[PATCH v2 00/18] Implements RISC-V WorldGuard extension v0.4

[PATCH v2 00/18] Implements RISC-V WorldGuard extension v0.4

[Jim Shu]

This patchset implements Smwg/Smwgd/Sswg CPU extension and wgChecker
device defined in WorldGuard spec v0.4.

The WG v0.4 spec could be found here:
https://lists.riscv.org/g/security/attachment/711/0/worldguard_rvia_spec-v0.4.pdf

To enable WG in QEMU, pass "wg=on" as machine parameter to virt machine.
It enables both WG CPU CSRs to apply WID of CPU and wgCheckers on
the DRAM, FLASH, and UART to protect these resources.

This patchset contains 5 parts:

1. Commit  1 ~ 2: Bugfix of IOMMUMemoryRegion
2. Commit  3 ~ 4: Extend IOMMUMemoryRegion and MemTxAttr for WG support
3. Commit  5 ~ 13: Add WG global device and CPU extensions
4. Commit 14 ~ 17: Add WG checker device
5. Commit 18: Add WG support to the virt machine

QEMU code can be found at [1]

[1] https://github.com/cwshu/qemu/tree/riscv-wg-v2

Changed since v1:
- Remove the assertion of 4k sections limitation. Remove
  iotlb_to_section() and rename 'xlat_section' to 'xlat'.
- Fix RST issue and typo in virt machine doc

Changed since RFCv1:
- Rebase to latest QEMU (v10.0.0-rc3)
- Add the description of HW config and CPU option of WG in the
  virt machine documentation
- Expose CPU options of WG after WG CPU code has been implemented
- Change 'mwid' and 'mwidlist' options to experimental options
- Change 'world_id' to unsigned int type + bit field.

Jim Shu (18):
  accel/tcg: Store section pointer in CPUTLBEntryFull
  system/physmem: Remove the assertion of page-aligned section number
  accel/tcg: memory access from CPU will pass access_type to IOMMU
  exec: Add RISC-V WorldGuard WID to MemTxAttrs
  hw/misc: riscv_worldguard: Add RISC-V WorldGuard global config
  target/riscv: Add CPU options of WorldGuard CPU extension
  target/riscv: Add hard-coded CPU state of WG extension
  target/riscv: Add defines for WorldGuard CSRs
  target/riscv: Allow global WG config to set WG CPU callbacks
  target/riscv: Implement WorldGuard CSRs
  target/riscv: Add WID to MemTxAttrs of CPU memory transactions
  target/riscv: Expose CPU options of WorldGuard
  hw/misc: riscv_worldguard: Add API to enable WG extension of CPU
  hw/misc: riscv_wgchecker: Implement RISC-V WorldGuard Checker
  hw/misc: riscv_wgchecker: Implement wgchecker slot registers
  hw/misc: riscv_wgchecker: Implement correct block-access behavior
  hw/misc: riscv_wgchecker: Check the slot settings in translate
  hw/riscv: virt: Add WorldGuard support

 accel/tcg/cputlb.c                   |   49 +-
 docs/system/riscv/virt.rst           |   20 +
 hw/misc/Kconfig                      |    3 +
 hw/misc/meson.build                  |    1 +
 hw/misc/riscv_wgchecker.c            | 1160 ++++++++++++++++++++++++++
 hw/misc/riscv_worldguard.c           |  272 ++++++
 hw/misc/trace-events                 |    9 +
 hw/riscv/Kconfig                     |    1 +
 hw/riscv/virt.c                      |  163 +++-
 include/exec/cputlb.h                |   13 +-
 include/exec/exec-all.h              |   18 +-
 include/exec/memattrs.h              |    8 +-
 include/hw/core/cpu.h                |   12 +-
 include/hw/misc/riscv_worldguard.h   |  123 +++
 include/hw/riscv/virt.h              |   15 +-
 system/physmem.c                     |   39 +-
 target/alpha/helper.c                |    2 +-
 target/avr/helper.c                  |    2 +-
 target/hppa/mem_helper.c             |    1 -
 target/i386/tcg/system/excp_helper.c |    3 +-
 target/loongarch/tcg/tlb_helper.c    |    2 +-
 target/m68k/helper.c                 |   10 +-
 target/microblaze/helper.c           |    8 +-
 target/mips/tcg/system/tlb_helper.c  |    4 +-
 target/openrisc/mmu.c                |    2 +-
 target/ppc/mmu_helper.c              |    2 +-
 target/riscv/cpu.c                   |   17 +-
 target/riscv/cpu.h                   |   12 +
 target/riscv/cpu_bits.h              |    5 +
 target/riscv/cpu_cfg.h               |    5 +
 target/riscv/cpu_helper.c            |   69 +-
 target/riscv/csr.c                   |  107 +++
 target/riscv/tcg/tcg-cpu.c           |   11 +
 target/rx/cpu.c                      |    3 +-
 target/s390x/tcg/excp_helper.c       |    2 +-
 target/sh4/helper.c                  |    2 +-
 target/sparc/mmu_helper.c            |    6 +-
 target/tricore/helper.c              |    2 +-
 target/xtensa/helper.c               |    3 +-
 39 files changed, 2074 insertions(+), 112 deletions(-)
 create mode 100644 hw/misc/riscv_wgchecker.c
 create mode 100644 hw/misc/riscv_worldguard.c
 create mode 100644 include/hw/misc/riscv_worldguard.h

-- 
2.17.1

[PATCH v2 01/18] accel/tcg: Store section pointer in CPUTLBEntryFull

[Jim Shu]

To fix the bug of iotlb_to_section(), store complete MemoryRegionSection
pointer in CPUTLBEntryFull to replace the section_index in xlat_section.
Rename 'xlat_section' to 'xlat' as we remove last 12 bits section_index
inside. Remove iotlb_to_section() as we directly use section pointer in
the CPUTLBEntryFull (full->section).

iotlb_to_section() bug description:
'CPUTLBEntryFull.xlat_section' stores section_index in last 12 bits to
find the correct section when CPU access the IO region over the IOTLB.
However, section_index is only unique inside single AddressSpace. If
address space translation is over IOMMUMemoryRegion, it could return
section from other AddressSpace. 'iotlb_to_section()' API only finds the
sections from CPU's AddressSpace so that it couldn't find section in
other AddressSpace. Thus, using 'iotlb_to_section()' API will find the
wrong section and QEMU will have wrong load/store access.

This bug occurs only when
(1) IOMMUMemoryRegion is in the path of CPU access.
(2) IOMMUMemoryRegion returns different target_as and the section is in
the IO region.

Common IOMMU devices don't have this issue since they are only in the
path of DMA access. Currently, the bug only occurs when ARM MPC device
(hw/misc/tz-mpc.c) returns 'blocked_io_as' to emulate blocked access
handling. Upcoming RISC-V wgChecker device is also affected by this bug.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 accel/tcg/cputlb.c      | 32 +++++++++++++++-----------------
 include/exec/cputlb.h   |  2 +-
 include/exec/exec-all.h | 15 ---------------
 include/hw/core/cpu.h   | 12 +++++++-----
 system/physmem.c        | 17 -----------------
 5 files changed, 23 insertions(+), 55 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index fb22048876..d51bfc19c1 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -1085,7 +1085,7 @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx,
         }
     } else {
         /* I/O or ROMD */
-        iotlb = memory_region_section_get_iotlb(cpu, section) + xlat;
+        iotlb = xlat;
         /*
          * Writes to romd devices must go through MMIO to enable write.
          * Reads to romd devices go through the ram_ptr found above,
@@ -1136,10 +1136,9 @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx,
     /*
      * When memory region is ram, iotlb contains a TARGET_PAGE_BITS
      * aligned ram_addr_t of the page base of the target RAM.
-     * Otherwise, iotlb contains
-     *  - a physical section number in the lower TARGET_PAGE_BITS
-     *  - the offset within section->mr of the page base (I/O, ROMD) with the
-     *    TARGET_PAGE_BITS masked off.
+     * Otherwise, iotlb contains a TARGET_PAGE_BITS aligned
+     * offset within section->mr of the page base (I/O, ROMD)
+     *
      * We subtract addr_page (which is page aligned and thus won't
      * disturb the low bits) to give an offset which can be added to the
      * (non-page-aligned) vaddr of the eventual memory access to get
@@ -1149,7 +1148,8 @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx,
      */
     desc->fulltlb[index] = *full;
     full = &desc->fulltlb[index];
-    full->xlat_section = iotlb - addr_page;
+    full->xlat = iotlb - addr_page;
+    full->section = section;
     full->phys_addr = paddr_page;
 
     /* Now calculate the new entry */
@@ -1265,14 +1265,14 @@ static inline void cpu_unaligned_access(CPUState *cpu, vaddr addr,
 }
 
 static MemoryRegionSection *
-io_prepare(hwaddr *out_offset, CPUState *cpu, hwaddr xlat,
+io_prepare(hwaddr *out_offset, CPUState *cpu, CPUTLBEntryFull *full,
            MemTxAttrs attrs, vaddr addr, uintptr_t retaddr)
 {
     MemoryRegionSection *section;
     hwaddr mr_offset;
 
-    section = iotlb_to_section(cpu, xlat, attrs);
-    mr_offset = (xlat & TARGET_PAGE_MASK) + addr;
+    section = full->section;
+    mr_offset = full->xlat + addr;
     cpu->mem_io_pc = retaddr;
     if (!cpu->neg.can_do_io) {
         cpu_io_recompile(cpu, retaddr);
@@ -1331,7 +1331,7 @@ static bool victim_tlb_hit(CPUState *cpu, size_t mmu_idx, size_t index,
 static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
                            CPUTLBEntryFull *full, uintptr_t retaddr)
 {
-    ram_addr_t ram_addr = mem_vaddr + full->xlat_section;
+    ram_addr_t ram_addr = mem_vaddr + full->xlat;
 
     trace_memory_notdirty_write_access(mem_vaddr, ram_addr, size);
 
@@ -1588,9 +1588,7 @@ bool tlb_plugin_lookup(CPUState *cpu, vaddr addr, int mmu_idx,
 
     /* We must have an iotlb entry for MMIO */
     if (tlb_addr & TLB_MMIO) {
-        MemoryRegionSection *section =
-            iotlb_to_section(cpu, full->xlat_section & ~TARGET_PAGE_MASK,
-                             full->attrs);
+        MemoryRegionSection *section = full->section;
         data->is_io = true;
         data->mr = section->mr;
     } else {
@@ -1980,7 +1978,7 @@ static uint64_t do_ld_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full,
     tcg_debug_assert(size > 0 && size <= 8);
 
     attrs = full->attrs;
-    section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra);
+    section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra);
     mr = section->mr;
 
     BQL_LOCK_GUARD();
@@ -2001,7 +1999,7 @@ static Int128 do_ld16_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full,
     tcg_debug_assert(size > 8 && size <= 16);
 
     attrs = full->attrs;
-    section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra);
+    section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra);
     mr = section->mr;
 
     BQL_LOCK_GUARD();
@@ -2521,7 +2519,7 @@ static uint64_t do_st_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full,
     tcg_debug_assert(size > 0 && size <= 8);
 
     attrs = full->attrs;
-    section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra);
+    section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra);
     mr = section->mr;
 
     BQL_LOCK_GUARD();
@@ -2541,7 +2539,7 @@ static uint64_t do_st16_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full,
     tcg_debug_assert(size > 8 && size <= 16);
 
     attrs = full->attrs;
-    section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra);
+    section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra);
     mr = section->mr;
 
     BQL_LOCK_GUARD();
diff --git a/include/exec/cputlb.h b/include/exec/cputlb.h
index 8125f6809c..fea0474cf6 100644
--- a/include/exec/cputlb.h
+++ b/include/exec/cputlb.h
@@ -43,7 +43,7 @@ void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length);
  * @full: the details of the tlb entry
  *
  * Add an entry to @cpu tlb index @mmu_idx.  All of the fields of
- * @full must be filled, except for xlat_section, and constitute
+ * @full must be filled, except for xlat, and constitute
  * the complete description of the translated page.
  *
  * This is generally called by the target tlb_fill function after
diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index dd5c40f223..46be330d99 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -178,21 +178,6 @@ void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr);
 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t last);
 void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr);
 
-#if !defined(CONFIG_USER_ONLY)
-
-/**
- * iotlb_to_section:
- * @cpu: CPU performing the access
- * @index: TCG CPU IOTLB entry
- *
- * Given a TCG CPU IOTLB entry, return the MemoryRegionSection that
- * it refers to. @index will have been initially created and returned
- * by memory_region_section_get_iotlb().
- */
-struct MemoryRegionSection *iotlb_to_section(CPUState *cpu,
-                                             hwaddr index, MemTxAttrs attrs);
-#endif
-
 /**
  * get_page_addr_code_hostp()
  * @env: CPUArchState
diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index abd8764e83..da9011e2c5 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -208,15 +208,17 @@ struct CPUClass {
  */
 struct CPUTLBEntryFull {
     /*
-     * @xlat_section contains:
-     *  - in the lower TARGET_PAGE_BITS, a physical section number
-     *  - with the lower TARGET_PAGE_BITS masked off, an offset which
-     *    must be added to the virtual address to obtain:
+     * @xlat contains:
+     *  - a TARGET_PAGE_BITS aligned offset which must be added to
+     *    the virtual address to obtain:
      *     + the ram_addr_t of the target RAM (if the physical section
      *       number is PHYS_SECTION_NOTDIRTY or PHYS_SECTION_ROM)
      *     + the offset within the target MemoryRegion (otherwise)
      */
-    hwaddr xlat_section;
+    hwaddr xlat;
+
+    /* @section contains physical section. */
+    MemoryRegionSection *section;
 
     /*
      * @phys_addr contains the physical address in the address space
diff --git a/system/physmem.c b/system/physmem.c
index 333a5eb94d..70a6dd1962 100644
--- a/system/physmem.c
+++ b/system/physmem.c
@@ -2668,23 +2668,6 @@ static uint16_t dummy_section(PhysPageMap *map, FlatView *fv, MemoryRegion *mr)
     return phys_section_add(map, &section);
 }
 
-MemoryRegionSection *iotlb_to_section(CPUState *cpu,
-                                      hwaddr index, MemTxAttrs attrs)
-{
-    int asidx = cpu_asidx_from_attrs(cpu, attrs);
-    CPUAddressSpace *cpuas = &cpu->cpu_ases[asidx];
-    AddressSpaceDispatch *d = cpuas->memory_dispatch;
-    int section_index = index & ~TARGET_PAGE_MASK;
-    MemoryRegionSection *ret;
-
-    assert(section_index < d->map.sections_nb);
-    ret = d->map.sections + section_index;
-    assert(ret->mr);
-    assert(ret->mr->ops);
-
-    return ret;
-}
-
 static void io_mem_init(void)
 {
     memory_region_init_io(&io_mem_unassigned, NULL, &unassigned_mem_ops, NULL,
-- 
2.17.1

[PATCH v2 02/18] system/physmem: Remove the assertion of page-aligned section number

[Jim Shu]

The physical section number is no longer ORed into the IOTLB entries
together with a page-aligned pointer, so it no longer needs to be
page-aligned.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 system/physmem.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/system/physmem.c b/system/physmem.c
index 70a6dd1962..da58d5c8ae 100644
--- a/system/physmem.c
+++ b/system/physmem.c
@@ -1016,12 +1016,6 @@ static subpage_t *subpage_init(FlatView *fv, hwaddr base);
 static uint16_t phys_section_add(PhysPageMap *map,
                                  MemoryRegionSection *section)
 {
-    /* The physical section number is ORed with a page-aligned
-     * pointer to produce the iotlb entries.  Thus it should
-     * never overflow into the page-aligned value.
-     */
-    assert(map->sections_nb < TARGET_PAGE_SIZE);
-
     if (map->sections_nb == map->sections_nb_alloc) {
         map->sections_nb_alloc = MAX(map->sections_nb_alloc * 2, 16);
         map->sections = g_renew(MemoryRegionSection, map->sections,
-- 
2.17.1

[PATCH v2 03/18] accel/tcg: memory access from CPU will pass access_type to IOMMU

[Jim Shu]

It is the preparation patch for upcoming RISC-V wgChecker device.

Since RISC-V wgChecker could permit access in RO/WO permission, the
IOMMUMemoryRegion could return different section for read & write
access. The memory access from CPU should also pass the access_type to
IOMMU translate function so that IOMMU could return the correct section
of specified access_type.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 accel/tcg/cputlb.c                   | 17 ++++++++++-------
 include/exec/cputlb.h                | 11 +++++++----
 include/exec/exec-all.h              |  3 ++-
 system/physmem.c                     | 16 +++++++++++-----
 target/alpha/helper.c                |  2 +-
 target/avr/helper.c                  |  2 +-
 target/hppa/mem_helper.c             |  1 -
 target/i386/tcg/system/excp_helper.c |  3 ++-
 target/loongarch/tcg/tlb_helper.c    |  2 +-
 target/m68k/helper.c                 | 10 +++++++---
 target/microblaze/helper.c           |  8 ++++----
 target/mips/tcg/system/tlb_helper.c  |  4 ++--
 target/openrisc/mmu.c                |  2 +-
 target/ppc/mmu_helper.c              |  2 +-
 target/riscv/cpu_helper.c            |  2 +-
 target/rx/cpu.c                      |  3 ++-
 target/s390x/tcg/excp_helper.c       |  2 +-
 target/sh4/helper.c                  |  2 +-
 target/sparc/mmu_helper.c            |  6 +++---
 target/tricore/helper.c              |  2 +-
 target/xtensa/helper.c               |  3 ++-
 21 files changed, 61 insertions(+), 42 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index d51bfc19c1..9396024e75 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -1017,7 +1017,8 @@ static inline void tlb_set_compare(CPUTLBEntryFull *full, CPUTLBEntry *ent,
  * critical section.
  */
 void tlb_set_page_full(CPUState *cpu, int mmu_idx,
-                       vaddr addr, CPUTLBEntryFull *full)
+                       vaddr addr, MMUAccessType access_type,
+                       CPUTLBEntryFull *full)
 {
     CPUTLB *tlb = &cpu->neg.tlb;
     CPUTLBDesc *desc = &tlb->d[mmu_idx];
@@ -1044,7 +1045,8 @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx,
     prot = full->prot;
     asidx = cpu_asidx_from_attrs(cpu, full->attrs);
     section = address_space_translate_for_iotlb(cpu, asidx, paddr_page,
-                                                &xlat, &sz, full->attrs, &prot);
+                                                &xlat, &sz, full->attrs, &prot,
+                                                access_type);
     assert(sz >= TARGET_PAGE_SIZE);
 
     tlb_debug("vaddr=%016" VADDR_PRIx " paddr=0x" HWADDR_FMT_plx
@@ -1180,7 +1182,8 @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx,
 
 void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr,
                              hwaddr paddr, MemTxAttrs attrs, int prot,
-                             int mmu_idx, vaddr size)
+                             MMUAccessType access_type, int mmu_idx,
+                             vaddr size)
 {
     CPUTLBEntryFull full = {
         .phys_addr = paddr,
@@ -1190,15 +1193,15 @@ void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr,
     };
 
     assert(is_power_of_2(size));
-    tlb_set_page_full(cpu, mmu_idx, addr, &full);
+    tlb_set_page_full(cpu, mmu_idx, addr, access_type, &full);
 }
 
 void tlb_set_page(CPUState *cpu, vaddr addr,
-                  hwaddr paddr, int prot,
+                  hwaddr paddr, int prot, MMUAccessType access_type,
                   int mmu_idx, vaddr size)
 {
     tlb_set_page_with_attrs(cpu, addr, paddr, MEMTXATTRS_UNSPECIFIED,
-                            prot, mmu_idx, size);
+                            prot, access_type, mmu_idx, size);
 }
 
 /**
@@ -1240,7 +1243,7 @@ static bool tlb_fill_align(CPUState *cpu, vaddr addr, MMUAccessType type,
     if (ops->tlb_fill_align) {
         if (ops->tlb_fill_align(cpu, &full, addr, type, mmu_idx,
                                 memop, size, probe, ra)) {
-            tlb_set_page_full(cpu, mmu_idx, addr, &full);
+            tlb_set_page_full(cpu, mmu_idx, addr, type, &full);
             return true;
         }
     } else {
diff --git a/include/exec/cputlb.h b/include/exec/cputlb.h
index fea0474cf6..4ea67e8a96 100644
--- a/include/exec/cputlb.h
+++ b/include/exec/cputlb.h
@@ -40,6 +40,7 @@ void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length);
  * @cpu: CPU context
  * @mmu_idx: mmu index of the tlb to modify
  * @addr: virtual address of the entry to add
+ * @access_type: access was read/write/execute
  * @full: the details of the tlb entry
  *
  * Add an entry to @cpu tlb index @mmu_idx.  All of the fields of
@@ -55,6 +56,7 @@ void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length);
  * used by tlb_flush_page.
  */
 void tlb_set_page_full(CPUState *cpu, int mmu_idx, vaddr addr,
+                       MMUAccessType access_type,
                        CPUTLBEntryFull *full);
 
 /**
@@ -64,6 +66,7 @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx, vaddr addr,
  * @paddr: physical address of the page
  * @attrs: memory transaction attributes
  * @prot: access permissions (PAGE_READ/PAGE_WRITE/PAGE_EXEC bits)
+ * @access_type: access was read/write/execute
  * @mmu_idx: MMU index to insert TLB entry for
  * @size: size of the page in bytes
  *
@@ -80,9 +83,9 @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx, vaddr addr,
  * used by tlb_flush_page.
  */
 void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr,
-                             hwaddr paddr, MemTxAttrs attrs,
-                             int prot, int mmu_idx, vaddr size);
-
+                             hwaddr paddr, MemTxAttrs attrs, int prot,
+                             MMUAccessType access_type, int mmu_idx,
+                             vaddr size);
 /**
  * tlb_set_page:
  *
@@ -91,7 +94,7 @@ void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr,
  * as a convenience for CPUs which don't use memory transaction attributes.
  */
 void tlb_set_page(CPUState *cpu, vaddr addr,
-                  hwaddr paddr, int prot,
+                  hwaddr paddr, int prot, MMUAccessType access_type,
                   int mmu_idx, vaddr size);
 
 #if defined(CONFIG_TCG) && !defined(CONFIG_USER_ONLY)
diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index 46be330d99..63bec1446c 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -217,7 +217,8 @@ static inline tb_page_addr_t get_page_addr_code(CPUArchState *env,
 MemoryRegionSection *
 address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
                                   hwaddr *xlat, hwaddr *plen,
-                                  MemTxAttrs attrs, int *prot);
+                                  MemTxAttrs attrs, int *prot,
+                                  MMUAccessType access_type);
 hwaddr memory_region_section_get_iotlb(CPUState *cpu,
                                        MemoryRegionSection *section);
 #endif
diff --git a/system/physmem.c b/system/physmem.c
index da58d5c8ae..fc04725096 100644
--- a/system/physmem.c
+++ b/system/physmem.c
@@ -681,12 +681,14 @@ void tcg_iommu_init_notifier_list(CPUState *cpu)
 MemoryRegionSection *
 address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
                                   hwaddr *xlat, hwaddr *plen,
-                                  MemTxAttrs attrs, int *prot)
+                                  MemTxAttrs attrs, int *prot,
+                                  MMUAccessType access_type)
 {
     MemoryRegionSection *section;
     IOMMUMemoryRegion *iommu_mr;
     IOMMUMemoryRegionClass *imrc;
     IOMMUTLBEntry iotlb;
+    IOMMUAccessFlags iommu_flags;
     int iommu_idx;
     hwaddr addr = orig_addr;
     AddressSpaceDispatch *d = cpu->cpu_ases[asidx].memory_dispatch;
@@ -703,10 +705,14 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
 
         iommu_idx = imrc->attrs_to_index(iommu_mr, attrs);
         tcg_register_iommu_notifier(cpu, iommu_mr, iommu_idx);
-        /* We need all the permissions, so pass IOMMU_NONE so the IOMMU
-         * doesn't short-cut its translation table walk.
-         */
-        iotlb = imrc->translate(iommu_mr, addr, IOMMU_NONE, iommu_idx);
+
+        if (access_type == MMU_DATA_STORE) {
+            iommu_flags = IOMMU_WO;
+        } else {
+            iommu_flags = IOMMU_RO;
+        }
+
+        iotlb = imrc->translate(iommu_mr, addr, iommu_flags, iommu_idx);
         addr = ((iotlb.translated_addr & ~iotlb.addr_mask)
                 | (addr & iotlb.addr_mask));
         /* Update the caller's prot bits to remove permissions the IOMMU
diff --git a/target/alpha/helper.c b/target/alpha/helper.c
index 57cefcba14..e16dcde3ac 100644
--- a/target/alpha/helper.c
+++ b/target/alpha/helper.c
@@ -318,7 +318,7 @@ bool alpha_cpu_tlb_fill(CPUState *cs, vaddr addr, int size,
     }
 
     tlb_set_page(cs, addr & TARGET_PAGE_MASK, phys & TARGET_PAGE_MASK,
-                 prot, mmu_idx, TARGET_PAGE_SIZE);
+                 prot, access_type, mmu_idx, TARGET_PAGE_SIZE);
     return true;
 }
 
diff --git a/target/avr/helper.c b/target/avr/helper.c
index 3412312ad5..05a89b3614 100644
--- a/target/avr/helper.c
+++ b/target/avr/helper.c
@@ -149,7 +149,7 @@ bool avr_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
         }
     }
 
-    tlb_set_page(cs, address, paddr, prot, mmu_idx, page_size);
+    tlb_set_page(cs, address, paddr, prot, access_type, mmu_idx, page_size);
     return true;
 }
 
diff --git a/target/hppa/mem_helper.c b/target/hppa/mem_helper.c
index fb1d93ef1f..4f0982a2c1 100644
--- a/target/hppa/mem_helper.c
+++ b/target/hppa/mem_helper.c
@@ -473,7 +473,6 @@ bool hppa_cpu_tlb_fill_align(CPUState *cs, CPUTLBEntryFull *out, vaddr addr,
     out->prot = prot;
     out->attrs = MEMTXATTRS_UNSPECIFIED;
     out->lg_page_size = TARGET_PAGE_BITS;
-
     return true;
 }
 
diff --git a/target/i386/tcg/system/excp_helper.c b/target/i386/tcg/system/excp_helper.c
index 6876329de2..831e178927 100644
--- a/target/i386/tcg/system/excp_helper.c
+++ b/target/i386/tcg/system/excp_helper.c
@@ -624,7 +624,8 @@ bool x86_cpu_tlb_fill(CPUState *cs, vaddr addr, int size,
         tlb_set_page_with_attrs(cs, addr & TARGET_PAGE_MASK,
                                 out.paddr & TARGET_PAGE_MASK,
                                 cpu_get_mem_attrs(env),
-                                out.prot, mmu_idx, out.page_size);
+                                out.prot, access_type, mmu_idx,
+                                out.page_size);
         return true;
     }
 
diff --git a/target/loongarch/tcg/tlb_helper.c b/target/loongarch/tcg/tlb_helper.c
index 70d1b5cf99..b57775908d 100644
--- a/target/loongarch/tcg/tlb_helper.c
+++ b/target/loongarch/tcg/tlb_helper.c
@@ -522,7 +522,7 @@ bool loongarch_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
     if (ret == TLBRET_MATCH) {
         tlb_set_page(cs, address & TARGET_PAGE_MASK,
                      physical & TARGET_PAGE_MASK, prot,
-                     mmu_idx, TARGET_PAGE_SIZE);
+                     access_type, mmu_idx, TARGET_PAGE_SIZE);
         qemu_log_mask(CPU_LOG_MMU,
                       "%s address=%" VADDR_PRIx " physical " HWADDR_FMT_plx
                       " prot %d\n", __func__, address, physical, prot);
diff --git a/target/m68k/helper.c b/target/m68k/helper.c
index 0bf574830f..e652c23485 100644
--- a/target/m68k/helper.c
+++ b/target/m68k/helper.c
@@ -969,7 +969,7 @@ bool m68k_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
         tlb_set_page(cs, address & TARGET_PAGE_MASK,
                      address & TARGET_PAGE_MASK,
                      PAGE_READ | PAGE_WRITE | PAGE_EXEC,
-                     mmu_idx, TARGET_PAGE_SIZE);
+                     qemu_access_type, mmu_idx, TARGET_PAGE_SIZE);
         return true;
     }
 
@@ -989,7 +989,8 @@ bool m68k_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
                                address, access_type, &page_size);
     if (likely(ret == 0)) {
         tlb_set_page(cs, address & TARGET_PAGE_MASK,
-                     physical & TARGET_PAGE_MASK, prot, mmu_idx, page_size);
+                     physical & TARGET_PAGE_MASK, prot, qemu_access_type,
+                     mmu_idx, page_size);
         return true;
     }
 
@@ -1461,6 +1462,7 @@ void HELPER(ptest)(CPUM68KState *env, uint32_t addr, uint32_t is_read)
     int prot;
     int ret;
     target_ulong page_size;
+    MMUAccessType qemu_access_type;
 
     access_type = ACCESS_PTEST;
     if (env->dfc & 4) {
@@ -1468,9 +1470,11 @@ void HELPER(ptest)(CPUM68KState *env, uint32_t addr, uint32_t is_read)
     }
     if ((env->dfc & 3) == 2) {
         access_type |= ACCESS_CODE;
+        qemu_access_type = MMU_INST_FETCH;
     }
     if (!is_read) {
         access_type |= ACCESS_STORE;
+        qemu_access_type = MMU_DATA_STORE;
     }
 
     env->mmu.mmusr = 0;
@@ -1480,7 +1484,7 @@ void HELPER(ptest)(CPUM68KState *env, uint32_t addr, uint32_t is_read)
     if (ret == 0) {
         tlb_set_page(env_cpu(env), addr & TARGET_PAGE_MASK,
                      physical & TARGET_PAGE_MASK,
-                     prot, access_type & ACCESS_SUPER ?
+                     prot, qemu_access_type, access_type & ACCESS_SUPER ?
                      MMU_KERNEL_IDX : MMU_USER_IDX, page_size);
     }
 }
diff --git a/target/microblaze/helper.c b/target/microblaze/helper.c
index 27fc929bee..fd8847e71f 100644
--- a/target/microblaze/helper.c
+++ b/target/microblaze/helper.c
@@ -53,8 +53,8 @@ bool mb_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
         /* MMU disabled or not available.  */
         address &= TARGET_PAGE_MASK;
         prot = PAGE_RWX;
-        tlb_set_page_with_attrs(cs, address, address, attrs, prot, mmu_idx,
-                                TARGET_PAGE_SIZE);
+        tlb_set_page_with_attrs(cs, address, address, attrs, prot, access_type,
+                                mmu_idx, TARGET_PAGE_SIZE);
         return true;
     }
 
@@ -65,8 +65,8 @@ bool mb_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
 
         qemu_log_mask(CPU_LOG_MMU, "MMU map mmu=%d v=%x p=%x prot=%x\n",
                       mmu_idx, vaddr, paddr, lu.prot);
-        tlb_set_page_with_attrs(cs, vaddr, paddr, attrs, lu.prot, mmu_idx,
-                                TARGET_PAGE_SIZE);
+        tlb_set_page_with_attrs(cs, vaddr, paddr, attrs, lu.prot, access_type,
+                                mmu_idx, TARGET_PAGE_SIZE);
         return true;
     }
 
diff --git a/target/mips/tcg/system/tlb_helper.c b/target/mips/tcg/system/tlb_helper.c
index df80301a41..172640aef0 100644
--- a/target/mips/tcg/system/tlb_helper.c
+++ b/target/mips/tcg/system/tlb_helper.c
@@ -933,7 +933,7 @@ bool mips_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
     if (ret == TLBRET_MATCH) {
         tlb_set_page(cs, address & TARGET_PAGE_MASK,
                      physical & TARGET_PAGE_MASK, prot,
-                     mmu_idx, TARGET_PAGE_SIZE);
+                     access_type, mmu_idx, TARGET_PAGE_SIZE);
         return true;
     }
 #if !defined(TARGET_MIPS64)
@@ -951,7 +951,7 @@ bool mips_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
             if (ret == TLBRET_MATCH) {
                 tlb_set_page(cs, address & TARGET_PAGE_MASK,
                              physical & TARGET_PAGE_MASK, prot,
-                             mmu_idx, TARGET_PAGE_SIZE);
+                             access_type, mmu_idx, TARGET_PAGE_SIZE);
                 return true;
             }
         }
diff --git a/target/openrisc/mmu.c b/target/openrisc/mmu.c
index 47ac783c52..5248c168b2 100644
--- a/target/openrisc/mmu.c
+++ b/target/openrisc/mmu.c
@@ -128,7 +128,7 @@ bool openrisc_cpu_tlb_fill(CPUState *cs, vaddr addr, int size,
     if (likely(excp == 0)) {
         tlb_set_page(cs, addr & TARGET_PAGE_MASK,
                      phys_addr & TARGET_PAGE_MASK, prot,
-                     mmu_idx, TARGET_PAGE_SIZE);
+                     access_type, mmu_idx, TARGET_PAGE_SIZE);
         return true;
     }
     if (probe) {
diff --git a/target/ppc/mmu_helper.c b/target/ppc/mmu_helper.c
index ad9ba8294c..d0e8f20e11 100644
--- a/target/ppc/mmu_helper.c
+++ b/target/ppc/mmu_helper.c
@@ -1369,7 +1369,7 @@ bool ppc_cpu_tlb_fill(CPUState *cs, vaddr eaddr, int size,
     if (ppc_xlate(cpu, eaddr, access_type, &raddr,
                   &page_size, &prot, mmu_idx, !probe)) {
         tlb_set_page(cs, eaddr & TARGET_PAGE_MASK, raddr & TARGET_PAGE_MASK,
-                     prot, mmu_idx, 1UL << page_size);
+                     prot, access_type, mmu_idx, 1UL << page_size);
         return true;
     }
     if (probe) {
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 6c4391d96b..f4c4b69a3c 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -1967,7 +1967,7 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
 
     if (ret == TRANSLATE_SUCCESS) {
         tlb_set_page(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1),
-                     prot, mmu_idx, tlb_size);
+                     prot, access_type, mmu_idx, tlb_size);
         return true;
     } else if (probe) {
         return false;
diff --git a/target/rx/cpu.c b/target/rx/cpu.c
index 0ba0d55ab5..9d8afa150c 100644
--- a/target/rx/cpu.c
+++ b/target/rx/cpu.c
@@ -182,7 +182,8 @@ static bool rx_cpu_tlb_fill(CPUState *cs, vaddr addr, int size,
     /* Linear mapping */
     address = physical = addr & TARGET_PAGE_MASK;
     prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
-    tlb_set_page(cs, address, physical, prot, mmu_idx, TARGET_PAGE_SIZE);
+    tlb_set_page(cs, address, physical, prot, access_type,
+                 mmu_idx, TARGET_PAGE_SIZE);
     return true;
 }
 
diff --git a/target/s390x/tcg/excp_helper.c b/target/s390x/tcg/excp_helper.c
index f969850f87..ec6d4076e8 100644
--- a/target/s390x/tcg/excp_helper.c
+++ b/target/s390x/tcg/excp_helper.c
@@ -179,7 +179,7 @@ bool s390_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
                       "%s: set tlb %" PRIx64 " -> %" PRIx64 " (%x)\n",
                       __func__, (uint64_t)vaddr, (uint64_t)raddr, prot);
         tlb_set_page(cs, address & TARGET_PAGE_MASK, raddr, prot,
-                     mmu_idx, TARGET_PAGE_SIZE);
+                     access_type, mmu_idx, TARGET_PAGE_SIZE);
         return true;
     }
     if (probe) {
diff --git a/target/sh4/helper.c b/target/sh4/helper.c
index 7567e6c8b6..7531f6d933 100644
--- a/target/sh4/helper.c
+++ b/target/sh4/helper.c
@@ -808,7 +808,7 @@ bool superh_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
     if (ret == MMU_OK) {
         address &= TARGET_PAGE_MASK;
         physical &= TARGET_PAGE_MASK;
-        tlb_set_page(cs, address, physical, prot, mmu_idx, TARGET_PAGE_SIZE);
+        tlb_set_page(cs, address, physical, prot, access_type, mmu_idx, TARGET_PAGE_SIZE);
         return true;
     }
     if (probe) {
diff --git a/target/sparc/mmu_helper.c b/target/sparc/mmu_helper.c
index 3821cd91ec..08dd73b210 100644
--- a/target/sparc/mmu_helper.c
+++ b/target/sparc/mmu_helper.c
@@ -229,7 +229,7 @@ bool sparc_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
                       "Translate at %" VADDR_PRIx " -> "
                       HWADDR_FMT_plx ", vaddr " TARGET_FMT_lx "\n",
                       address, full.phys_addr, vaddr);
-        tlb_set_page_full(cs, mmu_idx, vaddr, &full);
+        tlb_set_page_full(cs, mmu_idx, vaddr, access_type, &full);
         return true;
     }
 
@@ -245,7 +245,7 @@ bool sparc_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
            neverland. Fake/overridden mappings will be flushed when
            switching to normal mode. */
         full.prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
-        tlb_set_page_full(cs, mmu_idx, vaddr, &full);
+        tlb_set_page_full(cs, mmu_idx, vaddr, access_type, &full);
         return true;
     } else {
         if (access_type == MMU_INST_FETCH) {
@@ -769,7 +769,7 @@ bool sparc_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
         trace_mmu_helper_mmu_fault(address, full.phys_addr, mmu_idx, env->tl,
                                    env->dmmu.mmu_primary_context,
                                    env->dmmu.mmu_secondary_context);
-        tlb_set_page_full(cs, mmu_idx, address, &full);
+        tlb_set_page_full(cs, mmu_idx, address, access_type, &full);
         return true;
     }
     if (probe) {
diff --git a/target/tricore/helper.c b/target/tricore/helper.c
index a64412e6bd..4a4688f109 100644
--- a/target/tricore/helper.c
+++ b/target/tricore/helper.c
@@ -84,7 +84,7 @@ bool tricore_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
     if (ret == TLBRET_MATCH) {
         tlb_set_page(cs, address & TARGET_PAGE_MASK,
                      physical & TARGET_PAGE_MASK, prot | PAGE_EXEC,
-                     mmu_idx, TARGET_PAGE_SIZE);
+                     rw, mmu_idx, TARGET_PAGE_SIZE);
         return true;
     } else {
         assert(ret < 0);
diff --git a/target/xtensa/helper.c b/target/xtensa/helper.c
index 4824b97e37..5d5d69a811 100644
--- a/target/xtensa/helper.c
+++ b/target/xtensa/helper.c
@@ -281,7 +281,8 @@ bool xtensa_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
         tlb_set_page(cs,
                      address & TARGET_PAGE_MASK,
                      paddr & TARGET_PAGE_MASK,
-                     access, mmu_idx, page_size);
+                     access, access_type, mmu_idx,
+                     page_size);
         return true;
     } else if (probe) {
         return false;
-- 
2.17.1

[PATCH v2 04/18] exec: Add RISC-V WorldGuard WID to MemTxAttrs

[Jim Shu]

RISC-V WorldGuard will add 5-bit world_id (WID) to the each memory
transaction on the bus. The wgChecker in front of RAM or peripherals
MMIO could do the access control based on the WID. It is similar to ARM
TrustZone NS bit, but the WID is 5-bit.

