriv); *clean_addr = gen_mte_check1_mmuidx(s, *dirty_addr, is_store, a->w || a->rn != 31, mop, a->unpriv, memidx); @@ -3598,7 +3604,7 @@ static bool trans_STR_i(DisasContext *s, arg_ldst_imm *a) { bool iss_sf, iss_valid = !a->w; TCGv_i64 clean_addr, dirty_addr, tcg_rt; - int memidx = get_a64_user_mem_index(s, a->unpriv); + int memidx = core_a64_user_mem_index(s, a->unpriv); MemOp mop = finalize_memop(s, a->sz + a->sign * MO_SIGN); op_addr_ldst_imm_pre(s, a, &clean_addr, &dirty_addr, a->imm, true, mop); @@ -3616,7 +3622,7 @@ static bool trans_LDR_i(DisasContext *s, arg_ldst_imm *a) { bool iss_sf, iss_valid = !a->w; TCGv_i64 clean_addr, dirty_addr, tcg_rt; - int memidx = get_a64_user_mem_index(s, a->unpriv); + int memidx = core_a64_user_mem_index(s, a->unpriv); MemOp mop = finalize_memop(s, a->sz + a->sign * MO_SIGN); op_addr_ldst_imm_pre(s, a, &clean_addr, &dirty_addr, a->imm, false, mop); @@ -4514,7 +4520,7 @@ static bool do_SET(DisasContext *s, arg_set *a, bool is_epilogue, return false; } - memidx = get_a64_user_mem_index(s, a->unpriv); + memidx = core_a64_user_mem_index(s, a->unpriv); /* * We pass option_a == true, matching our implementation; @@ -4568,8 +4574,8 @@ static bool do_CPY(DisasContext *s, arg_cpy *a, bool is_epilogue, CpyFn fn) return false; } - rmemidx = get_a64_user_mem_index(s, runpriv); - wmemidx = get_a64_user_mem_index(s, wunpriv); + rmemidx = core_a64_user_mem_index(s, runpriv); + wmemidx = core_a64_user_mem_index(s, wunpriv); /* * We pass option_a == true, matching our implementation; From 609f5d7692d97ea260eee9236d5741c46d07ff8d Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:43 -0700 Subject: [PATCH 43/76] target/arm: Introduce delay_exception{_el} Add infrastructure to raise an exception out of line. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-44-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/translate-a64.c | 2 ++ target/arm/tcg/translate.c | 53 ++++++++++++++++++++++++++++++++++ target/arm/tcg/translate.h | 20 +++++++++++++ 3 files changed, 75 insertions(+) diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 1337e16a96..c037119cdf 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -10601,6 +10601,8 @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu) break; } } + + emit_delayed_exceptions(dc); } const TranslatorOps aarch64_translator_ops = { diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c index e62dcc5d85..78d26aac04 100644 --- a/target/arm/tcg/translate.c +++ b/target/arm/tcg/translate.c @@ -1088,6 +1088,57 @@ void gen_exception_insn(DisasContext *s, target_long pc_diff, s->base.is_jmp = DISAS_NORETURN; } +TCGLabel *delay_exception_el(DisasContext *s, int excp, + uint32_t syn, uint32_t target_el) +{ + /* Use tcg_malloc for automatic release on longjmp out of translation. */ + DisasDelayException *e = tcg_malloc(sizeof(DisasDelayException)); + + memset(e, 0, sizeof(*e)); + + /* Save enough of the current state to satisfy gen_exception_insn. */ + e->pc_curr = s->pc_curr; + e->pc_save = s->pc_save; + if (!s->aarch64) { + e->condexec_cond = s->condexec_cond; + e->condexec_mask = s->condexec_mask; + } + + e->excp = excp; + e->syn = syn; + e->target_el = target_el; + + e->next = s->delay_excp_list; + s->delay_excp_list = e; + + e->lab = gen_new_label(); + return e->lab; +} + +TCGLabel *delay_exception(DisasContext *s, int excp, uint32_t syn) +{ + return delay_exception_el(s, excp, syn, 0); +} + +void emit_delayed_exceptions(DisasContext *s) +{ + for (DisasDelayException *e = s->delay_excp_list; e ; e = e->next) { + gen_set_label(e->lab); + + /* Restore the insn state to satisfy gen_exception_insn. */ + s->pc_curr = e->pc_curr; + s->pc_save = e->pc_save; + s->condexec_cond = e->condexec_cond; + s->condexec_mask = e->condexec_mask; + + if (e->target_el) { + gen_exception_insn_el(s, 0, e->excp, e->syn, e->target_el); + } else { + gen_exception_insn(s, 0, e->excp, e->syn); + } + } +} + static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn) { gen_set_condexec(s); @@ -6791,6 +6842,8 @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu) gen_goto_tb(dc, 1, curr_insn_len(dc)); } } + + emit_delayed_exceptions(dc); } static const TranslatorOps arm_translator_ops = { diff --git a/target/arm/tcg/translate.h b/target/arm/tcg/translate.h index 943dfd45fe..9a85ea74db 100644 --- a/target/arm/tcg/translate.h +++ b/target/arm/tcg/translate.h @@ -21,9 +21,25 @@ typedef struct DisasLabel { target_ulong pc_save; } DisasLabel; +/* + * Emit an exception call out of line. + */ +typedef struct DisasDelayException { + struct DisasDelayException *next; + TCGLabel *lab; + target_long pc_curr; + target_long pc_save; + int condexec_mask; + int condexec_cond; + uint32_t excp; + uint32_t syn; + uint32_t target_el; +} DisasDelayException; + typedef struct DisasContext { DisasContextBase base; const ARMISARegisters *isar; + DisasDelayException *delay_excp_list; /* The address of the current instruction being translated. */ target_ulong pc_curr; @@ -365,6 +381,10 @@ void gen_exception_insn_el(DisasContext *s, target_long pc_diff, int excp, uint32_t syn, uint32_t target_el); void gen_exception_insn(DisasContext *s, target_long pc_diff, int excp, uint32_t syn); +TCGLabel *delay_exception_el(DisasContext *s, int excp, + uint32_t syn, uint32_t target_el); +TCGLabel *delay_exception(DisasContext *s, int excp, uint32_t syn); +void emit_delayed_exceptions(DisasContext *s); /* Return state of Alternate Half-precision flag, caller frees result */ static inline TCGv_i32 get_ahp_flag(void) From 923e7c432ec0fdee97b746f529f238dde2ba78f0 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:44 -0700 Subject: [PATCH 44/76] target/arm: Emit HSTR trap exception out of line Use delay_exception_el to move the exception out of line. Use TCG_COND_TSTNE instead of separate AND+NE. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-45-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/translate.c | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c index 78d26aac04..57bc8ea4c5 100644 --- a/target/arm/tcg/translate.c +++ b/target/arm/tcg/translate.c @@ -1774,21 +1774,11 @@ static void do_coproc_insn(DisasContext *s, int cpnum, int is64, if (maskbit != 4 && maskbit != 14) { /* T4 and T14 are RES0 so never cause traps */ - TCGv_i32 t; - DisasLabel over = gen_disas_label(s); + TCGLabel *fail = delay_exception_el(s, EXCP_UDEF, syndrome, 2); + TCGv_i32 t = + load_cpu_offset(offsetoflow32(CPUARMState, cp15.hstr_el2)); - t = load_cpu_offset(offsetoflow32(CPUARMState, cp15.hstr_el2)); - tcg_gen_andi_i32(t, t, 1u << maskbit); - tcg_gen_brcondi_i32(TCG_COND_EQ, t, 0, over.label); - - gen_exception_insn_el(s, 0, EXCP_UDEF, syndrome, 2); - /* - * gen_exception_insn() will set is_jmp to DISAS_NORETURN, - * but since we're conditionally branching over it, we want - * to assume continue-to-next-instruction. - */ - s->base.is_jmp = DISAS_NEXT; - set_disas_label(s, over); + tcg_gen_brcondi_i32(TCG_COND_TSTNE, t, 1u << maskbit, fail); } } From 0e15a9a53c56f8ddd6a8c6f691a0507429387d91 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:45 -0700 Subject: [PATCH 45/76] target/arm: Emit v7m LTPSIZE exception out of line Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-46-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/translate.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c index 57bc8ea4c5..3df0bbcb7f 100644 --- a/target/arm/tcg/translate.c +++ b/target/arm/tcg/translate.c @@ -5598,11 +5598,10 @@ static bool trans_LE(DisasContext *s, arg_LE *a) if (!a->tp && dc_isar_feature(aa32_mve, s) && fpu_active) { /* Need to do a runtime check for LTPSIZE != 4 */ - DisasLabel skipexc = gen_disas_label(s); + TCGLabel *fail = delay_exception(s, EXCP_INVSTATE, syn_uncategorized()); + tmp = load_cpu_field(v7m.ltpsize); - tcg_gen_brcondi_i32(TCG_COND_EQ, tmp, 4, skipexc.label); - gen_exception_insn(s, 0, EXCP_INVSTATE, syn_uncategorized()); - set_disas_label(s, skipexc); + tcg_gen_brcondi_i32(TCG_COND_NE, tmp, 4, fail); } if (a->f) { From 6a5596bad37e62800e9d8ed8d35cb6a1af1030ba Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:46 -0700 Subject: [PATCH 46/76] target/arm: Implement GCSSTR, GCSSTTR Note that CreateAccDescGCS() does not enable tagchecked, and Data Aborts from GCS instructions do not set iss.isv. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-47-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/a64.decode | 3 +++ target/arm/tcg/translate-a64.c | 42 ++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode index 8283a9c83d..2ae73f443a 100644 --- a/target/arm/tcg/a64.decode +++ b/target/arm/tcg/a64.decode @@ -571,6 +571,9 @@ LDAPR_i 10 011001 10 0 ......... 00 ..... ..... @ldapr_stlr_i sign=1 ext LDAPR_i 00 011001 11 0 ......... 00 ..... ..... @ldapr_stlr_i sign=1 ext=1 sz=0 LDAPR_i 01 011001 11 0 ......... 00 ..... ..... @ldapr_stlr_i sign=1 ext=1 sz=1 +# GCSSTR, GCSSTTR +GCSSTR 11011001 000 11111 000 unpriv:1 11 rn:5 rt:5 + # Load/store multiple structures # The 4-bit opcode in [15:12] encodes repeat count and structure elements &ldst_mult rm rn rt sz q p rpt selem diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index c037119cdf..b72aa968cd 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -139,6 +139,12 @@ static int core_a64_user_mem_index(DisasContext *s, bool unpriv) return arm_to_core_mmu_idx(full_a64_user_mem_index(s, unpriv)); } +/* For a given translation regime, return the core mmu_idx for gcs access. */ +static int core_gcs_mem_index(ARMMMUIdx armidx) +{ + return arm_to_core_mmu_idx(regime_to_gcs(armidx)); +} + static void set_btype_raw(int val) { tcg_gen_st_i32(tcg_constant_i32(val), tcg_env, @@ -3989,6 +3995,42 @@ static bool trans_STLR_i(DisasContext *s, arg_ldapr_stlr_i *a) return true; } +static bool trans_GCSSTR(DisasContext *s, arg_GCSSTR *a) +{ + ARMMMUIdx armidx; + + if (!dc_isar_feature(aa64_gcs, s)) { + return false; + } + + /* + * The pseudocode for GCSSTTR is + * + * effective_el = AArch64.IsUnprivAccessPriv() ? PSTATE.EL : EL0; + * if (effective_el == PSTATE.EL) CheckGCSSTREnabled(); + * + * We have cached the result of IsUnprivAccessPriv in DisasContext, + * but since we need the result of full_a64_user_mem_index anyway, + * use the mmu_idx test as a proxy for the effective_el test. + */ + armidx = full_a64_user_mem_index(s, a->unpriv); + if (armidx == s->mmu_idx && s->gcsstr_el != 0) { + gen_exception_insn_el(s, 0, EXCP_UDEF, + syn_gcs_gcsstr(a->rn, a->rt), + s->gcsstr_el); + return true; + } + + if (a->rn == 31) { + gen_check_sp_alignment(s); + } + tcg_gen_qemu_st_i64(cpu_reg(s, a->rt), + clean_data_tbi(s, cpu_reg_sp(s, a->rn)), + core_gcs_mem_index(armidx), + finalize_memop(s, MO_64 | MO_ALIGN)); + return true; +} + static bool trans_LD_mult(DisasContext *s, arg_ldst_mult *a) { TCGv_i64 clean_addr, tcg_rn, tcg_ebytes; From d383c43d6d510638adc69043a92572bec3840515 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:47 -0700 Subject: [PATCH 47/76] target/arm: Implement GCSB Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-48-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/a64.decode | 1 + target/arm/tcg/translate-a64.c | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode index 2ae73f443a..01b1b3e38b 100644 --- a/target/arm/tcg/a64.decode +++ b/target/arm/tcg/a64.decode @@ -248,6 +248,7 @@ ERETA 1101011 0100 11111 00001 