* [PATCH 01/65] hw/core: Permit devices to define an array of link properties
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 11:11 ` Jonathan Cameron via qemu development
2026-03-21 15:42 ` Philippe Mathieu-Daudé
2026-02-23 17:01 ` [PATCH 02/65] hw/intc: Skeleton of GICv5 IRS classes Peter Maydell
` (64 subsequent siblings)
65 siblings, 2 replies; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Currently we allow devices to define "link properties" with
DEFINE_PROP_LINK(): these are a way to give a device a pointer to
another QOM object. (Under the hood this is done by handing it the
canonical QOM path for the object.)
We also allow devices to define "array properties" with
DEFINE_PROP_ARRAY(): these are a way to give a device a
variable-length array of properties.
However, there is no way to define an array of link properties. If
you try to do it by passing qdev_prop_link as the arrayprop argument
to DEFINE_PROP_ARRAY() you will get a crash because qdev_prop_link
does not provide the .set and .get methods in its PropertyInfo
struct.
This patch implements a new DEFINE_PROP_LINK_ARRAY(). In
a device you can use it like this:
struct MyDevice {
...
uint32_t num_cpus;
ARMCPU **cpus;
}
and in your Property array:
DEFINE_PROP_LINK_ARRAY("cpus", MyDevice, num_cpus, cpus,
TYPE_ARM_CPU, ARMCPU *),
The array property code will fill in s->num_cpus, allocate memory in
s->cpus, and populate it with pointers.
On the device-creation side you set the property in the same way as
the existing array properties, using the new qlist_append_link()
function to append to the QList:
QList *cpulist = qlist_new();
for (int i = 0; i < cpus; i++) {
qlist_append_link(cpulist, OBJECT(cpu[i]));
}
qdev_prop_set_array(mydev, "cpus", cpulist);
The implementation is mostly in the provision of the .set and
.get methods to the qdev_prop_link PropertyInfo struct. The
code of these methods parallels the code in
object_set_link_property() and object_get_link_property(). We can't
completely share the code with those functions because of differences
in where we get the information like the target QOM type, but I have
pulled out a new function object_resolve_and_typecheck() for the
shared "given a QOM path and a type, give me the object or an error"
code.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
I want this specifically for the GICv5 interrupt controller device
I'm working on. I'd like to be able to pass in links to the CPUs
connected to the GIC, so that we don't have to have the code assume
that it's connected to CPU numbers 0,1,2... the way the current
GICv3 code does.
I think Phil also had a proposed series a while back that wanted
to do something similar with one of the existing devices.
I figured I'd post this early for review, though obviously it's a
little unmotivated until I have my new GICv5 code into enough shape
to submit. This is tested, but with my work-in-progress code.
---
hw/core/qdev-properties.c | 78 +++++++++++++++++++++++++++++++
include/hw/core/qdev-properties.h | 40 ++++++++++++++++
include/qom/object.h | 19 ++++++++
qom/object.c | 42 ++++++++++-------
4 files changed, 161 insertions(+), 18 deletions(-)
diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
index ba8461e9a4..f8181b0d91 100644
--- a/hw/core/qdev-properties.c
+++ b/hw/core/qdev-properties.c
@@ -669,6 +669,7 @@ static Property array_elem_prop(Object *obj, const Property *parent_prop,
* being inside the device struct.
*/
.offset = (uintptr_t)elem - (uintptr_t)obj,
+ .link_type = parent_prop->link_type,
};
}
@@ -950,6 +951,12 @@ void qdev_prop_set_array(DeviceState *dev, const char *name, QList *values)
qobject_unref(values);
}
+void qlist_append_link(QList *qlist, Object *obj)
+{
+ g_autofree char *path = object_get_canonical_path(obj);
+ qlist_append_str(qlist, path);
+}
+
static GPtrArray *global_props(void)
{
static GPtrArray *gp;
@@ -1059,9 +1066,80 @@ static ObjectProperty *create_link_property(ObjectClass *oc, const char *name,
OBJ_PROP_LINK_STRONG);
}
+/*
+ * The logic in these get_link() and set_link() functions is similar
+ * to that used for single-element link properties in the
+ * object_get_link_property() and object_set_link_property() functions.
+ * The difference is largely in how we get the expected type of the
+ * link: for us it is in the Property struct, and for a single link
+ * property it is part of the property name on the object.
+ */
+static void get_link(Object *obj, Visitor *v, const char *name, void *opaque,
+ Error **errp)
+{
+ const Property *prop = opaque;
+ Object **targetp = object_field_prop_ptr(obj, prop);
+ g_autofree char *path = NULL;
+
+ if (*targetp) {
+ path = object_get_canonical_path(*targetp);
+ visit_type_str(v, name, &path, errp);
+ } else {
+ path = g_strdup("");
+ visit_type_str(v, name, &path, errp);
+ }
+}
+
+static void set_link(Object *obj, Visitor *v, const char *name, void *opaque,
+ Error **errp)
+{
+ const Property *prop = opaque;
+ Object **targetp = object_field_prop_ptr(obj, prop);
+ g_autofree char *path = NULL;
+ Object *new_target, *old_target = *targetp;
+
+ ERRP_GUARD();
+
+ /* Get the path to the object we want to set the link to */
+ if (!visit_type_str(v, name, &path, errp)) {
+ return;
+ }
+
+ /* Now get the pointer to the actual object */
+ if (*path) {
+ new_target = object_resolve_and_typecheck(path, prop->name,
+ prop->link_type, errp);
+ if (!new_target) {
+ return;
+ }
+ } else {
+ new_target = NULL;
+ }
+
+ /*
+ * Our link properties are always OBJ_PROP_LINK_STRONG and
+ * have the allow_set_link_before_realize check.
+ */
+ qdev_prop_allow_set_link_before_realize(obj, prop->name, new_target, errp);
+ if (*errp) {
+ return;
+ }
+
+ *targetp = new_target;
+ object_ref(new_target);
+ object_unref(old_target);
+}
+
const PropertyInfo qdev_prop_link = {
.type = "link",
.create = create_link_property,
+ /*
+ * Since we have a create method, the get and set are used
+ * only in get_prop_array() and set_prop_array() for the case
+ * where we have an array of link properties.
+ */
+ .get = get_link,
+ .set = set_link,
};
void qdev_property_add_static(DeviceState *dev, const Property *prop)
diff --git a/include/hw/core/qdev-properties.h b/include/hw/core/qdev-properties.h
index d8745d4c65..936d06023a 100644
--- a/include/hw/core/qdev-properties.h
+++ b/include/hw/core/qdev-properties.h
@@ -168,6 +168,31 @@ extern const PropertyInfo qdev_prop_link;
DEFINE_PROP(_name, _state, _field, qdev_prop_link, _ptr_type, \
.link_type = _type)
+/**
+ * DEFINE_PROP_LINK_ARRAY:
+ * @_name: name of the array
+ * @_state: name of the device state structure type
+ * @_field: uint32_t field in @_state to hold the array length
+ * @_arrayfield: field in @_state (of type '@_arraytype *') which
+ * will point to the array
+ * @_linktype: QOM type name of the link type
+ * @_arraytype: C type of the array elements
+ *
+ * Define device properties for a variable-length array _name of links
+ * (i.e. this is the array version of DEFINE_PROP_LINK).
+ * The array is represented as a list of QStrings in the visitor interface,
+ * where each string is the QOM path of the object to be linked.
+ */
+#define DEFINE_PROP_LINK_ARRAY(_name, _state, _field, _arrayfield, \
+ _linktype, _arraytype) \
+ DEFINE_PROP(_name, _state, _field, qdev_prop_array, uint32_t, \
+ .set_default = true, \
+ .defval.u = 0, \
+ .arrayinfo = &qdev_prop_link, \
+ .arrayfieldsize = sizeof(_arraytype), \
+ .arrayoffset = offsetof(_state, _arrayfield), \
+ .link_type = _linktype)
+
#define DEFINE_PROP_UINT8(_n, _s, _f, _d) \
DEFINE_PROP_UNSIGNED(_n, _s, _f, _d, qdev_prop_uint8, uint8_t)
#define DEFINE_PROP_UINT16(_n, _s, _f, _d) \
@@ -219,6 +244,21 @@ void qdev_prop_set_enum(DeviceState *dev, const char *name, int value);
/* Takes ownership of @values */
void qdev_prop_set_array(DeviceState *dev, const char *name, QList *values);
+/**
+ * qlist_append_link: Add a QOM object to a QList of link properties
+ * @qlist: list to append to
+ * @obj: object to append
+ *
+ * This is a helper function for constructing a QList to pass to
+ * qdev_prop_set_array() when the qdev property array is an array of link
+ * properties (i.e. one defined with DEFINE_PROP_LINK_ARRAY).
+ *
+ * The object is encoded into the list as a QString which is the
+ * canonical path of the object; this is the same encoding that
+ * object_set_link_property() and object_get_link_property() use.
+ */
+void qlist_append_link(QList *qlist, Object *obj);
+
void *object_field_prop_ptr(Object *obj, const Property *prop);
void qdev_prop_register_global(GlobalProperty *prop);
diff --git a/include/qom/object.h b/include/qom/object.h
index 26df6137b9..48fdbf353e 100644
--- a/include/qom/object.h
+++ b/include/qom/object.h
@@ -1750,6 +1750,25 @@ ObjectProperty *object_class_property_add_link(ObjectClass *oc,
Object *val, Error **errp),
ObjectPropertyLinkFlags flags);
+
+/**
+ * object_resolve_and_typecheck:
+ * @path: path to look up
+ * @name: name of property we are resolving for (used only in error messages)
+ * @target_type: QOM type we expect @path to resolve to
+ * @errp: error
+ *
+ * Look up the object at @path and return it. If it does not have
+ * the correct type @target_type, return NULL and set @errp.
+ *
+ * This is similar to object_resolve_path_type(), but it insists on
+ * a non-ambiguous path and it produces error messages that are specialised
+ * to the use case of setting a link property on an object.
+ */
+Object *object_resolve_and_typecheck(const char *path,
+ const char *name,
+ const char *target_type, Error **errp);
+
/**
* object_property_add_str:
* @obj: the object to add a property to
diff --git a/qom/object.c b/qom/object.c
index ff8ede8a32..90b8f3461e 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -1895,26 +1895,13 @@ static void object_get_link_property(Object *obj, Visitor *v,
}
}
-/*
- * object_resolve_link:
- *
- * Lookup an object and ensure its type matches the link property type. This
- * is similar to object_resolve_path() except type verification against the
- * link property is performed.
- *
- * Returns: The matched object or NULL on path lookup failures.
- */
-static Object *object_resolve_link(Object *obj, const char *name,
- const char *path, Error **errp)
+Object *object_resolve_and_typecheck(const char *path,
+ const char *name,
+ const char *target_type, Error **errp)
{
- const char *type;
- char *target_type;
bool ambiguous = false;
Object *target;
- /* Go from link<FOO> to FOO. */
- type = object_property_get_type(obj, name, NULL);
- target_type = g_strndup(&type[5], strlen(type) - 6);
target = object_resolve_path_type(path, target_type, &ambiguous);
if (ambiguous) {
@@ -1931,11 +1918,30 @@ static Object *object_resolve_link(Object *obj, const char *name,
}
target = NULL;
}
- g_free(target_type);
-
return target;
}
+/*
+ * object_resolve_link:
+ *
+ * Lookup an object and ensure its type matches the link property type. This
+ * is similar to object_resolve_path() except type verification against the
+ * link property is performed.
+ *
+ * Returns: The matched object or NULL on path lookup failures.
+ */
+static Object *object_resolve_link(Object *obj, const char *name,
+ const char *path, Error **errp)
+{
+ const char *type;
+ g_autofree char *target_type = NULL;
+
+ /* Go from link<FOO> to FOO. */
+ type = object_property_get_type(obj, name, NULL);
+ target_type = g_strndup(&type[5], strlen(type) - 6);
+ return object_resolve_and_typecheck(path, name, target_type, errp);
+}
+
static void object_set_link_property(Object *obj, Visitor *v,
const char *name, void *opaque,
Error **errp)
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 01/65] hw/core: Permit devices to define an array of link properties
2026-02-23 17:01 ` [PATCH 01/65] hw/core: Permit devices to define an array of link properties Peter Maydell
@ 2026-03-06 11:11 ` Jonathan Cameron via qemu development
2026-03-06 11:17 ` Peter Maydell
2026-03-21 15:42 ` Philippe Mathieu-Daudé
1 sibling, 1 reply; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 11:11 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:08 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Currently we allow devices to define "link properties" with
> DEFINE_PROP_LINK(): these are a way to give a device a pointer to
> another QOM object. (Under the hood this is done by handing it the
> canonical QOM path for the object.)
>
> We also allow devices to define "array properties" with
> DEFINE_PROP_ARRAY(): these are a way to give a device a
> variable-length array of properties.
>
> However, there is no way to define an array of link properties. If
> you try to do it by passing qdev_prop_link as the arrayprop argument
> to DEFINE_PROP_ARRAY() you will get a crash because qdev_prop_link
> does not provide the .set and .get methods in its PropertyInfo
> struct.
>
> This patch implements a new DEFINE_PROP_LINK_ARRAY(). In
> a device you can use it like this:
>
> struct MyDevice {
> ...
> uint32_t num_cpus;
> ARMCPU **cpus;
> }
>
> and in your Property array:
> DEFINE_PROP_LINK_ARRAY("cpus", MyDevice, num_cpus, cpus,
> TYPE_ARM_CPU, ARMCPU *),
>
> The array property code will fill in s->num_cpus, allocate memory in
> s->cpus, and populate it with pointers.
>
> On the device-creation side you set the property in the same way as
> the existing array properties, using the new qlist_append_link()
> function to append to the QList:
>
> QList *cpulist = qlist_new();
> for (int i = 0; i < cpus; i++) {
> qlist_append_link(cpulist, OBJECT(cpu[i]));
> }
> qdev_prop_set_array(mydev, "cpus", cpulist);
>
> The implementation is mostly in the provision of the .set and
> .get methods to the qdev_prop_link PropertyInfo struct. The
> code of these methods parallels the code in
> object_set_link_property() and object_get_link_property(). We can't
> completely share the code with those functions because of differences
> in where we get the information like the target QOM type, but I have
> pulled out a new function object_resolve_and_typecheck() for the
> shared "given a QOM path and a type, give me the object or an error"
> code.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Hi Peter,
Looks good to me, but I'm not confident enough on this stuff to give
tags. A couple of trivial things inline.
Jonathan
> ---
> I want this specifically for the GICv5 interrupt controller device
> I'm working on. I'd like to be able to pass in links to the CPUs
> connected to the GIC, so that we don't have to have the code assume
> that it's connected to CPU numbers 0,1,2... the way the current
> GICv3 code does.
>
> I think Phil also had a proposed series a while back that wanted
> to do something similar with one of the existing devices.
>
> I figured I'd post this early for review, though obviously it's a
> little unmotivated until I have my new GICv5 code into enough shape
> to submit. This is tested, but with my work-in-progress code.
You probably want to update this set of notes given it's in your
GICv5 set now!
> diff --git a/include/qom/object.h b/include/qom/object.h
> index 26df6137b9..48fdbf353e 100644
> --- a/include/qom/object.h
> +++ b/include/qom/object.h
> @@ -1750,6 +1750,25 @@ ObjectProperty *object_class_property_add_link(ObjectClass *oc,
> Object *val, Error **errp),
> ObjectPropertyLinkFlags flags);
>
> +
> +/**
> + * object_resolve_and_typecheck:
> + * @path: path to look up
> + * @name: name of property we are resolving for (used only in error messages)
> + * @target_type: QOM type we expect @path to resolve to
> + * @errp: error
> + *
> + * Look up the object at @path and return it. If it does not have
> + * the correct type @target_type, return NULL and set @errp.
> + *
> + * This is similar to object_resolve_path_type(), but it insists on
> + * a non-ambiguous path and it produces error messages that are specialised
> + * to the use case of setting a link property on an object.
> + */
> +Object *object_resolve_and_typecheck(const char *path,
> + const char *name,
> + const char *target_type, Error **errp);
I'm not sure why you went with this wrapping. I'd combine the first two lines.
> +
> /**
> * object_property_add_str:
> * @obj: the object to add a property to
> diff --git a/qom/object.c b/qom/object.c
> index ff8ede8a32..90b8f3461e 100644
> --- a/qom/object.c
> +++ b/qom/object.c
> @@ -1895,26 +1895,13 @@ static void object_get_link_property(Object *obj, Visitor *v,
> }
> }
>
> -/*
> - * object_resolve_link:
> - *
> - * Lookup an object and ensure its type matches the link property type. This
> - * is similar to object_resolve_path() except type verification against the
> - * link property is performed.
> - *
> - * Returns: The matched object or NULL on path lookup failures.
> - */
> -static Object *object_resolve_link(Object *obj, const char *name,
> - const char *path, Error **errp)
> +Object *object_resolve_and_typecheck(const char *path,
> + const char *name,
As above.
> + const char *target_type, Error **errp)
^ permalink raw reply [flat|nested] 142+ messages in thread* Re: [PATCH 01/65] hw/core: Permit devices to define an array of link properties
2026-03-06 11:11 ` Jonathan Cameron via qemu development
@ 2026-03-06 11:17 ` Peter Maydell
0 siblings, 0 replies; 142+ messages in thread
From: Peter Maydell @ 2026-03-06 11:17 UTC (permalink / raw)
To: Jonathan Cameron; +Cc: qemu-arm, qemu-devel
On Fri, 6 Mar 2026 at 11:11, Jonathan Cameron
<jonathan.cameron@huawei.com> wrote:
>
> On Mon, 23 Feb 2026 17:01:08 +0000
> Peter Maydell <peter.maydell@linaro.org> wrote:
>
> > Currently we allow devices to define "link properties" with
> > DEFINE_PROP_LINK(): these are a way to give a device a pointer to
> > another QOM object. (Under the hood this is done by handing it the
> > canonical QOM path for the object.)
> >
> > We also allow devices to define "array properties" with
> > DEFINE_PROP_ARRAY(): these are a way to give a device a
> > variable-length array of properties.
> >
> > However, there is no way to define an array of link properties. If
> > you try to do it by passing qdev_prop_link as the arrayprop argument
> > to DEFINE_PROP_ARRAY() you will get a crash because qdev_prop_link
> > does not provide the .set and .get methods in its PropertyInfo
> > struct.
> >
> > This patch implements a new DEFINE_PROP_LINK_ARRAY(). In
> > a device you can use it like this:
> >
> > struct MyDevice {
> > ...
> > uint32_t num_cpus;
> > ARMCPU **cpus;
> > }
> >
> > and in your Property array:
> > DEFINE_PROP_LINK_ARRAY("cpus", MyDevice, num_cpus, cpus,
> > TYPE_ARM_CPU, ARMCPU *),
> >
> > The array property code will fill in s->num_cpus, allocate memory in
> > s->cpus, and populate it with pointers.
> >
> > On the device-creation side you set the property in the same way as
> > the existing array properties, using the new qlist_append_link()
> > function to append to the QList:
> >
> > QList *cpulist = qlist_new();
> > for (int i = 0; i < cpus; i++) {
> > qlist_append_link(cpulist, OBJECT(cpu[i]));
> > }
> > qdev_prop_set_array(mydev, "cpus", cpulist);
> >
> > The implementation is mostly in the provision of the .set and
> > .get methods to the qdev_prop_link PropertyInfo struct. The
> > code of these methods parallels the code in
> > object_set_link_property() and object_get_link_property(). We can't
> > completely share the code with those functions because of differences
> > in where we get the information like the target QOM type, but I have
> > pulled out a new function object_resolve_and_typecheck() for the
> > shared "given a QOM path and a type, give me the object or an error"
> > code.
> >
> > Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
>
> Hi Peter,
>
> Looks good to me, but I'm not confident enough on this stuff to give
> tags. A couple of trivial things inline.
>
> Jonathan
>
> > ---
> > I want this specifically for the GICv5 interrupt controller device
> > I'm working on. I'd like to be able to pass in links to the CPUs
> > connected to the GIC, so that we don't have to have the code assume
> > that it's connected to CPU numbers 0,1,2... the way the current
> > GICv3 code does.
> >
> > I think Phil also had a proposed series a while back that wanted
> > to do something similar with one of the existing devices.
> >
> > I figured I'd post this early for review, though obviously it's a
> > little unmotivated until I have my new GICv5 code into enough shape
> > to submit. This is tested, but with my work-in-progress code.
>
> You probably want to update this set of notes given it's in your
> GICv5 set now!
Yes :-)
> > diff --git a/include/qom/object.h b/include/qom/object.h
> > index 26df6137b9..48fdbf353e 100644
> > --- a/include/qom/object.h
> > +++ b/include/qom/object.h
> > @@ -1750,6 +1750,25 @@ ObjectProperty *object_class_property_add_link(ObjectClass *oc,
> > Object *val, Error **errp),
> > ObjectPropertyLinkFlags flags);
> >
> > +
> > +/**
> > + * object_resolve_and_typecheck:
> > + * @path: path to look up
> > + * @name: name of property we are resolving for (used only in error messages)
> > + * @target_type: QOM type we expect @path to resolve to
> > + * @errp: error
> > + *
> > + * Look up the object at @path and return it. If it does not have
> > + * the correct type @target_type, return NULL and set @errp.
> > + *
> > + * This is similar to object_resolve_path_type(), but it insists on
> > + * a non-ambiguous path and it produces error messages that are specialised
> > + * to the use case of setting a link property on an object.
> > + */
> > +Object *object_resolve_and_typecheck(const char *path,
> > + const char *name,
> > + const char *target_type, Error **errp);
>
> I'm not sure why you went with this wrapping. I'd combine the first two lines.
Yeah, I'm not sure why it ended up like this either. Sometimes that happens
because I change my mind on the name of a function and don't notice that it
means the wrapping can be done differently, but I have no recollection of
what the process was in this specific case. I agree that putting the first
two arguments on one line is better.
-- PMM
^ permalink raw reply [flat|nested] 142+ messages in thread
* Re: [PATCH 01/65] hw/core: Permit devices to define an array of link properties
2026-02-23 17:01 ` [PATCH 01/65] hw/core: Permit devices to define an array of link properties Peter Maydell
2026-03-06 11:11 ` Jonathan Cameron via qemu development
@ 2026-03-21 15:42 ` Philippe Mathieu-Daudé
2026-03-23 13:26 ` Peter Maydell
1 sibling, 1 reply; 142+ messages in thread
From: Philippe Mathieu-Daudé @ 2026-03-21 15:42 UTC (permalink / raw)
To: Peter Maydell, qemu-arm, qemu-devel
Cc: Kevin Wolf, Markus Armbruster, Mark Cave-Ayland
(+Kevin / Markus / Mark for previous discussions)
On 23/2/26 18:01, Peter Maydell wrote:
> Currently we allow devices to define "link properties" with
> DEFINE_PROP_LINK(): these are a way to give a device a pointer to
> another QOM object. (Under the hood this is done by handing it the
> canonical QOM path for the object.)
>
> We also allow devices to define "array properties" with
> DEFINE_PROP_ARRAY(): these are a way to give a device a
> variable-length array of properties.
>
> However, there is no way to define an array of link properties. If
> you try to do it by passing qdev_prop_link as the arrayprop argument
> to DEFINE_PROP_ARRAY() you will get a crash because qdev_prop_link
> does not provide the .set and .get methods in its PropertyInfo
> struct.
>
> This patch implements a new DEFINE_PROP_LINK_ARRAY(). In
> a device you can use it like this:
>
> struct MyDevice {
> ...
> uint32_t num_cpus;
> ARMCPU **cpus;
> }
>
> and in your Property array:
> DEFINE_PROP_LINK_ARRAY("cpus", MyDevice, num_cpus, cpus,
> TYPE_ARM_CPU, ARMCPU *),
>
> The array property code will fill in s->num_cpus, allocate memory in
> s->cpus, and populate it with pointers.
>
> On the device-creation side you set the property in the same way as
> the existing array properties, using the new qlist_append_link()
> function to append to the QList:
>
> QList *cpulist = qlist_new();
> for (int i = 0; i < cpus; i++) {
> qlist_append_link(cpulist, OBJECT(cpu[i]));
> }
> qdev_prop_set_array(mydev, "cpus", cpulist);
>
> The implementation is mostly in the provision of the .set and
> .get methods to the qdev_prop_link PropertyInfo struct. The
> code of these methods parallels the code in
> object_set_link_property() and object_get_link_property(). We can't
> completely share the code with those functions because of differences
> in where we get the information like the target QOM type, but I have
> pulled out a new function object_resolve_and_typecheck() for the
> shared "given a QOM path and a type, give me the object or an error"
> code.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> I want this specifically for the GICv5 interrupt controller device
> I'm working on. I'd like to be able to pass in links to the CPUs
> connected to the GIC, so that we don't have to have the code assume
> that it's connected to CPU numbers 0,1,2... the way the current
> GICv3 code does.
>
> I think Phil also had a proposed series a while back that wanted
> to do something similar with one of the existing devices.
FTR previous discussions:
https://lore.kernel.org/qemu-devel/47615329-9ae4-f9e0-117d-f7d4300bfdf1@ilande.co.uk/
https://lore.kernel.org/qemu-devel/CAFEAcA9FT+QMyQSLCeLjd7tEfaoS9JazmkYWQE++s1AmF7Nfvw@mail.gmail.com/
>
> I figured I'd post this early for review, though obviously it's a
> little unmotivated until I have my new GICv5 code into enough shape
> to submit. This is tested, but with my work-in-progress code.
> ---
> hw/core/qdev-properties.c | 78 +++++++++++++++++++++++++++++++
> include/hw/core/qdev-properties.h | 40 ++++++++++++++++
> include/qom/object.h | 19 ++++++++
> qom/object.c | 42 ++++++++++-------
> 4 files changed, 161 insertions(+), 18 deletions(-)
>
> diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
> index ba8461e9a4..f8181b0d91 100644
> --- a/hw/core/qdev-properties.c
> +++ b/hw/core/qdev-properties.c
> @@ -669,6 +669,7 @@ static Property array_elem_prop(Object *obj, const Property *parent_prop,
> * being inside the device struct.
> */
> .offset = (uintptr_t)elem - (uintptr_t)obj,
> + .link_type = parent_prop->link_type,
> };
> }
>
> @@ -950,6 +951,12 @@ void qdev_prop_set_array(DeviceState *dev, const char *name, QList *values)
> qobject_unref(values);
> }
>
> +void qlist_append_link(QList *qlist, Object *obj)
> +{
> + g_autofree char *path = object_get_canonical_path(obj);
> + qlist_append_str(qlist, path);
> +}
> +
> static GPtrArray *global_props(void)
> {
> static GPtrArray *gp;
> @@ -1059,9 +1066,80 @@ static ObjectProperty *create_link_property(ObjectClass *oc, const char *name,
> OBJ_PROP_LINK_STRONG);
> }
>
> +/*
> + * The logic in these get_link() and set_link() functions is similar
> + * to that used for single-element link properties in the
> + * object_get_link_property() and object_set_link_property() functions.
> + * The difference is largely in how we get the expected type of the
> + * link: for us it is in the Property struct, and for a single link
> + * property it is part of the property name on the object.
> + */
> +static void get_link(Object *obj, Visitor *v, const char *name, void *opaque,
> + Error **errp)
> +{
> + const Property *prop = opaque;
> + Object **targetp = object_field_prop_ptr(obj, prop);
> + g_autofree char *path = NULL;
> +
> + if (*targetp) {
> + path = object_get_canonical_path(*targetp);
> + visit_type_str(v, name, &path, errp);
> + } else {
> + path = g_strdup("");
> + visit_type_str(v, name, &path, errp);
> + }
> +}
> +
> +static void set_link(Object *obj, Visitor *v, const char *name, void *opaque,
> + Error **errp)
> +{
> + const Property *prop = opaque;
> + Object **targetp = object_field_prop_ptr(obj, prop);
> + g_autofree char *path = NULL;
> + Object *new_target, *old_target = *targetp;
> +
> + ERRP_GUARD();
> +
> + /* Get the path to the object we want to set the link to */
> + if (!visit_type_str(v, name, &path, errp)) {
> + return;
> + }
> +
> + /* Now get the pointer to the actual object */
> + if (*path) {
> + new_target = object_resolve_and_typecheck(path, prop->name,
> + prop->link_type, errp);
> + if (!new_target) {
> + return;
> + }
> + } else {
> + new_target = NULL;
> + }
> +
> + /*
> + * Our link properties are always OBJ_PROP_LINK_STRONG and
> + * have the allow_set_link_before_realize check.
> + */
> + qdev_prop_allow_set_link_before_realize(obj, prop->name, new_target, errp);
> + if (*errp) {
> + return;
> + }
> +
> + *targetp = new_target;
> + object_ref(new_target);
> + object_unref(old_target);
> +}
> +
> const PropertyInfo qdev_prop_link = {
> .type = "link",
> .create = create_link_property,
> + /*
> + * Since we have a create method, the get and set are used
> + * only in get_prop_array() and set_prop_array() for the case
> + * where we have an array of link properties.
> + */
> + .get = get_link,
> + .set = set_link,
> };
>
> void qdev_property_add_static(DeviceState *dev, const Property *prop)
> diff --git a/include/hw/core/qdev-properties.h b/include/hw/core/qdev-properties.h
> index d8745d4c65..936d06023a 100644
> --- a/include/hw/core/qdev-properties.h
> +++ b/include/hw/core/qdev-properties.h
> @@ -168,6 +168,31 @@ extern const PropertyInfo qdev_prop_link;
> DEFINE_PROP(_name, _state, _field, qdev_prop_link, _ptr_type, \
> .link_type = _type)
>
> +/**
> + * DEFINE_PROP_LINK_ARRAY:
> + * @_name: name of the array
> + * @_state: name of the device state structure type
> + * @_field: uint32_t field in @_state to hold the array length
> + * @_arrayfield: field in @_state (of type '@_arraytype *') which
> + * will point to the array
> + * @_linktype: QOM type name of the link type
> + * @_arraytype: C type of the array elements
> + *
> + * Define device properties for a variable-length array _name of links
> + * (i.e. this is the array version of DEFINE_PROP_LINK).
> + * The array is represented as a list of QStrings in the visitor interface,
> + * where each string is the QOM path of the object to be linked.
> + */
> +#define DEFINE_PROP_LINK_ARRAY(_name, _state, _field, _arrayfield, \
> + _linktype, _arraytype) \
> + DEFINE_PROP(_name, _state, _field, qdev_prop_array, uint32_t, \
> + .set_default = true, \
> + .defval.u = 0, \
> + .arrayinfo = &qdev_prop_link, \
> + .arrayfieldsize = sizeof(_arraytype), \
> + .arrayoffset = offsetof(_state, _arrayfield), \
> + .link_type = _linktype)
> +
> #define DEFINE_PROP_UINT8(_n, _s, _f, _d) \
> DEFINE_PROP_UNSIGNED(_n, _s, _f, _d, qdev_prop_uint8, uint8_t)
> #define DEFINE_PROP_UINT16(_n, _s, _f, _d) \
> @@ -219,6 +244,21 @@ void qdev_prop_set_enum(DeviceState *dev, const char *name, int value);
> /* Takes ownership of @values */
> void qdev_prop_set_array(DeviceState *dev, const char *name, QList *values);
>
> +/**
> + * qlist_append_link: Add a QOM object to a QList of link properties
> + * @qlist: list to append to
> + * @obj: object to append
> + *
> + * This is a helper function for constructing a QList to pass to
> + * qdev_prop_set_array() when the qdev property array is an array of link
> + * properties (i.e. one defined with DEFINE_PROP_LINK_ARRAY).
> + *
> + * The object is encoded into the list as a QString which is the
> + * canonical path of the object; this is the same encoding that
> + * object_set_link_property() and object_get_link_property() use.
> + */
> +void qlist_append_link(QList *qlist, Object *obj);
> +
> void *object_field_prop_ptr(Object *obj, const Property *prop);
>
> void qdev_prop_register_global(GlobalProperty *prop);
> diff --git a/include/qom/object.h b/include/qom/object.h
> index 26df6137b9..48fdbf353e 100644
> --- a/include/qom/object.h
> +++ b/include/qom/object.h
> @@ -1750,6 +1750,25 @@ ObjectProperty *object_class_property_add_link(ObjectClass *oc,
> Object *val, Error **errp),
> ObjectPropertyLinkFlags flags);
>
> +
> +/**
> + * object_resolve_and_typecheck:
> + * @path: path to look up
> + * @name: name of property we are resolving for (used only in error messages)
> + * @target_type: QOM type we expect @path to resolve to
> + * @errp: error
> + *
> + * Look up the object at @path and return it. If it does not have
> + * the correct type @target_type, return NULL and set @errp.
> + *
> + * This is similar to object_resolve_path_type(), but it insists on
> + * a non-ambiguous path and it produces error messages that are specialised
> + * to the use case of setting a link property on an object.
> + */
> +Object *object_resolve_and_typecheck(const char *path,
> + const char *name,
> + const char *target_type, Error **errp);
> +
> /**
> * object_property_add_str:
> * @obj: the object to add a property to
> diff --git a/qom/object.c b/qom/object.c
> index ff8ede8a32..90b8f3461e 100644
> --- a/qom/object.c
> +++ b/qom/object.c
> @@ -1895,26 +1895,13 @@ static void object_get_link_property(Object *obj, Visitor *v,
> }
> }
>
> -/*
> - * object_resolve_link:
> - *
> - * Lookup an object and ensure its type matches the link property type. This
> - * is similar to object_resolve_path() except type verification against the
> - * link property is performed.
> - *
> - * Returns: The matched object or NULL on path lookup failures.
> - */
> -static Object *object_resolve_link(Object *obj, const char *name,
> - const char *path, Error **errp)
> +Object *object_resolve_and_typecheck(const char *path,
> + const char *name,
> + const char *target_type, Error **errp)
> {
> - const char *type;
> - char *target_type;
> bool ambiguous = false;
> Object *target;
>
> - /* Go from link<FOO> to FOO. */
> - type = object_property_get_type(obj, name, NULL);
> - target_type = g_strndup(&type[5], strlen(type) - 6);
> target = object_resolve_path_type(path, target_type, &ambiguous);
>
> if (ambiguous) {
> @@ -1931,11 +1918,30 @@ static Object *object_resolve_link(Object *obj, const char *name,
> }
> target = NULL;
> }
> - g_free(target_type);
> -
> return target;
> }
>
> +/*
> + * object_resolve_link:
> + *
> + * Lookup an object and ensure its type matches the link property type. This
> + * is similar to object_resolve_path() except type verification against the
> + * link property is performed.
> + *
> + * Returns: The matched object or NULL on path lookup failures.
> + */
> +static Object *object_resolve_link(Object *obj, const char *name,
> + const char *path, Error **errp)
> +{
> + const char *type;
> + g_autofree char *target_type = NULL;
> +
> + /* Go from link<FOO> to FOO. */
> + type = object_property_get_type(obj, name, NULL);
> + target_type = g_strndup(&type[5], strlen(type) - 6);
> + return object_resolve_and_typecheck(path, name, target_type, errp);
> +}
> +
> static void object_set_link_property(Object *obj, Visitor *v,
> const char *name, void *opaque,
> Error **errp)
Nitpicking, I'd add object_resolve_and_typecheck() in a preliminary
patch. Otherwise patch LGTM!
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
^ permalink raw reply [flat|nested] 142+ messages in thread* Re: [PATCH 01/65] hw/core: Permit devices to define an array of link properties
2026-03-21 15:42 ` Philippe Mathieu-Daudé
@ 2026-03-23 13:26 ` Peter Maydell
0 siblings, 0 replies; 142+ messages in thread
From: Peter Maydell @ 2026-03-23 13:26 UTC (permalink / raw)
To: Philippe Mathieu-Daudé
Cc: qemu-arm, qemu-devel, Kevin Wolf, Markus Armbruster,
Mark Cave-Ayland
On Sat, 21 Mar 2026 at 15:42, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> (+Kevin / Markus / Mark for previous discussions)
>
> On 23/2/26 18:01, Peter Maydell wrote:
> > Currently we allow devices to define "link properties" with
> > DEFINE_PROP_LINK(): these are a way to give a device a pointer to
> > another QOM object. (Under the hood this is done by handing it the
> > canonical QOM path for the object.)
> >
> > We also allow devices to define "array properties" with
> > DEFINE_PROP_ARRAY(): these are a way to give a device a
> > variable-length array of properties.
> >
> > However, there is no way to define an array of link properties. If
> > you try to do it by passing qdev_prop_link as the arrayprop argument
> > to DEFINE_PROP_ARRAY() you will get a crash because qdev_prop_link
> > does not provide the .set and .get methods in its PropertyInfo
> > struct.
> >
> > This patch implements a new DEFINE_PROP_LINK_ARRAY().
> Nitpicking, I'd add object_resolve_and_typecheck() in a preliminary
> patch. Otherwise patch LGTM!
>
> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Thanks. I've split the patch in two (it splits exactly into
"changes to object.[ch]" and "changes to qdev-properties.[ch]")
and added your R-by tag to both the resulting patches.
-- PMM
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 02/65] hw/intc: Skeleton of GICv5 IRS classes
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
2026-02-23 17:01 ` [PATCH 01/65] hw/core: Permit devices to define an array of link properties Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 11:15 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 03/65] hw/arm/Kconfig: select ARM_GICV5 for ARM_VIRT board Peter Maydell
` (63 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
This commit adds the skeleton of the classes for the GICv5 IRS
(Interrupt Routing Service). Since the IRS is the main (and only
non-optional) part of the GICv5 outside the CPU, we call it simply
"GICv5", in line with how we've handled the GICv3.
Since we're definitely going to need to have support for KVM VMs
where we present the guest with a GICv5, we use the same split
between an abstract "common" and a concrete specific-to-TCG child
class that we have for the various GICv3 components. This avoids
having to refactor out the base class later.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/Kconfig | 4 +++
hw/intc/arm_gicv5.c | 39 ++++++++++++++++++++++++++++++
hw/intc/arm_gicv5_common.c | 31 ++++++++++++++++++++++++
hw/intc/meson.build | 4 +++
include/hw/intc/arm_gicv5.h | 32 ++++++++++++++++++++++++
include/hw/intc/arm_gicv5_common.h | 31 ++++++++++++++++++++++++
6 files changed, 141 insertions(+)
create mode 100644 hw/intc/arm_gicv5.c
create mode 100644 hw/intc/arm_gicv5_common.c
create mode 100644 include/hw/intc/arm_gicv5.h
create mode 100644 include/hw/intc/arm_gicv5_common.h
diff --git a/hw/intc/Kconfig b/hw/intc/Kconfig
index 9f456d7e43..a3241fc1eb 100644
--- a/hw/intc/Kconfig
+++ b/hw/intc/Kconfig
@@ -35,6 +35,10 @@ config ARM_GIC_KVM
bool
depends on ARM_GIC && KVM
+config ARM_GICV5
+ bool
+ select MSI_NONBROKEN
+
config XICS
bool
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
new file mode 100644
index 0000000000..f9dab710d3
--- /dev/null
+++ b/hw/intc/arm_gicv5.c
@@ -0,0 +1,39 @@
+/*
+ * ARM GICv5 emulation: Interrupt Routing Service (IRS)
+ *
+ * Copyright (c) 2025 Linaro Limited
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "hw/intc/arm_gicv5.h"
+
+OBJECT_DEFINE_TYPE(GICv5, gicv5, ARM_GICV5, ARM_GICV5_COMMON)
+
+static void gicv5_reset_hold(Object *obj, ResetType type)
+{
+ GICv5 *s = ARM_GICV5(obj);
+ GICv5Class *c = ARM_GICV5_GET_CLASS(s);
+
+ if (c->parent_phases.hold) {
+ c->parent_phases.hold(obj, type);
+ }
+}
+
+static void gicv5_init(Object *obj)
+{
+}
+
+static void gicv5_finalize(Object *obj)
+{
+}
+
+static void gicv5_class_init(ObjectClass *oc, const void *data)
+{
+ ResettableClass *rc = RESETTABLE_CLASS(oc);
+ GICv5Class *gc = ARM_GICV5_CLASS(oc);
+
+ resettable_class_set_parent_phases(rc, NULL, gicv5_reset_hold, NULL,
+ &gc->parent_phases);
+}
diff --git a/hw/intc/arm_gicv5_common.c b/hw/intc/arm_gicv5_common.c
new file mode 100644
index 0000000000..b0194f7f26
--- /dev/null
+++ b/hw/intc/arm_gicv5_common.c
@@ -0,0 +1,31 @@
+/*
+ * Common base class for GICv5 IRS
+ *
+ * Copyright (c) 2025 Linaro Limited
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "hw/intc/arm_gicv5_common.h"
+
+OBJECT_DEFINE_ABSTRACT_TYPE(GICv5Common, gicv5_common, ARM_GICV5_COMMON, SYS_BUS_DEVICE)
+
+static void gicv5_common_reset_hold(Object *obj, ResetType type)
+{
+}
+
+static void gicv5_common_init(Object *obj)
+{
+}
+
+static void gicv5_common_finalize(Object *obj)
+{
+}
+
+static void gicv5_common_class_init(ObjectClass *oc, const void *data)
+{
+ ResettableClass *rc = RESETTABLE_CLASS(oc);
+
+ rc->phases.hold = gicv5_common_reset_hold;
+}
diff --git a/hw/intc/meson.build b/hw/intc/meson.build
index 96742df090..e4ddc5107f 100644
--- a/hw/intc/meson.build
+++ b/hw/intc/meson.build
@@ -12,6 +12,10 @@ system_ss.add(when: 'CONFIG_ARM_GICV3', if_true: files(
'arm_gicv3_its.c',
'arm_gicv3_redist.c',
))
+system_ss.add(when: 'CONFIG_ARM_GICV5', if_true: files(
+ 'arm_gicv5_common.c',
+ 'arm_gicv5.c',
+))
system_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
system_ss.add(when: 'CONFIG_ASPEED_SOC', if_true: files('aspeed_vic.c'))
system_ss.add(when: 'CONFIG_ASPEED_SOC', if_true: files('aspeed_intc.c'))
diff --git a/include/hw/intc/arm_gicv5.h b/include/hw/intc/arm_gicv5.h
new file mode 100644
index 0000000000..3cd9652f6f
--- /dev/null
+++ b/include/hw/intc/arm_gicv5.h
@@ -0,0 +1,32 @@
+/*
+ * ARM GICv5 emulation: Interrupt Routing Service (IRS)
+ *
+ * Copyright (c) 2025 Linaro Limited
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef HW_INTC_ARM_GICV5_H
+#define HW_INTC_ARM_GICV5_H
+
+#include "qom/object.h"
+#include "hw/core/sysbus.h"
+#include "hw/intc/arm_gicv5_common.h"
+
+#define TYPE_ARM_GICV5 "arm-gicv5"
+
+OBJECT_DECLARE_TYPE(GICv5, GICv5Class, ARM_GICV5)
+
+/*
+ * This class is for TCG-specific state for the GICv5.
+ */
+struct GICv5 {
+ GICv5Common parent_obj;
+};
+
+struct GICv5Class {
+ GICv5CommonClass parent_class;
+ ResettablePhases parent_phases;
+};
+
+#endif
diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
new file mode 100644
index 0000000000..d2243c7660
--- /dev/null
+++ b/include/hw/intc/arm_gicv5_common.h
@@ -0,0 +1,31 @@
+/*
+ * Common base class for GICv5 IRS
+ *
+ * Copyright (c) 2025 Linaro Limited
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef HW_INTC_ARM_GICV5_COMMON_H
+#define HW_INTC_ARM_GICV5_COMMON_H
+
+#include "qom/object.h"
+#include "hw/core/sysbus.h"
+
+#define TYPE_ARM_GICV5_COMMON "arm-gicv5-common"
+
+OBJECT_DECLARE_TYPE(GICv5Common, GICv5CommonClass, ARM_GICV5_COMMON)
+
+/*
+ * This class is for common state that will eventually be shared
+ * between TCG and KVM implementations of the GICv5.
+ */
+struct GICv5Common {
+ SysBusDevice parent_obj;
+};
+
+struct GICv5CommonClass {
+ SysBusDeviceClass parent_class;
+};
+
+#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 02/65] hw/intc: Skeleton of GICv5 IRS classes
2026-02-23 17:01 ` [PATCH 02/65] hw/intc: Skeleton of GICv5 IRS classes Peter Maydell
@ 2026-03-06 11:15 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 11:15 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:09 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> This commit adds the skeleton of the classes for the GICv5 IRS
> (Interrupt Routing Service). Since the IRS is the main (and only
> non-optional) part of the GICv5 outside the CPU, we call it simply
> "GICv5", in line with how we've handled the GICv3.
>
> Since we're definitely going to need to have support for KVM VMs
> where we present the guest with a GICv5, we use the same split
> between an abstract "common" and a concrete specific-to-TCG child
> class that we have for the various GICv3 components. This avoids
> having to refactor out the base class later.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
FWIW given it's all stubs for now.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 03/65] hw/arm/Kconfig: select ARM_GICV5 for ARM_VIRT board
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
2026-02-23 17:01 ` [PATCH 01/65] hw/core: Permit devices to define an array of link properties Peter Maydell
2026-02-23 17:01 ` [PATCH 02/65] hw/intc: Skeleton of GICv5 IRS classes Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 11:16 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 04/65] hw/intc/arm_gicv5: Implement skeleton code for IRS register frames Peter Maydell
` (62 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
When building the Arm "virt" board, pull in the GICv5.
We haven't added support for creating or wiring up the GICv5 in that
board yet, but adding it to the Kconfig early means that the GICv5
code will be compiled and so we can have more confidence that the
individual commits building it up are correct (or at least compile).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/arm/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index c66c452737..91a15040a4 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -10,6 +10,7 @@ config ARM_VIRT
imply NVDIMM
imply IOMMUFD
select ARM_GIC
+ select ARM_GICV5
select ACPI
select ARM_SMMUV3
select GPIO_KEY
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 03/65] hw/arm/Kconfig: select ARM_GICV5 for ARM_VIRT board
2026-02-23 17:01 ` [PATCH 03/65] hw/arm/Kconfig: select ARM_GICV5 for ARM_VIRT board Peter Maydell
@ 2026-03-06 11:16 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 11:16 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:10 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> When building the Arm "virt" board, pull in the GICv5.
>
> We haven't added support for creating or wiring up the GICv5 in that
> board yet, but adding it to the Kconfig early means that the GICv5
> code will be compiled and so we can have more confidence that the
> individual commits building it up are correct (or at least compile).
Good. I much prefer this approach to people only enabling build
at the end.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 04/65] hw/intc/arm_gicv5: Implement skeleton code for IRS register frames
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (2 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 03/65] hw/arm/Kconfig: select ARM_GICV5 for ARM_VIRT board Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 11:51 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 05/65] hw/intc/arm_gicv5: Add migration blocker Peter Maydell
` (61 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The GICv5 IRS has one mandatory register frame (the config frame) for
each of up to four supported physical interrupt domains. Implement
the skeleton of the code needed to create these as sysbus MMIO
regions.
The config frame has a mix of 32-bit and 64-bit registers, and it is
valid to access the 64-bit registers with 32-bit accesses. In a
similar way to the various GICv3 devices, we turn the MemoryRegionOps
read_with_attrs and write_with_attrs calls into calls on functions
specifically to read 32 or 64 bit values. (We can't trivially
implement one in terms of the other because various registers have
side effects on write which must only trigger when the "correct" half
of the 64-bit register is written to.)
Unlike the GICv3, we choose to expose a sysbus MMIO region for each
interrupt domain even if the config of the GICv5 means that it
doesn't implement that domain. This avoids having the config frame
for a domain ending up at a different MMIO region index depending on
the config of the GICv5. (This matters more for GICv5 because it
supports Realm, and so there are more possible valid configurations.)
gicv5_common_init_irqs_and_mmio() does not yet create any IRQs, but
we name it this way to parallel the equivalent GICv3 function and to
avoid having to rename it when we add the IRQ line creation in a
subsequent commit.
The arm_gicv5_types.h header is a little undermotivated at this
point, but the aim is to have somewhere to put definitions that we
want in both the GIC proper and the CPU interface.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 193 +++++++++++++++++++++++++++++
hw/intc/arm_gicv5_common.c | 35 ++++++
hw/intc/trace-events | 6 +
include/hw/intc/arm_gicv5.h | 1 +
include/hw/intc/arm_gicv5_common.h | 50 ++++++++
include/hw/intc/arm_gicv5_types.h | 28 +++++
6 files changed, 313 insertions(+)
create mode 100644 include/hw/intc/arm_gicv5_types.h
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index f9dab710d3..0eb4348e81 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -8,9 +8,178 @@
#include "qemu/osdep.h"
#include "hw/intc/arm_gicv5.h"
+#include "qapi/error.h"
+#include "qemu/log.h"
+#include "trace.h"
OBJECT_DEFINE_TYPE(GICv5, gicv5, ARM_GICV5, ARM_GICV5_COMMON)
+static const char *domain_name[] = {
+ [GICV5_ID_S] = "Secure",
+ [GICV5_ID_NS] = "NonSecure",
+ [GICV5_ID_EL3] = "EL3",
+ [GICV5_ID_REALM] = "Realm",
+};
+
+static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
+ uint64_t *data, MemTxAttrs attrs)
+{
+ return false;
+}
+
+static bool config_writel(GICv5 *s, GICv5Domain domain, hwaddr offset,
+ uint64_t data, MemTxAttrs attrs)
+{
+ return false;
+}
+
+static bool config_readll(GICv5 *s, GICv5Domain domain, hwaddr offset,
+ uint64_t *data, MemTxAttrs attrs)
+{
+ return false;
+}
+
+static bool config_writell(GICv5 *s, GICv5Domain domain, hwaddr offset,
+ uint64_t data, MemTxAttrs attrs)
+{
+ return false;
+}
+
+static MemTxResult config_read(void *opaque, GICv5Domain domain, hwaddr offset,
+ uint64_t *data, unsigned size,
+ MemTxAttrs attrs)
+{
+ GICv5 *s = ARM_GICV5(opaque);
+ bool result;
+
+ switch (size) {
+ case 4:
+ result = config_readl(s, domain, offset, data, attrs);
+ break;
+ case 8:
+ result = config_readll(s, domain, offset, data, attrs);
+ break;
+ default:
+ result = false;
+ break;
+ }
+
+ if (!result) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: invalid guest read for IRS %s config frame "
+ "at offset " HWADDR_FMT_plx
+ " size %u\n", __func__, domain_name[domain],
+ offset, size);
+ trace_gicv5_badread(domain_name[domain], offset, size);
+ /*
+ * The spec requires that reserved registers are RAZ/WI;
+ * so we log the error but return MEMTX_OK so we don't cause
+ * a spurious data abort.
+ */
+ *data = 0;
+ } else {
+ trace_gicv5_read(domain_name[domain], offset, *data, size);
+ }
+
+ return MEMTX_OK;
+}
+
+static MemTxResult config_write(void *opaque, GICv5Domain domain,
+ hwaddr offset, uint64_t data, unsigned size,
+ MemTxAttrs attrs)
+{
+ GICv5 *s = ARM_GICV5(opaque);
+ bool result;
+
+ switch (size) {
+ case 4:
+ result = config_writel(s, domain, offset, data, attrs);
+ break;
+ case 8:
+ result = config_writell(s, domain, offset, data, attrs);
+ break;
+ default:
+ result = false;
+ break;
+ }
+
+ if (!result) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: invalid guest write for IRS %s config frame "
+ "at offset " HWADDR_FMT_plx
+ " size %u\n", __func__, domain_name[domain],
+ offset, size);
+ trace_gicv5_badwrite(domain_name[domain], offset, data, size);
+ /*
+ * The spec requires that reserved registers are RAZ/WI;
+ * so we log the error but return MEMTX_OK so we don't cause
+ * a spurious data abort.
+ */
+ } else {
+ trace_gicv5_write(domain_name[domain], offset, data, size);
+ }
+
+ return MEMTX_OK;
+}
+
+#define DEFINE_READ_WRITE_WRAPPERS(NAME, DOMAIN) \
+ static MemTxResult config_##NAME##_read(void *opaque, hwaddr offset, \
+ uint64_t *data, unsigned size, \
+ MemTxAttrs attrs) \
+ { \
+ return config_read(opaque, DOMAIN, offset, data, size, attrs); \
+ } \
+ static MemTxResult config_##NAME##_write(void *opaque, hwaddr offset, \
+ uint64_t data, unsigned size, \
+ MemTxAttrs attrs) \
+ { \
+ return config_write(opaque, DOMAIN, offset, data, size, attrs); \
+ }
+
+DEFINE_READ_WRITE_WRAPPERS(ns, GICV5_ID_NS)
+DEFINE_READ_WRITE_WRAPPERS(realm, GICV5_ID_REALM)
+DEFINE_READ_WRITE_WRAPPERS(secure, GICV5_ID_S)
+DEFINE_READ_WRITE_WRAPPERS(el3, GICV5_ID_EL3)
+
+static const MemoryRegionOps config_frame_ops[NUM_GICV5_DOMAINS] = {
+ [GICV5_ID_S] = {
+ .read_with_attrs = config_secure_read,
+ .write_with_attrs = config_secure_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 8,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 8,
+ },
+ [GICV5_ID_NS] = {
+ .read_with_attrs = config_ns_read,
+ .write_with_attrs = config_ns_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 8,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 8,
+ },
+ [GICV5_ID_EL3] = {
+ .read_with_attrs = config_el3_read,
+ .write_with_attrs = config_el3_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 8,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 8,
+ },
+ [GICV5_ID_REALM] = {
+ .read_with_attrs = config_realm_read,
+ .write_with_attrs = config_realm_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 8,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 8,
+ },
+};
+
static void gicv5_reset_hold(Object *obj, ResetType type)
{
GICv5 *s = ARM_GICV5(obj);
@@ -21,6 +190,28 @@ static void gicv5_reset_hold(Object *obj, ResetType type)
}
}
+static void gicv5_realize(DeviceState *dev, Error **errp)
+{
+ GICv5Common *cs = ARM_GICV5_COMMON(dev);
+ GICv5Class *gc = ARM_GICV5_GET_CLASS(dev);
+
+ ERRP_GUARD();
+
+ gc->parent_realize(dev, errp);
+ if (*errp) {
+ return;
+ }
+
+ /*
+ * When we implement support for more than one interrupt domain,
+ * we will provide some QOM properties so the board can configure
+ * which domains are implemented. For now, we only implement the
+ * NS domain.
+ */
+ cs->implemented_domains = (1 << GICV5_ID_NS);
+ gicv5_common_init_irqs_and_mmio(cs, config_frame_ops);
+}
+
static void gicv5_init(Object *obj)
{
}
@@ -32,8 +223,10 @@ static void gicv5_finalize(Object *obj)
static void gicv5_class_init(ObjectClass *oc, const void *data)
{
ResettableClass *rc = RESETTABLE_CLASS(oc);
+ DeviceClass *dc = DEVICE_CLASS(oc);
GICv5Class *gc = ARM_GICV5_CLASS(oc);
+ device_class_set_parent_realize(dc, gicv5_realize, &gc->parent_realize);
resettable_class_set_parent_phases(rc, NULL, gicv5_reset_hold, NULL,
&gc->parent_phases);
}
diff --git a/hw/intc/arm_gicv5_common.c b/hw/intc/arm_gicv5_common.c
index b0194f7f26..cb80c8821c 100644
--- a/hw/intc/arm_gicv5_common.c
+++ b/hw/intc/arm_gicv5_common.c
@@ -11,6 +11,41 @@
OBJECT_DEFINE_ABSTRACT_TYPE(GICv5Common, gicv5_common, ARM_GICV5_COMMON, SYS_BUS_DEVICE)
+static bool bad_frame_accepts(void *opaque, hwaddr addr, unsigned size,
+ bool is_write, MemTxAttrs attrs)
+{
+ return false;
+}
+
+/*
+ * Used for the sysbus MMIO regions corresponding to IRS frames
+ * where this IRS does not implement the interrupt domain.
+ * It's probably a board/SoC error to create an IRS and try to wire
+ * up this MMIO region, but if it does then the region will behave as
+ * unassigned memory (generating a decode error).
+ * These frames are just here so that changing which domains are
+ * implemented doesn't reorder which sysbus MMIO region is which.
+ */
+static const MemoryRegionOps bad_frame_ops = {
+ .valid.accepts = bad_frame_accepts,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+};
+
+void gicv5_common_init_irqs_and_mmio(GICv5Common *cs,
+ const MemoryRegionOps config_ops[NUM_GICV5_DOMAINS])
+{
+ SysBusDevice *sbd = SYS_BUS_DEVICE(cs);
+
+ for (int i = 0; i < NUM_GICV5_DOMAINS; i++) {
+ g_autofree char *memname = g_strdup_printf("gicv5-irs-%d", i);
+ const MemoryRegionOps *ops = gicv5_domain_implemented(cs, i) ?
+ &config_ops[i] : &bad_frame_ops;
+ memory_region_init_io(&cs->iomem[i], OBJECT(cs), ops, cs,
+ memname, IRS_CONFIG_FRAME_SIZE);
+ sysbus_init_mmio(sbd, &cs->iomem[i]);
+ }
+}
+
static void gicv5_common_reset_hold(Object *obj, ResetType type)
{
}
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index 018c609ca5..edd3c49c5f 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -227,6 +227,12 @@ gicv3_its_vte_read(uint32_t vpeid, int valid, uint32_t vptsize, uint64_t vptaddr
gicv3_its_vte_read_fault(uint32_t vpeid) "GICv3 ITS: vPE Table read for vPEID 0x%x: faulted"
gicv3_its_vte_write(uint32_t vpeid, int valid, uint32_t vptsize, uint64_t vptaddr, uint32_t rdbase) "GICv3 ITS: vPE Table write for vPEID 0x%x: valid %d VPTsize 0x%x VPTaddr 0x%" PRIx64 " RDbase 0x%x"
+# arm_gicv5.c
+gicv5_read(const char *domain, uint64_t offset, uint64_t data, unsigned size) "GICv5 IRS %s config frame read: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
+gicv5_badread(const char *domain, uint64_t offset, unsigned size) "GICv5 IRS %s config frame read: offset 0x%" PRIx64 " size %u: error"
+gicv5_write(const char *domain, uint64_t offset, uint64_t data, unsigned size) "GICv5 IRS %s config frame write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
+gicv5_badwrite(const char *domain, uint64_t offset, uint64_t data, unsigned size) "GICv5 IRS %s config frame write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u: error"
+
# armv7m_nvic.c
nvic_recompute_state(int vectpending, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d vectpending_prio %d exception_prio %d"
nvic_recompute_state_secure(int vectpending, bool vectpending_is_s_banked, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d is_s_banked %d vectpending_prio %d exception_prio %d"
diff --git a/include/hw/intc/arm_gicv5.h b/include/hw/intc/arm_gicv5.h
index 3cd9652f6f..42ccef8474 100644
--- a/include/hw/intc/arm_gicv5.h
+++ b/include/hw/intc/arm_gicv5.h
@@ -26,6 +26,7 @@ struct GICv5 {
struct GICv5Class {
GICv5CommonClass parent_class;
+ DeviceRealize parent_realize;
ResettablePhases parent_phases;
};
diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
index d2243c7660..8ba2e5c879 100644
--- a/include/hw/intc/arm_gicv5_common.h
+++ b/include/hw/intc/arm_gicv5_common.h
@@ -11,6 +11,26 @@
#include "qom/object.h"
#include "hw/core/sysbus.h"
+#include "hw/intc/arm_gicv5_types.h"
+
+/*
+ * QEMU interface:
+ *
+ * sysbus MMIO regions (in order matching IRS_IDR0.INT_DOM encoding):
+ * - IRS config frame for the Secure Interrupt Domain
+ * - IRS config frame for the Non-secure Interrupt Domain
+ * - IRS config frame for the EL3 Interrupt Domain
+ * - IRS config frame for the Realm Interrupt Domain
+ *
+ * Note that even if this particular IRS does not implement all four
+ * interrupt domains it will still expose four sysbus MMIO regions.
+ * The regions corresponding to unimplemented domains will always
+ * fail accesses with a decode error. Generally the SoC/board should
+ * probably not map a region for a domain that it configured the IRS
+ * to not implement; the regions are only exposed so that changing
+ * which domains are implemented doesn't reorder which sysbus MMIO
+ * region is which (e.g. NS will always be 1 and EL3 will always be 2).
+ */
#define TYPE_ARM_GICV5_COMMON "arm-gicv5-common"
@@ -22,10 +42,40 @@ OBJECT_DECLARE_TYPE(GICv5Common, GICv5CommonClass, ARM_GICV5_COMMON)
*/
struct GICv5Common {
SysBusDevice parent_obj;
+
+ MemoryRegion iomem[NUM_GICV5_DOMAINS];
+
+ /* Bits here are set for each physical interrupt domain implemented */
+ uint8_t implemented_domains;
};
struct GICv5CommonClass {
SysBusDeviceClass parent_class;
};
+
+#define IRS_CONFIG_FRAME_SIZE 0x10000
+
+/**
+ * gicv5_common_init_irqs_and_mmio: Create IRQs and MMIO regions for the GICv5
+ * @s: GIC object
+ * @ops: array of MemoryRegionOps that implement the config frames behaviour
+ *
+ * Subclasses of ARM_GICV5_COMMON should call this to create the sysbus
+ * MemoryRegions for the IRS config frames, passing in a four element array
+ * of MemoryRegionOps structs.
+ */
+void gicv5_common_init_irqs_and_mmio(GICv5Common *cs,
+ const MemoryRegionOps ops[NUM_GICV5_DOMAINS]);
+
+/**
+ * gicv5_domain_implemented: Return true if this IRS implements this domain
+ * @s: GIC object
+ * @domain: domain to check
+ */
+static inline bool gicv5_domain_implemented(GICv5Common *cs, GICv5Domain domain)
+{
+ return cs->implemented_domains & (1 << domain);
+}
+
#endif
diff --git a/include/hw/intc/arm_gicv5_types.h b/include/hw/intc/arm_gicv5_types.h
new file mode 100644
index 0000000000..143dcdec28
--- /dev/null
+++ b/include/hw/intc/arm_gicv5_types.h
@@ -0,0 +1,28 @@
+/*
+ * Type definitions for GICv5
+ *
+ * This file is for type definitions that we want to share between
+ * the GIC proper and the CPU interface.
+ *
+ * Copyright (c) 2025 Linaro Limited
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef HW_INTC_ARM_GICv5_TYPES_H
+#define HW_INTC_ARM_GICv5_TYPES_H
+
+/*
+ * The GICv5 has four physical Interrupt Domains. This numbering
+ * must match the encoding used in IRS_IDR0.INT_DOM.
+ */
+typedef enum GICv5Domain {
+ GICV5_ID_S = 0,
+ GICV5_ID_NS = 1,
+ GICV5_ID_EL3 = 2,
+ GICV5_ID_REALM = 3,
+} GICv5Domain;
+
+#define NUM_GICV5_DOMAINS 4
+
+#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 04/65] hw/intc/arm_gicv5: Implement skeleton code for IRS register frames
2026-02-23 17:01 ` [PATCH 04/65] hw/intc/arm_gicv5: Implement skeleton code for IRS register frames Peter Maydell
@ 2026-03-06 11:51 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 11:51 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:11 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The GICv5 IRS has one mandatory register frame (the config frame) for
> each of up to four supported physical interrupt domains. Implement
> the skeleton of the code needed to create these as sysbus MMIO
> regions.
>
> The config frame has a mix of 32-bit and 64-bit registers, and it is
> valid to access the 64-bit registers with 32-bit accesses. In a
> similar way to the various GICv3 devices, we turn the MemoryRegionOps
> read_with_attrs and write_with_attrs calls into calls on functions
> specifically to read 32 or 64 bit values. (We can't trivially
> implement one in terms of the other because various registers have
> side effects on write which must only trigger when the "correct" half
> of the 64-bit register is written to.)
>
> Unlike the GICv3, we choose to expose a sysbus MMIO region for each
> interrupt domain even if the config of the GICv5 means that it
> doesn't implement that domain. This avoids having the config frame
> for a domain ending up at a different MMIO region index depending on
> the config of the GICv5. (This matters more for GICv5 because it
> supports Realm, and so there are more possible valid configurations.)
