Commit Graph

487 Commits

Author SHA1 Message Date
Peter Maydell
56e9d7c09e
target-arm: Split data abort syndrome generator
Split the data abort syndrome generator into two versions:
One with a valid Instruction Specific Syndrome (ISS) and another without.

The following new flags are supported by the syndrome generator
with ISS:
* isv - Instruction syndrome valid
* sas - Syndrome access size
* sse - Syndrome sign extend
* srt - Syndrome register transfer
* sf - Sixty-Four bit register width
* ar - Acquire/Release

These flags are not yet used, so this patch has no functional change
except that we will now correctly set the IL bit in data abort
syndromes without ISS information.

Backports commit 094d028a7968236cd2b7f7b96394f7a3b8ad97c8 from qemu
2018-02-23 20:03:04 -05:00
Sergey Sorokin
98a6d44c54
target-arm: Fix descriptor address masking in ARM address translation
There is a bug in ARM address translation regime with a long-descriptor
format. On the descriptor reading its address is formed from an index
which is a part of the input address. And on the first iteration this index
is incorrectly masked with 'grainsize' mask. But it can be wider according
to pseudo-code.
On the other hand on the iterations other than first the descriptor address
is formed from the previous level descriptor by masking with 'descaddrmask'
value. It always clears just 12 lower bits, but it must clear 'grainsize'
lower bits instead according to pseudo-code.
The patch fixes both cases.

Backports commit dddb5223413c5425ae6eaeb3b967627efc9675f7 from qemu
2018-02-23 19:56:56 -05:00
Sergey Sorokin
00e751f18e
target-arm: Stage 2 permission fault was fixed in AArch32 state
As described in AArch32.CheckS2Permission an instruction fetch fails if
XN bit is set or there is no read permission for the address.

Backports commit dfda68377e20943f474505e75238cb96bc6874bf from qemu
2018-02-23 19:55:11 -05:00
Lioncash
88af0b0153
target-arm: Get rid of unused variable warnings 2018-02-23 12:43:09 -05:00
Peter Maydell
a632d1b96d
target-arm: Make the 64-bit version of VTCR do the migration
Move the ALIAS tag from VTCR_EL2 to VTCR so that we migrate the
64-bit version, as is usual. (This has no particular effect now
unless the guest wrote to the high RES0 bits of VTCR_EL2.)
Add a comment about why it's OK that we don't have the various
accessor functions that the EL1 TCR regdefs do.

Backports commit bf06c1123a427fefc2cf9cf8019578eafc19eb6f from qemu
2018-02-22 11:53:19 -05:00
Peter Maydell
a93e873441
target-arm: Remove incorrect ALIAS tags from ESR_EL2 and ESR_EL3
The regdefs for the ESR_EL2 and ESR_EL3 system registers should not
be marked as ARM_CP_ALIAS, because these are the master copies; the
DFSR regdef in vmsa_pmsa_cp_reginfo[] is marked as an alias.
Remove the ALIAS tags so that these registers are correctly migrated.

Backports commit 094a7d0b9d10812d06be2c5c19288cee4603c693 from qemu
2018-02-22 11:40:20 -05:00
Peter Maydell
f1b5b5cea9
target-arm: Correctly reset SCTLR_EL3 for 64-bit CPUs
The regdef for SCTRL_EL3 was incorrectly marked as being an
ARM_CP_ALIAS, with the remark that this was because the 32-bit
definition would take care of reset and migration. However the
intention for banked registers as documented in the comment in
add_cpreg_to_hashtable() is:

* 2) If ARMv8 is enabled then we can count on a 64-bit version
* taking care of the secure bank. This requires that separate
* 32 and 64-bit definitions are provided.

and so it marks the 32-bit secure banked version as an alias.
This results in the sctlr_s/sctlr_el[3] field never being reset
or migrated for a 64-bit CPU with EL3 enabled.

Fix this by removing the ARM_CP_ALIAS annotation from SCTLR_EL3.
Since this means it now needs a real reset value, move the regdef
into the same place that we define the 32-bit SCTLR.

Backports commit e24fdd238a159d830a9a65dd9b08f80fba9b9e06 from qemu
2018-02-22 11:38:16 -05:00
Rutuja Shah
d9fdc180d7
Replaced get_tick_per_sec() by NANOSECONDS_PER_SECOND
This patch replaces get_ticks_per_sec() calls with the macro
NANOSECONDS_PER_SECOND. Also, as there are no callers, get_ticks_per_sec()
is then removed. This replacement improves the readability and
understandability of code.

For example,

timer_mod(fdctrl->result_timer,
qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + (get_ticks_per_sec() / 50));

NANOSECONDS_PER_SECOND makes it obvious that qemu_clock_get_ns
matches the unit of the expression on the right side of the plus.

Backports commit 73bcb24d932912f8e75e1d88da0fc0ac6d4bce78 from qemu
2018-02-21 23:21:36 -05:00
Markus Armbruster
06668850e3
include/qemu/osdep.h: Don't include qapi/error.h
Commit 57cb38b included qapi/error.h into qemu/osdep.h to get the
Error typedef. Since then, we've moved to include qemu/osdep.h
everywhere. Its file comment explains: "To avoid getting into
possible circular include dependencies, this file should not include
any other QEMU headers, with the exceptions of config-host.h,
compiler.h, os-posix.h and os-win32.h, all of which are doing a
similar job to this file and are under similar constraints."
qapi/error.h doesn't do a similar job, and it doesn't adhere to
similar constraints: it includes qapi-types.h. That's in excess of
100KiB of crap most .c files don't actually need.

Add the typedef to qemu/typedefs.h, and include that instead of
qapi/error.h. Include qapi/error.h in .c files that need it and don't
get it now. Include qapi-types.h in qom/object.h for uint16List.

Update scripts/clean-includes accordingly. Update it further to match
reality: replace config.h by config-target.h, add sysemu/os-posix.h,
sysemu/os-win32.h. Update the list of includes in the qemu/osdep.h
comment quoted above similarly.

This reduces the number of objects depending on qapi/error.h from "all
of them" to less than a third. Unfortunately, the number depending on
qapi-types.h shrinks only a little. More work is needed for that one.

Backports commit da34e65cb4025728566d6504a99916f6e7e1dd6a from qemu
2018-02-21 23:08:18 -05:00
Sergey Sorokin
da6a9f331b
target-arm: Fix translation level on early translation faults
Qemu reports translation fault on 1st level instead of 0th level in case of
AArch64 address translation if the translation table walk is disabled or
the address is in the gap between the two regions.

