From: "Cédric Le Goater" <clg@redhat.com>
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: Kane-Chen-AS <kane_chen@aspeedtech.com>,
"Cédric Le Goater" <clg@redhat.com>
Subject: [PULL 02/32] hw/misc/aspeed_sbc: Connect ASPEED OTP memory device to SBC
Date: Mon, 29 Sep 2025 18:52:00 +0200 [thread overview]
Message-ID: <20250929165230.797471-3-clg@redhat.com> (raw)
In-Reply-To: <20250929165230.797471-1-clg@redhat.com>
From: Kane-Chen-AS <kane_chen@aspeedtech.com>
This patch connects the aspeed.otp device to the ASPEED Secure Boot
Controller (SBC) model. It implements OTP memory access via the SBC's
command interface and enables emulation of secure fuse programming
flows.
The following OTP commands are supported:
- READ: reads a 32-bit word from OTP memory into internal registers
- PROG: programs a 32-bit word value to the specified OTP address
Trace events are added to observe read/program operations and command
handling flow.
Signed-off-by: Kane-Chen-AS <kane_chen@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20250812094011.2617526-3-kane_chen@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
include/hw/misc/aspeed_sbc.h | 5 ++
hw/misc/aspeed_sbc.c | 111 +++++++++++++++++++++++++++++++++++
hw/misc/trace-events | 5 ++
3 files changed, 121 insertions(+)
diff --git a/include/hw/misc/aspeed_sbc.h b/include/hw/misc/aspeed_sbc.h
index 405e6782b97a..0c2746d392a4 100644
--- a/include/hw/misc/aspeed_sbc.h
+++ b/include/hw/misc/aspeed_sbc.h
@@ -10,6 +10,7 @@
#define ASPEED_SBC_H
#include "hw/sysbus.h"
+#include "hw/nvram/aspeed_otp.h"
#define TYPE_ASPEED_SBC "aspeed.sbc"
#define TYPE_ASPEED_AST2600_SBC TYPE_ASPEED_SBC "-ast2600"
@@ -36,10 +37,14 @@ struct AspeedSBCState {
MemoryRegion iomem;
uint32_t regs[ASPEED_SBC_NR_REGS];
+
+ AspeedOTPState otp;
};
struct AspeedSBCClass {
SysBusDeviceClass parent_class;
+
+ bool has_otp;
};
#endif /* ASPEED_SBC_H */
diff --git a/hw/misc/aspeed_sbc.c b/hw/misc/aspeed_sbc.c
index a7d101ba71f4..46a038337c31 100644
--- a/hw/misc/aspeed_sbc.c
+++ b/hw/misc/aspeed_sbc.c
@@ -15,9 +15,13 @@
#include "hw/misc/aspeed_sbc.h"
#include "qapi/error.h"
#include "migration/vmstate.h"
+#include "trace.h"
#define R_PROT (0x000 / 4)
+#define R_CMD (0x004 / 4)
+#define R_ADDR (0x010 / 4)
#define R_STATUS (0x014 / 4)
+#define R_CAMP1 (0x020 / 4)
#define R_QSR (0x040 / 4)
/* R_STATUS */
@@ -41,6 +45,11 @@
#define QSR_RSA_MASK (0x3 << 12)
#define QSR_HASH_MASK (0x3 << 10)
+#define OTP_MEMORY_SIZE 0x4000
+/* OTP command */
+#define SBC_OTP_CMD_READ 0x23b1e361
+#define SBC_OTP_CMD_PROG 0x23b1e364
+
static uint64_t aspeed_sbc_read(void *opaque, hwaddr addr, unsigned int size)
{
AspeedSBCState *s = ASPEED_SBC(opaque);
@@ -57,6 +66,84 @@ static uint64_t aspeed_sbc_read(void *opaque, hwaddr addr, unsigned int size)
return s->regs[addr];
}
+static bool aspeed_sbc_otp_read(AspeedSBCState *s,
+ uint32_t otp_addr)
+{
+ MemTxResult ret;
+ AspeedOTPState *otp = &s->otp;
+ uint32_t value, otp_offset;
+
+ otp_offset = otp_addr << 2;
+ ret = address_space_read(&otp->as, otp_offset, MEMTXATTRS_UNSPECIFIED,
+ &value, sizeof(value));
+ if (ret != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "Failed to read OTP memory, addr = %x\n",
+ otp_addr);
+ return false;
+ }
+ s->regs[R_CAMP1] = value;
+ trace_aspeed_sbc_otp_read(otp_addr, value);
+
+ return true;
+}
+
+static bool aspeed_sbc_otp_prog(AspeedSBCState *s,
+ uint32_t otp_addr)
+{
+ MemTxResult ret;
+ AspeedOTPState *otp = &s->otp;
+ uint32_t value = s->regs[R_CAMP1];
+
+ ret = address_space_write(&otp->as, otp_addr, MEMTXATTRS_UNSPECIFIED,
+ &value, sizeof(value));
