[PATCH v2 0/3] Add QEMU model for ASPEED OTP memory and integrate with SoC

[PATCH v2 0/3] Add QEMU model for ASPEED OTP memory and integrate with SoC

[Kane Chen via]

From: Kane-Chen-AS <kane_chen@aspeedtech.com>

This patch series introduces a QEMU model for the ASPEED OTP (One-Time
Programmable) memory, along with its integration into the Secure Boot
Controller (SBC) and supported SoC (AST2600).

The OTP model emulates a simple fuse array used for secure boot or
device configuration, implemented with internal buffers; external
file/device support not included in this version. It exposes an
AddressSpace to support transaction-based access from controllers
like the SBC.

This series includes:
  - OTP memory device implementation
  - SBC integration with command decoding (READ/PROG)
  - Direct integration in AST2600 SoC without requiring user parameters

Any feedback or suggestions are appreciated!

Kane
---

ChangeLog
---------
v2:
- Rename device from 'aspeed_otpmem' to 'aspeed_otp' and move it to hw/nvram/
- Move OTP device realization from instance_init to the realize function
- Improve error logging with qemu_log_mask() and remove unused error propagation

v1:
- Initial version

---

Kane-Chen-AS (3):
  hw/misc/aspeed_otp: Add ASPEED OTP memory device model
  hw/misc/aspeed_sbc: Connect ASPEED OTP memory device to SBC
  hw/arm: Integrate ASPEED OTP memory support into AST2600 SoCs

 include/hw/misc/aspeed_sbc.h  |   5 ++
 include/hw/nvram/aspeed_otp.h |  30 +++++++++
 hw/arm/aspeed_ast2600.c       |   2 +-
 hw/misc/aspeed_sbc.c          | 119 ++++++++++++++++++++++++++++++++++
 hw/nvram/aspeed_otp.c         |  94 +++++++++++++++++++++++++++
 hw/misc/trace-events          |   5 ++
 hw/nvram/meson.build          |   4 ++
 7 files changed, 258 insertions(+), 1 deletion(-)
 create mode 100644 include/hw/nvram/aspeed_otp.h
 create mode 100644 hw/nvram/aspeed_otp.c

-- 
2.43.0

[PATCH v2 1/3] hw/misc/aspeed_otp: Add ASPEED OTP memory device model

[Kane Chen via]

From: Kane-Chen-AS <kane_chen@aspeedtech.com>

Introduce a QEMU device model for ASPEED's One-Time Programmable (OTP)
memory.

This model simulates a word-addressable OTP region used for secure
fuse storage. The OTP memory can operate with an internal memory
buffer.

The OTP model provides a memory-like interface through a dedicated
AddressSpace, allowing other device models (e.g., SBC) to issue
transactions as if accessing a memory-mapped region.

Signed-off-by: Kane-Chen-AS <kane_chen@aspeedtech.com>
---
 include/hw/nvram/aspeed_otp.h | 30 +++++++++++
 hw/nvram/aspeed_otp.c         | 94 +++++++++++++++++++++++++++++++++++
 hw/nvram/meson.build          |  4 ++
 3 files changed, 128 insertions(+)
 create mode 100644 include/hw/nvram/aspeed_otp.h
 create mode 100644 hw/nvram/aspeed_otp.c