>
> gicv5_common_init_irqs_and_mmio() does not yet create any IRQs, but
> we name it this way to parallel the equivalent GICv3 function and to
> avoid having to rename it when we add the IRQ line creation in a
> subsequent commit.
>
> The arm_gicv5_types.h header is a little undermotivated at this
> point, but the aim is to have somewhere to put definitions that we
> want in both the GIC proper and the CPU interface.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Really trivial stuff inline.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> +DEFINE_READ_WRITE_WRAPPERS(ns, GICV5_ID_NS)
> +DEFINE_READ_WRITE_WRAPPERS(realm, GICV5_ID_REALM)
> +DEFINE_READ_WRITE_WRAPPERS(secure, GICV5_ID_S)
> +DEFINE_READ_WRITE_WRAPPERS(el3, GICV5_ID_EL3)
> +
> +static const MemoryRegionOps config_frame_ops[NUM_GICV5_DOMAINS] = {
> + [GICV5_ID_S] = {
Maybe it's worth a macro for filing in the MemoryRegionOps as well
if we don't expect them to diverge beyond the config_xx_read/write.
> + .read_with_attrs = config_secure_read,
> + .write_with_attrs = config_secure_write,
> + .endianness = DEVICE_LITTLE_ENDIAN,
> + .valid.min_access_size = 4,
> + .valid.max_access_size = 8,
> + .impl.min_access_size = 4,
> + .impl.max_access_size = 8,
> + },
> + [GICV5_ID_NS] = {
> + .read_with_attrs = config_ns_read,
> + .write_with_attrs = config_ns_write,
> + .endianness = DEVICE_LITTLE_ENDIAN,
> + .valid.min_access_size = 4,
> + .valid.max_access_size = 8,
> + .impl.min_access_size = 4,
> + .impl.max_access_size = 8,
> + },
> + [GICV5_ID_EL3] = {
> + .read_with_attrs = config_el3_read,
> + .write_with_attrs = config_el3_write,
> + .endianness = DEVICE_LITTLE_ENDIAN,
> + .valid.min_access_size = 4,
> + .valid.max_access_size = 8,
> + .impl.min_access_size = 4,
> + .impl.max_access_size = 8,
> + },
> + [GICV5_ID_REALM] = {
> + .read_with_attrs = config_realm_read,
> + .write_with_attrs = config_realm_write,
> + .endianness = DEVICE_LITTLE_ENDIAN,
> + .valid.min_access_size = 4,
> + .valid.max_access_size = 8,
> + .impl.min_access_size = 4,
> + .impl.max_access_size = 8,
> + },
> +};
> diff --git a/include/hw/intc/arm_gicv5_types.h b/include/hw/intc/arm_gicv5_types.h
> new file mode 100644
> index 0000000000..143dcdec28
> --- /dev/null
> +++ b/include/hw/intc/arm_gicv5_types.h
> +/*
> + * The GICv5 has four physical Interrupt Domains. This numbering
> + * must match the encoding used in IRS_IDR0.INT_DOM.
Wrap seems a bit short but meh, maybe it's more readable like this.
> + */
> +typedef enum GICv5Domain {
> + GICV5_ID_S = 0,
> + GICV5_ID_NS = 1,
> + GICV5_ID_EL3 = 2,
> + GICV5_ID_REALM = 3,
> +} GICv5Domain;
> +
> +#define NUM_GICV5_DOMAINS 4
> +
> +#endif
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 05/65] hw/intc/arm_gicv5: Add migration blocker
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (3 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 04/65] hw/intc/arm_gicv5: Implement skeleton code for IRS register frames Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 11:52 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 06/65] hw/intc/arm_gicv5: Create and validate QOM properties Peter Maydell
` (60 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
This initial version of the GICv5 will not support migration:
* the spec is still only at EAC level, so the data to be
migrated might in theory change before it is finalised
* when we add support for missing features like EL2/EL3/Realm
we might find we want to refactor the data structures we use
* I still need to check against the proposed KVM GICv5
handling to see if there are any awkward mismatches
that might affect how we want to store the data
* it's experimental, so for pragmatic reasons I'm skipping
it to get the initial version done faster
Install a migration blocker to enforce this.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 0eb4348e81..73a6e629df 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -11,6 +11,7 @@
#include "qapi/error.h"
#include "qemu/log.h"
#include "trace.h"
+#include "migration/blocker.h"
OBJECT_DEFINE_TYPE(GICv5, gicv5, ARM_GICV5, ARM_GICV5_COMMON)
@@ -194,6 +195,7 @@ static void gicv5_realize(DeviceState *dev, Error **errp)
{
GICv5Common *cs = ARM_GICV5_COMMON(dev);
GICv5Class *gc = ARM_GICV5_GET_CLASS(dev);
+ Error *migration_blocker = NULL;
ERRP_GUARD();
@@ -202,6 +204,12 @@ static void gicv5_realize(DeviceState *dev, Error **errp)
return;
}
+ error_setg(&migration_blocker,
+ "Live migration disabled: not yet supported by GICv5");
+ if (migrate_add_blocker(&migration_blocker, errp)) {
+ return;
+ }
+
/*
* When we implement support for more than one interrupt domain,
* we will provide some QOM properties so the board can configure
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 05/65] hw/intc/arm_gicv5: Add migration blocker
2026-02-23 17:01 ` [PATCH 05/65] hw/intc/arm_gicv5: Add migration blocker Peter Maydell
@ 2026-03-06 11:52 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 11:52 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:12 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> This initial version of the GICv5 will not support migration:
>
> * the spec is still only at EAC level, so the data to be
> migrated might in theory change before it is finalised
> * when we add support for missing features like EL2/EL3/Realm
> we might find we want to refactor the data structures we use
> * I still need to check against the proposed KVM GICv5
> handling to see if there are any awkward mismatches
> that might affect how we want to store the data
> * it's experimental, so for pragmatic reasons I'm skipping
> it to get the initial version done faster
>
All make sense to me.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 06/65] hw/intc/arm_gicv5: Create and validate QOM properties
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (4 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 05/65] hw/intc/arm_gicv5: Add migration blocker Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 12:07 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 07/65] hw/intc/arm_gicv5: Create inbound GPIO lines for SPIs Peter Maydell
` (59 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Add code to the GICv5 skeleton which creates the QOM properties which
the board or SoC can use to configure the GIC, and the validation
code to check they are in range. Generally these correspond to
fields in the IRS ID registers, and the properties are named
correspondingly.
Notable here is that unlike the GICv3 (which assumes its connected
CPUs are the system's CPUs starting from 0), we define a QOM array
property which is an array of pointers to the CPUs, and a QOM array
property which is an array of integers telling the GIC what the
IAFFID (interrupt affinity ID) for each CPU is; so a board or SoC
which wants to connect multiple CPUs to this GICv5 would do something
like:
QList *cpulist = qlist_new(), *iaffidlist = qlist_new();
for (int i = 0; i < ms->smp.cpus; i++) {
qlist_append_link(cpulist, OBJECT(qemu_get_cpu(i)));
qlist_append_int(iaffidlist, i);
}
qdev_prop_set_array(vms->gic, "cpus", cpulist);
qdev_prop_set_array(vms->gic, "cpu-iaffids", iaffidlist);
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5_common.c | 80 ++++++++++++++++++++++++++++++
hw/intc/trace-events | 3 ++
include/hw/intc/arm_gicv5_common.h | 25 ++++++++++
3 files changed, 108 insertions(+)
diff --git a/hw/intc/arm_gicv5_common.c b/hw/intc/arm_gicv5_common.c
index cb80c8821c..c8b6704fe4 100644
--- a/hw/intc/arm_gicv5_common.c
+++ b/hw/intc/arm_gicv5_common.c
@@ -8,9 +8,15 @@
#include "qemu/osdep.h"
#include "hw/intc/arm_gicv5_common.h"
+#include "hw/core/qdev-properties.h"
+#include "qapi/error.h"
+#include "trace.h"
OBJECT_DEFINE_ABSTRACT_TYPE(GICv5Common, gicv5_common, ARM_GICV5_COMMON, SYS_BUS_DEVICE)
+/* Any value > 2^24 is out of the valid range for this property */
+#define GICV5_SPI_IRS_RANGE_NOT_SET 0xffffffff
+
static bool bad_frame_accepts(void *opaque, hwaddr addr, unsigned size,
bool is_write, MemTxAttrs attrs)
{
@@ -58,9 +64,83 @@ static void gicv5_common_finalize(Object *obj)
{
}
+static void gicv5_common_realize(DeviceState *dev, Error **errp)
+{
+ GICv5Common *cs = ARM_GICV5_COMMON(dev);
+
+ if (cs->num_cpus == 0) {
+ error_setg(errp, "The cpus array property must have at least one CPU");
+ return;
+ }
+ if (cs->num_cpus >= (1 << 16)) {
+ /* We'll hit other QEMU limits long before this one :-) */
+ error_setg(errp, "Number of CPUs exceeds GICv5 architectural maximum");
+ return;
+ }
+ if (cs->num_cpus != cs->num_cpu_iaffids) {
+ error_setg(errp, "The cpu-iaffids array property must be the same size "
+ "as the cpus array property");
+ return;
+ }
+ if (cs->irsid >= (1 << 16)) {
+ error_setg(errp, "irsid (%u) is more than 2^16-1", cs->irsid);
+ return;
+ }
+ if (cs->spi_range > (1 << 24)) {
+ /*
+ * Note that IRS_IDR5.SPI_RANGE is a 25 bit field but the largest
+ * architecturally permitted value is 2^24 (not 2^25-1), hence
+ * use of > in the range check.
+ */
+ error_setg(errp, "spi-range (%u) is more than 2^24", cs->spi_range);
+ return;
+ }
+ if (cs->spi_irs_range == GICV5_SPI_IRS_RANGE_NOT_SET) {
+ /* spi-irs-range defaults to same as spi-range */
+ cs->spi_irs_range = cs->spi_range;
+ }
+ if (cs->spi_irs_range > (1 << 24)) {
+ /* Similarly IRS_IDR6.SPI_IRS_RANGE */
+ error_setg(errp, "spi-irs-range (%u) is more than 2^24",
+ cs->spi_irs_range);
+ return;
+ }
+ if (cs->spi_base >= (1 << 24)) {
+ /* IRS_IDR7.SPI_BASE is a 24-bit field, so range check is >= */
+ error_setg(errp, "spi-base (%u) is more than 2^24-1", cs->spi_base);
+ return;
+ }
+ /* range checks above mean we know this addition won't overflow */
+ if (cs->spi_base + cs->spi_irs_range > cs->spi_range) {
+ error_setg(errp, "spi-base (%u) + spi-irs-range (%u) is "
+ "more than spi-range (%u)",
+ cs->spi_base, cs->spi_irs_range, cs->spi_range);
+ return;
+ }
+
+ trace_gicv5_common_realize(cs->irsid, cs->num_cpus,
+ cs->spi_base, cs->spi_irs_range, cs->spi_range);
+}
+
+static const Property arm_gicv5_common_properties[] = {
+ DEFINE_PROP_LINK_ARRAY("cpus", GICv5Common, num_cpus,
+ cpus, TYPE_ARM_CPU, ARMCPU *),
+ DEFINE_PROP_ARRAY("cpu-iaffids", GICv5Common, num_cpu_iaffids,
+ cpu_iaffids, qdev_prop_uint32, uint32_t),
+ DEFINE_PROP_UINT32("irsid", GICv5Common, irsid, 0),
+ DEFINE_PROP_UINT32("spi-range", GICv5Common, spi_range, 0),
+ DEFINE_PROP_UINT32("spi-base", GICv5Common, spi_base, 0),
+ DEFINE_PROP_UINT32("spi-irs-range", GICv5Common, spi_irs_range,
+ GICV5_SPI_IRS_RANGE_NOT_SET),
+};
+
static void gicv5_common_class_init(ObjectClass *oc, const void *data)
{
ResettableClass *rc = RESETTABLE_CLASS(oc);
+ DeviceClass *dc = DEVICE_CLASS(oc);
rc->phases.hold = gicv5_common_reset_hold;
+
+ dc->realize = gicv5_common_realize;
+ device_class_set_props(dc, arm_gicv5_common_properties);
}
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index edd3c49c5f..54777f6da3 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -233,6 +233,9 @@ gicv5_badread(const char *domain, uint64_t offset, unsigned size) "GICv5 IRS %s
gicv5_write(const char *domain, uint64_t offset, uint64_t data, unsigned size) "GICv5 IRS %s config frame write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
gicv5_badwrite(const char *domain, uint64_t offset, uint64_t data, unsigned size) "GICv5 IRS %s config frame write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u: error"
+# arm_gicv5_common.c
+gicv5_common_realize(uint32_t irsid, uint32_t num_cpus, uint32_t spi_base, uint32_t spi_irs_range, uint32_t spi_range) "GICv5 IRS realized: IRS ID %u, %u CPUs, SPI base %u, SPI IRS range %u, SPI range %u"
+
# armv7m_nvic.c
nvic_recompute_state(int vectpending, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d vectpending_prio %d exception_prio %d"
nvic_recompute_state_secure(int vectpending, bool vectpending_is_s_banked, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d is_s_banked %d vectpending_prio %d exception_prio %d"
diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
index 8ba2e5c879..b22f020a53 100644
--- a/include/hw/intc/arm_gicv5_common.h
+++ b/include/hw/intc/arm_gicv5_common.h
@@ -12,10 +12,24 @@
#include "qom/object.h"
#include "hw/core/sysbus.h"
#include "hw/intc/arm_gicv5_types.h"
+#include "target/arm/cpu-qom.h"
/*
* QEMU interface:
*
+ * + QOM array property "cpus": CPUState pointers to each CPU
+ * connected to this IRS.
+ * + QOM array property "cpu-iaffids": array of uint32_t giving the
+ * IAFFID for each CPU in the "cpus" property array
+ * + QOM property "irsid": unique identifier for this IRS in the system
+ * (this is IRS_IDR0.IRSID); default is 0
+ * + QOM property "spi-range": total number of SPIs in the system
+ * IRS (this is IRS_IDR5.SPI_RANGE); must be set
+ * + QOM property "spi-base": minimum SPI INTID.ID implemented on this
+ * IRS (this is IRS_IDR7.SPI_BASE); default is 0
+ * + QOM property "spi-irs-range": number of SPI INTID.ID managed on this
+ * IRS (this is IRS_IDR6.SPI_IRS_RANGE); defaults to value of spi-range
+ *
* sysbus MMIO regions (in order matching IRS_IDR0.INT_DOM encoding):
* - IRS config frame for the Secure Interrupt Domain
* - IRS config frame for the Non-secure Interrupt Domain
@@ -47,6 +61,17 @@ struct GICv5Common {
/* Bits here are set for each physical interrupt domain implemented */
uint8_t implemented_domains;
+
+ /* Properties */
+ uint32_t num_cpus;
+ ARMCPU **cpus;
+ uint32_t num_cpu_iaffids;
+ uint32_t *cpu_iaffids;
+
+ uint32_t irsid;
+ uint32_t spi_base;
+ uint32_t spi_irs_range;
+ uint32_t spi_range;
};
struct GICv5CommonClass {
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 06/65] hw/intc/arm_gicv5: Create and validate QOM properties
2026-02-23 17:01 ` [PATCH 06/65] hw/intc/arm_gicv5: Create and validate QOM properties Peter Maydell
@ 2026-03-06 12:07 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 12:07 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:13 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Add code to the GICv5 skeleton which creates the QOM properties which
> the board or SoC can use to configure the GIC, and the validation
> code to check they are in range. Generally these correspond to
> fields in the IRS ID registers, and the properties are named
> correspondingly.
>
> Notable here is that unlike the GICv3 (which assumes its connected
> CPUs are the system's CPUs starting from 0), we define a QOM array
> property which is an array of pointers to the CPUs, and a QOM array
> property which is an array of integers telling the GIC what the
> IAFFID (interrupt affinity ID) for each CPU is; so a board or SoC
> which wants to connect multiple CPUs to this GICv5 would do something
> like:
>
> QList *cpulist = qlist_new(), *iaffidlist = qlist_new();
>
> for (int i = 0; i < ms->smp.cpus; i++) {
> qlist_append_link(cpulist, OBJECT(qemu_get_cpu(i)));
> qlist_append_int(iaffidlist, i);
> }
> qdev_prop_set_array(vms->gic, "cpus", cpulist);
> qdev_prop_set_array(vms->gic, "cpu-iaffids", iaffidlist);
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 07/65] hw/intc/arm_gicv5: Create inbound GPIO lines for SPIs
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (5 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 06/65] hw/intc/arm_gicv5: Create and validate QOM properties Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 14:57 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 08/65] hw/intc/arm_gicv5: Define macros for config frame registers Peter Maydell
` (58 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The GICv5 IRS may have inbound GPIO lines corresponding to SPIs
(shared peripheral interrupts). Unlike the GICv3, it does not deal
with PPIs (private peripheral interrupts, i.e. per-CPU interrupts):
in a GICv5 system those are handled entirely within the CPU
interface. The inbound GPIO array is therefore a simple sequence of
one GPIO per SPI that this IRS handles.
Create the GPIO input array in gicv5_common_init_irqs_and_mmio().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 11 ++++++++++-
hw/intc/arm_gicv5_common.c | 5 +++++
hw/intc/trace-events | 1 +
include/hw/intc/arm_gicv5_common.h | 4 ++++
4 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 73a6e629df..7ef48bb450 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -181,6 +181,15 @@ static const MemoryRegionOps config_frame_ops[NUM_GICV5_DOMAINS] = {
},
};
+static void gicv5_set_spi(void *opaque, int irq, int level)
+{
+ /* These irqs are all SPIs; the INTID is irq + s->spi_base */
+ GICv5Common *cs = ARM_GICV5_COMMON(opaque);
+ uint32_t spi_id = irq + cs->spi_base;
+
+ trace_gicv5_spi(spi_id, level);
+}
+
static void gicv5_reset_hold(Object *obj, ResetType type)
{
GICv5 *s = ARM_GICV5(obj);
@@ -217,7 +226,7 @@ static void gicv5_realize(DeviceState *dev, Error **errp)
* NS domain.
*/
cs->implemented_domains = (1 << GICV5_ID_NS);
- gicv5_common_init_irqs_and_mmio(cs, config_frame_ops);
+ gicv5_common_init_irqs_and_mmio(cs, gicv5_set_spi, config_frame_ops);
}
static void gicv5_init(Object *obj)
diff --git a/hw/intc/arm_gicv5_common.c b/hw/intc/arm_gicv5_common.c
index c8b6704fe4..0f966dfd1b 100644
--- a/hw/intc/arm_gicv5_common.c
+++ b/hw/intc/arm_gicv5_common.c
@@ -38,10 +38,15 @@ static const MemoryRegionOps bad_frame_ops = {
};
void gicv5_common_init_irqs_and_mmio(GICv5Common *cs,
+ qemu_irq_handler handler,
const MemoryRegionOps config_ops[NUM_GICV5_DOMAINS])
{
SysBusDevice *sbd = SYS_BUS_DEVICE(cs);
+ if (cs->spi_irs_range) {
+ qdev_init_gpio_in(DEVICE(cs), handler, cs->spi_irs_range);
+ }
+
for (int i = 0; i < NUM_GICV5_DOMAINS; i++) {
g_autofree char *memname = g_strdup_printf("gicv5-irs-%d", i);
const MemoryRegionOps *ops = gicv5_domain_implemented(cs, i) ?
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index 54777f6da3..0797a23c1a 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -232,6 +232,7 @@ gicv5_read(const char *domain, uint64_t offset, uint64_t data, unsigned size) "G
gicv5_badread(const char *domain, uint64_t offset, unsigned size) "GICv5 IRS %s config frame read: offset 0x%" PRIx64 " size %u: error"
gicv5_write(const char *domain, uint64_t offset, uint64_t data, unsigned size) "GICv5 IRS %s config frame write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
gicv5_badwrite(const char *domain, uint64_t offset, uint64_t data, unsigned size) "GICv5 IRS %s config frame write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u: error"
+gicv5_spi(uint32_t id, int level) "GICv5 SPI ID %u asserted at level %d"
# arm_gicv5_common.c
gicv5_common_realize(uint32_t irsid, uint32_t num_cpus, uint32_t spi_base, uint32_t spi_irs_range, uint32_t spi_range) "GICv5 IRS realized: IRS ID %u, %u CPUs, SPI base %u, SPI IRS range %u, SPI range %u"
diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
index b22f020a53..be898abcd5 100644
--- a/include/hw/intc/arm_gicv5_common.h
+++ b/include/hw/intc/arm_gicv5_common.h
@@ -29,6 +29,9 @@
* IRS (this is IRS_IDR7.SPI_BASE); default is 0
* + QOM property "spi-irs-range": number of SPI INTID.ID managed on this
* IRS (this is IRS_IDR6.SPI_IRS_RANGE); defaults to value of spi-range
+ * + unnamed GPIO inputs: the SPIs handled by this IRS
+ * (so GPIO input 0 is the SPI with INTID SPI_BASE, input 1 is
+ * SPI_BASE+1, and so on up to SPI_BASE + SPI_IRS_RANGE - 1)
*
* sysbus MMIO regions (in order matching IRS_IDR0.INT_DOM encoding):
* - IRS config frame for the Secure Interrupt Domain
@@ -91,6 +94,7 @@ struct GICv5CommonClass {
* of MemoryRegionOps structs.
*/
void gicv5_common_init_irqs_and_mmio(GICv5Common *cs,
+ qemu_irq_handler handler,
const MemoryRegionOps ops[NUM_GICV5_DOMAINS]);
/**
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 07/65] hw/intc/arm_gicv5: Create inbound GPIO lines for SPIs
2026-02-23 17:01 ` [PATCH 07/65] hw/intc/arm_gicv5: Create inbound GPIO lines for SPIs Peter Maydell
@ 2026-03-06 14:57 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 14:57 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:14 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The GICv5 IRS may have inbound GPIO lines corresponding to SPIs
> (shared peripheral interrupts). Unlike the GICv3, it does not deal
> with PPIs (private peripheral interrupts, i.e. per-CPU interrupts):
> in a GICv5 system those are handled entirely within the CPU
> interface. The inbound GPIO array is therefore a simple sequence of
> one GPIO per SPI that this IRS handles.
>
> Create the GPIO input array in gicv5_common_init_irqs_and_mmio().
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Another bit of trivial stuff from me ;)
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> gicv5_common_realize(uint32_t irsid, uint32_t num_cpus, uint32_t spi_base, uint32_t spi_irs_range, uint32_t spi_range) "GICv5 IRS realized: IRS ID %u, %u CPUs, SPI base %u, SPI IRS range %u, SPI range %u"
> diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
> index b22f020a53..be898abcd5 100644
> --- a/include/hw/intc/arm_gicv5_common.h
> +++ b/include/hw/intc/arm_gicv5_common.h
> @@ -29,6 +29,9 @@
> * IRS (this is IRS_IDR7.SPI_BASE); default is 0
> * + QOM property "spi-irs-range": number of SPI INTID.ID managed on this
> * IRS (this is IRS_IDR6.SPI_IRS_RANGE); defaults to value of spi-range
> + * + unnamed GPIO inputs: the SPIs handled by this IRS
> + * (so GPIO input 0 is the SPI with INTID SPI_BASE, input 1 is
> + * SPI_BASE+1, and so on up to SPI_BASE + SPI_IRS_RANGE - 1)
SPI_BASE + 1
for consistency.
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 08/65] hw/intc/arm_gicv5: Define macros for config frame registers
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (6 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 07/65] hw/intc/arm_gicv5: Create inbound GPIO lines for SPIs Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 15:53 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 09/65] hw/intc/arm_gicv5: Implement IRS ID regs Peter Maydell
` (57 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Define constants for the various registers in the IRS config frame
using the REG and FIELD macros.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 243 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 243 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 7ef48bb450..db754e7681 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -7,6 +7,7 @@
*/
#include "qemu/osdep.h"
+#include "hw/core/registerfields.h"
#include "hw/intc/arm_gicv5.h"
#include "qapi/error.h"
#include "qemu/log.h"
@@ -22,6 +23,248 @@ static const char *domain_name[] = {
[GICV5_ID_REALM] = "Realm",
};
+REG32(IRS_IDR0, 0x0)
+ FIELD(IRS_IDR0, INT_DOM, 0, 2)
+ FIELD(IRS_IDR0, PA_RANGE, 2, 5)
+ FIELD(IRS_IDR0, VIRT, 6, 1)
+ FIELD(IRS_IDR0, ONE_N, 7, 1)
+ FIELD(IRS_IDR0, VIRT_ONE_N, 8, 1)
+ FIELD(IRS_IDR0, SETLPI, 9, 1)
+ FIELD(IRS_IDR0, MEC, 10, 1)
+ FIELD(IRS_IDR0, MPAM, 11, 1)
+ FIELD(IRS_IDR0, SWE, 12, 1)
+ FIELD(IRS_IDR0, IRSID, 16, 16)
+
+REG32(IRS_IDR1, 0x4)
+ FIELD(IRS_IDR1, PE_CNT, 0, 16)
+ FIELD(IRS_IDR1, IAFFID_BITS, 16, 4)
+ FIELD(IRS_IDR1, PRI_BITS, 20, 3)
+
+REG32(IRS_IDR2, 0x8)
+ FIELD(IRS_IDR2, ID_BITS, 0, 5)
+ FIELD(IRS_IDR2, LPI, 5, 1)
+ FIELD(IRS_IDR2, MIN_LPI_ID_BITS, 6, 4)
+ FIELD(IRS_IDR2, IST_LEVELS, 10, 1)
+ FIELD(IRS_IDR2, IST_L2SZ, 11, 3)
+ FIELD(IRS_IDR2, IST_MD, 14, 1)
+ FIELD(IRS_IDR2, ISTMD_SZ, 15, 5)
+
+REG32(IRS_IDR3, 0xc)
+ FIELD(IRS_IDR3, VMD, 0, 1)
+ FIELD(IRS_IDR3, VMD_SZ, 1, 4)
+ FIELD(IRS_IDR3, VM_ID_BITS, 5, 5)
+ FIELD(IRS_IDR3, VMT_LEVELS, 10, 1)
+
+REG32(IRS_IDR4, 0x10)
+ FIELD(IRS_IDR4, VPED_SZ, 0, 6)
+ FIELD(IRS_IDR4, VPE_ID_BITS, 6, 4)
+
+REG32(IRS_IDR5, 0x14)
+ FIELD(IRS_IDR5, SPI_RANGE, 0, 25)
+
+REG32(IRS_IDR6, 0x18)
+ FIELD(IRS_IDR6, SPI_IRS_RANGE, 0, 25)
+
+REG32(IRS_IDR7, 0x1c)
+ FIELD(IRS_IDR7, SPI_BASE, 0, 24)
+
+REG32(IRS_IIDR, 0x40)
+ FIELD(IRS_IIDR, IMPLEMENTER, 0, 12)
+ FIELD(IRS_IIDR, REVISION, 12, 4)
+ FIELD(IRS_IIDR, VARIANT, 16, 4)
+ FIELD(IRS_IIDR, PRODUCTID, 20, 12)
+
+REG32(IRS_AIDR, 0x44)
+ FIELD(IRS_AIDR, ARCHMINORREV, 0, 4)
+ FIELD(IRS_AIDR, ARCHMAJORREV, 4, 4)
+ FIELD(IRS_AIDR, COMPONENT, 8, 4)
+
+REG32(IRS_CR0, 0x80)
+ FIELD(IRS_CR0, IRSEN, 0, 1)
+ FIELD(IRS_CR0, IDLE, 1, 1)
+
+REG32(IRS_CR1, 0x84)
+ FIELD(IRS_CR1, SH, 0, 2)
+ FIELD(IRS_CR1, OC, 2, 2)
+ FIELD(IRS_CR1, IC, 4, 2)
+ FIELD(IRS_CR1, IST_RA, 6, 1)
+ FIELD(IRS_CR1, IST_WA, 7, 1)
+ FIELD(IRS_CR1, VMT_RA, 8, 1)
+ FIELD(IRS_CR1, VMT_WA, 9, 1)
+ FIELD(IRS_CR1, VPET_RA, 10, 1)
+ FIELD(IRS_CR1, VPET_WA, 11, 1)
+ FIELD(IRS_CR1, VMD_RA, 12, 1)
+ FIELD(IRS_CR1, VMD_WA, 13, 1)
+ FIELD(IRS_CR1, VPED_RA, 14, 1)
+ FIELD(IRS_CR1, VPED_WA, 15, 1)
+
+REG32(IRS_SYNCR, 0xc0)
+ FIELD(IRS_SYNCR, SYNC, 31, 1)
+
+REG32(IRS_SYNC_STATUSR, 0xc4)
+ FIELD(IRS_SYNC_STATUSR, IDLE, 0, 1)
+
+REG64(IRS_SPI_VMR, 0x100)
+ FIELD(IRS_SPI_VMR, VM_ID, 0, 16)
+ FIELD(IRS_SPI_VMR, VIRT, 63, 1)
+
+REG32(IRS_SPI_SELR, 0x108)
+ FIELD(IRS_SPI_SELR, ID, 0, 24)
+
+REG32(IRS_SPI_DOMAINR, 0x10c)
+ FIELD(IRS_SPI_DOMAINR, DOMAIN, 0, 2)
+
+REG32(IRS_SPI_RESAMPLER, 0x110)
+ FIELD(IRS_SPI_RESAMPLER, SPI_ID, 0, 24)
+
+REG32(IRS_SPI_CFGR, 0x114)
+ FIELD(IRS_SPI_CFGR, TM, 0, 1)
+
+REG32(IRS_SPI_STATUSR, 0x118)
+ FIELD(IRS_SPI_STATUSR, IDLE, 0, 1)
+ FIELD(IRS_SPI_STATUSR, V, 1, 1)
+
+REG32(IRS_PE_SELR, 0x140)
+ FIELD(IRS_PE_SELR, IAFFID, 0, 16)
+
+REG32(IRS_PE_STATUSR, 0x144)
+ FIELD(IRS_PE_STATUSR, IDLE, 0, 1)
+ FIELD(IRS_PE_STATUSR, V, 1, 1)
+ FIELD(IRS_PE_STATUSR, ONLINE, 2, 1)
+
+REG32(IRS_PE_CR0, 0x148)
+ FIELD(IRS_PE_CR0, DPS, 0, 1)
+
+REG64(IRS_IST_BASER, 0x180)
+ FIELD(IRS_IST_BASER, VALID, 0, 1)
+ FIELD(IRS_IST_BASER, ADDR, 6, 50)
+
+REG32(IRS_IST_CFGR, 0x190)
+ FIELD(IRS_IST_CFGR, LPI_ID_BITS, 0, 5)
+ FIELD(IRS_IST_CFGR, L2SZ, 5, 2)
+ FIELD(IRS_IST_CFGR, ISTSZ, 7, 2)
+ FIELD(IRS_IST_CFGR, STRUCTURE, 16, 1)
+
+REG32(IRS_IST_STATUSR, 0x194)
+ FIELD(IRS_IST_STATUSR, IDLE, 0, 1)
+
+REG32(IRS_MAP_L2_ISTR, 0x1c0)
+ FIELD(IRS_MAP_L2_ISTR, ID, 0, 24)
+
+REG64(IRS_VMT_BASER, 0x200)
+ FIELD(IRS_VMT_BASER, VALID, 0, 1)
+ FIELD(IRS_VMT_BASER, ADDR, 3, 53)
+
+REG32(IRS_VMT_CFGR, 0x210)
+ FIELD(IRS_VMT_CFGR, VM_ID_BITS, 0, 5)
+ FIELD(IRS_VMT_CFGR, STRUCTURE, 16, 1)
+
+REG32(IRS_VMT_STATUSR, 0x124)
+ FIELD(IRS_VMT_STATUSR, IDLE, 0, 1)
+
+REG64(IRS_VPE_SELR, 0x240)
+ FIELD(IRS_VPE_SELR, VM_ID, 0, 16)
+ FIELD(IRS_VPE_SELR, VPE_ID, 32, 16)
+ FIELD(IRS_VPE_SELR, S, 63, 1)
+
+REG64(IRS_VPE_DBR, 0x248)
+ FIELD(IRS_VPE_DBR, INTID, 0, 24)
+ FIELD(IRS_VPE_DBR, DBPM, 32, 5)
+ FIELD(IRS_VPE_DBR, REQ_DB, 62, 1)
+ FIELD(IRS_VPE_DBR, DBV, 63, 1)
+
+REG32(IRS_VPE_HPPIR, 0x250)
+ FIELD(IRS_VPE_HPPIR, ID, 0, 24)
+ FIELD(IRS_VPE_HPPIR, TYPE, 29, 3)
+ FIELD(IRS_VPE_HPPIR, HPPIV, 32, 1)
+
+REG32(IRS_VPE_CR0, 0x258)
+ FIELD(IRS_VPE_CR0, DPS, 0, 1)
+
+REG32(IRS_VPE_STATUSR, 0x25c)
+ FIELD(IRS_VPE_STATUSR, IDLE, 0, 1)
+ FIELD(IRS_VPE_STATUSR, V, 1, 1)
+
+REG64(IRS_VM_DBR, 0x280)
+ FIELD(IRS_VM_DBR, VPE_ID, 0, 16)
+ FIELD(IRS_VM_DBR, EN, 63, 1)
+
+REG32(IRS_VM_SELR, 0x288)
+ FIELD(IRS_VM_SELR, VM_ID, 0, 16)
+
+REG32(IRS_VM_STATUSR, 0x28c)
+ FIELD(IRS_VM_STATUSR, IDLE, 0, 1)
+ FIELD(IRS_VM_STATUSR, V, 1, 1)
+
+REG64(IRS_VMAP_L2_VMTR, 0x2c0)
+ FIELD(IRS_VMAP_L2_VMTR, VM_ID, 0, 16)
+ FIELD(IRS_VMAP_L2_VMTR, M, 63, 1)
+
+REG64(IRS_VMAP_VMR, 0x2c8)
+ FIELD(IRS_VMAP_VMR, VM_ID, 0, 16)
+ FIELD(IRS_VMAP_VMR, U, 62, 1)
+ FIELD(IRS_VMAP_VMR, M, 63, 1)
+
+REG64(IRS_VMAP_VISTR, 0x2d0)
+ FIELD(IRS_VMAP_VISTR, TYPE, 29, 3)
+ FIELD(IRS_VMAP_VISTR, VM_ID, 32, 16)
+ FIELD(IRS_VMAP_VISTR, U, 62, 1)
+ FIELD(IRS_VMAP_VISTR, M, 63, 1)
+
+REG64(IRS_VMAP_L2_VISTR, 0x2d8)
+ FIELD(IRS_VMAP_L2_VISTR, ID, 0, 24)
+ FIELD(IRS_VMAP_L2_VISTR, TYPE, 29, 3)
+ FIELD(IRS_VMAP_L2_VISTR, VM_ID, 32, 16)
+ FIELD(IRS_VMAP_L2_VISTR, M, 63, 1)
+
+REG64(IRS_VMAP_VPER, 0x2e0)
+ FIELD(IRS_VMAP_VPER, VPE_ID, 0, 16)
+ FIELD(IRS_VMAP_VPER, VM_ID, 32, 16)
+ FIELD(IRS_VMAP_VPER, M, 63, 1)
+
+REG64(IRS_SAVE_VMR, 0x300)
+ FIELD(IRS_SAVE_VMR, VM_ID, 0, 16)
+ FIELD(IRS_SAVE_VMR, Q, 62, 1)
+ FIELD(IRS_SAVE_VMR, S, 63, 1)
+
+REG32(IRS_SAVE_VM_STATUSR, 0x308)
+ FIELD(IRS_SAVE_VM_STATUSR, IDLE, 0, 1)
+ FIELD(IRS_SAVE_VM_STATUSR, Q, 1, 1)
+
+REG32(IRS_MEC_IDR, 0x340)
+ FIELD(IRS_MEC_IDR, MECIDSIZE, 0, 4)
+
+REG32(IRS_MEC_MECID_R, 0x344)
+ FIELD(IRS_MEC_MICID_R, MECID, 0, 16)
+
+REG32(IRS_MPAM_IDR, 0x380)
+ FIELD(IRS_MPAM_IDR, PARTID_MAX, 0, 16)
+ FIELD(IRS_MPAM_IDR, PMG_MAX, 16, 8)
+ FIELD(IRS_MPAM_IDR, HAS_MPAM_SP, 24, 1)
+
+REG32(IRS_MPAM_PARTID_R, 0x384)
+ FIELD(IRS_MPAM_IDR, PARTID, 0, 16)
+ FIELD(IRS_MPAM_IDR, PMG, 16, 8)
+ FIELD(IRS_MPAM_IDR, MPAM_SP, 24, 2)
+ FIELD(IRS_MPAM_IDR, IDLE, 31, 1)
+
+REG64(IRS_SWERR_STATUSR, 0x3c0)
+ FIELD(IRS_SWERR_STATUSR, V, 0, 1)
+ FIELD(IRS_SWERR_STATUSR, S0V, 1, 1)
+ FIELD(IRS_SWERR_STATUSR, S1V, 2, 1)
+ FIELD(IRS_SWERR_STATUSR, OF, 3, 1)
+ FIELD(IRS_SWERR_STATUSR, EC, 16, 8)
+ FIELD(IRS_SWERR_STATUSR, IMP_EC, 24, 8)
+
+REG64(IRS_SWERR_SYNDROMER0, 0x3c8)
+ FIELD(IRS_SWERR_SYNDROMER0, VM_ID, 0, 16)
+ FIELD(IRS_SWERR_SYNDROMER0, ID, 32, 24)
+ FIELD(IRS_SWERR_SYNDROMER0, TYPE, 60, 3)
+ FIELD(IRS_SWERR_SYNDROMER0, VIRTUAL, 63, 1)
+
+REG64(IRS_SWERR_SYNDROMER1, 0x3d0)
+ FIELD(IRS_SWERR_SYNDROMER2, ADDR, 3, 53)
+
static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
uint64_t *data, MemTxAttrs attrs)
{
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 08/65] hw/intc/arm_gicv5: Define macros for config frame registers
2026-02-23 17:01 ` [PATCH 08/65] hw/intc/arm_gicv5: Define macros for config frame registers Peter Maydell
@ 2026-03-06 15:53 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 15:53 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:15 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Define constants for the various registers in the IRS config frame
> using the REG and FIELD macros.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Hi Peter,
I think one tiny error, with that tidied up.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> ---
> hw/intc/arm_gicv5.c | 243 ++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 243 insertions(+)
>
> diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
> index 7ef48bb450..db754e7681 100644
> --- a/hw/intc/arm_gicv5.c
> +++ b/hw/intc/arm_gicv5.c
> @@ -7,6 +7,7 @@
> */
> @@ -22,6 +23,248 @@ static const char *domain_name[] = {
> [GICV5_ID_REALM] = "Realm",
> };
>
> +REG32(IRS_IDR0, 0x0)
> + FIELD(IRS_IDR0, INT_DOM, 0, 2)
> + FIELD(IRS_IDR0, PA_RANGE, 2, 5)
Bits 2-5 so
FIELD(IRS_IDR0, PA_RANGE, 2, 4)
Otherwise overlaps with VIRT
> + FIELD(IRS_IDR0, VIRT, 6, 1)
...
> +
> +REG32(IRS_AIDR, 0x44)
> + FIELD(IRS_AIDR, ARCHMINORREV, 0, 4)
Style wise the GICV5 spec does like to mix it up with
underscores camelCase and just generally smashing words
together. Ah well :)
> + FIELD(IRS_AIDR, ARCHMAJORREV, 4, 4)
> + FIELD(IRS_AIDR, COMPONENT, 8, 4)
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 09/65] hw/intc/arm_gicv5: Implement IRS ID regs
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (7 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 08/65] hw/intc/arm_gicv5: Define macros for config frame registers Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 16:16 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 10/65] hw/intc/arm_gicv5: Add link property for MemoryRegion for DMA Peter Maydell
` (56 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the IRS frame ID registers IRS_IDR[0-7], IRS_IIDR and
IRS_AIDR. These are all 32-bit registers.
We make these fields in the GIC state struct rather than just
hardcoding them in the register read function so that we can later
code "do this only if X is implemented" as a test on the ID register
value.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 112 +++++++++++++++++++++++++++++
include/hw/intc/arm_gicv5_common.h | 39 ++++++++++
2 files changed, 151 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index db754e7681..f34bb81966 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -268,6 +268,62 @@ REG64(IRS_SWERR_SYNDROMER1, 0x3d0)
static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
uint64_t *data, MemTxAttrs attrs)
{
+ GICv5Common *cs = ARM_GICV5_COMMON(s);
+ uint32_t v = 0;
+
+ switch (offset) {
+ case A_IRS_IDR0:
+ v = cs->irs_idr0;
+ /* INT_DOM reports the domain this register is for */
+ v = FIELD_DP32(v, IRS_IDR0, INT_DOM, domain);
+ if (domain != GICV5_ID_REALM) {
+ /* MEC field RES0 except for the Realm domain */
+ v &= ~R_IRS_IDR0_MEC_MASK;
+ }
+ if (domain == GICV5_ID_EL3) {
+ /* VIRT is RES0 for EL3 domain */
+ v &= ~R_IRS_IDR0_VIRT_MASK;
+ }
+ return true;
+
+ case A_IRS_IDR1:
+ *data = cs->irs_idr1;
+ return true;
+
+ case A_IRS_IDR2:
+ *data = cs->irs_idr2;
+ return true;
+
+ case A_IRS_IDR3:
+ /* In EL3 IDR0.VIRT is 0 so this is RES0 */
+ *data = domain == GICV5_ID_EL3 ? 0 : cs->irs_idr3;
+ return true;
+
+ case A_IRS_IDR4:
+ /* In EL3 IDR0.VIRT is 0 so this is RES0 */
+ *data = domain == GICV5_ID_EL3 ? 0 : cs->irs_idr4;
+ return true;
+
+ case A_IRS_IDR5:
+ *data = cs->irs_idr5;
+ return true;
+
+ case A_IRS_IDR6:
+ *data = cs->irs_idr6;
+ return true;
+
+ case A_IRS_IDR7:
+ *data = cs->irs_idr7;
+ return true;
+
+ case A_IRS_IIDR:
+ *data = cs->irs_iidr;
+ return true;
+
+ case A_IRS_AIDR:
+ *data = cs->irs_aidr;
+ return true;
+ }
return false;
}
@@ -443,6 +499,60 @@ static void gicv5_reset_hold(Object *obj, ResetType type)
}
}
+static void gicv5_set_idregs(GICv5Common *cs)
+{
+ /* Set the ID register value fields */
+ uint32_t v;
+
+ /*
+ * We don't support any of the optional parts of the spec currently,
+ * so most of the fields in IRS_IDR0 are zero.
+ */
+ v = 0;
+ /*
+ * We can handle physical addresses of any size, so report
+ * support for 56 bits of physical address space.
+ */
+ v = FIELD_DP32(v, IRS_IDR0, PA_RANGE, 7);
+ v = FIELD_DP32(v, IRS_IDR0, IRSID, cs->irsid);
+ cs->irs_idr0 = v;
+
+ v = 0;
+ v = FIELD_DP32(v, IRS_IDR1, PE_CNT, cs->num_cpus);
+ v = FIELD_DP32(v, IRS_IDR1, IAFFID_BITS, QEMU_GICV5_IAFFID_BITS - 1);
+ v = FIELD_DP32(v, IRS_IDR1, PRI_BITS, QEMU_GICV5_PRI_BITS - 1);
+ cs->irs_idr1 = v;
+
+ v = 0;
+ /* We always support physical LPIs with 2-level ISTs of all sizes */
+ v = FIELD_DP32(v, IRS_IDR2, ID_BITS, QEMU_GICV5_ID_BITS);
+ v = FIELD_DP32(v, IRS_IDR2, LPI, 1);
+ v = FIELD_DP32(v, IRS_IDR2, MIN_LPI_ID_BITS, QEMU_GICV5_MIN_LPI_ID_BITS);
+ v = FIELD_DP32(v, IRS_IDR2, IST_LEVELS, 1);
+ v = FIELD_DP32(v, IRS_IDR2, IST_L2SZ, 7);
+ /* Our impl does not need IST metadata, so ISTMD and ISTMD_SZ are 0 */
+ cs->irs_idr2 = v;
+
+ /* We don't implement virtualization yet, so these are zero */
+ cs->irs_idr3 = 0;
+ cs->irs_idr4 = 0;
+
+ /* These three have just one field each */
+ cs->irs_idr5 = FIELD_DP32(0, IRS_IDR5, SPI_RANGE, cs->spi_range);
+ cs->irs_idr6 = FIELD_DP32(0, IRS_IDR6, SPI_IRS_RANGE, cs->spi_irs_range);
+ cs->irs_idr7 = FIELD_DP32(0, IRS_IDR7, SPI_BASE, cs->spi_base);
+
+ v = 0;
+ v = FIELD_DP32(v, IRS_IIDR, IMPLEMENTER, QEMU_GICV5_IMPLEMENTER);
+ v = FIELD_DP32(v, IRS_IIDR, REVISION, QEMU_GICV5_REVISION);
+ v = FIELD_DP32(v, IRS_IIDR, VARIANT, QEMU_GICV5_VARIANT);
+ v = FIELD_DP32(v, IRS_IIDR, PRODUCTID, QEMU_GICV5_PRODUCTID);
+ cs->irs_iidr = v;
+
+ /* This is a GICv5.0 IRS, so all fields are zero */
+ cs->irs_aidr = 0;
+}
+
static void gicv5_realize(DeviceState *dev, Error **errp)
{
GICv5Common *cs = ARM_GICV5_COMMON(dev);
@@ -469,6 +579,8 @@ static void gicv5_realize(DeviceState *dev, Error **errp)
* NS domain.
*/
cs->implemented_domains = (1 << GICV5_ID_NS);
+
+ gicv5_set_idregs(cs);
gicv5_common_init_irqs_and_mmio(cs, gicv5_set_spi, config_frame_ops);
}
diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
index be898abcd5..bcf7cd4239 100644
--- a/include/hw/intc/arm_gicv5_common.h
+++ b/include/hw/intc/arm_gicv5_common.h
@@ -65,6 +65,18 @@ struct GICv5Common {
/* Bits here are set for each physical interrupt domain implemented */
uint8_t implemented_domains;
+ /* ID register values: set at realize, constant thereafter */
+ uint32_t irs_idr0;
+ uint32_t irs_idr1;
+ uint32_t irs_idr2;
+ uint32_t irs_idr3;
+ uint32_t irs_idr4;
+ uint32_t irs_idr5;
+ uint32_t irs_idr6;
+ uint32_t irs_idr7;
+ uint32_t irs_iidr;
+ uint32_t irs_aidr;
+
/* Properties */
uint32_t num_cpus;
ARMCPU **cpus;
@@ -84,6 +96,33 @@ struct GICv5CommonClass {
#define IRS_CONFIG_FRAME_SIZE 0x10000
+/*
+ * The architecture allows a GICv5 to implement less than the
+ * full width for various ID fields. QEMU's implementation
+ * always supports the full width of these fields. These constants
+ * define our implementation's limits.
+ */
+
+/* Number of INTID.ID bits we support */
+#define QEMU_GICV5_ID_BITS 24
+/* Min LPI_ID_BITS supported */
+#define QEMU_GICV5_MIN_LPI_ID_BITS 14
+/* IAFFID bits supported */
+#define QEMU_GICV5_IAFFID_BITS 16
+/* Number of priority bits supported in the IRS */
+#define QEMU_GICV5_PRI_BITS 5
+
+/*
+ * There are no TRMs currently published for hardware
+ * implementations of GICv5 that we might identify ourselves
+ * as. Instead, we borrow the Arm Implementer code and
+ * pick an arbitrary product ID (ASCII "Q")
+ */
+#define QEMU_GICV5_IMPLEMENTER 0x43b
+#define QEMU_GICV5_PRODUCTID 0x51
+#define QEMU_GICV5_REVISION 0
+#define QEMU_GICV5_VARIANT 0
+
/**
* gicv5_common_init_irqs_and_mmio: Create IRQs and MMIO regions for the GICv5
* @s: GIC object
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 09/65] hw/intc/arm_gicv5: Implement IRS ID regs
2026-02-23 17:01 ` [PATCH 09/65] hw/intc/arm_gicv5: Implement IRS ID regs Peter Maydell
@ 2026-03-06 16:16 ` Jonathan Cameron via qemu development
2026-03-19 13:22 ` Peter Maydell
0 siblings, 1 reply; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 16:16 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:16 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement the IRS frame ID registers IRS_IDR[0-7], IRS_IIDR and
> IRS_AIDR. These are all 32-bit registers.
>
> We make these fields in the GIC state struct rather than just
> hardcoding them in the register read function so that we can later
> code "do this only if X is implemented" as a test on the ID register
> value.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> hw/intc/arm_gicv5.c | 112 +++++++++++++++++++++++++++++
> include/hw/intc/arm_gicv5_common.h | 39 ++++++++++
> 2 files changed, 151 insertions(+)
>
> diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
> index db754e7681..f34bb81966 100644
> --- a/hw/intc/arm_gicv5.c
> +++ b/hw/intc/arm_gicv5.c
> @@ -268,6 +268,62 @@ REG64(IRS_SWERR_SYNDROMER1, 0x3d0)
> static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
> uint64_t *data, MemTxAttrs attrs)
> {
> + GICv5Common *cs = ARM_GICV5_COMMON(s);
> + uint32_t v = 0;
> +
> + switch (offset) {
> + case A_IRS_IDR0:
> + v = cs->irs_idr0;
> + /* INT_DOM reports the domain this register is for */
> + v = FIELD_DP32(v, IRS_IDR0, INT_DOM, domain);
> + if (domain != GICV5_ID_REALM) {
> + /* MEC field RES0 except for the Realm domain */
> + v &= ~R_IRS_IDR0_MEC_MASK;
> + }
> + if (domain == GICV5_ID_EL3) {
> + /* VIRT is RES0 for EL3 domain */
> + v &= ~R_IRS_IDR0_VIRT_MASK;
> + }
There are some more complex RES0 conditions that kind of build
off these, like VIRT_ONE_N is RES0 if VIRT is 0, including
I think if VIRT is RES0 as a result of the above. That particular
condition is perhaps worth encoding in here as you can see we may
have it implemented for everything other than EL3.
This is similar to what you do for the whole of IDR3.
> + return true;
> +
> + case A_IRS_IDR1:
> + *data = cs->irs_idr1;
> + return true;
> +
> + case A_IRS_IDR2:
> + *data = cs->irs_idr2;
> + return true;
> +
> + case A_IRS_IDR3:
> + /* In EL3 IDR0.VIRT is 0 so this is RES0 */
> + *data = domain == GICV5_ID_EL3 ? 0 : cs->irs_idr3;
The spec has that condition on a field by field bases. I wonder
if it would be clearer to mask out each field rather than set
whole thing to 0.
> + return true;
> +
> + case A_IRS_IDR4:
> + /* In EL3 IDR0.VIRT is 0 so this is RES0 */
> + *data = domain == GICV5_ID_EL3 ? 0 : cs->irs_idr4;
Similar for this one. Most of register is currently res0 and
we don't know if those bits will be used later for stuff that
isn't dependent on IRS_IDR0.VIRT being 1.
> + return true;
...
> }
>
> @@ -443,6 +499,60 @@ static void gicv5_reset_hold(Object *obj, ResetType type)
> }
> }
>
> +static void gicv5_set_idregs(GICv5Common *cs)
> +{
> + /* Set the ID register value fields */
> + uint32_t v;
> +
> + /*
> + * We don't support any of the optional parts of the spec currently,
Doesn't matter much but 'currently' does add anything to this sentence so
could just drop it.
> + * so most of the fields in IRS_IDR0 are zero.
> + */
> + v = 0;
> +}
> +
>
> diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
> index be898abcd5..bcf7cd4239 100644
> --- a/include/hw/intc/arm_gicv5_common.h
> +++ b/include/hw/intc/arm_gicv5_common.h
> @@ -65,6 +65,18 @@ struct GICv5Common {
> +/*
> + * The architecture allows a GICv5 to implement less than the
> + * full width for various ID fields. QEMU's implementation
> + * always supports the full width of these fields. These constants
> + * define our implementation's limits.
> + */
> +
> +/* Number of INTID.ID bits we support */
> +#define QEMU_GICV5_ID_BITS 24
> +/* Min LPI_ID_BITS supported */
> +#define QEMU_GICV5_MIN_LPI_ID_BITS 14
> +/* IAFFID bits supported */
> +#define QEMU_GICV5_IAFFID_BITS 16
> +/* Number of priority bits supported in the IRS */
> +#define QEMU_GICV5_PRI_BITS 5
> +
> +/*
> + * There are no TRMs currently published for hardware
> + * implementations of GICv5 that we might identify ourselves
> + * as. Instead, we borrow the Arm Implementer code and
> + * pick an arbitrary product ID (ASCII "Q")
Rather short wrap.
> + */
> +#define QEMU_GICV5_IMPLEMENTER 0x43b
> +#define QEMU_GICV5_PRODUCTID 0x51
> +#define QEMU_GICV5_REVISION 0
> +#define QEMU_GICV5_VARIANT 0
> +
> /**
> * gicv5_common_init_irqs_and_mmio: Create IRQs and MMIO regions for the GICv5
> * @s: GIC object
^ permalink raw reply [flat|nested] 142+ messages in thread* Re: [PATCH 09/65] hw/intc/arm_gicv5: Implement IRS ID regs
2026-03-06 16:16 ` Jonathan Cameron via qemu development
@ 2026-03-19 13:22 ` Peter Maydell
0 siblings, 0 replies; 142+ messages in thread
From: Peter Maydell @ 2026-03-19 13:22 UTC (permalink / raw)
To: Jonathan Cameron; +Cc: qemu-arm, qemu-devel
On Fri, 6 Mar 2026 at 16:16, Jonathan Cameron
<jonathan.cameron@huawei.com> wrote:
>
> On Mon, 23 Feb 2026 17:01:16 +0000
> Peter Maydell <peter.maydell@linaro.org> wrote:
>
> > Implement the IRS frame ID registers IRS_IDR[0-7], IRS_IIDR and
> > IRS_AIDR. These are all 32-bit registers.
> >
> > We make these fields in the GIC state struct rather than just
> > hardcoding them in the register read function so that we can later
> > code "do this only if X is implemented" as a test on the ID register
> > value.
> >
> > Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> > ---
> > hw/intc/arm_gicv5.c | 112 +++++++++++++++++++++++++++++
> > include/hw/intc/arm_gicv5_common.h | 39 ++++++++++
> > 2 files changed, 151 insertions(+)
> >
> > diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
> > index db754e7681..f34bb81966 100644
> > --- a/hw/intc/arm_gicv5.c
> > +++ b/hw/intc/arm_gicv5.c
> > @@ -268,6 +268,62 @@ REG64(IRS_SWERR_SYNDROMER1, 0x3d0)
> > static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
> > uint64_t *data, MemTxAttrs attrs)
> > {
> > + GICv5Common *cs = ARM_GICV5_COMMON(s);
> > + uint32_t v = 0;
> > +
> > + switch (offset) {
> > + case A_IRS_IDR0:
> > + v = cs->irs_idr0;
> > + /* INT_DOM reports the domain this register is for */
> > + v = FIELD_DP32(v, IRS_IDR0, INT_DOM, domain);
> > + if (domain != GICV5_ID_REALM) {
> > + /* MEC field RES0 except for the Realm domain */
> > + v &= ~R_IRS_IDR0_MEC_MASK;
> > + }
> > + if (domain == GICV5_ID_EL3) {
> > + /* VIRT is RES0 for EL3 domain */
> > + v &= ~R_IRS_IDR0_VIRT_MASK;
> > + }
>
> There are some more complex RES0 conditions that kind of build
> off these, like VIRT_ONE_N is RES0 if VIRT is 0, including
> I think if VIRT is RES0 as a result of the above. That particular
> condition is perhaps worth encoding in here as you can see we may
> have it implemented for everything other than EL3.
As it happens, I have no intention of implementing 1ofN support.
But yes, for consistency we should mask it out to follow a rule
of "mask stuff that will appear differently in the view of this
register in the different register frames".
> This is similar to what you do for the whole of IDR3.
>
> > + return true;
> > +
> > + case A_IRS_IDR1:
> > + *data = cs->irs_idr1;
> > + return true;
> > +
> > + case A_IRS_IDR2:
> > + *data = cs->irs_idr2;
> > + return true;
> > +
> > + case A_IRS_IDR3:
> > + /* In EL3 IDR0.VIRT is 0 so this is RES0 */
> > + *data = domain == GICV5_ID_EL3 ? 0 : cs->irs_idr3;
>
> The spec has that condition on a field by field bases. I wonder
> if it would be clearer to mask out each field rather than set
> whole thing to 0.
I think that the whole IDR3 register is clearly deliberately
"things related to virtualization" and it's clearer to zero
it all at once rather than have multiple lines and leave the
reader wondering if any fields don't get zeroed.
> > + return true;
> > +
> > + case A_IRS_IDR4:
> > + /* In EL3 IDR0.VIRT is 0 so this is RES0 */
> > + *data = domain == GICV5_ID_EL3 ? 0 : cs->irs_idr4;
> Similar for this one. Most of register is currently res0 and
> we don't know if those bits will be used later for stuff that
> isn't dependent on IRS_IDR0.VIRT being 1.
There's a lot of spare space in the register offset map
after IDR7 and before the next register, so I imagine the
intention is to add more ID registers if there's a future
need for more ID information that's not related to the existing
fields in any ID register.
thanks
-- PMM
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 10/65] hw/intc/arm_gicv5: Add link property for MemoryRegion for DMA
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (8 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 09/65] hw/intc/arm_gicv5: Implement IRS ID regs Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 16:17 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 11/65] hw/intc/arm_gicv5: Implement gicv5_class_name() Peter Maydell
` (55 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The GICv5 IRS keeps data structures in system memory. (Notably, it
stores per-interrupt configuration information like the interrupt
priority and its active and pending state in an in-memory data
structure.) Add a link property so that the board or SoC can wire up
a MemoryRegion that we will do DMA to. We name this property
"sysmem" to match the GICv3's equivalent property.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5_common.c | 8 ++++++++
include/hw/intc/arm_gicv5_common.h | 4 ++++
2 files changed, 12 insertions(+)
diff --git a/hw/intc/arm_gicv5_common.c b/hw/intc/arm_gicv5_common.c
index 0f966dfd1b..274d8cd255 100644
--- a/hw/intc/arm_gicv5_common.c
+++ b/hw/intc/arm_gicv5_common.c
@@ -122,6 +122,12 @@ static void gicv5_common_realize(DeviceState *dev, Error **errp)
cs->spi_base, cs->spi_irs_range, cs->spi_range);
return;
}
+ if (!cs->dma) {
+ error_setg(errp, "sysmem link property not set");
+ return;
+ }
+
+ address_space_init(&cs->dma_as, cs->dma, "gicv5-sysmem");
trace_gicv5_common_realize(cs->irsid, cs->num_cpus,
cs->spi_base, cs->spi_irs_range, cs->spi_range);
@@ -137,6 +143,8 @@ static const Property arm_gicv5_common_properties[] = {
DEFINE_PROP_UINT32("spi-base", GICv5Common, spi_base, 0),
DEFINE_PROP_UINT32("spi-irs-range", GICv5Common, spi_irs_range,
GICV5_SPI_IRS_RANGE_NOT_SET),
+ DEFINE_PROP_LINK("sysmem", GICv5Common, dma, TYPE_MEMORY_REGION,
+ MemoryRegion *),
};
static void gicv5_common_class_init(ObjectClass *oc, const void *data)
diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
index bcf7cd4239..3bffa2cb1d 100644
--- a/include/hw/intc/arm_gicv5_common.h
+++ b/include/hw/intc/arm_gicv5_common.h
@@ -83,6 +83,10 @@ struct GICv5Common {
uint32_t num_cpu_iaffids;
uint32_t *cpu_iaffids;
+ /* MemoryRegion and AS to DMA to/from for in-memory data structures */
+ MemoryRegion *dma;
+ AddressSpace dma_as;
+
uint32_t irsid;
uint32_t spi_base;
uint32_t spi_irs_range;
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 10/65] hw/intc/arm_gicv5: Add link property for MemoryRegion for DMA
2026-02-23 17:01 ` [PATCH 10/65] hw/intc/arm_gicv5: Add link property for MemoryRegion for DMA Peter Maydell
@ 2026-03-06 16:17 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 16:17 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:17 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The GICv5 IRS keeps data structures in system memory. (Notably, it
> stores per-interrupt configuration information like the interrupt
> priority and its active and pending state in an in-memory data
> structure.) Add a link property so that the board or SoC can wire up
> a MemoryRegion that we will do DMA to. We name this property
> "sysmem" to match the GICv3's equivalent property.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 11/65] hw/intc/arm_gicv5: Implement gicv5_class_name()
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (9 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 10/65] hw/intc/arm_gicv5: Add link property for MemoryRegion for DMA Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 17:00 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 12/65] hw/intc/arm_gicv5: Add defines for GICv5 architected PPIs Peter Maydell
` (54 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement a gicv5_class_name() function that does the same job as
gicv3_class_name(): allows board code to get the correct QOM type for
the GIC at runtime depending on whether KVM is enabled or not.
For the GICv5, we don't yet implement KVM support, so the KVM-enabled
codepath is always an error.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5_common.c | 12 ++++++++++++
include/hw/intc/arm_gicv5_common.h | 10 ++++++++++
2 files changed, 22 insertions(+)
diff --git a/hw/intc/arm_gicv5_common.c b/hw/intc/arm_gicv5_common.c
index 274d8cd255..620ae3b88f 100644
--- a/hw/intc/arm_gicv5_common.c
+++ b/hw/intc/arm_gicv5_common.c
@@ -11,6 +11,8 @@
#include "hw/core/qdev-properties.h"
#include "qapi/error.h"
#include "trace.h"
+#include "qemu/error-report.h"
+#include "system/kvm.h"
OBJECT_DEFINE_ABSTRACT_TYPE(GICv5Common, gicv5_common, ARM_GICV5_COMMON, SYS_BUS_DEVICE)
@@ -157,3 +159,13 @@ static void gicv5_common_class_init(ObjectClass *oc, const void *data)
dc->realize = gicv5_common_realize;
device_class_set_props(dc, arm_gicv5_common_properties);
}
+
+const char *gicv5_class_name(void)
+{
+ /* When we implement KVM GICv5 we might return "kvm-arm-gicv5" here. */
+ if (kvm_enabled()) {
+ error_report("Userspace GICv5 is not supported with KVM");
+ exit(1);
+ }
+ return "arm-gicv5";
+}
diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
index 3bffa2cb1d..7db2c87ddc 100644
--- a/include/hw/intc/arm_gicv5_common.h
+++ b/include/hw/intc/arm_gicv5_common.h
@@ -150,4 +150,14 @@ static inline bool gicv5_domain_implemented(GICv5Common *cs, GICv5Domain domain)
return cs->implemented_domains & (1 << domain);
}
+/**
+ * gicv5_class_name
+ *
+ * Return name of GICv5 class to use depending on whether KVM acceleration is
+ * in use. May throw an error if the chosen implementation is not available.
+ *
+ * Returns: class name to use
+ */
+const char *gicv5_class_name(void);
+
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 11/65] hw/intc/arm_gicv5: Implement gicv5_class_name()
2026-02-23 17:01 ` [PATCH 11/65] hw/intc/arm_gicv5: Implement gicv5_class_name() Peter Maydell
@ 2026-03-06 17:00 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 17:00 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:18 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement a gicv5_class_name() function that does the same job as
> gicv3_class_name(): allows board code to get the correct QOM type for
> the GIC at runtime depending on whether KVM is enabled or not.
