Add the cpr-exec migration mode. Usage:
qemu-system-$arch -machine aux-ram-share=on ...
migrate_set_parameter mode cpr-exec
migrate_set_parameter cpr-exec-command \
<arg1> <arg2> ... -incoming <uri-1> \
migrate -d <uri-1>
The migrate command stops the VM, saves state to uri-1,
directly exec's a new version of QEMU on the same host,
replacing the original process while retaining its PID, and
loads state from uri-1. Guest RAM is preserved in place,
albeit with new virtual addresses.
The new QEMU process is started by exec'ing the command
specified by the @cpr-exec-command parameter. The first word of
the command is the binary, and the remaining words are its
arguments. The command may be a direct invocation of new QEMU,
or may be a non-QEMU command that exec's the new QEMU binary.
This mode creates a second migration channel that is not visible
to the user. At the start of migration, old QEMU saves CPR state
to the second channel, and at the end of migration, it tells the
main loop to call cpr_exec. New QEMU loads CPR state early, before
objects are created.
Because old QEMU terminates when new QEMU starts, one cannot
stream data between the two, so uri-1 must be a type,
such as a file, that accepts all data before old QEMU exits.
Otherwise, old QEMU may quietly block writing to the channel.
Memory-backend objects must have the share=on attribute, but
memory-backend-epc is not supported. The VM must be started with
the '-machine aux-ram-share=on' option, which allows anonymous
memory to be transferred in place to the new process. The memfds
are kept open across exec by clearing the close-on-exec flag, their
values are saved in CPR state, and they are mmap'd in new QEMU.
Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Link: https://lore.kernel.org/r/1759332851-370353-7-git-send-email-steven.sistare@oracle.com
Signed-off-by: Peter Xu <peterx@redhat.com>
To preserve CPR state across exec, create a QEMUFile based on a memfd, and
keep the memfd open across exec. Save the value of the memfd in an
environment variable so post-exec QEMU can find it.
These new functions are called in a subsequent patch.
Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
Link: https://lore.kernel.org/r/1759332851-370353-6-git-send-email-steven.sistare@oracle.com
[peterx: fix build for Windows]
Signed-off-by: Peter Xu <peterx@redhat.com>
Define qemu_clear_cloexec, analogous to qemu_set_cloexec.
Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/1759332851-370353-4-git-send-email-steven.sistare@oracle.com
Signed-off-by: Peter Xu <peterx@redhat.com>
Allow a notifier to be added for multiple migration modes.
To allow a notifier to appear on multiple per-node lists, use
a generic list type. We can no longer use NotifierWithReturnList,
because it shoe horns the notifier onto a single list.
Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/1759332851-370353-2-git-send-email-steven.sistare@oracle.com
Signed-off-by: Peter Xu <peterx@redhat.com>
When we unrealize a CPU object (which happens on vCPU hot-unplug), we
should destroy all the AddressSpace objects we created via calls to
cpu_address_space_init() when the CPU was realized.
Commit 24bec42f3d added a function to do this for a specific
AddressSpace, but did not add any places where the function was
called.
Since we always want to destroy all the AddressSpaces on unrealize,
regardless of the target architecture, we don't need to try to keep
track of how many are still undestroyed, or make the target
architecture code manually call a destroy function for each AS it
created. Instead we can adjust the function to always completely
destroy the whole cpu->ases array, and arrange for it to be called
during CPU unrealize as part of the common code.
Without this fix, AddressSanitizer will report a leak like this
from a run where we hot-plugged and then hot-unplugged an x86 KVM
vCPU:
Direct leak of 416 byte(s) in 1 object(s) allocated from:
#0 0x5b638565053d in calloc (/data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/qemu-system-x86_64+0x1ee153d) (BuildId: c1cd6022b195142106e1bffeca23498c2b752bca)
#1 0x7c28083f77b1 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x637b1) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x5b6386999c7c in cpu_address_space_init /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../system/physmem.c:797:25
#3 0x5b638727f049 in kvm_cpu_realizefn /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../target/i386/kvm/kvm-cpu.c:102:5
#4 0x5b6385745f40 in accel_cpu_common_realize /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../accel/accel-common.c:101:13
#5 0x5b638568fe3c in cpu_exec_realizefn /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../hw/core/cpu-common.c:232:10
#6 0x5b63874a2cd5 in x86_cpu_realizefn /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../target/i386/cpu.c:9321:5
#7 0x5b6387a0469a in device_set_realized /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../hw/core/qdev.c:494:13
#8 0x5b6387a27d9e in property_set_bool /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../qom/object.c:2375:5
#9 0x5b6387a2090b in object_property_set /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../qom/object.c:1450:5
#10 0x5b6387a35b05 in object_property_set_qobject /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../qom/qom-qobject.c:28:10
#11 0x5b6387a21739 in object_property_set_bool /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../qom/object.c:1520:15
#12 0x5b63879fe510 in qdev_realize /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../hw/core/qdev.c:276:12
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2517
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: David Hildenbrand <david@redhat.com>
Link: https://lore.kernel.org/r/20250929144228.1994037-4-peter.maydell@linaro.org
Signed-off-by: Peter Xu <peterx@redhat.com>
If an AddressSpace has been created in its own allocated
memory, cleaning it up requires first destroying the AS
and then freeing the memory. Doing this doesn't work:
address_space_destroy(as);
g_free_rcu(as, rcu);
because both address_space_destroy() and g_free_rcu()
try to use the same 'rcu' node in the AddressSpace struct
and the address_space_destroy hook gets overwritten.
Provide a new address_space_destroy_free() function which
will destroy the AS and then free the memory it uses, all
in one RCU callback.
(CC to stable because the next commit needs this function.)
Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: David Hildenbrand <david@redhat.com>
Link: https://lore.kernel.org/r/20250929144228.1994037-3-peter.maydell@linaro.org
Signed-off-by: Peter Xu <peterx@redhat.com>
address_space_destroy() doesn't actually immediately destroy the AS;
it queues it to be destroyed via RCU. This means you can't g_free()
the memory the AS struct is in until that has happened.
