target/arm: Fix physical address resolution for Stage2

Conversion to probe_access_full missed applying the page offset.

Cc: qemu-stable@nongnu.org
Reported-by: Sid Manning <sidneym@quicinc.com>
Sig

target/arm: Fix physical address resolution for Stage2

Conversion to probe_access_full missed applying the page offset.

Cc: qemu-stable@nongnu.org
Reported-by: Sid Manning <sidneym@quicinc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20230126233134.103193-1-richard.henderson@linaro.org
Fixes: f3639a64f602 ("target/arm: Use softmmu tlbs for page table walking")
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge tag 'pull-target-arm-20230123' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* Widen cnthctl_el2 to uint64_t
* Unify checking for M Main Extension in MRS/

Merge tag 'pull-target-arm-20230123' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* Widen cnthctl_el2 to uint64_t
* Unify checking for M Main Extension in MRS/MSR
* bitbang_i2c, versatile_i2c: code cleanups
* SME: refactor SME SM/ZA handling
* Fix physical address resolution for MTE
* Fix in_debug path in S1_ptw_translate
* Don't set EXC_RETURN.ES if Security Extension not present
* Implement DBGCLAIM registers
* Provide stubs for more external debug registers
* Look up ARMCPRegInfo at runtime, not translate time

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmPOjQQZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3vreD/sGr7outToY4FSZ4GGpC1L6
# ZwF6kjmwED/8EVaGZxWOaL2/oNoEav2YSpzUbqCa79jUx5zFBE145zYknL/bZyjS
# VLX9G2vFFCtwFQ9rc2wV/3JmTmMmSCnHqOZPMSVy5vrQKH6d41WFYZEvGpJmCgh6
# YWK4gnMqkuIHmSvxw+S6q9p/3jzPk7c3vy8eRcxp+AMnfSBkYu0kFXmr7yOwscRS
# adT8GFrkj0our/HtYqvzclVzrxcCVF1pWrtrHK7ZSddmElIcztel+1/yQH3T6onj
# aOyRj1WC3+0t9uKwUNTFSHkRUqMqr6XYvRF+cvpe5N7lbfVn57u2TwmPgUwYbZcg
# 8Mbz+LRYENzTYZa59ACxJXXcG0BivXiTwyrFR8Ck0vakcWFAjDzxHOw9CgHkDwPs
# Dd93b04esehIN7MY8/5CSkbx+8ey+YK+o7sofiDCMKcYwooM1Y+Ls21ZcjA5GH+n
# SsXp93SgagndCydD0ftRUlDTtGL7dhzaGpRmYArjeWzOKBbAmv/WfQeH47p3bpaP
# CB2RUjHzYobMGLO0yp9droOaVKqKKLtc7wGzxgJGx6j5FrN0lnCEMRrKrZJ57Q/q
# z4VoRoo0I6Q994/mVanGqXx8cSucyl0Z3HbC633WvrnZXzoM7+7HlQLhpF+yd9+s
# 4lHiw0rPgqXtwEfeMaESSQ==
# =ubIU
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 23 Jan 2023 13:35:00 GMT
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20230123' of https://git.linaro.org/people/pmaydell/qemu-arm: (26 commits)
target/arm: Look up ARMCPRegInfo at runtime
target/arm: Reorg do_coproc_insn
target/arm: provide stubs for more external debug registers
target/arm: implement DBGCLAIM registers
target/arm: Don't set EXC_RETURN.ES if Security Extension not present
target/arm: Fix in_debug path in S1_ptw_translate
target/arm: Fix physical address resolution for MTE
target/arm/sme: Unify set_pstate() SM/ZA helpers as set_svcr()
target/arm/sme: Rebuild hflags in aarch64_set_svcr()
target/arm/sme: Reset ZA state in aarch64_set_svcr()
target/arm/sme: Reset SVE state in aarch64_set_svcr()
target/arm/sme: Introduce aarch64_set_svcr()
target/arm/sme: Rebuild hflags in set_pstate() helpers
target/arm/sme: Reorg SME access handling in handle_msr_i()
hw/i2c/versatile_i2c: Rename versatile_i2c -> arm_sbcon_i2c
hw/i2c/versatile_i2c: Use ARM_SBCON_I2C() macro
hw/i2c/versatile_i2c: Replace TYPE_VERSATILE_I2C -> TYPE_ARM_SBCON_I2C
hw/i2c/versatile_i2c: Replace VersatileI2CState -> ArmSbconI2CState
hw/i2c/versatile_i2c: Drop useless casts from void * to pointer
hw/i2c/bitbang_i2c: Convert DPRINTF() to trace events
...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Fix in_debug path in S1_ptw_translate

During the conversion, the test against get_phys_addr_lpae got inverted,
meaning that successful translations went to the 'failed' label.