>
> For the GICv5, we don't yet implement KVM support, so the KVM-enabled
> codepath is always an error.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 12/65] hw/intc/arm_gicv5: Add defines for GICv5 architected PPIs
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (10 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 11/65] hw/intc/arm_gicv5: Implement gicv5_class_name() Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 17:09 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 13/65] target/arm: GICv5 cpuif: Initial skeleton and GSB barrier insns Peter Maydell
` (53 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The GICv5 defines architected numbers for the PPI sources like the
generic timer and the PMU; these are different from the ones
traditionally used by GICv2 and GICv3. Add defines for them.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
include/hw/intc/arm_gicv5_types.h | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/include/hw/intc/arm_gicv5_types.h b/include/hw/intc/arm_gicv5_types.h
index 143dcdec28..9c7788b1e6 100644
--- a/include/hw/intc/arm_gicv5_types.h
+++ b/include/hw/intc/arm_gicv5_types.h
@@ -25,4 +25,24 @@ typedef enum GICv5Domain {
#define NUM_GICV5_DOMAINS 4
+/* Architected GICv5 PPIs (as listed in R_XDVCM) */
+#define GICV5_PPI_S_DB_PPI 0
+#define GICV5_PPI_RL_DB_PPI 1
+#define GICV5_PPI_NS_DB_PPI 2
+#define GICV5_PPI_SW_PPI 3
+#define GICV5_PPI_HACDBSIRQ 15
+#define GICV5_PPI_CNTHVS 19
+#define GICV5_PPI_CNTHPS 20
+#define GICV5_PPI_PMBIRQ 21
+#define GICV5_PPI_COMMIRQ 22
+#define GICV5_PPI_PMUIRQ 23
+#define GICV5_PPI_CTIIRQ 24
+#define GICV5_PPI_GICMNT 25
+#define GICV5_PPI_CNTHP 26
+#define GICV5_PPI_CNTV 27
+#define GICV5_PPI_CNTHV 28
+#define GICV5_PPI_CNTPS 29
+#define GICV5_PPI_CNTP 30
+#define GICV5_PPI_TRBIRQ 31
+
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* [PATCH 13/65] target/arm: GICv5 cpuif: Initial skeleton and GSB barrier insns
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (11 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 12/65] hw/intc/arm_gicv5: Add defines for GICv5 architected PPIs Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 17:23 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 14/65] target/arm: Set up pointer to GICv5 in each CPU Peter Maydell
` (52 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
In the GICv5 architecture, part of the GIC is implemented inside the
CPU: this is the CPU interface, which presents software with system
instructions and system registers, and communicates with the external
part of the GIC (the Interrupt Routing Service, IRS) via an
architected stream interface where both sides can send commands and
receive responses.
Add the initial source files for the GICv5 CPU interface, with
initial content implementing just the two GSB GIC barrier
instructions, which are no-ops for QEMU.
Since we will not initially implement virtualization or the "legacy
GICv3" interface that can be provided to a VM guest, we don't have
the ICH_VCTLR_EL2 register and do not need to implement an accessfn
for the "trap if at EL1 and EL2 enabled and legacy GICv3 is enabled"
handling. We will come back and add this later as part of the
legacy-GICv3 code.
(The GICv3 has a similar architecture with part of the GIC being in
the CPU and part external; for QEMU we implemented the CPU interface
in hw/intc/, but in retrospect I think this was something of a design
mistake, and for GICv5 I am going to stick a bit closer to how the
hardware architecture splits things up; hence this code is in
target/arm.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/cpu-features.h | 6 +++++
target/arm/helper.c | 1 +
target/arm/internals.h | 3 +++
target/arm/tcg/gicv5-cpuif.c | 43 ++++++++++++++++++++++++++++++++++++
target/arm/tcg/meson.build | 1 +
5 files changed, 54 insertions(+)
create mode 100644 target/arm/tcg/gicv5-cpuif.c
diff --git a/target/arm/cpu-features.h b/target/arm/cpu-features.h
index b683c9551a..e391b394ba 100644
--- a/target/arm/cpu-features.h
+++ b/target/arm/cpu-features.h
@@ -280,6 +280,7 @@ FIELD(ID_AA64PFR1, PFAR, 60, 4)
FIELD(ID_AA64PFR2, MTEPERM, 0, 4)
FIELD(ID_AA64PFR2, MTESTOREONLY, 4, 4)
FIELD(ID_AA64PFR2, MTEFAR, 8, 4)
+FIELD(ID_AA64PFR2, GCIE, 12, 4)
FIELD(ID_AA64PFR2, FPMR, 32, 4)
FIELD(ID_AA64MMFR0, PARANGE, 0, 4)
@@ -1159,6 +1160,11 @@ static inline bool isar_feature_aa64_gcs(const ARMISARegisters *id)
return FIELD_EX64_IDREG(id, ID_AA64PFR1, GCS) != 0;
}
+static inline bool isar_feature_aa64_gcie(const ARMISARegisters *id)
+{
+ return FIELD_EX64_IDREG(id, ID_AA64PFR2, GCIE) != 0;
+}
+
static inline bool isar_feature_aa64_tgran4_lpa2(const ARMISARegisters *id)
{
return FIELD_SEX64_IDREG(id, ID_AA64MMFR0, TGRAN4) >= 1;
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 6bfab90981..5e7cc039aa 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -6315,6 +6315,7 @@ void register_cp_regs_for_features(ARMCPU *cpu)
if (tcg_enabled()) {
define_tlb_insn_regs(cpu);
define_at_insn_regs(cpu);
+ define_gicv5_cpuif_regs(cpu);
}
#endif
diff --git a/target/arm/internals.h b/target/arm/internals.h
index 8ec2750847..9bde58cf00 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -1797,6 +1797,9 @@ void define_pm_cpregs(ARMCPU *cpu);
/* Add the cpreg definitions for GCS cpregs */
void define_gcs_cpregs(ARMCPU *cpu);
+/* Add the cpreg definitions for the GICv5 CPU interface */
+void define_gicv5_cpuif_regs(ARMCPU *cpu);
+
/* Effective value of MDCR_EL2 */
static inline uint64_t arm_mdcr_el2_eff(CPUARMState *env)
{
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
new file mode 100644
index 0000000000..76c2577c09
--- /dev/null
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -0,0 +1,43 @@
+/*
+ * GICv5 CPU interface
+ *
+ * Copyright (c) 2025 Linaro Limited
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "cpu.h"
+#include "internals.h"
+#include "cpregs.h"
+
+static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
+ /*
+ * Barrier: wait until the effects of a cpuif system register
+ * write have definitely made it to the IRS (and will thus show up
+ * in cpuif reads from the IRS by this or other CPUs and in the
+ * status of IRQ, FIQ etc). For QEMU we do all interaction with
+ * the IRS synchronously, so we can make this a nop.
+ */
+ { .name = "GSB_SYS", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 0,
+ .access = PL1_W, .type = ARM_CP_NOP,
+ },
+ /*
+ * Barrier: wait until the effects of acknowledging an interrupt
+ * (via GICR CDIA or GICR CDNMIA) are visible, including the
+ * effect on the {IRQ,FIQ,vIRQ,vFIQ} pending state. This is
+ * a weaker version of GSB SYS. Again, for QEMU this is a nop.
+ */
+ { .name = "GSB_ACK", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1,
+ .access = PL1_W, .type = ARM_CP_NOP,
+ },
+};
+
+void define_gicv5_cpuif_regs(ARMCPU *cpu)
+{
+ if (cpu_isar_feature(aa64_gcie, cpu)) {
+ define_arm_cp_regs(cpu, gicv5_cpuif_reginfo);
+ }
+}
diff --git a/target/arm/tcg/meson.build b/target/arm/tcg/meson.build
index 5f59156055..a67911f8dc 100644
--- a/target/arm/tcg/meson.build
+++ b/target/arm/tcg/meson.build
@@ -62,6 +62,7 @@ arm_common_ss.add(files(
arm_common_system_ss.add(files(
'cpregs-at.c',
'debug.c',
+ 'gicv5-cpuif.c',
'hflags.c',
'neon_helper.c',
'psci.c',
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 13/65] target/arm: GICv5 cpuif: Initial skeleton and GSB barrier insns
2026-02-23 17:01 ` [PATCH 13/65] target/arm: GICv5 cpuif: Initial skeleton and GSB barrier insns Peter Maydell
@ 2026-03-06 17:23 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 17:23 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:20 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> In the GICv5 architecture, part of the GIC is implemented inside the
> CPU: this is the CPU interface, which presents software with system
> instructions and system registers, and communicates with the external
> part of the GIC (the Interrupt Routing Service, IRS) via an
> architected stream interface where both sides can send commands and
> receive responses.
>
> Add the initial source files for the GICv5 CPU interface, with
> initial content implementing just the two GSB GIC barrier
> instructions, which are no-ops for QEMU.
>
> Since we will not initially implement virtualization or the "legacy
> GICv3" interface that can be provided to a VM guest, we don't have
> the ICH_VCTLR_EL2 register and do not need to implement an accessfn
> for the "trap if at EL1 and EL2 enabled and legacy GICv3 is enabled"
> handling. We will come back and add this later as part of the
> legacy-GICv3 code.
>
> (The GICv3 has a similar architecture with part of the GIC being in
> the CPU and part external; for QEMU we implemented the CPU interface
> in hw/intc/, but in retrospect I think this was something of a design
> mistake, and for GICv5 I am going to stick a bit closer to how the
> hardware architecture splits things up; hence this code is in
> target/arm.)
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
LGTM
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 14/65] target/arm: Set up pointer to GICv5 in each CPU
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (12 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 13/65] target/arm: GICv5 cpuif: Initial skeleton and GSB barrier insns Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 17:29 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 15/65] hw/intc/arm_gicv5: Implement IRS_IST_{BASER, STATUSR, CFGR} Peter Maydell
` (51 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The qdev link property array gives the IRS a pointer to each CPU that
is connected to it, but the CPU also needs a pointer to the IRS so
that it can issue commands. Set this up in a similar way to how we
do it for the GICv3: have the GIC's realize function call
gicv5_set_gicv5state() to set a pointer in the CPUARMState.
The CPU will only allow this link to be made if it actually
implements the GICv5 CPU interface; it will be the responsibility of
the board code to configure the CPU to have a GICv5 cpuif if it wants
to connect a GICv5 to it.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5_common.c | 9 +++++++++
include/hw/intc/arm_gicv5_stream.h | 32 ++++++++++++++++++++++++++++++
target/arm/cpu.c | 16 +++++++++++++++
target/arm/cpu.h | 2 ++
4 files changed, 59 insertions(+)
create mode 100644 include/hw/intc/arm_gicv5_stream.h
diff --git a/hw/intc/arm_gicv5_common.c b/hw/intc/arm_gicv5_common.c
index 620ae3b88f..046dcdf5a3 100644
--- a/hw/intc/arm_gicv5_common.c
+++ b/hw/intc/arm_gicv5_common.c
@@ -8,6 +8,7 @@
#include "qemu/osdep.h"
#include "hw/intc/arm_gicv5_common.h"
+#include "hw/intc/arm_gicv5_stream.h"
#include "hw/core/qdev-properties.h"
#include "qapi/error.h"
#include "trace.h"
@@ -129,6 +130,14 @@ static void gicv5_common_realize(DeviceState *dev, Error **errp)
return;
}
+ for (int i = 0; i < cs->num_cpus; i++) {
+ if (!gicv5_set_gicv5state(cs->cpus[i], cs)) {
+ error_setg(errp,
+ "CPU %d does not implement GICv5 CPU interface", i);
+ return;
+ }
+ }
+
address_space_init(&cs->dma_as, cs->dma, "gicv5-sysmem");
trace_gicv5_common_realize(cs->irsid, cs->num_cpus,
diff --git a/include/hw/intc/arm_gicv5_stream.h b/include/hw/intc/arm_gicv5_stream.h
new file mode 100644
index 0000000000..9b9c2e4b60
--- /dev/null
+++ b/include/hw/intc/arm_gicv5_stream.h
@@ -0,0 +1,32 @@
+/*
+ * Interface between GICv5 CPU interface and GICv5 IRS
+ * Loosely modelled on the GICv5 Stream Protocol interface documented
+ * in the GICv5 specification.
+ *
+ * Copyright (c) 2025 Linaro Limited
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef HW_INTC_ARM_GICV5_STREAM_H
+#define HW_INTC_ARM_GICV5_STREAM_H
+
+#include "target/arm/cpu-qom.h"
+
+typedef struct GICv5Common GICv5Common;
+
+/**
+ * gicv5_set_gicv5state
+ * @cpu: CPU object to tell about its IRS
+ * @cs: the GIC IRS it is connected to
+ *
+ * Set the CPU object's GICv5 pointer to point to this GIC IRS.
+ * The IRS must call this when it is realized, for each CPU it is
+ * connected to.
+ *
+ * Returns true on success, false if the CPU doesn't implement
+ * the GICv5 CPU interface.
+ */
+bool gicv5_set_gicv5state(ARMCPU *cpu, GICv5Common *cs);
+
+#endif
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 10f8280eef..ef2afca6b9 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -41,6 +41,7 @@
#include "hw/core/boards.h"
#ifdef CONFIG_TCG
#include "hw/intc/armv7m_nvic.h"
+#include "hw/intc/arm_gicv5_stream.h"
#endif /* CONFIG_TCG */
#endif /* !CONFIG_USER_ONLY */
#include "system/tcg.h"
@@ -1085,6 +1086,21 @@ static void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags)
}
}
+#ifndef CONFIG_USER_ONLY
+bool gicv5_set_gicv5state(ARMCPU *cpu, GICv5Common *cs)
+{
+ /*
+ * Set this CPU's gicv5state pointer to point to the GIC that we are
+ * connected to.
+ */
+ if (!cpu_isar_feature(aa64_gcie, cpu)) {
+ return false;
+ }
+ cpu->env.gicv5state = cs;
+ return true;
+}
+#endif
+
uint64_t arm_build_mp_affinity(int idx, uint8_t clustersz)
{
uint32_t Aff1 = idx / clustersz;
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 657ff4ab20..16de0ebfa8 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -812,6 +812,8 @@ typedef struct CPUArchState {
const struct arm_boot_info *boot_info;
/* Store GICv3CPUState to access from this struct */
void *gicv3state;
+ /* Similarly, for a GICv5Common */
+ void *gicv5state;
#else /* CONFIG_USER_ONLY */
/* For usermode syscall translation. */
bool eabi;
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 14/65] target/arm: Set up pointer to GICv5 in each CPU
2026-02-23 17:01 ` [PATCH 14/65] target/arm: Set up pointer to GICv5 in each CPU Peter Maydell
@ 2026-03-06 17:29 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 17:29 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:21 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The qdev link property array gives the IRS a pointer to each CPU that
> is connected to it, but the CPU also needs a pointer to the IRS so
> that it can issue commands. Set this up in a similar way to how we
> do it for the GICv3: have the GIC's realize function call
> gicv5_set_gicv5state() to set a pointer in the CPUARMState.
>
> The CPU will only allow this link to be made if it actually
> implements the GICv5 CPU interface; it will be the responsibility of
> the board code to configure the CPU to have a GICv5 cpuif if it wants
> to connect a GICv5 to it.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 15/65] hw/intc/arm_gicv5: Implement IRS_IST_{BASER, STATUSR, CFGR}
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (13 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 14/65] target/arm: Set up pointer to GICv5 in each CPU Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 17:39 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 16/65] hw/intc/arm_gicv5: Cache LPI IST config in a struct Peter Maydell
` (50 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the three registers that handle configuration of the
interrupt status table for physical LPIs:
* IRS_IST_BASER holds the base address of the table, and
has the VALID bit that tells the IRS to start using the config
* IRS_IST_CFGR has all the other config data for the table
* IRS_IST_STATUSR has the IDLE bit that tells software when
updates to IRS_IST_BASER have taken effect
Implement these registers. Note that neither BASER nor CFGR can be
written when VALID == 1, except to clear the VALID bit.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 71 ++++++++++++++++++++++++++++++
hw/intc/arm_gicv5_common.c | 4 ++
include/hw/intc/arm_gicv5_common.h | 3 ++
3 files changed, 78 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index f34bb81966..f5933197ea 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -265,6 +265,24 @@ REG64(IRS_SWERR_SYNDROMER0, 0x3c8)
REG64(IRS_SWERR_SYNDROMER1, 0x3d0)
FIELD(IRS_SWERR_SYNDROMER2, ADDR, 3, 53)
+static void irs_ist_baser_write(GICv5 *s, GICv5Domain domain, uint64_t value)
+{
+ GICv5Common *cs = ARM_GICV5_COMMON(s);
+
+ if (FIELD_EX64(cs->irs_ist_baser[domain], IRS_IST_BASER, VALID)) {
+ /* If VALID is set, ADDR is RO and we can only update VALID */
+ bool valid = FIELD_EX64(value, IRS_IST_BASER, VALID);
+ if (valid) {
+ /* Ignore 1->1 transition */
+ return;
+ }
+ cs->irs_ist_baser[domain] = FIELD_DP64(cs->irs_ist_baser[domain],
+ IRS_IST_BASER, VALID, valid);
+ return;
+ }
+ cs->irs_ist_baser[domain] = value;
+}
+
static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
uint64_t *data, MemTxAttrs attrs)
{
@@ -323,6 +341,26 @@ static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
case A_IRS_AIDR:
*data = cs->irs_aidr;
return true;
+
+ case A_IRS_IST_BASER:
+ *data = extract64(cs->irs_ist_baser[domain], 0, 32);
+ return true;
+
+ case A_IRS_IST_BASER + 4:
+ *data = extract64(cs->irs_ist_baser[domain], 32, 32);
+ return true;
+
+ case A_IRS_IST_STATUSR:
+ /*
+ * For QEMU writes to IRS_IST_BASER and IRS_MAP_L2_ISTR take effect
+ * instantaneously, and the guest can never see the IDLE bit as 0.
+ */
+ *data = R_IRS_IST_STATUSR_IDLE_MASK;
+ return true;
+
+ case A_IRS_IST_CFGR:
+ *data = cs->irs_ist_cfgr[domain];
+ return true;
}
return false;
}
@@ -330,18 +368,51 @@ static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
static bool config_writel(GICv5 *s, GICv5Domain domain, hwaddr offset,
uint64_t data, MemTxAttrs attrs)
{
+ GICv5Common *cs = ARM_GICV5_COMMON(s);
+
+ switch (offset) {
+ case A_IRS_IST_BASER:
+ irs_ist_baser_write(s, domain,
+ deposit64(cs->irs_ist_baser[domain], 0, 32, data));
+ return true;
+ case A_IRS_IST_BASER + 4:
+ irs_ist_baser_write(s, domain,
+ deposit64(cs->irs_ist_baser[domain], 32, 32, data));
+ return true;
+ case A_IRS_IST_CFGR:
+ if (FIELD_EX64(cs->irs_ist_baser[domain], IRS_IST_BASER, VALID)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "guest tried to write IRS_IST_CFGR for %s config frame "
+ "while IST_BASER.VALID set\n", domain_name[domain]);
+ } else {
+ cs->irs_ist_cfgr[domain] = data;
+ }
+ return true;
+ }
return false;
}
static bool config_readll(GICv5 *s, GICv5Domain domain, hwaddr offset,
uint64_t *data, MemTxAttrs attrs)
{
+ GICv5Common *cs = ARM_GICV5_COMMON(s);
+
+ switch (offset) {
+ case A_IRS_IST_BASER:
+ *data = cs->irs_ist_baser[domain];
+ return true;
+ }
return false;
}
static bool config_writell(GICv5 *s, GICv5Domain domain, hwaddr offset,
uint64_t data, MemTxAttrs attrs)
{
+ switch (offset) {
+ case A_IRS_IST_BASER:
+ irs_ist_baser_write(s, domain, data);
+ return true;
+ }
return false;
}
diff --git a/hw/intc/arm_gicv5_common.c b/hw/intc/arm_gicv5_common.c
index 046dcdf5a3..751df2001c 100644
--- a/hw/intc/arm_gicv5_common.c
+++ b/hw/intc/arm_gicv5_common.c
@@ -62,6 +62,10 @@ void gicv5_common_init_irqs_and_mmio(GICv5Common *cs,
static void gicv5_common_reset_hold(Object *obj, ResetType type)
{
+ GICv5Common *cs = ARM_GICV5_COMMON(obj);
+
+ memset(cs->irs_ist_baser, 0, sizeof(cs->irs_ist_baser));
+ memset(cs->irs_ist_cfgr, 0, sizeof(cs->irs_ist_cfgr));
}
static void gicv5_common_init(Object *obj)
diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
index 7db2c87ddc..2a49d58679 100644
--- a/include/hw/intc/arm_gicv5_common.h
+++ b/include/hw/intc/arm_gicv5_common.h
@@ -62,6 +62,9 @@ struct GICv5Common {
MemoryRegion iomem[NUM_GICV5_DOMAINS];
+ uint64_t irs_ist_baser[NUM_GICV5_DOMAINS];
+ uint32_t irs_ist_cfgr[NUM_GICV5_DOMAINS];
+
/* Bits here are set for each physical interrupt domain implemented */
uint8_t implemented_domains;
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 15/65] hw/intc/arm_gicv5: Implement IRS_IST_{BASER, STATUSR, CFGR}
2026-02-23 17:01 ` [PATCH 15/65] hw/intc/arm_gicv5: Implement IRS_IST_{BASER, STATUSR, CFGR} Peter Maydell
@ 2026-03-06 17:39 ` Jonathan Cameron via qemu development
2026-03-06 18:27 ` Peter Maydell
0 siblings, 1 reply; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 17:39 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:22 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement the three registers that handle configuration of the
> interrupt status table for physical LPIs:
>
> * IRS_IST_BASER holds the base address of the table, and
> has the VALID bit that tells the IRS to start using the config
> * IRS_IST_CFGR has all the other config data for the table
> * IRS_IST_STATUSR has the IDLE bit that tells software when
> updates to IRS_IST_BASER have taken effect
>
> Implement these registers. Note that neither BASER nor CFGR can be
> written when VALID == 1, except to clear the VALID bit.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
One query inline but it'll probably become obvious later, so
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
> index 7db2c87ddc..2a49d58679 100644
> --- a/include/hw/intc/arm_gicv5_common.h
> +++ b/include/hw/intc/arm_gicv5_common.h
> @@ -62,6 +62,9 @@ struct GICv5Common {
>
> MemoryRegion iomem[NUM_GICV5_DOMAINS];
>
> + uint64_t irs_ist_baser[NUM_GICV5_DOMAINS];
> + uint32_t irs_ist_cfgr[NUM_GICV5_DOMAINS];
Feels like you are going to have a lot of these, why not an array of
structures?
> +
> /* Bits here are set for each physical interrupt domain implemented */
> uint8_t implemented_domains;
>
^ permalink raw reply [flat|nested] 142+ messages in thread* Re: [PATCH 15/65] hw/intc/arm_gicv5: Implement IRS_IST_{BASER, STATUSR, CFGR}
2026-03-06 17:39 ` Jonathan Cameron via qemu development
@ 2026-03-06 18:27 ` Peter Maydell
0 siblings, 0 replies; 142+ messages in thread
From: Peter Maydell @ 2026-03-06 18:27 UTC (permalink / raw)
To: Jonathan Cameron; +Cc: qemu-arm, qemu-devel
On Fri, 6 Mar 2026 at 17:39, Jonathan Cameron
<jonathan.cameron@huawei.com> wrote:
>
> On Mon, 23 Feb 2026 17:01:22 +0000
> Peter Maydell <peter.maydell@linaro.org> wrote:
>
> > Implement the three registers that handle configuration of the
> > interrupt status table for physical LPIs:
> >
> > * IRS_IST_BASER holds the base address of the table, and
> > has the VALID bit that tells the IRS to start using the config
> > * IRS_IST_CFGR has all the other config data for the table
> > * IRS_IST_STATUSR has the IDLE bit that tells software when
> > updates to IRS_IST_BASER have taken effect
> >
> > Implement these registers. Note that neither BASER nor CFGR can be
> > written when VALID == 1, except to clear the VALID bit.
> >
> > Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
>
> One query inline but it'll probably become obvious later, so
> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
>
> > diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
> > index 7db2c87ddc..2a49d58679 100644
> > --- a/include/hw/intc/arm_gicv5_common.h
> > +++ b/include/hw/intc/arm_gicv5_common.h
> > @@ -62,6 +62,9 @@ struct GICv5Common {
> >
> > MemoryRegion iomem[NUM_GICV5_DOMAINS];
> >
> > + uint64_t irs_ist_baser[NUM_GICV5_DOMAINS];
> > + uint32_t irs_ist_cfgr[NUM_GICV5_DOMAINS];
>
> Feels like you are going to have a lot of these, why not an array of
> structures?
Six of them in total, at least in this series:
uint64_t irs_ist_baser[NUM_GICV5_DOMAINS];
uint32_t irs_ist_cfgr[NUM_GICV5_DOMAINS];
uint32_t irs_spi_selr[NUM_GICV5_DOMAINS];
uint32_t irs_cr0[NUM_GICV5_DOMAINS];
uint32_t irs_cr1[NUM_GICV5_DOMAINS];
uint32_t irs_pe_selr[NUM_GICV5_DOMAINS];
I tend to implement banked registers as separate arrays
because it's what I'm used to from how we've done the
target/arm/cpu.h banked registers, and because
cs->irs_ist_baser[domain]
is a bit shorter and more straightforward
cs->regs[domain].irs_ist_baser
and because you generally don't want "the struct with all
the regs for this domain" as a thing itself.
-- PMM
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 16/65] hw/intc/arm_gicv5: Cache LPI IST config in a struct
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (14 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 15/65] hw/intc/arm_gicv5: Implement IRS_IST_{BASER, STATUSR, CFGR} Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 17:46 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 17/65] hw/intc/arm_gicv5: Implement gicv5_set_priority() Peter Maydell
` (49 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The IRS has multiple ISTs, for different contexts:
* physical LPIs (separately for each interrupt domain)
* virtual LPIs
* virtual SPIs
The config information for physical LPIs is in the IRS_IST_BASER and
IRS_IST_CFGR registers; for virtual LPIs and virtual SPIs it will be
in the L2_VMTE VM table entry. We would like to be able to write
generic code that can manipulate any of these ISTs. Define a struct
which captures the config information for an IST, and cache the
IRS_IST_CFGR/IRS_IST_BASER data into this format when the guest sets
the VALID bit.
This also allows us to enforce the correct handling of reserved and
out-of-range values, and expand the encodings of sizes into a more
convenient format for later use.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 64 +++++++++++++++++++++++++++++++++++++
hw/intc/trace-events | 2 ++
include/hw/intc/arm_gicv5.h | 12 +++++++
3 files changed, 78 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index f5933197ea..3f74069e01 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -278,9 +278,68 @@ static void irs_ist_baser_write(GICv5 *s, GICv5Domain domain, uint64_t value)
}
cs->irs_ist_baser[domain] = FIELD_DP64(cs->irs_ist_baser[domain],
IRS_IST_BASER, VALID, valid);
+ s->phys_lpi_config[domain].valid = false;
+ trace_gicv5_ist_invalid(domain_name[domain]);
return;
}
cs->irs_ist_baser[domain] = value;
+
+ if (FIELD_EX64(cs->irs_ist_baser[domain], IRS_IST_BASER, VALID)) {
+ /*
+ * If the guest just set VALID then capture data into config struct,
+ * sanitize the reserved values, and expand fields out into byte counts.
+ */
+ GICv5ISTConfig *cfg = &s->phys_lpi_config[domain];
+ uint8_t istbits, l2bits, l2_idx_bits;
+ uint8_t id_bits = FIELD_EX64(cs->irs_ist_cfgr[domain],
+ IRS_IST_CFGR, LPI_ID_BITS);
+ id_bits = MIN(MAX(id_bits, QEMU_GICV5_MIN_LPI_ID_BITS), QEMU_GICV5_ID_BITS);
+
+ switch (FIELD_EX64(cs->irs_ist_cfgr[domain], IRS_IST_CFGR, ISTSZ)) {
+ case 0:
+ case 3: /* reserved: acts like the minimum required size */
+ istbits = 2;
+ break;
+ case 1:
+ istbits = 3;
+ break;
+ case 2:
+ istbits = 4;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+ switch (FIELD_EX64(cs->irs_ist_cfgr[domain], IRS_IST_CFGR, L2SZ)) {
+ case 0:
+ case 3: /* reserved; CONSTRAINED UNPREDICTABLE */
+ l2bits = 12; /* 4K: 12 bits */
+ break;
+ case 1:
+ l2bits = 14; /* 16K: 14 bits */
+ break;
+ case 2:
+ l2bits = 16; /* 64K: 16 bits */
+ break;
+ default:
+ g_assert_not_reached();
+ }
+ /*
+ * Calculate how many bits of an ID index the L2 table
+ * (e.g. if we need 14 bits to index each byte in a 16K L2 table,
+ * but each entry is 4 bytes wide then we need 14 - 2 = 12 bits
+ * to index an entry in the table).
+ */
+ l2_idx_bits = l2bits - istbits;
+ cfg->base = cs->irs_ist_baser[domain] & R_IRS_IST_BASER_ADDR_MASK;
+ cfg->id_bits = id_bits;
+ cfg->istsz = 1 << istbits;
+ cfg->l2_idx_bits = l2_idx_bits;
+ cfg->structure = FIELD_EX64(cs->irs_ist_cfgr[domain],
+ IRS_IST_CFGR, STRUCTURE);
+ cfg->valid = true;
+ trace_gicv5_ist_valid(domain_name[domain], cfg->base, cfg->id_bits,
+ cfg->l2_idx_bits, cfg->istsz, cfg->structure);
+ }
}
static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
@@ -568,6 +627,11 @@ static void gicv5_reset_hold(Object *obj, ResetType type)
if (c->parent_phases.hold) {
c->parent_phases.hold(obj, type);
}
+
+ /* IRS_IST_BASER and IRS_IST_CFGR reset to 0, clear cached info */
+ for (int i = 0; i < NUM_GICV5_DOMAINS; i++) {
+ s->phys_lpi_config[i].valid = false;
+ }
}
static void gicv5_set_idregs(GICv5Common *cs)
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index 0797a23c1a..80fc47794b 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -233,6 +233,8 @@ gicv5_badread(const char *domain, uint64_t offset, unsigned size) "GICv5 IRS %s
gicv5_write(const char *domain, uint64_t offset, uint64_t data, unsigned size) "GICv5 IRS %s config frame write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
gicv5_badwrite(const char *domain, uint64_t offset, uint64_t data, unsigned size) "GICv5 IRS %s config frame write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u: error"
gicv5_spi(uint32_t id, int level) "GICv5 SPI ID %u asserted at level %d"
+gicv5_ist_valid(const char *domain, uint64_t base, uint8_t id_bits, uint8_t l2_idx_bits, uint8_t istsz, bool structure) "GICv5 IRS %s IST now valid: base 0x%" PRIx64 " id_bits %u l2_idx_bits %u IST entry size %u 2-level %d"
+gicv5_ist_invalid(const char *domain) "GICv5 IRS %s IST no longer valid"
# arm_gicv5_common.c
gicv5_common_realize(uint32_t irsid, uint32_t num_cpus, uint32_t spi_base, uint32_t spi_irs_range, uint32_t spi_range) "GICv5 IRS realized: IRS ID %u, %u CPUs, SPI base %u, SPI IRS range %u, SPI range %u"
diff --git a/include/hw/intc/arm_gicv5.h b/include/hw/intc/arm_gicv5.h
index 42ccef8474..f6ecd9c323 100644
--- a/include/hw/intc/arm_gicv5.h
+++ b/include/hw/intc/arm_gicv5.h
@@ -17,11 +17,23 @@
OBJECT_DECLARE_TYPE(GICv5, GICv5Class, ARM_GICV5)
+typedef struct GICv5ISTConfig {
+ hwaddr base; /* Base address */
+ uint8_t id_bits; /* number of bits in an ID for this table */
+ uint8_t l2_idx_bits; /* number of ID bits that index into L2 table */
+ uint8_t istsz; /* L2 ISTE size in bytes */
+ bool structure; /* true if using 2-level table */
+ bool valid; /* true if this table is valid and usable */
+} GICv5ISTConfig;
+
/*
* This class is for TCG-specific state for the GICv5.
*/
struct GICv5 {
GICv5Common parent_obj;
+
+ /* This is the info from IRS_IST_BASER and IRS_IST_CFGR */
+ GICv5ISTConfig phys_lpi_config[NUM_GICV5_DOMAINS];
};
struct GICv5Class {
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 16/65] hw/intc/arm_gicv5: Cache LPI IST config in a struct
2026-02-23 17:01 ` [PATCH 16/65] hw/intc/arm_gicv5: Cache LPI IST config in a struct Peter Maydell
@ 2026-03-06 17:46 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 17:46 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:23 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The IRS has multiple ISTs, for different contexts:
> * physical LPIs (separately for each interrupt domain)
> * virtual LPIs
> * virtual SPIs
>
> The config information for physical LPIs is in the IRS_IST_BASER and
> IRS_IST_CFGR registers; for virtual LPIs and virtual SPIs it will be
> in the L2_VMTE VM table entry. We would like to be able to write
> generic code that can manipulate any of these ISTs. Define a struct
> which captures the config information for an IST, and cache the
> IRS_IST_CFGR/IRS_IST_BASER data into this format when the guest sets
> the VALID bit.
>
> This also allows us to enforce the correct handling of reserved and
> out-of-range values, and expand the encodings of sizes into a more
> convenient format for later use.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 17/65] hw/intc/arm_gicv5: Implement gicv5_set_priority()
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (15 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 16/65] hw/intc/arm_gicv5: Cache LPI IST config in a struct Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 18:02 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 18/65] target/arm: GICv5 cpuif: Implement the GIC CDPRI instruction Peter Maydell
` (48 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the gicv5_set_priority() function, which is our equivalent
of the Stream Protocol SetPriority command. This acts by looking the
interrupt ID up in the Interrupt State Table and storing the new
priority value into the table entry.
The memory transaction has to have the right transaction attributes
for the domain it is for; we precalculate these and keep them in the
GICv5ISTConfig.
The GIC has an optional software-error reporting mechanism via the
IRS_SWERR_* registers; this does not report all failure cases, only
those that would be annoying to detect and debug in some other way.
We choose not to implement this, but include some comments for
reportable error cases for future reference. Our LOG_GUEST_ERROR
logging is a superset of this.
At this point we implement only handling of SetPriority for LPIs; we
will add SPI handling in a later commit. Virtual interrupts aren't
supported by this initial EL1-only GICv5 implementation.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 228 +++++++++++++++++++++++++++++
hw/intc/trace-events | 1 +
include/hw/intc/arm_gicv5.h | 1 +
include/hw/intc/arm_gicv5_stream.h | 29 ++++
include/hw/intc/arm_gicv5_types.h | 10 ++
5 files changed, 269 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 3f74069e01..8572823edc 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -9,6 +9,7 @@
#include "qemu/osdep.h"
#include "hw/core/registerfields.h"
#include "hw/intc/arm_gicv5.h"
+#include "hw/intc/arm_gicv5_stream.h"
#include "qapi/error.h"
#include "qemu/log.h"
#include "trace.h"
@@ -23,6 +24,25 @@ static const char *domain_name[] = {
[GICV5_ID_REALM] = "Realm",
};
+static const char *inttype_name(GICv5IntType t)
+{
+ /*
+ * We have to be more cautious with getting human readable names
+ * for a GICv5IntType for trace strings than we do with the
+ * domain enum, because here the value can come from a guest
+ * register field.
+ */
+ static const char *names[] = {
+ [GICV5_PPI] = "PPI",
+ [GICV5_LPI] = "LPI",
+ [GICV5_SPI] = "SPI",
+ };
+ if (t >= ARRAY_SIZE(names) || !names[t]) {
+ return "RESERVED";
+ }
+ return names[t];
+}
+
REG32(IRS_IDR0, 0x0)
FIELD(IRS_IDR0, INT_DOM, 0, 2)
FIELD(IRS_IDR0, PA_RANGE, 2, 5)
@@ -265,6 +285,213 @@ REG64(IRS_SWERR_SYNDROMER0, 0x3c8)
REG64(IRS_SWERR_SYNDROMER1, 0x3d0)
FIELD(IRS_SWERR_SYNDROMER2, ADDR, 3, 53)
+FIELD(L1_ISTE, VALID, 0, 1)
+FIELD(L1_ISTE, L2_ADDR, 12, 44)
+
+FIELD(L2_ISTE, PENDING, 0, 1)
+FIELD(L2_ISTE, ACTIVE, 1, 1)
+FIELD(L2_ISTE, HM, 2, 1)
+FIELD(L2_ISTE, ENABLE, 3, 1)
+FIELD(L2_ISTE, IRM, 4, 1)
+FIELD(L2_ISTE, HWU, 9, 2)
+FIELD(L2_ISTE, PRIORITY, 11, 5)
+FIELD(L2_ISTE, IAFFID, 16, 16)
+
+static MemTxAttrs irs_txattrs(GICv5Common *cs, GICv5Domain domain)
+{
+ /*
+ * Return a MemTxAttrs to use for IRS memory accesses.
+ * IRS_CR1 has the usual Arm cacheability/shareability attributes,
+ * but QEMU doesn't care about those. All we need to specify here
+ * is the correct security attributes, which depend on the
+ * interrupt domain. Conveniently, our GICv5Domain encoding matches
+ * the ARMSecuritySpace one (because both follow an architecturally
+ * specified field). The exception is that the EL3 domain must
+ * be Secure instead of Root if we don't implement Realm.
+ */
+ if (domain == GICV5_ID_EL3 &&
+ !gicv5_domain_implemented(cs, GICV5_ID_REALM)) {
+ domain = GICV5_ID_S;
+ }
+ return (MemTxAttrs) {
+ .space = domain,
+ .secure = domain == GICV5_ID_S || domain == GICV5_ID_EL3,
+ };
+}
+
+static hwaddr l1_iste_addr(GICv5Common *cs, const GICv5ISTConfig *cfg,
+ uint32_t id)
+{
+ /*
+ * In a 2-level IST configuration, return the address of the L1
+ * IST entry for this interrupt ID. The bottom l2_idx_bits of the
+ * ID value are the index into the L2 table, and the higher bits
+ * of the ID index the L1 table.
+ */
+ uint32_t l1_index = id >> cfg->l2_idx_bits;
+ return cfg->base + (l1_index * 8);
+}
+
+static bool get_l2_iste_addr(GICv5Common *cs, const GICv5ISTConfig *cfg,
+ uint32_t id, hwaddr *l2_iste_addr)
+{
+ /*
+ * Get the address of the L2 interrupt state table entry for
+ * this interrupt. On success, fill in l2_iste_addr and return true.
+ * On failure, return false.
+ */
+ hwaddr l2_base;
+
+ if (!cfg->valid) {
+ return false;
+ }
+
+ if (id >= (1 << cfg->id_bits)) {
+ return false;
+ }
+
+ if (cfg->structure) {
+ /*
+ * 2-level table: read the L1 IST. The bottom l2_idx_bits
+ * of the ID value are the index into the L2 table, and
+ * the higher bits of the ID index the L1 table. There is
+ * always at least one L1 table entry.
+ */
+ hwaddr l1_addr = l1_iste_addr(cs, cfg, id);
+ uint64_t l1_iste;
+ MemTxResult res;
+
+ l1_iste = address_space_ldq_le(&cs->dma_as, l1_addr,
+ cfg->txattrs, &res);
+ if (res != MEMTX_OK) {
+ /* Reportable with EC=0x01 if sw error reporting implemented */
+ qemu_log_mask(LOG_GUEST_ERROR, "L1 ISTE lookup failed for ID 0x%x"
+ " at physical address 0x" HWADDR_FMT_plx "\n",
+ id, l1_addr);
+ return false;
+ }
+ if (!FIELD_EX64(l1_iste, L1_ISTE, VALID)) {
+ return false;
+ }
+ l2_base = l1_iste & R_L1_ISTE_L2_ADDR_MASK;
+ id = extract32(id, 0, cfg->l2_idx_bits);
+ } else {
+ /* 1-level table */
+ l2_base = cfg->base;
+ }
+
+ *l2_iste_addr = l2_base + (id * cfg->istsz);
+ return true;
+}
+
+static bool read_l2_iste_mem(GICv5Common *cs, const GICv5ISTConfig *cfg,
+ hwaddr addr, uint32_t *l2_iste)
+{
+ MemTxResult res;
+ *l2_iste = address_space_ldl_le(&cs->dma_as, addr, cfg->txattrs, &res);
+ if (res != MEMTX_OK) {
+ /* Reportable with EC=0x02 if sw error reporting implemented */
+ qemu_log_mask(LOG_GUEST_ERROR, "L2 ISTE read failed at physical "
+ "address 0x" HWADDR_FMT_plx "\n", addr);
+ }
+ return res == MEMTX_OK;
+}
+
+static bool write_l2_iste_mem(GICv5Common *cs, const GICv5ISTConfig *cfg,
+ hwaddr addr, uint32_t l2_iste)
+{
+ MemTxResult res;
+ address_space_stl_le(&cs->dma_as, addr, l2_iste, cfg->txattrs, &res);
+ if (res != MEMTX_OK) {
+ /* Reportable with EC=0x02 if sw error reporting implemented */
+ qemu_log_mask(LOG_GUEST_ERROR, "L2 ISTE write failed at physical "
+ "address 0x" HWADDR_FMT_plx "\n", addr);
+ }
+ return res == MEMTX_OK;
+}
+
+/*
+ * This is returned by get_l2_iste() and has everything we
+ * need to do the writeback of the L2 ISTE word in put_l2_iste().
+ * Currently the get/put functions always directly do guest memory
+ * reads and writes to update the L2 ISTE. In a future commit we
+ * will add support for a cache of some of the ISTE data in a
+ * local hashtable; the APIs are designed with that in mind.
+ */
+typedef struct L2_ISTE_Handle {
+ hwaddr l2_iste_addr;
+ uint32_t l2_iste;
+} L2_ISTE_Handle;
+
+static uint32_t *get_l2_iste(GICv5Common *cs, const GICv5ISTConfig *cfg,
+ uint32_t id, L2_ISTE_Handle *h)
+{
+ /*
+ * Find the L2 ISTE for the interrupt @id.
+ *
+ * We return a pointer to the ISTE: the caller can freely
+ * read and modify the uint64_t pointed to to update the ISTE.
+ * If the caller modifies the L2 ISTE word, it must call
+ * put_l2_iste(), passing it @h, to write back the ISTE.
+ * If the caller is only reading the L2 ISTE, it does not need
+ * to call put_l2_iste().
+ *
+ * We fill in @h with information needed for put_l2_iste().
+ *
+ * If the ISTE could not be read (typically because of a
+ * memory error), return NULL.
+ */
+ if (!get_l2_iste_addr(cs, cfg, id, &h->l2_iste_addr) ||
+ !read_l2_iste_mem(cs, cfg, h->l2_iste_addr, &h->l2_iste)) {
+ return NULL;
+ }
+ return &h->l2_iste;
+}
+
+static void put_l2_iste(GICv5Common *cs, const GICv5ISTConfig *cfg,
+ L2_ISTE_Handle *h)
+{
+ /*
+ * Write back the modified L2_ISTE word found with get_l2_iste().
+ * Once this has been called the L2_ISTE_Handle @h and the
+ * pointer to the L2 ISTE word are no longer valid.
+ */
+ write_l2_iste_mem(cs, cfg, h->l2_iste_addr, h->l2_iste);
+}
+
+void gicv5_set_priority(GICv5Common *cs, uint32_t id,
+ uint8_t priority, GICv5Domain domain,
+ GICv5IntType type, bool virtual)
+{
+ const GICv5ISTConfig *cfg;
+ GICv5 *s = ARM_GICV5(cs);
+ uint32_t *l2_iste_p;
+ L2_ISTE_Handle h;
+
+ trace_gicv5_set_priority(domain_name[domain], inttype_name(type), virtual,
+ id, priority);
+ /* We must ignore unimplemented low-order priority bits */
+ priority &= MAKE_64BIT_MASK(5 - QEMU_GICV5_PRI_BITS, QEMU_GICV5_PRI_BITS);
+
+ if (virtual) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_priority: tried to set "
+ "priority of a virtual interrupt\n");
+ return;
+ }
+ if (type != GICV5_LPI) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_priority: tried to set "
+ "priority of bad interrupt type %d\n", type);
+ return;
+ }
+ cfg = &s->phys_lpi_config[domain];
+ l2_iste_p = get_l2_iste(cs, cfg, id, &h);
+ if (!l2_iste_p) {
+ return;
+ }
+ *l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, PRIORITY, priority);
+ put_l2_iste(cs, cfg, &h);
+}
+
static void irs_ist_baser_write(GICv5 *s, GICv5Domain domain, uint64_t value)
{
GICv5Common *cs = ARM_GICV5_COMMON(s);
@@ -331,6 +558,7 @@ static void irs_ist_baser_write(GICv5 *s, GICv5Domain domain, uint64_t value)
*/
l2_idx_bits = l2bits - istbits;
cfg->base = cs->irs_ist_baser[domain] & R_IRS_IST_BASER_ADDR_MASK;
+ cfg->txattrs = irs_txattrs(cs, domain),
cfg->id_bits = id_bits;
cfg->istsz = 1 << istbits;
cfg->l2_idx_bits = l2_idx_bits;
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index 80fc47794b..42f5e73d54 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -235,6 +235,7 @@ gicv5_badwrite(const char *domain, uint64_t offset, uint64_t data, unsigned size
gicv5_spi(uint32_t id, int level) "GICv5 SPI ID %u asserted at level %d"
gicv5_ist_valid(const char *domain, uint64_t base, uint8_t id_bits, uint8_t l2_idx_bits, uint8_t istsz, bool structure) "GICv5 IRS %s IST now valid: base 0x%" PRIx64 " id_bits %u l2_idx_bits %u IST entry size %u 2-level %d"
gicv5_ist_invalid(const char *domain) "GICv5 IRS %s IST no longer valid"
+gicv5_set_priority(const char *domain, const char *type, bool virtual, uint32_t id, uint8_t priority) "GICv5 IRS SetPriority %s %s virtual:%d ID %u prio %u"
# arm_gicv5_common.c
gicv5_common_realize(uint32_t irsid, uint32_t num_cpus, uint32_t spi_base, uint32_t spi_irs_range, uint32_t spi_range) "GICv5 IRS realized: IRS ID %u, %u CPUs, SPI base %u, SPI IRS range %u, SPI range %u"
diff --git a/include/hw/intc/arm_gicv5.h b/include/hw/intc/arm_gicv5.h
index f6ecd9c323..c631ecc3e8 100644
--- a/include/hw/intc/arm_gicv5.h
+++ b/include/hw/intc/arm_gicv5.h
@@ -19,6 +19,7 @@ OBJECT_DECLARE_TYPE(GICv5, GICv5Class, ARM_GICV5)
typedef struct GICv5ISTConfig {
hwaddr base; /* Base address */
+ MemTxAttrs txattrs; /* TX attrs to use for this table */
uint8_t id_bits; /* number of bits in an ID for this table */
uint8_t l2_idx_bits; /* number of ID bits that index into L2 table */
uint8_t istsz; /* L2 ISTE size in bytes */
diff --git a/include/hw/intc/arm_gicv5_stream.h b/include/hw/intc/arm_gicv5_stream.h
index 9b9c2e4b60..3239a86f1a 100644
--- a/include/hw/intc/arm_gicv5_stream.h
+++ b/include/hw/intc/arm_gicv5_stream.h
@@ -12,6 +12,7 @@
#define HW_INTC_ARM_GICV5_STREAM_H
#include "target/arm/cpu-qom.h"
+#include "hw/intc/arm_gicv5_types.h"
typedef struct GICv5Common GICv5Common;
@@ -29,4 +30,32 @@ typedef struct GICv5Common GICv5Common;
*/
bool gicv5_set_gicv5state(ARMCPU *cpu, GICv5Common *cs);
+/*
+ * The architected Stream Protocol is asynchronous; commands can be
+ * initiated both from the IRS and from the CPU interface, and some
+ * require acknowledgement. For QEMU, we simplify this because we know
+ * that in the CPU interface code we hold the BQL and so our IRS model
+ * is not going to be busy; when we send commands from the CPUIF
+ * ("upstream commands") we can model this as a synchronous function
+ * call whose return corresponds to the acknowledgement of a completed
+ * command.
+ */
+
+/**
+ * gicv5_set_priority
+ * @cs: GIC IRS to send command to
+ * @id: interrupt ID
+ * @priority: priority to set
+ * @domain: interrupt Domain to act on
+ * @type: interrupt type (LPI or SPI)
+ * @virtual: true if this is a virtual interrupt
+ *
+ * Set priority of an interrupt; matches stream interface
+ * SetPriority command from CPUIF to IRS. There is no report back
+ * of success/failure to the CPUIF in the protocol.
+ */
+void gicv5_set_priority(GICv5Common *cs, uint32_t id,
+ uint8_t priority, GICv5Domain domain,
+ GICv5IntType type, bool virtual);
+
#endif
diff --git a/include/hw/intc/arm_gicv5_types.h b/include/hw/intc/arm_gicv5_types.h
index 9c7788b1e6..b4452a7b7d 100644
--- a/include/hw/intc/arm_gicv5_types.h
+++ b/include/hw/intc/arm_gicv5_types.h
@@ -45,4 +45,14 @@ typedef enum GICv5Domain {
#define GICV5_PPI_CNTP 30
#define GICV5_PPI_TRBIRQ 31
+/*
+ * Type of the interrupt; these values match the 3-bit format
+ * specified in the GICv5 spec R_GYVWB.
+ */
+typedef enum GICv5IntType {
+ GICV5_PPI = 1,
+ GICV5_LPI = 2,
+ GICV5_SPI = 3,
+} GICv5IntType;
+
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 17/65] hw/intc/arm_gicv5: Implement gicv5_set_priority()
2026-02-23 17:01 ` [PATCH 17/65] hw/intc/arm_gicv5: Implement gicv5_set_priority() Peter Maydell
@ 2026-03-06 18:02 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 18:02 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:24 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement the gicv5_set_priority() function, which is our equivalent
> of the Stream Protocol SetPriority command. This acts by looking the
> interrupt ID up in the Interrupt State Table and storing the new
> priority value into the table entry.
>
> The memory transaction has to have the right transaction attributes
> for the domain it is for; we precalculate these and keep them in the
> GICv5ISTConfig.
>
> The GIC has an optional software-error reporting mechanism via the
> IRS_SWERR_* registers; this does not report all failure cases, only
> those that would be annoying to detect and debug in some other way.
> We choose not to implement this, but include some comments for
> reportable error cases for future reference. Our LOG_GUEST_ERROR
> logging is a superset of this.
>
> At this point we implement only handling of SetPriority for LPIs; we
> will add SPI handling in a later commit. Virtual interrupts aren't
> supported by this initial EL1-only GICv5 implementation.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Trivial stuff inline.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
> index 3f74069e01..8572823edc 100644
> --- a/hw/intc/arm_gicv5.c
> +++ b/hw/intc/arm_gicv5.c
> +static bool read_l2_iste_mem(GICv5Common *cs, const GICv5ISTConfig *cfg,
> + hwaddr addr, uint32_t *l2_iste)
> +{
> + MemTxResult res;
I'd like a blank line here.
> + *l2_iste = address_space_ldl_le(&cs->dma_as, addr, cfg->txattrs, &res);
> + if (res != MEMTX_OK) {
> + /* Reportable with EC=0x02 if sw error reporting implemented */
> + qemu_log_mask(LOG_GUEST_ERROR, "L2 ISTE read failed at physical "
> + "address 0x" HWADDR_FMT_plx "\n", addr);
> + }
> + return res == MEMTX_OK;
> +}
> +
> +static bool write_l2_iste_mem(GICv5Common *cs, const GICv5ISTConfig *cfg,
> + hwaddr addr, uint32_t l2_iste)
> +{
> + MemTxResult res;
and here
> + address_space_stl_le(&cs->dma_as, addr, l2_iste, cfg->txattrs, &res);
> + if (res != MEMTX_OK) {
> + /* Reportable with EC=0x02 if sw error reporting implemented */
> + qemu_log_mask(LOG_GUEST_ERROR, "L2 ISTE write failed at physical "
> + "address 0x" HWADDR_FMT_plx "\n", addr);
> + }
> + return res == MEMTX_OK;
> +}
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 18/65] target/arm: GICv5 cpuif: Implement the GIC CDPRI instruction
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (16 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 17/65] hw/intc/arm_gicv5: Implement gicv5_set_priority() Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 18:05 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 19/65] hw/intc/arm_gicv5: Implement IRS_MAP_L2_ISTR Peter Maydell
` (47 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the CPU interface GIC CDPRI instruction, which is a wrapper
around the SetPriority operation.
As with the barrier insns, we omit for the moment details which are
needed when the GICv5 supports virtualization:
* traps when legacy GICv3 emulation is enabled
* fine-grained-trap handling (which is done via
registers that are new in GICv5)
* sending the command for the virtual interrupt domain
when inside a guest
The CD instructions operate on the Current Physical Interrupt Domain,
which is the one associated with the current security state and
exception level. The spec also has the concept of a Logical
Interrupt Domain, which is the one associated with the security state
defined by SCR_EL3.{NS,NSE}. Mostly the logical interrupt domain is
used by the LD instructions, which are EL3-only; but we will also
want the concept later for handling some banked registers, so we
define functions for both.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/tcg/gicv5-cpuif.c | 58 ++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 76c2577c09..072b38e785 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -10,6 +10,59 @@
#include "cpu.h"
#include "internals.h"
#include "cpregs.h"
+#include "hw/intc/arm_gicv5_stream.h"
+
+FIELD(GIC_CDPRI, ID, 0, 24)
+FIELD(GIC_CDPRI, TYPE, 29, 3)
+FIELD(GIC_CDPRI, PRIORITY, 35, 5)
+
+static GICv5Common *gicv5_get_gic(CPUARMState *env)
+{
+ return env->gicv5state;
+}
+
+static GICv5Domain gicv5_logical_domain(CPUARMState *env)
+{
+ /*
+ * Return the Logical Interrupt Domain, which is the one associated
+ * with the security state selected by the SCR_EL3.{NS,NSE} bits
+ */
+ switch (arm_security_space_below_el3(env)) {
+ case ARMSS_Secure:
+ return GICV5_ID_S;
+ case ARMSS_NonSecure:
+ return GICV5_ID_NS;
+ case ARMSS_Realm:
+ return GICV5_ID_REALM;
+ default:
+ g_assert_not_reached();
+ }
+}
+
+static GICv5Domain gicv5_current_phys_domain(CPUARMState *env)
+{
+ /*
+ * Return the Current Physical Interrupt Domain as
+ * defined by R_ZFCXM.
+ */
+ if (arm_current_el(env) == 3) {
+ return GICV5_ID_EL3;
+ }
+ return gicv5_logical_domain(env);
+}
+
+static void gic_cdpri_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ GICv5Common *gic = gicv5_get_gic(env);
+ uint8_t priority = FIELD_EX64(value, GIC_CDPRI, PRIORITY);
+ GICv5IntType type = FIELD_EX64(value, GIC_CDPRI, TYPE);
+ uint32_t id = FIELD_EX64(value, GIC_CDPRI, ID);
+ bool virtual = false;
+ GICv5Domain domain = gicv5_current_phys_domain(env);
+
+ gicv5_set_priority(gic, id, priority, domain, type, virtual);
+}
static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
/*
@@ -33,6 +86,11 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.opc0 = 1, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1,
.access = PL1_W, .type = ARM_CP_NOP,
},
+ { .name = "GIC_CDPRI", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 2,
+ .access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .writefn = gic_cdpri_write,
+ },
};
void define_gicv5_cpuif_regs(ARMCPU *cpu)
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 18/65] target/arm: GICv5 cpuif: Implement the GIC CDPRI instruction
2026-02-23 17:01 ` [PATCH 18/65] target/arm: GICv5 cpuif: Implement the GIC CDPRI instruction Peter Maydell
@ 2026-03-06 18:05 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 18:05 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:25 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement the CPU interface GIC CDPRI instruction, which is a wrapper
> around the SetPriority operation.
>
> As with the barrier insns, we omit for the moment details which are
> needed when the GICv5 supports virtualization:
>
> * traps when legacy GICv3 emulation is enabled
> * fine-grained-trap handling (which is done via
> registers that are new in GICv5)
> * sending the command for the virtual interrupt domain
> when inside a guest
>
> The CD instructions operate on the Current Physical Interrupt Domain,
> which is the one associated with the current security state and
> exception level. The spec also has the concept of a Logical
> Interrupt Domain, which is the one associated with the security state
> defined by SCR_EL3.{NS,NSE}. Mostly the logical interrupt domain is
> used by the LD instructions, which are EL3-only; but we will also
> want the concept later for handling some banked registers, so we
> define functions for both.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 19/65] hw/intc/arm_gicv5: Implement IRS_MAP_L2_ISTR
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (17 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 18/65] target/arm: GICv5 cpuif: Implement the GIC CDPRI instruction Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-06 18:10 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 20/65] hw/intc/arm_gicv5: Implement remaining set-config functions Peter Maydell
` (46 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The IRS register IRS_MAP_L2_ISTR is used by software to tell the IRS
that it has updated the address in an L1 IST entry to point to an
L2 IST. The sequence of events here is:
* software writes to L1_ISTE.L2_ADDR for some L1 ISTE which is
not valid (i.e. where L1_ISTE.VALID is 0); it leaves VALID at 0
* software writes to IRS_MAP_L2_ISTR with some INTID that is inside
the range for this L1 ISTE
* the IRS sets IRS_IST_STATUSR.IDLE to 0
* the IRS takes note of this information
* the IRS writes to the L1_ISTE to set VALID=1
* the IRS sets IRS_IST_STATUSR.IDLE to 1 to indicate that the
update is complete
For QEMU, we're strictly synchronous, so (as with IRS_IST_BASER
updates) we don't need to model the IDLE transitions and can have
IRS_IST_STATUSR always return IDLE=1. We also don't currently cache
anything for ISTE lookups, so we don't need to invalidate or update
anything when software makes the L2 valid.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 8572823edc..af27fb7e63 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -492,6 +492,44 @@ void gicv5_set_priority(GICv5Common *cs, uint32_t id,
put_l2_iste(cs, cfg, &h);
}
+static void irs_map_l2_istr_write(GICv5 *s, GICv5Domain domain, uint64_t value)
+{
+ GICv5Common *cs = ARM_GICV5_COMMON(s);
+ GICv5ISTConfig *cfg = &s->phys_lpi_config[domain];
+ uint32_t intid = FIELD_EX32(value, IRS_MAP_L2_ISTR, ID);
+ hwaddr l1_addr;
+ uint64_t l1_iste;
+ MemTxResult res;
+
+ if (!FIELD_EX64(cs->irs_ist_baser[domain], IRS_IST_BASER, VALID) ||
+ !cfg->structure) {
+ /* WI if no IST set up or it is not 2-level */
+ return;
+ }
+
+ /* Find the relevant L1 ISTE and set its VALID bit */
+ l1_addr = l1_iste_addr(cs, cfg, intid);
+
+ l1_iste = address_space_ldq_le(&cs->dma_as, l1_addr, cfg->txattrs, &res);
+ if (res != MEMTX_OK) {
+ goto txfail;
+ }
+
+ l1_iste = FIELD_DP64(l1_iste, L1_ISTE, VALID, 1);
+
+ address_space_stq_le(&cs->dma_as, l1_addr, l1_iste, cfg->txattrs, &res);
+ if (res != MEMTX_OK) {
+ goto txfail;
+ }
+ return;
+
+txfail:
+ /* Reportable with EC=0x0 if sw error reporting implemented */
+ qemu_log_mask(LOG_GUEST_ERROR, "L1 ISTE update failed for ID 0x%x at "
+ "physical address 0x" HWADDR_FMT_plx "\n", intid, l1_addr);
+}
+
+
static void irs_ist_baser_write(GICv5 *s, GICv5Domain domain, uint64_t value)
{
GICv5Common *cs = ARM_GICV5_COMMON(s);
@@ -675,6 +713,9 @@ static bool config_writel(GICv5 *s, GICv5Domain domain, hwaddr offset,
cs->irs_ist_cfgr[domain] = data;
}
return true;
+ case A_IRS_MAP_L2_ISTR:
+ irs_map_l2_istr_write(s, domain, data);
+ return true;
}
return false;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 19/65] hw/intc/arm_gicv5: Implement IRS_MAP_L2_ISTR
2026-02-23 17:01 ` [PATCH 19/65] hw/intc/arm_gicv5: Implement IRS_MAP_L2_ISTR Peter Maydell
@ 2026-03-06 18:10 ` Jonathan Cameron via qemu development
2026-03-06 18:21 ` Peter Maydell
0 siblings, 1 reply; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-06 18:10 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:26 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The IRS register IRS_MAP_L2_ISTR is used by software to tell the IRS
> that it has updated the address in an L1 IST entry to point to an
> L2 IST. The sequence of events here is:
> * software writes to L1_ISTE.L2_ADDR for some L1 ISTE which is
> not valid (i.e. where L1_ISTE.VALID is 0); it leaves VALID at 0
> * software writes to IRS_MAP_L2_ISTR with some INTID that is inside
> the range for this L1 ISTE
> * the IRS sets IRS_IST_STATUSR.IDLE to 0
> * the IRS takes note of this information
> * the IRS writes to the L1_ISTE to set VALID=1
> * the IRS sets IRS_IST_STATUSR.IDLE to 1 to indicate that the
> update is complete
>
> For QEMU, we're strictly synchronous, so (as with IRS_IST_BASER
> updates) we don't need to model the IDLE transitions and can have
> IRS_IST_STATUSR always return IDLE=1. We also don't currently cache
> anything for ISTE lookups, so we don't need to invalidate or update
> anything when software makes the L2 valid.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
One trivial thing inline.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
That's enough for today, not sure when I'll get back to the rest of the series.
So far very nice and clean. Makes reviewing pleasant!
J
> ---
> hw/intc/arm_gicv5.c | 41 +++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 41 insertions(+)
>
> diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
> index 8572823edc..af27fb7e63 100644
> --- a/hw/intc/arm_gicv5.c
> +++ b/hw/intc/arm_gicv5.c
> @@ -492,6 +492,44 @@ void gicv5_set_priority(GICv5Common *cs, uint32_t id,
> put_l2_iste(cs, cfg, &h);
> }
>
> +static void irs_map_l2_istr_write(GICv5 *s, GICv5Domain domain, uint64_t value)
> +{
> + GICv5Common *cs = ARM_GICV5_COMMON(s);
> + GICv5ISTConfig *cfg = &s->phys_lpi_config[domain];
> + uint32_t intid = FIELD_EX32(value, IRS_MAP_L2_ISTR, ID);
> + hwaddr l1_addr;
> + uint64_t l1_iste;
> + MemTxResult res;
> +
> + if (!FIELD_EX64(cs->irs_ist_baser[domain], IRS_IST_BASER, VALID) ||
> + !cfg->structure) {
> + /* WI if no IST set up or it is not 2-level */
> + return;
> + }
> +
> + /* Find the relevant L1 ISTE and set its VALID bit */
> + l1_addr = l1_iste_addr(cs, cfg, intid);
> +
> + l1_iste = address_space_ldq_le(&cs->dma_as, l1_addr, cfg->txattrs, &res);
> + if (res != MEMTX_OK) {
> + goto txfail;
> + }
> +
> + l1_iste = FIELD_DP64(l1_iste, L1_ISTE, VALID, 1);
> +
> + address_space_stq_le(&cs->dma_as, l1_addr, l1_iste, cfg->txattrs, &res);
> + if (res != MEMTX_OK) {
> + goto txfail;
> + }
> + return;
> +
> +txfail:
> + /* Reportable with EC=0x0 if sw error reporting implemented */
> + qemu_log_mask(LOG_GUEST_ERROR, "L1 ISTE update failed for ID 0x%x at "
> + "physical address 0x" HWADDR_FMT_plx "\n", intid, l1_addr);
> +}
> +
I think other code is all one blank line between functions. Guessing no
particular reason for 2 here?