Clarify this in the documentation.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: David Hildenbrand <david@redhat.com>
Link: https://lore.kernel.org/r/20250929144228.1994037-2-peter.maydell@linaro.org
Signed-off-by: Peter Xu <peterx@redhat.com>
The load procedure of VFIO PCI devices involves setting up IRT
for each VFIO PCI devices. This requires determining whether an
interrupt is single-destination interrupt to decide between
Posted Interrupt(PI) or remapping mode for the IRTE. However,
determining this may require accessing the VM's APIC registers.
For example:
ioctl(vbasedev->fd, VFIO_DEVICE_SET_IRQS, irqs)
...
kvm_arch_irq_bypass_add_producer
kvm_x86_call(pi_update_irte)
vmx_pi_update_irte
kvm_intr_is_single_vcpu
If the LAPIC has not been loaded yet, interrupts will use remapping
mode. To prevent the fallback of interrupt mode, keep APIC is always
loaded prior to VFIO PCI devices.
Signed-off-by: Yicong Shen <shenyicong.1023@bytedance.com>
Signed-off-by: Yanfei Xu <yanfei.xu@bytedance.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Link: https://lore.kernel.org/r/20250818131127.1021648-1-yanfei.xu@bytedance.com
Signed-off-by: Peter Xu <peterx@redhat.com>
QCryptoTLSSession allows TLS premature termination in two cases, one of the
case is when the channel shutdown() is invoked on READ side.
It's possible the shutdown() happened after the read thread blocked at
gnutls_record_recv(). In this case, we should allow the premature
termination to happen.
The problem is by the time qcrypto_tls_session_read() was invoked,
tioc->shutdown may not have been set, so this may instead be treated as an
error if there is concurrent shutdown() calls.
To allow the flag to reflect the latest status of tioc->shutdown, move the
check upper into the QIOChannel level, so as to read the flag only after
QEMU gets an GNUTLS_E_PREMATURE_TERMINATION.
When at it, introduce qio_channel_tls_allow_premature_termination() helper
to make the condition checks easier to read. When doing so, change the
qatomic_load_acquire() to qatomic_read(): here we don't need any ordering
of memory accesses, but reading a flag. qatomic_read() would suffice
because it guarantees fetching from memory. Nothing else we should need to
order on memory access.
This patch will fix a qemu qtest warning when running the preempt tls test,
reporting premature termination:
QTEST_QEMU_BINARY=./qemu-system-x86_64 ./tests/qtest/migration-test --full -r /x86_64/migration/postcopy/preempt/tls/psk
...
qemu-kvm: Cannot read from TLS channel: The TLS connection was non-properly terminated.
...
In this specific case, the error was set by postcopy_preempt_thread, which
normally will be concurrently shutdown()ed by the main thread.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Juraj Marcin <jmarcin@redhat.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20250918203937.200833-2-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
- We need to have good error reporting in the callbacks in
VMStateDescription struct. Specifically pre_save, pre_load
and post_load callbacks.
- It is not possible to change these functions everywhere in one
patch, therefore, we introduce a duplicate set of callbacks
with Error object passed to them.
- So, in this commit, we implement 'errp' variants of these callbacks,
introducing an explicit Error object parameter.
- This is a functional step towards transitioning the entire codebase
to the new error-parameterized functions.
- Deliberately called in mutual exclusion from their counterparts,
to prevent conflicts during the transition.
- New impls should preferentally use 'errp' variants of
these methods, and existing impls incrementally converted.
The variants without 'errp' are intended to be removed
once all usage is converted.
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Arun Menon <armenon@redhat.com>
Tested-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Link: https://lore.kernel.org/r/20250918-propagate_tpm_error-v14-26-36f11a6fb9d3@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
This commit removes the redundant vmstate_save_state_with_err()
function.
Previously, commit 969298f9d7 introduced vmstate_save_state_with_err()
to handle error propagation, while vmstate_save_state() existed for
non-error scenarios.
This is because there were code paths where vmstate_save_state_v()
(called internally by vmstate_save_state) did not explicitly set
errors on failure.
This change unifies error handling by
- updating vmstate_save_state() to accept an Error **errp argument.
- vmstate_save_state_v() ensures errors are set directly within the errp
object, eliminating the need for two separate functions.
All calls to vmstate_save_state_with_err() are replaced with
vmstate_save_state(). This simplifies the API and improves code
maintainability.
vmstate_save_state() that only calls vmstate_save_state_v(),
by inference, also has errors set in errp in case of failure.
The errors are reported using error_report_err().
If we want the function to exit on error, then &error_fatal is
passed.
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Arun Menon <armenon@redhat.com>
Tested-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Link: https://lore.kernel.org/r/20250918-propagate_tpm_error-v14-24-36f11a6fb9d3@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
This is an incremental step in converting vmstate loading
code to report error via Error objects instead of directly
printing it to console/monitor.
It is ensured that loadvm_process_enable_colo() must report an error
in errp, in case of failure.
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Arun Menon <armenon@redhat.com>
Tested-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Link: https://lore.kernel.org/r/20250918-propagate_tpm_error-v14-21-36f11a6fb9d3@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
This is an incremental step in converting vmstate loading
code to report error via Error objects instead of directly
printing it to console/monitor.
It is ensured that vmstate_load_state() must report an error
in errp, in case of failure.
The errors are temporarily reported using error_report_err().
This is removed in the subsequent patches in this series,
when we are actually able to propagate the error to the calling
function using errp. Whereas, if we want the function to exit on
error, then error_fatal is passed.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Arun Menon <armenon@redhat.com>
Tested-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Link: https://lore.kernel.org/r/20250918-propagate_tpm_error-v14-2-36f11a6fb9d3@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
Bindgen makes the LOG_* constants unsigned, even if they are defined as
(1 << 15):
pub const LOG_TRACE: u32 = 32768;
Make them unsigned in C as well through the BIT() macro, and also change
the type of the variable that they are used with.
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <20250929154938.594389-14-pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
We added @error_warn some two years ago in commit 3ffef1a55c (error:
add global &error_warn destination). It has multiple issues:
* error.h's big comment was not updated for it.