Cc: qemu-

target/arm: Fix in_debug path in S1_ptw_translate

During the conversion, the test against get_phys_addr_lpae got inverted,
meaning that successful translations went to the 'failed' label.

Cc: qemu-stable@nongnu.org
Fixes: f3639a64f60 ("target/arm: Use softmmu tlbs for page table walking")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1417
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230114054605.2977022-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge tag 'pull-target-arm-20230105' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* Implement AArch32 ARMv8-R support
* Add Cortex-R52 CPU
* fix handling of H

Merge tag 'pull-target-arm-20230105' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* Implement AArch32 ARMv8-R support
* Add Cortex-R52 CPU
* fix handling of HLT semihosting in system mode
* hw/timer/ixm_epit: cleanup and fix bug in compare handling
* target/arm: Coding style fixes
* target/arm: Clean up includes
* nseries: minor code cleanups
* target/arm: align exposed ID registers with Linux
* hw/arm/smmu-common: remove unnecessary inlines
* i.MX7D: Handle GPT timers
* i.MX7D: Connect IRQs to GPIO devices
* i.MX6UL: Add a specific GPT timer instance
* hw/net: Fix read of uninitialized memory in imx_fec

# gpg: Signature made Thu 05 Jan 2023 16:43:18 GMT
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20230105' of https://git.linaro.org/people/pmaydell/qemu-arm: (34 commits)
hw/net: Fix read of uninitialized memory in imx_fec.
i.MX7D: Connect IRQs to GPIO devices.
i.MX6UL: Add a specific GPT timer instance for the i.MX6UL
i.MX7D: Compute clock frequency for the fixed frequency clocks.
i.MX7D: Connect GPT timers to IRQ
hw/arm/smmu-common: Avoid using inlined functions with external linkage
hw/arm/smmu-common: Reduce smmu_inv_notifiers_mr() scope
target/arm: align exposed ID registers with Linux
hw/arm/nseries: Silent -Wmissing-field-initializers warning
hw/arm/nseries: Constify various read-only arrays
hw/input/tsc2xxx: Constify set_transform()'s MouseTransformInfo arg
target/arm: cleanup cpu includes
target/arm: Remove unused includes from helper.c
target/arm: Remove unused includes from m_helper.c
target/arm: Fix checkpatch brace errors in helper.c
target/arm: Fix checkpatch space errors in helper.c
target/arm: Fix checkpatch comment style warnings in helper.c
hw/timer/imx_epit: fix compare timer handling
hw/timer/imx_epit: remove explicit fields cnt and freq
hw/timer/imx_epit: factor out register write handlers
...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Add PMSAv8r functionality

Add PMSAv8r translation.

Signed-off-by: Tobias Röhmel <tobias.roehmel@rwth-aachen.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 2022120

target/arm: Add PMSAv8r functionality

Add PMSAv8r translation.

Signed-off-by: Tobias Röhmel <tobias.roehmel@rwth-aachen.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221206102504.165775-7-tobias.roehmel@rwth-aachen.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Make stage_2_format for cache attributes optional

The v8R PMSAv8 has a two-stage MPU translation process, but, unlike
VMSAv8, the stage 2 attributes are in the same format as the stage 1

target/arm: Make stage_2_format for cache attributes optional

The v8R PMSAv8 has a two-stage MPU translation process, but, unlike
VMSAv8, the stage 2 attributes are in the same format as the stage 1
attributes (8-bit MAIR format). Rather than converting the MAIR
format to the format used for VMSA stage 2 (bits [5:2] of a VMSA
stage 2 descriptor) and then converting back to do the attribute
combination, allow combined_attrs_nofwb() to accept s2 attributes
that are already in the MAIR format.

We move the assert() to combined_attrs_fwb(), because that function
really does require a VMSA stage 2 attribute format. (We will never
get there for v8R, because PMSAv8 does not implement FEAT_S2FWB.)

