[Qemu-devel] [PATCH 0/6] mips_malta: fixes to support YAMON firmware

[Qemu-devel] [PATCH 0/6] mips_malta: fixes to support YAMON firmware

[Leon Alrae]

From: Paul Burton <paul.burton@imgtec.com>

This patchset fixes some bugs with MIPS malta emulation allowing the YAMON
firmware to run.

YAMON can be found at http://www.mips.com/products/system-software/yamon/

You can then boot to a YAMON prompt by passing the path to yamon-XX.bin to
the -bios argument or by writing yamon-XX.bin to the start of a flash image
passed to the -pflash argument. The YAMON 2.21 release & newer have been tested
to work.

There is still a bug preventing YAMON from initialising the ethernet controller
so an application or kernel cannot be loaded via TFTP. However the serial
console functions and can examine or modify memory, modify the flash and
environment variables, access disks etc.

As of YAMON 2.22 a YAMON bug prevents the environment from being initialized
correctly by an "erase -e" command if you begin with a zeroed flash image. As
a workaround you can fill empty areas of your flash image with 1s be generating
your flash image like so:

  dd if=/dev/zero bs=1M count=4 | tr '\0' '\377' >flash.bin
  dd if=yamon-02.22.bin of=flash.bin conv=notrunc

Paul Burton (6):
  mips_malta: fix BIOS endianness swapping
  mips_malta: correct reading MIPS revision at 0x1fc00010
  mips_malta: generate SPD EEPROM data at runtime
  mips_malta: cap BIOS endian swap length at 0x3e0000 bytes
  mips_malta: generate SMBUS EEPROM data
  pflash_cfi01: duplicate status byte from bits 23:16 for 32bit reads

 hw/block/pflash_cfi01.c |    3 +
 hw/mips/mips_malta.c    |  219 +++++++++++++++++++++++++++++++++++------------
 2 files changed, 166 insertions(+), 56 deletions(-)

-- 
1.7.5.4

[Qemu-devel] [PATCH 1/6] mips_malta: fix BIOS endianness swapping

[Leon Alrae]

From: Paul Burton <paul.burton@imgtec.com>

If the target is little endian (mipsel) then the BIOS image endianness
is swapped so that the big endian BIOS binaries commonly produced can be
loaded correctly.

When using the -bios argument the BIOS is loaded using
load_image_targphys, however this doesn't perform the load to target
memory immediately. Instead it loads the BIOS file into a struct Rom
which will later be written to target memory upon reset. However the
endianness conversion was being performed before this, on init, and
operating on the target memory which at this point is blank & will later
be overwritten by the (big endian) BIOS image. Correct this by operating
on the data referenced by struct Rom rather than the target memory when
the -bios argument is used.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
---
 hw/mips/mips_malta.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
index 5033d51..4def898 100644
--- a/hw/mips/mips_malta.c
+++ b/hw/mips/mips_malta.c
@@ -916,8 +916,11 @@ void mips_malta_init(QEMUMachineInitArgs *args)
            a neat trick which allows bi-endian firmware. */
 #ifndef TARGET_WORDS_BIGENDIAN
         {
-            uint32_t *addr = memory_region_get_ram_ptr(bios);
-            uint32_t *end = addr + bios_size;
+            uint32_t *end, *addr = rom_ptr(FLASH_ADDRESS);
+            if (!addr) {
+                addr = memory_region_get_ram_ptr(bios);
+            }
+            end = (void *)addr + bios_size;
             while (addr < end) {
                 bswap32s(addr);
                 addr++;
-- 
1.7.5.4

[Qemu-devel] [PATCH 2/6] mips_malta: correct reading MIPS revision at 0x1fc00010

[Leon Alrae]

From: Paul Burton <paul.burton@imgtec.com>

Rather than modifying the BIOS code at its original location, copy it
for the 0x1fc00000 region & modify the copy. This means the original
ROM code is correctly readable at 0x1e000010 whilst the MIPS revision
is readable at 0x1fc00010.