* Function contracts were not updated for it.
* ERRP_GUARD() is unaware of @error_warn, and fails to mask it from
error_prepend() and such. These crash on @error_warn, as pointed
out by Akihiko Odaki.
All fixable. However, after more than two years, we had just of 15
uses, of which the last few patches removed seven as unclean or
otherwise undesirable, adding back five elsewhere. I didn't look
closely enough at the remaining seven to decide whether they are
desirable or not.
I don't think this feature earns its keep. Drop it.
Thanks-to: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Message-ID: <20250923091000.3180122-14-armbru@redhat.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
HMP command gdbserver used to emit two error messages for certain
errors. For instance, with -M none:
(qemu) gdbserver
gdbstub: meaningless to attach gdb to a machine without any CPU.
Could not open gdbserver on device 'tcp::1234'
The first message is the specific error, and the second one a generic
additional message that feels superfluous to me.
Commit c0e6b8b798 (system: propagate Error to gdbserver_start (and
other device setups)) turned the first message into a warning:
warning: gdbstub: meaningless to attach gdb to a machine without any CPU.
Could not open gdbserver on device 'tcp::1234'
This is arguably worse.
hmp_gdbserver() passes &error_warn to gdbserver_start(), so that
failure gets reported as warning, and then additionally emits the
generic error on failure. This is a misuse of &error_warn.
Instead, receive the error in &err and report it, as usual. With
this, gdbserver reports just the error:
gdbstub: meaningless to attach gdb to a machine without any CPU.
Cc: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20250923091000.3180122-2-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
* Introduce a new ASPEED OTP memory device model integrated with the
Secure Boot Controller. It includes a new block device backend
('drive' property), is enabled for AST2600 SoCs and AST1030 SoCs.
Functional tests are included
* Changed "ast2700-evb" alias to point to the "ast2700a1-evb" machine
* Introduce support for Aspeed PCIe host controller, including models
for the PCIe Root Complex, Root Port, and PHY. Enabled for the
AST2600 and AST2700 SoCs, and functional tests are included
* Refactor Boot ROM support to improve code reuse across the different
Aspeed machine. This is in preparation of vbootrom support in the
ast2700fc machine
* Improved Error Handling in the AST27x0-fc machine init functions
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEoPZlSPBIlev+awtgUaNDx8/77KEFAmjauRoACgkQUaNDx8/7
7KGAxA//YdPPGf8vKhPeblUt0/3760GGhI17TBWJFVZP/aZYcIiE0oRxo5zH0Lne
YjwFKTtx7GXzbE2wqVCLSt/VPDAEMk6wZGwGvMbmeydssyNjbPuF79+EVYnFsUrQ
Zkm8YPf/qFcKYFxp8O5GTKedAu70AFDMkFwy2xuBRqE5v0RQJe20+EHaiEC8S+3a
z5PIZJ74J3m4d+h+BlIHoiPe7hwTiyQ8V4rrWKWupwqDBExZfgNGX0zGPZDOlwOo
bpV38gb0ugyG93/FJSXyXQqiiH5h+10CaSzc1QuytYtQXAM2qj60Kh86YruTsbLu
g3TUz+jOgDatTk/MhH8q/gtwDjmqcygGeybbMJZeCzhq1qLIFgJW2KwPNwj8eHCd
7jZp6NT9GekVMB+FghApWjc63EozKveJ3wzyHE481GGF7TgvuVF1Km+dVHNPjpBz
pjXgIeKmDl0hmgGp3Se9S8B1ryWK3+KvuNoKe63UK/NMCkSXF3xTerkU1evJjIrp
B9Tus7kLRqbDGWPyprp1d7Jv6MKJ6sELKvGHlalMcnzo4vAvQu1RB5s1kYqsCGlY
414Bc2v/YdkLxQGU6hCp1rABq3sIdWVzxRJ4c0XalRNZBkOmlsy1p5FaG5RXQdhz
Gm27nzDAWBeNmWD6Jjjj6VwWmqBbSO4M4mYVTMnTfEaO7y/l1d4=
=7BzG
-----END PGP SIGNATURE-----
Merge tag 'pull-aspeed-20250929' of https://github.com/legoater/qemu into staging
aspeed queue:
* Introduce a new ASPEED OTP memory device model integrated with the
Secure Boot Controller. It includes a new block device backend
('drive' property), is enabled for AST2600 SoCs and AST1030 SoCs.
