1 /* 2 * ARM generic helpers. 3 * 4 * This code is licensed under the GNU GPL v2 or later. 5 * 6 * SPDX-License-Identifier: GPL-2.0-or-later 7 */ 8 9 #include "qemu/osdep.h" 10 #include "qemu/log.h" 11 #include "trace.h" 12 #include "cpu.h" 13 #include "internals.h" 14 #include "cpu-features.h" 15 #include "exec/helper-proto.h" 16 #include "qemu/main-loop.h" 17 #include "qemu/timer.h" 18 #include "qemu/bitops.h" 19 #include "qemu/crc32c.h" 20 #include "qemu/qemu-print.h" 21 #include "exec/exec-all.h" 22 #include <zlib.h> /* For crc32 */ 23 #include "hw/irq.h" 24 #include "sysemu/cpu-timers.h" 25 #include "sysemu/kvm.h" 26 #include "sysemu/tcg.h" 27 #include "qapi/error.h" 28 #include "qemu/guest-random.h" 29 #ifdef CONFIG_TCG 30 #include "semihosting/common-semi.h" 31 #endif 32 #include "cpregs.h" 33 34 #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */ 35 36 static void switch_mode(CPUARMState *env, int mode); 37 38 static uint64_t raw_read(CPUARMState *env, const ARMCPRegInfo *ri) 39 { 40 assert(ri->fieldoffset); 41 if (cpreg_field_is_64bit(ri)) { 42 return CPREG_FIELD64(env, ri); 43 } else { 44 return CPREG_FIELD32(env, ri); 45 } 46 } 47 48 void raw_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) 49 { 50 assert(ri->fieldoffset); 51 if (cpreg_field_is_64bit(ri)) { 52 CPREG_FIELD64(env, ri) = value; 53 } else { 54 CPREG_FIELD32(env, ri) = value; 55 } 56 } 57 58 static void *raw_ptr(CPUARMState *env, const ARMCPRegInfo *ri) 59 { 60 return (char *)env + ri->fieldoffset; 61 } 62 63 uint64_t read_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri) 64 { 65 /* Raw read of a coprocessor register (as needed for migration, etc). */ 66 if (ri->type & ARM_CP_CONST) { 67 return ri->resetvalue; 68 } else if (ri->raw_readfn) { 69 return ri->raw_readfn(env, ri); 70 } else if (ri->readfn) { 71 return ri->readfn(env, ri); 72 } else { 73 return raw_read(env, ri); 74 } 75 } 76 77 static void write_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri, 78 uint64_t v) 79 { 80 /* 81 * Raw write of a coprocessor register (as needed for migration, etc). 82 * Note that constant registers are treated as write-ignored; the 83 * caller should check for success by whether a readback gives the 84 * value written. 85 */ 86 if (ri->type & ARM_CP_CONST) { 87 return; 88 } else if (ri->raw_writefn) { 89 ri->raw_writefn(env, ri, v); 90 } else if (ri->writefn) { 91 ri->writefn(env, ri, v); 92 } else { 93 raw_write(env, ri, v); 94 } 95 } 96 97 static bool raw_accessors_invalid(const ARMCPRegInfo *ri) 98 { 99 /* 100 * Return true if the regdef would cause an assertion if you called 101 * read_raw_cp_reg() or write_raw_cp_reg() on it (ie if it is a 102 * program bug for it not to have the NO_RAW flag). 103 * NB that returning false here doesn't necessarily mean that calling 104 * read/write_raw_cp_reg() is safe, because we can't distinguish "has 105 * read/write access functions which are safe for raw use" from "has 106 * read/write access functions which have side effects but has forgotten 107 * to provide raw access functions". 108 * The tests here line up with the conditions in read/write_raw_cp_reg() 109 * and assertions in raw_read()/raw_write(). 110 */ 111 if ((ri->type & ARM_CP_CONST) || 112 ri->fieldoffset || 113 ((ri->raw_writefn || ri->writefn) && (ri->raw_readfn || ri->readfn))) { 114 return false; 115 } 116 return true; 117 } 118 119 bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync) 120 { 121 /* Write the coprocessor state from cpu->env to the (index,value) list. */ 122 int i; 123 bool ok = true; 124 125 for (i = 0; i < cpu->cpreg_array_len; i++) { 126 uint32_t regidx = kvm_to_cpreg_id(cpu->cpreg_indexes[i]); 127 const ARMCPRegInfo *ri; 128 uint64_t newval; 129 130 ri = get_arm_cp_reginfo(cpu->cp_regs, regidx); 131 if (!ri) { 132 ok = false; 133 continue; 134 } 135 if (ri->type & ARM_CP_NO_RAW) { 136 continue; 137 } 138 139 newval = read_raw_cp_reg(&cpu->env, ri); 140 if (kvm_sync) { 141 /* 142 * Only sync if the previous list->cpustate sync succeeded. 143 * Rather than tracking the success/failure state for every 144 * item in the list, we just recheck "does the raw write we must 145 * have made in write_list_to_cpustate() read back OK" here. 146 */ 147 uint64_t oldval = cpu->cpreg_values[i]; 148 149 if (oldval == newval) { 150 continue; 151 } 152 153 write_raw_cp_reg(&cpu->env, ri, oldval); 154 if (read_raw_cp_reg(&cpu->env, ri) != oldval) { 155 continue; 156 } 157 158 write_raw_cp_reg(&cpu->env, ri, newval); 159 } 160 cpu->cpreg_values[i] = newval; 161 } 162 return ok; 163 } 164 165 bool write_list_to_cpustate(ARMCPU *cpu) 166 { 167 int i; 168 bool ok = true; 169 170 for (i = 0; i < cpu->cpreg_array_len; i++) { 171 uint32_t regidx = kvm_to_cpreg_id(cpu->cpreg_indexes[i]); 172 uint64_t v = cpu->cpreg_values[i]; 173 const ARMCPRegInfo *ri; 174 175 ri = get_arm_cp_reginfo(cpu->cp_regs, regidx); 176 if (!ri) { 177 ok = false; 178 continue; 179 } 180 if (ri->type & ARM_CP_NO_RAW) { 181 continue; 182 } 183 /* 184 * Write value and confirm it reads back as written 185 * (to catch read-only registers and partially read-only 186 * registers where the incoming migration value doesn't match) 187 */ 188 write_raw_cp_reg(&cpu->env, ri, v); 189 if (read_raw_cp_reg(&cpu->env, ri) != v) { 190 ok = false; 191 } 192 } 193 return ok; 194 } 195 196 static void add_cpreg_to_list(gpointer key, gpointer opaque) 197 { 198 ARMCPU *cpu = opaque; 199 uint32_t regidx = (uintptr_t)key; 200 const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, regidx); 201 202 if (!(ri->type & (ARM_CP_NO_RAW | ARM_CP_ALIAS))) { 203 cpu->cpreg_indexes[cpu->cpreg_array_len] = cpreg_to_kvm_id(regidx); 204 /* The value array need not be initialized at this point */ 205 cpu->cpreg_array_len++; 206 } 207 } 208 209 static void count_cpreg(gpointer key, gpointer opaque) 210 { 211 ARMCPU *cpu = opaque; 212 const ARMCPRegInfo *ri; 213 214 ri = g_hash_table_lookup(cpu->cp_regs, key); 215 216 if (!(ri->type & (ARM_CP_NO_RAW | ARM_CP_ALIAS))) { 217 cpu->cpreg_array_len++; 218 } 219 } 220 221 static gint cpreg_key_compare(gconstpointer a, gconstpointer b) 222 { 223 uint64_t aidx = cpreg_to_kvm_id((uintptr_t)a); 224 uint64_t bidx = cpreg_to_kvm_id((uintptr_t)b); 225 226 if (aidx > bidx) { 227 return 1; 228 } 229 if (aidx < bidx) { 230 return -1; 231 } 232 return 0; 233 } 234 235 void init_cpreg_list(ARMCPU *cpu) 236 { 237 /* 238 * Initialise the cpreg_tuples[] array based on the cp_regs hash. 239 * Note that we require cpreg_tuples[] to be sorted by key ID. 240 */ 241 GList *keys; 242 int arraylen; 243 244 keys = g_hash_table_get_keys(cpu->cp_regs); 245 keys = g_list_sort(keys, cpreg_key_compare); 246 247 cpu->cpreg_array_len = 0; 248 249 g_list_foreach(keys, count_cpreg, cpu); 250 251 arraylen = cpu->cpreg_array_len; 252 cpu->cpreg_indexes = g_new(uint64_t, arraylen); 253 cpu->cpreg_values = g_new(uint64_t, arraylen); 254 cpu->cpreg_vmstate_indexes = g_new(uint64_t, arraylen); 255 cpu->cpreg_vmstate_values = g_new(uint64_t, arraylen); 256 cpu->cpreg_vmstate_array_len = cpu->cpreg_array_len; 257 cpu->cpreg_array_len = 0; 258 259 g_list_foreach(keys, add_cpreg_to_list, cpu); 260 261 assert(cpu->cpreg_array_len == arraylen); 262 263 g_list_free(keys); 264 } 265 266 /* 267 * Some registers are not accessible from AArch32 EL3 if SCR.NS == 0. 268 */ 269 static CPAccessResult access_el3_aa32ns(CPUARMState *env, 270 const ARMCPRegInfo *ri, 271 bool isread) 272 { 273 if (!is_a64(env) && arm_current_el(env) == 3 && 274 arm_is_secure_below_el3(env)) { 275 return CP_ACCESS_TRAP_UNCATEGORIZED; 276 } 277 return CP_ACCESS_OK; 278 } 279 280 /* 281 * Some secure-only AArch32 registers trap to EL3 if used from 282 * Secure EL1 (but are just ordinary UNDEF in other non-EL3 contexts). 283 * Note that an access from Secure EL1 can only happen if EL3 is AArch64. 284 * We assume that the .access field is set to PL1_RW. 285 */ 286 static CPAccessResult access_trap_aa32s_el1(CPUARMState *env, 287 const ARMCPRegInfo *ri, 288 bool isread) 289 { 290 if (arm_current_el(env) == 3) { 291 return CP_ACCESS_OK; 292 } 293 if (arm_is_secure_below_el3(env)) { 294 if (env->cp15.scr_el3 & SCR_EEL2) { 295 return CP_ACCESS_TRAP_EL2; 296 } 297 return CP_ACCESS_TRAP_EL3; 298 } 299 /* This will be EL1 NS and EL2 NS, which just UNDEF */ 300 return CP_ACCESS_TRAP_UNCATEGORIZED; 301 } 302 303 /* 304 * Check for traps to performance monitor registers, which are controlled 305 * by MDCR_EL2.TPM for EL2 and MDCR_EL3.TPM for EL3. 306 */ 307 static CPAccessResult access_tpm(CPUARMState *env, const ARMCPRegInfo *ri, 308 bool isread) 309 { 310 int el = arm_current_el(env); 311 uint64_t mdcr_el2 = arm_mdcr_el2_eff(env); 312 313 if (el < 2 && (mdcr_el2 & MDCR_TPM)) { 314 return CP_ACCESS_TRAP_EL2; 315 } 316 if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TPM)) { 317 return CP_ACCESS_TRAP_EL3; 318 } 319 return CP_ACCESS_OK; 320 } 321 322 /* Check for traps from EL1 due to HCR_EL2.TVM and HCR_EL2.TRVM. */ 323 CPAccessResult access_tvm_trvm(CPUARMState *env, const ARMCPRegInfo *ri, 324 bool isread) 325 { 326 if (arm_current_el(env) == 1) { 327 uint64_t trap = isread ? HCR_TRVM : HCR_TVM; 328 if (arm_hcr_el2_eff(env) & trap) { 329 return CP_ACCESS_TRAP_EL2; 330 } 331 } 332 return CP_ACCESS_OK; 333 } 334 335 /* Check for traps from EL1 due to HCR_EL2.TSW. */ 336 static CPAccessResult access_tsw(CPUARMState *env, const ARMCPRegInfo *ri, 337 bool isread) 338 { 339 if (arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_TSW)) { 340 return CP_ACCESS_TRAP_EL2; 341 } 342 return CP_ACCESS_OK; 343 } 344 345 /* Check for traps from EL1 due to HCR_EL2.TACR. */ 346 static CPAccessResult access_tacr(CPUARMState *env, const ARMCPRegInfo *ri, 347 bool isread) 348 { 349 if (arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_TACR)) { 350 return CP_ACCESS_TRAP_EL2; 351 } 352 return CP_ACCESS_OK; 353 } 354 355 /* Check for traps from EL1 due to HCR_EL2.TTLB. */ 356 static CPAccessResult access_ttlb(CPUARMState *env, const ARMCPRegInfo *ri, 357 bool isread) 358 { 359 if (arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_TTLB)) { 360 return CP_ACCESS_TRAP_EL2; 361 } 362 return CP_ACCESS_OK; 363 } 364 365 /* Check for traps from EL1 due to HCR_EL2.TTLB or TTLBIS. */ 366 static CPAccessResult access_ttlbis(CPUARMState *env, const ARMCPRegInfo *ri, 367 bool isread) 368 { 369 if (arm_current_el(env) == 1 && 370 (arm_hcr_el2_eff(env) & (HCR_TTLB | HCR_TTLBIS))) { 371 return CP_ACCESS_TRAP_EL2; 372 } 373 return CP_ACCESS_OK; 374 } 375 376 #ifdef TARGET_AARCH64 377 /* Check for traps from EL1 due to HCR_EL2.TTLB or TTLBOS. */ 378 static CPAccessResult access_ttlbos(CPUARMState *env, const ARMCPRegInfo *ri, 379 bool isread) 380 { 381 if (arm_current_el(env) == 1 && 382 (arm_hcr_el2_eff(env) & (HCR_TTLB | HCR_TTLBOS))) { 383 return CP_ACCESS_TRAP_EL2; 384 } 385 return CP_ACCESS_OK; 386 } 387 #endif 388 389 static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) 390 { 391 ARMCPU *cpu = env_archcpu(env); 392 393 raw_write(env, ri, value); 394 tlb_flush(CPU(cpu)); /* Flush TLB as domain not tracked in TLB */ 395 } 396 397 static void fcse_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) 398 { 399 ARMCPU *cpu = env_archcpu(env); 400 401 if (raw_read(env, ri) != value) { 402 /* 403 * Unlike real hardware the qemu TLB uses virtual addresses, 404 * not modified virtual addresses, so this causes a TLB flush. 