> +
> static void irs_ist_baser_write(GICv5 *s, GICv5Domain domain, uint64_t value)
> {
> GICv5Common *cs = ARM_GICV5_COMMON(s);
> @@ -675,6 +713,9 @@ static bool config_writel(GICv5 *s, GICv5Domain domain, hwaddr offset,
> cs->irs_ist_cfgr[domain] = data;
> }
> return true;
> + case A_IRS_MAP_L2_ISTR:
> + irs_map_l2_istr_write(s, domain, data);
> + return true;
> }
> return false;
> }
^ permalink raw reply [flat|nested] 142+ messages in thread* Re: [PATCH 19/65] hw/intc/arm_gicv5: Implement IRS_MAP_L2_ISTR
2026-03-06 18:10 ` Jonathan Cameron via qemu development
@ 2026-03-06 18:21 ` Peter Maydell
0 siblings, 0 replies; 142+ messages in thread
From: Peter Maydell @ 2026-03-06 18:21 UTC (permalink / raw)
To: Jonathan Cameron; +Cc: qemu-arm, qemu-devel
On Fri, 6 Mar 2026 at 18:10, Jonathan Cameron
<jonathan.cameron@huawei.com> wrote:
>
> On Mon, 23 Feb 2026 17:01:26 +0000
> Peter Maydell <peter.maydell@linaro.org> wrote:
>
> > The IRS register IRS_MAP_L2_ISTR is used by software to tell the IRS
> > that it has updated the address in an L1 IST entry to point to an
> > L2 IST. The sequence of events here is:
> > * software writes to L1_ISTE.L2_ADDR for some L1 ISTE which is
> > not valid (i.e. where L1_ISTE.VALID is 0); it leaves VALID at 0
> > * software writes to IRS_MAP_L2_ISTR with some INTID that is inside
> > the range for this L1 ISTE
> > * the IRS sets IRS_IST_STATUSR.IDLE to 0
> > * the IRS takes note of this information
> > * the IRS writes to the L1_ISTE to set VALID=1
> > * the IRS sets IRS_IST_STATUSR.IDLE to 1 to indicate that the
> > update is complete
> >
> > For QEMU, we're strictly synchronous, so (as with IRS_IST_BASER
> > updates) we don't need to model the IDLE transitions and can have
> > IRS_IST_STATUSR always return IDLE=1. We also don't currently cache
> > anything for ISTE lookups, so we don't need to invalidate or update
> > anything when software makes the L2 valid.
> >
> > Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> One trivial thing inline.
>
> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> I think other code is all one blank line between functions. Guessing no
> particular reason for 2 here?
No, no reason. This kind of thing usually creeps in during rebasing
or shuffling around of pieces between patches and I don't always
spot it.
thanks
-- PMM
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 20/65] hw/intc/arm_gicv5: Implement remaining set-config functions
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (18 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 19/65] hw/intc/arm_gicv5: Implement IRS_MAP_L2_ISTR Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 14:15 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 21/65] target/arm: GICv5 cpuif: Implement GIC CD* insns for setting config Peter Maydell
` (45 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the GICv5 functions corresponding to the stream protocol
SetEnabled, SetPending, SetHandling, and SetTarget commands. These
work exactly like SetPriority: the IRS looks up the L2TE and updates
the corresponding field in it with the new value.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 133 +++++++++++++++++++++++++++++
hw/intc/trace-events | 4 +
include/hw/intc/arm_gicv5_stream.h | 68 +++++++++++++++
include/hw/intc/arm_gicv5_types.h | 15 ++++
4 files changed, 220 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index af27fb7e63..3c6ef17573 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -492,6 +492,139 @@ void gicv5_set_priority(GICv5Common *cs, uint32_t id,
put_l2_iste(cs, cfg, &h);
}
+void gicv5_set_enabled(GICv5Common *cs, uint32_t id,
+ bool enabled, GICv5Domain domain,
+ GICv5IntType type, bool virtual)
+{
+ const GICv5ISTConfig *cfg;
+ GICv5 *s = ARM_GICV5(cs);
+ uint32_t *l2_iste_p;
+ L2_ISTE_Handle h;
+
+ trace_gicv5_set_enabled(domain_name[domain], inttype_name(type), virtual,
+ id, enabled);
+ if (virtual) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_enabled: tried to set "
+ "enable state of a virtual interrupt\n");
+ return;
+ }
+ if (type != GICV5_LPI) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_enabled: tried to set "
+ "enable state of bad interrupt type %d\n", type);
+ return;
+ }
+ cfg = &s->phys_lpi_config[domain];
+ l2_iste_p = get_l2_iste(cs, cfg, id, &h);
+ if (!l2_iste_p) {
+ return;
+ }
+ *l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, ENABLE, enabled);
+ put_l2_iste(cs, cfg, &h);
+}
+
+void gicv5_set_pending(GICv5Common *cs, uint32_t id,
+ bool pending, GICv5Domain domain,
+ GICv5IntType type, bool virtual)
+{
+ const GICv5ISTConfig *cfg;
+ GICv5 *s = ARM_GICV5(cs);
+ uint32_t *l2_iste_p;
+ L2_ISTE_Handle h;
+
+ trace_gicv5_set_pending(domain_name[domain], inttype_name(type), virtual,
+ id, pending);
+ if (virtual) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_pending: tried to set "
+ "pending state of a virtual interrupt\n");
+ return;
+ }
+ if (type != GICV5_LPI) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_pending: tried to set "
+ "pending state of bad interrupt type %d\n", type);
+ return;
+ }
+ cfg = &s->phys_lpi_config[domain];
+ l2_iste_p = get_l2_iste(cs, cfg, id, &h);
+ if (!l2_iste_p) {
+ return;
+ }
+ *l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, PENDING, pending);
+ put_l2_iste(cs, cfg, &h);
+}
+
+void gicv5_set_handling(GICv5Common *cs, uint32_t id,
+ GICv5HandlingMode handling, GICv5Domain domain,
+ GICv5IntType type, bool virtual)
+{
+ const GICv5ISTConfig *cfg;
+ GICv5 *s = ARM_GICV5(cs);
+ uint32_t *l2_iste_p;
+ L2_ISTE_Handle h;
+
+ trace_gicv5_set_handling(domain_name[domain], inttype_name(type), virtual,
+ id, handling);
+ if (virtual) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_handling: tried to set "
+ "handling mode of a virtual interrupt\n");
+ return;
+ }
+ if (type != GICV5_LPI) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_handling: tried to set "
+ "handling mode of bad interrupt type %d\n", type);
+ return;
+ }
+ cfg = &s->phys_lpi_config[domain];
+ l2_iste_p = get_l2_iste(cs, cfg, id, &h);
+ if (!l2_iste_p) {
+ return;
+ }
+ *l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, HM, handling);
+ put_l2_iste(cs, cfg, &h);
+}
+
+void gicv5_set_target(GICv5Common *cs, uint32_t id, uint32_t iaffid,
+ GICv5RoutingMode irm, GICv5Domain domain,
+ GICv5IntType type, bool virtual)
+{
+ const GICv5ISTConfig *cfg;
+ GICv5 *s = ARM_GICV5(cs);
+ uint32_t *l2_iste_p;
+ L2_ISTE_Handle h;
+
+ trace_gicv5_set_target(domain_name[domain], inttype_name(type), virtual,
+ id, iaffid, irm);
+ if (virtual) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_target: tried to set "
+ "target of a virtual interrupt\n");
+ return;
+ }
+ if (irm != GICV5_TARGETED) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_target: tried to set "
+ "1-of-N routing\n");
+ /*
+ * In the cpuif insn "GIC CDAFF", IRM is RES0 for a GIC which does not
+ * support 1-of-N routing. So warn, and fall through to treat
+ * IRM=1 the same as IRM=0.
+ */
+ }
+ if (type != GICV5_LPI) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_target: tried to set "
+ "target of bad interrupt type %d\n", type);
+ return;
+ }
+ cfg = &s->phys_lpi_config[domain];
+ l2_iste_p = get_l2_iste(cs, cfg, id, &h);
+ if (!l2_iste_p) {
+ return;
+ }
+ /*
+ * For QEMU we do not implement 1-of-N routing, and so L2_ISTE.IRM is RES0.
+ * We never read it, and we can skip explicitly writing it to zero here.
+ */
+ *l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, IAFFID, iaffid);
+ put_l2_iste(cs, cfg, &h);
+}
+
static void irs_map_l2_istr_write(GICv5 *s, GICv5Domain domain, uint64_t value)
{
GICv5Common *cs = ARM_GICV5_COMMON(s);
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index 42f5e73d54..37ca6e8e12 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -236,6 +236,10 @@ gicv5_spi(uint32_t id, int level) "GICv5 SPI ID %u asserted at level %d"
gicv5_ist_valid(const char *domain, uint64_t base, uint8_t id_bits, uint8_t l2_idx_bits, uint8_t istsz, bool structure) "GICv5 IRS %s IST now valid: base 0x%" PRIx64 " id_bits %u l2_idx_bits %u IST entry size %u 2-level %d"
gicv5_ist_invalid(const char *domain) "GICv5 IRS %s IST no longer valid"
gicv5_set_priority(const char *domain, const char *type, bool virtual, uint32_t id, uint8_t priority) "GICv5 IRS SetPriority %s %s virtual:%d ID %u prio %u"
+gicv5_set_enabled(const char *domain, const char *type, bool virtual, uint32_t id, bool enabled) "GICv5 IRS SetEnabled %s %s virtual:%d ID %u enabled %d"
+gicv5_set_pending(const char *domain, const char *type, bool virtual, uint32_t id, bool pending) "GICv5 IRS SetPending %s %s virtual:%d ID %u pending %d"
+gicv5_set_handling(const char *domain, const char *type, bool virtual, uint32_t id, int handling) "GICv5 IRS SetHandling %s %s virtual:%d ID %u handling %d"
+gicv5_set_target(const char *domain, const char *type, bool virtual, uint32_t id, uint32_t iaffid, int irm) "GICv5 IRS SetTarget %s %s virtual:%d ID %u IAFFID %u routingmode %d"
# arm_gicv5_common.c
gicv5_common_realize(uint32_t irsid, uint32_t num_cpus, uint32_t spi_base, uint32_t spi_irs_range, uint32_t spi_range) "GICv5 IRS realized: IRS ID %u, %u CPUs, SPI base %u, SPI IRS range %u, SPI range %u"
diff --git a/include/hw/intc/arm_gicv5_stream.h b/include/hw/intc/arm_gicv5_stream.h
index 3239a86f1a..db0e3e01c6 100644
--- a/include/hw/intc/arm_gicv5_stream.h
+++ b/include/hw/intc/arm_gicv5_stream.h
@@ -58,4 +58,72 @@ void gicv5_set_priority(GICv5Common *cs, uint32_t id,
uint8_t priority, GICv5Domain domain,
GICv5IntType type, bool virtual);
+/**
+ * gicv5_set_enabled
+ * @cs: GIC IRS to send command to
+ * @id: interrupt ID
+ * @enabled: new enabled state
+ * @domain: interrupt Domain to act on
+ * @type: interrupt type (LPI or SPI)
+ * @virtual: true if this is a virtual interrupt
+ *
+ * Set enabled state of an interrupt; matches stream interface
+ * SetEnabled command from CPUIF to IRS. There is no report back
+ * of success/failure to the CPUIF in the protocol.
+ */
+void gicv5_set_enabled(GICv5Common *cs, uint32_t id,
+ bool enabled, GICv5Domain domain,
+ GICv5IntType type, bool virtual);
+
+/**
+ * gicv5_set_pending
+ * @cs: GIC IRS to send command to
+ * @id: interrupt ID
+ * @pending: new pending state
+ * @domain: interrupt Domain to act on
+ * @type: interrupt type (LPI or SPI)
+ * @virtual: true if this is a virtual interrupt
+ *
+ * Set pending state of an interrupt; matches stream interface
+ * SetPending command from CPUIF to IRS. There is no report back
+ * of success/failure to the CPUIF in the protocol.
+ */
+void gicv5_set_pending(GICv5Common *cs, uint32_t id,
+ bool pending, GICv5Domain domain,
+ GICv5IntType type, bool virtual);
+
+/**
+ * gicv5_set_handling
+ * @cs: GIC IRS to send command to
+ * @id: interrupt ID
+ * @handling: new handling mode
+ * @domain: interrupt Domain to act on
+ * @type: interrupt type (LPI or SPI)
+ * @virtual: true if this is a virtual interrupt
+ *
+ * Set handling mode of an interrupt (edge/level); matches stream interface
+ * SetHandling command from CPUIF to IRS. There is no report back
+ * of success/failure to the CPUIF in the protocol.
+ */
+void gicv5_set_handling(GICv5Common *cs, uint32_t id,
+ GICv5HandlingMode handling, GICv5Domain domain,
+ GICv5IntType type, bool virtual);
+
+/**
+ * gicv5_set_target
+ * @cs: GIC IRS to send command to
+ * @id: interrupt ID
+ * @iaffid: new target PE's interrupt affinity
+ * @irm: interrupt routing mode (targeted vs 1-of-N)
+ * @domain: interrupt Domain to act on
+ * @type: interrupt type (LPI or SPI)
+ * @virtual: true if this is a virtual interrupt
+ *
+ * Set handling mode of an interrupt (edge/level); matches stream interface
+ * SetHandling command from CPUIF to IRS. There is no report back
+ * of success/failure to the CPUIF in the protocol.
+ */
+void gicv5_set_target(GICv5Common *cs, uint32_t id, uint32_t iaffid,
+ GICv5RoutingMode irm, GICv5Domain domain,
+ GICv5IntType type, bool virtual);
#endif
diff --git a/include/hw/intc/arm_gicv5_types.h b/include/hw/intc/arm_gicv5_types.h
index b4452a7b7d..15d4d5c3f4 100644
--- a/include/hw/intc/arm_gicv5_types.h
+++ b/include/hw/intc/arm_gicv5_types.h
@@ -55,4 +55,19 @@ typedef enum GICv5IntType {
GICV5_SPI = 3,
} GICv5IntType;
+/* Interrupt handling mode (same encoding as L2_ISTE.HM) */
+typedef enum GICv5HandlingMode {
+ GICV5_EDGE = 0,
+ GICV5_LEVEL = 1,
+} GICv5HandlingMode;
+
+/*
+ * Interrupt routing mode (same encoding as L2_ISTE.IRM).
+ * Note that 1-of-N support is option and QEMU does not implement it.
+ */
+typedef enum GICv5RoutingMode {
+ GICV5_TARGETED = 0,
+ GICV5_1OFN = 1,
+} GICv5RoutingMode;
+
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 20/65] hw/intc/arm_gicv5: Implement remaining set-config functions
2026-02-23 17:01 ` [PATCH 20/65] hw/intc/arm_gicv5: Implement remaining set-config functions Peter Maydell
@ 2026-03-11 14:15 ` Jonathan Cameron via qemu development
2026-03-19 9:59 ` Peter Maydell
0 siblings, 1 reply; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 14:15 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:27 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement the GICv5 functions corresponding to the stream protocol
> SetEnabled, SetPending, SetHandling, and SetTarget commands. These
> work exactly like SetPriority: the IRS looks up the L2TE and updates
> the corresponding field in it with the new value.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Trivial formatting and naming comments only.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> ---
> hw/intc/arm_gicv5.c | 133 +++++++++++++++++++++++++++++
> hw/intc/trace-events | 4 +
> include/hw/intc/arm_gicv5_stream.h | 68 +++++++++++++++
> include/hw/intc/arm_gicv5_types.h | 15 ++++
> 4 files changed, 220 insertions(+)
>
> diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
> index af27fb7e63..3c6ef17573 100644
> --- a/hw/intc/arm_gicv5.c
> +++ b/hw/intc/arm_gicv5.c
> @@ -492,6 +492,139 @@ void gicv5_set_priority(GICv5Common *cs, uint32_t id,
> put_l2_iste(cs, cfg, &h);
> }
>
> +void gicv5_set_enabled(GICv5Common *cs, uint32_t id,
> + bool enabled, GICv5Domain domain,
> + GICv5IntType type, bool virtual)
Seems like wrapping as:
void gicv5_set_enabled(GICv5Common *cs, uint32_t id, bool enabled,
GICv5Domain domain, GICv5IntType type, bool virtual)
might be better. I'm not seeing clear reason to do the 3 line version
unless maybe another parameter turns up in a later patch.
Same applies to other cases.
> +{
> + const GICv5ISTConfig *cfg;
> + GICv5 *s = ARM_GICV5(cs);
> + uint32_t *l2_iste_p;
> + L2_ISTE_Handle h;
> +
> + trace_gicv5_set_enabled(domain_name[domain], inttype_name(type), virtual,
> + id, enabled);
> + if (virtual) {
> + qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_enabled: tried to set "
> + "enable state of a virtual interrupt\n");
> + return;
> + }
> + if (type != GICV5_LPI) {
> + qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_enabled: tried to set "
> + "enable state of bad interrupt type %d\n", type);
> + return;
> + }
> + cfg = &s->phys_lpi_config[domain];
> + l2_iste_p = get_l2_iste(cs, cfg, id, &h);
> + if (!l2_iste_p) {
> + return;
> + }
> + *l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, ENABLE, enabled);
> + put_l2_iste(cs, cfg, &h);
> +}
> +void gicv5_set_handling(GICv5Common *cs, uint32_t id,
Might be worth throwing _mode in there as set_handling almost
feels like 'set that it is being handled' Also aligns better
with the HM naming in the spec.
Not that important though give from the actual code it is easy to
see this is HM.
> + GICv5HandlingMode handling, GICv5Domain domain,
> + GICv5IntType type, bool virtual)
> +{
> + const GICv5ISTConfig *cfg;
> + GICv5 *s = ARM_GICV5(cs);
> + uint32_t *l2_iste_p;
> + L2_ISTE_Handle h;
> +
> + trace_gicv5_set_handling(domain_name[domain], inttype_name(type), virtual,
> + id, handling);
> + if (virtual) {
> + qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_handling: tried to set "
> + "handling mode of a virtual interrupt\n");
> + return;
> + }
> + if (type != GICV5_LPI) {
> + qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_handling: tried to set "
> + "handling mode of bad interrupt type %d\n", type);
> + return;
> + }
> + cfg = &s->phys_lpi_config[domain];
> + l2_iste_p = get_l2_iste(cs, cfg, id, &h);
> + if (!l2_iste_p) {
> + return;
> + }
> + *l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, HM, handling);
> + put_l2_iste(cs, cfg, &h);
> +}
^ permalink raw reply [flat|nested] 142+ messages in thread* Re: [PATCH 20/65] hw/intc/arm_gicv5: Implement remaining set-config functions
2026-03-11 14:15 ` Jonathan Cameron via qemu development
@ 2026-03-19 9:59 ` Peter Maydell
0 siblings, 0 replies; 142+ messages in thread
From: Peter Maydell @ 2026-03-19 9:59 UTC (permalink / raw)
To: Jonathan Cameron; +Cc: qemu-arm, qemu-devel
On Wed, 11 Mar 2026 at 14:15, Jonathan Cameron
<jonathan.cameron@huawei.com> wrote:
>
> On Mon, 23 Feb 2026 17:01:27 +0000
> Peter Maydell <peter.maydell@linaro.org> wrote:
>
> > Implement the GICv5 functions corresponding to the stream protocol
> > SetEnabled, SetPending, SetHandling, and SetTarget commands. These
> > work exactly like SetPriority: the IRS looks up the L2TE and updates
> > the corresponding field in it with the new value.
> >
> > Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> Trivial formatting and naming comments only.
> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> > +void gicv5_set_handling(GICv5Common *cs, uint32_t id,
>
> Might be worth throwing _mode in there as set_handling almost
> feels like 'set that it is being handled' Also aligns better
> with the HM naming in the spec.
These functions are named to align with the stream protocol
command names in the spec. I agree that "set_handling_mode"
would be a nicer name, but the spec calls this command SetHandling...
thanks
-- PMM
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 21/65] target/arm: GICv5 cpuif: Implement GIC CD* insns for setting config
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (19 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 20/65] hw/intc/arm_gicv5: Implement remaining set-config functions Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 14:24 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 22/65] hw/intc/arm_gicv5: Create backing state for SPIs Peter Maydell
` (44 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the GIC CDDIS, GIC CDEN, GIC CDAFF, GIC CDPEND and GIC CDHM
system instructions. These are all simple wrappers around the
equivalent gicv5_set_* functions, like GIC CDPRI.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/tcg/gicv5-cpuif.c | 108 +++++++++++++++++++++++++++++++++++
1 file changed, 108 insertions(+)
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 072b38e785..c426e045d9 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -16,6 +16,25 @@ FIELD(GIC_CDPRI, ID, 0, 24)
FIELD(GIC_CDPRI, TYPE, 29, 3)
FIELD(GIC_CDPRI, PRIORITY, 35, 5)
+FIELD(GIC_CDDIS, ID, 0, 24)
+FIELD(GIC_CDDIS, TYPE, 29, 3)
+
+FIELD(GIC_CDEN, ID, 0, 24)
+FIELD(GIC_CDEN, TYPE, 29, 3)
+
+FIELD(GIC_CDAFF, ID, 0, 24)
+FIELD(GIC_CDAFF, IRM, 28, 1)
+FIELD(GIC_CDAFF, TYPE, 29, 3)
+FIELD(GIC_CDAFF, IAFFID, 32, 16)
+
+FIELD(GIC_CDPEND, ID, 0, 24)
+FIELD(GIC_CDPEND, TYPE, 29, 3)
+FIELD(GIC_CDPEND, PENDING, 32, 1)
+
+FIELD(GIC_CDHM, ID, 0, 24)
+FIELD(GIC_CDHM, TYPE, 29, 3)
+FIELD(GIC_CDHM, HM, 32, 1)
+
static GICv5Common *gicv5_get_gic(CPUARMState *env)
{
return env->gicv5state;
@@ -51,6 +70,30 @@ static GICv5Domain gicv5_current_phys_domain(CPUARMState *env)
return gicv5_logical_domain(env);
}
+static void gic_cddis_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ GICv5Common *gic = gicv5_get_gic(env);
+ GICv5IntType type = FIELD_EX64(value, GIC_CDDIS, TYPE);
+ uint32_t id = FIELD_EX64(value, GIC_CDDIS, ID);
+ bool virtual = false;
+ GICv5Domain domain = gicv5_current_phys_domain(env);
+
+ gicv5_set_enabled(gic, id, false, domain, type, virtual);
+}
+
+static void gic_cden_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ GICv5Common *gic = gicv5_get_gic(env);
+ GICv5IntType type = FIELD_EX64(value, GIC_CDEN, TYPE);
+ uint32_t id = FIELD_EX64(value, GIC_CDEN, ID);
+ bool virtual = false;
+ GICv5Domain domain = gicv5_current_phys_domain(env);
+
+ gicv5_set_enabled(gic, id, true, domain, type, virtual);
+}
+
static void gic_cdpri_write(CPUARMState *env, const ARMCPRegInfo *ri,
uint64_t value)
{
@@ -64,6 +107,46 @@ static void gic_cdpri_write(CPUARMState *env, const ARMCPRegInfo *ri,
gicv5_set_priority(gic, id, priority, domain, type, virtual);
}
+static void gic_cdaff_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ GICv5Common *gic = gicv5_get_gic(env);
+ uint32_t iaffid = FIELD_EX64(value, GIC_CDAFF, IAFFID);
+ GICv5RoutingMode irm = FIELD_EX64(value, GIC_CDAFF, IRM);
+ GICv5IntType type = FIELD_EX64(value, GIC_CDAFF, TYPE);
+ uint32_t id = FIELD_EX64(value, GIC_CDAFF, ID);
+ bool virtual = false;
+ GICv5Domain domain = gicv5_current_phys_domain(env);
+
+ gicv5_set_target(gic, id, iaffid, irm, domain, type, virtual);
+}
+
+static void gic_cdpend_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ GICv5Common *gic = gicv5_get_gic(env);
+ bool pending = FIELD_EX64(value, GIC_CDPEND, PENDING);
+ GICv5IntType type = FIELD_EX64(value, GIC_CDPEND, TYPE);
+ uint32_t id = FIELD_EX64(value, GIC_CDPEND, ID);
+ bool virtual = false;
+ GICv5Domain domain = gicv5_current_phys_domain(env);
+
+ gicv5_set_pending(gic, id, pending, domain, type, virtual);
+}
+
+static void gic_cdhm_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ GICv5Common *gic = gicv5_get_gic(env);
+ GICv5HandlingMode hm = FIELD_EX64(value, GIC_CDHM, HM);
+ GICv5IntType type = FIELD_EX64(value, GIC_CDAFF, TYPE);
+ uint32_t id = FIELD_EX64(value, GIC_CDAFF, ID);
+ bool virtual = false;
+ GICv5Domain domain = gicv5_current_phys_domain(env);
+
+ gicv5_set_handling(gic, id, hm, domain, type, virtual);
+}
+
static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
/*
* Barrier: wait until the effects of a cpuif system register
@@ -86,11 +169,36 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.opc0 = 1, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1,
.access = PL1_W, .type = ARM_CP_NOP,
},
+ { .name = "GIC_CDDIS", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 0,
+ .access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .writefn = gic_cddis_write,
+ },
+ { .name = "GIC_CDEN", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 1,
+ .access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .writefn = gic_cden_write,
+ },
{ .name = "GIC_CDPRI", .state = ARM_CP_STATE_AA64,
.opc0 = 1, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 2,
.access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
.writefn = gic_cdpri_write,
},
+ { .name = "GIC_CDAFF", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 3,
+ .access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .writefn = gic_cdaff_write,
+ },
+ { .name = "GIC_CDPEND", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 4,
+ .access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .writefn = gic_cdpend_write,
+ },
+ { .name = "GIC_CDHM", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 12, .crm = 2, .opc2 = 1,
+ .access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .writefn = gic_cdhm_write,
+ },
};
void define_gicv5_cpuif_regs(ARMCPU *cpu)
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* [PATCH 22/65] hw/intc/arm_gicv5: Create backing state for SPIs
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (20 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 21/65] target/arm: GICv5 cpuif: Implement GIC CD* insns for setting config Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 14:30 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 23/65] hw/intc/arm_gicv5: Make gicv5_set_* update SPI state Peter Maydell
` (43 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The GICv5 allows an IRS to implement SPIs, which are fixed-wire
interrupts connected directly to the IRS. For QEMU we want to use
these for all our traditional fixed-wire interrupt devices. (The
other option the architecture permits is an Interrupt Wire Bridge
(IWB), which converts from a fixed-wire interrupt to an interrupt
event that is then translated through an ITS to send an LPI to the
ITS -- this is much more complexity than we need or want.)
SPI configuration is set via the same CPUIF instructions as LPI
configuration. Create an array of structs which track the SPI state
information listed in I_JVVTZ and I_BWPPP (ignoring for the moment
the VM assignment state, which we will add when we add virtualization
support).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5_common.c | 30 ++++++++++++++++++++++++++++++
include/hw/intc/arm_gicv5_common.h | 28 ++++++++++++++++++++++++++++
include/hw/intc/arm_gicv5_types.h | 15 +++++++++++++++
3 files changed, 73 insertions(+)
diff --git a/hw/intc/arm_gicv5_common.c b/hw/intc/arm_gicv5_common.c
index 751df2001c..8cca3a9764 100644
--- a/hw/intc/arm_gicv5_common.c
+++ b/hw/intc/arm_gicv5_common.c
@@ -66,6 +66,34 @@ static void gicv5_common_reset_hold(Object *obj, ResetType type)
memset(cs->irs_ist_baser, 0, sizeof(cs->irs_ist_baser));
memset(cs->irs_ist_cfgr, 0, sizeof(cs->irs_ist_cfgr));
+
+ if (cs->spi) {
+ GICv5Domain mp_domain;
+
+ /*
+ * D_YGLYC, D_TVVRZ: SPIs reset to edge-triggered, inactive,
+ * idle, disabled, targeted routing mode, not assigned to a VM,
+ * and assigned to the most-privileged interrupt domain.
+ * Other state is UNKNOWN: we choose to zero it.
+ */
+ memset(cs->spi, 0, cs->spi_irs_range * sizeof(*cs->spi));
+
+ /*
+ * The most-privileged interrupt domain is effectively the
+ * first in the list (EL3, S, NS) that we implement.
+ */
+ if (gicv5_domain_implemented(cs, GICV5_ID_EL3)) {
+ mp_domain = GICV5_ID_EL3;
+ } else if (gicv5_domain_implemented(cs, GICV5_ID_S)) {
+ mp_domain = GICV5_ID_S;
+ } else {
+ mp_domain = GICV5_ID_NS;
+ }
+
+ for (int i = 0; i < cs->spi_irs_range; i++) {
+ cs->spi[i].domain = mp_domain;
+ }
+ }
}
static void gicv5_common_init(Object *obj)
@@ -144,6 +172,8 @@ static void gicv5_common_realize(DeviceState *dev, Error **errp)
address_space_init(&cs->dma_as, cs->dma, "gicv5-sysmem");
+ cs->spi = g_new0(GICv5SPIState, cs->spi_irs_range);
+
trace_gicv5_common_realize(cs->irsid, cs->num_cpus,
cs->spi_base, cs->spi_irs_range, cs->spi_range);
}
diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
index 2a49d58679..c29eab2951 100644
--- a/include/hw/intc/arm_gicv5_common.h
+++ b/include/hw/intc/arm_gicv5_common.h
@@ -53,6 +53,26 @@
OBJECT_DECLARE_TYPE(GICv5Common, GICv5CommonClass, ARM_GICV5_COMMON)
+/*
+ * This is where we store the state the IRS handles for an SPI.
+ * Generally this corresponds to the spec's list of state in
+ * I_JVVTZ and J_BWPPP. level is a QEMU implementation detail and
+ * is where we store the actual current state of the incoming
+ * qemu_irq line.
+ */
+typedef struct GICv5SPIState {
+ uint32_t iaffid;
+ uint8_t priority;
+ bool level;
+ bool pending;
+ bool active;
+ bool enabled;
+ GICv5HandlingMode hm;
+ GICv5RoutingMode irm;
+ GICv5TriggerMode tm;
+ GICv5Domain domain;
+} GICv5SPIState;
+
/*
* This class is for common state that will eventually be shared
* between TCG and KVM implementations of the GICv5.
@@ -65,6 +85,14 @@ struct GICv5Common {
uint64_t irs_ist_baser[NUM_GICV5_DOMAINS];
uint32_t irs_ist_cfgr[NUM_GICV5_DOMAINS];
+ /*
+ * Pointer to an array of state information for the SPIs.
+ * Array element 0 is SPI ID s->spi_base, and there are s->spi_irs_range
+ * elements in total. SPI state is not per-domain: SPI is configurable
+ * to a particular domain via IRS_SPI_DOMAINR.
+ */
+ GICv5SPIState *spi;
+
/* Bits here are set for each physical interrupt domain implemented */
uint8_t implemented_domains;
diff --git a/include/hw/intc/arm_gicv5_types.h b/include/hw/intc/arm_gicv5_types.h
index 15d4d5c3f4..30e1bc58cb 100644
--- a/include/hw/intc/arm_gicv5_types.h
+++ b/include/hw/intc/arm_gicv5_types.h
@@ -70,4 +70,19 @@ typedef enum GICv5RoutingMode {
GICV5_1OFN = 1,
} GICv5RoutingMode;
+/*
+ * Interrupt trigger mode (same encoding as IRS_SPI_CFGR.TM)
+ * Note that this is not the same thing as handling mode, even though
+ * the two possible states have the same names. Trigger mode applies
+ * only for SPIs and tells the IRS what kinds of changes to the input
+ * signal wire should make it generate SET and CLEAR events.
+ * Handling mode affects whether the pending state of an interrupt
+ * is cleared when the interrupt is acknowledged, and applies to
+ * both SPIs and LPIs.
+ */
+typedef enum GICv5TriggerMode {
+ GICV5_TRIGGER_EDGE = 0,
+ GICV5_TRIGGER_LEVEL = 1,
+} GICv5TriggerMode;
+
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 22/65] hw/intc/arm_gicv5: Create backing state for SPIs
2026-02-23 17:01 ` [PATCH 22/65] hw/intc/arm_gicv5: Create backing state for SPIs Peter Maydell
@ 2026-03-11 14:30 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 14:30 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:29 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The GICv5 allows an IRS to implement SPIs, which are fixed-wire
> interrupts connected directly to the IRS. For QEMU we want to use
> these for all our traditional fixed-wire interrupt devices. (The
> other option the architecture permits is an Interrupt Wire Bridge
> (IWB), which converts from a fixed-wire interrupt to an interrupt
> event that is then translated through an ITS to send an LPI to the
> ITS -- this is much more complexity than we need or want.)
Skipping the fun stuff? :)
>
> SPI configuration is set via the same CPUIF instructions as LPI
> configuration. Create an array of structs which track the SPI state
> information listed in I_JVVTZ and I_BWPPP (ignoring for the moment
> the VM assignment state, which we will add when we add virtualization
> support).
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 23/65] hw/intc/arm_gicv5: Make gicv5_set_* update SPI state
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (21 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 22/65] hw/intc/arm_gicv5: Create backing state for SPIs Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 14:35 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 24/65] hw/intc/arm_gicv5: Implement gicv5_request_config() Peter Maydell
` (42 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The GIC CD* insns that update interrupt state also work for SPIs.
Instead of ignoring the GICV5_SPI type in gicv5_set_priority() and
friends, update the state in our SPI state array.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 59 ++++++++++++++++++++++++++++++
include/hw/intc/arm_gicv5_common.h | 40 ++++++++++++++++++++
2 files changed, 99 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 3c6ef17573..4d99200122 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -478,6 +478,18 @@ void gicv5_set_priority(GICv5Common *cs, uint32_t id,
"priority of a virtual interrupt\n");
return;
}
+ if (type == GICV5_SPI) {
+ GICv5SPIState *spi = gicv5_spi_state(cs, id, domain);
+
+ if (!spi) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_priority: tried to set "
+ "priority of unreachable SPI %d\n", id);
+ return;
+ }
+
+ spi->priority = priority;
+ return;
+ }
if (type != GICV5_LPI) {
qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_priority: tried to set "
"priority of bad interrupt type %d\n", type);
@@ -508,6 +520,18 @@ void gicv5_set_enabled(GICv5Common *cs, uint32_t id,
"enable state of a virtual interrupt\n");
return;
}
+ if (type == GICV5_SPI) {
+ GICv5SPIState *spi = gicv5_spi_state(cs, id, domain);
+
+ if (!spi) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_enabled: tried to set "
+ "enable state of unreachable SPI %d\n", id);
+ return;
+ }
+
+ spi->enabled = true;
+ return;
+ }
if (type != GICV5_LPI) {
qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_enabled: tried to set "
"enable state of bad interrupt type %d\n", type);
@@ -538,6 +562,18 @@ void gicv5_set_pending(GICv5Common *cs, uint32_t id,
"pending state of a virtual interrupt\n");
return;
}
+ if (type == GICV5_SPI) {
+ GICv5SPIState *spi = gicv5_spi_state(cs, id, domain);
+
+ if (!spi) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_pending: tried to set "
+ "pending state of unreachable SPI %d\n", id);
+ return;
+ }
+
+ spi->pending = true;
+ return;
+ }
if (type != GICV5_LPI) {
qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_pending: tried to set "
"pending state of bad interrupt type %d\n", type);
@@ -568,6 +604,17 @@ void gicv5_set_handling(GICv5Common *cs, uint32_t id,
"handling mode of a virtual interrupt\n");
return;
}
+ if (type == GICV5_SPI) {
+ GICv5SPIState *spi = gicv5_spi_state(cs, id, domain);
+
+ if (!spi) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_handling: tried to set "
+ "priority of unreachable SPI %d\n", id);
+ }
+
+ spi->hm = handling;
+ return;
+ }
if (type != GICV5_LPI) {
qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_handling: tried to set "
"handling mode of bad interrupt type %d\n", type);
@@ -607,6 +654,18 @@ void gicv5_set_target(GICv5Common *cs, uint32_t id, uint32_t iaffid,
* IRM=1 the same as IRM=0.
*/
}
+ if (type == GICV5_SPI) {
+ GICv5SPIState *spi = gicv5_spi_state(cs, id, domain);
+
+ if (!spi) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_target: tried to set "
+ "target of unreachable SPI %d\n", id);
+ return;
+ }
+
+ spi->iaffid = iaffid;
+ return;
+ }
if (type != GICV5_LPI) {
qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_target: tried to set "
"target of bad interrupt type %d\n", type);
diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
index c29eab2951..1a1d360c68 100644
--- a/include/hw/intc/arm_gicv5_common.h
+++ b/include/hw/intc/arm_gicv5_common.h
@@ -191,4 +191,44 @@ static inline bool gicv5_domain_implemented(GICv5Common *cs, GICv5Domain domain)
*/
const char *gicv5_class_name(void);
+/**
+ * gicv5_raw_spi_state
+ * @cs: GIC object
+ * @id: INTID of SPI to look up
+ *
+ * Return pointer to the GICv5SPIState for this SPI, or NULL if the
+ * interrupt ID is out of range. This does not do a check that the
+ * SPI is assigned to the right domain: generally you should call it
+ * via some other wrapper that performs an appropriate further check.
+ */
+static inline GICv5SPIState *gicv5_raw_spi_state(GICv5Common *cs, uint32_t id)
+{
+ if (id < cs->spi_base || id >= cs->spi_base + cs->spi_irs_range) {
+ return NULL;
+ }
+
+ return cs->spi + (id - cs->spi_base);
+}
+
+/**
+ * gicv5_spi_state:
+ * @cs: GIC object
+ * @id: INTID of SPI to look up
+ * @domain: domain to check
+ *
+ * Return pointer to the GICv5SPIState for this SPI, or NULL if the
+ * interrupt is unreachable (which can be because the INTID is out
+ * of range, or because the SPI is configured for a different domain).
+ */
+static inline GICv5SPIState *gicv5_spi_state(GICv5Common *cs, uint32_t id,
+ GICv5Domain domain)
+{
+ GICv5SPIState *spi = gicv5_raw_spi_state(cs, id);
+
+ if (!spi || spi->domain != domain) {
+ return NULL;
+ }
+ return spi;
+}
+
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 23/65] hw/intc/arm_gicv5: Make gicv5_set_* update SPI state
2026-02-23 17:01 ` [PATCH 23/65] hw/intc/arm_gicv5: Make gicv5_set_* update SPI state Peter Maydell
@ 2026-03-11 14:35 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 14:35 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:30 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The GIC CD* insns that update interrupt state also work for SPIs.
> Instead of ignoring the GICV5_SPI type in gicv5_set_priority() and
> friends, update the state in our SPI state array.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
For this one I wonder if the resulting code structure is reflecting
more about how the patch series evolves rather than a more ideal
version where the SPI and LPI are treated as to 'equalish' options.
So to me a switch statement with two good legs and a default one
that rejects all other types of interrupt (so the 1 remaining one!)
Not that important however.
> ---
> hw/intc/arm_gicv5.c | 59 ++++++++++++++++++++++++++++++
> include/hw/intc/arm_gicv5_common.h | 40 ++++++++++++++++++++
> 2 files changed, 99 insertions(+)
>
> diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
> index 3c6ef17573..4d99200122 100644
> --- a/hw/intc/arm_gicv5.c
> +++ b/hw/intc/arm_gicv5.c
> @@ -478,6 +478,18 @@ void gicv5_set_priority(GICv5Common *cs, uint32_t id,
> "priority of a virtual interrupt\n");
> return;
> }
> + if (type == GICV5_SPI) {
To me it feels a bit like this would be readable as a switch statement
given 2 out of 3 types are handled.
If you do go that way, then introducing the switch in the earlier patch
probably makes sense to minimize churn.
> + GICv5SPIState *spi = gicv5_spi_state(cs, id, domain);
> +
> + if (!spi) {
> + qemu_log_mask(LOG_GUEST_ERROR, "gicv5_set_priority: tried to set "
> + "priority of unreachable SPI %d\n", id);
> + return;
> + }
> +
> + spi->priority = priority;
> + return;
> + }
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 24/65] hw/intc/arm_gicv5: Implement gicv5_request_config()
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (22 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 23/65] hw/intc/arm_gicv5: Make gicv5_set_* update SPI state Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 14:44 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 25/65] target/arm: GICv5 cpuif: Implement GIC CDRCFG and ICC_ICSR_EL1 Peter Maydell
` (41 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the gicv5_request_config() function, which corresponds to
the RequestConfig command and its RequestConfigAck reply.
We provide read_l2_iste() as a separate function to keep the "access
the in-guest-memory data structure" layer separate from the "operate
on the L2_ISTE values" layer.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 92 ++++++++++++++++++++++++++++++
hw/intc/trace-events | 1 +
include/hw/intc/arm_gicv5_stream.h | 24 ++++++++
3 files changed, 117 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 4d99200122..51b25775c4 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -297,6 +297,19 @@ FIELD(L2_ISTE, HWU, 9, 2)
FIELD(L2_ISTE, PRIORITY, 11, 5)
FIELD(L2_ISTE, IAFFID, 16, 16)
+/*
+ * Format used for gicv5_request_config() return value, which matches
+ * the ICC_ICSR_EL1 bit layout.
+ */
+FIELD(ICSR, F, 0, 1)
+FIELD(ICSR, ENABLED, 1, 1)
+FIELD(ICSR, PENDING, 2, 1)
+FIELD(ICSR, IRM, 3, 1)
+FIELD(ICSR, ACTIVE, 4, 1)
+FIELD(ICSR, HM, 5, 1)
+FIELD(ICSR, PRIORITY, 11, 5)
+FIELD(ICSR, IAFFID, 32, 16)
+
static MemTxAttrs irs_txattrs(GICv5Common *cs, GICv5Domain domain)
{
/*
@@ -684,6 +697,85 @@ void gicv5_set_target(GICv5Common *cs, uint32_t id, uint32_t iaffid,
put_l2_iste(cs, cfg, &h);
}
+static uint64_t l2_iste_to_icsr(GICv5Common *cs, const GICv5ISTConfig *cfg,
+ uint32_t id)
+{
+ uint64_t icsr = 0;
+ const uint32_t *l2_iste_p;
+ L2_ISTE_Handle h;
+
+ l2_iste_p = get_l2_iste(cs, cfg, id, &h);
+ if (!l2_iste_p) {
+ return R_ICSR_F_MASK;
+ }
+
+ /*
+ * The field locations in the L2 ISTE do not line up with the
+ * corresponding fields in the ICC_ICSR_EL1 register, so we need to
+ * extract and deposit them individually.
+ */
+ icsr = FIELD_DP64(icsr, ICSR, F, 0);
+ icsr = FIELD_DP64(icsr, ICSR, ENABLED, FIELD_EX32(*l2_iste_p, L2_ISTE, ENABLE));
+ icsr = FIELD_DP64(icsr, ICSR, PENDING, FIELD_EX32(*l2_iste_p, L2_ISTE, PENDING));
+ icsr = FIELD_DP64(icsr, ICSR, IRM, FIELD_EX32(*l2_iste_p, L2_ISTE, IRM));
+ icsr = FIELD_DP64(icsr, ICSR, ACTIVE, FIELD_EX32(*l2_iste_p, L2_ISTE, ACTIVE));
+ icsr = FIELD_DP64(icsr, ICSR, HM, FIELD_EX32(*l2_iste_p, L2_ISTE, HM));
+ icsr = FIELD_DP64(icsr, ICSR, PRIORITY, FIELD_EX32(*l2_iste_p, L2_ISTE, PRIORITY));
+ icsr = FIELD_DP64(icsr, ICSR, IAFFID, FIELD_EX32(*l2_iste_p, L2_ISTE, IAFFID));
+
+ return icsr;
+}
+
+static uint64_t spi_state_to_icsr(GICv5SPIState *spi)
+{
+ uint64_t icsr = 0;
+
+ icsr = FIELD_DP64(icsr, ICSR, F, 0);
+ icsr = FIELD_DP64(icsr, ICSR, ENABLED, spi->enabled);
+ icsr = FIELD_DP64(icsr, ICSR, PENDING, spi->pending);
+ icsr = FIELD_DP64(icsr, ICSR, IRM, spi->irm);
+ icsr = FIELD_DP64(icsr, ICSR, ACTIVE, spi->active);
+ icsr = FIELD_DP64(icsr, ICSR, HM, spi->hm);
+ icsr = FIELD_DP64(icsr, ICSR, PRIORITY, spi->priority);
+ icsr = FIELD_DP64(icsr, ICSR, IAFFID, spi->iaffid);
+
+ return icsr;
+}
+
+uint64_t gicv5_request_config(GICv5Common *cs, uint32_t id, GICv5Domain domain,
+ GICv5IntType type, bool virtual)
+{
+ const GICv5ISTConfig *cfg;
+ GICv5 *s = ARM_GICV5(cs);
+ uint64_t icsr;
+
+ if (virtual) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_request_config: tried to "
+ "read config of a virtual interrupt\n");
+ return R_ICSR_F_MASK;
+ }
+ if (type == GICV5_SPI) {
+ GICv5SPIState *spi = gicv5_spi_state(cs, id, domain);
+
+ if (!spi) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_request_config: tried to "
+ "read config of unreachable SPI %d\n", id);
+ return R_ICSR_F_MASK;
+ }
+
+ icsr = spi_state_to_icsr(spi);
+ trace_gicv5_request_config(domain_name[domain], inttype_name(type),
+ virtual, id, icsr);
+ return icsr;
+ }
+ cfg = &s->phys_lpi_config[domain];
+
+ icsr = l2_iste_to_icsr(cs, cfg, id);
+ trace_gicv5_request_config(domain_name[domain], inttype_name(type),
+ virtual, id, icsr);
+ return icsr;
+}
+
static void irs_map_l2_istr_write(GICv5 *s, GICv5Domain domain, uint64_t value)
{
GICv5Common *cs = ARM_GICV5_COMMON(s);
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index 37ca6e8e12..409935e15a 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -240,6 +240,7 @@ gicv5_set_enabled(const char *domain, const char *type, bool virtual, uint32_t i
gicv5_set_pending(const char *domain, const char *type, bool virtual, uint32_t id, bool pending) "GICv5 IRS SetPending %s %s virtual:%d ID %u pending %d"
gicv5_set_handling(const char *domain, const char *type, bool virtual, uint32_t id, int handling) "GICv5 IRS SetHandling %s %s virtual:%d ID %u handling %d"
gicv5_set_target(const char *domain, const char *type, bool virtual, uint32_t id, uint32_t iaffid, int irm) "GICv5 IRS SetTarget %s %s virtual:%d ID %u IAFFID %u routingmode %d"
+gicv5_request_config(const char *domain, const char *type, bool virtual, uint32_t id, uint64_t icsr) "GICv5 IRS RequestConfig %s %s virtual:%d ID %u ICSR 0x%" PRIx64
# arm_gicv5_common.c
gicv5_common_realize(uint32_t irsid, uint32_t num_cpus, uint32_t spi_base, uint32_t spi_irs_range, uint32_t spi_range) "GICv5 IRS realized: IRS ID %u, %u CPUs, SPI base %u, SPI IRS range %u, SPI range %u"
diff --git a/include/hw/intc/arm_gicv5_stream.h b/include/hw/intc/arm_gicv5_stream.h
index db0e3e01c6..1f00e8ffff 100644
--- a/include/hw/intc/arm_gicv5_stream.h
+++ b/include/hw/intc/arm_gicv5_stream.h
@@ -126,4 +126,28 @@ void gicv5_set_handling(GICv5Common *cs, uint32_t id,
void gicv5_set_target(GICv5Common *cs, uint32_t id, uint32_t iaffid,
GICv5RoutingMode irm, GICv5Domain domain,
GICv5IntType type, bool virtual);
+
+/**
+ * gicv5_request_config
+ * @cs: GIC IRS to send command to
+ * @id: interrupt ID
+ * @domain: interrupt domain to act on
+ * @type: interrupt type (LPI or SPI)
+ * @virtual: true if this is a virtual interrupt
+ *
+ * Query the current configuration of an interrupt; matches stream
+ * interface RequestConfig command from CPUIF to IRS and the RequestConfigAck
+ * reply to it.
+ *
+ * In the real stream protocol, the RequestConfigAck packet has the same
+ * information as the register but in a different order; we use the register
+ * order, not the packet order, so we don't need to unpack and repack in
+ * the cpuif.
+ *
+ * Returns: the config of the interrupt, in the format used by
+ * ICC_ICSR_EL1.
+ */
+uint64_t gicv5_request_config(GICv5Common *cs, uint32_t id, GICv5Domain domain,
+ GICv5IntType type, bool virtual);
+
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 24/65] hw/intc/arm_gicv5: Implement gicv5_request_config()
2026-02-23 17:01 ` [PATCH 24/65] hw/intc/arm_gicv5: Implement gicv5_request_config() Peter Maydell
@ 2026-03-11 14:44 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 14:44 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:31 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement the gicv5_request_config() function, which corresponds to
> the RequestConfig command and its RequestConfigAck reply.
>
> We provide read_l2_iste() as a separate function to keep the "access
> the in-guest-memory data structure" layer separate from the "operate
> on the L2_ISTE values" layer.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
One comment in line. Pretty much follows from earlier comments.
> ---
> hw/intc/arm_gicv5.c | 92 ++++++++++++++++++++++++++++++
> hw/intc/trace-events | 1 +
> include/hw/intc/arm_gicv5_stream.h | 24 ++++++++
> 3 files changed, 117 insertions(+)
>
> diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
> index 4d99200122..51b25775c4 100644
> --- a/hw/intc/arm_gicv5.c
> +++ b/hw/intc/arm_gicv5.c
> +uint64_t gicv5_request_config(GICv5Common *cs, uint32_t id, GICv5Domain domain,
> + GICv5IntType type, bool virtual)
> +{
> + const GICv5ISTConfig *cfg;
> + GICv5 *s = ARM_GICV5(cs);
> + uint64_t icsr;
> +
> + if (virtual) {
> + qemu_log_mask(LOG_GUEST_ERROR, "gicv5_request_config: tried to "
> + "read config of a virtual interrupt\n");
> + return R_ICSR_F_MASK;
> + }
> + if (type == GICV5_SPI) {
Seems a bit inconsistent to not reject the remaining defined
GICv5IntType as you did in previous patches. As before I
think I'd prefer this as a switch statement with resulting clarity
on what is handled.
> + GICv5SPIState *spi = gicv5_spi_state(cs, id, domain);
> +
> + if (!spi) {
> + qemu_log_mask(LOG_GUEST_ERROR, "gicv5_request_config: tried to "
> + "read config of unreachable SPI %d\n", id);
> + return R_ICSR_F_MASK;
> + }
> +
> + icsr = spi_state_to_icsr(spi);
> + trace_gicv5_request_config(domain_name[domain], inttype_name(type),
> + virtual, id, icsr);
> + return icsr;
> + }
> + cfg = &s->phys_lpi_config[domain];
> +
> + icsr = l2_iste_to_icsr(cs, cfg, id);
> + trace_gicv5_request_config(domain_name[domain], inttype_name(type),
> + virtual, id, icsr);
> + return icsr;
> +}
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 25/65] target/arm: GICv5 cpuif: Implement GIC CDRCFG and ICC_ICSR_EL1
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (23 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 24/65] hw/intc/arm_gicv5: Implement gicv5_request_config() Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 14:51 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 26/65] hw/intc/arm_gicv5: Implement IRS_SPI_{SELR, STATUSR, CFGR, DOMAINR} Peter Maydell
` (40 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the GIC CDRCFG system instruction, which asks the IRS for
the configuration of an interrupt, and the system register
ICC_ICSR_EL1 which is where the answer is placed for the guest to
read it.
We mark ICC_ICSR_EL1 as ARM_CP_NO_RAW, because we do not want to have
this migrated as part of the generic "system register" migration
arrays. Instead we will do migration via a GICv5 cpuif vmstate
section. This is necessary because some of the cpuif registers are
banked by interrupt domain and so need special handling to migrate
the data in all the banks; it's also how we handle the gicv3 cpuif
registers. (We expect that KVM also will expose the cpuif registers
via GIC-specific ioctls rather than as generic sysregs.) We'll mark
all the GICv5 sysregs as NO_RAW.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/cpu.h | 5 +++++
target/arm/tcg/gicv5-cpuif.c | 27 +++++++++++++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 16de0ebfa8..1fdfd91ba4 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -597,6 +597,11 @@ typedef struct CPUArchState {
uint64_t vmecid_a_el2;
} cp15;
+ struct {
+ /* GICv5 CPU interface data */
+ uint64_t icc_icsr_el1;
+ } gicv5_cpuif;
+
struct {
/* M profile has up to 4 stack pointers:
* a Main Stack Pointer and a Process Stack Pointer for each
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index c426e045d9..4420a44c71 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -35,6 +35,9 @@ FIELD(GIC_CDHM, ID, 0, 24)
FIELD(GIC_CDHM, TYPE, 29, 3)
FIELD(GIC_CDHM, HM, 32, 1)
+FIELD(GIC_CDRCFG, ID, 0, 24)
+FIELD(GIC_CDRCFG, TYPE, 29, 3)
+
static GICv5Common *gicv5_get_gic(CPUARMState *env)
{
return env->gicv5state;
@@ -134,6 +137,19 @@ static void gic_cdpend_write(CPUARMState *env, const ARMCPRegInfo *ri,
gicv5_set_pending(gic, id, pending, domain, type, virtual);
}
+static void gic_cdrcfg_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ GICv5Common *gic = gicv5_get_gic(env);
+ GICv5IntType type = FIELD_EX64(value, GIC_CDRCFG, TYPE);
+ uint32_t id = FIELD_EX64(value, GIC_CDRCFG, ID);
+ bool virtual = false;
+ GICv5Domain domain = gicv5_current_phys_domain(env);
+
+ env->gicv5_cpuif.icc_icsr_el1 =
+ gicv5_request_config(gic, id, domain, type, virtual);
+}
+
static void gic_cdhm_write(CPUARMState *env, const ARMCPRegInfo *ri,
uint64_t value)
{
@@ -194,11 +210,22 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
.writefn = gic_cdpend_write,
},
+ { .name = "GIC_CDRCFG", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 5,
+ .access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .writefn = gic_cdrcfg_write,
+ },
{ .name = "GIC_CDHM", .state = ARM_CP_STATE_AA64,
.opc0 = 1, .opc1 = 0, .crn = 12, .crm = 2, .opc2 = 1,
.access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
.writefn = gic_cdhm_write,
},
+ { .name = "ICC_ICSR_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 10, .opc2 = 4,
+ .access = PL1_RW, .type = ARM_CP_NO_RAW,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.icc_icsr_el1),
+ .resetvalue = 0,
+ },
};
void define_gicv5_cpuif_regs(ARMCPU *cpu)
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 25/65] target/arm: GICv5 cpuif: Implement GIC CDRCFG and ICC_ICSR_EL1
2026-02-23 17:01 ` [PATCH 25/65] target/arm: GICv5 cpuif: Implement GIC CDRCFG and ICC_ICSR_EL1 Peter Maydell
@ 2026-03-11 14:51 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 14:51 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:32 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement the GIC CDRCFG system instruction, which asks the IRS for
> the configuration of an interrupt, and the system register
> ICC_ICSR_EL1 which is where the answer is placed for the guest to
> read it.
>
> We mark ICC_ICSR_EL1 as ARM_CP_NO_RAW, because we do not want to have
> this migrated as part of the generic "system register" migration
> arrays. Instead we will do migration via a GICv5 cpuif vmstate
> section. This is necessary because some of the cpuif registers are
> banked by interrupt domain and so need special handling to migrate
> the data in all the banks; it's also how we handle the gicv3 cpuif
> registers. (We expect that KVM also will expose the cpuif registers
> via GIC-specific ioctls rather than as generic sysregs.) We'll mark
> all the GICv5 sysregs as NO_RAW.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 26/65] hw/intc/arm_gicv5: Implement IRS_SPI_{SELR, STATUSR, CFGR, DOMAINR}
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (24 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 25/65] target/arm: GICv5 cpuif: Implement GIC CDRCFG and ICC_ICSR_EL1 Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 15:01 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 27/65] hw/intc/arm_gicv5: Update SPI state for CLEAR/SET events Peter Maydell
` (39 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the IRS registers IRS_SPI_{SELR,STATUSR,CFGR,DOMAINR} which
form the config access for setting the trigger mode and domain of an
SPI. The way these work is that the guest writes the ID of the
interrupt it wants to configure to IRS_SPI_SELR, and then it can read
and write the trigger mode of that SPI via IRS_SPI_CFGR and the
domain via IRS_SPI_DOMAINR. IRS_SPI_STATUSR has a bit to indicate
whether the SPI is valid, and the usual IDLE bit to allow for
non-instantaneous updates (which QEMU doesn't do).
Since the only domain which can configure the domain of an SPI is EL3
and our initial implementation is NS-only, technically the DOMAINR
handling is unused code. However it is straightforward, being almost
the same as the CFGR handling, and we'll need it later on.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 68 ++++++++++++++++++++++++++++++
hw/intc/arm_gicv5_common.c | 9 ++++
include/hw/intc/arm_gicv5_common.h | 1 +
3 files changed, 78 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 51b25775c4..9f4d44f975 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -310,6 +310,22 @@ FIELD(ICSR, HM, 5, 1)
FIELD(ICSR, PRIORITY, 11, 5)
FIELD(ICSR, IAFFID, 32, 16)
+static GICv5SPIState *spi_for_selr(GICv5Common *cs, GICv5Domain domain)
+{
+ /*
+ * If the IRS_SPI_SELR value specifies an SPI that can be managed in
+ * this domain, return a pointer to its GICv5SPIState; otherwise
+ * return NULL.
+ */
+ uint32_t id = FIELD_EX32(cs->irs_spi_selr[domain], IRS_SPI_SELR, ID);
+ GICv5SPIState *spi = gicv5_raw_spi_state(cs, id);
+
+ if (spi && (domain == GICV5_ID_EL3 || domain == spi->domain)) {
+ return spi;
+ }
+ return NULL;
+}
+
static MemTxAttrs irs_txattrs(GICv5Common *cs, GICv5Domain domain)
{
/*
@@ -970,6 +986,38 @@ static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
case A_IRS_IST_CFGR:
*data = cs->irs_ist_cfgr[domain];
return true;
+
+ case A_IRS_SPI_STATUSR:
+ /*
+ * QEMU writes to IRS_SPI_{CFGR,DOMAINR,SELR,VMR} take effect
+ * instantaneously, so the guest can never see the IDLE bit as 0.
+ */
+ v = FIELD_DP32(v, IRS_SPI_STATUSR, V,
+ spi_for_selr(cs, domain) != NULL);
+ v = FIELD_DP32(v, IRS_SPI_STATUSR, IDLE, 1);
+ *data = v;
+ return true;
+
+ case A_IRS_SPI_CFGR:
+ {
+ GICv5SPIState *spi = spi_for_selr(cs, domain);
+
+ if (spi) {
+ v = FIELD_DP32(v, IRS_SPI_CFGR, TM, spi->tm);
+ }
+ *data = v;
+ return true;
+ }
+ case A_IRS_SPI_DOMAINR:
+ if (domain == GICV5_ID_EL3) {
+ /* This is RAZ/WI except for the EL3 domain */
+ GICv5SPIState *spi = spi_for_selr(cs, domain);
+ if (spi) {
+ v = FIELD_DP32(v, IRS_SPI_DOMAINR, DOMAIN, spi->domain);
+ }
+ }
+ *data = v;
+ return true;
}
return false;
}
@@ -1000,6 +1048,26 @@ static bool config_writel(GICv5 *s, GICv5Domain domain, hwaddr offset,
case A_IRS_MAP_L2_ISTR:
irs_map_l2_istr_write(s, domain, data);
return true;
+ case A_IRS_SPI_SELR:
+ cs->irs_spi_selr[domain] = data;
+ return true;
+ case A_IRS_SPI_CFGR:
+ {
+ GICv5SPIState *spi = spi_for_selr(cs, domain);
+ if (spi) {
+ spi->tm = FIELD_EX32(data, IRS_SPI_CFGR, TM);
+ }
+ return true;
+ }
+ case A_IRS_SPI_DOMAINR:
+ if (domain == GICV5_ID_EL3) {
+ /* this is RAZ/WI except for the EL3 domain */
+ GICv5SPIState *spi = spi_for_selr(cs, domain);
+ if (spi) {
+ spi->domain = FIELD_EX32(data, IRS_SPI_DOMAINR, DOMAIN);
+ }
+ }
+ return true;
}
return false;
}
diff --git a/hw/intc/arm_gicv5_common.c b/hw/intc/arm_gicv5_common.c
index 8cca3a9764..e0d954f3c6 100644
--- a/hw/intc/arm_gicv5_common.c
+++ b/hw/intc/arm_gicv5_common.c
@@ -94,6 +94,15 @@ static void gicv5_common_reset_hold(Object *obj, ResetType type)
cs->spi[i].domain = mp_domain;
}
}
+
+ for (int i = 0; i < NUM_GICV5_DOMAINS; i++) {
+ /*
+ * We reset irs_spi_selr to an invalid value so that our reset
+ * value for IRS_SPI_STATUSR.V is correctly 0. The guest
+ * can never read IRS_SPI_SELR directly.
+ */
+ cs->irs_spi_selr[i] = cs->spi_base + cs->spi_irs_range;
+ }
}
static void gicv5_common_init(Object *obj)
diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
index 1a1d360c68..5490fdaf8b 100644
--- a/include/hw/intc/arm_gicv5_common.h
+++ b/include/hw/intc/arm_gicv5_common.h
@@ -84,6 +84,7 @@ struct GICv5Common {
uint64_t irs_ist_baser[NUM_GICV5_DOMAINS];
uint32_t irs_ist_cfgr[NUM_GICV5_DOMAINS];
+ uint32_t irs_spi_selr[NUM_GICV5_DOMAINS];
/*
* Pointer to an array of state information for the SPIs.
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 26/65] hw/intc/arm_gicv5: Implement IRS_SPI_{SELR, STATUSR, CFGR, DOMAINR}
2026-02-23 17:01 ` [PATCH 26/65] hw/intc/arm_gicv5: Implement IRS_SPI_{SELR, STATUSR, CFGR, DOMAINR} Peter Maydell
@ 2026-03-11 15:01 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 15:01 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:33 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement the IRS registers IRS_SPI_{SELR,STATUSR,CFGR,DOMAINR} which
> form the config access for setting the trigger mode and domain of an
> SPI. The way these work is that the guest writes the ID of the
> interrupt it wants to configure to IRS_SPI_SELR, and then it can read
> and write the trigger mode of that SPI via IRS_SPI_CFGR and the
> domain via IRS_SPI_DOMAINR. IRS_SPI_STATUSR has a bit to indicate
> whether the SPI is valid, and the usual IDLE bit to allow for
> non-instantaneous updates (which QEMU doesn't do).
>
> Since the only domain which can configure the domain of an SPI is EL3
> and our initial implementation is NS-only, technically the DOMAINR
> handling is unused code. However it is straightforward, being almost
> the same as the CFGR handling, and we'll need it later on.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 27/65] hw/intc/arm_gicv5: Update SPI state for CLEAR/SET events
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (25 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 26/65] hw/intc/arm_gicv5: Implement IRS_SPI_{SELR, STATUSR, CFGR, DOMAINR} Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 15:23 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 28/65] hw/intc/arm_gicv5: Implement IRS_CR0 and IRS_CR1 Peter Maydell
` (38 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
When an SPI irq line changes level, this causes what the spec
describes as SET_LEVEL, SET_EDGE or CLEAR events. These also happen
when the trigger mode is reconfigured, or when software requests a
manual resample via the IRS_SPI_RESAMPLER register.
SET_LEVEL and SET_EDGE events make the interrupt pending, and update
its handler mode to match its trigger mode. CLEAR events make the
interrupt no longer pending.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 59 ++++++++++++++++++++++++++++++++++++++++++++
hw/intc/trace-events | 1 +
2 files changed, 60 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 9f4d44f975..d1baa015d1 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -908,6 +908,28 @@ static void irs_ist_baser_write(GICv5 *s, GICv5Domain domain, uint64_t value)
}
}
+static void spi_sample(GICv5SPIState *spi)
+{
+ /*
+ * Sample the state of the SPI input line; this generates
+ * SET_EDGE, SET_LEVEL or CLEAR events which update the SPI's
+ * pending state and handling mode per R_HHKMN.
+ * The logic is the same for "the input line changed" (R_QBXXV)
+ * and "software asked us to resample" (R_DMTFM).
