]> git.proxmox.com Git - mirror_qemu.git/blob - hw/misc/tz-mpc.c
projects / mirror_qemu.git / blob
? search:


deb7796ec2cc84cfb07eaa71be56f3cb4a6b4fee
[mirror_qemu.git] / hw / misc / tz-mpc.c
1 /*
2 * ARM AHB5 TrustZone Memory Protection Controller emulation
3 *
4 * Copyright (c) 2018 Linaro Limited
5 * Written by Peter Maydell
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 or
9 * (at your option) any later version.
10 */
11
12 #include "qemu/osdep.h"
13 #include "qemu/log.h"
14 #include "qemu/module.h"
15 #include "qapi/error.h"
16 #include "trace.h"
17 #include "hw/sysbus.h"
18 #include "migration/vmstate.h"
19 #include "hw/registerfields.h"
20 #include "hw/irq.h"
21 #include "hw/misc/tz-mpc.h"
22
23 /* Our IOMMU has two IOMMU indexes, one for secure transactions and one for
24 * non-secure transactions.
25 */
26 enum {
27 IOMMU_IDX_S,
28 IOMMU_IDX_NS,
29 IOMMU_NUM_INDEXES,
30 };
31
32 /* Config registers */
33 REG32(CTRL, 0x00)
34 FIELD(CTRL, SEC_RESP, 4, 1)
35 FIELD(CTRL, AUTOINC, 8, 1)
36 FIELD(CTRL, LOCKDOWN, 31, 1)
37 REG32(BLK_MAX, 0x10)
38 REG32(BLK_CFG, 0x14)
39 REG32(BLK_IDX, 0x18)
40 REG32(BLK_LUT, 0x1c)
41 REG32(INT_STAT, 0x20)
42 FIELD(INT_STAT, IRQ, 0, 1)
43 REG32(INT_CLEAR, 0x24)
44 FIELD(INT_CLEAR, IRQ, 0, 1)
45 REG32(INT_EN, 0x28)
46 FIELD(INT_EN, IRQ, 0, 1)
47 REG32(INT_INFO1, 0x2c)
48 REG32(INT_INFO2, 0x30)
49 FIELD(INT_INFO2, HMASTER, 0, 16)
50 FIELD(INT_INFO2, HNONSEC, 16, 1)
51 FIELD(INT_INFO2, CFG_NS, 17, 1)
52 REG32(INT_SET, 0x34)
53 FIELD(INT_SET, IRQ, 0, 1)
54 REG32(PIDR4, 0xfd0)
55 REG32(PIDR5, 0xfd4)
56 REG32(PIDR6, 0xfd8)
57 REG32(PIDR7, 0xfdc)
58 REG32(PIDR0, 0xfe0)
59 REG32(PIDR1, 0xfe4)
60 REG32(PIDR2, 0xfe8)
61 REG32(PIDR3, 0xfec)
62 REG32(CIDR0, 0xff0)
63 REG32(CIDR1, 0xff4)
64 REG32(CIDR2, 0xff8)
65 REG32(CIDR3, 0xffc)
66
67 static const uint8_t tz_mpc_idregs[] = {
68 0x04, 0x00, 0x00, 0x00,
69 0x60, 0xb8, 0x1b, 0x00,
70 0x0d, 0xf0, 0x05, 0xb1,
71 };
72
73 static void tz_mpc_irq_update(TZMPC *s)
74 {
75 qemu_set_irq(s->irq, s->int_stat && s->int_en);
76 }
77
78 static void tz_mpc_iommu_notify(TZMPC *s, uint32_t lutidx,
79 uint32_t oldlut, uint32_t newlut)
80 {
81 /* Called when the LUT word at lutidx has changed from oldlut to newlut;
82 * must call the IOMMU notifiers for the changed blocks.
83 */
84 IOMMUTLBEntry entry = {
85 .addr_mask = s->blocksize - 1,
86 };
87 hwaddr addr = lutidx * s->blocksize * 32;
88 int i;
89
90 for (i = 0; i < 32; i++, addr += s->blocksize) {
91 bool block_is_ns;
92
93 if (!((oldlut ^ newlut) & (1 << i))) {
94 continue;
95 }
96 /* This changes the mappings for both the S and the NS space,
97 * so we need to do four notifies: an UNMAP then a MAP for each.