Backports commit 1b4093ea6678ff79d3006db3d3abbf6990b4a59b from qemu
2018-02-21 21:53:15 -05:00
Peter Maydell
8309945dcc
target-arm: Implement MRS (banked) and MSR (banked) instructions
Starting with the ARMv7 Virtualization Extensions, the A32 and T32
instruction sets provide instructions "MSR (banked)" and "MRS
(banked)" which can be used to access registers for a mode other
than the current one:
* R<m>_<mode>
* ELR_hyp
* SPSR_<mode>

Implement the missing instructions.

Backports commit 8bfd0550be821cf27d71444e2af350de3c3d2ee3 from qemu
2018-02-21 21:50:42 -05:00
Ralf-Philipp Weinmann
893b9f7f96
target-arm: Only trap SRS from S-EL1 if specified mode is MON
Commit cbc0326b6fb9 caused SRS instructions executed from Secure
EL1 to trap to EL3 even if the specified mode was not monitor mode.

According to the ARMv8 Architecture reference manual [F6.1.203], ALL
of the following conditions need to be met for SRS to trap to EL3:
* It is executed at Secure PL1.
* The specified mode is monitor mode.
* EL3 is using AArch64.

Correct the condition governing the trap to EL3 to check the
specified mode.

Backports commit ba63cf47a93041137a94e86b7d0cd87fc896949b from qemu
2018-02-21 02:49:28 -05:00
Paolo Bonzini
7f23f7004d
target-arm: implement BE32 mode in system emulation
System emulation only has a little-endian target; BE32 mode
is implemented by adjusting the low bits of the address
for every byte and halfword load and store. 64-bit accesses
flip the low and high words.

Backports commit e334bd3190f6c4ca12f1d40d316dc471c70009ab from qemu
2018-02-21 02:47:22 -05:00
Paolo Bonzini
aa5be4d6ca
target-arm: implement setend
Since this is not a high-performance path, just use a helper to
flip the E bit and force a lookup in the hash table since the
flags have changed.

Backports commit 9886ecdf31165de2d4b8bccc1a220bd6ac8bc192 from qemu
2018-02-21 02:39:13 -05:00
Peter Crosthwaite
902170741a
target-arm: introduce tbflag for endianness
Introduce a tbflags for endianness, set based upon the CPUs current
endianness. This in turn propagates through to the disas endianness
flag.

Backports commit 91cca2cda9823b1e7a049cb308a05104b5076cba from qemu
2018-02-21 02:35:34 -05:00
Peter Crosthwaite
50a3c7f2ee
target-arm: a64: Add endianness support
Set the dc->mo_endianness flag for AA64 and use it in all ldst ops.

Backports commit aa6489da4e297fb3ffcbc09b50afd700395b6386 from qemu
2018-02-21 02:31:50 -05:00
Paolo Bonzini
9ab3d105fd
target-arm: introduce disas flag for endianness
Introduce a disas flag for setting the CPU data endianness. This allows
control of the endianness from the CPU state rather than hard-coding it
to TARGET_WORDS_BIGENDIAN.

Backports commit dacf0a2ff7d39ab12bd90f2f5496a3889facd54a from qemu
2018-02-21 02:20:50 -05:00
Peter Crosthwaite
e5cfcc3221
target-arm: implement SCTLR.EE
Implement SCTLR.EE bit which controls data endianess for exceptions
and page table translations. SCTLR.EE is mirrored to the CPSR.E bit
on exception entry.

Backports commit 73462dddf670c32c45c8ea359658092b0365b2d4 from qemu
2018-02-21 02:14:56 -05:00
Peter Crosthwaite
38f4a833a4
arm: cpu: handle BE32 user-mode as BE
endian with address manipulations on subword accesses (to give the
illusion of BE). But user-mode cannot tell the difference and is
already implemented as straight BE. So handle the difference in the
endianess query, where USER mode is BE and system is not.

Backports commit b2e62d9a7b9a2eb10e451a57813bad168376e122 from qemu
2018-02-21 02:12:39 -05:00
Peter Crosthwaite
1457b73a13
target-arm: cpu: Move cpu_is_big_endian to header
There is a CPU data endianness test that is used to drive the
virtio_big_endian test.

Move this up to the header so it can be more generally used for endian
tests. The KVM specific cpu_syncronize_state call is left behind in the
virtio specific function.

Rename it arm_cpu-data_is_big_endian() to more accurately capture that
this is for data accesses only.

Backports commit ed50ff7875d61a75517c92deb0444d73fbbca878 from qemu
2018-02-21 02:10:48 -05:00
Paolo Bonzini
ec15ee10d0
target-arm: implement SCTLR.B, drop bswap_code
bswap_code is a CPU property of sorts ("is the iside endianness the
opposite way round to TARGET_WORDS_BIGENDIAN?") but it is not the
actual CPU state involved here which is SCTLR.B (set for BE32
binaries, clear for BE8).

Replace bswap_code with SCTLR.B, and pass that to arm_ld*_code.
The next patches will make data fetches honor both SCTLR.B and
CPSR.E appropriately.

Backports commit f9fd40ebe4f55e0048e002925b8d65e66d56e7a7 from qemu
2018-02-21 02:08:05 -05:00
Peter Maydell
64a9bec68a
target-arm: Correct handling of writes to CPSR mode bits from gdb in usermode
In helper.c the expression
(env->uncached_cpsr & CPSR_M) != CPSR_USER
is always true; the right hand side was supposed to be ARM_CPU_MODE_USR
(an error in commit cb01d391).

Since the incorrect expression was always true, this just meant that
commit cb01d391 had no effect.

However simply changing the RHS here would reveal a logic error: if
the mode is USR we wish to completely ignore the attempt to set the
mode bits, which means that we must clear the CPSR_M bits from mask
to avoid the uncached_cpsr bits being updated at the end of the
function.

Move the condition into the correct place in the code, fix its RHS
constant, and add a comment about the fact that we must be doing a
gdbstub write if we're in user mode.