Additionally the code previously operated on target memory which would
later be overwritten by the BIOS image upon CPU reset if the -bios
argument was used to specify the BIOS image. This led to the written
MIPS revision being lost. Copying using rom_copy when -bios is used
fixes this issue.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
---
 hw/mips/mips_malta.c |   25 +++++++++++++++++--------
 1 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
index 4def898..9117ae4 100644
--- a/hw/mips/mips_malta.c
+++ b/hw/mips/mips_malta.c
@@ -789,7 +789,7 @@ void mips_malta_init(QEMUMachineInitArgs *args)
     pflash_t *fl;
     MemoryRegion *system_memory = get_system_memory();
     MemoryRegion *ram = g_new(MemoryRegion, 1);
-    MemoryRegion *bios, *bios_alias = g_new(MemoryRegion, 1);
+    MemoryRegion *bios, *bios_copy = g_new(MemoryRegion, 1);
     target_long bios_size = FLASH_SIZE;
     int64_t kernel_entry;
     PCIBus *pci_bus;
@@ -929,14 +929,23 @@ void mips_malta_init(QEMUMachineInitArgs *args)
 #endif
     }
 
-    /* Map the BIOS at a 2nd physical location, as on the real board. */
-    memory_region_init_alias(bios_alias, "bios.1fc", bios, 0, BIOS_SIZE);
-    memory_region_add_subregion(system_memory, RESET_ADDRESS, bios_alias);
+    /*
+     * Map the BIOS at a 2nd physical location, as on the real board.
+     * Copy it so that we can patch in the MIPS revision, which cannot be
+     * handled by an overlapping region as the resulting ROM code subpage
+     * regions are not executable.
+     */
+    memory_region_init_ram(bios_copy, "bios.1fc", BIOS_SIZE);
+    if (!rom_copy(memory_region_get_ram_ptr(bios_copy),
+                  FLASH_ADDRESS, bios_size)) {
+        memcpy(memory_region_get_ram_ptr(bios_copy),
+               memory_region_get_ram_ptr(bios), bios_size);
+    }
+    memory_region_set_readonly(bios_copy, true);
+    memory_region_add_subregion(system_memory, RESET_ADDRESS, bios_copy);
 
-    /* Board ID = 0x420 (Malta Board with CoreLV)
-       XXX: theoretically 0x1e000010 should map to flash and 0x1fc00010 should
-       map to the board ID. */
-    stl_p(memory_region_get_ram_ptr(bios) + 0x10, 0x00000420);
+    /* Board ID = 0x420 (Malta Board with CoreLV) */
+    stl_p(memory_region_get_ram_ptr(bios_copy) + 0x10, 0x00000420);
 
     /* Init internal devices */
     cpu_mips_irq_init_cpu(env);
-- 
1.7.5.4

[Qemu-devel] [PATCH 3/6] mips_malta: generate SPD EEPROM data at runtime

[Leon Alrae]

From: Paul Burton <paul.burton@imgtec.com>

The SPD EEPROM specifies the amount of memory present in the system and
thus its correct contents can only be known at runtime. Calculating
parts of the data on init allows the data to accurately reflect the
amount of target memory present and allow YAMON to boot with an
arbitrary amount of SDRAM.

Where possible the SPD data will favor indicating 2 banks of SDRAM
rather than 1. For example the default 128MB of target memory will be
represented as 2x64MB banks rather than 1x128MB bank. This allows
versions of MIPS BIOS code (such as YAMON 2.22 and older) to boot
despite a bug preventing them from handling a single bank of SDRAM with
the Galileo GT64120 system controller emulated by QEMU.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
---
 hw/mips/mips_malta.c |   60 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 files changed, 57 insertions(+), 3 deletions(-)

diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
index 9117ae4..116a2f8 100644
--- a/hw/mips/mips_malta.c
+++ b/hw/mips/mips_malta.c
@@ -47,6 +47,7 @@
 #include "sysemu/blockdev.h"
 #include "exec/address-spaces.h"
 #include "hw/sysbus.h"             /* SysBusDevice */
+#include "qemu/host-utils.h"
 
 //#define DEBUG_BOARD_INIT
 
@@ -146,10 +147,10 @@ typedef struct _eeprom24c0x_t eeprom24c0x_t;
 
 static eeprom24c0x_t eeprom = {
     .contents = {
-        /* 00000000: */ 0x80,0x08,0x04,0x0D,0x0A,0x01,0x40,0x00,
+        /* 00000000: */ 0x80,0x08,0xff,0x0D,0x0A,0xff,0x40,0x00,
         /* 00000008: */ 0x01,0x75,0x54,0x00,0x82,0x08,0x00,0x01,
-        /* 00000010: */ 0x8F,0x04,0x02,0x01,0x01,0x00,0x0E,0x00,
-        /* 00000018: */ 0x00,0x00,0x00,0x14,0x0F,0x14,0x2D,0x40,
+        /* 00000010: */ 0x8F,0x04,0x02,0x01,0x01,0x00,0x00,0x00,
+        /* 00000018: */ 0x00,0x00,0x00,0x14,0x0F,0x14,0x2D,0xff,
         /* 00000020: */ 0x15,0x08,0x15,0x08,0x00,0x00,0x00,0x00,
         /* 00000028: */ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
         /* 00000030: */ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
@@ -165,6 +166,56 @@ static eeprom24c0x_t eeprom = {
     },
 };
 