The common implementation of WID is AXI4 AxUSER signal.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 include/exec/memattrs.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
index 8db1d30464..7a6866fa41 100644
--- a/include/exec/memattrs.h
+++ b/include/exec/memattrs.h
@@ -54,6 +54,11 @@ typedef struct MemTxAttrs {
      */
     unsigned int pid:8;
 
+    /*
+     * RISC-V WorldGuard: the 5-bit WID field of memory access.
+     */
+    unsigned int world_id:5;
+
     /*
      * Bus masters which don't specify any attributes will get this
      * (via the MEMTXATTRS_UNSPECIFIED constant), so that we can
@@ -63,8 +68,7 @@ typedef struct MemTxAttrs {
      */
     bool unspecified;
 
-    uint8_t _reserved1;
-    uint16_t _reserved2;
+    uint16_t _reserved1;
 } MemTxAttrs;
 
 QEMU_BUILD_BUG_ON(sizeof(MemTxAttrs) > 8);
-- 
2.17.1

[PATCH v2 05/18] hw/misc: riscv_worldguard: Add RISC-V WorldGuard global config

[Jim Shu]

Add a device for RISCV WG global config, which contains the number of
worlds, reset value, and trusted WID ... etc.

This global config is used by both CPU WG extension and wgChecker devices.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 hw/misc/Kconfig                    |   3 +
 hw/misc/meson.build                |   1 +
 hw/misc/riscv_worldguard.c         | 182 +++++++++++++++++++++++++++++
 include/hw/misc/riscv_worldguard.h |  55 +++++++++
 4 files changed, 241 insertions(+)
 create mode 100644 hw/misc/riscv_worldguard.c
 create mode 100644 include/hw/misc/riscv_worldguard.h

diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig
index ec0fa5aa9f..7677c0e962 100644
--- a/hw/misc/Kconfig
+++ b/hw/misc/Kconfig
@@ -222,4 +222,7 @@ config IOSB
 config XLNX_VERSAL_TRNG
     bool
 
+config RISCV_WORLDGUARD
+    bool
+
 source macio/Kconfig
diff --git a/hw/misc/meson.build b/hw/misc/meson.build
index 6d47de482c..3d2f4bb6a3 100644
--- a/hw/misc/meson.build
+++ b/hw/misc/meson.build
@@ -34,6 +34,7 @@ system_ss.add(when: 'CONFIG_SIFIVE_E_PRCI', if_true: files('sifive_e_prci.c'))
 system_ss.add(when: 'CONFIG_SIFIVE_E_AON', if_true: files('sifive_e_aon.c'))
 system_ss.add(when: 'CONFIG_SIFIVE_U_OTP', if_true: files('sifive_u_otp.c'))
 system_ss.add(when: 'CONFIG_SIFIVE_U_PRCI', if_true: files('sifive_u_prci.c'))
+specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c'))
 
 subdir('macio')
 
diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c
new file mode 100644
index 0000000000..b02bd28d02
--- /dev/null
+++ b/hw/misc/riscv_worldguard.c
@@ -0,0 +1,182 @@
+/*
+ * RISC-V WorldGuard Device
+ *
+ * Copyright (c) 2022 SiFive, Inc.
+ *
+ * This provides WorldGuard global config.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qemu/log.h"
+#include "exec/hwaddr.h"
+#include "hw/registerfields.h"
+#include "hw/sysbus.h"
+#include "hw/hw.h"
+#include "hw/qdev-properties.h"
+#include "hw/misc/riscv_worldguard.h"
+#include "hw/core/cpu.h"
+#include "target/riscv/cpu.h"
+#include "trace.h"
+
+/*
+ * WorldGuard global config:
+ * List the global setting of WG, like num-of-worlds. It is unique in the machine.
+ * All CPUs with WG extension and wgChecker devices will use it.
+ */
+struct RISCVWorldGuardState *worldguard_config = NULL;
+
+static Property riscv_worldguard_properties[] = {
+    DEFINE_PROP_UINT32("nworlds", RISCVWorldGuardState, nworlds, 0),
+
+    /* Only Trusted WID could access wgCheckers if it is enabled. */
+    DEFINE_PROP_UINT32("trustedwid", RISCVWorldGuardState, trustedwid, NO_TRUSTEDWID),
+
+    /*
+     * WG reset value is bypass mode in HW. All WG permission checkings are
+     * pass by default, so SW could correctly run on the machine w/o any WG
+     * programming.
+     */
+    DEFINE_PROP_BOOL("hw-bypass", RISCVWorldGuardState, hw_bypass, false),
+
+    /*
+     * TrustZone compatible mode:
+     * This mode is only supported in 2 worlds system. It converts WorldGuard
+     * WID to TZ NS signal on the bus so WG could be cooperated with
+     * TZ components. In QEMU, it converts WID to 'MemTxAttrs.secure' bit used
+     * by TZ.
+     */
+    DEFINE_PROP_BOOL("tz-compat", RISCVWorldGuardState, tz_compat, false),
+};
+
+/* WID to MemTxAttrs converter */
+static void wid_to_mem_attrs(MemTxAttrs *attrs, uint32_t wid)
+{
+    g_assert(wid < worldguard_config->nworlds);
+
+    attrs->unspecified = 0;
+    if (worldguard_config->tz_compat) {
+        attrs->secure = wid;
+    } else {
+        attrs->world_id = wid;
+    }
+}
+
+/* MemTxAttrs to WID converter */
+uint32_t mem_attrs_to_wid(MemTxAttrs attrs)
+{
+    if (attrs.unspecified) {
+        if (worldguard_config->trustedwid != NO_TRUSTEDWID) {
+            return worldguard_config->trustedwid;
+        } else {
+            return worldguard_config->nworlds - 1;
+        }
+    }
+
+    if (worldguard_config->tz_compat) {
+        return attrs.secure;
+    } else {
+        return attrs.world_id;
+    }
+}
+
+bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock)
+{
+    uint32_t wid = mem_attrs_to_wid(attrs);
+    uint32_t trustedwid = worldguard_config->trustedwid;
+
+    if ((trustedwid == NO_TRUSTEDWID) || (wid == trustedwid)) {
+        return true;
+    } else {
+        /*
+         * Only Trusted WID could access WG blocks if having it.
+         * Access them from other WIDs will get failed.
+         */
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Invalid access to %s from non-trusted WID %d\n",
+                      __func__, wgblock, wid);
+
+        return false;
+    }
+}
+
+static void riscv_worldguard_realize(DeviceState *dev, Error **errp)
+{
+    RISCVWorldGuardState *s = RISCV_WORLDGUARD(dev);
+
+    if (worldguard_config != NULL) {
+        error_setg(errp, "Couldn't realize multiple global WorldGuard configs.");
+        return;
+    }
+
+    if ((s->nworlds) & (s->nworlds - 1)) {
+        error_setg(errp, "Current implementation only support power-of-2 NWorld.");
+        return;
+    }
+
+    if ((s->trustedwid != NO_TRUSTEDWID) && (s->trustedwid >= s->nworlds)) {
+        error_setg(errp, "Trusted WID must be less than the number of world.");
+        return;
+    }
+
+    if ((s->nworlds != 2) && (s->tz_compat)) {
+        error_setg(errp, "Only 2 worlds system could use TrustZone compatible mode.");
+        return;
+    }
+
+    /* Register WG global config */
+    worldguard_config = s;
+
+    /* Initialize global data for wgChecker */
+    wgc_slot_perm_mask = MAKE_64BIT_MASK(0, 2 * worldguard_config->nworlds);
+}
+
+static void riscv_worldguard_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    device_class_set_props(dc, riscv_worldguard_properties);
+    dc->user_creatable = true;
+    dc->realize = riscv_worldguard_realize;
+}
+
+static const TypeInfo riscv_worldguard_info = {
+    .name          = TYPE_RISCV_WORLDGUARD,
+    .parent        = TYPE_DEVICE,
+    .instance_size = sizeof(RISCVWorldGuardState),
+    .class_init    = riscv_worldguard_class_init,
+};
+
+/*
+ * Create WorldGuard global config
+ */
+DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid,
+                                     bool hw_bypass, bool tz_compat)
+{
+    DeviceState *dev = qdev_new(TYPE_RISCV_WORLDGUARD);
+    qdev_prop_set_uint32(dev, "nworlds", nworlds);
+    qdev_prop_set_uint32(dev, "trustedwid", trustedwid);
+    qdev_prop_set_bit(dev, "hw-bypass", hw_bypass);
+    qdev_prop_set_bit(dev, "tz-compat", tz_compat);
+    qdev_realize(DEVICE(dev), NULL, &error_fatal);
+    return dev;
+}
+
+static void riscv_worldguard_register_types(void)
+{
+    type_register_static(&riscv_worldguard_info);
+}
+
+type_init(riscv_worldguard_register_types)
diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h
new file mode 100644
index 0000000000..8a533a0517
--- /dev/null
+++ b/include/hw/misc/riscv_worldguard.h
@@ -0,0 +1,55 @@
+/*
+ * RISC-V WorldGuard Devices
+ *
+ * Copyright (c) 2022 RISCV, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef HW_RISCV_WORLDGUARD_H
+#define HW_RISCV_WORLDGUARD_H
+
+#include "qom/object.h"
+#include "hw/sysbus.h"
+#include "exec/hwaddr.h"
+
+#define TYPE_RISCV_WORLDGUARD "riscv.worldguard"
+
+#define NO_TRUSTEDWID           UINT32_MAX
+
+typedef struct RISCVWorldGuardState RISCVWorldGuardState;
+DECLARE_INSTANCE_CHECKER(RISCVWorldGuardState, RISCV_WORLDGUARD,
+                         TYPE_RISCV_WORLDGUARD)
+
+struct RISCVWorldGuardState {
+    /*< private >*/
+    DeviceState parent_obj;
+
+    /*< public >*/
+
+    /* Property */
+    uint32_t nworlds;
+    uint32_t trustedwid;
+    bool hw_bypass;
+    bool tz_compat;
+};
+
+extern struct RISCVWorldGuardState *worldguard_config;
+
+DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid,
+                                     bool hw_bypass, bool tz_compat);
+
+uint32_t mem_attrs_to_wid(MemTxAttrs attrs);
+bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock);
+
+#endif
-- 
2.17.1

[PATCH v2 06/18] target/riscv: Add CPU options of WorldGuard CPU extension

[Jim Shu]

We define CPU options for WG CSR support in RISC-V CPUs which
can be set by machine/device emulation. The RISC-V CSR emulation
will also check this feature for emulating WG CSRs.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 target/riscv/cpu.c         |  3 +++
 target/riscv/cpu_cfg.h     |  3 +++
 target/riscv/tcg/tcg-cpu.c | 11 +++++++++++
 3 files changed, 17 insertions(+)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index 09ded6829a..a182e8c61f 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -236,6 +236,9 @@ const RISCVIsaExtData isa_edata_arr[] = {
     ISA_EXT_DATA_ENTRY(xtheadmempair, PRIV_VERSION_1_11_0, ext_xtheadmempair),
     ISA_EXT_DATA_ENTRY(xtheadsync, PRIV_VERSION_1_11_0, ext_xtheadsync),
     ISA_EXT_DATA_ENTRY(xventanacondops, PRIV_VERSION_1_12_0, ext_XVentanaCondOps),
+    ISA_EXT_DATA_ENTRY(smwg, PRIV_VERSION_1_12_0, ext_smwg),
+    ISA_EXT_DATA_ENTRY(smwgd, PRIV_VERSION_1_12_0, ext_smwgd),
+    ISA_EXT_DATA_ENTRY(sswg, PRIV_VERSION_1_12_0, ext_sswg),
 
     { },
 };
diff --git a/target/riscv/cpu_cfg.h b/target/riscv/cpu_cfg.h
index 8a843482cc..a5b045aa2f 100644
--- a/target/riscv/cpu_cfg.h
+++ b/target/riscv/cpu_cfg.h
@@ -143,6 +143,9 @@ struct RISCVCPUConfig {
     bool ext_smmpm;
     bool ext_sspm;
     bool ext_supm;
+    bool ext_smwg;
+    bool ext_smwgd;
+    bool ext_sswg;
     bool rvv_ta_all_1s;
     bool rvv_ma_all_1s;
     bool rvv_vl_half_avl;
diff --git a/target/riscv/tcg/tcg-cpu.c b/target/riscv/tcg/tcg-cpu.c
index 5aef9eef36..343e46e698 100644
--- a/target/riscv/tcg/tcg-cpu.c
+++ b/target/riscv/tcg/tcg-cpu.c
@@ -694,6 +694,17 @@ void riscv_cpu_validate_set_extensions(RISCVCPU *cpu, Error **errp)
         cpu->cfg.ext_ssctr = false;
     }
 
+    /* RISC-V WorldGuard */
+    if (cpu->cfg.ext_sswg && !cpu->cfg.ext_smwg) {
+        error_setg(errp, "Sswg extension requires Smwg extension");
+        return;
+    }
+
+    if (cpu->cfg.ext_smwgd != cpu->cfg.ext_sswg) {
+        error_setg(errp, "Smwgd/Sswg extensions should be enabled together");
+        return;
+    }
+
     /*
      * Disable isa extensions based on priv spec after we
      * validated and set everything we need.
-- 
2.17.1

[PATCH v2 07/18] target/riscv: Add hard-coded CPU state of WG extension

[Jim Shu]

Add hard-coded state of WG extension. 'mwid' is the M-mode WID of CPU.
'mwidlist' is the list of allowed WID value of 'mlwid' CSR.

These CPU states can be set by CPU option, or can be set by machine code
via newly added APIs. If we want different WG configs of CPUs, we should
set it by machine code.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 target/riscv/cpu.h        |  2 ++
 target/riscv/cpu_cfg.h    |  2 ++
 target/riscv/cpu_helper.c | 18 ++++++++++++++++++
 3 files changed, 22 insertions(+)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 51e49e03de..ac50928b57 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -613,6 +613,8 @@ void riscv_cpu_set_aia_ireg_rmw_fn(CPURISCVState *env, uint32_t priv,
                                    void *rmw_fn_arg);
 
 RISCVException smstateen_acc_ok(CPURISCVState *env, int index, uint64_t bit);
+void riscv_cpu_set_wg_mwid(CPURISCVState *env, uint32_t mwid);
+void riscv_cpu_set_wg_mwidlist(CPURISCVState *env, uint32_t mwidlist);
 #endif /* !CONFIG_USER_ONLY */
 
 void riscv_cpu_set_mode(CPURISCVState *env, target_ulong newpriv, bool virt_en);
diff --git a/target/riscv/cpu_cfg.h b/target/riscv/cpu_cfg.h
index a5b045aa2f..86b6240989 100644
--- a/target/riscv/cpu_cfg.h
+++ b/target/riscv/cpu_cfg.h
@@ -196,6 +196,8 @@ struct RISCVCPUConfig {
     bool pmp;
     bool debug;
     bool misa_w;
+    uint32_t mwid;
+    uint32_t mwidlist;
 
     bool short_isa_string;
 
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index f4c4b69a3c..2c3a0d903b 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -231,6 +231,24 @@ void cpu_get_tb_cpu_state(CPURISCVState *env, vaddr *pc,
     *pflags = flags;
 }
 
+#ifndef CONFIG_USER_ONLY
+void riscv_cpu_set_wg_mwid(CPURISCVState *env, uint32_t mwid)
+{
+    CPUState *cs = env_cpu(env);
+    RISCVCPU *cpu = RISCV_CPU(cs);
+
+    cpu->cfg.mwid = mwid;
+}
+
+void riscv_cpu_set_wg_mwidlist(CPURISCVState *env, uint32_t mwidlist)
+{
+    CPUState *cs = env_cpu(env);
+    RISCVCPU *cpu = RISCV_CPU(cs);
+
+    cpu->cfg.mwidlist = mwidlist;
+}
+#endif /* CONFIG_USER_ONLY */
+
 RISCVPmPmm riscv_pm_get_pmm(CPURISCVState *env)
 {
 #ifndef CONFIG_USER_ONLY
-- 
2.17.1

[PATCH v2 08/18] target/riscv: Add defines for WorldGuard CSRs

[Jim Shu]

Add CSRs for 3 WG extensions: Smwg, Smwgd, and Sswg.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 target/riscv/cpu_bits.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
index a30317c617..7705c6995e 100644
--- a/target/riscv/cpu_bits.h
+++ b/target/riscv/cpu_bits.h
@@ -408,6 +408,11 @@
 #define CSR_DPC             0x7b1
 #define CSR_DSCRATCH        0x7b2
 
+/* RISC-V WorldGuard */
+#define CSR_MLWID           0x390
+#define CSR_SLWID           0x190
+#define CSR_MWIDDELEG       0x748
+
 /* Performance Counters */
 #define CSR_MHPMCOUNTER3    0xb03
 #define CSR_MHPMCOUNTER4    0xb04
-- 
2.17.1

[PATCH v2 09/18] target/riscv: Allow global WG config to set WG CPU callbacks

[Jim Shu]

Some WG CPU functions depend on global WG config (like num-of-world), so
we let the global WG config device to set callbacks of a RISC-V HART.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 target/riscv/cpu.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index ac50928b57..6dfc260a07 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -500,6 +500,10 @@ struct CPUArchState {
     target_ulong rnmip;
     uint64_t rnmi_irqvec;
     uint64_t rnmi_excpvec;
+
+    /* machine specific WorldGuard callback */
+    void (*wg_reset)(CPURISCVState *env);
+    void (*wid_to_mem_attrs)(MemTxAttrs *attrs, uint32_t wid);
 };
 
 /*
-- 
2.17.1

[PATCH v2 10/18] target/riscv: Implement WorldGuard CSRs

[Jim Shu]

The WG v0.4 specification adds 3 CSRs to configure S/U/HS/VS-mode WIDs
of CPUs in the higher privileged modes.

The Smwg extension at least requires a RISC-V HART to have M/U-mode, and
the Sswg/Smwgd extension at least requires a RISC-V HART to have
M/S/U-mode.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 target/riscv/cpu.c |   4 ++
 target/riscv/cpu.h |   5 +++
 target/riscv/csr.c | 107 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 116 insertions(+)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index a182e8c61f..1dbeac0509 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -1141,6 +1141,10 @@ static void riscv_cpu_reset_hold(Object *obj, ResetType type)
         env->mnstatus = set_field(env->mnstatus, MNSTATUS_NMIE, false);
     }
 
+    if (riscv_cpu_cfg(env)->ext_smwg && env->wg_reset) {
+        env->wg_reset(env);
+    }
+
     if (kvm_enabled()) {
         kvm_riscv_reset_vcpu(cpu);
     }
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 6dfc260a07..7bffe62f70 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -501,6 +501,11 @@ struct CPUArchState {
     uint64_t rnmi_irqvec;
     uint64_t rnmi_excpvec;
 
+    /* RISC-V WorldGuard */
+    target_ulong mlwid;
+    target_ulong slwid;
+    target_ulong mwiddeleg;
+
     /* machine specific WorldGuard callback */
     void (*wg_reset)(CPURISCVState *env);
     void (*wid_to_mem_attrs)(MemTxAttrs *attrs, uint32_t wid);
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index 7948188356..614df37d00 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -5388,6 +5388,109 @@ static int write_mnstatus(CPURISCVState *env, int csrno, target_ulong val)
     return RISCV_EXCP_NONE;
 }
 
+/* RISC-V Worldguard */
+static RISCVException worldguard_umode(CPURISCVState *env, int csrno)
+{
+    if (!riscv_cpu_cfg(env)->ext_smwg) {
+        return RISCV_EXCP_ILLEGAL_INST;
+    }
+
+    return umode(env, csrno);
+}
+
+static RISCVException worldguard_sumode(CPURISCVState *env, int csrno)
+{
+    RISCVException ret;
+
+    if (!riscv_cpu_cfg(env)->ext_sswg) {
+        return RISCV_EXCP_ILLEGAL_INST;
+    }
+
+    ret = smode(env, csrno);
+
+    if (ret != RISCV_EXCP_NONE) {
+        return ret;
+    }
+
+    return umode(env, csrno);
+}
+
+static RISCVException rmw_mlwid(CPURISCVState *env, int csrno,
+                                target_ulong *ret_val,
+                                target_ulong new_val, target_ulong wr_mask)
+{
+    CPUState *cs = env_cpu(env);
+    RISCVCPU *cpu = RISCV_CPU(cs);
+    target_ulong new_mlwid = (env->mlwid & ~wr_mask) | (new_val & wr_mask);
+
+    if (ret_val) {
+        *ret_val = env->mlwid;
+    }
+
+    g_assert(cpu->cfg.mwidlist);
+    if (!(BIT(new_mlwid) & cpu->cfg.mwidlist)) {
+        /* Set WID to lowest legal value if writing illegal value (WARL) */
+        new_mlwid = find_first_bit((unsigned long *)&cpu->cfg.mwidlist, 32);
+    }
+
+    if (env->mlwid != new_mlwid) {
+        env->mlwid = new_mlwid;
+        tlb_flush(cs);
+    }
+
+    return RISCV_EXCP_NONE;
+}
+
+static RISCVException rmw_slwid(CPURISCVState *env, int csrno,
+                                target_ulong *ret_val,
+                                target_ulong new_val, target_ulong wr_mask)
+{
+    target_ulong new_slwid = (env->slwid & ~wr_mask) | (new_val & wr_mask);
+
+    if (!env->mwiddeleg) {
+        /*
+         * When mwiddeleg CSR is zero, access to slwid raises an illegal
+         * instruction exception.
+         */
+        return RISCV_EXCP_ILLEGAL_INST;
+    }
+
+    if (ret_val) {
+        *ret_val = env->slwid;
+    }
+
+    if (!(BIT(new_slwid) & env->mwiddeleg)) {
+        /* Set WID to lowest legal value if writing illegal value (WARL) */
+        new_slwid = find_first_bit(
+            (unsigned long *)&env->mwiddeleg, TARGET_LONG_BITS);
+    }
+
+    if (env->slwid != new_slwid) {
+        env->slwid = new_slwid;
+        tlb_flush(env_cpu(env));
+    }
+
+    return RISCV_EXCP_NONE;
+}
+
+static RISCVException rmw_mwiddeleg(CPURISCVState *env, int csrno,
+                                    target_ulong *ret_val,
+                                    target_ulong new_val, target_ulong wr_mask)
+{
+    CPUState *cs = env_cpu(env);
+    RISCVCPU *cpu = RISCV_CPU(cs);
+
+    if (ret_val) {
+        *ret_val = env->mwiddeleg;
+    }
+
+    env->mwiddeleg = (env->mwiddeleg & ~wr_mask) | (new_val & wr_mask);
+
+    /* Core wgMarker can only have WID value in mwidlist. */
+    env->mwiddeleg &= cpu->cfg.mwidlist;
+
+    return RISCV_EXCP_NONE;
+}
 #endif
 
 /* Crypto Extension */
@@ -6465,5 +6568,9 @@ riscv_csr_operations csr_ops[CSR_TABLE_SIZE] = {
     [CSR_SCOUNTOVF]      = { "scountovf", sscofpmf,  read_scountovf,
                              .min_priv_ver = PRIV_VERSION_1_12_0 },
 
+    /* RISC-V WorldGuard */
+    [CSR_MLWID]     = { "mlwid",     worldguard_umode,  NULL, NULL, rmw_mlwid },
+    [CSR_SLWID]     = { "slwid",     worldguard_sumode, NULL, NULL, rmw_slwid },
+    [CSR_MWIDDELEG] = { "mwiddeleg", worldguard_sumode, NULL, NULL, rmw_mwiddeleg },
 #endif /* !CONFIG_USER_ONLY */
 };
-- 
2.17.1

[PATCH v2 11/18] target/riscv: Add WID to MemTxAttrs of CPU memory transactions

[Jim Shu]

When a RISC-V HART has WG extension, their memory transactions will
contain WID. Support MemTxAttrs in RISC-V target and add WID inside if
a HART has WG extension.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 target/riscv/cpu.c        |  2 +-
 target/riscv/cpu.h        |  1 +
 target/riscv/cpu_helper.c | 51 ++++++++++++++++++++++++++++++++++++---
 3 files changed, 50 insertions(+), 4 deletions(-)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index 1dbeac0509..1aba6dd853 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -3035,7 +3035,7 @@ static int64_t riscv_get_arch_id(CPUState *cs)
 
 static const struct SysemuCPUOps riscv_sysemu_ops = {
     .has_work = riscv_cpu_has_work,
-    .get_phys_page_debug = riscv_cpu_get_phys_page_debug,
+    .get_phys_page_attrs_debug = riscv_cpu_get_phys_page_attrs_debug,
     .write_elf64_note = riscv_cpu_write_elf64_note,
     .write_elf32_note = riscv_cpu_write_elf32_note,
     .legacy_vmsd = &vmstate_riscv_cpu,
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 7bffe62f70..1fdeee7708 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -584,6 +584,7 @@ int riscv_env_mmu_index(CPURISCVState *env, bool ifetch);
 bool cpu_get_fcfien(CPURISCVState *env);
 bool cpu_get_bcfien(CPURISCVState *env);
 bool riscv_env_smode_dbltrp_enabled(CPURISCVState *env, bool virt);
+hwaddr riscv_cpu_get_phys_page_attrs_debug(CPUState *cpu, vaddr addr, MemTxAttrs *attrs);
 G_NORETURN void  riscv_cpu_do_unaligned_access(CPUState *cs, vaddr addr,
                                                MMUAccessType access_type,
                                                int mmu_idx, uintptr_t retaddr);
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 2c3a0d903b..944a5b7ee1 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -232,6 +232,34 @@ void cpu_get_tb_cpu_state(CPURISCVState *env, vaddr *pc,
 }
 
 #ifndef CONFIG_USER_ONLY
+static uint32_t riscv_cpu_wg_get_wid(CPURISCVState *env, int mode)
+{
+    CPUState *cs = env_cpu(env);
+    RISCVCPU *cpu = RISCV_CPU(cs);
+    bool virt = env->virt_enabled;
+
+    if (mode == PRV_M) {
+        return cpu->cfg.mwid;
+    } else if (mode == PRV_S) {
+        if (!virt || !env->mwiddeleg) {
+            /* HS-mode, S-mode w/o RVH, or VS-mode but mwiddeleg = 0 */
+            return env->mlwid;
+        } else {
+            /* VS-mode */
+            return env->slwid;
+        }
+    } else if (mode == PRV_U) {
+        if (!riscv_has_ext(env, RVS) || !env->mwiddeleg) {
+            /* M/U mode CPU or mwiddeleg = 0 */
+            return env->mlwid;
+        } else {
+            return env->slwid;
+        }
+    }
+
+    return cpu->cfg.mwid;
+}
+
 void riscv_cpu_set_wg_mwid(CPURISCVState *env, uint32_t mwid)
 {
     CPUState *cs = env_cpu(env);
@@ -1768,13 +1796,22 @@ static void raise_mmu_exception(CPURISCVState *env, target_ulong address,
     env->two_stage_indirect_lookup = two_stage_indirect;
 }
 
-hwaddr riscv_cpu_get_phys_page_debug(CPUState *cs, vaddr addr)
+hwaddr riscv_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr, MemTxAttrs *attrs)
 {
     RISCVCPU *cpu = RISCV_CPU(cs);
     CPURISCVState *env = &cpu->env;
     hwaddr phys_addr;
     int prot;
     int mmu_idx = riscv_env_mmu_index(&cpu->env, false);
+    int mode = mmuidx_priv(mmu_idx);
+    uint32_t wid;
+
+    if (riscv_cpu_cfg(env)->ext_smwg && env->wid_to_mem_attrs) {
+        wid = riscv_cpu_wg_get_wid(env, mode);
+        env->wid_to_mem_attrs(attrs, wid);
+    } else {
+        *attrs = MEMTXATTRS_UNSPECIFIED;
+    }
 
     if (get_physical_address(env, &phys_addr, &prot, addr, NULL, 0, mmu_idx,
                              true, env->virt_enabled, true, false)) {
@@ -1886,12 +1923,20 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
     int mode = mmuidx_priv(mmu_idx);
     /* default TLB page size */
     hwaddr tlb_size = TARGET_PAGE_SIZE;
+    uint32_t wid;
+    MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
 
     env->guest_phys_fault_addr = 0;
 
     qemu_log_mask(CPU_LOG_MMU, "%s ad %" VADDR_PRIx " rw %d mmu_idx %d\n",
                   __func__, address, access_type, mmu_idx);
 
+    if (riscv_cpu_cfg(env)->ext_smwg && env->wid_to_mem_attrs) {
+        mode = mmuidx_priv(mmu_idx);
+        wid = riscv_cpu_wg_get_wid(env, mode);
+        env->wid_to_mem_attrs(&attrs, wid);
+    }
+
     pmu_tlb_fill_incr_ctr(cpu, access_type);
     if (two_stage_lookup) {
         /* Two stage lookup */
@@ -1984,8 +2029,8 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
     }
 
     if (ret == TRANSLATE_SUCCESS) {
-        tlb_set_page(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1),
-                     prot, access_type, mmu_idx, tlb_size);
+        tlb_set_page_with_attrs(cs, address & ~(tlb_size - 1), pa & ~(tlb_size - 1),
+                                attrs, prot, access_type, mmu_idx, tlb_size);
         return true;
     } else if (probe) {
         return false;
-- 
2.17.1

[PATCH v2 12/18] target/riscv: Expose CPU options of WorldGuard

[Jim Shu]

Expose WG CPU extensions (Smwg, Sswg, Smwgd) and WG CPU configs
(mwid, mwidlist).

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 target/riscv/cpu.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index 1aba6dd853..46df970fe3 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -1742,6 +1742,11 @@ const RISCVCPUMultiExtConfig riscv_cpu_vendor_exts[] = {
 const RISCVCPUMultiExtConfig riscv_cpu_experimental_exts[] = {
     MULTI_EXT_CFG_BOOL("x-svukte", ext_svukte, false),
 
+    /* RISC-V WorldGuard v0.4 */
+    MULTI_EXT_CFG_BOOL("x-smwg", ext_smwg, false),
+    MULTI_EXT_CFG_BOOL("x-smwgd", ext_smwgd, false),
+    MULTI_EXT_CFG_BOOL("x-sswg", ext_sswg, false),
+
     { },
 };
 
@@ -2975,6 +2980,9 @@ static const Property riscv_cpu_properties[] = {
      * it with -x and default to 'false'.
      */
     DEFINE_PROP_BOOL("x-misa-w", RISCVCPU, cfg.misa_w, false),
+
+    DEFINE_PROP_UINT32("x-mwid", RISCVCPU, cfg.mwid, UINT32_MAX),
+    DEFINE_PROP_UINT32("x-mwidlist", RISCVCPU, cfg.mwidlist, UINT32_MAX),
 };
 
 #if defined(TARGET_RISCV64)
-- 
2.17.1

[PATCH v2 13/18] hw/misc: riscv_worldguard: Add API to enable WG extension of CPU

[Jim Shu]

riscv_worldguard_apply_cpu() could enable WG CPU extension and set WG
callback to CPUs. It is used by machine code after realizing global WG
device.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 hw/misc/riscv_worldguard.c         | 87 ++++++++++++++++++++++++++++++
 include/hw/misc/riscv_worldguard.h |  1 +
 2 files changed, 88 insertions(+)

diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c
index b02bd28d02..1a910f4cf3 100644
--- a/hw/misc/riscv_worldguard.c
+++ b/hw/misc/riscv_worldguard.c
@@ -92,6 +92,93 @@ uint32_t mem_attrs_to_wid(MemTxAttrs attrs)
     }
 }
 
+static void riscv_cpu_wg_reset(CPURISCVState *env)
+{
+    CPUState *cs = env_cpu(env);
+    RISCVCPU *cpu = RISCV_CPU(cs);
+    uint32_t mlwid, slwid, mwiddeleg;
+    uint32_t trustedwid;
+
+    if (!riscv_cpu_cfg(env)->ext_smwg) {
+        return;
+    }
+
+    if (worldguard_config == NULL) {
+        /*
+         * Note: This reset is dummy now and WG CSRs will be reset again
+         * after worldguard_config is realized.
+         */
+        return;
+    }
+
+    trustedwid = worldguard_config->trustedwid;
+    if (trustedwid == NO_TRUSTEDWID) {
+        trustedwid = worldguard_config->nworlds - 1;
+    }
+
+    /* Reset mlwid, slwid, mwiddeleg CSRs */
+    if (worldguard_config->hw_bypass) {
+        /* HW bypass mode */
+        mlwid = trustedwid;
+    } else {
+        mlwid = 0;
+    }
+    slwid = 0;
+    mwiddeleg = 0;
+
+    env->mlwid = mlwid;
+    if (riscv_cpu_cfg(env)->ext_sswg) {
+        env->slwid = slwid;
+        env->mwiddeleg = mwiddeleg;
+    }
+
+    /* Check mwid, mwidlist config */
+    if (worldguard_config != NULL) {
+        uint32_t valid_widlist = MAKE_64BIT_MASK(0, worldguard_config->nworlds);
+
+        /* CPU use default mwid / mwidlist config if not set */
+        if (cpu->cfg.mwidlist == UINT32_MAX) {
+            /* mwidlist contains all WIDs */
+            cpu->cfg.mwidlist = valid_widlist;
+        }
+        if (cpu->cfg.mwid == UINT32_MAX) {
+            cpu->cfg.mwid = trustedwid;
+        }
+
+        /* Check if mwid/mwidlist HW config is valid in NWorld. */
+        g_assert((cpu->cfg.mwidlist & ~valid_widlist) == 0);
+        g_assert(cpu->cfg.mwid < worldguard_config->nworlds);
+    }
+}
+
+/*
+ * riscv_worldguard_apply_cpu - Enable WG extension of CPU
+ *
+ * Note: This API should be used after global WG device is created
+ * (riscv_worldguard_realize()).
+ */
+void riscv_worldguard_apply_cpu(uint32_t hartid)
+{
+    /* WG global config should exist */
+    g_assert(worldguard_config);
+
+    CPUState *cpu = qemu_get_cpu(hartid);
+    RISCVCPU *rcpu = RISCV_CPU(cpu);
+    CPURISCVState *env = cpu ? cpu_env(cpu) : NULL;
+
+    rcpu->cfg.ext_smwg = true;
+    if (riscv_has_ext(env, RVS) && riscv_has_ext(env, RVU)) {
+        rcpu->cfg.ext_sswg = true;
+    }
+
+    /* Set machine specific WorldGuard callback */
+    env->wg_reset = riscv_cpu_wg_reset;
+    env->wid_to_mem_attrs = wid_to_mem_attrs;
+
+    /* Reset WG CSRs in CPU */
+    env->wg_reset(env);
+}
+
 bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock)
 {
     uint32_t wid = mem_attrs_to_wid(attrs);
diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h
index 8a533a0517..211a72e438 100644
--- a/include/hw/misc/riscv_worldguard.h
+++ b/include/hw/misc/riscv_worldguard.h
@@ -48,6 +48,7 @@ extern struct RISCVWorldGuardState *worldguard_config;
 
 DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid,
                                      bool hw_bypass, bool tz_compat);
+void riscv_worldguard_apply_cpu(uint32_t hartid);
 
 uint32_t mem_attrs_to_wid(MemTxAttrs attrs);
 bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock);
-- 
2.17.1

[PATCH v2 14/18] hw/misc: riscv_wgchecker: Implement RISC-V WorldGuard Checker

[Jim Shu]

Implement the RISC-V WorldGuard Checker, which sits in front of RAM or
device MMIO and allow software to configure it to either pass through or
reject transactions.

We implement the wgChecker as a QEMU IOMMU, which will direct transactions
either through to the devices and memory behind it or to a special
"never works" AddressSpace if they are blocked.