405 */ 406 tlb_flush(CPU(cpu)); 407 raw_write(env, ri, value); 408 } 409 } 410 411 static void contextidr_write(CPUARMState *env, const ARMCPRegInfo *ri, 412 uint64_t value) 413 { 414 ARMCPU *cpu = env_archcpu(env); 415 416 if (raw_read(env, ri) != value && !arm_feature(env, ARM_FEATURE_PMSA) 417 && !extended_addresses_enabled(env)) { 418 /* 419 * For VMSA (when not using the LPAE long descriptor page table 420 * format) this register includes the ASID, so do a TLB flush. 421 * For PMSA it is purely a process ID and no action is needed. 422 */ 423 tlb_flush(CPU(cpu)); 424 } 425 raw_write(env, ri, value); 426 } 427 428 static int alle1_tlbmask(CPUARMState *env) 429 { 430 /* 431 * Note that the 'ALL' scope must invalidate both stage 1 and 432 * stage 2 translations, whereas most other scopes only invalidate 433 * stage 1 translations. 434 */ 435 return (ARMMMUIdxBit_E10_1 | 436 ARMMMUIdxBit_E10_1_PAN | 437 ARMMMUIdxBit_E10_0 | 438 ARMMMUIdxBit_Stage2 | 439 ARMMMUIdxBit_Stage2_S); 440 } 441 442 443 /* IS variants of TLB operations must affect all cores */ 444 static void tlbiall_is_write(CPUARMState *env, const ARMCPRegInfo *ri, 445 uint64_t value) 446 { 447 CPUState *cs = env_cpu(env); 448 449 tlb_flush_all_cpus_synced(cs); 450 } 451 452 static void tlbiasid_is_write(CPUARMState *env, const ARMCPRegInfo *ri, 453 uint64_t value) 454 { 455 CPUState *cs = env_cpu(env); 456 457 tlb_flush_all_cpus_synced(cs); 458 } 459 460 static void tlbimva_is_write(CPUARMState *env, const ARMCPRegInfo *ri, 461 uint64_t value) 462 { 463 CPUState *cs = env_cpu(env); 464 465 tlb_flush_page_all_cpus_synced(cs, value & TARGET_PAGE_MASK); 466 } 467 468 static void tlbimvaa_is_write(CPUARMState *env, const ARMCPRegInfo *ri, 469 uint64_t value) 470 { 471 CPUState *cs = env_cpu(env); 472 473 tlb_flush_page_all_cpus_synced(cs, value & TARGET_PAGE_MASK); 474 } 475 476 /* 477 * Non-IS variants of TLB operations are upgraded to 478 * IS versions if we are at EL1 and HCR_EL2.FB is effectively set to 479 * force broadcast of these operations. 480 */ 481 static bool tlb_force_broadcast(CPUARMState *env) 482 { 483 return arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_FB); 484 } 485 486 static void tlbiall_write(CPUARMState *env, const ARMCPRegInfo *ri, 487 uint64_t value) 488 { 489 /* Invalidate all (TLBIALL) */ 490 CPUState *cs = env_cpu(env); 491 492 if (tlb_force_broadcast(env)) { 493 tlb_flush_all_cpus_synced(cs); 494 } else { 495 tlb_flush(cs); 496 } 497 } 498 499 static void tlbimva_write(CPUARMState *env, const ARMCPRegInfo *ri, 500 uint64_t value) 501 { 502 /* Invalidate single TLB entry by MVA and ASID (TLBIMVA) */ 503 CPUState *cs = env_cpu(env); 504 505 value &= TARGET_PAGE_MASK; 506 if (tlb_force_broadcast(env)) { 507 tlb_flush_page_all_cpus_synced(cs, value); 508 } else { 509 tlb_flush_page(cs, value); 510 } 511 } 512 513 static void tlbiasid_write(CPUARMState *env, const ARMCPRegInfo *ri, 514 uint64_t value) 515 { 516 /* Invalidate by ASID (TLBIASID) */ 517 CPUState *cs = env_cpu(env); 518 519 if (tlb_force_broadcast(env)) { 520 tlb_flush_all_cpus_synced(cs); 521 } else { 522 tlb_flush(cs); 523 } 524 } 525 526 static void tlbimvaa_write(CPUARMState *env, const ARMCPRegInfo *ri, 527 uint64_t value) 528 { 529 /* Invalidate single entry by MVA, all ASIDs (TLBIMVAA) */ 530 CPUState *cs = env_cpu(env); 531 532 value &= TARGET_PAGE_MASK; 533 if (tlb_force_broadcast(env)) { 534 tlb_flush_page_all_cpus_synced(cs, value); 535 } else { 536 tlb_flush_page(cs, value); 537 } 538 } 539 540 static void tlbiall_nsnh_write(CPUARMState *env, const ARMCPRegInfo *ri, 541 uint64_t value) 542 { 543 CPUState *cs = env_cpu(env); 544 545 tlb_flush_by_mmuidx(cs, alle1_tlbmask(env)); 546 } 547 548 static void tlbiall_nsnh_is_write(CPUARMState *env, const ARMCPRegInfo *ri, 549 uint64_t value) 550 { 551 CPUState *cs = env_cpu(env); 552 553 tlb_flush_by_mmuidx_all_cpus_synced(cs, alle1_tlbmask(env)); 554 } 555 556 557 static void tlbiall_hyp_write(CPUARMState *env, const ARMCPRegInfo *ri, 558 uint64_t value) 559 { 560 CPUState *cs = env_cpu(env); 561 562 tlb_flush_by_mmuidx(cs, ARMMMUIdxBit_E2); 563 } 564 565 static void tlbiall_hyp_is_write(CPUARMState *env, const ARMCPRegInfo *ri, 566 uint64_t value) 567 { 568 CPUState *cs = env_cpu(env); 569 570 tlb_flush_by_mmuidx_all_cpus_synced(cs, ARMMMUIdxBit_E2); 571 } 572 573 static void tlbimva_hyp_write(CPUARMState *env, const ARMCPRegInfo *ri, 574 uint64_t value) 575 { 576 CPUState *cs = env_cpu(env); 577 uint64_t pageaddr = value & ~MAKE_64BIT_MASK(0, 12); 578 579 tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdxBit_E2); 580 } 581 582 static void tlbimva_hyp_is_write(CPUARMState *env, const ARMCPRegInfo *ri, 583 uint64_t value) 584 { 585 CPUState *cs = env_cpu(env); 586 uint64_t pageaddr = value & ~MAKE_64BIT_MASK(0, 12); 587 588 tlb_flush_page_by_mmuidx_all_cpus_synced(cs, pageaddr, 589 ARMMMUIdxBit_E2); 590 } 591 592 static void tlbiipas2_hyp_write(CPUARMState *env, const ARMCPRegInfo *ri, 593 uint64_t value) 594 { 595 CPUState *cs = env_cpu(env); 596 uint64_t pageaddr = (value & MAKE_64BIT_MASK(0, 28)) << 12; 597 598 tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdxBit_Stage2); 599 } 600 601 static void tlbiipas2is_hyp_write(CPUARMState *env, const ARMCPRegInfo *ri, 602 uint64_t value) 603 { 604 CPUState *cs = env_cpu(env); 605 uint64_t pageaddr = (value & MAKE_64BIT_MASK(0, 28)) << 12; 606 607 tlb_flush_page_by_mmuidx_all_cpus_synced(cs, pageaddr, ARMMMUIdxBit_Stage2); 608 } 609 610 static const ARMCPRegInfo cp_reginfo[] = { 611 /* 612 * Define the secure and non-secure FCSE identifier CP registers 613 * separately because there is no secure bank in V8 (no _EL3). This allows 614 * the secure register to be properly reset and migrated. There is also no 615 * v8 EL1 version of the register so the non-secure instance stands alone. 616 */ 617 { .name = "FCSEIDR", 618 .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 0, 619 .access = PL1_RW, .secure = ARM_CP_SECSTATE_NS, 620 .fieldoffset = offsetof(CPUARMState, cp15.fcseidr_ns), 621 .resetvalue = 0, .writefn = fcse_write, .raw_writefn = raw_write, }, 622 { .name = "FCSEIDR_S", 623 .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 0, 624 .access = PL1_RW, .secure = ARM_CP_SECSTATE_S, 625 .fieldoffset = offsetof(CPUARMState, cp15.fcseidr_s), 626 .resetvalue = 0, .writefn = fcse_write, .raw_writefn = raw_write, }, 627 /* 628 * Define the secure and non-secure context identifier CP registers 629 * separately because there is no secure bank in V8 (no _EL3). This allows 630 * the secure register to be properly reset and migrated. In the 631 * non-secure case, the 32-bit register will have reset and migration 632 * disabled during registration as it is handled by the 64-bit instance. 633 */ 634 { .name = "CONTEXTIDR_EL1", .state = ARM_CP_STATE_BOTH, 635 .opc0 = 3, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 1, 636 .access = PL1_RW, .accessfn = access_tvm_trvm, 637 .fgt = FGT_CONTEXTIDR_EL1, 638 .secure = ARM_CP_SECSTATE_NS, 639 .fieldoffset = offsetof(CPUARMState, cp15.contextidr_el[1]), 640 .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, }, 641 { .name = "CONTEXTIDR_S", .state = ARM_CP_STATE_AA32, 642 .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 1, 643 .access = PL1_RW, .accessfn = access_tvm_trvm, 644 .secure = ARM_CP_SECSTATE_S, 645 .fieldoffset = offsetof(CPUARMState, cp15.contextidr_s), 646 .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, }, 647 }; 648 649 static const ARMCPRegInfo not_v8_cp_reginfo[] = { 650 /* 651 * NB: Some of these registers exist in v8 but with more precise 652 * definitions that don't use CP_ANY wildcards (mostly in v8_cp_reginfo[]). 653 */ 654 /* MMU Domain access control / MPU write buffer control */ 655 { .name = "DACR", 656 .cp = 15, .opc1 = CP_ANY, .crn = 3, .crm = CP_ANY, .opc2 = CP_ANY, 657 .access = PL1_RW, .accessfn = access_tvm_trvm, .resetvalue = 0, 658 .writefn = dacr_write, .raw_writefn = raw_write, 659 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dacr_s), 660 offsetoflow32(CPUARMState, cp15.dacr_ns) } }, 661 /* 662 * ARMv7 allocates a range of implementation defined TLB LOCKDOWN regs. 663 * For v6 and v5, these mappings are overly broad. 664 */ 665 { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 0, 666 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP }, 667 { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 1, 668 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP }, 669 { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 4, 670 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP }, 671 { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 8, 672 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP }, 673 /* Cache maintenance ops; some of this space may be overridden later. */ 674 { .name = "CACHEMAINT", .cp = 15, .crn = 7, .crm = CP_ANY, 675 .opc1 = 0, .opc2 = CP_ANY, .access = PL1_W, 676 .type = ARM_CP_NOP | ARM_CP_OVERRIDE }, 677 }; 678 679 static const ARMCPRegInfo not_v6_cp_reginfo[] = { 680 /* 681 * Not all pre-v6 cores implemented this WFI, so this is slightly 682 * over-broad. 683 */ 684 { .name = "WFI_v5", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = 2, 685 .access = PL1_W, .type = ARM_CP_WFI }, 686 }; 687 688 static const ARMCPRegInfo not_v7_cp_reginfo[] = { 689 /* 690 * Standard v6 WFI (also used in some pre-v6 cores); not in v7 (which 691 * is UNPREDICTABLE; we choose to NOP as most implementations do). 692 */ 693 { .name = "WFI_v6", .cp = 15, .crn = 7, .crm = 0, .opc1 = 0, .opc2 = 4, 694 .access = PL1_W, .type = ARM_CP_WFI }, 695 /* 696 * L1 cache lockdown. Not architectural in v6 and earlier but in practice 697 * implemented in 926, 946, 1026, 1136, 1176 and 11MPCore. StrongARM and 698 * OMAPCP will override this space. 