diff --git a/include/hw/nvram/aspeed_otp.h b/include/hw/nvram/aspeed_otp.h
new file mode 100644
index 0000000000..aadeb313be
--- /dev/null
+++ b/include/hw/nvram/aspeed_otp.h
@@ -0,0 +1,30 @@
+/*
+ *  ASPEED OTP (One-Time Programmable) memory
+ *
+ *  Copyright (C) 2025 Aspeed
+ *
+ *  SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef ASPEED_OTP_H
+#define ASPEED_OTP_H
+
+#include "system/memory.h"
+#include "system/address-spaces.h"
+
+#define TYPE_ASPEED_OTP "aspeed.otp"
+OBJECT_DECLARE_SIMPLE_TYPE(AspeedOTPState, ASPEED_OTP)
+
+typedef struct AspeedOTPState {
+    DeviceState parent_obj;
+
+    uint64_t size;
+
+    AddressSpace as;
+
+    MemoryRegion mmio;
+
+    uint8_t *storage;
+} AspeedOTPState;
+
+#endif /* ASPEED_OTP_H */
diff --git a/hw/nvram/aspeed_otp.c b/hw/nvram/aspeed_otp.c
new file mode 100644
index 0000000000..233dc3528b
--- /dev/null
+++ b/hw/nvram/aspeed_otp.c
@@ -0,0 +1,94 @@
+/*
+ *  ASPEED OTP (One-Time Programmable) memory
+ *
+ *  Copyright (C) 2025 Aspeed
+ *
+ *  SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "qapi/error.h"
+#include "hw/qdev-properties.h"
+#include "hw/nvram/aspeed_otp.h"
+
+static uint64_t aspeed_otp_read(void *opaque, hwaddr offset, unsigned size)
+{
+    AspeedOTPState *s = opaque;
+    uint64_t val = 0;
+
+    memcpy(&val, s->storage + offset, size);
+
+    return val;
+}
+
+static void aspeed_otp_write(void *opaque, hwaddr offset,
+                                uint64_t val, unsigned size)
+{
+    AspeedOTPState *s = opaque;
+
+    memcpy(s->storage + offset, &val, size);
+}
+
+static void aspeed_otp_init_storage(uint8_t *storage, uint64_t size)
+{
+    uint32_t *p;
+    int i, num;
+
+    num = size / sizeof(uint32_t);
+    p = (uint32_t *)storage;
+    for (i = 0; i < num; i++) {
+        p[i] = (i % 2 == 0) ? 0x00000000 : 0xFFFFFFFF;
+    }
+}
+
+static const MemoryRegionOps aspeed_otp_ops = {
+    .read = aspeed_otp_read,
+    .write = aspeed_otp_write,
+    .endianness = DEVICE_LITTLE_ENDIAN,
+    .valid.min_access_size = 1,
+    .valid.max_access_size = 4,
+};
+
+static void aspeed_otp_realize(DeviceState *dev, Error **errp)
+{
+    AspeedOTPState *s = ASPEED_OTP(dev);
+
+    if (s->size == 0) {
+        error_setg(errp, "aspeed.otp: 'size' property must be set");
+        return;
+    }
+
+    s->storage = g_malloc(s->size);
+
+    aspeed_otp_init_storage(s->storage, s->size);
+
+    memory_region_init_io(&s->mmio, OBJECT(dev), &aspeed_otp_ops,
+                          s, "aspeed.otp", s->size);
+    address_space_init(&s->as, &s->mmio, NULL);
+}
+
+static const Property aspeed_otp_properties[] = {
+    DEFINE_PROP_UINT64("size", AspeedOTPState, size, 0),
+};
+
+static void aspeed_otp_class_init(ObjectClass *klass, const void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    dc->realize = aspeed_otp_realize;
+    device_class_set_props(dc, aspeed_otp_properties);
+}
+
+static const TypeInfo aspeed_otp_info = {
+    .name          = TYPE_ASPEED_OTP,
+    .parent        = TYPE_DEVICE,
+    .instance_size = sizeof(AspeedOTPState),
+    .class_init    = aspeed_otp_class_init,
+};
+
+static void aspeed_otp_register_types(void)
+{
+    type_register_static(&aspeed_otp_info);
+}
+
+type_init(aspeed_otp_register_types)
diff --git a/hw/nvram/meson.build b/hw/nvram/meson.build
index 10f3639db6..b66f23605b 100644
--- a/hw/nvram/meson.build
+++ b/hw/nvram/meson.build
@@ -19,3 +19,7 @@ system_ss.add(when: 'CONFIG_XLNX_BBRAM', if_true: files('xlnx-bbram.c'))
 
 specific_ss.add(when: 'CONFIG_PSERIES', if_true: files('spapr_nvram.c'))
 specific_ss.add(when: 'CONFIG_ACPI', if_true: files('fw_cfg-acpi.c'))
+
+system_ss.add(when: 'CONFIG_ASPEED_SOC', if_true: files(
+  'aspeed_otp.c',
+  ))
\ No newline at end of file
-- 
2.43.0

[PATCH v2 2/3] hw/misc/aspeed_sbc: Connect ASPEED OTP memory device to SBC

[Kane Chen via]

From: Kane-Chen-AS <kane_chen@aspeedtech.com>

This patch connects the aspeed.otpmem device to the ASPEED Secure Boot
Controller (SBC) model. It implements OTP memory access via the SBC's
command interface and enables emulation of secure fuse programming flows.

The following OTP commands are supported:
  - READ: reads a 32-bit word from OTP memory into internal registers
  - PROG: programs a 32-bit word value to the specified OTP address

Trace events are added to observe read/program operations and command
handling flow.

Signed-off-by: Kane-Chen-AS <kane_chen@aspeedtech.com>
---
 include/hw/misc/aspeed_sbc.h |   5 ++
 hw/misc/aspeed_sbc.c         | 117 +++++++++++++++++++++++++++++++++++
 hw/misc/trace-events         |   5 ++
 3 files changed, 127 insertions(+)

diff --git a/include/hw/misc/aspeed_sbc.h b/include/hw/misc/aspeed_sbc.h
index 405e6782b9..0c2746d392 100644
--- a/include/hw/misc/aspeed_sbc.h
+++ b/include/hw/misc/aspeed_sbc.h
@@ -10,6 +10,7 @@
 #define ASPEED_SBC_H
 
 #include "hw/sysbus.h"
+#include "hw/nvram/aspeed_otp.h"
 
 #define TYPE_ASPEED_SBC "aspeed.sbc"
 #define TYPE_ASPEED_AST2600_SBC TYPE_ASPEED_SBC "-ast2600"
@@ -36,10 +37,14 @@ struct AspeedSBCState {
     MemoryRegion iomem;
 
     uint32_t regs[ASPEED_SBC_NR_REGS];
+
+    AspeedOTPState otp;
 };
 
 struct AspeedSBCClass {
     SysBusDeviceClass parent_class;
+
+    bool has_otp;
 };
 