This initial commit implements the skeleton of the device:
 * it always permits accesses
 * it doesn't implement wgChecker's slot registers
 * it doesn't implement the interrupt or other behaviour
   for blocked transactions

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 hw/misc/meson.build                |   2 +-
 hw/misc/riscv_wgchecker.c          | 603 +++++++++++++++++++++++++++++
 hw/misc/trace-events               |   8 +
 include/hw/misc/riscv_worldguard.h |  63 +++
 4 files changed, 675 insertions(+), 1 deletion(-)
 create mode 100644 hw/misc/riscv_wgchecker.c

diff --git a/hw/misc/meson.build b/hw/misc/meson.build
index 3d2f4bb6a3..73c11bc7c9 100644
--- a/hw/misc/meson.build
+++ b/hw/misc/meson.build
@@ -34,7 +34,7 @@ system_ss.add(when: 'CONFIG_SIFIVE_E_PRCI', if_true: files('sifive_e_prci.c'))
 system_ss.add(when: 'CONFIG_SIFIVE_E_AON', if_true: files('sifive_e_aon.c'))
 system_ss.add(when: 'CONFIG_SIFIVE_U_OTP', if_true: files('sifive_u_otp.c'))
 system_ss.add(when: 'CONFIG_SIFIVE_U_PRCI', if_true: files('sifive_u_prci.c'))
-specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c'))
+specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c', 'riscv_wgchecker.c'))
 
 subdir('macio')
 
diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c
new file mode 100644
index 0000000000..ea50f4f53a
--- /dev/null
+++ b/hw/misc/riscv_wgchecker.c
@@ -0,0 +1,603 @@
+/*
+ * RISC-V WorldGuard Checker Device
+ *
+ * Copyright (c) 2022 SiFive, Inc.
+ *
+ * This provides WorldGuard Checker model.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qemu/log.h"
+#include "exec/hwaddr.h"
+#include "exec/exec-all.h"
+#include "hw/irq.h"
+#include "hw/registerfields.h"
+#include "hw/sysbus.h"
+#include "hw/hw.h"
+#include "hw/qdev-properties.h"
+#include "hw/misc/riscv_worldguard.h"
+#include "target/riscv/cpu.h"
+#include "trace.h"
+
+/* Common */
+REG32(VENDOR,               0x000)
+REG32(IMPID,                0x004)
+
+/* wgChecker */
+REG32(NSLOTS,               0x008)
+REG64(ERRCAUSE,             0x010)
+    FIELD(ERRCAUSE, WID,        0,  8)
+    FIELD(ERRCAUSE, R,          8,  1)
+    FIELD(ERRCAUSE, W,          9,  1)
+    FIELD(ERRCAUSE, BE,         62, 1)
+    FIELD(ERRCAUSE, IP,         63, 1)
+
+#define ERRCAUSE_MASK   \
+    (R_ERRCAUSE_WID_MASK | \
+     R_ERRCAUSE_R_MASK   | \
+     R_ERRCAUSE_W_MASK   | \
+     R_ERRCAUSE_BE_MASK  | \
+     R_ERRCAUSE_IP_MASK)
+
+REG64(ERRADDR,              0x018)
+
+/*
+ * Accesses only reach these read and write functions if the wgChecker
+ * is blocking them; non-blocked accesses go directly to the downstream
+ * memory region without passing through this code.
+ */
+static MemTxResult riscv_wgc_mem_blocked_read(void *opaque, hwaddr addr,
+                                               uint64_t *pdata,
+                                               unsigned size, MemTxAttrs attrs)
+{
+    uint32_t wid = mem_attrs_to_wid(attrs);
+
+    trace_riscv_wgc_mem_blocked_read(addr, size, wid);
+
+    *pdata = 0;
+    return MEMTX_OK;
+}
+
+static MemTxResult riscv_wgc_mem_blocked_write(void *opaque, hwaddr addr,
+                                               uint64_t value,
+                                               unsigned size, MemTxAttrs attrs)
+{
+    uint32_t wid = mem_attrs_to_wid(attrs);
+
+    trace_riscv_wgc_mem_blocked_write(addr, value, size, wid);
+
+    return MEMTX_OK;
+}
+
+static const MemoryRegionOps riscv_wgc_mem_blocked_ops = {
+    .read_with_attrs = riscv_wgc_mem_blocked_read,
+    .write_with_attrs = riscv_wgc_mem_blocked_write,
+    .endianness = DEVICE_LITTLE_ENDIAN,
+    .valid.min_access_size = 1,
+    .valid.max_access_size = 8,
+    .impl.min_access_size = 1,
+    .impl.max_access_size = 8,
+};
+
+static IOMMUTLBEntry riscv_wgc_translate(IOMMUMemoryRegion *iommu,
+                                          hwaddr addr, IOMMUAccessFlags flags,
+                                          int iommu_idx)
+{
+    WgCheckerRegion *region = container_of(iommu, WgCheckerRegion, upstream);
+    RISCVWgCheckerState *s = RISCV_WGCHECKER(region->wgchecker);
+    hwaddr phys_addr;
+    uint64_t region_size;
+
+    IOMMUTLBEntry ret = {
+        .iova = addr & ~WG_ALIGNED_MASK,
+        .translated_addr = addr & ~WG_ALIGNED_MASK,
+        .addr_mask = WG_ALIGNED_MASK,
+        .perm = IOMMU_RW,
+    };
+
+    /* addr shouldn't exceed region size of down/upstream. */
+    region_size = memory_region_size(region->downstream);
+    g_assert(addr < region_size);
+
+    /*
+     * Look at the wgChecker configuration for this address, and
+     * return a TLB entry directing the transaction at either
+     * downstream_as or blocked_io_as, as appropriate.
+     * For the moment, always permit accesses.
+     */
+
+    /* Use physical address instead of offset */
+    phys_addr = addr + region->region_offset;
+
+    is_success = true;
+
+    trace_riscv_wgc_translate(phys_addr, flags,
+        iommu_idx, is_success ? "pass" : "block");
+
+    ret.target_as = is_success ? &region->downstream_as : &region->blocked_io_as;
+    return ret;
+}
+
+static int riscv_wgc_attrs_to_index(IOMMUMemoryRegion *iommu, MemTxAttrs attrs)
+{
+    return mem_attrs_to_wid(attrs);
+}
+
+static int riscv_wgc_num_indexes(IOMMUMemoryRegion *iommu)
+{
+    return worldguard_config->nworlds;
+}
+
+static uint64_t riscv_wgchecker_readq(void *opaque, hwaddr addr)
+{
+    RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
+    uint64_t val = 0;
+
+    switch (addr) {
+    case A_ERRCAUSE:
+        val = s->errcause & ERRCAUSE_MASK;
+        break;
+    case A_ERRADDR:
+        val = s->erraddr;
+        break;
+    case A_NSLOTS:
+        val = s->slot_count;
+        break;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
+                      __func__, addr, 8);
+        break;
+    }
+
+    return val;
+}
+
+static uint64_t riscv_wgchecker_readl(void *opaque, hwaddr addr)
+{
+    RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
+    uint64_t val = 0;
+
+    switch (addr) {
+    case A_VENDOR:
+        val = 0;
+        break;
+    case A_IMPID:
+        val = 0;
+        break;
+    case A_NSLOTS:
+        val = extract64(s->slot_count, 0, 32);
+        break;
+    case A_NSLOTS + 4:
+        val = extract64(s->slot_count, 0, 32);
+        break;
+    case A_ERRCAUSE:
+        val = s->errcause & ERRCAUSE_MASK;
+        val = extract64(val, 0, 32);
+        break;
+    case A_ERRCAUSE + 4:
+        val = s->errcause & ERRCAUSE_MASK;
+        val = extract64(val, 32, 32);
+        break;
+    case A_ERRADDR:
+        val = extract64(s->erraddr, 0, 32);
+        break;
+    case A_ERRADDR + 4:
+        val = extract64(s->erraddr, 32, 32);
+        break;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
+                      __func__, addr, 4);
+        break;
+    }
+
+    return val;
+}
+
+static uint64_t riscv_wgchecker_read(void *opaque, hwaddr addr, unsigned size)
+{
+    uint64_t val = 0;
+
+    switch (size) {
+    case 8:
+        val = riscv_wgchecker_readq(opaque, addr);
+        break;
+    case 4:
+        val = riscv_wgchecker_readl(opaque, addr);
+        break;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: Invalid read size %u to wgChecker\n",
+                      __func__, size);
+        return 0;
+    }
+
+    return val;
+}
+
+static void riscv_wgchecker_writeq(void *opaque, hwaddr addr,
+                                    uint64_t value)
+{
+    RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
+
+    switch (addr) {
+    case A_ERRCAUSE:
+        s->errcause = value & ERRCAUSE_MASK;
+        break;
+    case A_ERRADDR:
+        s->erraddr = value;
+        break;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
+                      __func__, addr, 8);
+        break;
+    }
+}
+
+static void riscv_wgchecker_writel(void *opaque, hwaddr addr,
+                                    uint64_t value)
+{
+    RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
+
+    switch (addr) {
+    case A_ERRCAUSE:
+        value &= extract64(ERRCAUSE_MASK, 0, 32);
+        s->errcause = deposit64(s->errcause, 0, 32, value);
+        break;
+    case A_ERRCAUSE + 4:
+        value &= extract64(ERRCAUSE_MASK, 32, 32);
+        s->errcause = deposit64(s->errcause, 32, 32, value);
+        break;
+    case A_ERRADDR:
+        s->erraddr = deposit64(s->erraddr, 0, 32, value);
+        break;
+    case A_ERRADDR + 4:
+        s->erraddr = deposit64(s->erraddr, 32, 32, value);
+        break;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
+                      __func__, addr, 4);
+        break;
+    }
+}
+
+static void riscv_wgchecker_write(void *opaque, hwaddr addr,
+                                   uint64_t value, unsigned size)
+{
+    switch (size) {
+    case 8:
+        riscv_wgchecker_writeq(opaque, addr, value);
+        break;
+    case 4:
+        riscv_wgchecker_writel(opaque, addr, value);
+        break;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: Invalid write size %u to wgChecker\n",
+                      __func__, size);
+        break;
+    }
+}
+
+static MemTxResult riscv_wgchecker_read_with_attrs(
+    void *opaque, hwaddr addr, uint64_t *pdata, unsigned size,
+    MemTxAttrs attrs)
+{
+    SysBusDevice *dev = SYS_BUS_DEVICE(opaque);
+
+    trace_riscv_wgchecker_mmio_read(dev->mmio[0].addr, addr, size);
+
+    *pdata = 0;
+    if (could_access_wgblocks(attrs, "wgChecker")) {
+        *pdata = riscv_wgchecker_read(opaque, addr, size);
+    }
+
+    return MEMTX_OK;
+}
+
+static MemTxResult riscv_wgchecker_write_with_attrs(
+    void *opaque, hwaddr addr, uint64_t data, unsigned size,
+    MemTxAttrs attrs)
+{
+    SysBusDevice *dev = SYS_BUS_DEVICE(opaque);
+
+    trace_riscv_wgchecker_mmio_write(dev->mmio[0].addr, addr, size, data);
+
+    if (could_access_wgblocks(attrs, "wgChecker")) {
+        riscv_wgchecker_write(opaque, addr, data, size);
+    }
+
+    return MEMTX_OK;
+}
+
+static const MemoryRegionOps riscv_wgchecker_ops = {
+    .read_with_attrs = riscv_wgchecker_read_with_attrs,
+    .write_with_attrs = riscv_wgchecker_write_with_attrs,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+    .valid = {
+        .min_access_size = 4,
+        .max_access_size = 8
+    },
+    .impl = {
+        .min_access_size = 4,
+        .max_access_size = 8
+    }
+};
+
+static void riscv_wgc_iommu_memory_region_class_init(ObjectClass *klass,
+                                                  void *data)
+{
+    IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass);
+
+    imrc->translate = riscv_wgc_translate;
+    imrc->attrs_to_index = riscv_wgc_attrs_to_index;
+    imrc->num_indexes = riscv_wgc_num_indexes;
+}
+
+static const TypeInfo riscv_wgc_iommu_memory_region_info = {
+    .name = TYPE_RISCV_WGC_IOMMU_MEMORY_REGION,
+    .parent = TYPE_IOMMU_MEMORY_REGION,
+    .class_init = riscv_wgc_iommu_memory_region_class_init,
+};
+
+
+#define DEFINE_REGION(N)                                                \
+    DEFINE_PROP_LINK("downstream-mr[" #N "]", RISCVWgCheckerState,     \
+                     mem_regions[N].downstream,                         \
+                     TYPE_MEMORY_REGION, MemoryRegion *),               \
+    DEFINE_PROP_UINT64("region-offset[" #N "]", RISCVWgCheckerState,   \
+                       mem_regions[N].region_offset, 0)                 \
+
+static Property riscv_wgchecker_properties[] = {
+    DEFINE_PROP_UINT32("slot-count", RISCVWgCheckerState, slot_count, 0x1),
+    DEFINE_PROP_UINT32("mmio-size", RISCVWgCheckerState, mmio_size, 0x1000),
+
+    /* Assume 1 wgChecker has 16 regions at maximum (WGC_NUM_REGIONS). */
+    DEFINE_REGION(0), DEFINE_REGION(1), DEFINE_REGION(2), DEFINE_REGION(3),
+    DEFINE_REGION(4), DEFINE_REGION(5), DEFINE_REGION(6), DEFINE_REGION(7),
+    DEFINE_REGION(8), DEFINE_REGION(9), DEFINE_REGION(10), DEFINE_REGION(11),
+    DEFINE_REGION(12), DEFINE_REGION(13), DEFINE_REGION(14), DEFINE_REGION(15),
+
+    DEFINE_PROP_UINT64("addr-range-start", RISCVWgCheckerState, addr_range_start, 0),
+    DEFINE_PROP_UINT64("addr-range-size", RISCVWgCheckerState, addr_range_size, UINT64_MAX),
+
+    /*
+     * We could only set individual wgChecker to hw-bypass mode. It is
+     * usually used in wgChecker of BootROM, since SW has no way to enable
+     * the permission of it.
+     */
+    DEFINE_PROP_BOOL("hw-bypass", RISCVWgCheckerState, hw_bypass, false),
+};
+
+static int int_log2_down(int n)
+{
+    int i = 0;
+
+    n >>= 1;
+
+    while (n) {
+        i++;
+        n >>= 1;
+    }
+
+    return i;
+}
+
+static int int_log2_up(int n)
+{
+    return int_log2_down(n - 1) + 1;
+}
+
+/*
+ * Change the address range to be NAPOT alignment.
+ *
+ * New address range should totally cover the origin range, but new range
+ * should be configured by 1 NAPOT region (slot).
+ */
+static void address_range_align_napot(RISCVWgCheckerState *s)
+{
+    uint64_t start, end, size, new_size;
+
+    start = s->addr_range_start;
+    end = s->addr_range_start + s->addr_range_size;
+    size = s->addr_range_size;
+
+    if (size == UINT64_MAX) {
+        /* Full address range. No need of NAPOT alignment. */
+        return;
+    }
+
+    /* Size is the next power-of-2 number. */
+    size = 1 << (int_log2_up(size));
+    start = QEMU_ALIGN_DOWN(start, size);
+    end = QEMU_ALIGN_UP(end, size);
+    new_size = end - start;
+
+    /*
+     * If base is not aligned to region size (new_size),
+     * double the region size and try it again.
+     */
+    while ((new_size != size) && (size != 1ULL << 63)) {
+        size *= 2;
+        start = QEMU_ALIGN_DOWN(start, size);
+        end = QEMU_ALIGN_UP(end, size);
+        new_size = end - start;
+    }
+
+    s->addr_range_start = start;
+    s->addr_range_size = size;
+}
+
+static void riscv_wgchecker_realize(DeviceState *dev, Error **errp)
+{
+    Object *obj = OBJECT(dev);
+    RISCVWgCheckerState *s = RISCV_WGCHECKER(dev);
+    uint64_t size;
+
+    if (worldguard_config == NULL) {
+        error_setg(errp, "Couldn't find global WorldGuard configs. "
+                   "Please realize %s device at first.",
+                   TYPE_RISCV_WORLDGUARD);
+        return;
+    }
+
+    if (s->slot_count == 0) {
+        error_setg(errp, "wgChecker slot-count couldn't be zero.");
+        return;
+    }
+
+    memory_region_init_io(&s->mmio, OBJECT(dev), &riscv_wgchecker_ops, s,
+                          TYPE_RISCV_WGCHECKER, s->mmio_size);
+    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->mmio);
+    sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->irq);
+
+    /* Address range should be NAPOT alignment */
+    address_range_align_napot(s);
+
+    for (int i=0; i<WGC_NUM_REGIONS; i++) {
+        WgCheckerRegion *region = &s->mem_regions[i];
+
+        if (!region->downstream) {
+            continue;
+        }
+        region->wgchecker = s;
+
+        const char *upstream_name = g_strdup_printf(
+            "wgchecker-upstream-%"HWADDR_PRIx, region->region_offset);
+        const char *downstream_name = g_strdup_printf(
+            "wgchecker-downstream-%"HWADDR_PRIx, region->region_offset);
+
+        size = memory_region_size(region->downstream);
+        memory_region_init_iommu(&region->upstream, sizeof(region->upstream),
+                                 TYPE_RISCV_WGC_IOMMU_MEMORY_REGION,
+                                 obj, upstream_name, size);
+
+        /* upstream MRs are 2nd ~ (n+1)th MemoryRegion. */
+        sysbus_init_mmio(SYS_BUS_DEVICE(dev), MEMORY_REGION(&region->upstream));
+
+        /*
+         * This memory region is not exposed to users of this device as a
+         * sysbus MMIO region, but is instead used internally as something
+         * that our IOMMU translate function might direct accesses to.
+         */
+        memory_region_init_io(&region->blocked_io, obj, &riscv_wgc_mem_blocked_ops,
+                              region, "wgchecker-blocked-io", size);
+
+        address_space_init(&region->downstream_as, region->downstream,
+                           downstream_name);
+        address_space_init(&region->blocked_io_as, &region->blocked_io,
+                           "wgchecker-blocked-io");
+    }
+}
+
+static void riscv_wgchecker_unrealize(DeviceState *dev)
+{
+    RISCVWgCheckerState *s = RISCV_WGCHECKER(dev);
+
+    g_free(s->slots);
+    if (s->num_default_slots && s->default_slots) {
+        g_free(s->default_slots);
+    }
+}
+
+static void riscv_wgchecker_reset_enter(Object *obj, ResetType type)
+{
+    RISCVWgCheckerState *s = RISCV_WGCHECKER(obj);
+    uint64_t start = s->addr_range_start;
+    uint64_t end = s->addr_range_start + s->addr_range_size;
+    int nslots = s->slot_count;
+
+    s->errcause = 0;
+    s->erraddr = 0;
+}
+
+static void riscv_wgchecker_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    device_class_set_props(dc, riscv_wgchecker_properties);
+    dc->user_creatable = true;
+    dc->realize = riscv_wgchecker_realize;
+    dc->unrealize = riscv_wgchecker_unrealize;
+    ResettableClass *rc = RESETTABLE_CLASS(klass);
+    rc->phases.enter = riscv_wgchecker_reset_enter;
+}
+
+static void riscv_wgchecker_instance_init(Object *obj)
+{
+    RISCVWgCheckerState *s = RISCV_WGCHECKER(obj);
+
+    s->num_default_slots = 0;
+}
+
+static const TypeInfo riscv_wgchecker_info = {
+    .name          = TYPE_RISCV_WGCHECKER,
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_init = riscv_wgchecker_instance_init,
+    .instance_size = sizeof(RISCVWgCheckerState),
+    .class_init    = riscv_wgchecker_class_init,
+};
+
+static void riscv_wgchecker_register_types(void)
+{
+    type_register_static(&riscv_wgchecker_info);
+    type_register_static(&riscv_wgc_iommu_memory_region_info);
+}
+
+type_init(riscv_wgchecker_register_types)
+
+/*
+ * Create WgChecker device
+ */
+DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size,
+                                    qemu_irq irq, uint32_t slot_count,
+                                    uint64_t addr_range_start,
+                                    uint64_t addr_range_size,
+                                    uint32_t num_of_region,
+                                    MemoryRegion **downstream,
+                                    uint64_t *region_offset,
+                                    uint32_t num_default_slots,
+                                    WgCheckerSlot *default_slots)
+{
+    DeviceState *dev = qdev_new(TYPE_RISCV_WGCHECKER);
+    RISCVWgCheckerState *s = RISCV_WGCHECKER(dev);
+    char name_mr[32];
+    char name_offset[32];
+    int i;
+
+    qdev_prop_set_uint32(dev, "slot-count", slot_count);
+    qdev_prop_set_uint32(dev, "mmio-size", size);
+    qdev_prop_set_uint64(dev, "addr-range-start", addr_range_start);
+    if (addr_range_size) {
+        qdev_prop_set_uint64(dev, "addr-range-size", addr_range_size);
+    }
+
+    g_assert(num_of_region <= WGC_NUM_REGIONS);
+    for (i=0; i<num_of_region; i++) {
+        snprintf(name_mr, 32, "downstream-mr[%d]", i);
+        snprintf(name_offset, 32, "region-offset[%d]", i);
+
+        object_property_set_link(OBJECT(dev), name_mr,
+                                 OBJECT(downstream[i]), &error_fatal);
+        qdev_prop_set_uint64(dev, name_offset, region_offset[i]);
+    }
+
+    sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
+    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, addr);
+    sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, irq);
+    return dev;
+}
diff --git a/hw/misc/trace-events b/hw/misc/trace-events
index 4383808d7a..b1d8538220 100644
--- a/hw/misc/trace-events
+++ b/hw/misc/trace-events
@@ -395,3 +395,11 @@ ivshmem_flat_interrupt_peer(uint16_t peer_id, uint16_t vector_id) "Interrupting
 i2c_echo_event(const char *id, const char *event) "%s: %s"
 i2c_echo_recv(const char *id, uint8_t data) "%s: recv 0x%02" PRIx8
 i2c_echo_send(const char *id, uint8_t data) "%s: send 0x%02" PRIx8
+
+# riscv_worldguard.c
+riscv_wgchecker_mmio_read(uint64_t base, uint64_t offset, unsigned int size) "base = 0x%"PRIx64", offset = 0x%"PRIx64", size = 0x%x"
+riscv_wgchecker_mmio_write(uint64_t base, uint64_t offset, unsigned int size, uint64_t val) "base = 0x%"PRIx64", offset = 0x%"PRIx64", size = 0x%x, val = 0x%"PRIx64
+
+riscv_wgc_mem_blocked_read(uint64_t addr, unsigned size, uint32_t wid) "wgChecker blocked read: offset 0x%" PRIx64 " size %u wid %" PRIu32
+riscv_wgc_mem_blocked_write(uint64_t addr, uint64_t data, unsigned size, uint32_t wid) "wgChecker blocked write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u wid %" PRIu32
+riscv_wgc_translate(uint64_t addr, int flags, int wid, const char *res) "wgChecker translate: addr 0x%016" PRIx64 " flags 0x%x wid %d: %s"
diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h
index 211a72e438..7b5aae866a 100644
--- a/include/hw/misc/riscv_worldguard.h
+++ b/include/hw/misc/riscv_worldguard.h
@@ -53,4 +53,67 @@ void riscv_worldguard_apply_cpu(uint32_t hartid);
 uint32_t mem_attrs_to_wid(MemTxAttrs attrs);
 bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock);
 
+#define TYPE_RISCV_WGCHECKER  "riscv.wgchecker"
+
+typedef struct RISCVWgCheckerState RISCVWgCheckerState;
+DECLARE_INSTANCE_CHECKER(RISCVWgCheckerState, RISCV_WGCHECKER,
+                         TYPE_RISCV_WGCHECKER)
+
+#define TYPE_RISCV_WGC_IOMMU_MEMORY_REGION    "riscv-wgc-iommu-memory-region"
+
+typedef struct WgCheckerSlot WgCheckerSlot;
+struct WgCheckerSlot {
+    uint64_t addr;
+    uint64_t perm;
+    uint32_t cfg;
+};
+
+typedef struct WgCheckerRegion WgCheckerRegion;
+struct WgCheckerRegion {
+    MemoryRegion *downstream;
+    uint64_t region_offset;
+
+    IOMMUMemoryRegion upstream;
+    MemoryRegion blocked_io;
+    AddressSpace downstream_as;
+    AddressSpace blocked_io_as;
+
+    RISCVWgCheckerState *wgchecker;
+};
+
+#define WGC_NUM_REGIONS     16
+
+struct RISCVWgCheckerState {
+    /*< private >*/
+    SysBusDevice parent_obj;
+
+    /*< public >*/
+    MemoryRegion mmio;
+    qemu_irq irq;
+
+    /* error reg */
+    uint64_t errcause;
+    uint64_t erraddr;
+
+    /* Memory regions protected by wgChecker */
+    WgCheckerRegion mem_regions[WGC_NUM_REGIONS];
+
+    /* Property */
+    uint32_t slot_count; /* nslots */
+    uint32_t mmio_size;
+    uint64_t addr_range_start;
+    uint64_t addr_range_size;
+    bool hw_bypass;
+};
+
+DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size,
+                                    qemu_irq irq, uint32_t slot_count,
+                                    uint64_t addr_range_start,
+                                    uint64_t addr_range_size,
+                                    uint32_t num_of_region,
+                                    MemoryRegion **downstream,
+                                    uint64_t *region_offset,
+                                    uint32_t num_default_slots,
+                                    WgCheckerSlot *default_slots);
+
 #endif
-- 
2.17.1

[PATCH v2 15/18] hw/misc: riscv_wgchecker: Implement wgchecker slot registers

[Jim Shu]

wgChecker slot is similar to PMP region. SW could program each slot to
configure the permission of address range.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 hw/misc/riscv_wgchecker.c          | 330 +++++++++++++++++++++++++++++
 hw/misc/riscv_worldguard.c         |   3 +
 include/hw/misc/riscv_worldguard.h |   4 +
 3 files changed, 337 insertions(+)

diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c
index ea50f4f53a..8839d898c9 100644
--- a/hw/misc/riscv_wgchecker.c
+++ b/hw/misc/riscv_wgchecker.c
@@ -53,6 +53,52 @@ REG64(ERRCAUSE,             0x010)
      R_ERRCAUSE_IP_MASK)
 
 REG64(ERRADDR,              0x018)
+REG64(WGC_SLOT,             0x020)
+
+/* wgChecker slots */
+REG64(SLOT_ADDR,            0x000)
+REG64(SLOT_PERM,            0x008)
+REG32(SLOT_CFG,             0x010)
+    FIELD(SLOT_CFG, A,          0,  2)
+    FIELD(SLOT_CFG, ER,         8,  1)
+    FIELD(SLOT_CFG, EW,         9,  1)
+    FIELD(SLOT_CFG, IR,         10, 1)
+    FIELD(SLOT_CFG, IW,         11, 1)
+    FIELD(SLOT_CFG, LOCK,       31, 1)
+
+#define SLOT_SIZE               0x020
+
+#define SLOT0_CFG_MASK \
+    (R_SLOT_CFG_ER_MASK | \
+     R_SLOT_CFG_EW_MASK | \
+     R_SLOT_CFG_IR_MASK | \
+     R_SLOT_CFG_IW_MASK | \
+     R_SLOT_CFG_LOCK_MASK)
+
+#define SLOT_CFG_MASK \
+    (R_SLOT_CFG_A_MASK  | (SLOT0_CFG_MASK))
+
+#define WGC_SLOT_END(nslots) \
+    (A_WGC_SLOT + SLOT_SIZE * (nslots + 1))
+
+/* wgChecker slot is 4K alignment */
+#define WG_ALIGNED_SIZE         (1 << 12)
+#define WG_ALIGNED_MASK         MAKE_64BIT_MASK(0, 12)
+
+/* wgChecker slot address is (addr / 4). */
+#define TO_SLOT_ADDR(addr)      ((addr) >> 2)
+#define FROM_SLOT_ADDR(addr)    ((addr) << 2)
+
+/* wgChecker slot cfg.A[1:0] */
+#define A_OFF                   0
+#define A_TOR                   1
+#define A_NA4                   2
+#define A_NAPOT                 3
+
+/* wgChecker slot perm */
+#define WGC_PERM(wid, perm)     ((uint64_t)(perm) << (2 * (wid)))
+#define P_READ                  (1 << 0)
+#define P_WRITE                 (1 << 1)
 
 /*
  * Accesses only reach these read and write functions if the wgChecker
@@ -146,6 +192,28 @@ static uint64_t riscv_wgchecker_readq(void *opaque, hwaddr addr)
     RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
     uint64_t val = 0;
 
+    if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) {
+        /* Read from WGC slot */
+        int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE;
+        int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE;
+
+        switch (slot_offset) {
+        case A_SLOT_ADDR:
+            val = s->slots[slot_id].addr;
+            break;
+        case A_SLOT_PERM:
+            val = s->slots[slot_id].perm;
+            break;
+        default:
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
+                          __func__, addr, 8);
+            break;
+        }
+
+        return val;
+    }
+
     switch (addr) {
     case A_ERRCAUSE:
         val = s->errcause & ERRCAUSE_MASK;
@@ -171,6 +239,37 @@ static uint64_t riscv_wgchecker_readl(void *opaque, hwaddr addr)
     RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
     uint64_t val = 0;
 
+    if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) {
+        /* Read from WGC slot */
+        int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE;
+        int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE;
+
+        switch (slot_offset) {
+        case A_SLOT_ADDR:
+            val = extract64(s->slots[slot_id].addr, 0, 32);
+            break;
+        case A_SLOT_ADDR + 4:
+            val = extract64(s->slots[slot_id].addr, 32, 32);
+            break;
+        case A_SLOT_PERM:
+            val = extract64(s->slots[slot_id].perm, 0, 32);
+            break;
+        case A_SLOT_PERM + 4:
+            val = extract64(s->slots[slot_id].perm, 32, 32);
+            break;
+        case A_SLOT_CFG:
+            val = s->slots[slot_id].cfg & SLOT_CFG_MASK;
+            break;
+        default:
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
+                          __func__, addr, 4);
+            break;
+        }
+
+        return val;
+    }
+
     switch (addr) {
     case A_VENDOR:
         val = 0;
@@ -228,11 +327,121 @@ static uint64_t riscv_wgchecker_read(void *opaque, hwaddr addr, unsigned size)
     return val;
 }
 
+/*
+ * Validate the WGC slot address is between address range.
+ *
+ * Fix the slot address to the start address if it's not within the address range.
+ * We need validation when changing "slot address" or "TOR/NAPOT mode (cfg.A)"
+ */
+static void validate_slot_address(void *opaque, int slot_id)
+{
+    RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
+    uint64_t start = TO_SLOT_ADDR(s->addr_range_start);
+    uint64_t end = TO_SLOT_ADDR(s->addr_range_start + s->addr_range_size);
+    uint32_t cfg_a = FIELD_EX32(s->slots[slot_id].cfg, SLOT_CFG, A);
+
+    /* First and last slot address are hard-coded. */
+    if ((slot_id == 0) || (slot_id == s->slot_count)) {
+        return;
+    }
+
+    /* Check WGC slot address is between address range. */
+    if ((s->slots[slot_id].addr < start) || (s->slots[slot_id].addr >= end)) {
+        s->slots[slot_id].addr = start;
+    }
+
+    /* Check WGC slot is 4k-aligned. */
+    if (cfg_a == A_TOR) {
+        s->slots[slot_id].addr &= ~TO_SLOT_ADDR(WG_ALIGNED_MASK);
+    } else if (cfg_a == A_NAPOT) {
+        s->slots[slot_id].addr |= TO_SLOT_ADDR(WG_ALIGNED_MASK >> 1);
+    } else if (cfg_a == A_NA4) {
+        /* Forcely replace NA4 slot with 4K-aligned NAPOT slot. */
+        FIELD_DP32(s->slots[slot_id].cfg, SLOT_CFG, A, A_NAPOT);
+        s->slots[slot_id].addr |= TO_SLOT_ADDR(WG_ALIGNED_MASK >> 1);
+    }
+}
+
+static bool slots_reg_is_ro(int slot_id, int slot_offset, uint32_t nslots)
+{
+    /*
+     * Special slots:
+     *   - slot[0]:
+     *     - addr is RO
+     *     - perm is RO
+     *     - cfg.A is OFF
+     *
+     *   - slot[nslots]:
+     *     - addr is RO
+     *     - cfg.A is OFF or TOR
+     */
+    if (slot_id == 0) {
+        switch (slot_offset) {
+        case A_SLOT_ADDR:
+        case A_SLOT_ADDR + 4:
+        case A_SLOT_PERM:
+        case A_SLOT_PERM + 4:
+            return true;
+        default:
+            break;
+        }
+    } else if (slot_id == nslots) {
+        switch (slot_offset) {
+        case A_SLOT_ADDR:
+        case A_SLOT_ADDR + 4:
+            return true;
+        default:
+            break;
+        }
+    }
+
+    return false;
+}
+
 static void riscv_wgchecker_writeq(void *opaque, hwaddr addr,
                                     uint64_t value)
 {
     RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
 
+    if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) {
+        /* Read from WGC slot */
+        int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE;
+        int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE;
+        bool locked = FIELD_EX32(s->slots[slot_id].cfg, SLOT_CFG, LOCK);
+
+        if (locked) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Couldn't write access to locked wgChecker Slot: "
+                          "slot = %d, offset = %d\n", __func__, slot_id,
+                          slot_offset);
+            return;
+        }
+
+        if (slots_reg_is_ro(slot_id, slot_offset, s->slot_count)) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
+                          __func__, addr, 8);
+        }
+
+        switch (slot_offset) {
+        case A_SLOT_ADDR:
+            s->slots[slot_id].addr = value;
+            validate_slot_address(s, slot_id);
+            break;
+        case A_SLOT_PERM:
+            value &= wgc_slot_perm_mask;
+            s->slots[slot_id].perm = value;
+            break;
+        default:
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
+                          __func__, addr, 8);
+            break;
+        }
+
+        return;
+    }
+
     switch (addr) {
     case A_ERRCAUSE:
         s->errcause = value & ERRCAUSE_MASK;
@@ -253,6 +462,81 @@ static void riscv_wgchecker_writel(void *opaque, hwaddr addr,
 {
     RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
 
+    if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) {
+        /* Write to WGC slot */
+        int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE;
+        int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE;
+        bool locked = FIELD_EX32(s->slots[slot_id].cfg, SLOT_CFG, LOCK);
+        int cfg_a, old_cfg_a;
+
+        if (locked) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Couldn't write access to locked wgChecker Slot: "
+                          "slot = %d, offset = %d\n", __func__, slot_id,
+                          slot_offset);
+            return;
+        }
+
+        if (slots_reg_is_ro(slot_id, slot_offset, s->slot_count)) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
+                          __func__, addr, 4);
+        }
+
+        switch (slot_offset) {
+        case A_SLOT_ADDR:
+            s->slots[slot_id].addr = deposit64(
+                s->slots[slot_id].addr, 0, 32, value);
+            validate_slot_address(s, slot_id);
+            break;
+        case A_SLOT_ADDR + 4:
+            s->slots[slot_id].addr = deposit64(
+                s->slots[slot_id].addr, 32, 32, value);
+            validate_slot_address(s, slot_id);
+            break;
+        case A_SLOT_PERM:
+            value &= wgc_slot_perm_mask;
+            s->slots[slot_id].perm = deposit64(
+                s->slots[slot_id].perm, 0, 32, value);
+            break;
+        case A_SLOT_PERM + 4:
+            value &= extract64(wgc_slot_perm_mask, 32, 32);
+            s->slots[slot_id].perm = deposit64(
+                s->slots[slot_id].perm, 32, 32, value);
+            break;
+        case A_SLOT_CFG:
+            if (slot_id == 0) {
+                value &= SLOT0_CFG_MASK;
+                s->slots[0].cfg = value;
+            } else if (slot_id == s->slot_count) {
+                old_cfg_a = FIELD_EX32(s->slots[s->slot_count].cfg, SLOT_CFG, A);
+                cfg_a = FIELD_EX32(value, SLOT_CFG, A);
+
+                value &= SLOT0_CFG_MASK;
+                if ((cfg_a == A_OFF) || (cfg_a == A_TOR)) {
+                    value |= cfg_a;
+                } else {
+                    /* slot[nslots] could only use OFF or TOR config. */
+                    value |= old_cfg_a;
+                }
+                s->slots[s->slot_count].cfg = value;
+
+                validate_slot_address(s, slot_id);
+            } else {
+                value &= SLOT_CFG_MASK;
+                s->slots[slot_id].cfg = value;
+            }
+            break;
+        default:
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
+                          __func__, addr, 4);
+            break;
+        }
+
+        return;
+    }
+
     switch (addr) {
     case A_ERRCAUSE:
         value &= extract64(ERRCAUSE_MASK, 0, 32);
@@ -460,6 +744,8 @@ static void riscv_wgchecker_realize(DeviceState *dev, Error **errp)
         return;
     }
 
+    s->slots = g_new0(WgCheckerSlot, s->slot_count + 1);
+
     memory_region_init_io(&s->mmio, OBJECT(dev), &riscv_wgchecker_ops, s,
                           TYPE_RISCV_WGCHECKER, s->mmio_size);
     sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->mmio);
@@ -523,6 +809,37 @@ static void riscv_wgchecker_reset_enter(Object *obj, ResetType type)
 
     s->errcause = 0;
     s->erraddr = 0;
+
+    for (int i = 0; i < nslots; i++) {
+        s->slots[i].addr = TO_SLOT_ADDR(start);
+        s->slots[i].perm = 0;
+        s->slots[i].cfg = 0;
+    }
+    s->slots[nslots].addr = TO_SLOT_ADDR(end);
+    s->slots[nslots].perm = 0;
+    s->slots[nslots].cfg = 0;
+
+    if (s->num_default_slots != 0) {
+        /*
+         * Use default slots:
+         *   slot[0] is hard-coded to start address, so the default slots
+         *   start from slot[1].
+         */
+        memcpy(&s->slots[1], s->default_slots,
+               sizeof(WgCheckerSlot) * s->num_default_slots);
+    } else if ((s->hw_bypass) ||
+               ((worldguard_config != NULL) && worldguard_config->hw_bypass)) {
+        /* HW bypass mode */
+        uint32_t trustedwid = worldguard_config->trustedwid;
+
+        if (trustedwid == NO_TRUSTEDWID) {
+            trustedwid = worldguard_config->nworlds - 1;
+        }
+
+        s->slots[nslots].perm = WGC_PERM(trustedwid, P_READ | P_WRITE);
+        s->slots[nslots].perm &= wgc_slot_perm_mask;
+        s->slots[nslots].cfg = A_TOR;
+    }
 }
 
 static void riscv_wgchecker_class_init(ObjectClass *klass, void *data)
@@ -596,6 +913,19 @@ DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size,
         qdev_prop_set_uint64(dev, name_offset, region_offset[i]);
     }
 