699 */ 700 { .name = "DLOCKDOWN", .cp = 15, .crn = 9, .crm = 0, .opc1 = 0, .opc2 = 0, 701 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_data), 702 .resetvalue = 0 }, 703 { .name = "ILOCKDOWN", .cp = 15, .crn = 9, .crm = 0, .opc1 = 0, .opc2 = 1, 704 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_insn), 705 .resetvalue = 0 }, 706 /* v6 doesn't have the cache ID registers but Linux reads them anyway */ 707 { .name = "DUMMY", .cp = 15, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = CP_ANY, 708 .access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW, 709 .resetvalue = 0 }, 710 /* 711 * We don't implement pre-v7 debug but most CPUs had at least a DBGDIDR; 712 * implementing it as RAZ means the "debug architecture version" bits 713 * will read as a reserved value, which should cause Linux to not try 714 * to use the debug hardware. 715 */ 716 { .name = "DBGDIDR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 0, 717 .access = PL0_R, .type = ARM_CP_CONST, .resetvalue = 0 }, 718 /* 719 * MMU TLB control. Note that the wildcarding means we cover not just 720 * the unified TLB ops but also the dside/iside/inner-shareable variants. 721 */ 722 { .name = "TLBIALL", .cp = 15, .crn = 8, .crm = CP_ANY, 723 .opc1 = CP_ANY, .opc2 = 0, .access = PL1_W, .writefn = tlbiall_write, 724 .type = ARM_CP_NO_RAW }, 725 { .name = "TLBIMVA", .cp = 15, .crn = 8, .crm = CP_ANY, 726 .opc1 = CP_ANY, .opc2 = 1, .access = PL1_W, .writefn = tlbimva_write, 727 .type = ARM_CP_NO_RAW }, 728 { .name = "TLBIASID", .cp = 15, .crn = 8, .crm = CP_ANY, 729 .opc1 = CP_ANY, .opc2 = 2, .access = PL1_W, .writefn = tlbiasid_write, 730 .type = ARM_CP_NO_RAW }, 731 { .name = "TLBIMVAA", .cp = 15, .crn = 8, .crm = CP_ANY, 732 .opc1 = CP_ANY, .opc2 = 3, .access = PL1_W, .writefn = tlbimvaa_write, 733 .type = ARM_CP_NO_RAW }, 734 { .name = "PRRR", .cp = 15, .crn = 10, .crm = 2, 735 .opc1 = 0, .opc2 = 0, .access = PL1_RW, .type = ARM_CP_NOP }, 736 { .name = "NMRR", .cp = 15, .crn = 10, .crm = 2, 737 .opc1 = 0, .opc2 = 1, .access = PL1_RW, .type = ARM_CP_NOP }, 738 }; 739 740 static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri, 741 uint64_t value) 742 { 743 uint32_t mask = 0; 744 745 /* In ARMv8 most bits of CPACR_EL1 are RES0. */ 746 if (!arm_feature(env, ARM_FEATURE_V8)) { 747 /* 748 * ARMv7 defines bits for unimplemented coprocessors as RAZ/WI. 749 * ASEDIS [31] and D32DIS [30] are both UNK/SBZP without VFP. 750 * TRCDIS [28] is RAZ/WI since we do not implement a trace macrocell. 751 */ 752 if (cpu_isar_feature(aa32_vfp_simd, env_archcpu(env))) { 753 /* VFP coprocessor: cp10 & cp11 [23:20] */ 754 mask |= R_CPACR_ASEDIS_MASK | 755 R_CPACR_D32DIS_MASK | 756 R_CPACR_CP11_MASK | 757 R_CPACR_CP10_MASK; 758 759 if (!arm_feature(env, ARM_FEATURE_NEON)) { 760 /* ASEDIS [31] bit is RAO/WI */ 761 value |= R_CPACR_ASEDIS_MASK; 762 } 763 764 /* 765 * VFPv3 and upwards with NEON implement 32 double precision 766 * registers (D0-D31). 767 */ 768 if (!cpu_isar_feature(aa32_simd_r32, env_archcpu(env))) { 769 /* D32DIS [30] is RAO/WI if D16-31 are not implemented. */ 770 value |= R_CPACR_D32DIS_MASK; 771 } 772 } 773 value &= mask; 774 } 775 776 /* 777 * For A-profile AArch32 EL3 (but not M-profile secure mode), if NSACR.CP10 778 * is 0 then CPACR.{CP11,CP10} ignore writes and read as 0b00. 779 */ 780 if (arm_feature(env, ARM_FEATURE_EL3) && !arm_el_is_aa64(env, 3) && 781 !arm_is_secure(env) && !extract32(env->cp15.nsacr, 10, 1)) { 782 mask = R_CPACR_CP11_MASK | R_CPACR_CP10_MASK; 783 value = (value & ~mask) | (env->cp15.cpacr_el1 & mask); 784 } 785 786 env->cp15.cpacr_el1 = value; 787 } 788 789 static uint64_t cpacr_read(CPUARMState *env, const ARMCPRegInfo *ri) 790 { 791 /* 792 * For A-profile AArch32 EL3 (but not M-profile secure mode), if NSACR.CP10 793 * is 0 then CPACR.{CP11,CP10} ignore writes and read as 0b00. 794 */ 795 uint64_t value = env->cp15.cpacr_el1; 796 797 if (arm_feature(env, ARM_FEATURE_EL3) && !arm_el_is_aa64(env, 3) && 798 !arm_is_secure(env) && !extract32(env->cp15.nsacr, 10, 1)) { 799 value = ~(R_CPACR_CP11_MASK | R_CPACR_CP10_MASK); 800 } 801 return value; 802 } 803 804 805 static void cpacr_reset(CPUARMState *env, const ARMCPRegInfo *ri) 806 { 807 /* 808 * Call cpacr_write() so that we reset with the correct RAO bits set 809 * for our CPU features. 810 */ 811 cpacr_write(env, ri, 0); 812 } 813 814 static CPAccessResult cpacr_access(CPUARMState *env, const ARMCPRegInfo *ri, 815 bool isread) 816 { 817 if (arm_feature(env, ARM_FEATURE_V8)) { 818 /* Check if CPACR accesses are to be trapped to EL2 */ 819 if (arm_current_el(env) == 1 && arm_is_el2_enabled(env) && 820 FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, TCPAC)) { 821 return CP_ACCESS_TRAP_EL2; 822 /* Check if CPACR accesses are to be trapped to EL3 */ 823 } else if (arm_current_el(env) < 3 && 824 FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, TCPAC)) { 825 return CP_ACCESS_TRAP_EL3; 826 } 827 } 828 829 return CP_ACCESS_OK; 830 } 831 832 static CPAccessResult cptr_access(CPUARMState *env, const ARMCPRegInfo *ri, 833 bool isread) 834 { 835 /* Check if CPTR accesses are set to trap to EL3 */ 836 if (arm_current_el(env) == 2 && 837 FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, TCPAC)) { 838 return CP_ACCESS_TRAP_EL3; 839 } 840 841 return CP_ACCESS_OK; 842 } 843 844 static const ARMCPRegInfo v6_cp_reginfo[] = { 845 /* prefetch by MVA in v6, NOP in v7 */ 846 { .name = "MVA_prefetch", 847 .cp = 15, .crn = 7, .crm = 13, .opc1 = 0, .opc2 = 1, 848 .access = PL1_W, .type = ARM_CP_NOP }, 849 /* 850 * We need to break the TB after ISB to execute self-modifying code 851 * correctly and also to take any pending interrupts immediately. 852 * So use arm_cp_write_ignore() function instead of ARM_CP_NOP flag. 853 */ 854 { .name = "ISB", .cp = 15, .crn = 7, .crm = 5, .opc1 = 0, .opc2 = 4, 855 .access = PL0_W, .type = ARM_CP_NO_RAW, .writefn = arm_cp_write_ignore }, 856 { .name = "DSB", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 4, 857 .access = PL0_W, .type = ARM_CP_NOP }, 858 { .name = "DMB", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 5, 859 .access = PL0_W, .type = ARM_CP_NOP }, 860 { .name = "IFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 2, 861 .access = PL1_RW, .accessfn = access_tvm_trvm, 862 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ifar_s), 863 offsetof(CPUARMState, cp15.ifar_ns) }, 864 .resetvalue = 0, }, 865 /* 866 * Watchpoint Fault Address Register : should actually only be present 867 * for 1136, 1176, 11MPCore. 868 */ 869 { .name = "WFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 1, 870 .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, }, 871 { .name = "CPACR", .state = ARM_CP_STATE_BOTH, .opc0 = 3, 872 .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 2, .accessfn = cpacr_access, 873 .fgt = FGT_CPACR_EL1, 874 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.cpacr_el1), 875 .resetfn = cpacr_reset, .writefn = cpacr_write, .readfn = cpacr_read }, 876 }; 877 878 typedef struct pm_event { 879 uint16_t number; /* PMEVTYPER.evtCount is 16 bits wide */ 880 /* If the event is supported on this CPU (used to generate PMCEID[01]) */ 881 bool (*supported)(CPUARMState *); 882 /* 883 * Retrieve the current count of the underlying event. The programmed 884 * counters hold a difference from the return value from this function 885 */ 886 uint64_t (*get_count)(CPUARMState *); 887 /* 888 * Return how many nanoseconds it will take (at a minimum) for count events 889 * to occur. A negative value indicates the counter will never overflow, or 890 * that the counter has otherwise arranged for the overflow bit to be set 891 * and the PMU interrupt to be raised on overflow. 892 */ 893 int64_t (*ns_per_count)(uint64_t); 894 } pm_event; 895 896 static bool event_always_supported(CPUARMState *env) 897 { 898 return true; 899 } 900 901 static uint64_t swinc_get_count(CPUARMState *env) 902 { 903 /* 904 * SW_INCR events are written directly to the pmevcntr's by writes to 905 * PMSWINC, so there is no underlying count maintained by the PMU itself 906 */ 907 return 0; 908 } 909 910 static int64_t swinc_ns_per(uint64_t ignored) 911 { 912 return -1; 913 } 914 915 /* 916 * Return the underlying cycle count for the PMU cycle counters. If we're in 917 * usermode, simply return 0. 918 */ 919 static uint64_t cycles_get_count(CPUARMState *env) 920 { 921 #ifndef CONFIG_USER_ONLY 922 return muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), 923 ARM_CPU_FREQ, NANOSECONDS_PER_SECOND); 924 #else 925 return cpu_get_host_ticks(); 926 #endif 927 } 928 929 #ifndef CONFIG_USER_ONLY 930 static int64_t cycles_ns_per(uint64_t cycles) 931 { 932 return (ARM_CPU_FREQ / NANOSECONDS_PER_SECOND) * cycles; 933 } 934 935 static bool instructions_supported(CPUARMState *env) 936 { 937 return icount_enabled() == 1; /* Precise instruction counting */ 938 } 939 940 static uint64_t instructions_get_count(CPUARMState *env) 941 { 942 return (uint64_t)icount_get_raw(); 943 } 944 945 static int64_t instructions_ns_per(uint64_t icount) 946 { 947 return icount_to_ns((int64_t)icount); 948 } 949 #endif 950 951 static bool pmuv3p1_events_supported(CPUARMState *env) 952 { 953 /* For events which are supported in any v8.1 PMU */ 954 return cpu_isar_feature(any_pmuv3p1, env_archcpu(env)); 955 } 956 957 static bool pmuv3p4_events_supported(CPUARMState *env) 958 { 959 /* For events which are supported in any v8.1 PMU */ 960 return cpu_isar_feature(any_pmuv3p4, env_archcpu(env)); 961 } 962 963 static uint64_t zero_event_get_count(CPUARMState *env) 964 { 965 /* For events which on QEMU never fire, so their count is always zero */ 966 return 0; 967 } 968 969 static int64_t zero_event_ns_per(uint64_t cycles) 970 { 971 /* An event which never fires can never overflow */ 972 return -1; 973 } 974 975 static const pm_event pm_events[] = { 976 { .number = 0x000, /* SW_INCR */ 977 .supported = event_always_supported, 978 .get_count = swinc_get_count, 979 .ns_per_count = swinc_ns_per, 980 }, 981 #ifndef CONFIG_USER_ONLY 982 { .number = 0x008, /* INST_RETIRED, Instruction architecturally executed */ 983 .supported = instructions_supported, 984 .get_count = instructions_get_count, 985 .ns_per_count = instructions_ns_per, 986 }, 987 { .number = 0x011, /* CPU_CYCLES, Cycle */ 988 .supported = event_always_supported, 989 .get_count = cycles_get_count, 990 .ns_per_count = cycles_ns_per, 991 }, 992 #endif 993 { .number = 0x023, /* STALL_FRONTEND */ 994 .supported = pmuv3p1_events_supported, 995 .get_count = zero_event_get_count, 996 .ns_per_count = zero_event_ns_per, 997 }, 998 { .number = 0x024, /* STALL_BACKEND */ 999 .supported = pmuv3p1_events_supported, 1000 .get_count = zero_event_get_count, 1001 .ns_per_count = zero_event_ns_per, 1002 }, 1003 { .number = 0x03c, /* STALL */ 1004 .supported = pmuv3p4_events_supported, 1005 .get_count = zero_event_get_count, 1006 .ns_per_count = zero_event_ns_per, 1007 }, 1008 }; 1009 1010 /* 1011 * Note: Before increasing MAX_EVENT_ID beyond 0x3f into the 0x40xx range of 1012 * events (i.e. the statistical profiling extension), this implementation 1013 * should first be updated to something sparse instead of the current 1014 * supported_event_map[] array. 