Functional tests are included
* Changed "ast2700-evb" alias to point to the "ast2700a1-evb" machine
* Introduce support for Aspeed PCIe host controller, including models
for the PCIe Root Complex, Root Port, and PHY. Enabled for the
AST2600 and AST2700 SoCs, and functional tests are included
* Refactor Boot ROM support to improve code reuse across the different
Aspeed machine. This is in preparation of vbootrom support in the
ast2700fc machine
* Improved Error Handling in the AST27x0-fc machine init functions
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEoPZlSPBIlev+awtgUaNDx8/77KEFAmjauRoACgkQUaNDx8/7
# 7KGAxA//YdPPGf8vKhPeblUt0/3760GGhI17TBWJFVZP/aZYcIiE0oRxo5zH0Lne
# YjwFKTtx7GXzbE2wqVCLSt/VPDAEMk6wZGwGvMbmeydssyNjbPuF79+EVYnFsUrQ
# Zkm8YPf/qFcKYFxp8O5GTKedAu70AFDMkFwy2xuBRqE5v0RQJe20+EHaiEC8S+3a
# z5PIZJ74J3m4d+h+BlIHoiPe7hwTiyQ8V4rrWKWupwqDBExZfgNGX0zGPZDOlwOo
# bpV38gb0ugyG93/FJSXyXQqiiH5h+10CaSzc1QuytYtQXAM2qj60Kh86YruTsbLu
# g3TUz+jOgDatTk/MhH8q/gtwDjmqcygGeybbMJZeCzhq1qLIFgJW2KwPNwj8eHCd
# 7jZp6NT9GekVMB+FghApWjc63EozKveJ3wzyHE481GGF7TgvuVF1Km+dVHNPjpBz
# pjXgIeKmDl0hmgGp3Se9S8B1ryWK3+KvuNoKe63UK/NMCkSXF3xTerkU1evJjIrp
# B9Tus7kLRqbDGWPyprp1d7Jv6MKJ6sELKvGHlalMcnzo4vAvQu1RB5s1kYqsCGlY
# 414Bc2v/YdkLxQGU6hCp1rABq3sIdWVzxRJ4c0XalRNZBkOmlsy1p5FaG5RXQdhz
# Gm27nzDAWBeNmWD6Jjjj6VwWmqBbSO4M4mYVTMnTfEaO7y/l1d4=
# =7BzG
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 29 Sep 2025 09:51:38 AM PDT
# gpg: using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <clg@redhat.com>" [full]
# gpg: aka "Cédric Le Goater <clg@kaod.org>" [full]
* tag 'pull-aspeed-20250929' of https://github.com/legoater/qemu: (32 commits)
hw/arm/aspeed_ast27x0-fc: Make sub-init functions return bool with errp
hw/arm/aspeed_ast27x0-fc: Drop dead return checks
hw/arm/aspeed: Move aspeed_load_vbootrom to common SoC code
hw/arm/aspeed: Move aspeed_install_boot_rom to common SoC code
hw/arm/aspeed: Move write_boot_rom to common SoC code
hw/arm/aspeed: Move aspeed_board_init_flashes() to common SoC code
tests/functional/arm/test_aspeed_ast2600: Add PCIe and network test
hw/arm/aspeed_ast27x0: Introduce 3 PCIe RCs for AST2700
hw/pci-host/aspeed: Disable Root Device and place Root Port at 00:00.0 to AST2700
hw/pci-host/aspeed: Add AST2700 PCIe config with dedicated H2X blocks
hw/pci-host/aspeed: Add AST2700 PCIe PHY
hw/arm/aspeed_ast2600: Add PCIe RC support (RC_H only)
hw/arm/aspeed: Wire up PCIe devices in SoC model
hw/pci-host/aspeed: Add MSI support and per-RC IOMMU address space
hw/pci-host/aspeed: Add AST2600 PCIe Root Port and make address configurable
hw/pci-host/aspeed: Add AST2600 PCIe Root Device support
hw/pci-host/aspeed: Add AST2600 PCIe config space and host bridge
hw/pci-host/aspeed: Add AST2600 PCIe PHY model
hw/pci/pci_ids: Add PCI vendor ID for ASPEED
tests/functional/arm: Add AST2600 boot test with generated OTP image
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Move the vbootrom loader helper into common SoC code so it can be reused
by all ASPEED boards, and decouple the API from AspeedMachineState.
Specifically:
- Move aspeed_load_vbootrom() to hw/arm/aspeed_soc_common.c and
declare it in include/hw/arm/aspeed_soc.h.
- Change the helper’s signature to take AspeedSoCState * instead of
AspeedMachineState *.
- Update aspeed_machine_init() call sites accordingly.
No functional change.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250925050535.2657256-5-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Move the boot ROM install helper into common SoC code so it can be reused
by all ASPEED boards, and decouple the API from AspeedMachineState.
Specifically:
- Move aspeed_install_boot_rom() to hw/arm/aspeed_soc_common.c and
declare it in include/hw/arm/aspeed_soc.h.
- Change the helper’s signature to take AspeedSoCState * and a
MemoryRegion * provided by the caller, instead of AspeedMachineState *.
- Update aspeed_machine_init() call sites accordingly.
No functional change.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250925050535.2657256-4-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Move the write_boot_rom helper from hw/arm/aspeed.c into
hw/arm/aspeed_soc_common.c so it can be reused by all ASPEED
machines. Export the API as aspeed_write_boot_rom() in
include/hw/arm/aspeed_soc.h and update the existing call site
to use the new helper.
No functional change.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250925050535.2657256-3-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Add PCIe Root Complex support to the AST2700 SoC model.
The AST2700 A1 silicon revision provides three PCIe Root Complexes:
PCIe0 with its PHY at 0x12C15000, config (H2X) block at 0x120E0000,
MMIO window at 0x60000000, and GIC IRQ 56.
PCIe1 with its PHY at 0x12C15800, config (H2X) block at 0x120F0000,
MMIO window at 0x80000000, and GIC IRQ 57.
PCIe2 with its PHY at 0x14C1C000, config (H2X) block at 0x140D0000,
MMIO window at 0xA0000000, and IRQ routed through INTC4 bit 31
mapped to GIC IRQ 196.
Each RC instantiates a PHY device, a PCIe config (H2X) bridge, and an MMIO
alias region. The per-RC MMIO alias size is 0x20000000. The AST2700 A0
silicon revision does not support PCIe Root Complexes, so pcie_num is set
to 0 in that variant.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-13-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Introduce PCIe config (H2X) support for the AST2700 SoC.
Unlike the AST2600, the AST2700 provides three independent Root Complexes,
each with its own H2X (AHB to PCIe bridge) register block of size 0x100.
All RCs use the same MSI address (0x000000F0). The H2X block includes
two different access paths:
1. CFGI (internal bridge): used to access the host bridge itself, always
with BDF=0. The AST2700 controller simplifies the design by exposing
only one register (H2X_CFGI_TLP) with fields for ADDR[15:0], BEN[19:16],
and WR[20]. This is not a full TLP descriptor as in the external case.
For QEMU readability and code reuse, the model converts H2X_CFGI_TLP
into a standard TLP TX descriptor with BDF forced to 0 and then calls
the existing helpers aspeed_pcie_cfg_readwrite() and
aspeed_pcie_cfg_translate_write().
2. CFGE (external EP access): used to access external endpoints. The
AST2700 design provides H2X_CFGE_TLP1 and a small FIFO at H2X_CFGE_TLPN.
For reads, TX DESC0 is stored in TLP1 and DESC1/DESC2 in TLPN FIFO
slots. For writes, TX DESC0 is stored in TLP1, DESC1/DESC2 in TLPN
FIFO[0..1], and TX write data in TLPN FIFO[2].