+ */
+ if (spi->level) {
+ /*
+ * SET_LEVEL or SET_EDGE: interrupt becomes pending, and the
+ * handling mode is updated to match the trigger mode.
+ */
+ spi->pending = true;
+ spi->hm = spi->tm == GICV5_TRIGGER_EDGE ? GICV5_EDGE : GICV5_LEVEL;
+ } else if (spi->tm == GICV5_TRIGGER_LEVEL) {
+ /* falling edges only trigger a CLEAR event for level-triggered */
+ spi->pending = false;
+ }
+}
+
static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
uint64_t *data, MemTxAttrs attrs)
{
@@ -1055,7 +1077,24 @@ static bool config_writel(GICv5 *s, GICv5Domain domain, hwaddr offset,
{
GICv5SPIState *spi = spi_for_selr(cs, domain);
if (spi) {
+ GICv5TriggerMode old_tm = spi->tm;
spi->tm = FIELD_EX32(data, IRS_SPI_CFGR, TM);
+ if (spi->tm != old_tm) {
+ /*
+ * R_KBPXL: updates to SPI trigger mode can generate CLEAR or
+ * SET_LEVEL events. This is not the same logic as spi_sample().
+ */
+ if (spi->tm == GICV5_TRIGGER_LEVEL) {
+ if (spi->level) {
+ spi->pending = true;
+ spi->hm = GICV5_LEVEL;
+ } else {
+ spi->pending = false;
+ }
+ } else if (spi->level) {
+ spi->pending = false;
+ }
+ }
}
return true;
}
@@ -1068,6 +1107,17 @@ static bool config_writel(GICv5 *s, GICv5Domain domain, hwaddr offset,
}
}
return true;
+ case A_IRS_SPI_RESAMPLER:
+ {
+ uint32_t id = FIELD_EX32(data, IRS_SPI_RESAMPLER, SPI_ID);
+ GICv5SPIState *spi = gicv5_spi_state(cs, id, domain);
+
+ if (spi) {
+ spi_sample(spi);
+ }
+ trace_gicv5_spi_state(id, spi->level, spi->pending, spi->active);
+ return true;
+ }
}
return false;
}
@@ -1236,8 +1286,17 @@ static void gicv5_set_spi(void *opaque, int irq, int level)
/* These irqs are all SPIs; the INTID is irq + s->spi_base */
GICv5Common *cs = ARM_GICV5_COMMON(opaque);
uint32_t spi_id = irq + cs->spi_base;
+ GICv5SPIState *spi = gicv5_raw_spi_state(cs, spi_id);
+
+ if (!spi || spi->level == level) {
+ return;
+ }
trace_gicv5_spi(spi_id, level);
+
+ spi->level = level;
+ spi_sample(spi);
+ trace_gicv5_spi_state(spi_id, spi->level, spi->pending, spi->active);
}
static void gicv5_reset_hold(Object *obj, ResetType type)
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index 409935e15a..4c55af2780 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -241,6 +241,7 @@ gicv5_set_pending(const char *domain, const char *type, bool virtual, uint32_t i
gicv5_set_handling(const char *domain, const char *type, bool virtual, uint32_t id, int handling) "GICv5 IRS SetHandling %s %s virtual:%d ID %u handling %d"
gicv5_set_target(const char *domain, const char *type, bool virtual, uint32_t id, uint32_t iaffid, int irm) "GICv5 IRS SetTarget %s %s virtual:%d ID %u IAFFID %u routingmode %d"
gicv5_request_config(const char *domain, const char *type, bool virtual, uint32_t id, uint64_t icsr) "GICv5 IRS RequestConfig %s %s virtual:%d ID %u ICSR 0x%" PRIx64
+gicv5_spi_state(uint32_t spi_id, bool level, bool pending, bool active) "GICv5 IRS SPI ID %u now level %d pending %d active %d"
# arm_gicv5_common.c
gicv5_common_realize(uint32_t irsid, uint32_t num_cpus, uint32_t spi_base, uint32_t spi_irs_range, uint32_t spi_range) "GICv5 IRS realized: IRS ID %u, %u CPUs, SPI base %u, SPI IRS range %u, SPI range %u"
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 27/65] hw/intc/arm_gicv5: Update SPI state for CLEAR/SET events
2026-02-23 17:01 ` [PATCH 27/65] hw/intc/arm_gicv5: Update SPI state for CLEAR/SET events Peter Maydell
@ 2026-03-11 15:23 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 15:23 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:34 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> When an SPI irq line changes level, this causes what the spec
> describes as SET_LEVEL, SET_EDGE or CLEAR events. These also happen
> when the trigger mode is reconfigured, or when software requests a
> manual resample via the IRS_SPI_RESAMPLER register.
>
> SET_LEVEL and SET_EDGE events make the interrupt pending, and update
> its handler mode to match its trigger mode. CLEAR events make the
> interrupt no longer pending.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Some fiddly rules covered by this one, but far as I can tell you
have it right.
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 28/65] hw/intc/arm_gicv5: Implement IRS_CR0 and IRS_CR1
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (26 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 27/65] hw/intc/arm_gicv5: Update SPI state for CLEAR/SET events Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 15:28 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 29/65] hw/intc/arm_gicv5: Implement IRS_SYNCR and IRS_SYNC_STATUSR Peter Maydell
` (37 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The IRS_CR0 register has the main enable bit for the IRS, and an IDLE
bit to tell the guest when an enable/disable transition has
completed.
The IRS_CR1 register has cacheability, shareability and cache hint
information to use for IRS memory accesses; since QEMU doesn't care
about this we can make it simply reads-as-written.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 14 ++++++++++++++
hw/intc/arm_gicv5_common.c | 2 ++
include/hw/intc/arm_gicv5_common.h | 2 ++
3 files changed, 18 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index d1baa015d1..5f4c4158c4 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -1040,7 +1040,15 @@ static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
}
*data = v;
return true;
+ case A_IRS_CR0:
+ /* Enabling is instantaneous for us so IDLE is always 1 */
+ *data = cs->irs_cr0[domain] | R_IRS_CR0_IDLE_MASK;
+ return true;
+ case A_IRS_CR1:
+ *data = cs->irs_cr1[domain];
+ return true;
}
+
return false;
}
@@ -1118,6 +1126,12 @@ static bool config_writel(GICv5 *s, GICv5Domain domain, hwaddr offset,
trace_gicv5_spi_state(id, spi->level, spi->pending, spi->active);
return true;
}
+ case A_IRS_CR0:
+ cs->irs_cr0[domain] = data & R_IRS_CR0_IRSEN_MASK;
+ return true;
+ case A_IRS_CR1:
+ cs->irs_cr1[domain] = data;
+ return true;
}
return false;
}
diff --git a/hw/intc/arm_gicv5_common.c b/hw/intc/arm_gicv5_common.c
index e0d954f3c6..b358691105 100644
--- a/hw/intc/arm_gicv5_common.c
+++ b/hw/intc/arm_gicv5_common.c
@@ -66,6 +66,8 @@ static void gicv5_common_reset_hold(Object *obj, ResetType type)
memset(cs->irs_ist_baser, 0, sizeof(cs->irs_ist_baser));
memset(cs->irs_ist_cfgr, 0, sizeof(cs->irs_ist_cfgr));
+ memset(cs->irs_cr0, 0, sizeof(cs->irs_cr0));
+ memset(cs->irs_cr1, 0, sizeof(cs->irs_cr1));
if (cs->spi) {
GICv5Domain mp_domain;
diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
index 5490fdaf8b..00b1dc2b45 100644
--- a/include/hw/intc/arm_gicv5_common.h
+++ b/include/hw/intc/arm_gicv5_common.h
@@ -85,6 +85,8 @@ struct GICv5Common {
uint64_t irs_ist_baser[NUM_GICV5_DOMAINS];
uint32_t irs_ist_cfgr[NUM_GICV5_DOMAINS];
uint32_t irs_spi_selr[NUM_GICV5_DOMAINS];
+ uint32_t irs_cr0[NUM_GICV5_DOMAINS];
+ uint32_t irs_cr1[NUM_GICV5_DOMAINS];
/*
* Pointer to an array of state information for the SPIs.
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 28/65] hw/intc/arm_gicv5: Implement IRS_CR0 and IRS_CR1
2026-02-23 17:01 ` [PATCH 28/65] hw/intc/arm_gicv5: Implement IRS_CR0 and IRS_CR1 Peter Maydell
@ 2026-03-11 15:28 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 15:28 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:35 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The IRS_CR0 register has the main enable bit for the IRS, and an IDLE
> bit to tell the guest when an enable/disable transition has
> completed.
>
> The IRS_CR1 register has cacheability, shareability and cache hint
> information to use for IRS memory accesses; since QEMU doesn't care
> about this we can make it simply reads-as-written.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Trivial comment inline.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> ---
> hw/intc/arm_gicv5.c | 14 ++++++++++++++
> hw/intc/arm_gicv5_common.c | 2 ++
> include/hw/intc/arm_gicv5_common.h | 2 ++
> 3 files changed, 18 insertions(+)
>
> diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
> index d1baa015d1..5f4c4158c4 100644
> --- a/hw/intc/arm_gicv5.c
> +++ b/hw/intc/arm_gicv5.c
> @@ -1040,7 +1040,15 @@ static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
> }
> *data = v;
> return true;
> + case A_IRS_CR0:
> + /* Enabling is instantaneous for us so IDLE is always 1 */
> + *data = cs->irs_cr0[domain] | R_IRS_CR0_IDLE_MASK;
> + return true;
> + case A_IRS_CR1:
> + *data = cs->irs_cr1[domain];
> + return true;
> }
> +
Trivial, but nicer to push that back to wherever this code first
appeared (or drop it)
> return false;
> }
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 29/65] hw/intc/arm_gicv5: Implement IRS_SYNCR and IRS_SYNC_STATUSR
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (27 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 28/65] hw/intc/arm_gicv5: Implement IRS_CR0 and IRS_CR1 Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 15:29 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 30/65] hw/intc/arm_gicv5: Implement IRS_PE_{CR0,SELR,STATUSR} Peter Maydell
` (36 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The IRS_SYNCR register is used by software to request synchronization
of interrupt events. This means that in-flight interrupt events are
guaranteed to have been delivered.
Since QEMU's implementation is entirely synchronous, syncs are a
no-op for us. This means we can ignore writes to IRS_SYNCR and
always report "sync complete" via the IDLE bit in IRS_SYNC_STATUSR.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 5f4c4158c4..d0ba8fe669 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -1047,6 +1047,10 @@ static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
case A_IRS_CR1:
*data = cs->irs_cr1[domain];
return true;
+ case A_IRS_SYNC_STATUSR:
+ /* Sync is a no-op for QEMU: we are always IDLE */
+ *data = R_IRS_SYNC_STATUSR_IDLE_MASK;
+ return true;
}
return false;
@@ -1132,6 +1136,9 @@ static bool config_writel(GICv5 *s, GICv5Domain domain, hwaddr offset,
case A_IRS_CR1:
cs->irs_cr1[domain] = data;
return true;
+ case A_IRS_SYNCR:
+ /* Sync is a no-op for QEMU: ignore write */
+ return true;
}
return false;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 29/65] hw/intc/arm_gicv5: Implement IRS_SYNCR and IRS_SYNC_STATUSR
2026-02-23 17:01 ` [PATCH 29/65] hw/intc/arm_gicv5: Implement IRS_SYNCR and IRS_SYNC_STATUSR Peter Maydell
@ 2026-03-11 15:29 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 15:29 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:36 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The IRS_SYNCR register is used by software to request synchronization
> of interrupt events. This means that in-flight interrupt events are
> guaranteed to have been delivered.
>
> Since QEMU's implementation is entirely synchronous, syncs are a
> no-op for us. This means we can ignore writes to IRS_SYNCR and
> always report "sync complete" via the IDLE bit in IRS_SYNC_STATUSR.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 30/65] hw/intc/arm_gicv5: Implement IRS_PE_{CR0,SELR,STATUSR}
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (28 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 29/65] hw/intc/arm_gicv5: Implement IRS_SYNCR and IRS_SYNC_STATUSR Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 15:31 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 31/65] hw/intc/arm_gicv5: Implement CoreSight ID registers Peter Maydell
` (35 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The IRS_PE_CR0, IRS_PE_SELR, IRS_PE_STATUSR registers allow software
to set and query per-CPU config. Software writes the AFFID of a CPU
to IRS_PE_SELR, and can then read and write the 1ofN config for that
CPU to IRS_PE_CR0, and read the CPU's online status from
IRS_PE_STATUSR.
For QEMU, we do not implement 1-of-N interrupt routing, so IRS_PE_CR0
can be RAZ/WI. Our CPUs are always online and selecting a new one
via SELR is instantaneous, so IRS_PE_STATUSR will return either
ONLINE | V | IDLE if a valid AFFID was written to SELR, or just IDLE
if an invalid AFFID was written.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 39 ++++++++++++++++++++++++++++++
hw/intc/arm_gicv5_common.c | 1 +
include/hw/intc/arm_gicv5_common.h | 1 +
3 files changed, 41 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index d0ba8fe669..0f32bdf357 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -930,6 +930,21 @@ static void spi_sample(GICv5SPIState *spi)
}
}
+static bool irs_pe_selr_valid(GICv5Common *cs, GICv5Domain domain)
+{
+ /*
+ * Return true if IRS_PE_SELR has a valid AFFID in it. We don't
+ * expect the guest to do this except perhaps once at startup,
+ * so do a simple linear scan through the cpu_iaffids array.
+ */
+ for (int i = 0; i < cs->num_cpu_iaffids; i++) {
+ if (cs->irs_pe_selr[domain] == cs->cpu_iaffids[i]) {
+ return true;
+ }
+ }
+ return false;
+}
+
static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
uint64_t *data, MemTxAttrs attrs)
{
@@ -1051,6 +1066,24 @@ static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
/* Sync is a no-op for QEMU: we are always IDLE */
*data = R_IRS_SYNC_STATUSR_IDLE_MASK;
return true;
+ case A_IRS_PE_SELR:
+ *data = cs->irs_pe_selr[domain];
+ return true;
+ case A_IRS_PE_CR0:
+ /* We don't implement 1ofN, so this is RAZ/WI for us */
+ *data = 0;
+ return true;
+ case A_IRS_PE_STATUSR:
+ /*
+ * Our CPUs are always online, so we're really just reporting
+ * whether the guest wrote a valid AFFID to IRS_PE_SELR
+ */
+ v = R_IRS_PE_STATUSR_IDLE_MASK;
+ if (irs_pe_selr_valid(cs, domain)) {
+ v |= R_IRS_PE_STATUSR_V_MASK | R_IRS_PE_STATUSR_ONLINE_MASK;
+ }
+ *data = v;
+ return true;
}
return false;
@@ -1139,6 +1172,12 @@ static bool config_writel(GICv5 *s, GICv5Domain domain, hwaddr offset,
case A_IRS_SYNCR:
/* Sync is a no-op for QEMU: ignore write */
return true;
+ case A_IRS_PE_SELR:
+ cs->irs_pe_selr[domain] = data;
+ return true;
+ case A_IRS_PE_CR0:
+ /* We don't implement 1ofN, so this is RAZ/WI for us */
+ return true;
}
return false;
}
diff --git a/hw/intc/arm_gicv5_common.c b/hw/intc/arm_gicv5_common.c
index b358691105..bcbe88cde7 100644
--- a/hw/intc/arm_gicv5_common.c
+++ b/hw/intc/arm_gicv5_common.c
@@ -68,6 +68,7 @@ static void gicv5_common_reset_hold(Object *obj, ResetType type)
memset(cs->irs_ist_cfgr, 0, sizeof(cs->irs_ist_cfgr));
memset(cs->irs_cr0, 0, sizeof(cs->irs_cr0));
memset(cs->irs_cr1, 0, sizeof(cs->irs_cr1));
+ memset(cs->irs_pe_selr, 0, sizeof(cs->irs_pe_selr));
if (cs->spi) {
GICv5Domain mp_domain;
diff --git a/include/hw/intc/arm_gicv5_common.h b/include/hw/intc/arm_gicv5_common.h
index 00b1dc2b45..5254e68fbb 100644
--- a/include/hw/intc/arm_gicv5_common.h
+++ b/include/hw/intc/arm_gicv5_common.h
@@ -87,6 +87,7 @@ struct GICv5Common {
uint32_t irs_spi_selr[NUM_GICV5_DOMAINS];
uint32_t irs_cr0[NUM_GICV5_DOMAINS];
uint32_t irs_cr1[NUM_GICV5_DOMAINS];
+ uint32_t irs_pe_selr[NUM_GICV5_DOMAINS];
/*
* Pointer to an array of state information for the SPIs.
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 30/65] hw/intc/arm_gicv5: Implement IRS_PE_{CR0,SELR,STATUSR}
2026-02-23 17:01 ` [PATCH 30/65] hw/intc/arm_gicv5: Implement IRS_PE_{CR0,SELR,STATUSR} Peter Maydell
@ 2026-03-11 15:31 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 15:31 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:37 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The IRS_PE_CR0, IRS_PE_SELR, IRS_PE_STATUSR registers allow software
> to set and query per-CPU config. Software writes the AFFID of a CPU
> to IRS_PE_SELR, and can then read and write the 1ofN config for that
> CPU to IRS_PE_CR0, and read the CPU's online status from
> IRS_PE_STATUSR.
>
> For QEMU, we do not implement 1-of-N interrupt routing, so IRS_PE_CR0
> can be RAZ/WI. Our CPUs are always online and selecting a new one
> via SELR is instantaneous, so IRS_PE_STATUSR will return either
> ONLINE | V | IDLE if a valid AFFID was written to SELR, or just IDLE
> if an invalid AFFID was written.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 31/65] hw/intc/arm_gicv5: Implement CoreSight ID registers
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (29 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 30/65] hw/intc/arm_gicv5: Implement IRS_PE_{CR0,SELR,STATUSR} Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-02-23 17:01 ` [PATCH 32/65] hw/intc/arm_gicv5: Cache pending LPIs in a hash table Peter Maydell
` (34 subsequent siblings)
65 siblings, 0 replies; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The GICv5 register blocks all implement the usual Arm CoreSight ID
registers; implement these for the IRS. Although we only have one
callsite at the moment, the ITS config frame uses the same ID
register values, so we abstract this out into a function we can reuse
later.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 0f32bdf357..fa7692ca0e 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -285,6 +285,9 @@ REG64(IRS_SWERR_SYNDROMER0, 0x3c8)
REG64(IRS_SWERR_SYNDROMER1, 0x3d0)
FIELD(IRS_SWERR_SYNDROMER2, ADDR, 3, 53)
+REG32(IRS_IDREGS, 0xffd0)
+REG32(IRS_DEVARCH, 0xffbc)
+
FIELD(L1_ISTE, VALID, 0, 1)
FIELD(L1_ISTE, L2_ADDR, 12, 44)
@@ -310,6 +313,31 @@ FIELD(ICSR, HM, 5, 1)
FIELD(ICSR, PRIORITY, 11, 5)
FIELD(ICSR, IAFFID, 32, 16)
+#define IRS_DEVARCH_VALUE ((0x23b << 31) | (0x1 << 20) | 0x5a19)
+
+static uint32_t gicv5_idreg(int regoffset)
+{
+ /*
+ * As with the main IRS_IIDR, we don't identify as a specific
+ * hardware GICv5 implementation. Arm suggests that the Implementer,
+ * Product, etc in IRS_IIDR should also be reported here, so we
+ * do that.
+ */
+ static const uint8_t gic_ids[] = {
+ QEMU_GICV5_IMPLEMENTER >> 8, 0x00, 0x00, 0x00, /* PIDR4..PIDR7 */
+ QEMU_GICV5_PRODUCTID & 0xff, /* PIDR0 */
+ ((QEMU_GICV5_PRODUCTID >> 8) |
+ ((QEMU_GICV5_IMPLEMENTER & 0xf) << 4)), /* PIDR1 */
+ ((QEMU_GICV5_REVISION << 4) | (1 << 3) |
+ ((QEMU_GICV5_IMPLEMENTER & 0x70) >> 4)), /* PIDR2 */
+ QEMU_GICV5_VARIANT << 4, /* PIDR3 */
+ 0x0D, 0xF0, 0x05, 0xB1, /* CIDR0..CIDR3 */
+ };
+
+ regoffset /= 4;
+ return gic_ids[regoffset];
+}
+
static GICv5SPIState *spi_for_selr(GICv5Common *cs, GICv5Domain domain)
{
/*
@@ -1084,6 +1112,13 @@ static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
}
*data = v;
return true;
+ case A_IRS_DEVARCH:
+ *data = IRS_DEVARCH_VALUE;
+ return true;
+ case A_IRS_IDREGS ... A_IRS_IDREGS + 0x2f:
+ /* CoreSight ID registers */
+ *data = gicv5_idreg(offset - A_IRS_IDREGS);
+ return true;
}
return false;
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* [PATCH 32/65] hw/intc/arm_gicv5: Cache pending LPIs in a hash table
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (30 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 31/65] hw/intc/arm_gicv5: Implement CoreSight ID registers Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 15:46 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 33/65] target/arm: GICv5 cpuif: Implement ICC_IAFFIDR_EL1 Peter Maydell
` (33 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The GICv5 stores information about LPIs in a guest-memory data
structure. Iterating through this to identify the highest priority
pending interrupt would be expensive; to avoid this we will use a
hash table which contains an entry for each pending LPI and which
caches the L2 ISTE. Typically only a few LPIs will be pending at any
one time, so iterating through the hash table should be fast.
We can access an L2 ISTE whenever it is valid, and can freely cache
the data for as long as the IST is valid. We only need to ensure
that we have written back the data at the point where
IRS_IST_BASER.VALID is written to 0.
We add an LPI to the cache when the pending bit is written to 1, and
remove it when it is written to 0. Handling of checking the cache,
and of adding and removing entries, is handled within get_l2_iste()
and put_l2_iste(), which all the operations that read and write ISTE
words use.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 110 +++++++++++++++++++++++++++++++++++-
include/hw/intc/arm_gicv5.h | 2 +
2 files changed, 111 insertions(+), 1 deletion(-)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index fa7692ca0e..30368998d3 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -474,10 +474,21 @@ static bool write_l2_iste_mem(GICv5Common *cs, const GICv5ISTConfig *cfg,
* reads and writes to update the L2 ISTE. In a future commit we
* will add support for a cache of some of the ISTE data in a
* local hashtable; the APIs are designed with that in mind.
+ * Not all these fields are always valid; they are private to
+ * the implementation of get_l2_iste() and put_l2_iste().
*/
typedef struct L2_ISTE_Handle {
+ /* Guest memory address of the L2 ISTE; valid only if !hashed */
hwaddr l2_iste_addr;
- uint32_t l2_iste;
+ union {
+ /* Actual L2_ISTE word; valid only if !hashed */
+ uint32_t l2_iste;
+ /* Pointer to L2 ISTE word; valid only if hashed */
+ uint32_t *l2_iste_p;
+ };
+ uint32_t id;
+ /* True if this ISTE is currently in the cache */
+ bool hashed;
} L2_ISTE_Handle;
static uint32_t *get_l2_iste(GICv5Common *cs, const GICv5ISTConfig *cfg,
@@ -498,6 +509,25 @@ static uint32_t *get_l2_iste(GICv5Common *cs, const GICv5ISTConfig *cfg,
* If the ISTE could not be read (typically because of a
* memory error), return NULL.
*/
+ uint32_t *hashvalue;
+
+ if (!cfg->valid) {
+ /* Catch invalid config early, it has no lpi_cache */
+ return NULL;
+ }
+
+ hashvalue = g_hash_table_lookup(cfg->lpi_cache,
+ GINT_TO_POINTER(id));
+
+ h->id = id;
+
+ if (hashvalue) {
+ h->hashed = true;
+ h->l2_iste_p = hashvalue;
+ return hashvalue;
+ }
+
+ h->hashed = false;
if (!get_l2_iste_addr(cs, cfg, id, &h->l2_iste_addr) ||
!read_l2_iste_mem(cs, cfg, h->l2_iste_addr, &h->l2_iste)) {
return NULL;
@@ -513,6 +543,34 @@ static void put_l2_iste(GICv5Common *cs, const GICv5ISTConfig *cfg,
* Once this has been called the L2_ISTE_Handle @h and the
* pointer to the L2 ISTE word are no longer valid.
*/
+ if (h->hashed) {
+ uint32_t l2_iste = *h->l2_iste_p;
+ if (!FIELD_EX32(l2_iste, L2_ISTE, PENDING)) {
+ /*
+ * We just made this not pending: remove from hash table
+ * and write back to memory.
+ */
+ hwaddr l2_iste_addr;
+
+ g_hash_table_remove(cfg->lpi_cache, GINT_TO_POINTER(h->id));
+ if (get_l2_iste_addr(cs, cfg, h->id, &l2_iste_addr)) {
+ write_l2_iste_mem(cs, cfg, l2_iste_addr, l2_iste);
+ /* Writeback errors are ignored. */
+ }
+ }
+ return;
+ }
+
+ if (FIELD_EX32(h->l2_iste, L2_ISTE, PENDING)) {
+ /*
+ * We just made this pending: add it to the hash table, and
+ * don't bother writing it back to memory.
+ */
+ uint32_t *hashvalue = g_new(uint32_t, 1);
+ *hashvalue = h->l2_iste;
+ g_hash_table_insert(cfg->lpi_cache, GINT_TO_POINTER(h->id), hashvalue);
+ return;
+ }
write_l2_iste_mem(cs, cfg, h->l2_iste_addr, h->l2_iste);
}
@@ -857,6 +915,38 @@ txfail:
"physical address 0x" HWADDR_FMT_plx "\n", intid, l1_addr);
}
+/* Data we need to pass through to irs_clean_lpi_cache_entry() */
+typedef struct CleanLPICacheUserData {
+ GICv5Common *cs;
+ GICv5ISTConfig *cfg;
+} CleanLPICacheUserData;
+
+static gboolean irs_clean_lpi_cache_entry(gpointer key, gpointer value,
+ gpointer user_data)
+{
+ /* Drop this entry from the LPI cache, writing it back to guest memory. */
+ CleanLPICacheUserData *ud = user_data;
+ hwaddr l2_iste_addr;
+ uint64_t id = GPOINTER_TO_INT(key);
+ uint32_t l2_iste = *(uint32_t *)value;
+
+ if (!get_l2_iste_addr(ud->cs, ud->cfg, id, &l2_iste_addr) ||
+ !write_l2_iste_mem(ud->cs, ud->cfg, l2_iste_addr, l2_iste)) {
+ /* We drop the cached entry regardless of writeback errors */
+ return true;
+ }
+ return true;
+}
+
+static void irs_clean_lpi_cache(GICv5Common *cs, GICv5ISTConfig *cfg)
+{
+ /* Write everything in the LPI cache out to guest memory */
+ CleanLPICacheUserData ud;
+ ud.cs = cs;
+ ud.cfg = cfg;
+
+ g_hash_table_foreach_remove(cfg->lpi_cache, irs_clean_lpi_cache_entry, &ud);
+}
static void irs_ist_baser_write(GICv5 *s, GICv5Domain domain, uint64_t value)
{
@@ -869,6 +959,7 @@ static void irs_ist_baser_write(GICv5 *s, GICv5Domain domain, uint64_t value)
/* Ignore 1->1 transition */
return;
}
+ irs_clean_lpi_cache(cs, &s->phys_lpi_config[domain]);
cs->irs_ist_baser[domain] = FIELD_DP64(cs->irs_ist_baser[domain],
IRS_IST_BASER, VALID, valid);
s->phys_lpi_config[domain].valid = false;
@@ -930,6 +1021,15 @@ static void irs_ist_baser_write(GICv5 *s, GICv5Domain domain, uint64_t value)
cfg->l2_idx_bits = l2_idx_bits;
cfg->structure = FIELD_EX64(cs->irs_ist_cfgr[domain],
IRS_IST_CFGR, STRUCTURE);
+ if (!cfg->lpi_cache) {
+ /*
+ * Keys are GINT_TO_POINTER(intid), so we want the g_direct_hash
+ * and g_direct_equal hash and equality functions. We don't
+ * want to free the keys, but we do want to free the values
+ * (which are pointer-to-uint32_t).
+ */
+ cfg->lpi_cache = g_hash_table_new_full(NULL, NULL, NULL, g_free);
+ }
cfg->valid = true;
trace_gicv5_ist_valid(domain_name[domain], cfg->base, cfg->id_bits,
cfg->l2_idx_bits, cfg->istsz, cfg->structure);
@@ -1406,6 +1506,14 @@ static void gicv5_reset_hold(Object *obj, ResetType type)
/* IRS_IST_BASER and IRS_IST_CFGR reset to 0, clear cached info */
for (int i = 0; i < NUM_GICV5_DOMAINS; i++) {
s->phys_lpi_config[i].valid = false;
+ /*
+ * If we got reset (power-cycled) with data in the cache,
+ * we don't write it out to guest memory; just return to
+ * "empty cache".
+ */
+ if (s->phys_lpi_config[i].lpi_cache) {
+ g_hash_table_remove_all(s->phys_lpi_config[i].lpi_cache);
+ }
}
}
diff --git a/include/hw/intc/arm_gicv5.h b/include/hw/intc/arm_gicv5.h
index c631ecc3e8..fb13de0d01 100644
--- a/include/hw/intc/arm_gicv5.h
+++ b/include/hw/intc/arm_gicv5.h
@@ -25,6 +25,8 @@ typedef struct GICv5ISTConfig {
uint8_t istsz; /* L2 ISTE size in bytes */
bool structure; /* true if using 2-level table */
bool valid; /* true if this table is valid and usable */
+ /* This caches IST information about pending LPIs */
+ GHashTable *lpi_cache;
} GICv5ISTConfig;
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 32/65] hw/intc/arm_gicv5: Cache pending LPIs in a hash table
2026-02-23 17:01 ` [PATCH 32/65] hw/intc/arm_gicv5: Cache pending LPIs in a hash table Peter Maydell
@ 2026-03-11 15:46 ` Jonathan Cameron via qemu development
2026-03-19 10:11 ` Peter Maydell
0 siblings, 1 reply; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 15:46 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:39 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The GICv5 stores information about LPIs in a guest-memory data
> structure. Iterating through this to identify the highest priority
> pending interrupt would be expensive; to avoid this we will use a
> hash table which contains an entry for each pending LPI and which
> caches the L2 ISTE. Typically only a few LPIs will be pending at any
> one time, so iterating through the hash table should be fast.
>
> We can access an L2 ISTE whenever it is valid, and can freely cache
> the data for as long as the IST is valid. We only need to ensure
> that we have written back the data at the point where
> IRS_IST_BASER.VALID is written to 0.
>
> We add an LPI to the cache when the pending bit is written to 1, and
> remove it when it is written to 0. Handling of checking the cache,
> and of adding and removing entries, is handled within get_l2_iste()
> and put_l2_iste(), which all the operations that read and write ISTE
> words use.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
LGTM
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> ---
> hw/intc/arm_gicv5.c | 110 +++++++++++++++++++++++++++++++++++-
> include/hw/intc/arm_gicv5.h | 2 +
> 2 files changed, 111 insertions(+), 1 deletion(-)
>
> diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
> index fa7692ca0e..30368998d3 100644
> --- a/hw/intc/arm_gicv5.c
> +++ b/hw/intc/arm_gicv5.c
> @@ -474,10 +474,21 @@ static bool write_l2_iste_mem(GICv5Common *cs, const GICv5ISTConfig *cfg,
> * reads and writes to update the L2 ISTE. In a future commit we
> * will add support for a cache of some of the ISTE data in a
> * local hashtable; the APIs are designed with that in mind.
> + * Not all these fields are always valid; they are private to
> + * the implementation of get_l2_iste() and put_l2_iste().
Completely trivial but wrap seems to be getting shorter as this comment gains
lines!
^ permalink raw reply [flat|nested] 142+ messages in thread
* Re: [PATCH 32/65] hw/intc/arm_gicv5: Cache pending LPIs in a hash table
2026-03-11 15:46 ` Jonathan Cameron via qemu development
@ 2026-03-19 10:11 ` Peter Maydell
0 siblings, 0 replies; 142+ messages in thread
From: Peter Maydell @ 2026-03-19 10:11 UTC (permalink / raw)
To: Jonathan Cameron; +Cc: qemu-arm, qemu-devel
On Wed, 11 Mar 2026 at 15:46, Jonathan Cameron
<jonathan.cameron@huawei.com> wrote:
>
> On Mon, 23 Feb 2026 17:01:39 +0000
> Peter Maydell <peter.maydell@linaro.org> wrote:
>
> > The GICv5 stores information about LPIs in a guest-memory data
> > structure. Iterating through this to identify the highest priority
> > pending interrupt would be expensive; to avoid this we will use a
> > hash table which contains an entry for each pending LPI and which
> > caches the L2 ISTE. Typically only a few LPIs will be pending at any
> > one time, so iterating through the hash table should be fast.
> >
> > We can access an L2 ISTE whenever it is valid, and can freely cache
> > the data for as long as the IST is valid. We only need to ensure
> > that we have written back the data at the point where
> > IRS_IST_BASER.VALID is written to 0.
> >
> > We add an LPI to the cache when the pending bit is written to 1, and
> > remove it when it is written to 0. Handling of checking the cache,
> > and of adding and removing entries, is handled within get_l2_iste()
> > and put_l2_iste(), which all the operations that read and write ISTE
> > words use.
> >
> > Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> LGTM
> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
>
> > ---
> > hw/intc/arm_gicv5.c | 110 +++++++++++++++++++++++++++++++++++-
> > include/hw/intc/arm_gicv5.h | 2 +
> > 2 files changed, 111 insertions(+), 1 deletion(-)
> >
> > diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
> > index fa7692ca0e..30368998d3 100644
> > --- a/hw/intc/arm_gicv5.c
> > +++ b/hw/intc/arm_gicv5.c
> > @@ -474,10 +474,21 @@ static bool write_l2_iste_mem(GICv5Common *cs, const GICv5ISTConfig *cfg,
> > * reads and writes to update the L2 ISTE. In a future commit we
> > * will add support for a cache of some of the ISTE data in a
> > * local hashtable; the APIs are designed with that in mind.
> > + * Not all these fields are always valid; they are private to
> > + * the implementation of get_l2_iste() and put_l2_iste().
>
> Completely trivial but wrap seems to be getting shorter as this comment gains
> lines!
I also forgot to remove "In a future commit ..." part now we have
got to this future commit and added the hashtable :-) Fixed to:
/*
* This is returned by get_l2_iste() and has everything we
* need to do the writeback of the L2 ISTE word in put_l2_iste().
- * Currently the get/put functions always directly do guest memory
- * reads and writes to update the L2 ISTE. In a future commit we
- * will add support for a cache of some of the ISTE data in a
- * local hashtable; the APIs are designed with that in mind.
+ * Not all these fields are always valid; they are private to the
+ * implementation of get_l2_iste() and put_l2_iste().
*/
thanks
-- PMM
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 33/65] target/arm: GICv5 cpuif: Implement ICC_IAFFIDR_EL1
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (31 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 32/65] hw/intc/arm_gicv5: Cache pending LPIs in a hash table Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 15:48 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 34/65] target/arm: GICv5 cpuif: Implement ICC_IDR0_EL1 Peter Maydell
` (32 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The CPU system register ICC_IAFFIDR_EL1 is a read-only register that
tells the guest what the affinity ID of that CPU is.
Implement this register. In real hardware using the stream protocol,
the IRS tells the CPU its IAFFID using a DownstreamControl command as
part of the handshake process when the IRS-CPU link is brought
online. Our analogue of this is to pass the IAFFID as an extra
argument to gicv5_set_gicv5state(). (We could have the CPU call into
the GIC every time to ask for the value, but this would mean we had
to search the cpus[] array for the right CPU to return its IAFFID.)
Note that we don't put the IAFFID into the gicv5_cpuif sub-struct,
because that part of the CPU struct is zeroed on reset, and we must
keep the IAFFID across reset (we only set it up when the GIC device
is created).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5_common.c | 5 +++--
include/hw/intc/arm_gicv5_stream.h | 3 ++-
target/arm/cpu.c | 5 +++--
target/arm/cpu.h | 2 ++
target/arm/tcg/gicv5-cpuif.c | 11 +++++++++++
5 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/hw/intc/arm_gicv5_common.c b/hw/intc/arm_gicv5_common.c
index bcbe88cde7..8feb492a43 100644
--- a/hw/intc/arm_gicv5_common.c
+++ b/hw/intc/arm_gicv5_common.c
@@ -175,9 +175,10 @@ static void gicv5_common_realize(DeviceState *dev, Error **errp)
}
for (int i = 0; i < cs->num_cpus; i++) {
- if (!gicv5_set_gicv5state(cs->cpus[i], cs)) {
+ if (!gicv5_set_gicv5state(cs->cpus[i], cs, cs->cpu_iaffids[i])) {
error_setg(errp,
- "CPU %d does not implement GICv5 CPU interface", i);
+ "CPU %d (IAFFID 0x%x) does not implement GICv5 CPU interface",
+ i, cs->cpu_iaffids[i]);
return;
}
}
diff --git a/include/hw/intc/arm_gicv5_stream.h b/include/hw/intc/arm_gicv5_stream.h
index 1f00e8ffff..7b5477c7f1 100644
--- a/include/hw/intc/arm_gicv5_stream.h
+++ b/include/hw/intc/arm_gicv5_stream.h
@@ -20,6 +20,7 @@ typedef struct GICv5Common GICv5Common;
* gicv5_set_gicv5state
* @cpu: CPU object to tell about its IRS
* @cs: the GIC IRS it is connected to
+ * @iaffid: the IAFFID of this CPU
*
* Set the CPU object's GICv5 pointer to point to this GIC IRS.
* The IRS must call this when it is realized, for each CPU it is
@@ -28,7 +29,7 @@ typedef struct GICv5Common GICv5Common;
* Returns true on success, false if the CPU doesn't implement
* the GICv5 CPU interface.
*/
-bool gicv5_set_gicv5state(ARMCPU *cpu, GICv5Common *cs);
+bool gicv5_set_gicv5state(ARMCPU *cpu, GICv5Common *cs, uint32_t iaffid);
/*
* The architected Stream Protocol is asynchronous; commands can be
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index ef2afca6b9..551be14e22 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -1087,16 +1087,17 @@ static void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags)
}
#ifndef CONFIG_USER_ONLY
-bool gicv5_set_gicv5state(ARMCPU *cpu, GICv5Common *cs)
+bool gicv5_set_gicv5state(ARMCPU *cpu, GICv5Common *cs, uint32_t iaffid)
{
/*
* Set this CPU's gicv5state pointer to point to the GIC that we are
- * connected to.
+ * connected to, and record our IAFFID.
*/
if (!cpu_isar_feature(aa64_gcie, cpu)) {
return false;
}
cpu->env.gicv5state = cs;
+ cpu->env.gicv5_iaffid = iaffid;
return true;
}
#endif
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 1fdfd91ba4..a32c5f3ab1 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -819,6 +819,8 @@ typedef struct CPUArchState {
void *gicv3state;
/* Similarly, for a GICv5Common */
void *gicv5state;
+ /* For GICv5, this CPU's IAFFID */
+ uint64_t gicv5_iaffid;
#else /* CONFIG_USER_ONLY */
/* For usermode syscall translation. */
bool eabi;
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 4420a44c71..c591e249b1 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -226,6 +226,17 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.fieldoffset = offsetof(CPUARMState, gicv5_cpuif.icc_icsr_el1),
.resetvalue = 0,
},
+ { .name = "ICC_IAFFIDR_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 10, .opc2 = 5,
+ .access = PL1_R, .type = ARM_CP_NO_RAW,
+ /* ICC_IAFFIDR_EL1 holds the IAFFID only, in its low bits */
+ .fieldoffset = offsetof(CPUARMState, gicv5_iaffid),
+ /*
+ * The field is a constant value set in gicv5_set_gicv5state(),
+ * so don't allow it to be overwritten by reset.
+ */
+ .resetfn = arm_cp_reset_ignore,
+ },
};
void define_gicv5_cpuif_regs(ARMCPU *cpu)
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 33/65] target/arm: GICv5 cpuif: Implement ICC_IAFFIDR_EL1
2026-02-23 17:01 ` [PATCH 33/65] target/arm: GICv5 cpuif: Implement ICC_IAFFIDR_EL1 Peter Maydell
@ 2026-03-11 15:48 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 15:48 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:40 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The CPU system register ICC_IAFFIDR_EL1 is a read-only register that
> tells the guest what the affinity ID of that CPU is.
>
> Implement this register. In real hardware using the stream protocol,
> the IRS tells the CPU its IAFFID using a DownstreamControl command as
> part of the handshake process when the IRS-CPU link is brought
> online. Our analogue of this is to pass the IAFFID as an extra
> argument to gicv5_set_gicv5state(). (We could have the CPU call into
> the GIC every time to ask for the value, but this would mean we had
> to search the cpus[] array for the right CPU to return its IAFFID.)
>
> Note that we don't put the IAFFID into the gicv5_cpuif sub-struct,
> because that part of the CPU struct is zeroed on reset, and we must
> keep the IAFFID across reset (we only set it up when the GIC device
> is created).
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 34/65] target/arm: GICv5 cpuif: Implement ICC_IDR0_EL1
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (32 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 33/65] target/arm: GICv5 cpuif: Implement ICC_IAFFIDR_EL1 Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 15:50 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 35/65] target/arm: GICv5 cpuif: Implement GICv5 PPI active set/clear registers Peter Maydell
` (31 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
ICC_IDR0_EL1 is an identification register; we can implement this as
a simple constant value.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/tcg/gicv5-cpuif.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index c591e249b1..36d1c196a8 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -38,6 +38,18 @@ FIELD(GIC_CDHM, HM, 32, 1)
FIELD(GIC_CDRCFG, ID, 0, 24)
FIELD(GIC_CDRCFG, TYPE, 29, 3)
+FIELD(ICC_IDR0_EL1, ID_BITS, 0, 4)
+FIELD(ICC_IDR0_EL1, PRI_BITS, 4, 4)
+FIELD(ICC_IDR0_EL1, GCIE_LEGACY, 8, 4)
+
+/*
+ * We implement 24 bits of interrupt ID, the mandated 5 bits of priority,
+ * and no legacy GICv3.3 vcpu interface (yet)
+ */
+#define QEMU_ICC_IDR0 \
+ ((4 << R_ICC_IDR0_EL1_PRI_BITS_SHIFT) | \
+ (1 << R_ICC_IDR0_EL1_ID_BITS_SHIFT))
+
static GICv5Common *gicv5_get_gic(CPUARMState *env)
{
return env->gicv5state;
@@ -220,6 +232,11 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
.writefn = gic_cdhm_write,
},
+ { .name = "ICC_IDR0_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 10, .opc2 = 2,
+ .access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
+ .resetvalue = QEMU_ICC_IDR0,
+ },
{ .name = "ICC_ICSR_EL1", .state = ARM_CP_STATE_AA64,
.opc0 = 3, .opc1 = 0, .crn = 12, .crm = 10, .opc2 = 4,
.access = PL1_RW, .type = ARM_CP_NO_RAW,
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* [PATCH 35/65] target/arm: GICv5 cpuif: Implement GICv5 PPI active set/clear registers
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (33 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 34/65] target/arm: GICv5 cpuif: Implement ICC_IDR0_EL1 Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 16:26 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 36/65] target/arm: GICv5 cpuif: Implement PPI handling mode register Peter Maydell
` (30 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
In the GICv5 PPI state and control lives in the CPU interface; this
is different from the GICv3 where this was all in the redistributor.
Implement the access system registers for the PPI active state; this
is a pair of registers, one of which has "write 1 to clear" behaviour
and the other of which has "write 1 to set". In both cases, reads
return the current state.
We start here by implementing the accessors for the underlying state;
we don't yet attempt to do anything (e.g. recalculating the highest
priority pending PPI) when the state changes. That will come in
subsequent commits.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/cpu.h | 5 +++++
target/arm/tcg/gicv5-cpuif.c | 38 ++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index a32c5f3ab1..dd4dc12feb 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -257,6 +257,9 @@ typedef enum ARMFPStatusFlavour {
} ARMFPStatusFlavour;
#define FPST_COUNT 10
+/* Architecturally there are 128 PPIs in a GICv5 */
+#define GICV5_NUM_PPIS 128
+
typedef struct CPUArchState {
/* Regs for current mode. */
uint32_t regs[16];
@@ -600,6 +603,8 @@ typedef struct CPUArchState {
struct {
/* GICv5 CPU interface data */
uint64_t icc_icsr_el1;
+ /* Most PPI registers have 1 bit per PPI, so 64 PPIs to a register */
+ uint64_t ppi_active[GICV5_NUM_PPIS / 64];
} gicv5_cpuif;
struct {
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 36d1c196a8..0132b13853 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -175,6 +175,20 @@ static void gic_cdhm_write(CPUARMState *env, const ARMCPRegInfo *ri,
gicv5_set_handling(gic, id, hm, domain, type, virtual);
}
+static void gic_ppi_cactive_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ uint64_t old = raw_read(env, ri);
+ raw_write(env, ri, old & ~value);
+}
+
+static void gic_ppi_sactive_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ uint64_t old = raw_read(env, ri);
+ raw_write(env, ri, old | value);
+}
+
static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
/*
* Barrier: wait until the effects of a cpuif system register
@@ -254,6 +268,30 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
*/
.resetfn = arm_cp_reset_ignore,
},
+ { .name = "ICC_PPI_CACTIVER0_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 13, .opc2 = 0,
+ .access = PL1_RW, .type = ARM_CP_ALIAS | ARM_CP_IO | ARM_CP_NO_RAW,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_active[0]),
+ .writefn = gic_ppi_cactive_write,
+ },
+ { .name = "ICC_PPI_CACTIVER1_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 13, .opc2 = 1,
+ .access = PL1_RW, .type = ARM_CP_ALIAS | ARM_CP_IO | ARM_CP_NO_RAW,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_active[1]),
+ .writefn = gic_ppi_cactive_write,
+ },
+ { .name = "ICC_PPI_SACTIVER0_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 13, .opc2 = 2,
+ .access = PL1_RW, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_active[0]),
+ .writefn = gic_ppi_sactive_write,
+ },
+ { .name = "ICC_PPI_SACTIVER1_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 13, .opc2 = 3,
+ .access = PL1_RW, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_active[1]),
+ .writefn = gic_ppi_sactive_write,
+ },
};
void define_gicv5_cpuif_regs(ARMCPU *cpu)
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 35/65] target/arm: GICv5 cpuif: Implement GICv5 PPI active set/clear registers
2026-02-23 17:01 ` [PATCH 35/65] target/arm: GICv5 cpuif: Implement GICv5 PPI active set/clear registers Peter Maydell
@ 2026-03-11 16:26 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 16:26 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:42 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> In the GICv5 PPI state and control lives in the CPU interface; this
> is different from the GICv3 where this was all in the redistributor.
>
> Implement the access system registers for the PPI active state; this
> is a pair of registers, one of which has "write 1 to clear" behaviour
> and the other of which has "write 1 to set". In both cases, reads
> return the current state.
>
> We start here by implementing the accessors for the underlying state;
> we don't yet attempt to do anything (e.g. recalculating the highest
> priority pending PPI) when the state changes. That will come in
> subsequent commits.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 36/65] target/arm: GICv5 cpuif: Implement PPI handling mode register
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (34 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 35/65] target/arm: GICv5 cpuif: Implement GICv5 PPI active set/clear registers Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 16:29 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 37/65] target/arm: GICv5 cpuif: Implement PPI pending status registers Peter Maydell
` (29 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
In the GICv5 the handling mode of a PPI is not software configurable;
it is reported via read-only CPU interface registers ICC_PPI_HMR0_EL1
and ICC_PPI_HMR1_EL1.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/cpu.h | 1 +
target/arm/tcg/gicv5-cpuif.c | 22 ++++++++++++++++++++++
2 files changed, 23 insertions(+)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index dd4dc12feb..4574f7005d 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -605,6 +605,7 @@ typedef struct CPUArchState {
uint64_t icc_icsr_el1;
/* Most PPI registers have 1 bit per PPI, so 64 PPIs to a register */
uint64_t ppi_active[GICV5_NUM_PPIS / 64];
+ uint64_t ppi_hm[GICV5_NUM_PPIS / 64];
} gicv5_cpuif;
struct {
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 0132b13853..6fbc962131 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -50,6 +50,16 @@ FIELD(ICC_IDR0_EL1, GCIE_LEGACY, 8, 4)
((4 << R_ICC_IDR0_EL1_PRI_BITS_SHIFT) | \
(1 << R_ICC_IDR0_EL1_ID_BITS_SHIFT))
+/*
+ * PPI handling modes are fixed and not software configurable.
+ * R_CFSKX defines them for the architected PPIs: they are all Level,
+ * except that PPI 24 (CTIIRQ) is IMPDEF and PPI 3 (SW_PPI) is Edge.
+ * For unimplemented PPIs the field is RES0. The PPI register bits
+ * are 1 for Level and 0 for Edge.
+ */
+#define PPI_HMR0_RESET (~(1ULL << GICV5_PPI_SW_PPI))
+#define PPI_HMR1_RESET (~0ULL)
+
static GICv5Common *gicv5_get_gic(CPUARMState *env)
{
return env->gicv5state;
@@ -292,6 +302,18 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_active[1]),
.writefn = gic_ppi_sactive_write,
},
+ { .name = "ICC_PPI_HMR0_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 10, .opc2 = 0,
+ .access = PL1_R, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_hm[0]),
+ .resetvalue = PPI_HMR0_RESET,
+ },
+ { .name = "ICC_PPI_HMR1_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 10, .opc2 = 1,
+ .access = PL1_R, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_hm[1]),
+ .resetvalue = PPI_HMR1_RESET,
+ },
};
void define_gicv5_cpuif_regs(ARMCPU *cpu)
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* [PATCH 37/65] target/arm: GICv5 cpuif: Implement PPI pending status registers
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (35 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 36/65] target/arm: GICv5 cpuif: Implement PPI handling mode register Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 16:31 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 38/65] target/arm: GICv5 cpuif: Implement PPI enable register Peter Maydell
` (28 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The GICv5 PPI pending status is handled by two registers, one of
which is write-1-to-set and one of which is write-1-to-clear. The
pending state is read-only for PPIs where the handling mode is Edge.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/cpu.h | 1 +
target/arm/tcg/gicv5-cpuif.c | 44 ++++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 4574f7005d..980abda3ca 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -606,6 +606,7 @@ typedef struct CPUArchState {
/* Most PPI registers have 1 bit per PPI, so 64 PPIs to a register */
uint64_t ppi_active[GICV5_NUM_PPIS / 64];
uint64_t ppi_hm[GICV5_NUM_PPIS / 64];
+ uint64_t ppi_pend[GICV5_NUM_PPIS / 64];
} gicv5_cpuif;
struct {
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 6fbc962131..4647fd40ba 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -199,6 +199,26 @@ static void gic_ppi_sactive_write(CPUARMState *env, const ARMCPRegInfo *ri,
raw_write(env, ri, old | value);
}
+static void gic_ppi_cpend_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ uint64_t old = raw_read(env, ri);
+ /* If ICC_PPI_HMR_EL1[n].HM is 1, PEND bits are RO */
+ uint64_t hm = env->gicv5_cpuif.ppi_hm[ri->opc2 & 1];
+ value &= ~hm;
+ raw_write(env, ri, old & ~value);
+}
+
+static void gic_ppi_spend_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ uint64_t old = raw_read(env, ri);
+ /* If ICC_PPI_HMR_EL1[n].HM is 1, PEND bits are RO */
+ uint64_t hm = env->gicv5_cpuif.ppi_hm[ri->opc2 & 1];
+ value &= ~hm;
+ raw_write(env, ri, old | value);
+}
+
static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
/*
* Barrier: wait until the effects of a cpuif system register
@@ -314,6 +334,30 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_hm[1]),
.resetvalue = PPI_HMR1_RESET,
},
+ { .name = "ICC_PPI_CPENDR0_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 13, .opc2 = 4,
+ .access = PL1_RW, .type = ARM_CP_ALIAS | ARM_CP_IO | ARM_CP_NO_RAW,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_pend[0]),
+ .writefn = gic_ppi_cpend_write,
+ },
+ { .name = "ICC_PPI_CPENDR1_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 13, .opc2 = 5,
+ .access = PL1_RW, .type = ARM_CP_ALIAS | ARM_CP_IO | ARM_CP_NO_RAW,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_pend[1]),
+ .writefn = gic_ppi_cpend_write,
+ },
+ { .name = "ICC_PPI_SPENDR0_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 13, .opc2 = 6,
+ .access = PL1_RW, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_pend[0]),
+ .writefn = gic_ppi_spend_write,
+ },
+ { .name = "ICC_PPI_SPENDR0_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 13, .opc2 = 7,
+ .access = PL1_RW, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_pend[1]),
+ .writefn = gic_ppi_spend_write,
+ },
};
void define_gicv5_cpuif_regs(ARMCPU *cpu)
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* [PATCH 38/65] target/arm: GICv5 cpuif: Implement PPI enable register
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (36 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 37/65] target/arm: GICv5 cpuif: Implement PPI pending status registers Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 16:32 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 39/65] target/arm: GICv5 cpuif: Implement PPI priority registers Peter Maydell
` (27 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the GICv5 register which holds the enable state of PPIs:
ICC_PPI_ENABLER<n>_EL1.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/cpu.h | 1 +
target/arm/tcg/gicv5-cpuif.c | 18 ++++++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 980abda3ca..915a225f8e 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -607,6 +607,7 @@ typedef struct CPUArchState {
uint64_t ppi_active[GICV5_NUM_PPIS / 64];
uint64_t ppi_hm[GICV5_NUM_PPIS / 64];
uint64_t ppi_pend[GICV5_NUM_PPIS / 64];
+ uint64_t ppi_enable[GICV5_NUM_PPIS / 64];
} gicv5_cpuif;
struct {
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 4647fd40ba..c54e784dc4 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -219,6 +219,12 @@ static void gic_ppi_spend_write(CPUARMState *env, const ARMCPRegInfo *ri,
raw_write(env, ri, old | value);
}
+static void gic_ppi_enable_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ raw_write(env, ri, value);
+}
+
static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
/*
* Barrier: wait until the effects of a cpuif system register
@@ -334,6 +340,18 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_hm[1]),
.resetvalue = PPI_HMR1_RESET,
},
+ { .name = "ICC_PPI_ENABLER0_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 10, .opc2 = 6,
+ .access = PL1_RW, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_enable[0]),
+ .writefn = gic_ppi_enable_write,
+ },
+ { .name = "ICC_PPI_ENABLER1_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 10, .opc2 = 7,
+ .access = PL1_RW, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_enable[1]),
+ .writefn = gic_ppi_enable_write,
+ },
{ .name = "ICC_PPI_CPENDR0_EL1", .state = ARM_CP_STATE_AA64,
.opc0 = 3, .opc1 = 0, .crn = 12, .crm = 13, .opc2 = 4,
.access = PL1_RW, .type = ARM_CP_ALIAS | ARM_CP_IO | ARM_CP_NO_RAW,
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* [PATCH 39/65] target/arm: GICv5 cpuif: Implement PPI priority registers
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (37 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 38/65] target/arm: GICv5 cpuif: Implement PPI enable register Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 16:34 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 40/65] target/arm: GICv5 cpuif: Implement ICC_APR_EL1 and ICC_HAPR_EL1 Peter Maydell
` (26 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the GICv5 registers which hold the priority of the PPIs.
Each 64-bit register has the priority fields for 8 PPIs, so there are
16 registers in total. This would be a lot of duplication if we
wrote it out statically in the array, so instead create each register
via a loop in define_gicv5_cpuif_regs().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/cpu.h | 2 ++
target/arm/tcg/gicv5-cpuif.c | 23 +++++++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 915a225f8e..b97f659352 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -608,6 +608,8 @@ typedef struct CPUArchState {
uint64_t ppi_hm[GICV5_NUM_PPIS / 64];
uint64_t ppi_pend[GICV5_NUM_PPIS / 64];
uint64_t ppi_enable[GICV5_NUM_PPIS / 64];
+ /* The PRIO regs have 1 byte per PPI, so 8 PPIs to a register */
+ uint64_t ppi_priority[GICV5_NUM_PPIS / 8];
} gicv5_cpuif;
struct {
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index c54e784dc4..60b495dd8f 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -225,6 +225,12 @@ static void gic_ppi_enable_write(CPUARMState *env, const ARMCPRegInfo *ri,
raw_write(env, ri, value);
}
+static void gic_ppi_priority_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ raw_write(env, ri, value);
+}
+
static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
/*
* Barrier: wait until the effects of a cpuif system register
@@ -382,5 +388,22 @@ void define_gicv5_cpuif_regs(ARMCPU *cpu)
{
if (cpu_isar_feature(aa64_gcie, cpu)) {
define_arm_cp_regs(cpu, gicv5_cpuif_reginfo);
+
+ /*
+ * There are 16 ICC_PPI_PRIORITYR<n>_EL1 regs, so define them
+ * programmatically rather than listing them all statically.
+ */
+ for (int i = 0; i < 16; i++) {
+ g_autofree char *name = g_strdup_printf("ICC_PPI_PRIORITYR%d_EL1", i);
+ ARMCPRegInfo ppi_prio = {
+ .name = name, .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12,
+ .crm = 14 + (i >> 3), .opc2 = i & 7,
+ .access = PL1_RW, .type = ARM_CP_IO,
+ .fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_priority[i]),
+ .writefn = gic_ppi_priority_write, .raw_writefn = raw_write,
+ };
+ define_one_arm_cp_reg(cpu, &ppi_prio);
+ }
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 39/65] target/arm: GICv5 cpuif: Implement PPI priority registers
2026-02-23 17:01 ` [PATCH 39/65] target/arm: GICv5 cpuif: Implement PPI priority registers Peter Maydell
@ 2026-03-11 16:34 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 16:34 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:46 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement the GICv5 registers which hold the priority of the PPIs.
> Each 64-bit register has the priority fields for 8 PPIs, so there are
> 16 registers in total. This would be a lot of duplication if we
> wrote it out statically in the array, so instead create each register
> via a loop in define_gicv5_cpuif_regs().
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 40/65] target/arm: GICv5 cpuif: Implement ICC_APR_EL1 and ICC_HAPR_EL1
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (38 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 39/65] target/arm: GICv5 cpuif: Implement PPI priority registers Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 16:41 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 41/65] target/arm: GICv5 cpuif: Calculate the highest priority PPI Peter Maydell
` (25 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The ICC_APR_EL1 GICv5 cpuif register records the physical active
priorities. Since the GICv5 always uses 5 bits of priority, this
register always has 32 non-RES0 bits, and we don't need the
complicated GICv3 setup where there might be 1, 2 or 4 APR registers.
ICC_HAPR_EL1 is a read-only register which reports the current
running priority. This is defined to be the lowest set bit (i.e.
the highest priority) in the APR, or the Idle priority 0xff if there
are no active interrupts, so it is effectively a convenience
re-presentation of the APR register data.
The APR register is banked per interrupt domain; ICC_APR_EL1 accesses
the version of the register corresponding to the current logical
interrupt domain. The APR data for the final domain (EL3) is
accessed via ICC_APR_EL3. Although we are starting with an EL1-only
implementation, we define the CPU state as banked here so we don't
have to change our representation of it later when we add EL3 and RME
support.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
include/hw/intc/arm_gicv5_types.h | 2 ++
target/arm/cpu.h | 2 ++
target/arm/tcg/gicv5-cpuif.c | 60 +++++++++++++++++++++++++++++++
3 files changed, 64 insertions(+)
diff --git a/include/hw/intc/arm_gicv5_types.h b/include/hw/intc/arm_gicv5_types.h
index 30e1bc58cb..b69ad137aa 100644
--- a/include/hw/intc/arm_gicv5_types.h
+++ b/include/hw/intc/arm_gicv5_types.h
@@ -85,4 +85,6 @@ typedef enum GICv5TriggerMode {
GICV5_TRIGGER_LEVEL = 1,
} GICv5TriggerMode;
+#define PRIO_IDLE 0xff
+
#endif
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index b97f659352..6841b6748f 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -35,6 +35,7 @@
#include "target/arm/gtimer.h"
#include "target/arm/cpu-sysregs.h"
#include "target/arm/mmuidx.h"
+#include "hw/intc/arm_gicv5_types.h"
#define EXCP_UDEF 1 /* undefined instruction */
#define EXCP_SWI 2 /* software interrupt */
@@ -603,6 +604,7 @@ typedef struct CPUArchState {
struct {
/* GICv5 CPU interface data */
uint64_t icc_icsr_el1;
+ uint64_t icc_apr[NUM_GICV5_DOMAINS];
/* Most PPI registers have 1 bit per PPI, so 64 PPIs to a register */
uint64_t ppi_active[GICV5_NUM_PPIS / 64];
uint64_t ppi_hm[GICV5_NUM_PPIS / 64];
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 60b495dd8f..d0521ce7fd 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -95,6 +95,16 @@ static GICv5Domain gicv5_current_phys_domain(CPUARMState *env)
return gicv5_logical_domain(env);
}
+static uint64_t gic_running_prio(CPUARMState *env, GICv5Domain domain)
+{
+ /*
+ * Return the current running priority; this is the lowest set bit in
+ * the Active Priority Register, or the idle priority if none (D_XMBQZ)
+ */
+ uint64_t hap = ctz64(env->gicv5_cpuif.icc_apr[domain]);
+ return hap < 32 ? hap : PRIO_IDLE;
+}
+
static void gic_cddis_write(CPUARMState *env, const ARMCPRegInfo *ri,
uint64_t value)
{
@@ -231,6 +241,44 @@ static void gic_ppi_priority_write(CPUARMState *env, const ARMCPRegInfo *ri,
raw_write(env, ri, value);
}
+/*
+ * ICC_APR_EL1 is banked and reads/writes as the version for the
+ * current logical interrupt domain.
+ */
+static void gic_icc_apr_el1_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ /*
+ * With an architectural 5 bits of priority, this register has
+ * 32 non-RES0 bits
+ */
+ GICv5Domain domain = gicv5_logical_domain(env);
+ value &= 0xffffffff;
+ env->gicv5_cpuif.icc_apr[domain] = value;
+}
+
+static uint64_t gic_icc_apr_el1_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+ GICv5Domain domain = gicv5_logical_domain(env);
+ return env->gicv5_cpuif.icc_apr[domain];
+}
+
+static void gic_icc_apr_el1_reset(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+ for (int i = 0; i < ARRAY_SIZE(env->gicv5_cpuif.icc_apr); i++) {
+ env->gicv5_cpuif.icc_apr[i] = 0;
+ }
+}
+
+static uint64_t gic_icc_hapr_el1_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+ /*
+ * ICC_HAPR_EL1 reports the current running priority, which
+ * can be calculated from the APR register.
+ */
+ return gic_running_prio(env, gicv5_current_phys_domain(env));
+}
+
static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
/*
* Barrier: wait until the effects of a cpuif system register
@@ -382,6 +430,18 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_pend[1]),
.writefn = gic_ppi_spend_write,
},
+ { .name = "ICC_APR_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 1, .crn = 12, .crm = 0, .opc2 = 0,
+ .access = PL1_RW, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .readfn = gic_icc_apr_el1_read,
+ .writefn = gic_icc_apr_el1_write,
+ .resetfn = gic_icc_apr_el1_reset,
+ },
+ { .name = "ICC_HAPR_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 1, .crn = 12, .crm = 0, .opc2 = 3,
+ .access = PL1_R, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .readfn = gic_icc_hapr_el1_read, .raw_writefn = arm_cp_write_ignore,
+ },
};
void define_gicv5_cpuif_regs(ARMCPU *cpu)
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 40/65] target/arm: GICv5 cpuif: Implement ICC_APR_EL1 and ICC_HAPR_EL1
2026-02-23 17:01 ` [PATCH 40/65] target/arm: GICv5 cpuif: Implement ICC_APR_EL1 and ICC_HAPR_EL1 Peter Maydell
@ 2026-03-11 16:41 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 16:41 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:47 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The ICC_APR_EL1 GICv5 cpuif register records the physical active
> priorities. Since the GICv5 always uses 5 bits of priority, this
> register always has 32 non-RES0 bits, and we don't need the
> complicated GICv3 setup where there might be 1, 2 or 4 APR registers.
