From: Peter Maydell Date: Thu, 22 Mar 2018 12:51:34 +0000 Message-ID: Content-Type: text/plain; charset="UTF-8" Subject: Re: [Qemu-devel] [PATCH for-2.12] hw/intc/arm_gicv3: Fix secure-GIC NS ICC_PMR and ICC_RPR accesses List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-arm , QEMU Developers Cc: "patches@linaro.org" Ping for code review -- it would be nice to put this bugfix into rc1. thanks -- PMM On 15 March 2018 at 13:34, Peter Maydell wrote: > If the GIC has the security extension support enabled, then a > non-secure access to ICC_PMR must take account of the non-secure > view of interrupt priorities, where real priorities 0..0x7f > are secure-only and not visible to the non-secure guest, and > priorities 0x80..0xff are shown to the guest as if they were > 0x00..0xff. We had the logic here wrong: > * on reads, the priority is in the secure range if bit 7 > is clear, not if it is set > * on writes, we want to set bit 7, not mask everything else > > Our ICC_RPR read code had the same error as ICC_PMR. > > (Compare the GICv3 spec pseudocode functions ICC_RPR_EL1 > and ICC_PMR_EL1.) > > Fixes: https://bugs.launchpad.net/qemu/+bug/1748434 > Signed-off-by: Peter Maydell > --- > hw/intc/arm_gicv3_cpuif.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c > index 5cbafaf497..26f5eeda94 100644 > --- a/hw/intc/arm_gicv3_cpuif.c > +++ b/hw/intc/arm_gicv3_cpuif.c > @@ -836,7 +836,7 @@ static uint64_t icc_pmr_read(CPUARMState *env, const ARMCPRegInfo *ri) > /* NS access and Group 0 is inaccessible to NS: return the > * NS view of the current priority > */ > - if (value & 0x80) { > + if ((value & 0x80) == 0) { > /* Secure priorities not visible to NS */ > value = 0; > } else if (value != 0xff) { 
> @@ -871,7 +871,7 @@ static void icc_pmr_write(CPUARMState *env, const ARMCPRegInfo *ri, > /* Current PMR in the secure range, don't allow NS to change it */ > return; > } > - value = (value >> 1) & 0x80; > + value = (value >> 1) | 0x80; > } > cs->icc_pmr_el1 = value; > gicv3_cpuif_update(cs); > @@ -1609,7 +1609,7 @@ static uint64_t icc_rpr_read(CPUARMState *env, const ARMCPRegInfo *ri) > if (arm_feature(env, ARM_FEATURE_EL3) && > !arm_is_secure(env) && (env->cp15.scr_el3 & SCR_FIQ)) { > /* NS GIC access and Group 0 is inaccessible to NS */ > - if (prio & 0x80) { > + if ((prio & 0x80) == 0) { > /* NS mustn't see priorities in the Secure half of the range */ > prio = 0; > } else if (prio != 0xff) { > -- > 2.16.2
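Review bot: in the icc_pmr_read hunk (@@ -836), the comment beside the corrected test still reads only "Secure priorities not visible to NS", which does not say that the secure range is the half with bit 7 clear. Since the bug was this test being inverted, consider spelling it out, for example "priorities 0..0x7f (bit 7 clear) are Secure and not visible to NS", so the condition can be checked against the comment at a glance.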
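Review bot: in the icc_pmr_write hunk (@@ -871), "value = (value >> 1) | 0x80;" sets bit 7 but, unlike the old "& 0x80", no longer bounds the result, and nothing in the visible context masks value to 8 bits before it is stored in cs->icc_pmr_el1. If value is truncated earlier in the function this is fine; otherwise suggest "((value >> 1) | 0x80) & 0xff", or a comment pointing at where the truncation happens.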
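Review bot: the icc_rpr_read hunk (@@ -1609) repeats the same bit-7 test and the same "!= 0xff" branch as icc_pmr_read, and the commit message notes that both had the same error. Suggest factoring the NS-view conversion into one static helper called from both read functions, so a later fix cannot land in one and miss the other.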
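The non-secure priority view described in the commit message, as an added C example that is not part of the patch or of QEMU: it puts the pre-patch and corrected read test and write expression side by side. All function names are hypothetical, and the left shift inside the "!= 0xff" branch is an assumption, since the hunks do not show that branch's body.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not QEMU code; all function names are hypothetical.
 * Case modelled: Group 0 hidden from NS, real 0x00..0x7f are secure-only. */

/* NS read view with the corrected test (bit 7 clear means secure range). */
static uint8_t ns_read_fixed(uint8_t real)
{
    if ((real & 0x80) == 0) {
        return 0;                      /* secure priority: hidden from NS */
    } else if (real != 0xff) {
        /* Assumption: the body of this branch is not shown in the hunk. */
        return (uint8_t)(real << 1);   /* 0x80..0xfe -> 0x00..0xfc */
    }
    return real;                       /* 0xff is reported unchanged */
}

/* NS read view with the pre-patch (inverted) test. */
static uint8_t ns_read_old(uint8_t real)
{
    if (real & 0x80) {
        return 0;
    } else if (real != 0xff) {
        return (uint8_t)(real << 1);
    }
    return real;
}

/* Real PMR value stored for an NS write: corrected and pre-patch forms. */
static uint8_t ns_write_fixed(uint8_t ns) { return (uint8_t)((ns >> 1) | 0x80); }
static uint8_t ns_write_old(uint8_t ns)   { return (uint8_t)((ns >> 1) & 0x80); }

/* Count NS-written values (0..0xff) that end up in the secure half. */
static int writes_into_secure_half(uint8_t (*wr)(uint8_t))
{
    int n = 0;
    for (int ns = 0; ns <= 0xff; ns++) {
        n += (wr((uint8_t)ns) & 0x80) == 0;
    }
    return n;
}

int main(void)
{
    printf("read real 0x40: old=0x%02x fixed=0x%02x\n", ns_read_old(0x40), ns_read_fixed(0x40));
    printf("secure-half writes: old=%d fixed=%d\n", writes_into_secure_half(ns_write_old), writes_into_secure_half(ns_write_fixed));
    return 0;
}
```

The model leaves out the earlier guard in icc_pmr_write that returns when the current PMR is already in the secure range.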