Signed-off-by: Tobias Röhmel <tobias.roehmel@rwth-aachen.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221206102504.165775-4-tobias.roehmel@rwth-aachen.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm:Set lg_page_size to 0 if either S1 or S2 asks for it

In get_phys_addr_twostage() we set the lg_page_size of the result to
the maximum of the stage 1 and stage 2 page sizes. This works fo

target/arm:Set lg_page_size to 0 if either S1 or S2 asks for it

In get_phys_addr_twostage() we set the lg_page_size of the result to
the maximum of the stage 1 and stage 2 page sizes. This works for
the case where we do want to create a TLB entry, because we know the
common TLB code only creates entries of the TARGET_PAGE_SIZE and
asking for a size larger than that only means that invalidations
invalidate the whole larger area. However, if lg_page_size is
smaller than TARGET_PAGE_SIZE this effectively means "don't create a
TLB entry"; in this case if either S1 or S2 said "this covers less
than a page and can't go in a TLB" then the final result also should
be marked that way. Set the resulting page size to 0 if either
stage asked for a less-than-a-page entry, and expand the comment
to explain what's going on.

This has no effect for VMSA because currently the VMSA lookup always
returns results that cover at least TARGET_PAGE_SIZE; however when we
add v8R support it will reuse this code path, and for v8R the S1 and
S2 results can be smaller than TARGET_PAGE_SIZE.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221212142708.610090-1-peter.maydell@linaro.org

show more ...

Merge tag 'pull-target-arm-20221122' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm:
* Fix broken 5-level pagetable handling
* Fix debug accesses when EL2 is present

#

Merge tag 'pull-target-arm-20221122' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm:
* Fix broken 5-level pagetable handling
* Fix debug accesses when EL2 is present

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmN8+tgZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3t+mD/sGzXb5BjKl0JeREHAh6swI
# niodZz0hf67UYITIQJMBu8KiFjAowk726qkwSOJyjQ7ot1N/zy6z3X8SbHLBF8qe
# xHJwVIvDADRKQ4j9y9chVof0Bg8+6274kFwcl/FR/gTFxQex+jzNmk6RzV1D5n3D
# gSKYVT1DJmr/qiWdoNxfuOPsbF44+ADskyeSLKmhN7SgK3JRDSfOTYb0AwIzm4Ue
# CL3rfNBkAsF6j9ygWHH0uff7ztWLZiCY1l+zXtOzzwZbrxMdSK6TCHgliNJ/9F/i
# D1vLr0A+J82ubADOHsTq5dE4tyYUkz/JQLCaoQWul7q08nz4i5XLFxBFUzll+H55
# yHCIzgbt2DOVICW2bzJR9fqI11cyeXY+ftRHVcA17mBKKXLEMg2ziIQ2yw0cugdD
# eaCcOLXgpLpMgCfFLDFOhZb9j0Q0TNEiKu9ZOVJrMDj5uT4HwctJ0PnPlHxaz6pC
# d9CdT1+J/omN8HYvZmBF1t9y3Y1dVKO9cOEFwcT2nTOqfLXirlKH7BeP9rdH96xi
# jSvixFrliUTjFGyW6AK8VoqXIx7rYK5OlWWdTnZhhERdjbVGkbPgc3O9ZYH9dJKO
# lUGmXZAguMbruXjDjGijNOSY1Vf/aTfbjCoOi3NoDbDQqAh8UjXUvUWbdjKo9uF+
# CtY6fnorIekqT2mYWNfkfQ==
# =Oh+/
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 22 Nov 2022 11:37:44 EST
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [unknown]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20221122' of https://git.linaro.org/people/pmaydell/qemu-arm:
target/arm: Use signed quantity to represent VMSAv8-64 translation level
target/arm: Don't do two-stage lookup if stage 2 is disabled

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

show more ...

target/arm: Use signed quantity to represent VMSAv8-64 translation level

The LPA2 extension implements 52-bit virtual addressing for 4k and 16k
translation granules, and for the former, this means a

target/arm: Use signed quantity to represent VMSAv8-64 translation level

The LPA2 extension implements 52-bit virtual addressing for 4k and 16k
translation granules, and for the former, this means an additional level
of translation is needed. This means we start counting at -1 instead of
0 when doing a walk, and so 'level' is now a signed quantity, and should
be typed as such. So turn it from uint32_t into int32_t.

