* [Qemu-devel] [PATCH 0/5] Wire up various EL2/EL3 address translation ops
From: Peter Maydell @ 2015-07-24 15:20 UTC (permalink / raw)
To: qemu-devel; +Cc: Edgar E. Iglesias, patches
This patch series wires up some of the EL2 and EL3 address
translation operations which we were missing:
* the AArch64 EL2 and EL3 AT ops
* the AArch32 ATS12NSO ops
* the AArch32 ATS1H ops
Most of these are still not accessible or not very interesting
because we don't have any CPUs which set ARM_FEATURE_EL2 yet.
Providing ATS12NSO for AArch32-with-EL3 CPUs is a genuine bugfix.
I included a bugfix for the 32-bit EL2 stage 1 translation
regime. I think that the only remaining thing missing for EL2
(based on eyeballing our current code) is implementing stage
2 translations.
NB: this code isn't really tested, but it looks nice when you
read it.
Peter Maydell (5):
target-arm: there is no TTBR1 for 32-bit EL2 stage 1 translations
target-arm: Wire up AArch64 EL2 and EL3 address translation ops
target-arm: Add CP_ACCESS_TRAP_UNCATEGORIZED_EL2,3
target-arm: Enable the AArch32 ATS12NSO ops
target-arm: Implement AArch32 ATS1H* operations
target-arm/cpu.h | 3 ++
target-arm/helper.c | 88 ++++++++++++++++++++++++++++++++++++++++++++++----
target-arm/op_helper.c | 8 +++++
3 files changed, 92 insertions(+), 7 deletions(-)
--
1.9.1
* [Qemu-devel] [PATCH 1/5] target-arm: there is no TTBR1 for 32-bit EL2 stage 1 translations
From: Peter Maydell @ 2015-07-24 15:20 UTC (permalink / raw)
To: qemu-devel; +Cc: Edgar E. Iglesias, patches
For EL2 stage 1 translations, there is no TTBR1. We were already
handling this for 64-bit EL2; add the code to take the 'no TTBR1'
code path for 64-bit EL2 as well.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target-arm/helper.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/target-arm/helper.c b/target-arm/helper.c
index 01f0d0d..1ac6594 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -5638,6 +5638,11 @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
if (el > 1) {
ttbr1_valid = false;
}
+ } else {
+ /* There is no TTBR1 for EL2 */
+ if (el == 2) {
+ ttbr1_valid = false;
+ }
}
/* Determine whether this address is in the region controlled by
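Review bot: the new else branch tests `el == 2` while the branch just above it tests `el > 1`, and the comment only says there is no TTBR1 for EL2, so a reader cannot tell whether EL3 is left with TTBR1 valid on purpose on this path. A sentence in the comment saying so would settle it, and the branch could be written as `} else if (el == 2) {` to save a nesting level. The commit message also says the path is added "for 64-bit EL2 as well" where the subject line says 32-bit EL2.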
--
1.9.1
* [Qemu-devel] [PATCH 2/5] target-arm: Wire up AArch64 EL2 and EL3 address translation ops
From: Peter Maydell @ 2015-07-24 15:21 UTC (permalink / raw)
To: qemu-devel; +Cc: Edgar E. Iglesias, patches
Wire up the AArch64 EL2 and EL3 address translation operations
(AT S12E1*, AT S12E0*, AT S1E2*, AT S1E3*), and correct some
errors in the ats_write64() function in previously unused code
that would have done the wrong kind of lookup for accesses from
EL3 when SCR.NS==0.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target-arm/helper.c | 45 +++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 43 insertions(+), 2 deletions(-)
diff --git a/target-arm/helper.c b/target-arm/helper.c
index 1ac6594..1974fa6 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -1602,6 +1602,14 @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
A32_BANKED_CURRENT_REG_SET(env, par, par64);
}
+static CPAccessResult at_s1e2_access(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+ if (arm_current_el(env) == 3 && !(env->cp15.scr_el3 & SCR_NS)) {
+ return CP_ACCESS_TRAP;
+ }
+ return CP_ACCESS_OK;
+}
+
static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
uint64_t value)
{
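Review bot: at_s1e2_access() has no comment saying why an access from EL3 with SCR.NS clear is refused, and it returns plain CP_ACCESS_TRAP, so it is worth stating which syndrome and target EL are intended here. The next patch in the series adds uncategorized trap results; if this case is meant to behave as an undefined instruction, one of those (or CP_ACCESS_TRAP_UNCATEGORIZED) would express it more directly.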
@@ -1629,10 +1637,10 @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
mmu_idx = secure ? ARMMMUIdx_S1SE0 : ARMMMUIdx_S1NSE0;
break;
case 4: /* AT S12E1R, AT S12E1W */
- mmu_idx = ARMMMUIdx_S12NSE1;
+ mmu_idx = secure ? ARMMMUIdx_S1SE1 : ARMMMUIdx_S12NSE1;
break;
case 6: /* AT S12E0R, AT S12E0W */
- mmu_idx = ARMMMUIdx_S12NSE0;
+ mmu_idx = secure ? ARMMMUIdx_S1SE0 : ARMMMUIdx_S12NSE0;
break;
default:
g_assert_not_reached();
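Review bot: cases 4 and 6 now fall back to the Secure stage 1 indexes (ARMMMUIdx_S1SE1, ARMMMUIdx_S1SE0) when `secure` is set, which deserves a one-line comment because the case labels still read as stage 1+2 operations. How `secure` is computed is outside this hunk; the commit message says the case being fixed is EL3 with SCR.NS==0, so please confirm that `secure` reflects exactly that condition.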
@@ -2504,6 +2512,25 @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
{ .name = "AT_S1E0W", .state = ARM_CP_STATE_AA64,
.opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 3,
.access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+ { .name = "AT_S12E1R", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 4,
+ .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+ { .name = "AT_S12E1W", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 5,
+ .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+ { .name = "AT_S12E0R", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 6,
+ .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+ { .name = "AT_S12E0W", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 7,
+ .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+ /* AT S1E2* are elsewhere as they UNDEF from EL3 if EL2 is not present */
+ { .name = "AT_S1E3R", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 0,
+ .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+ { .name = "AT_S1E3W", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 1,
+ .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
#endif
/* TLB invalidate last level of translation table walk */
{ .name = "TLBIMVALIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 5,
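Review bot: the four AT_S12E* entries are declared with .opc1 = 0, the same value as the EL1 entry AT_S1E0W just above them, although they are PL2_W and the other EL2 operations in this patch (AT_S1E2R, AT_S1E2W) use .opc1 = 4. Please check the encoding against the architecture manual; if it is a copy-and-paste slip, a guest issuing the real S12 encodings will not reach these entries. Separately, AT_S1E3R and AT_S1E3W carry .opc2 = 0 and 1 and go to ats_write64(), but this patch adds no case there that selects an EL3 translation regime.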
@@ -2724,6 +2751,20 @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
.opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 1,
.type = ARM_CP_NO_RAW, .access = PL2_W,
.writefn = tlbi_aa64_vaa_write },
+#ifndef CONFIG_USER_ONLY
+ /* Unlike the other EL2-related AT operations, these must
+ * UNDEF from EL3 if EL2 is not implemented, which is why we
+ * define them here rather than with the rest of the AT ops.
+ */
+ { .name = "AT_S1E2R", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
+ .access = PL2_W, .accessfn = at_s1e2_access,
+ .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+ { .name = "AT_S1E2W", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
+ .access = PL2_W, .accessfn = at_s1e2_access,
+ .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+#endif
REGINFO_SENTINEL
};
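Review bot: AT_S1E2R and AT_S1E2W are routed to ats_write64() with .opc2 = 0 and 1, yet the only changes this patch makes to that function are in cases 4 and 6, so nothing visible picks an EL2 stage 1 regime for them. Unless the function already distinguishes on ri->opc1, these would be handled like the EL1 operations that share the same opc2 values; a case keyed on opc1 is needed alongside the new register definitions.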
--
1.9.1
* [Qemu-devel] [PATCH 3/5] target-arm: Add CP_ACCESS_TRAP_UNCATEGORIZED_EL2, 3
From: Peter Maydell @ 2015-07-24 15:21 UTC (permalink / raw)
To: qemu-devel; +Cc: Edgar E. Iglesias, patches
Some coprocessor register access functions need to be able
to report "trap to EL3 with an 'uncategorized' syndrome";
add the necessary CPAccessResult enum and handling for it.
I don't currently know of any registers that need to trap
to EL2 with the 'uncategorized' syndrome, but adding the
_EL2 enum as well is trivial and fills in what would
otherwise be an odd gap in the handling.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target-arm/cpu.h | 3 +++
target-arm/op_helper.c | 8 ++++++++
2 files changed, 11 insertions(+)
diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index 7e89152..685474e 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -1280,6 +1280,9 @@ typedef enum CPAccessResult {
/* As CP_ACCESS_TRAP, but for traps directly to EL2 or EL3 */
CP_ACCESS_TRAP_EL2 = 3,
CP_ACCESS_TRAP_EL3 = 4,
+ /* As CP_ACCESS_UNCATEGORIZED, but for traps directly to EL2 or EL3 */
+ CP_ACCESS_TRAP_UNCATEGORIZED_EL2 = 5,
+ CP_ACCESS_TRAP_UNCATEGORIZED_EL3 = 6,
} CPAccessResult;
/* Access functions for coprocessor registers. These cannot fail and
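Review bot: the new comment refers to CP_ACCESS_UNCATEGORIZED, but the result used elsewhere in this series is spelled CP_ACCESS_TRAP_UNCATEGORIZED, so the comment should use that name. Otherwise a grep for the identifier in the comment finds nothing.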
diff --git a/target-arm/op_helper.c b/target-arm/op_helper.c
index 663c05d..1425a1d 100644
--- a/target-arm/op_helper.c
+++ b/target-arm/op_helper.c
@@ -444,6 +444,14 @@ void HELPER(access_check_cp_reg)(CPUARMState *env, void *rip, uint32_t syndrome)
target_el = exception_target_el(env);
syndrome = syn_uncategorized();
break;
+ case CP_ACCESS_TRAP_UNCATEGORIZED_EL2:
+ target_el = 2;
+ syndrome = syn_uncategorized();
+ break;
+ case CP_ACCESS_TRAP_UNCATEGORIZED_EL3:
+ target_el = 3;
+ syndrome = syn_uncategorized();
+ break;
default:
g_assert_not_reached();
}
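Review bot: both new cases hard-code target_el to 2 or 3 without checking that the CPU implements that exception level, unlike the case above, which asks exception_target_el(). An assert, or a comment stating that access functions may only return these values when the level exists, would make the contract explicit. The three uncategorized cases also repeat the same syndrome assignment and could share it.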
--
1.9.1
* [Qemu-devel] [PATCH 4/5] target-arm: Enable the AArch32 ATS12NSO ops
From: Peter Maydell @ 2015-07-24 15:21 UTC (permalink / raw)
To: qemu-devel; +Cc: Edgar E. Iglesias, patches
Apply the correct conditions in the ats_access() function for
the ATS12NSO* address translation operations:
* succeed at EL2 or EL3
* normal UNDEF trap from NS EL1
* trap to EL3 from S EL1 (only possible if EL3 is AArch64)
(This change means they're now available in our EL3-supporting
CPUs when they would previously always UNDEF.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target-arm/helper.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/target-arm/helper.c b/target-arm/helper.c
index 1974fa6..67d108e 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -1477,12 +1477,17 @@ static void par_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
static CPAccessResult ats_access(CPUARMState *env, const ARMCPRegInfo *ri)
{
if (ri->opc2 & 4) {
- /* Other states are only available with TrustZone; in
- * a non-TZ implementation these registers don't exist
- * at all, which is an Uncategorized trap. This underdecoding
- * is safe because the reginfo is NO_RAW.
+ /* The ATS12NSO* operations must trap to EL3 if executed in
+ * Secure EL1 (which can only happen if EL3 is AArch64).
+ * They are simply UNDEF if executed from NS EL1.
+ * They function normally from EL2 or EL3.
*/
- return CP_ACCESS_TRAP_UNCATEGORIZED;
+ if (arm_current_el(env) == 1) {
+ if (arm_is_secure_below_el3(env)) {
+ return CP_ACCESS_TRAP_UNCATEGORIZED_EL3;
+ }
+ return CP_ACCESS_TRAP_UNCATEGORIZED;
+ }
}
return CP_ACCESS_OK;
}
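Review bot: with this change ats_access() returns CP_ACCESS_OK for the `opc2 & 4` encodings at EL2 and EL3, but ats_write() is not touched by this patch, so the commit message should say that its decode already handles the ATS12NSO* values. The test `arm_current_el(env) == 1` also relies on the PL1_W access check rejecting EL0 before this function runs; a short remark in the comment would make that dependency visible.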
@@ -1657,6 +1662,7 @@ static const ARMCPRegInfo vapa_cp_reginfo[] = {
offsetoflow32(CPUARMState, cp15.par_ns) },
.writefn = par_write },
#ifndef CONFIG_USER_ONLY
+ /* This underdecoding is safe because the reginfo is NO_RAW. */
{ .name = "ATS", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = CP_ANY,
.access = PL1_W, .accessfn = ats_access,
.writefn = ats_write, .type = ARM_CP_NO_RAW },
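Review bot: the relocated comment says "This underdecoding" without saying what is underdecoded; once detached from ats_access() it has lost its context. Naming it, for example that .opc2 = CP_ANY matches every opc2 value, would keep the comment meaningful where it now sits.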
--
1.9.1
* [Qemu-devel] [PATCH 5/5] target-arm: Implement AArch32 ATS1H* operations
From: Peter Maydell @ 2015-07-24 15:21 UTC (permalink / raw)
To: qemu-devel; +Cc: Edgar E. Iglesias, patches
Implement the AArch32 ATS1H* operations which perform
Hyp mode stage 1 translations.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target-arm/helper.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/target-arm/helper.c b/target-arm/helper.c
index 67d108e..b9ce965 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -1607,6 +1607,17 @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
A32_BANKED_CURRENT_REG_SET(env, par, par64);
}
+static void ats1h_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ int access_type = ri->opc2 & 1;
+ uint64_t par64;
+
+ par64 = do_ats_write(env, value, access_type, ARMMMUIdx_S2NS);
+
+ A32_BANKED_CURRENT_REG_SET(env, par, par64);
+}
+
static CPAccessResult at_s1e2_access(CPUARMState *env, const ARMCPRegInfo *ri)
{
if (arm_current_el(env) == 3 && !(env->cp15.scr_el3 & SCR_NS)) {
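Review bot: ats1h_write() passes ARMMMUIdx_S2NS to do_ats_write(), while the commit message describes these as Hyp mode stage 1 translations; going by the naming of the other indexes in this series (ARMMMUIdx_S1SE1, ARMMMUIdx_S12NSE1), that name reads as a stage 2 regime. Please confirm the index, and if a stage 1 EL2 index was intended, use it here. The cover letter says stage 2 translation is not implemented yet, so the choice affects what the operation returns.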
@@ -2770,6 +2781,17 @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
.opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
.access = PL2_W, .accessfn = at_s1e2_access,
.type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+ /* The AArch32 ATS1H* operations are CONSTRAINED UNPREDICTABLE
+ * if EL2 is not implemented; we choose to UNDEF. Behaviour at EL3
+ * with SCR.NS == 0 outside Monitor mode is UNPREDICTABLE; we choose
+ * to behave as if SCR.NS was 1.
+ */
+ { .name = "ATS1HR", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
+ .access = PL2_W,
+ .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
+ { .name = "ATS1HW", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
+ .access = PL2_W,
+ .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
#endif
REGINFO_SENTINEL
};
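Review bot: the comment says that at EL3 with SCR.NS == 0 the operations behave as if SCR.NS was 1, but the ATS1HR and ATS1HW entries have no .accessfn and ats1h_write() stores its result through A32_BANKED_CURRENT_REG_SET, so it is not clear from the patch which PAR bank receives the result in that case. Either state in the comment how the choice is implemented or make the write target explicit.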
--
1.9.1
* Re: [Qemu-devel] [PATCH 0/5] Wire up various EL2/EL3 address translation ops
From: Peter Maydell @ 2015-08-14 10:10 UTC (permalink / raw)
To: QEMU Developers; +Cc: Edgar E. Iglesias, Patch Tracking
Ping?
thanks
-- PMM
On 24 July 2015 at 16:20, Peter Maydell <peter.maydell@linaro.org> wrote:
> This patch series wires up some of the EL2 and EL3 address
> translation operations which we were missing:
> * the AArch64 EL2 and EL3 AT ops
> * the AArch32 ATS12NSO ops
> * the AArch32 ATS1H ops
>
> Most of these are still not accessible or not very interesting
> because we don't have any CPUs which set ARM_FEATURE_EL2 yet.
> Providing ATS12NSO for AArch32-with-EL3 CPUs is a genuine bugfix.
>
> I included a bugfix for the 32-bit EL2 stage 1 translation
> regime. I think that the only remaining thing missing for EL2
> (based on eyeballing our current code) is implementing stage
> 2 translations.
>
> NB: this code isn't really tested, but it looks nice when you
> read it.
>
> Peter Maydell (5):
> target-arm: there is no TTBR1 for 32-bit EL2 stage 1 translations
> target-arm: Wire up AArch64 EL2 and EL3 address translation ops
> target-arm: Add CP_ACCESS_TRAP_UNCATEGORIZED_EL2,3
> target-arm: Enable the AArch32 ATS12NSO ops
> target-arm: Implement AArch32 ATS1H* operations
>
> target-arm/cpu.h | 3 ++
> target-arm/helper.c | 88 ++++++++++++++++++++++++++++++++++++++++++++++----
> target-arm/op_helper.c | 8 +++++
> 3 files changed, 92 insertions(+), 7 deletions(-)
* Re: [Qemu-devel] [PATCH 1/5] target-arm: there is no TTBR1 for 32-bit EL2 stage 1 translations
From: Edgar E. Iglesias @ 2015-08-17 1:38 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-devel, patches
On Fri, Jul 24, 2015 at 04:20:59PM +0100, Peter Maydell wrote:
> For EL2 stage 1 translations, there is no TTBR1. We were already
> handling this for 64-bit EL2; add the code to take the 'no TTBR1'
> code path for 64-bit EL2 as well.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
> ---
> target-arm/helper.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/target-arm/helper.c b/target-arm/helper.c
> index 01f0d0d..1ac6594 100644
> --- a/target-arm/helper.c
> +++ b/target-arm/helper.c
> @@ -5638,6 +5638,11 @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
> if (el > 1) {
> ttbr1_valid = false;
> }
> + } else {
> + /* There is no TTBR1 for EL2 */
> + if (el == 2) {
> + ttbr1_valid = false;
> + }
> }
>
> /* Determine whether this address is in the region controlled by
> --
> 1.9.1
>
* Re: [Qemu-devel] [PATCH 2/5] target-arm: Wire up AArch64 EL2 and EL3 address translation ops
From: Edgar E. Iglesias @ 2015-08-17 1:51 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-devel, patches
On Fri, Jul 24, 2015 at 04:21:00PM +0100, Peter Maydell wrote:
> Wire up the AArch64 EL2 and EL3 address translation operations
> (AT S12E1*, AT S12E0*, AT S1E2*, AT S1E3*), and correct some
> errors in the ats_write64() function in previously unused code
> that would have done the wrong kind of lookup for accesses from
> EL3 when SCR.NS==0.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This one didn't apply for me, I guess some context has moved around a little..
The changes look OK to me though:
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
> ---
> target-arm/helper.c | 45 +++++++++++++++++++++++++++++++++++++++++++--
> 1 file changed, 43 insertions(+), 2 deletions(-)
>
> diff --git a/target-arm/helper.c b/target-arm/helper.c
> index 1ac6594..1974fa6 100644
> --- a/target-arm/helper.c
> +++ b/target-arm/helper.c
> @@ -1602,6 +1602,14 @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
> A32_BANKED_CURRENT_REG_SET(env, par, par64);
> }
>
> +static CPAccessResult at_s1e2_access(CPUARMState *env, const ARMCPRegInfo *ri)
> +{
> + if (arm_current_el(env) == 3 && !(env->cp15.scr_el3 & SCR_NS)) {
> + return CP_ACCESS_TRAP;
> + }
> + return CP_ACCESS_OK;
> +}
> +
> static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
> uint64_t value)
> {
> @@ -1629,10 +1637,10 @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
> mmu_idx = secure ? ARMMMUIdx_S1SE0 : ARMMMUIdx_S1NSE0;
> break;
> case 4: /* AT S12E1R, AT S12E1W */
> - mmu_idx = ARMMMUIdx_S12NSE1;
> + mmu_idx = secure ? ARMMMUIdx_S1SE1 : ARMMMUIdx_S12NSE1;
> break;
> case 6: /* AT S12E0R, AT S12E0W */
> - mmu_idx = ARMMMUIdx_S12NSE0;
> + mmu_idx = secure ? ARMMMUIdx_S1SE0 : ARMMMUIdx_S12NSE0;
> break;
> default:
> g_assert_not_reached();
> @@ -2504,6 +2512,25 @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
> { .name = "AT_S1E0W", .state = ARM_CP_STATE_AA64,
> .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 3,
> .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
> + { .name = "AT_S12E1R", .state = ARM_CP_STATE_AA64,
> + .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 4,
> + .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
> + { .name = "AT_S12E1W", .state = ARM_CP_STATE_AA64,
> + .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 5,
> + .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
> + { .name = "AT_S12E0R", .state = ARM_CP_STATE_AA64,
> + .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 6,
> + .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
> + { .name = "AT_S12E0W", .state = ARM_CP_STATE_AA64,
> + .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 7,
> + .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
> + /* AT S1E2* are elsewhere as they UNDEF from EL3 if EL2 is not present */
> + { .name = "AT_S1E3R", .state = ARM_CP_STATE_AA64,
> + .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 0,
> + .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
> + { .name = "AT_S1E3W", .state = ARM_CP_STATE_AA64,
> + .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 1,
> + .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
> #endif
> /* TLB invalidate last level of translation table walk */
> { .name = "TLBIMVALIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 5,
> @@ -2724,6 +2751,20 @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
> .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 1,
> .type = ARM_CP_NO_RAW, .access = PL2_W,
> .writefn = tlbi_aa64_vaa_write },
> +#ifndef CONFIG_USER_ONLY
> + /* Unlike the other EL2-related AT operations, these must
> + * UNDEF from EL3 if EL2 is not implemented, which is why we
> + * define them here rather than with the rest of the AT ops.
> + */
> + { .name = "AT_S1E2R", .state = ARM_CP_STATE_AA64,
> + .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
> + .access = PL2_W, .accessfn = at_s1e2_access,
> + .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
> + { .name = "AT_S1E2W", .state = ARM_CP_STATE_AA64,
> + .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
> + .access = PL2_W, .accessfn = at_s1e2_access,
> + .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
> +#endif
> REGINFO_SENTINEL
> };
>
> --
> 1.9.1
>
* Re: [Qemu-devel] [PATCH 3/5] target-arm: Add CP_ACCESS_TRAP_UNCATEGORIZED_EL2, 3
From: Edgar E. Iglesias @ 2015-08-17 1:52 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-devel, patches
On Fri, Jul 24, 2015 at 04:21:01PM +0100, Peter Maydell wrote:
> Some coprocessor register access functions need to be able
> to report "trap to EL3 with an 'uncategorized' syndrome";
> add the necessary CPAccessResult enum and handling for it.
>
> I don't currently know of any registers that need to trap
> to EL2 with the 'uncategorized' syndrome, but adding the
> _EL2 enum as well is trivial and fills in what would
> otherwise be an odd gap in the handling.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
> ---
> target-arm/cpu.h | 3 +++
> target-arm/op_helper.c | 8 ++++++++
> 2 files changed, 11 insertions(+)
>
> diff --git a/target-arm/cpu.h b/target-arm/cpu.h
> index 7e89152..685474e 100644
> --- a/target-arm/cpu.h
> +++ b/target-arm/cpu.h
> @@ -1280,6 +1280,9 @@ typedef enum CPAccessResult {
> /* As CP_ACCESS_TRAP, but for traps directly to EL2 or EL3 */
> CP_ACCESS_TRAP_EL2 = 3,
> CP_ACCESS_TRAP_EL3 = 4,
> + /* As CP_ACCESS_UNCATEGORIZED, but for traps directly to EL2 or EL3 */
> + CP_ACCESS_TRAP_UNCATEGORIZED_EL2 = 5,
> + CP_ACCESS_TRAP_UNCATEGORIZED_EL3 = 6,
> } CPAccessResult;
>
> /* Access functions for coprocessor registers. These cannot fail and
> diff --git a/target-arm/op_helper.c b/target-arm/op_helper.c
> index 663c05d..1425a1d 100644
> --- a/target-arm/op_helper.c
> +++ b/target-arm/op_helper.c
> @@ -444,6 +444,14 @@ void HELPER(access_check_cp_reg)(CPUARMState *env, void *rip, uint32_t syndrome)
> target_el = exception_target_el(env);
> syndrome = syn_uncategorized();
> break;
> + case CP_ACCESS_TRAP_UNCATEGORIZED_EL2:
> + target_el = 2;
> + syndrome = syn_uncategorized();
> + break;
> + case CP_ACCESS_TRAP_UNCATEGORIZED_EL3:
> + target_el = 3;
> + syndrome = syn_uncategorized();
> + break;
> default:
> g_assert_not_reached();
> }
> --
> 1.9.1
>
* Re: [Qemu-devel] [PATCH 4/5] target-arm: Enable the AArch32 ATS12NSO ops
From: Edgar E. Iglesias @ 2015-08-17 13:31 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-devel, patches
On Fri, Jul 24, 2015 at 04:21:02PM +0100, Peter Maydell wrote:
> Apply the correct conditions in the ats_access() function for
> the ATS12NSO* address translation operations:
> * succeed at EL2 or EL3
> * normal UNDEF trap from NS EL1
> * trap to EL3 from S EL1 (only possible if EL3 is AArch64)
>
> (This change means they're now available in our EL3-supporting
> CPUs when they would previously always UNDEF.)
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
> ---
> target-arm/helper.c | 16 +++++++++++-----
> 1 file changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/target-arm/helper.c b/target-arm/helper.c
> index 1974fa6..67d108e 100644
> --- a/target-arm/helper.c
> +++ b/target-arm/helper.c
> @@ -1477,12 +1477,17 @@ static void par_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
> static CPAccessResult ats_access(CPUARMState *env, const ARMCPRegInfo *ri)
> {
> if (ri->opc2 & 4) {
> - /* Other states are only available with TrustZone; in
> - * a non-TZ implementation these registers don't exist
> - * at all, which is an Uncategorized trap. This underdecoding
> - * is safe because the reginfo is NO_RAW.
> + /* The ATS12NSO* operations must trap to EL3 if executed in
> + * Secure EL1 (which can only happen if EL3 is AArch64).
> + * They are simply UNDEF if executed from NS EL1.
> + * They function normally from EL2 or EL3.
> */
> - return CP_ACCESS_TRAP_UNCATEGORIZED;
> + if (arm_current_el(env) == 1) {
> + if (arm_is_secure_below_el3(env)) {
> + return CP_ACCESS_TRAP_UNCATEGORIZED_EL3;
> + }
> + return CP_ACCESS_TRAP_UNCATEGORIZED;
> + }
> }
> return CP_ACCESS_OK;
> }
> @@ -1657,6 +1662,7 @@ static const ARMCPRegInfo vapa_cp_reginfo[] = {
> offsetoflow32(CPUARMState, cp15.par_ns) },
> .writefn = par_write },
> #ifndef CONFIG_USER_ONLY
> + /* This underdecoding is safe because the reginfo is NO_RAW. */
> { .name = "ATS", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = CP_ANY,
> .access = PL1_W, .accessfn = ats_access,
> .writefn = ats_write, .type = ARM_CP_NO_RAW },
> --
> 1.9.1
>
* Re: [Qemu-devel] [PATCH 5/5] target-arm: Implement AArch32 ATS1H* operations
From: Edgar E. Iglesias @ 2015-08-17 13:36 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-devel, patches
On Fri, Jul 24, 2015 at 04:21:03PM +0100, Peter Maydell wrote:
> Implement the AArch32 ATS1H* operations which perform
> Hyp mode stage 1 translations.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
> ---
> target-arm/helper.c | 22 ++++++++++++++++++++++
> 1 file changed, 22 insertions(+)
>
> diff --git a/target-arm/helper.c b/target-arm/helper.c
> index 67d108e..b9ce965 100644
> --- a/target-arm/helper.c
> +++ b/target-arm/helper.c
> @@ -1607,6 +1607,17 @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
> A32_BANKED_CURRENT_REG_SET(env, par, par64);
> }
>
> +static void ats1h_write(CPUARMState *env, const ARMCPRegInfo *ri,
> + uint64_t value)
> +{
> + int access_type = ri->opc2 & 1;
> + uint64_t par64;
> +
> + par64 = do_ats_write(env, value, access_type, ARMMMUIdx_S2NS);
> +
> + A32_BANKED_CURRENT_REG_SET(env, par, par64);
> +}
> +
> static CPAccessResult at_s1e2_access(CPUARMState *env, const ARMCPRegInfo *ri)
> {
> if (arm_current_el(env) == 3 && !(env->cp15.scr_el3 & SCR_NS)) {
> @@ -2770,6 +2781,17 @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
> .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
> .access = PL2_W, .accessfn = at_s1e2_access,
> .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
> + /* The AArch32 ATS1H* operations are CONSTRAINED UNPREDICTABLE
> + * if EL2 is not implemented; we choose to UNDEF. Behaviour at EL3
> + * with SCR.NS == 0 outside Monitor mode is UNPREDICTABLE; we choose
> + * to behave as if SCR.NS was 1.
> + */
> + { .name = "ATS1HR", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
> + .access = PL2_W,
> + .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
> + { .name = "ATS1HW", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
> + .access = PL2_W,
> + .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
> #endif
> REGINFO_SENTINEL
> };
> --
> 1.9.1
>