 #endif /* ASPEED_SBC_H */
diff --git a/hw/misc/aspeed_sbc.c b/hw/misc/aspeed_sbc.c
index a7d101ba71..2f5b83a3f2 100644
--- a/hw/misc/aspeed_sbc.c
+++ b/hw/misc/aspeed_sbc.c
@@ -15,9 +15,13 @@
 #include "hw/misc/aspeed_sbc.h"
 #include "qapi/error.h"
 #include "migration/vmstate.h"
+#include "trace.h"
 
 #define R_PROT          (0x000 / 4)
+#define R_CMD           (0x004 / 4)
+#define R_ADDR          (0x010 / 4)
 #define R_STATUS        (0x014 / 4)
+#define R_CAMP1         (0x020 / 4)
 #define R_QSR           (0x040 / 4)
 
 /* R_STATUS */
@@ -41,6 +45,11 @@
 #define QSR_RSA_MASK           (0x3 << 12)
 #define QSR_HASH_MASK          (0x3 << 10)
 
+#define OTP_MEMORY_SIZE 0x4000
+/* OTP command */
+#define SBC_OTP_CMD_READ 0x23b1e361
+#define SBC_OTP_CMD_PROG 0x23b1e364
+
 static uint64_t aspeed_sbc_read(void *opaque, hwaddr addr, unsigned int size)
 {
     AspeedSBCState *s = ASPEED_SBC(opaque);
@@ -57,6 +66,84 @@ static uint64_t aspeed_sbc_read(void *opaque, hwaddr addr, unsigned int size)
     return s->regs[addr];
 }
 
+static bool aspeed_sbc_otp_read(AspeedSBCState *s,
+                                   uint32_t otp_addr)
+{
+    MemTxResult ret;
+    AspeedOTPState *otp = &s->otp;
+    uint32_t value, otp_offset;
+
+    otp_offset = otp_addr << 2;
+    ret = address_space_read(&otp->as, otp_offset, MEMTXATTRS_UNSPECIFIED,
+                             &value, sizeof(value));
+    if (ret != MEMTX_OK) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "Failed to read OTP memory, addr = %x\n",
+                      otp_addr);
+        return false;
+    }
+    s->regs[R_CAMP1] = value;
+    trace_aspeed_sbc_otp_read(otp_addr, value);
+
+    return true;
+}
+
+static bool aspeed_sbc_otp_prog(AspeedSBCState *s,
+                                   uint32_t otp_addr)
+{
+    MemTxResult ret;
+    AspeedOTPState *otp = &s->otp;
+    uint32_t value = s->regs[R_CAMP1];
+
+    ret = address_space_write(&otp->as, otp_addr, MEMTXATTRS_UNSPECIFIED,
+                        &value, sizeof(value));
+    if (ret != MEMTX_OK) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "Failed to write OTP memory, addr = %x\n",
+                      otp_addr);
+        return false;
+    }
+
+    trace_aspeed_sbc_otp_prog(otp_addr, value);
+
+    return true;
+}
+
+static void aspeed_sbc_handle_command(void *opaque, uint32_t cmd)
+{
+    AspeedSBCState *s = ASPEED_SBC(opaque);
+    AspeedSBCClass *sc = ASPEED_SBC_GET_CLASS(opaque);
+    bool ret = false;
+    uint32_t otp_addr;
+
+    if (!sc->has_otp) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: OTP memory is not supported\n",
+                      __func__);
+        return;
+    }
+
+    s->regs[R_STATUS] &= ~(OTP_MEM_IDLE | OTP_IDLE);
+    otp_addr = s->regs[R_ADDR];
+
+    switch (cmd) {
+    case SBC_OTP_CMD_READ:
+        ret = aspeed_sbc_otp_read(s, otp_addr);
+        break;
+    case SBC_OTP_CMD_PROG:
+        ret = aspeed_sbc_otp_prog(s, otp_addr);
+        break;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Unknown command 0x%x\n",
+                      __func__, cmd);
+        break;
+    }
+
+    trace_aspeed_sbc_handle_cmd(cmd, otp_addr, ret);
+    s->regs[R_STATUS] |= (OTP_MEM_IDLE | OTP_IDLE);
+}
+
 static void aspeed_sbc_write(void *opaque, hwaddr addr, uint64_t data,
                               unsigned int size)
 {
@@ -78,6 +165,9 @@ static void aspeed_sbc_write(void *opaque, hwaddr addr, uint64_t data,
                       "%s: write to read only register 0x%" HWADDR_PRIx "\n",
                       __func__, addr << 2);
         return;
+    case R_CMD:
+        aspeed_sbc_handle_command(opaque, data);
+        return;
     default:
         break;
     }
@@ -115,10 +205,36 @@ static void aspeed_sbc_reset(DeviceState *dev)
     s->regs[R_QSR] = s->signing_settings;
 }
 