+    if (num_default_slots > slot_count) {
+        num_default_slots = slot_count;
+    }
+
+    s->num_default_slots = num_default_slots;
+    if (s->num_default_slots) {
+        s->default_slots = g_new0(WgCheckerSlot, s->num_default_slots);
+        memcpy(s->default_slots, default_slots,
+               sizeof(WgCheckerSlot) * s->num_default_slots);
+    } else {
+        s->default_slots = NULL;
+    }
+
     sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, addr);
     sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, irq);
diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c
index 1a910f4cf3..59ca6d16e7 100644
--- a/hw/misc/riscv_worldguard.c
+++ b/hw/misc/riscv_worldguard.c
@@ -38,6 +38,9 @@
  */
 struct RISCVWorldGuardState *worldguard_config = NULL;
 
+/* perm field bitmask of wgChecker slot, it's depends on NWorld. */
+uint64_t wgc_slot_perm_mask = 0;
+
 static Property riscv_worldguard_properties[] = {
     DEFINE_PROP_UINT32("nworlds", RISCVWorldGuardState, nworlds, 0),
 
diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h
index 7b5aae866a..f53202524c 100644
--- a/include/hw/misc/riscv_worldguard.h
+++ b/include/hw/misc/riscv_worldguard.h
@@ -45,6 +45,7 @@ struct RISCVWorldGuardState {
 };
 
 extern struct RISCVWorldGuardState *worldguard_config;
+extern uint64_t wgc_slot_perm_mask;
 
 DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid,
                                      bool hw_bypass, bool tz_compat);
@@ -86,9 +87,12 @@ struct WgCheckerRegion {
 struct RISCVWgCheckerState {
     /*< private >*/
     SysBusDevice parent_obj;
+    uint32_t num_default_slots;
+    WgCheckerSlot *default_slots;
 
     /*< public >*/
     MemoryRegion mmio;
+    WgCheckerSlot *slots;
     qemu_irq irq;
 
     /* error reg */
-- 
2.17.1

[PATCH v2 16/18] hw/misc: riscv_wgchecker: Implement correct block-access behavior

[Jim Shu]

The wgChecker is configurable for whether blocked accesses:
* should cause a bus error or just read return zero and write ignore
* should generate the interrupt or not

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 hw/misc/riscv_wgchecker.c | 169 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 167 insertions(+), 2 deletions(-)

diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c
index 8839d898c9..5d2af7946f 100644
--- a/hw/misc/riscv_wgchecker.c
+++ b/hw/misc/riscv_wgchecker.c
@@ -100,6 +100,169 @@ REG32(SLOT_CFG,             0x010)
 #define P_READ                  (1 << 0)
 #define P_WRITE                 (1 << 1)
 
+static void decode_napot(hwaddr a, hwaddr *sa, hwaddr *ea)
+{
+    /*
+     * aaaa...aaa0   8-byte NAPOT range
+     * aaaa...aa01   16-byte NAPOT range
+     * aaaa...a011   32-byte NAPOT range
+     * ...
+     * aa01...1111   2^XLEN-byte NAPOT range
+     * a011...1111   2^(XLEN+1)-byte NAPOT range
+     * 0111...1111   2^(XLEN+2)-byte NAPOT range
+     * 1111...1111   Reserved
+     */
+
+    a = FROM_SLOT_ADDR(a) | 0x3;
+
+    if (sa) {
+        *sa = a & (a + 1);
+    }
+    if (ea) {
+        *ea = a | (a + 1);
+    }
+}
+
+typedef struct WgAccessResult WgAccessResult;
+struct WgAccessResult {
+    bool is_success;
+    bool has_bus_error;
+    bool has_interrupt;
+    uint8_t perm:2;
+};
+
+static WgAccessResult wgc_check_access(
+    RISCVWgCheckerState *s, hwaddr phys_addr, uint32_t wid, bool is_write)
+{
+    WgCheckerSlot *slot, *prev_slot;
+    uint32_t cfg_a, prev_cfg_a;
+    uint64_t start, end;
+    int slot_id, wgc_perm = 0;
+    WgAccessResult result = { 0 };
+
+    bool is_matching = false;
+    bool slot0_be, slot0_ip;
+    bool matched_slot_be = false, matched_slot_ip = false;
+
+    for (slot_id = 0; slot_id < s->slot_count; slot_id++) {
+        slot = &s->slots[slot_id + 1];
+        cfg_a = FIELD_EX32(slot->cfg, SLOT_CFG, A);
+
+        if (cfg_a == A_TOR) {
+            prev_slot = &s->slots[slot_id];
+
+            prev_cfg_a = FIELD_EX32(prev_slot->cfg, SLOT_CFG, A);
+            if (prev_cfg_a == A_NA4) {
+                start = FROM_SLOT_ADDR(prev_slot->addr) + 4;
+            } else if (prev_cfg_a == A_NAPOT) {
+                decode_napot(prev_slot->addr, NULL, &start);
+                start += 1;
+            } else { /* A_TOR or A_OFF */
+                start = FROM_SLOT_ADDR(prev_slot->addr);
+            }
+            end = FROM_SLOT_ADDR(slot->addr);
+        } else if (cfg_a == A_NA4) {
+            start = FROM_SLOT_ADDR(slot->addr);
+            end = start + 4;
+        } else if (cfg_a == A_NAPOT) {
+            decode_napot(slot->addr, &start, &end);
+            end += 1;
+        } else {
+            /* A_OFF: not in slot range. */
+            continue;
+        }
+
+        /* wgChecker slot range is between start to (end - 1). */
+        if ((start <= phys_addr) && (phys_addr < end)) {
+            /* Match the wgC slot */
+            int perm = ((slot->perm >> (wid * 2)) & 0x3);
+
+            /* If any matching rule permits access, the access is permitted. */
+            wgc_perm |= perm;
+
+            /*
+             * If any matching rule wants to report error (IRQ or Bus Error),
+             * the denied access should report error.
+             */
+            is_matching = true;
+            if (is_write) {
+                matched_slot_be |= FIELD_EX64(slot->cfg, SLOT_CFG, EW);
+                matched_slot_ip |= FIELD_EX64(slot->cfg, SLOT_CFG, IW);
+            } else {
+                matched_slot_be |= FIELD_EX64(slot->cfg, SLOT_CFG, ER);
+                matched_slot_ip |= FIELD_EX64(slot->cfg, SLOT_CFG, IR);
+            }
+        }
+    }
+
+    /* If no matching rule, error reporting depends on the slot0's config. */
+    if (is_write) {
+        slot0_be = FIELD_EX64(s->slots[0].cfg, SLOT_CFG, EW);
+        slot0_ip = FIELD_EX64(s->slots[0].cfg, SLOT_CFG, IW);
+    } else {
+        slot0_be = FIELD_EX64(s->slots[0].cfg, SLOT_CFG, ER);
+        slot0_ip = FIELD_EX64(s->slots[0].cfg, SLOT_CFG, IR);
+    }
+
+    result.is_success = is_write ? (wgc_perm & P_WRITE) : (wgc_perm & P_READ);
+    result.perm = wgc_perm;
+    if (!result.is_success) {
+        if (is_matching) {
+            result.has_bus_error = matched_slot_be;
+            result.has_interrupt = matched_slot_ip;
+        } else {
+            result.has_bus_error = slot0_be;
+            result.has_interrupt = slot0_ip;
+        }
+    }
+
+    return result;
+}
+
+static MemTxResult riscv_wgc_handle_blocked_access(
+    WgCheckerRegion *region, hwaddr addr, uint32_t wid, bool is_write)
+{
+    RISCVWgCheckerState *s = RISCV_WGCHECKER(region->wgchecker);
+    bool be, ip;
+    WgAccessResult result;
+    hwaddr phys_addr;
+
+    be = FIELD_EX64(s->errcause, ERRCAUSE, BE);
+    ip = FIELD_EX64(s->errcause, ERRCAUSE, IP);
+    phys_addr = addr + region->region_offset;
+
+    /*
+     * Check if this blocked access trigger IRQ (Bus Error) or not.
+     * It depends on wgChecker slot config (cfg.IR/IW/ER/EW bits).
+     */
+    result = wgc_check_access(s, phys_addr, wid, is_write);
+
+    if (!be && !ip) {
+        /*
+         * With either of the be or ip bits is set, further violations do not
+         * update the errcause or erraddr registers. Also, new interrupts
+         * cannot be generated until the be and ip fields are cleared.
+         */
+        if (result.has_interrupt || result.has_bus_error) {
+            s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, WID, wid);
+            s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, R, !is_write);
+            s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, W, is_write);
+            s->erraddr = TO_SLOT_ADDR(phys_addr);
+        }
+
+        if (result.has_interrupt) {
+            s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, IP, 1);
+            qemu_irq_raise(s->irq);
+        }
+
+        if (result.has_bus_error) {
+            s->errcause = FIELD_DP64(s->errcause, ERRCAUSE, BE, 1);
+        }
+    }
+
+    return result.has_bus_error ? MEMTX_ERROR : MEMTX_OK;
+}
+
 /*
  * Accesses only reach these read and write functions if the wgChecker
  * is blocking them; non-blocked accesses go directly to the downstream
@@ -109,23 +272,25 @@ static MemTxResult riscv_wgc_mem_blocked_read(void *opaque, hwaddr addr,
                                                uint64_t *pdata,
                                                unsigned size, MemTxAttrs attrs)
 {
+    WgCheckerRegion *region = opaque;
     uint32_t wid = mem_attrs_to_wid(attrs);
 
     trace_riscv_wgc_mem_blocked_read(addr, size, wid);
 
     *pdata = 0;
-    return MEMTX_OK;
+    return riscv_wgc_handle_blocked_access(region, addr, wid, false);
 }
 
 static MemTxResult riscv_wgc_mem_blocked_write(void *opaque, hwaddr addr,
                                                uint64_t value,
                                                unsigned size, MemTxAttrs attrs)
 {
+    WgCheckerRegion *region = opaque;
     uint32_t wid = mem_attrs_to_wid(attrs);
 
     trace_riscv_wgc_mem_blocked_write(addr, value, size, wid);
 
-    return MEMTX_OK;
+    return riscv_wgc_handle_blocked_access(region, addr, wid, true);
 }
 
 static const MemoryRegionOps riscv_wgc_mem_blocked_ops = {
-- 
2.17.1

[PATCH v2 17/18] hw/misc: riscv_wgchecker: Check the slot settings in translate

[Jim Shu]

The final part of wgChecker we need to implement is actually using the
wgChecker slots programmed by guest to determine whether to block the
transaction or not.

Since this means we now change transaction mappings when
the guest writes to wgChecker slots, we must also call the IOMMU
notifiers at that point.

One tricky part here is that the perm of 'blocked_io_as' is the
condition of deny access. For example, if wgChecker only permits RO
access, the perm of 'downstream_as' will be IOMMU_RO and the perm of
'blocked_io_as' will be IOMMU_WO.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 hw/misc/riscv_wgchecker.c | 70 ++++++++++++++++++++++++++++++++++++---
 hw/misc/trace-events      |  1 +
 2 files changed, 67 insertions(+), 4 deletions(-)

diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c
index 5d2af7946f..5a70231837 100644
--- a/hw/misc/riscv_wgchecker.c
+++ b/hw/misc/riscv_wgchecker.c
@@ -100,6 +100,52 @@ REG32(SLOT_CFG,             0x010)
 #define P_READ                  (1 << 0)
 #define P_WRITE                 (1 << 1)
 
+static IOMMUAccessFlags wgc_perm_to_iommu_flags(int wgc_perm)
+{
+    if (wgc_perm == (P_READ | P_WRITE)) {
+        return IOMMU_RW;
+    } else if (wgc_perm & P_WRITE) {
+        return IOMMU_WO;
+    } else if (wgc_perm & P_READ) {
+        return IOMMU_RO;
+    } else {
+        return IOMMU_NONE;
+    }
+}
+
+static void wgchecker_iommu_notify_all(RISCVWgCheckerState *s)
+{
+    /*
+     * Do tlb_flush() to whole address space via memory_region_notify_iommu()
+     * when wgChecker changes it's config.
+     */
+
+    IOMMUTLBEvent event = {
+        .entry = {
+            .addr_mask = -1ULL,
+        }
+    };
+
+    trace_riscv_wgc_iommu_notify_all();
+
+    for (int i=0; i<WGC_NUM_REGIONS; i++) {
+        WgCheckerRegion *region = &s->mem_regions[i];
+        uint32_t nworlds = worldguard_config->nworlds;
+
+        if (!region->downstream) {
+            continue;
+        }
+        event.entry.iova = 0;
+        event.entry.translated_addr = 0;
+        event.type = IOMMU_NOTIFIER_UNMAP;
+        event.entry.perm = IOMMU_NONE;
+
+        for (int wid=0; wid<nworlds; wid++) {
+            memory_region_notify_iommu(&region->upstream, wid, event);
+        }
+    }
+}
+
 static void decode_napot(hwaddr a, hwaddr *sa, hwaddr *ea)
 {
     /*
@@ -309,6 +355,9 @@ static IOMMUTLBEntry riscv_wgc_translate(IOMMUMemoryRegion *iommu,
 {
     WgCheckerRegion *region = container_of(iommu, WgCheckerRegion, upstream);
     RISCVWgCheckerState *s = RISCV_WGCHECKER(region->wgchecker);
+    bool is_write;
+    WgAccessResult result;
+    int wgc_perm;
     hwaddr phys_addr;
     uint64_t region_size;
 
@@ -327,18 +376,25 @@ static IOMMUTLBEntry riscv_wgc_translate(IOMMUMemoryRegion *iommu,
      * Look at the wgChecker configuration for this address, and
      * return a TLB entry directing the transaction at either
      * downstream_as or blocked_io_as, as appropriate.
-     * For the moment, always permit accesses.
      */
 
     /* Use physical address instead of offset */
     phys_addr = addr + region->region_offset;
+    is_write = (flags == IOMMU_WO);
 
-    is_success = true;
+    result = wgc_check_access(s, phys_addr, iommu_idx, is_write);
 
     trace_riscv_wgc_translate(phys_addr, flags,
-        iommu_idx, is_success ? "pass" : "block");
+        iommu_idx, result.is_success ? "pass" : "block");
 
-    ret.target_as = is_success ? &region->downstream_as : &region->blocked_io_as;
+    wgc_perm = result.perm;
+    if (!result.is_success) {
+        /* if target_as is blocked_io_as, the perm is the condition of deny access. */
+        wgc_perm ^= (P_READ | P_WRITE);
+    }
+    ret.perm = wgc_perm_to_iommu_flags(wgc_perm);
+
+    ret.target_as = result.is_success ? &region->downstream_as : &region->blocked_io_as;
     return ret;
 }
 
@@ -604,6 +660,9 @@ static void riscv_wgchecker_writeq(void *opaque, hwaddr addr,
             break;
         }
 
+        /* Flush softmmu TLB when wgChecker changes config. */
+        wgchecker_iommu_notify_all(s);
+
         return;
     }
 
@@ -699,6 +758,9 @@ static void riscv_wgchecker_writel(void *opaque, hwaddr addr,
             break;
         }
 
+        /* Flush softmmu TLB when wgChecker changes config. */
+        wgchecker_iommu_notify_all(s);
+
         return;
     }
 
diff --git a/hw/misc/trace-events b/hw/misc/trace-events
index b1d8538220..54dfcd50a1 100644
--- a/hw/misc/trace-events
+++ b/hw/misc/trace-events
@@ -403,3 +403,4 @@ riscv_wgchecker_mmio_write(uint64_t base, uint64_t offset, unsigned int size, ui
 riscv_wgc_mem_blocked_read(uint64_t addr, unsigned size, uint32_t wid) "wgChecker blocked read: offset 0x%" PRIx64 " size %u wid %" PRIu32
 riscv_wgc_mem_blocked_write(uint64_t addr, uint64_t data, unsigned size, uint32_t wid) "wgChecker blocked write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u wid %" PRIu32
 riscv_wgc_translate(uint64_t addr, int flags, int wid, const char *res) "wgChecker translate: addr 0x%016" PRIx64 " flags 0x%x wid %d: %s"
+riscv_wgc_iommu_notify_all(void) "wgChecker iommu: notifying UNMAP for all"
-- 
2.17.1

[PATCH v2 18/18] hw/riscv: virt: Add WorldGuard support

[Jim Shu]

* Add 'wg=on' option to enable RISC-V WorldGuard
* Add wgChecker to protect several resources:
  DRAM, FLASH, UART.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 docs/system/riscv/virt.rst |  20 +++++
 hw/riscv/Kconfig           |   1 +
 hw/riscv/virt.c            | 163 ++++++++++++++++++++++++++++++++++++-
 include/hw/riscv/virt.h    |  15 +++-
 4 files changed, 195 insertions(+), 4 deletions(-)

diff --git a/docs/system/riscv/virt.rst b/docs/system/riscv/virt.rst
index 60850970ce..eef1233350 100644
--- a/docs/system/riscv/virt.rst
+++ b/docs/system/riscv/virt.rst
@@ -146,6 +146,26 @@ The following machine-specific options are supported:
 
   Enables the riscv-iommu-sys platform device. Defaults to 'off'.
 
+- wg=[on|off]
+
+  When this option is "on", RISC-V WorldGuard will be enabled in the system
+  to provide the isolation of multiple worlds. RISC-V HARTs will enable WG
+  extensions to have WID in memory transaction. wgCheckers in front of RAMs
+  and device MMIO will be enabled to provide the access control of resources
+  if the transaction contains WID. When not specified, this option is assumed
+  to be "off".
+
+  The WG configuration of virt machine includes 4 worlds. For WG configuration
+  of CPUs, the M-mode WID of CPU (``mwid``) is set to the largest WID number,
+  and the authorized WID list of CPU (``mwidlist``) includes all WIDs. We can
+  modify the configuration of all CPUs via ``x-mwid`` and ``x-mwidlist``
+  CPU options. There are 3 wgCheckers in the virt machine, which separately
+  protects DRAM, FLASH, and UART. Default WG configuration on the virt machine
+  is enough to run the demo of dual OSes in the different worlds. For example,
+  running both Linux kernel and Secure OS (e.g. OP-TEE) in it's own world.
+
+  This option is restricted to the TCG accelerator.
+
 Running Linux kernel
 --------------------
 
diff --git a/hw/riscv/Kconfig b/hw/riscv/Kconfig
index e6a0ac1fa1..5c3e7b3479 100644
--- a/hw/riscv/Kconfig
+++ b/hw/riscv/Kconfig
@@ -68,6 +68,7 @@ config RISCV_VIRT
     select PLATFORM_BUS
     select ACPI
     select ACPI_PCI
+    select RISCV_WORLDGUARD
 
 config SHAKTI_C
     bool
diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
index e517002fdf..da873bc8b8 100644
--- a/hw/riscv/virt.c
+++ b/hw/riscv/virt.c
@@ -58,6 +58,7 @@
 #include "qapi/qapi-visit-common.h"
 #include "hw/virtio/virtio-iommu.h"
 #include "hw/uefi/var-service-api.h"
+#include "hw/misc/riscv_worldguard.h"
 
 /* KVM AIA only supports APLIC MSI. APLIC Wired is always emulated by QEMU. */
 static bool virt_use_kvm_aia_aplic_imsic(RISCVVirtAIAType aia_type)
@@ -89,6 +90,9 @@ static const MemMapEntry virt_memmap[] = {
     [VIRT_PCIE_PIO] =     {  0x3000000,       0x10000 },
     [VIRT_IOMMU_SYS] =    {  0x3010000,        0x1000 },
     [VIRT_PLATFORM_BUS] = {  0x4000000,     0x2000000 },
+    [VIRT_WGC_DRAM] =     {  0x6000000,        0x1000 },
+    [VIRT_WGC_FLASH] =    {  0x6001000,        0x1000 },
+    [VIRT_WGC_UART] =     {  0x6002000,        0x1000 },
     [VIRT_PLIC] =         {  0xc000000, VIRT_PLIC_SIZE(VIRT_CPUS_MAX * 2) },
     [VIRT_APLIC_M] =      {  0xc000000, APLIC_SIZE(VIRT_CPUS_MAX) },
     [VIRT_APLIC_S] =      {  0xd000000, APLIC_SIZE(VIRT_CPUS_MAX) },
@@ -114,6 +118,38 @@ static MemMapEntry virt_high_pcie_memmap;
 
 #define VIRT_FLASH_SECTOR_SIZE (256 * KiB)
 
+/* wgChecker helpers */
+typedef struct WGCInfo {
+    int memmap_idx;
+    uint32_t irq_num;
+    uint32_t slot_count;
+
+    int num_of_child;
+    MemoryRegion *c_region[WGC_NUM_REGIONS];
+    uint64_t c_offset[WGC_NUM_REGIONS];
+} WGCInfo;
+
+enum {
+    WGC_DRAM,
+    WGC_FLASH,
+    WGC_UART,
+    WGC_NUM,
+};
+
+static WGCInfo virt_wgcinfo[] = {
+    [WGC_DRAM]  = { VIRT_WGC_DRAM, WGC_DRAM_IRQ, 16 },
+    [WGC_FLASH] = { VIRT_WGC_FLASH, WGC_FLASH_IRQ, 16 },
+    [WGC_UART]  = { VIRT_WGC_UART, WGC_UART_IRQ, 1 },
+};
+
+static void wgc_append_child(WGCInfo *info, MemoryRegion *region,
+                             uint64_t offset)
+{
+    info->c_region[info->num_of_child] = region;
+    info->c_offset[info->num_of_child] = offset;
+    info->num_of_child += 1;
+}
+
 static PFlashCFI01 *virt_flash_create1(RISCVVirtState *s,
                                        const char *name,
                                        const char *alias_prop_name)
@@ -164,7 +200,8 @@ static void virt_flash_map1(PFlashCFI01 *flash,
 }
 
 static void virt_flash_map(RISCVVirtState *s,
-                           MemoryRegion *sysmem)
+                           MemoryRegion *sysmem,
+                           WGCInfo *info)
 {
     hwaddr flashsize = virt_memmap[VIRT_FLASH].size / 2;
     hwaddr flashbase = virt_memmap[VIRT_FLASH].base;
@@ -173,6 +210,15 @@ static void virt_flash_map(RISCVVirtState *s,
                     sysmem);
     virt_flash_map1(s->flash[1], flashbase + flashsize, flashsize,
                     sysmem);
+
+    if (info) {
+        wgc_append_child(info,
+                         sysbus_mmio_get_region(SYS_BUS_DEVICE(s->flash[0]), 0),
+                         flashbase);
+        wgc_append_child(info,
+                         sysbus_mmio_get_region(SYS_BUS_DEVICE(s->flash[1]), 0),
+                         flashbase + flashsize);
+    }
 }
 
 static void create_pcie_irq_map(RISCVVirtState *s, void *fdt, char *nodename,
@@ -1426,6 +1472,71 @@ static void virt_build_smbios(RISCVVirtState *s)
     }
 }
 
+static DeviceState *create_wgc(WGCInfo *info, DeviceState *irqchip)
+{
+    MemoryRegion *system_memory = get_system_memory();
+    DeviceState *wgc;
+    MemoryRegion *upstream_mr, *downstream_mr;
+    qemu_irq irq = qdev_get_gpio_in(irqchip, info->irq_num);
+    hwaddr base, size;
+
+    /* Unmap downstream_mr from system_memory if it is already mapped. */
+    for (int i=0; i<info->num_of_child; i++) {
+        downstream_mr = info->c_region[i];
+
+        g_assert(downstream_mr);
+        if (downstream_mr->container == system_memory) {
+            memory_region_del_subregion(system_memory, downstream_mr);
+        }
+
+        /*
+         * Clear the offset of downstream_mr, so we could correctly do
+         * address_space_init() to it in wgchecker.
+         */
+        memory_region_set_address(downstream_mr, 0);
+    }
+
+    base = virt_memmap[info->memmap_idx].base;
+    size = virt_memmap[info->memmap_idx].size;
+
+    wgc = riscv_wgchecker_create(
+        base, size, irq, info->slot_count, 0, 0,
+        info->num_of_child, info->c_region, info->c_offset, 0, NULL);
+
+    /* Map upstream_mr to system_memory */
+    for (int i=0; i<info->num_of_child; i++) {
+        upstream_mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(wgc), i+1);
+        g_assert(upstream_mr);
+        memory_region_add_subregion(system_memory, info->c_offset[i], upstream_mr);
+    }
+
+    return wgc;
+}
+
+static void virt_create_worldguard(WGCInfo *wgcinfo, int wgc_num,
+                                   DeviceState *irqchip)
+{
+    CPUState *cpu;
+
+    /* Global WG config */
+    riscv_worldguard_create(VIRT_WG_NWORLDS,
+                            VIRT_WG_TRUSTEDWID,
+                            VIRT_WG_HWBYPASS,
+                            VIRT_WG_TZCOMPAT);
+
+    /* Enable WG extension of each CPU */
+    CPU_FOREACH(cpu) {
+        CPURISCVState *env = cpu ? cpu_env(cpu) : NULL;
+
+        riscv_worldguard_apply_cpu(env->mhartid);
+    }
+
+    /* Create all wgChecker devices */
+    for (int i=0; i<wgc_num; i++) {
+        create_wgc(&wgcinfo[i], DEVICE(irqchip));
+    }
+}
+
 static void virt_machine_done(Notifier *notifier, void *data)
 {
     RISCVVirtState *s = container_of(notifier, RISCVVirtState,
@@ -1527,10 +1638,12 @@ static void virt_machine_done(Notifier *notifier, void *data)
 static void virt_machine_init(MachineState *machine)
 {
     const MemMapEntry *memmap = virt_memmap;
+    WGCInfo *wgcinfo = virt_wgcinfo;
     RISCVVirtState *s = RISCV_VIRT_MACHINE(machine);
     MemoryRegion *system_memory = get_system_memory();
     MemoryRegion *mask_rom = g_new(MemoryRegion, 1);
     DeviceState *mmio_irqchip, *virtio_irqchip, *pcie_irqchip;
+    SerialMM *uart;
     int i, base_hartid, hart_count;
     int socket_count = riscv_socket_count(machine);
 
@@ -1546,6 +1659,11 @@ static void virt_machine_init(MachineState *machine)
         exit(1);
     }
 
+    if (!tcg_enabled() && s->have_wg) {
+        error_report("'wg' is only available with TCG acceleration");
+        exit(1);
+    }
+
     /* Initialize sockets */
     mmio_irqchip = virtio_irqchip = pcie_irqchip = NULL;
     for (i = 0; i < socket_count; i++) {
@@ -1673,6 +1791,10 @@ static void virt_machine_init(MachineState *machine)
     memory_region_add_subregion(system_memory, memmap[VIRT_DRAM].base,
         machine->ram);
 
+    if (tcg_enabled() && s->have_wg) {
+        wgc_append_child(&wgcinfo[WGC_DRAM], machine->ram, memmap[VIRT_DRAM].base);
+    }
+
     /* boot rom */
     memory_region_init_rom(mask_rom, NULL, "riscv_virt_board.mrom",
                            memmap[VIRT_MROM].size, &error_fatal);
@@ -1700,10 +1822,16 @@ static void virt_machine_init(MachineState *machine)
 
     create_platform_bus(s, mmio_irqchip);
 
-    serial_mm_init(system_memory, memmap[VIRT_UART0].base,
+    uart = serial_mm_init(system_memory, memmap[VIRT_UART0].base,
         0, qdev_get_gpio_in(mmio_irqchip, UART0_IRQ), 399193,
         serial_hd(0), DEVICE_LITTLE_ENDIAN);
 
+    if (tcg_enabled() && s->have_wg) {
+        wgc_append_child(&wgcinfo[WGC_UART],
+                         sysbus_mmio_get_region(SYS_BUS_DEVICE(uart), 0),
+                         memmap[VIRT_UART0].base);
+    }
+
     sysbus_create_simple("goldfish_rtc", memmap[VIRT_RTC].base,
         qdev_get_gpio_in(mmio_irqchip, RTC_IRQ));
 
@@ -1712,7 +1840,16 @@ static void virt_machine_init(MachineState *machine)
         pflash_cfi01_legacy_drive(s->flash[i],
                                   drive_get(IF_PFLASH, 0, i));
     }
-    virt_flash_map(s, system_memory);
+
+    if (tcg_enabled() && s->have_wg) {
+        virt_flash_map(s, system_memory, &wgcinfo[WGC_FLASH]);
+    } else {
+        virt_flash_map(s, system_memory, NULL);
+    }
+
+    if (tcg_enabled() && s->have_wg) {
+        virt_create_worldguard(wgcinfo, WGC_NUM, mmio_irqchip);
+    }
 
     /* load/create device tree */
     if (machine->dtb) {
@@ -1757,6 +1894,20 @@ static void virt_machine_instance_init(Object *obj)
     s->iommu_sys = ON_OFF_AUTO_AUTO;
 }
 
+static bool virt_get_wg(Object *obj, Error **errp)
+{
+    RISCVVirtState *s = RISCV_VIRT_MACHINE(obj);
+
+    return s->have_wg;
+}
+
+static void virt_set_wg(Object *obj, bool value, Error **errp)
+{
+    RISCVVirtState *s = RISCV_VIRT_MACHINE(obj);
+
+    s->have_wg = value;
+}
+
 static char *virt_get_aia_guests(Object *obj, Error **errp)
 {
     RISCVVirtState *s = RISCV_VIRT_MACHINE(obj);
@@ -1977,6 +2128,12 @@ static void virt_machine_class_init(ObjectClass *oc, void *data)
                               NULL, NULL);
     object_class_property_set_description(oc, "iommu-sys",
                                           "Enable IOMMU platform device");
+
+    object_class_property_add_bool(oc, "wg", virt_get_wg,
+                                   virt_set_wg);
+    object_class_property_set_description(oc, "wg",
+                                              "Set on/off to enable/disable the "
+                                              "RISC-V WorldGuard.");
 }
 
 static const TypeInfo virt_machine_typeinfo = {
diff --git a/include/hw/riscv/virt.h b/include/hw/riscv/virt.h
index 48a14bea2e..3a631a6a23 100644
--- a/include/hw/riscv/virt.h
+++ b/include/hw/riscv/virt.h
@@ -57,6 +57,7 @@ struct RISCVVirtState {
     bool have_aclint;
     RISCVVirtAIAType aia_type;
     int aia_guests;
+    bool have_wg;
     char *oem_id;
     char *oem_table_id;
     OnOffAuto acpi;
@@ -87,11 +88,17 @@ enum {
     VIRT_PLATFORM_BUS,
     VIRT_PCIE_ECAM,
     VIRT_IOMMU_SYS,
+    VIRT_WGC_DRAM,
+    VIRT_WGC_FLASH,
+    VIRT_WGC_UART
 };
 
 enum {
     UART0_IRQ = 10,
     RTC_IRQ = 11,
+    WGC_DRAM_IRQ = 15,
+    WGC_FLASH_IRQ = 16,
+    WGC_UART_IRQ = 17,
     VIRTIO_IRQ = 1, /* 1 to 8 */
     VIRTIO_COUNT = 8,
     PCIE_IRQ = 0x20, /* 32 to 35 */
@@ -102,7 +109,7 @@ enum {
 #define VIRT_PLATFORM_BUS_NUM_IRQS 32
 
 #define VIRT_IRQCHIP_NUM_MSIS 255
-#define VIRT_IRQCHIP_NUM_SOURCES 96
+#define VIRT_IRQCHIP_NUM_SOURCES 128
 #define VIRT_IRQCHIP_NUM_PRIO_BITS 3
 #define VIRT_IRQCHIP_MAX_GUESTS_BITS 3
 #define VIRT_IRQCHIP_MAX_GUESTS ((1U << VIRT_IRQCHIP_MAX_GUESTS_BITS) - 1U)
@@ -158,4 +165,10 @@ uint32_t imsic_num_bits(uint32_t count);
 #error "Can't accommodate all IMSIC groups in address space"
 #endif
 
+/* WorldGuard */
+#define VIRT_WG_NWORLDS         4
+#define VIRT_WG_TRUSTEDWID      3
+#define VIRT_WG_HWBYPASS        true
+#define VIRT_WG_TZCOMPAT        false
+
 #endif
-- 
2.17.1

Re: [PATCH v2 04/18] exec: Add RISC-V WorldGuard WID to MemTxAttrs

[Daniel Henrique Barboza]

On 4/17/25 7:52 AM, Jim Shu wrote:
> RISC-V WorldGuard will add 5-bit world_id (WID) to the each memory
> transaction on the bus. The wgChecker in front of RAM or peripherals
> MMIO could do the access control based on the WID. It is similar to ARM
> TrustZone NS bit, but the WID is 5-bit.
> 
> The common implementation of WID is AXI4 AxUSER signal.
> 
> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> ---
>   include/exec/memattrs.h | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
> index 8db1d30464..7a6866fa41 100644
> --- a/include/exec/memattrs.h
> +++ b/include/exec/memattrs.h
> @@ -54,6 +54,11 @@ typedef struct MemTxAttrs {
>        */
>       unsigned int pid:8;
>   
> +    /*
> +     * RISC-V WorldGuard: the 5-bit WID field of memory access.
> +     */
> +    unsigned int world_id:5;
> +
>       /*
>        * Bus masters which don't specify any attributes will get this
>        * (via the MEMTXATTRS_UNSPECIFIED constant), so that we can
> @@ -63,8 +68,7 @@ typedef struct MemTxAttrs {
>        */
>       bool unspecified;
>   
> -    uint8_t _reserved1;
> -    uint16_t _reserved2;
> +    uint16_t _reserved1;

Is 'reserved2' unused? Not sure why you ended up removing it in this patch.

If it's really unused it's ok to remove it but this should be done in separate.