98 */
99 block_is_ns = newlut & (1 << i);
100
101 trace_tz_mpc_iommu_notify(addr);
102 entry.iova = addr;
103 entry.translated_addr = addr;
104
105 entry.perm = IOMMU_NONE;
106 memory_region_notify_iommu(&s->upstream, IOMMU_IDX_S, entry);
107 memory_region_notify_iommu(&s->upstream, IOMMU_IDX_NS, entry);
108
109 entry.perm = IOMMU_RW;
110 if (block_is_ns) {
111 entry.target_as = &s->blocked_io_as;
112 } else {
113 entry.target_as = &s->downstream_as;
114 }
115 memory_region_notify_iommu(&s->upstream, IOMMU_IDX_S, entry);
116 if (block_is_ns) {
117 entry.target_as = &s->downstream_as;
118 } else {
119 entry.target_as = &s->blocked_io_as;
120 }
121 memory_region_notify_iommu(&s->upstream, IOMMU_IDX_NS, entry);
122 }
123 }
124
125 static void tz_mpc_autoinc_idx(TZMPC *s, unsigned access_size)
126 {
127 /* Auto-increment BLK_IDX if necessary */
128 if (access_size == 4 && (s->ctrl & R_CTRL_AUTOINC_MASK)) {
129 s->blk_idx++;
130 s->blk_idx %= s->blk_max;
131 }
132 }
133
134 static MemTxResult tz_mpc_reg_read(void *opaque, hwaddr addr,
135 uint64_t *pdata,
136 unsigned size, MemTxAttrs attrs)
137 {
138 TZMPC *s = TZ_MPC(opaque);
139 uint64_t r;
140 uint32_t offset = addr & ~0x3;
141
142 if (!attrs.secure && offset < A_PIDR4) {
143 /* NS accesses can only see the ID registers */
144 qemu_log_mask(LOG_GUEST_ERROR,
145 "TZ MPC register read: NS access to offset 0x%x\n",
146 offset);
147 r = 0;
148 goto read_out;
149 }
150
151 switch (offset) {
152 case A_CTRL:
153 r = s->ctrl;
154 break;
155 case A_BLK_MAX:
156 r = s->blk_max - 1;
157 break;
158 case A_BLK_CFG:
159 /* We are never in "init in progress state", so this just indicates
160 * the block size. s->blocksize == (1 << BLK_CFG + 5), so
161 * BLK_CFG == ctz32(s->blocksize) - 5
162 */
163 r = ctz32(s->blocksize) - 5;
164 break;
165 case A_BLK_IDX:
166 r = s->blk_idx;
167 break;
168 case A_BLK_LUT:
169 r = s->blk_lut[s->blk_idx];
170 tz_mpc_autoinc_idx(s, size);
171 break;
172 case A_INT_STAT:
173 r = s->int_stat;
174 break;
175 case A_INT_EN:
176 r = s->int_en;
177 break;
178 case A_INT_INFO1:
179 r = s->int_info1;
180 break;
181 case A_INT_INFO2:
182 r = s->int_info2;
183 break;
184 case A_PIDR4:
185 case A_PIDR5:
186 case A_PIDR6:
187 case A_PIDR7:
188 case A_PIDR0:
189 case A_PIDR1:
190 case A_PIDR2:
191 case A_PIDR3:
192 case A_CIDR0:
193 case A_CIDR1:
194 case A_CIDR2:
195 case A_CIDR3:
196 r = tz_mpc_idregs[(offset - A_PIDR4) / 4];
197 break;
198 case A_INT_CLEAR:
199 case A_INT_SET:
200 qemu_log_mask(LOG_GUEST_ERROR,
201 "TZ MPC register read: write-only offset 0x%x\n",
202 offset);
203 r = 0;
204 break;
205 default:
206 qemu_log_mask(LOG_GUEST_ERROR,
207 "TZ MPC register read: bad offset 0x%x\n", offset);
208 r = 0;
209 break;
210 }
211
212 if (size != 4) {
213 /* None of our registers are read-sensitive (except BLK_LUT,
214 * which can special case the "size not 4" case), so just
215 * pull the right bytes out of the word read result.
