[Qemu-devel] [PATCH v2] target-arm: implement PD0/PD1 bits for TTBCR

[Qemu-devel] [PATCH v2] target-arm: implement PD0/PD1 bits for TTBCR

[Fabian Aggeler]

Corrected handling of writes to TTBCR for ARMv8 (previously UNK/SBZP
bits are not RES0) and ARMv7 (new bits PD0/PD1 for CPUs with Security
Extensions).

Bits PD0/PD1 are now respected in get_phys_addr_v6/v5() and
get_level1_table_address.

Signed-off-by: Fabian Aggeler <aggelerf@ethz.ch>
---
v1 -> v2:
* dropped changes in get_phys_addr_lpae()
* simplified get_level1_table_address as suggested
* fixed checkpath issues

v1: http://lists.gnu.org/archive/html/qemu-devel/2014-05/msg06590.html

 target-arm/cpu.h    | 16 ++++++++++++++
 target-arm/helper.c | 60 ++++++++++++++++++++++++++++++++++++++---------------
 2 files changed, 59 insertions(+), 17 deletions(-)

diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index 8d04385..b0e8b0c 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -430,6 +430,22 @@ int arm_cpu_handle_mmu_fault(CPUState *cpu, vaddr address, int rw,
 /* Execution state bits.  MRS read as zero, MSR writes ignored.  */
 #define CPSR_EXEC (CPSR_T | CPSR_IT | CPSR_J)
 
+#define TTBCR_N      (7U << 0) /* TTBCR.EAE==0 */
+#define TTBCR_T0SZ   (7U << 0) /* TTBCR.EAE==1 */
+#define TTBCR_PD0    (1U << 4)
+#define TTBCR_PD1    (1U << 5)
+#define TTBCR_EPD0   (1U << 7)
+#define TTBCR_IRGN0  (3U << 8)
+#define TTBCR_ORGN0  (3U << 10)
+#define TTBCR_SH0    (3U << 12)
+#define TTBCR_T1SZ   (3U << 16)
+#define TTBCR_A1     (1U << 22)
+#define TTBCR_EPD1   (1U << 23)
+#define TTBCR_IRGN1  (3U << 24)
+#define TTBCR_ORGN1  (3U << 26)
+#define TTBCR_SH1    (1U << 28)
+#define TTBCR_EAE    (1U << 31)
+
 /* Bit definitions for ARMv8 SPSR (PSTATE) format.
  * Only these are valid when in AArch64 mode; in
  * AArch32 mode SPSRs are basically CPSR-format.
diff --git a/target-arm/helper.c b/target-arm/helper.c
index ec031f5..0b2ebc3 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -312,7 +312,7 @@ static inline bool extended_addresses_enabled(CPUARMState *env)
 {
     return arm_el_is_aa64(env, 1)
         || ((arm_feature(env, ARM_FEATURE_LPAE)
-             && (env->cp15.c2_control & (1U << 31))));
+             && (env->cp15.c2_control & TTBCR_EAE)));
 }
 
 static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
@@ -1413,11 +1413,22 @@ static void vmsa_ttbcr_raw_write(CPUARMState *env, const ARMCPRegInfo *ri,
 {
     int maskshift = extract32(value, 0, 3);
 
-    if (arm_feature(env, ARM_FEATURE_LPAE) && (value & (1 << 31))) {
-        value &= ~((7 << 19) | (3 << 14) | (0xf << 3));
-    } else {
-        value &= 7;
+    if (!arm_feature(env, ARM_FEATURE_V8)) {
+        if (arm_feature(env, ARM_FEATURE_LPAE) && (value & TTBCR_EAE)) {
+            /* Pre ARMv8 bits [21:19], [15:14] and [6:3] are UNK/SBZP when
+             * using Long-desciptor translation table format */
+            value &= ~((7 << 19) | (3 << 14) | (0xf << 3));
+        } else if (arm_feature(env, ARM_FEATURE_EL3)) {
+            /* In an implementation that includes the Security Extensions
+             * TTBCR has additional fields PD0 [4] and PD1 [5] for
+             * Short-descriptor translation table format.
+             */
+            value &= TTBCR_PD1 | TTBCR_PD0 | TTBCR_N;
+        } else {
+            value &= TTBCR_N;
+        }
     }
+
     /* Note that we always calculate c2_mask and c2_base_mask, but
      * they are only used for short-descriptor tables (ie if EAE is 0);
      * for long-descriptor tables the TTBCR fields are used differently
@@ -3540,17 +3551,24 @@ static inline int check_ap(CPUARMState *env, int ap, int domain_prot,
   }
 }
 