Thanks,

Daniel


>   } MemTxAttrs;
>   
>   QEMU_BUILD_BUG_ON(sizeof(MemTxAttrs) > 8);

Re: [PATCH v2 05/18] hw/misc: riscv_worldguard: Add RISC-V WorldGuard global config

[Daniel Henrique Barboza]

On 4/17/25 7:52 AM, Jim Shu wrote:
> Add a device for RISCV WG global config, which contains the number of
> worlds, reset value, and trusted WID ... etc.
> 
> This global config is used by both CPU WG extension and wgChecker devices.
> 
> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> ---

Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>

>   hw/misc/Kconfig                    |   3 +
>   hw/misc/meson.build                |   1 +
>   hw/misc/riscv_worldguard.c         | 182 +++++++++++++++++++++++++++++
>   include/hw/misc/riscv_worldguard.h |  55 +++++++++
>   4 files changed, 241 insertions(+)
>   create mode 100644 hw/misc/riscv_worldguard.c
>   create mode 100644 include/hw/misc/riscv_worldguard.h
> 
> diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig
> index ec0fa5aa9f..7677c0e962 100644
> --- a/hw/misc/Kconfig
> +++ b/hw/misc/Kconfig
> @@ -222,4 +222,7 @@ config IOSB
>   config XLNX_VERSAL_TRNG
>       bool
>   
> +config RISCV_WORLDGUARD
> +    bool
> +
>   source macio/Kconfig
> diff --git a/hw/misc/meson.build b/hw/misc/meson.build
> index 6d47de482c..3d2f4bb6a3 100644
> --- a/hw/misc/meson.build
> +++ b/hw/misc/meson.build
> @@ -34,6 +34,7 @@ system_ss.add(when: 'CONFIG_SIFIVE_E_PRCI', if_true: files('sifive_e_prci.c'))
>   system_ss.add(when: 'CONFIG_SIFIVE_E_AON', if_true: files('sifive_e_aon.c'))
>   system_ss.add(when: 'CONFIG_SIFIVE_U_OTP', if_true: files('sifive_u_otp.c'))
>   system_ss.add(when: 'CONFIG_SIFIVE_U_PRCI', if_true: files('sifive_u_prci.c'))
> +specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c'))
>   
>   subdir('macio')
>   
> diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c
> new file mode 100644
> index 0000000000..b02bd28d02
> --- /dev/null
> +++ b/hw/misc/riscv_worldguard.c
> @@ -0,0 +1,182 @@
> +/*
> + * RISC-V WorldGuard Device
> + *
> + * Copyright (c) 2022 SiFive, Inc.
> + *
> + * This provides WorldGuard global config.
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms and conditions of the GNU General Public License,
> + * version 2 or later, as published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope it will be useful, but WITHOUT
> + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> + * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
> + * more details.
> + *
> + * You should have received a copy of the GNU General Public License along with
> + * this program.  If not, see <http://www.gnu.org/licenses/>.
> + */
> +
> +#include "qemu/osdep.h"
> +#include "qapi/error.h"
> +#include "qemu/log.h"
> +#include "exec/hwaddr.h"
> +#include "hw/registerfields.h"
> +#include "hw/sysbus.h"
> +#include "hw/hw.h"
> +#include "hw/qdev-properties.h"
> +#include "hw/misc/riscv_worldguard.h"
> +#include "hw/core/cpu.h"
> +#include "target/riscv/cpu.h"
> +#include "trace.h"
> +
> +/*
> + * WorldGuard global config:
> + * List the global setting of WG, like num-of-worlds. It is unique in the machine.
> + * All CPUs with WG extension and wgChecker devices will use it.
> + */
> +struct RISCVWorldGuardState *worldguard_config = NULL;
> +
> +static Property riscv_worldguard_properties[] = {
> +    DEFINE_PROP_UINT32("nworlds", RISCVWorldGuardState, nworlds, 0),
> +
> +    /* Only Trusted WID could access wgCheckers if it is enabled. */
> +    DEFINE_PROP_UINT32("trustedwid", RISCVWorldGuardState, trustedwid, NO_TRUSTEDWID),
> +
> +    /*
> +     * WG reset value is bypass mode in HW. All WG permission checkings are
> +     * pass by default, so SW could correctly run on the machine w/o any WG
> +     * programming.
> +     */
> +    DEFINE_PROP_BOOL("hw-bypass", RISCVWorldGuardState, hw_bypass, false),
> +
> +    /*
> +     * TrustZone compatible mode:
> +     * This mode is only supported in 2 worlds system. It converts WorldGuard
> +     * WID to TZ NS signal on the bus so WG could be cooperated with
> +     * TZ components. In QEMU, it converts WID to 'MemTxAttrs.secure' bit used
> +     * by TZ.
> +     */
> +    DEFINE_PROP_BOOL("tz-compat", RISCVWorldGuardState, tz_compat, false),
> +};
> +
> +/* WID to MemTxAttrs converter */
> +static void wid_to_mem_attrs(MemTxAttrs *attrs, uint32_t wid)
> +{
> +    g_assert(wid < worldguard_config->nworlds);
> +
> +    attrs->unspecified = 0;
> +    if (worldguard_config->tz_compat) {
> +        attrs->secure = wid;
> +    } else {
> +        attrs->world_id = wid;
> +    }
> +}
> +
> +/* MemTxAttrs to WID converter */
> +uint32_t mem_attrs_to_wid(MemTxAttrs attrs)
> +{
> +    if (attrs.unspecified) {
> +        if (worldguard_config->trustedwid != NO_TRUSTEDWID) {
> +            return worldguard_config->trustedwid;
> +        } else {
> +            return worldguard_config->nworlds - 1;
> +        }
> +    }
> +
> +    if (worldguard_config->tz_compat) {
> +        return attrs.secure;
> +    } else {
> +        return attrs.world_id;
> +    }
> +}
> +
> +bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock)
> +{
> +    uint32_t wid = mem_attrs_to_wid(attrs);
> +    uint32_t trustedwid = worldguard_config->trustedwid;
> +
> +    if ((trustedwid == NO_TRUSTEDWID) || (wid == trustedwid)) {
> +        return true;
> +    } else {
> +        /*
> +         * Only Trusted WID could access WG blocks if having it.
> +         * Access them from other WIDs will get failed.
> +         */
> +        qemu_log_mask(LOG_GUEST_ERROR,
> +                      "%s: Invalid access to %s from non-trusted WID %d\n",
> +                      __func__, wgblock, wid);
> +
> +        return false;
> +    }
> +}
> +
> +static void riscv_worldguard_realize(DeviceState *dev, Error **errp)
> +{
> +    RISCVWorldGuardState *s = RISCV_WORLDGUARD(dev);
> +
> +    if (worldguard_config != NULL) {
> +        error_setg(errp, "Couldn't realize multiple global WorldGuard configs.");
> +        return;
> +    }
> +
> +    if ((s->nworlds) & (s->nworlds - 1)) {
> +        error_setg(errp, "Current implementation only support power-of-2 NWorld.");
> +        return;
> +    }
> +
> +    if ((s->trustedwid != NO_TRUSTEDWID) && (s->trustedwid >= s->nworlds)) {
> +        error_setg(errp, "Trusted WID must be less than the number of world.");
> +        return;
> +    }
> +
> +    if ((s->nworlds != 2) && (s->tz_compat)) {
> +        error_setg(errp, "Only 2 worlds system could use TrustZone compatible mode.");
> +        return;
> +    }
> +
> +    /* Register WG global config */
> +    worldguard_config = s;
> +
> +    /* Initialize global data for wgChecker */
> +    wgc_slot_perm_mask = MAKE_64BIT_MASK(0, 2 * worldguard_config->nworlds);
> +}
> +
> +static void riscv_worldguard_class_init(ObjectClass *klass, void *data)
> +{
> +    DeviceClass *dc = DEVICE_CLASS(klass);
> +
> +    device_class_set_props(dc, riscv_worldguard_properties);
> +    dc->user_creatable = true;
> +    dc->realize = riscv_worldguard_realize;
> +}
> +
> +static const TypeInfo riscv_worldguard_info = {
> +    .name          = TYPE_RISCV_WORLDGUARD,
> +    .parent        = TYPE_DEVICE,
> +    .instance_size = sizeof(RISCVWorldGuardState),
> +    .class_init    = riscv_worldguard_class_init,
> +};
> +
> +/*
> + * Create WorldGuard global config
> + */
> +DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid,
> +                                     bool hw_bypass, bool tz_compat)
> +{
> +    DeviceState *dev = qdev_new(TYPE_RISCV_WORLDGUARD);
> +    qdev_prop_set_uint32(dev, "nworlds", nworlds);
> +    qdev_prop_set_uint32(dev, "trustedwid", trustedwid);
> +    qdev_prop_set_bit(dev, "hw-bypass", hw_bypass);
> +    qdev_prop_set_bit(dev, "tz-compat", tz_compat);
> +    qdev_realize(DEVICE(dev), NULL, &error_fatal);
> +    return dev;
> +}
> +
> +static void riscv_worldguard_register_types(void)
> +{
> +    type_register_static(&riscv_worldguard_info);
> +}
> +
> +type_init(riscv_worldguard_register_types)
> diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h
> new file mode 100644
> index 0000000000..8a533a0517
> --- /dev/null
> +++ b/include/hw/misc/riscv_worldguard.h
> @@ -0,0 +1,55 @@
> +/*
> + * RISC-V WorldGuard Devices
> + *
> + * Copyright (c) 2022 RISCV, Inc.
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms and conditions of the GNU General Public License,
> + * version 2 or later, as published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope it will be useful, but WITHOUT
> + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> + * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
> + * more details.
> + *
> + * You should have received a copy of the GNU General Public License along with
> + * this program.  If not, see <http://www.gnu.org/licenses/>.
> + */
> +
> +#ifndef HW_RISCV_WORLDGUARD_H
> +#define HW_RISCV_WORLDGUARD_H
> +
> +#include "qom/object.h"
> +#include "hw/sysbus.h"
> +#include "exec/hwaddr.h"
> +
> +#define TYPE_RISCV_WORLDGUARD "riscv.worldguard"
> +
> +#define NO_TRUSTEDWID           UINT32_MAX
> +
> +typedef struct RISCVWorldGuardState RISCVWorldGuardState;
> +DECLARE_INSTANCE_CHECKER(RISCVWorldGuardState, RISCV_WORLDGUARD,
> +                         TYPE_RISCV_WORLDGUARD)
> +
> +struct RISCVWorldGuardState {
> +    /*< private >*/
> +    DeviceState parent_obj;
> +
> +    /*< public >*/
> +
> +    /* Property */
> +    uint32_t nworlds;
> +    uint32_t trustedwid;
> +    bool hw_bypass;
> +    bool tz_compat;
> +};
> +
> +extern struct RISCVWorldGuardState *worldguard_config;
> +
> +DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid,
> +                                     bool hw_bypass, bool tz_compat);
> +
> +uint32_t mem_attrs_to_wid(MemTxAttrs attrs);
> +bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock);
> +
> +#endif

Re: [PATCH v2 06/18] target/riscv: Add CPU options of WorldGuard CPU extension

[Daniel Henrique Barboza]

On 4/17/25 7:52 AM, Jim Shu wrote:
> We define CPU options for WG CSR support in RISC-V CPUs which
> can be set by machine/device emulation. The RISC-V CSR emulation
> will also check this feature for emulating WG CSRs.
> 
> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> ---
>   target/riscv/cpu.c         |  3 +++
>   target/riscv/cpu_cfg.h     |  3 +++
>   target/riscv/tcg/tcg-cpu.c | 11 +++++++++++
>   3 files changed, 17 insertions(+)
> 
> diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
> index 09ded6829a..a182e8c61f 100644
> --- a/target/riscv/cpu.c
> +++ b/target/riscv/cpu.c
> @@ -236,6 +236,9 @@ const RISCVIsaExtData isa_edata_arr[] = {
>       ISA_EXT_DATA_ENTRY(xtheadmempair, PRIV_VERSION_1_11_0, ext_xtheadmempair),
>       ISA_EXT_DATA_ENTRY(xtheadsync, PRIV_VERSION_1_11_0, ext_xtheadsync),
>       ISA_EXT_DATA_ENTRY(xventanacondops, PRIV_VERSION_1_12_0, ext_XVentanaCondOps),
> +    ISA_EXT_DATA_ENTRY(smwg, PRIV_VERSION_1_12_0, ext_smwg),
> +    ISA_EXT_DATA_ENTRY(smwgd, PRIV_VERSION_1_12_0, ext_smwgd),
> +    ISA_EXT_DATA_ENTRY(sswg, PRIV_VERSION_1_12_0, ext_sswg),

We need to keep isa_edata_arr in order because we use it to create the riscv,isa DT:


$ git diff
diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index d055ddf462..714fff9c33 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -207,6 +207,8 @@ const RISCVIsaExtData isa_edata_arr[] = {
      ISA_EXT_DATA_ENTRY(smmpm, PRIV_VERSION_1_13_0, ext_smmpm),
      ISA_EXT_DATA_ENTRY(smnpm, PRIV_VERSION_1_13_0, ext_smnpm),
      ISA_EXT_DATA_ENTRY(smstateen, PRIV_VERSION_1_12_0, ext_smstateen),
+    ISA_EXT_DATA_ENTRY(smwg, PRIV_VERSION_1_12_0, ext_smwg),
+    ISA_EXT_DATA_ENTRY(smwgd, PRIV_VERSION_1_12_0, ext_smwgd),
      ISA_EXT_DATA_ENTRY(ssaia, PRIV_VERSION_1_12_0, ext_ssaia),
      ISA_EXT_DATA_ENTRY(ssccfg, PRIV_VERSION_1_13_0, ext_ssccfg),
      ISA_EXT_DATA_ENTRY(ssccptr, PRIV_VERSION_1_11_0, has_priv_1_11),
@@ -222,6 +224,7 @@ const RISCVIsaExtData isa_edata_arr[] = {
      ISA_EXT_DATA_ENTRY(sstvala, PRIV_VERSION_1_12_0, has_priv_1_12),
      ISA_EXT_DATA_ENTRY(sstvecd, PRIV_VERSION_1_12_0, has_priv_1_12),
      ISA_EXT_DATA_ENTRY(ssu64xl, PRIV_VERSION_1_12_0, has_priv_1_12),
+    ISA_EXT_DATA_ENTRY(sswg, PRIV_VERSION_1_12_0, ext_sswg),
      ISA_EXT_DATA_ENTRY(supm, PRIV_VERSION_1_13_0, ext_supm),
      ISA_EXT_DATA_ENTRY(svade, PRIV_VERSION_1_11_0, ext_svade),



Thanks,

Daniel

>   
>       { },
>   };
> diff --git a/target/riscv/cpu_cfg.h b/target/riscv/cpu_cfg.h
> index 8a843482cc..a5b045aa2f 100644
> --- a/target/riscv/cpu_cfg.h
> +++ b/target/riscv/cpu_cfg.h
> @@ -143,6 +143,9 @@ struct RISCVCPUConfig {
>       bool ext_smmpm;
>       bool ext_sspm;
>       bool ext_supm;
> +    bool ext_smwg;
> +    bool ext_smwgd;
> +    bool ext_sswg;
>       bool rvv_ta_all_1s;
>       bool rvv_ma_all_1s;
>       bool rvv_vl_half_avl;
> diff --git a/target/riscv/tcg/tcg-cpu.c b/target/riscv/tcg/tcg-cpu.c
> index 5aef9eef36..343e46e698 100644
> --- a/target/riscv/tcg/tcg-cpu.c
> +++ b/target/riscv/tcg/tcg-cpu.c
> @@ -694,6 +694,17 @@ void riscv_cpu_validate_set_extensions(RISCVCPU *cpu, Error **errp)
>           cpu->cfg.ext_ssctr = false;
>       }
>   
> +    /* RISC-V WorldGuard */
> +    if (cpu->cfg.ext_sswg && !cpu->cfg.ext_smwg) {
> +        error_setg(errp, "Sswg extension requires Smwg extension");
> +        return;
> +    }
> +
> +    if (cpu->cfg.ext_smwgd != cpu->cfg.ext_sswg) {
> +        error_setg(errp, "Smwgd/Sswg extensions should be enabled together");
> +        return;
> +    }
> +
>       /*
>        * Disable isa extensions based on priv spec after we
>        * validated and set everything we need.

Re: [PATCH v2 08/18] target/riscv: Add defines for WorldGuard CSRs

[Daniel Henrique Barboza]

On 4/17/25 7:52 AM, Jim Shu wrote:
> Add CSRs for 3 WG extensions: Smwg, Smwgd, and Sswg.
> 
> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> ---

Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>

>   target/riscv/cpu_bits.h | 5 +++++
>   1 file changed, 5 insertions(+)
> 
> diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
> index a30317c617..7705c6995e 100644
> --- a/target/riscv/cpu_bits.h
> +++ b/target/riscv/cpu_bits.h
> @@ -408,6 +408,11 @@
>   #define CSR_DPC             0x7b1
>   #define CSR_DSCRATCH        0x7b2
>   
> +/* RISC-V WorldGuard */
> +#define CSR_MLWID           0x390
> +#define CSR_SLWID           0x190
> +#define CSR_MWIDDELEG       0x748
> +
>   /* Performance Counters */
>   #define CSR_MHPMCOUNTER3    0xb03
>   #define CSR_MHPMCOUNTER4    0xb04

Re: [PATCH v2 09/18] target/riscv: Allow global WG config to set WG CPU callbacks

[Daniel Henrique Barboza]

On 4/17/25 7:52 AM, Jim Shu wrote:
> Some WG CPU functions depend on global WG config (like num-of-world), so
> we let the global WG config device to set callbacks of a RISC-V HART.
> 
> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> ---


Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>

>   target/riscv/cpu.h | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
> index ac50928b57..6dfc260a07 100644
> --- a/target/riscv/cpu.h
> +++ b/target/riscv/cpu.h
> @@ -500,6 +500,10 @@ struct CPUArchState {
>       target_ulong rnmip;
>       uint64_t rnmi_irqvec;
>       uint64_t rnmi_excpvec;
> +
> +    /* machine specific WorldGuard callback */
> +    void (*wg_reset)(CPURISCVState *env);
> +    void (*wid_to_mem_attrs)(MemTxAttrs *attrs, uint32_t wid);
>   };
>   
>   /*

Re: [PATCH v2 10/18] target/riscv: Implement WorldGuard CSRs

[Daniel Henrique Barboza]

On 4/17/25 7:52 AM, Jim Shu wrote:
> The WG v0.4 specification adds 3 CSRs to configure S/U/HS/VS-mode WIDs
> of CPUs in the higher privileged modes.
> 
> The Smwg extension at least requires a RISC-V HART to have M/U-mode, and
> the Sswg/Smwgd extension at least requires a RISC-V HART to have
> M/S/U-mode.
> 
> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> ---


Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>

>   target/riscv/cpu.c |   4 ++
>   target/riscv/cpu.h |   5 +++
>   target/riscv/csr.c | 107 +++++++++++++++++++++++++++++++++++++++++++++
>   3 files changed, 116 insertions(+)
> 
> diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
> index a182e8c61f..1dbeac0509 100644
> --- a/target/riscv/cpu.c
> +++ b/target/riscv/cpu.c
> @@ -1141,6 +1141,10 @@ static void riscv_cpu_reset_hold(Object *obj, ResetType type)
>           env->mnstatus = set_field(env->mnstatus, MNSTATUS_NMIE, false);
>       }
>   
> +    if (riscv_cpu_cfg(env)->ext_smwg && env->wg_reset) {
> +        env->wg_reset(env);
> +    }
> +
>       if (kvm_enabled()) {
>           kvm_riscv_reset_vcpu(cpu);
>       }
> diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
> index 6dfc260a07..7bffe62f70 100644
> --- a/target/riscv/cpu.h
> +++ b/target/riscv/cpu.h
> @@ -501,6 +501,11 @@ struct CPUArchState {
>       uint64_t rnmi_irqvec;
>       uint64_t rnmi_excpvec;
>   
> +    /* RISC-V WorldGuard */
> +    target_ulong mlwid;
> +    target_ulong slwid;
> +    target_ulong mwiddeleg;
> +
>       /* machine specific WorldGuard callback */
>       void (*wg_reset)(CPURISCVState *env);
>       void (*wid_to_mem_attrs)(MemTxAttrs *attrs, uint32_t wid);
> diff --git a/target/riscv/csr.c b/target/riscv/csr.c
> index 7948188356..614df37d00 100644
> --- a/target/riscv/csr.c
> +++ b/target/riscv/csr.c
> @@ -5388,6 +5388,109 @@ static int write_mnstatus(CPURISCVState *env, int csrno, target_ulong val)
>       return RISCV_EXCP_NONE;
>   }
>   
> +/* RISC-V Worldguard */
> +static RISCVException worldguard_umode(CPURISCVState *env, int csrno)
> +{
> +    if (!riscv_cpu_cfg(env)->ext_smwg) {
> +        return RISCV_EXCP_ILLEGAL_INST;
> +    }
> +
> +    return umode(env, csrno);
> +}
> +
> +static RISCVException worldguard_sumode(CPURISCVState *env, int csrno)
> +{
> +    RISCVException ret;
> +
> +    if (!riscv_cpu_cfg(env)->ext_sswg) {
> +        return RISCV_EXCP_ILLEGAL_INST;
> +    }
> +
> +    ret = smode(env, csrno);
> +
> +    if (ret != RISCV_EXCP_NONE) {
> +        return ret;
> +    }
> +
> +    return umode(env, csrno);
> +}
> +
> +static RISCVException rmw_mlwid(CPURISCVState *env, int csrno,
> +                                target_ulong *ret_val,
> +                                target_ulong new_val, target_ulong wr_mask)
> +{
> +    CPUState *cs = env_cpu(env);
> +    RISCVCPU *cpu = RISCV_CPU(cs);
> +    target_ulong new_mlwid = (env->mlwid & ~wr_mask) | (new_val & wr_mask);
> +
> +    if (ret_val) {
> +        *ret_val = env->mlwid;
> +    }
> +
> +    g_assert(cpu->cfg.mwidlist);
> +    if (!(BIT(new_mlwid) & cpu->cfg.mwidlist)) {
> +        /* Set WID to lowest legal value if writing illegal value (WARL) */
> +        new_mlwid = find_first_bit((unsigned long *)&cpu->cfg.mwidlist, 32);
> +    }
> +
> +    if (env->mlwid != new_mlwid) {
> +        env->mlwid = new_mlwid;
> +        tlb_flush(cs);
> +    }
> +
> +    return RISCV_EXCP_NONE;
> +}
> +
> +static RISCVException rmw_slwid(CPURISCVState *env, int csrno,
> +                                target_ulong *ret_val,
> +                                target_ulong new_val, target_ulong wr_mask)
> +{
> +    target_ulong new_slwid = (env->slwid & ~wr_mask) | (new_val & wr_mask);
> +
> +    if (!env->mwiddeleg) {
> +        /*
> +         * When mwiddeleg CSR is zero, access to slwid raises an illegal
> +         * instruction exception.
> +         */
> +        return RISCV_EXCP_ILLEGAL_INST;
> +    }
> +
> +    if (ret_val) {
> +        *ret_val = env->slwid;
> +    }
> +
> +    if (!(BIT(new_slwid) & env->mwiddeleg)) {
> +        /* Set WID to lowest legal value if writing illegal value (WARL) */
> +        new_slwid = find_first_bit(
> +            (unsigned long *)&env->mwiddeleg, TARGET_LONG_BITS);
> +    }
> +
> +    if (env->slwid != new_slwid) {
> +        env->slwid = new_slwid;
> +        tlb_flush(env_cpu(env));
> +    }
> +
> +    return RISCV_EXCP_NONE;
> +}
> +
> +static RISCVException rmw_mwiddeleg(CPURISCVState *env, int csrno,
> +                                    target_ulong *ret_val,
> +                                    target_ulong new_val, target_ulong wr_mask)
> +{
> +    CPUState *cs = env_cpu(env);
> +    RISCVCPU *cpu = RISCV_CPU(cs);
> +
> +    if (ret_val) {
> +        *ret_val = env->mwiddeleg;
> +    }
> +
> +    env->mwiddeleg = (env->mwiddeleg & ~wr_mask) | (new_val & wr_mask);
> +
> +    /* Core wgMarker can only have WID value in mwidlist. */
> +    env->mwiddeleg &= cpu->cfg.mwidlist;
> +
> +    return RISCV_EXCP_NONE;
> +}
>   #endif
>   
>   /* Crypto Extension */
> @@ -6465,5 +6568,9 @@ riscv_csr_operations csr_ops[CSR_TABLE_SIZE] = {
>       [CSR_SCOUNTOVF]      = { "scountovf", sscofpmf,  read_scountovf,
>                                .min_priv_ver = PRIV_VERSION_1_12_0 },
>   
> +    /* RISC-V WorldGuard */
> +    [CSR_MLWID]     = { "mlwid",     worldguard_umode,  NULL, NULL, rmw_mlwid },
> +    [CSR_SLWID]     = { "slwid",     worldguard_sumode, NULL, NULL, rmw_slwid },
> +    [CSR_MWIDDELEG] = { "mwiddeleg", worldguard_sumode, NULL, NULL, rmw_mwiddeleg },
>   #endif /* !CONFIG_USER_ONLY */
>   };

Re: [PATCH v2 12/18] target/riscv: Expose CPU options of WorldGuard

[Daniel Henrique Barboza]

On 4/17/25 7:52 AM, Jim Shu wrote:
> Expose WG CPU extensions (Smwg, Sswg, Smwgd) and WG CPU configs
> (mwid, mwidlist).
> 
> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> ---


Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>

>   target/riscv/cpu.c | 8 ++++++++
>   1 file changed, 8 insertions(+)
> 
> diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
> index 1aba6dd853..46df970fe3 100644
> --- a/target/riscv/cpu.c
> +++ b/target/riscv/cpu.c
> @@ -1742,6 +1742,11 @@ const RISCVCPUMultiExtConfig riscv_cpu_vendor_exts[] = {
>   const RISCVCPUMultiExtConfig riscv_cpu_experimental_exts[] = {
>       MULTI_EXT_CFG_BOOL("x-svukte", ext_svukte, false),
>   
> +    /* RISC-V WorldGuard v0.4 */
> +    MULTI_EXT_CFG_BOOL("x-smwg", ext_smwg, false),
> +    MULTI_EXT_CFG_BOOL("x-smwgd", ext_smwgd, false),
> +    MULTI_EXT_CFG_BOOL("x-sswg", ext_sswg, false),
> +
>       { },
>   };
>   
> @@ -2975,6 +2980,9 @@ static const Property riscv_cpu_properties[] = {
>        * it with -x and default to 'false'.
>        */
>       DEFINE_PROP_BOOL("x-misa-w", RISCVCPU, cfg.misa_w, false),
> +
> +    DEFINE_PROP_UINT32("x-mwid", RISCVCPU, cfg.mwid, UINT32_MAX),
> +    DEFINE_PROP_UINT32("x-mwidlist", RISCVCPU, cfg.mwidlist, UINT32_MAX),
>   };
>   
>   #if defined(TARGET_RISCV64)

Re: [PATCH v2 13/18] hw/misc: riscv_worldguard: Add API to enable WG extension of CPU

[Daniel Henrique Barboza]

On 4/17/25 7:52 AM, Jim Shu wrote:
> riscv_worldguard_apply_cpu() could enable WG CPU extension and set WG
> callback to CPUs. It is used by machine code after realizing global WG
> device.
> 
> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> ---
>   hw/misc/riscv_worldguard.c         | 87 ++++++++++++++++++++++++++++++
>   include/hw/misc/riscv_worldguard.h |  1 +
>   2 files changed, 88 insertions(+)
> 
> diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c
> index b02bd28d02..1a910f4cf3 100644
> --- a/hw/misc/riscv_worldguard.c
> +++ b/hw/misc/riscv_worldguard.c
> @@ -92,6 +92,93 @@ uint32_t mem_attrs_to_wid(MemTxAttrs attrs)
>       }
>   }
>   
> +static void riscv_cpu_wg_reset(CPURISCVState *env)
> +{
> +    CPUState *cs = env_cpu(env);
> +    RISCVCPU *cpu = RISCV_CPU(cs);
> +    uint32_t mlwid, slwid, mwiddeleg;
> +    uint32_t trustedwid;
> +
> +    if (!riscv_cpu_cfg(env)->ext_smwg) {
> +        return;
> +    }
> +
> +    if (worldguard_config == NULL) {
> +        /*
> +         * Note: This reset is dummy now and WG CSRs will be reset again
> +         * after worldguard_config is realized.
> +         */
> +        return;
> +    }
> +
> +    trustedwid = worldguard_config->trustedwid;
> +    if (trustedwid == NO_TRUSTEDWID) {
> +        trustedwid = worldguard_config->nworlds - 1;
> +    }
> +
> +    /* Reset mlwid, slwid, mwiddeleg CSRs */
> +    if (worldguard_config->hw_bypass) {
> +        /* HW bypass mode */
> +        mlwid = trustedwid;
> +    } else {
> +        mlwid = 0;
> +    }
> +    slwid = 0;
> +    mwiddeleg = 0;
> +
> +    env->mlwid = mlwid;
> +    if (riscv_cpu_cfg(env)->ext_sswg) {
> +        env->slwid = slwid;
> +        env->mwiddeleg = mwiddeleg;
> +    }
> +
> +    /* Check mwid, mwidlist config */
> +    if (worldguard_config != NULL) {
> +        uint32_t valid_widlist = MAKE_64BIT_MASK(0, worldguard_config->nworlds);
> +
> +        /* CPU use default mwid / mwidlist config if not set */
> +        if (cpu->cfg.mwidlist == UINT32_MAX) {
> +            /* mwidlist contains all WIDs */
> +            cpu->cfg.mwidlist = valid_widlist;
> +        }
> +        if (cpu->cfg.mwid == UINT32_MAX) {
> +            cpu->cfg.mwid = trustedwid;
> +        }
> +
> +        /* Check if mwid/mwidlist HW config is valid in NWorld. */
> +        g_assert((cpu->cfg.mwidlist & ~valid_widlist) == 0);
> +        g_assert(cpu->cfg.mwid < worldguard_config->nworlds);
> +    }
> +}
> +
> +/*
> + * riscv_worldguard_apply_cpu - Enable WG extension of CPU
> + *
> + * Note: This API should be used after global WG device is created
> + * (riscv_worldguard_realize()).
> + */
> +void riscv_worldguard_apply_cpu(uint32_t hartid)
> +{
> +    /* WG global config should exist */
> +    g_assert(worldguard_config);

We usually add g_asserts() after the variable declarations.

> +
> +    CPUState *cpu = qemu_get_cpu(hartid);
> +    RISCVCPU *rcpu = RISCV_CPU(cpu);
> +    CPURISCVState *env = cpu ? cpu_env(cpu) : NULL;
> +
> +    rcpu->cfg.ext_smwg = true;
> +    if (riscv_has_ext(env, RVS) && riscv_has_ext(env, RVU)) {
> +        rcpu->cfg.ext_sswg = true;
> +    }

riscv_has_ext() will segfault if env == NULL, and you're creating a code
path where this might happen:

> +    CPURISCVState *env = cpu ? cpu_env(cpu) : NULL;

In fact, cpu == NULL will explode on you earlier via this macro:

> +    RISCVCPU *rcpu = RISCV_CPU(cpu);

You can either handle cpu == NULL with a clean exit before using 'cpu' to assign
stuff or g_assert(cpu != NULL) for a more rude exit. But with this code as is
you're gambling with segfaults.


Thanks,

Daniel


> +
> +    /* Set machine specific WorldGuard callback */
> +    env->wg_reset = riscv_cpu_wg_reset;
> +    env->wid_to_mem_attrs = wid_to_mem_attrs;
> +
> +    /* Reset WG CSRs in CPU */
> +    env->wg_reset(env);
> +}
> +
>   bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock)
>   {
>       uint32_t wid = mem_attrs_to_wid(attrs);
> diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h
> index 8a533a0517..211a72e438 100644
> --- a/include/hw/misc/riscv_worldguard.h
> +++ b/include/hw/misc/riscv_worldguard.h
> @@ -48,6 +48,7 @@ extern struct RISCVWorldGuardState *worldguard_config;
>   
>   DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid,
>                                        bool hw_bypass, bool tz_compat);
> +void riscv_worldguard_apply_cpu(uint32_t hartid);
>   
>   uint32_t mem_attrs_to_wid(MemTxAttrs attrs);
>   bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock);

Re: [PATCH v2 14/18] hw/misc: riscv_wgchecker: Implement RISC-V WorldGuard Checker

[Daniel Henrique Barboza]

On 4/17/25 7:52 AM, Jim Shu wrote:
> Implement the RISC-V WorldGuard Checker, which sits in front of RAM or
> device MMIO and allow software to configure it to either pass through or
> reject transactions.
> 
> We implement the wgChecker as a QEMU IOMMU, which will direct transactions
> either through to the devices and memory behind it or to a special
> "never works" AddressSpace if they are blocked.
> 
> This initial commit implements the skeleton of the device:
>   * it always permits accesses
>   * it doesn't implement wgChecker's slot registers
>   * it doesn't implement the interrupt or other behaviour
>     for blocked transactions
> 
> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> ---
>   hw/misc/meson.build                |   2 +-
>   hw/misc/riscv_wgchecker.c          | 603 +++++++++++++++++++++++++++++
>   hw/misc/trace-events               |   8 +
>   include/hw/misc/riscv_worldguard.h |  63 +++
>   4 files changed, 675 insertions(+), 1 deletion(-)
>   create mode 100644 hw/misc/riscv_wgchecker.c
> 
> diff --git a/hw/misc/meson.build b/hw/misc/meson.build
> index 3d2f4bb6a3..73c11bc7c9 100644
> --- a/hw/misc/meson.build
> +++ b/hw/misc/meson.build
> @@ -34,7 +34,7 @@ system_ss.add(when: 'CONFIG_SIFIVE_E_PRCI', if_true: files('sifive_e_prci.c'))
>   system_ss.add(when: 'CONFIG_SIFIVE_E_AON', if_true: files('sifive_e_aon.c'))
>   system_ss.add(when: 'CONFIG_SIFIVE_U_OTP', if_true: files('sifive_u_otp.c'))
>   system_ss.add(when: 'CONFIG_SIFIVE_U_PRCI', if_true: files('sifive_u_prci.c'))
> -specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c'))
> +specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c', 'riscv_wgchecker.c'))
>   
>   subdir('macio')
>   
> diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c
> new file mode 100644
> index 0000000000..ea50f4f53a
> --- /dev/null
> +++ b/hw/misc/riscv_wgchecker.c
> @@ -0,0 +1,603 @@

(...)

> +
> +static void riscv_wgchecker_realize(DeviceState *dev, Error **errp)
> +{
> +    Object *obj = OBJECT(dev);
> +    RISCVWgCheckerState *s = RISCV_WGCHECKER(dev);
> +    uint64_t size;
> +
> +    if (worldguard_config == NULL) {
> +        error_setg(errp, "Couldn't find global WorldGuard configs. "
> +                   "Please realize %s device at first.",

Extra "at":  "Please realize %s device first."


Everything else LGTM:


Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>

> +                   TYPE_RISCV_WORLDGUARD);
> +        return;
> +    }
> +
> +    if (s->slot_count == 0) {
> +        error_setg(errp, "wgChecker slot-count couldn't be zero.");
> +        return;
> +    }
> +
> +    memory_region_init_io(&s->mmio, OBJECT(dev), &riscv_wgchecker_ops, s,
> +                          TYPE_RISCV_WGCHECKER, s->mmio_size);
> +    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->mmio);
> +    sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->irq);
> +
> +    /* Address range should be NAPOT alignment */
> +    address_range_align_napot(s);
> +
> +    for (int i=0; i<WGC_NUM_REGIONS; i++) {
> +        WgCheckerRegion *region = &s->mem_regions[i];
> +
> +        if (!region->downstream) {
> +            continue;
> +        }
> +        region->wgchecker = s;
> +
> +        const char *upstream_name = g_strdup_printf(
> +            "wgchecker-upstream-%"HWADDR_PRIx, region->region_offset);
> +        const char *downstream_name = g_strdup_printf(
> +            "wgchecker-downstream-%"HWADDR_PRIx, region->region_offset);
> +
> +        size = memory_region_size(region->downstream);
> +        memory_region_init_iommu(&region->upstream, sizeof(region->upstream),
> +                                 TYPE_RISCV_WGC_IOMMU_MEMORY_REGION,
> +                                 obj, upstream_name, size);
> +
> +        /* upstream MRs are 2nd ~ (n+1)th MemoryRegion. */
> +        sysbus_init_mmio(SYS_BUS_DEVICE(dev), MEMORY_REGION(&region->upstream));
> +
> +        /*
> +         * This memory region is not exposed to users of this device as a
> +         * sysbus MMIO region, but is instead used internally as something
> +         * that our IOMMU translate function might direct accesses to.
> +         */
> +        memory_region_init_io(&region->blocked_io, obj, &riscv_wgc_mem_blocked_ops,
> +                              region, "wgchecker-blocked-io", size);
> +
> +        address_space_init(&region->downstream_as, region->downstream,
> +                           downstream_name);
> +        address_space_init(&region->blocked_io_as, &region->blocked_io,
> +                           "wgchecker-blocked-io");
> +    }
> +}
> +
> +static void riscv_wgchecker_unrealize(DeviceState *dev)
> +{
> +    RISCVWgCheckerState *s = RISCV_WGCHECKER(dev);
> +
> +    g_free(s->slots);
> +    if (s->num_default_slots && s->default_slots) {
> +        g_free(s->default_slots);
> +    }
> +}
> +
> +static void riscv_wgchecker_reset_enter(Object *obj, ResetType type)
> +{
> +    RISCVWgCheckerState *s = RISCV_WGCHECKER(obj);
> +    uint64_t start = s->addr_range_start;
> +    uint64_t end = s->addr_range_start + s->addr_range_size;
> +    int nslots = s->slot_count;
> +
> +    s->errcause = 0;
> +    s->erraddr = 0;
> +}
> +
> +static void riscv_wgchecker_class_init(ObjectClass *klass, void *data)
> +{
> +    DeviceClass *dc = DEVICE_CLASS(klass);
> +
> +    device_class_set_props(dc, riscv_wgchecker_properties);
> +    dc->user_creatable = true;
> +    dc->realize = riscv_wgchecker_realize;
> +    dc->unrealize = riscv_wgchecker_unrealize;
> +    ResettableClass *rc = RESETTABLE_CLASS(klass);
> +    rc->phases.enter = riscv_wgchecker_reset_enter;
> +}
> +
> +static void riscv_wgchecker_instance_init(Object *obj)
> +{
> +    RISCVWgCheckerState *s = RISCV_WGCHECKER(obj);
> +
> +    s->num_default_slots = 0;
> +}
> +
> +static const TypeInfo riscv_wgchecker_info = {
> +    .name          = TYPE_RISCV_WGCHECKER,
> +    .parent        = TYPE_SYS_BUS_DEVICE,
> +    .instance_init = riscv_wgchecker_instance_init,
> +    .instance_size = sizeof(RISCVWgCheckerState),
> +    .class_init    = riscv_wgchecker_class_init,
> +};
> +
> +static void riscv_wgchecker_register_types(void)
> +{
> +    type_register_static(&riscv_wgchecker_info);
> +    type_register_static(&riscv_wgc_iommu_memory_region_info);
> +}
> +
> +type_init(riscv_wgchecker_register_types)
> +
> +/*
> + * Create WgChecker device
> + */
> +DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size,
> +                                    qemu_irq irq, uint32_t slot_count,
> +                                    uint64_t addr_range_start,
> +                                    uint64_t addr_range_size,
> +                                    uint32_t num_of_region,
> +                                    MemoryRegion **downstream,
> +                                    uint64_t *region_offset,
> +                                    uint32_t num_default_slots,
> +                                    WgCheckerSlot *default_slots)
> +{
> +    DeviceState *dev = qdev_new(TYPE_RISCV_WGCHECKER);
> +    RISCVWgCheckerState *s = RISCV_WGCHECKER(dev);
> +    char name_mr[32];
> +    char name_offset[32];
> +    int i;
> +
> +    qdev_prop_set_uint32(dev, "slot-count", slot_count);
> +    qdev_prop_set_uint32(dev, "mmio-size", size);
> +    qdev_prop_set_uint64(dev, "addr-range-start", addr_range_start);
> +    if (addr_range_size) {
> +        qdev_prop_set_uint64(dev, "addr-range-size", addr_range_size);
> +    }
> +
> +    g_assert(num_of_region <= WGC_NUM_REGIONS);
> +    for (i=0; i<num_of_region; i++) {
> +        snprintf(name_mr, 32, "downstream-mr[%d]", i);
> +        snprintf(name_offset, 32, "region-offset[%d]", i);
> +
> +        object_property_set_link(OBJECT(dev), name_mr,
> +                                 OBJECT(downstream[i]), &error_fatal);
> +        qdev_prop_set_uint64(dev, name_offset, region_offset[i]);
> +    }
> +
> +    sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
> +    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, addr);
> +    sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, irq);
> +    return dev;
> +}
> diff --git a/hw/misc/trace-events b/hw/misc/trace-events
> index 4383808d7a..b1d8538220 100644
> --- a/hw/misc/trace-events
> +++ b/hw/misc/trace-events
> @@ -395,3 +395,11 @@ ivshmem_flat_interrupt_peer(uint16_t peer_id, uint16_t vector_id) "Interrupting
>   i2c_echo_event(const char *id, const char *event) "%s: %s"
>   i2c_echo_recv(const char *id, uint8_t data) "%s: recv 0x%02" PRIx8
>   i2c_echo_send(const char *id, uint8_t data) "%s: send 0x%02" PRIx8
> +
> +# riscv_worldguard.c
> +riscv_wgchecker_mmio_read(uint64_t base, uint64_t offset, unsigned int size) "base = 0x%"PRIx64", offset = 0x%"PRIx64", size = 0x%x"
> +riscv_wgchecker_mmio_write(uint64_t base, uint64_t offset, unsigned int size, uint64_t val) "base = 0x%"PRIx64", offset = 0x%"PRIx64", size = 0x%x, val = 0x%"PRIx64
> +
> +riscv_wgc_mem_blocked_read(uint64_t addr, unsigned size, uint32_t wid) "wgChecker blocked read: offset 0x%" PRIx64 " size %u wid %" PRIu32
> +riscv_wgc_mem_blocked_write(uint64_t addr, uint64_t data, unsigned size, uint32_t wid) "wgChecker blocked write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u wid %" PRIu32
> +riscv_wgc_translate(uint64_t addr, int flags, int wid, const char *res) "wgChecker translate: addr 0x%016" PRIx64 " flags 0x%x wid %d: %s"
> diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h
> index 211a72e438..7b5aae866a 100644
> --- a/include/hw/misc/riscv_worldguard.h
> +++ b/include/hw/misc/riscv_worldguard.h
> @@ -53,4 +53,67 @@ void riscv_worldguard_apply_cpu(uint32_t hartid);
>   uint32_t mem_attrs_to_wid(MemTxAttrs attrs);
>   bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock);
>   
> +#define TYPE_RISCV_WGCHECKER  "riscv.wgchecker"
> +
> +typedef struct RISCVWgCheckerState RISCVWgCheckerState;
> +DECLARE_INSTANCE_CHECKER(RISCVWgCheckerState, RISCV_WGCHECKER,
> +                         TYPE_RISCV_WGCHECKER)
> +
> +#define TYPE_RISCV_WGC_IOMMU_MEMORY_REGION    "riscv-wgc-iommu-memory-region"
> +
> +typedef struct WgCheckerSlot WgCheckerSlot;
> +struct WgCheckerSlot {
> +    uint64_t addr;
> +    uint64_t perm;
> +    uint32_t cfg;
> +};
> +
> +typedef struct WgCheckerRegion WgCheckerRegion;
> +struct WgCheckerRegion {
> +    MemoryRegion *downstream;
> +    uint64_t region_offset;
> +
> +    IOMMUMemoryRegion upstream;
> +    MemoryRegion blocked_io;
> +    AddressSpace downstream_as;
> +    AddressSpace blocked_io_as;
> +
> +    RISCVWgCheckerState *wgchecker;
> +};
> +
> +#define WGC_NUM_REGIONS     16
> +
> +struct RISCVWgCheckerState {
> +    /*< private >*/
> +    SysBusDevice parent_obj;
> +
> +    /*< public >*/
> +    MemoryRegion mmio;
> +    qemu_irq irq;
> +
> +    /* error reg */
> +    uint64_t errcause;
> +    uint64_t erraddr;
> +
> +    /* Memory regions protected by wgChecker */
> +    WgCheckerRegion mem_regions[WGC_NUM_REGIONS];
> +
> +    /* Property */
> +    uint32_t slot_count; /* nslots */
> +    uint32_t mmio_size;
> +    uint64_t addr_range_start;
> +    uint64_t addr_range_size;
> +    bool hw_bypass;
> +};
> +
> +DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size,
> +                                    qemu_irq irq, uint32_t slot_count,
> +                                    uint64_t addr_range_start,
> +                                    uint64_t addr_range_size,
> +                                    uint32_t num_of_region,
> +                                    MemoryRegion **downstream,
> +                                    uint64_t *region_offset,
> +                                    uint32_t num_default_slots,
> +                                    WgCheckerSlot *default_slots);
> +
>   #endif