216 */
217 r = extract32(r, (addr & 3) * 8, size * 8);
218 }
219
220 read_out:
221 trace_tz_mpc_reg_read(addr, r, size);
222 *pdata = r;
223 return MEMTX_OK;
224 }
225
226 static MemTxResult tz_mpc_reg_write(void *opaque, hwaddr addr,
227 uint64_t value,
228 unsigned size, MemTxAttrs attrs)
229 {
230 TZMPC *s = TZ_MPC(opaque);
231 uint32_t offset = addr & ~0x3;
232
233 trace_tz_mpc_reg_write(addr, value, size);
234
235 if (!attrs.secure && offset < A_PIDR4) {
236 /* NS accesses can only see the ID registers */
237 qemu_log_mask(LOG_GUEST_ERROR,
238 "TZ MPC register write: NS access to offset 0x%x\n",
239 offset);
240 return MEMTX_OK;
241 }
242
243 if (size != 4) {
244 /* Expand the byte or halfword write to a full word size.
245 * In most cases we can do this with zeroes; the exceptions
246 * are CTRL, BLK_IDX and BLK_LUT.
247 */
248 uint32_t oldval;
249
250 switch (offset) {
251 case A_CTRL:
252 oldval = s->ctrl;
253 break;
254 case A_BLK_IDX:
255 oldval = s->blk_idx;
256 break;
257 case A_BLK_LUT:
258 oldval = s->blk_lut[s->blk_idx];
259 break;
260 default:
261 oldval = 0;
262 break;
263 }
264 value = deposit32(oldval, (addr & 3) * 8, size * 8, value);
265 }
266
267 if ((s->ctrl & R_CTRL_LOCKDOWN_MASK) &&
268 (offset == A_CTRL || offset == A_BLK_LUT || offset == A_INT_EN)) {
269 /* Lockdown mode makes these three registers read-only, and
270 * the only way out of it is to reset the device.
271 */
272 qemu_log_mask(LOG_GUEST_ERROR, "TZ MPC register write to offset 0x%x "
273 "while MPC is in lockdown mode\n", offset);
274 return MEMTX_OK;
275 }
276
277 switch (offset) {
278 case A_CTRL:
279 /* We don't implement the 'data gating' feature so all other bits
280 * are reserved and we make them RAZ/WI.
281 */
282 s->ctrl = value & (R_CTRL_SEC_RESP_MASK |
283 R_CTRL_AUTOINC_MASK |
284 R_CTRL_LOCKDOWN_MASK);
285 break;
286 case A_BLK_IDX:
287 s->blk_idx = value % s->blk_max;
288 break;
289 case A_BLK_LUT:
290 tz_mpc_iommu_notify(s, s->blk_idx, s->blk_lut[s->blk_idx], value);
291 s->blk_lut[s->blk_idx] = value;
292 tz_mpc_autoinc_idx(s, size);
293 break;
294 case A_INT_CLEAR:
295 if (value & R_INT_CLEAR_IRQ_MASK) {
296 s->int_stat = 0;
297 tz_mpc_irq_update(s);
298 }
299 break;
300 case A_INT_EN:
301 s->int_en = value & R_INT_EN_IRQ_MASK;
302 tz_mpc_irq_update(s);
303 break;
304 case A_INT_SET:
305 if (value & R_INT_SET_IRQ_MASK) {
306 s->int_stat = R_INT_STAT_IRQ_MASK;
307 tz_mpc_irq_update(s);
308 }
309 break;
310 case A_PIDR4:
311 case A_PIDR5:
312 case A_PIDR6:
313 case A_PIDR7:
314 case A_PIDR0:
315 case A_PIDR1:
316 case A_PIDR2:
317 case A_PIDR3:
318 case A_CIDR0:
319 case A_CIDR1:
320 case A_CIDR2:
321 case A_CIDR3:
322 qemu_log_mask(LOG_GUEST_ERROR,
323 "TZ MPC register write: read-only offset 0x%x\n", offset);
324 break;
325 default:
326 qemu_log_mask(LOG_GUEST_ERROR,
327 "TZ MPC register write: bad offset 0x%x\n", offset);
328 break;
329 }
330
331 return MEMTX_OK;
332 }
333
334 static const MemoryRegionOps tz_mpc_reg_ops = {
335 .read_with_attrs = tz_mpc_reg_read,
336 .write_with_attrs = tz_mpc_reg_write,
337 .endianness = DEVICE_LITTLE_ENDIAN,
338 .valid.min_access_size = 1,
339 .valid.max_access_size = 4,
340 .impl.min_access_size = 1,
341 .impl.max_access_size = 4,
342 };
343
344 static inline bool tz_mpc_cfg_ns(TZMPC *s, hwaddr addr)
345 {
346 /* Return the cfg_ns bit from the LUT for the specified address */
347 hwaddr blknum = addr / s->blocksize;
348 hwaddr blkword = blknum / 32;
349 uint32_t blkbit = 1U << (blknum % 32);
350
351 /* This would imply the address was larger than the size we
352 * defined this memory region to be, so it can't happen.