-static uint32_t get_level1_table_address(CPUARMState *env, uint32_t address)
+static bool get_level1_table_address(CPUARMState *env, uint32_t *table,
+                                         uint32_t address)
 {
-    uint32_t table;
-
-    if (address & env->cp15.c2_mask)
-        table = env->cp15.ttbr1_el1 & 0xffffc000;
-    else
-        table = env->cp15.ttbr0_el1 & env->cp15.c2_base_mask;
-
-    table |= (address >> 18) & 0x3ffc;
-    return table;
+    if (address & env->cp15.c2_mask) {
+        if ((env->cp15.c2_control & TTBCR_PD1)) {
+            /* Translation table walk disabled for TTBR1 */
+            return false;
+        }
+        *table = env->cp15.ttbr1_el1 & 0xffffc000;
+    } else {
+        if ((env->cp15.c2_control & TTBCR_PD0)) {
+            /* Translation table walk disabled for TTBR0 */
+            return false;
+        }
+        *table = env->cp15.ttbr0_el1 & env->cp15.c2_base_mask;
+    }
+    *table |= (address >> 18) & 0x3ffc;
+    return true;
 }
 
 static int get_phys_addr_v5(CPUARMState *env, uint32_t address, int access_type,
@@ -3569,7 +3587,11 @@ static int get_phys_addr_v5(CPUARMState *env, uint32_t address, int access_type,
 
     /* Pagetable walk.  */
     /* Lookup l1 descriptor.  */
-    table = get_level1_table_address(env, address);
+    if (!get_level1_table_address(env, &table, address)) {
+        /* Section translation fault if page walk is disabled by PD0 or PD1 */
+        code = 5;
+        goto do_fault;
+    }
     desc = ldl_phys(cs->as, table);
     type = (desc & 3);
     domain = (desc >> 5) & 0x0f;
@@ -3667,7 +3689,11 @@ static int get_phys_addr_v6(CPUARMState *env, uint32_t address, int access_type,
 
     /* Pagetable walk.  */
     /* Lookup l1 descriptor.  */
-    table = get_level1_table_address(env, address);
+    if (!get_level1_table_address(env, &table, address)) {
+        /* Section translation fault if page walk is disabled by PD0 or PD1 */
+        code = 5;
+        goto do_fault;
+    }
     desc = ldl_phys(cs->as, table);
     type = (desc & 3);
     if (type == 0 || (type == 3 && !arm_feature(env, ARM_FEATURE_PXN))) {
-- 
1.8.3.2

Re: [Qemu-devel] [PATCH v2] target-arm: implement PD0/PD1 bits for TTBCR

[Greg Bellows]

[-- Attachment #1: Type: text/plain, Size: 6111 bytes --]

Reviewed by: Greg Bellows <greg.bellows@linaro.org>


On 5 June 2014 05:39, Fabian Aggeler <aggelerf@ethz.ch> wrote:

> Corrected handling of writes to TTBCR for ARMv8 (previously UNK/SBZP
> bits are not RES0) and ARMv7 (new bits PD0/PD1 for CPUs with Security
> Extensions).
>
> Bits PD0/PD1 are now respected in get_phys_addr_v6/v5() and
> get_level1_table_address.
>
> Signed-off-by: Fabian Aggeler <aggelerf@ethz.ch>
> ---
> v1 -> v2:
> * dropped changes in get_phys_addr_lpae()
> * simplified get_level1_table_address as suggested
> * fixed checkpath issues
>
> v1: http://lists.gnu.org/archive/html/qemu-devel/2014-05/msg06590.html
>
>  target-arm/cpu.h    | 16 ++++++++++++++
>  target-arm/helper.c | 60
> ++++++++++++++++++++++++++++++++++++++---------------
>  2 files changed, 59 insertions(+), 17 deletions(-)
>
> diff --git a/target-arm/cpu.h b/target-arm/cpu.h
> index 8d04385..b0e8b0c 100644
> --- a/target-arm/cpu.h
> +++ b/target-arm/cpu.h
> @@ -430,6 +430,22 @@ int arm_cpu_handle_mmu_fault(CPUState *cpu, vaddr
> address, int rw,
>  /* Execution state bits.  MRS read as zero, MSR writes ignored.  */
>  #define CPSR_EXEC (CPSR_T | CPSR_IT | CPSR_J)
>
> +#define TTBCR_N      (7U << 0) /* TTBCR.EAE==0 */
> +#define TTBCR_T0SZ   (7U << 0) /* TTBCR.EAE==1 */
> +#define TTBCR_PD0    (1U << 4)
> +#define TTBCR_PD1    (1U << 5)
> +#define TTBCR_EPD0   (1U << 7)
> +#define TTBCR_IRGN0  (3U << 8)
> +#define TTBCR_ORGN0  (3U << 10)
> +#define TTBCR_SH0    (3U << 12)
> +#define TTBCR_T1SZ   (3U << 16)
> +#define TTBCR_A1     (1U << 22)
> +#define TTBCR_EPD1   (1U << 23)
> +#define TTBCR_IRGN1  (3U << 24)
> +#define TTBCR_ORGN1  (3U << 26)
> +#define TTBCR_SH1    (1U << 28)
> +#define TTBCR_EAE    (1U << 31)
> +
>  /* Bit definitions for ARMv8 SPSR (PSTATE) format.
>   * Only these are valid when in AArch64 mode; in
>   * AArch32 mode SPSRs are basically CPSR-format.
> diff --git a/target-arm/helper.c b/target-arm/helper.c
> index ec031f5..0b2ebc3 100644
> --- a/target-arm/helper.c
> +++ b/target-arm/helper.c
> @@ -312,7 +312,7 @@ static inline bool
> extended_addresses_enabled(CPUARMState *env)
>  {
>      return arm_el_is_aa64(env, 1)
>          || ((arm_feature(env, ARM_FEATURE_LPAE)
> -             && (env->cp15.c2_control & (1U << 31))));
> +             && (env->cp15.c2_control & TTBCR_EAE)));
>  }
>
>  static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t
> value)
> @@ -1413,11 +1413,22 @@ static void vmsa_ttbcr_raw_write(CPUARMState *env,
> const ARMCPRegInfo *ri,
>  {
>      int maskshift = extract32(value, 0, 3);
>
> -    if (arm_feature(env, ARM_FEATURE_LPAE) && (value & (1 << 31))) {
> -        value &= ~((7 << 19) | (3 << 14) | (0xf << 3));
> -    } else {
> -        value &= 7;
> +    if (!arm_feature(env, ARM_FEATURE_V8)) {
> +        if (arm_feature(env, ARM_FEATURE_LPAE) && (value & TTBCR_EAE)) {
> +            /* Pre ARMv8 bits [21:19], [15:14] and [6:3] are UNK/SBZP when
> +             * using Long-desciptor translation table format */
> +            value &= ~((7 << 19) | (3 << 14) | (0xf << 3));
> +        } else if (arm_feature(env, ARM_FEATURE_EL3)) {
> +            /* In an implementation that includes the Security Extensions
> +             * TTBCR has additional fields PD0 [4] and PD1 [5] for
> +             * Short-descriptor translation table format.
> +             */
> +            value &= TTBCR_PD1 | TTBCR_PD0 | TTBCR_N;
> +        } else {
> +            value &= TTBCR_N;
> +        }
>      }
> +
>      /* Note that we always calculate c2_mask and c2_base_mask, but
>       * they are only used for short-descriptor tables (ie if EAE is 0);
>       * for long-descriptor tables the TTBCR fields are used differently
> @@ -3540,17 +3551,24 @@ static inline int check_ap(CPUARMState *env, int
> ap, int domain_prot,
>    }
>  }
>
> -static uint32_t get_level1_table_address(CPUARMState *env, uint32_t
> address)
> +static bool get_level1_table_address(CPUARMState *env, uint32_t *table,
> +                                         uint32_t address)
>  {
> -    uint32_t table;
> -
> -    if (address & env->cp15.c2_mask)
> -        table = env->cp15.ttbr1_el1 & 0xffffc000;
> -    else
> -        table = env->cp15.ttbr0_el1 & env->cp15.c2_base_mask;
> -
> -    table |= (address >> 18) & 0x3ffc;
> -    return table;
> +    if (address & env->cp15.c2_mask) {
> +        if ((env->cp15.c2_control & TTBCR_PD1)) {
> +            /* Translation table walk disabled for TTBR1 */
> +            return false;
> +        }
> +        *table = env->cp15.ttbr1_el1 & 0xffffc000;
> +    } else {
> +        if ((env->cp15.c2_control & TTBCR_PD0)) {
> +            /* Translation table walk disabled for TTBR0 */
> +            return false;
> +        }
> +        *table = env->cp15.ttbr0_el1 & env->cp15.c2_base_mask;
> +    }
> +    *table |= (address >> 18) & 0x3ffc;
> +    return true;
>  }
>
>  static int get_phys_addr_v5(CPUARMState *env, uint32_t address, int
> access_type,
> @@ -3569,7 +3587,11 @@ static int get_phys_addr_v5(CPUARMState *env,
> uint32_t address, int access_type,
>
>      /* Pagetable walk.  */
>      /* Lookup l1 descriptor.  */
> -    table = get_level1_table_address(env, address);
> +    if (!get_level1_table_address(env, &table, address)) {
> +        /* Section translation fault if page walk is disabled by PD0 or
> PD1 */
> +        code = 5;
> +        goto do_fault;
> +    }
>      desc = ldl_phys(cs->as, table);
>      type = (desc & 3);
>      domain = (desc >> 5) & 0x0f;
> @@ -3667,7 +3689,11 @@ static int get_phys_addr_v6(CPUARMState *env,
> uint32_t address, int access_type,
>
>      /* Pagetable walk.  */
>      /* Lookup l1 descriptor.  */
> -    table = get_level1_table_address(env, address);
> +    if (!get_level1_table_address(env, &table, address)) {
> +        /* Section translation fault if page walk is disabled by PD0 or
> PD1 */
> +        code = 5;
> +        goto do_fault;
> +    }
>      desc = ldl_phys(cs->as, table);
>      type = (desc & 3);
>      if (type == 0 || (type == 3 && !arm_feature(env, ARM_FEATURE_PXN))) {
> --
> 1.8.3.2
>
>

