[PULL 0/4] target-arm queue

[PULL 0/4] target-arm queue

[Peter Maydell]

Arm patches for rc3 : just a handful of bug fixes.

thanks
-- PMM


The following changes since commit 4ecc984210ca1bf508a96a550ec8a93a5f833f6c:

  Merge remote-tracking branch 'remotes/palmer/tags/riscv-for-master-4.2-rc3' into staging (2019-11-26 12:36:40 +0000)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20191126

for you to fetch changes up to 6a4ef4e5d1084ce41fafa7d470a644b0fd3d9317:

  target/arm: Honor HCR_EL2.TID3 trapping requirements (2019-11-26 13:55:37 +0000)

----------------------------------------------------------------
target-arm queue:
 * handle FTYPE flag correctly in v7M exception return
   for v7M CPUs with an FPU (v8M CPUs were already correct)
 * versal: Add the CRP as unimplemented
 * Fix ISR_EL1 tracking when executing at EL2
 * Honor HCR_EL2.TID3 trapping requirements

----------------------------------------------------------------
Edgar E. Iglesias (1):
      hw/arm: versal: Add the CRP as unimplemented

Jean-Hugues Deschênes (1):
      target/arm: Fix handling of cortex-m FTYPE flag in EXCRET

Marc Zyngier (2):
      target/arm: Fix ISR_EL1 tracking when executing at EL2
      target/arm: Honor HCR_EL2.TID3 trapping requirements

 include/hw/arm/xlnx-versal.h |  3 ++
 hw/arm/xlnx-versal.c         |  2 ++
 target/arm/helper.c          | 83 ++++++++++++++++++++++++++++++++++++++++++--
 target/arm/m_helper.c        |  7 ++--
 4 files changed, 89 insertions(+), 6 deletions(-)

Re: [PULL 0/4] target-arm queue

[Peter Maydell]

On Tue, 26 Nov 2019 at 14:12, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> Arm patches for rc3 : just a handful of bug fixes.
>
> thanks
> -- PMM
>
>
> The following changes since commit 4ecc984210ca1bf508a96a550ec8a93a5f833f6c:
>
>   Merge remote-tracking branch 'remotes/palmer/tags/riscv-for-master-4.2-rc3' into staging (2019-11-26 12:36:40 +0000)
>
> are available in the Git repository at:
>
>   https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20191126
>
> for you to fetch changes up to 6a4ef4e5d1084ce41fafa7d470a644b0fd3d9317:
>
>   target/arm: Honor HCR_EL2.TID3 trapping requirements (2019-11-26 13:55:37 +0000)
>
> ----------------------------------------------------------------
> target-arm queue:
>  * handle FTYPE flag correctly in v7M exception return
>    for v7M CPUs with an FPU (v8M CPUs were already correct)
>  * versal: Add the CRP as unimplemented
>  * Fix ISR_EL1 tracking when executing at EL2
>  * Honor HCR_EL2.TID3 trapping requirements
>

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/4.2
for any user-visible changes.

-- PMM

[PULL 0/4] target-arm queue

[Peter Maydell]

Hi; some minor changes for 6.2, which I think can be classified
as bug fixes and are OK for this point in the release cycle.
(Wouldn't be the end of the world if they slipped to 7.0.)

-- PMM

The following changes since commit 42f6c9179be4401974dd3a75ee72defd16b5092d:

  Merge tag 'pull-ppc-20211112' of https://github.com/legoater/qemu into staging (2021-11-12 12:28:25 +0100)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20211115-1

for you to fetch changes up to 1adf528ec3bdf62ea3b580b7ad562534a3676ff5:

  hw/rtc/pl031: Send RTC_CHANGE QMP event (2021-11-15 18:53:00 +0000)

----------------------------------------------------------------
target-arm queue:
 * Support multiple redistributor regions for TCG GICv3
 * Send RTC_CHANGE QMP event from pl031

----------------------------------------------------------------
Eric Auger (1):
      hw/rtc/pl031: Send RTC_CHANGE QMP event

Peter Maydell (3):
      hw/intc/arm_gicv3: Move checking of redist-region-count to arm_gicv3_common_realize
      hw/intc/arm_gicv3: Set GICR_TYPER.Last correctly when nb_redist_regions > 1
      hw/intc/arm_gicv3: Support multiple redistributor regions

 include/hw/intc/arm_gicv3_common.h | 14 ++++++++--
 hw/intc/arm_gicv3.c                | 12 +-------
 hw/intc/arm_gicv3_common.c         | 56 ++++++++++++++++++++++++--------------
 hw/intc/arm_gicv3_kvm.c            | 10 ++-----
 hw/intc/arm_gicv3_redist.c         | 40 +++++++++++++++------------
 hw/rtc/pl031.c                     | 10 ++++++-
 hw/rtc/meson.build                 |  2 +-
 7 files changed, 83 insertions(+), 61 deletions(-)

Re: [PULL 0/4] target-arm queue

[Richard Henderson]

On 11/15/21 9:19 PM, Peter Maydell wrote:
> Hi; some minor changes for 6.2, which I think can be classified
> as bug fixes and are OK for this point in the release cycle.
> (Wouldn't be the end of the world if they slipped to 7.0.)
> 
> -- PMM
> 
> The following changes since commit 42f6c9179be4401974dd3a75ee72defd16b5092d:
> 
>    Merge tag 'pull-ppc-20211112' of https://github.com/legoater/qemu into staging (2021-11-12 12:28:25 +0100)
> 
> are available in the Git repository at:
> 
>    https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20211115-1
> 
> for you to fetch changes up to 1adf528ec3bdf62ea3b580b7ad562534a3676ff5:
> 
>    hw/rtc/pl031: Send RTC_CHANGE QMP event (2021-11-15 18:53:00 +0000)
> 
> ----------------------------------------------------------------
> target-arm queue:
>   * Support multiple redistributor regions for TCG GICv3
>   * Send RTC_CHANGE QMP event from pl031
> 
> ----------------------------------------------------------------
> Eric Auger (1):
>        hw/rtc/pl031: Send RTC_CHANGE QMP event
> 
> Peter Maydell (3):
>        hw/intc/arm_gicv3: Move checking of redist-region-count to arm_gicv3_common_realize
>        hw/intc/arm_gicv3: Set GICR_TYPER.Last correctly when nb_redist_regions > 1
>        hw/intc/arm_gicv3: Support multiple redistributor regions
> 
>   include/hw/intc/arm_gicv3_common.h | 14 ++++++++--
>   hw/intc/arm_gicv3.c                | 12 +-------
>   hw/intc/arm_gicv3_common.c         | 56 ++++++++++++++++++++++++--------------
>   hw/intc/arm_gicv3_kvm.c            | 10 ++-----
>   hw/intc/arm_gicv3_redist.c         | 40 +++++++++++++++------------
>   hw/rtc/pl031.c                     | 10 ++++++-
>   hw/rtc/meson.build                 |  2 +-
>   7 files changed, 83 insertions(+), 61 deletions(-)

Applied, thanks.


r~

[PULL 0/4] target-arm queue

[Peter Maydell]

The following changes since commit efcd0ec14b0fe9ee0ee70277763b2d538d19238d:

  Merge tag 'misc-fixes-20230330' of https://github.com/philmd/qemu into staging (2023-03-30 14:22:29 +0100)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230403

for you to fetch changes up to a0eaa126af3c5a43937a22c58cfb9bb36e4a5001:

  hw/ssi: Fix Linux driver init issue with xilinx_spi (2023-04-03 16:12:30 +0100)

----------------------------------------------------------------
 * target/arm: Fix non-TCG build failure by inlining pauth_ptr_mask()
 * hw/arm: do not free machine->fdt in arm_load_dtb()
 * target/arm: Fix generated code for cpreg reads when HSTR is active
 * hw/ssi: Fix Linux driver init issue with xilinx_spi

----------------------------------------------------------------
Chris Rauer (1):
      hw/ssi: Fix Linux driver init issue with xilinx_spi

Markus Armbruster (1):
      hw/arm: do not free machine->fdt in arm_load_dtb()

Peter Maydell (1):
      target/arm: Fix generated code for cpreg reads when HSTR is active

Philippe Mathieu-Daudé (1):
      target/arm: Fix non-TCG build failure by inlining pauth_ptr_mask()

 target/arm/internals.h        | 15 ++++++++++-----
 hw/arm/boot.c                 |  5 ++++-
 hw/ssi/xilinx_spi.c           |  1 +
 target/arm/gdbstub64.c        |  7 +++++--
 target/arm/tcg/pauth_helper.c | 18 +-----------------
 target/arm/tcg/translate.c    |  6 ++++++
 6 files changed, 27 insertions(+), 25 deletions(-)

Re: [PULL 0/4] target-arm queue

[Peter Maydell]

On Mon, 3 Apr 2023 at 17:01, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> The following changes since commit efcd0ec14b0fe9ee0ee70277763b2d538d19238d:
>
>   Merge tag 'misc-fixes-20230330' of https://github.com/philmd/qemu into staging (2023-03-30 14:22:29 +0100)
>
> are available in the Git repository at:
>
>   https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230403
>
> for you to fetch changes up to a0eaa126af3c5a43937a22c58cfb9bb36e4a5001:
>
>   hw/ssi: Fix Linux driver init issue with xilinx_spi (2023-04-03 16:12:30 +0100)
>
> ----------------------------------------------------------------
>  * target/arm: Fix non-TCG build failure by inlining pauth_ptr_mask()
>  * hw/arm: do not free machine->fdt in arm_load_dtb()
>  * target/arm: Fix generated code for cpreg reads when HSTR is active
>  * hw/ssi: Fix Linux driver init issue with xilinx_spi
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.0
for any user-visible changes.

-- PMM

[PULL 0/4] target-arm queue

[Peter Maydell]

Hi; here are a handful of small bug fixes for Arm guests for rc0.

thanks
-- PMM

The following changes since commit 69680740eafa1838527c90155a7432d51b8ff203:

  Merge tag 'qdev-array-prop' of https://repo.or.cz/qemu/kevin into staging (2023-11-11 11:23:25 +0800)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20231113

for you to fetch changes up to f6e8d1ef05a126de796ae03dd81e048e3ff48ff1:

  target/arm/tcg: enable PMU feature for Cortex-A8 and A9 (2023-11-13 16:31:41 +0000)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/virt: fix GIC maintenance IRQ registration
 * target/arm: HVC at EL3 should go to EL3, not EL2
 * target/arm: Correct MTE tag checking for reverse-copy MOPS
 * target/arm/tcg: enable PMU feature for Cortex-A8 and A9

----------------------------------------------------------------
Jean-Philippe Brucker (1):
      hw/arm/virt: fix GIC maintenance IRQ registration

Nikita Ostrenkov (1):
      target/arm/tcg: enable PMU feature for Cortex-A8 and A9

Peter Maydell (2):
      target/arm: HVC at EL3 should go to EL3, not EL2
      target/arm: Correct MTE tag checking for reverse-copy MOPS

 hw/arm/virt.c                  |  6 ++++--
 target/arm/tcg/cpu32.c         |  2 ++
 target/arm/tcg/mte_helper.c    | 12 ++++++++++--
 target/arm/tcg/translate-a64.c |  4 +++-
 4 files changed, 19 insertions(+), 5 deletions(-)

Re: [PULL 0/4] target-arm queue

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 115 bytes --]

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.2 for any user-visible changes.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[PULL 0/4] target-arm queue

[Peter Maydell]

Just 4 bug fixes here...

thanks
-- PMM

The following changes since commit e9d2db818ff934afb366aea566d0b33acf7bced1:

  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2024-08-01 07:31:49 +1000)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240801

for you to fetch changes up to 5e8e4f098d872818aa9a138a171200068b81c8d1:

  target/xtensa: Correct assert condition in handle_interrupt() (2024-08-01 10:59:01 +0100)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/mps2-tz.c: fix RX/TX interrupts order
 * accel/kvm/kvm-all: Fixes the missing break in vCPU unpark logic
 * target/arm: Handle denormals correctly for FMOPA (widening)
 * target/xtensa: Correct assert condition in handle_interrupt()

----------------------------------------------------------------
Marco Palumbi (1):
      hw/arm/mps2-tz.c: fix RX/TX interrupts order

Peter Maydell (2):
      target/arm: Handle denormals correctly for FMOPA (widening)
      target/xtensa: Correct assert condition in handle_interrupt()

Salil Mehta (1):
      accel/kvm/kvm-all: Fixes the missing break in vCPU unpark logic

 target/arm/tcg/helper-sme.h    |  2 +-
 accel/kvm/kvm-all.c            |  1 +
 hw/arm/mps2-tz.c               |  6 +++---
 target/arm/tcg/sme_helper.c    | 39 +++++++++++++++++++++++++++------------
 target/arm/tcg/translate-sme.c | 25 +++++++++++++++++++++++--
 target/xtensa/exc_helper.c     |  2 +-
 6 files changed, 56 insertions(+), 19 deletions(-)

Re: [PULL 0/4] target-arm queue

[Richard Henderson]

On 8/2/24 00:23, Peter Maydell wrote:
> Just 4 bug fixes here...
> 
> thanks
> -- PMM
> 
> The following changes since commit e9d2db818ff934afb366aea566d0b33acf7bced1:
> 
>    Merge tag 'for-upstream' ofhttps://gitlab.com/bonzini/qemu into staging (2024-08-01 07:31:49 +1000)
> 
> are available in the Git repository at:
> 
>    https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240801
> 
> for you to fetch changes up to 5e8e4f098d872818aa9a138a171200068b81c8d1:
> 
>    target/xtensa: Correct assert condition in handle_interrupt() (2024-08-01 10:59:01 +0100)
> 
> ----------------------------------------------------------------
> target-arm queue:
>   * hw/arm/mps2-tz.c: fix RX/TX interrupts order
>   * accel/kvm/kvm-all: Fixes the missing break in vCPU unpark logic
>   * target/arm: Handle denormals correctly for FMOPA (widening)
>   * target/xtensa: Correct assert condition in handle_interrupt()

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/9.1 as appropriate.