1015 */ 1016 #define MAX_EVENT_ID 0x3c 1017 #define UNSUPPORTED_EVENT UINT16_MAX 1018 static uint16_t supported_event_map[MAX_EVENT_ID + 1]; 1019 1020 /* 1021 * Called upon CPU initialization to initialize PMCEID[01]_EL0 and build a map 1022 * of ARM event numbers to indices in our pm_events array. 1023 * 1024 * Note: Events in the 0x40XX range are not currently supported. 1025 */ 1026 void pmu_init(ARMCPU *cpu) 1027 { 1028 unsigned int i; 1029 1030 /* 1031 * Empty supported_event_map and cpu->pmceid[01] before adding supported 1032 * events to them 1033 */ 1034 for (i = 0; i < ARRAY_SIZE(supported_event_map); i++) { 1035 supported_event_map[i] = UNSUPPORTED_EVENT; 1036 } 1037 cpu->pmceid0 = 0; 1038 cpu->pmceid1 = 0; 1039 1040 for (i = 0; i < ARRAY_SIZE(pm_events); i++) { 1041 const pm_event *cnt = &pm_events[i]; 1042 assert(cnt->number <= MAX_EVENT_ID); 1043 /* We do not currently support events in the 0x40xx range */ 1044 assert(cnt->number <= 0x3f); 1045 1046 if (cnt->supported(&cpu->env)) { 1047 supported_event_map[cnt->number] = i; 1048 uint64_t event_mask = 1ULL << (cnt->number & 0x1f); 1049 if (cnt->number & 0x20) { 1050 cpu->pmceid1 |= event_mask; 1051 } else { 1052 cpu->pmceid0 |= event_mask; 1053 } 1054 } 1055 } 1056 } 1057 1058 /* 1059 * Check at runtime whether a PMU event is supported for the current machine 1060 */ 1061 static bool event_supported(uint16_t number) 1062 { 1063 if (number > MAX_EVENT_ID) { 1064 return false; 1065 } 1066 return supported_event_map[number] != UNSUPPORTED_EVENT; 1067 } 1068 1069 static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri, 1070 bool isread) 1071 { 1072 /* 1073 * Performance monitor registers user accessibility is controlled 1074 * by PMUSERENR. MDCR_EL2.TPM and MDCR_EL3.TPM allow configurable 1075 * trapping to EL2 or EL3 for other accesses. 1076 */ 1077 int el = arm_current_el(env); 1078 uint64_t mdcr_el2 = arm_mdcr_el2_eff(env); 1079 1080 if (el == 0 && !(env->cp15.c9_pmuserenr & 1)) { 1081 return CP_ACCESS_TRAP; 1082 } 1083 if (el < 2 && (mdcr_el2 & MDCR_TPM)) { 1084 return CP_ACCESS_TRAP_EL2; 1085 } 1086 if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TPM)) { 1087 return CP_ACCESS_TRAP_EL3; 1088 } 1089 1090 return CP_ACCESS_OK; 1091 } 1092 1093 static CPAccessResult pmreg_access_xevcntr(CPUARMState *env, 1094 const ARMCPRegInfo *ri, 1095 bool isread) 1096 { 1097 /* ER: event counter read trap control */ 1098 if (arm_feature(env, ARM_FEATURE_V8) 1099 && arm_current_el(env) == 0 1100 && (env->cp15.c9_pmuserenr & (1 << 3)) != 0 1101 && isread) { 1102 return CP_ACCESS_OK; 1103 } 1104 1105 return pmreg_access(env, ri, isread); 1106 } 1107 1108 static CPAccessResult pmreg_access_swinc(CPUARMState *env, 1109 const ARMCPRegInfo *ri, 1110 bool isread) 1111 { 1112 /* SW: software increment write trap control */ 1113 if (arm_feature(env, ARM_FEATURE_V8) 1114 && arm_current_el(env) == 0 1115 && (env->cp15.c9_pmuserenr & (1 << 1)) != 0 1116 && !isread) { 1117 return CP_ACCESS_OK; 1118 } 1119 1120 return pmreg_access(env, ri, isread); 1121 } 1122 1123 static CPAccessResult pmreg_access_selr(CPUARMState *env, 1124 const ARMCPRegInfo *ri, 1125 bool isread) 1126 { 1127 /* ER: event counter read trap control */ 1128 if (arm_feature(env, ARM_FEATURE_V8) 1129 && arm_current_el(env) == 0 1130 && (env->cp15.c9_pmuserenr & (1 << 3)) != 0) { 1131 return CP_ACCESS_OK; 1132 } 1133 1134 return pmreg_access(env, ri, isread); 1135 } 1136 1137 static CPAccessResult pmreg_access_ccntr(CPUARMState *env, 1138 const ARMCPRegInfo *ri, 1139 bool isread) 1140 { 1141 /* CR: cycle counter read trap control */ 1142 if (arm_feature(env, ARM_FEATURE_V8) 1143 && arm_current_el(env) == 0 1144 && (env->cp15.c9_pmuserenr & (1 << 2)) != 0 1145 && isread) { 1146 return CP_ACCESS_OK; 1147 } 1148 1149 return pmreg_access(env, ri, isread); 1150 } 1151 1152 /* 1153 * Bits in MDCR_EL2 and MDCR_EL3 which pmu_counter_enabled() looks at. 1154 * We use these to decide whether we need to wrap a write to MDCR_EL2 1155 * or MDCR_EL3 in pmu_op_start()/pmu_op_finish() calls. 1156 */ 1157 #define MDCR_EL2_PMU_ENABLE_BITS \ 1158 (MDCR_HPME | MDCR_HPMD | MDCR_HPMN | MDCR_HCCD | MDCR_HLP) 1159 #define MDCR_EL3_PMU_ENABLE_BITS (MDCR_SPME | MDCR_SCCD) 1160 1161 /* 1162 * Returns true if the counter (pass 31 for PMCCNTR) should count events using 1163 * the current EL, security state, and register configuration. 1164 */ 1165 static bool pmu_counter_enabled(CPUARMState *env, uint8_t counter) 1166 { 1167 uint64_t filter; 1168 bool e, p, u, nsk, nsu, nsh, m; 1169 bool enabled, prohibited = false, filtered; 1170 bool secure = arm_is_secure(env); 1171 int el = arm_current_el(env); 1172 uint64_t mdcr_el2; 1173 uint8_t hpmn; 1174 1175 /* 1176 * We might be called for M-profile cores where MDCR_EL2 doesn't 1177 * exist and arm_mdcr_el2_eff() will assert, so this early-exit check 1178 * must be before we read that value. 1179 */ 1180 if (!arm_feature(env, ARM_FEATURE_PMU)) { 1181 return false; 1182 } 1183 1184 mdcr_el2 = arm_mdcr_el2_eff(env); 1185 hpmn = mdcr_el2 & MDCR_HPMN; 1186 1187 if (!arm_feature(env, ARM_FEATURE_EL2) || 1188 (counter < hpmn || counter == 31)) { 1189 e = env->cp15.c9_pmcr & PMCRE; 1190 } else { 1191 e = mdcr_el2 & MDCR_HPME; 1192 } 1193 enabled = e && (env->cp15.c9_pmcnten & (1 << counter)); 1194 1195 /* Is event counting prohibited? */ 1196 if (el == 2 && (counter < hpmn || counter == 31)) { 1197 prohibited = mdcr_el2 & MDCR_HPMD; 1198 } 1199 if (secure) { 1200 prohibited = prohibited || !(env->cp15.mdcr_el3 & MDCR_SPME); 1201 } 1202 1203 if (counter == 31) { 1204 /* 1205 * The cycle counter defaults to running. PMCR.DP says "disable 1206 * the cycle counter when event counting is prohibited". 1207 * Some MDCR bits disable the cycle counter specifically. 1208 */ 1209 prohibited = prohibited && env->cp15.c9_pmcr & PMCRDP; 1210 if (cpu_isar_feature(any_pmuv3p5, env_archcpu(env))) { 1211 if (secure) { 1212 prohibited = prohibited || (env->cp15.mdcr_el3 & MDCR_SCCD); 1213 } 1214 if (el == 2) { 1215 prohibited = prohibited || (mdcr_el2 & MDCR_HCCD); 1216 } 1217 } 1218 } 1219 1220 if (counter == 31) { 1221 filter = env->cp15.pmccfiltr_el0; 1222 } else { 1223 filter = env->cp15.c14_pmevtyper[counter]; 1224 } 1225 1226 p = filter & PMXEVTYPER_P; 1227 u = filter & PMXEVTYPER_U; 1228 nsk = arm_feature(env, ARM_FEATURE_EL3) && (filter & PMXEVTYPER_NSK); 1229 nsu = arm_feature(env, ARM_FEATURE_EL3) && (filter & PMXEVTYPER_NSU); 1230 nsh = arm_feature(env, ARM_FEATURE_EL2) && (filter & PMXEVTYPER_NSH); 1231 m = arm_el_is_aa64(env, 1) && 1232 arm_feature(env, ARM_FEATURE_EL3) && (filter & PMXEVTYPER_M); 1233 1234 if (el == 0) { 1235 filtered = secure ? u : u != nsu; 1236 } else if (el == 1) { 1237 filtered = secure ? p : p != nsk; 1238 } else if (el == 2) { 1239 filtered = !nsh; 1240 } else { /* EL3 */ 1241 filtered = m != p; 1242 } 1243 1244 if (counter != 31) { 1245 /* 1246 * If not checking PMCCNTR, ensure the counter is setup to an event we 1247 * support 1248 */ 1249 uint16_t event = filter & PMXEVTYPER_EVTCOUNT; 1250 if (!event_supported(event)) { 1251 return false; 1252 } 1253 } 1254 1255 return enabled && !prohibited && !filtered; 1256 } 1257 1258 static void pmu_update_irq(CPUARMState *env) 1259 { 1260 ARMCPU *cpu = env_archcpu(env); 1261 qemu_set_irq(cpu->pmu_interrupt, (env->cp15.c9_pmcr & PMCRE) && 1262 (env->cp15.c9_pminten & env->cp15.c9_pmovsr)); 1263 } 1264 1265 static bool pmccntr_clockdiv_enabled(CPUARMState *env) 1266 { 1267 /* 1268 * Return true if the clock divider is enabled and the cycle counter 1269 * is supposed to tick only once every 64 clock cycles. This is 1270 * controlled by PMCR.D, but if PMCR.LC is set to enable the long 1271 * (64-bit) cycle counter PMCR.D has no effect. 1272 */ 1273 return (env->cp15.c9_pmcr & (PMCRD | PMCRLC)) == PMCRD; 1274 } 1275 1276 static bool pmevcntr_is_64_bit(CPUARMState *env, int counter) 1277 { 1278 /* Return true if the specified event counter is configured to be 64 bit */ 1279 1280 /* This isn't intended to be used with the cycle counter */ 1281 assert(counter < 31); 1282 1283 if (!cpu_isar_feature(any_pmuv3p5, env_archcpu(env))) { 1284 return false; 1285 } 1286 1287 if (arm_feature(env, ARM_FEATURE_EL2)) { 1288 /* 1289 * MDCR_EL2.HLP still applies even when EL2 is disabled in the 1290 * current security state, so we don't use arm_mdcr_el2_eff() here. 1291 */ 1292 bool hlp = env->cp15.mdcr_el2 & MDCR_HLP; 1293 int hpmn = env->cp15.mdcr_el2 & MDCR_HPMN; 1294 1295 if (counter >= hpmn) { 1296 return hlp; 1297 } 1298 } 1299 return env->cp15.c9_pmcr & PMCRLP; 1300 } 1301 1302 /* 1303 * Ensure c15_ccnt is the guest-visible count so that operations such as 1304 * enabling/disabling the counter or filtering, modifying the count itself, 1305 * etc. can be done logically. This is essentially a no-op if the counter is 1306 * not enabled at the time of the call. 1307 */ 1308 static void pmccntr_op_start(CPUARMState *env) 1309 { 1310 uint64_t cycles = cycles_get_count(env); 1311 1312 if (pmu_counter_enabled(env, 31)) { 1313 uint64_t eff_cycles = cycles; 1314 if (pmccntr_clockdiv_enabled(env)) { 1315 eff_cycles /= 64; 1316 } 1317 1318 uint64_t new_pmccntr = eff_cycles - env->cp15.c15_ccnt_delta; 1319 1320 uint64_t overflow_mask = env->cp15.c9_pmcr & PMCRLC ? \ 1321 1ull << 63 : 1ull << 31; 1322 if (env->cp15.c15_ccnt & ~new_pmccntr & overflow_mask) { 1323 env->cp15.c9_pmovsr |= (1ULL << 31); 1324 pmu_update_irq(env); 1325 } 1326 1327 env->cp15.c15_ccnt = new_pmccntr; 1328 } 1329 env->cp15.c15_ccnt_delta = cycles; 1330 } 1331 1332 /* 1333 * If PMCCNTR is enabled, recalculate the delta between the clock and the 1334 * guest-visible count. A call to pmccntr_op_finish should follow every call to 1335 * pmccntr_op_start. 