353 */
354 assert(blkword < s->blk_max);
355 return s->blk_lut[blkword] & blkbit;
356 }
357
358 static MemTxResult tz_mpc_handle_block(TZMPC *s, hwaddr addr, MemTxAttrs attrs)
359 {
360 /* Handle a blocked transaction: raise IRQ, capture info, etc */
361 if (!s->int_stat) {
362 /* First blocked transfer: capture information into INT_INFO1 and
363 * INT_INFO2. Subsequent transfers are still blocked but don't
364 * capture information until the guest clears the interrupt.
365 */
366
367 s->int_info1 = addr;
368 s->int_info2 = 0;
369 s->int_info2 = FIELD_DP32(s->int_info2, INT_INFO2, HMASTER,
370 attrs.requester_id & 0xffff);
371 s->int_info2 = FIELD_DP32(s->int_info2, INT_INFO2, HNONSEC,
372 ~attrs.secure);
373 s->int_info2 = FIELD_DP32(s->int_info2, INT_INFO2, CFG_NS,
374 tz_mpc_cfg_ns(s, addr));
375 s->int_stat |= R_INT_STAT_IRQ_MASK;
376 tz_mpc_irq_update(s);
377 }
378
379 /* Generate bus error if desired; otherwise RAZ/WI */
380 return (s->ctrl & R_CTRL_SEC_RESP_MASK) ? MEMTX_ERROR : MEMTX_OK;
381 }
382
383 /* Accesses only reach these read and write functions if the MPC is
384 * blocking them; non-blocked accesses go directly to the downstream
385 * memory region without passing through this code.
386 */
387 static MemTxResult tz_mpc_mem_blocked_read(void *opaque, hwaddr addr,
388 uint64_t *pdata,
389 unsigned size, MemTxAttrs attrs)
390 {
391 TZMPC *s = TZ_MPC(opaque);
392
393 trace_tz_mpc_mem_blocked_read(addr, size, attrs.secure);
394
395 *pdata = 0;
396 return tz_mpc_handle_block(s, addr, attrs);
397 }
398
399 static MemTxResult tz_mpc_mem_blocked_write(void *opaque, hwaddr addr,
400 uint64_t value,
401 unsigned size, MemTxAttrs attrs)
402 {
403 TZMPC *s = TZ_MPC(opaque);
404
405 trace_tz_mpc_mem_blocked_write(addr, value, size, attrs.secure);
406
407 return tz_mpc_handle_block(s, addr, attrs);
408 }
409
410 static const MemoryRegionOps tz_mpc_mem_blocked_ops = {
411 .read_with_attrs = tz_mpc_mem_blocked_read,
412 .write_with_attrs = tz_mpc_mem_blocked_write,
413 .endianness = DEVICE_LITTLE_ENDIAN,
414 .valid.min_access_size = 1,
415 .valid.max_access_size = 8,
416 .impl.min_access_size = 1,
417 .impl.max_access_size = 8,
418 };
419
420 static IOMMUTLBEntry tz_mpc_translate(IOMMUMemoryRegion *iommu,
421 hwaddr addr, IOMMUAccessFlags flags,
422 int iommu_idx)
423 {
424 TZMPC *s = TZ_MPC(container_of(iommu, TZMPC, upstream));
425 bool ok;
426
427 IOMMUTLBEntry ret = {
428 .iova = addr & ~(s->blocksize - 1),
429 .translated_addr = addr & ~(s->blocksize - 1),
430 .addr_mask = s->blocksize - 1,
431 .perm = IOMMU_RW,
432 };
433
434 /* Look at the per-block configuration for this address, and
435 * return a TLB entry directing the transaction at either
436 * downstream_as or blocked_io_as, as appropriate.
