From: Mostafa Saleh <smostafa@google.com>
To: Tao Tang <tangtao1634@phytium.com.cn>
Cc: "Eric Auger" <eric.auger@redhat.com>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Michael S . Tsirkin" <mst@redhat.com>,
"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
qemu-devel@nongnu.org, qemu-arm@nongnu.org,
"Chen Baozi" <chenbaozi@phytium.com.cn>,
"Pierrick Bouvier" <pierrick.bouvier@linaro.org>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Chao Liu" <chao.liu.zevorn@gmail.com>
Subject: Re: [RFC v4 24/31] hw/arm/smmuv3: Determine register bank from MMIO offset
Date: Fri, 27 Feb 2026 14:59:21 +0000 [thread overview]
Message-ID: <aaGxST56MQWlN8fJ@google.com> (raw)
In-Reply-To: <20260221101830.2996354-1-tangtao1634@phytium.com.cn>
On Sat, Feb 21, 2026 at 06:18:29PM +0800, Tao Tang wrote:
> Modify the main MMIO handlers (smmu_write_mmio, smmu_read_mmio)
> to determine the security state of the target register based on its
> memory-mapped offset.
>
> By checking if the offset is within the secure register space (>=
> SMMU_SECURE_REG_START), the handlers can deduce the register's
> SEC_SID (reg_sec_sid). This SID is then passed down to the register
> access helper functions (smmu_writel, smmu_readl, etc.).
>
> Inside these helpers, the switch statement now operates on a masked,
> relative offset:
>
> uint32_t reg_offset = offset & 0xfff;
> switch (reg_offset) {
> ...
> }
>
> This design leverages a key feature of the SMMU specification: registers
> with the same function across different 3 security states
> (Non-secure, Secure, Realm) share the same relative offset. This avoids
> significant code duplication. The reg_sec_sid passed from the MMIO
> handler determines which security bank to operate on, while the masked
> offset identifies the specific register within that bank.
>
> It is important to distinguish between the security state of the
> register itself and the security state of the access. A
> higher-privilege security state is permitted to access registers
> belonging to a lower-privilege state, but the reverse is not allowed.
> This patch lays the groundwork for enforcing such rules.
>
> For future compatibility with Realm states, the logic in the
> else block corresponding to the secure offset check:
>
> if (offset >= SMMU_SECURE_REG_START) {
> reg_sec_sid = SMMU_SEC_SID_S;
> } else {
> /* Future Realm handling */
> }
>
> will need to be expanded.
>
> Signed-off-by: Tao Tang <tangtao1634@phytium.com.cn>
> ---
> hw/arm/smmuv3.c | 57 +++++++++++++++++++++++++++++++++----------------
> 1 file changed, 39 insertions(+), 18 deletions(-)
>
> diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
> index 9c09ea0716e..d81485a6a46 100644
> --- a/hw/arm/smmuv3.c
> +++ b/hw/arm/smmuv3.c
> @@ -1781,12 +1781,13 @@ static int smmuv3_cmdq_consume(SMMUv3State *s, Error **errp, SMMUSecSID sec_sid)
> }
>
> static MemTxResult smmu_writell(SMMUv3State *s, hwaddr offset,
> - uint64_t data, MemTxAttrs attrs)
> + uint64_t data, MemTxAttrs attrs,
> + SMMUSecSID reg_sec_sid)
> {
> - SMMUSecSID reg_sec_sid = SMMU_SEC_SID_NS;
> SMMUv3RegBank *bank = smmuv3_bank(s, reg_sec_sid);
> + uint32_t reg_offset = offset & 0xfff;
This breaks all registers above 4k?
For example, TCU registers/PMU reside on some of this area and if SW
writes to those this might be aliased to something as CR0, which might
disable the SMMU and bypass some security checks. (in case it’s managed
by the hypervisor).
I believe you should check the secure offset explicitly to distinguish secure
and non-secure.