r~

[PULL 0/4] target-arm queue

[Peter Maydell]

Three last bugfixes to sneak into rc2 if we can. The fix
for the EL3-is-AArch32-and-we-run-code-at-EL0 bug is the
most important one here I think (though also the most risky).

thanks
-- PMM

The following changes since commit 9eb51530c12ae645b91e308d16196c68563ea883:

  Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging (2024-08-13 07:59:32 +1000)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240813

for you to fetch changes up to 4c2c0474693229c1f533239bb983495c5427784d:

  target/arm: Fix usage of MMU indexes when EL3 is AArch32 (2024-08-13 11:44:53 +0100)

----------------------------------------------------------------
target-arm queue:
 * hw/misc/stm32l4x5_rcc: Add validation for MCOPRE and MCOSEL values
 * target/arm: Clear high SVE elements in handle_vec_simd_wshli
 * target/arm: Fix usage of MMU indexes when EL3 is AArch32

----------------------------------------------------------------
Peter Maydell (2):
      target/arm: Update translation regime comment for new features
      target/arm: Fix usage of MMU indexes when EL3 is AArch32

Richard Henderson (1):
      target/arm: Clear high SVE elements in handle_vec_simd_wshli

Zheyu Ma (1):
      hw/misc/stm32l4x5_rcc: Add validation for MCOPRE and MCOSEL values

 target/arm/cpu.h               | 50 +++++++++++++++++++++++++++---------------
 target/arm/internals.h         | 27 +++++++++++++++++++----
 target/arm/tcg/translate.h     |  2 ++
 hw/misc/stm32l4x5_rcc.c        | 28 ++++++++++++++++-------
 target/arm/helper.c            | 34 ++++++++++++++++++----------
 target/arm/ptw.c               |  6 ++++-
 target/arm/tcg/hflags.c        |  4 ++++
 target/arm/tcg/translate-a64.c |  3 ++-
 target/arm/tcg/translate.c     |  9 ++++----
 9 files changed, 116 insertions(+), 47 deletions(-)

[PULL 1/4] hw/misc/stm32l4x5_rcc: Add validation for MCOPRE and MCOSEL values

[Peter Maydell]

From: Zheyu Ma <zheyuma97@gmail.com>

This commit adds validation checks for the MCOPRE and MCOSEL values in
the rcc_update_cfgr_register function. If the MCOPRE value exceeds
0b100 or the MCOSEL value exceeds 0b111, an error is logged and the
corresponding clock mux is disabled. This helps in identifying and
handling invalid configurations in the RCC registers.

Reproducer:
cat << EOF | qemu-system-aarch64 -display \
none -machine accel=qtest, -m 512M -machine b-l475e-iot01a -qtest \
stdio
writeq 0x40021008 0xffffffff
EOF

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2356
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/stm32l4x5_rcc.c | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/hw/misc/stm32l4x5_rcc.c b/hw/misc/stm32l4x5_rcc.c
index 417bd5e85f6..59d428fa662 100644
--- a/hw/misc/stm32l4x5_rcc.c
+++ b/hw/misc/stm32l4x5_rcc.c
@@ -543,19 +543,31 @@ static void rcc_update_cfgr_register(Stm32l4x5RccState *s)
     uint32_t val;
     /* MCOPRE */
     val = FIELD_EX32(s->cfgr, CFGR, MCOPRE);
-    assert(val <= 0b100);
-    clock_mux_set_factor(&s->clock_muxes[RCC_CLOCK_MUX_MCO],
-                         1, 1 << val);
+    if (val > 0b100) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Invalid MCOPRE value: 0x%"PRIx32"\n",
+                      __func__, val);
+        clock_mux_set_enable(&s->clock_muxes[RCC_CLOCK_MUX_MCO], false);
+    } else {
+        clock_mux_set_factor(&s->clock_muxes[RCC_CLOCK_MUX_MCO],
+                             1, 1 << val);
+    }
 
     /* MCOSEL */
     val = FIELD_EX32(s->cfgr, CFGR, MCOSEL);
-    assert(val <= 0b111);
-    if (val == 0) {
+    if (val > 0b111) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Invalid MCOSEL value: 0x%"PRIx32"\n",
+                      __func__, val);
         clock_mux_set_enable(&s->clock_muxes[RCC_CLOCK_MUX_MCO], false);
     } else {
-        clock_mux_set_enable(&s->clock_muxes[RCC_CLOCK_MUX_MCO], true);
-        clock_mux_set_source(&s->clock_muxes[RCC_CLOCK_MUX_MCO],
-                             val - 1);
+        if (val == 0) {
+            clock_mux_set_enable(&s->clock_muxes[RCC_CLOCK_MUX_MCO], false);
+        } else {
+            clock_mux_set_enable(&s->clock_muxes[RCC_CLOCK_MUX_MCO], true);
+            clock_mux_set_source(&s->clock_muxes[RCC_CLOCK_MUX_MCO],
+                                 val - 1);
+        }
     }
 
     /* STOPWUCK */
-- 
2.34.1

[PULL 2/4] target/arm: Clear high SVE elements in handle_vec_simd_wshli

[Peter Maydell]

From: Richard Henderson <richard.henderson@linaro.org>

AdvSIMD instructions are supposed to zero bits beyond 128.
Affects SSHLL, USHLL, SSHLL2, USHLL2.

Cc: qemu-stable@nongnu.org
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240717060903.205098-15-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/translate-a64.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index 28a10135032..bc2d64e8835 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -10756,6 +10756,7 @@ static void handle_vec_simd_wshli(DisasContext *s, bool is_q, bool is_u,
         tcg_gen_shli_i64(tcg_rd, tcg_rd, shift);
         write_vec_element(s, tcg_rd, rd, i, size + 1);
     }
+    clear_vec_high(s, true, rd);
 }
 
 /* SHRN/RSHRN - Shift right with narrowing (and potential rounding) */
-- 
2.34.1

[PULL 3/4] target/arm: Update translation regime comment for new features

[Peter Maydell]

We have a long comment describing the Arm architectural translation
regimes and how we map them to QEMU MMU indexes.  This comment has
got a bit out of date:

 * FEAT_SEL2 allows Secure EL2 and corresponding new regimes
 * FEAT_RME introduces Realm state and its translation regimes
 * We now model the Cortex-R52 so that is no longer a hypothetical
 * We separated Secure Stage 2 and NonSecure Stage 2 MMU indexes
 * We have an MMU index per physical address spacea