+static void eeprom_generate(eeprom24c0x_t *eeprom, ram_addr_t ram_size)
+{
+    enum { SDR = 0x4, DDR2 = 0x8 } type;
+    uint8_t *spd = eeprom->contents;
+    uint8_t nbanks = 0;
+    uint16_t density = 0;
+    int i;
+
+    /* work in terms of MB */
+    ram_size >>= 20;
+
+    while ((ram_size >= 4) && (nbanks <= 2)) {
+        int sz_log2 = MIN(31 - clz32(ram_size), 14);
+        nbanks++;
+        density |= 1 << (sz_log2 - 2);
+        ram_size -= 1 << sz_log2;
+    }
+
+    /* split to 2 banks if possible */
+    if ((nbanks == 1) && (density > 1)) {
+        nbanks++;
+        density >>= 1;
+    }
+
+    if (density & 0xff00) {
+        density = (density & 0xe0) | ((density >> 8) & 0x1f);
+        type = DDR2;
+    } else if (!(density & 0x1f)) {
+        type = DDR2;
+    } else {
+        type = SDR;
+    }
+
+    if (ram_size) {
+        fprintf(stderr, "Warning: SPD cannot represent final %dMB"
+                " of SDRAM\n", (int)ram_size);
+    }
+
+    /* fill in SPD memory information */
+    spd[2] = type;
+    spd[5] = nbanks;
+    spd[31] = density;
+
+    /* checksum */
+    spd[63] = 0;
+    for (i = 0; i < 63; i++) {
+        spd[63] += spd[i];
+    }
+}
+
 static uint8_t eeprom24c0x_read(void)
 {
     logout("%u: scl = %u, sda = %u, data = 0x%02x\n",
@@ -857,6 +908,9 @@ void mips_malta_init(QEMUMachineInitArgs *args)
     vmstate_register_ram_global(ram);
     memory_region_add_subregion(system_memory, 0, ram);
 
+    /* generate SPD EEPROM data */
+    eeprom_generate(&eeprom, ram_size);
+
 #ifdef TARGET_WORDS_BIGENDIAN
     be = 1;
 #else
-- 
1.7.5.4

[Qemu-devel] [PATCH 4/6] mips_malta: cap BIOS endian swap length at 0x3e0000 bytes

[Leon Alrae]

From: Paul Burton <paul.burton@imgtec.com>

This preserves the final sector of the pflash which is used by YAMON to
hold environment variables. If the endianness of the environment data
is swapped then YAMON will fail to load environment variables from
pflash.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
---
 hw/mips/mips_malta.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
index 116a2f8..6d43e86 100644
--- a/hw/mips/mips_malta.c
+++ b/hw/mips/mips_malta.c
@@ -974,7 +974,7 @@ void mips_malta_init(QEMUMachineInitArgs *args)
             if (!addr) {
                 addr = memory_region_get_ram_ptr(bios);
             }
-            end = (void *)addr + bios_size;
+            end = (void *)addr + MIN(bios_size, 0x3e0000);
             while (addr < end) {
                 bswap32s(addr);
                 addr++;
-- 
1.7.5.4

[Qemu-devel] [PATCH 5/6] mips_malta: generate SMBUS EEPROM data

[Leon Alrae]

From: Paul Burton <paul.burton@imgtec.com>

The malta contains 2 EEPROMs, one containing SPD data for the SDRAM and
another containing board information such as serial number and MAC
address. These are both exposed via the PIIX4 SMBUS. Generating this
data and providing it to smbus_eeprom_init will allow YAMON to read a
serial number for the board and prevent it from warning that the EEPROM
data is invalid.