+static void aspeed_sbc_instance_init(Object *obj)
+{
+    AspeedSBCClass *sc = ASPEED_SBC_GET_CLASS(obj);
+    AspeedSBCState *s = ASPEED_SBC(obj);
+
+    if (sc->has_otp) {
+        object_initialize_child(OBJECT(s), "otp", &s->otp,
+                                TYPE_ASPEED_OTP);
+    }
+}
+
 static void aspeed_sbc_realize(DeviceState *dev, Error **errp)
 {
     AspeedSBCState *s = ASPEED_SBC(dev);
     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+    AspeedSBCClass *sc = ASPEED_SBC_GET_CLASS(dev);
+    Error *local_errp = NULL;
+    bool ret;
+
+    if (sc->has_otp) {
+        qdev_prop_set_uint64(DEVICE(&s->otp), "size", OTP_MEMORY_SIZE);
+        ret = qdev_realize(DEVICE(&s->otp), NULL, &local_errp);
+        if (!ret && local_errp) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: %s\n",
+                          __func__, error_get_pretty(local_errp));
+            error_free(local_errp);
+            return;
+        }
+    }
 
     memory_region_init_io(&s->iomem, OBJECT(s), &aspeed_sbc_ops, s,
             TYPE_ASPEED_SBC, 0x1000);
@@ -155,6 +271,7 @@ static const TypeInfo aspeed_sbc_info = {
     .name = TYPE_ASPEED_SBC,
     .parent = TYPE_SYS_BUS_DEVICE,
     .instance_size = sizeof(AspeedSBCState),
+    .instance_init = aspeed_sbc_instance_init,
     .class_init = aspeed_sbc_class_init,
     .class_size = sizeof(AspeedSBCClass)
 };
diff --git a/hw/misc/trace-events b/hw/misc/trace-events
index e3f64c0ff6..9e05b82f37 100644
--- a/hw/misc/trace-events
+++ b/hw/misc/trace-events
@@ -90,6 +90,11 @@ slavio_sysctrl_mem_readl(uint32_t ret) "Read system control 0x%08x"
 slavio_led_mem_writew(uint32_t val) "Write diagnostic LED 0x%04x"
 slavio_led_mem_readw(uint32_t ret) "Read diagnostic LED 0x%04x"
 
+# aspeed_sbc.c
+aspeed_sbc_handle_cmd(uint32_t cmd, uint32_t addr, bool ret) "Handling command 0x%" PRIx32 " for OTP addr 0x%" PRIx32 " Result: %d"
+aspeed_sbc_otp_read(uint32_t addr, uint32_t value) "OTP Memory read: addr 0x%" PRIx32 " value 0x%" PRIx32
+aspeed_sbc_otp_prog(uint32_t addr, uint32_t value) "OTP Memory write: addr 0x%" PRIx32 " value 0x%" PRIx32
+
 # aspeed_scu.c
 aspeed_scu_write(uint64_t offset, unsigned size, uint32_t data) "To 0x%" PRIx64 " of size %u: 0x%" PRIx32
 aspeed_scu_read(uint64_t offset, unsigned size, uint32_t data) "To 0x%" PRIx64 " of size %u: 0x%" PRIx32
-- 
2.43.0

[PATCH v2 3/3] hw/arm: Integrate ASPEED OTP memory support into AST2600 SoCs

[Kane Chen via]

From: Kane-Chen-AS <kane_chen@aspeedtech.com>

The has_otpmem attribute is enabled in the SBC subclasses for AST2600
to control the presence of OTP support per SoC type.

Signed-off-by: Kane-Chen-AS <kane_chen@aspeedtech.com>
---
 hw/arm/aspeed_ast2600.c | 2 +-
 hw/misc/aspeed_sbc.c    | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/arm/aspeed_ast2600.c b/hw/arm/aspeed_ast2600.c
index d12707f0ab..59ffd41a4a 100644
--- a/hw/arm/aspeed_ast2600.c
+++ b/hw/arm/aspeed_ast2600.c
@@ -261,7 +261,7 @@ static void aspeed_soc_ast2600_init(Object *obj)
 
     object_initialize_child(obj, "i3c", &s->i3c, TYPE_ASPEED_I3C);
 
-    object_initialize_child(obj, "sbc", &s->sbc, TYPE_ASPEED_SBC);
+    object_initialize_child(obj, "sbc", &s->sbc, TYPE_ASPEED_AST2600_SBC);
 
     object_initialize_child(obj, "iomem", &s->iomem, TYPE_UNIMPLEMENTED_DEVICE);
     object_initialize_child(obj, "video", &s->video, TYPE_UNIMPLEMENTED_DEVICE);
diff --git a/hw/misc/aspeed_sbc.c b/hw/misc/aspeed_sbc.c
index 2f5b83a3f2..f2ceec9ab5 100644
--- a/hw/misc/aspeed_sbc.c
+++ b/hw/misc/aspeed_sbc.c
@@ -279,8 +279,10 @@ static const TypeInfo aspeed_sbc_info = {
 static void aspeed_ast2600_sbc_class_init(ObjectClass *klass, const void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
+    AspeedSBCClass *sc = ASPEED_SBC_CLASS(klass);
 
     dc->desc = "AST2600 Secure Boot Controller";
+    sc->has_otp = true;
 }
 
 static const TypeInfo aspeed_ast2600_sbc_info = {
-- 
2.43.0

Re: [PATCH v2 2/3] hw/misc/aspeed_sbc: Connect ASPEED OTP memory device to SBC

[Cédric Le Goater]