>
> ICC_HAPR_EL1 is a read-only register which reports the current
> running priority. This is defined to be the lowest set bit (i.e.
> the highest priority) in the APR, or the Idle priority 0xff if there
> are no active interrupts, so it is effectively a convenience
> re-presentation of the APR register data.
>
> The APR register is banked per interrupt domain; ICC_APR_EL1 accesses
> the version of the register corresponding to the current logical
> interrupt domain. The APR data for the final domain (EL3) is
> accessed via ICC_APR_EL3. Although we are starting with an EL1-only
> implementation, we define the CPU state as banked here so we don't
> have to change our representation of it later when we add EL3 and RME
> support.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 41/65] target/arm: GICv5 cpuif: Calculate the highest priority PPI
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (39 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 40/65] target/arm: GICv5 cpuif: Implement ICC_APR_EL1 and ICC_HAPR_EL1 Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 16:51 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 42/65] hw/intc/arm_gicv5: Calculate HPPI in the IRS Peter Maydell
` (24 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
When the state of PPIs changes, recalculate the highest priority PPI.
In subsequent commits we will use this cached value to provide the
HPPI info to the guest, decide whether to signal IRQ or FIQ, handle
interrupt acknowldge from the guest, and so on.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
include/hw/intc/arm_gicv5_types.h | 21 +++++++++++
meson.build | 1 +
target/arm/cpu.h | 3 ++
target/arm/tcg/gicv5-cpuif.c | 58 +++++++++++++++++++++++++++++++
target/arm/tcg/trace-events | 5 +++
target/arm/tcg/trace.h | 1 +
6 files changed, 89 insertions(+)
create mode 100644 target/arm/tcg/trace-events
create mode 100644 target/arm/tcg/trace.h
diff --git a/include/hw/intc/arm_gicv5_types.h b/include/hw/intc/arm_gicv5_types.h
index b69ad137aa..2c552cd3c5 100644
--- a/include/hw/intc/arm_gicv5_types.h
+++ b/include/hw/intc/arm_gicv5_types.h
@@ -12,6 +12,8 @@
#ifndef HW_INTC_ARM_GICv5_TYPES_H
#define HW_INTC_ARM_GICv5_TYPES_H
+#include "hw/core/registerfields.h"
+
/*
* The GICv5 has four physical Interrupt Domains. This numbering
* must match the encoding used in IRS_IDR0.INT_DOM.
@@ -87,4 +89,23 @@ typedef enum GICv5TriggerMode {
#define PRIO_IDLE 0xff
+/*
+ * We keep track of candidate highest possible pending interrupts
+ * using this struct.
+ *
+ * Unlike GICv3, we don't need a separate NMI bool, because for
+ * GICv5 superpriority is signaled by @prio == 0.
+ *
+ * In this struct the intid includes the interrupt type in bits [31:29]
+ * (i.e. it is in the form defined by R_TJPHS).
+ */
+typedef struct GICv5PendingIrq {
+ uint32_t intid;
+ uint8_t prio;
+} GICv5PendingIrq;
+
+/* Fields in a generic 32-bit INTID, per R_TJPHS */
+FIELD(INTID, ID, 0, 24)
+FIELD(INTID, TYPE, 29, 3)
+
#endif
diff --git a/meson.build b/meson.build
index 414c8ea7e2..04b87c1ee6 100644
--- a/meson.build
+++ b/meson.build
@@ -3665,6 +3665,7 @@ if have_system or have_user
'hw/core',
'target/arm',
'target/arm/hvf',
+ 'target/arm/tcg',
'target/hppa',
'target/i386',
'target/i386/kvm',
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 6841b6748f..e0a7d02386 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -612,6 +612,9 @@ typedef struct CPUArchState {
uint64_t ppi_enable[GICV5_NUM_PPIS / 64];
/* The PRIO regs have 1 byte per PPI, so 8 PPIs to a register */
uint64_t ppi_priority[GICV5_NUM_PPIS / 8];
+
+ /* Cached highest-priority pending PPI for each domain */
+ GICv5PendingIrq ppi_hppi[NUM_GICV5_DOMAINS];
} gicv5_cpuif;
struct {
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index d0521ce7fd..48cf14b4d0 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -11,6 +11,7 @@
#include "internals.h"
#include "cpregs.h"
#include "hw/intc/arm_gicv5_stream.h"
+#include "trace.h"
FIELD(GIC_CDPRI, ID, 0, 24)
FIELD(GIC_CDPRI, TYPE, 29, 3)
@@ -105,6 +106,57 @@ static uint64_t gic_running_prio(CPUARMState *env, GICv5Domain domain)
return hap < 32 ? hap : PRIO_IDLE;
}
+static void gic_recalc_ppi_hppi(CPUARMState *env)
+{
+ /*
+ * Recalculate the HPPI PPI: this is the best PPI which
+ * is enabled, pending and not active.
+ */
+ for (int i = 0; i < ARRAY_SIZE(env->gicv5_cpuif.ppi_hppi); i++) {
+ env->gicv5_cpuif.ppi_hppi[i].intid = 0;
+ env->gicv5_cpuif.ppi_hppi[i].prio = PRIO_IDLE;
+ };
+
+ for (int i = 0; i < ARRAY_SIZE(env->gicv5_cpuif.ppi_active); i++) {
+ uint64_t en_pend_nact = env->gicv5_cpuif.ppi_enable[i] &
+ env->gicv5_cpuif.ppi_pend[i] &
+ ~env->gicv5_cpuif.ppi_active[i];
+
+ while (en_pend_nact) {
+ /*
+ * When EL3 is supported ICC_PPI_DOMAINR<n>_EL3 tells us
+ * the domain of each PPI. While we only support EL1, the
+ * domain is always NS.
+ */
+ GICv5Domain ppi_domain = GICV5_ID_NS;
+ uint8_t prio;
+ int ppi;
+ int bit = ctz64(en_pend_nact);
+
+ en_pend_nact &= ~(1 << bit);
+
+ ppi = i * 64 + bit;
+ prio = extract64(env->gicv5_cpuif.ppi_priority[ppi / 8],
+ (ppi & 7) * 8, 5);
+
+ if (prio < env->gicv5_cpuif.ppi_hppi[ppi_domain].prio) {
+ uint32_t intid = 0;
+
+ intid = FIELD_DP32(intid, INTID, ID, ppi);
+ intid = FIELD_DP32(intid, INTID, TYPE, GICV5_PPI);
+ env->gicv5_cpuif.ppi_hppi[ppi_domain].intid = intid;
+ env->gicv5_cpuif.ppi_hppi[ppi_domain].prio = prio;
+ }
+ }
+ }
+
+ for (int i = 0; i < ARRAY_SIZE(env->gicv5_cpuif.ppi_hppi); i++) {
+ trace_gicv5_recalc_ppi_hppi(i,
+ env->gicv5_cpuif.ppi_hppi[i].intid,
+ env->gicv5_cpuif.ppi_hppi[i].prio);
+ }
+}
+
static void gic_cddis_write(CPUARMState *env, const ARMCPRegInfo *ri,
uint64_t value)
{
@@ -200,6 +252,7 @@ static void gic_ppi_cactive_write(CPUARMState *env, const ARMCPRegInfo *ri,
{
uint64_t old = raw_read(env, ri);
raw_write(env, ri, old & ~value);
+ gic_recalc_ppi_hppi(env);
}
static void gic_ppi_sactive_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -207,6 +260,7 @@ static void gic_ppi_sactive_write(CPUARMState *env, const ARMCPRegInfo *ri,
{
uint64_t old = raw_read(env, ri);
raw_write(env, ri, old | value);
+ gic_recalc_ppi_hppi(env);
}
static void gic_ppi_cpend_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -217,6 +271,7 @@ static void gic_ppi_cpend_write(CPUARMState *env, const ARMCPRegInfo *ri,
uint64_t hm = env->gicv5_cpuif.ppi_hm[ri->opc2 & 1];
value &= ~hm;
raw_write(env, ri, old & ~value);
+ gic_recalc_ppi_hppi(env);
}
static void gic_ppi_spend_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -227,18 +282,21 @@ static void gic_ppi_spend_write(CPUARMState *env, const ARMCPRegInfo *ri,
uint64_t hm = env->gicv5_cpuif.ppi_hm[ri->opc2 & 1];
value &= ~hm;
raw_write(env, ri, old | value);
+ gic_recalc_ppi_hppi(env);
}
static void gic_ppi_enable_write(CPUARMState *env, const ARMCPRegInfo *ri,
uint64_t value)
{
raw_write(env, ri, value);
+ gic_recalc_ppi_hppi(env);
}
static void gic_ppi_priority_write(CPUARMState *env, const ARMCPRegInfo *ri,
uint64_t value)
{
raw_write(env, ri, value);
+ gic_recalc_ppi_hppi(env);
}
/*
diff --git a/target/arm/tcg/trace-events b/target/arm/tcg/trace-events
new file mode 100644
index 0000000000..7dc5f781c5
--- /dev/null
+++ b/target/arm/tcg/trace-events
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# See docs/devel/tracing.rst for syntax documentation.
+
+# gicv5-cpuif.c
+gicv5_recalc_ppi_hppi(int domain, uint32_t id, uint8_t prio) "domain %d new PPI HPPI id 0x%x prio %u"
diff --git a/target/arm/tcg/trace.h b/target/arm/tcg/trace.h
new file mode 100644
index 0000000000..c6e89d018b
--- /dev/null
+++ b/target/arm/tcg/trace.h
@@ -0,0 +1 @@
+#include "trace/trace-target_arm_tcg.h"
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 41/65] target/arm: GICv5 cpuif: Calculate the highest priority PPI
2026-02-23 17:01 ` [PATCH 41/65] target/arm: GICv5 cpuif: Calculate the highest priority PPI Peter Maydell
@ 2026-03-11 16:51 ` Jonathan Cameron via qemu development
2026-03-11 17:08 ` Peter Maydell
0 siblings, 1 reply; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 16:51 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:48 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> When the state of PPIs changes, recalculate the highest priority PPI.
> In subsequent commits we will use this cached value to provide the
> HPPI info to the guest, decide whether to signal IRQ or FIQ, handle
> interrupt acknowldge from the guest, and so on.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Other than struggling with the reference, LGTM
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> +/*
> + * We keep track of candidate highest possible pending interrupts
> + * using this struct.
> + *
> + * Unlike GICv3, we don't need a separate NMI bool, because for
> + * GICv5 superpriority is signaled by @prio == 0.
> + *
> + * In this struct the intid includes the interrupt type in bits [31:29]
> + * (i.e. it is in the form defined by R_TJPHS).
Not sure it matters, but the particular GIC v5 spec I'm looking doesn't
seem to have a R_TJPHS (I happen to have EAC0)
> + */
> +typedef struct GICv5PendingIrq {
> + uint32_t intid;
> + uint8_t prio;
> +} GICv5PendingIrq;
> +
> +/* Fields in a generic 32-bit INTID, per R_TJPHS */
> +FIELD(INTID, ID, 0, 24)
> +FIELD(INTID, TYPE, 29, 3)
> +
^ permalink raw reply [flat|nested] 142+ messages in thread* Re: [PATCH 41/65] target/arm: GICv5 cpuif: Calculate the highest priority PPI
2026-03-11 16:51 ` Jonathan Cameron via qemu development
@ 2026-03-11 17:08 ` Peter Maydell
2026-03-11 17:39 ` Jonathan Cameron via qemu development
0 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-03-11 17:08 UTC (permalink / raw)
To: Jonathan Cameron; +Cc: qemu-arm, qemu-devel
On Wed, 11 Mar 2026 at 16:51, Jonathan Cameron
<jonathan.cameron@huawei.com> wrote:
>
> On Mon, 23 Feb 2026 17:01:48 +0000
> Peter Maydell <peter.maydell@linaro.org> wrote:
>
> > When the state of PPIs changes, recalculate the highest priority PPI.
> > In subsequent commits we will use this cached value to provide the
> > HPPI info to the guest, decide whether to signal IRQ or FIQ, handle
> > interrupt acknowldge from the guest, and so on.
> >
> > Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
>
> Other than struggling with the reference, LGTM
> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
>
> > +/*
> > + * We keep track of candidate highest possible pending interrupts
> > + * using this struct.
> > + *
> > + * Unlike GICv3, we don't need a separate NMI bool, because for
> > + * GICv5 superpriority is signaled by @prio == 0.
> > + *
> > + * In this struct the intid includes the interrupt type in bits [31:29]
> > + * (i.e. it is in the form defined by R_TJPHS).
> Not sure it matters, but the particular GIC v5 spec I'm looking doesn't
> seem to have a R_TJPHS (I happen to have EAC0)
Hmm. It's in the EAC0 download from
https://developer.arm.com/documentation/aes0070/latest/
in section 2.4, on page 32, second rule from the bottom.
thanks
-- PMM
^ permalink raw reply [flat|nested] 142+ messages in thread
* Re: [PATCH 41/65] target/arm: GICv5 cpuif: Calculate the highest priority PPI
2026-03-11 17:08 ` Peter Maydell
@ 2026-03-11 17:39 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 17:39 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Wed, 11 Mar 2026 17:08:11 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> On Wed, 11 Mar 2026 at 16:51, Jonathan Cameron
> <jonathan.cameron@huawei.com> wrote:
> >
> > On Mon, 23 Feb 2026 17:01:48 +0000
> > Peter Maydell <peter.maydell@linaro.org> wrote:
> >
> > > When the state of PPIs changes, recalculate the highest priority PPI.
> > > In subsequent commits we will use this cached value to provide the
> > > HPPI info to the guest, decide whether to signal IRQ or FIQ, handle
> > > interrupt acknowldge from the guest, and so on.
> > >
> > > Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> >
> > Other than struggling with the reference, LGTM
> > Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> >
> > > +/*
> > > + * We keep track of candidate highest possible pending interrupts
> > > + * using this struct.
> > > + *
> > > + * Unlike GICv3, we don't need a separate NMI bool, because for
> > > + * GICv5 superpriority is signaled by @prio == 0.
> > > + *
> > > + * In this struct the intid includes the interrupt type in bits [31:29]
> > > + * (i.e. it is in the form defined by R_TJPHS).
> > Not sure it matters, but the particular GIC v5 spec I'm looking doesn't
> > seem to have a R_TJPHS (I happen to have EAC0)
>
> Hmm. It's in the EAC0 download from
> https://developer.arm.com/documentation/aes0070/latest/
> in section 2.4, on page 32, second rule from the bottom.
Yup. User error. :( Appears I can't search in acrobat.
Sorry for waste of time!
>
> thanks
> -- PMM
>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 42/65] hw/intc/arm_gicv5: Calculate HPPI in the IRS
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (40 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 41/65] target/arm: GICv5 cpuif: Calculate the highest priority PPI Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 16:59 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 43/65] target/arm: GICv5 cpuif: Implement ICC_CR0_EL1 Peter Maydell
` (23 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The IRS is required to present the highest priority pending interrupt
that it has for each domain for each cpu interface. We implement
this in the irs_recalc_hppi() function, which we call at every point
where some relevant IRS state changes.
This function calls gicv5_forward_interrupt() to do the equivalent of
the GICv5 stream protocol Forward and Recall commands. For the
moment we simply record the HPPI on the CPU interface side without
trying to process it; the handling of the HPPI in the cpuif will be
added in subsequent commits.
There are some cases where we could skip doing the full HPPI
recalculation, e.g. when the guest changes the config of an
interrupt that is disabled; we expect that the guest will only do
interrupt config at startup, so we don't attempt to optimise this.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 202 +++++++++++++++++++++++++++++
hw/intc/trace-events | 2 +
include/hw/intc/arm_gicv5.h | 3 +
include/hw/intc/arm_gicv5_stream.h | 24 ++++
target/arm/tcg/gicv5-cpuif.c | 9 ++
5 files changed, 240 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 30368998d3..070d414d67 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -376,6 +376,157 @@ static MemTxAttrs irs_txattrs(GICv5Common *cs, GICv5Domain domain)
};
}
+/* Data we need to pass through to lpi_cache_get_hppi() */
+typedef struct GetHPPIUserData {
+ GICv5PendingIrq *best;
+ uint32_t iaffid;
+} GetHPPIUserData;
+
+static void lpi_cache_get_hppi(gpointer key, gpointer value, gpointer user_data)
+{
+ uint64_t id = GPOINTER_TO_INT(key);
+ uint64_t l2_iste = *(uint64_t *)value;
+ uint32_t prio, iaffid;
+ GetHPPIUserData *ud = user_data;
+
+ if ((l2_iste & (R_L2_ISTE_PENDING_MASK | R_L2_ISTE_ACTIVE_MASK | R_L2_ISTE_ENABLE_MASK))
+ != (R_L2_ISTE_PENDING_MASK | R_L2_ISTE_ENABLE_MASK)) {
+ return;
+ }
+ prio = FIELD_EX32(l2_iste, L2_ISTE, PRIORITY);
+ iaffid = FIELD_EX32(l2_iste, L2_ISTE, IAFFID);
+ if (iaffid == ud->iaffid && prio < ud->best->prio) {
+ id = FIELD_DP32(id, INTID, TYPE, GICV5_LPI);
+ ud->best->intid = id;
+ ud->best->prio = prio;
+ }
+}
+
+static int irs_cpuidx_from_iaffid(GICv5Common *cs, uint32_t iaffid)
+{
+ for (int i = 0; i < cs->num_cpus; i++) {
+ if (cs->cpu_iaffids[i] == iaffid) {
+ return i;
+ }
+ }
+ return -1;
+}
+
+static void irs_recalc_hppi(GICv5 *s, GICv5Domain domain, uint32_t iaffid)
+{
+ /*
+ * Recalculate the highest priority pending interrupt for the
+ * specified domain and cpuif.
+ * HPPI candidates must be pending, inactive and enabled.
+ */
+ GICv5Common *cs = ARM_GICV5_COMMON(s);
+ int cpuidx = irs_cpuidx_from_iaffid(cs, iaffid);
+ ARMCPU *cpu = cpuidx >= 0 ? cs->cpus[cpuidx] : NULL;
+ GICv5PendingIrq best;
+
+ best.intid = 0;
+ best.prio = PRIO_IDLE;
+
+ if (!cpu) {
+ /* Nothing happens for iaffids targeting nonexistent CPUs */
+ trace_gicv5_irs_recalc_hppi_fail(domain_name[domain], iaffid,
+ "IAFFID doesn't match any CPU");
+ return;
+ }
+
+ if (!FIELD_EX32(cs->irs_cr0[domain], IRS_CR0, IRSEN)) {
+ /* When the IRS is disabled we don't forward HPPIs */
+ trace_gicv5_irs_recalc_hppi_fail(domain_name[domain], iaffid,
+ "IRS_CR0.IRSEN is zero");
+ return;
+ }
+
+ if (s->phys_lpi_config[domain].valid) {
+ GetHPPIUserData ud;
+
+ ud.best = &best;
+ ud.iaffid = iaffid;
+ g_hash_table_foreach(s->phys_lpi_config[domain].lpi_cache,
+ lpi_cache_get_hppi, &ud);
+ }
+
+ /*
+ * OPT: consider also caching the SPI interrupt information,
+ * similarly to how we handle LPIs, if iterating through the
+ * whole SPI array every time is too expensive.
+ */
+ for (int i = 0; i < cs->spi_irs_range; i++) {
+ GICv5SPIState *spi = &cs->spi[i];
+
+ if (spi->active || !spi->pending || !spi->enabled) {
+ continue;
+ }
+ if (spi->domain != domain || spi->iaffid != iaffid) {
+ continue;
+ }
+ if (spi->priority < best.prio) {
+ uint32_t intid = 0;
+ intid = FIELD_DP32(intid, INTID, ID, i);
+ intid = FIELD_DP32(intid, INTID, TYPE, GICV5_SPI);
+ best.intid = intid;
+ best.prio = spi->priority;
+ }
+ }
+
+ trace_gicv5_irs_recalc_hppi(domain_name[domain], iaffid,
+ best.intid, best.prio);
+
+ s->hppi[domain][cpuidx] = best;
+ /*
+ * Now present the HPPI to the cpuif. In the real hardware
+ * stream protocol, the connection between IRS and cpuif is
+ * asynchronous, and so both ends track their idea of the
+ * current HPPI, with a back-and-forth sequence so they stay
+ * in sync and more interaction when the cpuif resets.
+ * For QEMU, we are strictly synchronous and the cpuif asking
+ * the IRS for data is a cheap function call, so we simplify this:
+ * - the IRS knows what the current HPPI is
+ * - s->hppi[][] is a cache we can recalculate
+ * - the IRS merely tells the cpuif "something changed", and
+ * the cpuif asks for the current HPPI when it needs it
+ * - the cpuif does not cache the HPPI on its end
+ */
+ gicv5_forward_interrupt(cpu, domain);
+}
+
+static void irs_recalc_hppi_all_cpus(GICv5 *s, GICv5Domain domain)
+{
+ /*
+ * Recalculate the HPPI for every CPU for this domain.
+ * This is not as efficient as it could be because we will
+ * scan through the LPI cached hash table and the SPI array
+ * for each CPU rather than doing a single combined scan,
+ * but we only need to do this very rarely, when the guest
+ * enables or disables the IST, so we implement this the simple way.
+ */
+ GICv5Common *cs = ARM_GICV5_COMMON(s);
+ for (int i = 0; i < cs->num_cpus; i++) {
+ irs_recalc_hppi(s, domain, cs->cpu_iaffids[i]);
+ }
+}
+
+static void irs_recall_hppis(GICv5 *s, GICv5Domain domain)
+{
+ /*
+ * The IRS was just disabled -- we must recall any pending
+ * HPPIs we have sent to the CPU interfaces. For us this means
+ * that we clear our cached HPPI data and tell the cpuif
+ * that it has changed.
+ */
+ GICv5Common *cs = ARM_GICV5_COMMON(s);
+
+ for (int i = 0; i < cs->num_cpus; i++) {
+ s->hppi[domain][i].intid = 0;
+ s->hppi[domain][i].prio = PRIO_IDLE;
+ gicv5_forward_interrupt(cs->cpus[i], domain);
+ }
+}
+
static hwaddr l1_iste_addr(GICv5Common *cs, const GICv5ISTConfig *cfg,
uint32_t id)
{
@@ -582,6 +733,7 @@ void gicv5_set_priority(GICv5Common *cs, uint32_t id,
GICv5 *s = ARM_GICV5(cs);
uint32_t *l2_iste_p;
L2_ISTE_Handle h;
+ uint32_t iaffid;
trace_gicv5_set_priority(domain_name[domain], inttype_name(type), virtual,
id, priority);
@@ -603,6 +755,7 @@ void gicv5_set_priority(GICv5Common *cs, uint32_t id,
}
spi->priority = priority;
+ irs_recalc_hppi(s, domain, spi->iaffid);
return;
}
if (type != GICV5_LPI) {
@@ -616,7 +769,10 @@ void gicv5_set_priority(GICv5Common *cs, uint32_t id,
return;
}
*l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, PRIORITY, priority);
+ iaffid = FIELD_EX32(*l2_iste_p, L2_ISTE, IAFFID);
put_l2_iste(cs, cfg, &h);
+
+ irs_recalc_hppi(s, domain, iaffid);
}
void gicv5_set_enabled(GICv5Common *cs, uint32_t id,
@@ -627,6 +783,7 @@ void gicv5_set_enabled(GICv5Common *cs, uint32_t id,
GICv5 *s = ARM_GICV5(cs);
uint32_t *l2_iste_p;
L2_ISTE_Handle h;
+ uint32_t iaffid;
trace_gicv5_set_enabled(domain_name[domain], inttype_name(type), virtual,
id, enabled);
@@ -645,6 +802,7 @@ void gicv5_set_enabled(GICv5Common *cs, uint32_t id,
}
spi->enabled = true;
+ irs_recalc_hppi(s, domain, spi->iaffid);
return;
}
if (type != GICV5_LPI) {
@@ -658,7 +816,9 @@ void gicv5_set_enabled(GICv5Common *cs, uint32_t id,
return;
}
*l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, ENABLE, enabled);
+ iaffid = FIELD_EX32(*l2_iste_p, L2_ISTE, IAFFID);
put_l2_iste(cs, cfg, &h);
+ irs_recalc_hppi(s, domain, iaffid);
}
void gicv5_set_pending(GICv5Common *cs, uint32_t id,
@@ -669,6 +829,7 @@ void gicv5_set_pending(GICv5Common *cs, uint32_t id,
GICv5 *s = ARM_GICV5(cs);
uint32_t *l2_iste_p;
L2_ISTE_Handle h;
+ uint32_t iaffid;
trace_gicv5_set_pending(domain_name[domain], inttype_name(type), virtual,
id, pending);
@@ -687,6 +848,7 @@ void gicv5_set_pending(GICv5Common *cs, uint32_t id,
}
spi->pending = true;
+ irs_recalc_hppi(s, domain, spi->iaffid);
return;
}
if (type != GICV5_LPI) {
@@ -700,7 +862,9 @@ void gicv5_set_pending(GICv5Common *cs, uint32_t id,
return;
}
*l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, PENDING, pending);
+ iaffid = FIELD_EX32(*l2_iste_p, L2_ISTE, IAFFID);
put_l2_iste(cs, cfg, &h);
+ irs_recalc_hppi(s, domain, iaffid);
}
void gicv5_set_handling(GICv5Common *cs, uint32_t id,
@@ -752,6 +916,7 @@ void gicv5_set_target(GICv5Common *cs, uint32_t id, uint32_t iaffid,
GICv5 *s = ARM_GICV5(cs);
uint32_t *l2_iste_p;
L2_ISTE_Handle h;
+ uint32_t old_iaffid;
trace_gicv5_set_target(domain_name[domain], inttype_name(type), virtual,
id, iaffid, irm);
@@ -778,7 +943,10 @@ void gicv5_set_target(GICv5Common *cs, uint32_t id, uint32_t iaffid,
return;
}
+ old_iaffid = spi->iaffid;
spi->iaffid = iaffid;
+ irs_recalc_hppi(s, domain, old_iaffid);
+ irs_recalc_hppi(s, domain, iaffid);
return;
}
if (type != GICV5_LPI) {
@@ -795,8 +963,12 @@ void gicv5_set_target(GICv5Common *cs, uint32_t id, uint32_t iaffid,
* For QEMU we do not implement 1-of-N routing, and so L2_ISTE.IRM is RES0.
* We never read it, and we can skip explicitly writing it to zero here.
*/
+ old_iaffid = FIELD_EX32(*l2_iste_p, L2_ISTE, IAFFID);
*l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, IAFFID, iaffid);
put_l2_iste(cs, cfg, &h);
+
+ irs_recalc_hppi(s, domain, old_iaffid);
+ irs_recalc_hppi(s, domain, iaffid);
}
static uint64_t l2_iste_to_icsr(GICv5Common *cs, const GICv5ISTConfig *cfg,
@@ -907,6 +1079,12 @@ static void irs_map_l2_istr_write(GICv5 *s, GICv5Domain domain, uint64_t value)
if (res != MEMTX_OK) {
goto txfail;
}
+ /*
+ * It's CONSTRAINED UNPREDICTABLE to make an L2 IST valid
+ * when some of its entries have Pending already set, so we don't
+ * need to go through looking for Pending bits and pulling them
+ * into the cache, and we don't need to recalc our HPPI.
+ */
return;
txfail:
@@ -964,6 +1142,7 @@ static void irs_ist_baser_write(GICv5 *s, GICv5Domain domain, uint64_t value)
IRS_IST_BASER, VALID, valid);
s->phys_lpi_config[domain].valid = false;
trace_gicv5_ist_invalid(domain_name[domain]);
+ irs_recalc_hppi_all_cpus(s, domain);
return;
}
cs->irs_ist_baser[domain] = value;
@@ -1033,6 +1212,7 @@ static void irs_ist_baser_write(GICv5 *s, GICv5Domain domain, uint64_t value)
cfg->valid = true;
trace_gicv5_ist_valid(domain_name[domain], cfg->base, cfg->id_bits,
cfg->l2_idx_bits, cfg->istsz, cfg->structure);
+ irs_recalc_hppi_all_cpus(s, domain);
}
}
@@ -1186,6 +1366,11 @@ static bool config_readl(GICv5 *s, GICv5Domain domain, hwaddr offset,
case A_IRS_CR0:
/* Enabling is instantaneous for us so IDLE is always 1 */
*data = cs->irs_cr0[domain] | R_IRS_CR0_IDLE_MASK;
+ if (FIELD_EX32(cs->irs_cr0[domain], IRS_CR0, IRSEN)) {
+ irs_recalc_hppi_all_cpus(s, domain);
+ } else {
+ irs_recall_hppis(s, domain);
+ }
return true;
case A_IRS_CR1:
*data = cs->irs_cr1[domain];
@@ -1274,6 +1459,7 @@ static bool config_writel(GICv5 *s, GICv5Domain domain, hwaddr offset,
} else if (spi->level) {
spi->pending = false;
}
+ irs_recalc_hppi(s, spi->domain, spi->iaffid);
}
}
return true;
@@ -1283,7 +1469,12 @@ static bool config_writel(GICv5 *s, GICv5Domain domain, hwaddr offset,
/* this is RAZ/WI except for the EL3 domain */
GICv5SPIState *spi = spi_for_selr(cs, domain);
if (spi) {
+ GICv5Domain old_domain = spi->domain;
spi->domain = FIELD_EX32(data, IRS_SPI_DOMAINR, DOMAIN);
+ if (spi->domain != old_domain) {
+ irs_recalc_hppi(s, old_domain, spi->iaffid);
+ irs_recalc_hppi(s, spi->domain, spi->iaffid);
+ }
}
}
return true;
@@ -1294,6 +1485,7 @@ static bool config_writel(GICv5 *s, GICv5Domain domain, hwaddr offset,
if (spi) {
spi_sample(spi);
+ irs_recalc_hppi(s, spi->domain, spi->iaffid);
}
trace_gicv5_spi_state(id, spi->level, spi->pending, spi->active);
return true;
@@ -1480,6 +1672,7 @@ static void gicv5_set_spi(void *opaque, int irq, int level)
{
/* These irqs are all SPIs; the INTID is irq + s->spi_base */
GICv5Common *cs = ARM_GICV5_COMMON(opaque);
+ GICv5 *s = ARM_GICV5(cs);
uint32_t spi_id = irq + cs->spi_base;
GICv5SPIState *spi = gicv5_raw_spi_state(cs, spi_id);
@@ -1492,6 +1685,8 @@ static void gicv5_set_spi(void *opaque, int irq, int level)
spi->level = level;
spi_sample(spi);
trace_gicv5_spi_state(spi_id, spi->level, spi->pending, spi->active);
+
+ irs_recalc_hppi(s, spi->domain, spi->iaffid);
}
static void gicv5_reset_hold(Object *obj, ResetType type)
@@ -1573,6 +1768,7 @@ static void gicv5_set_idregs(GICv5Common *cs)
static void gicv5_realize(DeviceState *dev, Error **errp)
{
+ GICv5 *s = ARM_GICV5(dev);
GICv5Common *cs = ARM_GICV5_COMMON(dev);
GICv5Class *gc = ARM_GICV5_GET_CLASS(dev);
Error *migration_blocker = NULL;
@@ -1600,6 +1796,12 @@ static void gicv5_realize(DeviceState *dev, Error **errp)
gicv5_set_idregs(cs);
gicv5_common_init_irqs_and_mmio(cs, gicv5_set_spi, config_frame_ops);
+
+ for (int i = 0; i < NUM_GICV5_DOMAINS; i++) {
+ if (gicv5_domain_implemented(cs, i)) {
+ s->hppi[i] = g_new0(GICv5PendingIrq, cs->num_cpus);
+ }
+ }
}
static void gicv5_init(Object *obj)
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index 4c55af2780..6475ba5959 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -242,6 +242,8 @@ gicv5_set_handling(const char *domain, const char *type, bool virtual, uint32_t
gicv5_set_target(const char *domain, const char *type, bool virtual, uint32_t id, uint32_t iaffid, int irm) "GICv5 IRS SetTarget %s %s virtual:%d ID %u IAFFID %u routingmode %d"
gicv5_request_config(const char *domain, const char *type, bool virtual, uint32_t id, uint64_t icsr) "GICv5 IRS RequestConfig %s %s virtual:%d ID %u ICSR 0x%" PRIx64
gicv5_spi_state(uint32_t spi_id, bool level, bool pending, bool active) "GICv5 IRS SPI ID %u now level %d pending %d active %d"
+gicv5_irs_recalc_hppi_fail(const char *domain, uint32_t iaffid, const char *reason) "GICv5 IRS %s IAFFID %u: no HPPI: %s"
+gicv5_irs_recalc_hppi(const char *domain, uint32_t iaffid, uint32_t id, uint8_t prio) "GICv5 IRS %s IAFFID %u: new HPPI ID 0x%x prio %u"
# arm_gicv5_common.c
gicv5_common_realize(uint32_t irsid, uint32_t num_cpus, uint32_t spi_base, uint32_t spi_irs_range, uint32_t spi_range) "GICv5 IRS realized: IRS ID %u, %u CPUs, SPI base %u, SPI IRS range %u, SPI range %u"
diff --git a/include/hw/intc/arm_gicv5.h b/include/hw/intc/arm_gicv5.h
index fb13de0d01..b8baf003ad 100644
--- a/include/hw/intc/arm_gicv5.h
+++ b/include/hw/intc/arm_gicv5.h
@@ -37,6 +37,9 @@ struct GICv5 {
/* This is the info from IRS_IST_BASER and IRS_IST_CFGR */
GICv5ISTConfig phys_lpi_config[NUM_GICV5_DOMAINS];
+
+ /* We cache the HPPI for each CPU for each domain here */
+ GICv5PendingIrq *hppi[NUM_GICV5_DOMAINS];
};
struct GICv5Class {
diff --git a/include/hw/intc/arm_gicv5_stream.h b/include/hw/intc/arm_gicv5_stream.h
index 7b5477c7f1..13b343504d 100644
--- a/include/hw/intc/arm_gicv5_stream.h
+++ b/include/hw/intc/arm_gicv5_stream.h
@@ -151,4 +151,28 @@ void gicv5_set_target(GICv5Common *cs, uint32_t id, uint32_t iaffid,
uint64_t gicv5_request_config(GICv5Common *cs, uint32_t id, GICv5Domain domain,
GICv5IntType type, bool virtual);
+/**
+ * gicv5_forward_interrupt
+ * @cpu: CPU interface to forward interrupt to
+ * @domain: domain this interrupt is for
+ *
+ * Tell the CPU interface that the highest priority pending interrupt
+ * that the IRS has available for it has changed.
+ * This is the equivalent of the stream protocol's Forward packet,
+ * and also of its Recall packet.
+ *
+ * The stream protocol makes this asynchronous, allowing two
+ * Forward packets to be in flight and requiring an acknowledge,
+ * because the cpuif might be about to activate the previous
+ * forwarded interrupt while we are trying to tell it about a new
+ * one. But for QEMU we hold the BQL, so we know the vcpu might be
+ * executing guest code but it cannot be in the middle of changing
+ * cpuif state. So we can just synchronously tell it that a new
+ * HPPI exists (which might cause it to assert IRQ or FIQ to itself);
+ * this works as if the cpuif gave us a Release for the old HPPI.
+ * The cpuif will ask the IRS for the HPPI info via a function
+ * call, so we do not need to pass it across here.
+ */
+void gicv5_forward_interrupt(ARMCPU *cpu, GICv5Domain domain);
+
#endif
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 48cf14b4d0..2f6827dc13 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -157,6 +157,15 @@ static void gic_recalc_ppi_hppi(CPUARMState *env)
}
}
+void gicv5_forward_interrupt(ARMCPU *cpu, GICv5Domain domain)
+{
+ /*
+ * For now, we do nothing. Later we will recalculate the overall
+ * HPPI by combining the IRS HPPI with the PPI HPPI, and possibly
+ * signal IRQ/FIQ.
+ */
+}
+
static void gic_cddis_write(CPUARMState *env, const ARMCPRegInfo *ri,
uint64_t value)
{
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 42/65] hw/intc/arm_gicv5: Calculate HPPI in the IRS
2026-02-23 17:01 ` [PATCH 42/65] hw/intc/arm_gicv5: Calculate HPPI in the IRS Peter Maydell
@ 2026-03-11 16:59 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 16:59 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:49 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The IRS is required to present the highest priority pending interrupt
> that it has for each domain for each cpu interface. We implement
> this in the irs_recalc_hppi() function, which we call at every point
> where some relevant IRS state changes.
>
> This function calls gicv5_forward_interrupt() to do the equivalent of
> the GICv5 stream protocol Forward and Recall commands. For the
> moment we simply record the HPPI on the CPU interface side without
> trying to process it; the handling of the HPPI in the cpuif will be
> added in subsequent commits.
>
> There are some cases where we could skip doing the full HPPI
> recalculation, e.g. when the guest changes the config of an
> interrupt that is disabled; we expect that the guest will only do
> interrupt config at startup, so we don't attempt to optimise this.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 43/65] target/arm: GICv5 cpuif: Implement ICC_CR0_EL1
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (41 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 42/65] hw/intc/arm_gicv5: Calculate HPPI in the IRS Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 17:01 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 44/65] target/arm: GICv5 cpuif: Implement ICC_PCR_EL1 Peter Maydell
` (22 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement ICC_CR0_EL1, which is the main control register. This is
banked between interrupt domains in the same way as ICC_APR_*.
The GICv5 spec assumes that typically there will need to be a
hardware handshake between the CPU and the IRS, which is kicked off
by guest software setting a LINK bit in this register to bring the
link between the two online. However it is permitted to have an
implementation where the link is permanently up. We take advantage
of this, so our LINK and LINK_IDLE bits are read-only and always 1.
This means the only interesting bit in this register for us is the
main enable bit: when disabled for a domain, the cpuif considers that
there is never an available highest priority interrupt.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/cpu.h | 1 +
target/arm/tcg/gicv5-cpuif.c | 44 ++++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index e0a7d02386..1263841a1d 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -605,6 +605,7 @@ typedef struct CPUArchState {
/* GICv5 CPU interface data */
uint64_t icc_icsr_el1;
uint64_t icc_apr[NUM_GICV5_DOMAINS];
+ uint64_t icc_cr0[NUM_GICV5_DOMAINS];
/* Most PPI registers have 1 bit per PPI, so 64 PPIs to a register */
uint64_t ppi_active[GICV5_NUM_PPIS / 64];
uint64_t ppi_hm[GICV5_NUM_PPIS / 64];
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 2f6827dc13..5af9fdb1db 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -43,6 +43,12 @@ FIELD(ICC_IDR0_EL1, ID_BITS, 0, 4)
FIELD(ICC_IDR0_EL1, PRI_BITS, 4, 4)
FIELD(ICC_IDR0_EL1, GCIE_LEGACY, 8, 4)
+FIELD(ICC_CR0, EN, 0, 1)
+FIELD(ICC_CR0, LINK, 1, 1)
+FIELD(ICC_CR0, LINK_IDLE, 2, 1)
+FIELD(ICC_CR0, IPPT, 32, 6)
+FIELD(ICC_CR0, PID, 38, 1)
+
/*
* We implement 24 bits of interrupt ID, the mandated 5 bits of priority,
* and no legacy GICv3.3 vcpu interface (yet)
@@ -346,6 +352,37 @@ static uint64_t gic_icc_hapr_el1_read(CPUARMState *env, const ARMCPRegInfo *ri)
return gic_running_prio(env, gicv5_current_phys_domain(env));
}
+/* ICC_CR0_EL1 is also banked */
+static uint64_t gic_icc_cr0_el1_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+ GICv5Domain domain = gicv5_logical_domain(env);
+ return env->gicv5_cpuif.icc_cr0[domain];
+}
+
+static void gic_icc_cr0_el1_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ /*
+ * For our implementation the link to the IRI is always connected,
+ * so LINK and LINK_IDLE are always 1. Without EL3, PID and IPPT
+ * are RAZ/WI, so the only writeable bit is the main enable bit EN.
+ */
+ GICv5Domain domain = gicv5_logical_domain(env);
+ value &= R_ICC_CR0_EN_MASK;
+ value |= R_ICC_CR0_LINK_MASK | R_ICC_CR0_LINK_IDLE_MASK;
+
+ env->gicv5_cpuif.icc_cr0[domain] = value;
+}
+
+static void gic_icc_cr0_el1_reset(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+ /* The link is always connected so we reset with LINK and LINK_IDLE set */
+ for (int i = 0; i < ARRAY_SIZE(env->gicv5_cpuif.icc_cr0); i++) {
+ env->gicv5_cpuif.icc_cr0[i] =
+ R_ICC_CR0_LINK_MASK | R_ICC_CR0_LINK_IDLE_MASK;
+ }
+}
+
static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
/*
* Barrier: wait until the effects of a cpuif system register
@@ -504,6 +541,13 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.writefn = gic_icc_apr_el1_write,
.resetfn = gic_icc_apr_el1_reset,
},
+ { .name = "ICC_CR0_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 1, .crn = 12, .crm = 0, .opc2 = 1,
+ .access = PL1_RW, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .readfn = gic_icc_cr0_el1_read,
+ .writefn = gic_icc_cr0_el1_write,
+ .resetfn = gic_icc_cr0_el1_reset,
+ },
{ .name = "ICC_HAPR_EL1", .state = ARM_CP_STATE_AA64,
.opc0 = 3, .opc1 = 1, .crn = 12, .crm = 0, .opc2 = 3,
.access = PL1_R, .type = ARM_CP_IO | ARM_CP_NO_RAW,
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 43/65] target/arm: GICv5 cpuif: Implement ICC_CR0_EL1
2026-02-23 17:01 ` [PATCH 43/65] target/arm: GICv5 cpuif: Implement ICC_CR0_EL1 Peter Maydell
@ 2026-03-11 17:01 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 17:01 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:50 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement ICC_CR0_EL1, which is the main control register. This is
> banked between interrupt domains in the same way as ICC_APR_*.
>
> The GICv5 spec assumes that typically there will need to be a
> hardware handshake between the CPU and the IRS, which is kicked off
> by guest software setting a LINK bit in this register to bring the
> link between the two online. However it is permitted to have an
> implementation where the link is permanently up. We take advantage
> of this, so our LINK and LINK_IDLE bits are read-only and always 1.
>
> This means the only interesting bit in this register for us is the
> main enable bit: when disabled for a domain, the cpuif considers that
> there is never an available highest priority interrupt.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 44/65] target/arm: GICv5 cpuif: Implement ICC_PCR_EL1
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (42 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 43/65] target/arm: GICv5 cpuif: Implement ICC_CR0_EL1 Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 17:04 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 45/65] target/arm: GICv5 cpuif: Implement ICC_HPPIR_EL1 Peter Maydell
` (21 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the ICC_PCR_* registers. These hold the physical priority
mask for each interrupt domain -- an HPPI is only sufficientyl high
priority to preempt if it is higher priority than this mask value.
Here we just implement the access to this data.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/cpu.h | 1 +
target/arm/tcg/gicv5-cpuif.c | 31 +++++++++++++++++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 1263841a1d..651fccd59b 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -606,6 +606,7 @@ typedef struct CPUArchState {
uint64_t icc_icsr_el1;
uint64_t icc_apr[NUM_GICV5_DOMAINS];
uint64_t icc_cr0[NUM_GICV5_DOMAINS];
+ uint64_t icc_pcr[NUM_GICV5_DOMAINS];
/* Most PPI registers have 1 bit per PPI, so 64 PPIs to a register */
uint64_t ppi_active[GICV5_NUM_PPIS / 64];
uint64_t ppi_hm[GICV5_NUM_PPIS / 64];
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 5af9fdb1db..45ef80ca87 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -49,6 +49,8 @@ FIELD(ICC_CR0, LINK_IDLE, 2, 1)
FIELD(ICC_CR0, IPPT, 32, 6)
FIELD(ICC_CR0, PID, 38, 1)
+FIELD(ICC_PCR, PRIORITY, 0, 5)
+
/*
* We implement 24 bits of interrupt ID, the mandated 5 bits of priority,
* and no legacy GICv3.3 vcpu interface (yet)
@@ -383,6 +385,28 @@ static void gic_icc_cr0_el1_reset(CPUARMState *env, const ARMCPRegInfo *ri)
}
}
+static uint64_t gic_icc_pcr_el1_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+ GICv5Domain domain = gicv5_logical_domain(env);
+ return env->gicv5_cpuif.icc_pcr[domain];
+}
+
+static void gic_icc_pcr_el1_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ GICv5Domain domain = gicv5_logical_domain(env);
+
+ value &= R_ICC_PCR_PRIORITY_MASK;
+ env->gicv5_cpuif.icc_pcr[domain] = value;
+}
+
+static void gic_icc_pcr_el1_reset(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+ for (int i = 0; i < ARRAY_SIZE(env->gicv5_cpuif.icc_pcr); i++) {
+ env->gicv5_cpuif.icc_pcr[i] = 0;
+ }
+}
+
static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
/*
* Barrier: wait until the effects of a cpuif system register
@@ -548,6 +572,13 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.writefn = gic_icc_cr0_el1_write,
.resetfn = gic_icc_cr0_el1_reset,
},
+ { .name = "ICC_PCR_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 1, .crn = 12, .crm = 0, .opc2 = 2,
+ .access = PL1_RW, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .readfn = gic_icc_pcr_el1_read,
+ .writefn = gic_icc_pcr_el1_write,
+ .resetfn = gic_icc_pcr_el1_reset,
+ },
{ .name = "ICC_HAPR_EL1", .state = ARM_CP_STATE_AA64,
.opc0 = 3, .opc1 = 1, .crn = 12, .crm = 0, .opc2 = 3,
.access = PL1_R, .type = ARM_CP_IO | ARM_CP_NO_RAW,
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 44/65] target/arm: GICv5 cpuif: Implement ICC_PCR_EL1
2026-02-23 17:01 ` [PATCH 44/65] target/arm: GICv5 cpuif: Implement ICC_PCR_EL1 Peter Maydell
@ 2026-03-11 17:04 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 17:04 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:51 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement the ICC_PCR_* registers. These hold the physical priority
> mask for each interrupt domain -- an HPPI is only sufficientyl high
sufficiently
> priority to preempt if it is higher priority than this mask value.
> Here we just implement the access to this data.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 45/65] target/arm: GICv5 cpuif: Implement ICC_HPPIR_EL1
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (43 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 44/65] target/arm: GICv5 cpuif: Implement ICC_PCR_EL1 Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 17:14 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 46/65] hw/intc/arm_gicv5: Implement Activate command Peter Maydell
` (20 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement ICC_HPPIR_EL1, which the guest can use to read the current
highest priority pending interrupt. Like APR, PCR and CR0, this is
banked, with the _EL1 register reading the answer for the current
logical interrupt domain, and the _EL3 register reading the answer
for the EL3 interrupt domain.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 11 ++++++
include/hw/intc/arm_gicv5_stream.h | 14 +++++++
target/arm/tcg/gicv5-cpuif.c | 62 ++++++++++++++++++++++++++++++
3 files changed, 87 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 070d414d67..6cb81123e5 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -527,6 +527,17 @@ static void irs_recall_hppis(GICv5 *s, GICv5Domain domain)
}
}
+GICv5PendingIrq gicv5_get_hppi(GICv5Common *cs, GICv5Domain domain,
+ uint32_t iaffid)
+{
+ GICv5 *s = ARM_GICV5(cs);
+
+ int cpuidx = irs_cpuidx_from_iaffid(cs, iaffid);
+
+ assert(cpuidx >= 0);
+ return s->hppi[domain][cpuidx];
+}
+
static hwaddr l1_iste_addr(GICv5Common *cs, const GICv5ISTConfig *cfg,
uint32_t id)
{
diff --git a/include/hw/intc/arm_gicv5_stream.h b/include/hw/intc/arm_gicv5_stream.h
index 13b343504d..6850f03b74 100644
--- a/include/hw/intc/arm_gicv5_stream.h
+++ b/include/hw/intc/arm_gicv5_stream.h
@@ -175,4 +175,18 @@ uint64_t gicv5_request_config(GICv5Common *cs, uint32_t id, GICv5Domain domain,
*/
void gicv5_forward_interrupt(ARMCPU *cpu, GICv5Domain domain);
+/**
+ * gicv5_get_hppi
+ * @cs: GIC IRS to query
+ * @domain: interrupt domain to act on
+ * @iaffid: IAFFID of this CPU interface
+ *
+ * Ask the IRS for the highest priority pending interrupt
+ * that it has for this CPU. This returns the equivalent of what in the
+ * stream protocol is the outstanding interrupt sent with
+ * a Forward packet.
+ */
+GICv5PendingIrq gicv5_get_hppi(GICv5Common *cs, GICv5Domain domain,
+ uint32_t iaffid);
+
#endif
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 45ef80ca87..adb4d2018f 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -51,6 +51,10 @@ FIELD(ICC_CR0, PID, 38, 1)
FIELD(ICC_PCR, PRIORITY, 0, 5)
+FIELD(ICC_HPPIR_EL1, ID, 0, 24)
+FIELD(ICC_HPPIR_EL1, TYPE, 29, 3)
+FIELD(ICC_HPPIR_EL1, HPPIV, 32, 1)
+
/*
* We implement 24 bits of interrupt ID, the mandated 5 bits of priority,
* and no legacy GICv3.3 vcpu interface (yet)
@@ -114,6 +118,52 @@ static uint64_t gic_running_prio(CPUARMState *env, GICv5Domain domain)
return hap < 32 ? hap : PRIO_IDLE;
}
+static GICv5PendingIrq gic_hppi(CPUARMState *env, GICv5Domain domain)
+{
+ /*
+ * Return the current highest priority pending
+ * interrupt for the specified domain, if it has sufficient
+ * priority to preempt. The intid field of the return value
+ * will be in the format of the ICC_HPPIR register (and will
+ * be zero if and only if there is no interrupt that can preempt).
+ */
+
+ GICv5Common *gic = gicv5_get_gic(env);
+ GICv5PendingIrq best;
+ GICv5PendingIrq irs_hppi;
+
+ if (!(env->gicv5_cpuif.icc_cr0[domain] & R_ICC_CR0_EN_MASK)) {
+ /* If cpuif is disabled there is no HPPI */
+ return (GICv5PendingIrq) { .intid = 0, .prio = PRIO_IDLE };
+ }
+
+ irs_hppi = gicv5_get_hppi(gic, domain, env->gicv5_iaffid);
+
+ /*
+ * If the best PPI and the best interrupt from the IRS have the
+ * same priority, it's IMPDEF which we pick (R_VVBPS). We choose
+ * the PPI.
+ */
+ if (env->gicv5_cpuif.ppi_hppi[domain].prio <= irs_hppi.prio) {
+ best = env->gicv5_cpuif.ppi_hppi[domain];
+ } else {
+ best = irs_hppi;
+ }
+
+ /*
+ * D_MSQKF: an interrupt has sufficient priority if its priority
+ * is higher than the current running priority and equal to or
+ * higher than the priority mask.
+ */
+ if (best.prio == PRIO_IDLE ||
+ best.prio > env->gicv5_cpuif.icc_pcr[domain] ||
+ best.prio >= gic_running_prio(env, domain)) {
+ return (GICv5PendingIrq) { .intid = 0, .prio = PRIO_IDLE };
+ }
+ best.intid |= R_ICC_HPPIR_EL1_HPPIV_MASK;
+ return best;
+}
+
static void gic_recalc_ppi_hppi(CPUARMState *env)
{
/*
@@ -407,6 +457,13 @@ static void gic_icc_pcr_el1_reset(CPUARMState *env, const ARMCPRegInfo *ri)
}
}
+static uint64_t gic_icc_hppir_el1_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+ GICv5Domain domain = gicv5_logical_domain(env);
+ GICv5PendingIrq hppi = gic_hppi(env, domain);
+ return hppi.intid;
+}
+
static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
/*
* Barrier: wait until the effects of a cpuif system register
@@ -522,6 +579,11 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.fieldoffset = offsetof(CPUARMState, gicv5_cpuif.ppi_hm[1]),
.resetvalue = PPI_HMR1_RESET,
},
+ { .name = "ICC_HPPIR_EL1", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 10, .opc2 = 3,
+ .access = PL1_R, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .readfn = gic_icc_hppir_el1_read,
+ },
{ .name = "ICC_PPI_ENABLER0_EL1", .state = ARM_CP_STATE_AA64,
.opc0 = 3, .opc1 = 0, .crn = 12, .crm = 10, .opc2 = 6,
.access = PL1_RW, .type = ARM_CP_IO | ARM_CP_NO_RAW,
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 45/65] target/arm: GICv5 cpuif: Implement ICC_HPPIR_EL1
2026-02-23 17:01 ` [PATCH 45/65] target/arm: GICv5 cpuif: Implement ICC_HPPIR_EL1 Peter Maydell
@ 2026-03-11 17:14 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 17:14 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:52 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement ICC_HPPIR_EL1, which the guest can use to read the current
> highest priority pending interrupt. Like APR, PCR and CR0, this is
> banked, with the _EL1 register reading the answer for the current
> logical interrupt domain, and the _EL3 register reading the answer
> for the EL3 interrupt domain.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Few formatting things...
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> ---
> hw/intc/arm_gicv5.c | 11 ++++++
> include/hw/intc/arm_gicv5_stream.h | 14 +++++++
> target/arm/tcg/gicv5-cpuif.c | 62 ++++++++++++++++++++++++++++++
> 3 files changed, 87 insertions(+)
>
> diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
> index 070d414d67..6cb81123e5 100644
> --- a/hw/intc/arm_gicv5.c
> +++ b/hw/intc/arm_gicv5.c
> @@ -527,6 +527,17 @@ static void irs_recall_hppis(GICv5 *s, GICv5Domain domain)
> }
> }
>
> +GICv5PendingIrq gicv5_get_hppi(GICv5Common *cs, GICv5Domain domain,
> + uint32_t iaffid)
> +{
> + GICv5 *s = ARM_GICV5(cs);
> +
Why the blank line?
> + int cpuidx = irs_cpuidx_from_iaffid(cs, iaffid);
> +
> + assert(cpuidx >= 0);
> + return s->hppi[domain][cpuidx];
> +}
> +
> static hwaddr l1_iste_addr(GICv5Common *cs, const GICv5ISTConfig *cfg,
> uint32_t id)
> {
> diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
> index 45ef80ca87..adb4d2018f 100644
> --- a/target/arm/tcg/gicv5-cpuif.c
> +++ b/target/arm/tcg/gicv5-cpuif.c
> /*
> * We implement 24 bits of interrupt ID, the mandated 5 bits of priority,
> * and no legacy GICv3.3 vcpu interface (yet)
> @@ -114,6 +118,52 @@ static uint64_t gic_running_prio(CPUARMState *env, GICv5Domain domain)
> return hap < 32 ? hap : PRIO_IDLE;
> }
>
> +static GICv5PendingIrq gic_hppi(CPUARMState *env, GICv5Domain domain)
> +{
> + /*
> + * Return the current highest priority pending
rewrap
> + * interrupt for the specified domain, if it has sufficient
> + * priority to preempt. The intid field of the return value
> + * will be in the format of the ICC_HPPIR register (and will
> + * be zero if and only if there is no interrupt that can preempt).
> + */
> +
> + GICv5Common *gic = gicv5_get_gic(env);
> + GICv5PendingIrq best;
> + GICv5PendingIrq irs_hppi;
Maybe just one line?
> +
> + if (!(env->gicv5_cpuif.icc_cr0[domain] & R_ICC_CR0_EN_MASK)) {
> + /* If cpuif is disabled there is no HPPI */
> + return (GICv5PendingIrq) { .intid = 0, .prio = PRIO_IDLE };
> + }
> +
> + irs_hppi = gicv5_get_hppi(gic, domain, env->gicv5_iaffid);
> +
> + /*
> + * If the best PPI and the best interrupt from the IRS have the
> + * same priority, it's IMPDEF which we pick (R_VVBPS). We choose
> + * the PPI.
> + */
> + if (env->gicv5_cpuif.ppi_hppi[domain].prio <= irs_hppi.prio) {
> + best = env->gicv5_cpuif.ppi_hppi[domain];
> + } else {
> + best = irs_hppi;
> + }
> +
> + /*
> + * D_MSQKF: an interrupt has sufficient priority if its priority
> + * is higher than the current running priority and equal to or
> + * higher than the priority mask.
> + */
> + if (best.prio == PRIO_IDLE ||
> + best.prio > env->gicv5_cpuif.icc_pcr[domain] ||
> + best.prio >= gic_running_prio(env, domain)) {
> + return (GICv5PendingIrq) { .intid = 0, .prio = PRIO_IDLE };
> + }
> + best.intid |= R_ICC_HPPIR_EL1_HPPIV_MASK;
> + return best;
> +}
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 46/65] hw/intc/arm_gicv5: Implement Activate command
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (44 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 45/65] target/arm: GICv5 cpuif: Implement ICC_HPPIR_EL1 Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 17:22 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 47/65] target/arm: GICv5 cpuif: Implement GICR CDIA command Peter Maydell
` (19 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the equivalent of the GICv5 stream protocol's Activate
command, which lets the cpuif tell the IRS to move its current
highest priority pending interrupt into the Active state, and to
clear the Pending state for an Edge handling mode interrupt.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 52 ++++++++++++++++++++++++++++++
hw/intc/trace-events | 1 +
include/hw/intc/arm_gicv5_stream.h | 23 +++++++++++++
3 files changed, 76 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 6cb81123e5..6636a66976 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -1061,6 +1061,58 @@ uint64_t gicv5_request_config(GICv5Common *cs, uint32_t id, GICv5Domain domain,
return icsr;
}
+void gicv5_activate(GICv5Common *cs, uint32_t id, GICv5Domain domain,
+ GICv5IntType type, bool virtual)
+{
+ const GICv5ISTConfig *cfg;
+ GICv5 *s = ARM_GICV5(cs);
+ uint32_t *l2_iste_p;
+ L2_ISTE_Handle h;
+ uint32_t iaffid;
+
+ trace_gicv5_activate(domain_name[domain], inttype_name(type), virtual, id);
+
+ if (virtual) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_activate: tried to "
+ "activate a virtual interrupt\n");
+ return;
+ }
+ if (type == GICV5_SPI) {
+ GICv5SPIState *spi = gicv5_spi_state(cs, id, domain);
+
+ if (!spi) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_activate: tried to "
+ "activate unreachable SPI %d\n", id);
+ return;
+ }
+
+ spi->active = true;
+ if (spi->hm == GICV5_EDGE) {
+ spi->pending = false;
+ }
+ irs_recalc_hppi(s, domain, spi->iaffid);
+ return;
+ }
+ if (type != GICV5_LPI) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_activate: tried to "
+ "activate bad interrupt type %d\n", type);
+ return;
+ }
+ cfg = &s->phys_lpi_config[domain];
+ l2_iste_p = get_l2_iste(cs, cfg, id, &h);
+ if (!l2_iste_p) {
+ return;
+ }
+ *l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, ACTIVE, true);
+ if (FIELD_EX32(*l2_iste_p, L2_ISTE, HM) == GICV5_EDGE) {
+ *l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, PENDING, false);
+ }
+ iaffid = FIELD_EX32(*l2_iste_p, L2_ISTE, IAFFID);
+ put_l2_iste(cs, cfg, &h);
+
+ irs_recalc_hppi(s, domain, iaffid);
+}
+
static void irs_map_l2_istr_write(GICv5 *s, GICv5Domain domain, uint64_t value)
{
GICv5Common *cs = ARM_GICV5_COMMON(s);
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index 6475ba5959..636c598970 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -241,6 +241,7 @@ gicv5_set_pending(const char *domain, const char *type, bool virtual, uint32_t i
gicv5_set_handling(const char *domain, const char *type, bool virtual, uint32_t id, int handling) "GICv5 IRS SetHandling %s %s virtual:%d ID %u handling %d"
gicv5_set_target(const char *domain, const char *type, bool virtual, uint32_t id, uint32_t iaffid, int irm) "GICv5 IRS SetTarget %s %s virtual:%d ID %u IAFFID %u routingmode %d"
gicv5_request_config(const char *domain, const char *type, bool virtual, uint32_t id, uint64_t icsr) "GICv5 IRS RequestConfig %s %s virtual:%d ID %u ICSR 0x%" PRIx64
+gicv5_activate(const char *domain, const char *type, bool virtual, uint32_t id) "GICv5 IRS Activate %s %s virtual:%d ID %u"
gicv5_spi_state(uint32_t spi_id, bool level, bool pending, bool active) "GICv5 IRS SPI ID %u now level %d pending %d active %d"
gicv5_irs_recalc_hppi_fail(const char *domain, uint32_t iaffid, const char *reason) "GICv5 IRS %s IAFFID %u: no HPPI: %s"
gicv5_irs_recalc_hppi(const char *domain, uint32_t iaffid, uint32_t id, uint8_t prio) "GICv5 IRS %s IAFFID %u: new HPPI ID 0x%x prio %u"
diff --git a/include/hw/intc/arm_gicv5_stream.h b/include/hw/intc/arm_gicv5_stream.h
index 6850f03b74..7adb53c86d 100644
--- a/include/hw/intc/arm_gicv5_stream.h
+++ b/include/hw/intc/arm_gicv5_stream.h
@@ -151,6 +151,29 @@ void gicv5_set_target(GICv5Common *cs, uint32_t id, uint32_t iaffid,
uint64_t gicv5_request_config(GICv5Common *cs, uint32_t id, GICv5Domain domain,
GICv5IntType type, bool virtual);
+/**
+ * gicv5_activate
+ * @cs: GIC IRS to send command to
+ * @id: interrupt ID
+ * @domain: interrupt domain to act on
+ * @type: interrupt type (LPI or SPI)
+ * @virtual: true if this is a virtual interrupt
+ *
+ * Activate the IRS's highest priority pending interrupt; matches
+ * the stream interface's Activate command.
+ *
+ * In the stream interface, the command has only the domain
+ * and virtual fields, because both the IRS and the CPUIF keep
+ * track of the IRS's current HPPI. In QEMU, we also have arguments
+ * here for @id and @type which are telling the IRS something that
+ * in hardware it already knows. This is because we have them to
+ * hand in the cpuif code, and it means we don't need to pass in
+ * an iaffid argument to tell the IRS which CPU we are so it can
+ * find the right element in its hppi[][] array.
+ */
+void gicv5_activate(GICv5Common *cs, uint32_t id, GICv5Domain domain,
+ GICv5IntType type, bool virtual);
+
/**
* gicv5_forward_interrupt
* @cpu: CPU interface to forward interrupt to
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 46/65] hw/intc/arm_gicv5: Implement Activate command
2026-02-23 17:01 ` [PATCH 46/65] hw/intc/arm_gicv5: Implement Activate command Peter Maydell
@ 2026-03-11 17:22 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 17:22 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:53 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement the equivalent of the GICv5 stream protocol's Activate
> command, which lets the cpuif tell the IRS to move its current
> highest priority pending interrupt into the Active state, and to
> clear the Pending state for an Edge handling mode interrupt.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Similar thing to earlier on whether a switch(type) would be neater, but
otherwise LGTM
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 47/65] target/arm: GICv5 cpuif: Implement GICR CDIA command
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (45 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 46/65] hw/intc/arm_gicv5: Implement Activate command Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 17:28 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 48/65] target/arm: GICv5 cpuif: Implement GIC CDEOI Peter Maydell
` (18 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The GICR CDIA system instruction is what the guest uses to
acknowledge the highest priority pending interrupt. It returns a
value corresponding to the HPPI for the current physical interrupt
domain, if any, and moves that interrupt to being Active.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/tcg/gicv5-cpuif.c | 102 +++++++++++++++++++++++++++++++++++
target/arm/tcg/trace-events | 2 +
2 files changed, 104 insertions(+)
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index adb4d2018f..d32263a5b7 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -39,6 +39,10 @@ FIELD(GIC_CDHM, HM, 32, 1)
FIELD(GIC_CDRCFG, ID, 0, 24)
FIELD(GIC_CDRCFG, TYPE, 29, 3)
+FIELD(GICR_CDIA, ID, 0, 24)
+FIELD(GICR_CDIA, TYPE, 29, 3)
+FIELD(GICR_CDIA, VALID, 32, 1)
+
FIELD(ICC_IDR0_EL1, ID_BITS, 0, 4)
FIELD(ICC_IDR0_EL1, PRI_BITS, 4, 4)
FIELD(ICC_IDR0_EL1, GCIE_LEGACY, 8, 4)
@@ -464,6 +468,94 @@ static uint64_t gic_icc_hppir_el1_read(CPUARMState *env, const ARMCPRegInfo *ri)
return hppi.intid;
}
+static bool gic_hppi_is_nmi(CPUARMState *env, GICv5PendingIrq hppi,
+ GICv5Domain domain)
+{
+ /*
+ * For GICv5 an interrupt is an NMI if it is signaled with
+ * Superpriority and SCTLR_ELx.NMI for the current EL is 1.