This avoids a level of -1 getting misinterpreted as being >= 3, and
terminating a page table walk prematurely with a bogus output address.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Don't do two-stage lookup if stage 2 is disabled

In get_phys_addr_with_struct(), we call get_phys_addr_twostage() if
the CPU supports EL2. However, we don't check here that stage 2 is
a

target/arm: Don't do two-stage lookup if stage 2 is disabled

In get_phys_addr_with_struct(), we call get_phys_addr_twostage() if
the CPU supports EL2. However, we don't check here that stage 2 is
actually enabled. Instead we only check that inside
get_phys_addr_twostage() to skip stage 2 translation. This means
that even if stage 2 is disabled we still tell the stage 1 lookup to
do its page table walks via stage 2.

This works by luck for normal CPU accesses, but it breaks for debug
accesses, which are used by the disassembler and also by semihosting
file reads and writes, because the debug case takes a different code
path inside S1_ptw_translate().

This means that setups that use semihosting for file loads are broken
(a regression since 7.1, introduced in recent ptw refactoring), and
that sometimes disassembly in debug logs reports "unable to read
memory" rather than showing the guest insns.

Fix the bug by hoisting the "is stage 2 enabled?" check up to
get_phys_addr_with_struct(), so that we handle S2 disabled the same
way we do the "no EL2" case, with a simple single stage lookup.

Reported-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221121212404.1450382-1-peter.maydell@linaro.org

show more ...

Merge tag 'pull-target-arm-20221121' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* hw/sd: Fix sun4i allwinner-sdhost for U-Boot
* hw/intc: add implementation

Merge tag 'pull-target-arm-20221121' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* hw/sd: Fix sun4i allwinner-sdhost for U-Boot
* hw/intc: add implementation of GICD_IIDR to Arm GIC
* tests/avocado/boot_linux.py: Bump aarch64 virt test timeout
* target/arm: Limit LPA2 effective output address when TCR.DS == 0

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmN7disZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3i8sEACcJmCKplkJ3KlBqBCXdldF
# pNQde6fIAEvUtFGkPr8OLFixIp13aLlw3/7sieHl6o76GMw1u26kd/qTykypID/T
# j3rxZC7ospo2j3MfLLy0TiG/fwzCwa6G0SIdKUOjkwX52IgWE/gUlvtjJvtLcNEN
# nta2dm5PWcF6fxDZwdYUGo3akwi8qbIlBxUeQR3VTUzXC+7F22pDzA8lp8QpHeW0
# inaLNtlEbRc5+rnOuwhOK5mnYiTwTN40vEz89v940Ii/CIFmPOAmx2rxsrmnVbLq
# uGqzXoN4OMurl2gco7LUMS2mshVBfpVOyZqaaXn/3dXkQ/W1fN37iCZF8Z2E8P2M
# YvcdxgYWoFmP7mlr9S1k4RgQTGVRS9j6XviGi62Zra2enNx5769JUhJFifQBYqLA
# V3FcizuHqUKsItJtGMO3gXR02BEE53o8c6WJ18uflTNVaY9wZ5MDqgGw/hKmfWLS
# /mjFdwwTbW7IZ0beW3pl9szXAduhGNoegTsfkn9xrANa62Jx1GSs/G0+mdSnA9oL
# 1YB2EDidiTlizbrn0aK+Lgls5/FG9qP+ReY7GhW2ZYvPuKesja6BJEAyEW6Xg3Sj
# D70L8/AzZtn8AHu/aKotLZ6UHVTNxFg4AHwte9fJYrZe72e6aR+8XQaCBPz47pi8
# NHAnGWWc28SdNCau7I8uMg==
# =0yEm
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 21 Nov 2022 07:59:23 EST
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [unknown]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20221121' of https://git.linaro.org/people/pmaydell/qemu-arm:
target/arm: Limit LPA2 effective output address when TCR.DS == 0
tests/avocado/boot_linux.py: Bump aarch64 virt test timeout to 720s
hw/intc: add implementation of GICD_IIDR to Arm GIC
hw/intc: clean-up access to GIC multi-byte registers
hw/sd: Fix sun4i allwinner-sdhost for U-Boot

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

show more ...

