]> git.proxmox.com Git - mirror_qemu.git/blob - hw/i386/intel_iommu.c
projects / mirror_qemu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
intel_iommu: introduce vtd_reset_caches()
[mirror_qemu.git] / hw / i386 / intel_iommu.c
1 /*
2 * QEMU emulation of an Intel IOMMU (VT-d)
3 * (DMA Remapping device)
4 *
5 * Copyright (C) 2013 Knut Omang, Oracle <knut.omang@oracle.com>
6 * Copyright (C) 2014 Le Tan, <tamlokveer@gmail.com>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "qemu/osdep.h"
23 #include "qemu/error-report.h"
24 #include "qapi/error.h"
25 #include "hw/sysbus.h"
26 #include "exec/address-spaces.h"
27 #include "intel_iommu_internal.h"
28 #include "hw/pci/pci.h"
29 #include "hw/pci/pci_bus.h"
30 #include "hw/i386/pc.h"
31 #include "hw/i386/apic-msidef.h"
32 #include "hw/boards.h"
33 #include "hw/i386/x86-iommu.h"
34 #include "hw/pci-host/q35.h"
35 #include "sysemu/kvm.h"
36 #include "hw/i386/apic_internal.h"
37 #include "kvm_i386.h"
38 #include "trace.h"
39
40 static void vtd_define_quad(IntelIOMMUState *s, hwaddr addr, uint64_t val,
41 uint64_t wmask, uint64_t w1cmask)
42 {
43 stq_le_p(&s->csr[addr], val);
44 stq_le_p(&s->wmask[addr], wmask);
45 stq_le_p(&s->w1cmask[addr], w1cmask);
46 }
47
48 static void vtd_define_quad_wo(IntelIOMMUState *s, hwaddr addr, uint64_t mask)
49 {
50 stq_le_p(&s->womask[addr], mask);
51 }
52
53 static void vtd_define_long(IntelIOMMUState *s, hwaddr addr, uint32_t val,
54 uint32_t wmask, uint32_t w1cmask)
55 {
56 stl_le_p(&s->csr[addr], val);
57 stl_le_p(&s->wmask[addr], wmask);
58 stl_le_p(&s->w1cmask[addr], w1cmask);
59 }
60
61 static void vtd_define_long_wo(IntelIOMMUState *s, hwaddr addr, uint32_t mask)
62 {
63 stl_le_p(&s->womask[addr], mask);
64 }
65
66 /* "External" get/set operations */
67 static void vtd_set_quad(IntelIOMMUState *s, hwaddr addr, uint64_t val)
68 {
69 uint64_t oldval = ldq_le_p(&s->csr[addr]);
70 uint64_t wmask = ldq_le_p(&s->wmask[addr]);
71 uint64_t w1cmask = ldq_le_p(&s->w1cmask[addr]);
72 stq_le_p(&s->csr[addr],
73 ((oldval & ~wmask) | (val & wmask)) & ~(w1cmask & val));
74 }
75
76 static void vtd_set_long(IntelIOMMUState *s, hwaddr addr, uint32_t val)
77 {
78 uint32_t oldval = ldl_le_p(&s->csr[addr]);
79 uint32_t wmask = ldl_le_p(&s->wmask[addr]);
80 uint32_t w1cmask = ldl_le_p(&s->w1cmask[addr]);
81 stl_le_p(&s->csr[addr],
82 ((oldval & ~wmask) | (val & wmask)) & ~(w1cmask & val));
83 }
84
85 static uint64_t vtd_get_quad(IntelIOMMUState *s, hwaddr addr)
86 {
87 uint64_t val = ldq_le_p(&s->csr[addr]);
88 uint64_t womask = ldq_le_p(&s->womask[addr]);
89 return val & ~womask;
90 }
91
92 static uint32_t vtd_get_long(IntelIOMMUState *s, hwaddr addr)
93 {
94 uint32_t val = ldl_le_p(&s->csr[addr]);
95 uint32_t womask = ldl_le_p(&s->womask[addr]);
96 return val & ~womask;
97 }
98
99 /* "Internal" get/set operations */
100 static uint64_t vtd_get_quad_raw(IntelIOMMUState *s, hwaddr addr)
101 {
102 return ldq_le_p(&s->csr[addr]);
103 }
104
105 static uint32_t vtd_get_long_raw(IntelIOMMUState *s, hwaddr addr)
106 {
107 return ldl_le_p(&s->csr[addr]);
108 }
109
110 static void vtd_set_quad_raw(IntelIOMMUState *s, hwaddr addr, uint64_t val)
111 {
112 stq_le_p(&s->csr[addr], val);
113 }
114
115 static uint32_t vtd_set_clear_mask_long(IntelIOMMUState *s, hwaddr addr,
116 uint32_t clear, uint32_t mask)
117 {
118 uint32_t new_val = (ldl_le_p(&s->csr[addr]) & ~clear) | mask;
119 stl_le_p(&s->csr[addr], new_val);
120 return new_val;
121 }
122
123 static uint64_t vtd_set_clear_mask_quad(IntelIOMMUState *s, hwaddr addr,
124 uint64_t clear, uint64_t mask)
125 {
126 uint64_t new_val = (ldq_le_p(&s->csr[addr]) & ~clear) | mask;
127 stq_le_p(&s->csr[addr], new_val);
128 return new_val;
129 }
130
131 static inline void vtd_iommu_lock(IntelIOMMUState *s)
132 {
133 qemu_mutex_lock(&s->iommu_lock);
134 }
135
136 static inline void vtd_iommu_unlock(IntelIOMMUState *s)
137 {
138 qemu_mutex_unlock(&s->iommu_lock);
139 }
140
141 /* Whether the address space needs to notify new mappings */
142 static inline gboolean vtd_as_has_map_notifier(VTDAddressSpace *as)
143 {
144 return as->notifier_flags & IOMMU_NOTIFIER_MAP;
145 }
146
147 /* GHashTable functions */
148 static gboolean vtd_uint64_equal(gconstpointer v1, gconstpointer v2)
149 {
150 return *((const uint64_t *)v1) == *((const uint64_t *)v2);
151 }
152
153 static guint vtd_uint64_hash(gconstpointer v)
154 {
155 return (guint)*(const uint64_t *)v;
156 }
157
158 static gboolean vtd_hash_remove_by_domain(gpointer key, gpointer value,
159 gpointer user_data)
160 {
161 VTDIOTLBEntry *entry = (VTDIOTLBEntry *)value;
162 uint16_t domain_id = *(uint16_t *)user_data;
163 return entry->domain_id == domain_id;
164 }
165
166 /* The shift of an addr for a certain level of paging structure */
167 static inline uint32_t vtd_slpt_level_shift(uint32_t level)
168 {
169 assert(level != 0);
170 return VTD_PAGE_SHIFT_4K + (level - 1) * VTD_SL_LEVEL_BITS;
171 }
172
173 static inline uint64_t vtd_slpt_level_page_mask(uint32_t level)
174 {
175 return ~((1ULL << vtd_slpt_level_shift(level)) - 1);
176 }
177
178 static gboolean vtd_hash_remove_by_page(gpointer key, gpointer value,
179 gpointer user_data)
180 {
181 VTDIOTLBEntry *entry = (VTDIOTLBEntry *)value;
182 VTDIOTLBPageInvInfo *info = (VTDIOTLBPageInvInfo *)user_data;
183 uint64_t gfn = (info->addr >> VTD_PAGE_SHIFT_4K) & info->mask;
184 uint64_t gfn_tlb = (info->addr & entry->mask) >> VTD_PAGE_SHIFT_4K;
185 return (entry->domain_id == info->domain_id) &&
186 (((entry->gfn & info->mask) == gfn) ||
187 (entry->gfn == gfn_tlb));
188 }
189
190 /* Reset all the gen of VTDAddressSpace to zero and set the gen of
191 * IntelIOMMUState to 1. Must be called with IOMMU lock held.
192 */
193 static void vtd_reset_context_cache_locked(IntelIOMMUState *s)
194 {
195 VTDAddressSpace *vtd_as;
196 VTDBus *vtd_bus;
197 GHashTableIter bus_it;
198 uint32_t devfn_it;
199
200 trace_vtd_context_cache_reset();
201
202 g_hash_table_iter_init(&bus_it, s->vtd_as_by_busptr);
203
204 while (g_hash_table_iter_next (&bus_it, NULL, (void**)&vtd_bus)) {
205 for (devfn_it = 0; devfn_it < PCI_DEVFN_MAX; ++devfn_it) {
206 vtd_as = vtd_bus->dev_as[devfn_it];
207 if (!vtd_as) {
208 continue;
209 }
210 vtd_as->context_cache_entry.context_cache_gen = 0;
211 }
212 }
213 s->context_cache_gen = 1;
214 }
215
216 /* Must be called with IOMMU lock held. */
217 static void vtd_reset_iotlb_locked(IntelIOMMUState *s)
218 {
219 assert(s->iotlb);
220 g_hash_table_remove_all(s->iotlb);
221 }
222
223 static void vtd_reset_iotlb(IntelIOMMUState *s)
224 {
225 vtd_iommu_lock(s);
226 vtd_reset_iotlb_locked(s);
227 vtd_iommu_unlock(s);
228 }
229
230 static void vtd_reset_caches(IntelIOMMUState *s)
231 {
232 vtd_iommu_lock(s);
233 vtd_reset_iotlb_locked(s);
234 vtd_reset_context_cache_locked(s);
235 vtd_iommu_unlock(s);
236 }
237
238 static uint64_t vtd_get_iotlb_key(uint64_t gfn, uint16_t source_id,
239 uint32_t level)
240 {
241 return gfn | ((uint64_t)(source_id) << VTD_IOTLB_SID_SHIFT) |
242 ((uint64_t)(level) << VTD_IOTLB_LVL_SHIFT);
243 }
244
245 static uint64_t vtd_get_iotlb_gfn(hwaddr addr, uint32_t level)
246 {
247 return (addr & vtd_slpt_level_page_mask(level)) >> VTD_PAGE_SHIFT_4K;
248 }
249
250 /* Must be called with IOMMU lock held */
251 static VTDIOTLBEntry *vtd_lookup_iotlb(IntelIOMMUState *s, uint16_t source_id,
252 hwaddr addr)
253 {
254 VTDIOTLBEntry *entry;
255 uint64_t key;
256 int level;
257
258 for (level = VTD_SL_PT_LEVEL; level < VTD_SL_PML4_LEVEL; level++) {
259 key = vtd_get_iotlb_key(vtd_get_iotlb_gfn(addr, level),
260 source_id, level);
261 entry = g_hash_table_lookup(s->iotlb, &key);
262 if (entry) {
263 goto out;
264 }
265 }
266
267 out:
268 return entry;
269 }
270
271 /* Must be with IOMMU lock held */
272 static void vtd_update_iotlb(IntelIOMMUState *s, uint16_t source_id,
273 uint16_t domain_id, hwaddr addr, uint64_t slpte,
274 uint8_t access_flags, uint32_t level)
275 {
276 VTDIOTLBEntry *entry = g_malloc(sizeof(*entry));
277 uint64_t *key = g_malloc(sizeof(*key));
278 uint64_t gfn = vtd_get_iotlb_gfn(addr, level);
279
280 trace_vtd_iotlb_page_update(source_id, addr, slpte, domain_id);
281 if (g_hash_table_size(s->iotlb) >= VTD_IOTLB_MAX_SIZE) {
282 trace_vtd_iotlb_reset("iotlb exceeds size limit");
283 vtd_reset_iotlb_locked(s);
284 }
285
286 entry->gfn = gfn;
287 entry->domain_id = domain_id;
288 entry->slpte = slpte;
289 entry->access_flags = access_flags;
290 entry->mask = vtd_slpt_level_page_mask(level);
291 *key = vtd_get_iotlb_key(gfn, source_id, level);
292 g_hash_table_replace(s->iotlb, key, entry);
293 }
294
295 /* Given the reg addr of both the message data and address, generate an
296 * interrupt via MSI.
297 */
298 static void vtd_generate_interrupt(IntelIOMMUState *s, hwaddr mesg_addr_reg,
299 hwaddr mesg_data_reg)
300 {
301 MSIMessage msi;
302
303 assert(mesg_data_reg < DMAR_REG_SIZE);
304 assert(mesg_addr_reg < DMAR_REG_SIZE);
305
306 msi.address = vtd_get_long_raw(s, mesg_addr_reg);
307 msi.data = vtd_get_long_raw(s, mesg_data_reg);
308
309 trace_vtd_irq_generate(msi.address, msi.data);
310
311 apic_get_class()->send_msi(&msi);
312 }
313
314 /* Generate a fault event to software via MSI if conditions are met.
315 * Notice that the value of FSTS_REG being passed to it should be the one
316 * before any update.
317 */
318 static void vtd_generate_fault_event(IntelIOMMUState *s, uint32_t pre_fsts)
319 {
320 if (pre_fsts & VTD_FSTS_PPF || pre_fsts & VTD_FSTS_PFO ||
321 pre_fsts & VTD_FSTS_IQE) {
322 error_report_once("There are previous interrupt conditions "
323 "to be serviced by software, fault event "
324 "is not generated");
325 return;
326 }
327 vtd_set_clear_mask_long(s, DMAR_FECTL_REG, 0, VTD_FECTL_IP);
328 if (vtd_get_long_raw(s, DMAR_FECTL_REG) & VTD_FECTL_IM) {
329 error_report_once("Interrupt Mask set, irq is not generated");
330 } else {
331 vtd_generate_interrupt(s, DMAR_FEADDR_REG, DMAR_FEDATA_REG);
332 vtd_set_clear_mask_long(s, DMAR_FECTL_REG, VTD_FECTL_IP, 0);
333 }
334 }
335
336 /* Check if the Fault (F) field of the Fault Recording Register referenced by
337 * @index is Set.
338 */
339 static bool vtd_is_frcd_set(IntelIOMMUState *s, uint16_t index)
340 {
341 /* Each reg is 128-bit */
342 hwaddr addr = DMAR_FRCD_REG_OFFSET + (((uint64_t)index) << 4);
343 addr += 8; /* Access the high 64-bit half */
344
345 assert(index < DMAR_FRCD_REG_NR);
346
347 return vtd_get_quad_raw(s, addr) & VTD_FRCD_F;
348 }
349
350 /* Update the PPF field of Fault Status Register.
351 * Should be called whenever change the F field of any fault recording
352 * registers.
353 */
354 static void vtd_update_fsts_ppf(IntelIOMMUState *s)
355 {
356 uint32_t i;
357 uint32_t ppf_mask = 0;
358
359 for (i = 0; i < DMAR_FRCD_REG_NR; i++) {
360 if (vtd_is_frcd_set(s, i)) {
361 ppf_mask = VTD_FSTS_PPF;
362 break;
363 }
364 }
365 vtd_set_clear_mask_long(s, DMAR_FSTS_REG, VTD_FSTS_PPF, ppf_mask);
366 trace_vtd_fsts_ppf(!!ppf_mask);
367 }
368
369 static void vtd_set_frcd_and_update_ppf(IntelIOMMUState *s, uint16_t index)
370 {
371 /* Each reg is 128-bit */
372 hwaddr addr = DMAR_FRCD_REG_OFFSET + (((uint64_t)index) << 4);
373 addr += 8; /* Access the high 64-bit half */
374
375 assert(index < DMAR_FRCD_REG_NR);
376
377 vtd_set_clear_mask_quad(s, addr, 0, VTD_FRCD_F);
378 vtd_update_fsts_ppf(s);
379 }
380
381 /* Must not update F field now, should be done later */
382 static void vtd_record_frcd(IntelIOMMUState *s, uint16_t index,
383 uint16_t source_id, hwaddr addr,
384 VTDFaultReason fault, bool is_write)
385 {
386 uint64_t hi = 0, lo;
387 hwaddr frcd_reg_addr = DMAR_FRCD_REG_OFFSET + (((uint64_t)index) << 4);
388
389 assert(index < DMAR_FRCD_REG_NR);
390
391 lo = VTD_FRCD_FI(addr);
392 hi = VTD_FRCD_SID(source_id) | VTD_FRCD_FR(fault);
393 if (!is_write) {
394 hi |= VTD_FRCD_T;
395 }
396 vtd_set_quad_raw(s, frcd_reg_addr, lo);
397 vtd_set_quad_raw(s, frcd_reg_addr + 8, hi);
398
399 trace_vtd_frr_new(index, hi, lo);
400 }
401
402 /* Try to collapse multiple pending faults from the same requester */
403 static bool vtd_try_collapse_fault(IntelIOMMUState *s, uint16_t source_id)
404 {
405 uint32_t i;
406 uint64_t frcd_reg;
407 hwaddr addr = DMAR_FRCD_REG_OFFSET + 8; /* The high 64-bit half */
408
409 for (i = 0; i < DMAR_FRCD_REG_NR; i++) {
410 frcd_reg = vtd_get_quad_raw(s, addr);
411 if ((frcd_reg & VTD_FRCD_F) &&
412 ((frcd_reg & VTD_FRCD_SID_MASK) == source_id)) {
413 return true;
414 }
415 addr += 16; /* 128-bit for each */
416 }
417 return false;
418 }
419
420 /* Log and report an DMAR (address translation) fault to software */
421 static void vtd_report_dmar_fault(IntelIOMMUState *s, uint16_t source_id,
422 hwaddr addr, VTDFaultReason fault,
423 bool is_write)
424 {
425 uint32_t fsts_reg = vtd_get_long_raw(s, DMAR_FSTS_REG);
426
427 assert(fault < VTD_FR_MAX);
428
429 if (fault == VTD_FR_RESERVED_ERR) {
430 /* This is not a normal fault reason case. Drop it. */
431 return;
432 }
433
434 trace_vtd_dmar_fault(source_id, fault, addr, is_write);
435
436 if (fsts_reg & VTD_FSTS_PFO) {
437 error_report_once("New fault is not recorded due to "
438 "Primary Fault Overflow");
439 return;
440 }
441
442 if (vtd_try_collapse_fault(s, source_id)) {
443 error_report_once("New fault is not recorded due to "
444 "compression of faults");
445 return;
446 }
447
448 if (vtd_is_frcd_set(s, s->next_frcd_reg)) {
449 error_report_once("Next Fault Recording Reg is used, "
450 "new fault is not recorded, set PFO field");
451 vtd_set_clear_mask_long(s, DMAR_FSTS_REG, 0, VTD_FSTS_PFO);
452 return;
453 }
454
455 vtd_record_frcd(s, s->next_frcd_reg, source_id, addr, fault, is_write);
456
457 if (fsts_reg & VTD_FSTS_PPF) {
458 error_report_once("There are pending faults already, "
459 "fault event is not generated");
460 vtd_set_frcd_and_update_ppf(s, s->next_frcd_reg);
461 s->next_frcd_reg++;
462 if (s->next_frcd_reg == DMAR_FRCD_REG_NR) {
463 s->next_frcd_reg = 0;
464 }
465 } else {
466 vtd_set_clear_mask_long(s, DMAR_FSTS_REG, VTD_FSTS_FRI_MASK,
467 VTD_FSTS_FRI(s->next_frcd_reg));
468 vtd_set_frcd_and_update_ppf(s, s->next_frcd_reg); /* Will set PPF */
469 s->next_frcd_reg++;
470 if (s->next_frcd_reg == DMAR_FRCD_REG_NR) {
471 s->next_frcd_reg = 0;
472 }
473 /* This case actually cause the PPF to be Set.
