[Qemu-arm] [PATCH] Fix bug: SRS instructions would trap to EL3 in Secure EL1 even if specified mode was not monitor mode. [RESUBMIT DUE TO MISSING SIGN-OFF]

[Qemu-arm] [PATCH] Fix bug: SRS instructions would trap to EL3 in Secure EL1 even if specified mode was not monitor mode. [RESUBMIT DUE TO MISSING SIGN-OFF]

[Ralf-Philipp Weinmann]

According to the ARMv8 Architecture reference manual [F6.1.203], ALL
of the following conditions need to be met for SRS to trap to EL3:
* It is executed at Secure PL1.
* The specified mode is monitor mode.
* EL3 is using AArch64.

Signed-off-by: Ralf-Philipp Weinmann <ralf+devel@comsecuris.com>
---
 target-arm/translate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target-arm/translate.c b/target-arm/translate.c
index c29c47f..a7688bb 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -7582,7 +7582,8 @@ static void gen_srs(DisasContext *s,
     bool undef = false;
 
     /* SRS is:
-     * - trapped to EL3 if EL3 is AArch64 and we are at Secure EL1
+     * - trapped to EL3 if EL3 is AArch64 and we are at Secure EL1 and 
+     *   mode is monitor mode
      * - UNDEFINED in Hyp mode
      * - UNPREDICTABLE in User or System mode
      * - UNPREDICTABLE if the specified mode is:
@@ -7592,7 +7593,7 @@ static void gen_srs(DisasContext *s,
      * -- Monitor, if we are Non-secure
      * For the UNPREDICTABLE cases we choose to UNDEF.
      */
-    if (s->current_el == 1 && !s->ns) {
+    if (s->current_el == 1 && !s->ns && mode == ARM_CPU_MODE_MON) {
         gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(), 3);
         return;
     }
-- 
2.5.4 (Apple Git-61)

[Qemu-devel] [PATCH] Fix bug: SRS instructions would trap to EL3 in Secure EL1 even if specified mode was not monitor mode. [RESUBMIT DUE TO MISSING SIGN-OFF]

[Ralf-Philipp Weinmann]

According to the ARMv8 Architecture reference manual [F6.1.203], ALL
of the following conditions need to be met for SRS to trap to EL3:
* It is executed at Secure PL1.
* The specified mode is monitor mode.
* EL3 is using AArch64.

Signed-off-by: Ralf-Philipp Weinmann <ralf+devel@comsecuris.com>
---
 target-arm/translate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target-arm/translate.c b/target-arm/translate.c
index c29c47f..a7688bb 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -7582,7 +7582,8 @@ static void gen_srs(DisasContext *s,
     bool undef = false;
 
     /* SRS is:
-     * - trapped to EL3 if EL3 is AArch64 and we are at Secure EL1
+     * - trapped to EL3 if EL3 is AArch64 and we are at Secure EL1 and 
+     *   mode is monitor mode
      * - UNDEFINED in Hyp mode
      * - UNPREDICTABLE in User or System mode
      * - UNPREDICTABLE if the specified mode is:
@@ -7592,7 +7593,7 @@ static void gen_srs(DisasContext *s,
      * -- Monitor, if we are Non-secure
      * For the UNPREDICTABLE cases we choose to UNDEF.
      */
-    if (s->current_el == 1 && !s->ns) {
+    if (s->current_el == 1 && !s->ns && mode == ARM_CPU_MODE_MON) {
         gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(), 3);
         return;
     }
-- 
2.5.4 (Apple Git-61)

Re: [Qemu-arm] [PATCH] Fix bug: SRS instructions would trap to EL3 in Secure EL1 even if specified mode was not monitor mode. [RESUBMIT DUE TO MISSING SIGN-OFF]

[Peter Maydell]

On 22 February 2016 at 22:42, Ralf-Philipp Weinmann
<ralf+devel@comsecuris.com> wrote:
> According to the ARMv8 Architecture reference manual [F6.1.203], ALL
> of the following conditions need to be met for SRS to trap to EL3:
> * It is executed at Secure PL1.
> * The specified mode is monitor mode.
> * EL3 is using AArch64.
>
> Signed-off-by: Ralf-Philipp Weinmann <ralf+devel@comsecuris.com>

Thanks, nice catch. Did you find this by code inspection or
by some sort of test program or real guest code?

>      /* SRS is:
> -     * - trapped to EL3 if EL3 is AArch64 and we are at Secure EL1
> +     * - trapped to EL3 if EL3 is AArch64 and we are at Secure EL1 and
> +     *   mode is monitor mode

I tweaked this to say "specified mode is monitor mode" just to be
slightly clearer that we're not testing the mode we're currently in.
I have applied it to target-arm.next; thanks!

-- PMM

Re: [Qemu-devel] [Qemu-arm] [PATCH] Fix bug: SRS instructions would trap to EL3 in Secure EL1 even if specified mode was not monitor mode. [RESUBMIT DUE TO MISSING SIGN-OFF]

[Peter Maydell]

On 22 February 2016 at 22:42, Ralf-Philipp Weinmann
<ralf+devel@comsecuris.com> wrote:
> According to the ARMv8 Architecture reference manual [F6.1.203], ALL
> of the following conditions need to be met for SRS to trap to EL3:
> * It is executed at Secure PL1.
> * The specified mode is monitor mode.
> * EL3 is using AArch64.
>
> Signed-off-by: Ralf-Philipp Weinmann <ralf+devel@comsecuris.com>

Thanks, nice catch. Did you find this by code inspection or
by some sort of test program or real guest code?

>      /* SRS is:
> -     * - trapped to EL3 if EL3 is AArch64 and we are at Secure EL1
> +     * - trapped to EL3 if EL3 is AArch64 and we are at Secure EL1 and
> +     *   mode is monitor mode

I tweaked this to say "specified mode is monitor mode" just to be
slightly clearer that we're not testing the mode we're currently in.
I have applied it to target-arm.next; thanks!

-- PMM