+ if (ret != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "Failed to write OTP memory, addr = %x\n",
+ otp_addr);
+ return false;
+ }
+
+ trace_aspeed_sbc_otp_prog(otp_addr, value);
+
+ return true;
+}
+
+static void aspeed_sbc_handle_command(void *opaque, uint32_t cmd)
+{
+ AspeedSBCState *s = ASPEED_SBC(opaque);
+ AspeedSBCClass *sc = ASPEED_SBC_GET_CLASS(opaque);
+ bool ret = false;
+ uint32_t otp_addr;
+
+ if (!sc->has_otp) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: OTP memory is not supported\n",
+ __func__);
+ return;
+ }
+
+ s->regs[R_STATUS] &= ~(OTP_MEM_IDLE | OTP_IDLE);
+ otp_addr = s->regs[R_ADDR];
+
+ switch (cmd) {
+ case SBC_OTP_CMD_READ:
+ ret = aspeed_sbc_otp_read(s, otp_addr);
+ break;
+ case SBC_OTP_CMD_PROG:
+ ret = aspeed_sbc_otp_prog(s, otp_addr);
+ break;
+ default:
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: Unknown command 0x%x\n",
+ __func__, cmd);
+ break;
+ }
+
+ trace_aspeed_sbc_handle_cmd(cmd, otp_addr, ret);
+ s->regs[R_STATUS] |= (OTP_MEM_IDLE | OTP_IDLE);
+}
+
static void aspeed_sbc_write(void *opaque, hwaddr addr, uint64_t data,
unsigned int size)
{
@@ -78,6 +165,9 @@ static void aspeed_sbc_write(void *opaque, hwaddr addr, uint64_t data,
"%s: write to read only register 0x%" HWADDR_PRIx "\n",
__func__, addr << 2);
return;
+ case R_CMD:
+ aspeed_sbc_handle_command(opaque, data);
+ return;
default:
break;
}
@@ -115,10 +205,30 @@ static void aspeed_sbc_reset(DeviceState *dev)
s->regs[R_QSR] = s->signing_settings;
}
+static void aspeed_sbc_instance_init(Object *obj)
+{
+ AspeedSBCClass *sc = ASPEED_SBC_GET_CLASS(obj);
+ AspeedSBCState *s = ASPEED_SBC(obj);
+
+ if (sc->has_otp) {
+ object_initialize_child(OBJECT(s), "otp", &s->otp,
+ TYPE_ASPEED_OTP);
+ }
+}
+
static void aspeed_sbc_realize(DeviceState *dev, Error **errp)
{
AspeedSBCState *s = ASPEED_SBC(dev);
SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+ AspeedSBCClass *sc = ASPEED_SBC_GET_CLASS(dev);
+
+ if (sc->has_otp) {
+ object_property_set_int(OBJECT(&s->otp), "size",
+ OTP_MEMORY_SIZE, &error_abort);
+ if (!qdev_realize(DEVICE(&s->otp), NULL, errp)) {
+ return;
+ }
+ }
memory_region_init_io(&s->iomem, OBJECT(s), &aspeed_sbc_ops, s,
TYPE_ASPEED_SBC, 0x1000);
@@ -155,6 +265,7 @@ static const TypeInfo aspeed_sbc_info = {
.name = TYPE_ASPEED_SBC,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(AspeedSBCState),
+ .instance_init = aspeed_sbc_instance_init,
.class_init = aspeed_sbc_class_init,
.class_size = sizeof(AspeedSBCClass)
};
diff --git a/hw/misc/trace-events b/hw/misc/trace-events
index e3f64c0ff6b0..9e05b82f371e 100644
--- a/hw/misc/trace-events
+++ b/hw/misc/trace-events
@@ -90,6 +90,11 @@ slavio_sysctrl_mem_readl(uint32_t ret) "Read system control 0x%08x"
slavio_led_mem_writew(uint32_t val) "Write diagnostic LED 0x%04x"
slavio_led_mem_readw(uint32_t ret) "Read diagnostic LED 0x%04x"
+# aspeed_sbc.c
+aspeed_sbc_handle_cmd(uint32_t cmd, uint32_t addr, bool ret) "Handling command 0x%" PRIx32 " for OTP addr 0x%" PRIx32 " Result: %d"
+aspeed_sbc_otp_read(uint32_t addr, uint32_t value) "OTP Memory read: addr 0x%" PRIx32 " value 0x%" PRIx32
+aspeed_sbc_otp_prog(uint32_t addr, uint32_t value) "OTP Memory write: addr 0x%" PRIx32 " value 0x%" PRIx32
+
# aspeed_scu.c
aspeed_scu_write(uint64_t offset, unsigned size, uint32_t data) "To 0x%" PRIx64 " of size %u: 0x%" PRIx32
aspeed_scu_read(uint64_t offset, unsigned size, uint32_t data) "To 0x%" PRIx64 " of size %u: 0x%" PRIx32
--
2.51.0
next prev parent reply other threads:[~2025-09-29 16:54 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-29 16:51 [PULL 00/32] aspeed queue Cédric Le Goater