m:1 11111 11111 &reta # ERETAA, ERETAB AUTIA1716 1101 0101 0000 0011 0010 0001 100 11111 AUTIB1716 1101 0101 0000 0011 0010 0001 110 11111 ESB 1101 0101 0000 0011 0010 0010 000 11111 + GCSB 1101 0101 0000 0011 0010 0010 011 11111 PACIAZ 1101 0101 0000 0011 0010 0011 000 11111 PACIASP 1101 0101 0000 0011 0010 0011 001 11111 PACIBZ 1101 0101 0000 0011 0010 0011 010 11111 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index b72aa968cd..38a1f51ed5 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -2080,6 +2080,14 @@ static bool trans_ESB(DisasContext *s, arg_ESB *a) return true; } +static bool trans_GCSB(DisasContext *s, arg_GCSB *a) +{ + if (dc_isar_feature(aa64_gcs, s)) { + tcg_gen_mb(TCG_BAR_SC | TCG_MO_ALL); + } + return true; +} + static bool trans_PACIAZ(DisasContext *s, arg_PACIAZ *a) { if (s->pauth_active) { From 3afe6037e728f74be092027b4d24201a6ddc092f Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:48 -0700 Subject: [PATCH 48/76] target/arm: Implement GCSPUSHM Reviewed-by: Peter Maydell Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-49-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpregs-gcs.c | 15 +++++++++++++++ target/arm/cpregs.h | 3 +++ target/arm/tcg/translate-a64.c | 29 +++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+) diff --git a/target/arm/cpregs-gcs.c b/target/arm/cpregs-gcs.c index 1ff041811d..cc5a0b86e4 100644 --- a/target/arm/cpregs-gcs.c +++ b/target/arm/cpregs-gcs.c @@ -43,6 +43,16 @@ static void gcspr_write(CPUARMState *env, const ARMCPRegInfo *ri, raw_write(env, ri, value & ~7); } +static CPAccessResult access_gcspushm(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) +{ + int el = arm_current_el(env); + if (!(env->cp15.gcscr_el[el] & GCSCR_PUSHMEN)) { + return CP_ACCESS_TRAP_BIT | (el ? el : 1); + } + return CP_ACCESS_OK; +} + static const ARMCPRegInfo gcs_reginfo[] = { { .name = "GCSCRE0_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 5, .opc2 = 2, @@ -85,6 +95,11 @@ static const ARMCPRegInfo gcs_reginfo[] = { .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 5, .opc2 = 1, .access = PL3_RW, .writefn = gcspr_write, .fieldoffset = offsetof(CPUARMState, cp15.gcspr_el[2]) }, + + { .name = "GCSPUSHM", .state = ARM_CP_STATE_AA64, + .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 7, .opc2 = 0, + .access = PL0_W, .accessfn = access_gcspushm, + .fgt = FGT_NGCSPUSHM_EL1, .type = ARM_CP_GCSPUSHM }, }; void define_gcs_cpregs(ARMCPU *cpu) diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h index a79f00351c..d22ae383cd 100644 --- a/target/arm/cpregs.h +++ b/target/arm/cpregs.h @@ -47,6 +47,8 @@ enum { ARM_CP_DC_ZVA = 0x0005, ARM_CP_DC_GVA = 0x0006, ARM_CP_DC_GZVA = 0x0007, + /* Special: gcs instructions */ + ARM_CP_GCSPUSHM = 0x0008, /* Flag: reads produce resetvalue; writes ignored. */ ARM_CP_CONST = 1 << 4, @@ -871,6 +873,7 @@ typedef enum FGTBit { DO_BIT(HFGITR, DVPRCTX), DO_BIT(HFGITR, CPPRCTX), DO_BIT(HFGITR, DCCVAC), + DO_REV_BIT(HFGITR, NGCSPUSHM_EL1), DO_BIT(HFGITR, ATS1E1A), } FGTBit; diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 38a1f51ed5..625563d95b 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -26,6 +26,7 @@ #include "cpregs.h" static TCGv_i64 cpu_X[32]; +static TCGv_i64 cpu_gcspr[4]; static TCGv_i64 cpu_pc; /* Load/store exclusive handling */ @@ -77,6 +78,10 @@ static int scale_by_log2_tag_granule(DisasContext *s, int x) /* initialize TCG globals. */ void a64_translate_init(void) { + static const char gcspr_names[4][12] = { + "gcspr_el0", "gcspr_el1", "gcspr_el2", "gcspr_el3" + }; + int i; cpu_pc = tcg_global_mem_new_i64(tcg_env, @@ -90,6 +95,13 @@ void a64_translate_init(void) cpu_exclusive_high = tcg_global_mem_new_i64(tcg_env, offsetof(CPUARMState, exclusive_high), "exclusive_high"); + + for (i = 0; i < 4; i++) { + cpu_gcspr[i] = + tcg_global_mem_new_i64(tcg_env, + offsetof(CPUARMState, cp15.gcspr_el[i]), + gcspr_names[i]); + } } /* @@ -420,6 +432,18 @@ static MemOp check_ordered_align(DisasContext *s, int rn, int imm, return finalize_memop(s, mop); } +static void gen_add_gcs_record(DisasContext *s, TCGv_i64 value) +{ + TCGv_i64 addr = tcg_temp_new_i64(); + TCGv_i64 gcspr = cpu_gcspr[s->current_el]; + int mmuidx = core_gcs_mem_index(s->mmu_idx); + MemOp mop = finalize_memop(s, MO_64 | MO_ALIGN); + + tcg_gen_addi_i64(addr, gcspr, -8); + tcg_gen_qemu_st_i64(value, clean_data_tbi(s, addr), mmuidx, mop); + tcg_gen_mov_i64(gcspr, addr); +} + typedef struct DisasCompare64 { TCGCond cond; TCGv_i64 value; @@ -2803,6 +2827,11 @@ static void handle_sys(DisasContext *s, bool isread, } } return; + case ARM_CP_GCSPUSHM: + if (s->gcs_en) { + gen_add_gcs_record(s, cpu_reg(s, rt)); + } + return; default: g_assert_not_reached(); } From 0982f58db61277ff3babf1ac36c5eaceaadcb598 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:49 -0700 Subject: [PATCH 49/76] target/arm: Implement GCSPOPM Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-50-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpregs-gcs.c | 3 +++ target/arm/cpregs.h | 1 + target/arm/tcg/translate-a64.c | 24 ++++++++++++++++++++++++ 3 files changed, 28 insertions(+) diff --git a/target/arm/cpregs-gcs.c b/target/arm/cpregs-gcs.c index cc5a0b86e4..15d383b2a4 100644 --- a/target/arm/cpregs-gcs.c +++ b/target/arm/cpregs-gcs.c @@ -100,6 +100,9 @@ static const ARMCPRegInfo gcs_reginfo[] = { .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 7, .opc2 = 0, .access = PL0_W, .accessfn = access_gcspushm, .fgt = FGT_NGCSPUSHM_EL1, .type = ARM_CP_GCSPUSHM }, + { .name = "GCSPOPM", .state = ARM_CP_STATE_AA64, + .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 7, .opc2 = 1, + .access = PL0_R, .type = ARM_CP_GCSPOPM }, }; void define_gcs_cpregs(ARMCPU *cpu) diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h index d22ae383cd..81d8f0e32b 100644 --- a/target/arm/cpregs.h +++ b/target/arm/cpregs.h @@ -49,6 +49,7 @@ enum { ARM_CP_DC_GZVA = 0x0007, /* Special: gcs instructions */ ARM_CP_GCSPUSHM = 0x0008, + ARM_CP_GCSPOPM = 0x0009, /* Flag: reads produce resetvalue; writes ignored. */ ARM_CP_CONST = 1 << 4, diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 625563d95b..7783273cc1 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -2521,6 +2521,24 @@ static void gen_sysreg_undef(DisasContext *s, bool isread, gen_exception_insn(s, 0, EXCP_UDEF, syndrome); } +static void gen_gcspopm(DisasContext *s, int rt) +{ + TCGv_i64 gcspr = cpu_gcspr[s->current_el]; + int mmuidx = core_gcs_mem_index(s->mmu_idx); + MemOp mop = finalize_memop(s, MO_64 | MO_ALIGN); + TCGv_i64 value = tcg_temp_new_i64(); + TCGLabel *fail_label = + delay_exception(s, EXCP_UDEF, syn_gcs_data_check(GCS_IT_GCSPOPM, rt)); + + /* The value at top-of-stack must have low 2 bits clear. */ + tcg_gen_qemu_ld_i64(value, clean_data_tbi(s, gcspr), mmuidx, mop); + tcg_gen_brcondi_i64(TCG_COND_TSTNE, value, 3, fail_label); + + /* Complete the pop and return the value. */ + tcg_gen_addi_i64(gcspr, gcspr, 8); + tcg_gen_mov_i64(cpu_reg(s, rt), value); +} + /* * Look up @key, returning the cpreg, which must exist. * Additionally, the new cpreg must also be accessible. @@ -2832,6 +2850,12 @@ static void handle_sys(DisasContext *s, bool isread, gen_add_gcs_record(s, cpu_reg(s, rt)); } return; + case ARM_CP_GCSPOPM: + /* Note that X[rt] is unchanged if !GCSEnabled. */ + if (s->gcs_en) { + gen_gcspopm(s, rt); + } + return; default: g_assert_not_reached(); } From 6fb1678f90d028b0252699c66e99d6f6ff8127c8 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:50 -0700 Subject: [PATCH 50/76] target/arm: Implement GCSPUSHX Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-51-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpregs-gcs.c | 17 ++++++++++++++++ target/arm/cpregs.h | 2 ++ target/arm/tcg/translate-a64.c | 37 ++++++++++++++++++++++++++++++++++ 3 files changed, 56 insertions(+) diff --git a/target/arm/cpregs-gcs.c b/target/arm/cpregs-gcs.c index 15d383b2a4..e6c7025d02 100644 --- a/target/arm/cpregs-gcs.c +++ b/target/arm/cpregs-gcs.c @@ -53,6 +53,19 @@ static CPAccessResult access_gcspushm(CPUARMState *env, const ARMCPRegInfo *ri, return CP_ACCESS_OK; } +static CPAccessResult access_gcspushx(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) +{ + /* Trap if lock taken, and enabled. */ + if (!(env->pstate & PSTATE_EXLOCK)) { + int el = arm_current_el(env); + if (env->cp15.gcscr_el[el] & GCSCR_EXLOCKEN) { + return CP_ACCESS_EXLOCK; + } + } + return CP_ACCESS_OK; +} + static const ARMCPRegInfo gcs_reginfo[] = { { .name = "GCSCRE0_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 5, .opc2 = 2, @@ -103,6 +116,10 @@ static const ARMCPRegInfo gcs_reginfo[] = { { .name = "GCSPOPM", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 7, .opc2 = 1, .access = PL0_R, .type = ARM_CP_GCSPOPM }, + { .name = "GCSPUSHX", .state = ARM_CP_STATE_AA64, + .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 7, .opc2 = 4, + .access = PL1_W, .accessfn = access_gcspushx, .fgt = FGT_NGCSEPP, + .type = ARM_CP_GCSPUSHX }, }; void define_gcs_cpregs(ARMCPU *cpu) diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h index 81d8f0e32b..909916b7fd 100644 --- a/target/arm/cpregs.h +++ b/target/arm/cpregs.h @@ -50,6 +50,7 @@ enum { /* Special: gcs instructions */ ARM_CP_GCSPUSHM = 0x0008, ARM_CP_GCSPOPM = 0x0009, + ARM_CP_GCSPUSHX = 0x000a, /* Flag: reads produce resetvalue; writes ignored. */ ARM_CP_CONST = 1 << 4, @@ -875,6 +876,7 @@ typedef enum FGTBit { DO_BIT(HFGITR, CPPRCTX), DO_BIT(HFGITR, DCCVAC), DO_REV_BIT(HFGITR, NGCSPUSHM_EL1), + DO_REV_BIT(HFGITR, NGCSEPP), DO_BIT(HFGITR, ATS1E1A), } FGTBit; diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 7783273cc1..0df1916d28 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -2539,6 +2539,35 @@ static void gen_gcspopm(DisasContext *s, int rt) tcg_gen_mov_i64(cpu_reg(s, rt), value); } +static void gen_gcspushx(DisasContext *s) +{ + TCGv_i64 gcspr = cpu_gcspr[s->current_el]; + int spsr_idx = aarch64_banked_spsr_index(s->current_el); + int spsr_off = offsetof(CPUARMState, banked_spsr[spsr_idx]); + int elr_off = offsetof(CPUARMState, elr_el[s->current_el]); + int mmuidx = core_gcs_mem_index(s->mmu_idx); + MemOp mop = finalize_memop(s, MO_64 | MO_ALIGN); + TCGv_i64 addr = tcg_temp_new_i64(); + TCGv_i64 tmp = tcg_temp_new_i64(); + + tcg_gen_addi_i64(addr, gcspr, -8); + tcg_gen_qemu_st_i64(cpu_reg(s, 30), addr, mmuidx, mop); + + tcg_gen_ld_i64(tmp, tcg_env, spsr_off); + tcg_gen_addi_i64(addr, addr, -8); + tcg_gen_qemu_st_i64(tmp, addr, mmuidx, mop); + + tcg_gen_ld_i64(tmp, tcg_env, elr_off); + tcg_gen_addi_i64(addr, addr, -8); + tcg_gen_qemu_st_i64(tmp, addr, mmuidx, mop); + + tcg_gen_addi_i64(addr, addr, -8); + tcg_gen_qemu_st_i64(tcg_constant_i64(0b1001), addr, mmuidx, mop); + + tcg_gen_mov_i64(gcspr, addr); + clear_pstate_bits(PSTATE_EXLOCK); +} + /* * Look up @key, returning the cpreg, which must exist. * Additionally, the new cpreg must also be accessible. @@ -2856,6 +2885,14 @@ static void handle_sys(DisasContext *s, bool isread, gen_gcspopm(s, rt); } return; + case ARM_CP_GCSPUSHX: + /* Choose the CONSTRAINED UNPREDICTABLE for UNDEF. */ + if (rt != 31) { + unallocated_encoding(s); + } else if (s->gcs_en) { + gen_gcspushx(s); + } + return; default: g_assert_not_reached(); } From 75c8d645b970ab083ce2ee06aa31c90028441983 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:51 -0700 Subject: [PATCH 51/76] target/arm: Implement GCSPOPX Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-52-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpregs-gcs.c | 3 +++ target/arm/cpregs.h | 1 + target/arm/tcg/translate-a64.c | 35 ++++++++++++++++++++++++++++++++++ 3 files changed, 39 insertions(+) diff --git a/target/arm/cpregs-gcs.c b/target/arm/cpregs-gcs.c index e6c7025d02..5b5b895a09 100644 --- a/target/arm/cpregs-gcs.c +++ b/target/arm/cpregs-gcs.c @@ -120,6 +120,9 @@ static const ARMCPRegInfo gcs_reginfo[] = { .