We already have the contents of the SPD EEPROM which are exposed via
FPGA I2C accesses, this is provided as part of the SMBUS EEPROM data
too for consistency.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
---
 hw/mips/mips_malta.c |  133 ++++++++++++++++++++++++++++++++-----------------
 1 files changed, 87 insertions(+), 46 deletions(-)

diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
index 6d43e86..467c38e 100644
--- a/hw/mips/mips_malta.c
+++ b/hw/mips/mips_malta.c
@@ -145,7 +145,7 @@ struct _eeprom24c0x_t {
 
 typedef struct _eeprom24c0x_t eeprom24c0x_t;
 
-static eeprom24c0x_t eeprom = {
+static eeprom24c0x_t spd_eeprom = {
     .contents = {
         /* 00000000: */ 0x80,0x08,0xff,0x0D,0x0A,0xff,0x40,0x00,
         /* 00000008: */ 0x01,0x75,0x54,0x00,0x82,0x08,0x00,0x01,
@@ -166,10 +166,10 @@ static eeprom24c0x_t eeprom = {
     },
 };
 
-static void eeprom_generate(eeprom24c0x_t *eeprom, ram_addr_t ram_size)
+static void generate_eeprom_spd(uint8_t *eeprom, ram_addr_t ram_size)
 {
     enum { SDR = 0x4, DDR2 = 0x8 } type;
-    uint8_t *spd = eeprom->contents;
+    uint8_t *spd = spd_eeprom.contents;
     uint8_t nbanks = 0;
     uint16_t density = 0;
     int i;
@@ -214,71 +214,109 @@ static void eeprom_generate(eeprom24c0x_t *eeprom, ram_addr_t ram_size)
     for (i = 0; i < 63; i++) {
         spd[63] += spd[i];
     }
+
+    /* copy for SMBUS */
+    memcpy(eeprom, spd, sizeof(spd_eeprom.contents));
+}
+
+static void generate_eeprom_serial(uint8_t *eeprom)
+{
+    int i, pos = 0;
+    uint8_t mac[6] = { 0x00 };
+    uint8_t sn[5] = { 0x01, 0x23, 0x45, 0x67, 0x89 };
+
+    /* version */
+    eeprom[pos++] = 0x01;
+
+    /* count */
+    eeprom[pos++] = 0x02;
+
+    /* MAC address */
+    eeprom[pos++] = 0x01; /* MAC */
+    eeprom[pos++] = 0x06; /* length */
+    memcpy(&eeprom[pos], mac, sizeof(mac));
+    pos += sizeof(mac);
+
+    /* serial number */
+    eeprom[pos++] = 0x02; /* serial */
+    eeprom[pos++] = 0x05; /* length */
+    memcpy(&eeprom[pos], sn, sizeof(sn));
+    pos += sizeof(sn);
+
+    /* checksum */
+    eeprom[pos] = 0;
+    for (i = 0; i < pos; i++) {
+        eeprom[pos] += eeprom[i];
+    }
 }
 
-static uint8_t eeprom24c0x_read(void)
+static uint8_t eeprom24c0x_read(eeprom24c0x_t *eeprom)
 {
     logout("%u: scl = %u, sda = %u, data = 0x%02x\n",
-        eeprom.tick, eeprom.scl, eeprom.sda, eeprom.data);
-    return eeprom.sda;
+        eeprom->tick, eeprom->scl, eeprom->sda, eeprom->data);
+    return eeprom->sda;
 }
 
