projects / mirror_qemu.git / blame
| Commit | Line | Data |
|---|---|---|
| 9eb8040c PM |
1 | /* |
| 2 | * ARM TrustZone peripheral protection controller emulation | |
| 3 | * | |
| 4 | * Copyright (c) 2018 Linaro Limited | |
| 5 | * Written by Peter Maydell | |
| 6 | * | |
| 7 | * This program is free software; you can redistribute it and/or modify | |
| 8 | * it under the terms of the GNU General Public License version 2 or | |
| 9 | * (at your option) any later version. | |
| 10 | */ | |
| 11 | ||
| 12 | /* This is a model of the TrustZone peripheral protection controller (PPC). | |
| 13 | * It is documented in the ARM CoreLink SIE-200 System IP for Embedded TRM | |
| 14 | * (DDI 0571G): | |
| 15 | * https://developer.arm.com/products/architecture/m-profile/docs/ddi0571/g | |
| 16 | * | |
| 17 | * The PPC sits in front of peripherals and allows secure software to | |
| 18 | * configure it to either pass through or reject transactions. | |
| 19 | * Rejected transactions may be configured to either be aborted, or to | |
| 20 | * behave as RAZ/WI. An interrupt can be signalled for a rejected transaction. | |
| 21 | * | |
| 22 | * The PPC has no register interface -- it is configured purely by a | |
| 23 | * collection of input signals from other hardware in the system. Typically | |
| 24 | * they are either hardwired or exposed in an ad-hoc register interface by | |
| 25 | * the SoC that uses the PPC. | |
| 26 | * | |
| 27 | * This QEMU model can be used to model either the AHB5 or APB4 TZ PPC, | |
| 28 | * since the only difference between them is that the AHB version has a | |
| 29 | * "default" port which has no security checks applied. In QEMU the default | |
| 30 | * port can be emulated simply by wiring its downstream devices directly | |
| 31 | * into the parent address space, since the PPC does not need to intercept | |
| 32 | * transactions there. | |
| 33 | * | |
| 34 | * In the hardware, selection of which downstream port to use is done by | |
| 35 | * the user's decode logic asserting one of the hsel[] signals. In QEMU, | |
| 36 | * we provide 16 MMIO regions, one per port, and the user maps these into | |
| 37 | * the desired addresses to implement the address decode. | |
| 38 | * | |
| 39 | * QEMU interface: | |
| 40 | * + sysbus MMIO regions 0..15: MemoryRegions defining the upstream end | |
| 37e571f1 PM |
41 | * of each of the 16 ports of the PPC. When a port is unused (i.e. no |
| 42 | * downstream MemoryRegion is connected to it) at the end of the 0..15 | |
| 43 | * range then no sysbus MMIO region is created for its upstream. When an | |
| 44 | * unused port lies in the middle of the range with other used ports at | |
| 45 | * higher port numbers, a dummy MMIO region is created to ensure that | |
| 46 | * port N's upstream is always sysbus MMIO region N. Dummy regions should | |
| 47 | * not be mapped, and will assert if any access is made to them. | |
| 9eb8040c PM |
48 | * + Property "port[0..15]": MemoryRegion defining the downstream device(s) |
| 49 | * for each of the 16 ports of the PPC | |
| 50 | * + Named GPIO inputs "cfg_nonsec[0..15]": set to 1 if the port should be | |
| 51 | * accessible to NonSecure transactions | |
| 52 | * + Named GPIO inputs "cfg_ap[0..15]": set to 1 if the port should be | |
| 53 | * accessible to non-privileged transactions | |
| 54 | * + Named GPIO input "cfg_sec_resp": set to 1 if a rejected transaction should | |
| 55 | * result in a transaction error, or 0 for the transaction to RAZ/WI | |
| 56 | * + Named GPIO input "irq_enable": set to 1 to enable interrupts | |
| 57 | * + Named GPIO input "irq_clear": set to 1 to clear a pending interrupt | |
| 58 | * + Named GPIO output "irq": set for a transaction-failed interrupt | |
| 59 | * + Property "NONSEC_MASK": if a bit is set in this mask then accesses to | |
| 60 | * the associated port do not have the TZ security check performed. (This | |
| 61 | * corresponds to the hardware allowing this to be set as a Verilog | |
| 62 | * parameter.) | |
| 63 | */ | |
| 64 | ||
| 65 | #ifndef TZ_PPC_H | |
| 66 | #define TZ_PPC_H | |
| 67 | ||
| 68 | #include "hw/sysbus.h" | |
| db1015e9 | 69 | #include "qom/object.h" |
| 9eb8040c PM |
70 | |
| 71 | #define TYPE_TZ_PPC "tz-ppc" | |
| db1015e9 | 72 | typedef struct TZPPC TZPPC; |
| 9eb8040c PM |
73 | #define TZ_PPC(obj) OBJECT_CHECK(TZPPC, (obj), TYPE_TZ_PPC) |
| 74 | ||
| 75 | #define TZ_NUM_PORTS 16 | |
| 76 | ||
| 9eb8040c PM |
77 | |
| 78 | typedef struct TZPPCPort { | |
| 79 | TZPPC *ppc; | |
| 80 | MemoryRegion upstream; | |
| 81 | AddressSpace downstream_as; | |
| 82 | MemoryRegion *downstream; | |
| 83 | } TZPPCPort; | |
| 84 | ||
| 85 | struct TZPPC { | |
| 86 | /*< private >*/ | |
| 87 | SysBusDevice parent_obj; | |
| 88 | ||
| 89 | /*< public >*/ | |
| 90 | ||
| 91 | /* State: these just track the values of our input signals */ | |
| 92 | bool cfg_nonsec[TZ_NUM_PORTS]; | |
| 93 | bool cfg_ap[TZ_NUM_PORTS]; | |
| 94 | bool cfg_sec_resp; | |
| 95 | bool irq_enable; | |
| 96 | bool irq_clear; | |
| 97 | /* State: are we asserting irq ? */ | |
| 98 | bool irq_status; | |
| 99 | ||
| 100 | qemu_irq irq; | |
| 101 | ||
| 102 | /* Properties */ | |
| 103 | uint32_t nonsec_mask; | |
| 104 | ||
| 105 | TZPPCPort port[TZ_NUM_PORTS]; | |
| 106 | }; | |
| 107 | ||
| 108 | #endif |