The implementation extends AspeedPCIECfgState with a small FIFO and index,
wires up new register definitions for AST2700, and adds a specific ops
table and class (TYPE_ASPEED_2700_PCIE_CFG). The reset handler clears the
FIFO state. Interrupt and MSI status registers are also supported.
This provides enough modeling for firmware and drivers to use any of the
three PCIe RCs on AST2700 with their own dedicated H2X config window,
while reusing existing TLP decode helpers in QEMU.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-11-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Introduce a PCIe Host Controller PHY model for AST2700. This adds an
AST2700 specific PHY type (TYPE_ASPEED_2700_PCIE_PHY) with a 0x800 byte
register space and link-status bits compatible with the firmware’s
expectations.
AST2700 provides three PCIe RCs; PCIe0 and PCIe1 are GEN4, PCIe2 is
GEN2. The PHY exposes:
PEHR_2700_LINK_GEN2 at 0x344, bit 18 indicates GEN2 link up
PEHR_2700_LINK_GEN4 at 0x358, bit 8 indicates GEN4 link up
In real hardware these GEN2/GEN4 link bits are mutually exclusive.
QEMU does not model GEN2 vs GEN4 signaling differences, so the reset
handler sets both bits to 1. This keeps the model simple and lets
firmware see the link as up; firmware will read the appropriate
register per RC port to infer the intended mode.
The header gains TYPE_ASPEED_2700_PCIE_PHY; the new class derives from
TYPE_ASPEED_PCIE_PHY, sets nr_regs to 0x800 >> 2, and installs an
AST2700 reset routine that programs the class code (0x06040011) and the
GEN2/GEN4 status bits.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-10-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Wire up the PCIe Root Complex in the AST2600 SoC model.
According to the AST2600 firmware driver, only the RC_H controller is
supported. RC_H uses PCIe PHY1 at 0x1e6ed200 and the PCIe config (H2X)
register block at 0x1e770000. The RC_H MMIO window is mapped at
0x70000000–0x80000000. RC_L is not modeled. The RC_H interrupt is
wired to IRQ 168. Only RC_H is realized and connected to the SoC
interrupt controller.
The SoC integration initializes PCIe PHY1, instantiates a single RC
instance, wires its MMIO regions, and connects its interrupt. An alias
region is added to map the RC MMIO space into the guest physical address
space.
This provides enough functionality for firmware and guest drivers to
discover and use the AST2600 RC_H Root Complex while leaving RC_L
unimplemented.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-9-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Add PCIe controller and PHY instances to the Aspeed SoC state and device
enum. This prepares the SoC model to host PCIe Root Complexes and their
associated PHYs.
Although the AST2600 supports only a single Root Complex, the AST2700
provides three Root Complexes. For this reason, the model defines arrays
of three PCIe config/PHY objects and enumerates three PCIe device IDs so
that both SoCs can be represented consistently.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-8-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Add MSI support to the ASPEED PCIe RC/Config model and introduce a per-RC
"IOMMU root" address space to correctly route MSI writes.
On AST2700 all RCs use the same MSI address, and the MSI target is PCI
system memory (not normal DRAM). If the MSI window were mapped into real
system RAM, an endpoint's write could be observed by other RCs and
spuriously trigger their interrupts. To avoid this, each RC now owns an
isolated IOMMU root AddressSpace that contains a small MSI window and a
DRAM alias region for normal DMA.
The MSI window captures writes and asserts the RC IRQ. MSI status bits
are tracked in new H2X RC_H registers (R_H2X_RC_H_MSI_EN{0,1} and
R_H2X_RC_H_MSI_STS{0,1}). Clearing all status bits drops the IRQ. The
default MSI address is set to 0x1e77005c and can be overridden via the
msi-addr property.
This keeps MSI traffic contained within each RC while preserving normal
DMA to system DRAM. It enables correct MSI/MSI-X interrupt delivery when
multiple RCs use the same MSI target address.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-7-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Introduce an ASPEED PCIe Root Port and wire it under the RC. The root port
is modeled as TYPE_ASPEED_PCIE_ROOT_PORT (subclass of TYPE_PCIE_ROOT_PORT).
Key changes:
- Add TYPE_ASPEED_PCIE_ROOT_PORT (PCIESlot-based) with vendor/device IDs
and AER capability offset.
- Extend AspeedPCIERcState to embed a root_port instance and a
configurable rp_addr.
- Add "rp-addr" property to the RC to place the root port at a specific
devfn on the root bus.
- Set the root port's "chassis" property to ensure a unique chassis per RC.
- Extend AspeedPCIECfgClass with rc_rp_addr defaulting to PCI_DEVFN(8,0).
Rationale:
- AST2600 places the root port at 80:08.0 (bus 0x80, dev 8, fn 0).
- AST2700 must place the root port at 00:00.0, and it supports three RCs.
Each root port must therefore be uniquely identifiable; uses the
PCIe "chassis" ID for that.
- Providing a configurable "rp-addr" lets platforms select the correct
devfn per SoC family, while the "chassis" property ensures uniqueness
across multiple RC instances on AST2700.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-6-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Introduce a PCIe Root Device for AST2600 platform.
The AST2600 root complex exposes a PCIe root device at bus 80, devfn 0.
This root device is implemented as a child of the PCIe RC and modeled
as a host bridge PCI function (class_id = PCI_CLASS_BRIDGE_HOST).
Key changes:
- Add a new device type "aspeed.pcie-root-device".
- Instantiate the root device as part of AspeedPCIERcState.
- Initialize it during RC realize() and attach it to the root bus.
- Mark the root device as non-user-creatable.
- Add RC boolean property "has-rd" to control whether the Root Device is
created (platforms can enable/disable it as needed).
Note: Only AST2600 implements this PCIe root device. AST2700 does not
provide one.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-5-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Introduce PCIe config and host bridge model for the AST2600 platform.
This patch adds support for the H2X (AHB to PCIe Bus Bridge) controller
with a 0x100 byte register space. The register layout is shared between
two root complexes: 0x00–0x7f is common, 0x80–0xbf for RC_L, and 0xc0–0xff
for RC_H. Only RC_H is modeled in this implementation.