Add the missing pieces so that the list of architectural translation
regimes matches the Arm ARM, and the list and count of QEMU MMU
indexes in the comment matches the enum.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240809160430.1144805-2-peter.maydell@linaro.org
---
 target/arm/cpu.h | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index a12859fc533..216774f5d3a 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -2772,8 +2772,14 @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
  *  + NonSecure EL1 & 0 stage 2
  *  + NonSecure EL2
  *  + NonSecure EL2 & 0   (ARMv8.1-VHE)
- *  + Secure EL1 & 0
- *  + Secure EL3
+ *  + Secure EL1 & 0 stage 1
+ *  + Secure EL1 & 0 stage 2 (FEAT_SEL2)
+ *  + Secure EL2 (FEAT_SEL2)
+ *  + Secure EL2 & 0 (FEAT_SEL2)
+ *  + Realm EL1 & 0 stage 1 (FEAT_RME)
+ *  + Realm EL1 & 0 stage 2 (FEAT_RME)
+ *  + Realm EL2 (FEAT_RME)
+ *  + EL3
  * If EL3 is 32-bit:
  *  + NonSecure PL1 & 0 stage 1
  *  + NonSecure PL1 & 0 stage 2
@@ -2805,10 +2811,12 @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
  *     table over and over.
  *  6. we need separate EL1/EL2 mmu_idx for handling the Privileged Access
  *     Never (PAN) bit within PSTATE.
- *  7. we fold together the secure and non-secure regimes for A-profile,
+ *  7. we fold together most secure and non-secure regimes for A-profile,
  *     because there are no banked system registers for aarch64, so the
  *     process of switching between secure and non-secure is
  *     already heavyweight.
+ *  8. we cannot fold together Stage 2 Secure and Stage 2 NonSecure,
+ *     because both are in use simultaneously for Secure EL2.
  *
  * This gives us the following list of cases:
  *
@@ -2820,14 +2828,15 @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
  * EL2 EL2&0 +PAN
  * EL2 (aka NS PL2)
  * EL3 (aka S PL1)
- * Physical (NS & S)
- * Stage2 (NS & S)
+ * Stage2 Secure
+ * Stage2 NonSecure
+ * plus one TLB per Physical address space: S, NS, Realm, Root
  *
- * for a total of 12 different mmu_idx.
+ * for a total of 14 different mmu_idx.
  *
  * R profile CPUs have an MPU, but can use the same set of MMU indexes
  * as A profile. They only need to distinguish EL0 and EL1 (and
- * EL2 if we ever model a Cortex-R52).
+ * EL2 for cores like the Cortex-R52).
  *
  * M profile CPUs are rather different as they do not have a true MMU.
  * They have the following different MMU indexes:
-- 
2.34.1

[PULL 4/4] target/arm: Fix usage of MMU indexes when EL3 is AArch32

[Peter Maydell]

Our current usage of MMU indexes when EL3 is AArch32 is confused.
Architecturally, when EL3 is AArch32, all Secure code runs under the
Secure PL1&0 translation regime:
 * code at EL3, which might be Mon, or SVC, or any of the
   other privileged modes (PL1)
 * code at EL0 (Secure PL0)

This is different from when EL3 is AArch64, in which case EL3 is its
own translation regime, and EL1 and EL0 (whether AArch32 or AArch64)
have their own regime.

We claimed to be mapping Secure PL1 to our ARMMMUIdx_EL3, but didn't
do anything special about Secure PL0, which meant it used the same
ARMMMUIdx_EL10_0 that NonSecure PL0 does.  This resulted in a bug
where arm_sctlr() incorrectly picked the NonSecure SCTLR as the
controlling register when in Secure PL0, which meant we were
spuriously generating alignment faults because we were looking at the
wrong SCTLR control bits.

The use of ARMMMUIdx_EL3 for Secure PL1 also resulted in the bug that
we wouldn't honour the PAN bit for Secure PL1, because there's no
equivalent _PAN mmu index for it.

We could fix this in one of two ways:
 * The most straightforward is to add new MMU indexes EL30_0,
   EL30_3, EL30_3_PAN to correspond to "Secure PL1&0 at PL0",
   "Secure PL1&0 at PL1", and "Secure PL1&0 at PL1 with PAN".
   This matches how we use indexes for the AArch64 regimes, and
   preserves propirties like being able to determine the privilege
   level from an MMU index without any other information. However
   it would add two MMU indexes (we can share one with ARMMMUIdx_EL3),
   and we are already using 14 of the 16 the core TLB code permits.

 * The more complicated approach is the one we take here. We use
   the same MMU indexes (E10_0, E10_1, E10_1_PAN) for Secure PL1&0
   than we do for NonSecure PL1&0. This saves on MMU indexes, but
   means we need to check in some places whether we're in the
   Secure PL1&0 regime or not before we interpret an MMU index.

The changes in this commit were created by auditing all the places
where we use specific ARMMMUIdx_ values, and checking whether they
needed to be changed to handle the new index value usage.

Note for potential stable backports: taking also the previous
(comment-change-only) commit might make the backport easier.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2326
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240809160430.1144805-3-peter.maydell@linaro.org
---
 target/arm/cpu.h               | 31 ++++++++++++++++++-------------
 target/arm/internals.h         | 27 +++++++++++++++++++++++----
 target/arm/tcg/translate.h     |  2 ++
 target/arm/helper.c            | 34 +++++++++++++++++++++++-----------
 target/arm/ptw.c               |  6 +++++-
 target/arm/tcg/hflags.c        |  4 ++++
 target/arm/tcg/translate-a64.c |  2 +-
 target/arm/tcg/translate.c     |  9 +++++----
 8 files changed, 81 insertions(+), 34 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 216774f5d3a..9a3fd595621 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -2784,8 +2784,7 @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
  *  + NonSecure PL1 & 0 stage 1
  *  + NonSecure PL1 & 0 stage 2
  *  + NonSecure PL2
- *  + Secure PL0
- *  + Secure PL1
+ *  + Secure PL1 & 0
  * (reminder: for 32 bit EL3, Secure PL1 is *EL3*, not EL1.)
  *
  * For QEMU, an mmu_idx is not quite the same as a translation regime because:
@@ -2803,37 +2802,39 @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
  *     The only use of stage 2 translations is either as part of an s1+2
  *     lookup or when loading the descriptors during a stage 1 page table walk,
  *     and in both those cases we don't use the TLB.
- *  4. we can also safely fold together the "32 bit EL3" and "64 bit EL3"
- *     translation regimes, because they map reasonably well to each other
- *     and they can't both be active at the same time.
- *  5. we want to be able to use the TLB for accesses done as part of a
+ *  4. we want to be able to use the TLB for accesses done as part of a
  *     stage1 page table walk, rather than having to walk the stage2 page
  *     table over and over.
- *  6. we need separate EL1/EL2 mmu_idx for handling the Privileged Access
+ *  5. we need separate EL1/EL2 mmu_idx for handling the Privileged Access
  *     Never (PAN) bit within PSTATE.
- *  7. we fold together most secure and non-secure regimes for A-profile,
+ *  6. we fold together most secure and non-secure regimes for A-profile,
  *     because there are no banked system registers for aarch64, so the
  *     process of switching between secure and non-secure is
  *     already heavyweight.
- *  8. we cannot fold together Stage 2 Secure and Stage 2 NonSecure,
+ *  7. we cannot fold together Stage 2 Secure and Stage 2 NonSecure,
  *     because both are in use simultaneously for Secure EL2.
  *
  * This gives us the following list of cases:
  *
- * EL0 EL1&0 stage 1+2 (aka NS PL0)
- * EL1 EL1&0 stage 1+2 (aka NS PL1)
- * EL1 EL1&0 stage 1+2 +PAN
+ * EL0 EL1&0 stage 1+2 (or AArch32 PL0 PL1&0 stage 1+2)
+ * EL1 EL1&0 stage 1+2 (or AArch32 PL1 PL1&0 stage 1+2)
+ * EL1 EL1&0 stage 1+2 +PAN (or AArch32 PL1 PL1&0 stage 1+2 +PAN)
  * EL0 EL2&0
  * EL2 EL2&0
  * EL2 EL2&0 +PAN
  * EL2 (aka NS PL2)
- * EL3 (aka S PL1)
+ * EL3 (not used when EL3 is AArch32)
  * Stage2 Secure
  * Stage2 NonSecure
  * plus one TLB per Physical address space: S, NS, Realm, Root
  *
  * for a total of 14 different mmu_idx.
  *
+ * Note that when EL3 is AArch32, the usage is potentially confusing
+ * because the MMU indexes are named for their AArch64 use, so code
+ * using the ARMMMUIdx_E10_1 might be at EL3, not EL1. This is because
+ * Secure PL1 is always at EL3.
+ *
  * R profile CPUs have an MPU, but can use the same set of MMU indexes
  * as A profile. They only need to distinguish EL0 and EL1 (and
  * EL2 for cores like the Cortex-R52).
@@ -3126,6 +3127,10 @@ FIELD(TBFLAG_A32, NS, 10, 1)
  * This requires an SME trap from AArch32 mode when using NEON.
  */
 FIELD(TBFLAG_A32, SME_TRAP_NONSTREAMING, 11, 1)
+/*
+ * Indicates whether we are in the Secure PL1&0 translation regime
+ */
+FIELD(TBFLAG_A32, S_PL1_0, 12, 1)
 