>
> - switch (offset) {
> + switch (reg_offset) {
> case A_GERROR_IRQ_CFG0:
> if (!smmu_gerror_irq_cfg_writable(s, reg_sec_sid)) {
> /* SMMU_(*_)_IRQ_CTRL.GERROR_IRQEN == 1: IGNORED this write */
> @@ -1851,13 +1852,14 @@ static MemTxResult smmu_writell(SMMUv3State *s, hwaddr offset,
> }
>
> static MemTxResult smmu_writel(SMMUv3State *s, hwaddr offset,
> - uint64_t data, MemTxAttrs attrs)
> + uint64_t data, MemTxAttrs attrs,
> + SMMUSecSID reg_sec_sid)
> {
> Error *local_err = NULL;
> - SMMUSecSID reg_sec_sid = SMMU_SEC_SID_NS;
> SMMUv3RegBank *bank = smmuv3_bank(s, reg_sec_sid);
> + uint32_t reg_offset = offset & 0xfff;
>
> - switch (offset) {
> + switch (reg_offset) {
> case A_CR0:
> bank->cr[0] = data;
> bank->cr0ack = data & ~SMMU_CR0_RESERVED;
> @@ -2094,16 +2096,25 @@ static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
> SMMUState *sys = opaque;
> SMMUv3State *s = ARM_SMMUV3(sys);
> MemTxResult r;
> + SMMUSecSID reg_sec_sid = SMMU_SEC_SID_NS;
>
> /* CONSTRAINED UNPREDICTABLE choice to have page0/1 be exact aliases */
> offset &= ~0x10000;
>
> + /*
> + * Realm and Non-secure share the same page-local offset layout; Secure uses
> + * the same layout but is mapped starting at 0x8000(SMMU_SECURE_REG_START)
> + */
> + if (offset >= SMMU_SECURE_REG_START) {
> + reg_sec_sid = SMMU_SEC_SID_S;
> + }
> +
> switch (size) {
> case 8:
> - r = smmu_writell(s, offset, data, attrs);
> + r = smmu_writell(s, offset, data, attrs, reg_sec_sid);
> break;
> case 4:
> - r = smmu_writel(s, offset, data, attrs);
> + r = smmu_writel(s, offset, data, attrs, reg_sec_sid);
> break;
> default:
> r = MEMTX_ERROR;
> @@ -2115,12 +2126,13 @@ static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
> }
>
> static MemTxResult smmu_readll(SMMUv3State *s, hwaddr offset,
> - uint64_t *data, MemTxAttrs attrs)
> + uint64_t *data, MemTxAttrs attrs,
> + SMMUSecSID reg_sec_sid)
> {
> - SMMUSecSID reg_sec_sid = SMMU_SEC_SID_NS;
> SMMUv3RegBank *bank = smmuv3_bank(s, reg_sec_sid);
> + uint32_t reg_offset = offset & 0xfff;
>
> - switch (offset) {
> + switch (reg_offset) {
> case A_GERROR_IRQ_CFG0:
> /* SMMU_(*_)GERROR_IRQ_CFG0 BOTH check SMMU_IDR0.MSI */
> if (!smmu_msi_supported(s)) {
> @@ -2149,17 +2161,22 @@ static MemTxResult smmu_readll(SMMUv3State *s, hwaddr offset,
> }
>
> static MemTxResult smmu_readl(SMMUv3State *s, hwaddr offset,
> - uint64_t *data, MemTxAttrs attrs)
> + uint64_t *data, MemTxAttrs attrs,
> + SMMUSecSID reg_sec_sid)
> {
> - SMMUSecSID reg_sec_sid = SMMU_SEC_SID_NS;
> SMMUv3RegBank *bank = smmuv3_bank(s, reg_sec_sid);
> + uint32_t reg_offset = offset & 0xfff;
>
> - switch (offset) {
> + switch (reg_offset) {
> case A_IDREGS ... A_IDREGS + 0x2f:
> - *data = smmuv3_idreg(offset - A_IDREGS);
> + *data = smmuv3_idreg(reg_offset - A_IDREGS);
> return MEMTX_OK;
> case A_IDR0 ... A_IDR5:
> - *data = bank->idr[(offset - A_IDR0) / 4];
> + if (reg_sec_sid == SMMU_SEC_SID_S) {
> + g_assert((reg_offset - A_IDR0) / 4 < 5);
Asserting here is too much as this can be easily triggered by guests,
we should follow the convention of other unimplemented registers.