The RC_H bus uses bus numbers in the 0x80–0xff range instead of the
standard root bus 0x00. To allow the PCI subsystem to discover devices,
the host bridge logic remaps the root bus number back to 0x00 whenever the
configured bus number matches the "bus-nr" property.
New MMIO callbacks are added for the H2X config space:
- aspeed_pcie_cfg_read() and aspeed_pcie_cfg_write() handle register
accesses.
- aspeed_pcie_cfg_readwrite() provides configuration read/write support.
- aspeed_pcie_cfg_translate_write() handles PCIe byte-enable semantics for
write operations.
The reset handler initializes the H2X register block with default values
as defined in the AST2600 datasheet.
Additional changes:
- Implement ASPEED PCIe root complex (TYPE_ASPEED_PCIE_RC).
- Wire up interrupt propagation via aspeed_pcie_rc_set_irq().
- Add tracepoints for config read/write and INTx handling.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-4-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
This patch introduces an initial ASPEED PCIe PHY/host controller model to
support the AST2600 SoC. It provides a simple register block with MMIO
read/write callbacks, integration into the build system, and trace events
for debugging.
Key changes:
1. PCIe PHY MMIO read/write callbacks
Implemented aspeed_pcie_phy_read() and aspeed_pcie_phy_write() to
handle 32-bit register accesses.
2. Build system and Kconfig integration
Added CONFIG_PCI_EXPRESS_ASPEED in hw/pci-host/Kconfig and meson
rules.
Updated ASPEED_SOC in hw/arm/Kconfig to imply PCI_DEVICES and select
PCI_EXPRESS_ASPEED.
3. Trace events for debug
New tracepoints aspeed_pcie_phy_read and aspeed_pcie_phy_write allow
monitoring MMIO accesses.
4. Register space and defaults (AST2600 reference)
Expose a 0x100 register space, as documented in the AST2600 datasheet.
On reset, set default values:
PEHR_ID: Vendor ID = ASPEED, Device ID = 0x1150
PEHR_CLASS_CODE = 0x06040006
PEHR_DATALINK = 0xD7040022
PEHR_LINK: bit[5] set to 1 to indicate link up.
This provides a skeleton device for the AST2600 platform. It enables
firmware to detect the PCIe link as up by default and allows future
extension.
This commit is the starting point of the series to introduce ASPEED PCIe
Root Complex (RC) support. Based on previous work from Cédric Le Goater,
the following commits in this series extend and refine the implementation:
- Add a PCIe Root Port so that devices can be attached without requiring an
extra bridge.
- Restrict the Root Port device instantiation to the AST2600 platform.
- Integrate aspeed_cfg_translate_write() to support both AST2600 and AST2700.
- Add MSI support and a preliminary RC IOMMU address space.
- Fix issues with MSI interrupt clearing.
- Extend support to the AST2700 SoC.
- Drop the AST2600 RC_L support.
- Introduce PCIe RC functional tests covering both AST2600 and AST2700.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250919093017.338309-3-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
The has_otp attribute is enabled in the SBC subclasses for AST1030 to
control the presence of OTP support per SoC type.
Signed-off-by: Kane-Chen-AS <kane_chen@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250812094011.2617526-7-kane_chen@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
This patch connects the aspeed.otp device to the ASPEED Secure Boot
Controller (SBC) model. It implements OTP memory access via the SBC's
command interface and enables emulation of secure fuse programming
flows.
The following OTP commands are supported:
- READ: reads a 32-bit word from OTP memory into internal registers
- PROG: programs a 32-bit word value to the specified OTP address
Trace events are added to observe read/program operations and command
handling flow.
Signed-off-by: Kane-Chen-AS <kane_chen@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250812094011.2617526-3-kane_chen@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Introduce a QEMU device model for ASPEED's One-Time Programmable (OTP)
memory.
This model simulates a word-addressable OTP region used for secure
fuse storage. The OTP memory can operate with an internal memory
buffer.
The OTP model provides a memory-like interface through a dedicated
AddressSpace, allowing other device models (e.g., SBC) to issue
transactions as if accessing a memory-mapped region.
Signed-off-by: Kane-Chen-AS <kane_chen@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250812094011.2617526-2-kane_chen@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
* Support for PowerNV11 and PPE42 CPU/Machines.
* Deprecation of Power8E and Power8NVL
* Decodetree patches for some floating-point instructions
* Minor bug fixes, improvements in ppc/spapr/xive/xics.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEa4EM1tK+EPOIPSFCRUTplPnWj7sFAmjZgYQACgkQRUTplPnW
j7uNJQ/8Cbr3xqyCyyqL+MM+Ze1PbXe4xSgdg13A1sNU3IHTffB77DCQVOxjudUS
uo+XHVFssc4SKDZYjEzXFnYpzRpbZzfcuhG4kgn9QQ3VyKP+2xe6kWLleDbB6ds1
e9ZAW6Ryk4R3ZFLnZzGfEdltliaoIn6zy4R25oJfJUgIRt0Xz++GBxll+Tdr8Exy
qstvvyyjeTiIS3kA1zk6fbhDRJKKBsA0L1G1Pk6AuTMKa1RRTCniA36idnGVFAuY
ef8WCEQYQS0do9Ytai06Tp1QNRVMG2y+AsKbSQRMi92lFfn+qhvA29OJd5TNvXtp
LNiIfXHo3jLjGBUP13iVN8b8udWdis9BayvA/OwDaKWgononEHb9nqJgzVJR4n7t
DxxUxcSCiEXOpObtklrKhi1nDt16nXPZ/bnnreMSWzxHBZK1My7qnI3S0hA7c11z
YgssB5wJbRaETaEVzQfWfAcSaPpXBzBEXOAJcbd+Ni6w9SxXz2OrhckTOvfrXpmI
XQ1KFUCkmTtXF1qB+oEihlrvG2qjdGuleRZdyiktaM2psBFgN/2gHl3S+JjL9kiY
9FdBffr/2K604l7EQkAYWixe2WMMsjHVHpuxJ7opG7MMSXJZq9cXKIK+tbkSNoRO
Ia6Qr6eWJWjFF3y4OZCbYAOVU77ez6lo7kRj0e99fOjxfI+UuWU=
=Fjdq
-----END PGP SIGNATURE-----
Merge tag 'pull-ppc-for-20250928-20250929' of https://gitlab.com/harshpb/qemu into staging
ppc queue for 20250928
* Support for PowerNV11 and PPE42 CPU/Machines.