Backports commit 8c4f0eb94cc65ee32a12feba88d0b32e3665d5ea from qemu
2018-02-21 01:57:34 -05:00
Peter Maydell
20712bcb9a
target-arm: Make reserved ranges in ID_AA64* spaces RAZ, not UNDEF
The v8 ARM ARM defines that unused spaces in the ID_AA64* system
register ranges are Reserved and must RAZ, rather than being UNDEF.
Implement this.

In particular, ARM v8.2 adds a new feature register ID_AA64MMFR2,
and newer versions of the Linux kernel will attempt to read this,
which causes them not to boot up on versions of QEMU missing this fix.

Since the encoding .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 6
is actually defined in ARMv8 (as ID_MMFR4), we give it an entry in
the ARMCPU struct so CPUs can override it, though since none do
this too will just RAZ.

Backports commit e20d84c1407d43d5a2e2ac95dbb46db3b0af8f9f from qemu
2018-02-20 22:49:43 -05:00
Edgar E. Iglesias
66c4bd02eb
target-arm: Mark CNTHP_TVAL_EL2 as ARM_CP_NO_RAW
Mark CNTHP_TVAL_EL2 as ARM_CP_NO_RAW due to the register not
having any underlying state. This fixes an issue with booting
KVM enabled kernels when EL2 is on.

Backports commit d44ec156300a149b386a14d3ab349d3b83b66b8c from qemu
2018-02-20 22:30:44 -05:00
Peter Maydell
eb02f0e818
target-arm: Implement MDCR_EL3.TPM and MDCR_EL2.TPM traps
Implement the performance monitor register traps controlled
by MDCR_EL3.TPM and MDCR_EL2.TPM. Most of the performance
registers already have an access function to deal with the
user-enable bit, and the TPM checks can be added there. We
also need a new access function which only implements the
TPM checks for use by the few not-EL0-accessible registers
and by PMUSERENR_EL0 (which is always EL0-readable).

Backports commit 1fce1ba985d9c5c96e5b9709e1356d1814b8fa9e from qemu
2018-02-20 22:29:26 -05:00
Peter Maydell
ece364e7cc
target-arm: Fix handling of SDCR for 32-bit code
Fix two issues with our implementation of the SDCR:
* it is only present from ARMv8 onwards
* it does not contain several of the trap bits present in its 64-bit
counterpart the MDCR_EL3

Put the register description in the right place so that it does not
get enabled for ARMv7 and earlier, and give it a write function so that
we can mask out the bits which should not be allowed to have an effect
if EL3 is 32-bit.

Backports commit a8d64e735182cbbb5dcc98f41656b118c45e57cc from qemu
2018-02-20 22:26:58 -05:00
Peter Maydell
8477ed6389
target-arm: Make Monitor->NS PL1 mode changes illegal if HCR.TGE is 1
If HCR.TGE is 1 then mode changes via CPS and MSR from Monitor to
NonSecure PL1 modes are illegal mode changes. Implement this check
in bad_mode_switch().

(We don't currently implement HCR.TGE, but this is the only missing
check from the v8 ARM ARM G1.9.3 and so it's worth adding now; the
rest of the HCR.TGE checks can be added later as necessary.)

Backports commit 10eacda787ac9990dc22d4437b289200c819712c from qemu
2018-02-20 22:24:19 -05:00
Peter Maydell
8bfdc63424
target-arm: Make mode switches from Hyp via CPS and MRS illegal
Mode switches from Hyp to any other mode via the CPS and MRS
instructions are illegal mode switches (though obviously switching
via exception return is valid). Add this check to bad_mode_switch().

Backports commit af393ffc6da116b9dd4c70901bad1f4cafb1773d from qemu
2018-02-20 22:23:23 -05:00
Peter Maydell
00d06bf20e
target-arm: In v8, make illegal AArch32 mode changes set PSTATE.IL
In v8, the illegal mode changes which are UNPREDICTABLE in v7 are
given architected behaviour:
* the mode field is unchanged
* PSTATE.IL is set (so any subsequent instructions will UNDEF)
* any other CPSR fields are written to as normal

This is pretty much the same behaviour we picked for our
UNPREDICTABLE handling, with the exception that for v8 we
need to set the IL bit.

Backports commit 81907a582901671c15be36a63b5063f88f3487e2 from qemu
2018-02-20 22:22:01 -05:00
Peter Maydell
2296fb5915
target-arm: Forbid mode switch to Mon from Secure EL1
In v8 trying to switch mode to Mon from Secure EL1 is an
illegal mode switch. (In v7 this is impossible as all secure
modes except User are at EL3.) We can handle this case by
making a switch to Mon valid only if the current EL is 3,
which then gives the correct answer whether EL3 is AArch32
or AArch64.

Backports commit 58ae2d1f037fae1d90eed4522053a85d79edfbec from qemu
2018-02-20 22:21:10 -05:00
Peter Maydell
4919c7287c
target-arm: Add Hyp mode checks to bad_mode_switch()
We don't actually support Hyp mode yet, but add the correct
checks for it to the bad_mode_switch() function for completeness.

Backports commit e6c8fc07b4fce0729bb747770756835f4b0ca7f4 from qemu
2018-02-20 22:20:19 -05:00
Peter Maydell
339e3e340e
target-arm: Add comment about not implementing NSACR.RFR
QEMU doesn't implement the NSACR.RFR bit, which is a permitted
IMPDEF in choice in ARMv7 and the only permitted choice in ARMv8.
Add a comment to bad_mode_switch() to note that this is why
FIQ is always a valid mode regardless of the CPU's Secure state.

Backports commit 52ff951b4f63a29593650a15efdf82f63d6d962d from qemu
2018-02-20 22:19:38 -05:00
Peter Maydell
a468baff61
target-arm: In cpsr_write() ignore mode switches from User mode
The only case where we can attempt a cpsr_write() mode switch from
User is from the gdbstub; all other cases are handled in the
calling code (notably translate.c). Architecturally attempts to
alter the mode bits from user mode are simply ignored (and not
treated as a bad mode switch, which in v8 sets CPSR.IL). Make
mode switches from User ignored in cpsr_write() as well, for
consistency.

Backports commit cb01d3912c8b000ed26d5fe95f6c194b3e3ba7a6 from qemu
2018-02-20 22:18:48 -05:00
Peter Maydell
553e230088
target-arm: Raw CPSR writes should skip checks and bank switching
Raw CPSR writes should skip the architectural checks for whether
we're allowed to set the A or F bits and should also not do
the switching of register banks if the mode changes. Handle
this inside cpsr_write(), which allows us to drop the "manually
set the mode bits to avoid the bank switch" code from all the
callsites which are using CPSRWriteRaw.