Thanks,
Mostafa
> + }
> +
> + *data = bank->idr[(reg_offset - A_IDR0) / 4];
> return MEMTX_OK;
> case A_IIDR:
> *data = s->iidr;
> @@ -2275,16 +2292,20 @@ static MemTxResult smmu_read_mmio(void *opaque, hwaddr offset, uint64_t *data,
> SMMUState *sys = opaque;
> SMMUv3State *s = ARM_SMMUV3(sys);
> MemTxResult r;
> + SMMUSecSID reg_sec_sid = SMMU_SEC_SID_NS;
>
> /* CONSTRAINED UNPREDICTABLE choice to have page0/1 be exact aliases */
> offset &= ~0x10000;
> + if (offset >= SMMU_SECURE_REG_START) {
> + reg_sec_sid = SMMU_SEC_SID_S;
> + }
>
> switch (size) {
> case 8:
> - r = smmu_readll(s, offset, data, attrs);
> + r = smmu_readll(s, offset, data, attrs, reg_sec_sid);
> break;
> case 4:
> - r = smmu_readl(s, offset, data, attrs);
> + r = smmu_readl(s, offset, data, attrs, reg_sec_sid);
> break;
> default:
> r = MEMTX_ERROR;
> --
> 2.34.1
>
>
next prev parent reply other threads:[~2026-02-27 14:59 UTC|newest]
Thread overview: 136+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-21 10:02 [RFC v4 00/31] hw/arm/smmuv3: Support Secure state for SMMUv3 Tao Tang
2026-02-21 10:02 ` [RFC v4 01/31] hw/arm/smmuv3-common: Fix incorrect reserved mask for SMMU CR0 register Tao Tang
2026-02-25 20:18 ` Pierrick Bouvier
2026-02-27 14:31 ` Mostafa Saleh
2026-02-21 10:02 ` [RFC v4 02/31] hw/arm/smmuv3: Correct SMMUEN field name in CR0 Tao Tang
2026-02-25 20:18 ` Pierrick Bouvier
2026-02-27 14:31 ` Mostafa Saleh
2026-02-21 10:02 ` [RFC v4 03/31] hw/arm/smmuv3: Introduce secure registers Tao Tang
2026-02-25 20:23 ` Pierrick Bouvier
2026-02-27 14:33 ` Mostafa Saleh
2026-02-21 10:02 ` [RFC v4 04/31] hw/arm/smmuv3: Introduce banked registers for SMMUv3 state Tao Tang
2026-02-25 20:26 ` Pierrick Bouvier
2026-02-27 14:38 ` Mostafa Saleh
2026-03-01 13:44 ` Tao Tang
2026-03-02 10:16 ` Mostafa Saleh
2026-02-21 10:02 ` [RFC v4 05/31] hw/arm/smmuv3: Thread SEC_SID through helper APIs Tao Tang
2026-02-25 20:27 ` Pierrick Bouvier
2026-02-21 10:02 ` [RFC v4 06/31] hw/arm/smmuv3: Track SEC_SID in configs and events Tao Tang
2026-02-25 20:29 ` Pierrick Bouvier
2026-02-27 14:39 ` Mostafa Saleh
2026-03-01 13:53 ` Tao Tang
2026-03-02 10:19 ` Mostafa Saleh
2026-03-02 13:45 ` Eric Auger
2026-03-02 16:13 ` Eric Auger
2026-03-03 7:26 ` Eric Auger via
2026-03-03 7:26 ` Eric Auger via qemu development
2026-03-06 13:56 ` Tao Tang
2026-02-21 10:02 ` [RFC v4 07/31] hw/arm/smmu-common: Add security-aware address space selector Tao Tang
2026-02-25 20:36 ` Pierrick Bouvier
2026-02-21 10:02 ` [RFC v4 08/31] hw/arm/smmuv3: Plumb transaction attributes into config helpers Tao Tang
2026-02-25 20:52 ` Pierrick Bouvier
2026-02-27 15:20 ` Tao Tang
2026-02-27 22:02 ` Pierrick Bouvier
