* [Qemu-devel] [Bug 1812091] [NEW] ARMv8-M boots in wrong security mode
@ 2019-01-16 18:18 Thomas Roth
  2019-01-16 18:41 ` [Qemu-devel] [Bug 1812091] " Thomas Roth
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: Thomas Roth @ 2019-01-16 18:18 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

Qemu-commit: b2f7c27f56bf1116ebb7848c75914aa7c5d6a040


The ARMv8-M architecture (with security extensions) contains a SAU, the Security Attribution Unit. After booting the mps2-an505 and immediately halting (`-S`), I attempt to read the SAU_TYPE register, located at 0xE000EDD4, using gdb (x 0xE000EDD4). The returned value is 0, while the expected value is 8 (number of regions).

On further investigation, it seems that `attrs.secure` is set to false
(armv7m_nvic.c - nvic_readl, line 1167). Commenting out the check will
return the correct value.

As the CPU should be in 'secure' mode after reset, I think this behavior
is wrong.

Steps to reproduce:
Example code that loads an endless loop into the beginning of secure memory: https://github.com/ajblane/armv8m-hello

Commandline: qemu-system-arm -machine mps2-an505 -cpu cortex-m33 \
             -m 4096 \
             -nographic -serial mon:stdio \
             -kernel $(IMAGE) -s -S

Attach with arm-none-eabi-gdb, and run x 0xE000EDD4.

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1812091

Title:
  ARMv8-M boots in wrong security mode

Status in QEMU:
  New

Bug description:
  Qemu-commit: b2f7c27f56bf1116ebb7848c75914aa7c5d6a040

  
  The ARMv8-M architecture (with security extensions) contains a SAU, the Security Attribution Unit. After booting the mps2-an505 and immediately halting (`-S`), I attempt to read the SAU_TYPE register, located at 0xE000EDD4, using gdb (x 0xE000EDD4). The returned value is 0, while the expected value is 8 (number of regions).

  On further investigation, it seems that `attrs.secure` is set to false
  (armv7m_nvic.c - nvic_readl, line 1167). Commenting out the check will
  return the correct value.

  As the CPU should be in 'secure' mode after reset, I think this
  behavior is wrong.

  Steps to reproduce:
  Example code that loads an endless loop into the beginning of secure memory: https://github.com/ajblane/armv8m-hello

  Commandline: qemu-system-arm -machine mps2-an505 -cpu cortex-m33 \
  	                    -m 4096 \
  			    -nographic -serial mon:stdio \
  	                    -kernel $(IMAGE) -s -S

  Attach with arm-none-eabi-gdb, and run x 0xE000EDD4.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1812091/+subscriptions

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Qemu-devel] [Bug 1812091] Re: ARMv8-M boots in wrong security mode
  2019-01-16 18:18 [Qemu-devel] [Bug 1812091] [NEW] ARMv8-M boots in wrong security mode Thomas Roth
@ 2019-01-16 18:41 ` Thomas Roth
  2019-01-16 18:52 ` Thomas Roth
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Thomas Roth @ 2019-01-16 18:41 UTC (permalink / raw)
  To: qemu-devel

** Information type changed from Public to Public Security


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Qemu-devel] [Bug 1812091] Re: ARMv8-M boots in wrong security mode
  2019-01-16 18:18 [Qemu-devel] [Bug 1812091] [NEW] ARMv8-M boots in wrong security mode Thomas Roth
  2019-01-16 18:41 ` [Qemu-devel] [Bug 1812091] " Thomas Roth
@ 2019-01-16 18:52 ` Thomas Roth
  2019-01-17 11:12 ` Peter Maydell
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Thomas Roth @ 2019-01-16 18:52 UTC (permalink / raw)
  To: qemu-devel

** Information type changed from Public Security to Public


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Qemu-devel] [Bug 1812091] Re: ARMv8-M boots in wrong security mode
  2019-01-16 18:18 [Qemu-devel] [Bug 1812091] [NEW] ARMv8-M boots in wrong security mode Thomas Roth
  2019-01-16 18:41 ` [Qemu-devel] [Bug 1812091] " Thomas Roth
  2019-01-16 18:52 ` Thomas Roth
@ 2019-01-17 11:12 ` Peter Maydell
  2019-01-17 13:11 ` [Qemu-devel] [Bug 1812091] Re: gdbstub memory accesses performed with wrong attributes Thomas Roth
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Peter Maydell @ 2019-01-17 11:12 UTC (permalink / raw)
  To: qemu-devel

This is not an issue with the CPU emulation, it is a bug in the gdb
memory read/write path, which currently effectively always does its
accesses as nonsecure. The CPU itself is correctly coming out of reset
in secure mode and will be able to read the correct value of the
register.

I suspect that the following change will fix this:
diff --git a/exec.c b/exec.c
index 6e875f0640a..2f0f40b0be6 100644
--- a/exec.c
+++ b/exec.c
@@ -3881,12 +3881,10 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr,
         phys_addr += (addr & ~TARGET_PAGE_MASK);
         if (is_write) {
             address_space_write_rom(cpu->cpu_ases[asidx].as, phys_addr,
-                                    MEMTXATTRS_UNSPECIFIED,
-                                    buf, l);
+                                    attrs, buf, l);
         } else {
             address_space_rw(cpu->cpu_ases[asidx].as, phys_addr,
-                             MEMTXATTRS_UNSPECIFIED,
-                             buf, l, 0);
+                             attrs, buf, l, 0);
         }
         len -= l;
         buf += l;
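
Review bot: `attrs` is now passed in both the write and the read branch, but its declaration and assignment are outside this hunk. Please confirm it is filled in on every loop iteration by the same debug translation that produces `phys_addr` and `asidx`, so that an access spanning several pages never reuses attributes from an earlier page. The values returned by `address_space_write_rom()` and `address_space_rw()` are also still discarded in both branches, so a transaction that fails under the real attributes would look like a successful one to the debugger; consider checking the result and returning an error to the caller.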


I'll test it later today and send it as a proper patch if it works.


** Summary changed:

- ARMv8-M boots in wrong security mode
+ gdbstub memory accesses performed with wrong attributes


^ permalink raw reply related	[flat|nested] 7+ messages in thread
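
A simplified C model of the behaviour discussed in the message above, added here as an illustration; it is not QEMU code and not part of the thread. The types TxAttrs and ModelCpu and all function names are hypothetical; only the SAU_TYPE address 0xE000EDD4 and the expected value 8 come from the bug report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for illustration, not QEMU's definitions. */
typedef struct { bool unspecified; bool secure; } TxAttrs;
typedef struct { bool secure_state; } ModelCpu;

#define SAU_TYPE_ADDR   0xE000EDD4u   /* address from the bug report */
#define SAU_NUM_REGIONS 8u            /* expected value from the bug report */

/* Device model: the register reads as zero unless the access is secure. */
static uint32_t model_reg_read(uint32_t addr, TxAttrs attrs)
{
    if (addr != SAU_TYPE_ADDR || attrs.unspecified || !attrs.secure) {
        return 0;
    }
    return SAU_NUM_REGIONS;
}

/* Attributes that a load executed by the CPU itself would carry. */
static TxAttrs attrs_from_cpu(const ModelCpu *cpu)
{
    TxAttrs a = { .unspecified = false, .secure = cpu->secure_state };
    return a;
}

/* Debugger path before the change: attributes are always "unspecified". */
static uint32_t debug_read_unspecified(const ModelCpu *cpu, uint32_t addr)
{
    (void)cpu;  /* CPU security state is ignored on this path */
    TxAttrs a = { .unspecified = true, .secure = false };
    return model_reg_read(addr, a);
}

/* Debugger path after the change: reuse the attributes of the CPU state. */
static uint32_t debug_read_with_attrs(const ModelCpu *cpu, uint32_t addr)
{
    return model_reg_read(addr, attrs_from_cpu(cpu));
}

int main(void)
{
    ModelCpu cpu = { .secure_state = true };  /* secure state after reset */
    printf("unspecified attrs: %u\n",
           (unsigned)debug_read_unspecified(&cpu, SAU_TYPE_ADDR));
    printf("cpu attrs:         %u\n",
           (unsigned)debug_read_with_attrs(&cpu, SAU_TYPE_ADDR));
    return 0;
}
```

In this model the debugger and the CPU disagree about the register only on the unspecified-attributes path; with the CPU in non-secure state both paths read zero.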

* [Qemu-devel] [Bug 1812091] Re: gdbstub memory accesses performed with wrong attributes
  2019-01-16 18:18 [Qemu-devel] [Bug 1812091] [NEW] ARMv8-M boots in wrong security mode Thomas Roth
                   ` (2 preceding siblings ...)
  2019-01-17 11:12 ` Peter Maydell
@ 2019-01-17 13:11 ` Thomas Roth
  2019-01-17 14:30 ` Peter Maydell
  2019-04-24  5:19 ` Thomas Huth
  5 siblings, 0 replies; 7+ messages in thread
From: Thomas Roth @ 2019-01-17 13:11 UTC (permalink / raw)
  To: qemu-devel

Hello Peter and thanks a lot for your quick response.

I have tested the patch and it seems to work! Looks like my testing code
was buggy, apologies for the inaccurate bug description.

Thanks,
Thomas


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Qemu-devel] [Bug 1812091] Re: gdbstub memory accesses performed with wrong attributes
  2019-01-16 18:18 [Qemu-devel] [Bug 1812091] [NEW] ARMv8-M boots in wrong security mode Thomas Roth
                   ` (3 preceding siblings ...)
  2019-01-17 13:11 ` [Qemu-devel] [Bug 1812091] Re: gdbstub memory accesses performed with wrong attributes Thomas Roth
@ 2019-01-17 14:30 ` Peter Maydell
  2019-04-24  5:19 ` Thomas Huth
  5 siblings, 0 replies; 7+ messages in thread
From: Peter Maydell @ 2019-01-17 14:30 UTC (permalink / raw)
  To: qemu-devel

Patch sent to list:

https://patchwork.ozlabs.org/patch/1026664/


** Changed in: qemu
       Status: New => In Progress

** Tags added: arm


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Qemu-devel] [Bug 1812091] Re: gdbstub memory accesses performed with wrong attributes
  2019-01-16 18:18 [Qemu-devel] [Bug 1812091] [NEW] ARMv8-M boots in wrong security mode Thomas Roth
                   ` (4 preceding siblings ...)
  2019-01-17 14:30 ` Peter Maydell
@ 2019-04-24  5:19 ` Thomas Huth
  5 siblings, 0 replies; 7+ messages in thread
From: Thomas Huth @ 2019-04-24  5:19 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu
       Status: Fix Committed => Fix Released


^ permalink raw reply	[flat|nested] 7+ messages in thread