+ * GICR CDIA/CDNMIA always work on the current interrupt domain,
+ * so we do not need to consider preemptive interrupts. This
+ * means that the interrupt has Superpriority if and only if it
+ * has priority 0.
+ */
+ return hppi.prio == 0 && arm_sctlr(env, arm_current_el(env)) & SCTLR_NMI;
+}
+
+static uint64_t gicr_cdia_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+ /* Acknowledge HPPI in the current interrupt domain */
+ GICv5Common *gic = gicv5_get_gic(env);
+ GICv5Domain domain = gicv5_current_phys_domain(env);
+ GICv5PendingIrq hppi = gic_hppi(env, domain);
+ GICv5IntType type = FIELD_EX64(hppi.intid, INTID, TYPE);
+ uint32_t id = FIELD_EX64(hppi.intid, INTID, ID);
+
+ bool cdnmia = ri->opc2 == 1;
+
+ if (!hppi.intid) {
+ /* No interrupt available to acknowledge */
+ trace_gicv5_gicr_cdia_fail(domain,
+ "no available interrupt to acknowledge");
+ return 0;
+ }
+ assert(hppi.prio != PRIO_IDLE);
+
+ if (gic_hppi_is_nmi(env, hppi, domain) != cdnmia) {
+ /* GICR CDIA only acknowledges non-NMI; GICR CDNMIA only NMI */
+ trace_gicv5_gicr_cdia_fail(domain,
+ cdnmia ? "CDNMIA but HPPI is not NMI" :
+ "CDIA but HPPI is NMI");
+ return 0;
+ }
+
+ trace_gicv5_gicr_cdia(domain, hppi.intid);
+
+ /*
+ * The interrupt becomes Active. If the handling mode of the
+ * interrupt is Edge then we also clear the pending state.
+ */
+
+ /*
+ * Set the appropriate bit in the APR to track active priorities.
+ * We do this now so that when gic_recalc_ppi_hppi() or
+ * gicv5_activate() cause a re-evaluation of HPPIs they
+ * use the right (new) running priority.
+ */
+ env->gicv5_cpuif.icc_apr[domain] |= (1 << hppi.prio);
+ switch (type) {
+ case GICV5_PPI:
+ {
+ uint32_t ppireg, ppibit;
+
+ assert(id < GICV5_NUM_PPIS);
+ ppireg = id / 64;
+ ppibit = 1 << (id % 64);
+
+ env->gicv5_cpuif.ppi_active[ppireg] |= ppibit;
+ if (!(env->gicv5_cpuif.ppi_hm[ppireg] & ppibit)) {
+ /* handling mode is Edge: clear pending */
+ env->gicv5_cpuif.ppi_pend[ppireg] &= ~ppibit;
+ }
+ gic_recalc_ppi_hppi(env);
+ break;
+ }
+ case GICV5_LPI:
+ case GICV5_SPI:
+ /*
+ * Send an Activate command to the IRS, which, despite the name
+ * of the stream command, does both "set Active" and "maybe set
+ * not Pending" as a single atomic action.
+ */
+ gicv5_activate(gic, id, domain, type, false);
+ break;
+ default:
+ g_assert_not_reached();
+ }
+
+ return hppi.intid | R_GICR_CDIA_VALID_MASK;
+}
+
static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
/*
* Barrier: wait until the effects of a cpuif system register
@@ -521,6 +613,16 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
.writefn = gic_cdhm_write,
},
+ { .name = "GICR_CDIA", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 12, .crm = 3, .opc2 = 0,
+ .access = PL1_R, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .readfn = gicr_cdia_read,
+ },
+ { .name = "GICR_CDNMIA", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 12, .crm = 3, .opc2 = 1,
+ .access = PL1_R, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .readfn = gicr_cdia_read,
+ },
{ .name = "ICC_IDR0_EL1", .state = ARM_CP_STATE_AA64,
.opc0 = 3, .opc1 = 0, .crn = 12, .crm = 10, .opc2 = 2,
.access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
diff --git a/target/arm/tcg/trace-events b/target/arm/tcg/trace-events
index 7dc5f781c5..13e15cfcfc 100644
--- a/target/arm/tcg/trace-events
+++ b/target/arm/tcg/trace-events
@@ -3,3 +3,5 @@
# gicv5-cpuif.c
gicv5_recalc_ppi_hppi(int domain, uint32_t id, uint8_t prio) "domain %d new PPI HPPI id 0x%x prio %u"
+gicv5_gicr_cdia_fail(int domain, const char *reason) "domain %d CDIA attempt failed: %s"
+gicv5_gicr_cdia(int domain, uint32_t id) "domain %d CDIA acknowledge of interrupt 0x%x"
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* [PATCH 48/65] target/arm: GICv5 cpuif: Implement GIC CDEOI
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (46 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 47/65] target/arm: GICv5 cpuif: Implement GICR CDIA command Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 17:32 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 49/65] hw/intc/arm_gicv5: Implement Deactivate command Peter Maydell
` (17 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the GIC CDEOI instruction, which performs a "priority
drop", clearing the highest set bit in the APR register.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/tcg/gicv5-cpuif.c | 21 +++++++++++++++++++++
target/arm/tcg/trace-events | 1 +
2 files changed, 22 insertions(+)
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index d32263a5b7..c830938bdc 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -556,6 +556,22 @@ static uint64_t gicr_cdia_read(CPUARMState *env, const ARMCPRegInfo *ri)
return hppi.intid | R_GICR_CDIA_VALID_MASK;
}
+static void gic_cdeoi_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ /*
+ * Perform Priority Drop in the current interrupt domain.
+ * This is just clearing the lowest set bit in the APR.
+ */
+ GICv5Domain domain = gicv5_current_phys_domain(env);
+ uint64_t *apr = &env->gicv5_cpuif.icc_apr[domain];
+
+ trace_gicv5_cdeoi(domain);
+
+ /* clear lowest bit, doing nothing if already zero */
+ *apr &= *apr - 1;
+}
+
static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
/*
* Barrier: wait until the effects of a cpuif system register
@@ -608,6 +624,11 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
.writefn = gic_cdrcfg_write,
},
+ { .name = "GIC_CDEOI", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 7,
+ .access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .writefn = gic_cdeoi_write,
+ },
{ .name = "GIC_CDHM", .state = ARM_CP_STATE_AA64,
.opc0 = 1, .opc1 = 0, .crn = 12, .crm = 2, .opc2 = 1,
.access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
diff --git a/target/arm/tcg/trace-events b/target/arm/tcg/trace-events
index 13e15cfcfc..fcb3106a96 100644
--- a/target/arm/tcg/trace-events
+++ b/target/arm/tcg/trace-events
@@ -5,3 +5,4 @@
gicv5_recalc_ppi_hppi(int domain, uint32_t id, uint8_t prio) "domain %d new PPI HPPI id 0x%x prio %u"
gicv5_gicr_cdia_fail(int domain, const char *reason) "domain %d CDIA attempt failed: %s"
gicv5_gicr_cdia(int domain, uint32_t id) "domain %d CDIA acknowledge of interrupt 0x%x"
+gicv5_cdeoi(int domain) "domain %d CDEOI performing priority drop"
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* [PATCH 49/65] hw/intc/arm_gicv5: Implement Deactivate command
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (47 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 48/65] target/arm: GICv5 cpuif: Implement GIC CDEOI Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 17:34 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 50/65] target/arm: GICv5 cpuif: Implement GIC CDDI Peter Maydell
` (16 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the equivalent of the GICv5 stream protocol's Deactivate
command, which lets the cpuif tell the IRS to deactivate the
specified interrupt.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv5.c | 46 ++++++++++++++++++++++++++++++
hw/intc/trace-events | 1 +
include/hw/intc/arm_gicv5_stream.h | 14 +++++++++
3 files changed, 61 insertions(+)
diff --git a/hw/intc/arm_gicv5.c b/hw/intc/arm_gicv5.c
index 6636a66976..0509a958ff 100644
--- a/hw/intc/arm_gicv5.c
+++ b/hw/intc/arm_gicv5.c
@@ -1113,6 +1113,52 @@ void gicv5_activate(GICv5Common *cs, uint32_t id, GICv5Domain domain,
irs_recalc_hppi(s, domain, iaffid);
}
+void gicv5_deactivate(GICv5Common *cs, uint32_t id, GICv5Domain domain,
+ GICv5IntType type, bool virtual)
+{
+ const GICv5ISTConfig *cfg;
+ GICv5 *s = ARM_GICV5(cs);
+ uint32_t *l2_iste_p;
+ L2_ISTE_Handle h;
+ uint32_t iaffid;
+
+ trace_gicv5_deactivate(domain_name[domain], inttype_name(type), virtual, id);
+
+ if (virtual) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_deactivate: tried to "
+ "deactivate a virtual interrupt\n");
+ return;
+ }
+ if (type == GICV5_SPI) {
+ GICv5SPIState *spi = gicv5_spi_state(cs, id, domain);
+
+ if (!spi) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_deactivate: tried to "
+ "deactivate unreachable SPI %d\n", id);
+ return;
+ }
+
+ spi->active = false;
+ irs_recalc_hppi(s, domain, spi->iaffid);
+ return;
+ }
+ if (type != GICV5_LPI) {
+ qemu_log_mask(LOG_GUEST_ERROR, "gicv5_deactivate: tried to "
+ "deactivate bad interrupt type %d\n", type);
+ return;
+ }
+ cfg = &s->phys_lpi_config[domain];
+ l2_iste_p = get_l2_iste(cs, cfg, id, &h);
+ if (!l2_iste_p) {
+ return;
+ }
+ *l2_iste_p = FIELD_DP32(*l2_iste_p, L2_ISTE, ACTIVE, false);
+ iaffid = FIELD_EX32(*l2_iste_p, L2_ISTE, IAFFID);
+ put_l2_iste(cs, cfg, &h);
+
+ irs_recalc_hppi(s, domain, iaffid);
+}
+
static void irs_map_l2_istr_write(GICv5 *s, GICv5Domain domain, uint64_t value)
{
GICv5Common *cs = ARM_GICV5_COMMON(s);
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index 636c598970..c6696f0e0a 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -242,6 +242,7 @@ gicv5_set_handling(const char *domain, const char *type, bool virtual, uint32_t
gicv5_set_target(const char *domain, const char *type, bool virtual, uint32_t id, uint32_t iaffid, int irm) "GICv5 IRS SetTarget %s %s virtual:%d ID %u IAFFID %u routingmode %d"
gicv5_request_config(const char *domain, const char *type, bool virtual, uint32_t id, uint64_t icsr) "GICv5 IRS RequestConfig %s %s virtual:%d ID %u ICSR 0x%" PRIx64
gicv5_activate(const char *domain, const char *type, bool virtual, uint32_t id) "GICv5 IRS Activate %s %s virtual:%d ID %u"
+gicv5_deactivate(const char *domain, const char *type, bool virtual, uint32_t id) "GICv5 IRS Deactivate %s %s virtual:%d ID %u"
gicv5_spi_state(uint32_t spi_id, bool level, bool pending, bool active) "GICv5 IRS SPI ID %u now level %d pending %d active %d"
gicv5_irs_recalc_hppi_fail(const char *domain, uint32_t iaffid, const char *reason) "GICv5 IRS %s IAFFID %u: no HPPI: %s"
gicv5_irs_recalc_hppi(const char *domain, uint32_t iaffid, uint32_t id, uint8_t prio) "GICv5 IRS %s IAFFID %u: new HPPI ID 0x%x prio %u"
diff --git a/include/hw/intc/arm_gicv5_stream.h b/include/hw/intc/arm_gicv5_stream.h
index 7adb53c86d..f6783cc6b5 100644
--- a/include/hw/intc/arm_gicv5_stream.h
+++ b/include/hw/intc/arm_gicv5_stream.h
@@ -212,4 +212,18 @@ void gicv5_forward_interrupt(ARMCPU *cpu, GICv5Domain domain);
GICv5PendingIrq gicv5_get_hppi(GICv5Common *cs, GICv5Domain domain,
uint32_t iaffid);
+/**
+ * gicv5_deactivate
+ * @cs: GIC IRS to send command to
+ * @id: interrupt ID
+ * @domain: interrupt Domain to act on
+ * @type: interrupt type (LPI or SPI)
+ * @virtual: true if this is a virtual interrupt
+ *
+ * Deactivate the specified interrupt. There is no report back
+ * of success/failure to the CPUIF in the protocol.
+ */
+void gicv5_deactivate(GICv5Common *cs, uint32_t id, GICv5Domain domain,
+ GICv5IntType type, bool virtual);
+
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* [PATCH 50/65] target/arm: GICv5 cpuif: Implement GIC CDDI
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (48 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 49/65] hw/intc/arm_gicv5: Implement Deactivate command Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 17:35 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 51/65] target/arm: GICv5 cpuif: Signal IRQ or FIQ Peter Maydell
` (15 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Implement the GIC CDDI system instruction, which deactivates the
specified interrupt.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/tcg/gicv5-cpuif.c | 49 ++++++++++++++++++++++++++++++++++++
target/arm/tcg/trace-events | 1 +
2 files changed, 50 insertions(+)
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index c830938bdc..02129d5936 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -17,6 +17,9 @@ FIELD(GIC_CDPRI, ID, 0, 24)
FIELD(GIC_CDPRI, TYPE, 29, 3)
FIELD(GIC_CDPRI, PRIORITY, 35, 5)
+FIELD(GIC_CDDI, ID, 0, 24)
+FIELD(GIC_CDDI, TYPE, 29, 3)
+
FIELD(GIC_CDDIS, ID, 0, 24)
FIELD(GIC_CDDIS, TYPE, 29, 3)
@@ -572,6 +575,47 @@ static void gic_cdeoi_write(CPUARMState *env, const ARMCPRegInfo *ri,
*apr &= *apr - 1;
}
+static void gic_cddi_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ uint64_t value)
+{
+ /*
+ * Clear the Active state of the specified interrupt
+ * in the current interrupt domain.
+ */
+ GICv5Common *gic = gicv5_get_gic(env);
+ GICv5Domain domain = gicv5_current_phys_domain(env);
+ GICv5IntType type = FIELD_EX64(value, GIC_CDDI, TYPE);
+ uint32_t id = FIELD_EX64(value, GIC_CDDI, ID);
+ bool virtual = false;
+
+ trace_gicv5_cddi(domain, value);
+
+ switch (type) {
+ case GICV5_PPI:
+ {
+ uint32_t ppireg, ppibit;
+
+ if (id >= GICV5_NUM_PPIS) {
+ break;
+ }
+
+ ppireg = id / 64;
+ ppibit = 1 << (id % 64);
+
+ env->gicv5_cpuif.ppi_active[ppireg] &= ~ppibit;
+ gic_recalc_ppi_hppi(env);
+ break;
+ }
+ case GICV5_LPI:
+ case GICV5_SPI:
+ /* Tell the IRS to deactivate this interrupt */
+ gicv5_deactivate(gic, id, domain, type, virtual);
+ break;
+ default:
+ break;
+ }
+}
+
static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
/*
* Barrier: wait until the effects of a cpuif system register
@@ -629,6 +673,11 @@ static const ARMCPRegInfo gicv5_cpuif_reginfo[] = {
.access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
.writefn = gic_cdeoi_write,
},
+ { .name = "GIC_CDDI", .state = ARM_CP_STATE_AA64,
+ .opc0 = 1, .opc1 = 0, .crn = 12, .crm = 2, .opc2 = 0,
+ .access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
+ .writefn = gic_cddi_write,
+ },
{ .name = "GIC_CDHM", .state = ARM_CP_STATE_AA64,
.opc0 = 1, .opc1 = 0, .crn = 12, .crm = 2, .opc2 = 1,
.access = PL1_W, .type = ARM_CP_IO | ARM_CP_NO_RAW,
diff --git a/target/arm/tcg/trace-events b/target/arm/tcg/trace-events
index fcb3106a96..c60ce6834e 100644
--- a/target/arm/tcg/trace-events
+++ b/target/arm/tcg/trace-events
@@ -6,3 +6,4 @@ gicv5_recalc_ppi_hppi(int domain, uint32_t id, uint8_t prio) "domain %d new PPI
gicv5_gicr_cdia_fail(int domain, const char *reason) "domain %d CDIA attempt failed: %s"
gicv5_gicr_cdia(int domain, uint32_t id) "domain %d CDIA acknowledge of interrupt 0x%x"
gicv5_cdeoi(int domain) "domain %d CDEOI performing priority drop"
+gicv5_cddi(int domain, uint32_t id) "domain %d CDDI deactivating interrupt ID 0x%x"
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 50/65] target/arm: GICv5 cpuif: Implement GIC CDDI
2026-02-23 17:01 ` [PATCH 50/65] target/arm: GICv5 cpuif: Implement GIC CDDI Peter Maydell
@ 2026-03-11 17:35 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 17:35 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:57 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Implement the GIC CDDI system instruction, which deactivates the
> specified interrupt.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> ---
> target/arm/tcg/gicv5-cpuif.c | 49 ++++++++++++++++++++++++++++++++++++
> target/arm/tcg/trace-events | 1 +
> 2 files changed, 50 insertions(+)
>
> diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
> index c830938bdc..02129d5936 100644
> --- a/target/arm/tcg/gicv5-cpuif.c
> +++ b/target/arm/tcg/gicv5-cpuif.c
> +static void gic_cddi_write(CPUARMState *env, const ARMCPRegInfo *ri,
> + uint64_t value)
> +{
> + /*
> + * Clear the Active state of the specified interrupt
> + * in the current interrupt domain.
Maybe rewrap. Doesn't really matter...
> + */
> + GICv5Common *gic = gicv5_get_gic(env);
> + GICv5Domain domain = gicv5_current_phys_domain(env);
> + GICv5IntType type = FIELD_EX64(value, GIC_CDDI, TYPE);
> + uint32_t id = FIELD_EX64(value, GIC_CDDI, ID);
> + bool virtual = false;
> +
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 51/65] target/arm: GICv5 cpuif: Signal IRQ or FIQ
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (49 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 50/65] target/arm: GICv5 cpuif: Implement GIC CDDI Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 17:43 ` Jonathan Cameron via qemu development
2026-02-23 17:01 ` [PATCH 52/65] target/arm: Connect internal interrupt sources up as GICv5 PPIs Peter Maydell
` (14 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The CPU interface must signal IRQ or FIQ (possibly with
superpriority) when there is a pending interrupt of sufficient
priority available. Implement this logic.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/tcg/gicv5-cpuif.c | 91 ++++++++++++++++++++++++++++++++++--
target/arm/tcg/trace-events | 1 +
2 files changed, 89 insertions(+), 3 deletions(-)
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 02129d5936..79203a3478 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -171,6 +171,88 @@ static GICv5PendingIrq gic_hppi(CPUARMState *env, GICv5Domain domain)
return best;
}
+static void cpu_interrupt_update(CPUARMState *env, int irqtype, bool new_state)
+{
+ CPUState *cs = env_cpu(env);
+
+ /*
+ * OPT: calling cpu_interrupt() and cpu_reset_interrupt()
+ * has the correct behaviour, but is not optimal for the
+ * case where we're setting the interrupt line to the same
+ * level it already has.
+ *
+ * Clearing an already clear interrupt is free (it's just
+ * doing an atomic AND operation). Signalling an already set
+ * interrupt is a bit less ideal (it might unnecessarily kick
+ * the CPU).
+ *
+ * We could potentially use cpu_test_interrupt(), like
+ * arm_cpu_update_{virq,vfiq,vinmi,vserr}, since we always
+ * hold the BQL here; or perhaps there is an abstraction
+ * we could provide in the core code that all these places
+ * could call.
+ *
+ * For now, this is simple and definitely correct.
+ */
+ if (new_state) {
+ cpu_interrupt(cs, irqtype);
+ } else {
+ cpu_reset_interrupt(cs, irqtype);
+ }
+}
+
+static void gicv5_update_irq_fiq(CPUARMState *env)
+{
+ /*
+ * Update whether we are signalling IRQ or FIQ based
+ * on the current state of the CPU interface (and in
+ * particular on the HPPI information from the IRS and
+ * for the PPIs for each interrupt domain);
+ *
+ * The logic here for IRQ and FIQ is defined by rules R_QLGBG
+ * and R_ZGHMN; whether to signal with superpriority is
+ * defined by rule R_CSBDX.
+ *
+ * For the moment, we do not consider preemptive interrupts,
+ * because these only occur when there is a HPPI of
+ * sufficient priority for another interrupt domain, and
+ * we only support EL1 and the NonSecure interrupt domain
+ * currently.
+ *
+ * NB: when we handle more than just EL1 we will need to
+ * arrange to call this function to re-evaluate the IRQ
+ * and FIQ state when we change EL.
+ */
+ GICv5PendingIrq current_hppi;
+ bool irq, fiq, superpriority;
+
+ /*
+ * We will never signal FIQ because FIQ is for
+ * preemptive interrupts or for EL3 HPPIs.
+ */
+ fiq = false;
+
+ /*
+ * We signal IRQ when we are not signalling FIQ and there is a
+ * HPPI of sufficient priority for the current domain. It
+ * has Superpriority if its priority is 0 (in which case it
+ * is CPU_INTERRUPT_NMI rather than CPU_INTERRUPT_HARD).
+ */
+ current_hppi = gic_hppi(env, gicv5_current_phys_domain(env));
+ superpriority = current_hppi.prio == 0;
+ irq = current_hppi.prio != PRIO_IDLE && !superpriority;
+
+ /*
+ * Unlike a GICv3 or GICv2, there is no external IRQ or FIQ
+ * line to the CPU. Instead we directly signal the interrupt
+ * via cpu_interrupt()/cpu_reset_interrupt().
+ */
+ trace_gicv5_update_irq_fiq(irq, fiq, superpriority);
+ cpu_interrupt_update(env, CPU_INTERRUPT_HARD, irq);
+ cpu_interrupt_update(env, CPU_INTERRUPT_FIQ, fiq);
+ cpu_interrupt_update(env, CPU_INTERRUPT_NMI, superpriority);
+}
+
static void gic_recalc_ppi_hppi(CPUARMState *env)
{
/*
@@ -220,15 +302,16 @@ static void gic_recalc_ppi_hppi(CPUARMState *env)
env->gicv5_cpuif.ppi_hppi[i].intid,
env->gicv5_cpuif.ppi_hppi[i].prio);
}
+ gicv5_update_irq_fiq(env);
}
void gicv5_forward_interrupt(ARMCPU *cpu, GICv5Domain domain)
{
/*
- * For now, we do nothing. Later we will recalculate the overall
- * HPPI by combining the IRS HPPI with the PPI HPPI, and possibly
- * signal IRQ/FIQ.
+ * IRS HPPI has changed: recalculate the IRQ/FIQ levels by
+ * combining the IRS HPPI with the PPI HPPI.
*/
+ gicv5_update_irq_fiq(&cpu->env);
}
static void gic_cddis_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -431,6 +514,7 @@ static void gic_icc_cr0_el1_write(CPUARMState *env, const ARMCPRegInfo *ri,
value |= R_ICC_CR0_LINK_MASK | R_ICC_CR0_LINK_IDLE_MASK;
env->gicv5_cpuif.icc_cr0[domain] = value;
+ gicv5_update_irq_fiq(env);
}
static void gic_icc_cr0_el1_reset(CPUARMState *env, const ARMCPRegInfo *ri)
@@ -573,6 +657,7 @@ static void gic_cdeoi_write(CPUARMState *env, const ARMCPRegInfo *ri,
/* clear lowest bit, doing nothing if already zero */
*apr &= *apr - 1;
+ gicv5_update_irq_fiq(env);
}
static void gic_cddi_write(CPUARMState *env, const ARMCPRegInfo *ri,
diff --git a/target/arm/tcg/trace-events b/target/arm/tcg/trace-events
index c60ce6834e..2bfa8fc552 100644
--- a/target/arm/tcg/trace-events
+++ b/target/arm/tcg/trace-events
@@ -7,3 +7,4 @@ gicv5_gicr_cdia_fail(int domain, const char *reason) "domain %d CDIA attempt fai
gicv5_gicr_cdia(int domain, uint32_t id) "domain %d CDIA acknowledge of interrupt 0x%x"
gicv5_cdeoi(int domain) "domain %d CDEOI performing priority drop"
gicv5_cddi(int domain, uint32_t id) "domain %d CDDI deactivating interrupt ID 0x%x"
+gicv5_update_irq_fiq(bool irq, bool fiq, bool nmi) "now IRQ %d FIQ %d NMI %d"
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 51/65] target/arm: GICv5 cpuif: Signal IRQ or FIQ
2026-02-23 17:01 ` [PATCH 51/65] target/arm: GICv5 cpuif: Signal IRQ or FIQ Peter Maydell
@ 2026-03-11 17:43 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 17:43 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:58 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The CPU interface must signal IRQ or FIQ (possibly with
> superpriority) when there is a pending interrupt of sufficient
> priority available. Implement this logic.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Another bit of triviality. I can't find anything else ;)
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> ---
> target/arm/tcg/gicv5-cpuif.c | 91 ++++++++++++++++++++++++++++++++++--
> target/arm/tcg/trace-events | 1 +
> 2 files changed, 89 insertions(+), 3 deletions(-)
>
> diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
> index 02129d5936..79203a3478 100644
> --- a/target/arm/tcg/gicv5-cpuif.c
> +++ b/target/arm/tcg/gicv5-cpuif.c
> +static void gicv5_update_irq_fiq(CPUARMState *env)
> +{
> + /*
> + * Update whether we are signalling IRQ or FIQ based
> + * on the current state of the CPU interface (and in
> + * particular on the HPPI information from the IRS and
> + * for the PPIs for each interrupt domain);
The comment wrapping is a bit too random in here. Perhaps give
it a once over for consistency.
> + *
> + * The logic here for IRQ and FIQ is defined by rules R_QLGBG
> + * and R_ZGHMN; whether to signal with superpriority is
> + * defined by rule R_CSBDX.
> + *
> + * For the moment, we do not consider preemptive interrupts,
> + * because these only occur when there is a HPPI of
> + * sufficient priority for another interrupt domain, and
> + * we only support EL1 and the NonSecure interrupt domain
> + * currently.
> + *
> + * NB: when we handle more than just EL1 we will need to
> + * arrange to call this function to re-evaluate the IRQ
> + * and FIQ state when we change EL.
> + */
> + GICv5PendingIrq current_hppi;
> + bool irq, fiq, superpriority;
> +
> + /*
> + * We will never signal FIQ because FIQ is for
> + * preemptive interrupts or for EL3 HPPIs.
> + */
> + fiq = false;
> +
> + /*
> + * We signal IRQ when we are not signalling FIQ and there is a
> + * HPPI of sufficient priority for the current domain. It
> + * has Superpriority if its priority is 0 (in which case it
> + * is CPU_INTERRUPT_NMI rather than CPU_INTERRUPT_HARD).
> + */
> + current_hppi = gic_hppi(env, gicv5_current_phys_domain(env));
> + superpriority = current_hppi.prio == 0;
> + irq = current_hppi.prio != PRIO_IDLE && !superpriority;
> +
> + /*
> + * Unlike a GICv3 or GICv2, there is no external IRQ or FIQ
> + * line to the CPU. Instead we directly signal the interrupt
> + * via cpu_interrupt()/cpu_reset_interrupt().
> + */
> + trace_gicv5_update_irq_fiq(irq, fiq, superpriority);
> + cpu_interrupt_update(env, CPU_INTERRUPT_HARD, irq);
> + cpu_interrupt_update(env, CPU_INTERRUPT_FIQ, fiq);
> + cpu_interrupt_update(env, CPU_INTERRUPT_NMI, superpriority);
> +}
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 52/65] target/arm: Connect internal interrupt sources up as GICv5 PPIs
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (50 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 51/65] target/arm: GICv5 cpuif: Signal IRQ or FIQ Peter Maydell
@ 2026-02-23 17:01 ` Peter Maydell
2026-03-11 17:48 ` Jonathan Cameron via qemu development
2026-02-23 17:02 ` [PATCH 53/65] target/arm: Add has_gcie property to enable FEAT_GCIE Peter Maydell
` (13 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:01 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The CPU has several interrupt sources which are exposed as GICv5
PPIs. For QEMU, this means the generic timers and the PMU.
In GICv3, we implemented these as qemu_irq lines which connect up to
the external interrupt controller device. In a GICv5, the PPIs are
handled entirely inside the CPU interface, so there are no external
signals. Instead we provide a gicv5_update_ppi_state() function
which the emulated timer and PMU code uses to tell the CPU interface
about the new state of the PPI source.
We make the GICv5 function a no-op if there is no GICv5 present, so
that calling code can do both "update the old irq lines" and "update
the GICv5 PPI" without having to add conditionals. (In a GICv5
system the old irq lines won't be connected to anything, so the
qemu_set_irq() will be a no-op.)
Updating PPIs via either mechanism is unnecessary in user-only mode;
we got away with not ifdeffing this away before because
qemu_set_irq() is built for user-only mode, but since the GICv5 cpuif
code is system-emulation only, we do need an ifdef now.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/cpregs-pmu.c | 9 +++++++--
target/arm/helper.c | 20 ++++++++++++++++++++
target/arm/internals.h | 6 ++++++
target/arm/tcg/gicv5-cpuif.c | 28 ++++++++++++++++++++++++++++
target/arm/tcg/trace-events | 1 +
5 files changed, 62 insertions(+), 2 deletions(-)
diff --git a/target/arm/cpregs-pmu.c b/target/arm/cpregs-pmu.c
index 47e1e4652b..46df6597b1 100644
--- a/target/arm/cpregs-pmu.c
+++ b/target/arm/cpregs-pmu.c
@@ -428,9 +428,14 @@ static bool pmu_counter_enabled(CPUARMState *env, uint8_t counter)
static void pmu_update_irq(CPUARMState *env)
{
+#ifndef CONFIG_USER_ONLY
ARMCPU *cpu = env_archcpu(env);
- qemu_set_irq(cpu->pmu_interrupt, (env->cp15.c9_pmcr & PMCRE) &&
- (env->cp15.c9_pminten & env->cp15.c9_pmovsr));
+ bool level = (env->cp15.c9_pmcr & PMCRE) &&
+ (env->cp15.c9_pminten & env->cp15.c9_pmovsr);
+
+ gicv5_update_ppi_state(env, GICV5_PPI_PMUIRQ, level);
+ qemu_set_irq(cpu->pmu_interrupt, level);
+#endif
}
static bool pmccntr_clockdiv_enabled(CPUARMState *env)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 5e7cc039aa..a6bad8eba3 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -1348,6 +1348,21 @@ uint64_t gt_get_countervalue(CPUARMState *env)
return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / gt_cntfrq_period_ns(cpu);
}
+static void gt_update_gicv5_ppi(CPUARMState *env, int timeridx, bool level)
+{
+ static int timeridx_to_ppi[] = {
+ [GTIMER_PHYS] = GICV5_PPI_CNTP,
+ [GTIMER_VIRT] = GICV5_PPI_CNTV,
+ [GTIMER_HYP] = GICV5_PPI_CNTHP,
+ [GTIMER_SEC] = GICV5_PPI_CNTPS,
+ [GTIMER_HYPVIRT] = GICV5_PPI_CNTHV,
+ [GTIMER_S_EL2_PHYS] = GICV5_PPI_CNTHPS,
+ [GTIMER_S_EL2_VIRT] = GICV5_PPI_CNTHVS,
+ };
+
+ gicv5_update_ppi_state(env, timeridx_to_ppi[timeridx], level);
+}
+
static void gt_update_irq(ARMCPU *cpu, int timeridx)
{
CPUARMState *env = &cpu->env;
@@ -1366,6 +1381,11 @@ static void gt_update_irq(ARMCPU *cpu, int timeridx)
irqstate = 0;
}
+ /*
+ * We update both the GICv5 PPI and the external-GIC irq line
+ * (whichever of the two mechanisms is unused will do nothing)
+ */
+ gt_update_gicv5_ppi(env, timeridx, irqstate);
qemu_set_irq(cpu->gt_timer_outputs[timeridx], irqstate);
trace_arm_gt_update_irq(timeridx, irqstate);
}
diff --git a/target/arm/internals.h b/target/arm/internals.h
index 9bde58cf00..afe893f49d 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -1800,6 +1800,12 @@ void define_gcs_cpregs(ARMCPU *cpu);
/* Add the cpreg definitions for the GICv5 CPU interface */
void define_gicv5_cpuif_regs(ARMCPU *cpu);
+/*
+ * Update the state of the given GICv5 PPI for this CPU. Does nothing
+ * if the GICv5 is not present.
+ */
+void gicv5_update_ppi_state(CPUARMState *env, int ppi, bool level);
+
/* Effective value of MDCR_EL2 */
static inline uint64_t arm_mdcr_el2_eff(CPUARMState *env)
{
diff --git a/target/arm/tcg/gicv5-cpuif.c b/target/arm/tcg/gicv5-cpuif.c
index 79203a3478..d30617d143 100644
--- a/target/arm/tcg/gicv5-cpuif.c
+++ b/target/arm/tcg/gicv5-cpuif.c
@@ -314,6 +314,34 @@ void gicv5_forward_interrupt(ARMCPU *cpu, GICv5Domain domain)
gicv5_update_irq_fiq(&cpu->env);
}
+void gicv5_update_ppi_state(CPUARMState *env, int ppi, bool level)
+{
+ /*
+ * Update the state of the given PPI (which is connected to some
+ * CPU-internal source of interrupts, like the timers).
+ * We can assume that the PPI is fixed as level-triggered,
+ * which means that its pending state exactly tracks the input
+ * (and the guest cannot separately change the pending state,
+ * because the pending bits are RO).
+ */
+ int oldlevel;
+
+ if (!cpu_isar_feature(aa64_gcie, env_archcpu(env))) {
+ return;
+ }
+
+ /* The architected PPIs are 0..63, so in the first PPI register. */
+ assert(ppi >= 0 && ppi < 64);
+ oldlevel = extract64(env->gicv5_cpuif.ppi_pend[0], ppi, 1);
+ if (oldlevel != level) {
+ trace_gicv5_update_ppi_state(ppi, level);
+
+ env->gicv5_cpuif.ppi_pend[0] =
+ deposit64(env->gicv5_cpuif.ppi_pend[0], ppi, 1, level);
+ gic_recalc_ppi_hppi(env);
+ }
+}
+
static void gic_cddis_write(CPUARMState *env, const ARMCPRegInfo *ri,
uint64_t value)
{
diff --git a/target/arm/tcg/trace-events b/target/arm/tcg/trace-events
index 2bfa8fc552..bf1803c872 100644
--- a/target/arm/tcg/trace-events
+++ b/target/arm/tcg/trace-events
@@ -8,3 +8,4 @@ gicv5_gicr_cdia(int domain, uint32_t id) "domain %d CDIA acknowledge of interrup
gicv5_cdeoi(int domain) "domain %d CDEOI performing priority drop"
gicv5_cddi(int domain, uint32_t id) "domain %d CDDI deactivating interrupt ID 0x%x"
gicv5_update_irq_fiq(bool irq, bool fiq, bool nmi) "now IRQ %d FIQ %d NMI %d"
+gicv5_update_ppi_state(int ppi, bool level) "PPI %d source level now %d"
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 52/65] target/arm: Connect internal interrupt sources up as GICv5 PPIs
2026-02-23 17:01 ` [PATCH 52/65] target/arm: Connect internal interrupt sources up as GICv5 PPIs Peter Maydell
@ 2026-03-11 17:48 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 17:48 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:01:59 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The CPU has several interrupt sources which are exposed as GICv5
> PPIs. For QEMU, this means the generic timers and the PMU.
>
> In GICv3, we implemented these as qemu_irq lines which connect up to
> the external interrupt controller device. In a GICv5, the PPIs are
> handled entirely inside the CPU interface, so there are no external
> signals. Instead we provide a gicv5_update_ppi_state() function
> which the emulated timer and PMU code uses to tell the CPU interface
> about the new state of the PPI source.
>
> We make the GICv5 function a no-op if there is no GICv5 present, so
> that calling code can do both "update the old irq lines" and "update
> the GICv5 PPI" without having to add conditionals. (In a GICv5
> system the old irq lines won't be connected to anything, so the
> qemu_set_irq() will be a no-op.)
>
> Updating PPIs via either mechanism is unnecessary in user-only mode;
> we got away with not ifdeffing this away before because
> qemu_set_irq() is built for user-only mode, but since the GICv5 cpuif
> code is system-emulation only, we do need an ifdef now.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 53/65] target/arm: Add has_gcie property to enable FEAT_GCIE
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (51 preceding siblings ...)
2026-02-23 17:01 ` [PATCH 52/65] target/arm: Connect internal interrupt sources up as GICv5 PPIs Peter Maydell
@ 2026-02-23 17:02 ` Peter Maydell
2026-03-11 17:51 ` Jonathan Cameron via qemu development
2026-02-23 17:02 ` [PATCH 54/65] hw/intc/arm_gicv3_cpuif: Don't allow GICv3 if CPU has GICv5 cpuif Peter Maydell
` (12 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:02 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Add a has_gcie QOM property to the CPU which allows the board code to
enable FEAT_GCIE, the GICv5 CPU interface.
Enabling the GICv5 CPU interface comes with a significant
restriction: because the GICv5 architecture is Armv9, it assumes the
Armv9 requirement that only EL0 (userspace) may be in AArch32. So
there are no GIC control system registers defined for AArch32. We
force AArch32 at ELs 1, 2 and 3 to disabled, to avoid a guest being
able to get into an EL where interrupts are completely broken.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/cpu-features.h | 5 +++++
target/arm/cpu.c | 45 +++++++++++++++++++++++++++++++++++++++
target/arm/cpu.h | 2 ++
3 files changed, 52 insertions(+)
diff --git a/target/arm/cpu-features.h b/target/arm/cpu-features.h
index e391b394ba..c0ba56f244 100644
--- a/target/arm/cpu-features.h
+++ b/target/arm/cpu-features.h
@@ -1072,6 +1072,11 @@ static inline bool isar_feature_aa64_aa32_el2(const ARMISARegisters *id)
return FIELD_EX64_IDREG(id, ID_AA64PFR0, EL2) >= 2;
}
+static inline bool isar_feature_aa64_aa32_el3(const ARMISARegisters *id)
+{
+ return FIELD_EX64_IDREG(id, ID_AA64PFR0, EL3) >= 2;
+}
+
static inline bool isar_feature_aa64_ras(const ARMISARegisters *id)
{
return FIELD_EX64_IDREG(id, ID_AA64PFR0, RAS) != 0;
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 551be14e22..7f67e8ae47 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -1191,6 +1191,9 @@ static const Property arm_cpu_has_el2_property =
static const Property arm_cpu_has_el3_property =
DEFINE_PROP_BOOL("has_el3", ARMCPU, has_el3, true);
+
+static const Property arm_cpu_has_gcie_property =
+ DEFINE_PROP_BOOL("has_gcie", ARMCPU, has_gcie, false);
#endif
static const Property arm_cpu_cfgend_property =
@@ -1423,6 +1426,11 @@ static void arm_cpu_post_init(Object *obj)
object_property_add_uint64_ptr(obj, "rvbar",
&cpu->rvbar_prop,
OBJ_PROP_FLAG_READWRITE);
+
+ /* We only allow GICv5 on a 64-bit v8 CPU */
+ if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
+ qdev_property_add_static(DEVICE(obj), &arm_cpu_has_gcie_property);
+ }
}
if (arm_feature(&cpu->env, ARM_FEATURE_EL3)) {
@@ -1697,6 +1705,12 @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
current_accel_name());
return;
}
+ if (cpu->has_gcie) {
+ error_setg(errp,
+ "Cannot enable %s when guest CPU has GICv5 enabled",
+ current_accel_name());
+ return;
+ }
}
#endif
@@ -2020,6 +2034,37 @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
FIELD_DP32_IDREG(isar, ID_PFR1, VIRTUALIZATION, 0);
}
+ /* Report FEAT_GCIE in our ID registers if property was set */
+ FIELD_DP64_IDREG(isar, ID_AA64PFR2, GCIE, cpu->has_gcie);
+ if (cpu_isar_feature(aa64_gcie, cpu)) {
+ if (!arm_feature(env, ARM_FEATURE_AARCH64)) {
+ /*
+ * We only create the have_gcie property for AArch64 CPUs,
+ * but the user might have tried aarch64=off with has_gcie=on.
+ */
+ error_setg(errp, "Cannot both enable has_gcie and disable aarch64");
+ return;
+ }
+
+ /*
+ * FEAT_GCIE implies Armv9, which implies no AArch32 above EL0.
+ * Usually we don't strictly insist on this kind of feature
+ * dependency, but in this case we enforce it, because the
+ * GICv5 CPU interface has no AArch32 versions of its system
+ * registers, so interrupts wouldn't work if we allowed AArch32
+ * in EL1 or above. Downgrade "AArch32 and AArch64" to "AArch64".
+ */
+ if (cpu_isar_feature(aa64_aa32_el3, cpu)) {
+ FIELD_DP64_IDREG(isar, ID_AA64PFR0, EL3, 1);
+ }
+ if (cpu_isar_feature(aa64_aa32_el2, cpu)) {
+ FIELD_DP64_IDREG(isar, ID_AA64PFR0, EL2, 1);
+ }
+ if (cpu_isar_feature(aa64_aa32_el1, cpu)) {
+ FIELD_DP64_IDREG(isar, ID_AA64PFR0, EL1, 1);
+ }
+ }
+
if (cpu_isar_feature(aa64_mte, cpu)) {
/*
* The architectural range of GM blocksize is 2-6, however qemu
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 651fccd59b..a5f27dfe0f 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -1032,6 +1032,8 @@ struct ArchCPU {
bool has_neon;
/* CPU has M-profile DSP extension */
bool has_dsp;
+ /* CPU has FEAT_GCIE GICv5 CPU interface */
+ bool has_gcie;
/* CPU has memory protection unit */
bool has_mpu;
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 53/65] target/arm: Add has_gcie property to enable FEAT_GCIE
2026-02-23 17:02 ` [PATCH 53/65] target/arm: Add has_gcie property to enable FEAT_GCIE Peter Maydell
@ 2026-03-11 17:51 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 17:51 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:02:00 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Add a has_gcie QOM property to the CPU which allows the board code to
> enable FEAT_GCIE, the GICv5 CPU interface.
>
> Enabling the GICv5 CPU interface comes with a significant
> restriction: because the GICv5 architecture is Armv9, it assumes the
> Armv9 requirement that only EL0 (userspace) may be in AArch32. So
> there are no GIC control system registers defined for AArch32. We
> force AArch32 at ELs 1, 2 and 3 to disabled, to avoid a guest being
> able to get into an EL where interrupts are completely broken.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 54/65] hw/intc/arm_gicv3_cpuif: Don't allow GICv3 if CPU has GICv5 cpuif
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (52 preceding siblings ...)
2026-02-23 17:02 ` [PATCH 53/65] target/arm: Add has_gcie property to enable FEAT_GCIE Peter Maydell
@ 2026-02-23 17:02 ` Peter Maydell
2026-03-11 17:52 ` Jonathan Cameron via qemu development
2026-02-23 17:02 ` [PATCH 55/65] hw/arm/virt: Update error message for bad gic-version option Peter Maydell
` (11 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:02 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The GICv3 and GICv5 CPU interfaces are not compatible, and a CPU will
only implement either one or the other. If we find that we're trying
to connect a GICv3 to a CPU that implements FEAT_GCIE, fail. This
will only happen if the board code has a bug and doesn't configure
its CPUs and its GIC consistently.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/intc/arm_gicv3.c | 2 +-
hw/intc/arm_gicv3_cpuif.c | 14 +++++++++++++-
hw/intc/gicv3_internal.h | 2 +-
3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/hw/intc/arm_gicv3.c b/hw/intc/arm_gicv3.c
index 542f81ea49..e93c1df5b4 100644
--- a/hw/intc/arm_gicv3.c
+++ b/hw/intc/arm_gicv3.c
@@ -449,7 +449,7 @@ static void arm_gic_realize(DeviceState *dev, Error **errp)
gicv3_init_irqs_and_mmio(s, gicv3_set_irq, gic_ops);
- gicv3_init_cpuif(s);
+ gicv3_init_cpuif(s, errp);
}
static void arm_gicv3_class_init(ObjectClass *klass, const void *data)
diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index eaf1e512ed..73e06f87d4 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -16,6 +16,7 @@
#include "qemu/bitops.h"
#include "qemu/log.h"
#include "qemu/main-loop.h"
+#include "qapi/error.h"
#include "trace.h"
#include "gicv3_internal.h"
#include "hw/core/irq.h"
@@ -3016,7 +3017,7 @@ static void gicv3_cpuif_el_change_hook(ARMCPU *cpu, void *opaque)
gicv3_cpuif_virt_irq_fiq_update(cs);
}
-void gicv3_init_cpuif(GICv3State *s)
+void gicv3_init_cpuif(GICv3State *s, Error **errp)
{
/* Called from the GICv3 realize function; register our system
* registers with the CPU
@@ -3027,6 +3028,17 @@ void gicv3_init_cpuif(GICv3State *s)
ARMCPU *cpu = ARM_CPU(qemu_get_cpu(s->first_cpu_idx + i));
GICv3CPUState *cs = &s->cpu[i];
+ if (cpu_isar_feature(aa64_gcie, cpu)) {
+ /*
+ * Attempt to connect GICv3 to a CPU with GICv5 cpuif
+ * (almost certainly a bug in the board code)
+ */
+ error_setg(errp,
+ "Cannot connect GICv3 to CPU %d which has GICv5 cpuif",
+ i);
+ return;
+ }
+
/*
* If the CPU doesn't define a GICv3 configuration, probably because
* in real hardware it doesn't have one, then we use default values
diff --git a/hw/intc/gicv3_internal.h b/hw/intc/gicv3_internal.h
index 880dbe52d8..c01be70464 100644
--- a/hw/intc/gicv3_internal.h
+++ b/hw/intc/gicv3_internal.h
@@ -722,7 +722,7 @@ void gicv3_redist_mov_vlpi(GICv3CPUState *src, uint64_t src_vptaddr,
void gicv3_redist_vinvall(GICv3CPUState *cs, uint64_t vptaddr);
void gicv3_redist_send_sgi(GICv3CPUState *cs, int grp, int irq, bool ns);
-void gicv3_init_cpuif(GICv3State *s);
+void gicv3_init_cpuif(GICv3State *s, Error **errp);
/**
* gicv3_cpuif_update:
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 54/65] hw/intc/arm_gicv3_cpuif: Don't allow GICv3 if CPU has GICv5 cpuif
2026-02-23 17:02 ` [PATCH 54/65] hw/intc/arm_gicv3_cpuif: Don't allow GICv3 if CPU has GICv5 cpuif Peter Maydell
@ 2026-03-11 17:52 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 17:52 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:02:01 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The GICv3 and GICv5 CPU interfaces are not compatible, and a CPU will
> only implement either one or the other. If we find that we're trying
> to connect a GICv3 to a CPU that implements FEAT_GCIE, fail. This
> will only happen if the board code has a bug and doesn't configure
> its CPUs and its GIC consistently.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 55/65] hw/arm/virt: Update error message for bad gic-version option
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (53 preceding siblings ...)
2026-02-23 17:02 ` [PATCH 54/65] hw/intc/arm_gicv3_cpuif: Don't allow GICv3 if CPU has GICv5 cpuif Peter Maydell
@ 2026-02-23 17:02 ` Peter Maydell
2026-03-11 17:54 ` Jonathan Cameron via qemu development
2026-02-23 17:02 ` [PATCH 56/65] hw/arm/virt: Remember CPU phandles rather than looking them up by name Peter Maydell
` (10 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:02 UTC (permalink / raw)
To: qemu-arm, qemu-devel
As we added different valid gic-version option settings,
we forgot to update the hint in the error message produced
when the user specifies an invalid value:
$ qemu-system-aarch64 -M virt,help | grep gic-version
gic-version=<string> - Set GIC version. Valid values are 2, 3, 4, host and max
$ qemu-system-aarch64 -M virt,gic-version=bang
qemu-system-aarch64: Invalid gic-version value
Valid values are 3, 2, host, max.
Update the error string to match the one we use in the help text
for the option.
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/arm/virt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 50865e8115..8dc999712c 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -2971,7 +2971,7 @@ static void virt_set_gic_version(Object *obj, const char *value, Error **errp)
vms->gic_version = VIRT_GIC_VERSION_MAX; /* Will probe later */
} else {
error_setg(errp, "Invalid gic-version value");
- error_append_hint(errp, "Valid values are 3, 2, host, max.\n");
+ error_append_hint(errp, "Valid values are 2, 3, 4, host, and max.\n");
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 55/65] hw/arm/virt: Update error message for bad gic-version option
2026-02-23 17:02 ` [PATCH 55/65] hw/arm/virt: Update error message for bad gic-version option Peter Maydell
@ 2026-03-11 17:54 ` Jonathan Cameron via qemu development
2026-03-12 9:12 ` Peter Maydell
0 siblings, 1 reply; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 17:54 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:02:02 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> As we added different valid gic-version option settings,
> we forgot to update the hint in the error message produced
> when the user specifies an invalid value:
>
> $ qemu-system-aarch64 -M virt,help | grep gic-version
> gic-version=<string> - Set GIC version. Valid values are 2, 3, 4, host and max
> $ qemu-system-aarch64 -M virt,gic-version=bang
> qemu-system-aarch64: Invalid gic-version value
> Valid values are 3, 2, host, max.
>
> Update the error string to match the one we use in the help text
> for the option.
>
> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> Reviewed-by: Mohamed Mediouni <mohamed@unpredictable.fr>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Ah. I was going to say what is is this doing in here? But I see
you already sent a pull request with this in it.
All good but for anyone else reading you can skip this one :)
J
^ permalink raw reply [flat|nested] 142+ messages in thread
* Re: [PATCH 55/65] hw/arm/virt: Update error message for bad gic-version option
2026-03-11 17:54 ` Jonathan Cameron via qemu development
@ 2026-03-12 9:12 ` Peter Maydell
0 siblings, 0 replies; 142+ messages in thread
From: Peter Maydell @ 2026-03-12 9:12 UTC (permalink / raw)
To: Jonathan Cameron; +Cc: qemu-arm, qemu-devel
On Wed, 11 Mar 2026 at 17:55, Jonathan Cameron
<jonathan.cameron@huawei.com> wrote:
>
> On Mon, 23 Feb 2026 17:02:02 +0000
> Peter Maydell <peter.maydell@linaro.org> wrote:
>
> > As we added different valid gic-version option settings,
> > we forgot to update the hint in the error message produced
> > when the user specifies an invalid value:
> >
> > $ qemu-system-aarch64 -M virt,help | grep gic-version
> > gic-version=<string> - Set GIC version. Valid values are 2, 3, 4, host and max
> > $ qemu-system-aarch64 -M virt,gic-version=bang
> > qemu-system-aarch64: Invalid gic-version value
> > Valid values are 3, 2, host, max.
> >
> > Update the error string to match the one we use in the help text
> > for the option.
> >
> > Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
> > Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> > Reviewed-by: Mohamed Mediouni <mohamed@unpredictable.fr>
> > Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> Ah. I was going to say what is is this doing in here? But I see
> you already sent a pull request with this in it.
>
> All good but for anyone else reading you can skip this one :)
Yeah, it's only in here to avoid a conflict with the next patches
that also adjust this string.
-- PMM
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 56/65] hw/arm/virt: Remember CPU phandles rather than looking them up by name
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (54 preceding siblings ...)
2026-02-23 17:02 ` [PATCH 55/65] hw/arm/virt: Update error message for bad gic-version option Peter Maydell
@ 2026-02-23 17:02 ` Peter Maydell
2026-03-11 17:56 ` Jonathan Cameron via qemu development
2026-02-23 17:02 ` [PATCH 57/65] hw/arm/virt: Move MSI controller creation out of create_gic() Peter Maydell
` (9 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:02 UTC (permalink / raw)
To: qemu-arm, qemu-devel
In fdt_add_cpu_nodes(), we currently add phandles for each CPU node
if we are going to add a topology description, and when we do, we
re-look-up the phandle by node name when creating the topology
description.
For GICv5 we will also want to refer to the CPU phandles; so always
add a phandle, and keep track of those phandles in the
VirtMachineState so we don't have to look them up by name in the dtb
every time.
The phandle property is extra data in the final DTB, but only a tiny
amount, so it's not worth trying to carefully track the conditions
when we're going to need them so we only emit them when required.
(We need to change the smp_cpus variable to unsigned because
otherwise gcc thinks that we might be passing a negative number to
g_new0() and produces an error:
/usr/include/glib-2.0/glib/gmem.h:270:19: error: argument 1 range [18446744071562067968, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Werror=alloc-size-larger-than=]
270 | __p = g_##func##_n (__n, __s); \
| ^~~~~~~~~~~~~~~~~~~~~~~
/usr/include/glib-2.0/glib/gmem.h:332:57: note: in expansion of macro ‘_G_NEW’
332 | #define g_new0(struct_type, n_structs) _G_NEW (struct_type, n_structs, malloc0)
| ^~~~~~
../../hw/arm/virt.c:469:25: note: in expansion of macro ‘g_new0’
469 | vms->cpu_phandles = g_new0(uint32_t, smp_cpus);
| ^~~~~~
)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/arm/virt.c | 19 ++++++++++---------
include/hw/arm/virt.h | 1 +
2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 8dc999712c..0d1032967c 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -432,13 +432,13 @@ static void fdt_add_timer_nodes(const VirtMachineState *vms)
}
}
-static void fdt_add_cpu_nodes(const VirtMachineState *vms)
+static void fdt_add_cpu_nodes(VirtMachineState *vms)
{
int cpu;
int addr_cells = 1;
const MachineState *ms = MACHINE(vms);
const VirtMachineClass *vmc = VIRT_MACHINE_GET_CLASS(vms);
- int smp_cpus = ms->smp.cpus;
+ unsigned int smp_cpus = ms->smp.cpus;
/*
* See Linux Documentation/devicetree/bindings/arm/cpus.yaml
@@ -466,10 +466,13 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
qemu_fdt_setprop_cell(ms->fdt, "/cpus", "#address-cells", addr_cells);
qemu_fdt_setprop_cell(ms->fdt, "/cpus", "#size-cells", 0x0);
+ vms->cpu_phandles = g_new0(uint32_t, smp_cpus);
+
for (cpu = smp_cpus - 1; cpu >= 0; cpu--) {
char *nodename = g_strdup_printf("/cpus/cpu@%d", cpu);
ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(cpu));
CPUState *cs = CPU(armcpu);
+ uint32_t phandle;
qemu_fdt_add_subnode(ms->fdt, nodename);
qemu_fdt_setprop_string(ms->fdt, nodename, "device_type", "cpu");
@@ -494,10 +497,9 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
ms->possible_cpus->cpus[cs->cpu_index].props.node_id);
}
- if (!vmc->no_cpu_topology) {
- qemu_fdt_setprop_cell(ms->fdt, nodename, "phandle",
- qemu_fdt_alloc_phandle(ms->fdt));
- }
+ phandle = qemu_fdt_alloc_phandle(ms->fdt);
+ qemu_fdt_setprop_cell(ms->fdt, nodename, "phandle", phandle);
+ vms->cpu_phandles[cpu] = phandle;
g_free(nodename);
}
@@ -522,7 +524,6 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
qemu_fdt_add_subnode(ms->fdt, "/cpus/cpu-map");
for (cpu = smp_cpus - 1; cpu >= 0; cpu--) {
- char *cpu_path = g_strdup_printf("/cpus/cpu@%d", cpu);
char *map_path;
if (ms->smp.threads > 1) {
@@ -540,10 +541,10 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
cpu % ms->smp.cores);
}
qemu_fdt_add_path(ms->fdt, map_path);
- qemu_fdt_setprop_phandle(ms->fdt, map_path, "cpu", cpu_path);
+ qemu_fdt_setprop_cell(ms->fdt, map_path, "cpu",
+ vms->cpu_phandles[cpu]);
g_free(map_path);
- g_free(cpu_path);
}
}
}
diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index 8069422769..6b4691761e 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -171,6 +171,7 @@ struct VirtMachineState {
uint32_t gic_phandle;
uint32_t msi_phandle;
uint32_t iommu_phandle;
+ uint32_t *cpu_phandles;
int psci_conduit;
hwaddr highest_gpa;
DeviceState *gic;
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 56/65] hw/arm/virt: Remember CPU phandles rather than looking them up by name
2026-02-23 17:02 ` [PATCH 56/65] hw/arm/virt: Remember CPU phandles rather than looking them up by name Peter Maydell
@ 2026-03-11 17:56 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 17:56 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:02:03 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> In fdt_add_cpu_nodes(), we currently add phandles for each CPU node
> if we are going to add a topology description, and when we do, we
> re-look-up the phandle by node name when creating the topology
> description.
>
> For GICv5 we will also want to refer to the CPU phandles; so always
> add a phandle, and keep track of those phandles in the
> VirtMachineState so we don't have to look them up by name in the dtb
> every time.
>
> The phandle property is extra data in the final DTB, but only a tiny
> amount, so it's not worth trying to carefully track the conditions
> when we're going to need them so we only emit them when required.
>
> (We need to change the smp_cpus variable to unsigned because
> otherwise gcc thinks that we might be passing a negative number to
> g_new0() and produces an error:
>
> /usr/include/glib-2.0/glib/gmem.h:270:19: error: argument 1 range [18446744071562067968, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Werror=alloc-size-larger-than=]
> 270 | __p = g_##func##_n (__n, __s); \
> | ^~~~~~~~~~~~~~~~~~~~~~~
> /usr/include/glib-2.0/glib/gmem.h:332:57: note: in expansion of macro ‘_G_NEW’
> 332 | #define g_new0(struct_type, n_structs) _G_NEW (struct_type, n_structs, malloc0)
> | ^~~~~~
> ../../hw/arm/virt.c:469:25: note: in expansion of macro ‘g_new0’
> 469 | vms->cpu_phandles = g_new0(uint32_t, smp_cpus);
> | ^~~~~~
>
> )
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 57/65] hw/arm/virt: Move MSI controller creation out of create_gic()
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (55 preceding siblings ...)
2026-02-23 17:02 ` [PATCH 56/65] hw/arm/virt: Remember CPU phandles rather than looking them up by name Peter Maydell
@ 2026-02-23 17:02 ` Peter Maydell
2026-03-11 17:57 ` Jonathan Cameron via qemu development
2026-02-23 17:02 ` [PATCH 58/65] hw/arm/virt: Pull "wire CPU interrupts" " Peter Maydell
` (8 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:02 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The create_gic() function also creates the MSI controller; however
there isn't really a strong linkage here, and for the GICv5 it will
be more convenient to separate it out. Move it to a new
create_msi_controller() function.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/arm/virt.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 0d1032967c..3c318680f8 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -959,11 +959,21 @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
}
fdt_add_gic_node(vms);
+}
- if (vms->msi_controller == VIRT_MSI_CTRL_ITS) {
+static void create_msi_controller(VirtMachineState *vms)
+{
+ switch (vms->msi_controller) {
+ case VIRT_MSI_CTRL_ITS:
create_its(vms);
- } else if (vms->msi_controller == VIRT_MSI_CTRL_GICV2M) {
+ break;
+ case VIRT_MSI_CTRL_GICV2M:
create_v2m(vms);
+ break;
+ case VIRT_MSI_CTRL_NONE:
+ break;
+ default:
+ g_assert_not_reached();
}
}
@@ -2515,6 +2525,7 @@ static void machvirt_init(MachineState *machine)
virt_flash_fdt(vms, sysmem, secure_sysmem ?: sysmem);
create_gic(vms, sysmem);
+ create_msi_controller(vms);
virt_post_cpus_gic_realized(vms, sysmem);
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* [PATCH 58/65] hw/arm/virt: Pull "wire CPU interrupts" out of create_gic()
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (56 preceding siblings ...)
2026-02-23 17:02 ` [PATCH 57/65] hw/arm/virt: Move MSI controller creation out of create_gic() Peter Maydell
@ 2026-02-23 17:02 ` Peter Maydell
2026-03-11 18:01 ` Jonathan Cameron via qemu development
2026-02-23 17:02 ` [PATCH 59/65] hw/arm/virt: Split GICv2 and GICv3/4 creation Peter Maydell
` (7 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:02 UTC (permalink / raw)
To: qemu-arm, qemu-devel
create_gic() is quite long and mixes GICv2 and GICv3 even though
they're mostly different in their creation. As a preliminary to
splitting it up, pull out the "wire the CPU interrupts to the GIC PPI
inputs" code out into its own function. This is a long and
self-contained piece of code that is the main thing that we need to
do basically the same way for GICv2 and GICv3.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/arm/virt.c | 127 +++++++++++++++++++++++++++-----------------------
1 file changed, 69 insertions(+), 58 deletions(-)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 3c318680f8..ec6e49099a 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -795,13 +795,80 @@ static bool gicv3_nmi_present(VirtMachineState *vms)
(vms->gic_version != VIRT_GIC_VERSION_2);
}
+static void gic_connect_ppis(VirtMachineState *vms)
+{
+ /*
+ * Wire the outputs from each CPU's generic timer and the GICv3
+ * maintenance interrupt signal to the appropriate GIC PPI inputs,
+ * and the GIC's IRQ/FIQ/VIRQ/VFIQ/NMI/VINMI interrupt outputs to the
+ * CPU's inputs.
+ */
+ MachineState *ms = MACHINE(vms);
+ int i;
+ unsigned int smp_cpus = ms->smp.cpus;
+ SysBusDevice *gicbusdev = SYS_BUS_DEVICE(vms->gic);
+
+ for (i = 0; i < smp_cpus; i++) {
+ DeviceState *cpudev = DEVICE(qemu_get_cpu(i));
+ int intidbase = NUM_IRQS + i * GIC_INTERNAL;
+ /*
+ * Mapping from the output timer irq lines from the CPU to the
+ * GIC PPI inputs we use for the virt board.