1336 */ 1337 static void pmccntr_op_finish(CPUARMState *env) 1338 { 1339 if (pmu_counter_enabled(env, 31)) { 1340 #ifndef CONFIG_USER_ONLY 1341 /* Calculate when the counter will next overflow */ 1342 uint64_t remaining_cycles = -env->cp15.c15_ccnt; 1343 if (!(env->cp15.c9_pmcr & PMCRLC)) { 1344 remaining_cycles = (uint32_t)remaining_cycles; 1345 } 1346 int64_t overflow_in = cycles_ns_per(remaining_cycles); 1347 1348 if (overflow_in > 0) { 1349 int64_t overflow_at; 1350 1351 if (!sadd64_overflow(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), 1352 overflow_in, &overflow_at)) { 1353 ARMCPU *cpu = env_archcpu(env); 1354 timer_mod_anticipate_ns(cpu->pmu_timer, overflow_at); 1355 } 1356 } 1357 #endif 1358 1359 uint64_t prev_cycles = env->cp15.c15_ccnt_delta; 1360 if (pmccntr_clockdiv_enabled(env)) { 1361 prev_cycles /= 64; 1362 } 1363 env->cp15.c15_ccnt_delta = prev_cycles - env->cp15.c15_ccnt; 1364 } 1365 } 1366 1367 static void pmevcntr_op_start(CPUARMState *env, uint8_t counter) 1368 { 1369 1370 uint16_t event = env->cp15.c14_pmevtyper[counter] & PMXEVTYPER_EVTCOUNT; 1371 uint64_t count = 0; 1372 if (event_supported(event)) { 1373 uint16_t event_idx = supported_event_map[event]; 1374 count = pm_events[event_idx].get_count(env); 1375 } 1376 1377 if (pmu_counter_enabled(env, counter)) { 1378 uint64_t new_pmevcntr = count - env->cp15.c14_pmevcntr_delta[counter]; 1379 uint64_t overflow_mask = pmevcntr_is_64_bit(env, counter) ? 1380 1ULL << 63 : 1ULL << 31; 1381 1382 if (env->cp15.c14_pmevcntr[counter] & ~new_pmevcntr & overflow_mask) { 1383 env->cp15.c9_pmovsr |= (1 << counter); 1384 pmu_update_irq(env); 1385 } 1386 env->cp15.c14_pmevcntr[counter] = new_pmevcntr; 1387 } 1388 env->cp15.c14_pmevcntr_delta[counter] = count; 1389 } 1390 1391 static void pmevcntr_op_finish(CPUARMState *env, uint8_t counter) 1392 { 1393 if (pmu_counter_enabled(env, counter)) { 1394 #ifndef CONFIG_USER_ONLY 1395 uint16_t event = env->cp15.c14_pmevtyper[counter] & PMXEVTYPER_EVTCOUNT; 1396 uint16_t event_idx = supported_event_map[event]; 1397 uint64_t delta = -(env->cp15.c14_pmevcntr[counter] + 1); 1398 int64_t overflow_in; 1399 1400 if (!pmevcntr_is_64_bit(env, counter)) { 1401 delta = (uint32_t)delta; 1402 } 1403 overflow_in = pm_events[event_idx].ns_per_count(delta); 1404 1405 if (overflow_in > 0) { 1406 int64_t overflow_at; 1407 1408 if (!sadd64_overflow(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), 1409 overflow_in, &overflow_at)) { 1410 ARMCPU *cpu = env_archcpu(env); 1411 timer_mod_anticipate_ns(cpu->pmu_timer, overflow_at); 1412 } 1413 } 1414 #endif 1415 1416 env->cp15.c14_pmevcntr_delta[counter] -= 1417 env->cp15.c14_pmevcntr[counter]; 1418 } 1419 } 1420 1421 void pmu_op_start(CPUARMState *env) 1422 { 1423 unsigned int i; 1424 pmccntr_op_start(env); 1425 for (i = 0; i < pmu_num_counters(env); i++) { 1426 pmevcntr_op_start(env, i); 1427 } 1428 } 1429 1430 void pmu_op_finish(CPUARMState *env) 1431 { 1432 unsigned int i; 1433 pmccntr_op_finish(env); 1434 for (i = 0; i < pmu_num_counters(env); i++) { 1435 pmevcntr_op_finish(env, i); 1436 } 1437 } 1438 1439 void pmu_pre_el_change(ARMCPU *cpu, void *ignored) 1440 { 1441 pmu_op_start(&cpu->env); 1442 } 1443 1444 void pmu_post_el_change(ARMCPU *cpu, void *ignored) 1445 { 1446 pmu_op_finish(&cpu->env); 1447 } 1448 1449 void arm_pmu_timer_cb(void *opaque) 1450 { 1451 ARMCPU *cpu = opaque; 1452 1453 /* 1454 * Update all the counter values based on the current underlying counts, 1455 * triggering interrupts to be raised, if necessary. pmu_op_finish() also 1456 * has the effect of setting the cpu->pmu_timer to the next earliest time a 1457 * counter may expire. 1458 */ 1459 pmu_op_start(&cpu->env); 1460 pmu_op_finish(&cpu->env); 1461 } 1462 1463 static void pmcr_write(CPUARMState *env, const ARMCPRegInfo *ri, 1464 uint64_t value) 1465 { 1466 pmu_op_start(env); 1467 1468 if (value & PMCRC) { 1469 /* The counter has been reset */ 1470 env->cp15.c15_ccnt = 0; 1471 } 1472 1473 if (value & PMCRP) { 1474 unsigned int i; 1475 for (i = 0; i < pmu_num_counters(env); i++) { 1476 env->cp15.c14_pmevcntr[i] = 0; 1477 } 1478 } 1479 1480 env->cp15.c9_pmcr &= ~PMCR_WRITABLE_MASK; 1481 env->cp15.c9_pmcr |= (value & PMCR_WRITABLE_MASK); 1482 1483 pmu_op_finish(env); 1484 } 1485 1486 static void pmswinc_write(CPUARMState *env, const ARMCPRegInfo *ri, 1487 uint64_t value) 1488 { 1489 unsigned int i; 1490 uint64_t overflow_mask, new_pmswinc; 1491 1492 for (i = 0; i < pmu_num_counters(env); i++) { 1493 /* Increment a counter's count iff: */ 1494 if ((value & (1 << i)) && /* counter's bit is set */ 1495 /* counter is enabled and not filtered */ 1496 pmu_counter_enabled(env, i) && 1497 /* counter is SW_INCR */ 1498 (env->cp15.c14_pmevtyper[i] & PMXEVTYPER_EVTCOUNT) == 0x0) { 1499 pmevcntr_op_start(env, i); 1500 1501 /* 1502 * Detect if this write causes an overflow since we can't predict 1503 * PMSWINC overflows like we can for other events 1504 */ 1505 new_pmswinc = env->cp15.c14_pmevcntr[i] + 1; 1506 1507 overflow_mask = pmevcntr_is_64_bit(env, i) ? 1508 1ULL << 63 : 1ULL << 31; 1509 1510 if (env->cp15.c14_pmevcntr[i] & ~new_pmswinc & overflow_mask) { 1511 env->cp15.c9_pmovsr |= (1 << i); 1512 pmu_update_irq(env); 1513 } 1514 1515 env->cp15.c14_pmevcntr[i] = new_pmswinc; 1516 1517 pmevcntr_op_finish(env, i); 1518 } 1519 } 1520 } 1521 1522 static uint64_t pmccntr_read(CPUARMState *env, const ARMCPRegInfo *ri) 1523 { 1524 uint64_t ret; 1525 pmccntr_op_start(env); 1526 ret = env->cp15.c15_ccnt; 1527 pmccntr_op_finish(env); 1528 return ret; 1529 } 1530 1531 static void pmselr_write(CPUARMState *env, const ARMCPRegInfo *ri, 1532 uint64_t value) 1533 { 1534 /* 1535 * The value of PMSELR.SEL affects the behavior of PMXEVTYPER and 1536 * PMXEVCNTR. We allow [0..31] to be written to PMSELR here; in the 1537 * meanwhile, we check PMSELR.SEL when PMXEVTYPER and PMXEVCNTR are 1538 * accessed. 1539 */ 1540 env->cp15.c9_pmselr = value & 0x1f; 1541 } 1542 1543 static void pmccntr_write(CPUARMState *env, const ARMCPRegInfo *ri, 1544 uint64_t value) 1545 { 1546 pmccntr_op_start(env); 1547 env->cp15.c15_ccnt = value; 1548 pmccntr_op_finish(env); 1549 } 1550 1551 static void pmccntr_write32(CPUARMState *env, const ARMCPRegInfo *ri, 1552 uint64_t value) 1553 { 1554 uint64_t cur_val = pmccntr_read(env, NULL); 1555 1556 pmccntr_write(env, ri, deposit64(cur_val, 0, 32, value)); 1557 } 1558 1559 static void pmccfiltr_write(CPUARMState *env, const ARMCPRegInfo *ri, 1560 uint64_t value) 1561 { 1562 pmccntr_op_start(env); 1563 env->cp15.pmccfiltr_el0 = value & PMCCFILTR_EL0; 1564 pmccntr_op_finish(env); 1565 } 1566 1567 static void pmccfiltr_write_a32(CPUARMState *env, const ARMCPRegInfo *ri, 1568 uint64_t value) 1569 { 1570 pmccntr_op_start(env); 1571 /* M is not accessible from AArch32 */ 1572 env->cp15.pmccfiltr_el0 = (env->cp15.pmccfiltr_el0 & PMCCFILTR_M) | 1573 (value & PMCCFILTR); 1574 pmccntr_op_finish(env); 1575 } 1576 1577 static uint64_t pmccfiltr_read_a32(CPUARMState *env, const ARMCPRegInfo *ri) 1578 { 1579 /* M is not visible in AArch32 */ 1580 return env->cp15.pmccfiltr_el0 & PMCCFILTR; 1581 } 1582 1583 static void pmcntenset_write(CPUARMState *env, const ARMCPRegInfo *ri, 1584 uint64_t value) 1585 { 1586 pmu_op_start(env); 1587 value &= pmu_counter_mask(env); 1588 env->cp15.c9_pmcnten |= value; 1589 pmu_op_finish(env); 1590 } 1591 1592 static void pmcntenclr_write(CPUARMState *env, const ARMCPRegInfo *ri, 1593 uint64_t value) 1594 { 1595 pmu_op_start(env); 1596 value &= pmu_counter_mask(env); 1597 env->cp15.c9_pmcnten &= ~value; 1598 pmu_op_finish(env); 1599 } 1600 1601 static void pmovsr_write(CPUARMState *env, const ARMCPRegInfo *ri, 1602 uint64_t value) 1603 { 1604 value &= pmu_counter_mask(env); 1605 env->cp15.c9_pmovsr &= ~value; 1606 pmu_update_irq(env); 1607 } 1608 1609 static void pmovsset_write(CPUARMState *env, const ARMCPRegInfo *ri, 1610 uint64_t value) 1611 { 1612 value &= pmu_counter_mask(env); 1613 env->cp15.c9_pmovsr |= value; 1614 pmu_update_irq(env); 1615 } 1616 1617 static void pmevtyper_write(CPUARMState *env, const ARMCPRegInfo *ri, 1618 uint64_t value, const uint8_t counter) 1619 { 1620 if (counter == 31) { 1621 pmccfiltr_write(env, ri, value); 1622 } else if (counter < pmu_num_counters(env)) { 1623 pmevcntr_op_start(env, counter); 1624 1625 /* 1626 * If this counter's event type is changing, store the current 1627 * underlying count for the new type in c14_pmevcntr_delta[counter] so 1628 * pmevcntr_op_finish has the correct baseline when it converts back to 1629 * a delta. 1630 */ 1631 uint16_t old_event = env->cp15.c14_pmevtyper[counter] & 1632 PMXEVTYPER_EVTCOUNT; 1633 uint16_t new_event = value & PMXEVTYPER_EVTCOUNT; 1634 if (old_event != new_event) { 1635 uint64_t count = 0; 1636 if (event_supported(new_event)) { 1637 uint16_t event_idx = supported_event_map[new_event]; 1638 count = pm_events[event_idx].get_count(env); 1639 } 1640 env->cp15.c14_pmevcntr_delta[counter] = count; 1641 } 1642 1643 env->cp15.c14_pmevtyper[counter] = value & PMXEVTYPER_MASK; 1644 pmevcntr_op_finish(env, counter); 1645 } 1646 /* 1647 * Attempts to access PMXEVTYPER are CONSTRAINED UNPREDICTABLE when 1648 * PMSELR value is equal to or greater than the number of implemented 1649 * counters, but not equal to 0x1f. We opt to behave as a RAZ/WI. 1650 */ 1651 } 1652 1653 static uint64_t pmevtyper_read(CPUARMState *env, const ARMCPRegInfo *ri, 1654 const uint8_t counter) 1655 { 1656 if (counter == 31) { 1657 return env->cp15.pmccfiltr_el0; 1658 } else if (counter < pmu_num_counters(env)) { 1659 return env->cp15.c14_pmevtyper[counter]; 1660 } else { 1661 /* 1662 * We opt to behave as a RAZ/WI when attempts to access PMXEVTYPER 1663 * are CONSTRAINED UNPREDICTABLE. See comments in pmevtyper_write(). 1664 */ 1665 return 0; 1666 } 1667 } 1668 1669 static void pmevtyper_writefn(CPUARMState *env, const ARMCPRegInfo *ri, 1670 uint64_t value) 1671 { 1672 uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7); 1673 pmevtyper_write(env, ri, value, counter); 1674 } 1675 1676 static void pmevtyper_rawwrite(CPUARMState *env, const ARMCPRegInfo *ri, 1677 uint64_t value) 1678 { 1679 uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7); 1680 env->cp15.c14_pmevtyper[counter] = value; 1681 1682 /* 1683 * pmevtyper_rawwrite is called between a pair of pmu_op_start and 1684 * pmu_op_finish calls when loading saved state for a migration. Because 1685 * we're potentially updating the type of event here, the value written to 1686 * c14_pmevcntr_delta by the preceding pmu_op_start call may be for a 1687 * different counter type. Therefore, we need to set this value to the 1688 * current count for the counter type we're writing so that pmu_op_finish 1689 * has the correct count for its calculation. 