* Deprecation of Power8E and Power8NVL
* Decodetree patches for some floating-point instructions
* Minor bug fixes, improvements in ppc/spapr/xive/xics.
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEa4EM1tK+EPOIPSFCRUTplPnWj7sFAmjZgYQACgkQRUTplPnW
# j7uNJQ/8Cbr3xqyCyyqL+MM+Ze1PbXe4xSgdg13A1sNU3IHTffB77DCQVOxjudUS
# uo+XHVFssc4SKDZYjEzXFnYpzRpbZzfcuhG4kgn9QQ3VyKP+2xe6kWLleDbB6ds1
# e9ZAW6Ryk4R3ZFLnZzGfEdltliaoIn6zy4R25oJfJUgIRt0Xz++GBxll+Tdr8Exy
# qstvvyyjeTiIS3kA1zk6fbhDRJKKBsA0L1G1Pk6AuTMKa1RRTCniA36idnGVFAuY
# ef8WCEQYQS0do9Ytai06Tp1QNRVMG2y+AsKbSQRMi92lFfn+qhvA29OJd5TNvXtp
# LNiIfXHo3jLjGBUP13iVN8b8udWdis9BayvA/OwDaKWgononEHb9nqJgzVJR4n7t
# DxxUxcSCiEXOpObtklrKhi1nDt16nXPZ/bnnreMSWzxHBZK1My7qnI3S0hA7c11z
# YgssB5wJbRaETaEVzQfWfAcSaPpXBzBEXOAJcbd+Ni6w9SxXz2OrhckTOvfrXpmI
# XQ1KFUCkmTtXF1qB+oEihlrvG2qjdGuleRZdyiktaM2psBFgN/2gHl3S+JjL9kiY
# 9FdBffr/2K604l7EQkAYWixe2WMMsjHVHpuxJ7opG7MMSXJZq9cXKIK+tbkSNoRO
# Ia6Qr6eWJWjFF3y4OZCbYAOVU77ez6lo7kRj0e99fOjxfI+UuWU=
# =Fjdq
# -----END PGP SIGNATURE-----
# gpg: Signature made Sun 28 Sep 2025 11:42:12 AM PDT
# gpg: using RSA key 6B810CD6D2BE10F3883D21424544E994F9D68FBB
# gpg: Good signature from "Harsh Prateek Bora <harsh.prateek.bora@gmail.com>" [undefined]
# gpg: aka "Harsh Prateek Bora <harshpb@linux.ibm.com>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6B81 0CD6 D2BE 10F3 883D 2142 4544 E994 F9D6 8FBB
* tag 'pull-ppc-for-20250928-20250929' of https://gitlab.com/harshpb/qemu: (27 commits)
target/ppc: use MAKE_64BIT_MASK for mcrfs exception clear mask
target/ppc: Deprecate Power8E and Power8NVL
target/ppc: Introduce macro for deprecating PowerPC CPUs
target/ppc: Move remaining floating-point move instructions to decodetree.
target/ppc: Move floating-point move instructions to decodetree.
target/ppc: Move floating-point compare instructions to decodetree.
target/ppc: Move floating-point rounding and conversion instructions to decodetree.
ppc/xive2: Fix integer overflow warning in xive2_redistribute()
ppc/spapr: init lrdr-capapcity phys with ram size if maxmem not provided
hw/intc/xics: Add missing call to register vmstate_icp_server
tests/functional: Add test for IBM PPE42 instructions
hw/ppc: Add a test machine for the IBM PPE42 CPU
hw/ppc: Support for an IBM PPE42 CPU decrementer
target/ppc: Add IBM PPE42 special instructions
target/ppc: Support for IBM PPE42 MMU
target/ppc: Add IBM PPE42 exception model
target/ppc: IBM PPE42 exception flags and regs
target/ppc: Add IBM PPE42 family of processors
target/ppc: IBM PPE42 general regs and flags
tests/powernv: Add PowerNV test for Power11
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
The IBM PPE42 processors support a 32-bit decrementer
that can raise an external interrupt when DEC[0]
transitions from a 0 to a -1 (a non-negative value to a
negative value). It also continues decrementing
even after this condition is met.
The BookE timer is slightly different in that it
raises an interrupt when the DEC value reaches 0
and stops decrementing at that point.
Support a PPE42 version of the BookE timer by
adding a new PPC_TIMER_PPE flag that has the timer
code look for the transition from a non-negative value
to a negative value and allows the value to
continue decrementing.
Signed-off-by: Glenn Miles <milesg@linux.ibm.com>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/r/20250925201758.652077-8-milesg@linux.ibm.com
Message-ID: <20250925201758.652077-8-milesg@linux.ibm.com>
Introduce Power11 ChipTod. The code has been copied from Power10 ChipTod
code as the Power11 core is same as Power10 core.
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Amit Machhiwal <amachhiw@linux.ibm.com>
Tested-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/r/20250925173049.891406-7-adityag@linux.ibm.com
Message-ID: <20250925173049.891406-7-adityag@linux.ibm.com>
Add a XIVE2 controller to Power11 chip and machine.
The controller has the same logic as Power10.
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Amit Machhiwal <amachhiw@linux.ibm.com>
Tested-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/r/20250925173049.891406-5-adityag@linux.ibm.com
Message-ID: <20250925173049.891406-5-adityag@linux.ibm.com>
Existing code in XIVE2 assumes the chip to be a Power10 Chip.
Instead add a handler to get reference to the interrupt controller (XIVE)
for a given Power Chip.
