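/*
 * ARM TrustZone peripheral protection controller emulation
 *
 * Copyright (c) 2018 Linaro Limited
 * Written by Peter Maydell
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 or
 * (at your option) any later version.
 */

/* This is a model of the TrustZone peripheral protection controller (PPC).
 * It is documented in the ARM CoreLink SIE-200 System IP for Embedded TRM
 * (DDI 0571G):
 * https://developer.arm.com/products/architecture/m-profile/docs/ddi0571/g
 *
 * The PPC sits in front of peripherals and allows secure software to
 * configure it to either pass through or reject transactions.
 * Rejected transactions may be configured to either be aborted, or to
 * behave as RAZ/WI. An interrupt can be signalled for a rejected transaction.
 *
 * The PPC has no register interface -- it is configured purely by a
 * collection of input signals from other hardware in the system. Typically
 * they are either hardwired or exposed in an ad-hoc register interface by
 * the SoC that uses the PPC.
 *
 * This QEMU model can be used to model either the AHB5 or APB4 TZ PPC,
 * since the only difference between them is that the AHB version has a
 * "default" port which has no security checks applied. In QEMU the default
 * port can be emulated simply by wiring its downstream devices directly
 * into the parent address space, since the PPC does not need to intercept
 * transactions there.
 *
 * In the hardware, selection of which downstream port to use is done by
 * the user's decode logic asserting one of the hsel[] signals. In QEMU,
 * we provide 16 MMIO regions, one per port, and the user maps these into
 * the desired addresses to implement the address decode.
 *
 * QEMU interface:
 * + sysbus MMIO regions 0..15: MemoryRegions defining the upstream end
 *   of each of the 16 ports of the PPC. When a port is unused (i.e. no
 *   downstream MemoryRegion is connected to it) at the end of the 0..15
 *   range then no sysbus MMIO region is created for its upstream. When an
 *   unused port lies in the middle of the range with other used ports at
 *   higher port numbers, a dummy MMIO region is created to ensure that
 *   port N's upstream is always sysbus MMIO region N. Dummy regions should
 *   not be mapped, and will assert if any access is made to them.
 * + Property "port[0..15]": MemoryRegion defining the downstream device(s)
 *   for each of the 16 ports of the PPC
 * + Named GPIO inputs "cfg_nonsec[0..15]": set to 1 if the port should be
 *   accessible to NonSecure transactions
 * + Named GPIO inputs "cfg_ap[0..15]": set to 1 if the port should be
 *   accessible to non-privileged transactions
 * + Named GPIO input "cfg_sec_resp": set to 1 if a rejected transaction should
 *   result in a transaction error, or 0 for the transaction to RAZ/WI
 * + Named GPIO input "irq_enable": set to 1 to enable interrupts
 * + Named GPIO input "irq_clear": set to 1 to clear a pending interrupt
 * + Named GPIO output "irq": set for a transaction-failed interrupt
 * + Property "NONSEC_MASK": if a bit is set in this mask then accesses to
 *   the associated port do not have the TZ security check performed. (This
 *   corresponds to the hardware allowing this to be set as a Verilog
 *   parameter.)
 */

#ifndef TZ_PPC_H
#define TZ_PPC_H

#include "hw/sysbus.h"
#include "qom/object.h"

/* QOM type name used to instantiate the PPC model. */
#define TYPE_TZ_PPC "tz-ppc"
OBJECT_DECLARE_SIMPLE_TYPE(TZPPC, TZ_PPC)

/*
 * Number of ports modelled. It sizes the per-port arrays below and matches
 * the 0..15 ranges of the MMIO regions, "port[]" properties and cfg_* GPIO
 * inputs described in the QEMU interface list above.
 */
#define TZ_NUM_PORTS 16


/*
 * Per-port state: one entry per PPC port, tying the upstream end that the
 * board maps into its address decode to the downstream device(s) behind it.
 */
typedef struct TZPPCPort {
    /* Owning PPC; presumably used to reach the cfg_* state when an access
     * arrives on this port -- confirm against the implementation. */
    TZPPC *ppc;
    /* Upstream end of the port (sysbus MMIO region N for port N). */
    MemoryRegion upstream;
    /* Address space for the downstream side; presumably built over
     * 'downstream' and used to forward accepted transactions -- confirm. */
    AddressSpace downstream_as;
    /* Downstream device(s), supplied through the "port[N]" property. An
     * unused port has nothing connected here (presumably NULL -- confirm). */
    MemoryRegion *downstream;
} TZPPCPort;

/*
 * Device state for one PPC instance. All access-control configuration comes
 * from input signals and properties; the model has no register interface.
 */
struct TZPPC {
    /*< private >*/
    SysBusDevice parent_obj;

    /*< public >*/

    /* State: these just track the values of our input signals */
    /* cfg_nonsec[n]: 1 if port n is accessible to NonSecure transactions. */
    bool cfg_nonsec[TZ_NUM_PORTS];
    /* cfg_ap[n]: 1 if port n is accessible to non-privileged transactions. */
    bool cfg_ap[TZ_NUM_PORTS];
    /* 1: a rejected transaction is a transaction error; 0: it is RAZ/WI,
     * so the initiator sees no fault and only the irq reports the reject. */
    bool cfg_sec_resp;
    /* 1 to enable the transaction-failed interrupt. */
    bool irq_enable;
    /* 1 to clear a pending interrupt. */
    bool irq_clear;
    /* State: are we asserting irq ? */
    bool irq_status;

    /* Output line signalling a transaction-failed interrupt. */
    qemu_irq irq;

    /* Properties */
    /*
     * "NONSEC_MASK": a set bit means accesses to the associated port do not
     * have the TZ security check performed. NOTE(review): every set bit is
     * a port exempted from that check, so board code should set bits only
     * for ports intended to be exempt. Presumably bit N maps to port N and
     * only bits 0..TZ_NUM_PORTS-1 are meaningful; whether the cfg_ap check
     * still applies to a masked port is not stated in this header --
     * confirm both against the implementation.
     */
    uint32_t nonsec_mask;

    TZPPCPort port[TZ_NUM_PORTS];
};

#endif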