-static void eeprom24c0x_write(int scl, int sda)
+static void eeprom24c0x_write(eeprom24c0x_t *eeprom, int scl, int sda)
 {
-    if (eeprom.scl && scl && (eeprom.sda != sda)) {
+    if (eeprom->scl && scl && (eeprom->sda != sda)) {
         logout("%u: scl = %u->%u, sda = %u->%u i2c %s\n",
-                eeprom.tick, eeprom.scl, scl, eeprom.sda, sda, sda ? "stop" : "start");
+                eeprom->tick, eeprom->scl, scl, eeprom->sda, sda,
+                sda ? "stop" : "start");
         if (!sda) {
-            eeprom.tick = 1;
-            eeprom.command = 0;
+            eeprom->tick = 1;
+            eeprom->command = 0;
         }
-    } else if (eeprom.tick == 0 && !eeprom.ack) {
+    } else if (eeprom->tick == 0 && !eeprom->ack) {
         /* Waiting for start. */
         logout("%u: scl = %u->%u, sda = %u->%u wait for i2c start\n",
-                eeprom.tick, eeprom.scl, scl, eeprom.sda, sda);
-    } else if (!eeprom.scl && scl) {
+                eeprom->tick, eeprom->scl, scl, eeprom->sda, sda);
+    } else if (!eeprom->scl && scl) {
         logout("%u: scl = %u->%u, sda = %u->%u trigger bit\n",
-                eeprom.tick, eeprom.scl, scl, eeprom.sda, sda);
-        if (eeprom.ack) {
+                eeprom->tick, eeprom->scl, scl, eeprom->sda, sda);
+        if (eeprom->ack) {
             logout("\ti2c ack bit = 0\n");
             sda = 0;
-            eeprom.ack = 0;
-        } else if (eeprom.sda == sda) {
+            eeprom->ack = 0;
+        } else if (eeprom->sda == sda) {
             uint8_t bit = (sda != 0);
             logout("\ti2c bit = %d\n", bit);
-            if (eeprom.tick < 9) {
-                eeprom.command <<= 1;
-                eeprom.command += bit;
-                eeprom.tick++;
-                if (eeprom.tick == 9) {
-                    logout("\tcommand 0x%04x, %s\n", eeprom.command, bit ? "read" : "write");
-                    eeprom.ack = 1;
+            if (eeprom->tick < 9) {
+                eeprom->command <<= 1;
+                eeprom->command += bit;
+                eeprom->tick++;
+                if (eeprom->tick == 9) {
+                    logout("\tcommand 0x%04x, %s\n", eeprom->command,
+                           bit ? "read" : "write");
+                    eeprom->ack = 1;
                 }
-            } else if (eeprom.tick < 17) {
-                if (eeprom.command & 1) {
-                    sda = ((eeprom.data & 0x80) != 0);
+            } else if (eeprom->tick < 17) {
+                if (eeprom->command & 1) {
+                    sda = ((eeprom->data & 0x80) != 0);
                 }
-                eeprom.address <<= 1;
-                eeprom.address += bit;
-                eeprom.tick++;
-                eeprom.data <<= 1;
-                if (eeprom.tick == 17) {
-                    eeprom.data = eeprom.contents[eeprom.address];
-                    logout("\taddress 0x%04x, data 0x%02x\n", eeprom.address, eeprom.data);
-                    eeprom.ack = 1;
-                    eeprom.tick = 0;
+                eeprom->address <<= 1;
+                eeprom->address += bit;
+                eeprom->tick++;
+                eeprom->data <<= 1;
+                if (eeprom->tick == 17) {
+                    eeprom->data = eeprom->contents[eeprom->address];
+                    logout("\taddress 0x%04x, data 0x%02x\n",
+                           eeprom->address, eeprom->data);
+                    eeprom->ack = 1;
+                    eeprom->tick = 0;
                 }
-            } else if (eeprom.tick >= 17) {
+            } else if (eeprom->tick >= 17) {
                 sda = 0;
             }
         } else {
             logout("\tsda changed with raising scl\n");
         }
     } else {
-        logout("%u: scl = %u->%u, sda = %u->%u\n", eeprom.tick, eeprom.scl, scl, eeprom.sda, sda);
+        logout("%u: scl = %u->%u, sda = %u->%u\n", eeprom->tick, eeprom->scl,
+               scl, eeprom->sda, sda);
     }
-    eeprom.scl = scl;
-    eeprom.sda = sda;
+    eeprom->scl = scl;
+    eeprom->sda = sda;
 }
 
 static uint64_t malta_fpga_read(void *opaque, hwaddr addr,
@@ -341,7 +379,7 @@ static uint64_t malta_fpga_read(void *opaque, hwaddr addr,
 
     /* I2CINP Register */
     case 0x00b00:
-        val = ((s->i2cin & ~1) | eeprom24c0x_read());
+        val = ((s->i2cin & ~1) | eeprom24c0x_read(&spd_eeprom));
         break;
 
     /* I2COE Register */
@@ -437,7 +475,7 @@ static void malta_fpga_write(void *opaque, hwaddr addr,
 
     /* I2COUT Register */
     case 0x00b10:
-        eeprom24c0x_write(val & 0x02, val & 0x01);
+        eeprom24c0x_write(&spd_eeprom, val & 0x02, val & 0x01);
         s->i2cout = val;
         break;
 
@@ -842,6 +880,8 @@ void mips_malta_init(QEMUMachineInitArgs *args)
     MemoryRegion *ram = g_new(MemoryRegion, 1);
     MemoryRegion *bios, *bios_copy = g_new(MemoryRegion, 1);
     target_long bios_size = FLASH_SIZE;
+    const size_t smbus_eeprom_size = 8 * 256;
+    uint8_t *smbus_eeprom_buf = g_malloc0(smbus_eeprom_size);
     int64_t kernel_entry;
     PCIBus *pci_bus;
     ISABus *isa_bus;
@@ -909,7 +949,8 @@ void mips_malta_init(QEMUMachineInitArgs *args)
     memory_region_add_subregion(system_memory, 0, ram);
 
     /* generate SPD EEPROM data */
-    eeprom_generate(&eeprom, ram_size);
+    generate_eeprom_spd(&smbus_eeprom_buf[0 * 256], ram_size);
+    generate_eeprom_serial(&smbus_eeprom_buf[6 * 256]);
 