This fixes a bug in 32-bit KVM handling where we had forgotten
the "manually set the mode bits" part and could thus potentially
trash the register state if the mode from the last exit to userspace
differed from the mode on this exit.

Backports commit f8c88bbcda76d5674e4bb125471371b41d330df8 from qemu
2018-02-20 22:17:48 -05:00
Peter Maydell
611d4dad4b
target-arm: Add write_type argument to cpsr_write()
Add an argument to cpsr_write() to indicate what kind of CPSR
write is being requested, since the exact behaviour should
differ for the different cases.

Backports commit 50866ba5a2cfe922aaf3edb79f6eac5b0653477a from qemu
2018-02-20 22:15:53 -05:00
Peter Maydell
6ae2357be6
target-arm: Give CPSR setting on 32-bit exception return its own helper
The rules for setting the CPSR on a 32-bit exception return are
subtly different from those for setting the CPSR via an instruction
like MSR or CPS. (In particular, in Hyp mode changing the mode bits
is not valid via MSR or CPS.) Split the exception-return case into
its own helper for setting CPSR, so we can eventually handle them
differently in the helper function.

Backports commit 235ea1f5c89abf30e452539b973b0dbe43d3fe2b from qemu
2018-02-20 22:08:35 -05:00
Alistair Francis
a8807cd3b9
target-arm: Add PMUSERENR_EL0 register
The Linux kernel accesses this register early in its setup.

Backports commit 8a83ffc2dafad3499b87a736b17ab1b203fdb00b from qemu
2018-02-20 15:36:31 -05:00
Lioncash
b29e024f56
target-arm: Correct bad VBAR patch merge 2018-02-20 15:34:32 -05:00
Alistair Francis
2945893f40
target-arm: Add the pmovsclr_el0 and pmintenclr_el1 registers
Backports commit 978364f12adebb4b8d90fdeb71242cb3c1405740 from qemu
2018-02-20 15:27:50 -05:00
Alistair Francis
c31856e34e
target-arm: Add the pmceid0 and pmceid1 registers
Backports commit 4054bfa9e7986c9b7d2bf70f9e10af9647e376fc from qemu
2018-02-20 15:22:41 -05:00
Peter Maydell
57a9474cc7
target-arm: UNDEF in the UNPREDICTABLE SRS-from-System case
Make get_r13_banked() raise an exception at runtime for the
corner case of SRS from System mode, so that we can UNDEF it;
this brings us in to line with the ARM ARM's set of permitted
CONSTRAINED UNPREDICTABLE choices.

Backports commit f01377f591fe15c652f947646c4a69a7d4a71ad9 from qemu
2018-02-20 15:12:25 -05:00
Peter Maydell
88d21504e4
target-arm: Combine user-only and softmmu get/set_r13_banked()
The user-mode versions of get/set_r13_banked() exist just to assert
if they're ever called -- the translate time code should never
emit calls to them because SRS from user mode always UNDEF.
There's no code in the softmmu versions that can't compile in
CONFIG_USER_ONLY, and the assertion is not particularly useful,
so combine the two functions rather than having completely split
versions under ifdefs.

Backports commit d86d57d4fe683c99823f625f941eff26c07c72c3 from qemu
2018-02-20 15:09:58 -05:00
Peter Maydell
3d4f8b2d8f
target-arm: Move get/set_r13_banked() to op_helper.c
Move get/set_r13_banked() from helper.c to op_helper.c. This will
let us add exception-raising code to them, and also puts them
in the same file as get/set_user_reg(), which makes some conceptual
sense.

(The original reason for the helper.c/op_helper.c split was that
only op_helper.c had access to the CPU env pointer; this distinction
has not been true for a long time, though, and so the split is
now rather arbitrary.)

Backports commit 72309cee482868d6c4711931c3f7e02ab9dec229 from qemu

target-arm: Move bank_number() into internals.h

Move bank_number()'s implementation into internals.h, so
it's available in the user-mode-only compile as well.

Backports commit c766568d3604082c6fd45cbabe42c48e4861a13f from qemu
2018-02-20 15:09:07 -05:00
Peter Maydell
a6aac0dbb4
target-arm: Clean up trap/undef handling of SRS
The SRS instruction is:
* UNDEFINED in Hyp mode
* UNPREDICTABLE in User or System mode
* UNPREDICTABLE if the specified mode isn't accessible
* trapped to EL3 if EL3 is AArch64 and we are at Secure EL1

Clean up the code to handle all these cases cleanly, including
picking UNDEF as our choice of UNPREDICTABLE behaviour rather
blindly trusting the mode field passed in the instruction.
As part of this, move the check for IS_USER into gen_srs()
itself rather than having it done by the caller.

The exception is that we don't UNDEF for calls from System
mode, which need a runtime check. This will be dealt with in
the following commits.

Backports commit cbc0326b6fb905f80b7cef85b24571f7ebb62077 from qemu
2018-02-20 15:02:45 -05:00
Peter Maydell
56a88557db
target-arm: Report correct syndrome for FPEXC32_EL2 traps
If access to FPEXC32_EL2 is trapped by CPTR_EL2.TFP or CPTR_EL3.TFP,
this should be reported with a syndrome register indicating an
FP access trap, not one indicating a system register access trap.

Backports commit f2cae6092767aaf418778eada15be444c23883be from qemu
2018-02-20 15:00:32 -05:00
Peter Maydell
425db8c149
target-arm: Implement MDCR_EL3.TDA and MDCR_EL2.TDA traps
Implement the debug register traps controlled by MDCR_EL2.TDA
and MDCR_EL3.TDA.

Backports commit d6c8cf815171e35e0b1ef4e0cff602ab3d575747 from qemu
2018-02-20 14:58:52 -05:00
Peter Maydell
7295676caf
target-arm: Implement MDCR_EL2.TDRA traps
Implement trapping of the "debug ROM" registers, which are controlled
by MDCR_EL2.TDRA for EL2 but by the more general MDCR_EL3.TDA for EL3.

Backports commit 91b0a23865558e2ce9c2e7042d404e8bf2e4b817 from qemu
2018-02-20 14:54:53 -05:00
Peter Maydell
537ff96e34
target-arm: Implement MDCR_EL3.TDOSA and MDCR_EL2.TDOSA traps
Implement the traps to EL2 and EL3 controlled by the bits
MDCR_EL2.TDOSA MDCR_EL3.TDOSA. These can configurably trap
accesses to the "powerdown debug" registers.