1690 */ 1691 uint16_t event = value & PMXEVTYPER_EVTCOUNT; 1692 if (event_supported(event)) { 1693 uint16_t event_idx = supported_event_map[event]; 1694 env->cp15.c14_pmevcntr_delta[counter] = 1695 pm_events[event_idx].get_count(env); 1696 } 1697 } 1698 1699 static uint64_t pmevtyper_readfn(CPUARMState *env, const ARMCPRegInfo *ri) 1700 { 1701 uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7); 1702 return pmevtyper_read(env, ri, counter); 1703 } 1704 1705 static void pmxevtyper_write(CPUARMState *env, const ARMCPRegInfo *ri, 1706 uint64_t value) 1707 { 1708 pmevtyper_write(env, ri, value, env->cp15.c9_pmselr & 31); 1709 } 1710 1711 static uint64_t pmxevtyper_read(CPUARMState *env, const ARMCPRegInfo *ri) 1712 { 1713 return pmevtyper_read(env, ri, env->cp15.c9_pmselr & 31); 1714 } 1715 1716 static void pmevcntr_write(CPUARMState *env, const ARMCPRegInfo *ri, 1717 uint64_t value, uint8_t counter) 1718 { 1719 if (!cpu_isar_feature(any_pmuv3p5, env_archcpu(env))) { 1720 /* Before FEAT_PMUv3p5, top 32 bits of event counters are RES0 */ 1721 value &= MAKE_64BIT_MASK(0, 32); 1722 } 1723 if (counter < pmu_num_counters(env)) { 1724 pmevcntr_op_start(env, counter); 1725 env->cp15.c14_pmevcntr[counter] = value; 1726 pmevcntr_op_finish(env, counter); 1727 } 1728 /* 1729 * We opt to behave as a RAZ/WI when attempts to access PM[X]EVCNTR 1730 * are CONSTRAINED UNPREDICTABLE. 1731 */ 1732 } 1733 1734 static uint64_t pmevcntr_read(CPUARMState *env, const ARMCPRegInfo *ri, 1735 uint8_t counter) 1736 { 1737 if (counter < pmu_num_counters(env)) { 1738 uint64_t ret; 1739 pmevcntr_op_start(env, counter); 1740 ret = env->cp15.c14_pmevcntr[counter]; 1741 pmevcntr_op_finish(env, counter); 1742 if (!cpu_isar_feature(any_pmuv3p5, env_archcpu(env))) { 1743 /* Before FEAT_PMUv3p5, top 32 bits of event counters are RES0 */ 1744 ret &= MAKE_64BIT_MASK(0, 32); 1745 } 1746 return ret; 1747 } else { 1748 /* 1749 * We opt to behave as a RAZ/WI when attempts to access PM[X]EVCNTR 1750 * are CONSTRAINED UNPREDICTABLE. 1751 */ 1752 return 0; 1753 } 1754 } 1755 1756 static void pmevcntr_writefn(CPUARMState *env, const ARMCPRegInfo *ri, 1757 uint64_t value) 1758 { 1759 uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7); 1760 pmevcntr_write(env, ri, value, counter); 1761 } 1762 1763 static uint64_t pmevcntr_readfn(CPUARMState *env, const ARMCPRegInfo *ri) 1764 { 1765 uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7); 1766 return pmevcntr_read(env, ri, counter); 1767 } 1768 1769 static void pmevcntr_rawwrite(CPUARMState *env, const ARMCPRegInfo *ri, 1770 uint64_t value) 1771 { 1772 uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7); 1773 assert(counter < pmu_num_counters(env)); 1774 env->cp15.c14_pmevcntr[counter] = value; 1775 pmevcntr_write(env, ri, value, counter); 1776 } 1777 1778 static uint64_t pmevcntr_rawread(CPUARMState *env, const ARMCPRegInfo *ri) 1779 { 1780 uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7); 1781 assert(counter < pmu_num_counters(env)); 1782 return env->cp15.c14_pmevcntr[counter]; 1783 } 1784 1785 static void pmxevcntr_write(CPUARMState *env, const ARMCPRegInfo *ri, 1786 uint64_t value) 1787 { 1788 pmevcntr_write(env, ri, value, env->cp15.c9_pmselr & 31); 1789 } 1790 1791 static uint64_t pmxevcntr_read(CPUARMState *env, const ARMCPRegInfo *ri) 1792 { 1793 return pmevcntr_read(env, ri, env->cp15.c9_pmselr & 31); 1794 } 1795 1796 static void pmuserenr_write(CPUARMState *env, const ARMCPRegInfo *ri, 1797 uint64_t value) 1798 { 1799 if (arm_feature(env, ARM_FEATURE_V8)) { 1800 env->cp15.c9_pmuserenr = value & 0xf; 1801 } else { 1802 env->cp15.c9_pmuserenr = value & 1; 1803 } 1804 } 1805 1806 static void pmintenset_write(CPUARMState *env, const ARMCPRegInfo *ri, 1807 uint64_t value) 1808 { 1809 /* We have no event counters so only the C bit can be changed */ 1810 value &= pmu_counter_mask(env); 1811 env->cp15.c9_pminten |= value; 1812 pmu_update_irq(env); 1813 } 1814 1815 static void pmintenclr_write(CPUARMState *env, const ARMCPRegInfo *ri, 1816 uint64_t value) 1817 { 1818 value &= pmu_counter_mask(env); 1819 env->cp15.c9_pminten &= ~value; 1820 pmu_update_irq(env); 1821 } 1822 1823 static void vbar_write(CPUARMState *env, const ARMCPRegInfo *ri, 1824 uint64_t value) 1825 { 1826 /* 1827 * Note that even though the AArch64 view of this register has bits 1828 * [10:0] all RES0 we can only mask the bottom 5, to comply with the 1829 * architectural requirements for bits which are RES0 only in some 1830 * contexts. (ARMv8 would permit us to do no masking at all, but ARMv7 1831 * requires the bottom five bits to be RAZ/WI because they're UNK/SBZP.) 1832 */ 1833 raw_write(env, ri, value & ~0x1FULL); 1834 } 1835 1836 static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) 1837 { 1838 /* Begin with base v8.0 state. */ 1839 uint64_t valid_mask = 0x3fff; 1840 ARMCPU *cpu = env_archcpu(env); 1841 uint64_t changed; 1842 1843 /* 1844 * Because SCR_EL3 is the "real" cpreg and SCR is the alias, reset always 1845 * passes the reginfo for SCR_EL3, which has type ARM_CP_STATE_AA64. 1846 * Instead, choose the format based on the mode of EL3. 1847 */ 1848 if (arm_el_is_aa64(env, 3)) { 1849 value |= SCR_FW | SCR_AW; /* RES1 */ 1850 valid_mask &= ~SCR_NET; /* RES0 */ 1851 1852 if (!cpu_isar_feature(aa64_aa32_el1, cpu) && 1853 !cpu_isar_feature(aa64_aa32_el2, cpu)) { 1854 value |= SCR_RW; /* RAO/WI */ 1855 } 1856 if (cpu_isar_feature(aa64_ras, cpu)) { 1857 valid_mask |= SCR_TERR; 1858 } 1859 if (cpu_isar_feature(aa64_lor, cpu)) { 1860 valid_mask |= SCR_TLOR; 1861 } 1862 if (cpu_isar_feature(aa64_pauth, cpu)) { 1863 valid_mask |= SCR_API | SCR_APK; 1864 } 1865 if (cpu_isar_feature(aa64_sel2, cpu)) { 1866 valid_mask |= SCR_EEL2; 1867 } else if (cpu_isar_feature(aa64_rme, cpu)) { 1868 /* With RME and without SEL2, NS is RES1 (R_GSWWH, I_DJJQJ). */ 1869 value |= SCR_NS; 1870 } 1871 if (cpu_isar_feature(aa64_mte, cpu)) { 1872 valid_mask |= SCR_ATA; 1873 } 1874 if (cpu_isar_feature(aa64_scxtnum, cpu)) { 1875 valid_mask |= SCR_ENSCXT; 1876 } 1877 if (cpu_isar_feature(aa64_doublefault, cpu)) { 1878 valid_mask |= SCR_EASE | SCR_NMEA; 1879 } 1880 if (cpu_isar_feature(aa64_sme, cpu)) { 1881 valid_mask |= SCR_ENTP2; 1882 } 1883 if (cpu_isar_feature(aa64_hcx, cpu)) { 1884 valid_mask |= SCR_HXEN; 1885 } 1886 if (cpu_isar_feature(aa64_fgt, cpu)) { 1887 valid_mask |= SCR_FGTEN; 1888 } 1889 if (cpu_isar_feature(aa64_rme, cpu)) { 1890 valid_mask |= SCR_NSE | SCR_GPF; 1891 } 1892 } else { 1893 valid_mask &= ~(SCR_RW | SCR_ST); 1894 if (cpu_isar_feature(aa32_ras, cpu)) { 1895 valid_mask |= SCR_TERR; 1896 } 1897 } 1898 1899 if (!arm_feature(env, ARM_FEATURE_EL2)) { 1900 valid_mask &= ~SCR_HCE; 1901 1902 /* 1903 * On ARMv7, SMD (or SCD as it is called in v7) is only 1904 * supported if EL2 exists. The bit is UNK/SBZP when 1905 * EL2 is unavailable. In QEMU ARMv7, we force it to always zero 1906 * when EL2 is unavailable. 1907 * On ARMv8, this bit is always available. 1908 */ 1909 if (arm_feature(env, ARM_FEATURE_V7) && 1910 !arm_feature(env, ARM_FEATURE_V8)) { 1911 valid_mask &= ~SCR_SMD; 1912 } 1913 } 1914 1915 /* Clear all-context RES0 bits. */ 1916 value &= valid_mask; 1917 changed = env->cp15.scr_el3 ^ value; 1918 env->cp15.scr_el3 = value; 1919 1920 /* 1921 * If SCR_EL3.{NS,NSE} changes, i.e. change of security state, 1922 * we must invalidate all TLBs below EL3. 1923 */ 1924 if (changed & (SCR_NS | SCR_NSE)) { 1925 tlb_flush_by_mmuidx(env_cpu(env), (ARMMMUIdxBit_E10_0 | 1926 ARMMMUIdxBit_E20_0 | 1927 ARMMMUIdxBit_E10_1 | 1928 ARMMMUIdxBit_E20_2 | 1929 ARMMMUIdxBit_E10_1_PAN | 1930 ARMMMUIdxBit_E20_2_PAN | 1931 ARMMMUIdxBit_E2)); 1932 } 1933 } 1934 1935 static void scr_reset(CPUARMState *env, const ARMCPRegInfo *ri) 1936 { 1937 /* 1938 * scr_write will set the RES1 bits on an AArch64-only CPU. 1939 * The reset value will be 0x30 on an AArch64-only CPU and 0 otherwise. 1940 */ 1941 scr_write(env, ri, 0); 1942 } 1943 1944 static CPAccessResult access_tid4(CPUARMState *env, 1945 const ARMCPRegInfo *ri, 1946 bool isread) 1947 { 1948 if (arm_current_el(env) == 1 && 1949 (arm_hcr_el2_eff(env) & (HCR_TID2 | HCR_TID4))) { 1950 return CP_ACCESS_TRAP_EL2; 1951 } 1952 1953 return CP_ACCESS_OK; 1954 } 1955 1956 static uint64_t ccsidr_read(CPUARMState *env, const ARMCPRegInfo *ri) 1957 { 1958 ARMCPU *cpu = env_archcpu(env); 1959 1960 /* 1961 * Acquire the CSSELR index from the bank corresponding to the CCSIDR 1962 * bank 1963 */ 1964 uint32_t index = A32_BANKED_REG_GET(env, csselr, 1965 ri->secure & ARM_CP_SECSTATE_S); 1966 1967 return cpu->ccsidr[index]; 1968 } 1969 1970 static void csselr_write(CPUARMState *env, const ARMCPRegInfo *ri, 1971 uint64_t value) 1972 { 1973 raw_write(env, ri, value & 0xf); 1974 } 1975 1976 static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri) 1977 { 1978 CPUState *cs = env_cpu(env); 1979 bool el1 = arm_current_el(env) == 1; 1980 uint64_t hcr_el2 = el1 ? arm_hcr_el2_eff(env) : 0; 1981 uint64_t ret = 0; 1982 1983 if (hcr_el2 & HCR_IMO) { 1984 if (cs->interrupt_request & CPU_INTERRUPT_VIRQ) { 1985 ret |= CPSR_I; 1986 } 1987 } else { 1988 if (cs->interrupt_request & CPU_INTERRUPT_HARD) { 1989 ret |= CPSR_I; 1990 } 1991 } 1992 1993 if (hcr_el2 & HCR_FMO) { 1994 if (cs->interrupt_request & CPU_INTERRUPT_VFIQ) { 1995 ret |= CPSR_F; 1996 } 1997 } else { 1998 if (cs->interrupt_request & CPU_INTERRUPT_FIQ) { 1999 ret |= CPSR_F; 2000 } 2001 } 2002 2003 if (hcr_el2 & HCR_AMO) { 2004 if (cs->interrupt_request & CPU_INTERRUPT_VSERR) { 2005 ret |= CPSR_A; 2006 } 2007 } 2008 2009 return ret; 2010 } 2011 2012 static CPAccessResult access_aa64_tid1(CPUARMState *env, const ARMCPRegInfo *ri, 2013 bool isread) 2014 { 2015 if (arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_TID1)) { 2016 return CP_ACCESS_TRAP_EL2; 2017 } 2018 2019 return CP_ACCESS_OK; 2020 } 2021 2022 static CPAccessResult access_aa32_tid1(CPUARMState *env, const ARMCPRegInfo *ri, 2023 bool isread) 2024 { 2025 if (arm_feature(env, ARM_FEATURE_V8)) { 2026 return access_aa64_tid1(env, ri, isread); 2027 } 2028 2029 return CP_ACCESS_OK; 2030 } 2031 2032 static const ARMCPRegInfo v7_cp_reginfo[] = { 2033 /* the old v6 WFI, UNPREDICTABLE in v7 but we choose to NOP */ 2034 { .name = "NOP", .cp = 15, .crn = 7, .crm = 0, .opc1 = 0, .opc2 = 4, 2035 .access = PL1_W, .type = ARM_CP_NOP }, 2036 /* 2037 * Performance monitors are implementation defined in v7, 2038 * but with an ARM recommended set of registers, which we 2039 * follow. 