474 * So generate fault event (interrupt).
475 */
476 vtd_generate_fault_event(s, fsts_reg);
477 }
478 }
479
480 /* Handle Invalidation Queue Errors of queued invalidation interface error
481 * conditions.
482 */
483 static void vtd_handle_inv_queue_error(IntelIOMMUState *s)
484 {
485 uint32_t fsts_reg = vtd_get_long_raw(s, DMAR_FSTS_REG);
486
487 vtd_set_clear_mask_long(s, DMAR_FSTS_REG, 0, VTD_FSTS_IQE);
488 vtd_generate_fault_event(s, fsts_reg);
489 }
490
491 /* Set the IWC field and try to generate an invalidation completion interrupt */
492 static void vtd_generate_completion_event(IntelIOMMUState *s)
493 {
494 if (vtd_get_long_raw(s, DMAR_ICS_REG) & VTD_ICS_IWC) {
495 trace_vtd_inv_desc_wait_irq("One pending, skip current");
496 return;
497 }
498 vtd_set_clear_mask_long(s, DMAR_ICS_REG, 0, VTD_ICS_IWC);
499 vtd_set_clear_mask_long(s, DMAR_IECTL_REG, 0, VTD_IECTL_IP);
500 if (vtd_get_long_raw(s, DMAR_IECTL_REG) & VTD_IECTL_IM) {
501 trace_vtd_inv_desc_wait_irq("IM in IECTL_REG is set, "
502 "new event not generated");
503 return;
504 } else {
505 /* Generate the interrupt event */
506 trace_vtd_inv_desc_wait_irq("Generating complete event");
507 vtd_generate_interrupt(s, DMAR_IEADDR_REG, DMAR_IEDATA_REG);
508 vtd_set_clear_mask_long(s, DMAR_IECTL_REG, VTD_IECTL_IP, 0);
509 }
510 }
511
512 static inline bool vtd_root_entry_present(VTDRootEntry *root)
513 {
514 return root->val & VTD_ROOT_ENTRY_P;
515 }
516
517 static int vtd_get_root_entry(IntelIOMMUState *s, uint8_t index,
518 VTDRootEntry *re)
519 {
520 dma_addr_t addr;
521
522 addr = s->root + index * sizeof(*re);
523 if (dma_memory_read(&address_space_memory, addr, re, sizeof(*re))) {
524 trace_vtd_re_invalid(re->rsvd, re->val);
525 re->val = 0;
526 return -VTD_FR_ROOT_TABLE_INV;
527 }
528 re->val = le64_to_cpu(re->val);
529 return 0;
530 }
531
532 static inline bool vtd_ce_present(VTDContextEntry *context)
533 {
534 return context->lo & VTD_CONTEXT_ENTRY_P;
535 }
536
537 static int vtd_get_context_entry_from_root(VTDRootEntry *root, uint8_t index,
538 VTDContextEntry *ce)
539 {
540 dma_addr_t addr;
541
542 /* we have checked that root entry is present */
543 addr = (root->val & VTD_ROOT_ENTRY_CTP) + index * sizeof(*ce);
544 if (dma_memory_read(&address_space_memory, addr, ce, sizeof(*ce))) {
545 trace_vtd_re_invalid(root->rsvd, root->val);
546 return -VTD_FR_CONTEXT_TABLE_INV;
547 }
548 ce->lo = le64_to_cpu(ce->lo);
549 ce->hi = le64_to_cpu(ce->hi);
550 return 0;
551 }
552
553 static inline dma_addr_t vtd_ce_get_slpt_base(VTDContextEntry *ce)
554 {
555 return ce->lo & VTD_CONTEXT_ENTRY_SLPTPTR;
556 }
557
558 static inline uint64_t vtd_get_slpte_addr(uint64_t slpte, uint8_t aw)
559 {
560 return slpte & VTD_SL_PT_BASE_ADDR_MASK(aw);
561 }
562
563 /* Whether the pte indicates the address of the page frame */
564 static inline bool vtd_is_last_slpte(uint64_t slpte, uint32_t level)
565 {
566 return level == VTD_SL_PT_LEVEL || (slpte & VTD_SL_PT_PAGE_SIZE_MASK);
567 }
568
569 /* Get the content of a spte located in @base_addr[@index] */
570 static uint64_t vtd_get_slpte(dma_addr_t base_addr, uint32_t index)
571 {
572 uint64_t slpte;
573
574 assert(index < VTD_SL_PT_ENTRY_NR);
575
576 if (dma_memory_read(&address_space_memory,
577 base_addr + index * sizeof(slpte), &slpte,
578 sizeof(slpte))) {
579 slpte = (uint64_t)-1;
580 return slpte;
581 }
582 slpte = le64_to_cpu(slpte);
583 return slpte;
584 }
585
586 /* Given an iova and the level of paging structure, return the offset
587 * of current level.
588 */
589 static inline uint32_t vtd_iova_level_offset(uint64_t iova, uint32_t level)
590 {
591 return (iova >> vtd_slpt_level_shift(level)) &
592 ((1ULL << VTD_SL_LEVEL_BITS) - 1);
593 }
594
595 /* Check Capability Register to see if the @level of page-table is supported */
596 static inline bool vtd_is_level_supported(IntelIOMMUState *s, uint32_t level)
597 {
598 return VTD_CAP_SAGAW_MASK & s->cap &
599 (1ULL << (level - 2 + VTD_CAP_SAGAW_SHIFT));
600 }
601
602 /* Get the page-table level that hardware should use for the second-level
603 * page-table walk from the Address Width field of context-entry.
604 */
605 static inline uint32_t vtd_ce_get_level(VTDContextEntry *ce)
606 {
607 return 2 + (ce->hi & VTD_CONTEXT_ENTRY_AW);
608 }
609
610 static inline uint32_t vtd_ce_get_agaw(VTDContextEntry *ce)
611 {
612 return 30 + (ce->hi & VTD_CONTEXT_ENTRY_AW) * 9;
613 }
614
615 static inline uint32_t vtd_ce_get_type(VTDContextEntry *ce)
616 {
617 return ce->lo & VTD_CONTEXT_ENTRY_TT;
618 }
619
620 /* Return true if check passed, otherwise false */
621 static inline bool vtd_ce_type_check(X86IOMMUState *x86_iommu,
622 VTDContextEntry *ce)
623 {
624 switch (vtd_ce_get_type(ce)) {
625 case VTD_CONTEXT_TT_MULTI_LEVEL:
626 /* Always supported */
627 break;
628 case VTD_CONTEXT_TT_DEV_IOTLB:
629 if (!x86_iommu->dt_supported) {
630 return false;
631 }
632 break;
633 case VTD_CONTEXT_TT_PASS_THROUGH:
634 if (!x86_iommu->pt_supported) {
635 return false;
636 }
637 break;
638 default:
639 /* Unknwon type */
640 return false;
641 }
642 return true;
643 }
644
645 static inline uint64_t vtd_iova_limit(VTDContextEntry *ce, uint8_t aw)
646 {
647 uint32_t ce_agaw = vtd_ce_get_agaw(ce);
648 return 1ULL << MIN(ce_agaw, aw);
649 }
650
651 /* Return true if IOVA passes range check, otherwise false. */
652 static inline bool vtd_iova_range_check(uint64_t iova, VTDContextEntry *ce,
653 uint8_t aw)
654 {
655 /*
656 * Check if @iova is above 2^X-1, where X is the minimum of MGAW
657 * in CAP_REG and AW in context-entry.
658 */
659 return !(iova & ~(vtd_iova_limit(ce, aw) - 1));
660 }
661
662 /*
663 * Rsvd field masks for spte:
664 * Index [1] to [4] 4k pages
665 * Index [5] to [8] large pages
666 */
667 static uint64_t vtd_paging_entry_rsvd_field[9];
668
669 static bool vtd_slpte_nonzero_rsvd(uint64_t slpte, uint32_t level)
670 {
671 if (slpte & VTD_SL_PT_PAGE_SIZE_MASK) {
672 /* Maybe large page */
673 return slpte & vtd_paging_entry_rsvd_field[level + 4];
674 } else {
675 return slpte & vtd_paging_entry_rsvd_field[level];
676 }
677 }
678
679 /* Find the VTD address space associated with a given bus number */
680 static VTDBus *vtd_find_as_from_bus_num(IntelIOMMUState *s, uint8_t bus_num)
681 {
682 VTDBus *vtd_bus = s->vtd_as_by_bus_num[bus_num];
683 if (!vtd_bus) {
684 /*
685 * Iterate over the registered buses to find the one which
686 * currently hold this bus number, and update the bus_num
687 * lookup table:
688 */
689 GHashTableIter iter;
690
691 g_hash_table_iter_init(&iter, s->vtd_as_by_busptr);
692 while (g_hash_table_iter_next(&iter, NULL, (void **)&vtd_bus)) {
693 if (pci_bus_num(vtd_bus->bus) == bus_num) {
694 s->vtd_as_by_bus_num[bus_num] = vtd_bus;
695 return vtd_bus;
696 }
697 }
698 }
699 return vtd_bus;
700 }
701
702 /* Given the @iova, get relevant @slptep. @slpte_level will be the last level
703 * of the translation, can be used for deciding the size of large page.
704 */
705 static int vtd_iova_to_slpte(VTDContextEntry *ce, uint64_t iova, bool is_write,
706 uint64_t *slptep, uint32_t *slpte_level,
707 bool *reads, bool *writes, uint8_t aw_bits)
708 {
709 dma_addr_t addr = vtd_ce_get_slpt_base(ce);
710 uint32_t level = vtd_ce_get_level(ce);
711 uint32_t offset;
712 uint64_t slpte;
713 uint64_t access_right_check;
714
715 if (!vtd_iova_range_check(iova, ce, aw_bits)) {
716 error_report_once("%s: detected IOVA overflow (iova=0x%" PRIx64 ")",
717 __func__, iova);
718 return -VTD_FR_ADDR_BEYOND_MGAW;
719 }
720
721 /* FIXME: what is the Atomics request here? */
722 access_right_check = is_write ? VTD_SL_W : VTD_SL_R;
723
724 while (true) {
725 offset = vtd_iova_level_offset(iova, level);
726 slpte = vtd_get_slpte(addr, offset);
727
728 if (slpte == (uint64_t)-1) {
729 error_report_once("%s: detected read error on DMAR slpte "
730 "(iova=0x%" PRIx64 ")", __func__, iova);
731 if (level == vtd_ce_get_level(ce)) {
732 /* Invalid programming of context-entry */
733 return -VTD_FR_CONTEXT_ENTRY_INV;
734 } else {
735 return -VTD_FR_PAGING_ENTRY_INV;
736 }
737 }
738 *reads = (*reads) && (slpte & VTD_SL_R);
739 *writes = (*writes) && (slpte & VTD_SL_W);
740 if (!(slpte & access_right_check)) {
741 error_report_once("%s: detected slpte permission error "
742 "(iova=0x%" PRIx64 ", level=0x%" PRIx32 ", "
743 "slpte=0x%" PRIx64 ", write=%d)", __func__,
744 iova, level, slpte, is_write);
745 return is_write ? -VTD_FR_WRITE : -VTD_FR_READ;
746 }
747 if (vtd_slpte_nonzero_rsvd(slpte, level)) {
748 error_report_once("%s: detected splte reserve non-zero "
749 "iova=0x%" PRIx64 ", level=0x%" PRIx32
750 "slpte=0x%" PRIx64 ")", __func__, iova,
751 level, slpte);
752 return -VTD_FR_PAGING_ENTRY_RSVD;
753 }
754
755 if (vtd_is_last_slpte(slpte, level)) {
756 *slptep = slpte;
757 *slpte_level = level;
758 return 0;
759 }
760 addr = vtd_get_slpte_addr(slpte, aw_bits);
761 level--;
762 }
763 }
764
765 typedef int (*vtd_page_walk_hook)(IOMMUTLBEntry *entry, void *private);
766
767 /**
768 * Constant information used during page walking
769 *
770 * @hook_fn: hook func to be called when detected page
771 * @private: private data to be passed into hook func
772 * @notify_unmap: whether we should notify invalid entries
773 * @as: VT-d address space of the device
774 * @aw: maximum address width
775 * @domain: domain ID of the page walk
776 */
777 typedef struct {
778 VTDAddressSpace *as;
779 vtd_page_walk_hook hook_fn;
780 void *private;
781 bool notify_unmap;
782 uint8_t aw;
783 uint16_t domain_id;
784 } vtd_page_walk_info;
785
786 static int vtd_page_walk_one(IOMMUTLBEntry *entry, vtd_page_walk_info *info)
787 {
788 VTDAddressSpace *as = info->as;
789 vtd_page_walk_hook hook_fn = info->hook_fn;
790 void *private = info->private;
791 DMAMap target = {
792 .iova = entry->iova,
793 .size = entry->addr_mask,
794 .translated_addr = entry->translated_addr,
795 .perm = entry->perm,
796 };
797 DMAMap *mapped = iova_tree_find(as->iova_tree, &target);
798
799 if (entry->perm == IOMMU_NONE && !info->notify_unmap) {
800 trace_vtd_page_walk_one_skip_unmap(entry->iova, entry->addr_mask);
801 return 0;
802 }
803
804 assert(hook_fn);
805
806 /* Update local IOVA mapped ranges */
807 if (entry->perm) {
808 if (mapped) {
809 /* If it's exactly the same translation, skip */
810 if (!memcmp(mapped, &target, sizeof(target))) {
811 trace_vtd_page_walk_one_skip_map(entry->iova, entry->addr_mask,
812 entry->translated_addr);
813 return 0;
814 } else {
815 /*
816 * Translation changed. Normally this should not
817 * happen, but it can happen when with buggy guest
818 * OSes. Note that there will be a small window that
819 * we don't have map at all. But that's the best
820 * effort we can do. The ideal way to emulate this is
821 * atomically modify the PTE to follow what has
822 * changed, but we can't. One example is that vfio
823 * driver only has VFIO_IOMMU_[UN]MAP_DMA but no
824 * interface to modify a mapping (meanwhile it seems
825 * meaningless to even provide one). Anyway, let's
826 * mark this as a TODO in case one day we'll have
827 * a better solution.
828 */
829 IOMMUAccessFlags cache_perm = entry->perm;
830 int ret;
831
832 /* Emulate an UNMAP */
833 entry->perm = IOMMU_NONE;
834 trace_vtd_page_walk_one(info->domain_id,
835 entry->iova,
836 entry->translated_addr,
837 entry->addr_mask,
838 entry->perm);
839 ret = hook_fn(entry, private);
840 if (ret) {
841 return ret;
842 }
843 /* Drop any existing mapping */
844 iova_tree_remove(as->iova_tree, &target);
845 /* Recover the correct permission */
846 entry->perm = cache_perm;
847 }
848 }
849 iova_tree_insert(as->iova_tree, &target);
850 } else {
851 if (!mapped) {
852 /* Skip since we didn't map this range at all */
853 trace_vtd_page_walk_one_skip_unmap(entry->iova, entry->addr_mask);
854 return 0;
855 }
856 iova_tree_remove(as->iova_tree, &target);
857 }
858
859 trace_vtd_page_walk_one(info->domain_id, entry->iova,
860 entry->translated_addr, entry->addr_mask,
861 entry->perm);
862 return hook_fn(entry, private);
863 }
864
865 /**
866 * vtd_page_walk_level - walk over specific level for IOVA range
867 *
868 * @addr: base GPA addr to start the walk
869 * @start: IOVA range start address
870 * @end: IOVA range end address (start <= addr < end)
871 * @read: whether parent level has read permission
872 * @write: whether parent level has write permission
873 * @info: constant information for the page walk
874 */
875 static int vtd_page_walk_level(dma_addr_t addr, uint64_t start,
876 uint64_t end, uint32_t level, bool read,
877 bool write, vtd_page_walk_info *info)
878 {
879 bool read_cur, write_cur, entry_valid;
880 uint32_t offset;
881 uint64_t slpte;
882 uint64_t subpage_size, subpage_mask;
883 IOMMUTLBEntry entry;
884 uint64_t iova = start;
885 uint64_t iova_next;
886 int ret = 0;
887
888 trace_vtd_page_walk_level(addr, level, start, end);
889
890 subpage_size = 1ULL << vtd_slpt_level_shift(level);
891 subpage_mask = vtd_slpt_level_page_mask(level);
892
893 while (iova < end) {
894 iova_next = (iova & subpage_mask) + subpage_size;
895
896 offset = vtd_iova_level_offset(iova, level);
897 slpte = vtd_get_slpte(addr, offset);
898
899 if (slpte == (uint64_t)-1) {
900 trace_vtd_page_walk_skip_read(iova, iova_next);
901 goto next;
902 }
903
904 if (vtd_slpte_nonzero_rsvd(slpte, level)) {
905 trace_vtd_page_walk_skip_reserve(iova, iova_next);
906 goto next;
907 }
908
909 /* Permissions are stacked with parents' */
910 read_cur = read && (slpte & VTD_SL_R);
911 write_cur = write && (slpte & VTD_SL_W);
912
913 /*
914 * As long as we have either read/write permission, this is a
915 * valid entry. The rule works for both page entries and page
916 * table entries.