 #ifdef TARGET_WORDS_BIGENDIAN
     be = 1;
@@ -1031,8 +1072,8 @@ void mips_malta_init(QEMUMachineInitArgs *args)
     pci_create_simple(pci_bus, piix4_devfn + 2, "piix4-usb-uhci");
     smbus = piix4_pm_init(pci_bus, piix4_devfn + 3, 0x1100,
                           isa_get_irq(NULL, 9), NULL, 0, NULL);
-    /* TODO: Populate SPD eeprom data.  */
-    smbus_eeprom_init(smbus, 8, NULL, 0);
+    smbus_eeprom_init(smbus, 8, smbus_eeprom_buf, smbus_eeprom_size);
+    g_free(smbus_eeprom_buf);
     pit = pit_init(isa_bus, 0x40, 0, NULL);
     cpu_exit_irq = qemu_allocate_irqs(cpu_request_exit, NULL, 1);
     DMA_init(0, cpu_exit_irq);
-- 
1.7.5.4

[Qemu-devel] [PATCH 6/6] pflash_cfi01: duplicate status byte from bits 23:16 for 32bit reads

[Leon Alrae]

From: Paul Burton <paul.burton@imgtec.com>

The firmware commonly used with MIPS Malta boards (YAMON) reads the
status of the pflash with a 32bit memory access. On real hardware
this results in the status byte being mirrored in the upper 16 bits
of the read value. For example if the status byte is represented by
SS then the hardware reads 0x00SS00SS. The YAMON firmware compares the
status against 32bit values expecting the mirrored value and fails
without it.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
---
 hw/block/pflash_cfi01.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c
index 63d7c99..047ee65 100644
--- a/hw/block/pflash_cfi01.c
+++ b/hw/block/pflash_cfi01.c
@@ -186,6 +186,9 @@ static uint32_t pflash_read (pflash_t *pfl, hwaddr offset,
     case 0xe8: /* Write block */
         /* Status register read */
         ret = pfl->status;
+        if (width > 2) {
+            ret |= pfl->status << 16;
+        }
         DPRINTF("%s: status %x\n", __func__, ret);
         break;
     case 0x90:
-- 
1.7.5.4

Re: [Qemu-devel] [PATCH 0/6] mips_malta: fixes to support YAMON firmware

[Leon Alrae]

ping

http://patchwork.ozlabs.org/patch/251250/
http://patchwork.ozlabs.org/patch/251254/
http://patchwork.ozlabs.org/patch/251253/
http://patchwork.ozlabs.org/patch/251251/
http://patchwork.ozlabs.org/patch/251252/
http://patchwork.ozlabs.org/patch/251249/

On 14/06/13 08:30, Leon Alrae wrote:
> From: Paul Burton <paul.burton@imgtec.com>
> 
> This patchset fixes some bugs with MIPS malta emulation allowing the YAMON
> firmware to run.
> 
> YAMON can be found at http://www.mips.com/products/system-software/yamon/
> 
> You can then boot to a YAMON prompt by passing the path to yamon-XX.bin to
> the -bios argument or by writing yamon-XX.bin to the start of a flash image
> passed to the -pflash argument. The YAMON 2.21 release & newer have been tested
> to work.
> 
> There is still a bug preventing YAMON from initialising the ethernet controller
> so an application or kernel cannot be loaded via TFTP. However the serial
> console functions and can examine or modify memory, modify the flash and
> environment variables, access disks etc.
> 
> As of YAMON 2.22 a YAMON bug prevents the environment from being initialized
> correctly by an "erase -e" command if you begin with a zeroed flash image. As
> a workaround you can fill empty areas of your flash image with 1s be generating
> your flash image like so:
> 
>   dd if=/dev/zero bs=1M count=4 | tr '\0' '\377' >flash.bin
>   dd if=yamon-02.22.bin of=flash.bin conv=notrunc
> 
> Paul Burton (6):
>   mips_malta: fix BIOS endianness swapping
>   mips_malta: correct reading MIPS revision at 0x1fc00010
>   mips_malta: generate SPD EEPROM data at runtime
>   mips_malta: cap BIOS endian swap length at 0x3e0000 bytes
>   mips_malta: generate SMBUS EEPROM data
>   pflash_cfi01: duplicate status byte from bits 23:16 for 32bit reads
> 
>  hw/block/pflash_cfi01.c |    3 +
>  hw/mips/mips_malta.c    |  219 +++++++++++++++++++++++++++++++++++------------
>  2 files changed, 166 insertions(+), 56 deletions(-)
> 