+ */
+ const int timer_irq[] = {
+ [GTIMER_PHYS] = ARCH_TIMER_NS_EL1_IRQ,
+ [GTIMER_VIRT] = ARCH_TIMER_VIRT_IRQ,
+ [GTIMER_HYP] = ARCH_TIMER_NS_EL2_IRQ,
+ [GTIMER_SEC] = ARCH_TIMER_S_EL1_IRQ,
+ [GTIMER_HYPVIRT] = ARCH_TIMER_NS_EL2_VIRT_IRQ,
+ [GTIMER_S_EL2_PHYS] = ARCH_TIMER_S_EL2_IRQ,
+ [GTIMER_S_EL2_VIRT] = ARCH_TIMER_S_EL2_VIRT_IRQ,
+ };
+
+ for (unsigned irq = 0; irq < ARRAY_SIZE(timer_irq); irq++) {
+ qdev_connect_gpio_out(cpudev, irq,
+ qdev_get_gpio_in(vms->gic,
+ intidbase + timer_irq[irq]));
+ }
+
+ if (vms->gic_version != VIRT_GIC_VERSION_2) {
+ qemu_irq irq = qdev_get_gpio_in(vms->gic,
+ intidbase + ARCH_GIC_MAINT_IRQ);
+ qdev_connect_gpio_out_named(cpudev, "gicv3-maintenance-interrupt",
+ 0, irq);
+ } else if (vms->virt) {
+ qemu_irq irq = qdev_get_gpio_in(vms->gic,
+ intidbase + ARCH_GIC_MAINT_IRQ);
+ sysbus_connect_irq(gicbusdev, i + 4 * smp_cpus, irq);
+ }
+
+ qdev_connect_gpio_out_named(cpudev, "pmu-interrupt", 0,
+ qdev_get_gpio_in(vms->gic, intidbase
+ + VIRTUAL_PMU_IRQ));
+
+ sysbus_connect_irq(gicbusdev, i, qdev_get_gpio_in(cpudev, ARM_CPU_IRQ));
+ sysbus_connect_irq(gicbusdev, i + smp_cpus,
+ qdev_get_gpio_in(cpudev, ARM_CPU_FIQ));
+ sysbus_connect_irq(gicbusdev, i + 2 * smp_cpus,
+ qdev_get_gpio_in(cpudev, ARM_CPU_VIRQ));
+ sysbus_connect_irq(gicbusdev, i + 3 * smp_cpus,
+ qdev_get_gpio_in(cpudev, ARM_CPU_VFIQ));
+
+ if (vms->gic_version != VIRT_GIC_VERSION_2) {
+ sysbus_connect_irq(gicbusdev, i + 4 * smp_cpus,
+ qdev_get_gpio_in(cpudev, ARM_CPU_NMI));
+ sysbus_connect_irq(gicbusdev, i + 5 * smp_cpus,
+ qdev_get_gpio_in(cpudev, ARM_CPU_VINMI));
+ }
+ }
+}
+
static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
{
MachineState *ms = MACHINE(vms);
/* We create a standalone GIC */
SysBusDevice *gicbusdev;
const char *gictype;
- int i;
unsigned int smp_cpus = ms->smp.cpus;
uint32_t nb_redist_regions = 0;
int revision;
@@ -900,63 +967,7 @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
}
}
- /* Wire the outputs from each CPU's generic timer and the GICv3
- * maintenance interrupt signal to the appropriate GIC PPI inputs,
- * and the GIC's IRQ/FIQ/VIRQ/VFIQ/NMI/VINMI interrupt outputs to the
- * CPU's inputs.
- */
- for (i = 0; i < smp_cpus; i++) {
- DeviceState *cpudev = DEVICE(qemu_get_cpu(i));
- int intidbase = NUM_IRQS + i * GIC_INTERNAL;
- /* Mapping from the output timer irq lines from the CPU to the
- * GIC PPI inputs we use for the virt board.
- */
- const int timer_irq[] = {
- [GTIMER_PHYS] = ARCH_TIMER_NS_EL1_IRQ,
- [GTIMER_VIRT] = ARCH_TIMER_VIRT_IRQ,
- [GTIMER_HYP] = ARCH_TIMER_NS_EL2_IRQ,
- [GTIMER_SEC] = ARCH_TIMER_S_EL1_IRQ,
- [GTIMER_HYPVIRT] = ARCH_TIMER_NS_EL2_VIRT_IRQ,
- [GTIMER_S_EL2_PHYS] = ARCH_TIMER_S_EL2_IRQ,
- [GTIMER_S_EL2_VIRT] = ARCH_TIMER_S_EL2_VIRT_IRQ,
- };
-
- for (unsigned irq = 0; irq < ARRAY_SIZE(timer_irq); irq++) {
- qdev_connect_gpio_out(cpudev, irq,
- qdev_get_gpio_in(vms->gic,
- intidbase + timer_irq[irq]));
- }
-
- if (vms->gic_version != VIRT_GIC_VERSION_2) {
- qemu_irq irq = qdev_get_gpio_in(vms->gic,
- intidbase + ARCH_GIC_MAINT_IRQ);
- qdev_connect_gpio_out_named(cpudev, "gicv3-maintenance-interrupt",
- 0, irq);
- } else if (vms->virt) {
- qemu_irq irq = qdev_get_gpio_in(vms->gic,
- intidbase + ARCH_GIC_MAINT_IRQ);
- sysbus_connect_irq(gicbusdev, i + 4 * smp_cpus, irq);
- }
-
- qdev_connect_gpio_out_named(cpudev, "pmu-interrupt", 0,
- qdev_get_gpio_in(vms->gic, intidbase
- + VIRTUAL_PMU_IRQ));
-
- sysbus_connect_irq(gicbusdev, i, qdev_get_gpio_in(cpudev, ARM_CPU_IRQ));
- sysbus_connect_irq(gicbusdev, i + smp_cpus,
- qdev_get_gpio_in(cpudev, ARM_CPU_FIQ));
- sysbus_connect_irq(gicbusdev, i + 2 * smp_cpus,
- qdev_get_gpio_in(cpudev, ARM_CPU_VIRQ));
- sysbus_connect_irq(gicbusdev, i + 3 * smp_cpus,
- qdev_get_gpio_in(cpudev, ARM_CPU_VFIQ));
-
- if (vms->gic_version != VIRT_GIC_VERSION_2) {
- sysbus_connect_irq(gicbusdev, i + 4 * smp_cpus,
- qdev_get_gpio_in(cpudev, ARM_CPU_NMI));
- sysbus_connect_irq(gicbusdev, i + 5 * smp_cpus,
- qdev_get_gpio_in(cpudev, ARM_CPU_VINMI));
- }
- }
+ gic_connect_ppis(vms);
fdt_add_gic_node(vms);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 58/65] hw/arm/virt: Pull "wire CPU interrupts" out of create_gic()
2026-02-23 17:02 ` [PATCH 58/65] hw/arm/virt: Pull "wire CPU interrupts" " Peter Maydell
@ 2026-03-11 18:01 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-11 18:01 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:02:05 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> create_gic() is quite long and mixes GICv2 and GICv3 even though
> they're mostly different in their creation. As a preliminary to
> splitting it up, pull out the "wire the CPU interrupts to the GIC PPI
> inputs" code out into its own function. This is a long and
> self-contained piece of code that is the main thing that we need to
> do basically the same way for GICv2 and GICv3.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
One trivial, "whilst you are here" inline.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> ---
> hw/arm/virt.c | 127 +++++++++++++++++++++++++++-----------------------
> 1 file changed, 69 insertions(+), 58 deletions(-)
>
> diff --git a/hw/arm/virt.c b/hw/arm/virt.c
> index 3c318680f8..ec6e49099a 100644
> --- a/hw/arm/virt.c
> +++ b/hw/arm/virt.c
> @@ -795,13 +795,80 @@ static bool gicv3_nmi_present(VirtMachineState *vms)
> (vms->gic_version != VIRT_GIC_VERSION_2);
> }
>
> +static void gic_connect_ppis(VirtMachineState *vms)
> +{
> + /*
> + * Wire the outputs from each CPU's generic timer and the GICv3
> + * maintenance interrupt signal to the appropriate GIC PPI inputs,
> + * and the GIC's IRQ/FIQ/VIRQ/VFIQ/NMI/VINMI interrupt outputs to the
> + * CPU's inputs.
> + */
> + MachineState *ms = MACHINE(vms);
> + int i;
> + unsigned int smp_cpus = ms->smp.cpus;
> + SysBusDevice *gicbusdev = SYS_BUS_DEVICE(vms->gic);
> +
> + for (i = 0; i < smp_cpus; i++) {
If this doesn't get changed later in a way that prevents it, maybe sneak in
moving the int i into the loop init? It looks messy above.
> + DeviceState *cpudev = DEVICE(qemu_get_cpu(i));
> + int intidbase = NUM_IRQS + i * GIC_INTERNAL;
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 59/65] hw/arm/virt: Split GICv2 and GICv3/4 creation
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (57 preceding siblings ...)
2026-02-23 17:02 ` [PATCH 58/65] hw/arm/virt: Pull "wire CPU interrupts" " Peter Maydell
@ 2026-02-23 17:02 ` Peter Maydell
2026-03-12 13:59 ` Jonathan Cameron via qemu development
2026-02-23 17:02 ` [PATCH 60/65] hw/arm/virt: Create and connect GICv5 Peter Maydell
` (6 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:02 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Currently create_gic() handles GICv2 and GICv3/4 in a single
function, with large sections that are conditional on the
vms->gic_version. GICv5 will be different to both.
Refactor into create_gicv2() and create_gicv3().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/arm/virt.c | 137 ++++++++++++++++++++++++++++++--------------------
1 file changed, 82 insertions(+), 55 deletions(-)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index ec6e49099a..3d19eb0fee 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -863,26 +863,58 @@ static void gic_connect_ppis(VirtMachineState *vms)
}
}
-static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
+static void create_gicv2(VirtMachineState *vms, MemoryRegion *mem)
+{
+ MachineState *ms = MACHINE(vms);
+ /* We create a standalone GIC */
+ SysBusDevice *gicbusdev;
+ unsigned int smp_cpus = ms->smp.cpus;
+
+ if (kvm_enabled() && vms->virt) {
+ error_report("KVM EL2 is only supported with in-kernel GICv3");
+ exit(1);
+ }
+
+ vms->gic = qdev_new(gic_class_name());
+ qdev_prop_set_uint32(vms->gic, "revision", 2);
+ qdev_prop_set_uint32(vms->gic, "num-cpu", smp_cpus);
+ /*
+ * Note that the num-irq property counts both internal and external
+ * interrupts; there are always 32 of the former (mandated by GIC spec).
+ */
+ qdev_prop_set_uint32(vms->gic, "num-irq", NUM_IRQS + 32);
+ if (!kvm_irqchip_in_kernel()) {
+ qdev_prop_set_bit(vms->gic, "has-security-extensions", vms->secure);
+ qdev_prop_set_bit(vms->gic, "has-virtualization-extensions", vms->virt);
+ }
+
+ gicbusdev = SYS_BUS_DEVICE(vms->gic);
+ sysbus_realize_and_unref(gicbusdev, &error_fatal);
+ sysbus_mmio_map(gicbusdev, 0, vms->memmap[VIRT_GIC_DIST].base);
+ sysbus_mmio_map(gicbusdev, 1, vms->memmap[VIRT_GIC_CPU].base);
+ if (vms->virt) {
+ sysbus_mmio_map(gicbusdev, 2, vms->memmap[VIRT_GIC_HYP].base);
+ sysbus_mmio_map(gicbusdev, 3, vms->memmap[VIRT_GIC_VCPU].base);
+ }
+
+ gic_connect_ppis(vms);
+
+ fdt_add_gic_node(vms);
+}
+
+static void create_gicv3(VirtMachineState *vms, MemoryRegion *mem)
{
MachineState *ms = MACHINE(vms);
/* We create a standalone GIC */
SysBusDevice *gicbusdev;
- const char *gictype;
unsigned int smp_cpus = ms->smp.cpus;
uint32_t nb_redist_regions = 0;
int revision;
-
- if (vms->gic_version == VIRT_GIC_VERSION_2) {
- gictype = gic_class_name();
- } else {
- gictype = gicv3_class_name();
- }
+ QList *redist_region_count;
+ uint32_t redist0_capacity = virt_redist_capacity(vms, VIRT_GIC_REDIST);
+ uint32_t redist0_count = MIN(smp_cpus, redist0_capacity);
switch (vms->gic_version) {
- case VIRT_GIC_VERSION_2:
- revision = 2;
- break;
case VIRT_GIC_VERSION_3:
revision = 3;
break;
@@ -899,10 +931,11 @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
exit(1);
}
- vms->gic = qdev_new(gictype);
+ vms->gic = qdev_new(gicv3_class_name());
qdev_prop_set_uint32(vms->gic, "revision", revision);
qdev_prop_set_uint32(vms->gic, "num-cpu", smp_cpus);
- /* Note that the num-irq property counts both internal and external
+ /*
+ * Note that the num-irq property counts both internal and external
* interrupts; there are always 32 of the former (mandated by GIC spec).
*/
qdev_prop_set_uint32(vms->gic, "num-irq", NUM_IRQS + 32);
@@ -910,40 +943,28 @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
qdev_prop_set_bit(vms->gic, "has-security-extensions", vms->secure);
}
- if (vms->gic_version != VIRT_GIC_VERSION_2) {
- QList *redist_region_count;
- uint32_t redist0_capacity = virt_redist_capacity(vms, VIRT_GIC_REDIST);
- uint32_t redist0_count = MIN(smp_cpus, redist0_capacity);
+ nb_redist_regions = virt_gicv3_redist_region_count(vms);
- nb_redist_regions = virt_gicv3_redist_region_count(vms);
+ redist_region_count = qlist_new();
+ qlist_append_int(redist_region_count, redist0_count);
+ if (nb_redist_regions == 2) {
+ uint32_t redist1_capacity =
+ virt_redist_capacity(vms, VIRT_HIGH_GIC_REDIST2);
- redist_region_count = qlist_new();
- qlist_append_int(redist_region_count, redist0_count);
- if (nb_redist_regions == 2) {
- uint32_t redist1_capacity =
- virt_redist_capacity(vms, VIRT_HIGH_GIC_REDIST2);
+ qlist_append_int(redist_region_count,
+ MIN(smp_cpus - redist0_count, redist1_capacity));
+ }
+ qdev_prop_set_array(vms->gic, "redist-region-count", redist_region_count);
- qlist_append_int(redist_region_count,
- MIN(smp_cpus - redist0_count, redist1_capacity));
- }
- qdev_prop_set_array(vms->gic, "redist-region-count",
- redist_region_count);
-
- if (!kvm_irqchip_in_kernel()) {
- if (vms->tcg_its) {
- object_property_set_link(OBJECT(vms->gic), "sysmem",
- OBJECT(mem), &error_fatal);
- qdev_prop_set_bit(vms->gic, "has-lpi", true);
- }
- } else if (vms->virt) {
- qdev_prop_set_uint32(vms->gic, "maintenance-interrupt-id",
- ARCH_GIC_MAINT_IRQ);
- }
- } else {
- if (!kvm_irqchip_in_kernel()) {
- qdev_prop_set_bit(vms->gic, "has-virtualization-extensions",
- vms->virt);
+ if (!kvm_irqchip_in_kernel()) {
+ if (vms->tcg_its) {
+ object_property_set_link(OBJECT(vms->gic), "sysmem", OBJECT(mem),
+ &error_fatal);
+ qdev_prop_set_bit(vms->gic, "has-lpi", true);
}
+ } else if (vms->virt) {
+ qdev_prop_set_uint32(vms->gic, "maintenance-interrupt-id",
+ ARCH_GIC_MAINT_IRQ);
}
if (gicv3_nmi_present(vms)) {
@@ -953,18 +974,9 @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
gicbusdev = SYS_BUS_DEVICE(vms->gic);
sysbus_realize_and_unref(gicbusdev, &error_fatal);
sysbus_mmio_map(gicbusdev, 0, vms->memmap[VIRT_GIC_DIST].base);
- if (vms->gic_version != VIRT_GIC_VERSION_2) {
- sysbus_mmio_map(gicbusdev, 1, vms->memmap[VIRT_GIC_REDIST].base);
- if (nb_redist_regions == 2) {
- sysbus_mmio_map(gicbusdev, 2,
- vms->memmap[VIRT_HIGH_GIC_REDIST2].base);
- }
- } else {
- sysbus_mmio_map(gicbusdev, 1, vms->memmap[VIRT_GIC_CPU].base);
- if (vms->virt) {
- sysbus_mmio_map(gicbusdev, 2, vms->memmap[VIRT_GIC_HYP].base);
- sysbus_mmio_map(gicbusdev, 3, vms->memmap[VIRT_GIC_VCPU].base);
- }
+ sysbus_mmio_map(gicbusdev, 1, vms->memmap[VIRT_GIC_REDIST].base);
+ if (nb_redist_regions == 2) {
+ sysbus_mmio_map(gicbusdev, 2, vms->memmap[VIRT_HIGH_GIC_REDIST2].base);
}
gic_connect_ppis(vms);
@@ -972,6 +984,21 @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
fdt_add_gic_node(vms);
}
+static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
+{
+ switch (vms->gic_version) {
+ case VIRT_GIC_VERSION_2:
+ create_gicv2(vms, mem);
+ break;
+ case VIRT_GIC_VERSION_3:
+ case VIRT_GIC_VERSION_4:
+ create_gicv3(vms, mem);
+ break;
+ default:
+ g_assert_not_reached();
+ }
+}
+
static void create_msi_controller(VirtMachineState *vms)
{
switch (vms->msi_controller) {
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 59/65] hw/arm/virt: Split GICv2 and GICv3/4 creation
2026-02-23 17:02 ` [PATCH 59/65] hw/arm/virt: Split GICv2 and GICv3/4 creation Peter Maydell
@ 2026-03-12 13:59 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-12 13:59 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:02:06 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Currently create_gic() handles GICv2 and GICv3/4 in a single
> function, with large sections that are conditional on the
> vms->gic_version. GICv5 will be different to both.
>
> Refactor into create_gicv2() and create_gicv3().
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
One trivial comment inline.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> ---
> hw/arm/virt.c | 137 ++++++++++++++++++++++++++++++--------------------
> 1 file changed, 82 insertions(+), 55 deletions(-)
>
> diff --git a/hw/arm/virt.c b/hw/arm/virt.c
> index ec6e49099a..3d19eb0fee 100644
> --- a/hw/arm/virt.c
> +++ b/hw/arm/virt.c
> @@ -863,26 +863,58 @@ static void gic_connect_ppis(VirtMachineState *vms)
> }
> }
> +static void create_gicv3(VirtMachineState *vms, MemoryRegion *mem)
> {
> MachineState *ms = MACHINE(vms);
> /* We create a standalone GIC */
> SysBusDevice *gicbusdev;
> - const char *gictype;
> unsigned int smp_cpus = ms->smp.cpus;
> uint32_t nb_redist_regions = 0;
I think this now always set before use so can drop the initialization.
> int revision;
> -
> - if (vms->gic_version == VIRT_GIC_VERSION_2) {
> - gictype = gic_class_name();
> - } else {
> - gictype = gicv3_class_name();
> - }
> + QList *redist_region_count;
> + uint32_t redist0_capacity = virt_redist_capacity(vms, VIRT_GIC_REDIST);
> + uint32_t redist0_count = MIN(smp_cpus, redist0_capacity);
>
> switch (vms->gic_version) {
> - case VIRT_GIC_VERSION_2:
> - revision = 2;
> - break;
> case VIRT_GIC_VERSION_3:
> revision = 3;
> break;
> @@ -899,10 +931,11 @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
> exit(1);
> }
>
> - vms->gic = qdev_new(gictype);
> + vms->gic = qdev_new(gicv3_class_name());
> qdev_prop_set_uint32(vms->gic, "revision", revision);
> qdev_prop_set_uint32(vms->gic, "num-cpu", smp_cpus);
> - /* Note that the num-irq property counts both internal and external
> + /*
> + * Note that the num-irq property counts both internal and external
> * interrupts; there are always 32 of the former (mandated by GIC spec).
> */
> qdev_prop_set_uint32(vms->gic, "num-irq", NUM_IRQS + 32);
> @@ -910,40 +943,28 @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
> qdev_prop_set_bit(vms->gic, "has-security-extensions", vms->secure);
> }
>
> - if (vms->gic_version != VIRT_GIC_VERSION_2) {
> - QList *redist_region_count;
> - uint32_t redist0_capacity = virt_redist_capacity(vms, VIRT_GIC_REDIST);
> - uint32_t redist0_count = MIN(smp_cpus, redist0_capacity);
> + nb_redist_regions = virt_gicv3_redist_region_count(vms);
...
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 60/65] hw/arm/virt: Create and connect GICv5
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (58 preceding siblings ...)
2026-02-23 17:02 ` [PATCH 59/65] hw/arm/virt: Split GICv2 and GICv3/4 creation Peter Maydell
@ 2026-02-23 17:02 ` Peter Maydell
2026-03-12 14:06 ` Jonathan Cameron via qemu development
2026-02-23 17:02 ` [PATCH 61/65] hw/arm/virt: Advertise GICv5 in the DTB Peter Maydell
` (5 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:02 UTC (permalink / raw)
To: qemu-arm, qemu-devel
In this commit we create and connect up the GICv5. We do not
advertise it in the ACPI tables or DTB; that will be done in a
following commit.
The user-facing gic-version property still only documents and permits
in its setter function the existing set of possible values; we won't
permit the user to select a GICv5 until all the code to handle it is
in place.
Although we currently implement only the IRS, and only for EL1,
we reserve space in the virt board's memory map now for all the
register frames that the GICv5 may use. Each interrupt domain has:
* one IRS config register frame
* one ITS config register frame
* one ITS translate register frame
and each of these frames is 64K in size and 64K aligned and must be
at a unique address (that is, it is not permitted to have all the IRS
config register frames at the same physical address in the different
S/NS/etc physical address spaces).
The addresses and layout of these frames are entirely up to the
implementation: software will be passed their addresses via firmware
data structures (ACPI or DTB).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/arm/virt.c | 101 ++++++++++++++++++++++++++++++++++++++++++
include/hw/arm/virt.h | 14 ++++++
2 files changed, 115 insertions(+)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 3d19eb0fee..a9addf5ac0 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -69,6 +69,7 @@
#include "hw/intc/arm_gic.h"
#include "hw/intc/arm_gicv3_common.h"
#include "hw/intc/arm_gicv3_its_common.h"
+#include "hw/intc/arm_gicv5_common.h"
#include "hw/core/irq.h"
#include "kvm_arm.h"
#include "hvf_arm.h"
@@ -185,6 +186,19 @@ static const MemMapEntry base_memmap[] = {
[VIRT_GIC_ITS] = { 0x08080000, 0x00020000 },
/* This redistributor space allows up to 2*64kB*123 CPUs */
[VIRT_GIC_REDIST] = { 0x080A0000, 0x00F60000 },
+ /* The GICv5 uses this address range differently from GICv2/v3/v4 */
+ [VIRT_GICV5_IRS_S] = { 0x08000000, 0x00010000 },
+ [VIRT_GICV5_IRS_NS] = { 0x08010000, 0x00010000 },
+ [VIRT_GICV5_IRS_EL3] = { 0x08020000, 0x00010000 },
+ [VIRT_GICV5_IRS_REALM] = { 0x08030000, 0x00010000 },
+ [VIRT_GICV5_ITS_S] = { 0x08040000, 0x00010000 },
+ [VIRT_GICV5_ITS_NS] = { 0x08050000, 0x00010000 },
+ [VIRT_GICV5_ITS_EL3] = { 0x08060000, 0x00010000 },
+ [VIRT_GICV5_ITS_REALM] = { 0x08070000, 0x00010000 },
+ [VIRT_GICV5_ITS_TR_S] = { 0x08080000, 0x00010000 },
+ [VIRT_GICV5_ITS_TR_NS] = { 0x08090000, 0x00010000 },
+ [VIRT_GICV5_ITS_TR_EL3] = { 0x080A0000, 0x00010000 },
+ [VIRT_GICV5_ITS_TR_REALM] = { 0x080B0000, 0x00010000 },
[VIRT_UART0] = { 0x09000000, 0x00001000 },
[VIRT_RTC] = { 0x09010000, 0x00001000 },
[VIRT_FW_CFG] = { 0x09020000, 0x00000018 },
@@ -781,6 +795,49 @@ static void create_v2m(VirtMachineState *vms)
vms->msi_controller = VIRT_MSI_CTRL_GICV2M;
}
+static void create_gicv5(VirtMachineState *vms, MemoryRegion *mem)
+{
+ MachineState *ms = MACHINE(vms);
+ SysBusDevice *gicbusdev;
+ const char *gictype = gicv5_class_name();
+ QList *cpulist = qlist_new(), *iaffidlist = qlist_new();
+
+ vms->gic = qdev_new(gictype);
+ qdev_prop_set_uint32(vms->gic, "spi-range", NUM_IRQS);
+
+ object_property_set_link(OBJECT(vms->gic), "sysmem",
+ OBJECT(mem), &error_fatal);
+
+ for (int i = 0; i < ms->smp.cpus; i++) {
+ qlist_append_link(cpulist, OBJECT(qemu_get_cpu(i)));
+ /*
+ * GICv5 IAFFIDs must be system-wide unique across all GICs.
+ * For virt we make them the same as the CPU index.
+ */
+ qlist_append_int(iaffidlist, i);
+ }
+ qdev_prop_set_array(vms->gic, "cpus", cpulist);
+ qdev_prop_set_array(vms->gic, "cpu-iaffids", iaffidlist);
+
+ gicbusdev = SYS_BUS_DEVICE(vms->gic);
+ sysbus_realize_and_unref(gicbusdev, &error_fatal);
+
+ /*
+ * Map the IRS config frames for the interrupt domains.
+ * At the moment we implement only the NS domain, so this is simple.
+ */
+ sysbus_mmio_map(gicbusdev, GICV5_ID_NS,
+ vms->memmap[VIRT_GICV5_IRS_NS].base);
+
+ /*
+ * The GICv5 does not need to wire up CPU timer IRQ outputs to the GIC
+ * because for the GICv5 those PPIs are entirely internal to the CPU.
+ * Nor do we need to wire up GIC IRQ/FIQ signals to the CPUs, because
+ * that information is communicated directly between a GICv5 IRS and
+ * the GICv5 CPU interface via our equivalent of the stream protocol.
+ */
+}
+
/*
* If the CPU has FEAT_NMI, then turn on the NMI support in the GICv3 too.
* It's permitted to have a configuration with NMI in the CPU (and thus the
@@ -994,6 +1051,9 @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
case VIRT_GIC_VERSION_4:
create_gicv3(vms, mem);
break;
+ case VIRT_GIC_VERSION_5:
+ create_gicv5(vms, mem);
+ break;
default:
g_assert_not_reached();
}
@@ -1929,6 +1989,11 @@ static uint64_t virt_cpu_mp_affinity(VirtMachineState *vms, int idx)
/*
* Adjust MPIDR to make TCG consistent (with 64-bit KVM hosts)
* and to improve SGI efficiency.
+ * - GICv2 only supports 8 CPUs anyway
+ * - GICv3 wants 16 CPUs per Aff0 because of an ICC_SGIxR
+ * register limitation
+ * - GICv5 has no restrictions, so we retain the GICv3 16-per-Aff0
+ * layout because that's what KVM does
*/
if (vms->gic_version == VIRT_GIC_VERSION_2) {
clustersz = GIC_TARGETLIST_BITS;
@@ -2074,6 +2139,11 @@ static VirtGICType finalize_gic_version_do(const char *accel_name,
return finalize_gic_version_do(accel_name, VIRT_GIC_VERSION_MAX,
gics_supported, max_cpus);
case VIRT_GIC_VERSION_MAX:
+ /*
+ * We don't (currently) make 'max' select GICv5 as it is not
+ * backwards compatible for system software with GICv3/v4 and
+ * at time of writing not widely supported in guest kernels.
+ */
if (gics_supported & VIRT_GIC_VERSION_4_MASK) {
gic_version = VIRT_GIC_VERSION_4;
} else if (gics_supported & VIRT_GIC_VERSION_3_MASK) {
@@ -2102,6 +2172,7 @@ static VirtGICType finalize_gic_version_do(const char *accel_name,
case VIRT_GIC_VERSION_2:
case VIRT_GIC_VERSION_3:
case VIRT_GIC_VERSION_4:
+ case VIRT_GIC_VERSION_5:
break;
}
@@ -2126,6 +2197,12 @@ static VirtGICType finalize_gic_version_do(const char *accel_name,
exit(1);
}
break;
+ case VIRT_GIC_VERSION_5:
+ if (!(gics_supported & VIRT_GIC_VERSION_5_MASK)) {
+ error_report("%s does not support GICv5 emulation", accel_name);
+ exit(1);
+ }
+ break;
default:
error_report("logic error in finalize_gic_version");
exit(1);
@@ -2177,6 +2254,10 @@ static void finalize_gic_version(VirtMachineState *vms)
gics_supported |= VIRT_GIC_VERSION_4_MASK;
}
}
+ if (!hvf_enabled() && module_object_class_by_name("arm-gicv5")) {
+ /* HVF doesn't have GICv5 support */
+ gics_supported |= VIRT_GIC_VERSION_5_MASK;
+ }
} else {
error_report("Unsupported accelerator, can not determine GIC support");
exit(1);
@@ -2210,6 +2291,9 @@ static void finalize_msi_controller(VirtMachineState *vms)
vms->msi_controller = VIRT_MSI_CTRL_GICV2M;
} else if (whpx_enabled()) {
vms->msi_controller = VIRT_MSI_CTRL_GICV2M;
+ } else if (vms->gic_version == VIRT_GIC_VERSION_5) {
+ /* GICv5 ITS is not yet implemented */
+ vms->msi_controller = VIRT_MSI_CTRL_NONE;
} else {
vms->msi_controller = VIRT_MSI_CTRL_ITS;
}
@@ -2225,6 +2309,10 @@ static void finalize_msi_controller(VirtMachineState *vms)
error_report("GICv2 + ITS is an invalid configuration.");
exit(1);
}
+ if (vms->gic_version == VIRT_GIC_VERSION_5) {
+ error_report("GICv5 + ITS is not yet implemented.");
+ exit(1);
+ }
if (whpx_enabled()) {
error_report("ITS not supported on WHPX.");
exit(1);
@@ -2397,6 +2485,13 @@ static void machvirt_init(MachineState *machine)
*/
if (vms->gic_version == VIRT_GIC_VERSION_2) {
virt_max_cpus = GIC_NCPU;
+ } else if (vms->gic_version == VIRT_GIC_VERSION_5) {
+ /*
+ * GICv5 imposes no CPU limit beyond the 16-bit IAFFID field.
+ * The maximum number of CPUs will be limited not by this, but
+ * by the MachineClass::max_cpus value we set earlier.
+ */
+ virt_max_cpus = 1 << QEMU_GICV5_IAFFID_BITS;
} else {
virt_max_cpus = virt_redist_capacity(vms, VIRT_GIC_REDIST);
if (vms->highmem_redists) {
@@ -2442,6 +2537,12 @@ static void machvirt_init(MachineState *machine)
exit(1);
}
+ if ((vms->virt || vms->secure) &&
+ vms->gic_version == VIRT_GIC_VERSION_5) {
+ error_report("mach-virt: GICv5 currently supports EL1 only\n");
+ exit(1);
+ }
+
create_fdt(vms);
assert(possible_cpus->len == max_cpus);
diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index 6b4691761e..34588747aa 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -63,6 +63,18 @@ enum {
VIRT_GIC_VCPU,
VIRT_GIC_ITS,
VIRT_GIC_REDIST,
+ VIRT_GICV5_IRS_S,
+ VIRT_GICV5_IRS_NS,
+ VIRT_GICV5_IRS_EL3,
+ VIRT_GICV5_IRS_REALM,
+ VIRT_GICV5_ITS_S,
+ VIRT_GICV5_ITS_NS,
+ VIRT_GICV5_ITS_EL3,
+ VIRT_GICV5_ITS_REALM,
+ VIRT_GICV5_ITS_TR_S,
+ VIRT_GICV5_ITS_TR_NS,
+ VIRT_GICV5_ITS_TR_EL3,
+ VIRT_GICV5_ITS_TR_REALM,
VIRT_SMMU,
VIRT_UART0,
VIRT_MMIO,
@@ -116,12 +128,14 @@ typedef enum VirtGICType {
VIRT_GIC_VERSION_2 = 2,
VIRT_GIC_VERSION_3 = 3,
VIRT_GIC_VERSION_4 = 4,
+ VIRT_GIC_VERSION_5 = 5,
VIRT_GIC_VERSION_NOSEL,
} VirtGICType;
#define VIRT_GIC_VERSION_2_MASK BIT(VIRT_GIC_VERSION_2)
#define VIRT_GIC_VERSION_3_MASK BIT(VIRT_GIC_VERSION_3)
#define VIRT_GIC_VERSION_4_MASK BIT(VIRT_GIC_VERSION_4)
+#define VIRT_GIC_VERSION_5_MASK BIT(VIRT_GIC_VERSION_5)
struct VirtMachineClass {
MachineClass parent;
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 60/65] hw/arm/virt: Create and connect GICv5
2026-02-23 17:02 ` [PATCH 60/65] hw/arm/virt: Create and connect GICv5 Peter Maydell
@ 2026-03-12 14:06 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-12 14:06 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:02:07 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> In this commit we create and connect up the GICv5. We do not
> advertise it in the ACPI tables or DTB; that will be done in a
> following commit.
>
> The user-facing gic-version property still only documents and permits
> in its setter function the existing set of possible values; we won't
> permit the user to select a GICv5 until all the code to handle it is
> in place.
>
> Although we currently implement only the IRS, and only for EL1,
> we reserve space in the virt board's memory map now for all the
> register frames that the GICv5 may use. Each interrupt domain has:
> * one IRS config register frame
> * one ITS config register frame
> * one ITS translate register frame
> and each of these frames is 64K in size and 64K aligned and must be
> at a unique address (that is, it is not permitted to have all the IRS
> config register frames at the same physical address in the different
> S/NS/etc physical address spaces).
>
> The addresses and layout of these frames are entirely up to the
> implementation: software will be passed their addresses via firmware
> data structures (ACPI or DTB).
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> ---
> hw/arm/virt.c | 101 ++++++++++++++++++++++++++++++++++++++++++
> include/hw/arm/virt.h | 14 ++++++
> 2 files changed, 115 insertions(+)
>
> diff --git a/hw/arm/virt.c b/hw/arm/virt.c
> index 3d19eb0fee..a9addf5ac0 100644
> --- a/hw/arm/virt.c
> +++ b/hw/arm/virt.c
> @@ -781,6 +795,49 @@ static void create_v2m(VirtMachineState *vms)
> vms->msi_controller = VIRT_MSI_CTRL_GICV2M;
> }
>
> +static void create_gicv5(VirtMachineState *vms, MemoryRegion *mem)
> +{
> + MachineState *ms = MACHINE(vms);
> + SysBusDevice *gicbusdev;
> + const char *gictype = gicv5_class_name();
> + QList *cpulist = qlist_new(), *iaffidlist = qlist_new();
> +
> + vms->gic = qdev_new(gictype);
> + qdev_prop_set_uint32(vms->gic, "spi-range", NUM_IRQS);
> +
> + object_property_set_link(OBJECT(vms->gic), "sysmem",
> + OBJECT(mem), &error_fatal);
Trivial: I'd move OBJECT(mem) up a line.
> +
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 61/65] hw/arm/virt: Advertise GICv5 in the DTB
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (59 preceding siblings ...)
2026-02-23 17:02 ` [PATCH 60/65] hw/arm/virt: Create and connect GICv5 Peter Maydell
@ 2026-02-23 17:02 ` Peter Maydell
2026-03-12 14:23 ` Jonathan Cameron via qemu development
2026-02-23 17:02 ` [PATCH 62/65] hw/arm/virt: Handle GICv5 in interrupt bindings for PPIs Peter Maydell
` (4 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:02 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Advertise the GICv5 in the DTB. This binding is final as it is in
the upstream Linux kernel as:
Documentation/devicetree/bindings/interrupt-controller/arm,gic-v5.yaml
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/arm/virt.c | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index a9addf5ac0..6775062c5d 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -795,6 +795,72 @@ static void create_v2m(VirtMachineState *vms)
vms->msi_controller = VIRT_MSI_CTRL_GICV2M;
}
+static void fdt_add_gicv5_node(VirtMachineState *vms)
+{
+ MachineState *ms = MACHINE(vms);
+ const char *nodename = "/intc";
+ g_autofree char *irsnodename = NULL;
+ g_autofree uint32_t *cpu_phandles = g_new(uint32_t, ms->smp.cpus);
+ g_autofree uint16_t *iaffids = g_new(uint16_t, ms->smp.cpus);
+
+ vms->gic_phandle = qemu_fdt_alloc_phandle(ms->fdt);
+ qemu_fdt_setprop_cell(ms->fdt, "/", "interrupt-parent", vms->gic_phandle);
+
+ qemu_fdt_add_subnode(ms->fdt, nodename);
+ qemu_fdt_setprop_cell(ms->fdt, nodename, "phandle", vms->gic_phandle);
+ qemu_fdt_setprop_string(ms->fdt, nodename, "compatible", "arm,gic-v5");
+ qemu_fdt_setprop_cell(ms->fdt, nodename, "#interrupt-cells", 3);
+ qemu_fdt_setprop(ms->fdt, nodename, "interrupt-controller", NULL, 0);
+ qemu_fdt_setprop_cell(ms->fdt, nodename, "#address-cells", 0x2);
+ qemu_fdt_setprop_cell(ms->fdt, nodename, "#size-cells", 0x2);
+ qemu_fdt_setprop(ms->fdt, nodename, "ranges", NULL, 0);
+
+ /* The IRS node is a child of the top level /intc node */
+ irsnodename = g_strdup_printf("%s/irs@%" PRIx64,
+ nodename,
+ vms->memmap[VIRT_GICV5_IRS_NS].base);
+ qemu_fdt_add_subnode(ms->fdt, irsnodename);
+ qemu_fdt_setprop_string(ms->fdt, irsnodename, "compatible",
+ "arm,gic-v5-irs");
+ /*
+ * "reg-names" describes the frames whose address/size is in "reg";
+ * at the moment we have only the NS config register frame.
+ */
+ qemu_fdt_setprop_string(ms->fdt, irsnodename, "reg-names", "ns-config");
+ qemu_fdt_setprop_sized_cells(ms->fdt, irsnodename, "reg",
+ 2, vms->memmap[VIRT_GICV5_IRS_NS].base,
+ 2, vms->memmap[VIRT_GICV5_IRS_NS].size);
+ qemu_fdt_setprop_cell(ms->fdt, irsnodename, "#address-cells", 0x2);
+ qemu_fdt_setprop_cell(ms->fdt, irsnodename, "#size-cells", 0x2);
+ qemu_fdt_setprop(ms->fdt, irsnodename, "ranges", NULL, 0);
+
+ /*
+ * The "cpus" property is an array of phandles to the CPUs, and "iaffids" is
+ * an array of uint16 IAFFIDs. For virt, our IAFFIDs are the CPU indexes.
+ * This function is called after fdt_add_cpu_nodes(), which allocates
+ * the cpu_phandles array.
+ */
+ assert(vms->cpu_phandles);
+ for (int i = 0; i < ms->smp.cpus; i++) {
+ /*
+ * We have to byteswap each element here because we're setting the
+ * whole property value at once as a lump of raw data, not via a
+ * helper like qemu_fdt_setprop_cell() that does the swapping for us.
+ */
+ cpu_phandles[i] = cpu_to_be32(vms->cpu_phandles[i]);
+ iaffids[i] = cpu_to_be16(i);
+ }
+ qemu_fdt_setprop(ms->fdt, irsnodename, "cpus", cpu_phandles,
+ ms->smp.cpus * sizeof(*cpu_phandles));
+ qemu_fdt_setprop(ms->fdt, irsnodename, "arm,iaffids", iaffids,
+ ms->smp.cpus * sizeof(*iaffids));
+
+ /*
+ * When we implement the GICv5 IRS, it gets a DTB node which
+ * is a child of the IRS node.
+ */
+}
+
static void create_gicv5(VirtMachineState *vms, MemoryRegion *mem)
{
MachineState *ms = MACHINE(vms);
@@ -836,6 +902,8 @@ static void create_gicv5(VirtMachineState *vms, MemoryRegion *mem)
* that information is communicated directly between a GICv5 IRS and
* the GICv5 CPU interface via our equivalent of the stream protocol.
*/
+
+ fdt_add_gicv5_node(vms);
}
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 61/65] hw/arm/virt: Advertise GICv5 in the DTB
2026-02-23 17:02 ` [PATCH 61/65] hw/arm/virt: Advertise GICv5 in the DTB Peter Maydell
@ 2026-03-12 14:23 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-12 14:23 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:02:08 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Advertise the GICv5 in the DTB. This binding is final as it is in
> the upstream Linux kernel as:
> Documentation/devicetree/bindings/interrupt-controller/arm,gic-v5.yaml
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
One trivial thing inline that might every so slightly help other reviewers.
Otherwise looks correct to me - though take into account I only review this
side of bindings once in a blue moon.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
> ---
> hw/arm/virt.c | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 68 insertions(+)
>
> diff --git a/hw/arm/virt.c b/hw/arm/virt.c
> index a9addf5ac0..6775062c5d 100644
> --- a/hw/arm/virt.c
> +++ b/hw/arm/virt.c
> @@ -795,6 +795,72 @@ static void create_v2m(VirtMachineState *vms)
> vms->msi_controller = VIRT_MSI_CTRL_GICV2M;
> }
>
> +static void fdt_add_gicv5_node(VirtMachineState *vms)
> +{
> + MachineState *ms = MACHINE(vms);
> + const char *nodename = "/intc";
> + g_autofree char *irsnodename = NULL;
> + g_autofree uint32_t *cpu_phandles = g_new(uint32_t, ms->smp.cpus);
> + g_autofree uint16_t *iaffids = g_new(uint16_t, ms->smp.cpus);
> +
> + vms->gic_phandle = qemu_fdt_alloc_phandle(ms->fdt);
> + qemu_fdt_setprop_cell(ms->fdt, "/", "interrupt-parent", vms->gic_phandle);
> +
> + qemu_fdt_add_subnode(ms->fdt, nodename);
> + qemu_fdt_setprop_cell(ms->fdt, nodename, "phandle", vms->gic_phandle);
> + qemu_fdt_setprop_string(ms->fdt, nodename, "compatible", "arm,gic-v5");
> + qemu_fdt_setprop_cell(ms->fdt, nodename, "#interrupt-cells", 3);
> + qemu_fdt_setprop(ms->fdt, nodename, "interrupt-controller", NULL, 0);
> + qemu_fdt_setprop_cell(ms->fdt, nodename, "#address-cells", 0x2);
> + qemu_fdt_setprop_cell(ms->fdt, nodename, "#size-cells", 0x2);
> + qemu_fdt_setprop(ms->fdt, nodename, "ranges", NULL, 0);
> +
> + /* The IRS node is a child of the top level /intc node */
> + irsnodename = g_strdup_printf("%s/irs@%" PRIx64,
> + nodename,
> + vms->memmap[VIRT_GICV5_IRS_NS].base);
> + qemu_fdt_add_subnode(ms->fdt, irsnodename);
> + qemu_fdt_setprop_string(ms->fdt, irsnodename, "compatible",
> + "arm,gic-v5-irs");
> + /*
> + * "reg-names" describes the frames whose address/size is in "reg";
> + * at the moment we have only the NS config register frame.
> + */
> + qemu_fdt_setprop_string(ms->fdt, irsnodename, "reg-names", "ns-config");
Don't really care, but you could keep these ordered as per the binding doc
to make review a tiny little bit easier. reg comes before reg-names.
> + qemu_fdt_setprop_sized_cells(ms->fdt, irsnodename, "reg",
> + 2, vms->memmap[VIRT_GICV5_IRS_NS].base,
> + 2, vms->memmap[VIRT_GICV5_IRS_NS].size);
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 62/65] hw/arm/virt: Handle GICv5 in interrupt bindings for PPIs
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (60 preceding siblings ...)
2026-02-23 17:02 ` [PATCH 61/65] hw/arm/virt: Advertise GICv5 in the DTB Peter Maydell
@ 2026-02-23 17:02 ` Peter Maydell
2026-03-12 14:28 ` Jonathan Cameron via qemu development
2026-02-23 17:02 ` [PATCH 63/65] hw/arm/virt: Use correct interrupt type for GICv5 SPIs in the DTB Peter Maydell
` (3 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:02 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The GICv5 devicetree binding specifies the "interrupts" property
differently to GICv2 and GICv3 for PPIs: the first field is the
architectural INTID.TYPE, and the second is the architectural
INTID.ID. (The third field defining the level/edge trigger mode has
the same values for GICv5 as it did for the older GICs.)
In the places in the virt board where we wire up PPIs (the timer and
the PMU), handle the GICv5:
* use the architectural constant GICV5_PPI for the type
* use the architected GICv5 PPI numbers for the interrupt sources
(which differ from the old ones and don't need to be adjusted via
INTID_TO_PPI())
* leave the irqflags as-is
Add some commentary in our include/hw/arm/fdt.h file about what the
the constants defined there are valid for.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/arm/virt.c | 23 +++++++++++++++++++----
include/hw/arm/fdt.h | 10 ++++++++++
2 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 6775062c5d..05c92e8482 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -421,7 +421,15 @@ static void fdt_add_timer_nodes(const VirtMachineState *vms)
"arm,armv7-timer");
}
qemu_fdt_setprop(ms->fdt, "/timer", "always-on", NULL, 0);
- if (vms->ns_el2_virt_timer_irq) {
+ if (vms->gic_version == VIRT_GIC_VERSION_5) {
+ /* The GICv5 architects the PPI numbers differently */
+ qemu_fdt_setprop_cells(ms->fdt, "/timer", "interrupts",
+ GICV5_PPI, GICV5_PPI_CNTPS, irqflags,
+ GICV5_PPI, GICV5_PPI_CNTP, irqflags,
+ GICV5_PPI, GICV5_PPI_CNTV, irqflags,
+ GICV5_PPI, GICV5_PPI_CNTHP, irqflags,
+ GICV5_PPI, GICV5_PPI_CNTHV, irqflags);
+ } else if (vms->ns_el2_virt_timer_irq) {
qemu_fdt_setprop_cells(ms->fdt, "/timer", "interrupts",
GIC_FDT_IRQ_TYPE_PPI,
INTID_TO_PPI(ARCH_TIMER_S_EL1_IRQ), irqflags,
@@ -700,11 +708,18 @@ static void fdt_add_pmu_nodes(const VirtMachineState *vms)
qemu_fdt_add_subnode(ms->fdt, "/pmu");
if (arm_feature(&armcpu->env, ARM_FEATURE_V8)) {
const char compat[] = "arm,armv8-pmuv3";
+
qemu_fdt_setprop(ms->fdt, "/pmu", "compatible",
compat, sizeof(compat));
- qemu_fdt_setprop_cells(ms->fdt, "/pmu", "interrupts",
- GIC_FDT_IRQ_TYPE_PPI,
- INTID_TO_PPI(VIRTUAL_PMU_IRQ), irqflags);
+ if (vms->gic_version == VIRT_GIC_VERSION_5) {
+ qemu_fdt_setprop_cells(ms->fdt, "/pmu", "interrupts",
+ GICV5_PPI, GICV5_PPI_PMUIRQ, irqflags);
+ } else {
+ qemu_fdt_setprop_cells(ms->fdt, "/pmu", "interrupts",
+ GIC_FDT_IRQ_TYPE_PPI,
+ INTID_TO_PPI(VIRTUAL_PMU_IRQ),
+ irqflags);
+ }
}
}
diff --git a/include/hw/arm/fdt.h b/include/hw/arm/fdt.h
index c3d5015013..da5c9d4a8f 100644
--- a/include/hw/arm/fdt.h
+++ b/include/hw/arm/fdt.h
@@ -20,9 +20,19 @@
#ifndef QEMU_ARM_FDT_H
#define QEMU_ARM_FDT_H
+/*
+ * These are for GICv2/v3/v4 only; GICv5 encodes the interrupt type in
+ * the DTB "interrupts" properties differently, using constants that match
+ * the architectural INTID.Type. In QEMU those are available as the
+ * GICV5_PPI and GICV5_SPI enum values in arm_gicv5_types.h.
+ */
#define GIC_FDT_IRQ_TYPE_SPI 0
#define GIC_FDT_IRQ_TYPE_PPI 1
+/*
+ * The trigger type/level field in the DTB "interrupts" property
+ * has the same encoding for GICv2/v3/v4 and v5.
+ */
#define GIC_FDT_IRQ_FLAGS_EDGE_LO_HI 1
#define GIC_FDT_IRQ_FLAGS_EDGE_HI_LO 2
#define GIC_FDT_IRQ_FLAGS_LEVEL_HI 4
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 62/65] hw/arm/virt: Handle GICv5 in interrupt bindings for PPIs
2026-02-23 17:02 ` [PATCH 62/65] hw/arm/virt: Handle GICv5 in interrupt bindings for PPIs Peter Maydell
@ 2026-03-12 14:28 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-12 14:28 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:02:09 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The GICv5 devicetree binding specifies the "interrupts" property
> differently to GICv2 and GICv3 for PPIs: the first field is the
> architectural INTID.TYPE, and the second is the architectural
> INTID.ID. (The third field defining the level/edge trigger mode has
> the same values for GICv5 as it did for the older GICs.)
>
> In the places in the virt board where we wire up PPIs (the timer and
> the PMU), handle the GICv5:
>
> * use the architectural constant GICV5_PPI for the type
> * use the architected GICv5 PPI numbers for the interrupt sources
> (which differ from the old ones and don't need to be adjusted via
> INTID_TO_PPI())
> * leave the irqflags as-is
>
> Add some commentary in our include/hw/arm/fdt.h file about what the
> the constants defined there are valid for.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 63/65] hw/arm/virt: Use correct interrupt type for GICv5 SPIs in the DTB
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (61 preceding siblings ...)
2026-02-23 17:02 ` [PATCH 62/65] hw/arm/virt: Handle GICv5 in interrupt bindings for PPIs Peter Maydell
@ 2026-02-23 17:02 ` Peter Maydell
2026-03-12 14:29 ` Jonathan Cameron via qemu development
2026-02-23 17:02 ` [PATCH 64/65] hw/arm/virt: Enable GICv5 CPU interface when using GICv5 Peter Maydell
` (2 subsequent siblings)
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:02 UTC (permalink / raw)
To: qemu-arm, qemu-devel
The GICv5 devicetree binding specifies that the "interrupts" property
for devices connected to it should use the architectural INTID.TYPE
values to specify whether the interrupt is an SPI, LPI or PPI. This
is different to the GICv2 and GICv3, so instead of hardcoding the
GIC_FDT_IRQ_TYPE_SPI constant when we create "interrupts" bindings,
create a new function gic_fdt_irq_type_spi() that returns the right
value for the interrupt controller in use.
For SPIs, the INTID.ID and the trigger-mode fields of the
"interrupts" property remain the same for GICv5 and the older GIC
versions.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/arm/virt.c | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 05c92e8482..1b63338196 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -296,6 +296,16 @@ static bool ns_el2_virt_timer_present(void)
arm_feature(env, ARM_FEATURE_EL2) && cpu_isar_feature(aa64_vh, cpu);
}
+/*
+ * The correct value to use in a DTB "interrupts" property for an SPI
+ * depends on the GIC version.
+ */
+static int gic_fdt_irq_type_spi(const VirtMachineState *vms)
+{
+ return vms->gic_version == VIRT_GIC_VERSION_5 ?
+ GICV5_SPI : GIC_FDT_IRQ_TYPE_SPI;
+}
+
static void create_fdt(VirtMachineState *vms)
{
MachineState *ms = MACHINE(vms);
@@ -1185,7 +1195,7 @@ static void create_uart(const VirtMachineState *vms, int uart,
qemu_fdt_setprop_sized_cells(ms->fdt, nodename, "reg",
2, base, 2, size);
qemu_fdt_setprop_cells(ms->fdt, nodename, "interrupts",
- GIC_FDT_IRQ_TYPE_SPI, irq,
+ gic_fdt_irq_type_spi(vms), irq,
GIC_FDT_IRQ_FLAGS_LEVEL_HI);
qemu_fdt_setprop_cells(ms->fdt, nodename, "clocks",
vms->clock_phandle, vms->clock_phandle);
@@ -1227,7 +1237,7 @@ static void create_rtc(const VirtMachineState *vms)
qemu_fdt_setprop_sized_cells(ms->fdt, nodename, "reg",
2, base, 2, size);
qemu_fdt_setprop_cells(ms->fdt, nodename, "interrupts",
- GIC_FDT_IRQ_TYPE_SPI, irq,
+ gic_fdt_irq_type_spi(vms), irq,
GIC_FDT_IRQ_FLAGS_LEVEL_HI);
qemu_fdt_setprop_cell(ms->fdt, nodename, "clocks", vms->clock_phandle);
qemu_fdt_setprop_string(ms->fdt, nodename, "clock-names", "apb_pclk");
@@ -1346,7 +1356,7 @@ static void create_gpio_devices(const VirtMachineState *vms, int gpio,
qemu_fdt_setprop_cell(ms->fdt, nodename, "#gpio-cells", 2);
qemu_fdt_setprop(ms->fdt, nodename, "gpio-controller", NULL, 0);
qemu_fdt_setprop_cells(ms->fdt, nodename, "interrupts",
- GIC_FDT_IRQ_TYPE_SPI, irq,
+ gic_fdt_irq_type_spi(vms), irq,
GIC_FDT_IRQ_FLAGS_LEVEL_HI);
qemu_fdt_setprop_cell(ms->fdt, nodename, "clocks", vms->clock_phandle);
qemu_fdt_setprop_string(ms->fdt, nodename, "clock-names", "apb_pclk");
@@ -1427,7 +1437,7 @@ static void create_virtio_devices(const VirtMachineState *vms)
qemu_fdt_setprop_sized_cells(ms->fdt, nodename, "reg",
2, base, 2, size);
qemu_fdt_setprop_cells(ms->fdt, nodename, "interrupts",
- GIC_FDT_IRQ_TYPE_SPI, irq,
+ gic_fdt_irq_type_spi(vms), irq,
GIC_FDT_IRQ_FLAGS_EDGE_LO_HI);
qemu_fdt_setprop(ms->fdt, nodename, "dma-coherent", NULL, 0);
g_free(nodename);
@@ -1627,10 +1637,11 @@ static void create_pcie_irq_map(const MachineState *ms,
int devfn, pin;
uint32_t full_irq_map[4 * 4 * 10] = { 0 };
uint32_t *irq_map = full_irq_map;
+ const VirtMachineState *vms = VIRT_MACHINE(ms);
for (devfn = 0; devfn <= 0x18; devfn += 0x8) {
for (pin = 0; pin < 4; pin++) {
- int irq_type = GIC_FDT_IRQ_TYPE_SPI;
+ int irq_type = gic_fdt_irq_type_spi(vms);
int irq_nr = first_irq + ((pin + PCI_SLOT(devfn)) % PCI_NUM_PINS);
int irq_level = GIC_FDT_IRQ_FLAGS_LEVEL_HI;
int i;
@@ -1671,10 +1682,10 @@ static void create_smmuv3_dt_bindings(const VirtMachineState *vms, hwaddr base,
qemu_fdt_setprop_sized_cells(ms->fdt, node, "reg", 2, base, 2, size);
qemu_fdt_setprop_cells(ms->fdt, node, "interrupts",
- GIC_FDT_IRQ_TYPE_SPI, irq , GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
- GIC_FDT_IRQ_TYPE_SPI, irq + 1, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
- GIC_FDT_IRQ_TYPE_SPI, irq + 2, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
- GIC_FDT_IRQ_TYPE_SPI, irq + 3, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI);
+ gic_fdt_irq_type_spi(vms), irq , GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
+ gic_fdt_irq_type_spi(vms), irq + 1, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
+ gic_fdt_irq_type_spi(vms), irq + 2, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
+ gic_fdt_irq_type_spi(vms), irq + 3, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI);
qemu_fdt_setprop(ms->fdt, node, "interrupt-names", irq_names,
sizeof(irq_names));
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 63/65] hw/arm/virt: Use correct interrupt type for GICv5 SPIs in the DTB
2026-02-23 17:02 ` [PATCH 63/65] hw/arm/virt: Use correct interrupt type for GICv5 SPIs in the DTB Peter Maydell
@ 2026-03-12 14:29 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-12 14:29 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:02:10 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The GICv5 devicetree binding specifies that the "interrupts" property
> for devices connected to it should use the architectural INTID.TYPE
> values to specify whether the interrupt is an SPI, LPI or PPI. This
> is different to the GICv2 and GICv3, so instead of hardcoding the
> GIC_FDT_IRQ_TYPE_SPI constant when we create "interrupts" bindings,
> create a new function gic_fdt_irq_type_spi() that returns the right
> value for the interrupt controller in use.
>
> For SPIs, the INTID.ID and the trigger-mode fields of the
> "interrupts" property remain the same for GICv5 and the older GIC
> versions.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
^ permalink raw reply [flat|nested] 142+ messages in thread
* [PATCH 64/65] hw/arm/virt: Enable GICv5 CPU interface when using GICv5
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (62 preceding siblings ...)
2026-02-23 17:02 ` [PATCH 63/65] hw/arm/virt: Use correct interrupt type for GICv5 SPIs in the DTB Peter Maydell
@ 2026-02-23 17:02 ` Peter Maydell
2026-03-12 14:32 ` Jonathan Cameron via qemu development
2026-02-23 17:02 ` [PATCH 65/65] hw/arm/virt: Allow user to select GICv5 Peter Maydell
2026-02-23 17:24 ` [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:02 UTC (permalink / raw)
To: qemu-arm, qemu-devel
If we are using the GICv5 in the virt board, we need to set the
has_gcie property on the CPU objects to tell them to implement the
cpu interface part of GICv5.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/arm/virt.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 1b63338196..1c684b59b4 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -2677,6 +2677,14 @@ static void machvirt_init(MachineState *machine)
object_property_set_bool(cpuobj, "lpa2", false, NULL);
}
+ if (vms->gic_version == VIRT_GIC_VERSION_5) {
+ if (!object_property_find(cpuobj, "has_gcie")) {
+ error_report("Using GICv5 but guest CPU does not support it");
+ exit(1);
+ }
+ object_property_set_bool(cpuobj, "has_gcie", true, NULL);
+ }
+
if (object_property_find(cpuobj, "reset-cbar")) {
object_property_set_int(cpuobj, "reset-cbar",
vms->memmap[VIRT_CPUPERIPHS].base,
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* [PATCH 65/65] hw/arm/virt: Allow user to select GICv5
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (63 preceding siblings ...)
2026-02-23 17:02 ` [PATCH 64/65] hw/arm/virt: Enable GICv5 CPU interface when using GICv5 Peter Maydell
@ 2026-02-23 17:02 ` Peter Maydell
2026-03-12 14:36 ` Jonathan Cameron via qemu development
2026-02-23 17:24 ` [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
65 siblings, 1 reply; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:02 UTC (permalink / raw)
To: qemu-arm, qemu-devel
Allow the user to select a GICv5 via '-machine gic-version=x-5', and
document this. The 'x-' prefix indicates that the emulation is still
in an "experimental" state as far as QEMU is concerned; the
documentation describes what "experimental" means for the user and
what parts are not yet implemented.
We do not make 'gic-version=max' enable GICv5 here because:
* the GICv5 architectural spec is still at the EAC level and
could have minor changes between now and its final version;
only users who specifically want to start working with the
GICv5 should select it
* QEMU's implementation here is still not fully featured,
and selecting it instead of GICv3 will mean losing
functionality such as MSIs
* the GICv5 is not backwards compatible with the GICv3/GICv4
for system software, so silently "upgrading" an existing
command line to GICv5 is just going to break existing guest
kernels
The last one in particular suggests that even when the emulation
moves out of "experimental" status we will probably not want to
change "max".
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
docs/system/arm/virt.rst | 19 +++++++++++++++++++
hw/arm/virt.c | 11 ++++++++---
2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst
index f8148b5dcf..e38c567279 100644
--- a/docs/system/arm/virt.rst
+++ b/docs/system/arm/virt.rst
@@ -161,6 +161,25 @@ gic-version
GICv3. This allows up to 512 CPUs.
``4``
GICv4. Requires ``virtualization`` to be ``on``; allows up to 317 CPUs.
+ ``x-5``
+ GICv5 (experimental). This is an experimental emulation of the GICv5,
+ based on the EAC release of the GICv5 architecture specification.
+ Experimental means:
+
+ - guest-visible behaviour may change when the final version of
+ the specification is released and QEMU implements it
+ - migration support is not yet implemented
+ - the GICv5 is not exposed to the guest via ACPI tables, only via DTB
+ - the way the interrupt controller is exposed to the guest and the
+ command line syntax for enabling it may change
+
+ The current implementation supports only an EL1 guest (no EL2 or
+ EL3 and no Realm support), and does not implement the ITS (no
+ MSI support).
+
+ Note that as the GICv5 is an Armv9 feature, enabling it will
+ automatically disable support for AArch32 at all exception levels
+ except for EL0 (userspace).
``host``
Use the same GIC version the host provides, when using KVM
``max``
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 1c684b59b4..ca95cc9f73 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -3195,6 +3195,9 @@ static char *virt_get_gic_version(Object *obj, Error **errp)
const char *val;
switch (vms->gic_version) {
+ case VIRT_GIC_VERSION_5:
+ val = "x-5";
+ break;
case VIRT_GIC_VERSION_4:
val = "4";
break;
@@ -3212,7 +3215,9 @@ static void virt_set_gic_version(Object *obj, const char *value, Error **errp)
{
VirtMachineState *vms = VIRT_MACHINE(obj);
- if (!strcmp(value, "4")) {
+ if (!strcmp(value, "x-5")) {
+ vms->gic_version = VIRT_GIC_VERSION_5;
+ } else if (!strcmp(value, "4")) {
vms->gic_version = VIRT_GIC_VERSION_4;
} else if (!strcmp(value, "3")) {
vms->gic_version = VIRT_GIC_VERSION_3;
@@ -3224,7 +3229,7 @@ static void virt_set_gic_version(Object *obj, const char *value, Error **errp)
vms->gic_version = VIRT_GIC_VERSION_MAX; /* Will probe later */
} else {
error_setg(errp, "Invalid gic-version value");
- error_append_hint(errp, "Valid values are 2, 3, 4, host, and max.\n");
+ error_append_hint(errp, "Valid values are 2, 3, 4, x-5, host, and max.\n");
}
}
@@ -3792,7 +3797,7 @@ static void virt_machine_class_init(ObjectClass *oc, const void *data)
virt_set_gic_version);
object_class_property_set_description(oc, "gic-version",
"Set GIC version. "
- "Valid values are 2, 3, 4, host and max");
+ "Valid values are 2, 3, 4, x-5, host and max");
object_class_property_add_str(oc, "iommu", virt_get_iommu, virt_set_iommu);
object_class_property_set_description(oc, "iommu",
--
2.43.0
^ permalink raw reply related [flat|nested] 142+ messages in thread* Re: [PATCH 65/65] hw/arm/virt: Allow user to select GICv5
2026-02-23 17:02 ` [PATCH 65/65] hw/arm/virt: Allow user to select GICv5 Peter Maydell
@ 2026-03-12 14:36 ` Jonathan Cameron via qemu development
0 siblings, 0 replies; 142+ messages in thread
From: Jonathan Cameron via qemu development @ 2026-03-12 14:36 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 17:02:12 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> Allow the user to select a GICv5 via '-machine gic-version=x-5', and
> document this. The 'x-' prefix indicates that the emulation is still
> in an "experimental" state as far as QEMU is concerned; the
> documentation describes what "experimental" means for the user and
> what parts are not yet implemented.
>
> We do not make 'gic-version=max' enable GICv5 here because:
>
> * the GICv5 architectural spec is still at the EAC level and
> could have minor changes between now and its final version;
> only users who specifically want to start working with the
> GICv5 should select it
> * QEMU's implementation here is still not fully featured,
> and selecting it instead of GICv3 will mean losing
> functionality such as MSIs
> * the GICv5 is not backwards compatible with the GICv3/GICv4
> for system software, so silently "upgrading" an existing
> command line to GICv5 is just going to break existing guest
> kernels
>
> The last one in particular suggests that even when the emulation
> moves out of "experimental" status we will probably not want to
> change "max".
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Nice start, looking forward to the ITS, ACPI bit and hopefully
eventually IWB as all useful for testing purposes.
Thanks,
Jonathan
^ permalink raw reply [flat|nested] 142+ messages in thread
* Re: [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller
2026-02-23 17:01 [PATCH 00/65] arm: Implement an emulation of GICv5 interrupt controller Peter Maydell
` (64 preceding siblings ...)
2026-02-23 17:02 ` [PATCH 65/65] hw/arm/virt: Allow user to select GICv5 Peter Maydell
@ 2026-02-23 17:24 ` Peter Maydell
65 siblings, 0 replies; 142+ messages in thread
From: Peter Maydell @ 2026-02-23 17:24 UTC (permalink / raw)
To: qemu-arm, qemu-devel
On Mon, 23 Feb 2026 at 17:02, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> This patchset implements initial support of emulation of Arm's new
> interrupt controller architecture, GICv5.
...forgot to mention, but if you prefer a git tree you can find one at
https://gitlab.com/pm215/qemu/-/tree/gicv5-v1
-- PMM
^ permalink raw reply [flat|nested] 142+ messages in thread