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 7, .opc2 = 4, .access = PL1_W, .accessfn = access_gcspushx, .fgt = FGT_NGCSEPP, .type = ARM_CP_GCSPUSHX }, + { .name = "GCSPOPX", .state = ARM_CP_STATE_AA64, + .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 7, .opc2 = 6, + .access = PL1_W, .type = ARM_CP_GCSPOPX }, }; void define_gcs_cpregs(ARMCPU *cpu) diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h index 909916b7fd..ccf45fd136 100644 --- a/target/arm/cpregs.h +++ b/target/arm/cpregs.h @@ -51,6 +51,7 @@ enum { ARM_CP_GCSPUSHM = 0x0008, ARM_CP_GCSPOPM = 0x0009, ARM_CP_GCSPUSHX = 0x000a, + ARM_CP_GCSPOPX = 0x000b, /* Flag: reads produce resetvalue; writes ignored. */ ARM_CP_CONST = 1 << 4, diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 0df1916d28..72b912a605 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -2568,6 +2568,33 @@ static void gen_gcspushx(DisasContext *s) clear_pstate_bits(PSTATE_EXLOCK); } +static void gen_gcspopx(DisasContext *s) +{ + TCGv_i64 gcspr = cpu_gcspr[s->current_el]; + int mmuidx = core_gcs_mem_index(s->mmu_idx); + MemOp mop = finalize_memop(s, MO_64 | MO_ALIGN); + TCGv_i64 addr = tcg_temp_new_i64(); + TCGv_i64 tmp = tcg_temp_new_i64(); + TCGLabel *fail_label = + delay_exception(s, EXCP_UDEF, syn_gcs_data_check(GCS_IT_GCSPOPX, 31)); + + /* The value at top-of-stack must be an exception token. */ + tcg_gen_qemu_ld_i64(tmp, gcspr, mmuidx, mop); + tcg_gen_brcondi_i64(TCG_COND_NE, tmp, 0b1001, fail_label); + + /* + * The other three values in the exception return record + * are ignored, but are loaded anyway to raise faults. + */ + tcg_gen_addi_i64(addr, gcspr, 8); + tcg_gen_qemu_ld_i64(tmp, addr, mmuidx, mop); + tcg_gen_addi_i64(addr, addr, 8); + tcg_gen_qemu_ld_i64(tmp, addr, mmuidx, mop); + tcg_gen_addi_i64(addr, addr, 8); + tcg_gen_qemu_ld_i64(tmp, addr, mmuidx, mop); + tcg_gen_addi_i64(gcspr, addr, 8); +} + /* * Look up @key, returning the cpreg, which must exist. * Additionally, the new cpreg must also be accessible. @@ -2893,6 +2920,14 @@ static void handle_sys(DisasContext *s, bool isread, gen_gcspushx(s); } return; + case ARM_CP_GCSPOPX: + /* Choose the CONSTRAINED UNPREDICTABLE for UNDEF. */ + if (rt != 31) { + unallocated_encoding(s); + } else if (s->gcs_en) { + gen_gcspopx(s); + } + return; default: g_assert_not_reached(); } From a94b6aab8e522825b745dfedc4f4b641d7f22be0 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:52 -0700 Subject: [PATCH 52/76] target/arm: Implement GCSPOPCX Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-53-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpregs-gcs.c | 17 +++++++++++ target/arm/cpregs.h | 1 + target/arm/tcg/translate-a64.c | 56 ++++++++++++++++++++++++++++++++++ 3 files changed, 74 insertions(+) diff --git a/target/arm/cpregs-gcs.c b/target/arm/cpregs-gcs.c index 5b5b895a09..3795bf7f36 100644 --- a/target/arm/cpregs-gcs.c +++ b/target/arm/cpregs-gcs.c @@ -66,6 +66,19 @@ static CPAccessResult access_gcspushx(CPUARMState *env, const ARMCPRegInfo *ri, return CP_ACCESS_OK; } +static CPAccessResult access_gcspopcx(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) +{ + /* Trap if lock not taken, and enabled. */ + if (env->pstate & PSTATE_EXLOCK) { + int el = arm_current_el(env); + if (env->cp15.gcscr_el[el] & GCSCR_EXLOCKEN) { + return CP_ACCESS_EXLOCK; + } + } + return CP_ACCESS_OK; +} + static const ARMCPRegInfo gcs_reginfo[] = { { .name = "GCSCRE0_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 5, .opc2 = 2, @@ -120,6 +133,10 @@ static const ARMCPRegInfo gcs_reginfo[] = { .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 7, .opc2 = 4, .access = PL1_W, .accessfn = access_gcspushx, .fgt = FGT_NGCSEPP, .type = ARM_CP_GCSPUSHX }, + { .name = "GCSPOPCX", .state = ARM_CP_STATE_AA64, + .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 7, .opc2 = 5, + .access = PL1_W, .accessfn = access_gcspopcx, .fgt = FGT_NGCSEPP, + .type = ARM_CP_GCSPOPCX }, { .name = "GCSPOPX", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 7, .opc2 = 6, .access = PL1_W, .type = ARM_CP_GCSPOPX }, diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h index ccf45fd136..6d9145109f 100644 --- a/target/arm/cpregs.h +++ b/target/arm/cpregs.h @@ -52,6 +52,7 @@ enum { ARM_CP_GCSPOPM = 0x0009, ARM_CP_GCSPUSHX = 0x000a, ARM_CP_GCSPOPX = 0x000b, + ARM_CP_GCSPOPCX = 0x000c, /* Flag: reads produce resetvalue; writes ignored. */ ARM_CP_CONST = 1 << 4, diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 72b912a605..bb8ffba586 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -2568,6 +2568,54 @@ static void gen_gcspushx(DisasContext *s) clear_pstate_bits(PSTATE_EXLOCK); } +static void gen_gcspopcx(DisasContext *s) +{ + TCGv_i64 gcspr = cpu_gcspr[s->current_el]; + int spsr_idx = aarch64_banked_spsr_index(s->current_el); + int spsr_off = offsetof(CPUARMState, banked_spsr[spsr_idx]); + int elr_off = offsetof(CPUARMState, elr_el[s->current_el]); + int gcscr_off = offsetof(CPUARMState, cp15.gcscr_el[s->current_el]); + int pstate_off = offsetof(CPUARMState, pstate); + int mmuidx = core_gcs_mem_index(s->mmu_idx); + MemOp mop = finalize_memop(s, MO_64 | MO_ALIGN); + TCGv_i64 addr = tcg_temp_new_i64(); + TCGv_i64 tmp1 = tcg_temp_new_i64(); + TCGv_i64 tmp2 = tcg_temp_new_i64(); + TCGLabel *fail_label = + delay_exception(s, EXCP_UDEF, syn_gcs_data_check(GCS_IT_GCSPOPCX, 31)); + + /* The value at top-of-stack must be an exception token. */ + tcg_gen_qemu_ld_i64(tmp1, gcspr, mmuidx, mop); + tcg_gen_brcondi_i64(TCG_COND_NE, tmp1, 0b1001, fail_label); + + /* Validate in turn, ELR ... */ + tcg_gen_addi_i64(addr, gcspr, 8); + tcg_gen_qemu_ld_i64(tmp1, addr, mmuidx, mop); + tcg_gen_ld_i64(tmp2, tcg_env, elr_off); + tcg_gen_brcond_i64(TCG_COND_NE, tmp1, tmp2, fail_label); + + /* ... SPSR ... */ + tcg_gen_addi_i64(addr, addr, 8); + tcg_gen_qemu_ld_i64(tmp1, addr, mmuidx, mop); + tcg_gen_ld_i64(tmp2, tcg_env, spsr_off); + tcg_gen_brcond_i64(TCG_COND_NE, tmp1, tmp2, fail_label); + + /* ... and LR. */ + tcg_gen_addi_i64(addr, addr, 8); + tcg_gen_qemu_ld_i64(tmp1, addr, mmuidx, mop); + tcg_gen_brcond_i64(TCG_COND_NE, tmp1, cpu_reg(s, 30), fail_label); + + /* Writeback stack pointer after pop. */ + tcg_gen_addi_i64(gcspr, addr, 8); + + /* PSTATE.EXLOCK = GetCurrentEXLOCKEN(). */ + tcg_gen_ld_i64(tmp1, tcg_env, gcscr_off); + tcg_gen_ld_i64(tmp2, tcg_env, pstate_off); + tcg_gen_shri_i64(tmp1, tmp1, ctz64(GCSCR_EXLOCKEN)); + tcg_gen_deposit_i64(tmp2, tmp2, tmp1, ctz64(PSTATE_EXLOCK), 1); + tcg_gen_st_i64(tmp2, tcg_env, pstate_off); +} + static void gen_gcspopx(DisasContext *s) { TCGv_i64 gcspr = cpu_gcspr[s->current_el]; @@ -2920,6 +2968,14 @@ static void handle_sys(DisasContext *s, bool isread, gen_gcspushx(s); } return; + case ARM_CP_GCSPOPCX: + /* Choose the CONSTRAINED UNPREDICTABLE for UNDEF. */ + if (rt != 31) { + unallocated_encoding(s); + } else if (s->gcs_en) { + gen_gcspopcx(s); + } + return; case ARM_CP_GCSPOPX: /* Choose the CONSTRAINED UNPREDICTABLE for UNDEF. */ if (rt != 31) { From 22d20e38044bdebd217ad0339d3765933ef16143 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:53 -0700 Subject: [PATCH 53/76] target/arm: Implement GCSSS1 Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-54-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpregs-gcs.c | 3 +++ target/arm/cpregs.h | 1 + target/arm/tcg/translate-a64.c | 30 ++++++++++++++++++++++++++++++ 3 files changed, 34 insertions(+) diff --git a/target/arm/cpregs-gcs.c b/target/arm/cpregs-gcs.c index 3795bf7f36..eda5c498d7 100644 --- a/target/arm/cpregs-gcs.c +++ b/target/arm/cpregs-gcs.c @@ -129,6 +129,9 @@ static const ARMCPRegInfo gcs_reginfo[] = { { .name = "GCSPOPM", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 7, .opc2 = 1, .access = PL0_R, .type = ARM_CP_GCSPOPM }, + { .name = "GCSSS1", .state = ARM_CP_STATE_AA64, + .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 7, .opc2 = 2, + .access = PL0_W, .type = ARM_CP_GCSSS1 }, { .name = "GCSPUSHX", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 7, .opc2 = 4, .access = PL1_W, .accessfn = access_gcspushx, .fgt = FGT_NGCSEPP, diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h index 6d9145109f..e7e7050880 100644 --- a/target/arm/cpregs.h +++ b/target/arm/cpregs.h @@ -53,6 +53,7 @@ enum { ARM_CP_GCSPUSHX = 0x000a, ARM_CP_GCSPOPX = 0x000b, ARM_CP_GCSPOPCX = 0x000c, + ARM_CP_GCSSS1 = 0x000d, /* Flag: reads produce resetvalue; writes ignored. */ ARM_CP_CONST = 1 << 4, diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index bb8ffba586..82ddf4e1dc 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -2643,6 +2643,31 @@ static void gen_gcspopx(DisasContext *s) tcg_gen_addi_i64(gcspr, addr, 8); } +static void gen_gcsss1(DisasContext *s, int rt) +{ + TCGv_i64 gcspr = cpu_gcspr[s->current_el]; + int mmuidx = core_gcs_mem_index(s->mmu_idx); + MemOp mop = finalize_memop(s, MO_64 | MO_ALIGN); + TCGv_i64 inptr = cpu_reg(s, rt); + TCGv_i64 cmp = tcg_temp_new_i64(); + TCGv_i64 new = tcg_temp_new_i64(); + TCGv_i64 old = tcg_temp_new_i64(); + TCGLabel *fail_label = + delay_exception(s, EXCP_UDEF, syn_gcs_data_check(GCS_IT_GCSSS1, rt)); + + /* Compute the valid cap entry that the new stack must have. */ + tcg_gen_deposit_i64(cmp, inptr, tcg_constant_i64(1), 0, 12); + /* Compute the in-progress cap entry for the old stack. */ + tcg_gen_deposit_i64(new, gcspr, tcg_constant_i64(5), 0, 3); + + /* Swap the valid cap the with the in-progress cap. */ + tcg_gen_atomic_cmpxchg_i64(old, inptr, cmp, new, mmuidx, mop); + tcg_gen_brcond_i64(TCG_COND_NE, old, cmp, fail_label); + + /* The new stack had a valid cap: change gcspr. */ + tcg_gen_andi_i64(gcspr, inptr, ~7); +} + /* * Look up @key, returning the cpreg, which must exist. * Additionally, the new cpreg must also be accessible. @@ -2984,6 +3009,11 @@ static void handle_sys(DisasContext *s, bool isread, gen_gcspopx(s); } return; + case ARM_CP_GCSSS1: + if (s->gcs_en) { + gen_gcsss1(s, rt); + } + return; default: g_assert_not_reached(); } From e85fc2c62321201222d3e30191f376760978ccca Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:54 -0700 Subject: [PATCH 54/76] target/arm: Implement GCSSS2 Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-55-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpregs-gcs.c | 3 +++ target/arm/cpregs.h | 1 + target/arm/tcg/translate-a64.c | 34 ++++++++++++++++++++++++++++++++++ 3 files changed, 38 insertions(+) diff --git a/target/arm/cpregs-gcs.c b/target/arm/cpregs-gcs.c index eda5c498d7..1ed52a211a 100644 --- a/target/arm/cpregs-gcs.c +++ b/target/arm/cpregs-gcs.c @@ -132,6 +132,9 @@ static const ARMCPRegInfo gcs_reginfo[] = { { .name = "GCSSS1", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 7, .opc2 = 2, .access = PL0_W, .type = ARM_CP_GCSSS1 }, + { .name = "GCSSS2", .state = ARM_CP_STATE_AA64, + .