On 6/27/25 04:56, Kane Chen wrote:
> From: Kane-Chen-AS <kane_chen@aspeedtech.com>
> 
> This patch connects the aspeed.otpmem device to the ASPEED Secure Boot
> Controller (SBC) model. It implements OTP memory access via the SBC's
> command interface and enables emulation of secure fuse programming flows.
> 
> The following OTP commands are supported:
>    - READ: reads a 32-bit word from OTP memory into internal registers
>    - PROG: programs a 32-bit word value to the specified OTP address
> 
> Trace events are added to observe read/program operations and command
> handling flow.
> 
> Signed-off-by: Kane-Chen-AS <kane_chen@aspeedtech.com>
> ---
>   include/hw/misc/aspeed_sbc.h |   5 ++
>   hw/misc/aspeed_sbc.c         | 117 +++++++++++++++++++++++++++++++++++
>   hw/misc/trace-events         |   5 ++
>   3 files changed, 127 insertions(+)
> 
> diff --git a/include/hw/misc/aspeed_sbc.h b/include/hw/misc/aspeed_sbc.h
> index 405e6782b9..0c2746d392 100644
> --- a/include/hw/misc/aspeed_sbc.h
> +++ b/include/hw/misc/aspeed_sbc.h
> @@ -10,6 +10,7 @@
>   #define ASPEED_SBC_H
>   
>   #include "hw/sysbus.h"
> +#include "hw/nvram/aspeed_otp.h"
>   
>   #define TYPE_ASPEED_SBC "aspeed.sbc"
>   #define TYPE_ASPEED_AST2600_SBC TYPE_ASPEED_SBC "-ast2600"
> @@ -36,10 +37,14 @@ struct AspeedSBCState {
>       MemoryRegion iomem;
>   
>       uint32_t regs[ASPEED_SBC_NR_REGS];
> +
> +    AspeedOTPState otp;
>   };
>   
>   struct AspeedSBCClass {
>       SysBusDeviceClass parent_class;
> +
> +    bool has_otp;
>   };
>   
>   #endif /* ASPEED_SBC_H */
> diff --git a/hw/misc/aspeed_sbc.c b/hw/misc/aspeed_sbc.c
> index a7d101ba71..2f5b83a3f2 100644
> --- a/hw/misc/aspeed_sbc.c
> +++ b/hw/misc/aspeed_sbc.c
> @@ -15,9 +15,13 @@
>   #include "hw/misc/aspeed_sbc.h"
>   #include "qapi/error.h"
>   #include "migration/vmstate.h"
> +#include "trace.h"
>   
>   #define R_PROT          (0x000 / 4)
> +#define R_CMD           (0x004 / 4)
> +#define R_ADDR          (0x010 / 4)
>   #define R_STATUS        (0x014 / 4)
> +#define R_CAMP1         (0x020 / 4)
>   #define R_QSR           (0x040 / 4)
>   
>   /* R_STATUS */
> @@ -41,6 +45,11 @@
>   #define QSR_RSA_MASK           (0x3 << 12)
>   #define QSR_HASH_MASK          (0x3 << 10)
>   
> +#define OTP_MEMORY_SIZE 0x4000
> +/* OTP command */
> +#define SBC_OTP_CMD_READ 0x23b1e361
> +#define SBC_OTP_CMD_PROG 0x23b1e364
> +
>   static uint64_t aspeed_sbc_read(void *opaque, hwaddr addr, unsigned int size)
>   {
>       AspeedSBCState *s = ASPEED_SBC(opaque);
> @@ -57,6 +66,84 @@ static uint64_t aspeed_sbc_read(void *opaque, hwaddr addr, unsigned int size)
>       return s->regs[addr];
>   }
>   
> +static bool aspeed_sbc_otp_read(AspeedSBCState *s,
> +                                   uint32_t otp_addr)
> +{
> +    MemTxResult ret;
> +    AspeedOTPState *otp = &s->otp;
> +    uint32_t value, otp_offset;
> +
> +    otp_offset = otp_addr << 2;
> +    ret = address_space_read(&otp->as, otp_offset, MEMTXATTRS_UNSPECIFIED,
> +                             &value, sizeof(value));
> +    if (ret != MEMTX_OK) {
> +        qemu_log_mask(LOG_GUEST_ERROR,
> +                      "Failed to read OTP memory, addr = %x\n",
> +                      otp_addr);