2026-03-02 15:59 ` Eric Auger
2026-02-25 20:55 ` Pierrick Bouvier
2026-02-27 15:35 ` Tao Tang
2026-02-21 10:02 ` [RFC v4 09/31] hw/arm/smmuv3: Enforce Secure stage 2 capability check when decoding STE Tao Tang
2026-02-25 20:52 ` Pierrick Bouvier
2026-02-27 14:39 ` Mostafa Saleh
2026-03-01 14:02 ` Tao Tang
2026-03-02 16:48 ` Eric Auger
2026-03-04 16:09 ` Tao Tang
2026-02-21 10:14 ` [RFC v4 10/31] hw/arm/smmu-common: Key configuration cache on SMMUDevice and SEC_SID Tao Tang
2026-02-25 21:01 ` Pierrick Bouvier
2026-03-02 16:54 ` Eric Auger
2026-03-05 13:42 ` Tao Tang
2026-02-21 10:15 ` [RFC v4 11/31] hw/arm/smmu: Add PTE NS/NSTable helpers Tao Tang
2026-02-25 21:01 ` Pierrick Bouvier
2026-03-02 17:07 ` Eric Auger
2026-03-05 13:22 ` Tao Tang
2026-02-21 10:16 ` [RFC v4 12/31] hw/arm/smmuv3: Store CD NSCFG in TT info Tao Tang
2026-02-25 21:01 ` Pierrick Bouvier
2026-02-27 14:41 ` Mostafa Saleh
2026-03-01 14:21 ` Tao Tang
2026-03-02 10:22 ` Mostafa Saleh
2026-03-02 17:21 ` Eric Auger
2026-03-02 17:18 ` Eric Auger
2026-02-21 10:16 ` [RFC v4 13/31] hw/arm/smmu-common: Add sec_sid field to TLB entries Tao Tang
2026-02-25 21:02 ` Pierrick Bouvier
2026-02-27 14:45 ` Mostafa Saleh
2026-03-01 15:08 ` Tao Tang
2026-03-02 10:30 ` Mostafa Saleh
2026-03-02 17:34 ` Eric Auger
2026-03-05 14:33 ` Tao Tang
2026-02-21 10:16 ` [RFC v4 14/31] hw/arm/smmu-common: Implement secure state handling in ptw Tao Tang
2026-02-25 21:12 ` Pierrick Bouvier
2026-02-28 14:07 ` Tao Tang
2026-03-03 9:41 ` Eric Auger
2026-03-06 10:39 ` Tao Tang
2026-02-21 10:16 ` [RFC v4 15/31] hw/arm/smmuv3: Tag IOTLB cache keys with SEC_SID Tao Tang
2026-02-25 21:21 ` Pierrick Bouvier
2026-03-03 7:40 ` Eric Auger
2026-03-05 15:54 ` Tao Tang
2026-02-21 10:17 ` [RFC v4 16/31] hw/arm/smmuv3: Plumb SEC_SID through IOMMU notifier path Tao Tang
2026-02-25 21:32 ` Pierrick Bouvier
2026-02-27 14:47 ` Mostafa Saleh
2026-03-01 15:26 ` Tao Tang
2026-03-02 18:26 ` Eric Auger
2026-03-02 19:17 ` Mostafa Saleh
2026-03-03 7:49 ` Eric Auger
2026-03-04 15:34 ` Tao Tang
2026-03-04 16:36 ` Eric Auger
2026-02-21 10:17 ` [RFC v4 17/31] hw/arm/smmuv3: Pass sec_sid into cmdq consume path Tao Tang
2026-02-25 21:35 ` Pierrick Bouvier
2026-03-03 10:14 ` Eric Auger
2026-03-05 14:42 ` Tao Tang
2026-02-21 10:17 ` [RFC v4 18/31] hw/arm/smmuv3: Make evtq producer use SEC_SID Tao Tang
2026-02-25 21:40 ` Pierrick Bouvier
2026-03-03 10:16 ` Eric Auger
2026-02-21 10:17 ` [RFC v4 19/31] hw/arm/smmuv3: Fix CFGI_CD handling when stage-1 is unsupported Tao Tang
2026-02-25 21:40 ` Pierrick Bouvier
2026-02-27 14:49 ` Mostafa Saleh
2026-03-01 12:33 ` Tao Tang
2026-03-02 10:10 ` Mostafa Saleh
2026-03-02 17:47 ` Pierrick Bouvier