2040 * 2041 * Performance registers fall into three categories: 2042 * (a) always UNDEF in PL0, RW in PL1 (PMINTENSET, PMINTENCLR) 2043 * (b) RO in PL0 (ie UNDEF on write), RW in PL1 (PMUSERENR) 2044 * (c) UNDEF in PL0 if PMUSERENR.EN==0, otherwise accessible (all others) 2045 * For the cases controlled by PMUSERENR we must set .access to PL0_RW 2046 * or PL0_RO as appropriate and then check PMUSERENR in the helper fn. 2047 */ 2048 { .name = "PMCNTENSET", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 1, 2049 .access = PL0_RW, .type = ARM_CP_ALIAS | ARM_CP_IO, 2050 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcnten), 2051 .writefn = pmcntenset_write, 2052 .accessfn = pmreg_access, 2053 .fgt = FGT_PMCNTEN, 2054 .raw_writefn = raw_write }, 2055 { .name = "PMCNTENSET_EL0", .state = ARM_CP_STATE_AA64, .type = ARM_CP_IO, 2056 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 1, 2057 .access = PL0_RW, .accessfn = pmreg_access, 2058 .fgt = FGT_PMCNTEN, 2059 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcnten), .resetvalue = 0, 2060 .writefn = pmcntenset_write, .raw_writefn = raw_write }, 2061 { .name = "PMCNTENCLR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 2, 2062 .access = PL0_RW, 2063 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcnten), 2064 .accessfn = pmreg_access, 2065 .fgt = FGT_PMCNTEN, 2066 .writefn = pmcntenclr_write, 2067 .type = ARM_CP_ALIAS | ARM_CP_IO }, 2068 { .name = "PMCNTENCLR_EL0", .state = ARM_CP_STATE_AA64, 2069 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 2, 2070 .access = PL0_RW, .accessfn = pmreg_access, 2071 .fgt = FGT_PMCNTEN, 2072 .type = ARM_CP_ALIAS | ARM_CP_IO, 2073 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcnten), 2074 .writefn = pmcntenclr_write }, 2075 { .name = "PMOVSR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 3, 2076 .access = PL0_RW, .type = ARM_CP_IO, 2077 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmovsr), 2078 .accessfn = pmreg_access, 2079 .fgt = FGT_PMOVS, 2080 .writefn = pmovsr_write, 2081 .raw_writefn = raw_write }, 2082 { .name = "PMOVSCLR_EL0", .state = ARM_CP_STATE_AA64, 2083 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 3, 2084 .access = PL0_RW, .accessfn = pmreg_access, 2085 .fgt = FGT_PMOVS, 2086 .type = ARM_CP_ALIAS | ARM_CP_IO, 2087 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmovsr), 2088 .writefn = pmovsr_write, 2089 .raw_writefn = raw_write }, 2090 { .name = "PMSWINC", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 4, 2091 .access = PL0_W, .accessfn = pmreg_access_swinc, 2092 .fgt = FGT_PMSWINC_EL0, 2093 .type = ARM_CP_NO_RAW | ARM_CP_IO, 2094 .writefn = pmswinc_write }, 2095 { .name = "PMSWINC_EL0", .state = ARM_CP_STATE_AA64, 2096 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 4, 2097 .access = PL0_W, .accessfn = pmreg_access_swinc, 2098 .fgt = FGT_PMSWINC_EL0, 2099 .type = ARM_CP_NO_RAW | ARM_CP_IO, 2100 .writefn = pmswinc_write }, 2101 { .name = "PMSELR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 5, 2102 .access = PL0_RW, .type = ARM_CP_ALIAS, 2103 .fgt = FGT_PMSELR_EL0, 2104 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmselr), 2105 .accessfn = pmreg_access_selr, .writefn = pmselr_write, 2106 .raw_writefn = raw_write}, 2107 { .name = "PMSELR_EL0", .state = ARM_CP_STATE_AA64, 2108 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 5, 2109 .access = PL0_RW, .accessfn = pmreg_access_selr, 2110 .fgt = FGT_PMSELR_EL0, 2111 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmselr), 2112 .writefn = pmselr_write, .raw_writefn = raw_write, }, 2113 { .name = "PMCCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 0, 2114 .access = PL0_RW, .resetvalue = 0, .type = ARM_CP_ALIAS | ARM_CP_IO, 2115 .fgt = FGT_PMCCNTR_EL0, 2116 .readfn = pmccntr_read, .writefn = pmccntr_write32, 2117 .accessfn = pmreg_access_ccntr }, 2118 { .name = "PMCCNTR_EL0", .state = ARM_CP_STATE_AA64, 2119 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 13, .opc2 = 0, 2120 .access = PL0_RW, .accessfn = pmreg_access_ccntr, 2121 .fgt = FGT_PMCCNTR_EL0, 2122 .type = ARM_CP_IO, 2123 .fieldoffset = offsetof(CPUARMState, cp15.c15_ccnt), 2124 .readfn = pmccntr_read, .writefn = pmccntr_write, 2125 .raw_readfn = raw_read, .raw_writefn = raw_write, }, 2126 { .name = "PMCCFILTR", .cp = 15, .opc1 = 0, .crn = 14, .crm = 15, .opc2 = 7, 2127 .writefn = pmccfiltr_write_a32, .readfn = pmccfiltr_read_a32, 2128 .access = PL0_RW, .accessfn = pmreg_access, 2129 .fgt = FGT_PMCCFILTR_EL0, 2130 .type = ARM_CP_ALIAS | ARM_CP_IO, 2131 .resetvalue = 0, }, 2132 { .name = "PMCCFILTR_EL0", .state = ARM_CP_STATE_AA64, 2133 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 15, .opc2 = 7, 2134 .writefn = pmccfiltr_write, .raw_writefn = raw_write, 2135 .access = PL0_RW, .accessfn = pmreg_access, 2136 .fgt = FGT_PMCCFILTR_EL0, 2137 .type = ARM_CP_IO, 2138 .fieldoffset = offsetof(CPUARMState, cp15.pmccfiltr_el0), 2139 .resetvalue = 0, }, 2140 { .name = "PMXEVTYPER", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 1, 2141 .access = PL0_RW, .type = ARM_CP_NO_RAW | ARM_CP_IO, 2142 .accessfn = pmreg_access, 2143 .fgt = FGT_PMEVTYPERN_EL0, 2144 .writefn = pmxevtyper_write, .readfn = pmxevtyper_read }, 2145 { .name = "PMXEVTYPER_EL0", .state = ARM_CP_STATE_AA64, 2146 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 13, .opc2 = 1, 2147 .access = PL0_RW, .type = ARM_CP_NO_RAW | ARM_CP_IO, 2148 .accessfn = pmreg_access, 2149 .fgt = FGT_PMEVTYPERN_EL0, 2150 .writefn = pmxevtyper_write, .readfn = pmxevtyper_read }, 2151 { .name = "PMXEVCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 2, 2152 .access = PL0_RW, .type = ARM_CP_NO_RAW | ARM_CP_IO, 2153 .accessfn = pmreg_access_xevcntr, 2154 .fgt = FGT_PMEVCNTRN_EL0, 2155 .writefn = pmxevcntr_write, .readfn = pmxevcntr_read }, 2156 { .name = "PMXEVCNTR_EL0", .state = ARM_CP_STATE_AA64, 2157 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 13, .opc2 = 2, 2158 .access = PL0_RW, .type = ARM_CP_NO_RAW | ARM_CP_IO, 2159 .accessfn = pmreg_access_xevcntr, 2160 .fgt = FGT_PMEVCNTRN_EL0, 2161 .writefn = pmxevcntr_write, .readfn = pmxevcntr_read }, 2162 { .name = "PMUSERENR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 0, 2163 .access = PL0_R | PL1_RW, .accessfn = access_tpm, 2164 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmuserenr), 2165 .resetvalue = 0, 2166 .writefn = pmuserenr_write, .raw_writefn = raw_write }, 2167 { .name = "PMUSERENR_EL0", .state = ARM_CP_STATE_AA64, 2168 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 14, .opc2 = 0, 2169 .access = PL0_R | PL1_RW, .accessfn = access_tpm, .type = ARM_CP_ALIAS, 2170 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmuserenr), 2171 .resetvalue = 0, 2172 .writefn = pmuserenr_write, .raw_writefn = raw_write }, 2173 { .name = "PMINTENSET", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 1, 2174 .access = PL1_RW, .accessfn = access_tpm, 2175 .fgt = FGT_PMINTEN, 2176 .type = ARM_CP_ALIAS | ARM_CP_IO, 2177 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pminten), 2178 .resetvalue = 0, 2179 .writefn = pmintenset_write, .raw_writefn = raw_write }, 2180 { .name = "PMINTENSET_EL1", .state = ARM_CP_STATE_AA64, 2181 .opc0 = 3, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 1, 2182 .access = PL1_RW, .accessfn = access_tpm, 2183 .fgt = FGT_PMINTEN, 2184 .type = ARM_CP_IO, 2185 .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten), 2186 .writefn = pmintenset_write, .raw_writefn = raw_write, 2187 .resetvalue = 0x0 }, 2188 { .name = "PMINTENCLR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 2, 2189 .access = PL1_RW, .accessfn = access_tpm, 2190 .fgt = FGT_PMINTEN, 2191 .type = ARM_CP_ALIAS | ARM_CP_IO | ARM_CP_NO_RAW, 2192 .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten), 2193 .writefn = pmintenclr_write, }, 2194 { .name = "PMINTENCLR_EL1", .state = ARM_CP_STATE_AA64, 2195 .opc0 = 3, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 2, 2196 .access = PL1_RW, .accessfn = access_tpm, 2197 .fgt = FGT_PMINTEN, 2198 .type = ARM_CP_ALIAS | ARM_CP_IO | ARM_CP_NO_RAW, 2199 .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten), 2200 .writefn = pmintenclr_write }, 2201 { .name = "CCSIDR", .state = ARM_CP_STATE_BOTH, 2202 .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = 0, 2203 .access = PL1_R, 2204 .accessfn = access_tid4, 2205 .fgt = FGT_CCSIDR_EL1, 2206 .readfn = ccsidr_read, .type = ARM_CP_NO_RAW }, 2207 { .name = "CSSELR", .state = ARM_CP_STATE_BOTH, 2208 .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 2, .opc2 = 0, 2209 .access = PL1_RW, 2210 .accessfn = access_tid4, 2211 .fgt = FGT_CSSELR_EL1, 2212 .writefn = csselr_write, .resetvalue = 0, 2213 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.csselr_s), 2214 offsetof(CPUARMState, cp15.csselr_ns) } }, 2215 /* 2216 * Auxiliary ID register: this actually has an IMPDEF value but for now 2217 * just RAZ for all cores: 2218 */ 2219 { .name = "AIDR", .state = ARM_CP_STATE_BOTH, 2220 .opc0 = 3, .opc1 = 1, .crn = 0, .crm = 0, .opc2 = 7, 2221 .access = PL1_R, .type = ARM_CP_CONST, 2222 .accessfn = access_aa64_tid1, 2223 .fgt = FGT_AIDR_EL1, 2224 .resetvalue = 0 }, 2225 /* 2226 * Auxiliary fault status registers: these also are IMPDEF, and we 2227 * choose to RAZ/WI for all cores. 2228 */ 2229 { .name = "AFSR0_EL1", .state = ARM_CP_STATE_BOTH, 2230 .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 1, .opc2 = 0, 2231 .access = PL1_RW, .accessfn = access_tvm_trvm, 2232 .fgt = FGT_AFSR0_EL1, 2233 .type = ARM_CP_CONST, .resetvalue = 0 }, 2234 { .name = "AFSR1_EL1", .state = ARM_CP_STATE_BOTH, 2235 .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 1, .opc2 = 1, 2236 .access = PL1_RW, .accessfn = access_tvm_trvm, 2237 .fgt = FGT_AFSR1_EL1, 2238 .type = ARM_CP_CONST, .resetvalue = 0 }, 2239 /* 2240 * MAIR can just read-as-written because we don't implement caches 2241 * and so don't need to care about memory attributes. 2242 */ 2243 { .name = "MAIR_EL1", .state = ARM_CP_STATE_AA64, 2244 .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 0, 2245 .access = PL1_RW, .accessfn = access_tvm_trvm, 2246 .fgt = FGT_MAIR_EL1, 2247 .fieldoffset = offsetof(CPUARMState, cp15.mair_el[1]), 2248 .resetvalue = 0 }, 2249 { .name = "MAIR_EL3", .state = ARM_CP_STATE_AA64, 2250 .opc0 = 3, .opc1 = 6, .crn = 10, .crm = 2, .opc2 = 0, 2251 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.mair_el[3]), 2252 .resetvalue = 0 }, 2253 /* 2254 * For non-long-descriptor page tables these are PRRR and NMRR; 2255 * regardless they still act as reads-as-written for QEMU. 2256 */ 2257 /* 2258 * MAIR0/1 are defined separately from their 64-bit counterpart which 2259 * allows them to assign the correct fieldoffset based on the endianness 2260 * handled in the field definitions. 