917 */
918 entry_valid = read_cur | write_cur;
919
920 if (!vtd_is_last_slpte(slpte, level) && entry_valid) {
921 /*
922 * This is a valid PDE (or even bigger than PDE). We need
923 * to walk one further level.
924 */
925 ret = vtd_page_walk_level(vtd_get_slpte_addr(slpte, info->aw),
926 iova, MIN(iova_next, end), level - 1,
927 read_cur, write_cur, info);
928 } else {
929 /*
930 * This means we are either:
931 *
932 * (1) the real page entry (either 4K page, or huge page)
933 * (2) the whole range is invalid
934 *
935 * In either case, we send an IOTLB notification down.
936 */
937 entry.target_as = &address_space_memory;
938 entry.iova = iova & subpage_mask;
939 entry.perm = IOMMU_ACCESS_FLAG(read_cur, write_cur);
940 entry.addr_mask = ~subpage_mask;
941 /* NOTE: this is only meaningful if entry_valid == true */
942 entry.translated_addr = vtd_get_slpte_addr(slpte, info->aw);
943 ret = vtd_page_walk_one(&entry, info);
944 }
945
946 if (ret < 0) {
947 return ret;
948 }
949
950 next:
951 iova = iova_next;
952 }
953
954 return 0;
955 }
956
957 /**
958 * vtd_page_walk - walk specific IOVA range, and call the hook
959 *
960 * @ce: context entry to walk upon
961 * @start: IOVA address to start the walk
962 * @end: IOVA range end address (start <= addr < end)
963 * @info: page walking information struct
964 */
965 static int vtd_page_walk(VTDContextEntry *ce, uint64_t start, uint64_t end,
966 vtd_page_walk_info *info)
967 {
968 dma_addr_t addr = vtd_ce_get_slpt_base(ce);
969 uint32_t level = vtd_ce_get_level(ce);
970
971 if (!vtd_iova_range_check(start, ce, info->aw)) {
972 return -VTD_FR_ADDR_BEYOND_MGAW;
973 }
974
975 if (!vtd_iova_range_check(end, ce, info->aw)) {
976 /* Fix end so that it reaches the maximum */
977 end = vtd_iova_limit(ce, info->aw);
978 }
979
980 return vtd_page_walk_level(addr, start, end, level, true, true, info);
981 }
982
983 /* Map a device to its corresponding domain (context-entry) */
984 static int vtd_dev_to_context_entry(IntelIOMMUState *s, uint8_t bus_num,
985 uint8_t devfn, VTDContextEntry *ce)
986 {
987 VTDRootEntry re;
988 int ret_fr;
989 X86IOMMUState *x86_iommu = X86_IOMMU_DEVICE(s);
990
991 ret_fr = vtd_get_root_entry(s, bus_num, &re);
992 if (ret_fr) {
993 return ret_fr;
994 }
995
996 if (!vtd_root_entry_present(&re)) {
997 /* Not error - it's okay we don't have root entry. */
998 trace_vtd_re_not_present(bus_num);
999 return -VTD_FR_ROOT_ENTRY_P;
1000 }
1001
1002 if (re.rsvd || (re.val & VTD_ROOT_ENTRY_RSVD(s->aw_bits))) {
1003 trace_vtd_re_invalid(re.rsvd, re.val);
1004 return -VTD_FR_ROOT_ENTRY_RSVD;
1005 }
1006
1007 ret_fr = vtd_get_context_entry_from_root(&re, devfn, ce);
1008 if (ret_fr) {
1009 return ret_fr;
1010 }
1011
1012 if (!vtd_ce_present(ce)) {
1013 /* Not error - it's okay we don't have context entry. */
1014 trace_vtd_ce_not_present(bus_num, devfn);
1015 return -VTD_FR_CONTEXT_ENTRY_P;
1016 }
1017
1018 if ((ce->hi & VTD_CONTEXT_ENTRY_RSVD_HI) ||
1019 (ce->lo & VTD_CONTEXT_ENTRY_RSVD_LO(s->aw_bits))) {
1020 trace_vtd_ce_invalid(ce->hi, ce->lo);
1021 return -VTD_FR_CONTEXT_ENTRY_RSVD;
1022 }
1023
1024 /* Check if the programming of context-entry is valid */
1025 if (!vtd_is_level_supported(s, vtd_ce_get_level(ce))) {
1026 trace_vtd_ce_invalid(ce->hi, ce->lo);
1027 return -VTD_FR_CONTEXT_ENTRY_INV;
1028 }
1029
1030 /* Do translation type check */
1031 if (!vtd_ce_type_check(x86_iommu, ce)) {
1032 trace_vtd_ce_invalid(ce->hi, ce->lo);
1033 return -VTD_FR_CONTEXT_ENTRY_INV;
1034 }
1035
1036 return 0;
1037 }
1038
1039 static int vtd_sync_shadow_page_hook(IOMMUTLBEntry *entry,
1040 void *private)
1041 {
1042 memory_region_notify_iommu((IOMMUMemoryRegion *)private, 0, *entry);
1043 return 0;
1044 }
1045
1046 /* If context entry is NULL, we'll try to fetch it on our own. */
1047 static int vtd_sync_shadow_page_table_range(VTDAddressSpace *vtd_as,
1048 VTDContextEntry *ce,
1049 hwaddr addr, hwaddr size)
1050 {
1051 IntelIOMMUState *s = vtd_as->iommu_state;
1052 vtd_page_walk_info info = {
1053 .hook_fn = vtd_sync_shadow_page_hook,
1054 .private = (void *)&vtd_as->iommu,
1055 .notify_unmap = true,
1056 .aw = s->aw_bits,
1057 .as = vtd_as,
1058 };
1059 VTDContextEntry ce_cache;
1060 int ret;
1061
1062 if (ce) {
1063 /* If the caller provided context entry, use it */
1064 ce_cache = *ce;
1065 } else {
1066 /* If the caller didn't provide ce, try to fetch */
1067 ret = vtd_dev_to_context_entry(s, pci_bus_num(vtd_as->bus),
1068 vtd_as->devfn, &ce_cache);
1069 if (ret) {
1070 /*
1071 * This should not really happen, but in case it happens,
1072 * we just skip the sync for this time. After all we even
1073 * don't have the root table pointer!
1074 */
1075 error_report_once("%s: invalid context entry for bus 0x%x"
1076 " devfn 0x%x",
1077 __func__, pci_bus_num(vtd_as->bus),
1078 vtd_as->devfn);
1079 return 0;
1080 }
1081 }
1082
1083 info.domain_id = VTD_CONTEXT_ENTRY_DID(ce_cache.hi);
1084
1085 return vtd_page_walk(&ce_cache, addr, addr + size, &info);
1086 }
1087
1088 static int vtd_sync_shadow_page_table(VTDAddressSpace *vtd_as)
1089 {
1090 return vtd_sync_shadow_page_table_range(vtd_as, NULL, 0, UINT64_MAX);
1091 }
1092
1093 /*
1094 * Fetch translation type for specific device. Returns <0 if error
1095 * happens, otherwise return the shifted type to check against
1096 * VTD_CONTEXT_TT_*.
1097 */
1098 static int vtd_dev_get_trans_type(VTDAddressSpace *as)
1099 {
1100 IntelIOMMUState *s;
1101 VTDContextEntry ce;
1102 int ret;
1103
1104 s = as->iommu_state;
1105
1106 ret = vtd_dev_to_context_entry(s, pci_bus_num(as->bus),
1107 as->devfn, &ce);
1108 if (ret) {
1109 return ret;
1110 }
1111
1112 return vtd_ce_get_type(&ce);
1113 }
1114
1115 static bool vtd_dev_pt_enabled(VTDAddressSpace *as)
1116 {
1117 int ret;
1118
1119 assert(as);
1120
1121 ret = vtd_dev_get_trans_type(as);
1122 if (ret < 0) {
1123 /*
1124 * Possibly failed to parse the context entry for some reason
1125 * (e.g., during init, or any guest configuration errors on
1126 * context entries). We should assume PT not enabled for
1127 * safety.
1128 */
1129 return false;
1130 }
1131
1132 return ret == VTD_CONTEXT_TT_PASS_THROUGH;
1133 }
1134
1135 /* Return whether the device is using IOMMU translation. */
1136 static bool vtd_switch_address_space(VTDAddressSpace *as)
1137 {
1138 bool use_iommu;
1139 /* Whether we need to take the BQL on our own */
1140 bool take_bql = !qemu_mutex_iothread_locked();
1141
1142 assert(as);
1143
1144 use_iommu = as->iommu_state->dmar_enabled & !vtd_dev_pt_enabled(as);
1145
1146 trace_vtd_switch_address_space(pci_bus_num(as->bus),
1147 VTD_PCI_SLOT(as->devfn),
1148 VTD_PCI_FUNC(as->devfn),
1149 use_iommu);
1150
1151 /*
1152 * It's possible that we reach here without BQL, e.g., when called
1153 * from vtd_pt_enable_fast_path(). However the memory APIs need
1154 * it. We'd better make sure we have had it already, or, take it.
1155 */
1156 if (take_bql) {
1157 qemu_mutex_lock_iothread();
1158 }
1159
1160 /* Turn off first then on the other */
1161 if (use_iommu) {
1162 memory_region_set_enabled(&as->sys_alias, false);
1163 memory_region_set_enabled(MEMORY_REGION(&as->iommu), true);
1164 } else {
1165 memory_region_set_enabled(MEMORY_REGION(&as->iommu), false);
1166 memory_region_set_enabled(&as->sys_alias, true);
1167 }
1168
1169 if (take_bql) {
1170 qemu_mutex_unlock_iothread();
1171 }
1172
1173 return use_iommu;
1174 }
1175
1176 static void vtd_switch_address_space_all(IntelIOMMUState *s)
1177 {
1178 GHashTableIter iter;
1179 VTDBus *vtd_bus;
1180 int i;
1181
1182 g_hash_table_iter_init(&iter, s->vtd_as_by_busptr);
1183 while (g_hash_table_iter_next(&iter, NULL, (void **)&vtd_bus)) {
1184 for (i = 0; i < PCI_DEVFN_MAX; i++) {
1185 if (!vtd_bus->dev_as[i]) {
1186 continue;
1187 }
1188 vtd_switch_address_space(vtd_bus->dev_as[i]);
1189 }
1190 }
1191 }
1192
1193 static inline uint16_t vtd_make_source_id(uint8_t bus_num, uint8_t devfn)
1194 {
1195 return ((bus_num & 0xffUL) << 8) | (devfn & 0xffUL);
1196 }
1197
1198 static const bool vtd_qualified_faults[] = {
1199 [VTD_FR_RESERVED] = false,
1200 [VTD_FR_ROOT_ENTRY_P] = false,
1201 [VTD_FR_CONTEXT_ENTRY_P] = true,
1202 [VTD_FR_CONTEXT_ENTRY_INV] = true,
1203 [VTD_FR_ADDR_BEYOND_MGAW] = true,
1204 [VTD_FR_WRITE] = true,
1205 [VTD_FR_READ] = true,
1206 [VTD_FR_PAGING_ENTRY_INV] = true,
1207 [VTD_FR_ROOT_TABLE_INV] = false,
1208 [VTD_FR_CONTEXT_TABLE_INV] = false,
1209 [VTD_FR_ROOT_ENTRY_RSVD] = false,
1210 [VTD_FR_PAGING_ENTRY_RSVD] = true,
1211 [VTD_FR_CONTEXT_ENTRY_TT] = true,
1212 [VTD_FR_RESERVED_ERR] = false,
1213 [VTD_FR_MAX] = false,
1214 };
1215
1216 /* To see if a fault condition is "qualified", which is reported to software
1217 * only if the FPD field in the context-entry used to process the faulting
1218 * request is 0.
1219 */
1220 static inline bool vtd_is_qualified_fault(VTDFaultReason fault)
1221 {
1222 return vtd_qualified_faults[fault];
1223 }
1224
1225 static inline bool vtd_is_interrupt_addr(hwaddr addr)
1226 {
1227 return VTD_INTERRUPT_ADDR_FIRST <= addr && addr <= VTD_INTERRUPT_ADDR_LAST;
1228 }
1229
1230 static void vtd_pt_enable_fast_path(IntelIOMMUState *s, uint16_t source_id)
1231 {
1232 VTDBus *vtd_bus;
1233 VTDAddressSpace *vtd_as;
1234 bool success = false;
1235
1236 vtd_bus = vtd_find_as_from_bus_num(s, VTD_SID_TO_BUS(source_id));
1237 if (!vtd_bus) {
1238 goto out;
1239 }
1240
1241 vtd_as = vtd_bus->dev_as[VTD_SID_TO_DEVFN(source_id)];
1242 if (!vtd_as) {
1243 goto out;
1244 }
1245
1246 if (vtd_switch_address_space(vtd_as) == false) {
1247 /* We switched off IOMMU region successfully. */
1248 success = true;
1249 }
1250
1251 out:
1252 trace_vtd_pt_enable_fast_path(source_id, success);
1253 }
1254
1255 /* Map dev to context-entry then do a paging-structures walk to do a iommu
1256 * translation.
1257 *
1258 * Called from RCU critical section.
1259 *
1260 * @bus_num: The bus number
1261 * @devfn: The devfn, which is the combined of device and function number
1262 * @is_write: The access is a write operation
1263 * @entry: IOMMUTLBEntry that contain the addr to be translated and result
1264 *
1265 * Returns true if translation is successful, otherwise false.
1266 */
1267 static bool vtd_do_iommu_translate(VTDAddressSpace *vtd_as, PCIBus *bus,
1268 uint8_t devfn, hwaddr addr, bool is_write,
1269 IOMMUTLBEntry *entry)
1270 {
1271 IntelIOMMUState *s = vtd_as->iommu_state;
1272 VTDContextEntry ce;
1273 uint8_t bus_num = pci_bus_num(bus);
1274 VTDContextCacheEntry *cc_entry;
1275 uint64_t slpte, page_mask;
1276 uint32_t level;
1277 uint16_t source_id = vtd_make_source_id(bus_num, devfn);
1278 int ret_fr;
1279 bool is_fpd_set = false;
1280 bool reads = true;
1281 bool writes = true;
1282 uint8_t access_flags;
1283 VTDIOTLBEntry *iotlb_entry;
1284
1285 /*
1286 * We have standalone memory region for interrupt addresses, we
1287 * should never receive translation requests in this region.
1288 */
1289 assert(!vtd_is_interrupt_addr(addr));
1290
1291 vtd_iommu_lock(s);
1292
1293 cc_entry = &vtd_as->context_cache_entry;
1294
1295 /* Try to fetch slpte form IOTLB */
1296 iotlb_entry = vtd_lookup_iotlb(s, source_id, addr);
1297 if (iotlb_entry) {
1298 trace_vtd_iotlb_page_hit(source_id, addr, iotlb_entry->slpte,
1299 iotlb_entry->domain_id);
1300 slpte = iotlb_entry->slpte;
1301 access_flags = iotlb_entry->access_flags;
1302 page_mask = iotlb_entry->mask;
1303 goto out;
1304 }
1305
1306 /* Try to fetch context-entry from cache first */
1307 if (cc_entry->context_cache_gen == s->context_cache_gen) {
1308 trace_vtd_iotlb_cc_hit(bus_num, devfn, cc_entry->context_entry.hi,
1309 cc_entry->context_entry.lo,
1310 cc_entry->context_cache_gen);
1311 ce = cc_entry->context_entry;
1312 is_fpd_set = ce.lo & VTD_CONTEXT_ENTRY_FPD;
1313 } else {
1314 ret_fr = vtd_dev_to_context_entry(s, bus_num, devfn, &ce);
1315 is_fpd_set = ce.lo & VTD_CONTEXT_ENTRY_FPD;
1316 if (ret_fr) {
1317 ret_fr = -ret_fr;
1318 if (is_fpd_set && vtd_is_qualified_fault(ret_fr)) {
1319 trace_vtd_fault_disabled();
1320 } else {
1321 vtd_report_dmar_fault(s, source_id, addr, ret_fr, is_write);
1322 }
1323 goto error;
1324 }
1325 /* Update context-cache */
1326 trace_vtd_iotlb_cc_update(bus_num, devfn, ce.hi, ce.lo,
1327 cc_entry->context_cache_gen,
1328 s->context_cache_gen);
1329 cc_entry->context_entry = ce;
1330 cc_entry->context_cache_gen = s->context_cache_gen;
1331 }
1332
1333 /*
1334 * We don't need to translate for pass-through context entries.
1335 * Also, let's ignore IOTLB caching as well for PT devices.
1336 */
1337 if (vtd_ce_get_type(&ce) == VTD_CONTEXT_TT_PASS_THROUGH) {
1338 entry->iova = addr & VTD_PAGE_MASK_4K;
1339 entry->translated_addr = entry->iova;
1340 entry->addr_mask = ~VTD_PAGE_MASK_4K;
1341 entry->perm = IOMMU_RW;
1342 trace_vtd_translate_pt(source_id, entry->iova);
1343
1344 /*
1345 * When this happens, it means firstly caching-mode is not
1346 * enabled, and this is the first passthrough translation for
1347 * the device. Let's enable the fast path for passthrough.
1348 *
1349 * When passthrough is disabled again for the device, we can
1350 * capture it via the context entry invalidation, then the
1351 * IOMMU region can be swapped back.
1352 */
1353 vtd_pt_enable_fast_path(s, source_id);
1354 vtd_iommu_unlock(s);
1355 return true;
1356 }
1357
1358 ret_fr = vtd_iova_to_slpte(&ce, addr, is_write, &slpte, &level,
1359 &reads, &writes, s->aw_bits);
1360 if (ret_fr) {
1361 ret_fr = -ret_fr;
1362 if (is_fpd_set && vtd_is_qualified_fault(ret_fr)) {
1363 trace_vtd_fault_disabled();
1364 } else {
1365 vtd_report_dmar_fault(s, source_id, addr, ret_fr, is_write);
1366 }
1367 goto error;
1368 }
1369
1370 page_mask = vtd_slpt_level_page_mask(level);
1371 access_flags = IOMMU_ACCESS_FLAG(reads, writes);
1372 vtd_update_iotlb(s, source_id, VTD_CONTEXT_ENTRY_DID(ce.hi), addr, slpte,
1373 access_flags, level);
1374 out:
1375 vtd_iommu_unlock(s);
1376 entry->iova = addr & page_mask;
1377 entry->translated_addr = vtd_get_slpte_addr(slpte, s->aw_bits) & page_mask;
1378 entry->addr_mask = ~page_mask;
1379 entry->perm = access_flags;
1380 return true;
1381
1382 error:
1383 vtd_iommu_unlock(s);
1384 entry->iova = 0;
1385 entry->translated_addr = 0;
1386 entry->addr_mask = 0;
1387 entry->perm = IOMMU_NONE;
1388 return false;
1389 }
1390
1391 static void vtd_root_table_setup(IntelIOMMUState *s)
1392 {
1393 s->root = vtd_get_quad_raw(s, DMAR_RTADDR_REG);
1394 s->root_extended = s->root & VTD_RTADDR_RTT;
1395 s->root &= VTD_RTADDR_ADDR_MASK(s->aw_bits);
1396
1397 trace_vtd_reg_dmar_root(s->root, s->root_extended);
1398 }
1399
1400 static void vtd_iec_notify_all(IntelIOMMUState *s, bool global,
1401 uint32_t index, uint32_t mask)
1402 {
1403 x86_iommu_iec_notify_all(X86_IOMMU_DEVICE(s), global, index, mask);
1404 }
1405
1406 static void vtd_interrupt_remap_table_setup(IntelIOMMUState *s)
1407 {
1408 uint64_t value = 0;
1409 value = vtd_get_quad_raw(s, DMAR_IRTA_REG);
1410 s->intr_size = 1UL << ((value & VTD_IRTA_SIZE_MASK) + 1);
1411 s->intr_root = value & VTD_IRTA_ADDR_MASK(s->aw_bits);
1412 s->intr_eime = value & VTD_IRTA_EIME;
1413
1414 /* Notify global invalidation */
1415 vtd_iec_notify_all(s, true, 0, 0);
1416
1417 trace_vtd_reg_ir_root(s->intr_root, s->intr_size);
1418 }
1419
1420 static void vtd_iommu_replay_all(IntelIOMMUState *s)
1421 {
1422 VTDAddressSpace *vtd_as;
1423
1424 QLIST_FOREACH(vtd_as, &s->vtd_as_with_notifiers, next) {
1425 vtd_sync_shadow_page_table(vtd_as);
1426 }
1427 }
1428
1429 static void vtd_context_global_invalidate(IntelIOMMUState *s)
1430 {
1431 trace_vtd_inv_desc_cc_global();
1432 /* Protects context cache */
1433 vtd_iommu_lock(s);
1434 s->context_cache_gen++;
1435 if (s->context_cache_gen == VTD_CONTEXT_CACHE_GEN_MAX) {
1436 vtd_reset_context_cache_locked(s);
1437 }
1438 vtd_iommu_unlock(s);
1439 vtd_switch_address_space_all(s);
1440 /*
1441 * From VT-d spec 6.5.2.1, a global context entry invalidation
1442 * should be followed by a IOTLB global invalidation, so we should
1443 * be safe even without this. Hoewever, let's replay the region as
1444 * well to be safer, and go back here when we need finer tunes for
1445 * VT-d emulation codes.
1446 */
1447 vtd_iommu_replay_all(s);
1448 }
1449
1450 /* Do a context-cache device-selective invalidation.
1451 * @func_mask: FM field after shifting
1452 */
1453 static void vtd_context_device_invalidate(IntelIOMMUState *s,
1454 uint16_t source_id,
1455 uint16_t func_mask)
1456 {
1457 uint16_t mask;
1458 VTDBus *vtd_bus;
1459 VTDAddressSpace *vtd_as;
1460 uint8_t bus_n, devfn;
1461 uint16_t devfn_it;
1462
1463 trace_vtd_inv_desc_cc_devices(source_id, func_mask);
1464
1465 switch (func_mask & 3) {
1466 case 0:
1467 mask = 0; /* No bits in the SID field masked */
1468 break;
1469 case 1:
1470 mask = 4; /* Mask bit 2 in the SID field */
1471 break;
1472 case 2:
1473 mask = 6; /* Mask bit 2:1 in the SID field */
1474 break;
1475 case 3:
1476 mask = 7; /* Mask bit 2:0 in the SID field */
1477 break;
1478 }
1479 mask = ~mask;
1480
1481 bus_n = VTD_SID_TO_BUS(source_id);
1482 vtd_bus = vtd_find_as_from_bus_num(s, bus_n);
1483 if (vtd_bus) {
1484 devfn = VTD_SID_TO_DEVFN(source_id);
1485 for (devfn_it = 0; devfn_it < PCI_DEVFN_MAX; ++devfn_it) {
1486 vtd_as = vtd_bus->dev_as[devfn_it];
1487 if (vtd_as && ((devfn_it & mask) == (devfn & mask))) {
1488 trace_vtd_inv_desc_cc_device(bus_n, VTD_PCI_SLOT(devfn_it),
1489 VTD_PCI_FUNC(devfn_it));
1490 vtd_iommu_lock(s);
1491 vtd_as->context_cache_entry.context_cache_gen = 0;
1492 vtd_iommu_unlock(s);
1493 /*
1494 * Do switch address space when needed, in case if the
1495 * device passthrough bit is switched.
1496 */
1497 vtd_switch_address_space(vtd_as);
1498 /*
1499 * So a device is moving out of (or moving into) a
1500 * domain, resync the shadow page table.
1501 * This won't bring bad even if we have no such
1502 * notifier registered - the IOMMU notification
1503 * framework will skip MAP notifications if that
1504 * happened.
1505 */
1506 vtd_sync_shadow_page_table(vtd_as);
1507 }
1508 }
1509 }
1510 }
1511
1512 /* Context-cache invalidation
1513 * Returns the Context Actual Invalidation Granularity.
1514 * @val: the content of the CCMD_REG
1515 */
1516 static uint64_t vtd_context_cache_invalidate(IntelIOMMUState *s, uint64_t val)
1517 {
1518 uint64_t caig;
1519 uint64_t type = val & VTD_CCMD_CIRG_MASK;
1520
1521 switch (type) {
1522 case VTD_CCMD_DOMAIN_INVL:
1523 /* Fall through */
1524 case VTD_CCMD_GLOBAL_INVL:
1525 caig = VTD_CCMD_GLOBAL_INVL_A;
1526 vtd_context_global_invalidate(s);
1527 break;
1528
1529 case VTD_CCMD_DEVICE_INVL:
1530 caig = VTD_CCMD_DEVICE_INVL_A;
1531 vtd_context_device_invalidate(s, VTD_CCMD_SID(val), VTD_CCMD_FM(val));
1532 break;
1533
1534 default:
1535 error_report_once("%s: invalid context: 0x%" PRIx64,
1536 __func__, val);
1537 caig = 0;
1538 }
1539 return caig;
1540 }
1541
1542 static void vtd_iotlb_global_invalidate(IntelIOMMUState *s)
1543 {
1544 trace_vtd_inv_desc_iotlb_global();
1545 vtd_reset_iotlb(s);
1546 vtd_iommu_replay_all(s);
1547 }
1548
1549 static void vtd_iotlb_domain_invalidate(IntelIOMMUState *s, uint16_t domain_id)
1550 {
1551 VTDContextEntry ce;
1552 VTDAddressSpace *vtd_as;
1553
1554 trace_vtd_inv_desc_iotlb_domain(domain_id);
1555
1556 vtd_iommu_lock(s);
1557 g_hash_table_foreach_remove(s->iotlb, vtd_hash_remove_by_domain,
1558 &domain_id);
1559 vtd_iommu_unlock(s);
1560
1561 QLIST_FOREACH(vtd_as, &s->vtd_as_with_notifiers, next) {
1562 if (!vtd_dev_to_context_entry(s, pci_bus_num(vtd_as->bus),
1563 vtd_as->devfn, &ce) &&
1564 domain_id == VTD_CONTEXT_ENTRY_DID(ce.hi)) {
1565 vtd_sync_shadow_page_table(vtd_as);
1566 }
1567 }
1568 }
1569
1570 static void vtd_iotlb_page_invalidate_notify(IntelIOMMUState *s,
1571 uint16_t domain_id, hwaddr addr,
1572 uint8_t am)
1573 {
1574 VTDAddressSpace *vtd_as;
1575 VTDContextEntry ce;
1576 int ret;
1577 hwaddr size = (1 << am) * VTD_PAGE_SIZE;
1578
1579 QLIST_FOREACH(vtd_as, &(s->vtd_as_with_notifiers), next) {
1580 ret = vtd_dev_to_context_entry(s, pci_bus_num(vtd_as->bus),
1581 vtd_as->devfn, &ce);
1582 if (!ret && domain_id == VTD_CONTEXT_ENTRY_DID(ce.hi)) {
1583 if (vtd_as_has_map_notifier(vtd_as)) {
1584 /*
1585 * As long as we have MAP notifications registered in
1586 * any of our IOMMU notifiers, we need to sync the
1587 * shadow page table.
1588 */
1589 vtd_sync_shadow_page_table_range(vtd_as, &ce, addr, size);
1590 } else {
1591 /*
1592 * For UNMAP-only notifiers, we don't need to walk the
1593 * page tables. We just deliver the PSI down to
1594 * invalidate caches.
1595 */
1596 IOMMUTLBEntry entry = {
1597 .target_as = &address_space_memory,
1598 .iova = addr,
1599 .translated_addr = 0,
1600 .addr_mask = size - 1,
1601 .perm = IOMMU_NONE,
1602 };
1603 memory_region_notify_iommu(&vtd_as->iommu, 0, entry);
1604 }
1605 }
1606 }
1607 }
1608
1609 static void vtd_iotlb_page_invalidate(IntelIOMMUState *s, uint16_t domain_id,
1610 hwaddr addr, uint8_t am)
1611 {
1612 VTDIOTLBPageInvInfo info;
1613
1614 trace_vtd_inv_desc_iotlb_pages(domain_id, addr, am);
1615
1616 assert(am <= VTD_MAMV);
1617 info.domain_id = domain_id;
1618 info.addr = addr;
1619 info.mask = ~((1 << am) - 1);
1620 vtd_iommu_lock(s);
1621 g_hash_table_foreach_remove(s->iotlb, vtd_hash_remove_by_page, &info);
1622 vtd_iommu_unlock(s);
1623 vtd_iotlb_page_invalidate_notify(s, domain_id, addr, am);
1624 }
1625
1626 /* Flush IOTLB
1627 * Returns the IOTLB Actual Invalidation Granularity.
1628 * @val: the content of the IOTLB_REG
1629 */
1630 static uint64_t vtd_iotlb_flush(IntelIOMMUState *s, uint64_t val)
1631 {
1632 uint64_t iaig;
1633 uint64_t type = val & VTD_TLB_FLUSH_GRANU_MASK;
1634 uint16_t domain_id;
1635 hwaddr addr;
1636 uint8_t am;
1637
1638 switch (type) {
1639 case VTD_TLB_GLOBAL_FLUSH:
1640 iaig = VTD_TLB_GLOBAL_FLUSH_A;
1641 vtd_iotlb_global_invalidate(s);
1642 break;
1643
1644 case VTD_TLB_DSI_FLUSH:
1645 domain_id = VTD_TLB_DID(val);
1646 iaig = VTD_TLB_DSI_FLUSH_A;
1647 vtd_iotlb_domain_invalidate(s, domain_id);
1648 break;
1649
1650 case VTD_TLB_PSI_FLUSH:
1651 domain_id = VTD_TLB_DID(val);
1652 addr = vtd_get_quad_raw(s, DMAR_IVA_REG);
1653 am = VTD_IVA_AM(addr);
1654 addr = VTD_IVA_ADDR(addr);
1655 if (am > VTD_MAMV) {
1656 error_report_once("%s: address mask overflow: 0x%" PRIx64,
1657 __func__, vtd_get_quad_raw(s, DMAR_IVA_REG));
1658 iaig = 0;
1659 break;
1660 }
1661 iaig = VTD_TLB_PSI_FLUSH_A;
1662 vtd_iotlb_page_invalidate(s, domain_id, addr, am);
1663 break;
1664
1665 default:
1666 error_report_once("%s: invalid granularity: 0x%" PRIx64,
1667 __func__, val);
1668 iaig = 0;
1669 }
1670 return iaig;
1671 }
1672
1673 static void vtd_fetch_inv_desc(IntelIOMMUState *s);
1674
1675 static inline bool vtd_queued_inv_disable_check(IntelIOMMUState *s)
1676 {
1677 return s->qi_enabled && (s->iq_tail == s->iq_head) &&
1678 (s->iq_last_desc_type == VTD_INV_DESC_WAIT);
1679 }
1680
1681 static void vtd_handle_gcmd_qie(IntelIOMMUState *s, bool en)
1682 {
1683 uint64_t iqa_val = vtd_get_quad_raw(s, DMAR_IQA_REG);
1684
1685 trace_vtd_inv_qi_enable(en);
1686
1687 if (en) {
1688 s->iq = iqa_val & VTD_IQA_IQA_MASK(s->aw_bits);
1689 /* 2^(x+8) entries */
1690 s->iq_size = 1UL << ((iqa_val & VTD_IQA_QS) + 8);
1691 s->qi_enabled = true;
1692 trace_vtd_inv_qi_setup(s->iq, s->iq_size);
1693 /* Ok - report back to driver */
1694 vtd_set_clear_mask_long(s, DMAR_GSTS_REG, 0, VTD_GSTS_QIES);
1695
1696 if (s->iq_tail != 0) {
1697 /*
1698 * This is a spec violation but Windows guests are known to set up
1699 * Queued Invalidation this way so we allow the write and process
1700 * Invalidation Descriptors right away.
1701 */
1702 trace_vtd_warn_invalid_qi_tail(s->iq_tail);
1703 if (!(vtd_get_long_raw(s, DMAR_FSTS_REG) & VTD_FSTS_IQE)) {
1704 vtd_fetch_inv_desc(s);
1705 }
1706 }
1707 } else {
1708 if (vtd_queued_inv_disable_check(s)) {
1709 /* disable Queued Invalidation */
1710 vtd_set_quad_raw(s, DMAR_IQH_REG, 0);
1711 s->iq_head = 0;
1712 s->qi_enabled = false;
1713 /* Ok - report back to driver */
1714 vtd_set_clear_mask_long(s, DMAR_GSTS_REG, VTD_GSTS_QIES, 0);
1715 } else {
1716 error_report_once("%s: detected improper state when disable QI "
1717 "(head=0x%x, tail=0x%x, last_type=%d)",
1718 __func__,
1719 s->iq_head, s->iq_tail, s->iq_last_desc_type);
1720 }
1721 }
1722 }
1723
1724 /* Set Root Table Pointer */
1725 static void vtd_handle_gcmd_srtp(IntelIOMMUState *s)
1726 {
1727 vtd_root_table_setup(s);
1728 /* Ok - report back to driver */
1729 vtd_set_clear_mask_long(s, DMAR_GSTS_REG, 0, VTD_GSTS_RTPS);
1730 }
1731
1732 /* Set Interrupt Remap Table Pointer */
1733 static void vtd_handle_gcmd_sirtp(IntelIOMMUState *s)
1734 {
1735 vtd_interrupt_remap_table_setup(s);
1736 /* Ok - report back to driver */
1737 vtd_set_clear_mask_long(s, DMAR_GSTS_REG, 0, VTD_GSTS_IRTPS);
1738 }
1739
1740 /* Handle Translation Enable/Disable */
1741 static void vtd_handle_gcmd_te(IntelIOMMUState *s, bool en)
1742 {
1743 if (s->dmar_enabled == en) {
1744 return;
1745 }
1746
1747 trace_vtd_dmar_enable(en);
1748
1749 if (en) {
1750 s->dmar_enabled = true;
1751 /* Ok - report back to driver */
1752 vtd_set_clear_mask_long(s, DMAR_GSTS_REG, 0, VTD_GSTS_TES);
1753 } else {
1754 s->dmar_enabled = false;
1755
1756 /* Clear the index of Fault Recording Register */
1757 s->next_frcd_reg = 0;
1758 /* Ok - report back to driver */
1759 vtd_set_clear_mask_long(s, DMAR_GSTS_REG, VTD_GSTS_TES, 0);
1760 }
1761
1762 vtd_switch_address_space_all(s);
1763 }
1764
1765 /* Handle Interrupt Remap Enable/Disable */
1766 static void vtd_handle_gcmd_ire(IntelIOMMUState *s, bool en)
1767 {
1768 trace_vtd_ir_enable(en);
1769
1770 if (en) {
1771 s->intr_enabled = true;
1772 /* Ok - report back to driver */
1773 vtd_set_clear_mask_long(s, DMAR_GSTS_REG, 0, VTD_GSTS_IRES);
1774 } else {
1775 s->intr_enabled = false;
1776 /* Ok - report back to driver */
1777 vtd_set_clear_mask_long(s, DMAR_GSTS_REG, VTD_GSTS_IRES, 0);
1778 }
1779 }
1780
1781 /* Handle write to Global Command Register */
1782 static void vtd_handle_gcmd_write(IntelIOMMUState *s)
1783 {
1784 uint32_t status = vtd_get_long_raw(s, DMAR_GSTS_REG);
1785 uint32_t val = vtd_get_long_raw(s, DMAR_GCMD_REG);
1786 uint32_t changed = status ^ val;
1787
1788 trace_vtd_reg_write_gcmd(status, val);
1789 if (changed & VTD_GCMD_TE) {
1790 /* Translation enable/disable */
1791 vtd_handle_gcmd_te(s, val & VTD_GCMD_TE);
1792 }
1793 if (val & VTD_GCMD_SRTP) {
1794 /* Set/update the root-table pointer */
1795 vtd_handle_gcmd_srtp(s);
1796 }
1797 if (changed & VTD_GCMD_QIE) {
1798 /* Queued Invalidation Enable */
1799 vtd_handle_gcmd_qie(s, val & VTD_GCMD_QIE);
1800 }
1801 if (val & VTD_GCMD_SIRTP) {
1802 /* Set/update the interrupt remapping root-table pointer */
1803 vtd_handle_gcmd_sirtp(s);
1804 }
1805 if (changed & VTD_GCMD_IRE) {
1806 /* Interrupt remap enable/disable */
1807 vtd_handle_gcmd_ire(s, val & VTD_GCMD_IRE);
1808 }
1809 }
1810
1811 /* Handle write to Context Command Register */
1812 static void vtd_handle_ccmd_write(IntelIOMMUState *s)
1813 {
1814 uint64_t ret;
1815 uint64_t val = vtd_get_quad_raw(s, DMAR_CCMD_REG);
1816
1817 /* Context-cache invalidation request */
1818 if (val & VTD_CCMD_ICC) {
1819 if (s->qi_enabled) {
1820 error_report_once("Queued Invalidation enabled, "
1821 "should not use register-based invalidation");
1822 return;
1823 }
1824 ret = vtd_context_cache_invalidate(s, val);
1825 /* Invalidation completed. Change something to show */
1826 vtd_set_clear_mask_quad(s, DMAR_CCMD_REG, VTD_CCMD_ICC, 0ULL);
1827 ret = vtd_set_clear_mask_quad(s, DMAR_CCMD_REG, VTD_CCMD_CAIG_MASK,
1828 ret);
1829 }
1830 }
1831
1832 /* Handle write to IOTLB Invalidation Register */
1833 static void vtd_handle_iotlb_write(IntelIOMMUState *s)
1834 {
1835 uint64_t ret;
1836 uint64_t val = vtd_get_quad_raw(s, DMAR_IOTLB_REG);
1837
1838 /* IOTLB invalidation request */
1839 if (val & VTD_TLB_IVT) {
1840 if (s->qi_enabled) {
1841 error_report_once("Queued Invalidation enabled, "
1842 "should not use register-based invalidation");
1843 return;
1844 }
1845 ret = vtd_iotlb_flush(s, val);
1846 /* Invalidation completed. Change something to show */
1847 vtd_set_clear_mask_quad(s, DMAR_IOTLB_REG, VTD_TLB_IVT, 0ULL);
1848 ret = vtd_set_clear_mask_quad(s, DMAR_IOTLB_REG,
1849 VTD_TLB_FLUSH_GRANU_MASK_A, ret);
1850 }
1851 }
1852
1853 /* Fetch an Invalidation Descriptor from the Invalidation Queue */
1854 static bool vtd_get_inv_desc(dma_addr_t base_addr, uint32_t offset,
1855 VTDInvDesc *inv_desc)
1856 {
1857 dma_addr_t addr = base_addr + offset * sizeof(*inv_desc);
1858 if (dma_memory_read(&address_space_memory, addr, inv_desc,
1859 sizeof(*inv_desc))) {
1860 error_report_once("Read INV DESC failed");
1861 inv_desc->lo = 0;
1862 inv_desc->hi = 0;
1863 return false;
1864 }
1865 inv_desc->lo = le64_to_cpu(inv_desc->lo);
1866 inv_desc->hi = le64_to_cpu(inv_desc->hi);
1867 return true;
1868 }
1869
1870 static bool vtd_process_wait_desc(IntelIOMMUState *s, VTDInvDesc *inv_desc)
1871 {
1872 if ((inv_desc->hi & VTD_INV_DESC_WAIT_RSVD_HI) ||
1873 (inv_desc->lo & VTD_INV_DESC_WAIT_RSVD_LO)) {
1874 trace_vtd_inv_desc_wait_invalid(inv_desc->hi, inv_desc->lo);
1875 return false;
1876 }
1877 if (inv_desc->lo & VTD_INV_DESC_WAIT_SW) {
1878 /* Status Write */
1879 uint32_t status_data = (uint32_t)(inv_desc->lo >>
1880 VTD_INV_DESC_WAIT_DATA_SHIFT);
1881
1882 assert(!(inv_desc->lo & VTD_INV_DESC_WAIT_IF));
1883
1884 /* FIXME: need to be masked with HAW? */
1885 dma_addr_t status_addr = inv_desc->hi;
1886 trace_vtd_inv_desc_wait_sw(status_addr, status_data);
1887 status_data = cpu_to_le32(status_data);
1888 if (dma_memory_write(&address_space_memory, status_addr, &status_data,
1889 sizeof(status_data))) {
1890 trace_vtd_inv_desc_wait_write_fail(inv_desc->hi, inv_desc->lo);
1891 return false;
1892 }
1893 } else if (inv_desc->lo & VTD_INV_DESC_WAIT_IF) {
1894 /* Interrupt flag */
1895 vtd_generate_completion_event(s);
1896 } else {
1897 trace_vtd_inv_desc_wait_invalid(inv_desc->hi, inv_desc->lo);
1898 return false;
1899 }
1900 return true;
1901 }
1902
1903 static bool vtd_process_context_cache_desc(IntelIOMMUState *s,
1904 VTDInvDesc *inv_desc)
1905 {
1906 uint16_t sid, fmask;
1907
1908 if ((inv_desc->lo & VTD_INV_DESC_CC_RSVD) || inv_desc->hi) {
1909 trace_vtd_inv_desc_cc_invalid(inv_desc->hi, inv_desc->lo);
1910 return false;
1911 }
1912 switch (inv_desc->lo & VTD_INV_DESC_CC_G) {
1913 case VTD_INV_DESC_CC_DOMAIN:
1914 trace_vtd_inv_desc_cc_domain(
1915 (uint16_t)VTD_INV_DESC_CC_DID(inv_desc->lo));
1916 /* Fall through */
1917 case VTD_INV_DESC_CC_GLOBAL:
1918 vtd_context_global_invalidate(s);
1919 break;
1920
1921 case VTD_INV_DESC_CC_DEVICE:
1922 sid = VTD_INV_DESC_CC_SID(inv_desc->lo);
1923 fmask = VTD_INV_DESC_CC_FM(inv_desc->lo);
1924 vtd_context_device_invalidate(s, sid, fmask);
1925 break;
1926
1927 default:
1928 trace_vtd_inv_desc_cc_invalid(inv_desc->hi, inv_desc->lo);
1929 return false;
1930 }
1931 return true;
1932 }
1933
1934 static bool vtd_process_iotlb_desc(IntelIOMMUState *s, VTDInvDesc *inv_desc)
1935 {
1936 uint16_t domain_id;
1937 uint8_t am;
1938 hwaddr addr;
1939
1940 if ((inv_desc->lo & VTD_INV_DESC_IOTLB_RSVD_LO) ||
1941 (inv_desc->hi & VTD_INV_DESC_IOTLB_RSVD_HI)) {
1942 trace_vtd_inv_desc_iotlb_invalid(inv_desc->hi, inv_desc->lo);
1943 return false;
1944 }
1945
1946 switch (inv_desc->lo & VTD_INV_DESC_IOTLB_G) {
1947 case VTD_INV_DESC_IOTLB_GLOBAL:
1948 vtd_iotlb_global_invalidate(s);
1949 break;
1950
1951 case VTD_INV_DESC_IOTLB_DOMAIN:
1952 domain_id = VTD_INV_DESC_IOTLB_DID(inv_desc->lo);
1953 vtd_iotlb_domain_invalidate(s, domain_id);
1954 break;
1955
1956 case VTD_INV_DESC_IOTLB_PAGE:
1957 domain_id = VTD_INV_DESC_IOTLB_DID(inv_desc->lo);
1958 addr = VTD_INV_DESC_IOTLB_ADDR(inv_desc->hi);
1959 am = VTD_INV_DESC_IOTLB_AM(inv_desc->hi);
1960 if (am > VTD_MAMV) {
1961 trace_vtd_inv_desc_iotlb_invalid(inv_desc->hi, inv_desc->lo);
1962 return false;
1963 }
1964 vtd_iotlb_page_invalidate(s, domain_id, addr, am);
1965 break;
1966
1967 default:
1968 trace_vtd_inv_desc_iotlb_invalid(inv_desc->hi, inv_desc->lo);
1969 return false;
1970 }
1971 return true;
1972 }
1973
1974 static bool vtd_process_inv_iec_desc(IntelIOMMUState *s,
1975 VTDInvDesc *inv_desc)
1976 {
1977 trace_vtd_inv_desc_iec(inv_desc->iec.granularity,
1978 inv_desc->iec.index,
1979 inv_desc->iec.index_mask);
1980
1981 vtd_iec_notify_all(s, !inv_desc->iec.granularity,
1982 inv_desc->iec.index,
1983 inv_desc->iec.index_mask);
1984 return true;
1985 }
1986
1987 static bool vtd_process_device_iotlb_desc(IntelIOMMUState *s,
1988 VTDInvDesc *inv_desc)
1989 {
1990 VTDAddressSpace *vtd_dev_as;
1991 IOMMUTLBEntry entry;
1992 struct VTDBus *vtd_bus;
1993 hwaddr addr;
1994 uint64_t sz;
1995 uint16_t sid;
1996 uint8_t devfn;
1997 bool size;
1998 uint8_t bus_num;
1999
2000 addr = VTD_INV_DESC_DEVICE_IOTLB_ADDR(inv_desc->hi);
2001 sid = VTD_INV_DESC_DEVICE_IOTLB_SID(inv_desc->lo);
2002 devfn = sid & 0xff;
2003 bus_num = sid >> 8;
2004 size = VTD_INV_DESC_DEVICE_IOTLB_SIZE(inv_desc->hi);
2005
2006 if ((inv_desc->lo & VTD_INV_DESC_DEVICE_IOTLB_RSVD_LO) ||
2007 (inv_desc->hi & VTD_INV_DESC_DEVICE_IOTLB_RSVD_HI)) {
2008 trace_vtd_inv_desc_iotlb_invalid(inv_desc->hi, inv_desc->lo);
2009 return false;
2010 }
2011
2012 vtd_bus = vtd_find_as_from_bus_num(s, bus_num);
2013 if (!vtd_bus) {
2014 goto done;
2015 }
2016
2017 vtd_dev_as = vtd_bus->dev_as[devfn];
2018 if (!vtd_dev_as) {
2019 goto done;
2020 }
2021
2022 /* According to ATS spec table 2.4:
2023 * S = 0, bits 15:12 = xxxx range size: 4K
2024 * S = 1, bits 15:12 = xxx0 range size: 8K
2025 * S = 1, bits 15:12 = xx01 range size: 16K
2026 * S = 1, bits 15:12 = x011 range size: 32K
2027 * S = 1, bits 15:12 = 0111 range size: 64K
2028 * ...
2029 */
2030 if (size) {
2031 sz = (VTD_PAGE_SIZE * 2) << cto64(addr >> VTD_PAGE_SHIFT);
2032 addr &= ~(sz - 1);
2033 } else {
2034 sz = VTD_PAGE_SIZE;
2035 }
2036
2037 entry.target_as = &vtd_dev_as->as;
2038 entry.addr_mask = sz - 1;
2039 entry.iova = addr;
2040 entry.perm = IOMMU_NONE;
2041 entry.translated_addr = 0;
2042 memory_region_notify_iommu(&vtd_dev_as->iommu, 0, entry);
2043
2044 done:
2045 return true;
2046 }
2047
2048 static bool vtd_process_inv_desc(IntelIOMMUState *s)
2049 {
2050 VTDInvDesc inv_desc;
2051 uint8_t desc_type;
2052
2053 trace_vtd_inv_qi_head(s->iq_head);
2054 if (!vtd_get_inv_desc(s->iq, s->iq_head, &inv_desc)) {
2055 s->iq_last_desc_type = VTD_INV_DESC_NONE;
2056 return false;
2057 }
2058 desc_type = inv_desc.lo & VTD_INV_DESC_TYPE;
2059 /* FIXME: should update at first or at last? */
2060 s->iq_last_desc_type = desc_type;
2061
2062 switch (desc_type) {
2063 case VTD_INV_DESC_CC:
2064 trace_vtd_inv_desc("context-cache", inv_desc.hi, inv_desc.lo);
2065 if (!vtd_process_context_cache_desc(s, &inv_desc)) {
2066 return false;
2067 }
2068 break;
2069
2070 case VTD_INV_DESC_IOTLB:
2071 trace_vtd_inv_desc("iotlb", inv_desc.hi, inv_desc.lo);
2072 if (!vtd_process_iotlb_desc(s, &inv_desc)) {
2073 return false;
2074 }
2075 break;
2076
2077 case VTD_INV_DESC_WAIT:
2078 trace_vtd_inv_desc("wait", inv_desc.hi, inv_desc.lo);
2079 if (!vtd_process_wait_desc(s, &inv_desc)) {
2080 return false;
2081 }
2082 break;
2083
2084 case VTD_INV_DESC_IEC:
2085 trace_vtd_inv_desc("iec", inv_desc.hi, inv_desc.lo);
2086 if (!vtd_process_inv_iec_desc(s, &inv_desc)) {
2087 return false;
2088 }
2089 break;
2090
2091 case VTD_INV_DESC_DEVICE:
2092 trace_vtd_inv_desc("device", inv_desc.hi, inv_desc.lo);
2093 if (!vtd_process_device_iotlb_desc(s, &inv_desc)) {
2094 return false;
2095 }
2096 break;
2097
2098 default:
2099 trace_vtd_inv_desc_invalid(inv_desc.hi, inv_desc.lo);
2100 return false;
2101 }
2102 s->iq_head++;
2103 if (s->iq_head == s->iq_size) {
2104 s->iq_head = 0;
2105 }
2106 return true;
2107 }
2108
2109 /* Try to fetch and process more Invalidation Descriptors */
2110 static void vtd_fetch_inv_desc(IntelIOMMUState *s)
2111 {
2112 trace_vtd_inv_qi_fetch();
2113
2114 if (s->iq_tail >= s->iq_size) {
2115 /* Detects an invalid Tail pointer */
2116 error_report_once("%s: detected invalid QI tail "
2117 "(tail=0x%x, size=0x%x)",
2118 __func__, s->iq_tail, s->iq_size);
2119 vtd_handle_inv_queue_error(s);
2120 return;
2121 }
2122 while (s->iq_head != s->iq_tail) {
2123 if (!vtd_process_inv_desc(s)) {
2124 /* Invalidation Queue Errors */
2125 vtd_handle_inv_queue_error(s);
2126 break;
2127 }
2128 /* Must update the IQH_REG in time */
2129 vtd_set_quad_raw(s, DMAR_IQH_REG,
2130 (((uint64_t)(s->iq_head)) << VTD_IQH_QH_SHIFT) &
2131 VTD_IQH_QH_MASK);
2132 }
2133 }
2134
2135 /* Handle write to Invalidation Queue Tail Register */
2136 static void vtd_handle_iqt_write(IntelIOMMUState *s)
2137 {
2138 uint64_t val = vtd_get_quad_raw(s, DMAR_IQT_REG);
2139
2140 s->iq_tail = VTD_IQT_QT(val);
2141 trace_vtd_inv_qi_tail(s->iq_tail);
2142
2143 if (s->qi_enabled && !(vtd_get_long_raw(s, DMAR_FSTS_REG) & VTD_FSTS_IQE)) {
2144 /* Process Invalidation Queue here */
2145 vtd_fetch_inv_desc(s);
2146 }
2147 }
2148
2149 static void vtd_handle_fsts_write(IntelIOMMUState *s)
2150 {
2151 uint32_t fsts_reg = vtd_get_long_raw(s, DMAR_FSTS_REG);
2152 uint32_t fectl_reg = vtd_get_long_raw(s, DMAR_FECTL_REG);
2153 uint32_t status_fields = VTD_FSTS_PFO | VTD_FSTS_PPF | VTD_FSTS_IQE;
2154
2155 if ((fectl_reg & VTD_FECTL_IP) && !(fsts_reg & status_fields)) {
2156 vtd_set_clear_mask_long(s, DMAR_FECTL_REG, VTD_FECTL_IP, 0);
2157 trace_vtd_fsts_clear_ip();
2158 }
2159 /* FIXME: when IQE is Clear, should we try to fetch some Invalidation
2160 * Descriptors if there are any when Queued Invalidation is enabled?
2161 */
2162 }
2163
2164 static void vtd_handle_fectl_write(IntelIOMMUState *s)
2165 {
2166 uint32_t fectl_reg;
2167 /* FIXME: when software clears the IM field, check the IP field. But do we
2168 * need to compare the old value and the new value to conclude that
2169 * software clears the IM field? Or just check if the IM field is zero?
2170 */
2171 fectl_reg = vtd_get_long_raw(s, DMAR_FECTL_REG);
2172
2173 trace_vtd_reg_write_fectl(fectl_reg);
2174
2175 if ((fectl_reg & VTD_FECTL_IP) && !(fectl_reg & VTD_FECTL_IM)) {
2176 vtd_generate_interrupt(s, DMAR_FEADDR_REG, DMAR_FEDATA_REG);
2177 vtd_set_clear_mask_long(s, DMAR_FECTL_REG, VTD_FECTL_IP, 0);
2178 }
2179 }
2180
2181 static void vtd_handle_ics_write(IntelIOMMUState *s)
2182 {
2183 uint32_t ics_reg = vtd_get_long_raw(s, DMAR_ICS_REG);
2184 uint32_t iectl_reg = vtd_get_long_raw(s, DMAR_IECTL_REG);
2185
2186 if ((iectl_reg & VTD_IECTL_IP) && !(ics_reg & VTD_ICS_IWC)) {
2187 trace_vtd_reg_ics_clear_ip();
2188 vtd_set_clear_mask_long(s, DMAR_IECTL_REG, VTD_IECTL_IP, 0);
2189 }
2190 }
2191
2192 static void vtd_handle_iectl_write(IntelIOMMUState *s)
2193 {
2194 uint32_t iectl_reg;
2195 /* FIXME: when software clears the IM field, check the IP field. But do we
2196 * need to compare the old value and the new value to conclude that
2197 * software clears the IM field? Or just check if the IM field is zero?
2198 */
2199 iectl_reg = vtd_get_long_raw(s, DMAR_IECTL_REG);
2200
2201 trace_vtd_reg_write_iectl(iectl_reg);
2202
2203 if ((iectl_reg & VTD_IECTL_IP) && !(iectl_reg & VTD_IECTL_IM)) {
2204 vtd_generate_interrupt(s, DMAR_IEADDR_REG, DMAR_IEDATA_REG);
2205 vtd_set_clear_mask_long(s, DMAR_IECTL_REG, VTD_IECTL_IP, 0);
2206 }
2207 }
2208
2209 static uint64_t vtd_mem_read(void *opaque, hwaddr addr, unsigned size)
2210 {
2211 IntelIOMMUState *s = opaque;
2212 uint64_t val;
2213
2214 trace_vtd_reg_read(addr, size);
2215
2216 if (addr + size > DMAR_REG_SIZE) {
2217 error_report_once("%s: MMIO over range: addr=0x%" PRIx64
2218 " size=0x%u", __func__, addr, size);
2219 return (uint64_t)-1;
2220 }
2221
2222 switch (addr) {
2223 /* Root Table Address Register, 64-bit */
2224 case DMAR_RTADDR_REG:
2225 if (size == 4) {
2226 val = s->root & ((1ULL << 32) - 1);
2227 } else {
2228 val = s->root;
2229 }
2230 break;
2231
2232 case DMAR_RTADDR_REG_HI:
2233 assert(size == 4);
2234 val = s->root >> 32;
2235 break;
2236
2237 /* Invalidation Queue Address Register, 64-bit */
2238 case DMAR_IQA_REG:
2239 val = s->iq | (vtd_get_quad(s, DMAR_IQA_REG) & VTD_IQA_QS);
2240 if (size == 4) {
2241 val = val & ((1ULL << 32) - 1);
2242 }
2243 break;
2244
2245 case DMAR_IQA_REG_HI:
2246 assert(size == 4);
2247 val = s->iq >> 32;
2248 break;
2249
2250 default:
2251 if (size == 4) {
2252 val = vtd_get_long(s, addr);
2253 } else {
2254 val = vtd_get_quad(s, addr);
2255 }
2256 }
2257
2258 return val;
2259 }
2260
2261 static void vtd_mem_write(void *opaque, hwaddr addr,
2262 uint64_t val, unsigned size)
2263 {
2264 IntelIOMMUState *s = opaque;
2265
2266 trace_vtd_reg_write(addr, size, val);
2267
2268 if (addr + size > DMAR_REG_SIZE) {
2269 error_report_once("%s: MMIO over range: addr=0x%" PRIx64
2270 " size=0x%u", __func__, addr, size);
2271 return;
2272 }
2273
2274 switch (addr) {
2275 /* Global Command Register, 32-bit */
2276 case DMAR_GCMD_REG:
2277 vtd_set_long(s, addr, val);
2278 vtd_handle_gcmd_write(s);
2279 break;
2280
2281 /* Context Command Register, 64-bit */
2282 case DMAR_CCMD_REG:
2283 if (size == 4) {
2284 vtd_set_long(s, addr, val);
2285 } else {
2286 vtd_set_quad(s, addr, val);
2287 vtd_handle_ccmd_write(s);
2288 }
2289 break;
2290
2291 case DMAR_CCMD_REG_HI:
2292 assert(size == 4);
2293 vtd_set_long(s, addr, val);
2294 vtd_handle_ccmd_write(s);
2295 break;
2296
2297 /* IOTLB Invalidation Register, 64-bit */
2298 case DMAR_IOTLB_REG:
2299 if (size == 4) {
2300 vtd_set_long(s, addr, val);
2301 } else {
2302 vtd_set_quad(s, addr, val);
2303 vtd_handle_iotlb_write(s);
2304 }
2305 break;
2306
2307 case DMAR_IOTLB_REG_HI:
2308 assert(size == 4);
2309 vtd_set_long(s, addr, val);
2310 vtd_handle_iotlb_write(s);
2311 break;
2312
2313 /* Invalidate Address Register, 64-bit */
2314 case DMAR_IVA_REG:
2315 if (size == 4) {
2316 vtd_set_long(s, addr, val);
2317 } else {
2318 vtd_set_quad(s, addr, val);
2319 }
2320 break;
2321
2322 case DMAR_IVA_REG_HI:
2323 assert(size == 4);
2324 vtd_set_long(s, addr, val);
2325 break;
2326
2327 /* Fault Status Register, 32-bit */
2328 case DMAR_FSTS_REG:
2329 assert(size == 4);
2330 vtd_set_long(s, addr, val);
2331 vtd_handle_fsts_write(s);
2332 break;
2333
2334 /* Fault Event Control Register, 32-bit */
2335 case DMAR_FECTL_REG:
2336 assert(size == 4);
2337 vtd_set_long(s, addr, val);
2338 vtd_handle_fectl_write(s);
2339 break;
2340
2341 /* Fault Event Data Register, 32-bit */
2342 case DMAR_FEDATA_REG:
2343 assert(size == 4);
2344 vtd_set_long(s, addr, val);
2345 break;
2346
2347 /* Fault Event Address Register, 32-bit */
2348 case DMAR_FEADDR_REG:
2349 if (size == 4) {
2350 vtd_set_long(s, addr, val);
2351 } else {
2352 /*
2353 * While the register is 32-bit only, some guests (Xen...) write to
2354 * it with 64-bit.
2355 */
2356 vtd_set_quad(s, addr, val);
2357 }
2358 break;
2359
2360 /* Fault Event Upper Address Register, 32-bit */
2361 case DMAR_FEUADDR_REG:
2362 assert(size == 4);
2363 vtd_set_long(s, addr, val);
2364 break;
2365
2366 /* Protected Memory Enable Register, 32-bit */
2367 case DMAR_PMEN_REG:
2368 assert(size == 4);
2369 vtd_set_long(s, addr, val);
2370 break;
2371
2372 /* Root Table Address Register, 64-bit */
2373 case DMAR_RTADDR_REG:
2374 if (size == 4) {
2375 vtd_set_long(s, addr, val);
2376 } else {
2377 vtd_set_quad(s, addr, val);
2378 }
2379 break;
2380
2381 case DMAR_RTADDR_REG_HI:
2382 assert(size == 4);
2383 vtd_set_long(s, addr, val);
2384 break;
2385
2386 /* Invalidation Queue Tail Register, 64-bit */
2387 case DMAR_IQT_REG:
2388 if (size == 4) {
2389 vtd_set_long(s, addr, val);
2390 } else {
2391 vtd_set_quad(s, addr, val);
2392 }
2393 vtd_handle_iqt_write(s);
2394 break;
2395
2396 case DMAR_IQT_REG_HI:
2397 assert(size == 4);
2398 vtd_set_long(s, addr, val);
2399 /* 19:63 of IQT_REG is RsvdZ, do nothing here */
2400 break;
2401
2402 /* Invalidation Queue Address Register, 64-bit */
2403 case DMAR_IQA_REG:
2404 if (size == 4) {
2405 vtd_set_long(s, addr, val);
2406 } else {
2407 vtd_set_quad(s, addr, val);
2408 }
2409 break;
2410
2411 case DMAR_IQA_REG_HI:
2412 assert(size == 4);
2413 vtd_set_long(s, addr, val);
2414 break;
2415
2416 /* Invalidation Completion Status Register, 32-bit */
2417 case DMAR_ICS_REG:
2418 assert(size == 4);
2419 vtd_set_long(s, addr, val);
2420 vtd_handle_ics_write(s);
2421 break;
2422
2423 /* Invalidation Event Control Register, 32-bit */
2424 case DMAR_IECTL_REG:
2425 assert(size == 4);
2426 vtd_set_long(s, addr, val);
2427 vtd_handle_iectl_write(s);
2428 break;
2429
2430 /* Invalidation Event Data Register, 32-bit */
2431 case DMAR_IEDATA_REG:
2432 assert(size == 4);
2433 vtd_set_long(s, addr, val);
2434 break;
2435
2436 /* Invalidation Event Address Register, 32-bit */
2437 case DMAR_IEADDR_REG:
2438 assert(size == 4);
2439 vtd_set_long(s, addr, val);
2440 break;
2441
2442 /* Invalidation Event Upper Address Register, 32-bit */
2443 case DMAR_IEUADDR_REG:
2444 assert(size == 4);
2445 vtd_set_long(s, addr, val);
2446 break;
2447
2448 /* Fault Recording Registers, 128-bit */
2449 case DMAR_FRCD_REG_0_0:
2450 if (size == 4) {
2451 vtd_set_long(s, addr, val);
2452 } else {
2453 vtd_set_quad(s, addr, val);
2454 }
2455 break;
2456
2457 case DMAR_FRCD_REG_0_1:
2458 assert(size == 4);
2459 vtd_set_long(s, addr, val);
2460 break;
2461
2462 case DMAR_FRCD_REG_0_2:
2463 if (size == 4) {
2464 vtd_set_long(s, addr, val);
2465 } else {
2466 vtd_set_quad(s, addr, val);
2467 /* May clear bit 127 (Fault), update PPF */
2468 vtd_update_fsts_ppf(s);
2469 }
2470 break;
2471
2472 case DMAR_FRCD_REG_0_3:
2473 assert(size == 4);
2474 vtd_set_long(s, addr, val);
2475 /* May clear bit 127 (Fault), update PPF */
2476 vtd_update_fsts_ppf(s);
2477 break;
2478
2479 case DMAR_IRTA_REG:
2480 if (size == 4) {
2481 vtd_set_long(s, addr, val);
2482 } else {
2483 vtd_set_quad(s, addr, val);
2484 }
2485 break;
2486
2487 case DMAR_IRTA_REG_HI:
2488 assert(size == 4);
2489 vtd_set_long(s, addr, val);
2490 break;
2491
2492 default:
2493 if (size == 4) {
2494 vtd_set_long(s, addr, val);
2495 } else {
2496 vtd_set_quad(s, addr, val);
2497 }
2498 }
2499 }
2500
2501 static IOMMUTLBEntry vtd_iommu_translate(IOMMUMemoryRegion *iommu, hwaddr addr,
2502 IOMMUAccessFlags flag, int iommu_idx)
2503 {
2504 VTDAddressSpace *vtd_as = container_of(iommu, VTDAddressSpace, iommu);
2505 IntelIOMMUState *s = vtd_as->iommu_state;
2506 IOMMUTLBEntry iotlb = {
2507 /* We'll fill in the rest later. */
2508 .target_as = &address_space_memory,
2509 };
2510 bool success;
2511
2512 if (likely(s->dmar_enabled)) {
2513 success = vtd_do_iommu_translate(vtd_as, vtd_as->bus, vtd_as->devfn,
2514 addr, flag & IOMMU_WO, &iotlb);
2515 } else {
2516 /* DMAR disabled, passthrough, use 4k-page*/
2517 iotlb.iova = addr & VTD_PAGE_MASK_4K;
2518 iotlb.translated_addr = addr & VTD_PAGE_MASK_4K;
2519 iotlb.addr_mask = ~VTD_PAGE_MASK_4K;
2520 iotlb.perm = IOMMU_RW;
2521 success = true;
2522 }
2523
2524 if (likely(success)) {
2525 trace_vtd_dmar_translate(pci_bus_num(vtd_as->bus),
2526 VTD_PCI_SLOT(vtd_as->devfn),
2527 VTD_PCI_FUNC(vtd_as->devfn),
2528 iotlb.iova, iotlb.translated_addr,
2529 iotlb.addr_mask);
2530 } else {
2531 error_report_once("%s: detected translation failure "
2532 "(dev=%02x:%02x:%02x, iova=0x%" PRIx64 ")",
2533 __func__, pci_bus_num(vtd_as->bus),
2534 VTD_PCI_SLOT(vtd_as->devfn),
2535 VTD_PCI_FUNC(vtd_as->devfn),
2536 iotlb.iova);
2537 }
2538
2539 return iotlb;
2540 }
2541
2542 static void vtd_iommu_notify_flag_changed(IOMMUMemoryRegion *iommu,
2543 IOMMUNotifierFlag old,
2544 IOMMUNotifierFlag new)
2545 {
2546 VTDAddressSpace *vtd_as = container_of(iommu, VTDAddressSpace, iommu);
2547 IntelIOMMUState *s = vtd_as->iommu_state;
2548
2549 if (!s->caching_mode && new & IOMMU_NOTIFIER_MAP) {
2550 error_report("We need to set caching-mode=1 for intel-iommu to enable "
2551 "device assignment with IOMMU protection.");
2552 exit(1);
2553 }
2554
2555 /* Update per-address-space notifier flags */
2556 vtd_as->notifier_flags = new;
2557
2558 if (old == IOMMU_NOTIFIER_NONE) {
2559 QLIST_INSERT_HEAD(&s->vtd_as_with_notifiers, vtd_as, next);
2560 } else if (new == IOMMU_NOTIFIER_NONE) {
2561 QLIST_REMOVE(vtd_as, next);
2562 }
2563 }
2564
2565 static int vtd_post_load(void *opaque, int version_id)
2566 {
2567 IntelIOMMUState *iommu = opaque;
2568
2569 /*
2570 * Memory regions are dynamically turned on/off depending on
2571 * context entry configurations from the guest. After migration,
2572 * we need to make sure the memory regions are still correct.
2573 */
2574 vtd_switch_address_space_all(iommu);
2575
2576 return 0;
2577 }
2578
2579 static const VMStateDescription vtd_vmstate = {
2580 .name = "iommu-intel",
2581 .version_id = 1,
2582 .minimum_version_id = 1,
2583 .priority = MIG_PRI_IOMMU,
2584 .post_load = vtd_post_load,
2585 .fields = (VMStateField[]) {
2586 VMSTATE_UINT64(root, IntelIOMMUState),
2587 VMSTATE_UINT64(intr_root, IntelIOMMUState),
2588 VMSTATE_UINT64(iq, IntelIOMMUState),
2589 VMSTATE_UINT32(intr_size, IntelIOMMUState),
2590 VMSTATE_UINT16(iq_head, IntelIOMMUState),
2591 VMSTATE_UINT16(iq_tail, IntelIOMMUState),
2592 VMSTATE_UINT16(iq_size, IntelIOMMUState),
2593 VMSTATE_UINT16(next_frcd_reg, IntelIOMMUState),
2594 VMSTATE_UINT8_ARRAY(csr, IntelIOMMUState, DMAR_REG_SIZE),
2595 VMSTATE_UINT8(iq_last_desc_type, IntelIOMMUState),
2596 VMSTATE_BOOL(root_extended, IntelIOMMUState),
2597 VMSTATE_BOOL(dmar_enabled, IntelIOMMUState),
2598 VMSTATE_BOOL(qi_enabled, IntelIOMMUState),
2599 VMSTATE_BOOL(intr_enabled, IntelIOMMUState),
2600 VMSTATE_BOOL(intr_eime, IntelIOMMUState),
2601 VMSTATE_END_OF_LIST()
2602 }
2603 };
2604
2605 static const MemoryRegionOps vtd_mem_ops = {
2606 .read = vtd_mem_read,
2607 .write = vtd_mem_write,
2608 .endianness = DEVICE_LITTLE_ENDIAN,
2609 .impl = {
2610 .min_access_size = 4,
2611 .max_access_size = 8,
2612 },
2613 .valid = {
2614 .min_access_size = 4,
2615 .max_access_size = 8,
2616 },
2617 };
2618
2619 static Property vtd_properties[] = {
2620 DEFINE_PROP_UINT32("version", IntelIOMMUState, version, 0),
2621 DEFINE_PROP_ON_OFF_AUTO("eim", IntelIOMMUState, intr_eim,
2622 ON_OFF_AUTO_AUTO),
2623 DEFINE_PROP_BOOL("x-buggy-eim", IntelIOMMUState, buggy_eim, false),
2624 DEFINE_PROP_UINT8("x-aw-bits", IntelIOMMUState, aw_bits,
2625 VTD_HOST_ADDRESS_WIDTH),
2626 DEFINE_PROP_BOOL("caching-mode", IntelIOMMUState, caching_mode, FALSE),
2627 DEFINE_PROP_END_OF_LIST(),
2628 };
2629
2630 /* Read IRTE entry with specific index */
2631 static int vtd_irte_get(IntelIOMMUState *iommu, uint16_t index,
2632 VTD_IR_TableEntry *entry, uint16_t sid)
2633 {
2634 static const uint16_t vtd_svt_mask[VTD_SQ_MAX] = \
2635 {0xffff, 0xfffb, 0xfff9, 0xfff8};
2636 dma_addr_t addr = 0x00;
2637 uint16_t mask, source_id;
2638 uint8_t bus, bus_max, bus_min;
2639
2640 addr = iommu->intr_root + index * sizeof(*entry);
2641 if (dma_memory_read(&address_space_memory, addr, entry,
2642 sizeof(*entry))) {
2643 error_report_once("%s: read failed: ind=0x%x addr=0x%" PRIx64,
2644 __func__, index, addr);
2645 return -VTD_FR_IR_ROOT_INVAL;
2646 }
2647
2648 trace_vtd_ir_irte_get(index, le64_to_cpu(entry->data[1]),
2649 le64_to_cpu(entry->data[0]));
2650
2651 if (!entry->irte.present) {
2652 error_report_once("%s: detected non-present IRTE "
2653 "(index=%u, high=0x%" PRIx64 ", low=0x%" PRIx64 ")",
2654 __func__, index, le64_to_cpu(entry->data[1]),
2655 le64_to_cpu(entry->data[0]));
2656 return -VTD_FR_IR_ENTRY_P;
2657 }
2658
2659 if (entry->irte.__reserved_0 || entry->irte.__reserved_1 ||
2660 entry->irte.__reserved_2) {
2661 error_report_once("%s: detected non-zero reserved IRTE "
2662 "(index=%u, high=0x%" PRIx64 ", low=0x%" PRIx64 ")",
2663 __func__, index, le64_to_cpu(entry->data[1]),
2664 le64_to_cpu(entry->data[0]));
2665 return -VTD_FR_IR_IRTE_RSVD;
2666 }
2667
2668 if (sid != X86_IOMMU_SID_INVALID) {
2669 /* Validate IRTE SID */
2670 source_id = le32_to_cpu(entry->irte.source_id);
2671 switch (entry->irte.sid_vtype) {
2672 case VTD_SVT_NONE:
2673 break;
2674
2675 case VTD_SVT_ALL:
2676 mask = vtd_svt_mask[entry->irte.sid_q];
2677 if ((source_id & mask) != (sid & mask)) {
2678 error_report_once("%s: invalid IRTE SID "
2679 "(index=%u, sid=%u, source_id=%u)",
2680 __func__, index, sid, source_id);
2681 return -VTD_FR_IR_SID_ERR;
2682 }
2683 break;
2684
2685 case VTD_SVT_BUS:
2686 bus_max = source_id >> 8;
2687 bus_min = source_id & 0xff;
2688 bus = sid >> 8;
2689 if (bus > bus_max || bus < bus_min) {
2690 error_report_once("%s: invalid SVT_BUS "
2691 "(index=%u, bus=%u, min=%u, max=%u)",
2692 __func__, index, bus, bus_min, bus_max);
2693 return -VTD_FR_IR_SID_ERR;
2694 }
2695 break;
2696
2697 default:
2698 error_report_once("%s: detected invalid IRTE SVT "
2699 "(index=%u, type=%d)", __func__,
2700 index, entry->irte.sid_vtype);
2701 /* Take this as verification failure. */
2702 return -VTD_FR_IR_SID_ERR;
2703 break;
2704 }
2705 }
2706
2707 return 0;
2708 }
2709
2710 /* Fetch IRQ information of specific IR index */
2711 static int vtd_remap_irq_get(IntelIOMMUState *iommu, uint16_t index,
2712 VTDIrq *irq, uint16_t sid)
2713 {
2714 VTD_IR_TableEntry irte = {};
2715 int ret = 0;
2716
2717 ret = vtd_irte_get(iommu, index, &irte, sid);
2718 if (ret) {
2719 return ret;
2720 }
2721
2722 irq->trigger_mode = irte.irte.trigger_mode;
2723 irq->vector = irte.irte.vector;
2724 irq->delivery_mode = irte.irte.delivery_mode;
2725 irq->dest = le32_to_cpu(irte.irte.dest_id);
2726 if (!iommu->intr_eime) {
2727 #define VTD_IR_APIC_DEST_MASK (0xff00ULL)
2728 #define VTD_IR_APIC_DEST_SHIFT (8)
2729 irq->dest = (irq->dest & VTD_IR_APIC_DEST_MASK) >>
2730 VTD_IR_APIC_DEST_SHIFT;
2731 }
2732 irq->dest_mode = irte.irte.dest_mode;
2733 irq->redir_hint = irte.irte.redir_hint;
2734
2735 trace_vtd_ir_remap(index, irq->trigger_mode, irq->vector,
2736 irq->delivery_mode, irq->dest, irq->dest_mode);
2737
2738 return 0;
2739 }
2740
2741 /* Generate one MSI message from VTDIrq info */
2742 static void vtd_generate_msi_message(VTDIrq *irq, MSIMessage *msg_out)
2743 {
2744 VTD_MSIMessage msg = {};
2745
2746 /* Generate address bits */
2747 msg.dest_mode = irq->dest_mode;
2748 msg.redir_hint = irq->redir_hint;
2749 msg.dest = irq->dest;
2750 msg.__addr_hi = irq->dest & 0xffffff00;
2751 msg.__addr_head = cpu_to_le32(0xfee);
2752 /* Keep this from original MSI address bits */
2753 msg.__not_used = irq->msi_addr_last_bits;
2754
2755 /* Generate data bits */
2756 msg.vector = irq->vector;
2757 msg.delivery_mode = irq->delivery_mode;
2758 msg.level = 1;
2759 msg.trigger_mode = irq->trigger_mode;
2760
2761 msg_out->address = msg.msi_addr;
2762 msg_out->data = msg.msi_data;
2763 }
2764
2765 /* Interrupt remapping for MSI/MSI-X entry */
2766 static int vtd_interrupt_remap_msi(IntelIOMMUState *iommu,
2767 MSIMessage *origin,
2768 MSIMessage *translated,
2769 uint16_t sid)
2770 {
2771 int ret = 0;
2772 VTD_IR_MSIAddress addr;
2773 uint16_t index;
2774 VTDIrq irq = {};
2775
2776 assert(origin && translated);
2777
2778 trace_vtd_ir_remap_msi_req(origin->address, origin->data);
2779
2780 if (!iommu || !iommu->intr_enabled) {
2781 memcpy(translated, origin, sizeof(*origin));
2782 goto out;
2783 }
2784
2785 if (origin->address & VTD_MSI_ADDR_HI_MASK) {
2786 error_report_once("%s: MSI address high 32 bits non-zero detected: "
2787 "address=0x%" PRIx64, __func__, origin->address);
2788 return -VTD_FR_IR_REQ_RSVD;
2789 }
2790
2791 addr.data = origin->address & VTD_MSI_ADDR_LO_MASK;
2792 if (addr.addr.__head != 0xfee) {
2793 error_report_once("%s: MSI address low 32 bit invalid: 0x%" PRIx32,
2794 __func__, addr.data);
2795 return -VTD_FR_IR_REQ_RSVD;
2796 }
2797
2798 /* This is compatible mode. */
2799 if (addr.addr.int_mode != VTD_IR_INT_FORMAT_REMAP) {
2800 memcpy(translated, origin, sizeof(*origin));
2801 goto out;
2802 }
2803
2804 index = addr.addr.index_h << 15 | le16_to_cpu(addr.addr.index_l);
2805
2806 #define VTD_IR_MSI_DATA_SUBHANDLE (0x0000ffff)
2807 #define VTD_IR_MSI_DATA_RESERVED (0xffff0000)
2808
2809 if (addr.addr.sub_valid) {
2810 /* See VT-d spec 5.1.2.2 and 5.1.3 on subhandle */
2811 index += origin->data & VTD_IR_MSI_DATA_SUBHANDLE;
2812 }
2813
2814 ret = vtd_remap_irq_get(iommu, index, &irq, sid);
2815 if (ret) {
2816 return ret;
2817 }
2818
2819 if (addr.addr.sub_valid) {
2820 trace_vtd_ir_remap_type("MSI");
2821 if (origin->data & VTD_IR_MSI_DATA_RESERVED) {
2822 error_report_once("%s: invalid IR MSI "
2823 "(sid=%u, address=0x%" PRIx64
2824 ", data=0x%" PRIx32 ")",
2825 __func__, sid, origin->address, origin->data);
2826 return -VTD_FR_IR_REQ_RSVD;
2827 }
2828 } else {
2829 uint8_t vector = origin->data & 0xff;
2830 uint8_t trigger_mode = (origin->data >> MSI_DATA_TRIGGER_SHIFT) & 0x1;
2831
2832 trace_vtd_ir_remap_type("IOAPIC");
2833 /* IOAPIC entry vector should be aligned with IRTE vector
2834 * (see vt-d spec 5.1.5.1). */
2835 if (vector != irq.vector) {
2836 trace_vtd_warn_ir_vector(sid, index, vector, irq.vector);
2837 }
2838
2839 /* The Trigger Mode field must match the Trigger Mode in the IRTE.
2840 * (see vt-d spec 5.1.5.1). */
2841 if (trigger_mode != irq.trigger_mode) {
2842 trace_vtd_warn_ir_trigger(sid, index, trigger_mode,
2843 irq.trigger_mode);
2844 }
2845 }
2846
2847 /*
2848 * We'd better keep the last two bits, assuming that guest OS
2849 * might modify it. Keep it does not hurt after all.
2850 */
2851 irq.msi_addr_last_bits = addr.addr.__not_care;
2852
2853 /* Translate VTDIrq to MSI message */
2854 vtd_generate_msi_message(&irq, translated);
2855
2856 out:
2857 trace_vtd_ir_remap_msi(origin->address, origin->data,
2858 translated->address, translated->data);
2859 return 0;
2860 }
2861
2862 static int vtd_int_remap(X86IOMMUState *iommu, MSIMessage *src,
2863 MSIMessage *dst, uint16_t sid)
2864 {
2865 return vtd_interrupt_remap_msi(INTEL_IOMMU_DEVICE(iommu),
2866 src, dst, sid);
2867 }
2868
2869 static MemTxResult vtd_mem_ir_read(void *opaque, hwaddr addr,
2870 uint64_t *data, unsigned size,
2871 MemTxAttrs attrs)
2872 {
2873 return MEMTX_OK;
2874 }
2875
2876 static MemTxResult vtd_mem_ir_write(void *opaque, hwaddr addr,
2877 uint64_t value, unsigned size,
2878 MemTxAttrs attrs)
2879 {
2880 int ret = 0;
2881 MSIMessage from = {}, to = {};
2882 uint16_t sid = X86_IOMMU_SID_INVALID;
2883
2884 from.address = (uint64_t) addr + VTD_INTERRUPT_ADDR_FIRST;
2885 from.data = (uint32_t) value;
2886
2887 if (!attrs.unspecified) {
2888 /* We have explicit Source ID */
2889 sid = attrs.requester_id;
2890 }
2891
2892 ret = vtd_interrupt_remap_msi(opaque, &from, &to, sid);
2893 if (ret) {
2894 /* TODO: report error */
2895 /* Drop this interrupt */
2896 return MEMTX_ERROR;
2897 }
2898
2899 apic_get_class()->send_msi(&to);
2900
2901 return MEMTX_OK;
2902 }
2903
2904 static const MemoryRegionOps vtd_mem_ir_ops = {
2905 .read_with_attrs = vtd_mem_ir_read,
2906 .write_with_attrs = vtd_mem_ir_write,
2907 .endianness = DEVICE_LITTLE_ENDIAN,
2908 .impl = {
2909 .min_access_size = 4,
2910 .max_access_size = 4,
2911 },
2912 .valid = {
2913 .min_access_size = 4,
2914 .max_access_size = 4,
2915 },
2916 };
2917
2918 VTDAddressSpace *vtd_find_add_as(IntelIOMMUState *s, PCIBus *bus, int devfn)
2919 {
2920 uintptr_t key = (uintptr_t)bus;
2921 VTDBus *vtd_bus = g_hash_table_lookup(s->vtd_as_by_busptr, &key);
2922 VTDAddressSpace *vtd_dev_as;
2923 char name[128];
2924
2925 if (!vtd_bus) {
2926 uintptr_t *new_key = g_malloc(sizeof(*new_key));
2927 *new_key = (uintptr_t)bus;
2928 /* No corresponding free() */
2929 vtd_bus = g_malloc0(sizeof(VTDBus) + sizeof(VTDAddressSpace *) * \
2930 PCI_DEVFN_MAX);
2931 vtd_bus->bus = bus;
2932 g_hash_table_insert(s->vtd_as_by_busptr, new_key, vtd_bus);
2933 }
2934
2935 vtd_dev_as = vtd_bus->dev_as[devfn];
2936
2937 if (!vtd_dev_as) {
2938 snprintf(name, sizeof(name), "intel_iommu_devfn_%d", devfn);
2939 vtd_bus->dev_as[devfn] = vtd_dev_as = g_malloc0(sizeof(VTDAddressSpace));
2940
2941 vtd_dev_as->bus = bus;
2942 vtd_dev_as->devfn = (uint8_t)devfn;
2943 vtd_dev_as->iommu_state = s;
2944 vtd_dev_as->context_cache_entry.context_cache_gen = 0;
2945 vtd_dev_as->iova_tree = iova_tree_new();
2946
2947 /*
2948 * Memory region relationships looks like (Address range shows
2949 * only lower 32 bits to make it short in length...):
2950 *
2951 * |-----------------+-------------------+----------|
2952 * | Name | Address range | Priority |
2953 * |-----------------+-------------------+----------+
2954 * | vtd_root | 00000000-ffffffff | 0 |
2955 * | intel_iommu | 00000000-ffffffff | 1 |
2956 * | vtd_sys_alias | 00000000-ffffffff | 1 |
2957 * | intel_iommu_ir | fee00000-feefffff | 64 |
2958 * |-----------------+-------------------+----------|
2959 *
2960 * We enable/disable DMAR by switching enablement for
2961 * vtd_sys_alias and intel_iommu regions. IR region is always
2962 * enabled.
2963 */
2964 memory_region_init_iommu(&vtd_dev_as->iommu, sizeof(vtd_dev_as->iommu),
2965 TYPE_INTEL_IOMMU_MEMORY_REGION, OBJECT(s),
2966 "intel_iommu_dmar",
2967 UINT64_MAX);
2968 memory_region_init_alias(&vtd_dev_as->sys_alias, OBJECT(s),
2969 "vtd_sys_alias", get_system_memory(),
2970 0, memory_region_size(get_system_memory()));
2971 memory_region_init_io(&vtd_dev_as->iommu_ir, OBJECT(s),
2972 &vtd_mem_ir_ops, s, "intel_iommu_ir",
2973 VTD_INTERRUPT_ADDR_SIZE);
2974 memory_region_init(&vtd_dev_as->root, OBJECT(s),
2975 "vtd_root", UINT64_MAX);
2976 memory_region_add_subregion_overlap(&vtd_dev_as->root,
2977 VTD_INTERRUPT_ADDR_FIRST,
2978 &vtd_dev_as->iommu_ir, 64);
2979 address_space_init(&vtd_dev_as->as, &vtd_dev_as->root, name);
2980 memory_region_add_subregion_overlap(&vtd_dev_as->root, 0,
2981 &vtd_dev_as->sys_alias, 1);
2982 memory_region_add_subregion_overlap(&vtd_dev_as->root, 0,
2983 MEMORY_REGION(&vtd_dev_as->iommu),
2984 1);
2985 vtd_switch_address_space(vtd_dev_as);
2986 }
2987 return vtd_dev_as;
2988 }
2989
2990 /* Unmap the whole range in the notifier's scope. */
2991 static void vtd_address_space_unmap(VTDAddressSpace *as, IOMMUNotifier *n)
2992 {
2993 IOMMUTLBEntry entry;
2994 hwaddr size;
2995 hwaddr start = n->start;
2996 hwaddr end = n->end;
2997 IntelIOMMUState *s = as->iommu_state;
2998 DMAMap map;
2999
3000 /*
3001 * Note: all the codes in this function has a assumption that IOVA
3002 * bits are no more than VTD_MGAW bits (which is restricted by
3003 * VT-d spec), otherwise we need to consider overflow of 64 bits.
3004 */
3005
3006 if (end > VTD_ADDRESS_SIZE(s->aw_bits)) {
3007 /*
3008 * Don't need to unmap regions that is bigger than the whole
3009 * VT-d supported address space size
3010 */
3011 end = VTD_ADDRESS_SIZE(s->aw_bits);
3012 }
3013
3014 assert(start <= end);
3015 size = end - start;
3016
3017 if (ctpop64(size) != 1) {
3018 /*
3019 * This size cannot format a correct mask. Let's enlarge it to
3020 * suite the minimum available mask.
3021 */
3022 int n = 64 - clz64(size);
3023 if (n > s->aw_bits) {
3024 /* should not happen, but in case it happens, limit it */
3025 n = s->aw_bits;
3026 }
3027 size = 1ULL << n;
3028 }
3029
3030 entry.target_as = &address_space_memory;
3031 /* Adjust iova for the size */
3032 entry.iova = n->start & ~(size - 1);
3033 /* This field is meaningless for unmap */
3034 entry.translated_addr = 0;
3035 entry.perm = IOMMU_NONE;
3036 entry.addr_mask = size - 1;
3037
3038 trace_vtd_as_unmap_whole(pci_bus_num(as->bus),
3039 VTD_PCI_SLOT(as->devfn),
3040 VTD_PCI_FUNC(as->devfn),
3041 entry.iova, size);
3042
3043 map.iova = entry.iova;
3044 map.size = entry.addr_mask;
3045 iova_tree_remove(as->iova_tree, &map);
3046
3047 memory_region_notify_one(n, &entry);
3048 }
3049
3050 static void vtd_address_space_unmap_all(IntelIOMMUState *s)
3051 {
3052 VTDAddressSpace *vtd_as;
3053 IOMMUNotifier *n;
3054
3055 QLIST_FOREACH(vtd_as, &s->vtd_as_with_notifiers, next) {
3056 IOMMU_NOTIFIER_FOREACH(n, &vtd_as->iommu) {
3057 vtd_address_space_unmap(vtd_as, n);
3058 }
3059 }
3060 }
3061
3062 static int vtd_replay_hook(IOMMUTLBEntry *entry, void *private)
3063 {
3064 memory_region_notify_one((IOMMUNotifier *)private, entry);
3065 return 0;
3066 }
3067
3068 static void vtd_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n)
3069 {
3070 VTDAddressSpace *vtd_as = container_of(iommu_mr, VTDAddressSpace, iommu);
3071 IntelIOMMUState *s = vtd_as->iommu_state;
3072 uint8_t bus_n = pci_bus_num(vtd_as->bus);
3073 VTDContextEntry ce;
3074
3075 /*
3076 * The replay can be triggered by either a invalidation or a newly
3077 * created entry. No matter what, we release existing mappings
3078 * (it means flushing caches for UNMAP-only registers).
3079 */
3080 vtd_address_space_unmap(vtd_as, n);
3081
3082 if (vtd_dev_to_context_entry(s, bus_n, vtd_as->devfn, &ce) == 0) {
3083 trace_vtd_replay_ce_valid(bus_n, PCI_SLOT(vtd_as->devfn),
3084 PCI_FUNC(vtd_as->devfn),
3085 VTD_CONTEXT_ENTRY_DID(ce.hi),
3086 ce.hi, ce.lo);
3087 if (vtd_as_has_map_notifier(vtd_as)) {
3088 /* This is required only for MAP typed notifiers */
3089 vtd_page_walk_info info = {
3090 .hook_fn = vtd_replay_hook,
3091 .private = (void *)n,
3092 .notify_unmap = false,
3093 .aw = s->aw_bits,
3094 .as = vtd_as,
3095 .domain_id = VTD_CONTEXT_ENTRY_DID(ce.hi),
3096 };
3097
3098 vtd_page_walk(&ce, 0, ~0ULL, &info);
3099 }
3100 } else {
3101 trace_vtd_replay_ce_invalid(bus_n, PCI_SLOT(vtd_as->devfn),
3102 PCI_FUNC(vtd_as->devfn));
3103 }
3104
3105 return;
3106 }
3107
3108 /* Do the initialization. It will also be called when reset, so pay
3109 * attention when adding new initialization stuff.
3110 */
3111 static void vtd_init(IntelIOMMUState *s)
3112 {
3113 X86IOMMUState *x86_iommu = X86_IOMMU_DEVICE(s);
3114
3115 memset(s->csr, 0, DMAR_REG_SIZE);
3116 memset(s->wmask, 0, DMAR_REG_SIZE);
3117 memset(s->w1cmask, 0, DMAR_REG_SIZE);
3118 memset(s->womask, 0, DMAR_REG_SIZE);
3119
3120 s->root = 0;
3121 s->root_extended = false;
3122 s->dmar_enabled = false;
3123 s->iq_head = 0;
3124 s->iq_tail = 0;
3125 s->iq = 0;
3126 s->iq_size = 0;
3127 s->qi_enabled = false;
3128 s->iq_last_desc_type = VTD_INV_DESC_NONE;
3129 s->next_frcd_reg = 0;
3130 s->cap = VTD_CAP_FRO | VTD_CAP_NFR | VTD_CAP_ND |
3131 VTD_CAP_MAMV | VTD_CAP_PSI | VTD_CAP_SLLPS |
3132 VTD_CAP_SAGAW_39bit | VTD_CAP_MGAW(s->aw_bits);
3133 if (s->aw_bits == VTD_HOST_AW_48BIT) {
3134 s->cap |= VTD_CAP_SAGAW_48bit;
3135 }
3136 s->ecap = VTD_ECAP_QI | VTD_ECAP_IRO;
3137
3138 /*
3139 * Rsvd field masks for spte
3140 */
3141 vtd_paging_entry_rsvd_field[0] = ~0ULL;
3142 vtd_paging_entry_rsvd_field[1] = VTD_SPTE_PAGE_L1_RSVD_MASK(s->aw_bits);
3143 vtd_paging_entry_rsvd_field[2] = VTD_SPTE_PAGE_L2_RSVD_MASK(s->aw_bits);
3144 vtd_paging_entry_rsvd_field[3] = VTD_SPTE_PAGE_L3_RSVD_MASK(s->aw_bits);
3145 vtd_paging_entry_rsvd_field[4] = VTD_SPTE_PAGE_L4_RSVD_MASK(s->aw_bits);
3146 vtd_paging_entry_rsvd_field[5] = VTD_SPTE_LPAGE_L1_RSVD_MASK(s->aw_bits);
3147 vtd_paging_entry_rsvd_field[6] = VTD_SPTE_LPAGE_L2_RSVD_MASK(s->aw_bits);
3148 vtd_paging_entry_rsvd_field[7] = VTD_SPTE_LPAGE_L3_RSVD_MASK(s->aw_bits);
3149 vtd_paging_entry_rsvd_field[8] = VTD_SPTE_LPAGE_L4_RSVD_MASK(s->aw_bits);
3150
3151 if (x86_iommu->intr_supported) {
3152 s->ecap |= VTD_ECAP_IR | VTD_ECAP_MHMV;
3153 if (s->intr_eim == ON_OFF_AUTO_ON) {
3154 s->ecap |= VTD_ECAP_EIM;
3155 }
3156 assert(s->intr_eim != ON_OFF_AUTO_AUTO);
3157 }
3158
3159 if (x86_iommu->dt_supported) {
3160 s->ecap |= VTD_ECAP_DT;
3161 }
3162
3163 if (x86_iommu->pt_supported) {
3164 s->ecap |= VTD_ECAP_PT;
3165 }
3166
3167 if (s->caching_mode) {
3168 s->cap |= VTD_CAP_CM;
3169 }
3170
3171 vtd_reset_caches(s);
3172
3173 /* Define registers with default values and bit semantics */
3174 vtd_define_long(s, DMAR_VER_REG, 0x10UL, 0, 0);
3175 vtd_define_quad(s, DMAR_CAP_REG, s->cap, 0, 0);
3176 vtd_define_quad(s, DMAR_ECAP_REG, s->ecap, 0, 0);
3177 vtd_define_long(s, DMAR_GCMD_REG, 0, 0xff800000UL, 0);
3178 vtd_define_long_wo(s, DMAR_GCMD_REG, 0xff800000UL);
3179 vtd_define_long(s, DMAR_GSTS_REG, 0, 0, 0);
3180 vtd_define_quad(s, DMAR_RTADDR_REG, 0, 0xfffffffffffff000ULL, 0);
3181 vtd_define_quad(s, DMAR_CCMD_REG, 0, 0xe0000003ffffffffULL, 0);
3182 vtd_define_quad_wo(s, DMAR_CCMD_REG, 0x3ffff0000ULL);
3183
3184 /* Advanced Fault Logging not supported */
3185 vtd_define_long(s, DMAR_FSTS_REG, 0, 0, 0x11UL);
3186 vtd_define_long(s, DMAR_FECTL_REG, 0x80000000UL, 0x80000000UL, 0);
3187 vtd_define_long(s, DMAR_FEDATA_REG, 0, 0x0000ffffUL, 0);
3188 vtd_define_long(s, DMAR_FEADDR_REG, 0, 0xfffffffcUL, 0);
3189
3190 /* Treated as RsvdZ when EIM in ECAP_REG is not supported
3191 * vtd_define_long(s, DMAR_FEUADDR_REG, 0, 0xffffffffUL, 0);
3192 */
3193 vtd_define_long(s, DMAR_FEUADDR_REG, 0, 0, 0);
3194
3195 /* Treated as RO for implementations that PLMR and PHMR fields reported
3196 * as Clear in the CAP_REG.
3197 * vtd_define_long(s, DMAR_PMEN_REG, 0, 0x80000000UL, 0);
3198 */
3199 vtd_define_long(s, DMAR_PMEN_REG, 0, 0, 0);
3200
3201 vtd_define_quad(s, DMAR_IQH_REG, 0, 0, 0);
3202 vtd_define_quad(s, DMAR_IQT_REG, 0, 0x7fff0ULL, 0);
3203 vtd_define_quad(s, DMAR_IQA_REG, 0, 0xfffffffffffff007ULL, 0);
3204 vtd_define_long(s, DMAR_ICS_REG, 0, 0, 0x1UL);
3205 vtd_define_long(s, DMAR_IECTL_REG, 0x80000000UL, 0x80000000UL, 0);
3206 vtd_define_long(s, DMAR_IEDATA_REG, 0, 0xffffffffUL, 0);
3207 vtd_define_long(s, DMAR_IEADDR_REG, 0, 0xfffffffcUL, 0);
3208 /* Treadted as RsvdZ when EIM in ECAP_REG is not supported */
3209 vtd_define_long(s, DMAR_IEUADDR_REG, 0, 0, 0);
3210
3211 /* IOTLB registers */
3212 vtd_define_quad(s, DMAR_IOTLB_REG, 0, 0Xb003ffff00000000ULL, 0);
3213 vtd_define_quad(s, DMAR_IVA_REG, 0, 0xfffffffffffff07fULL, 0);
3214 vtd_define_quad_wo(s, DMAR_IVA_REG, 0xfffffffffffff07fULL);
3215
3216 /* Fault Recording Registers, 128-bit */
3217 vtd_define_quad(s, DMAR_FRCD_REG_0_0, 0, 0, 0);
3218 vtd_define_quad(s, DMAR_FRCD_REG_0_2, 0, 0, 0x8000000000000000ULL);
3219
3220 /*
3221 * Interrupt remapping registers.
3222 */
3223 vtd_define_quad(s, DMAR_IRTA_REG, 0, 0xfffffffffffff80fULL, 0);
3224 }
3225
3226 /* Should not reset address_spaces when reset because devices will still use
3227 * the address space they got at first (won't ask the bus again).
3228 */
3229 static void vtd_reset(DeviceState *dev)
3230 {
3231 IntelIOMMUState *s = INTEL_IOMMU_DEVICE(dev);
3232
3233 vtd_init(s);
3234
3235 /*
3236 * When device reset, throw away all mappings and external caches
3237 */
3238 vtd_address_space_unmap_all(s);
3239 }
3240
3241 static AddressSpace *vtd_host_dma_iommu(PCIBus *bus, void *opaque, int devfn)
3242 {
3243 IntelIOMMUState *s = opaque;
3244 VTDAddressSpace *vtd_as;
3245
3246 assert(0 <= devfn && devfn < PCI_DEVFN_MAX);
3247
3248 vtd_as = vtd_find_add_as(s, bus, devfn);
3249 return &vtd_as->as;
3250 }
3251
3252 static bool vtd_decide_config(IntelIOMMUState *s, Error **errp)
3253 {
3254 X86IOMMUState *x86_iommu = X86_IOMMU_DEVICE(s);
3255
3256 /* Currently Intel IOMMU IR only support "kernel-irqchip={off|split}" */
3257 if (x86_iommu->intr_supported && kvm_irqchip_in_kernel() &&
3258 !kvm_irqchip_is_split()) {
3259 error_setg(errp, "Intel Interrupt Remapping cannot work with "
3260 "kernel-irqchip=on, please use 'split|off'.");
3261 return false;
3262 }
3263 if (s->intr_eim == ON_OFF_AUTO_ON && !x86_iommu->intr_supported) {
3264 error_setg(errp, "eim=on cannot be selected without intremap=on");
3265 return false;
3266 }
3267
3268 if (s->intr_eim == ON_OFF_AUTO_AUTO) {
3269 s->intr_eim = (kvm_irqchip_in_kernel() || s->buggy_eim)
3270 && x86_iommu->intr_supported ?
3271 ON_OFF_AUTO_ON : ON_OFF_AUTO_OFF;
3272 }
3273 if (s->intr_eim == ON_OFF_AUTO_ON && !s->buggy_eim) {
3274 if (!kvm_irqchip_in_kernel()) {
3275 error_setg(errp, "eim=on requires accel=kvm,kernel-irqchip=split");
3276 return false;
3277 }
3278 if (!kvm_enable_x2apic()) {
3279 error_setg(errp, "eim=on requires support on the KVM side"
3280 "(X2APIC_API, first shipped in v4.7)");
3281 return false;
3282 }
3283 }
3284
3285 /* Currently only address widths supported are 39 and 48 bits */
3286 if ((s->aw_bits != VTD_HOST_AW_39BIT) &&
3287 (s->aw_bits != VTD_HOST_AW_48BIT)) {
3288 error_setg(errp, "Supported values for x-aw-bits are: %d, %d",
3289 VTD_HOST_AW_39BIT, VTD_HOST_AW_48BIT);
3290 return false;
3291 }
3292
3293 return true;
3294 }
3295
3296 static void vtd_realize(DeviceState *dev, Error **errp)
3297 {
3298 MachineState *ms = MACHINE(qdev_get_machine());
3299 PCMachineState *pcms = PC_MACHINE(ms);
3300 PCIBus *bus = pcms->bus;
3301 IntelIOMMUState *s = INTEL_IOMMU_DEVICE(dev);
3302 X86IOMMUState *x86_iommu = X86_IOMMU_DEVICE(dev);
3303
3304 x86_iommu->type = TYPE_INTEL;
3305
3306 if (!vtd_decide_config(s, errp)) {
3307 return;
3308 }
3309
3310 QLIST_INIT(&s->vtd_as_with_notifiers);
3311 qemu_mutex_init(&s->iommu_lock);
3312 memset(s->vtd_as_by_bus_num, 0, sizeof(s->vtd_as_by_bus_num));
3313 memory_region_init_io(&s->csrmem, OBJECT(s), &vtd_mem_ops, s,
3314 "intel_iommu", DMAR_REG_SIZE);
3315 sysbus_init_mmio(SYS_BUS_DEVICE(s), &s->csrmem);
3316 /* No corresponding destroy */
3317 s->iotlb = g_hash_table_new_full(vtd_uint64_hash, vtd_uint64_equal,
3318 g_free, g_free);
3319 s->vtd_as_by_busptr = g_hash_table_new_full(vtd_uint64_hash, vtd_uint64_equal,
3320 g_free, g_free);
3321 vtd_init(s);
3322 sysbus_mmio_map(SYS_BUS_DEVICE(s), 0, Q35_HOST_BRIDGE_IOMMU_ADDR);
3323 pci_setup_iommu(bus, vtd_host_dma_iommu, dev);
3324 /* Pseudo address space under root PCI bus. */
3325 pcms->ioapic_as = vtd_host_dma_iommu(bus, s, Q35_PSEUDO_DEVFN_IOAPIC);
3326 }
3327
3328 static void vtd_class_init(ObjectClass *klass, void *data)
3329 {
3330 DeviceClass *dc = DEVICE_CLASS(klass);
3331 X86IOMMUClass *x86_class = X86_IOMMU_CLASS(klass);
3332
3333 dc->reset = vtd_reset;
3334 dc->vmsd = &vtd_vmstate;
3335 dc->props = vtd_properties;
3336 dc->hotpluggable = false;
3337 x86_class->realize = vtd_realize;
3338 x86_class->int_remap = vtd_int_remap;
3339 /* Supported by the pc-q35-* machine types */
3340 dc->user_creatable = true;
3341 }
3342
3343 static const TypeInfo vtd_info = {
3344 .name = TYPE_INTEL_IOMMU_DEVICE,
3345 .parent = TYPE_X86_IOMMU_DEVICE,
3346 .instance_size = sizeof(IntelIOMMUState),
3347 .class_init = vtd_class_init,
3348 };
3349
3350 static void vtd_iommu_memory_region_class_init(ObjectClass *klass,
3351 void *data)
3352 {
3353 IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass);
3354
3355 imrc->translate = vtd_iommu_translate;
3356 imrc->notify_flag_changed = vtd_iommu_notify_flag_changed;
3357 imrc->replay = vtd_iommu_replay;
3358 }
3359
3360 static const TypeInfo vtd_iommu_memory_region_info = {
3361 .parent = TYPE_IOMMU_MEMORY_REGION,
3362 .name = TYPE_INTEL_IOMMU_MEMORY_REGION,
3363 .class_init = vtd_iommu_memory_region_class_init,
3364 };
3365
3366 static void vtd_register_types(void)
3367 {
3368 type_register_static(&vtd_info);
3369 type_register_static(&vtd_iommu_memory_region_info);
3370 }
3371
3372 type_init(vtd_register_types)
QEMU mirror