 /*
  * Bit usage when in AArch32 state, for M-profile only.
diff --git a/target/arm/internals.h b/target/arm/internals.h
index 757b1fae925..203a2dae148 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -275,6 +275,20 @@ FIELD(CNTHCTL, CNTPMASK, 19, 1)
 #define M_FAKE_FSR_NSC_EXEC 0xf /* NS executing in S&NSC memory */
 #define M_FAKE_FSR_SFAULT 0xe /* SecureFault INVTRAN, INVEP or AUVIOL */
 
+/**
+ * arm_aa32_secure_pl1_0(): Return true if in Secure PL1&0 regime
+ *
+ * Return true if the CPU is in the Secure PL1&0 translation regime.
+ * This requires that EL3 exists and is AArch32 and we are currently
+ * Secure. If this is the case then the ARMMMUIdx_E10* apply and
+ * mean we are in EL3, not EL1.
+ */
+static inline bool arm_aa32_secure_pl1_0(CPUARMState *env)
+{
+    return arm_feature(env, ARM_FEATURE_EL3) &&
+        !arm_el_is_aa64(env, 3) && arm_is_secure(env);
+}
+
 /**
  * raise_exception: Raise the specified exception.
  * Raise a guest exception with the specified value, syndrome register
@@ -808,7 +822,12 @@ static inline ARMMMUIdx core_to_aa64_mmu_idx(int mmu_idx)
     return mmu_idx | ARM_MMU_IDX_A;
 }
 
-int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx);
+/**
+ * Return the exception level we're running at if our current MMU index
+ * is @mmu_idx. @s_pl1_0 should be true if this is the AArch32
+ * Secure PL1&0 translation regime.
+ */
+int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx, bool s_pl1_0);
 
 /* Return the MMU index for a v7M CPU in the specified security state */
 ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate);
@@ -903,11 +922,11 @@ static inline uint32_t regime_el(CPUARMState *env, ARMMMUIdx mmu_idx)
         return 3;
     case ARMMMUIdx_E10_0:
     case ARMMMUIdx_Stage1_E0:
-        return arm_el_is_aa64(env, 3) || !arm_is_secure_below_el3(env) ? 1 : 3;
-    case ARMMMUIdx_Stage1_E1:
-    case ARMMMUIdx_Stage1_E1_PAN:
     case ARMMMUIdx_E10_1:
     case ARMMMUIdx_E10_1_PAN:
+    case ARMMMUIdx_Stage1_E1:
+    case ARMMMUIdx_Stage1_E1_PAN:
+        return arm_el_is_aa64(env, 3) || !arm_is_secure_below_el3(env) ? 1 : 3;
     case ARMMMUIdx_MPrivNegPri:
     case ARMMMUIdx_MUserNegPri:
     case ARMMMUIdx_MPriv:
diff --git a/target/arm/tcg/translate.h b/target/arm/tcg/translate.h
index 01c217f4a45..3f0e9ceaa39 100644
--- a/target/arm/tcg/translate.h
+++ b/target/arm/tcg/translate.h
@@ -165,6 +165,8 @@ typedef struct DisasContext {
     uint8_t gm_blocksize;
     /* True if the current insn_start has been updated. */
     bool insn_start_updated;
+    /* True if this is the AArch32 Secure PL1&0 translation regime */
+    bool s_pl1_0;
     /* Bottom two bits of XScale c15_cpar coprocessor access control reg */
     int c15_cpar;
     /* Offset from VNCR_EL2 when FEAT_NV2 redirects this reg to memory */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 8fb4b474e83..0a582c1cd3b 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -3700,7 +3700,7 @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
          */
         format64 = arm_s1_regime_using_lpae_format(env, mmu_idx);
 
-        if (arm_feature(env, ARM_FEATURE_EL2)) {
+        if (arm_feature(env, ARM_FEATURE_EL2) && !arm_aa32_secure_pl1_0(env)) {
             if (mmu_idx == ARMMMUIdx_E10_0 ||
                 mmu_idx == ARMMMUIdx_E10_1 ||
                 mmu_idx == ARMMMUIdx_E10_1_PAN) {
@@ -3774,13 +3774,11 @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
     case 0:
         /* stage 1 current state PL1: ATS1CPR, ATS1CPW, ATS1CPRP, ATS1CPWP */
         switch (el) {
-        case 3:
-            mmu_idx = ARMMMUIdx_E3;
-            break;
         case 2:
             g_assert(ss != ARMSS_Secure);  /* ARMv8.4-SecEL2 is 64-bit only */
             /* fall through */
         case 1:
+        case 3:
             if (ri->crm == 9 && arm_pan_enabled(env)) {
                 mmu_idx = ARMMMUIdx_Stage1_E1_PAN;
             } else {
@@ -11861,8 +11859,11 @@ void arm_cpu_do_interrupt(CPUState *cs)
 
 uint64_t arm_sctlr(CPUARMState *env, int el)
 {
-    /* Only EL0 needs to be adjusted for EL1&0 or EL2&0. */
-    if (el == 0) {
+    if (arm_aa32_secure_pl1_0(env)) {
+        /* In Secure PL1&0 SCTLR_S is always controlling */
+        el = 3;
+    } else if (el == 0) {
+        /* Only EL0 needs to be adjusted for EL1&0 or EL2&0. */
         ARMMMUIdx mmu_idx = arm_mmu_idx_el(env, 0);
         el = mmu_idx == ARMMMUIdx_E20_0 ? 2 : 1;
     }
@@ -12522,8 +12523,12 @@ int fp_exception_el(CPUARMState *env, int cur_el)
     return 0;
 }
 