2026-03-02 17:53 ` Eric Auger
2026-03-04 13:39 ` Tao Tang
2026-03-02 17:51 ` Eric Auger
2026-03-02 17:55 ` Eric Auger
2026-02-21 10:17 ` [RFC v4 20/31] hw/arm/smmu: Make CMDQ invalidation security-state aware Tao Tang
2026-02-25 21:47 ` Pierrick Bouvier
2026-02-27 15:41 ` Tao Tang
2026-02-21 10:17 ` [RFC v4 21/31] hw/arm/smmuv3: Add access checks for GERROR_IRQ_CFG registers Tao Tang
2026-02-25 21:48 ` Pierrick Bouvier
2026-02-21 10:18 ` [RFC v4 22/31] hw/arm/smmuv3: Add access checks for STRTAB_BASE and CR2 registers Tao Tang
2026-02-25 21:53 ` Pierrick Bouvier
2026-02-21 10:18 ` [RFC v4 23/31] hw/arm/smmuv3: Add access checks for CMDQ and EVENTQ registers Tao Tang
2026-02-25 21:59 ` Pierrick Bouvier
2026-02-27 15:44 ` Tao Tang
2026-02-21 10:18 ` [RFC v4 24/31] hw/arm/smmuv3: Determine register bank from MMIO offset Tao Tang
2026-02-25 22:00 ` Pierrick Bouvier
2026-02-27 14:59 ` Mostafa Saleh [this message]
2026-03-01 16:24 ` Tao Tang
2026-02-21 10:18 ` [RFC v4 25/31] hw/arm/smmuv3: Implement SMMU_S_INIT register Tao Tang
2026-02-25 22:01 ` Pierrick Bouvier
2026-02-21 10:18 ` [RFC v4 26/31] hw/arm/smmuv3: Harden security checks in MMIO handlers Tao Tang
2026-02-25 22:03 ` Pierrick Bouvier
2026-02-21 10:18 ` [RFC v4 27/31] hw/pci: Add sec-sid property to PCIDevice Tao Tang
2026-02-25 22:05 ` Pierrick Bouvier
2026-02-21 10:19 ` [RFC v4 28/31] hw/arm/smmuv3: Select sec-sid from PCI property and validate SECURE_IMPL Tao Tang
2026-02-25 22:10 ` Pierrick Bouvier
2026-02-25 22:12 ` Pierrick Bouvier
2026-03-03 10:47 ` Eric Auger
2026-03-06 13:30 ` Tao Tang
2026-03-06 17:29 ` Pierrick Bouvier
2026-03-03 10:48 ` Eric Auger
2026-02-21 10:19 ` [RFC v4 29/31] hw/arm/smmuv3: Initialize the secure register bank Tao Tang
2026-02-25 22:13 ` Pierrick Bouvier
2026-02-21 10:19 ` [RFC v4 30/31] hw/arm/smmuv3: Add secure bank migration and secure-impl property Tao Tang
2026-02-25 22:20 ` Pierrick Bouvier
2026-02-27 16:16 ` Tao Tang
2026-02-27 21:54 ` Pierrick Bouvier
2026-02-21 10:19 ` [RFC v4 31/31] [NOT-MERGE] hw/arm/smmuv3: temporarily enable SEL2 bit and sone other features Tao Tang
2026-02-25 21:31 ` Pierrick Bouvier
2026-02-25 22:07 ` Pierrick Bouvier
2026-02-27 16:13 ` Tao Tang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aaGxST56MQWlN8fJ@google.com \
--to=smostafa@google.com \
--cc=chao.liu.zevorn@gmail.com \
--cc=chenbaozi@phytium.com.cn \
--cc=eric.auger@redhat.com \
--cc=marcel.apfelbaum@gmail.com \
--cc=mst@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@linaro.org \
--cc=pierrick.bouvier@linaro.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=tangtao1634@phytium.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.