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 7, .opc2 = 3, + .access = PL0_R, .type = ARM_CP_GCSSS2 }, { .name = "GCSPUSHX", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 7, .opc2 = 4, .access = PL1_W, .accessfn = access_gcspushx, .fgt = FGT_NGCSEPP, diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h index e7e7050880..732c07506d 100644 --- a/target/arm/cpregs.h +++ b/target/arm/cpregs.h @@ -54,6 +54,7 @@ enum { ARM_CP_GCSPOPX = 0x000b, ARM_CP_GCSPOPCX = 0x000c, ARM_CP_GCSSS1 = 0x000d, + ARM_CP_GCSSS2 = 0x000e, /* Flag: reads produce resetvalue; writes ignored. */ ARM_CP_CONST = 1 << 4, diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 82ddf4e1dc..d58257be40 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -2668,6 +2668,35 @@ static void gen_gcsss1(DisasContext *s, int rt) tcg_gen_andi_i64(gcspr, inptr, ~7); } +static void gen_gcsss2(DisasContext *s, int rt) +{ + TCGv_i64 gcspr = cpu_gcspr[s->current_el]; + int mmuidx = core_gcs_mem_index(s->mmu_idx); + MemOp mop = finalize_memop(s, MO_64 | MO_ALIGN); + TCGv_i64 outptr = tcg_temp_new_i64(); + TCGv_i64 tmp = tcg_temp_new_i64(); + TCGLabel *fail_label = + delay_exception(s, EXCP_UDEF, syn_gcs_data_check(GCS_IT_GCSSS2, rt)); + + /* Validate that the new stack has an in-progress cap. */ + tcg_gen_qemu_ld_i64(outptr, gcspr, mmuidx, mop); + tcg_gen_andi_i64(tmp, outptr, 7); + tcg_gen_brcondi_i64(TCG_COND_NE, tmp, 5, fail_label); + + /* Push a valid cap to the old stack. */ + tcg_gen_andi_i64(outptr, outptr, ~7); + tcg_gen_addi_i64(outptr, outptr, -8); + tcg_gen_deposit_i64(tmp, outptr, tcg_constant_i64(1), 0, 12); + tcg_gen_qemu_st_i64(tmp, outptr, mmuidx, mop); + tcg_gen_mb(TCG_BAR_SC | TCG_MO_ALL); + + /* Pop the in-progress cap from the new stack. */ + tcg_gen_addi_i64(gcspr, gcspr, 8); + + /* Return a pointer to the old stack cap. */ + tcg_gen_mov_i64(cpu_reg(s, rt), outptr); +} + /* * Look up @key, returning the cpreg, which must exist. * Additionally, the new cpreg must also be accessible. @@ -3014,6 +3043,11 @@ static void handle_sys(DisasContext *s, bool isread, gen_gcsss1(s, rt); } return; + case ARM_CP_GCSSS2: + if (s->gcs_en) { + gen_gcsss2(s, rt); + } + return; default: g_assert_not_reached(); } From a664ba1fc65ee84c9353cb2f0d2187f580b8e6bb Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:55 -0700 Subject: [PATCH 55/76] target/arm: Add gcs record for BL Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-56-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/translate-a64.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index d58257be40..9a564339fa 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -1678,7 +1678,14 @@ static bool trans_B(DisasContext *s, arg_i *a) static bool trans_BL(DisasContext *s, arg_i *a) { - gen_pc_plus_diff(s, cpu_reg(s, 30), curr_insn_len(s)); + TCGv_i64 link = tcg_temp_new_i64(); + + gen_pc_plus_diff(s, link, 4); + if (s->gcs_en) { + gen_add_gcs_record(s, link); + } + tcg_gen_mov_i64(cpu_reg(s, 30), link); + reset_btype(s); gen_goto_tb(s, 0, a->imm); return true; From 978bad65f84aa4780ed586ef588ddb68a5d0532f Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:56 -0700 Subject: [PATCH 56/76] target/arm: Add gcs record for BLR Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-57-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/translate-a64.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 9a564339fa..fcfa4223f5 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -1782,15 +1782,15 @@ static bool trans_BR(DisasContext *s, arg_r *a) static bool trans_BLR(DisasContext *s, arg_r *a) { - TCGv_i64 dst = cpu_reg(s, a->rn); - TCGv_i64 lr = cpu_reg(s, 30); - if (dst == lr) { - TCGv_i64 tmp = tcg_temp_new_i64(); - tcg_gen_mov_i64(tmp, dst); - dst = tmp; + TCGv_i64 link = tcg_temp_new_i64(); + + gen_pc_plus_diff(s, link, 4); + if (s->gcs_en) { + gen_add_gcs_record(s, link); } - gen_pc_plus_diff(s, lr, curr_insn_len(s)); - gen_a64_set_pc(s, dst); + gen_a64_set_pc(s, cpu_reg(s, a->rn)); + tcg_gen_mov_i64(cpu_reg(s, 30), link); + set_btype_for_blr(s); s->base.is_jmp = DISAS_JUMP; return true; From d28bb06dc8ad5667c26d00765c442ca9cf7f1aa1 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:57 -0700 Subject: [PATCH 57/76] target/arm: Add gcs record for BLR with PAuth Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-58-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/translate-a64.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index fcfa4223f5..9c3de0cf71 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -1842,21 +1842,21 @@ static bool trans_BRAZ(DisasContext *s, arg_braz *a) static bool trans_BLRAZ(DisasContext *s, arg_braz *a) { - TCGv_i64 dst, lr; + TCGv_i64 dst, link; if (!dc_isar_feature(aa64_pauth, s)) { return false; } - dst = auth_branch_target(s, cpu_reg(s, a->rn), tcg_constant_i64(0), !a->m); - lr = cpu_reg(s, 30); - if (dst == lr) { - TCGv_i64 tmp = tcg_temp_new_i64(); - tcg_gen_mov_i64(tmp, dst); - dst = tmp; + + link = tcg_temp_new_i64(); + gen_pc_plus_diff(s, link, 4); + if (s->gcs_en) { + gen_add_gcs_record(s, link); } - gen_pc_plus_diff(s, lr, curr_insn_len(s)); gen_a64_set_pc(s, dst); + tcg_gen_mov_i64(cpu_reg(s, 30), link); + set_btype_for_blr(s); s->base.is_jmp = DISAS_JUMP; return true; @@ -1892,20 +1892,21 @@ static bool trans_BRA(DisasContext *s, arg_bra *a) static bool trans_BLRA(DisasContext *s, arg_bra *a) { - TCGv_i64 dst, lr; + TCGv_i64 dst, link; if (!dc_isar_feature(aa64_pauth, s)) { return false; } dst = auth_branch_target(s, cpu_reg(s, a->rn), cpu_reg_sp(s, a->rm), !a->m); - lr = cpu_reg(s, 30); - if (dst == lr) { - TCGv_i64 tmp = tcg_temp_new_i64(); - tcg_gen_mov_i64(tmp, dst); - dst = tmp; + + link = tcg_temp_new_i64(); + gen_pc_plus_diff(s, link, 4); + if (s->gcs_en) { + gen_add_gcs_record(s, link); } - gen_pc_plus_diff(s, lr, curr_insn_len(s)); gen_a64_set_pc(s, dst); + tcg_gen_mov_i64(cpu_reg(s, 30), link); + set_btype_for_blr(s); s->base.is_jmp = DISAS_JUMP; return true; From 488fab6fc9470515309ca405ece3c8ae4bf8c37c Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:58 -0700 Subject: [PATCH 58/76] target/arm: Load gcs record for RET Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-59-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/translate-a64.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 9c3de0cf71..dfd5b17831 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -444,6 +444,27 @@ static void gen_add_gcs_record(DisasContext *s, TCGv_i64 value) tcg_gen_mov_i64(gcspr, addr); } +static void gen_load_check_gcs_record(DisasContext *s, TCGv_i64 target, + GCSInstructionType it, int rt) +{ + TCGv_i64 gcspr = cpu_gcspr[s->current_el]; + int mmuidx = core_gcs_mem_index(s->mmu_idx); + MemOp mop = finalize_memop(s, MO_64 | MO_ALIGN); + TCGv_i64 rec_va = tcg_temp_new_i64(); + + tcg_gen_qemu_ld_i64(rec_va, clean_data_tbi(s, gcspr), mmuidx, mop); + + if (s->gcs_rvcen) { + TCGLabel *fail_label = + delay_exception(s, EXCP_UDEF, syn_gcs_data_check(it, rt)); + + tcg_gen_brcond_i64(TCG_COND_NE, rec_va, target, fail_label); + } + + gen_a64_set_pc(s, rec_va); + tcg_gen_addi_i64(gcspr, gcspr, 8); +} + typedef struct DisasCompare64 { TCGCond cond; TCGv_i64 value; @@ -1798,7 +1819,13 @@ static bool trans_BLR(DisasContext *s, arg_r *a) static bool trans_RET(DisasContext *s, arg_r *a) { - gen_a64_set_pc(s, cpu_reg(s, a->rn)); + TCGv_i64 target = cpu_reg(s, a->rn); + + if (s->gcs_en) { + gen_load_check_gcs_record(s, target, GCS_IT_RET_nPauth, a->rn); + } else { + gen_a64_set_pc(s, target); + } s->base.is_jmp = DISAS_JUMP; return true; } From 3d366bb67ff2eab40052bc09983328b06c394e12 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:55:59 -0700 Subject: [PATCH 59/76] target/arm: Load gcs record for RET with PAuth Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-60-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/translate-a64.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index dfd5b17831..918d5ed112 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -1898,7 +1898,12 @@ static bool trans_RETA(DisasContext *s, arg_reta *a) } dst = auth_branch_target(s, cpu_reg(s, 30), cpu_X[31], !a->m); - gen_a64_set_pc(s, dst); + if (s->gcs_en) { + GCSInstructionType it = a->m ? GCS_IT_RET_PauthB : GCS_IT_RET_PauthA; + gen_load_check_gcs_record(s, dst, it, 30); + } else { + gen_a64_set_pc(s, dst); + } s->base.is_jmp = DISAS_JUMP; return true; } From d77ed960164490d4daeaa3e1a3532ea53477538a Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:00 -0700 Subject: [PATCH 60/76] target/arm: Copy EXLOCKEn to EXLOCK on exception to the same EL Per R_WTXBY, PSTATE.EXLOCK is 0 on an exception to a higher EL, and copied from EXLOCKEn otherwise. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-61-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/helper.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index 1aa0a157b7..0077788e1e 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -9071,8 +9071,13 @@ static void arm_cpu_do_interrupt_aarch64(CPUState *cs) } else { addr += 0x600; } - } else if (pstate_read(env) & PSTATE_SP) { - addr += 0x200; + } else { + if (pstate_read(env) & PSTATE_SP) { + addr += 0x200; + } + if (is_a64(env) && (env->cp15.gcscr_el[new_el] & GCSCR_EXLOCKEN)) { + new_mode |= PSTATE_EXLOCK; + } } switch (cs->exception_index) { From 70440a58589baa9d77428573f146a0ceaa5aa3ef Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:01 -0700 Subject: [PATCH 61/76] target/arm: Implement EXLOCK check during exception return Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-62-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/tcg/helper-a64.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/target/arm/tcg/helper-a64.c b/target/arm/tcg/helper-a64.c index 08b7db7c46..ba1d775d81 100644 --- a/target/arm/tcg/helper-a64.c +++ b/target/arm/tcg/helper-a64.c @@ -675,6 +675,17 @@ void HELPER(exception_return)(CPUARMState *env, uint64_t new_pc) goto illegal_return; } + /* + * If GetCurrentEXLOCKEN, the exception return path must use GCSPOPCX, + * which will set PSTATE.EXLOCK. We need not explicitly check FEAT_GCS, + * because GCSCR_ELx cannot be set without it. + */ + if (new_el == cur_el && + (env->cp15.gcscr_el[cur_el] & GCSCR_EXLOCKEN) && + !(env->pstate & PSTATE_EXLOCK)) { + goto illegal_return; + } + bql_lock(); arm_call_pre_el_change_hook(cpu); bql_unlock(); From 9c5dfe8b568b1b5265044f9f1dbc57345656e342 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:02 -0700 Subject: [PATCH 62/76] target/arm: Enable FEAT_GCS with -cpu max MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Tested-by: Thiago Jung Bauermann Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Message-id: 20251008215613.300150-63-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- docs/system/arm/emulation.rst | 1 + target/arm/tcg/cpu64.c | 1 + 2 files changed, 2 insertions(+) diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst index 68d9a4e734..4496178c48 100644 --- a/docs/system/arm/emulation.rst +++ b/docs/system/arm/emulation.rst @@ -73,6 +73,7 @@ the following architecture extensions: - FEAT_FRINTTS (Floating-point to integer instructions) - FEAT_FlagM (Flag manipulation instructions v2) - FEAT_FlagM2 (Enhancements to flag manipulation instructions) +- FEAT_GCS (Guarded Control Stack Extension) - FEAT_GTG (Guest translation granule size) - FEAT_HAFDBS (Hardware management of the access flag and dirty bit state) - FEAT_HBC (Hinted conditional branches) diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c index f024db1d29..cc42dfdf56 100644 --- a/target/arm/tcg/cpu64.c +++ b/target/arm/tcg/cpu64.c @@ -1280,6 +1280,7 @@ void aarch64_max_tcg_initfn(Object *obj) t = FIELD_DP64(t, ID_AA64PFR1, SME, 2); /* FEAT_SME2 */ t = FIELD_DP64(t, ID_AA64PFR1, CSV2_FRAC, 0); /* FEAT_CSV2_3 */ t = FIELD_DP64(t, ID_AA64PFR1, NMI, 1); /* FEAT_NMI */ + t = FIELD_DP64(t, ID_AA64PFR1, GCS, 1); /* FEAT_GCS */ SET_IDREG(isar, ID_AA64PFR1, t); t = GET_IDREG(isar, ID_AA64MMFR0); From d0e16dcad9b7a95367be91ddd2e74779c47ebf8a Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:03 -0700 Subject: [PATCH 63/76] linux-user/aarch64: Implement prctls for GCS This is PR_GET_SHADOW_STACK_STATUS, PR_SET_SHADOW_STACK_STATUS, and PR_LOCK_SHADOW_STACK_STATUS. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-64-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- linux-user/aarch64/gcs-internal.h | 38 ++++++++++++ linux-user/aarch64/target_prctl.h | 96 +++++++++++++++++++++++++++++++ linux-user/qemu.h | 5 ++ linux-user/syscall.c | 29 ++++++++++ 4 files changed, 168 insertions(+) create mode 100644 linux-user/aarch64/gcs-internal.h diff --git a/linux-user/aarch64/gcs-internal.h b/linux-user/aarch64/gcs-internal.h new file mode 100644 index 0000000000..e586c7e80e --- /dev/null +++ b/linux-user/aarch64/gcs-internal.h @@ -0,0 +1,38 @@ +/* + * AArch64 gcs functions for linux-user + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ +#ifndef AARCH64_GCS_INTERNAL_H +#define AARCH64_GCS_INTERNAL_H + +#ifndef PR_SHADOW_STACK_ENABLE +# define PR_SHADOW_STACK_ENABLE (1U << 0) +# define PR_SHADOW_STACK_WRITE (1U << 1) +# define PR_SHADOW_STACK_PUSH (1U << 2) +#endif + +static inline uint64_t gcs_get_el0_mode(CPUArchState *env) +{ + uint64_t cr = env->cp15.gcscr_el[0]; + abi_ulong flags = 0; + + flags |= cr & GCSCR_PCRSEL ? PR_SHADOW_STACK_ENABLE : 0; + flags |= cr & GCSCR_STREN ? PR_SHADOW_STACK_WRITE : 0; + flags |= cr & GCSCR_PUSHMEN ? PR_SHADOW_STACK_PUSH : 0; + + return flags; +} + +static inline void gcs_set_el0_mode(CPUArchState *env, uint64_t flags) +{ + uint64_t cr = GCSCRE0_NTR; + + cr |= flags & PR_SHADOW_STACK_ENABLE ? GCSCR_RVCHKEN | GCSCR_PCRSEL : 0; + cr |= flags & PR_SHADOW_STACK_WRITE ? GCSCR_STREN : 0; + cr |= flags & PR_SHADOW_STACK_PUSH ? GCSCR_PUSHMEN : 0; + + env->cp15.gcscr_el[0] = cr; +} + +#endif diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h index ed75b9e4b5..621be5727f 100644 --- a/linux-user/aarch64/target_prctl.h +++ b/linux-user/aarch64/target_prctl.h @@ -6,8 +6,10 @@ #ifndef AARCH64_TARGET_PRCTL_H #define AARCH64_TARGET_PRCTL_H +#include "qemu/units.h" #include "target/arm/cpu-features.h" #include "mte_user_helper.h" +#include "gcs-internal.h" static abi_long do_prctl_sve_get_vl(CPUArchState *env) { @@ -206,4 +208,98 @@ static abi_long do_prctl_get_tagged_addr_ctrl(CPUArchState *env) } #define do_prctl_get_tagged_addr_ctrl do_prctl_get_tagged_addr_ctrl +static abi_long do_prctl_get_shadow_stack_status(CPUArchState *env, + abi_long arg2) +{ + ARMCPU *cpu = env_archcpu(env); + + if (!cpu_isar_feature(aa64_gcs, cpu)) { + return -TARGET_EINVAL; + } + return put_user_ual(gcs_get_el0_mode(env), arg2); +} +#define do_prctl_get_shadow_stack_status do_prctl_get_shadow_stack_status + +static abi_long gcs_alloc(abi_ulong hint, abi_ulong size) +{ + /* + * Without softmmu, we cannot protect GCS memory properly. + * Make do with normal read/write permissions. This at least allows + * emulation of correct programs which don't access the gcs stack + * with normal instructions. + */ + return target_mmap(hint, size, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS | + (hint ? MAP_FIXED_NOREPLACE : 0), -1, 0); +} + +static abi_ulong gcs_new_stack(TaskState *ts) +{ + /* Use guest_stack_size as a proxy for RLIMIT_STACK. */ + abi_ulong size = MIN(MAX(guest_stack_size / 2, TARGET_PAGE_SIZE), 2 * GiB); + abi_ulong base = gcs_alloc(0, size); + + if (base == -1) { + return -1; + } + + ts->gcs_base = base; + ts->gcs_size = size; + return base + size - 8; +} + +static abi_long do_prctl_set_shadow_stack_status(CPUArchState *env, + abi_long new_mode) +{ + ARMCPU *cpu = env_archcpu(env); + TaskState *ts = get_task_state(env_cpu(env)); + abi_long cur_mode; + + if (!cpu_isar_feature(aa64_gcs, cpu)) { + return -TARGET_EINVAL; + } + if (new_mode & ~(PR_SHADOW_STACK_ENABLE | + PR_SHADOW_STACK_WRITE | + PR_SHADOW_STACK_PUSH)) { + return -TARGET_EINVAL; + } + + cur_mode = gcs_get_el0_mode(env); + if ((new_mode ^ cur_mode) & ts->gcs_el0_locked) { + return -TARGET_EBUSY; + } + + if (new_mode & ~cur_mode & PR_SHADOW_STACK_ENABLE) { + abi_long gcspr; + + if (ts->gcs_base || env->cp15.gcspr_el[0]) { + return -EINVAL; + } + gcspr = gcs_new_stack(ts); + if (gcspr == -1) { + return -TARGET_ENOMEM; + } + env->cp15.gcspr_el[0] = gcspr; + } + + gcs_set_el0_mode(env, new_mode); + arm_rebuild_hflags(env); + return 0; +} +#define do_prctl_set_shadow_stack_status do_prctl_set_shadow_stack_status + +static abi_long do_prctl_lock_shadow_stack_status(CPUArchState *env, + abi_long arg2) +{ + ARMCPU *cpu = env_archcpu(env); + TaskState *ts = get_task_state(env_cpu(env)); + + if (!cpu_isar_feature(aa64_gcs, cpu)) { + return -EINVAL; + } + ts->gcs_el0_locked |= arg2; + return 0; +} +#define do_prctl_lock_shadow_stack_status do_prctl_lock_shadow_stack_status + #endif /* AARCH64_TARGET_PRCTL_H */ diff --git a/linux-user/qemu.h b/linux-user/qemu.h index cabb7bd6a8..85e68eff7b 100644 --- a/linux-user/qemu.h +++ b/linux-user/qemu.h @@ -121,6 +121,11 @@ struct TaskState { abi_ulong child_tidptr; #ifdef TARGET_M68K abi_ulong tp_value; +#endif +#if defined(TARGET_AARCH64) + vaddr gcs_base; + abi_ulong gcs_size; + abi_ulong gcs_el0_locked; #endif int used; /* non zero if used */ struct image_info *info; diff --git a/linux-user/syscall.c b/linux-user/syscall.c index d78b2029fa..56695de680 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -6353,6 +6353,11 @@ abi_long do_arch_prctl(CPUX86State *env, int code, abi_ulong addr) # define PR_SME_VL_LEN_MASK 0xffff # define PR_SME_VL_INHERIT (1 << 17) #endif +#ifndef PR_GET_SHADOW_STACK_STATUS +# define PR_GET_SHADOW_STACK_STATUS 74 +# define PR_SET_SHADOW_STACK_STATUS 75 +# define PR_LOCK_SHADOW_STACK_STATUS 76 +#endif #include "target_prctl.h" @@ -6399,6 +6404,15 @@ static abi_long do_prctl_inval1(CPUArchState *env, abi_long arg2) #ifndef do_prctl_sme_set_vl #define do_prctl_sme_set_vl do_prctl_inval1 #endif +#ifndef do_prctl_get_shadow_stack_status +#define do_prctl_get_shadow_stack_status do_prctl_inval1 +#endif +#ifndef do_prctl_set_shadow_stack_status +#define do_prctl_set_shadow_stack_status do_prctl_inval1 +#endif +#ifndef do_prctl_lock_shadow_stack_status +#define do_prctl_lock_shadow_stack_status do_prctl_inval1 +#endif static abi_long do_prctl_syscall_user_dispatch(CPUArchState *env, abi_ulong arg2, abi_ulong arg3, @@ -6499,6 +6513,21 @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2, return -TARGET_EINVAL; } return do_prctl_get_tagged_addr_ctrl(env); + case PR_GET_SHADOW_STACK_STATUS: + if (arg3 || arg4 || arg5) { + return -TARGET_EINVAL; + } + return do_prctl_get_shadow_stack_status(env, arg2); + case PR_SET_SHADOW_STACK_STATUS: + if (arg3 || arg4 || arg5) { + return -TARGET_EINVAL; + } + return do_prctl_set_shadow_stack_status(env, arg2); + case PR_LOCK_SHADOW_STACK_STATUS: + if (arg3 || arg4 || arg5) { + return -TARGET_EINVAL; + } + return do_prctl_lock_shadow_stack_status(env, arg2); case PR_GET_UNALIGN: return do_prctl_get_unalign(env, arg2); From f57359b3f0c85482c35f6668b0815c350ff5d451 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:04 -0700 Subject: [PATCH 64/76] linux-user/aarch64: Allocate new gcs stack on clone Allocate the new stack early, so that error reporting need not clean up other objects. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-65-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- linux-user/syscall.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 56695de680..dffe6c2016 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -6686,6 +6686,21 @@ static int do_fork(CPUArchState *env, unsigned int flags, abi_ulong newsp, ts = g_new0(TaskState, 1); init_task_state(ts); +#ifdef TARGET_AARCH64 + /* + * If GCS is enabled in the parent thread, it is also enabled + * in the child thread, but with a newly allocated stack. + */ + abi_long new_gcspr = 0; + if (env->cp15.gcscr_el[0] & GCSCR_PCRSEL) { + new_gcspr = gcs_new_stack(ts); + if (new_gcspr == -1) { + g_free(ts); + return -TARGET_ENOMEM; + } + } +#endif + /* Grab a mutex so that thread setup appears atomic. */ pthread_mutex_lock(&clone_lock); @@ -6707,6 +6722,11 @@ static int do_fork(CPUArchState *env, unsigned int flags, abi_ulong newsp, ts->info = parent_ts->info; ts->signal_mask = parent_ts->signal_mask; +#ifdef TARGET_AARCH64 + ts->gcs_el0_locked = parent_ts->gcs_el0_locked; + new_env->cp15.gcspr_el[0] = new_gcspr; +#endif + if (flags & CLONE_CHILD_CLEARTID) { ts->child_tidptr = child_tidptr; } From 1c9448037758277eb3dae71f98be3bbfdc91f467 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:05 -0700 Subject: [PATCH 65/76] linux-user/aarch64: Release gcs stack on thread exit Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-66-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- linux-user/syscall.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index dffe6c2016..47a6b58cf5 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -9429,6 +9429,12 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1, FUTEX_WAKE, INT_MAX, NULL, NULL, 0); } +#ifdef TARGET_AARCH64 + if (ts->gcs_base) { + target_munmap(ts->gcs_base, ts->gcs_size); + } +#endif + object_unparent(OBJECT(cpu)); object_unref(OBJECT(cpu)); /* From ad1afe433fa18691306451cf0f79bd2568ef9709 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:06 -0700 Subject: [PATCH 66/76] linux-user/aarch64: Implement map_shadow_stack syscall Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-67-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- linux-user/syscall.c | 59 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 47a6b58cf5..8546f48a05 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -6358,6 +6358,12 @@ abi_long do_arch_prctl(CPUX86State *env, int code, abi_ulong addr) # define PR_SET_SHADOW_STACK_STATUS 75 # define PR_LOCK_SHADOW_STACK_STATUS 76 #endif +#ifndef SHADOW_STACK_SET_TOKEN +# define SHADOW_STACK_SET_TOKEN (1u << 0) +#endif +#ifndef SHADOW_STACK_SET_MARKER +# define SHADOW_STACK_SET_MARKER (1u << 1) +#endif #include "target_prctl.h" @@ -6605,6 +6611,54 @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2, } } +#ifdef TARGET_AARCH64 +static abi_long do_map_shadow_stack(CPUArchState *env, abi_ulong addr, + abi_ulong size, abi_int flags) +{ + ARMCPU *cpu = env_archcpu(env); + abi_ulong alloc_size; + + if (!cpu_isar_feature(aa64_gcs, cpu)) { + return -TARGET_EOPNOTSUPP; + } + if (flags & ~(SHADOW_STACK_SET_TOKEN | SHADOW_STACK_SET_MARKER)) { + return -TARGET_EINVAL; + } + if (addr & ~TARGET_PAGE_MASK) { + return -TARGET_EINVAL; + } + if (size == 8 || !QEMU_IS_ALIGNED(size, 8)) { + return -TARGET_EINVAL; + } + + alloc_size = TARGET_PAGE_ALIGN(size); + if (alloc_size < size) { + return -TARGET_EOVERFLOW; + } + + mmap_lock(); + addr = gcs_alloc(addr, alloc_size); + if (addr != -1) { + if (flags & SHADOW_STACK_SET_TOKEN) { + abi_ptr cap_ptr = addr + size - 8; + uint64_t cap_val; + + if (flags & SHADOW_STACK_SET_MARKER) { + /* Leave an extra empty frame at top-of-stack. */ + cap_ptr -= 8; + } + cap_val = (cap_ptr & TARGET_PAGE_MASK) | 1; + if (put_user_u64(cap_val, cap_ptr)) { + /* Allocation succeeded above. */ + g_assert_not_reached(); + } + } + } + mmap_unlock(); + return get_errno(addr); +} +#endif + #define NEW_STACK_SIZE 0x40000 @@ -14065,6 +14119,11 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1, return do_riscv_hwprobe(cpu_env, arg1, arg2, arg3, arg4, arg5); #endif +#ifdef TARGET_AARCH64 + case TARGET_NR_map_shadow_stack: + return do_map_shadow_stack(cpu_env, arg1, arg2, arg3); +#endif + default: qemu_log_mask(LOG_UNIMP, "Unsupported syscall: %d\n", num); return -TARGET_ENOSYS; From 5149287e10c903f2c629f127ec90415b2d1703d5 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:07 -0700 Subject: [PATCH 67/76] target/arm: Enable GCSPR_EL0 for read in user-mode Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-68-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/cpu.