[-- Attachment #2: Type: text/html, Size: 7857 bytes --]

Re: [Qemu-devel] [PATCH v2] target-arm: implement PD0/PD1 bits for TTBCR

[Peter Maydell]

On 5 June 2014 11:39, Fabian Aggeler <aggelerf@ethz.ch> wrote:
> Corrected handling of writes to TTBCR for ARMv8 (previously UNK/SBZP
> bits are not RES0) and ARMv7 (new bits PD0/PD1 for CPUs with Security
> Extensions).
>
> Bits PD0/PD1 are now respected in get_phys_addr_v6/v5() and
> get_level1_table_address.
>
> Signed-off-by: Fabian Aggeler <aggelerf@ethz.ch>

Applied to target-arm.next.

> -static uint32_t get_level1_table_address(CPUARMState *env, uint32_t address)
> +static bool get_level1_table_address(CPUARMState *env, uint32_t *table,
> +                                         uint32_t address)

(I tidied up this line so the 'uint32_t' lines up with the
'CPUARMState' on the previous line.)

thanks
-- PMM

Re: [Qemu-devel] [PATCH v2] target-arm: implement PD0/PD1 bits for TTBCR

[Peter Maydell]

On 9 June 2014 12:27, Peter Maydell <peter.maydell@linaro.org> wrote:
> On 5 June 2014 11:39, Fabian Aggeler <aggelerf@ethz.ch> wrote:
>> Corrected handling of writes to TTBCR for ARMv8 (previously UNK/SBZP
>> bits are not RES0) and ARMv7 (new bits PD0/PD1 for CPUs with Security
>> Extensions).
>>
>> Bits PD0/PD1 are now respected in get_phys_addr_v6/v5() and
>> get_level1_table_address.
>>
>> Signed-off-by: Fabian Aggeler <aggelerf@ethz.ch>
>
> Applied to target-arm.next.

Unapplied -- the 'goto do_fault' codepaths in get_phys_addr_v5()
end up using 'domain' in constructing the returned fault status
code without ever initialising it.