2025-09-29 16:51 ` [PULL 01/32] hw/nvram/aspeed_otp: Add ASPEED OTP memory device model Cédric Le Goater
2025-09-29 16:52 ` Cédric Le Goater [this message]
2025-09-29 16:52 ` [PULL 03/32] hw/arm: Integrate ASPEED OTP memory support into AST2600 SoCs Cédric Le Goater
2025-09-29 16:52 ` [PULL 04/32] hw/nvram/aspeed_otp: Add 'drive' property to support block backend Cédric Le Goater
2025-09-29 16:52 ` [PULL 05/32] hw/nvram/aspeed_otp: Add OTP programming semantics and tracing Cédric Le Goater
2025-09-29 16:52 ` [PULL 06/32] hw/arm: Integrate ASPEED OTP memory support into AST1030 SoCs Cédric Le Goater
2025-09-29 16:52 ` [PULL 07/32] hw/misc/aspeed_sbc: Add CAMP2 support for OTP data reads Cédric Le Goater
2025-09-29 16:52 ` [PULL 08/32] hw/misc/aspeed_sbc: Handle OTP write command for voltage mode registers Cédric Le Goater
2025-09-29 16:52 ` [PULL 09/32] docs/system/arm/aspeed: Document OTP memory options Cédric Le Goater
2025-09-29 16:52 ` [PULL 10/32] hw/arm/aspeed Move ast2700-evb alias to ast2700a1-evb Cédric Le Goater
2025-09-29 16:52 ` [PULL 11/32] tests/functional/arm: Add helper to generate OTP images Cédric Le Goater
2025-09-29 16:52 ` [PULL 12/32] tests/functional/arm: Add AST1030 boot test with generated OTP image Cédric Le Goater
2025-09-29 16:52 ` [PULL 13/32] tests/functional/arm: Add AST2600 " Cédric Le Goater
2025-09-29 16:52 ` [PULL 14/32] hw/pci/pci_ids: Add PCI vendor ID for ASPEED Cédric Le Goater
2025-09-29 16:52 ` [PULL 15/32] hw/pci-host/aspeed: Add AST2600 PCIe PHY model Cédric Le Goater
2025-09-29 16:52 ` [PULL 16/32] hw/pci-host/aspeed: Add AST2600 PCIe config space and host bridge Cédric Le Goater
2025-09-29 16:52 ` [PULL 17/32] hw/pci-host/aspeed: Add AST2600 PCIe Root Device support Cédric Le Goater
2025-09-29 16:52 ` [PULL 18/32] hw/pci-host/aspeed: Add AST2600 PCIe Root Port and make address configurable Cédric Le Goater
2025-09-29 16:52 ` [PULL 19/32] hw/pci-host/aspeed: Add MSI support and per-RC IOMMU address space Cédric Le Goater
2025-09-29 16:52 ` [PULL 20/32] hw/arm/aspeed: Wire up PCIe devices in SoC model Cédric Le Goater
2025-09-29 16:52 ` [PULL 21/32] hw/arm/aspeed_ast2600: Add PCIe RC support (RC_H only) Cédric Le Goater
2025-09-29 16:52 ` [PULL 22/32] hw/pci-host/aspeed: Add AST2700 PCIe PHY Cédric Le Goater
2025-09-29 16:52 ` [PULL 23/32] hw/pci-host/aspeed: Add AST2700 PCIe config with dedicated H2X blocks Cédric Le Goater
2025-09-29 16:52 ` [PULL 24/32] hw/pci-host/aspeed: Disable Root Device and place Root Port at 00:00.0 to AST2700 Cédric Le Goater
2025-09-29 16:52 ` [PULL 25/32] hw/arm/aspeed_ast27x0: Introduce 3 PCIe RCs for AST2700 Cédric Le Goater
2025-09-29 16:52 ` [PULL 26/32] tests/functional/arm/test_aspeed_ast2600: Add PCIe and network test Cédric Le Goater
2025-09-29 16:52 ` [PULL 27/32] hw/arm/aspeed: Move aspeed_board_init_flashes() to common SoC code Cédric Le Goater
2025-09-29 16:52 ` [PULL 28/32] hw/arm/aspeed: Move write_boot_rom " Cédric Le Goater
2025-09-29 16:52 ` [PULL 29/32] hw/arm/aspeed: Move aspeed_install_boot_rom " Cédric Le Goater
2025-09-29 16:52 ` [PULL 30/32] hw/arm/aspeed: Move aspeed_load_vbootrom " Cédric Le Goater
2025-09-29 16:52 ` [PULL 31/32] hw/arm/aspeed_ast27x0-fc: Drop dead return checks Cédric Le Goater
2025-09-29 16:52 ` [PULL 32/32] hw/arm/aspeed_ast27x0-fc: Make sub-init functions return bool with errp Cédric Le Goater
2025-09-30 14:10 ` [PULL 00/32] aspeed queue Richard Henderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250929165230.797471-3-clg@redhat.com \
--to=clg@redhat.com \
--cc=kane_chen@aspeedtech.com \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).