Re: [PATCH v2 15/18] hw/misc: riscv_wgchecker: Implement wgchecker slot registers

[Daniel Henrique Barboza]

On 4/17/25 7:52 AM, Jim Shu wrote:
> wgChecker slot is similar to PMP region. SW could program each slot to
> configure the permission of address range.
> 
> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> ---


Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>

>   hw/misc/riscv_wgchecker.c          | 330 +++++++++++++++++++++++++++++
>   hw/misc/riscv_worldguard.c         |   3 +
>   include/hw/misc/riscv_worldguard.h |   4 +
>   3 files changed, 337 insertions(+)
> 
> diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c
> index ea50f4f53a..8839d898c9 100644
> --- a/hw/misc/riscv_wgchecker.c
> +++ b/hw/misc/riscv_wgchecker.c
> @@ -53,6 +53,52 @@ REG64(ERRCAUSE,             0x010)
>        R_ERRCAUSE_IP_MASK)
>   
>   REG64(ERRADDR,              0x018)
> +REG64(WGC_SLOT,             0x020)
> +
> +/* wgChecker slots */
> +REG64(SLOT_ADDR,            0x000)
> +REG64(SLOT_PERM,            0x008)
> +REG32(SLOT_CFG,             0x010)
> +    FIELD(SLOT_CFG, A,          0,  2)
> +    FIELD(SLOT_CFG, ER,         8,  1)
> +    FIELD(SLOT_CFG, EW,         9,  1)
> +    FIELD(SLOT_CFG, IR,         10, 1)
> +    FIELD(SLOT_CFG, IW,         11, 1)
> +    FIELD(SLOT_CFG, LOCK,       31, 1)
> +
> +#define SLOT_SIZE               0x020
> +
> +#define SLOT0_CFG_MASK \
> +    (R_SLOT_CFG_ER_MASK | \
> +     R_SLOT_CFG_EW_MASK | \
> +     R_SLOT_CFG_IR_MASK | \
> +     R_SLOT_CFG_IW_MASK | \
> +     R_SLOT_CFG_LOCK_MASK)
> +
> +#define SLOT_CFG_MASK \
> +    (R_SLOT_CFG_A_MASK  | (SLOT0_CFG_MASK))
> +
> +#define WGC_SLOT_END(nslots) \
> +    (A_WGC_SLOT + SLOT_SIZE * (nslots + 1))
> +
> +/* wgChecker slot is 4K alignment */
> +#define WG_ALIGNED_SIZE         (1 << 12)
> +#define WG_ALIGNED_MASK         MAKE_64BIT_MASK(0, 12)
> +
> +/* wgChecker slot address is (addr / 4). */
> +#define TO_SLOT_ADDR(addr)      ((addr) >> 2)
> +#define FROM_SLOT_ADDR(addr)    ((addr) << 2)
> +
> +/* wgChecker slot cfg.A[1:0] */
> +#define A_OFF                   0
> +#define A_TOR                   1
> +#define A_NA4                   2
> +#define A_NAPOT                 3
> +
> +/* wgChecker slot perm */
> +#define WGC_PERM(wid, perm)     ((uint64_t)(perm) << (2 * (wid)))
> +#define P_READ                  (1 << 0)
> +#define P_WRITE                 (1 << 1)
>   
>   /*
>    * Accesses only reach these read and write functions if the wgChecker
> @@ -146,6 +192,28 @@ static uint64_t riscv_wgchecker_readq(void *opaque, hwaddr addr)
>       RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
>       uint64_t val = 0;
>   
> +    if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) {
> +        /* Read from WGC slot */
> +        int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE;
> +        int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE;
> +
> +        switch (slot_offset) {
> +        case A_SLOT_ADDR:
> +            val = s->slots[slot_id].addr;
> +            break;
> +        case A_SLOT_PERM:
> +            val = s->slots[slot_id].perm;
> +            break;
> +        default:
> +            qemu_log_mask(LOG_GUEST_ERROR,
> +                          "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
> +                          __func__, addr, 8);
> +            break;
> +        }
> +
> +        return val;
> +    }
> +
>       switch (addr) {
>       case A_ERRCAUSE:
>           val = s->errcause & ERRCAUSE_MASK;
> @@ -171,6 +239,37 @@ static uint64_t riscv_wgchecker_readl(void *opaque, hwaddr addr)
>       RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
>       uint64_t val = 0;
>   
> +    if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) {
> +        /* Read from WGC slot */
> +        int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE;
> +        int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE;
> +
> +        switch (slot_offset) {
> +        case A_SLOT_ADDR:
> +            val = extract64(s->slots[slot_id].addr, 0, 32);
> +            break;
> +        case A_SLOT_ADDR + 4:
> +            val = extract64(s->slots[slot_id].addr, 32, 32);
> +            break;
> +        case A_SLOT_PERM:
> +            val = extract64(s->slots[slot_id].perm, 0, 32);
> +            break;
> +        case A_SLOT_PERM + 4:
> +            val = extract64(s->slots[slot_id].perm, 32, 32);
> +            break;
> +        case A_SLOT_CFG:
> +            val = s->slots[slot_id].cfg & SLOT_CFG_MASK;
> +            break;
> +        default:
> +            qemu_log_mask(LOG_GUEST_ERROR,
> +                          "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
> +                          __func__, addr, 4);
> +            break;
> +        }
> +
> +        return val;
> +    }
> +
>       switch (addr) {
>       case A_VENDOR:
>           val = 0;
> @@ -228,11 +327,121 @@ static uint64_t riscv_wgchecker_read(void *opaque, hwaddr addr, unsigned size)
>       return val;
>   }
>   
> +/*
> + * Validate the WGC slot address is between address range.
> + *
> + * Fix the slot address to the start address if it's not within the address range.
> + * We need validation when changing "slot address" or "TOR/NAPOT mode (cfg.A)"
> + */
> +static void validate_slot_address(void *opaque, int slot_id)
> +{
> +    RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
> +    uint64_t start = TO_SLOT_ADDR(s->addr_range_start);
> +    uint64_t end = TO_SLOT_ADDR(s->addr_range_start + s->addr_range_size);
> +    uint32_t cfg_a = FIELD_EX32(s->slots[slot_id].cfg, SLOT_CFG, A);
> +
> +    /* First and last slot address are hard-coded. */
> +    if ((slot_id == 0) || (slot_id == s->slot_count)) {
> +        return;
> +    }
> +
> +    /* Check WGC slot address is between address range. */
> +    if ((s->slots[slot_id].addr < start) || (s->slots[slot_id].addr >= end)) {
> +        s->slots[slot_id].addr = start;
> +    }
> +
> +    /* Check WGC slot is 4k-aligned. */
> +    if (cfg_a == A_TOR) {
> +        s->slots[slot_id].addr &= ~TO_SLOT_ADDR(WG_ALIGNED_MASK);
> +    } else if (cfg_a == A_NAPOT) {
> +        s->slots[slot_id].addr |= TO_SLOT_ADDR(WG_ALIGNED_MASK >> 1);
> +    } else if (cfg_a == A_NA4) {
> +        /* Forcely replace NA4 slot with 4K-aligned NAPOT slot. */
> +        FIELD_DP32(s->slots[slot_id].cfg, SLOT_CFG, A, A_NAPOT);
> +        s->slots[slot_id].addr |= TO_SLOT_ADDR(WG_ALIGNED_MASK >> 1);
> +    }
> +}
> +
> +static bool slots_reg_is_ro(int slot_id, int slot_offset, uint32_t nslots)
> +{
> +    /*
> +     * Special slots:
> +     *   - slot[0]:
> +     *     - addr is RO
> +     *     - perm is RO
> +     *     - cfg.A is OFF
> +     *
> +     *   - slot[nslots]:
> +     *     - addr is RO
> +     *     - cfg.A is OFF or TOR
> +     */
> +    if (slot_id == 0) {
> +        switch (slot_offset) {
> +        case A_SLOT_ADDR:
> +        case A_SLOT_ADDR + 4:
> +        case A_SLOT_PERM:
> +        case A_SLOT_PERM + 4:
> +            return true;
> +        default:
> +            break;
> +        }
> +    } else if (slot_id == nslots) {
> +        switch (slot_offset) {
> +        case A_SLOT_ADDR:
> +        case A_SLOT_ADDR + 4:
> +            return true;
> +        default:
> +            break;
> +        }
> +    }
> +
> +    return false;
> +}
> +
>   static void riscv_wgchecker_writeq(void *opaque, hwaddr addr,
>                                       uint64_t value)
>   {
>       RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
>   
> +    if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) {
> +        /* Read from WGC slot */
> +        int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE;
> +        int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE;
> +        bool locked = FIELD_EX32(s->slots[slot_id].cfg, SLOT_CFG, LOCK);
> +
> +        if (locked) {
> +            qemu_log_mask(LOG_GUEST_ERROR,
> +                          "%s: Couldn't write access to locked wgChecker Slot: "
> +                          "slot = %d, offset = %d\n", __func__, slot_id,
> +                          slot_offset);
> +            return;
> +        }
> +
> +        if (slots_reg_is_ro(slot_id, slot_offset, s->slot_count)) {
> +            qemu_log_mask(LOG_GUEST_ERROR,
> +                          "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
> +                          __func__, addr, 8);
> +        }
> +
> +        switch (slot_offset) {
> +        case A_SLOT_ADDR:
> +            s->slots[slot_id].addr = value;
> +            validate_slot_address(s, slot_id);
> +            break;
> +        case A_SLOT_PERM:
> +            value &= wgc_slot_perm_mask;
> +            s->slots[slot_id].perm = value;
> +            break;
> +        default:
> +            qemu_log_mask(LOG_GUEST_ERROR,
> +                          "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
> +                          __func__, addr, 8);
> +            break;
> +        }
> +
> +        return;
> +    }
> +
>       switch (addr) {
>       case A_ERRCAUSE:
>           s->errcause = value & ERRCAUSE_MASK;
> @@ -253,6 +462,81 @@ static void riscv_wgchecker_writel(void *opaque, hwaddr addr,
>   {
>       RISCVWgCheckerState *s = RISCV_WGCHECKER(opaque);
>   
> +    if ((addr >= A_WGC_SLOT) && (addr < WGC_SLOT_END(s->slot_count))) {
> +        /* Write to WGC slot */
> +        int slot_id = (addr - A_WGC_SLOT) / SLOT_SIZE;
> +        int slot_offset = (addr - A_WGC_SLOT) % SLOT_SIZE;
> +        bool locked = FIELD_EX32(s->slots[slot_id].cfg, SLOT_CFG, LOCK);
> +        int cfg_a, old_cfg_a;
> +
> +        if (locked) {
> +            qemu_log_mask(LOG_GUEST_ERROR,
> +                          "%s: Couldn't write access to locked wgChecker Slot: "
> +                          "slot = %d, offset = %d\n", __func__, slot_id,
> +                          slot_offset);
> +            return;
> +        }
> +
> +        if (slots_reg_is_ro(slot_id, slot_offset, s->slot_count)) {
> +            qemu_log_mask(LOG_GUEST_ERROR,
> +                          "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
> +                          __func__, addr, 4);
> +        }
> +
> +        switch (slot_offset) {
> +        case A_SLOT_ADDR:
> +            s->slots[slot_id].addr = deposit64(
> +                s->slots[slot_id].addr, 0, 32, value);
> +            validate_slot_address(s, slot_id);
> +            break;
> +        case A_SLOT_ADDR + 4:
> +            s->slots[slot_id].addr = deposit64(
> +                s->slots[slot_id].addr, 32, 32, value);
> +            validate_slot_address(s, slot_id);
> +            break;
> +        case A_SLOT_PERM:
> +            value &= wgc_slot_perm_mask;
> +            s->slots[slot_id].perm = deposit64(
> +                s->slots[slot_id].perm, 0, 32, value);
> +            break;
> +        case A_SLOT_PERM + 4:
> +            value &= extract64(wgc_slot_perm_mask, 32, 32);
> +            s->slots[slot_id].perm = deposit64(
> +                s->slots[slot_id].perm, 32, 32, value);
> +            break;
> +        case A_SLOT_CFG:
> +            if (slot_id == 0) {
> +                value &= SLOT0_CFG_MASK;
> +                s->slots[0].cfg = value;
> +            } else if (slot_id == s->slot_count) {
> +                old_cfg_a = FIELD_EX32(s->slots[s->slot_count].cfg, SLOT_CFG, A);
> +                cfg_a = FIELD_EX32(value, SLOT_CFG, A);
> +
> +                value &= SLOT0_CFG_MASK;
> +                if ((cfg_a == A_OFF) || (cfg_a == A_TOR)) {
> +                    value |= cfg_a;
> +                } else {
> +                    /* slot[nslots] could only use OFF or TOR config. */
> +                    value |= old_cfg_a;
> +                }
> +                s->slots[s->slot_count].cfg = value;
> +
> +                validate_slot_address(s, slot_id);
> +            } else {
> +                value &= SLOT_CFG_MASK;
> +                s->slots[slot_id].cfg = value;
> +            }
> +            break;
> +        default:
> +            qemu_log_mask(LOG_GUEST_ERROR,
> +                          "%s: Unexpected memory access to (0x%" HWADDR_PRIX ", %u) \n",
> +                          __func__, addr, 4);
> +            break;
> +        }
> +
> +        return;
> +    }
> +
>       switch (addr) {
>       case A_ERRCAUSE:
>           value &= extract64(ERRCAUSE_MASK, 0, 32);
> @@ -460,6 +744,8 @@ static void riscv_wgchecker_realize(DeviceState *dev, Error **errp)
>           return;
>       }
>   
> +    s->slots = g_new0(WgCheckerSlot, s->slot_count + 1);
> +
>       memory_region_init_io(&s->mmio, OBJECT(dev), &riscv_wgchecker_ops, s,
>                             TYPE_RISCV_WGCHECKER, s->mmio_size);
>       sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->mmio);
> @@ -523,6 +809,37 @@ static void riscv_wgchecker_reset_enter(Object *obj, ResetType type)
>   
>       s->errcause = 0;
>       s->erraddr = 0;
> +
> +    for (int i = 0; i < nslots; i++) {
> +        s->slots[i].addr = TO_SLOT_ADDR(start);
> +        s->slots[i].perm = 0;
> +        s->slots[i].cfg = 0;
> +    }
> +    s->slots[nslots].addr = TO_SLOT_ADDR(end);
> +    s->slots[nslots].perm = 0;
> +    s->slots[nslots].cfg = 0;
> +
> +    if (s->num_default_slots != 0) {
> +        /*
> +         * Use default slots:
> +         *   slot[0] is hard-coded to start address, so the default slots
> +         *   start from slot[1].
> +         */
> +        memcpy(&s->slots[1], s->default_slots,
> +               sizeof(WgCheckerSlot) * s->num_default_slots);
> +    } else if ((s->hw_bypass) ||
> +               ((worldguard_config != NULL) && worldguard_config->hw_bypass)) {
> +        /* HW bypass mode */
> +        uint32_t trustedwid = worldguard_config->trustedwid;
> +
> +        if (trustedwid == NO_TRUSTEDWID) {
> +            trustedwid = worldguard_config->nworlds - 1;
> +        }
> +
> +        s->slots[nslots].perm = WGC_PERM(trustedwid, P_READ | P_WRITE);
> +        s->slots[nslots].perm &= wgc_slot_perm_mask;
> +        s->slots[nslots].cfg = A_TOR;
> +    }
>   }
>   
>   static void riscv_wgchecker_class_init(ObjectClass *klass, void *data)
> @@ -596,6 +913,19 @@ DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size,
>           qdev_prop_set_uint64(dev, name_offset, region_offset[i]);
>       }
>   
> +    if (num_default_slots > slot_count) {
> +        num_default_slots = slot_count;
> +    }
> +
> +    s->num_default_slots = num_default_slots;
> +    if (s->num_default_slots) {
> +        s->default_slots = g_new0(WgCheckerSlot, s->num_default_slots);
> +        memcpy(s->default_slots, default_slots,
> +               sizeof(WgCheckerSlot) * s->num_default_slots);
> +    } else {
> +        s->default_slots = NULL;
> +    }
> +
>       sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
>       sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, addr);
>       sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, irq);
> diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c
> index 1a910f4cf3..59ca6d16e7 100644
> --- a/hw/misc/riscv_worldguard.c
> +++ b/hw/misc/riscv_worldguard.c
> @@ -38,6 +38,9 @@
>    */
>   struct RISCVWorldGuardState *worldguard_config = NULL;
>   
> +/* perm field bitmask of wgChecker slot, it's depends on NWorld. */
> +uint64_t wgc_slot_perm_mask = 0;
> +
>   static Property riscv_worldguard_properties[] = {
>       DEFINE_PROP_UINT32("nworlds", RISCVWorldGuardState, nworlds, 0),
>   
> diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h
> index 7b5aae866a..f53202524c 100644
> --- a/include/hw/misc/riscv_worldguard.h
> +++ b/include/hw/misc/riscv_worldguard.h
> @@ -45,6 +45,7 @@ struct RISCVWorldGuardState {
>   };
>   
>   extern struct RISCVWorldGuardState *worldguard_config;
> +extern uint64_t wgc_slot_perm_mask;
>   
>   DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid,
>                                        bool hw_bypass, bool tz_compat);
> @@ -86,9 +87,12 @@ struct WgCheckerRegion {
>   struct RISCVWgCheckerState {
>       /*< private >*/
>       SysBusDevice parent_obj;
> +    uint32_t num_default_slots;
> +    WgCheckerSlot *default_slots;
>   
>       /*< public >*/
>       MemoryRegion mmio;
> +    WgCheckerSlot *slots;
>       qemu_irq irq;
>   
>       /* error reg */

Re: [PATCH v2 17/18] hw/misc: riscv_wgchecker: Check the slot settings in translate

[Daniel Henrique Barboza]

On 4/17/25 7:52 AM, Jim Shu wrote:
> The final part of wgChecker we need to implement is actually using the
> wgChecker slots programmed by guest to determine whether to block the
> transaction or not.
> 
> Since this means we now change transaction mappings when
> the guest writes to wgChecker slots, we must also call the IOMMU
> notifiers at that point.
> 
> One tricky part here is that the perm of 'blocked_io_as' is the
> condition of deny access. For example, if wgChecker only permits RO
> access, the perm of 'downstream_as' will be IOMMU_RO and the perm of
> 'blocked_io_as' will be IOMMU_WO.
> 
> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> ---

Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>

>   hw/misc/riscv_wgchecker.c | 70 ++++++++++++++++++++++++++++++++++++---
>   hw/misc/trace-events      |  1 +
>   2 files changed, 67 insertions(+), 4 deletions(-)
> 
> diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c
> index 5d2af7946f..5a70231837 100644
> --- a/hw/misc/riscv_wgchecker.c
> +++ b/hw/misc/riscv_wgchecker.c
> @@ -100,6 +100,52 @@ REG32(SLOT_CFG,             0x010)
>   #define P_READ                  (1 << 0)
>   #define P_WRITE                 (1 << 1)
>   
> +static IOMMUAccessFlags wgc_perm_to_iommu_flags(int wgc_perm)
> +{
> +    if (wgc_perm == (P_READ | P_WRITE)) {
> +        return IOMMU_RW;
> +    } else if (wgc_perm & P_WRITE) {
> +        return IOMMU_WO;
> +    } else if (wgc_perm & P_READ) {
> +        return IOMMU_RO;
> +    } else {
> +        return IOMMU_NONE;
> +    }
> +}
> +
> +static void wgchecker_iommu_notify_all(RISCVWgCheckerState *s)
> +{
> +    /*
> +     * Do tlb_flush() to whole address space via memory_region_notify_iommu()
> +     * when wgChecker changes it's config.
> +     */
> +
> +    IOMMUTLBEvent event = {
> +        .entry = {
> +            .addr_mask = -1ULL,
> +        }
> +    };
> +
> +    trace_riscv_wgc_iommu_notify_all();
> +
> +    for (int i=0; i<WGC_NUM_REGIONS; i++) {
> +        WgCheckerRegion *region = &s->mem_regions[i];
> +        uint32_t nworlds = worldguard_config->nworlds;
> +
> +        if (!region->downstream) {
> +            continue;
> +        }
> +        event.entry.iova = 0;
> +        event.entry.translated_addr = 0;
> +        event.type = IOMMU_NOTIFIER_UNMAP;
> +        event.entry.perm = IOMMU_NONE;
> +
> +        for (int wid=0; wid<nworlds; wid++) {
> +            memory_region_notify_iommu(&region->upstream, wid, event);
> +        }
> +    }
> +}
> +
>   static void decode_napot(hwaddr a, hwaddr *sa, hwaddr *ea)
>   {
>       /*
> @@ -309,6 +355,9 @@ static IOMMUTLBEntry riscv_wgc_translate(IOMMUMemoryRegion *iommu,
>   {
>       WgCheckerRegion *region = container_of(iommu, WgCheckerRegion, upstream);
>       RISCVWgCheckerState *s = RISCV_WGCHECKER(region->wgchecker);
> +    bool is_write;
> +    WgAccessResult result;
> +    int wgc_perm;
>       hwaddr phys_addr;
>       uint64_t region_size;
>   
> @@ -327,18 +376,25 @@ static IOMMUTLBEntry riscv_wgc_translate(IOMMUMemoryRegion *iommu,
>        * Look at the wgChecker configuration for this address, and
>        * return a TLB entry directing the transaction at either
>        * downstream_as or blocked_io_as, as appropriate.
> -     * For the moment, always permit accesses.
>        */
>   
>       /* Use physical address instead of offset */
>       phys_addr = addr + region->region_offset;
> +    is_write = (flags == IOMMU_WO);
>   
> -    is_success = true;
> +    result = wgc_check_access(s, phys_addr, iommu_idx, is_write);
>   
>       trace_riscv_wgc_translate(phys_addr, flags,
> -        iommu_idx, is_success ? "pass" : "block");
> +        iommu_idx, result.is_success ? "pass" : "block");
>   
> -    ret.target_as = is_success ? &region->downstream_as : &region->blocked_io_as;
> +    wgc_perm = result.perm;
> +    if (!result.is_success) {
> +        /* if target_as is blocked_io_as, the perm is the condition of deny access. */
> +        wgc_perm ^= (P_READ | P_WRITE);
> +    }
> +    ret.perm = wgc_perm_to_iommu_flags(wgc_perm);
> +
> +    ret.target_as = result.is_success ? &region->downstream_as : &region->blocked_io_as;
>       return ret;
>   }
>   
> @@ -604,6 +660,9 @@ static void riscv_wgchecker_writeq(void *opaque, hwaddr addr,
>               break;
>           }
>   
> +        /* Flush softmmu TLB when wgChecker changes config. */
> +        wgchecker_iommu_notify_all(s);
> +
>           return;
>       }
>   
> @@ -699,6 +758,9 @@ static void riscv_wgchecker_writel(void *opaque, hwaddr addr,
>               break;
>           }
>   
> +        /* Flush softmmu TLB when wgChecker changes config. */
> +        wgchecker_iommu_notify_all(s);
> +
>           return;
>       }
>   
> diff --git a/hw/misc/trace-events b/hw/misc/trace-events
> index b1d8538220..54dfcd50a1 100644
> --- a/hw/misc/trace-events
> +++ b/hw/misc/trace-events
> @@ -403,3 +403,4 @@ riscv_wgchecker_mmio_write(uint64_t base, uint64_t offset, unsigned int size, ui
>   riscv_wgc_mem_blocked_read(uint64_t addr, unsigned size, uint32_t wid) "wgChecker blocked read: offset 0x%" PRIx64 " size %u wid %" PRIu32
>   riscv_wgc_mem_blocked_write(uint64_t addr, uint64_t data, unsigned size, uint32_t wid) "wgChecker blocked write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u wid %" PRIu32
>   riscv_wgc_translate(uint64_t addr, int flags, int wid, const char *res) "wgChecker translate: addr 0x%016" PRIx64 " flags 0x%x wid %d: %s"
> +riscv_wgc_iommu_notify_all(void) "wgChecker iommu: notifying UNMAP for all"

Re: [PATCH v2 18/18] hw/riscv: virt: Add WorldGuard support

[Daniel Henrique Barboza]

On 4/17/25 7:52 AM, Jim Shu wrote:
> * Add 'wg=on' option to enable RISC-V WorldGuard
> * Add wgChecker to protect several resources:
>    DRAM, FLASH, UART.
> 
> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> ---
>   docs/system/riscv/virt.rst |  20 +++++
>   hw/riscv/Kconfig           |   1 +
>   hw/riscv/virt.c            | 163 ++++++++++++++++++++++++++++++++++++-
>   include/hw/riscv/virt.h    |  15 +++-
>   4 files changed, 195 insertions(+), 4 deletions(-)
> 
> diff --git a/docs/system/riscv/virt.rst b/docs/system/riscv/virt.rst
> index 60850970ce..eef1233350 100644
> --- a/docs/system/riscv/virt.rst
> +++ b/docs/system/riscv/virt.rst
> @@ -146,6 +146,26 @@ The following machine-specific options are supported:
>   
>     Enables the riscv-iommu-sys platform device. Defaults to 'off'.
>   
> +- wg=[on|off]
> +
> +  When this option is "on", RISC-V WorldGuard will be enabled in the system
> +  to provide the isolation of multiple worlds. RISC-V HARTs will enable WG
> +  extensions to have WID in memory transaction. wgCheckers in front of RAMs
> +  and device MMIO will be enabled to provide the access control of resources
> +  if the transaction contains WID. When not specified, this option is assumed
> +  to be "off".
> +
> +  The WG configuration of virt machine includes 4 worlds. For WG configuration
> +  of CPUs, the M-mode WID of CPU (``mwid``) is set to the largest WID number,
> +  and the authorized WID list of CPU (``mwidlist``) includes all WIDs. We can
> +  modify the configuration of all CPUs via ``x-mwid`` and ``x-mwidlist``
> +  CPU options. There are 3 wgCheckers in the virt machine, which separately
> +  protects DRAM, FLASH, and UART. Default WG configuration on the virt machine
> +  is enough to run the demo of dual OSes in the different worlds. For example,
> +  running both Linux kernel and Secure OS (e.g. OP-TEE) in it's own world.
> +
> +  This option is restricted to the TCG accelerator.
> +
>   Running Linux kernel
>   --------------------
>   
> diff --git a/hw/riscv/Kconfig b/hw/riscv/Kconfig
> index e6a0ac1fa1..5c3e7b3479 100644
> --- a/hw/riscv/Kconfig
> +++ b/hw/riscv/Kconfig
> @@ -68,6 +68,7 @@ config RISCV_VIRT
>       select PLATFORM_BUS
>       select ACPI
>       select ACPI_PCI
> +    select RISCV_WORLDGUARD
>   
>   config SHAKTI_C
>       bool
> diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
> index e517002fdf..da873bc8b8 100644
> --- a/hw/riscv/virt.c
> +++ b/hw/riscv/virt.c
> @@ -58,6 +58,7 @@
>   #include "qapi/qapi-visit-common.h"
>   #include "hw/virtio/virtio-iommu.h"
>   #include "hw/uefi/var-service-api.h"
> +#include "hw/misc/riscv_worldguard.h"
>   
>   /* KVM AIA only supports APLIC MSI. APLIC Wired is always emulated by QEMU. */
>   static bool virt_use_kvm_aia_aplic_imsic(RISCVVirtAIAType aia_type)
> @@ -89,6 +90,9 @@ static const MemMapEntry virt_memmap[] = {
>       [VIRT_PCIE_PIO] =     {  0x3000000,       0x10000 },
>       [VIRT_IOMMU_SYS] =    {  0x3010000,        0x1000 },
>       [VIRT_PLATFORM_BUS] = {  0x4000000,     0x2000000 },
> +    [VIRT_WGC_DRAM] =     {  0x6000000,        0x1000 },
> +    [VIRT_WGC_FLASH] =    {  0x6001000,        0x1000 },
> +    [VIRT_WGC_UART] =     {  0x6002000,        0x1000 },
>       [VIRT_PLIC] =         {  0xc000000, VIRT_PLIC_SIZE(VIRT_CPUS_MAX * 2) },
>       [VIRT_APLIC_M] =      {  0xc000000, APLIC_SIZE(VIRT_CPUS_MAX) },
>       [VIRT_APLIC_S] =      {  0xd000000, APLIC_SIZE(VIRT_CPUS_MAX) },
> @@ -114,6 +118,38 @@ static MemMapEntry virt_high_pcie_memmap;
>   
>   #define VIRT_FLASH_SECTOR_SIZE (256 * KiB)
>   
> +/* wgChecker helpers */
> +typedef struct WGCInfo {
> +    int memmap_idx;
> +    uint32_t irq_num;
> +    uint32_t slot_count;
> +
> +    int num_of_child;
> +    MemoryRegion *c_region[WGC_NUM_REGIONS];
> +    uint64_t c_offset[WGC_NUM_REGIONS];
> +} WGCInfo;
> +
> +enum {
> +    WGC_DRAM,
> +    WGC_FLASH,
> +    WGC_UART,
> +    WGC_NUM,
> +};
> +
> +static WGCInfo virt_wgcinfo[] = {
> +    [WGC_DRAM]  = { VIRT_WGC_DRAM, WGC_DRAM_IRQ, 16 },
> +    [WGC_FLASH] = { VIRT_WGC_FLASH, WGC_FLASH_IRQ, 16 },
> +    [WGC_UART]  = { VIRT_WGC_UART, WGC_UART_IRQ, 1 },
> +};
> +
> +static void wgc_append_child(WGCInfo *info, MemoryRegion *region,
> +                             uint64_t offset)
> +{
> +    info->c_region[info->num_of_child] = region;
> +    info->c_offset[info->num_of_child] = offset;
> +    info->num_of_child += 1;
> +}
> +
>   static PFlashCFI01 *virt_flash_create1(RISCVVirtState *s,
>                                          const char *name,
>                                          const char *alias_prop_name)
> @@ -164,7 +200,8 @@ static void virt_flash_map1(PFlashCFI01 *flash,
>   }
>   
>   static void virt_flash_map(RISCVVirtState *s,
> -                           MemoryRegion *sysmem)
> +                           MemoryRegion *sysmem,
> +                           WGCInfo *info)
>   {
>       hwaddr flashsize = virt_memmap[VIRT_FLASH].size / 2;
>       hwaddr flashbase = virt_memmap[VIRT_FLASH].base;
> @@ -173,6 +210,15 @@ static void virt_flash_map(RISCVVirtState *s,
>                       sysmem);
>       virt_flash_map1(s->flash[1], flashbase + flashsize, flashsize,
>                       sysmem);
> +
> +    if (info) {
> +        wgc_append_child(info,
> +                         sysbus_mmio_get_region(SYS_BUS_DEVICE(s->flash[0]), 0),
> +                         flashbase);
> +        wgc_append_child(info,
> +                         sysbus_mmio_get_region(SYS_BUS_DEVICE(s->flash[1]), 0),
> +                         flashbase + flashsize);
> +    }
>   }
>   
>   static void create_pcie_irq_map(RISCVVirtState *s, void *fdt, char *nodename,
> @@ -1426,6 +1472,71 @@ static void virt_build_smbios(RISCVVirtState *s)
>       }
>   }
>   
> +static DeviceState *create_wgc(WGCInfo *info, DeviceState *irqchip)
> +{
> +    MemoryRegion *system_memory = get_system_memory();
> +    DeviceState *wgc;
> +    MemoryRegion *upstream_mr, *downstream_mr;
> +    qemu_irq irq = qdev_get_gpio_in(irqchip, info->irq_num);
> +    hwaddr base, size;
> +
> +    /* Unmap downstream_mr from system_memory if it is already mapped. */
> +    for (int i=0; i<info->num_of_child; i++) {
> +        downstream_mr = info->c_region[i];
> +
> +        g_assert(downstream_mr);
> +        if (downstream_mr->container == system_memory) {
> +            memory_region_del_subregion(system_memory, downstream_mr);
> +        }
> +
> +        /*
> +         * Clear the offset of downstream_mr, so we could correctly do
> +         * address_space_init() to it in wgchecker.
> +         */
> +        memory_region_set_address(downstream_mr, 0);
> +    }
> +
> +    base = virt_memmap[info->memmap_idx].base;
> +    size = virt_memmap[info->memmap_idx].size;
> +
> +    wgc = riscv_wgchecker_create(
> +        base, size, irq, info->slot_count, 0, 0,
> +        info->num_of_child, info->c_region, info->c_offset, 0, NULL);
> +
> +    /* Map upstream_mr to system_memory */
> +    for (int i=0; i<info->num_of_child; i++) {
> +        upstream_mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(wgc), i+1);
> +        g_assert(upstream_mr);
> +        memory_region_add_subregion(system_memory, info->c_offset[i], upstream_mr);
> +    }
> +
> +    return wgc;
> +}
> +
> +static void virt_create_worldguard(WGCInfo *wgcinfo, int wgc_num,
> +                                   DeviceState *irqchip)
> +{
> +    CPUState *cpu;
> +
> +    /* Global WG config */
> +    riscv_worldguard_create(VIRT_WG_NWORLDS,
> +                            VIRT_WG_TRUSTEDWID,
> +                            VIRT_WG_HWBYPASS,
> +                            VIRT_WG_TZCOMPAT);
> +
> +    /* Enable WG extension of each CPU */
> +    CPU_FOREACH(cpu) {
> +        CPURISCVState *env = cpu ? cpu_env(cpu) : NULL;
> +
> +        riscv_worldguard_apply_cpu(env->mhartid);
> +    }
> +
> +    /* Create all wgChecker devices */
> +    for (int i=0; i<wgc_num; i++) {
> +        create_wgc(&wgcinfo[i], DEVICE(irqchip));
> +    }
> +}
> +
>   static void virt_machine_done(Notifier *notifier, void *data)
>   {
>       RISCVVirtState *s = container_of(notifier, RISCVVirtState,
> @@ -1527,10 +1638,12 @@ static void virt_machine_done(Notifier *notifier, void *data)
>   static void virt_machine_init(MachineState *machine)
>   {
>       const MemMapEntry *memmap = virt_memmap;
> +    WGCInfo *wgcinfo = virt_wgcinfo;
>       RISCVVirtState *s = RISCV_VIRT_MACHINE(machine);
>       MemoryRegion *system_memory = get_system_memory();
>       MemoryRegion *mask_rom = g_new(MemoryRegion, 1);
>       DeviceState *mmio_irqchip, *virtio_irqchip, *pcie_irqchip;
> +    SerialMM *uart;
>       int i, base_hartid, hart_count;
>       int socket_count = riscv_socket_count(machine);
>   
> @@ -1546,6 +1659,11 @@ static void virt_machine_init(MachineState *machine)
>           exit(1);
>       }
>   
> +    if (!tcg_enabled() && s->have_wg) {
> +        error_report("'wg' is only available with TCG acceleration");
> +        exit(1);
> +    }
> +
>       /* Initialize sockets */
>       mmio_irqchip = virtio_irqchip = pcie_irqchip = NULL;
>       for (i = 0; i < socket_count; i++) {
> @@ -1673,6 +1791,10 @@ static void virt_machine_init(MachineState *machine)
>       memory_region_add_subregion(system_memory, memmap[VIRT_DRAM].base,
>           machine->ram);
>   
> +    if (tcg_enabled() && s->have_wg) {
> +        wgc_append_child(&wgcinfo[WGC_DRAM], machine->ram, memmap[VIRT_DRAM].base);
> +    }

I see this "(tcg_enabled() && s->have_wg)" check being used throughout the code.
Given that s->have_wg is a machine property "wg":

> +    object_class_property_add_bool(oc, "wg", virt_get_wg,
> +                                   virt_set_wg);

I suggest changing the getter to check for TCG:

> +static bool virt_get_wg(Object *obj, Error **errp)
> +{
> +    RISCVVirtState *s = RISCV_VIRT_MACHINE(obj);
> +
> +    return tcg_enabled() && s->have_wg;
> +}

And then each time you need to check "tcg_enabled() && s->have_wg" you do a:

if (object_property_get_bool(OBJECT(s), "wg")) ...