target/arm: Limit LPA2 effective output address when TCR.DS == 0

With LPA2, the effective output address size is at most 48 bits when
TCR.DS == 0. This case is currently unhandled in the page table

target/arm: Limit LPA2 effective output address when TCR.DS == 0

With LPA2, the effective output address size is at most 48 bits when
TCR.DS == 0. This case is currently unhandled in the page table walker,
where we happily assume LVA/64k granule when outputsize > 48 and
param.ds == 0, resulting in the wrong conversion to be used from a
page table descriptor to a physical address.

if (outputsize > 48) {
if (param.ds) {
descaddr |= extract64(descriptor, 8, 2) << 50;
} else {
descaddr |= extract64(descriptor, 12, 4) << 48;
}

So cap the outputsize to 48 when TCR.DS is cleared, as per the
architecture.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221116170316.259695-1-ardb@kernel.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge tag 'pull-target-arm-20221104' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* Fix regression booting Trusted Firmware
* Honor HCR_E2H and HCR_TGE in ats_

Merge tag 'pull-target-arm-20221104' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* Fix regression booting Trusted Firmware
* Honor HCR_E2H and HCR_TGE in ats_write64()
* Copy the entire vector in DO_ZIP
* Fix Privileged Access Never (PAN) for aarch32
* Make TLBIOS and TLBIRANGE ops trap on HCR_EL2.TTLB
* Set SCR_EL3.HXEn when direct booting kernel
* Set SME and SVE EL3 vector lengths when direct booting kernel

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmNk+KkZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3vUsD/9SYZP3ne2OZxBe8he98jJ5
# 6apODiBksBLUM+1bKEoYW8Kw4XpS10I1Tbnxe7n0bNAfIiZlsZ7HJAJaYWy4MX4k
# Bq0v1EIFo+Obumocc14ZzWcw9yPpHOGavKHXfPxTtIw0amtOmh3aMBPuOZKiMSaq
# TdI/8654DbAOY3Hp/r6WnXwEgAc23kx/PtGhQFdU4iWhzTdeQeFkgCCsVMO02zFQ
# ZM4wiAATpfNfgf5+Wxoin6RQ8nI9PF+Xf7HhN3d1CiXju3vOl+geYNkubJzIopv1
# itLcnvduYE6+5oJsnXZ4FDNO6/nnqWRNqtyDf0/NjLROfj84BPJpZqMX+FR6Q0I0
# d+4/oEw4A46qfaS5b4/YelbJOiUgiViWU1Xs3g2dkeTMT8CyGfDrJ2HRDKN7AaHo
# llL7s1calkX2oSs+gU0BAw8xRETGwMBSOpF6JmPVh277LjvWfN1vsJzVUG3wrSXL
# G7qa2h+fHV5Xu876sc/i0+d4qHuqcE/EU86VQ6X40f+dRzN02rkSCPAxzGFwLXOr
# 8fl5MsX6z5pqcubnzxkhi66ZHc6fXsvtUjKBxyrVpMyjMlV9PTJ2Q1RCgVctErXk
# lDzsLuplzPSjZBy3Peib/rLnmYUxJHyPe0RFYIumzZv/UHwL4GjZgkI842UVBpAL
# FvIGblcCXHhdP4UFvqgZhw==
# =Fcb4
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 04 Nov 2022 07:34:01 EDT
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [unknown]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20221104' of https://git.linaro.org/people/pmaydell/qemu-arm:
target/arm: Two fixes for secure ptw
target/arm: Honor HCR_E2H and HCR_TGE in ats_write64()
target/arm: Copy the entire vector in DO_ZIP
target/arm: Fix Privileged Access Never (PAN) for aarch32
target/arm: Make TLBIOS and TLBIRANGE ops trap on HCR_EL2.TTLB
hw/arm/boot: Set SCR_EL3.HXEn when booting kernel
hw/arm/boot: Set SME and SVE EL3 vector lengths when booting kernel

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

show more ...

target/arm: Two fixes for secure ptw

Reversed the sense of non-secure in get_phys_addr_lpae,
and failed to initialize attrs.secure for ARMMMUIdx_Phys_S.

Fixes: 48da29e4 ("target/arm: Add ptw_idx to

target/arm: Two fixes for secure ptw

Reversed the sense of non-secure in get_phys_addr_lpae,
and failed to initialize attrs.secure for ARMMMUIdx_Phys_S.