Backports commit 187f678d5c28251dba2b44127e59966b14518ef7 from qemu
2018-02-20 14:52:47 -05:00
Peter Maydell
871dee4908
target-arm: Fix handling of SCR.SMD
We weren't quite implementing the handling of SCR.SMD correctly.
The condition governing whether the SMD bit should apply only
for NS state is "is EL3 is AArch32", not "is the current EL AArch32".
Fix the condition, and clarify the comment both to reflect this and
to expand slightly on what's going on for the v7-no-Virtualization case.

Backports commit f096e92b6385fd87e8ea948ad3af70faf752c13a from qemu
2018-02-20 14:50:33 -05:00
Peter Maydell
7b503db3c6
target-arm: correct CNTFRQ access rights
Correct some corner cases we were getting wrong for
CNTFRQ access rights:
* should UNDEF from 32-bit Secure EL1
* only writable from the highest implemented exception level,
which might not be EL1 now

To clarify the code, provide a new utility function
arm_highest_el() which returns the highest implemented
exception level.

Backports commit 755026728abb19fba70e6b4396a27fa2e7550d74 from qemu
2018-02-20 14:49:28 -05:00
Sergey Fedorov
dfb78118ff
target-arm: Implement checking of fired watchpoint
ARM stops before access to a location covered by watchpoint. Also, QEMU
watchpoint fire is not necessarily an architectural watchpoint match.
Unfortunately, that is hardly possible to ignore a fired watchpoint in
debug exception handler. So move watchpoint check from debug exception
handler to the dedicated watchpoint checking callback.

Backports commit 3826121d9298cde1d29ead05910e1f40125ee9b0 from qemu
2018-02-20 11:50:29 -05:00
Peter Maydell
3d5b54cf4b
target-arm: Fix IL bit reported for Thumb VFP and Neon traps
All Thumb Neon and VFP instructions are 32 bits, so the IL
bit in the syndrome register should be set. Pass false to the
syn_* function's is_16bit argument rather than s->thumb
so we report the correct IL bit.

Backports commit 7d197d2db5e99e4c8b20f6771ddc7303acaa1c89 from qemu
2018-02-20 11:39:39 -05:00
Peter Maydell
5b8ad0e2fc
target-arm: Fix IL bit reported for Thumb coprocessor traps
All Thumb coprocessor instructions are 32 bits, so the IL
bit in the syndrome register should be set. Pass false to the
syn_* function's is_16bit argument rather than s->thumb
so we report the correct IL bit.

Backports commit 4df322593037d2700f72dfdfb967300b7ad2e696 from qemu
2018-02-20 11:38:27 -05:00
Peter Maydell
814bffc1ee
target-arm: Correct misleading 'is_thumb' syn_* parameter names
In syndrome register values, the IL bit indicates the instruction
length, and is 1 for 4-byte instructions and 0 for 2-byte
instructions. All A64 and A32 instructions are 4-byte, but
Thumb instructions may be either 2 or 4 bytes long. Unfortunately
we named the parameter to the syn_* functions for constructing
syndromes "is_thumb", which falsely implies that it should be
set for all Thumb instructions, rather than only the 16-bit ones.
Fix the functions to name the parameter 'is_16bit' instead.

Backports commit fc05f4a62c568b607ec3fe428a419bb38205b570 from qemu
2018-02-20 11:36:55 -05:00
Peter Maydell
a3ff1c4a65
target-arm: Enable EL3 for Cortex-A53 and Cortex-A57
Enable EL3 support for our Cortex-A53 and Cortex-A57 CPU models.
We have enough implemented now to be able to run real world code
at least to some extent (I can boot ARM Trusted Firmware to the
point where it pulls in OP-TEE and then falls over because it
doesn't have a UEFI image it can chain to).

Backports commit 3ad901bc2b98f5539af9a7d4aef140a6d8fa6442 from qemu
2018-02-20 11:31:44 -05:00
Peter Maydell
aecf7b05dc
target-arm: Implement NSACR trapping behaviour
Implement some corner cases of the behaviour of the NSACR
register on ARMv8:
* if EL3 is AArch64 then accessing the NSACR from Secure EL1
with AArch32 should trap to EL3
* if EL3 is not present or is AArch64 then reads from NS EL1 and
NS EL2 return constant 0xc00

It would in theory be possible to implement all these with
a single reginfo definition, but for clarity we use three
separate definitions for the three cases and install the
right one based on the CPU feature flags.

Backports commit 2f027fc52d4b444a47cb05a9c96697372a6b57d2 from qemu
2018-02-20 11:29:29 -05:00
Peter Maydell
6dbc781ce3
target-arm: Add isread parameter to CPAccessFns
System registers might have access requirements which need to
be described via a CPAccessFn and which differ for reads and
writes. For this to be possible we need to pass the access
function a parameter to tell it whether the access being checked
is a read or a write.

Backports commit 3f208fd76bcc91a8506681bb8472f2398fe6f487 from qemu
2018-02-20 11:24:17 -05:00
Peter Maydell
4838c1dfe9
target-arm: Update arm_generate_debug_exceptions() to handle EL2/EL3
The arm_generate_debug_exceptions() function as originally implemented
assumes no EL2 or EL3. Since we now have much more of an implementation
of those now, fix this assumption.

Backports commit 533e93f1cf12c570aab45f14663dab6fb8ea3ffc from qemu
2018-02-20 11:12:36 -05:00
Peter Maydell
4552444928
target-arm: Use access_trap_aa32s_el1() for SCR and MVBAR
The registers MVBAR and SCR should have the behaviour of trapping to
EL3 if accessed from Secure EL1, but we were incorrectly implementing
them to UNDEF (which would trap to EL1). Fix this by using the new
access_trap_aa32s_el1() access function.

Backports commit efe4a274083f61484a8f1478d93f229d43aa8095 from qemu
2018-02-20 11:10:38 -05:00
Peter Maydell
c0411e5422
target-arm: Implement MDCR_EL3 and SDCR
Implement the MDCR_EL3 register (which is SDCR for AArch32).
For the moment we implement it as reads-as-written.