Re: [Qemu-devel] [PATCH 0/6] mips_malta: fixes to support YAMON firmware

[Leon Alrae]

ping

On 28/06/13 14:20, Leon Alrae wrote:
> ping
> 
> http://patchwork.ozlabs.org/patch/251250/
> http://patchwork.ozlabs.org/patch/251254/
> http://patchwork.ozlabs.org/patch/251253/
> http://patchwork.ozlabs.org/patch/251251/
> http://patchwork.ozlabs.org/patch/251252/
> http://patchwork.ozlabs.org/patch/251249/
> 
> On 14/06/13 08:30, Leon Alrae wrote:
>> From: Paul Burton <paul.burton@imgtec.com>
>>
>> This patchset fixes some bugs with MIPS malta emulation allowing the YAMON
>> firmware to run.
>>
>> YAMON can be found at http://www.mips.com/products/system-software/yamon/
>>
>> You can then boot to a YAMON prompt by passing the path to yamon-XX.bin to
>> the -bios argument or by writing yamon-XX.bin to the start of a flash image
>> passed to the -pflash argument. The YAMON 2.21 release & newer have been tested
>> to work.
>>
>> There is still a bug preventing YAMON from initialising the ethernet controller
>> so an application or kernel cannot be loaded via TFTP. However the serial
>> console functions and can examine or modify memory, modify the flash and
>> environment variables, access disks etc.
>>
>> As of YAMON 2.22 a YAMON bug prevents the environment from being initialized
>> correctly by an "erase -e" command if you begin with a zeroed flash image. As
>> a workaround you can fill empty areas of your flash image with 1s be generating
>> your flash image like so:
>>
>>   dd if=/dev/zero bs=1M count=4 | tr '\0' '\377' >flash.bin
>>   dd if=yamon-02.22.bin of=flash.bin conv=notrunc
>>
>> Paul Burton (6):
>>   mips_malta: fix BIOS endianness swapping
>>   mips_malta: correct reading MIPS revision at 0x1fc00010
>>   mips_malta: generate SPD EEPROM data at runtime
>>   mips_malta: cap BIOS endian swap length at 0x3e0000 bytes
>>   mips_malta: generate SMBUS EEPROM data
>>   pflash_cfi01: duplicate status byte from bits 23:16 for 32bit reads
>>
>>  hw/block/pflash_cfi01.c |    3 +
>>  hw/mips/mips_malta.c    |  219 +++++++++++++++++++++++++++++++++++------------
>>  2 files changed, 166 insertions(+), 56 deletions(-)
>>
> 

Re: [Qemu-devel] [PATCH 0/6] mips_malta: fixes to support YAMON firmware

[Aurelien Jarno]

On Fri, Jun 14, 2013 at 08:30:42AM +0100, Leon Alrae wrote:
> From: Paul Burton <paul.burton@imgtec.com>
> 
> This patchset fixes some bugs with MIPS malta emulation allowing the YAMON
> firmware to run.
> 
> YAMON can be found at http://www.mips.com/products/system-software/yamon/
> 
> You can then boot to a YAMON prompt by passing the path to yamon-XX.bin to
> the -bios argument or by writing yamon-XX.bin to the start of a flash image
> passed to the -pflash argument. The YAMON 2.21 release & newer have been tested
> to work.
> 
> There is still a bug preventing YAMON from initialising the ethernet controller
> so an application or kernel cannot be loaded via TFTP. However the serial
> console functions and can examine or modify memory, modify the flash and
> environment variables, access disks etc.
> 
> As of YAMON 2.22 a YAMON bug prevents the environment from being initialized
> correctly by an "erase -e" command if you begin with a zeroed flash image. As
> a workaround you can fill empty areas of your flash image with 1s be generating
> your flash image like so:
> 
>   dd if=/dev/zero bs=1M count=4 | tr '\0' '\377' >flash.bin
>   dd if=yamon-02.22.bin of=flash.bin conv=notrunc
> 
> Paul Burton (6):
>   mips_malta: fix BIOS endianness swapping
>   mips_malta: correct reading MIPS revision at 0x1fc00010
>   mips_malta: generate SPD EEPROM data at runtime
>   mips_malta: cap BIOS endian swap length at 0x3e0000 bytes
>   mips_malta: generate SMBUS EEPROM data
>   pflash_cfi01: duplicate status byte from bits 23:16 for 32bit reads
> 
>  hw/block/pflash_cfi01.c |    3 +
>  hw/mips/mips_malta.c    |  219 +++++++++++++++++++++++++++++++++++------------
>  2 files changed, 166 insertions(+), 56 deletions(-)
> 

Thanks, all applied.

