From: Jean-Philippe Brucker <jean-philippe@linaro.org>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-arm@nongnu.org, qemu-devel@nongnu.org,
Richard Henderson <richard.henderson@linaro.org>
Subject: Re: [PATCH for-8.1 2/3] target/arm: Fix S1_ptw_translate() debug path
Date: Tue, 11 Jul 2023 12:05:31 +0100 [thread overview]
Message-ID: <20230711110531.GA201871@myrica> (raw)
In-Reply-To: <20230710152130.3928330-3-peter.maydell@linaro.org>
On Mon, Jul 10, 2023 at 04:21:29PM +0100, Peter Maydell wrote:
> In commit XXX we rearranged the logic in S1_ptw_translate() so that
> the debug-access "call get_phys_addr_*" codepath is used both when S1
> is doing ptw reads from stage 2 and when it is doing ptw reads from
> physical memory. However, we didn't update the calculation of
> s2ptw->in_space and s2ptw->in_secure to account for the "ptw reads
> from physical memory" case. This meant that debug accesses when in
> Secure state broke.
>
> Create a new function S2_security_space() which returns the
> correct security space to use for the ptw load, and use it to
> determine the correct .in_secure and .in_space fields for the
> stage 2 lookup for the ptw load.
>
> Reported-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
> Fixes: fe4a5472ccd6 ("target/arm: Use get_phys_addr_with_struct in S1_ptw_translate")
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Thanks, this fixes tf-a boot with semihosting
Tested-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
> ---
> target/arm/ptw.c | 37 ++++++++++++++++++++++++++++++++-----
> 1 file changed, 32 insertions(+), 5 deletions(-)
>
> diff --git a/target/arm/ptw.c b/target/arm/ptw.c
> index 21749375f97..c0b9cee5843 100644
> --- a/target/arm/ptw.c
> +++ b/target/arm/ptw.c
> @@ -485,11 +485,39 @@ static bool S2_attrs_are_device(uint64_t hcr, uint8_t attrs)
> }
> }
>
> +static ARMSecuritySpace S2_security_space(ARMSecuritySpace s1_space,
> + ARMMMUIdx s2_mmu_idx)
> +{
> + /*
> + * Return the security space to use for stage 2 when doing
> + * the S1 page table descriptor load.
> + */
> + if (regime_is_stage2(s2_mmu_idx)) {
> + /*
> + * The security space for ptw reads is almost always the same
> + * as that of the security space of the stage 1 translation.
> + * The only exception is when stage 1 is Secure; in that case
> + * the ptw read might be to the Secure or the NonSecure space
> + * (but never Realm or Root), and the s2_mmu_idx tells us which.
> + * Root translations are always single-stage.
> + */
> + if (s1_space == ARMSS_Secure) {
> + return arm_secure_to_space(s2_mmu_idx == ARMMMUIdx_Stage2_S);
> + } else {
> + assert(s2_mmu_idx != ARMMMUIdx_Stage2_S);
> + assert(s1_space != ARMSS_Root);
> + return s1_space;
> + }
> + } else {
> + /* ptw loads are from phys: the mmu idx itself says which space */
> + return arm_phys_to_space(s2_mmu_idx);
> + }
> +}
> +
> /* Translate a S1 pagetable walk through S2 if needed. */
> static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
> hwaddr addr, ARMMMUFaultInfo *fi)
> {
> - ARMSecuritySpace space = ptw->in_space;
> bool is_secure = ptw->in_secure;
> ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
> ARMMMUIdx s2_mmu_idx = ptw->in_ptw_idx;
> @@ -502,13 +530,12 @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
> * From gdbstub, do not use softmmu so that we don't modify the
> * state of the cpu at all, including softmmu tlb contents.
> */
> + ARMSecuritySpace s2_space = S2_security_space(ptw->in_space, s2_mmu_idx);
> S1Translate s2ptw = {
> .in_mmu_idx = s2_mmu_idx,
> .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx),
> - .in_secure = s2_mmu_idx == ARMMMUIdx_Stage2_S,
> - .in_space = (s2_mmu_idx == ARMMMUIdx_Stage2_S ? ARMSS_Secure
> - : space == ARMSS_Realm ? ARMSS_Realm
> - : ARMSS_NonSecure),
> + .in_secure = arm_space_is_secure(s2_space),
> + .in_space = s2_space,
> .in_debug = true,
> };
> GetPhysAddrResult s2 = { };
> --
> 2.34.1
>
next prev parent reply other threads:[~2023-07-11 11:05 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-10 15:21 [PATCH for-8.1 0/3] target/arm: Fix ptw bugs introduced by FEAT_RME changes Peter Maydell
2023-07-10 15:21 ` [PATCH for-8.1 1/3] target/arm/ptw.c: Add comments to S1Translate struct fields Peter Maydell
2023-07-13 17:37 ` Richard Henderson
2023-07-10 15:21 ` [PATCH for-8.1 2/3] target/arm: Fix S1_ptw_translate() debug path Peter Maydell
2023-07-10 16:46 ` Peter Maydell
2023-07-11 11:05 ` Jean-Philippe Brucker [this message]
2023-07-13 18:28 ` Richard Henderson
2023-07-10 15:21 ` [PATCH for-8.1 3/3] target/arm/ptw.c: Account for FEAT_RME when applying {N}SW, SA bits Peter Maydell
2023-07-13 18:31 ` [PATCH for-8.1 3/3] target/arm/ptw.c: Account for FEAT_RME when applying {N}SW,SA bits Richard Henderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230711110531.GA201871@myrica \
--to=jean-philippe@linaro.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).