Since this is a first level Translation fault, the DFSR Domain
field is UNKNOWN, so it should be sufficient to set it to 0.
You might as well just set it to 0 when it's defined at the top
of the function, as get_phys_addr_v6() does.

thanks
-- PMM

Re: [Qemu-devel] [PATCH v2] target-arm: implement PD0/PD1 bits for TTBCR

[Aggeler Fabian]

On 09 Jun 2014, at 17:18, Peter Maydell <peter.maydell@linaro.org> wrote:

> On 9 June 2014 12:27, Peter Maydell <peter.maydell@linaro.org> wrote:
>> On 5 June 2014 11:39, Fabian Aggeler <aggelerf@ethz.ch> wrote:
>>> Corrected handling of writes to TTBCR for ARMv8 (previously UNK/SBZP
>>> bits are not RES0) and ARMv7 (new bits PD0/PD1 for CPUs with Security
>>> Extensions).
>>> 
>>> Bits PD0/PD1 are now respected in get_phys_addr_v6/v5() and
>>> get_level1_table_address.
>>> 
>>> Signed-off-by: Fabian Aggeler <aggelerf@ethz.ch>
>> 
>> Applied to target-arm.next.
> 
> Unapplied -- the 'goto do_fault' codepaths in get_phys_addr_v5()
> end up using 'domain' in constructing the returned fault status
> code without ever initialising it.
> 
> Since this is a first level Translation fault, the DFSR Domain
> field is UNKNOWN, so it should be sufficient to set it to 0.
> You might as well just set it to 0 when it's defined at the top
> of the function, as get_phys_addr_v6() does.
> 
> thanks
> -- PMM

Thanks, I will send a v3 with domain initialised.

Fabian

Re: [Qemu-devel] [PATCH v2] target-arm: implement PD0/PD1 bits for TTBCR

[Peter Maydell]

On 10 June 2014 18:00, Aggeler  Fabian <aggelerf@student.ethz.ch> wrote:
> Obviously not v2 but v3 (subject). Sorry for that, please ignore it as I am going to resend.

You don't need to resend just for that. Applied to target-arm.next.

thanks
-- PMM

Re: [Qemu-devel] [PATCH v2] target-arm: implement PD0/PD1 bits for TTBCR

[Aggeler Fabian]

Obviously not v2 but v3 (subject). Sorry for that, please ignore it as I am going to resend.

Regards,
Fabian

On 10 Jun 2014, at 16:12, Fabian Aggeler <aggelerf@ethz.ch> wrote:

> Corrected handling of writes to TTBCR for ARMv8 (previously UNK/SBZP
> bits are not RES0) and ARMv7 (new bits PD0/PD1 for CPUs with Security
> Extensions).
> 
> Bits PD0/PD1 are now respected in get_phys_addr_v6/v5() and
> get_level1_table_address.
> 
> Signed-off-by: Fabian Aggeler <aggelerf@ethz.ch>
> ---
> v2 -> v3:
> * rebased
> * initializing domain in get_phys_addr_v5() as done in get_phys_addr_v6()
> 
> v2: http://lists.gnu.org/archive/html/qemu-devel/2014-06/msg01197.html
> 
> target-arm/cpu.h    | 16 ++++++++++++++
> target-arm/helper.c | 62 +++++++++++++++++++++++++++++++++++++----------------
> 2 files changed, 60 insertions(+), 18 deletions(-)
> 
> diff --git a/target-arm/cpu.h b/target-arm/cpu.h
> index 79e7f82..369d472 100644
> --- a/target-arm/cpu.h
> +++ b/target-arm/cpu.h
> @@ -430,6 +430,22 @@ int arm_cpu_handle_mmu_fault(CPUState *cpu, vaddr address, int rw,
> /* Execution state bits.  MRS read as zero, MSR writes ignored.  */
> #define CPSR_EXEC (CPSR_T | CPSR_IT | CPSR_J)
> 
> +#define TTBCR_N      (7U << 0) /* TTBCR.EAE==0 */
> +#define TTBCR_T0SZ   (7U << 0) /* TTBCR.EAE==1 */
> +#define TTBCR_PD0    (1U << 4)
> +#define TTBCR_PD1    (1U << 5)
> +#define TTBCR_EPD0   (1U << 7)
> +#define TTBCR_IRGN0  (3U << 8)
> +#define TTBCR_ORGN0  (3U << 10)
> +#define TTBCR_SH0    (3U << 12)
> +#define TTBCR_T1SZ   (3U << 16)
> +#define TTBCR_A1     (1U << 22)
> +#define TTBCR_EPD1   (1U << 23)
> +#define TTBCR_IRGN1  (3U << 24)
> +#define TTBCR_ORGN1  (3U << 26)
> +#define TTBCR_SH1    (1U << 28)
> +#define TTBCR_EAE    (1U << 31)
> +
> /* Bit definitions for ARMv8 SPSR (PSTATE) format.
>  * Only these are valid when in AArch64 mode; in
>  * AArch32 mode SPSRs are basically CPSR-format.
> diff --git a/target-arm/helper.c b/target-arm/helper.c
> index 050c409..12285cd 100644
> --- a/target-arm/helper.c
> +++ b/target-arm/helper.c
> @@ -312,7 +312,7 @@ static inline bool extended_addresses_enabled(CPUARMState *env)
> {
>     return arm_el_is_aa64(env, 1)
>         || ((arm_feature(env, ARM_FEATURE_LPAE)
> -             && (env->cp15.c2_control & (1U << 31))));
> +             && (env->cp15.c2_control & TTBCR_EAE)));
> }
> 
> static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
> @@ -1413,11 +1413,22 @@ static void vmsa_ttbcr_raw_write(CPUARMState *env, const ARMCPRegInfo *ri,
> {
>     int maskshift = extract32(value, 0, 3);
> 
> -    if (arm_feature(env, ARM_FEATURE_LPAE) && (value & (1 << 31))) {
> -        value &= ~((7 << 19) | (3 << 14) | (0xf << 3));
> -    } else {
> -        value &= 7;
> +    if (!arm_feature(env, ARM_FEATURE_V8)) {
> +        if (arm_feature(env, ARM_FEATURE_LPAE) && (value & TTBCR_EAE)) {
> +            /* Pre ARMv8 bits [21:19], [15:14] and [6:3] are UNK/SBZP when
> +             * using Long-desciptor translation table format */
> +            value &= ~((7 << 19) | (3 << 14) | (0xf << 3));
> +        } else if (arm_feature(env, ARM_FEATURE_EL3)) {
> +            /* In an implementation that includes the Security Extensions
> +             * TTBCR has additional fields PD0 [4] and PD1 [5] for
> +             * Short-descriptor translation table format.
> +             */
> +            value &= TTBCR_PD1 | TTBCR_PD0 | TTBCR_N;
> +        } else {
> +            value &= TTBCR_N;
> +        }
>     }
> +
>     /* Note that we always calculate c2_mask and c2_base_mask, but
>      * they are only used for short-descriptor tables (ie if EAE is 0);
>      * for long-descriptor tables the TTBCR fields are used differently
> @@ -3540,17 +3551,24 @@ static inline int check_ap(CPUARMState *env, int ap, int domain_prot,
>   }
> }
> 
> -static uint32_t get_level1_table_address(CPUARMState *env, uint32_t address)
> +static bool get_level1_table_address(CPUARMState *env, uint32_t *table,
> +                                         uint32_t address)
> {
> -    uint32_t table;
> -
> -    if (address & env->cp15.c2_mask)
> -        table = env->cp15.ttbr1_el1 & 0xffffc000;
> -    else
> -        table = env->cp15.ttbr0_el1 & env->cp15.c2_base_mask;
> -
> -    table |= (address >> 18) & 0x3ffc;
> -    return table;
> +    if (address & env->cp15.c2_mask) {
> +        if ((env->cp15.c2_control & TTBCR_PD1)) {
> +            /* Translation table walk disabled for TTBR1 */
> +            return false;
> +        }
> +        *table = env->cp15.ttbr1_el1 & 0xffffc000;
> +    } else {
> +        if ((env->cp15.c2_control & TTBCR_PD0)) {
> +            /* Translation table walk disabled for TTBR0 */
> +            return false;
> +        }
> +        *table = env->cp15.ttbr0_el1 & env->cp15.c2_base_mask;
> +    }
> +    *table |= (address >> 18) & 0x3ffc;
> +    return true;
> }
> 
> static int get_phys_addr_v5(CPUARMState *env, uint32_t address, int access_type,
> @@ -3563,13 +3581,17 @@ static int get_phys_addr_v5(CPUARMState *env, uint32_t address, int access_type,
>     uint32_t desc;
>     int type;
>     int ap;
> -    int domain;
> +    int domain = 0;
>     int domain_prot;
>     hwaddr phys_addr;
> 
>     /* Pagetable walk.  */
>     /* Lookup l1 descriptor.  */
> -    table = get_level1_table_address(env, address);
> +    if (!get_level1_table_address(env, &table, address)) {
> +        /* Section translation fault if page walk is disabled by PD0 or PD1 */
> +        code = 5;
> +        goto do_fault;
> +    }
>     desc = ldl_phys(cs->as, table);
>     type = (desc & 3);
>     domain = (desc >> 5) & 0x0f;
> @@ -3667,7 +3689,11 @@ static int get_phys_addr_v6(CPUARMState *env, uint32_t address, int access_type,
> 
>     /* Pagetable walk.  */
>     /* Lookup l1 descriptor.  */
> -    table = get_level1_table_address(env, address);
> +    if (!get_level1_table_address(env, &table, address)) {
> +        /* Section translation fault if page walk is disabled by PD0 or PD1 */
> +        code = 5;
> +        goto do_fault;
> +    }
>     desc = ldl_phys(cs->as, table);
>     type = (desc & 3);
>     if (type == 0 || (type == 3 && !arm_feature(env, ARM_FEATURE_PXN))) {
> -- 
> 1.8.3.2
> 
> 
> 

[Qemu-devel] [PATCH v2] target-arm: implement PD0/PD1 bits for TTBCR

[Fabian Aggeler]

Corrected handling of writes to TTBCR for ARMv8 (previously UNK/SBZP
bits are not RES0) and ARMv7 (new bits PD0/PD1 for CPUs with Security
Extensions).

Bits PD0/PD1 are now respected in get_phys_addr_v6/v5() and
get_level1_table_address.

Signed-off-by: Fabian Aggeler <aggelerf@ethz.ch>
---
v2 -> v3:
* rebased
* initializing domain in get_phys_addr_v5() as done in get_phys_addr_v6()

v2: http://lists.gnu.org/archive/html/qemu-devel/2014-06/msg01197.html

 target-arm/cpu.h    | 16 ++++++++++++++
 target-arm/helper.c | 62 +++++++++++++++++++++++++++++++++++++----------------
 2 files changed, 60 insertions(+), 18 deletions(-)

diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index 79e7f82..369d472 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -430,6 +430,22 @@ int arm_cpu_handle_mmu_fault(CPUState *cpu, vaddr address, int rw,
 /* Execution state bits.  MRS read as zero, MSR writes ignored.  */
 #define CPSR_EXEC (CPSR_T | CPSR_IT | CPSR_J)
 
+#define TTBCR_N      (7U << 0) /* TTBCR.EAE==0 */
+#define TTBCR_T0SZ   (7U << 0) /* TTBCR.EAE==1 */
+#define TTBCR_PD0    (1U << 4)
+#define TTBCR_PD1    (1U << 5)
+#define TTBCR_EPD0   (1U << 7)
+#define TTBCR_IRGN0  (3U << 8)
+#define TTBCR_ORGN0  (3U << 10)
+#define TTBCR_SH0    (3U << 12)
+#define TTBCR_T1SZ   (3U << 16)
+#define TTBCR_A1     (1U << 22)
+#define TTBCR_EPD1   (1U << 23)
+#define TTBCR_IRGN1  (3U << 24)
+#define TTBCR_ORGN1  (3U << 26)
+#define TTBCR_SH1    (1U << 28)
+#define TTBCR_EAE    (1U << 31)
+
 /* Bit definitions for ARMv8 SPSR (PSTATE) format.
  * Only these are valid when in AArch64 mode; in
  * AArch32 mode SPSRs are basically CPSR-format.
diff --git a/target-arm/helper.c b/target-arm/helper.c
index 050c409..12285cd 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -312,7 +312,7 @@ static inline bool extended_addresses_enabled(CPUARMState *env)
 {
     return arm_el_is_aa64(env, 1)
         || ((arm_feature(env, ARM_FEATURE_LPAE)
-             && (env->cp15.c2_control & (1U << 31))));
+             && (env->cp15.c2_control & TTBCR_EAE)));
 }
 
 static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
@@ -1413,11 +1413,22 @@ static void vmsa_ttbcr_raw_write(CPUARMState *env, const ARMCPRegInfo *ri,
 {
     int maskshift = extract32(value, 0, 3);
 
-    if (arm_feature(env, ARM_FEATURE_LPAE) && (value & (1 << 31))) {
-        value &= ~((7 << 19) | (3 << 14) | (0xf << 3));
-    } else {
-        value &= 7;
+    if (!arm_feature(env, ARM_FEATURE_V8)) {
+        if (arm_feature(env, ARM_FEATURE_LPAE) && (value & TTBCR_EAE)) {
+            /* Pre ARMv8 bits [21:19], [15:14] and [6:3] are UNK/SBZP when
+             * using Long-desciptor translation table format */
+            value &= ~((7 << 19) | (3 << 14) | (0xf << 3));
+        } else if (arm_feature(env, ARM_FEATURE_EL3)) {
+            /* In an implementation that includes the Security Extensions
+             * TTBCR has additional fields PD0 [4] and PD1 [5] for
+             * Short-descriptor translation table format.
+             */
+            value &= TTBCR_PD1 | TTBCR_PD0 | TTBCR_N;
+        } else {
+            value &= TTBCR_N;
+        }
     }
+
     /* Note that we always calculate c2_mask and c2_base_mask, but
      * they are only used for short-descriptor tables (ie if EAE is 0);
      * for long-descriptor tables the TTBCR fields are used differently
@@ -3540,17 +3551,24 @@ static inline int check_ap(CPUARMState *env, int ap, int domain_prot,
   }
 }
 
-static uint32_t get_level1_table_address(CPUARMState *env, uint32_t address)
+static bool get_level1_table_address(CPUARMState *env, uint32_t *table,
+                                         uint32_t address)
 {
-    uint32_t table;
-
-    if (address & env->cp15.c2_mask)
-        table = env->cp15.ttbr1_el1 & 0xffffc000;
-    else
-        table = env->cp15.ttbr0_el1 & env->cp15.c2_base_mask;
-
-    table |= (address >> 18) & 0x3ffc;
-    return table;
+    if (address & env->cp15.c2_mask) {
+        if ((env->cp15.c2_control & TTBCR_PD1)) {
+            /* Translation table walk disabled for TTBR1 */
+            return false;
+        }
+        *table = env->cp15.ttbr1_el1 & 0xffffc000;
+    } else {
+        if ((env->cp15.c2_control & TTBCR_PD0)) {
+            /* Translation table walk disabled for TTBR0 */
+            return false;
+        }
+        *table = env->cp15.ttbr0_el1 & env->cp15.c2_base_mask;
+    }
+    *table |= (address >> 18) & 0x3ffc;
+    return true;
 }
 
 static int get_phys_addr_v5(CPUARMState *env, uint32_t address, int access_type,
@@ -3563,13 +3581,17 @@ static int get_phys_addr_v5(CPUARMState *env, uint32_t address, int access_type,
     uint32_t desc;
     int type;
     int ap;
-    int domain;
+    int domain = 0;
     int domain_prot;
     hwaddr phys_addr;
 
     /* Pagetable walk.  */
     /* Lookup l1 descriptor.  */
-    table = get_level1_table_address(env, address);
+    if (!get_level1_table_address(env, &table, address)) {
+        /* Section translation fault if page walk is disabled by PD0 or PD1 */
+        code = 5;
+        goto do_fault;
+    }
     desc = ldl_phys(cs->as, table);
     type = (desc & 3);
     domain = (desc >> 5) & 0x0f;
@@ -3667,7 +3689,11 @@ static int get_phys_addr_v6(CPUARMState *env, uint32_t address, int access_type,
 
     /* Pagetable walk.  */
     /* Lookup l1 descriptor.  */
-    table = get_level1_table_address(env, address);
+    if (!get_level1_table_address(env, &table, address)) {
+        /* Section translation fault if page walk is disabled by PD0 or PD1 */
+        code = 5;
+        goto do_fault;
+    }
     desc = ldl_phys(cs->as, table);
     type = (desc & 3);
     if (type == 0 || (type == 3 && !arm_feature(env, ARM_FEATURE_PXN))) {
-- 
1.8.3.2