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/target/arm/cpu.c b/target/arm/cpu.c index cbb00c3db3..11e7c10cef 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -311,6 +311,10 @@ static void arm_cpu_reset_hold(Object *obj, ResetType type) env->cp15.mdscr_el1 |= 1 << 12; /* Enable FEAT_MOPS */ env->cp15.sctlr_el[1] |= SCTLR_MSCEN; + /* For Linux, GCSPR_EL0 is always readable. */ + if (cpu_isar_feature(aa64_gcs, cpu)) { + env->cp15.gcscr_el[0] = GCSCRE0_NTR; + } #else /* Reset into the highest available EL */ if (arm_feature(env, ARM_FEATURE_EL3)) { From 37897b29b3a55fd60bb75ab12ff52d0b1bf72bef Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:08 -0700 Subject: [PATCH 68/76] linux-user/aarch64: Inject SIGSEGV for GCS faults Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-69-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- linux-user/aarch64/cpu_loop.c | 5 +++++ linux-user/aarch64/target_signal.h | 1 + 2 files changed, 6 insertions(+) diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c index 50a4c99535..7f66a879ea 100644 --- a/linux-user/aarch64/cpu_loop.c +++ b/linux-user/aarch64/cpu_loop.c @@ -89,6 +89,11 @@ static void signal_for_exception(CPUARMState *env, vaddr addr) si_code = TARGET_ILL_ILLOPN; break; + case EC_GCS: + si_signo = TARGET_SIGSEGV; + si_code = TARGET_SEGV_CPERR; + break; + case EC_MOP: /* * FIXME: The kernel fixes up wrong-option exceptions. diff --git a/linux-user/aarch64/target_signal.h b/linux-user/aarch64/target_signal.h index 6f66a50bfd..e509ac1032 100644 --- a/linux-user/aarch64/target_signal.h +++ b/linux-user/aarch64/target_signal.h @@ -7,6 +7,7 @@ #define TARGET_SEGV_MTEAERR 8 /* Asynchronous ARM MTE error */ #define TARGET_SEGV_MTESERR 9 /* Synchronous ARM MTE exception */ +#define TARGET_SEGV_CPERR 10 /* Control protection fault */ #define TARGET_ARCH_HAS_SETUP_FRAME #define TARGET_ARCH_HAS_SIGTRAMP_PAGE 1 From ef110c3070aff0994c3c5601a6e37c43ac793834 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:09 -0700 Subject: [PATCH 69/76] linux-user/aarch64: Generate GCS signal records Here we must push and pop a cap on the GCS stack as well as the gcs record on the normal stack. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-70-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- linux-user/aarch64/signal.c | 138 ++++++++++++++++++++++++++++++++++-- 1 file changed, 132 insertions(+), 6 deletions(-) diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c index ef97be3ac7..f7edfa249e 100644 --- a/linux-user/aarch64/signal.c +++ b/linux-user/aarch64/signal.c @@ -22,6 +22,7 @@ #include "signal-common.h" #include "linux-user/trace.h" #include "target/arm/cpu-features.h" +#include "gcs-internal.h" struct target_sigcontext { uint64_t fault_address; @@ -152,6 +153,16 @@ struct target_zt_context { QEMU_BUILD_BUG_ON(TARGET_ZT_SIG_REG_BYTES != \ sizeof_field(CPUARMState, za_state.zt0)); +#define TARGET_GCS_MAGIC 0x47435300 +#define GCS_SIGNAL_CAP(X) ((X) & TARGET_PAGE_MASK) + +struct target_gcs_context { + struct target_aarch64_ctx head; + uint64_t gcspr; + uint64_t features_enabled; + uint64_t reserved; +}; + struct target_rt_sigframe { struct target_siginfo info; struct target_ucontext uc; @@ -322,6 +333,35 @@ static void target_setup_zt_record(struct target_zt_context *zt, } } +static bool target_setup_gcs_record(struct target_gcs_context *ctx, + CPUARMState *env, uint64_t return_addr) +{ + uint64_t mode = gcs_get_el0_mode(env); + uint64_t gcspr = env->cp15.gcspr_el[0]; + + if (mode & PR_SHADOW_STACK_ENABLE) { + /* Push a cap for the signal frame. */ + gcspr -= 8; + if (put_user_u64(GCS_SIGNAL_CAP(gcspr), gcspr)) { + return false; + } + + /* Push a gcs entry for the trampoline. */ + if (put_user_u64(return_addr, gcspr - 8)) { + return false; + } + env->cp15.gcspr_el[0] = gcspr - 8; + } + + __put_user(TARGET_GCS_MAGIC, &ctx->head.magic); + __put_user(sizeof(*ctx), &ctx->head.size); + __put_user(gcspr, &ctx->gcspr); + __put_user(mode, &ctx->features_enabled); + __put_user(0, &ctx->reserved); + + return true; +} + static void target_restore_general_frame(CPUARMState *env, struct target_rt_sigframe *sf) { @@ -502,6 +542,64 @@ static bool target_restore_zt_record(CPUARMState *env, return true; } +static bool target_restore_gcs_record(CPUARMState *env, + struct target_gcs_context *ctx, + bool *rebuild_hflags) +{ + TaskState *ts = get_task_state(env_cpu(env)); + uint64_t cur_mode = gcs_get_el0_mode(env); + uint64_t new_mode, gcspr; + + __get_user(new_mode, &ctx->features_enabled); + __get_user(gcspr, &ctx->gcspr); + + /* + * The kernel pushes the value through the hw register: + * write_sysreg_s(gcspr, SYS_GCSPR_EL0) in restore_gcs_context, + * then read_sysreg_s(SYS_GCSPR_EL0) in gcs_restore_signal. + * Since the bottom 3 bits are RES0, this can (CONSTRAINED UNPREDICTABLE) + * force align the value. Mirror the choice from gcspr_write(). + */ + gcspr &= ~7; + + if (new_mode & ~(PR_SHADOW_STACK_ENABLE | + PR_SHADOW_STACK_WRITE | + PR_SHADOW_STACK_PUSH)) { + return false; + } + if ((new_mode ^ cur_mode) & ts->gcs_el0_locked) { + return false; + } + if (new_mode & ~cur_mode & PR_SHADOW_STACK_ENABLE) { + return false; + } + + if (new_mode & PR_SHADOW_STACK_ENABLE) { + uint64_t cap; + + /* Pop and clear the signal cap. */ + if (get_user_u64(cap, gcspr)) { + return false; + } + if (cap != GCS_SIGNAL_CAP(gcspr)) { + return false; + } + if (put_user_u64(0, gcspr)) { + return false; + } + gcspr += 8; + } else { + new_mode = 0; + } + + env->cp15.gcspr_el[0] = gcspr; + if (new_mode != cur_mode) { + *rebuild_hflags = true; + gcs_set_el0_mode(env, new_mode); + } + return true; +} + static int target_restore_sigframe(CPUARMState *env, struct target_rt_sigframe *sf) { @@ -511,8 +609,10 @@ static int target_restore_sigframe(CPUARMState *env, struct target_za_context *za = NULL; struct target_tpidr2_context *tpidr2 = NULL; struct target_zt_context *zt = NULL; + struct target_gcs_context *gcs = NULL; uint64_t extra_datap = 0; bool used_extra = false; + bool rebuild_hflags = false; int sve_size = 0; int za_size = 0; int zt_size = 0; @@ -582,6 +682,15 @@ static int target_restore_sigframe(CPUARMState *env, zt_size = size; break; + case TARGET_GCS_MAGIC: + if (gcs + || size != sizeof(struct target_gcs_context) + || !cpu_isar_feature(aa64_gcs, env_archcpu(env))) { + goto err; + } + gcs = (struct target_gcs_context *)ctx; + break; + case TARGET_EXTRA_MAGIC: if (extra || size != sizeof(struct target_extra_context)) { goto err; @@ -612,6 +721,10 @@ static int target_restore_sigframe(CPUARMState *env, goto err; } + if (gcs && !target_restore_gcs_record(env, gcs, &rebuild_hflags)) { + goto err; + } + /* SVE data, if present, overwrites FPSIMD data. */ if (sve && !target_restore_sve_record(env, sve, sve_size, &svcr)) { goto err; @@ -631,6 +744,9 @@ static int target_restore_sigframe(CPUARMState *env, } if (env->svcr != svcr) { env->svcr = svcr; + rebuild_hflags = true; + } + if (rebuild_hflags) { arm_rebuild_hflags(env); } unlock_user(extra, extra_datap, 0); @@ -701,7 +817,7 @@ static void target_setup_frame(int usig, struct target_sigaction *ka, uc.tuc_mcontext.__reserved), }; int fpsimd_ofs, fr_ofs, sve_ofs = 0, za_ofs = 0, tpidr2_ofs = 0; - int zt_ofs = 0, esr_ofs = 0; + int zt_ofs = 0, esr_ofs = 0, gcs_ofs = 0; int sve_size = 0, za_size = 0, tpidr2_size = 0, zt_size = 0; struct target_rt_sigframe *frame; struct target_rt_frame_record *fr; @@ -720,6 +836,11 @@ static void target_setup_frame(int usig, struct target_sigaction *ka, &layout); } + if (env->cp15.gcspr_el[0]) { + gcs_ofs = alloc_sigframe_space(sizeof(struct target_gcs_context), + &layout); + } + /* SVE state needs saving only if it exists. */ if (cpu_isar_feature(aa64_sve, env_archcpu(env)) || cpu_isar_feature(aa64_sme, env_archcpu(env))) { @@ -779,6 +900,12 @@ static void target_setup_frame(int usig, struct target_sigaction *ka, goto give_sigsegv; } + if (ka->sa_flags & TARGET_SA_RESTORER) { + return_addr = ka->sa_restorer; + } else { + return_addr = default_rt_sigreturn; + } + target_setup_general_frame(frame, env, set); target_setup_fpsimd_record((void *)frame + fpsimd_ofs, env); if (esr_ofs) { @@ -786,6 +913,10 @@ static void target_setup_frame(int usig, struct target_sigaction *ka, /* Leave ESR_EL1 clear while it's not relevant. */ env->cp15.esr_el[1] = 0; } + if (gcs_ofs && + !target_setup_gcs_record((void *)frame + gcs_ofs, env, return_addr)) { + goto give_sigsegv; + } target_setup_end_record((void *)frame + layout.std_end_ofs); if (layout.extra_ofs) { target_setup_extra_record((void *)frame + layout.extra_ofs, @@ -811,11 +942,6 @@ static void target_setup_frame(int usig, struct target_sigaction *ka, __put_user(env->xregs[29], &fr->fp); __put_user(env->xregs[30], &fr->lr); - if (ka->sa_flags & TARGET_SA_RESTORER) { - return_addr = ka->sa_restorer; - } else { - return_addr = default_rt_sigreturn; - } env->xregs[0] = usig; env->xregs[29] = frame_addr + fr_ofs; env->xregs[30] = return_addr; From d2687ad312f4ec776398d4badad287b421c8fbc0 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:10 -0700 Subject: [PATCH 70/76] linux-user/aarch64: Enable GCS in HWCAP Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-71-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- linux-user/aarch64/elfload.c | 1 + 1 file changed, 1 insertion(+) diff --git a/linux-user/aarch64/elfload.c b/linux-user/aarch64/elfload.c index 77d03b50e1..3af5a37776 100644 --- a/linux-user/aarch64/elfload.c +++ b/linux-user/aarch64/elfload.c @@ -169,6 +169,7 @@ abi_ulong get_elf_hwcap(CPUState *cs) GET_FEATURE_ID(aa64_dcpop, ARM_HWCAP_A64_DCPOP); GET_FEATURE_ID(aa64_rcpc_8_3, ARM_HWCAP_A64_LRCPC); GET_FEATURE_ID(aa64_rcpc_8_4, ARM_HWCAP_A64_ILRCPC); + GET_FEATURE_ID(aa64_gcs, ARM_HWCAP_A64_GCS); return hwcaps; } From 3f3cc39b7d263faf453b6a165f56425e46a2f44e Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:11 -0700 Subject: [PATCH 71/76] tests/tcg/aarch64: Add gcsstr Add some infrastructure for testing gcs in userspace. Validate successful and trapped executions of GCSSTR. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-72-richard.henderson@linaro.org [PMM: fixed hardcoded tabs] Signed-off-by: Peter Maydell --- tests/tcg/aarch64/Makefile.target | 5 +++ tests/tcg/aarch64/gcs.h | 71 +++++++++++++++++++++++++++++++ tests/tcg/aarch64/gcsstr.c | 48 +++++++++++++++++++++ 3 files changed, 124 insertions(+) create mode 100644 tests/tcg/aarch64/gcs.h create mode 100644 tests/tcg/aarch64/gcsstr.c diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target index 1755874bee..5e1b3a3385 100644 --- a/tests/tcg/aarch64/Makefile.target +++ b/tests/tcg/aarch64/Makefile.target @@ -75,6 +75,11 @@ AARCH64_TESTS += $(SME_TESTS) $(SME_TESTS): CFLAGS += $(CROSS_AS_HAS_ARMV9_SME) endif +# GCS Tests +GCS_TESTS += gcsstr +AARCH64_TESTS += $(GCS_TESTS) +$(GCS_TESTS): gcs.h + # System Registers Tests AARCH64_TESTS += sysregs diff --git a/tests/tcg/aarch64/gcs.h b/tests/tcg/aarch64/gcs.h new file mode 100644 index 0000000000..770cde6a85 --- /dev/null +++ b/tests/tcg/aarch64/gcs.h @@ -0,0 +1,71 @@ +/* + * Linux kernel fallback API definitions for GCS and test helpers. + * + * Copyright (c) 2025 Linaro Ltd + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifndef PR_GET_SHADOW_STACK_STATUS +#define PR_GET_SHADOW_STACK_STATUS 74 +#endif +#ifndef PR_SET_SHADOW_STACK_STATUS +#define PR_SET_SHADOW_STACK_STATUS 75 +#endif +#ifndef PR_LOCK_SHADOW_STACK_STATUS +#define PR_LOCK_SHADOW_STACK_STATUS 76 +#endif +#ifndef PR_SHADOW_STACK_ENABLE +# define PR_SHADOW_STACK_ENABLE (1 << 0) +# define PR_SHADOW_STACK_WRITE (1 << 1) +# define PR_SHADOW_STACK_PUSH (1 << 2) +#endif +#ifndef SHADOW_STACK_SET_TOKEN +#define SHADOW_STACK_SET_TOKEN (1 << 0) +#endif +#ifndef SHADOW_STACK_SET_MARKER +#define SHADOW_STACK_SET_MARKER (1 << 1) +#endif +#ifndef SEGV_CPERR +#define SEGV_CPERR 10 +#endif +#ifndef __NR_map_shadow_stack +#define __NR_map_shadow_stack 453 +#endif + +/* + * Macros, and implement the syscall inline, lest we fail + * the checked return from any function call. + */ +#define enable_gcs(flags) \ + do { \ + register long num __asm__ ("x8") = __NR_prctl; \ + register long arg1 __asm__ ("x0") = PR_SET_SHADOW_STACK_STATUS; \ + register long arg2 __asm__ ("x1") = PR_SHADOW_STACK_ENABLE | flags; \ + register long arg3 __asm__ ("x2") = 0; \ + register long arg4 __asm__ ("x3") = 0; \ + register long arg5 __asm__ ("x4") = 0; \ + asm volatile("svc #0" \ + : "+r"(arg1) \ + : "r"(arg2), "r"(arg3), "r"(arg4), "r"(arg5), "r"(num) \ + : "memory", "cc"); \ + if (arg1) { \ + errno = -arg1; \ + perror("PR_SET_SHADOW_STACK_STATUS"); \ + exit(2); \ + } \ + } while (0) + +#define gcspr() \ + ({ uint64_t *r; asm volatile("mrs %0, s3_3_c2_c5_1" : "=r"(r)); r; }) diff --git a/tests/tcg/aarch64/gcsstr.c b/tests/tcg/aarch64/gcsstr.c new file mode 100644 index 0000000000..b045aee925 --- /dev/null +++ b/tests/tcg/aarch64/gcsstr.c @@ -0,0 +1,48 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#include "gcs.h" + +/* + * A single garbage store to the gcs stack. + * The asm inside must be unique, so disallow inlining. + */ +void __attribute__((noinline)) +test_gcsstr(void) +{ + register uint64_t *ptr __asm__("x0") = gcspr(); + /* GCSSTR x1, x0 */ + __asm__("inst_gcsstr: .inst 0xd91f1c01" : : "r"(--ptr)); +} + +static void test_sigsegv(int sig, siginfo_t *info, void *vuc) +{ + ucontext_t *uc = vuc; + uint64_t inst_gcsstr; + + __asm__("adr %0, inst_gcsstr" : "=r"(inst_gcsstr)); + assert(uc->uc_mcontext.pc == inst_gcsstr); + assert(info->si_code == SEGV_CPERR); + /* TODO: Dig for ESR and verify syndrome. */ + exit(0); +} + +int main() +{ + struct sigaction sa = { + .sa_sigaction = test_sigsegv, + .sa_flags = SA_SIGINFO, + }; + + /* Enable GCSSTR and test the store succeeds. */ + enable_gcs(PR_SHADOW_STACK_WRITE); + test_gcsstr(); + + /* Disable GCSSTR and test the resulting sigsegv. */ + enable_gcs(0); + if (sigaction(SIGSEGV, &sa, NULL) < 0) { + perror("sigaction"); + exit(1); + } + test_gcsstr(); + abort(); +} From 8f278acdce11cce89e5599bde0de76692ae1b1d6 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:12 -0700 Subject: [PATCH 72/76] tests/tcg/aarch64: Add gcspushm Validate successful and trapped executions of GCSPUSHM, GCSPOPM. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-73-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- tests/tcg/aarch64/Makefile.target | 2 +- tests/tcg/aarch64/gcspushm.c | 71 +++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 tests/tcg/aarch64/gcspushm.c diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target index 5e1b3a3385..fddb7bc9cd 100644 --- a/tests/tcg/aarch64/Makefile.target +++ b/tests/tcg/aarch64/Makefile.target @@ -76,7 +76,7 @@ $(SME_TESTS): CFLAGS += $(CROSS_AS_HAS_ARMV9_SME) endif # GCS Tests -GCS_TESTS += gcsstr +GCS_TESTS += gcsstr gcspushm AARCH64_TESTS += $(GCS_TESTS) $(GCS_TESTS): gcs.h diff --git a/tests/tcg/aarch64/gcspushm.c b/tests/tcg/aarch64/gcspushm.c new file mode 100644 index 0000000000..c330417a2f --- /dev/null +++ b/tests/tcg/aarch64/gcspushm.c @@ -0,0 +1,71 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#include "gcs.h" + + +#define GCSPUSHM "sys #3, c7, c7, #0, %[push]" +#define GCSPOPM "sysl %[pop], #3, c7, c7, #1" + +static void test_sigsegv(int sig, siginfo_t *info, void *vuc) +{ + ucontext_t *uc = vuc; + uint64_t inst_sigsegv; + + __asm__("adr %0, inst_sigsegv" : "=r"(inst_sigsegv)); + assert(uc->uc_mcontext.pc == inst_sigsegv); + assert(info->si_code == SEGV_CPERR); + /* TODO: Dig for ESR and verify syndrome. */ + uc->uc_mcontext.pc += 4; +} + +static void test_sigill(int sig, siginfo_t *info, void *vuc) +{ + ucontext_t *uc = vuc; + uint64_t inst_sigill; + + __asm__("adr %0, inst_sigill" : "=r"(inst_sigill)); + assert(uc->uc_mcontext.pc == inst_sigill); + assert(info->si_code == ILL_ILLOPC); + uc->uc_mcontext.pc += 4; +} + +int main() +{ + struct sigaction sa = { .sa_flags = SA_SIGINFO }; + uint64_t old, new; + + sa.sa_sigaction = test_sigsegv; + if (sigaction(SIGSEGV, &sa, NULL) < 0) { + perror("sigaction"); + exit(1); + } + + sa.sa_sigaction = test_sigill; + if (sigaction(SIGILL, &sa, NULL) < 0) { + perror("sigaction"); + exit(1); + } + + /* Pushm is disabled -- SIGILL via EC_SYSTEMREGISTERTRAP */ + asm volatile("inst_sigill:\t" GCSPUSHM + : : [push] "r" (1)); + + enable_gcs(PR_SHADOW_STACK_PUSH); + + /* Valid value -- low 2 bits clear */ + old = 0xdeadbeeffeedcaec; + asm volatile(GCSPUSHM "\n\t" GCSPOPM + : [pop] "=r" (new) + : [push] "r" (old) + : "memory"); + assert(old == new); + + /* Invalid value -- SIGSEGV via EC_GCS */ + asm volatile(GCSPUSHM "\n" + "inst_sigsegv:\t" GCSPOPM + : [pop] "=r" (new) + : [push] "r" (1) + : "memory"); + + exit(0); +} From af0bd678df72f6c5a00484ed6acccfcfc91577d4 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 8 Oct 2025 14:56:13 -0700 Subject: [PATCH 73/76] tests/tcg/aarch64: Add gcsss Validate stack switching and recursion depth. Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-id: 20251008215613.300150-74-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- tests/tcg/aarch64/Makefile.target | 2 +- tests/tcg/aarch64/gcs.h | 9 ++++ tests/tcg/aarch64/gcsss.c | 74 +++++++++++++++++++++++++++++++ 3 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 tests/tcg/aarch64/gcsss.c diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target index fddb7bc9cd..55ce34e45e 100644 --- a/tests/tcg/aarch64/Makefile.target +++ b/tests/tcg/aarch64/Makefile.target @@ -76,7 +76,7 @@ $(SME_TESTS): CFLAGS += $(CROSS_AS_HAS_ARMV9_SME) endif # GCS Tests -GCS_TESTS += gcsstr gcspushm +GCS_TESTS += gcsstr gcspushm gcsss AARCH64_TESTS += $(GCS_TESTS) $(GCS_TESTS): gcs.h diff --git a/tests/tcg/aarch64/gcs.h b/tests/tcg/aarch64/gcs.h index 770cde6a85..6f013d0f1e 100644 --- a/tests/tcg/aarch64/gcs.h +++ b/tests/tcg/aarch64/gcs.h @@ -69,3 +69,12 @@ #define gcspr() \ ({ uint64_t *r; asm volatile("mrs %0, s3_3_c2_c5_1" : "=r"(r)); r; }) + +#define gcsss1(val) \ + do { \ + asm volatile("sys #3, c7, c7, #2, %0" : : "r"(val) : "memory"); \ + } while (0) + +#define gcsss2() \ + ({ uint64_t *r; \ + asm volatile("sysl %0, #3, c7, c7, #3" : "=r"(r) : : "memory"); r; }) diff --git a/tests/tcg/aarch64/gcsss.c b/tests/tcg/aarch64/gcsss.c new file mode 100644 index 0000000000..9550c68e7e --- /dev/null +++ b/tests/tcg/aarch64/gcsss.c @@ -0,0 +1,74 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#include "gcs.h" + +#define IN_PROGRESS(X) ((uint64_t)(X) | 5) +#define CAP(X) (((uint64_t)(X) & ~0xfff) + 1) + +static uint64_t * __attribute__((noinline)) recurse(size_t index) +{ + if (index == 0) { + return gcspr(); + } + return recurse(index - 1); +} + +int main() +{ + void *tmp; + uint64_t *alt_stack, *alt_cap; + uint64_t *orig_pr, *orig_cap; + uint64_t *bottom; + size_t pagesize = getpagesize(); + size_t words; + + enable_gcs(0); + orig_pr = gcspr(); + + /* Allocate a guard page before and after. */ + tmp = mmap(0, 3 * pagesize, PROT_NONE, MAP_ANON | MAP_PRIVATE, -1, 0); + assert(tmp != MAP_FAILED); + + /* map_shadow_stack won't replace existing mappings */ + munmap(tmp + pagesize, pagesize); + + /* Allocate a new stack between the guards. */ + alt_stack = (uint64_t *) + syscall(__NR_map_shadow_stack, tmp + pagesize, pagesize, + SHADOW_STACK_SET_TOKEN); + assert(alt_stack == tmp + pagesize); + + words = pagesize / 8; + alt_cap = alt_stack + words - 1; + + /* SHADOW_STACK_SET_TOKEN set the cap. */ + assert(*alt_cap == CAP(alt_cap)); + + /* Swap to the alt stack, one step at a time. */ + gcsss1(alt_cap); + + assert(gcspr() == alt_cap); + assert(*alt_cap == IN_PROGRESS(orig_pr)); + + orig_cap = gcsss2(); + + assert(orig_cap == orig_pr - 1); + assert(*orig_cap == CAP(orig_cap)); + assert(gcspr() == alt_stack + words); + + /* We should be able to use the whole stack. */ + bottom = recurse(words - 1); + assert(bottom == alt_stack); + + /* We should be back where we started. */ + assert(gcspr() == alt_stack + words); + + /* Swap back to the original stack. */ + gcsss1(orig_cap); + tmp = gcsss2(); + + assert(gcspr() == orig_pr); + assert(tmp == alt_cap); + + exit(0); +} From 8f6dd8f78aa961dbc9a02b01b6abe316f37d2766 Mon Sep 17 00:00:00 2001 From: Gustavo Romero Date: Mon, 6 Oct 2025 00:10:16 +0000 Subject: [PATCH 74/76] target/arm: Add a cpreg flag to indicate no trap in NV Add a new flag, ARM_CP_NV_NO_TRAP, to indicate that a CP register, even though it has opc1 == 4 or 5, does not trap when nested virtualization is enabled (FEAT_NV/FEAT_NV2). Signed-off-by: Gustavo Romero Message-id: 20251006001018.219756-2-gustavo.romero@linaro.org [PMM: tweaked comment text] Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell --- target/arm/cpregs.h | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h index 732c07506d..763de5e051 100644 --- a/target/arm/cpregs.h +++ b/target/arm/cpregs.h @@ -144,6 +144,11 @@ enum { * identically to the normal one, other than FGT trapping handling.) */ ARM_CP_ADD_TLBI_NXS = 1 << 21, + /* + * Flag: even though this sysreg has opc1 == 4 or 5, it + * should not trap to EL2 when HCR_EL2.NV is set. + */ + ARM_CP_NV_NO_TRAP = 1 << 22, }; /* @@ -1178,12 +1183,17 @@ static inline bool arm_cpreg_traps_in_nv(const ARMCPRegInfo *ri) * fragile to future new sysregs, but this seems the least likely * to break. * - * In particular, note that the released sysreg XML defines that - * the FEAT_MEC sysregs and instructions do not follow this