437 * If the LUT cfg_ns bit is 1, only non-secure transactions
438 * may pass. If the bit is 0, only secure transactions may pass.
439 */
440 ok = tz_mpc_cfg_ns(s, addr) == (iommu_idx == IOMMU_IDX_NS);
441
442 trace_tz_mpc_translate(addr, flags,
443 iommu_idx == IOMMU_IDX_S ? "S" : "NS",
444 ok ? "pass" : "block");
445
446 ret.target_as = ok ? &s->downstream_as : &s->blocked_io_as;
447 return ret;
448 }
449
450 static int tz_mpc_attrs_to_index(IOMMUMemoryRegion *iommu, MemTxAttrs attrs)
451 {
452 /* We treat unspecified attributes like secure. Transactions with
453 * unspecified attributes come from places like
454 * rom_reset() for initial image load, and we want
455 * those to pass through the from-reset "everything is secure" config.
456 * All the real during-emulation transactions from the CPU will
457 * specify attributes.
458 */
459 return (attrs.unspecified || attrs.secure) ? IOMMU_IDX_S : IOMMU_IDX_NS;
460 }
461
462 static int tz_mpc_num_indexes(IOMMUMemoryRegion *iommu)
463 {
464 return IOMMU_NUM_INDEXES;
465 }
466
467 static void tz_mpc_reset(DeviceState *dev)
468 {
469 TZMPC *s = TZ_MPC(dev);
470
471 s->ctrl = 0x00000100;
472 s->blk_idx = 0;
473 s->int_stat = 0;
474 s->int_en = 1;
475 s->int_info1 = 0;
476 s->int_info2 = 0;
477
478 memset(s->blk_lut, 0, s->blk_max * sizeof(uint32_t));
479 }
480
481 static void tz_mpc_init(Object *obj)
482 {
483 DeviceState *dev = DEVICE(obj);
484 TZMPC *s = TZ_MPC(obj);
485
486 qdev_init_gpio_out_named(dev, &s->irq, "irq", 1);
487 }
488
489 static void tz_mpc_realize(DeviceState *dev, Error **errp)
490 {
491 Object *obj = OBJECT(dev);
492 SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
493 TZMPC *s = TZ_MPC(dev);
494 uint64_t size;
495
496 /* We can't create the upstream end of the port until realize,
497 * as we don't know the size of the MR used as the downstream until then.
498 * We insist on having a downstream, to avoid complicating the code
499 * with handling the "don't know how big this is" case. It's easy
500 * enough for the user to create an unimplemented_device as downstream
501 * if they have nothing else to plug into this.
502 */
503 if (!s->downstream) {
504 error_setg(errp, "MPC 'downstream' link not set");
505 return;
506 }
507
508 size = memory_region_size(s->downstream);
509
510 memory_region_init_iommu(&s->upstream, sizeof(s->upstream),
511 TYPE_TZ_MPC_IOMMU_MEMORY_REGION,
512 obj, "tz-mpc-upstream", size);
513
514 /* In real hardware the block size is configurable. In QEMU we could
515 * make it configurable but will need it to be at least as big as the
516 * target page size so we can execute out of the resulting MRs. Guest
517 * software is supposed to check the block size using the BLK_CFG
518 * register, so make it fixed at the page size.
519 */
520 s->blocksize = memory_region_iommu_get_min_page_size(&s->upstream);
521 if (size % s->blocksize != 0) {
522 error_setg(errp,
523 "MPC 'downstream' size %" PRId64
524 " is not a multiple of %" HWADDR_PRIx " bytes",
525 size, s->blocksize);
526 object_unref(OBJECT(&s->upstream));
527 return;
528 }
529
530 /* BLK_MAX is the max value of BLK_IDX, which indexes an array of 32-bit
531 * words, each bit of which indicates one block.