Backports commit 5513c3abed8e5fabe116830c63f0d3fe1f94bd21 from qemu
2018-02-20 11:08:15 -05:00
Peter Maydell
a2fd906e8b
target-arm: Fix typo in comment in arm_is_secure_below_el3()
Fix a typo where "EL2" was written but "EL3" intended.

Backports commit 6b7f0b61f080b886c9b4bba8240379ce90e20b12 from qemu
2018-02-20 11:05:14 -05:00
Richard Henderson
c507f16702
tcg: Remove lingering references to gen_opc_buf
Three in comments and one in code in the stub tcg_liveness_analysis.

Backports commit 201577059331b8b3aef221ee2ed594deb99d6631 from qemu
2018-02-19 01:42:55 -05:00
Peter Maydell
61a59665d6
target-arm: Don't report presence of EL2 if it doesn't exist
We already modify the processor feature bits to not report EL3
support to the guest if EL3 isn't enabled for the CPU we're emulating.
Add similar support for not reporting EL2 unless it is enabled.
This is necessary because real world guest code running at EL3
(trusted firmware or bootloaders) will query the ID registers to
determine whether it should start a guest Linux kernel in EL2 or EL3.

Backports commit 3c2f7bb32b4c597925c5c7411307d51f1a56045d from qemu
2018-02-19 01:23:28 -05:00
Edgar E. Iglesias
3ea1b2a84c
target-arm: Implement the S2 MMU inputsize > pamax check
Implement the inputsize > pamax check for Stage 2 translations.
This is CONSTRAINED UNPREDICTABLE and we choose to fault.

Backports commit 3526423e867765568ad95b8094ae8b4042cac215 from qemu
2018-02-19 01:22:00 -05:00
Edgar E. Iglesias
71f370d549
target-arm: Rename check_s2_startlevel to check_s2_mmu_setup
Rename check_s2_startlevel to check_s2_mmu_setup in preparation
for additional checks.

Backports commit a0e966c93a0968d29ef51447d08a6b7be6f4d757 from qemu
2018-02-19 01:16:11 -05:00
Edgar E. Iglesias
bab59f6b18
target-arm: Apply S2 MMU startlevel table size check to AArch64
The S2 starting level table size check applies to both AArch32
and AArch64. Move it to common code.

Backports commit 98d68ec289750139258d9cd9ab3f6d7dd10bb762 from qemu
2018-02-19 01:13:35 -05:00
Peter Maydell
d3e5003e53
target-arm: Make various system registers visible to EL3
The AArch64 system registers DACR32_EL2, IFSR32_EL2, SPSR_IRQ,
SPSR_ABT, SPSR_UND and SPSR_FIQ are visible and fully functional from
EL3 even if the CPU has no EL2 (unlike some others which are RES0
from EL3 in that configuration). Move them from el2_cp_reginfo[] to
v8_cp_reginfo[] so they are always present.

Backports commit 6a43e0b6e1f6bcd6b11656967422f4217258200a from qemu
2018-02-19 01:11:40 -05:00
Peter Maydell
22dadac875
target-arm: Implement FPEXC32_EL2 system register
The AArch64 FPEXC32_EL2 system register is visible at EL2 and EL3,
and allows those exception levels to read and write the FPEXC
register for a lower exception level that is using AArch32.

Backports commit 03fbf20f4da58f41998dc10ec7542f65d37ba759 from qemu
2018-02-18 22:52:54 -05:00
Peter Maydell
f4ae64e78a
target-arm: ignore ELR_ELx[1] for exception return to 32-bit ARM mode
The architecture requires that for an exception return to AArch32 the
low bits of ELR_ELx are ignored when the PC is set from them:
* if returning to Thumb mode, ignore ELR_ELx[0]
* if returning to ARM mode, ignore ELR_ELx[1:0]

We were only squashing bit 0; also squash bit 1 if the SPSR T bit
indicates this is a return to ARM code.

Backports commit c1e0371442bf3a7e42ad53c2a3d816ed7099f81d from qemu
2018-02-18 22:50:18 -05:00
Peter Maydell
9826fc4414
target-arm: Implement remaining illegal return event checks
We already implement almost all the checks for the illegal
return events from AArch64 state described in the ARM ARM section
D1.11.2. Add the two missing ones:
* return to EL2 when EL3 is implemented and SCR_EL3.NS is 0
* return to Non-secure EL1 when EL2 is implemented and HCR_EL2.TGE is 1

(We don't implement external debug, so the case of "debug state exit
from EL0 using AArch64 state to EL0 using AArch32 state" doesn't apply
for QEMU.)

Backports commit e393f339af87da7210f6c86902b321df6a2e8bf5 from qemu
2018-02-18 22:47:23 -05:00
Peter Maydell
2ffb545ec3
target-arm: Handle exception return from AArch64 to non-EL0 AArch32
Remove the assumptions that the AArch64 exception return code was
making about a return to AArch32 always being a return to EL0.
This includes pulling out the illegal-SPSR checks so we can apply
them for return to 32 bit as well as return to 64-bit.

Backports commit 3809951bf61605974b91578c582de4da28f8ed07 from qemu
2018-02-18 22:46:50 -05:00
Peter Maydell
134eeeeacc
target-arm: Fix wrong AArch64 entry offset for EL2/EL3 target
The entry offset when taking an exception to AArch64 from a lower
exception level may be 0x400 or 0x600. 0x400 is used if the
implemented exception level immediately lower than the target level
is using AArch64, and 0x600 if it is using AArch32. We were
incorrectly implementing this as checking the exception level
that the exception was taken from. (The two can be different if
for example we take an exception from EL0 to AArch64 EL3; we should
in this case be checking EL2 if EL2 is implemented, and EL1 if
EL2 is not implemented.)

Backports commit 3d6f761713745dfed7d2ccfe98077d213a6a6eba from qemu
2018-02-18 22:43:52 -05:00
Peter Maydell
d7c3ba6fa0
target-arm: Pull semihosting handling out to arm_cpu_do_interrupt()
Handling of semihosting calls should depend on the register width
of the calling code, not on that of any higher exception level,
so we need to identify and handle semihosting calls before we
decide whether to deliver the exception as an entry to AArch32
or AArch64. (EXCP_SEMIHOST is also an "internal exception" so
it has no target exception level in the first place.)

This will allow AArch32 EL1 code to use semihosting calls when
running under an AArch64 EL3.