If you don't want to use QOM feel free to use virt_get_wg() directly too.


Everything else LGTM. Thanks,


Daniel




> +
>       /* boot rom */
>       memory_region_init_rom(mask_rom, NULL, "riscv_virt_board.mrom",
>                              memmap[VIRT_MROM].size, &error_fatal);
> @@ -1700,10 +1822,16 @@ static void virt_machine_init(MachineState *machine)
>   
>       create_platform_bus(s, mmio_irqchip);
>   
> -    serial_mm_init(system_memory, memmap[VIRT_UART0].base,
> +    uart = serial_mm_init(system_memory, memmap[VIRT_UART0].base,
>           0, qdev_get_gpio_in(mmio_irqchip, UART0_IRQ), 399193,
>           serial_hd(0), DEVICE_LITTLE_ENDIAN);
>   
> +    if (tcg_enabled() && s->have_wg) {
> +        wgc_append_child(&wgcinfo[WGC_UART],
> +                         sysbus_mmio_get_region(SYS_BUS_DEVICE(uart), 0),
> +                         memmap[VIRT_UART0].base);
> +    }
> +
>       sysbus_create_simple("goldfish_rtc", memmap[VIRT_RTC].base,
>           qdev_get_gpio_in(mmio_irqchip, RTC_IRQ));
>   
> @@ -1712,7 +1840,16 @@ static void virt_machine_init(MachineState *machine)
>           pflash_cfi01_legacy_drive(s->flash[i],
>                                     drive_get(IF_PFLASH, 0, i));
>       }
> -    virt_flash_map(s, system_memory);
> +
> +    if (tcg_enabled() && s->have_wg) {
> +        virt_flash_map(s, system_memory, &wgcinfo[WGC_FLASH]);
> +    } else {
> +        virt_flash_map(s, system_memory, NULL);
> +    }
> +
> +    if (tcg_enabled() && s->have_wg) {
> +        virt_create_worldguard(wgcinfo, WGC_NUM, mmio_irqchip);
> +    }
>   
>       /* load/create device tree */
>       if (machine->dtb) {
> @@ -1757,6 +1894,20 @@ static void virt_machine_instance_init(Object *obj)
>       s->iommu_sys = ON_OFF_AUTO_AUTO;
>   }
>   
> +static bool virt_get_wg(Object *obj, Error **errp)
> +{
> +    RISCVVirtState *s = RISCV_VIRT_MACHINE(obj);
> +
> +    return s->have_wg;
> +}
> +
> +static void virt_set_wg(Object *obj, bool value, Error **errp)
> +{
> +    RISCVVirtState *s = RISCV_VIRT_MACHINE(obj);
> +
> +    s->have_wg = value;
> +}
> +
>   static char *virt_get_aia_guests(Object *obj, Error **errp)
>   {
>       RISCVVirtState *s = RISCV_VIRT_MACHINE(obj);
> @@ -1977,6 +2128,12 @@ static void virt_machine_class_init(ObjectClass *oc, void *data)
>                                 NULL, NULL);
>       object_class_property_set_description(oc, "iommu-sys",
>                                             "Enable IOMMU platform device");
> +
> +    object_class_property_add_bool(oc, "wg", virt_get_wg,
> +                                   virt_set_wg);
> +    object_class_property_set_description(oc, "wg",
> +                                              "Set on/off to enable/disable the "
> +                                              "RISC-V WorldGuard.");
>   }
>   
>   static const TypeInfo virt_machine_typeinfo = {
> diff --git a/include/hw/riscv/virt.h b/include/hw/riscv/virt.h
> index 48a14bea2e..3a631a6a23 100644
> --- a/include/hw/riscv/virt.h
> +++ b/include/hw/riscv/virt.h
> @@ -57,6 +57,7 @@ struct RISCVVirtState {
>       bool have_aclint;
>       RISCVVirtAIAType aia_type;
>       int aia_guests;
> +    bool have_wg;
>       char *oem_id;
>       char *oem_table_id;
>       OnOffAuto acpi;
> @@ -87,11 +88,17 @@ enum {
>       VIRT_PLATFORM_BUS,
>       VIRT_PCIE_ECAM,
>       VIRT_IOMMU_SYS,
> +    VIRT_WGC_DRAM,
> +    VIRT_WGC_FLASH,
> +    VIRT_WGC_UART
>   };
>   
>   enum {
>       UART0_IRQ = 10,
>       RTC_IRQ = 11,
> +    WGC_DRAM_IRQ = 15,
> +    WGC_FLASH_IRQ = 16,
> +    WGC_UART_IRQ = 17,
>       VIRTIO_IRQ = 1, /* 1 to 8 */
>       VIRTIO_COUNT = 8,
>       PCIE_IRQ = 0x20, /* 32 to 35 */
> @@ -102,7 +109,7 @@ enum {
>   #define VIRT_PLATFORM_BUS_NUM_IRQS 32
>   
>   #define VIRT_IRQCHIP_NUM_MSIS 255
> -#define VIRT_IRQCHIP_NUM_SOURCES 96
> +#define VIRT_IRQCHIP_NUM_SOURCES 128
>   #define VIRT_IRQCHIP_NUM_PRIO_BITS 3
>   #define VIRT_IRQCHIP_MAX_GUESTS_BITS 3
>   #define VIRT_IRQCHIP_MAX_GUESTS ((1U << VIRT_IRQCHIP_MAX_GUESTS_BITS) - 1U)
> @@ -158,4 +165,10 @@ uint32_t imsic_num_bits(uint32_t count);
>   #error "Can't accommodate all IMSIC groups in address space"
>   #endif
>   
> +/* WorldGuard */
> +#define VIRT_WG_NWORLDS         4
> +#define VIRT_WG_TRUSTEDWID      3
> +#define VIRT_WG_HWBYPASS        true
> +#define VIRT_WG_TZCOMPAT        false
> +
>   #endif

Re: [PATCH v2 00/18] Implements RISC-V WorldGuard extension v0.4

[Daniel Henrique Barboza]

Hey,

Sorry for the late review. Frank told me that this work was left behind.
Somehow it went completely under my radar for months ...

I didn't find some patches - probably because I wasn't directly CC on them
and I've cleanup some mailboxes recently. Feel free to add myself in the CC
for all patches, even if the patch is for a different subsystem - having anyone
taking a look in the patch will help the subsystem maintainer.

I'm not sure how the WorldGuard support is faring in Linux. If you could add
some documentation (patch 18) on the current state of the support, how we
can test the feature and so on, that would be terrific.


Thanks,

Daniel



On 4/17/25 7:52 AM, Jim Shu wrote:
> This patchset implements Smwg/Smwgd/Sswg CPU extension and wgChecker
> device defined in WorldGuard spec v0.4.
> 
> The WG v0.4 spec could be found here:
> https://lists.riscv.org/g/security/attachment/711/0/worldguard_rvia_spec-v0.4.pdf
> 
> To enable WG in QEMU, pass "wg=on" as machine parameter to virt machine.
> It enables both WG CPU CSRs to apply WID of CPU and wgCheckers on
> the DRAM, FLASH, and UART to protect these resources.
> 
> This patchset contains 5 parts:
> 
> 1. Commit  1 ~ 2: Bugfix of IOMMUMemoryRegion
> 2. Commit  3 ~ 4: Extend IOMMUMemoryRegion and MemTxAttr for WG support
> 3. Commit  5 ~ 13: Add WG global device and CPU extensions
> 4. Commit 14 ~ 17: Add WG checker device
> 5. Commit 18: Add WG support to the virt machine
> 
> QEMU code can be found at [1]
> 
> [1] https://github.com/cwshu/qemu/tree/riscv-wg-v2
> 
> Changed since v1:
> - Remove the assertion of 4k sections limitation. Remove
>    iotlb_to_section() and rename 'xlat_section' to 'xlat'.
> - Fix RST issue and typo in virt machine doc
> 
> Changed since RFCv1:
> - Rebase to latest QEMU (v10.0.0-rc3)
> - Add the description of HW config and CPU option of WG in the
>    virt machine documentation
> - Expose CPU options of WG after WG CPU code has been implemented
> - Change 'mwid' and 'mwidlist' options to experimental options
> - Change 'world_id' to unsigned int type + bit field.
> 
> Jim Shu (18):
>    accel/tcg: Store section pointer in CPUTLBEntryFull
>    system/physmem: Remove the assertion of page-aligned section number
>    accel/tcg: memory access from CPU will pass access_type to IOMMU
>    exec: Add RISC-V WorldGuard WID to MemTxAttrs
>    hw/misc: riscv_worldguard: Add RISC-V WorldGuard global config
>    target/riscv: Add CPU options of WorldGuard CPU extension
>    target/riscv: Add hard-coded CPU state of WG extension
>    target/riscv: Add defines for WorldGuard CSRs
>    target/riscv: Allow global WG config to set WG CPU callbacks
>    target/riscv: Implement WorldGuard CSRs
>    target/riscv: Add WID to MemTxAttrs of CPU memory transactions
>    target/riscv: Expose CPU options of WorldGuard
>    hw/misc: riscv_worldguard: Add API to enable WG extension of CPU
>    hw/misc: riscv_wgchecker: Implement RISC-V WorldGuard Checker
>    hw/misc: riscv_wgchecker: Implement wgchecker slot registers
>    hw/misc: riscv_wgchecker: Implement correct block-access behavior
>    hw/misc: riscv_wgchecker: Check the slot settings in translate
>    hw/riscv: virt: Add WorldGuard support
> 
>   accel/tcg/cputlb.c                   |   49 +-
>   docs/system/riscv/virt.rst           |   20 +
>   hw/misc/Kconfig                      |    3 +
>   hw/misc/meson.build                  |    1 +
>   hw/misc/riscv_wgchecker.c            | 1160 ++++++++++++++++++++++++++
>   hw/misc/riscv_worldguard.c           |  272 ++++++
>   hw/misc/trace-events                 |    9 +
>   hw/riscv/Kconfig                     |    1 +
>   hw/riscv/virt.c                      |  163 +++-
>   include/exec/cputlb.h                |   13 +-
>   include/exec/exec-all.h              |   18 +-
>   include/exec/memattrs.h              |    8 +-
>   include/hw/core/cpu.h                |   12 +-
>   include/hw/misc/riscv_worldguard.h   |  123 +++
>   include/hw/riscv/virt.h              |   15 +-
>   system/physmem.c                     |   39 +-
>   target/alpha/helper.c                |    2 +-
>   target/avr/helper.c                  |    2 +-
>   target/hppa/mem_helper.c             |    1 -
>   target/i386/tcg/system/excp_helper.c |    3 +-
>   target/loongarch/tcg/tlb_helper.c    |    2 +-
>   target/m68k/helper.c                 |   10 +-
>   target/microblaze/helper.c           |    8 +-
>   target/mips/tcg/system/tlb_helper.c  |    4 +-
>   target/openrisc/mmu.c                |    2 +-
>   target/ppc/mmu_helper.c              |    2 +-
>   target/riscv/cpu.c                   |   17 +-
>   target/riscv/cpu.h                   |   12 +
>   target/riscv/cpu_bits.h              |    5 +
>   target/riscv/cpu_cfg.h               |    5 +
>   target/riscv/cpu_helper.c            |   69 +-
>   target/riscv/csr.c                   |  107 +++
>   target/riscv/tcg/tcg-cpu.c           |   11 +
>   target/rx/cpu.c                      |    3 +-
>   target/s390x/tcg/excp_helper.c       |    2 +-
>   target/sh4/helper.c                  |    2 +-
>   target/sparc/mmu_helper.c            |    6 +-
>   target/tricore/helper.c              |    2 +-
>   target/xtensa/helper.c               |    3 +-
>   39 files changed, 2074 insertions(+), 112 deletions(-)
>   create mode 100644 hw/misc/riscv_wgchecker.c
>   create mode 100644 hw/misc/riscv_worldguard.c
>   create mode 100644 include/hw/misc/riscv_worldguard.h
> 

Re: [PATCH v2 13/18] hw/misc: riscv_worldguard: Add API to enable WG extension of CPU

[Chao Liu]

> On 4/17/25 7:52 AM, Jim Shu wrote:
> > riscv_worldguard_apply_cpu() could enable WG CPU extension and set WG
> > callback to CPUs. It is used by machine code after realizing global WG
> > device.
> > 
> > Signed-off-by: Jim Shu <jim.shu@sifive.com>
> > ---
> >   hw/misc/riscv_worldguard.c         | 87 ++++++++++++++++++++++++++++++
> >   include/hw/misc/riscv_worldguard.h |  1 +
> >   2 files changed, 88 insertions(+)
> > 
> > diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c
> > index b02bd28d02..1a910f4cf3 100644
> > --- a/hw/misc/riscv_worldguard.c
> > +++ b/hw/misc/riscv_worldguard.c
> > @@ -92,6 +92,93 @@ uint32_t mem_attrs_to_wid(MemTxAttrs attrs)
> >       }
> >   }
> >   
> > +static void riscv_cpu_wg_reset(CPURISCVState *env)
> > +{
> > +    CPUState *cs = env_cpu(env);
> > +    RISCVCPU *cpu = RISCV_CPU(cs);
> > +    uint32_t mlwid, slwid, mwiddeleg;
> > +    uint32_t trustedwid;
> > +
> > +    if (!riscv_cpu_cfg(env)->ext_smwg) {
> > +        return;
> > +    }
> > +
> > +    if (worldguard_config == NULL) {
> > +        /*
> > +         * Note: This reset is dummy now and WG CSRs will be reset again
> > +         * after worldguard_config is realized.
> > +         */
> > +        return;
> > +    }
> > +
> > +    trustedwid = worldguard_config->trustedwid;
> > +    if (trustedwid == NO_TRUSTEDWID) {
> > +        trustedwid = worldguard_config->nworlds - 1;
> > +    }
> > +
> > +    /* Reset mlwid, slwid, mwiddeleg CSRs */
> > +    if (worldguard_config->hw_bypass) {
> > +        /* HW bypass mode */
> > +        mlwid = trustedwid;
> > +    } else {
> > +        mlwid = 0;
> > +    }
> > +    slwid = 0;
> > +    mwiddeleg = 0;
> > +
> > +    env->mlwid = mlwid;
> > +    if (riscv_cpu_cfg(env)->ext_sswg) {
> > +        env->slwid = slwid;
> > +        env->mwiddeleg = mwiddeleg;
> > +    }
> > +
> > +    /* Check mwid, mwidlist config */
> > +    if (worldguard_config != NULL) {
> > +        uint32_t valid_widlist = MAKE_64BIT_MASK(0, worldguard_config->nworlds);
> > +
> > +        /* CPU use default mwid / mwidlist config if not set */
> > +        if (cpu->cfg.mwidlist == UINT32_MAX) {
> > +            /* mwidlist contains all WIDs */
> > +            cpu->cfg.mwidlist = valid_widlist;
> > +        }
> > +        if (cpu->cfg.mwid == UINT32_MAX) {
> > +            cpu->cfg.mwid = trustedwid;
> > +        }
> > +
> > +        /* Check if mwid/mwidlist HW config is valid in NWorld. */
> > +        g_assert((cpu->cfg.mwidlist & ~valid_widlist) == 0);
> > +        g_assert(cpu->cfg.mwid < worldguard_config->nworlds);
> > +    }
> > +}
> > +
> > +/*
> > + * riscv_worldguard_apply_cpu - Enable WG extension of CPU
> > + *
> > + * Note: This API should be used after global WG device is created
> > + * (riscv_worldguard_realize()).
> > + */
> > +void riscv_worldguard_apply_cpu(uint32_t hartid)
> > +{
> > +    /* WG global config should exist */
> > +    g_assert(worldguard_config);
> 
> We usually add g_asserts() after the variable declarations.
> 
> > +
> > +    CPUState *cpu = qemu_get_cpu(hartid);

arm_get_cpu() uses CPUState::cpu_index to obtain the corresponding CPUState pointer.

However, CPUState::cpu_index and the RISC-V HART index are not necessarily strictly
one-to-one (for instance, when the hartid base is non-zero or when hartids are
discontinuous).

Typically, we use arm_get_cpu() at the accelerators, rather than in hw/code.

A better approach is to use cpu_by_arch_id() instead of qemu_get_cpu(),
in RISC-V cpu_by_arch_id() uses the hartid.

e.g.

     CPUState *cpu = cpu_by_arch_id(hartid);


Thanks,

Chao

> > +    RISCVCPU *rcpu = RISCV_CPU(cpu);
> > +    CPURISCVState *env = cpu ? cpu_env(cpu) : NULL;
> > +
> > +    rcpu->cfg.ext_smwg = true;
> > +    if (riscv_has_ext(env, RVS) && riscv_has_ext(env, RVU)) {
> > +        rcpu->cfg.ext_sswg = true;
> > +    }
> 
> riscv_has_ext() will segfault if env == NULL, and you're creating a code
> path where this might happen:
> 
> > +    CPURISCVState *env = cpu ? cpu_env(cpu) : NULL;
> 
> In fact, cpu == NULL will explode on you earlier via this macro:
> 
> > +    RISCVCPU *rcpu = RISCV_CPU(cpu);
> 
> You can either handle cpu == NULL with a clean exit before using 'cpu' to assign
> stuff or g_assert(cpu != NULL) for a more rude exit. But with this code as is
> you're gambling with segfaults.
> 
> 
> Thanks,
> 
> Daniel
> 
> 
> > +
> > +    /* Set machine specific WorldGuard callback */
> > +    env->wg_reset = riscv_cpu_wg_reset;
> > +    env->wid_to_mem_attrs = wid_to_mem_attrs;
> > +
> > +    /* Reset WG CSRs in CPU */
> > +    env->wg_reset(env);
> > +}
> > +
> >   bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock)
> >   {
> >       uint32_t wid = mem_attrs_to_wid(attrs);
> > diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h
> > index 8a533a0517..211a72e438 100644
> > --- a/include/hw/misc/riscv_worldguard.h
> > +++ b/include/hw/misc/riscv_worldguard.h
> > @@ -48,6 +48,7 @@ extern struct RISCVWorldGuardState *worldguard_config;
> >   
> >   DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid,
> >                                        bool hw_bypass, bool tz_compat);
> > +void riscv_worldguard_apply_cpu(uint32_t hartid);
> >   
> >   uint32_t mem_attrs_to_wid(MemTxAttrs attrs);
> >   bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock);
> 

Re: [PATCH v2 04/18] exec: Add RISC-V WorldGuard WID to MemTxAttrs

[Jim Shu]

Hi Daniel,

Both '_reserved1' and '_reserved2' fields are only for padding
MemTxAttrs struct to be 8-byte [1], so I remove a 1-byte reserved
field when adding 'world_id' field to it.
Is it ok for you? Or you think it is better to separate them.


[1]
commit 5014e33b1e00d330f13df33c09a3932ac88f8d94
Link: https://lore.kernel.org/r/20250121151322.171832-2-zhao1.liu@intel.com

Thanks!

On Sat, Aug 9, 2025 at 8:34 PM Daniel Henrique Barboza
<dbarboza@ventanamicro.com> wrote:
>
>
>
> On 4/17/25 7:52 AM, Jim Shu wrote:
> > RISC-V WorldGuard will add 5-bit world_id (WID) to the each memory
> > transaction on the bus. The wgChecker in front of RAM or peripherals
> > MMIO could do the access control based on the WID. It is similar to ARM
> > TrustZone NS bit, but the WID is 5-bit.
> >
> > The common implementation of WID is AXI4 AxUSER signal.
> >
> > Signed-off-by: Jim Shu <jim.shu@sifive.com>
> > ---
> >   include/exec/memattrs.h | 8 ++++++--
> >   1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
> > index 8db1d30464..7a6866fa41 100644
> > --- a/include/exec/memattrs.h
> > +++ b/include/exec/memattrs.h
> > @@ -54,6 +54,11 @@ typedef struct MemTxAttrs {
> >        */
> >       unsigned int pid:8;
> >
> > +    /*
> > +     * RISC-V WorldGuard: the 5-bit WID field of memory access.
> > +     */
> > +    unsigned int world_id:5;
> > +
> >       /*
> >        * Bus masters which don't specify any attributes will get this
> >        * (via the MEMTXATTRS_UNSPECIFIED constant), so that we can
> > @@ -63,8 +68,7 @@ typedef struct MemTxAttrs {
> >        */
> >       bool unspecified;
> >
> > -    uint8_t _reserved1;
> > -    uint16_t _reserved2;
> > +    uint16_t _reserved1;
>
> Is 'reserved2' unused? Not sure why you ended up removing it in this patch.
>
> If it's really unused it's ok to remove it but this should be done in separate.
>
>
> Thanks,
>
> Daniel
>
>
> >   } MemTxAttrs;
> >
> >   QEMU_BUILD_BUG_ON(sizeof(MemTxAttrs) > 8);
>

Re: [PATCH v2 13/18] hw/misc: riscv_worldguard: Add API to enable WG extension of CPU

[Jim Shu]

Hi Daniel and Chao,

I will replace qemu_get_cpu() with cpu_by_arch_id().
However, cpu_by_arch_id() can still return NULL if the hartid is
invalid, so I will handle that case with a clean exit.

I will fix these in the v3 patch.


Thanks,
Jim

On Wed, Aug 13, 2025 at 11:10 AM Chao Liu <chao.liu@yeah.net> wrote:
>
> > On 4/17/25 7:52 AM, Jim Shu wrote:
> > > riscv_worldguard_apply_cpu() could enable WG CPU extension and set WG
> > > callback to CPUs. It is used by machine code after realizing global WG
> > > device.
> > >
> > > Signed-off-by: Jim Shu <jim.shu@sifive.com>
> > > ---
> > >   hw/misc/riscv_worldguard.c         | 87 ++++++++++++++++++++++++++++++
> > >   include/hw/misc/riscv_worldguard.h |  1 +
> > >   2 files changed, 88 insertions(+)
> > >
> > > diff --git a/hw/misc/riscv_worldguard.c b/hw/misc/riscv_worldguard.c
> > > index b02bd28d02..1a910f4cf3 100644
> > > --- a/hw/misc/riscv_worldguard.c
> > > +++ b/hw/misc/riscv_worldguard.c
> > > @@ -92,6 +92,93 @@ uint32_t mem_attrs_to_wid(MemTxAttrs attrs)
> > >       }
> > >   }
> > >
> > > +static void riscv_cpu_wg_reset(CPURISCVState *env)
> > > +{
> > > +    CPUState *cs = env_cpu(env);
> > > +    RISCVCPU *cpu = RISCV_CPU(cs);
> > > +    uint32_t mlwid, slwid, mwiddeleg;
> > > +    uint32_t trustedwid;
> > > +
> > > +    if (!riscv_cpu_cfg(env)->ext_smwg) {
> > > +        return;
> > > +    }
> > > +
> > > +    if (worldguard_config == NULL) {
> > > +        /*
> > > +         * Note: This reset is dummy now and WG CSRs will be reset again
> > > +         * after worldguard_config is realized.
> > > +         */
> > > +        return;
> > > +    }
> > > +
> > > +    trustedwid = worldguard_config->trustedwid;
> > > +    if (trustedwid == NO_TRUSTEDWID) {
> > > +        trustedwid = worldguard_config->nworlds - 1;
> > > +    }
> > > +
> > > +    /* Reset mlwid, slwid, mwiddeleg CSRs */
> > > +    if (worldguard_config->hw_bypass) {
> > > +        /* HW bypass mode */
> > > +        mlwid = trustedwid;
> > > +    } else {
> > > +        mlwid = 0;
> > > +    }
> > > +    slwid = 0;
> > > +    mwiddeleg = 0;
> > > +
> > > +    env->mlwid = mlwid;
> > > +    if (riscv_cpu_cfg(env)->ext_sswg) {
> > > +        env->slwid = slwid;
> > > +        env->mwiddeleg = mwiddeleg;
> > > +    }
> > > +
> > > +    /* Check mwid, mwidlist config */
> > > +    if (worldguard_config != NULL) {
> > > +        uint32_t valid_widlist = MAKE_64BIT_MASK(0, worldguard_config->nworlds);
> > > +
> > > +        /* CPU use default mwid / mwidlist config if not set */
> > > +        if (cpu->cfg.mwidlist == UINT32_MAX) {
> > > +            /* mwidlist contains all WIDs */
> > > +            cpu->cfg.mwidlist = valid_widlist;
> > > +        }
> > > +        if (cpu->cfg.mwid == UINT32_MAX) {
> > > +            cpu->cfg.mwid = trustedwid;
> > > +        }
> > > +
> > > +        /* Check if mwid/mwidlist HW config is valid in NWorld. */
> > > +        g_assert((cpu->cfg.mwidlist & ~valid_widlist) == 0);
> > > +        g_assert(cpu->cfg.mwid < worldguard_config->nworlds);
> > > +    }
> > > +}
> > > +
> > > +/*
> > > + * riscv_worldguard_apply_cpu - Enable WG extension of CPU
> > > + *
> > > + * Note: This API should be used after global WG device is created
> > > + * (riscv_worldguard_realize()).
> > > + */
> > > +void riscv_worldguard_apply_cpu(uint32_t hartid)
> > > +{
> > > +    /* WG global config should exist */
> > > +    g_assert(worldguard_config);
> >
> > We usually add g_asserts() after the variable declarations.
> >
> > > +
> > > +    CPUState *cpu = qemu_get_cpu(hartid);
>
> arm_get_cpu() uses CPUState::cpu_index to obtain the corresponding CPUState pointer.
>
> However, CPUState::cpu_index and the RISC-V HART index are not necessarily strictly
> one-to-one (for instance, when the hartid base is non-zero or when hartids are
> discontinuous).
>
> Typically, we use arm_get_cpu() at the accelerators, rather than in hw/code.
>
> A better approach is to use cpu_by_arch_id() instead of qemu_get_cpu(),
> in RISC-V cpu_by_arch_id() uses the hartid.
>
> e.g.
>
>      CPUState *cpu = cpu_by_arch_id(hartid);
>
>
> Thanks,
>
> Chao
>
> > > +    RISCVCPU *rcpu = RISCV_CPU(cpu);
> > > +    CPURISCVState *env = cpu ? cpu_env(cpu) : NULL;
> > > +
> > > +    rcpu->cfg.ext_smwg = true;
> > > +    if (riscv_has_ext(env, RVS) && riscv_has_ext(env, RVU)) {
> > > +        rcpu->cfg.ext_sswg = true;
> > > +    }
> >
> > riscv_has_ext() will segfault if env == NULL, and you're creating a code
> > path where this might happen:
> >
> > > +    CPURISCVState *env = cpu ? cpu_env(cpu) : NULL;
> >
> > In fact, cpu == NULL will explode on you earlier via this macro:
> >
> > > +    RISCVCPU *rcpu = RISCV_CPU(cpu);
> >
> > You can either handle cpu == NULL with a clean exit before using 'cpu' to assign
> > stuff or g_assert(cpu != NULL) for a more rude exit. But with this code as is
> > you're gambling with segfaults.
> >
> >
> > Thanks,
> >
> > Daniel
> >
> >
> > > +
> > > +    /* Set machine specific WorldGuard callback */
> > > +    env->wg_reset = riscv_cpu_wg_reset;
> > > +    env->wid_to_mem_attrs = wid_to_mem_attrs;
> > > +
> > > +    /* Reset WG CSRs in CPU */
> > > +    env->wg_reset(env);
> > > +}
> > > +
> > >   bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock)
> > >   {
> > >       uint32_t wid = mem_attrs_to_wid(attrs);
> > > diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h
> > > index 8a533a0517..211a72e438 100644
> > > --- a/include/hw/misc/riscv_worldguard.h
> > > +++ b/include/hw/misc/riscv_worldguard.h
> > > @@ -48,6 +48,7 @@ extern struct RISCVWorldGuardState *worldguard_config;
> > >
> > >   DeviceState *riscv_worldguard_create(uint32_t nworlds, uint32_t trustedwid,
> > >                                        bool hw_bypass, bool tz_compat);
> > > +void riscv_worldguard_apply_cpu(uint32_t hartid);
> > >
> > >   uint32_t mem_attrs_to_wid(MemTxAttrs attrs);
> > >   bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock);
> >
>

Re: [PATCH v2 06/18] target/riscv: Add CPU options of WorldGuard CPU extension

[Jim Shu]

I will send a v3 patch to fix it, thanks!

- Jim

On Sat, Aug 9, 2025 at 8:48 PM Daniel Henrique Barboza
<dbarboza@ventanamicro.com> wrote:
>
>
>
> On 4/17/25 7:52 AM, Jim Shu wrote:
> > We define CPU options for WG CSR support in RISC-V CPUs which
> > can be set by machine/device emulation. The RISC-V CSR emulation
> > will also check this feature for emulating WG CSRs.
> >
> > Signed-off-by: Jim Shu <jim.shu@sifive.com>
> > ---
> >   target/riscv/cpu.c         |  3 +++
> >   target/riscv/cpu_cfg.h     |  3 +++
> >   target/riscv/tcg/tcg-cpu.c | 11 +++++++++++
> >   3 files changed, 17 insertions(+)
> >
> > diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
> > index 09ded6829a..a182e8c61f 100644
> > --- a/target/riscv/cpu.c
> > +++ b/target/riscv/cpu.c
> > @@ -236,6 +236,9 @@ const RISCVIsaExtData isa_edata_arr[] = {
> >       ISA_EXT_DATA_ENTRY(xtheadmempair, PRIV_VERSION_1_11_0, ext_xtheadmempair),
> >       ISA_EXT_DATA_ENTRY(xtheadsync, PRIV_VERSION_1_11_0, ext_xtheadsync),
> >       ISA_EXT_DATA_ENTRY(xventanacondops, PRIV_VERSION_1_12_0, ext_XVentanaCondOps),
> > +    ISA_EXT_DATA_ENTRY(smwg, PRIV_VERSION_1_12_0, ext_smwg),
> > +    ISA_EXT_DATA_ENTRY(smwgd, PRIV_VERSION_1_12_0, ext_smwgd),
> > +    ISA_EXT_DATA_ENTRY(sswg, PRIV_VERSION_1_12_0, ext_sswg),
>
> We need to keep isa_edata_arr in order because we use it to create the riscv,isa DT:
>
>
> $ git diff
> diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
> index d055ddf462..714fff9c33 100644
> --- a/target/riscv/cpu.c
> +++ b/target/riscv/cpu.c
> @@ -207,6 +207,8 @@ const RISCVIsaExtData isa_edata_arr[] = {
>       ISA_EXT_DATA_ENTRY(smmpm, PRIV_VERSION_1_13_0, ext_smmpm),
>       ISA_EXT_DATA_ENTRY(smnpm, PRIV_VERSION_1_13_0, ext_smnpm),
>       ISA_EXT_DATA_ENTRY(smstateen, PRIV_VERSION_1_12_0, ext_smstateen),
> +    ISA_EXT_DATA_ENTRY(smwg, PRIV_VERSION_1_12_0, ext_smwg),
> +    ISA_EXT_DATA_ENTRY(smwgd, PRIV_VERSION_1_12_0, ext_smwgd),
>       ISA_EXT_DATA_ENTRY(ssaia, PRIV_VERSION_1_12_0, ext_ssaia),
>       ISA_EXT_DATA_ENTRY(ssccfg, PRIV_VERSION_1_13_0, ext_ssccfg),
>       ISA_EXT_DATA_ENTRY(ssccptr, PRIV_VERSION_1_11_0, has_priv_1_11),
> @@ -222,6 +224,7 @@ const RISCVIsaExtData isa_edata_arr[] = {
>       ISA_EXT_DATA_ENTRY(sstvala, PRIV_VERSION_1_12_0, has_priv_1_12),
>       ISA_EXT_DATA_ENTRY(sstvecd, PRIV_VERSION_1_12_0, has_priv_1_12),
>       ISA_EXT_DATA_ENTRY(ssu64xl, PRIV_VERSION_1_12_0, has_priv_1_12),
> +    ISA_EXT_DATA_ENTRY(sswg, PRIV_VERSION_1_12_0, ext_sswg),
>       ISA_EXT_DATA_ENTRY(supm, PRIV_VERSION_1_13_0, ext_supm),
>       ISA_EXT_DATA_ENTRY(svade, PRIV_VERSION_1_11_0, ext_svade),
>
>
>
> Thanks,
>
> Daniel
>
> >
> >       { },
> >   };
> > diff --git a/target/riscv/cpu_cfg.h b/target/riscv/cpu_cfg.h
> > index 8a843482cc..a5b045aa2f 100644
> > --- a/target/riscv/cpu_cfg.h
> > +++ b/target/riscv/cpu_cfg.h
> > @@ -143,6 +143,9 @@ struct RISCVCPUConfig {
> >       bool ext_smmpm;
> >       bool ext_sspm;
> >       bool ext_supm;
> > +    bool ext_smwg;
> > +    bool ext_smwgd;
> > +    bool ext_sswg;
> >       bool rvv_ta_all_1s;
> >       bool rvv_ma_all_1s;
> >       bool rvv_vl_half_avl;
> > diff --git a/target/riscv/tcg/tcg-cpu.c b/target/riscv/tcg/tcg-cpu.c
> > index 5aef9eef36..343e46e698 100644
> > --- a/target/riscv/tcg/tcg-cpu.c
> > +++ b/target/riscv/tcg/tcg-cpu.c
> > @@ -694,6 +694,17 @@ void riscv_cpu_validate_set_extensions(RISCVCPU *cpu, Error **errp)
> >           cpu->cfg.ext_ssctr = false;
> >       }
> >
> > +    /* RISC-V WorldGuard */
> > +    if (cpu->cfg.ext_sswg && !cpu->cfg.ext_smwg) {
> > +        error_setg(errp, "Sswg extension requires Smwg extension");
> > +        return;
> > +    }
> > +
> > +    if (cpu->cfg.ext_smwgd != cpu->cfg.ext_sswg) {
> > +        error_setg(errp, "Smwgd/Sswg extensions should be enabled together");
> > +        return;
> > +    }
> > +
> >       /*
> >        * Disable isa extensions based on priv spec after we
> >        * validated and set everything we need.
>

Re: [PATCH v2 14/18] hw/misc: riscv_wgchecker: Implement RISC-V WorldGuard Checker

[Jim Shu]

I will send a v3 patch to fix it, thanks!