532 */
533 s->blk_max = DIV_ROUND_UP(size / s->blocksize, 32);
534
535 memory_region_init_io(&s->regmr, obj, &tz_mpc_reg_ops,
536 s, "tz-mpc-regs", 0x1000);
537 sysbus_init_mmio(sbd, &s->regmr);
538
539 sysbus_init_mmio(sbd, MEMORY_REGION(&s->upstream));
540
541 /* This memory region is not exposed to users of this device as a
542 * sysbus MMIO region, but is instead used internally as something
543 * that our IOMMU translate function might direct accesses to.
544 */
545 memory_region_init_io(&s->blocked_io, obj, &tz_mpc_mem_blocked_ops,
546 s, "tz-mpc-blocked-io", size);
547
548 address_space_init(&s->downstream_as, s->downstream,
549 "tz-mpc-downstream");
550 address_space_init(&s->blocked_io_as, &s->blocked_io,
551 "tz-mpc-blocked-io");
552
553 s->blk_lut = g_new0(uint32_t, s->blk_max);
554 }
555
556 static int tz_mpc_post_load(void *opaque, int version_id)
557 {
558 TZMPC *s = TZ_MPC(opaque);
559
560 /* Check the incoming data doesn't point blk_idx off the end of blk_lut. */
561 if (s->blk_idx >= s->blk_max) {
562 return -1;
563 }
564 return 0;
565 }
566
567 static const VMStateDescription tz_mpc_vmstate = {
568 .name = "tz-mpc",
569 .version_id = 1,
570 .minimum_version_id = 1,
571 .post_load = tz_mpc_post_load,
572 .fields = (VMStateField[]) {
573 VMSTATE_UINT32(ctrl, TZMPC),
574 VMSTATE_UINT32(blk_idx, TZMPC),
575 VMSTATE_UINT32(int_stat, TZMPC),
576 VMSTATE_UINT32(int_en, TZMPC),
577 VMSTATE_UINT32(int_info1, TZMPC),
578 VMSTATE_UINT32(int_info2, TZMPC),
579 VMSTATE_VARRAY_UINT32(blk_lut, TZMPC, blk_max,
580 0, vmstate_info_uint32, uint32_t),
581 VMSTATE_END_OF_LIST()
582 }
583 };
584
585 static Property tz_mpc_properties[] = {
586 DEFINE_PROP_LINK("downstream", TZMPC, downstream,
587 TYPE_MEMORY_REGION, MemoryRegion *),
588 DEFINE_PROP_END_OF_LIST(),
589 };
590
591 static void tz_mpc_class_init(ObjectClass *klass, void *data)
592 {
593 DeviceClass *dc = DEVICE_CLASS(klass);
594
595 dc->realize = tz_mpc_realize;
596 dc->vmsd = &tz_mpc_vmstate;
597 dc->reset = tz_mpc_reset;
598 dc->props = tz_mpc_properties;
599 }
600
601 static const TypeInfo tz_mpc_info = {
602 .name = TYPE_TZ_MPC,
603 .parent = TYPE_SYS_BUS_DEVICE,
604 .instance_size = sizeof(TZMPC),
605 .instance_init = tz_mpc_init,
606 .class_init = tz_mpc_class_init,
607 };
608
609 static void tz_mpc_iommu_memory_region_class_init(ObjectClass *klass,
610 void *data)
611 {
612 IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass);
613
614 imrc->translate = tz_mpc_translate;
615 imrc->attrs_to_index = tz_mpc_attrs_to_index;
616 imrc->num_indexes = tz_mpc_num_indexes;
617 }
618
619 static const TypeInfo tz_mpc_iommu_memory_region_info = {
620 .name = TYPE_TZ_MPC_IOMMU_MEMORY_REGION,
621 .parent = TYPE_IOMMU_MEMORY_REGION,
622 .class_init = tz_mpc_iommu_memory_region_class_init,
623 };
624
625 static void tz_mpc_register_types(void)
626 {
627 type_register_static(&tz_mpc_info);
628 type_register_static(&tz_mpc_iommu_memory_region_info);
629 }
630
631 type_init(tz_mpc_register_types);
QEMU mirror