Backports commit 904c04de2e1b425e7bc8c4ce2fae3d652eeed242 from qemu
2018-02-18 22:41:58 -05:00
Peter Maydell
4d0bdc61b6
target-arm: Use a single entry point for AArch64 and AArch32 exceptions
If EL2 or EL3 is present on an AArch64 CPU, then exceptions can be
taken to an exception level which is running AArch32 (if only EL0
and EL1 are present then EL1 must be AArch64 and all exceptions are
taken to AArch64). To support this we need to have a single
implementation of the CPU do_interrupt() method which can handle both
32 and 64 bit exception entry.

Pull the common parts of aarch64_cpu_do_interrupt() and
arm_cpu_do_interrupt() out into a new function which calls
either the AArch32 or AArch64 specific entry code once it has
worked out which one is needed.

We temporarily special-case the handling of EXCP_SEMIHOST to
avoid an assertion in arm_el_is_aa64(); the next patch will
pull all the semihosting handling out to the arm_cpu_do_interrupt()
level (since semihosting semantics depend on the register width
of the calling code, not on that of any higher EL).

Backports commit 966f758c49ff478c4757efa5970ce649161bff92 from qemu
2018-02-18 22:34:31 -05:00
Peter Maydell
e1925bb5fb
target-arm: Move aarch64_cpu_do_interrupt() to helper.c
Move the aarch64_cpu_do_interrupt() function to helper.c. We want
to be able to call this from code that isn't AArch64-only, and
the move allows us to avoid awkward #ifdeffery at the callsite.

Backports commit f3a9b6945cbbb23f3a70da14e9ffdf1e60c580a8 from qemu
2018-02-18 22:23:06 -05:00
Peter Maydell
c06519a2fd
target-arm: Properly support EL2 and EL3 in arm_el_is_aa64()
Support EL2 and EL3 in arm_el_is_aa64() by implementing the
logic for checking the SCR_EL3 and HCR_EL2 register-width bits
as appropriate to determine the register width of lower exception
levels.

Backports commit 446c81abf8e0572b8d5d23fe056516ac62af278d from qemu
2018-02-18 22:20:51 -05:00
Lioncash
f1f3ff39eb
target-arm: Support multiple address spaces in page table walks
If we have a secure address space, use it in page table walks:
when doing the physical accesses to read descriptors, make them
through the correct address space.

(The descriptor reads are the only direct physical accesses
made in target-arm/ for CPUs which might have TrustZone.)

Backports commit 5ce4ff6502fc6ae01a30c3917996c6c41be1d176 from qemu
2018-02-18 22:18:28 -05:00
Peter Maydell
d3eb5fb710
target-arm: Implement cpu_get_phys_page_attrs_debug
Implement cpu_get_phys_page_attrs_debug instead of cpu_get_phys_page_debug.

Backports commit 0faea0c7e6b729c64035b3591b184eeeeef6f1d4 from qemu
2018-02-18 22:15:50 -05:00
Peter Maydell
f96988503a
target-arm: Implement asidx_from_attrs
Implement the asidx_from_attrs CPU method to return the
Secure or NonSecure address space as appropriate.

(The function is inline so we can use it directly in target-arm
code to be added in later patches.)

Backports commit 017518c1f6ed9939c7f390cb91078f0919b5494c from qemu
2018-02-18 22:11:55 -05:00
Peter Maydell
c13497c369
target-arm: Add QOM property for Secure memory region
Add QOM property to the ARM CPU which boards can use to tell us what
memory region to use for secure accesses. Nonsecure accesses
go via the memory region specified with the base CPU class 'memory'
property.

By default, if no secure region is specified it is the same as the
nonsecure region, and if no nonsecure region is specified we will use
address_space_memory.

Backports commit 9e273ef2174d7cd5b14a16d8638812541d3eb6bb from qemu
2018-02-18 22:09:46 -05:00
Peter Maydell
e07cd2542c
exec.c: Drop TARGET_HAS_ICE define and checks
The TARGET_HAS_ICE #define is intended to indicate whether a target-*
guest CPU implementation supports the breakpoint handling. However,
all our guest CPUs have that support (the only two which do not
define TARGET_HAS_ICE are unicore32 and openrisc, and in both those
cases the bp support is present and the lack of the #define is just
a bug). So remove the #define entirely: all new guest CPU support
should include breakpoint handling as part of the basic implementation.

Backports commit ec53b45bcd1f74f7a4c31331fa6d50b402cd6d26 from qemu
2018-02-18 18:17:14 -05:00
Peter Maydell
cd5c4037ac
target-arm: Clean up includes
Clean up includes so that osdep.h is included first and headers
which it implies are not included manually.

This commit was created with scripts/clean-includes.

Backports commit 74c21bd07491739c6e56bcb1f962e4df730e77f3 from qemu
2018-02-17 21:09:32 -05:00
Alvise Rigo
1e3e75fa44
target-arm: Use the right MMU index in arm_regime_using_lpae_format
arm_regime_using_lpae_format checks whether the LPAE extension is used
for stage 1 translation regimes. MMU indexes not exclusively of a stage 1
regime won't work with this method.

In case of ARMMMUIdx_S12NSE0 or ARMMMUIdx_S12NSE1, offset these values
by ARMMMUIdx_S1NSE0 to get the right index indicating a stage 1
translation regime.

Rename also the function to arm_s1_regime_using_lpae_format and update
the comments to reflect the change.

Backports commit deb2db996cbb9470b39ae1e383791ef34c4eb3c2 from qemu
2018-02-17 20:56:32 -05:00
Sergey Fedorov
587c9f0570
target-arm: Fix and improve AA32 singlestep translation completion code 2018-02-17 19:34:52 -05:00
Andrew Baumann
e1701b069f
target-arm: raise exception on misaligned LDREX operands
Qemu does not generally perform alignment checks. However, the ARM ARM
requires implementation of alignment exceptions for a number of cases
including LDREX, and Windows-on-ARM relies on this.

This change adds plumbing to enable alignment checks on loads using
MO_ALIGN, a do_unaligned_access hook to raise the exception (data
abort), and uses the new aligned loads in LDREX (for all but
single-byte loads).

Backports commit 30901475b91ef1f46304404ab4bfe89097f61b96 from qemu
2018-02-17 19:29:29 -05:00
Peter Maydell
386e398c56
target-arm: Don't mask out bits [47:40] in LPAE descriptors for v8
In an LPAE format descriptor in ARMv8 the address field extends
up to bit 47, not just bit 39. Correct the masking so we don't
give incorrect results if the output address size is greater
than 40 bits, as it can be for AArch64.