Fixes: 48da29e4 ("target/arm: Add ptw_idx to S1Translate")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1293
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Fix Privileged Access Never (PAN) for aarch32

When we implemented the PAN support we theoretically wanted
to support it for both AArch32 and AArch64, but in practice
several bugs made it

target/arm: Fix Privileged Access Never (PAN) for aarch32

When we implemented the PAN support we theoretically wanted
to support it for both AArch32 and AArch64, but in practice
several bugs made it essentially unusable with an AArch32
guest. Fix all those problems:

- Use CPSR.PAN to check for PAN state in aarch32 mode
- throw permission fault during address translation when PAN is
enabled and kernel tries to access user acessible page
- ignore SCTLR_XP bit for armv7 and armv8 (conflicts with SCTLR_SPAN).

Signed-off-by: Timofey Kutergin <tkutergin@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221027112619.2205229-1-tkutergin@gmail.com
[PMM: tweak commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge tag 'pull-target-arm-20221027' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* Implement FEAT_E0PD
* Implement FEAT_HAFDBS
* honor HCR_E2H and HCR_TGE in

Merge tag 'pull-target-arm-20221027' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* Implement FEAT_E0PD
* Implement FEAT_HAFDBS
* honor HCR_E2H and HCR_TGE in arm_excp_unmasked()
* hw/arm/virt: Fix devicetree warnings about the virtio-iommu node
* hw/core/resettable: fix reset level counting
* hw/hyperv/hyperv.c: Use device_cold_reset() instead of device_legacy_reset()
* imx: reload cmp timer outside of the reload ptimer transaction
* x86: do not re-randomize RNG seed on snapshot load
* m68k/virt: do not re-randomize RNG seed on snapshot load
* m68k/q800: do not re-randomize RNG seed on snapshot load
* arm: re-randomize rng-seed on reboot
* riscv: re-randomize rng-seed on reboot
* mips/boston: re-randomize rng-seed on reboot
* openrisc: re-randomize rng-seed on reboot
* rx: re-randomize rng-seed on reboot

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmNagAQZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3sv6D/0VXf61t6IcmQ342L5IeUeA
# jixouWQhma3WwFDjbEo3BehgBhdwH2gxF8XWZNudV1x5P4JbCwiD/sm9FKtNY3IX
# lOpcg4F7Ge6EHCEQ5PM75G4TNQBw1BTwGuNrXm8kpVZ7i7C4Zo3gzbqVYv59d406
# fMwZBZwwavn9xYI/ZOUq3CKv2W/xrveFIEfafQB1mmcu4azZRLlOdMXvsMY/Te1/
# GQ+0RPcemNfvfFwYfMKT9dqiCWgqzAoiGQNH2944mTnoJJMsI0JLcXP2z/4fFfYv
# J1m7mhOO9KiqUWzxJofQOgQIic1q6AY0lLw272mA/rbwwlmlm/bNl1DGE5Lyw64d
# t/dDWE6X8IHPqPzqqrOd8vpKIKUriDSL83D5uULpPXaQwyckTFDsAMu5VX4uswbm
# B+SizTghSNwMbOq1XsQg6DDiHEelbwwrltsLOSQujXrrngtSxjWXuFgWem4gT8HL
# uVQtrfrASV/gNBLRNX73vuL6pJaTEVqk53JI8MamZEIRLO1s6/nreOR13E+0611T
# iMywoOhAQA3RDe9NU0zgg6EGyskRZQG1CRTDQAz1sAt8WcHokg7Yj7LlfGE+/+Bh
# 4cIuJI56Uf3DJF51A52+roaQkZDJZZkfE1EG8uMDIWszP5v2GDcwx3AS3FLuaDfH
# QHPsecbzEURFTmdt5VrKzg==
# =RD6C
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 27 Oct 2022 08:56:36 EDT
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [unknown]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20221027' of https://git.linaro.org/people/pmaydell/qemu-arm: (31 commits)
mips/malta: pass RNG seed via env var and re-randomize on reboot
rx: re-randomize rng-seed on reboot
openrisc: re-randomize rng-seed on reboot
mips/boston: re-randomize rng-seed on reboot
m68k/q800: do not re-randomize RNG seed on snapshot load
m68k/virt: do not re-randomize RNG seed on snapshot load
riscv: re-randomize rng-seed on reboot
arm: re-randomize rng-seed on reboot
x86: do not re-randomize RNG seed on snapshot load
device-tree: add re-randomization helper function
reset: allow registering handlers that aren't called by snapshot loading
target/arm: Use the max page size in a 2-stage ptw
target/arm: Implement FEAT_HAFDBS, dirty bit portion
target/arm: Implement FEAT_HAFDBS, access flag portion
target/arm: Tidy merging of attributes from descriptor and table
target/arm: Consider GP an attribute in get_phys_addr_lpae
target/arm: Don't shift attrs in get_phys_addr_lpae
target/arm: Fix fault reporting in get_phys_addr_lpae
target/arm: Remove loop from get_phys_addr_lpae
target/arm: Add ARMFault_UnsuppAtomicUpdate
...