> +        return false;
> +    }
> +    s->regs[R_CAMP1] = value;
> +    trace_aspeed_sbc_otp_read(otp_addr, value);
> +
> +    return true;
> +}
> +
> +static bool aspeed_sbc_otp_prog(AspeedSBCState *s,
> +                                   uint32_t otp_addr)
> +{
> +    MemTxResult ret;
> +    AspeedOTPState *otp = &s->otp;
> +    uint32_t value = s->regs[R_CAMP1];
> +
> +    ret = address_space_write(&otp->as, otp_addr, MEMTXATTRS_UNSPECIFIED,
> +                        &value, sizeof(value));
> +    if (ret != MEMTX_OK) {
> +        qemu_log_mask(LOG_GUEST_ERROR,
> +                      "Failed to write OTP memory, addr = %x\n",
> +                      otp_addr);
> +        return false;
> +    }
> +
> +    trace_aspeed_sbc_otp_prog(otp_addr, value);
> +
> +    return true;
> +}
> +
> +static void aspeed_sbc_handle_command(void *opaque, uint32_t cmd)
> +{
> +    AspeedSBCState *s = ASPEED_SBC(opaque);
> +    AspeedSBCClass *sc = ASPEED_SBC_GET_CLASS(opaque);
> +    bool ret = false;
> +    uint32_t otp_addr;
> +
> +    if (!sc->has_otp) {
> +        qemu_log_mask(LOG_GUEST_ERROR,
> +                      "%s: OTP memory is not supported\n",
> +                      __func__);
> +        return;
> +    }
> +
> +    s->regs[R_STATUS] &= ~(OTP_MEM_IDLE | OTP_IDLE);
> +    otp_addr = s->regs[R_ADDR];
> +
> +    switch (cmd) {
> +    case SBC_OTP_CMD_READ:
> +        ret = aspeed_sbc_otp_read(s, otp_addr);
> +        break;
> +    case SBC_OTP_CMD_PROG:
> +        ret = aspeed_sbc_otp_prog(s, otp_addr);
> +        break;
> +    default:
> +        qemu_log_mask(LOG_GUEST_ERROR,
> +                      "%s: Unknown command 0x%x\n",
> +                      __func__, cmd);
> +        break;
> +    }
> +
> +    trace_aspeed_sbc_handle_cmd(cmd, otp_addr, ret);
> +    s->regs[R_STATUS] |= (OTP_MEM_IDLE | OTP_IDLE);
> +}
> +
>   static void aspeed_sbc_write(void *opaque, hwaddr addr, uint64_t data,
>                                 unsigned int size)
>   {
> @@ -78,6 +165,9 @@ static void aspeed_sbc_write(void *opaque, hwaddr addr, uint64_t data,
>                         "%s: write to read only register 0x%" HWADDR_PRIx "\n",
>                         __func__, addr << 2);
>           return;
> +    case R_CMD:
> +        aspeed_sbc_handle_command(opaque, data);
> +        return;
>       default:
>           break;
>       }
> @@ -115,10 +205,36 @@ static void aspeed_sbc_reset(DeviceState *dev)
>       s->regs[R_QSR] = s->signing_settings;
>   }
>   
> +static void aspeed_sbc_instance_init(Object *obj)
> +{
> +    AspeedSBCClass *sc = ASPEED_SBC_GET_CLASS(obj);
> +    AspeedSBCState *s = ASPEED_SBC(obj);
> +
> +    if (sc->has_otp) {
> +        object_initialize_child(OBJECT(s), "otp", &s->otp,
> +                                TYPE_ASPEED_OTP);
> +    }
> +}
> +
>   static void aspeed_sbc_realize(DeviceState *dev, Error **errp)
>   {
>       AspeedSBCState *s = ASPEED_SBC(dev);
>       SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
> +    AspeedSBCClass *sc = ASPEED_SBC_GET_CLASS(dev);
> +    Error *local_errp = NULL;
> +    bool ret;
> +
> +    if (sc->has_otp) {
> +        qdev_prop_set_uint64(DEVICE(&s->otp), "size", OTP_MEMORY_SIZE);


Please prefer object_property_set_int() instead. For examples, see
aspeed_soc_ast2600_realize().

> +        ret = qdev_realize(DEVICE(&s->otp), NULL, &local_errp);
> +        if (!ret && local_errp) {
> +            qemu_log_mask(LOG_GUEST_ERROR,
> +                          "%s: %s\n",
> +                          __func__, error_get_pretty(local_errp));
> +            error_free(local_errp);
> +            return;

This should be :

         if (!qdev_realize(DEVICE(&a->otp), NULL, errp)) {
             return;
         }

Thanks,

C.

> +        }
> +    }
>   
>       memory_region_init_io(&s->iomem, OBJECT(s), &aspeed_sbc_ops, s,
>               TYPE_ASPEED_SBC, 0x1000);
> @@ -155,6 +271,7 @@ static const TypeInfo aspeed_sbc_info = {
>       .name = TYPE_ASPEED_SBC,
>       .parent = TYPE_SYS_BUS_DEVICE,
>       .instance_size = sizeof(AspeedSBCState),
> +    .instance_init = aspeed_sbc_instance_init,
>       .class_init = aspeed_sbc_class_init,
>       .class_size = sizeof(AspeedSBCClass)
>   };
> diff --git a/hw/misc/trace-events b/hw/misc/trace-events
> index e3f64c0ff6..9e05b82f37 100644
> --- a/hw/misc/trace-events
> +++ b/hw/misc/trace-events
> @@ -90,6 +90,11 @@ slavio_sysctrl_mem_readl(uint32_t ret) "Read system control 0x%08x"
>   slavio_led_mem_writew(uint32_t val) "Write diagnostic LED 0x%04x"
>   slavio_led_mem_readw(uint32_t ret) "Read diagnostic LED 0x%04x"
>   
> +# aspeed_sbc.c
> +aspeed_sbc_handle_cmd(uint32_t cmd, uint32_t addr, bool ret) "Handling command 0x%" PRIx32 " for OTP addr 0x%" PRIx32 " Result: %d"
> +aspeed_sbc_otp_read(uint32_t addr, uint32_t value) "OTP Memory read: addr 0x%" PRIx32 " value 0x%" PRIx32
> +aspeed_sbc_otp_prog(uint32_t addr, uint32_t value) "OTP Memory write: addr 0x%" PRIx32 " value 0x%" PRIx32
> +
>   # aspeed_scu.c
>   aspeed_scu_write(uint64_t offset, unsigned size, uint32_t data) "To 0x%" PRIx64 " of size %u: 0x%" PRIx32
>   aspeed_scu_read(uint64_t offset, unsigned size, uint32_t data) "To 0x%" PRIx64 " of size %u: 0x%" PRIx32

Re: [PATCH v2 0/3] Add QEMU model for ASPEED OTP memory and integrate with SoC

[Cédric Le Goater]

On 6/27/25 04:56, Kane Chen wrote:
> From: Kane-Chen-AS <kane_chen@aspeedtech.com>
> 
> This patch series introduces a QEMU model for the ASPEED OTP (One-Time
> Programmable) memory, along with its integration into the Secure Boot
> Controller (SBC) and supported SoC (AST2600).
> 
> The OTP model emulates a simple fuse array used for secure boot or
> device configuration, implemented with internal buffers; external
> file/device support not included in this version. It exposes an
> AddressSpace to support transaction-based access from controllers
> like the SBC.
> 
> This series includes:
>    - OTP memory device implementation
>    - SBC integration with command decoding (READ/PROG)
>    - Direct integration in AST2600 SoC without requiring user parameters
> 
> Any feedback or suggestions are appreciated!
> 
> Kane
> ---
> 
> ChangeLog
> ---------
> v2:
> - Rename device from 'aspeed_otpmem' to 'aspeed_otp' and move it to hw/nvram/
> - Move OTP device realization from instance_init to the realize function
> - Improve error logging with qemu_log_mask() and remove unused error propagation


v2 looks OK with the fix I asked on patch 2.

In the next round, could you please include a patch re-adding
a drive property and a block backend in AspeedOTPState ?

Last, we should work on linking the drive to a machine option
but first, let's add the drive.


Thanks,

C.




> 
> v1:
> - Initial version
> 
> ---
> 
> Kane-Chen-AS (3):
>    hw/misc/aspeed_otp: Add ASPEED OTP memory device model
>    hw/misc/aspeed_sbc: Connect ASPEED OTP memory device to SBC
>    hw/arm: Integrate ASPEED OTP memory support into AST2600 SoCs
> 
>   include/hw/misc/aspeed_sbc.h  |   5 ++
>   include/hw/nvram/aspeed_otp.h |  30 +++++++++
>   hw/arm/aspeed_ast2600.c       |   2 +-
>   hw/misc/aspeed_sbc.c          | 119 ++++++++++++++++++++++++++++++++++
>   hw/nvram/aspeed_otp.c         |  94 +++++++++++++++++++++++++++
>   hw/misc/trace-events          |   5 ++
>   hw/nvram/meson.build          |   4 ++
>   7 files changed, 258 insertions(+), 1 deletion(-)
>   create mode 100644 include/hw/nvram/aspeed_otp.h
>   create mode 100644 hw/nvram/aspeed_otp.c
> 

RE: [PATCH v2 0/3] Add QEMU model for ASPEED OTP memory and integrate with SoC

[Kane Chen]

Hi Cédric,

Thanks for your reviewing and comments.

Regarding the drive property and block backend, my understanding is that the following changes would be required:

1. Add a BlockBackend field in AspeedOTPState
2. Register a drive property to associate the backend with the device
3. Launch QEMU using command-line options like:
   -blockdev driver=file,filename=otpmem.img,node-name=otp \
   -device aspeed.otp,drive=otp,id=otp-drive,size=16384 \

I have a question related to this setup. When using the -blockdev and -device options as above, QEMU will instantiate a standalone aspeed.otp device based on the command line. At the same time, our current implementation also creates an aspeed.otp object internally as a child of the SBC. As a result, two separate OTP devices exist in the QOM tree.