Now that YAMON can be loaded in QEMU, it would be nice the distribute
the corresponding bios file with QEMU. This means YAMON should have a
license that allows at least the distribution. However there is no
license in the binary version, and the source version contains some
comments in some files that basically says the file should have never
been made public:

|  * Unpublished rights reserved under U.S. copyright law.
|  *
|  * PROPRIETARY/SECRET CONFIDENTIAL INFORMATION OF MIPS TECHNOLOGIES,
|  * INC. FOR INTERNAL USE ONLY.
|  *
|  * Under no circumstances (contract or otherwise) may this information be
|  * disclosed to, or copied, modified or used by anyone other than employees
|  * or contractors of MIPS Technologies having a need to know.

Could it be somehow clarified?

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net

Re: [Qemu-devel] [PATCH 2/6] mips_malta: correct reading MIPS revision at 0x1fc00010

[Andreas Färber]

Am 14.06.2013 09:30, schrieb Leon Alrae:
> From: Paul Burton <paul.burton@imgtec.com>
> 
> Rather than modifying the BIOS code at its original location, copy it
> for the 0x1fc00000 region & modify the copy. This means the original
> ROM code is correctly readable at 0x1e000010 whilst the MIPS revision
> is readable at 0x1fc00010.
> 
> Additionally the code previously operated on target memory which would
> later be overwritten by the BIOS image upon CPU reset if the -bios
> argument was used to specify the BIOS image. This led to the written
> MIPS revision being lost. Copying using rom_copy when -bios is used
> fixes this issue.
> 
> Signed-off-by: Paul Burton <paul.burton@imgtec.com>
> Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
> ---
>  hw/mips/mips_malta.c |   25 +++++++++++++++++--------
>  1 files changed, 17 insertions(+), 8 deletions(-)

For some reason this commit breaks `make check`, please revert or fix.

Andreas

> 
> diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
> index 4def898..9117ae4 100644
> --- a/hw/mips/mips_malta.c
> +++ b/hw/mips/mips_malta.c
> @@ -789,7 +789,7 @@ void mips_malta_init(QEMUMachineInitArgs *args)
>      pflash_t *fl;
>      MemoryRegion *system_memory = get_system_memory();
>      MemoryRegion *ram = g_new(MemoryRegion, 1);
> -    MemoryRegion *bios, *bios_alias = g_new(MemoryRegion, 1);
> +    MemoryRegion *bios, *bios_copy = g_new(MemoryRegion, 1);
>      target_long bios_size = FLASH_SIZE;
>      int64_t kernel_entry;
>      PCIBus *pci_bus;
> @@ -929,14 +929,23 @@ void mips_malta_init(QEMUMachineInitArgs *args)
>  #endif
>      }
>  
> -    /* Map the BIOS at a 2nd physical location, as on the real board. */
> -    memory_region_init_alias(bios_alias, "bios.1fc", bios, 0, BIOS_SIZE);
> -    memory_region_add_subregion(system_memory, RESET_ADDRESS, bios_alias);
> +    /*
> +     * Map the BIOS at a 2nd physical location, as on the real board.
> +     * Copy it so that we can patch in the MIPS revision, which cannot be
> +     * handled by an overlapping region as the resulting ROM code subpage
> +     * regions are not executable.
> +     */
> +    memory_region_init_ram(bios_copy, "bios.1fc", BIOS_SIZE);
> +    if (!rom_copy(memory_region_get_ram_ptr(bios_copy),
> +                  FLASH_ADDRESS, bios_size)) {
> +        memcpy(memory_region_get_ram_ptr(bios_copy),
> +               memory_region_get_ram_ptr(bios), bios_size);
> +    }
> +    memory_region_set_readonly(bios_copy, true);
> +    memory_region_add_subregion(system_memory, RESET_ADDRESS, bios_copy);
>  
> -    /* Board ID = 0x420 (Malta Board with CoreLV)
> -       XXX: theoretically 0x1e000010 should map to flash and 0x1fc00010 should
> -       map to the board ID. */
> -    stl_p(memory_region_get_ram_ptr(bios) + 0x10, 0x00000420);
> +    /* Board ID = 0x420 (Malta Board with CoreLV) */
> +    stl_p(memory_region_get_ram_ptr(bios_copy) + 0x10, 0x00000420);
>  
>      /* Init internal devices */
>      cpu_mips_irq_init_cpu(env);
> 


-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg