[Qemu-devel] [Bug 1572329] [NEW] ARM emulation: r0 != 0 on boot

[Qemu-devel] [Bug 1572329] [NEW] ARM emulation: r0 != 0 on boot

[Sylvain]

Public bug reported:

# arm-softmmu/qemu-system-arm -M raspi2 -m 1024 -smp 4 -kernel
kernel.bin -serial stdio -dtb rpi2.dtb

My code shows r0 = 0x31 while it should be 0.

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1572329

Title:
  ARM emulation: r0 != 0 on boot

Status in QEMU:
  New

Bug description:
  # arm-softmmu/qemu-system-arm -M raspi2 -m 1024 -smp 4 -kernel
  kernel.bin -serial stdio -dtb rpi2.dtb

  My code shows r0 = 0x31 while it should be 0.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1572329/+subscriptions

[Qemu-devel] [Bug 1572329] Re: ARM emulation: r0 != 0 on boot

[Sylvain]

** Patch added: "Fix ARM bootloader"
   https://bugs.launchpad.net/qemu/+bug/1572329/+attachment/4640678/+files/qemu.patch

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1572329

Title:
  ARM emulation: r0 != 0 on boot

Status in QEMU:
  New

Bug description:
  # arm-softmmu/qemu-system-arm -M raspi2 -m 1024 -smp 4 -kernel
  kernel.bin -serial stdio -dtb rpi2.dtb

  My code shows r0 = 0x31 while it should be 0.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1572329/+subscriptions

[Qemu-devel] [Bug 1572329] Re: ARM emulation: r0 != 0 on boot

[Sylvain]

** Description changed:

- # arm-softmmu/qemu-system-arm -M raspi2 -m 1024 -smp 4 -kernel
- kernel.bin -serial stdio -dtb rpi2.dtb
+ The link register is not properly set up in the ARM bootloader code,
+ leading to the instruction which sets r0 to 0x00000000 to be skipped.
  
- My code shows r0 = 0x31 while it should be 0.
+ As a consequence, r0 may hold the value leaked from the board setup
+ code.
+ 
+ For instance, if using arm_write_secure_board_setup_dummy_smc, r0 holds
+ 0x00000031.
+ 
+ Attached is a patch to fix the issue.
+ 
+ Please include Sylvain Garrigues <sylvain@sylvaingarrigues.com> in the
+ commit log.

** Summary changed:

- ARM emulation: r0 != 0 on boot
+ ARM bootloader does not set r0 to 0

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1572329

Title:
  ARM bootloader does not set r0 to 0

Status in QEMU:
  New

Bug description:
  The link register is not properly set up in the ARM bootloader code,
  leading to the instruction which sets r0 to 0x00000000 to be skipped.

  As a consequence, r0 may hold the value leaked from the board setup
  code.

  For instance, if using arm_write_secure_board_setup_dummy_smc, r0
  holds 0x00000031.

  Attached is a patch to fix the issue.

  Please include Sylvain Garrigues <sylvain@sylvaingarrigues.com> in the
  commit log.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1572329/+subscriptions

Re: [Qemu-devel] [Bug 1572329] [NEW] ARM emulation: r0 != 0 on boot

[Peter Maydell]

On 19 April 2016 at 23:34, Sylvain <sylvain@sylvaingarrigues.com> wrote:
> # arm-softmmu/qemu-system-arm -M raspi2 -m 1024 -smp 4 -kernel
> kernel.bin -serial stdio -dtb rpi2.dtb
>
> My code shows r0 = 0x31 while it should be 0.

Hi. Thanks for this bug report and the patch. In order
for us to be able to use your patch, we'll need you to
provide a signed-off-by line, which tells us you have
the legal right to submit it and are happy for us to
include it in QEMU under QEMU's licensing terms.
(You can look at
http://wiki.qemu.org/Contribute/SubmitAPatch#Patch_emails_must_include_a_Signed-off-by:_line
if you want more details.)

You can provide a signoff just by replying to this email
with a line which reads
"Signed-off-by: Your Name <your.email@here>".

A couple of notes: this bug only affects boards which
have a write_board_setup function, which means only
highbank/midway, raspi2, and xilinx_zynq; that's probably
why we didn't spot it earlier.

thanks
-- PMM

Re: [Qemu-devel] [Bug 1572329] [NEW] ARM emulation: r0 != 0 on boot

[Sylvain Garrigues]

Signed-off-by: Sylvain Garrigues <sylvain@sylvaingarrigues.com>

Fix link register patch follows:

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index 5975fbf..5876945 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -68,7 +68,7 @@ static const ARMInsnFixup bootloader_aarch64[] = {
  */
 
 static const ARMInsnFixup bootloader[] = {
-    { 0xe28fe008 }, /* add     lr, pc, #8 */
+    { 0xe28fe004 }, /* add     lr, pc, #4 */
     { 0xe51ff004 }, /* ldr     pc, [pc, #-4] */
     { 0, FIXUP_BOARD_SETUP },
 #define BOOTLOADER_NO_BOARD_SETUP_OFFSET 3


> Le 20 avr. 2016 à 16:21, Peter Maydell <peter.maydell@linaro.org> a écrit :
> 
> On 19 April 2016 at 23:34, Sylvain <sylvain@sylvaingarrigues.com> wrote:
>> # arm-softmmu/qemu-system-arm -M raspi2 -m 1024 -smp 4 -kernel
>> kernel.bin -serial stdio -dtb rpi2.dtb
>> 
>> My code shows r0 = 0x31 while it should be 0.
> 
> Hi. Thanks for this bug report and the patch. In order
> for us to be able to use your patch, we'll need you to
> provide a signed-off-by line, which tells us you have
> the legal right to submit it and are happy for us to
> include it in QEMU under QEMU's licensing terms.
> (You can look at
> http://wiki.qemu.org/Contribute/SubmitAPatch#Patch_emails_must_include_a_Signed-off-by:_line
> if you want more details.)
> 
> You can provide a signoff just by replying to this email
> with a line which reads
> "Signed-off-by: Your Name <your.email@here>".
> 
> A couple of notes: this bug only affects boards which
> have a write_board_setup function, which means only
> highbank/midway, raspi2, and xilinx_zynq; that's probably
> why we didn't spot it earlier.
> 
> thanks
> -- PMM

[Qemu-devel] [Bug 1572329] Re: ARM bootloader does not set r0 to 0

[Peter Maydell]

Fix committed: b4850e5ae9607f9f31932


** Changed in: qemu
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1572329

Title:
  ARM bootloader does not set r0 to 0

Status in QEMU:
  Fix Committed

Bug description:
  The link register is not properly set up in the ARM bootloader code,
  leading to the instruction which sets r0 to 0x00000000 to be skipped.

  As a consequence, r0 may hold the value leaked from the board setup
  code.

  For instance, if using arm_write_secure_board_setup_dummy_smc, r0
  holds 0x00000031.

  Attached is a patch to fix the issue.

  Please include Sylvain Garrigues <sylvain@sylvaingarrigues.com> in the
  commit log.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1572329/+subscriptions

[Qemu-devel] [Bug 1572329] Re: ARM bootloader does not set r0 to 0

[T. Huth]

Should be part of QEMU 2.6 ==> Fix released

** Changed in: qemu
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1572329

Title:
  ARM bootloader does not set r0 to 0

Status in QEMU:
  Fix Released

Bug description:
  The link register is not properly set up in the ARM bootloader code,
  leading to the instruction which sets r0 to 0x00000000 to be skipped.

  As a consequence, r0 may hold the value leaked from the board setup
  code.

  For instance, if using arm_write_secure_board_setup_dummy_smc, r0
  holds 0x00000031.

  Attached is a patch to fix the issue.

  Please include Sylvain Garrigues <sylvain@sylvaingarrigues.com> in the
  commit log.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1572329/+subscriptions