(Note that we don't yet support the new-in-v8 Address Size fault which
should be generated if any translation table entry or TTBR contains
an address with non-zero bits above the most significant bit of the
maximum output address size.)

Backports commit 6109769a8b42bd0c3d5b1601c9b35fe7ea6a603e from qemu
2018-02-17 18:55:32 -05:00
Sergey Fedorov
5df03a909c
target-arm: Update condexec before arch BP check in AA32 translation
Architectural breakpoint check could raise an exceptions, thus condexec
bits should be updated before calling gen_helper_check_breakpoints().

Backports commit ce8a1b5449cd8c4c2831abb581d3208c3a3745a0 from qemu
2018-02-17 18:35:50 -05:00
Sergey Fedorov
b42bfc59f1
target-arm: Update condexec before CP access check in AA32 translation
Coprocessor access instructions are allowed inside IT block.
gen_helper_access_check_cp_reg() can raise an exceptions thus condexec
bits should be updated before.

Backports commit 43bfa4a100687af8d293fef0a197839b51400fca from qemu
2018-02-17 18:33:58 -05:00
Soren Brinkmann
3f4efdd95e
target-arm: Add and use symbolic names for register banks
Add BANK_<cpumode> #defines to index banked registers.

Backports commit 99a99c1fc8e9bfec1656ac5916c53977a93d3581 from qemu
2018-02-17 18:14:14 -05:00
Sergey Fedorov
23ece1622c
target-arm: Clean up DISAS_UPDATE usage in AArch32 translation code
AArch32 translation code does not distinguish between DISAS_UPDATE and
DISAS_JUMP. Thus, we cannot use any of them without first updating PC in
CPU state. Furthermore, it is too complicated to update PC in CPU state
before PC gets updated in disas context. So it is hardly possible to
correctly end TB early if is is not likely to be executed before calling
disas_*_insn(), e.g. just after calling breakpoint check helper.

Modify DISAS_UPDATE and DISAS_JUMP usage in AArch32 translation and
apply to them the same semantic as AArch64 translation does:
- DISAS_UPDATE: update PC in CPU state when finishing translation
- DISAS_JUMP: preserve current PC value in CPU state when finishing
translation

This patch fixes a bug in AArch32 breakpoint handling: when
check_breakpoints helper does not generate an exception, ending the TB
early with DISAS_UPDATE couldn't update PC in CPU state and execution
hangs.

Backports commit 577bf808958d06497928c639efaa473bf8c5e099 from qemu
2018-02-17 17:43:21 -05:00
Sergey Fedorov
f8c43c69b2
target-arm: Fix gdb singlestep handling in arm_debug_excp_handler()
Do not raise a CPU exception if no CPU breakpoint has fired, since
singlestep is also done by generating a debug internal exception. This
fixes a bug with singlestepping in gdbstub.

Backports commit 5c629f4ff4dc9ae79cc732f59a8df15ede796ff7 from qemu
2018-02-17 17:32:27 -05:00
Peter Maydell
0ed5787f89
target-arm: Report S/NS status in the CPU debug logs
If this CPU supports EL3, enhance the printing of the current
CPU mode in debug logging to distinguish S from NS modes as
appropriate.

Backports commit 06e5cf7acd1f94ab7c1cd6945974a1f039672940 from qemu
2018-02-17 15:24:14 -05:00
Peter Maydell
78d26764b7
target-arm: Bring AArch64 debug CPU display of PSTATE into line with AArch32
The AArch64 debug CPU display of PSTATE as "PSTATE=200003c5 (flags --C-)"
on the end of the same line as the last of the general purpose registers
is unnecessarily different from the AArch32 display of PSR as
"PSR=200001d3 --C- A svc32" on its own line. Update the AArch64
code to put PSTATE in its own line and in the same format, including
printing the exception level (mode).

Backports commit 08b8e0f527930208a548b424d2ab3103bf3c8c02 from qemu
2018-02-17 15:24:14 -05:00
Richard Henderson
c01a6dab0a
target-*: Advance pc after recognizing a breakpoint
Some targets already had this within their logic, but make sure
it's present for all targets.

Backports commit 522a0d4e3c0d397ffb45ec400d8cbd426dad9d17 from qemu
2018-02-17 15:24:11 -05:00
Richard Henderson
3ec0adcc07
target-*: Introduce and use cpu_breakpoint_test
Reduce the boilerplate required for each target. At the same time,
move the test for breakpoint after calling tcg_gen_insn_start.

Note that arm and aarch64 do not use cpu_breakpoint_test, but still
move the inline test down after tcg_gen_insn_start.

Backports commit b933066ae03d924a92b2616b4a24e7d91cd5b841 from qemu
2018-02-17 15:24:10 -05:00
Edgar E. Iglesias
942c18ead7
target-arm: Add support for S1 + S2 MMU translations
Backports commit 9b539263faa5c1b7fce2551092b5c7b6eea92081 from qemu
2018-02-17 15:24:10 -05:00
Edgar E. Iglesias
753a530ac8
target-arm: Route S2 MMU faults to EL2
Backports commit d759a457a144844bff259aafda093b24e92c116d from qemu
2018-02-17 15:24:10 -05:00
Edgar E. Iglesias
f779375656
target-arm: Add S2 translation to 32bit S1 PTWs
Add support for applying S2 translation to 32bit S1
page-table walks.

Backports commit a614e69854a2e601716ee44dfe15c09b8b88f620 from qemu
2018-02-17 15:24:10 -05:00
Edgar E. Iglesias
085a94faac
target-arm: Add S2 translation to 64bit S1 PTWs
Add support for applying S2 translation to 64bit S1
page-table walks.

Backports commit 37785977627295162bff58b1f8777d94e20f4c5b from qemu
2018-02-17 15:24:09 -05:00
Edgar E. Iglesias
716f1ac28c
target-arm: Add ARMMMUFaultInfo
Introduce ARMMMUFaultInfo to propagate MMU Fault information
across the MMU translation code path. This is in preparation for
adding Stage-2 translation.

No functional changes.

Backports commit e14b5a23d8c83304559f31397f95d22ada60a19a from qemu
2018-02-17 15:24:09 -05:00