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Tested-by: Amit Machhiwal <amachhiw@linux.ibm.com>
Tested-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/r/20250925173049.891406-4-adityag@linux.ibm.com
Message-ID: <20250925173049.891406-4-adityag@linux.ibm.com>
Implement Pnv11Chip, currently without chiptod, xive and phb.
Chiptod, XIVE, PHB are implemented in later patches.
Since Power11 core is same as Power10, the implementation of Pnv11Chip
is a duplicate of corresponding Pnv10Chip.
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Amit Machhiwal <amachhiw@linux.ibm.com>
Tested-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/r/20250925173049.891406-2-adityag@linux.ibm.com
Message-ID: <20250925173049.891406-2-adityag@linux.ibm.com>
the DINTC use [2fe00000-2ff00000) Memory.
Signed-off-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20250916122109.749813-7-gaosong@loongson.cn>
Add Loongarch direct interrupt controller device base Definition.
Signed-off-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20250916122109.749813-5-gaosong@loongson.cn>
dmsi feature is added in LoongArchVirtMachinState, and it is used
to check whether virt machine supports the directy Message-Interrupts.
and by default set dmsi with ON_OFF_AUTO_AUTO.
LoongArchVirtMachineState adds misc_feature and misc_status for misc
features and status. and set the default dintc feature bit.
Msgint feature is added in LoongArchCPU, and it is used to check
whether th cpu supports the Message-Interrupts and by default set
mesgint with ON_OFF_AUTO_AUTO.
Signed-off-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20250916122109.749813-3-gaosong@loongson.cn>
move some machine define to virt.h
Signed-off-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20250916122109.749813-2-gaosong@loongson.cn>
- new gitlab-failure-analysis script
- tweak checkpath to ignore license in removed lines
- refactor semihosting to build once
- add explicit assert to execlog for coverity
- new uftrace plugin
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEZoWumedRZ7yvyN81+9DbCVqeKkQFAmjWWJYACgkQ+9DbCVqe
KkS1sgf+LsP0jsc1wKhzBhO4WarXXacWCDxK22riJ3aolm+gJ+b0WI4ds18A0e3R
z/J8VJVxBZ+6Hid+tOCQwfZ+Hb1p9IofzBdZryGUvwguviNdlpEChhXXnoZkicym
aGcC/jYRkhTx42dKRdZrSzPd3ccipqop9RvGx57bjCSBAEHYNz679p4z91kNR5a9
UfcCzIQHbBUPZo0F9gQkNnBrjsJQhvF+gXPmmsmBI1pby6gNRQvFshrTQ1C32VpL
VgXNc9cZ6vaREWlgb6izNjsMP7cYTMH2Ppxty/FyEMg7GTfWRjI6Ec8fJKjPFtKr
ZbCNNAeJ9uLK6pJfTk2YxYabxx3JuQ==
=cR9e
-----END PGP SIGNATURE-----
Merge tag 'pull-10.2-maintainer-260925-1' of https://gitlab.com/stsquad/qemu into staging
September maintainer updates (scripts, semihosting, plugins)
- new gitlab-failure-analysis script
- tweak checkpath to ignore license in removed lines
- refactor semihosting to build once
- add explicit assert to execlog for coverity
- new uftrace plugin
# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEEZoWumedRZ7yvyN81+9DbCVqeKkQFAmjWWJYACgkQ+9DbCVqe
# KkS1sgf+LsP0jsc1wKhzBhO4WarXXacWCDxK22riJ3aolm+gJ+b0WI4ds18A0e3R
# z/J8VJVxBZ+6Hid+tOCQwfZ+Hb1p9IofzBdZryGUvwguviNdlpEChhXXnoZkicym
# aGcC/jYRkhTx42dKRdZrSzPd3ccipqop9RvGx57bjCSBAEHYNz679p4z91kNR5a9
# UfcCzIQHbBUPZo0F9gQkNnBrjsJQhvF+gXPmmsmBI1pby6gNRQvFshrTQ1C32VpL
# VgXNc9cZ6vaREWlgb6izNjsMP7cYTMH2Ppxty/FyEMg7GTfWRjI6Ec8fJKjPFtKr
# ZbCNNAeJ9uLK6pJfTk2YxYabxx3JuQ==
# =cR9e
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 26 Sep 2025 02:10:46 AM PDT
# gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44
* tag 'pull-10.2-maintainer-260925-1' of https://gitlab.com/stsquad/qemu: (24 commits)
contrib/plugins/uftrace: add documentation
contrib/plugins/uftrace_symbols.py
contrib/plugins/uftrace: implement x64 support
contrib/plugins/uftrace: generate additional files for uftrace
contrib/plugins/uftrace: implement privilege level tracing
contrib/plugins/uftrace: implement tracing
contrib/plugins/uftrace: track callstack
contrib/plugins/uftrace: define cpu operations and implement aarch64
contrib/plugins/uftrace: skeleton file
contrib/plugins/execlog: Explicitly check for qemu_plugin_read_register() failure
semihosting/arm-compat-semi: compile once in system and per target for user mode
semihosting/arm-compat-semi: remove dependency on cpu.h
semihosting/arm-compat-semi: eradicate target_long
semihosting/arm-compat-semi: replace target_ulong
semihosting/arm-compat-semi: eradicate sizeof(target_ulong)
include/semihosting/common-semi: extract common_semi API
target/{arm, riscv}/common-semi-target: eradicate target_ulong
target/riscv/common-semi-target: remove sizeof(target_ulong)
semihosting/arm-compat-semi: change common_semi_sys_exit_extended
semihosting/guestfd: compile once for system/user
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
We transform target/{arm,riscv}/common-semi-target.h headers to proper
compilation units, and use them in arm-compat-semi.c.
This way, we can include only the declaration header (which is target
agnostic), and selectively link the appropriate implementation based on
current target.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250822150058.18692-8-pierrick.bouvier@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-11-alex.bennee@linaro.org>
We move relevant code to semihosting/arm-compat-semi.c, and add
functions to query CONFIG_ARM_COMPATIBLE_SEMIHOSTING at runtime.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250822150058.18692-4-pierrick.bouvier@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-7-alex.bennee@linaro.org>