-/* Return the exception level we're running at if this is our mmu_idx */
-int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx)
+/*
+ * Return the exception level we're running at if this is our mmu_idx.
+ * s_pl1_0 should be true if this is the AArch32 Secure PL1&0 translation
+ * regime.
+ */
+int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx, bool s_pl1_0)
 {
     if (mmu_idx & ARM_MMU_IDX_M) {
         return mmu_idx & ARM_MMU_IDX_M_PRIV;
@@ -12535,7 +12540,7 @@ int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx)
         return 0;
     case ARMMMUIdx_E10_1:
     case ARMMMUIdx_E10_1_PAN:
-        return 1;
+        return s_pl1_0 ? 3 : 1;
     case ARMMMUIdx_E2:
     case ARMMMUIdx_E20_2:
     case ARMMMUIdx_E20_2_PAN:
@@ -12573,6 +12578,15 @@ ARMMMUIdx arm_mmu_idx_el(CPUARMState *env, int el)
             idx = ARMMMUIdx_E10_0;
         }
         break;
+    case 3:
+        /*
+         * AArch64 EL3 has its own translation regime; AArch32 EL3
+         * uses the Secure PL1&0 translation regime.
+         */
+        if (arm_el_is_aa64(env, 3)) {
+            return ARMMMUIdx_E3;
+        }
+        /* fall through */
     case 1:
         if (arm_pan_enabled(env)) {
             idx = ARMMMUIdx_E10_1_PAN;
@@ -12592,8 +12606,6 @@ ARMMMUIdx arm_mmu_idx_el(CPUARMState *env, int el)
             idx = ARMMMUIdx_E2;
         }
         break;
-    case 3:
-        return ARMMMUIdx_E3;
     default:
         g_assert_not_reached();
     }
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 4476b32ff50..278004661bf 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -3576,7 +3576,11 @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
     case ARMMMUIdx_Stage1_E1:
     case ARMMMUIdx_Stage1_E1_PAN:
     case ARMMMUIdx_E2:
-        ss = arm_security_space_below_el3(env);
+        if (arm_aa32_secure_pl1_0(env)) {
+            ss = ARMSS_Secure;
+        } else {
+            ss = arm_security_space_below_el3(env);
+        }
         break;
     case ARMMMUIdx_Stage2:
         /*
diff --git a/target/arm/tcg/hflags.c b/target/arm/tcg/hflags.c
index f03977b4b00..bab7822ef66 100644
--- a/target/arm/tcg/hflags.c
+++ b/target/arm/tcg/hflags.c
@@ -198,6 +198,10 @@ static CPUARMTBFlags rebuild_hflags_a32(CPUARMState *env, int fp_el,
         DP_TBFLAG_A32(flags, SME_TRAP_NONSTREAMING, 1);
     }
 
+    if (arm_aa32_secure_pl1_0(env)) {
+        DP_TBFLAG_A32(flags, S_PL1_0, 1);
+    }
+
     return rebuild_hflags_common_32(env, fp_el, mmu_idx, flags);
 }
 
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index bc2d64e8835..4684e7eb6ea 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -11979,7 +11979,7 @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
     dc->tbii = EX_TBFLAG_A64(tb_flags, TBII);
     dc->tbid = EX_TBFLAG_A64(tb_flags, TBID);
     dc->tcma = EX_TBFLAG_A64(tb_flags, TCMA);
-    dc->current_el = arm_mmu_idx_to_el(dc->mmu_idx);
+    dc->current_el = arm_mmu_idx_to_el(dc->mmu_idx, false);
 #if !defined(CONFIG_USER_ONLY)
     dc->user = (dc->current_el == 0);
 #endif
diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c
index c5bc691d92b..e2748ff2bb8 100644
--- a/target/arm/tcg/translate.c
+++ b/target/arm/tcg/translate.c
@@ -7546,10 +7546,6 @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
 
     core_mmu_idx = EX_TBFLAG_ANY(tb_flags, MMUIDX);
     dc->mmu_idx = core_to_arm_mmu_idx(env, core_mmu_idx);
-    dc->current_el = arm_mmu_idx_to_el(dc->mmu_idx);
-#if !defined(CONFIG_USER_ONLY)
-    dc->user = (dc->current_el == 0);
-#endif
     dc->fp_excp_el = EX_TBFLAG_ANY(tb_flags, FPEXC_EL);
     dc->align_mem = EX_TBFLAG_ANY(tb_flags, ALIGN_MEM);
     dc->pstate_il = EX_TBFLAG_ANY(tb_flags, PSTATE__IL);
@@ -7580,7 +7576,12 @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
         }
         dc->sme_trap_nonstreaming =
             EX_TBFLAG_A32(tb_flags, SME_TRAP_NONSTREAMING);
+        dc->s_pl1_0 = EX_TBFLAG_A32(tb_flags, S_PL1_0);
     }
+    dc->current_el = arm_mmu_idx_to_el(dc->mmu_idx, dc->s_pl1_0);
+#if !defined(CONFIG_USER_ONLY)
+    dc->user = (dc->current_el == 0);
+#endif
     dc->lse2 = false; /* applies only to aarch64 */
     dc->cp_regs = cpu->cp_regs;
     dc->features = env->features;
-- 
2.34.1

Re: [PULL 0/4] target-arm queue

[Richard Henderson]

On 8/14/24 01:20, Peter Maydell wrote:
> Three last bugfixes to sneak into rc2 if we can. The fix
> for the EL3-is-AArch32-and-we-run-code-at-EL0 bug is the
> most important one here I think (though also the most risky).
> 
> thanks
> -- PMM
> 
> The following changes since commit 9eb51530c12ae645b91e308d16196c68563ea883:
> 
>    Merge tag 'block-pull-request' ofhttps://gitlab.com/stefanha/qemu into staging (2024-08-13 07:59:32 +1000)
> 
> are available in the Git repository at:
> 
>    https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240813
> 
> for you to fetch changes up to 4c2c0474693229c1f533239bb983495c5427784d:
> 
>    target/arm: Fix usage of MMU indexes when EL3 is AArch32 (2024-08-13 11:44:53 +0100)
> 
> ----------------------------------------------------------------
> target-arm queue:
>   * hw/misc/stm32l4x5_rcc: Add validation for MCOPRE and MCOSEL values
>   * target/arm: Clear high SVE elements in handle_vec_simd_wshli
>   * target/arm: Fix usage of MMU indexes when EL3 is AArch32


Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/9.1 as appropriate.

r~

Re: [PULL 4/4] target/arm: Fix usage of MMU indexes when EL3 is AArch32

[Thomas Huth]

On 13/08/2024 17.20, Peter Maydell wrote:
> Our current usage of MMU indexes when EL3 is AArch32 is confused.
> Architecturally, when EL3 is AArch32, all Secure code runs under the
> Secure PL1&0 translation regime:
>   * code at EL3, which might be Mon, or SVC, or any of the
>     other privileged modes (PL1)
>   * code at EL0 (Secure PL0)
> 
> This is different from when EL3 is AArch64, in which case EL3 is its
> own translation regime, and EL1 and EL0 (whether AArch32 or AArch64)
> have their own regime.
> 
> We claimed to be mapping Secure PL1 to our ARMMMUIdx_EL3, but didn't
> do anything special about Secure PL0, which meant it used the same
> ARMMMUIdx_EL10_0 that NonSecure PL0 does.  This resulted in a bug
> where arm_sctlr() incorrectly picked the NonSecure SCTLR as the
> controlling register when in Secure PL0, which meant we were
> spuriously generating alignment faults because we were looking at the
> wrong SCTLR control bits.
> 
> The use of ARMMMUIdx_EL3 for Secure PL1 also resulted in the bug that
> we wouldn't honour the PAN bit for Secure PL1, because there's no
> equivalent _PAN mmu index for it.
> 
> We could fix this in one of two ways:
>   * The most straightforward is to add new MMU indexes EL30_0,
>     EL30_3, EL30_3_PAN to correspond to "Secure PL1&0 at PL0",
>     "Secure PL1&0 at PL1", and "Secure PL1&0 at PL1 with PAN".
>     This matches how we use indexes for the AArch64 regimes, and
>     preserves propirties like being able to determine the privilege
>     level from an MMU index without any other information. However
>     it would add two MMU indexes (we can share one with ARMMMUIdx_EL3),
>     and we are already using 14 of the 16 the core TLB code permits.
> 
>   * The more complicated approach is the one we take here. We use
>     the same MMU indexes (E10_0, E10_1, E10_1_PAN) for Secure PL1&0
>     than we do for NonSecure PL1&0. This saves on MMU indexes, but
>     means we need to check in some places whether we're in the
>     Secure PL1&0 regime or not before we interpret an MMU index.
> 
> The changes in this commit were created by auditing all the places
> where we use specific ARMMMUIdx_ values, and checking whether they
> needed to be changed to handle the new index value usage.

  Hi Peter,

this commit caused a regression with one of the Avocado tests:

  AVOCADO_ALLOW_LARGE_STORAGE=1 avocado run 
tests/avocado/boot_linux_console.py:BootLinuxConsole.test_arm_bpim2u_openwrt_22_03_3

is failing now. It works still fine before this commit. Could you please 
have a look?

  Thanks,
   Thomas

Re: [PULL 4/4] target/arm: Fix usage of MMU indexes when EL3 is AArch32

[Peter Maydell]

On Fri, 25 Oct 2024 at 13:54, Thomas Huth <thuth@redhat.com> wrote:
>
> On 13/08/2024 17.20, Peter Maydell wrote:
> > Our current usage of MMU indexes when EL3 is AArch32 is confused.
> > Architecturally, when EL3 is AArch32, all Secure code runs under the
> > Secure PL1&0 translation regime:
> >   * code at EL3, which might be Mon, or SVC, or any of the
> >     other privileged modes (PL1)
> >   * code at EL0 (Secure PL0)
> >
> > This is different from when EL3 is AArch64, in which case EL3 is its
> > own translation regime, and EL1 and EL0 (whether AArch32 or AArch64)
> > have their own regime.
> >
> > We claimed to be mapping Secure PL1 to our ARMMMUIdx_EL3, but didn't
> > do anything special about Secure PL0, which meant it used the same
> > ARMMMUIdx_EL10_0 that NonSecure PL0 does.  This resulted in a bug
> > where arm_sctlr() incorrectly picked the NonSecure SCTLR as the
> > controlling register when in Secure PL0, which meant we were
> > spuriously generating alignment faults because we were looking at the
> > wrong SCTLR control bits.
> >
> > The use of ARMMMUIdx_EL3 for Secure PL1 also resulted in the bug that
> > we wouldn't honour the PAN bit for Secure PL1, because there's no
> > equivalent _PAN mmu index for it.
> >
> > We could fix this in one of two ways:
> >   * The most straightforward is to add new MMU indexes EL30_0,
> >     EL30_3, EL30_3_PAN to correspond to "Secure PL1&0 at PL0",
> >     "Secure PL1&0 at PL1", and "Secure PL1&0 at PL1 with PAN".
> >     This matches how we use indexes for the AArch64 regimes, and
> >     preserves propirties like being able to determine the privilege
> >     level from an MMU index without any other information. However
> >     it would add two MMU indexes (we can share one with ARMMMUIdx_EL3),
> >     and we are already using 14 of the 16 the core TLB code permits.
> >
> >   * The more complicated approach is the one we take here. We use
> >     the same MMU indexes (E10_0, E10_1, E10_1_PAN) for Secure PL1&0
> >     than we do for NonSecure PL1&0. This saves on MMU indexes, but
> >     means we need to check in some places whether we're in the
> >     Secure PL1&0 regime or not before we interpret an MMU index.
> >
> > The changes in this commit were created by auditing all the places
> > where we use specific ARMMMUIdx_ values, and checking whether they
> > needed to be changed to handle the new index value usage.
>
>   Hi Peter,
>
> this commit caused a regression with one of the Avocado tests:
>
>   AVOCADO_ALLOW_LARGE_STORAGE=1 avocado run
> tests/avocado/boot_linux_console.py:BootLinuxConsole.test_arm_bpim2u_openwrt_22_03_3
>
> is failing now. It works still fine before this commit. Could you please
> have a look?

Thanks for the report; I've investigated it. The cause of this specific
failure is that regime_el() doesn't return the right answer when code
is executing in the guest in Monitor mode. The effect is that because
regime_el() returns 1, not 3, we look at the wrong banked registers
and the page table walk fails when it should not. This is enough to fix:

diff --git a/target/arm/internals.h b/target/arm/internals.h
index 203a2dae148..812487b9291 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -926,7 +926,7 @@ static inline uint32_t regime_el(CPUARMState *env,
ARMMMUIdx mmu_idx)
     case ARMMMUIdx_E10_1_PAN:
     case ARMMMUIdx_Stage1_E1:
     case ARMMMUIdx_Stage1_E1_PAN:
-        return arm_el_is_aa64(env, 3) || !arm_is_secure_below_el3(env) ? 1 : 3;
+        return arm_aa32_secure_pl1_0(env) ? 3 : 1;
     case ARMMMUIdx_MPrivNegPri:
     case ARMMMUIdx_MUserNegPri:
     case ARMMMUIdx_MPriv:

However, while I was thinking about this I realised that there
are some problems with the design change this commit is trying
to do. The idea is that we now use the same MMU indexes for
Secure PL1&0 as we do for NonSecure PL1&0.

Small problem:
 That means we need to flush the TLBs at any point where the CPU
 state flips from one to the other. We already flush the TLB when
 SCR.NS is changed, but we don't flush the TLB when we take an
 exception from NS PL1&0 into Mon or when we return from Mon to
 NS PL1&0. Now we need to do that, so any time we call up into
 Mon and back we'll dump the TLBs, which is a bit sad.
 (Also we could skip flushing all these TLBs when NS changes.)

Larger problem:
 the ATS12NS* address translate instructions allow Mon code
 (which is Secure) to do a stage 1+2 page table walk for NS.
 I thought this was OK because do_ats_write() does a page
 table walk which doesn't use the TLBs, so because it can
 pass both the MMU index and also an ARMSecuritySpace argument
 we can tell the table walk that we want NS stage1+2, not S.
 But that means that all the code within the ptw that needs
 to find e.g. the regime EL cannot do so only with an
 mmu_idx -- all these functions like regime_sctlr(), regime_el(),
 etc would need to pass both an mmu_idx and the security_space,
 so they can tell whether this is a translation regime
 controlled by EL1 or EL3 (and so whether to look at SCTLR.S
 or SCTLR.NS, etc).

So now I'm wondering if this merge was a good idea after all.
Should we do all that replumbing required, or should we
instead revert this and take the "straightforward" approach
described in the commit message above of adding some extra
MMU indexes?

(I suspect that this commit is likely also the cause of
https://gitlab.com/qemu-project/qemu/-/issues/2588 )

-- PMM

Re: [PULL 4/4] target/arm: Fix usage of MMU indexes when EL3 is AArch32

[Richard Henderson]

On 10/28/24 13:24, Peter Maydell wrote:
> On Fri, 25 Oct 2024 at 13:54, Thomas Huth <thuth@redhat.com> wrote:
>>
>> On 13/08/2024 17.20, Peter Maydell wrote:
>>> Our current usage of MMU indexes when EL3 is AArch32 is confused.
>>> Architecturally, when EL3 is AArch32, all Secure code runs under the
>>> Secure PL1&0 translation regime:
>>>    * code at EL3, which might be Mon, or SVC, or any of the
>>>      other privileged modes (PL1)
>>>    * code at EL0 (Secure PL0)
>>>
>>> This is different from when EL3 is AArch64, in which case EL3 is its
>>> own translation regime, and EL1 and EL0 (whether AArch32 or AArch64)
>>> have their own regime.
>>>
>>> We claimed to be mapping Secure PL1 to our ARMMMUIdx_EL3, but didn't
>>> do anything special about Secure PL0, which meant it used the same
>>> ARMMMUIdx_EL10_0 that NonSecure PL0 does.  This resulted in a bug
>>> where arm_sctlr() incorrectly picked the NonSecure SCTLR as the
>>> controlling register when in Secure PL0, which meant we were
>>> spuriously generating alignment faults because we were looking at the
>>> wrong SCTLR control bits.
>>>
>>> The use of ARMMMUIdx_EL3 for Secure PL1 also resulted in the bug that
>>> we wouldn't honour the PAN bit for Secure PL1, because there's no
>>> equivalent _PAN mmu index for it.
>>>
>>> We could fix this in one of two ways:
>>>    * The most straightforward is to add new MMU indexes EL30_0,
>>>      EL30_3, EL30_3_PAN to correspond to "Secure PL1&0 at PL0",
>>>      "Secure PL1&0 at PL1", and "Secure PL1&0 at PL1 with PAN".
>>>      This matches how we use indexes for the AArch64 regimes, and
>>>      preserves propirties like being able to determine the privilege
>>>      level from an MMU index without any other information. However
>>>      it would add two MMU indexes (we can share one with ARMMMUIdx_EL3),
>>>      and we are already using 14 of the 16 the core TLB code permits.
>>>
>>>    * The more complicated approach is the one we take here. We use
>>>      the same MMU indexes (E10_0, E10_1, E10_1_PAN) for Secure PL1&0
>>>      than we do for NonSecure PL1&0. This saves on MMU indexes, but
>>>      means we need to check in some places whether we're in the
>>>      Secure PL1&0 regime or not before we interpret an MMU index.
>>>
>>> The changes in this commit were created by auditing all the places
>>> where we use specific ARMMMUIdx_ values, and checking whether they
>>> needed to be changed to handle the new index value usage.
>>
>>    Hi Peter,
>>
>> this commit caused a regression with one of the Avocado tests:
>>
>>    AVOCADO_ALLOW_LARGE_STORAGE=1 avocado run
>> tests/avocado/boot_linux_console.py:BootLinuxConsole.test_arm_bpim2u_openwrt_22_03_3
>>
>> is failing now. It works still fine before this commit. Could you please
>> have a look?
> 
> Thanks for the report; I've investigated it. The cause of this specific
> failure is that regime_el() doesn't return the right answer when code
> is executing in the guest in Monitor mode. The effect is that because
> regime_el() returns 1, not 3, we look at the wrong banked registers
> and the page table walk fails when it should not. This is enough to fix:
> 
> diff --git a/target/arm/internals.h b/target/arm/internals.h
> index 203a2dae148..812487b9291 100644
> --- a/target/arm/internals.h
> +++ b/target/arm/internals.h
> @@ -926,7 +926,7 @@ static inline uint32_t regime_el(CPUARMState *env,
> ARMMMUIdx mmu_idx)
>       case ARMMMUIdx_E10_1_PAN:
>       case ARMMMUIdx_Stage1_E1:
>       case ARMMMUIdx_Stage1_E1_PAN:
> -        return arm_el_is_aa64(env, 3) || !arm_is_secure_below_el3(env) ? 1 : 3;
> +        return arm_aa32_secure_pl1_0(env) ? 3 : 1;
>       case ARMMMUIdx_MPrivNegPri:
>       case ARMMMUIdx_MUserNegPri:
>       case ARMMMUIdx_MPriv:
> 
> However, while I was thinking about this I realised that there
> are some problems with the design change this commit is trying
> to do. The idea is that we now use the same MMU indexes for
> Secure PL1&0 as we do for NonSecure PL1&0.
> 
> Small problem:
>   That means we need to flush the TLBs at any point where the CPU
>   state flips from one to the other. We already flush the TLB when
>   SCR.NS is changed, but we don't flush the TLB when we take an
>   exception from NS PL1&0 into Mon or when we return from Mon to
>   NS PL1&0. Now we need to do that, so any time we call up into
>   Mon and back we'll dump the TLBs, which is a bit sad.
>   (Also we could skip flushing all these TLBs when NS changes.)
> 
> Larger problem:
>   the ATS12NS* address translate instructions allow Mon code
>   (which is Secure) to do a stage 1+2 page table walk for NS.
>   I thought this was OK because do_ats_write() does a page
>   table walk which doesn't use the TLBs, so because it can
>   pass both the MMU index and also an ARMSecuritySpace argument
>   we can tell the table walk that we want NS stage1+2, not S.
>   But that means that all the code within the ptw that needs
>   to find e.g. the regime EL cannot do so only with an
>   mmu_idx -- all these functions like regime_sctlr(), regime_el(),
>   etc would need to pass both an mmu_idx and the security_space,
>   so they can tell whether this is a translation regime
>   controlled by EL1 or EL3 (and so whether to look at SCTLR.S
>   or SCTLR.NS, etc).
> 
> So now I'm wondering if this merge was a good idea after all.
> Should we do all that replumbing required, or should we
> instead revert this and take the "straightforward" approach
> described in the commit message above of adding some extra
> MMU indexes?

It might be easier to add the extra mmu indexes.

We'll have to re-use ARMMMUIdx_E3 for EL30_3, I think, because we only have 2 mmu_idx left 
available.


r~


> 
> (I suspect that this commit is likely also the cause of
> https://gitlab.com/qemu-project/qemu/-/issues/2588 )
> 
> -- PMM