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

show more ...

target/arm: Use the max page size in a 2-stage ptw

We had only been reporting the stage2 page size. This causes
problems if stage1 is using a larger page size (16k, 2M, etc),
but stage2 is using a

target/arm: Use the max page size in a 2-stage ptw

We had only been reporting the stage2 page size. This causes
problems if stage1 is using a larger page size (16k, 2M, etc),
but stage2 is using a smaller page size, because cputlb does
not set large_page_{addr,mask} properly.

Fix by using the max of the two page sizes.

Reported-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221024051851.3074715-15-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Implement FEAT_HAFDBS, dirty bit portion

Perform the atomic update for hardware management of the dirty bit.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id:

target/arm: Implement FEAT_HAFDBS, dirty bit portion

Perform the atomic update for hardware management of the dirty bit.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221024051851.3074715-14-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Implement FEAT_HAFDBS, access flag portion

Perform the atomic update for hardware management of the access flag.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Ric

target/arm: Implement FEAT_HAFDBS, access flag portion

Perform the atomic update for hardware management of the access flag.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221024051851.3074715-13-richard.henderson@linaro.org
[PMM: Fix accidental PROT_WRITE to PAGE_WRITE; add missing
main-loop.h include]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Tidy merging of attributes from descriptor and table

Replace some gotos with some nested if statements.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex

target/arm: Tidy merging of attributes from descriptor and table

Replace some gotos with some nested if statements.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20221024051851.3074715-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Consider GP an attribute in get_phys_addr_lpae

Both GP and DBM are in the upper attribute block.
Extend the computation of attrs to include them,
then simplify the setting of guarded.

R

target/arm: Consider GP an attribute in get_phys_addr_lpae

Both GP and DBM are in the upper attribute block.
Extend the computation of attrs to include them,
then simplify the setting of guarded.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20221024051851.3074715-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Don't shift attrs in get_phys_addr_lpae

Leave the upper and lower attributes in the place they originate
from in the descriptor. Shifting them around is confusing, since
one cannot read

target/arm: Don't shift attrs in get_phys_addr_lpae

Leave the upper and lower attributes in the place they originate
from in the descriptor. Shifting them around is confusing, since
one cannot read the bit numbers out of the manual. Also, new
attributes have been added which would alter the shifts.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20221024051851.3074715-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Fix fault reporting in get_phys_addr_lpae

Always overriding fi->type was incorrect, as we would not properly
propagate the fault type from S1_ptw_translate, or arm_ldq_ptw.
Simplify thin

target/arm: Fix fault reporting in get_phys_addr_lpae

Always overriding fi->type was incorrect, as we would not properly
propagate the fault type from S1_ptw_translate, or arm_ldq_ptw.
Simplify things by providing a new label for a translation fault.
For other faults, store into fi directly.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20221024051851.3074715-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Remove loop from get_phys_addr_lpae

The unconditional loop was used both to iterate over levels
and to control parsing of attributes. Use an explicit goto
in both cases.

While this app

target/arm: Remove loop from get_phys_addr_lpae

The unconditional loop was used both to iterate over levels
and to control parsing of attributes. Use an explicit goto
in both cases.

While this appears less clean for iterating over levels, we
will need to jump back into the middle of this loop for
atomic updates, which is even uglier.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221024051851.3074715-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Move S1_ptw_translate outside arm_ld[lq]_ptw

Separate S1 translation from the actual lookup.
Will enable lpae hardware updates.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Sig

target/arm: Move S1_ptw_translate outside arm_ld[lq]_ptw

Separate S1 translation from the actual lookup.
Will enable lpae hardware updates.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221024051851.3074715-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...