- Jim

On Sun, Aug 10, 2025 at 12:39 AM Daniel Henrique Barboza
<dbarboza@ventanamicro.com> wrote:
>
>
>
> On 4/17/25 7:52 AM, Jim Shu wrote:
> > Implement the RISC-V WorldGuard Checker, which sits in front of RAM or
> > device MMIO and allow software to configure it to either pass through or
> > reject transactions.
> >
> > We implement the wgChecker as a QEMU IOMMU, which will direct transactions
> > either through to the devices and memory behind it or to a special
> > "never works" AddressSpace if they are blocked.
> >
> > This initial commit implements the skeleton of the device:
> >   * it always permits accesses
> >   * it doesn't implement wgChecker's slot registers
> >   * it doesn't implement the interrupt or other behaviour
> >     for blocked transactions
> >
> > Signed-off-by: Jim Shu <jim.shu@sifive.com>
> > ---
> >   hw/misc/meson.build                |   2 +-
> >   hw/misc/riscv_wgchecker.c          | 603 +++++++++++++++++++++++++++++
> >   hw/misc/trace-events               |   8 +
> >   include/hw/misc/riscv_worldguard.h |  63 +++
> >   4 files changed, 675 insertions(+), 1 deletion(-)
> >   create mode 100644 hw/misc/riscv_wgchecker.c
> >
> > diff --git a/hw/misc/meson.build b/hw/misc/meson.build
> > index 3d2f4bb6a3..73c11bc7c9 100644
> > --- a/hw/misc/meson.build
> > +++ b/hw/misc/meson.build
> > @@ -34,7 +34,7 @@ system_ss.add(when: 'CONFIG_SIFIVE_E_PRCI', if_true: files('sifive_e_prci.c'))
> >   system_ss.add(when: 'CONFIG_SIFIVE_E_AON', if_true: files('sifive_e_aon.c'))
> >   system_ss.add(when: 'CONFIG_SIFIVE_U_OTP', if_true: files('sifive_u_otp.c'))
> >   system_ss.add(when: 'CONFIG_SIFIVE_U_PRCI', if_true: files('sifive_u_prci.c'))
> > -specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c'))
> > +specific_ss.add(when: 'CONFIG_RISCV_WORLDGUARD', if_true: files('riscv_worldguard.c', 'riscv_wgchecker.c'))
> >
> >   subdir('macio')
> >
> > diff --git a/hw/misc/riscv_wgchecker.c b/hw/misc/riscv_wgchecker.c
> > new file mode 100644
> > index 0000000000..ea50f4f53a
> > --- /dev/null
> > +++ b/hw/misc/riscv_wgchecker.c
> > @@ -0,0 +1,603 @@
>
> (...)
>
> > +
> > +static void riscv_wgchecker_realize(DeviceState *dev, Error **errp)
> > +{
> > +    Object *obj = OBJECT(dev);
> > +    RISCVWgCheckerState *s = RISCV_WGCHECKER(dev);
> > +    uint64_t size;
> > +
> > +    if (worldguard_config == NULL) {
> > +        error_setg(errp, "Couldn't find global WorldGuard configs. "
> > +                   "Please realize %s device at first.",
>
> Extra "at":  "Please realize %s device first."
>
>
> Everything else LGTM:
>
>
> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
>
> > +                   TYPE_RISCV_WORLDGUARD);
> > +        return;
> > +    }
> > +
> > +    if (s->slot_count == 0) {
> > +        error_setg(errp, "wgChecker slot-count couldn't be zero.");
> > +        return;
> > +    }
> > +
> > +    memory_region_init_io(&s->mmio, OBJECT(dev), &riscv_wgchecker_ops, s,
> > +                          TYPE_RISCV_WGCHECKER, s->mmio_size);
> > +    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->mmio);
> > +    sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->irq);
> > +
> > +    /* Address range should be NAPOT alignment */
> > +    address_range_align_napot(s);
> > +
> > +    for (int i=0; i<WGC_NUM_REGIONS; i++) {
> > +        WgCheckerRegion *region = &s->mem_regions[i];
> > +
> > +        if (!region->downstream) {
> > +            continue;
> > +        }
> > +        region->wgchecker = s;
> > +
> > +        const char *upstream_name = g_strdup_printf(
> > +            "wgchecker-upstream-%"HWADDR_PRIx, region->region_offset);
> > +        const char *downstream_name = g_strdup_printf(
> > +            "wgchecker-downstream-%"HWADDR_PRIx, region->region_offset);
> > +
> > +        size = memory_region_size(region->downstream);
> > +        memory_region_init_iommu(&region->upstream, sizeof(region->upstream),
> > +                                 TYPE_RISCV_WGC_IOMMU_MEMORY_REGION,
> > +                                 obj, upstream_name, size);
> > +
> > +        /* upstream MRs are 2nd ~ (n+1)th MemoryRegion. */
> > +        sysbus_init_mmio(SYS_BUS_DEVICE(dev), MEMORY_REGION(&region->upstream));
> > +
> > +        /*
> > +         * This memory region is not exposed to users of this device as a
> > +         * sysbus MMIO region, but is instead used internally as something
> > +         * that our IOMMU translate function might direct accesses to.
> > +         */
> > +        memory_region_init_io(&region->blocked_io, obj, &riscv_wgc_mem_blocked_ops,
> > +                              region, "wgchecker-blocked-io", size);
> > +
> > +        address_space_init(&region->downstream_as, region->downstream,
> > +                           downstream_name);
> > +        address_space_init(&region->blocked_io_as, &region->blocked_io,
> > +                           "wgchecker-blocked-io");
> > +    }
> > +}
> > +
> > +static void riscv_wgchecker_unrealize(DeviceState *dev)
> > +{
> > +    RISCVWgCheckerState *s = RISCV_WGCHECKER(dev);
> > +
> > +    g_free(s->slots);
> > +    if (s->num_default_slots && s->default_slots) {
> > +        g_free(s->default_slots);
> > +    }
> > +}
> > +
> > +static void riscv_wgchecker_reset_enter(Object *obj, ResetType type)
> > +{
> > +    RISCVWgCheckerState *s = RISCV_WGCHECKER(obj);
> > +    uint64_t start = s->addr_range_start;
> > +    uint64_t end = s->addr_range_start + s->addr_range_size;
> > +    int nslots = s->slot_count;
> > +
> > +    s->errcause = 0;
> > +    s->erraddr = 0;
> > +}
> > +
> > +static void riscv_wgchecker_class_init(ObjectClass *klass, void *data)
> > +{
> > +    DeviceClass *dc = DEVICE_CLASS(klass);
> > +
> > +    device_class_set_props(dc, riscv_wgchecker_properties);
> > +    dc->user_creatable = true;
> > +    dc->realize = riscv_wgchecker_realize;
> > +    dc->unrealize = riscv_wgchecker_unrealize;
> > +    ResettableClass *rc = RESETTABLE_CLASS(klass);
> > +    rc->phases.enter = riscv_wgchecker_reset_enter;
> > +}
> > +
> > +static void riscv_wgchecker_instance_init(Object *obj)
> > +{
> > +    RISCVWgCheckerState *s = RISCV_WGCHECKER(obj);
> > +
> > +    s->num_default_slots = 0;
> > +}
> > +
> > +static const TypeInfo riscv_wgchecker_info = {
> > +    .name          = TYPE_RISCV_WGCHECKER,
> > +    .parent        = TYPE_SYS_BUS_DEVICE,
> > +    .instance_init = riscv_wgchecker_instance_init,
> > +    .instance_size = sizeof(RISCVWgCheckerState),
> > +    .class_init    = riscv_wgchecker_class_init,
> > +};
> > +
> > +static void riscv_wgchecker_register_types(void)
> > +{
> > +    type_register_static(&riscv_wgchecker_info);
> > +    type_register_static(&riscv_wgc_iommu_memory_region_info);
> > +}
> > +
> > +type_init(riscv_wgchecker_register_types)
> > +
> > +/*
> > + * Create WgChecker device
> > + */
> > +DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size,
> > +                                    qemu_irq irq, uint32_t slot_count,
> > +                                    uint64_t addr_range_start,
> > +                                    uint64_t addr_range_size,
> > +                                    uint32_t num_of_region,
> > +                                    MemoryRegion **downstream,
> > +                                    uint64_t *region_offset,
> > +                                    uint32_t num_default_slots,
> > +                                    WgCheckerSlot *default_slots)
> > +{
> > +    DeviceState *dev = qdev_new(TYPE_RISCV_WGCHECKER);
> > +    RISCVWgCheckerState *s = RISCV_WGCHECKER(dev);
> > +    char name_mr[32];
> > +    char name_offset[32];
> > +    int i;
> > +
> > +    qdev_prop_set_uint32(dev, "slot-count", slot_count);
> > +    qdev_prop_set_uint32(dev, "mmio-size", size);
> > +    qdev_prop_set_uint64(dev, "addr-range-start", addr_range_start);
> > +    if (addr_range_size) {
> > +        qdev_prop_set_uint64(dev, "addr-range-size", addr_range_size);
> > +    }
> > +
> > +    g_assert(num_of_region <= WGC_NUM_REGIONS);
> > +    for (i=0; i<num_of_region; i++) {
> > +        snprintf(name_mr, 32, "downstream-mr[%d]", i);
> > +        snprintf(name_offset, 32, "region-offset[%d]", i);
> > +
> > +        object_property_set_link(OBJECT(dev), name_mr,
> > +                                 OBJECT(downstream[i]), &error_fatal);
> > +        qdev_prop_set_uint64(dev, name_offset, region_offset[i]);
> > +    }
> > +
> > +    sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
> > +    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, addr);
> > +    sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, irq);
> > +    return dev;
> > +}
> > diff --git a/hw/misc/trace-events b/hw/misc/trace-events
> > index 4383808d7a..b1d8538220 100644
> > --- a/hw/misc/trace-events
> > +++ b/hw/misc/trace-events
> > @@ -395,3 +395,11 @@ ivshmem_flat_interrupt_peer(uint16_t peer_id, uint16_t vector_id) "Interrupting
> >   i2c_echo_event(const char *id, const char *event) "%s: %s"
> >   i2c_echo_recv(const char *id, uint8_t data) "%s: recv 0x%02" PRIx8
> >   i2c_echo_send(const char *id, uint8_t data) "%s: send 0x%02" PRIx8
> > +
> > +# riscv_worldguard.c
> > +riscv_wgchecker_mmio_read(uint64_t base, uint64_t offset, unsigned int size) "base = 0x%"PRIx64", offset = 0x%"PRIx64", size = 0x%x"
> > +riscv_wgchecker_mmio_write(uint64_t base, uint64_t offset, unsigned int size, uint64_t val) "base = 0x%"PRIx64", offset = 0x%"PRIx64", size = 0x%x, val = 0x%"PRIx64
> > +
> > +riscv_wgc_mem_blocked_read(uint64_t addr, unsigned size, uint32_t wid) "wgChecker blocked read: offset 0x%" PRIx64 " size %u wid %" PRIu32
> > +riscv_wgc_mem_blocked_write(uint64_t addr, uint64_t data, unsigned size, uint32_t wid) "wgChecker blocked write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u wid %" PRIu32
> > +riscv_wgc_translate(uint64_t addr, int flags, int wid, const char *res) "wgChecker translate: addr 0x%016" PRIx64 " flags 0x%x wid %d: %s"
> > diff --git a/include/hw/misc/riscv_worldguard.h b/include/hw/misc/riscv_worldguard.h
> > index 211a72e438..7b5aae866a 100644
> > --- a/include/hw/misc/riscv_worldguard.h
> > +++ b/include/hw/misc/riscv_worldguard.h
> > @@ -53,4 +53,67 @@ void riscv_worldguard_apply_cpu(uint32_t hartid);
> >   uint32_t mem_attrs_to_wid(MemTxAttrs attrs);
> >   bool could_access_wgblocks(MemTxAttrs attrs, const char *wgblock);
> >
> > +#define TYPE_RISCV_WGCHECKER  "riscv.wgchecker"
> > +
> > +typedef struct RISCVWgCheckerState RISCVWgCheckerState;
> > +DECLARE_INSTANCE_CHECKER(RISCVWgCheckerState, RISCV_WGCHECKER,
> > +                         TYPE_RISCV_WGCHECKER)
> > +
> > +#define TYPE_RISCV_WGC_IOMMU_MEMORY_REGION    "riscv-wgc-iommu-memory-region"
> > +
> > +typedef struct WgCheckerSlot WgCheckerSlot;
> > +struct WgCheckerSlot {
> > +    uint64_t addr;
> > +    uint64_t perm;
> > +    uint32_t cfg;
> > +};
> > +
> > +typedef struct WgCheckerRegion WgCheckerRegion;
> > +struct WgCheckerRegion {
> > +    MemoryRegion *downstream;
> > +    uint64_t region_offset;
> > +
> > +    IOMMUMemoryRegion upstream;
> > +    MemoryRegion blocked_io;
> > +    AddressSpace downstream_as;
> > +    AddressSpace blocked_io_as;
> > +
> > +    RISCVWgCheckerState *wgchecker;
> > +};
> > +
> > +#define WGC_NUM_REGIONS     16
> > +
> > +struct RISCVWgCheckerState {
> > +    /*< private >*/
> > +    SysBusDevice parent_obj;
> > +
> > +    /*< public >*/
> > +    MemoryRegion mmio;
> > +    qemu_irq irq;
> > +
> > +    /* error reg */
> > +    uint64_t errcause;
> > +    uint64_t erraddr;
> > +
> > +    /* Memory regions protected by wgChecker */
> > +    WgCheckerRegion mem_regions[WGC_NUM_REGIONS];
> > +
> > +    /* Property */
> > +    uint32_t slot_count; /* nslots */
> > +    uint32_t mmio_size;
> > +    uint64_t addr_range_start;
> > +    uint64_t addr_range_size;
> > +    bool hw_bypass;
> > +};
> > +
> > +DeviceState *riscv_wgchecker_create(hwaddr addr, uint32_t size,
> > +                                    qemu_irq irq, uint32_t slot_count,
> > +                                    uint64_t addr_range_start,
> > +                                    uint64_t addr_range_size,
> > +                                    uint32_t num_of_region,
> > +                                    MemoryRegion **downstream,
> > +                                    uint64_t *region_offset,
> > +                                    uint32_t num_default_slots,
> > +                                    WgCheckerSlot *default_slots);
> > +
> >   #endif
>

Re: [PATCH v2 18/18] hw/riscv: virt: Add WorldGuard support

[Jim Shu]

I will send a v3 patch to fix it, thanks!

- Jim

On Sun, Aug 10, 2025 at 12:54 AM Daniel Henrique Barboza
<dbarboza@ventanamicro.com> wrote:
>
>
>
> On 4/17/25 7:52 AM, Jim Shu wrote:
> > * Add 'wg=on' option to enable RISC-V WorldGuard
> > * Add wgChecker to protect several resources:
> >    DRAM, FLASH, UART.
> >
> > Signed-off-by: Jim Shu <jim.shu@sifive.com>
> > ---
> >   docs/system/riscv/virt.rst |  20 +++++
> >   hw/riscv/Kconfig           |   1 +
> >   hw/riscv/virt.c            | 163 ++++++++++++++++++++++++++++++++++++-
> >   include/hw/riscv/virt.h    |  15 +++-
> >   4 files changed, 195 insertions(+), 4 deletions(-)
> >
> > diff --git a/docs/system/riscv/virt.rst b/docs/system/riscv/virt.rst
> > index 60850970ce..eef1233350 100644
> > --- a/docs/system/riscv/virt.rst
> > +++ b/docs/system/riscv/virt.rst
> > @@ -146,6 +146,26 @@ The following machine-specific options are supported:
> >
> >     Enables the riscv-iommu-sys platform device. Defaults to 'off'.
> >
> > +- wg=[on|off]
> > +
> > +  When this option is "on", RISC-V WorldGuard will be enabled in the system
> > +  to provide the isolation of multiple worlds. RISC-V HARTs will enable WG
> > +  extensions to have WID in memory transaction. wgCheckers in front of RAMs
> > +  and device MMIO will be enabled to provide the access control of resources
> > +  if the transaction contains WID. When not specified, this option is assumed
> > +  to be "off".
> > +
> > +  The WG configuration of virt machine includes 4 worlds. For WG configuration
> > +  of CPUs, the M-mode WID of CPU (``mwid``) is set to the largest WID number,
> > +  and the authorized WID list of CPU (``mwidlist``) includes all WIDs. We can
> > +  modify the configuration of all CPUs via ``x-mwid`` and ``x-mwidlist``
> > +  CPU options. There are 3 wgCheckers in the virt machine, which separately
> > +  protects DRAM, FLASH, and UART. Default WG configuration on the virt machine
> > +  is enough to run the demo of dual OSes in the different worlds. For example,
> > +  running both Linux kernel and Secure OS (e.g. OP-TEE) in it's own world.
> > +
> > +  This option is restricted to the TCG accelerator.
> > +
> >   Running Linux kernel
> >   --------------------
> >
> > diff --git a/hw/riscv/Kconfig b/hw/riscv/Kconfig
> > index e6a0ac1fa1..5c3e7b3479 100644
> > --- a/hw/riscv/Kconfig
> > +++ b/hw/riscv/Kconfig
> > @@ -68,6 +68,7 @@ config RISCV_VIRT
> >       select PLATFORM_BUS
> >       select ACPI
> >       select ACPI_PCI
> > +    select RISCV_WORLDGUARD
> >
> >   config SHAKTI_C
> >       bool
> > diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
> > index e517002fdf..da873bc8b8 100644
> > --- a/hw/riscv/virt.c
> > +++ b/hw/riscv/virt.c
> > @@ -58,6 +58,7 @@
> >   #include "qapi/qapi-visit-common.h"
> >   #include "hw/virtio/virtio-iommu.h"
> >   #include "hw/uefi/var-service-api.h"
> > +#include "hw/misc/riscv_worldguard.h"
> >
> >   /* KVM AIA only supports APLIC MSI. APLIC Wired is always emulated by QEMU. */
> >   static bool virt_use_kvm_aia_aplic_imsic(RISCVVirtAIAType aia_type)
> > @@ -89,6 +90,9 @@ static const MemMapEntry virt_memmap[] = {
> >       [VIRT_PCIE_PIO] =     {  0x3000000,       0x10000 },
> >       [VIRT_IOMMU_SYS] =    {  0x3010000,        0x1000 },
> >       [VIRT_PLATFORM_BUS] = {  0x4000000,     0x2000000 },
> > +    [VIRT_WGC_DRAM] =     {  0x6000000,        0x1000 },
> > +    [VIRT_WGC_FLASH] =    {  0x6001000,        0x1000 },
> > +    [VIRT_WGC_UART] =     {  0x6002000,        0x1000 },
> >       [VIRT_PLIC] =         {  0xc000000, VIRT_PLIC_SIZE(VIRT_CPUS_MAX * 2) },
> >       [VIRT_APLIC_M] =      {  0xc000000, APLIC_SIZE(VIRT_CPUS_MAX) },
> >       [VIRT_APLIC_S] =      {  0xd000000, APLIC_SIZE(VIRT_CPUS_MAX) },
> > @@ -114,6 +118,38 @@ static MemMapEntry virt_high_pcie_memmap;
> >
> >   #define VIRT_FLASH_SECTOR_SIZE (256 * KiB)
> >
> > +/* wgChecker helpers */
> > +typedef struct WGCInfo {
> > +    int memmap_idx;
> > +    uint32_t irq_num;
> > +    uint32_t slot_count;
> > +
> > +    int num_of_child;
> > +    MemoryRegion *c_region[WGC_NUM_REGIONS];
> > +    uint64_t c_offset[WGC_NUM_REGIONS];
> > +} WGCInfo;
> > +
> > +enum {
> > +    WGC_DRAM,
> > +    WGC_FLASH,
> > +    WGC_UART,
> > +    WGC_NUM,
> > +};
> > +
> > +static WGCInfo virt_wgcinfo[] = {
> > +    [WGC_DRAM]  = { VIRT_WGC_DRAM, WGC_DRAM_IRQ, 16 },
> > +    [WGC_FLASH] = { VIRT_WGC_FLASH, WGC_FLASH_IRQ, 16 },
> > +    [WGC_UART]  = { VIRT_WGC_UART, WGC_UART_IRQ, 1 },
> > +};
> > +
> > +static void wgc_append_child(WGCInfo *info, MemoryRegion *region,
> > +                             uint64_t offset)
> > +{
> > +    info->c_region[info->num_of_child] = region;
> > +    info->c_offset[info->num_of_child] = offset;
> > +    info->num_of_child += 1;
> > +}
> > +
> >   static PFlashCFI01 *virt_flash_create1(RISCVVirtState *s,
> >                                          const char *name,
> >                                          const char *alias_prop_name)
> > @@ -164,7 +200,8 @@ static void virt_flash_map1(PFlashCFI01 *flash,
> >   }
> >
> >   static void virt_flash_map(RISCVVirtState *s,
> > -                           MemoryRegion *sysmem)
> > +                           MemoryRegion *sysmem,
> > +                           WGCInfo *info)
> >   {
> >       hwaddr flashsize = virt_memmap[VIRT_FLASH].size / 2;
> >       hwaddr flashbase = virt_memmap[VIRT_FLASH].base;
> > @@ -173,6 +210,15 @@ static void virt_flash_map(RISCVVirtState *s,
> >                       sysmem);
> >       virt_flash_map1(s->flash[1], flashbase + flashsize, flashsize,
> >                       sysmem);
> > +
> > +    if (info) {
> > +        wgc_append_child(info,
> > +                         sysbus_mmio_get_region(SYS_BUS_DEVICE(s->flash[0]), 0),
> > +                         flashbase);
> > +        wgc_append_child(info,
> > +                         sysbus_mmio_get_region(SYS_BUS_DEVICE(s->flash[1]), 0),
> > +                         flashbase + flashsize);
> > +    }
> >   }
> >
> >   static void create_pcie_irq_map(RISCVVirtState *s, void *fdt, char *nodename,
> > @@ -1426,6 +1472,71 @@ static void virt_build_smbios(RISCVVirtState *s)
> >       }
> >   }
> >
> > +static DeviceState *create_wgc(WGCInfo *info, DeviceState *irqchip)
> > +{
> > +    MemoryRegion *system_memory = get_system_memory();
> > +    DeviceState *wgc;
> > +    MemoryRegion *upstream_mr, *downstream_mr;
> > +    qemu_irq irq = qdev_get_gpio_in(irqchip, info->irq_num);
> > +    hwaddr base, size;
> > +
> > +    /* Unmap downstream_mr from system_memory if it is already mapped. */
> > +    for (int i=0; i<info->num_of_child; i++) {
> > +        downstream_mr = info->c_region[i];
> > +
> > +        g_assert(downstream_mr);
> > +        if (downstream_mr->container == system_memory) {
> > +            memory_region_del_subregion(system_memory, downstream_mr);
> > +        }
> > +
> > +        /*
> > +         * Clear the offset of downstream_mr, so we could correctly do
> > +         * address_space_init() to it in wgchecker.
> > +         */
> > +        memory_region_set_address(downstream_mr, 0);
> > +    }
> > +
> > +    base = virt_memmap[info->memmap_idx].base;
> > +    size = virt_memmap[info->memmap_idx].size;
> > +
> > +    wgc = riscv_wgchecker_create(
> > +        base, size, irq, info->slot_count, 0, 0,
> > +        info->num_of_child, info->c_region, info->c_offset, 0, NULL);
> > +
> > +    /* Map upstream_mr to system_memory */
> > +    for (int i=0; i<info->num_of_child; i++) {
> > +        upstream_mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(wgc), i+1);
> > +        g_assert(upstream_mr);
> > +        memory_region_add_subregion(system_memory, info->c_offset[i], upstream_mr);
> > +    }
> > +
> > +    return wgc;
> > +}
> > +
> > +static void virt_create_worldguard(WGCInfo *wgcinfo, int wgc_num,
> > +                                   DeviceState *irqchip)
> > +{
> > +    CPUState *cpu;
> > +
> > +    /* Global WG config */
> > +    riscv_worldguard_create(VIRT_WG_NWORLDS,
> > +                            VIRT_WG_TRUSTEDWID,
> > +                            VIRT_WG_HWBYPASS,
> > +                            VIRT_WG_TZCOMPAT);
> > +
> > +    /* Enable WG extension of each CPU */
> > +    CPU_FOREACH(cpu) {
> > +        CPURISCVState *env = cpu ? cpu_env(cpu) : NULL;
> > +
> > +        riscv_worldguard_apply_cpu(env->mhartid);
> > +    }
> > +
> > +    /* Create all wgChecker devices */
> > +    for (int i=0; i<wgc_num; i++) {
> > +        create_wgc(&wgcinfo[i], DEVICE(irqchip));
> > +    }
> > +}
> > +
> >   static void virt_machine_done(Notifier *notifier, void *data)
> >   {
> >       RISCVVirtState *s = container_of(notifier, RISCVVirtState,
> > @@ -1527,10 +1638,12 @@ static void virt_machine_done(Notifier *notifier, void *data)
> >   static void virt_machine_init(MachineState *machine)
> >   {
> >       const MemMapEntry *memmap = virt_memmap;
> > +    WGCInfo *wgcinfo = virt_wgcinfo;
> >       RISCVVirtState *s = RISCV_VIRT_MACHINE(machine);
> >       MemoryRegion *system_memory = get_system_memory();
> >       MemoryRegion *mask_rom = g_new(MemoryRegion, 1);
> >       DeviceState *mmio_irqchip, *virtio_irqchip, *pcie_irqchip;
> > +    SerialMM *uart;
> >       int i, base_hartid, hart_count;
> >       int socket_count = riscv_socket_count(machine);
> >
> > @@ -1546,6 +1659,11 @@ static void virt_machine_init(MachineState *machine)
> >           exit(1);
> >       }
> >
> > +    if (!tcg_enabled() && s->have_wg) {
> > +        error_report("'wg' is only available with TCG acceleration");
> > +        exit(1);
> > +    }
> > +
> >       /* Initialize sockets */
> >       mmio_irqchip = virtio_irqchip = pcie_irqchip = NULL;
> >       for (i = 0; i < socket_count; i++) {
> > @@ -1673,6 +1791,10 @@ static void virt_machine_init(MachineState *machine)
> >       memory_region_add_subregion(system_memory, memmap[VIRT_DRAM].base,
> >           machine->ram);
> >
> > +    if (tcg_enabled() && s->have_wg) {
> > +        wgc_append_child(&wgcinfo[WGC_DRAM], machine->ram, memmap[VIRT_DRAM].base);
> > +    }
>
> I see this "(tcg_enabled() && s->have_wg)" check being used throughout the code.
> Given that s->have_wg is a machine property "wg":
>
> > +    object_class_property_add_bool(oc, "wg", virt_get_wg,
> > +                                   virt_set_wg);
>
> I suggest changing the getter to check for TCG:
>
> > +static bool virt_get_wg(Object *obj, Error **errp)
> > +{
> > +    RISCVVirtState *s = RISCV_VIRT_MACHINE(obj);
> > +
> > +    return tcg_enabled() && s->have_wg;
> > +}
>
> And then each time you need to check "tcg_enabled() && s->have_wg" you do a:
>
> if (object_property_get_bool(OBJECT(s), "wg")) ...
>
>
> If you don't want to use QOM feel free to use virt_get_wg() directly too.
>
>
> Everything else LGTM. Thanks,
>
>
> Daniel
>
>
>
>
> > +
> >       /* boot rom */
> >       memory_region_init_rom(mask_rom, NULL, "riscv_virt_board.mrom",
> >                              memmap[VIRT_MROM].size, &error_fatal);
> > @@ -1700,10 +1822,16 @@ static void virt_machine_init(MachineState *machine)
> >
> >       create_platform_bus(s, mmio_irqchip);
> >
> > -    serial_mm_init(system_memory, memmap[VIRT_UART0].base,
> > +    uart = serial_mm_init(system_memory, memmap[VIRT_UART0].base,
> >           0, qdev_get_gpio_in(mmio_irqchip, UART0_IRQ), 399193,
> >           serial_hd(0), DEVICE_LITTLE_ENDIAN);
> >
> > +    if (tcg_enabled() && s->have_wg) {
> > +        wgc_append_child(&wgcinfo[WGC_UART],
> > +                         sysbus_mmio_get_region(SYS_BUS_DEVICE(uart), 0),
> > +                         memmap[VIRT_UART0].base);
> > +    }
> > +
> >       sysbus_create_simple("goldfish_rtc", memmap[VIRT_RTC].base,
> >           qdev_get_gpio_in(mmio_irqchip, RTC_IRQ));
> >
> > @@ -1712,7 +1840,16 @@ static void virt_machine_init(MachineState *machine)
> >           pflash_cfi01_legacy_drive(s->flash[i],
> >                                     drive_get(IF_PFLASH, 0, i));
> >       }
> > -    virt_flash_map(s, system_memory);
> > +
> > +    if (tcg_enabled() && s->have_wg) {
> > +        virt_flash_map(s, system_memory, &wgcinfo[WGC_FLASH]);
> > +    } else {
> > +        virt_flash_map(s, system_memory, NULL);
> > +    }
> > +
> > +    if (tcg_enabled() && s->have_wg) {
> > +        virt_create_worldguard(wgcinfo, WGC_NUM, mmio_irqchip);
> > +    }
> >
> >       /* load/create device tree */
> >       if (machine->dtb) {
> > @@ -1757,6 +1894,20 @@ static void virt_machine_instance_init(Object *obj)
> >       s->iommu_sys = ON_OFF_AUTO_AUTO;
> >   }
> >
> > +static bool virt_get_wg(Object *obj, Error **errp)
> > +{
> > +    RISCVVirtState *s = RISCV_VIRT_MACHINE(obj);
> > +
> > +    return s->have_wg;
> > +}
> > +
> > +static void virt_set_wg(Object *obj, bool value, Error **errp)
> > +{
> > +    RISCVVirtState *s = RISCV_VIRT_MACHINE(obj);
> > +
> > +    s->have_wg = value;
> > +}
> > +
> >   static char *virt_get_aia_guests(Object *obj, Error **errp)
> >   {
> >       RISCVVirtState *s = RISCV_VIRT_MACHINE(obj);
> > @@ -1977,6 +2128,12 @@ static void virt_machine_class_init(ObjectClass *oc, void *data)
> >                                 NULL, NULL);
> >       object_class_property_set_description(oc, "iommu-sys",
> >                                             "Enable IOMMU platform device");
> > +
> > +    object_class_property_add_bool(oc, "wg", virt_get_wg,
> > +                                   virt_set_wg);
> > +    object_class_property_set_description(oc, "wg",
> > +                                              "Set on/off to enable/disable the "
> > +                                              "RISC-V WorldGuard.");
> >   }
> >
> >   static const TypeInfo virt_machine_typeinfo = {
> > diff --git a/include/hw/riscv/virt.h b/include/hw/riscv/virt.h
> > index 48a14bea2e..3a631a6a23 100644
> > --- a/include/hw/riscv/virt.h
> > +++ b/include/hw/riscv/virt.h
> > @@ -57,6 +57,7 @@ struct RISCVVirtState {
> >       bool have_aclint;
> >       RISCVVirtAIAType aia_type;
> >       int aia_guests;
> > +    bool have_wg;
> >       char *oem_id;
> >       char *oem_table_id;
> >       OnOffAuto acpi;
> > @@ -87,11 +88,17 @@ enum {
> >       VIRT_PLATFORM_BUS,
> >       VIRT_PCIE_ECAM,
> >       VIRT_IOMMU_SYS,
> > +    VIRT_WGC_DRAM,
> > +    VIRT_WGC_FLASH,
> > +    VIRT_WGC_UART
> >   };
> >
> >   enum {
> >       UART0_IRQ = 10,
> >       RTC_IRQ = 11,
> > +    WGC_DRAM_IRQ = 15,
> > +    WGC_FLASH_IRQ = 16,
> > +    WGC_UART_IRQ = 17,
> >       VIRTIO_IRQ = 1, /* 1 to 8 */
> >       VIRTIO_COUNT = 8,
> >       PCIE_IRQ = 0x20, /* 32 to 35 */
> > @@ -102,7 +109,7 @@ enum {
> >   #define VIRT_PLATFORM_BUS_NUM_IRQS 32
> >
> >   #define VIRT_IRQCHIP_NUM_MSIS 255
> > -#define VIRT_IRQCHIP_NUM_SOURCES 96
> > +#define VIRT_IRQCHIP_NUM_SOURCES 128
> >   #define VIRT_IRQCHIP_NUM_PRIO_BITS 3
> >   #define VIRT_IRQCHIP_MAX_GUESTS_BITS 3
> >   #define VIRT_IRQCHIP_MAX_GUESTS ((1U << VIRT_IRQCHIP_MAX_GUESTS_BITS) - 1U)
> > @@ -158,4 +165,10 @@ uint32_t imsic_num_bits(uint32_t count);
> >   #error "Can't accommodate all IMSIC groups in address space"
> >   #endif
> >
> > +/* WorldGuard */
> > +#define VIRT_WG_NWORLDS         4
> > +#define VIRT_WG_TRUSTEDWID      3
> > +#define VIRT_WG_HWBYPASS        true
> > +#define VIRT_WG_TZCOMPAT        false
> > +
> >   #endif
>

Re: [PATCH v2 04/18] exec: Add RISC-V WorldGuard WID to MemTxAttrs

[Daniel Henrique Barboza]

On 10/8/25 2:54 AM, Jim Shu wrote:
> Hi Daniel,
> 
> Both '_reserved1' and '_reserved2' fields are only for padding
> MemTxAttrs struct to be 8-byte [1], so I remove a 1-byte reserved
> field when adding 'world_id' field to it.
> Is it ok for you? Or you think it is better to separate them.

It's fine. I suggest adding this explanation in the commit msg to avoid
further questions about it.


Thanks,

Daniel

> 
> 
> [1]
> commit 5014e33b1e00d330f13df33c09a3932ac88f8d94
> Link: https://lore.kernel.org/r/20250121151322.171832-2-zhao1.liu@intel.com
> 
> Thanks!
> 
> On Sat, Aug 9, 2025 at 8:34 PM Daniel Henrique Barboza
> <dbarboza@ventanamicro.com> wrote:
>>
>>
>>
>> On 4/17/25 7:52 AM, Jim Shu wrote:
>>> RISC-V WorldGuard will add 5-bit world_id (WID) to the each memory
>>> transaction on the bus. The wgChecker in front of RAM or peripherals
>>> MMIO could do the access control based on the WID. It is similar to ARM
>>> TrustZone NS bit, but the WID is 5-bit.
>>>
>>> The common implementation of WID is AXI4 AxUSER signal.
>>>
>>> Signed-off-by: Jim Shu <jim.shu@sifive.com>
>>> ---
>>>    include/exec/memattrs.h | 8 ++++++--
>>>    1 file changed, 6 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
>>> index 8db1d30464..7a6866fa41 100644
>>> --- a/include/exec/memattrs.h
>>> +++ b/include/exec/memattrs.h
>>> @@ -54,6 +54,11 @@ typedef struct MemTxAttrs {
>>>         */
>>>        unsigned int pid:8;
>>>
>>> +    /*
>>> +     * RISC-V WorldGuard: the 5-bit WID field of memory access.
>>> +     */
>>> +    unsigned int world_id:5;
>>> +
>>>        /*
>>>         * Bus masters which don't specify any attributes will get this
>>>         * (via the MEMTXATTRS_UNSPECIFIED constant), so that we can
>>> @@ -63,8 +68,7 @@ typedef struct MemTxAttrs {
>>>         */
>>>        bool unspecified;
>>>
>>> -    uint8_t _reserved1;
>>> -    uint16_t _reserved2;
>>> +    uint16_t _reserved1;
>>
>> Is 'reserved2' unused? Not sure why you ended up removing it in this patch.
>>
>> If it's really unused it's ok to remove it but this should be done in separate.
>>
>>
>> Thanks,
>>
>> Daniel
>>
>>
>>>    } MemTxAttrs;
>>>
>>>    QEMU_BUILD_BUG_ON(sizeof(MemTxAttrs) > 8);
>>

Re: [PATCH v2 04/18] exec: Add RISC-V WorldGuard WID to MemTxAttrs

[Jim Shu]

Hi Daniel,

Thanks for the suggestion. I will add it in the v3 patches.

- Jim

On Mon, Oct 13, 2025 at 1:27 AM Daniel Henrique Barboza
<dbarboza@ventanamicro.com> wrote:
>
>
>
> On 10/8/25 2:54 AM, Jim Shu wrote:
> > Hi Daniel,
> >
> > Both '_reserved1' and '_reserved2' fields are only for padding
> > MemTxAttrs struct to be 8-byte [1], so I remove a 1-byte reserved
> > field when adding 'world_id' field to it.
> > Is it ok for you? Or you think it is better to separate them.
>
> It's fine. I suggest adding this explanation in the commit msg to avoid
> further questions about it.
>
>
> Thanks,
>
> Daniel
>
> >
> >
> > [1]
> > commit 5014e33b1e00d330f13df33c09a3932ac88f8d94
> > Link: https://lore.kernel.org/r/20250121151322.171832-2-zhao1.liu@intel.com
> >
> > Thanks!
> >
> > On Sat, Aug 9, 2025 at 8:34 PM Daniel Henrique Barboza
> > <dbarboza@ventanamicro.com> wrote:
> >>
> >>
> >>
> >> On 4/17/25 7:52 AM, Jim Shu wrote:
> >>> RISC-V WorldGuard will add 5-bit world_id (WID) to the each memory
> >>> transaction on the bus. The wgChecker in front of RAM or peripherals
> >>> MMIO could do the access control based on the WID. It is similar to ARM
> >>> TrustZone NS bit, but the WID is 5-bit.
> >>>
> >>> The common implementation of WID is AXI4 AxUSER signal.
> >>>
> >>> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> >>> ---
> >>>    include/exec/memattrs.h | 8 ++++++--
> >>>    1 file changed, 6 insertions(+), 2 deletions(-)
> >>>
> >>> diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
> >>> index 8db1d30464..7a6866fa41 100644
> >>> --- a/include/exec/memattrs.h
> >>> +++ b/include/exec/memattrs.h
> >>> @@ -54,6 +54,11 @@ typedef struct MemTxAttrs {
> >>>         */
> >>>        unsigned int pid:8;
> >>>
> >>> +    /*
> >>> +     * RISC-V WorldGuard: the 5-bit WID field of memory access.
> >>> +     */
> >>> +    unsigned int world_id:5;
> >>> +
> >>>        /*
> >>>         * Bus masters which don't specify any attributes will get this
> >>>         * (via the MEMTXATTRS_UNSPECIFIED constant), so that we can
> >>> @@ -63,8 +68,7 @@ typedef struct MemTxAttrs {
> >>>         */
> >>>        bool unspecified;
> >>>
> >>> -    uint8_t _reserved1;
> >>> -    uint16_t _reserved2;
> >>> +    uint16_t _reserved1;
> >>
> >> Is 'reserved2' unused? Not sure why you ended up removing it in this patch.
> >>
> >> If it's really unused it's ok to remove it but this should be done in separate.
> >>
> >>
> >> Thanks,
> >>
> >> Daniel
> >>
> >>
> >>>    } MemTxAttrs;
> >>>
> >>>    QEMU_BUILD_BUG_ON(sizeof(MemTxAttrs) > 8);
> >>
>