FEAT_NV - * trapping rule, so we will need to add an ARM_CP_* flag to indicate - * "register does not trap on NV" to handle those if/when we implement - * FEAT_MEC. + * In particular, note that the FEAT_MEC sysregs and instructions + * are exceptions to this trapping rule, so they are marked as + * ARM_CP_NV_NO_TRAP to indicate that they should not be trapped + * to EL2. (They are an exception because the FEAT_MEC sysregs UNDEF + * unless in Realm, and Realm is not expected to be virtualized.) */ + + if (ri->type & ARM_CP_NV_NO_TRAP) { + return false; + } + return ri->opc1 == 4 || ri->opc1 == 5; } From 700f08d5829f3736fdfafe92d8223254ffc9c495 Mon Sep 17 00:00:00 2001 From: Gustavo Romero Date: Mon, 6 Oct 2025 00:10:17 +0000 Subject: [PATCH 75/76] target/arm: Implement FEAT_MEC registers Add all FEAT_MEC registers. Enable access to the registers via the SCTLR2 and TCR2 control bits. Add the two new cache management instructions, which are nops in QEMU because we do not model caches. Message-ID: <20250711140828.1714666-3-gustavo.romero@linaro.org> Reviewed-by: Richard Henderson Reviewed-by: Peter Maydell Signed-off-by: Richard Henderson Signed-off-by: Gustavo Romero Message-id: 20251006001018.219756-3-gustavo.romero@linaro.org [rth: Squash 3 patches to add all registers at once.] Signed-off-by: Richard Henderson Signed-off-by: Gustavo Romero Signed-off-by: Peter Maydell --- target/arm/cpu-features.h | 5 ++ target/arm/cpu.c | 3 ++ target/arm/cpu.h | 10 ++++ target/arm/helper.c | 108 ++++++++++++++++++++++++++++++++++++++ target/arm/internals.h | 3 ++ 5 files changed, 129 insertions(+) diff --git a/target/arm/cpu-features.h b/target/arm/cpu-features.h index 0f0a112c21..37f1eca3af 100644 --- a/target/arm/cpu-features.h +++ b/target/arm/cpu-features.h @@ -1364,6 +1364,11 @@ static inline bool isar_feature_aa64_s2pie(const ARMISARegisters *id) return FIELD_EX64_IDREG(id, ID_AA64MMFR3, S2PIE) != 0; } +static inline bool isar_feature_aa64_mec(const ARMISARegisters *id) +{ + return FIELD_EX64_IDREG(id, ID_AA64MMFR3, MEC) != 0; +} + static inline bool isar_feature_aa64_pmuv3p1(const ARMISARegisters *id) { return FIELD_EX64_IDREG(id, ID_AA64DFR0, PMUVER) >= 4 && diff --git a/target/arm/cpu.c b/target/arm/cpu.c index 11e7c10cef..3b556f1404 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -652,6 +652,9 @@ void arm_emulate_firmware_reset(CPUState *cpustate, int target_el) cpu_isar_feature(aa64_s2pie, cpu)) { env->cp15.scr_el3 |= SCR_PIEN; } + if (cpu_isar_feature(aa64_mec, cpu)) { + env->cp15.scr_el3 |= SCR_MECEN; + } } if (target_el == 2) { diff --git a/target/arm/cpu.h b/target/arm/cpu.h index 91a851dac1..1d4e13320c 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -583,6 +583,15 @@ typedef struct CPUArchState { uint64_t gcscr_el[4]; /* GCSCRE0_EL1, GCSCR_EL[123] */ uint64_t gcspr_el[4]; /* GCSPR_EL[0123] */ + + /* MEC registers */ + uint64_t mecid_p0_el2; + uint64_t mecid_a0_el2; + uint64_t mecid_p1_el2; + uint64_t mecid_a1_el2; + uint64_t mecid_rl_a_el3; + uint64_t vmecid_p_el2; + uint64_t vmecid_a_el2; } cp15; struct { @@ -1728,6 +1737,7 @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask) #define SCR_SCTLR2EN (1ULL << 44) #define SCR_PIEN (1ULL << 45) #define SCR_GPF (1ULL << 48) +#define SCR_MECEN (1ULL << 49) #define SCR_NSE (1ULL << 62) /* GCSCR_ELx fields */ diff --git a/target/arm/helper.c b/target/arm/helper.c index 0077788e1e..167f2909b3 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -779,6 +779,9 @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) cpu_isar_feature(aa64_s2pie, cpu)) { valid_mask |= SCR_PIEN; } + if (cpu_isar_feature(aa64_mec, cpu)) { + valid_mask |= SCR_MECEN; + } } else { valid_mask &= ~(SCR_RW | SCR_ST); if (cpu_isar_feature(aa32_ras, cpu)) { @@ -5088,6 +5091,96 @@ static const ARMCPRegInfo nmi_reginfo[] = { .resetfn = arm_cp_reset_ignore }, }; +static CPAccessResult mecid_access(CPUARMState *env, + const ARMCPRegInfo *ri, bool isread) +{ + int el = arm_current_el(env); + + if (el == 2) { + if (arm_security_space(env) != ARMSS_Realm) { + return CP_ACCESS_UNDEFINED; + } + + if (!(env->cp15.scr_el3 & SCR_MECEN)) { + return CP_ACCESS_TRAP_EL3; + } + } + + return CP_ACCESS_OK; +} + +static void mecid_write(CPUARMState *env, const ARMCPRegInfo *ri, + uint64_t value) +{ + value = extract64(value, 0, MECID_WIDTH); + raw_write(env, ri, value); +} + +static CPAccessResult cipae_access(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) +{ + switch (arm_security_space(env)) { + case ARMSS_Root: /* EL3 */ + case ARMSS_Realm: /* Realm EL2 */ + return CP_ACCESS_OK; + default: + return CP_ACCESS_UNDEFINED; + } +} + +static const ARMCPRegInfo mec_reginfo[] = { + { .name = "MECIDR_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .opc2 = 7, .crn = 10, .crm = 8, + .access = PL2_R, .type = ARM_CP_CONST | ARM_CP_NV_NO_TRAP, + .resetvalue = MECID_WIDTH - 1 }, + { .name = "MECID_P0_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .opc2 = 0, .crn = 10, .crm = 8, + .access = PL2_RW, .type = ARM_CP_NV_NO_TRAP, + .accessfn = mecid_access, .writefn = mecid_write, + .fieldoffset = offsetof(CPUARMState, cp15.mecid_p0_el2) }, + { .name = "MECID_A0_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .opc2 = 1, .crn = 10, .crm = 8, + .access = PL2_RW, .type = ARM_CP_NV_NO_TRAP, + .accessfn = mecid_access, .writefn = mecid_write, + .fieldoffset = offsetof(CPUARMState, cp15.mecid_a0_el2) }, + { .name = "MECID_P1_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .opc2 = 2, .crn = 10, .crm = 8, + .access = PL2_RW, .type = ARM_CP_NV_NO_TRAP, + .accessfn = mecid_access, .writefn = mecid_write, + .fieldoffset = offsetof(CPUARMState, cp15.mecid_p1_el2) }, + { .name = "MECID_A1_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .opc2 = 3, .crn = 10, .crm = 8, + .access = PL2_RW, .type = ARM_CP_NV_NO_TRAP, + .accessfn = mecid_access, .writefn = mecid_write, + .fieldoffset = offsetof(CPUARMState, cp15.mecid_a1_el2) }, + { .name = "MECID_RL_A_EL3", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 6, .opc2 = 1, .crn = 10, .crm = 10, + .access = PL3_RW, .accessfn = mecid_access, + .writefn = mecid_write, + .fieldoffset = offsetof(CPUARMState, cp15.mecid_rl_a_el3) }, + { .name = "VMECID_P_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .opc2 = 0, .crn = 10, .crm = 9, + .access = PL2_RW, .type = ARM_CP_NV_NO_TRAP, + .accessfn = mecid_access, .writefn = mecid_write, + .fieldoffset = offsetof(CPUARMState, cp15.vmecid_p_el2) }, + { .name = "VMECID_A_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .opc2 = 1, .crn = 10, .crm = 9, + .access = PL2_RW, .type = ARM_CP_NV_NO_TRAP, + .accessfn = mecid_access, .writefn = mecid_write, + .fieldoffset = offsetof(CPUARMState, cp15.vmecid_a_el2) }, + { .name = "DC_CIPAE", .state = ARM_CP_STATE_AA64, + .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 14, .opc2 = 0, + .access = PL2_W, .type = ARM_CP_NOP | ARM_CP_NV_NO_TRAP, + .accessfn = cipae_access }, +}; + +static const ARMCPRegInfo mec_mte_reginfo[] = { + { .name = "DC_CIGDPAE", .state = ARM_CP_STATE_AA64, + .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 14, .opc2 = 7, + .access = PL2_W, .type = ARM_CP_NOP | ARM_CP_NV_NO_TRAP, + .accessfn = cipae_access }, +}; + #ifndef CONFIG_USER_ONLY /* * We don't know until after realize whether there's a GICv3 @@ -5930,6 +6023,9 @@ static void sctlr2_el2_write(CPUARMState *env, const ARMCPRegInfo *ri, { uint64_t valid_mask = 0; + if (cpu_isar_feature(aa64_mec, env_archcpu(env))) { + valid_mask |= SCTLR2_EMEC; + } value &= valid_mask; raw_write(env, ri, value); } @@ -5939,6 +6035,9 @@ static void sctlr2_el3_write(CPUARMState *env, const ARMCPRegInfo *ri, { uint64_t valid_mask = 0; + if (cpu_isar_feature(aa64_mec, env_archcpu(env))) { + valid_mask |= SCTLR2_EMEC; + } value &= valid_mask; raw_write(env, ri, value); } @@ -6009,6 +6108,9 @@ static void tcr2_el2_write(CPUARMState *env, const ARMCPRegInfo *ri, if (cpu_isar_feature(aa64_s1pie, cpu)) { valid_mask |= TCR2_PIE; } + if (cpu_isar_feature(aa64_mec, env_archcpu(env))) { + valid_mask |= TCR2_AMEC0 | TCR2_AMEC1; + } value &= valid_mask; raw_write(env, ri, value); } @@ -7325,6 +7427,12 @@ void register_cp_regs_for_features(ARMCPU *cpu) if (cpu_isar_feature(aa64_s2pie, cpu)) { define_arm_cp_regs(cpu, s2pie_reginfo); } + if (cpu_isar_feature(aa64_mec, cpu)) { + define_arm_cp_regs(cpu, mec_reginfo); + if (cpu_isar_feature(aa64_mte, cpu)) { + define_arm_cp_regs(cpu, mec_mte_reginfo); + } + } if (cpu_isar_feature(any_predinv, cpu)) { define_arm_cp_regs(cpu, predinv_reginfo); diff --git a/target/arm/internals.h b/target/arm/internals.h index 2a85ab762d..f539bbe58e 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -1903,4 +1903,7 @@ void cpsr_write_from_spsr_elx(CPUARMState *env, uint32_t val); /* Compare uint64_t for qsort and bsearch. */ int compare_u64(const void *a, const void *b); +/* Used in FEAT_MEC to set the MECIDWidthm1 field in the MECIDR_EL2 register. */ +#define MECID_WIDTH 16 + #endif From 00936783abf77ebb47a78312a2e6500c6a13d938 Mon Sep 17 00:00:00 2001 From: Gustavo Romero Date: Mon, 6 Oct 2025 00:10:18 +0000 Subject: [PATCH 76/76] target/arm: Enable FEAT_MEC in -cpu max Advertise FEAT_MEC in AA64MMFR3 ID register for the Arm64 cpu max as a first step to fully support FEAT_MEC. The FEAT_MEC is an extension to FEAT_RME that implements multiple Memory Encryption Contexts (MEC) so the memory in a realm can be encrypted and accessing it from the wrong encryption context is not possible. An encryption context allow the selection of a memory encryption engine. At this point, no real memory encryption is supported, but software stacks that rely on FEAT_MEC should work properly. Reviewed-by: Richard Henderson Reviewed-by: Peter Maydell Signed-off-by: Richard Henderson Signed-off-by: Gustavo Romero Message-id: 20251006001018.219756-4-gustavo.romero@linaro.org Message-ID: <20250711140828.1714666-7-gustavo.romero@linaro.org> Signed-off-by: Richard Henderson Signed-off-by: Gustavo Romero Signed-off-by: Peter Maydell --- docs/system/arm/emulation.rst | 3 +++ target/arm/tcg/cpu64.c | 1 + 2 files changed, 4 insertions(+) diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst index 4496178c48..bf81da124a 100644 --- a/docs/system/arm/emulation.rst +++ b/docs/system/arm/emulation.rst @@ -94,6 +94,9 @@ the following architecture extensions: - FEAT_LSE2 (Large System Extensions v2) - FEAT_LSE128 (128-bit Atomics) - FEAT_LVA (Large Virtual Address space) +- FEAT_MEC (Memory Encryption Contexts) + + * This is a register-only implementation without encryption. - FEAT_MixedEnd (Mixed-endian support) - FEAT_MixedEndEL0 (Mixed-endian support at EL0) - FEAT_MOPS (Standardization of memory operations) diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c index cc42dfdf56..1bffe66e81 100644 --- a/target/arm/tcg/cpu64.c +++ b/target/arm/tcg/cpu64.c @@ -1327,6 +1327,7 @@ void aarch64_max_tcg_initfn(Object *obj) t = GET_IDREG(isar, ID_AA64MMFR3); t = FIELD_DP64(t, ID_AA64MMFR3, TCRX, 1); /* FEAT_TCR2 */ t = FIELD_DP64(t, ID_AA64MMFR3, SCTLRX, 1); /* FEAT_SCTLR2 */ + t = FIELD_DP64(t, ID_AA64MMFR3, MEC, 1); /* FEAT_MEC */ t = FIELD_DP64(t, ID_AA64MMFR3, SPEC_FPACC, 1); /* FEAT_FPACC_SPEC */ t = FIELD_DP64(t, ID_AA64MMFR3, S1PIE, 1); /* FEAT_S1PIE */ t = FIELD_DP64(t, ID_AA64MMFR3, S2PIE, 1); /* FEAT_S2PIE */