For example, based on info qom-tree, the hierarchy looks like this:
The OTP device instantiated via command-line options:
/machine (ast2600-evb-machine)
  /peripheral (container)
    /otp-drive (aspeed.otp)
      /aspeed.otp[0] (memory-region)

The OTP device instantiated from within the SBC:
    /sbc (aspeed.sbc-ast2600)
      /aspeed.sbc[0] (memory-region)
      /otp (aspeed.otp)
        /aspeed.otp[0] (memory-region)

In an earlier revision, I used a pointer like AspeedOTPState *otp along with qemu_add_machine_init_done_notifier() to locate and reuse the command-line–instantiated object, based on the assumption that there should be only one OTP instance. However, I realize this may not be a reliable approach and could lead to unexpected confusion or inconsistencies.

Given this, I would appreciate your advice on the proper way to handle this situation. Specifically, should we avoid creating the OTP device inside the SBC and rely entirely on the external device instance? Or would it be acceptable to instantiate it internally and avoid exposing it via -device?

Thanks again for your time and feedback.

Best Regards,
Kane
> -----Original Message-----
> From: Cédric Le Goater <clg@kaod.org>
> Sent: Friday, June 27, 2025 2:52 PM
> To: Kane Chen <kane_chen@aspeedtech.com>; Peter Maydell
> <peter.maydell@linaro.org>; Steven Lee <steven_lee@aspeedtech.com>; Troy
> Lee <leetroy@gmail.com>; Jamin Lin <jamin_lin@aspeedtech.com>; Andrew
> Jeffery <andrew@codeconstruct.com.au>; Joel Stanley <joel@jms.id.au>;
> open list:ASPEED BMCs <qemu-arm@nongnu.org>; open list:All patches CC
> here <qemu-devel@nongnu.org>
> Cc: Troy Lee <troy_lee@aspeedtech.com>
> Subject: Re: [PATCH v2 0/3] Add QEMU model for ASPEED OTP memory and
> integrate with SoC
> 
> On 6/27/25 04:56, Kane Chen wrote:
> > From: Kane-Chen-AS <kane_chen@aspeedtech.com>
> >
> > This patch series introduces a QEMU model for the ASPEED OTP (One-Time
> > Programmable) memory, along with its integration into the Secure Boot
> > Controller (SBC) and supported SoC (AST2600).
> >
> > The OTP model emulates a simple fuse array used for secure boot or
> > device configuration, implemented with internal buffers; external
> > file/device support not included in this version. It exposes an
> > AddressSpace to support transaction-based access from controllers like
> > the SBC.
> >
> > This series includes:
> >    - OTP memory device implementation
> >    - SBC integration with command decoding (READ/PROG)
> >    - Direct integration in AST2600 SoC without requiring user
> > parameters
> >
> > Any feedback or suggestions are appreciated!
> >
> > Kane
> > ---
> >
> > ChangeLog
> > ---------
> > v2:
> > - Rename device from 'aspeed_otpmem' to 'aspeed_otp' and move it to
> > hw/nvram/
> > - Move OTP device realization from instance_init to the realize
> > function
> > - Improve error logging with qemu_log_mask() and remove unused error
> > propagation
> 
> 
> v2 looks OK with the fix I asked on patch 2.
> 
> In the next round, could you please include a patch re-adding a drive property
> and a block backend in AspeedOTPState ?
> 
> Last, we should work on linking the drive to a machine option but first, let's
> add the drive.
> 
> 
> Thanks,
> 
> C.
> 
> 
> 
> 
> >
> > v1:
> > - Initial version
> >
> > ---
> >
> > Kane-Chen-AS (3):
> >    hw/misc/aspeed_otp: Add ASPEED OTP memory device model
> >    hw/misc/aspeed_sbc: Connect ASPEED OTP memory device to SBC
> >    hw/arm: Integrate ASPEED OTP memory support into AST2600 SoCs
> >
> >   include/hw/misc/aspeed_sbc.h  |   5 ++
> >   include/hw/nvram/aspeed_otp.h |  30 +++++++++
> >   hw/arm/aspeed_ast2600.c       |   2 +-
> >   hw/misc/aspeed_sbc.c          | 119
> ++++++++++++++++++++++++++++++++++
> >   hw/nvram/aspeed_otp.c         |  94
> +++++++++++++++++++++++++++
> >   hw/misc/trace-events          |   5 ++
> >   hw/nvram/meson.build          |   4 ++
> >   7 files changed, 258 insertions(+), 1 deletion(-)
> >   create mode 100644 include/hw/nvram/aspeed_otp.h
> >   create mode 100644 hw/nvram/aspeed_otp.c
> >

Re: [PATCH v2 0/3] Add QEMU model for ASPEED OTP memory and integrate with SoC

[Cédric Le Goater]

On 6/27/25 11:09, Kane Chen wrote:
> Hi Cédric,
> 
> Thanks for your reviewing and comments.
> 
> Regarding the drive property and block backend, my understanding is that the following changes would be required:
> 
> 1. Add a BlockBackend field in AspeedOTPState
> 2. Register a drive property to associate the backend with the device

Let's do 1. and 2. first.

The rest has been discussed already in previous emails.
Please go through them.

Thanks,

C.