2261 */ 2262 { .name = "MAIR0", .state = ARM_CP_STATE_AA32, 2263 .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 0, 2264 .access = PL1_RW, .accessfn = access_tvm_trvm, 2265 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.mair0_s), 2266 offsetof(CPUARMState, cp15.mair0_ns) }, 2267 .resetfn = arm_cp_reset_ignore }, 2268 { .name = "MAIR1", .state = ARM_CP_STATE_AA32, 2269 .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 1, 2270 .access = PL1_RW, .accessfn = access_tvm_trvm, 2271 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.mair1_s), 2272 offsetof(CPUARMState, cp15.mair1_ns) }, 2273 .resetfn = arm_cp_reset_ignore }, 2274 { .name = "ISR_EL1", .state = ARM_CP_STATE_BOTH, 2275 .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 0, 2276 .fgt = FGT_ISR_EL1, 2277 .type = ARM_CP_NO_RAW, .access = PL1_R, .readfn = isr_read }, 2278 /* 32 bit ITLB invalidates */ 2279 { .name = "ITLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 0, 2280 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, 2281 .writefn = tlbiall_write }, 2282 { .name = "ITLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 1, 2283 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, 2284 .writefn = tlbimva_write }, 2285 { .name = "ITLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 2, 2286 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, 2287 .writefn = tlbiasid_write }, 2288 /* 32 bit DTLB invalidates */ 2289 { .name = "DTLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 0, 2290 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, 2291 .writefn = tlbiall_write }, 2292 { .name = "DTLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 1, 2293 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, 2294 .writefn = tlbimva_write }, 2295 { .name = "DTLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 2, 2296 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, 2297 .writefn = tlbiasid_write }, 2298 /* 32 bit TLB invalidates */ 2299 { .name = "TLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 0, 2300 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, 2301 .writefn = tlbiall_write }, 2302 { .name = "TLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 1, 2303 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, 2304 .writefn = tlbimva_write }, 2305 { .name = "TLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 2, 2306 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, 2307 .writefn = tlbiasid_write }, 2308 { .name = "TLBIMVAA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 3, 2309 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, 2310 .writefn = tlbimvaa_write }, 2311 }; 2312 2313 static const ARMCPRegInfo v7mp_cp_reginfo[] = { 2314 /* 32 bit TLB invalidates, Inner Shareable */ 2315 { .name = "TLBIALLIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 0, 2316 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlbis, 2317 .writefn = tlbiall_is_write }, 2318 { .name = "TLBIMVAIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 1, 2319 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlbis, 2320 .writefn = tlbimva_is_write }, 2321 { .name = "TLBIASIDIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 2, 2322 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlbis, 2323 .writefn = tlbiasid_is_write }, 2324 { .name = "TLBIMVAAIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 3, 2325 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlbis, 2326 .writefn = tlbimvaa_is_write }, 2327 }; 2328 2329 static const ARMCPRegInfo pmovsset_cp_reginfo[] = { 2330 /* PMOVSSET is not implemented in v7 before v7ve */ 2331 { .name = "PMOVSSET", .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 3, 2332 .access = PL0_RW, .accessfn = pmreg_access, 2333 .fgt = FGT_PMOVS, 2334 .type = ARM_CP_ALIAS | ARM_CP_IO, 2335 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmovsr), 2336 .writefn = pmovsset_write, 2337 .raw_writefn = raw_write }, 2338 { .name = "PMOVSSET_EL0", .state = ARM_CP_STATE_AA64, 2339 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 14, .opc2 = 3, 2340 .access = PL0_RW, .accessfn = pmreg_access, 2341 .fgt = FGT_PMOVS, 2342 .type = ARM_CP_ALIAS | ARM_CP_IO, 2343 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmovsr), 2344 .writefn = pmovsset_write, 2345 .raw_writefn = raw_write }, 2346 }; 2347 2348 static void teecr_write(CPUARMState *env, const ARMCPRegInfo *ri, 2349 uint64_t value) 2350 { 2351 value &= 1; 2352 env->teecr = value; 2353 } 2354 2355 static CPAccessResult teecr_access(CPUARMState *env, const ARMCPRegInfo *ri, 2356 bool isread) 2357 { 2358 /* 2359 * HSTR.TTEE only exists in v7A, not v8A, but v8A doesn't have T2EE 2360 * at all, so we don't need to check whether we're v8A. 2361 */ 2362 if (arm_current_el(env) < 2 && !arm_is_secure_below_el3(env) && 2363 (env->cp15.hstr_el2 & HSTR_TTEE)) { 2364 return CP_ACCESS_TRAP_EL2; 2365 } 2366 return CP_ACCESS_OK; 2367 } 2368 2369 static CPAccessResult teehbr_access(CPUARMState *env, const ARMCPRegInfo *ri, 2370 bool isread) 2371 { 2372 if (arm_current_el(env) == 0 && (env->teecr & 1)) { 2373 return CP_ACCESS_TRAP; 2374 } 2375 return teecr_access(env, ri, isread); 2376 } 2377 2378 static const ARMCPRegInfo t2ee_cp_reginfo[] = { 2379 { .name = "TEECR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 6, .opc2 = 0, 2380 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, teecr), 2381 .resetvalue = 0, 2382 .writefn = teecr_write, .accessfn = teecr_access }, 2383 { .name = "TEEHBR", .cp = 14, .crn = 1, .crm = 0, .opc1 = 6, .opc2 = 0, 2384 .access = PL0_RW, .fieldoffset = offsetof(CPUARMState, teehbr), 2385 .accessfn = teehbr_access, .resetvalue = 0 }, 2386 }; 2387 2388 static const ARMCPRegInfo v6k_cp_reginfo[] = { 2389 { .name = "TPIDR_EL0", .state = ARM_CP_STATE_AA64, 2390 .opc0 = 3, .opc1 = 3, .opc2 = 2, .crn = 13, .crm = 0, 2391 .access = PL0_RW, 2392 .fgt = FGT_TPIDR_EL0, 2393 .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[0]), .resetvalue = 0 }, 2394 { .name = "TPIDRURW", .cp = 15, .crn = 13, .crm = 0, .opc1 = 0, .opc2 = 2, 2395 .access = PL0_RW, 2396 .fgt = FGT_TPIDR_EL0, 2397 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidrurw_s), 2398 offsetoflow32(CPUARMState, cp15.tpidrurw_ns) }, 2399 .resetfn = arm_cp_reset_ignore }, 2400 { .name = "TPIDRRO_EL0", .state = ARM_CP_STATE_AA64, 2401 .opc0 = 3, .opc1 = 3, .opc2 = 3, .crn = 13, .crm = 0, 2402 .access = PL0_R | PL1_W, 2403 .fgt = FGT_TPIDRRO_EL0, 2404 .fieldoffset = offsetof(CPUARMState, cp15.tpidrro_el[0]), 2405 .resetvalue = 0}, 2406 { .name = "TPIDRURO", .cp = 15, .crn = 13, .crm = 0, .opc1 = 0, .opc2 = 3, 2407 .access = PL0_R | PL1_W, 2408 .fgt = FGT_TPIDRRO_EL0, 2409 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidruro_s), 2410 offsetoflow32(CPUARMState, cp15.tpidruro_ns) }, 2411 .resetfn = arm_cp_reset_ignore }, 2412 { .name = "TPIDR_EL1", .state = ARM_CP_STATE_AA64, 2413 .opc0 = 3, .opc1 = 0, .opc2 = 4, .crn = 13, .crm = 0, 2414 .access = PL1_RW, 2415 .fgt = FGT_TPIDR_EL1, 2416 .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[1]), .resetvalue = 0 }, 2417 { .name = "TPIDRPRW", .opc1 = 0, .cp = 15, .crn = 13, .crm = 0, .opc2 = 4, 2418 .access = PL1_RW, 2419 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidrprw_s), 2420 offsetoflow32(CPUARMState, cp15.tpidrprw_ns) }, 2421 .resetvalue = 0 }, 2422 }; 2423 2424 #ifndef CONFIG_USER_ONLY 2425 2426 static CPAccessResult gt_cntfrq_access(CPUARMState *env, const ARMCPRegInfo *ri, 2427 bool isread) 2428 { 2429 /* 2430 * CNTFRQ: not visible from PL0 if both PL0PCTEN and PL0VCTEN are zero. 2431 * Writable only at the highest implemented exception level. 2432 */ 2433 int el = arm_current_el(env); 2434 uint64_t hcr; 2435 uint32_t cntkctl; 2436 2437 switch (el) { 2438 case 0: 2439 hcr = arm_hcr_el2_eff(env); 2440 if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) { 2441 cntkctl = env->cp15.cnthctl_el2; 2442 } else { 2443 cntkctl = env->cp15.c14_cntkctl; 2444 } 2445 if (!extract32(cntkctl, 0, 2)) { 2446 return CP_ACCESS_TRAP; 2447 } 2448 break; 2449 case 1: 2450 if (!isread && ri->state == ARM_CP_STATE_AA32 && 2451 arm_is_secure_below_el3(env)) { 2452 /* Accesses from 32-bit Secure EL1 UNDEF (*not* trap to EL3!) */ 2453 return CP_ACCESS_TRAP_UNCATEGORIZED; 2454 } 2455 break; 2456 case 2: 2457 case 3: 2458 break; 2459 } 2460 2461 if (!isread && el < arm_highest_el(env)) { 2462 return CP_ACCESS_TRAP_UNCATEGORIZED; 2463 } 2464 2465 return CP_ACCESS_OK; 2466 } 2467 2468 static CPAccessResult gt_counter_access(CPUARMState *env, int timeridx, 2469 bool isread) 2470 { 2471 unsigned int cur_el = arm_current_el(env); 2472 bool has_el2 = arm_is_el2_enabled(env); 2473 uint64_t hcr = arm_hcr_el2_eff(env); 2474 2475 switch (cur_el) { 2476 case 0: 2477 /* If HCR_EL2.<E2H,TGE> == '11': check CNTHCTL_EL2.EL0[PV]CTEN. */ 2478 if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) { 2479 return (extract32(env->cp15.cnthctl_el2, timeridx, 1) 2480 ? CP_ACCESS_OK : CP_ACCESS_TRAP_EL2); 2481 } 2482 2483 /* CNT[PV]CT: not visible from PL0 if EL0[PV]CTEN is zero */ 2484 if (!extract32(env->cp15.c14_cntkctl, timeridx, 1)) { 2485 return CP_ACCESS_TRAP; 2486 } 2487 /* fall through */ 2488 case 1: 2489 /* Check CNTHCTL_EL2.EL1PCTEN, which changes location based on E2H. */ 2490 if (has_el2 && timeridx == GTIMER_PHYS && 2491 (hcr & HCR_E2H 2492 ? !extract32(env->cp15.cnthctl_el2, 10, 1) 2493 : !extract32(env->cp15.cnthctl_el2, 0, 1))) { 2494 return CP_ACCESS_TRAP_EL2; 2495 } 2496 break; 2497 } 2498 return CP_ACCESS_OK; 2499 } 2500 2501 static CPAccessResult gt_timer_access(CPUARMState *env, int timeridx, 2502 bool isread) 2503 { 2504 unsigned int cur_el = arm_current_el(env); 2505 bool has_el2 = arm_is_el2_enabled(env); 2506 uint64_t hcr = arm_hcr_el2_eff(env); 2507 2508 switch (cur_el) { 2509 case 0: 2510 if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) { 2511 /* If HCR_EL2.<E2H,TGE> == '11': check CNTHCTL_EL2.EL0[PV]TEN. */ 2512 return (extract32(env->cp15.cnthctl_el2, 9 - timeridx, 1) 2513 ? CP_ACCESS_OK : CP_ACCESS_TRAP_EL2); 2514 } 2515 2516 /* 2517 * CNT[PV]_CVAL, CNT[PV]_CTL, CNT[PV]_TVAL: not visible from 2518 * EL0 if EL0[PV]TEN is zero. 2519 */ 2520 if (!extract32(env->cp15.c14_cntkctl, 9 - timeridx, 1)) { 2521 return CP_ACCESS_TRAP; 2522 } 2523 /* fall through */ 2524 2525 case 1: 2526 if (has_el2 && timeridx == GTIMER_PHYS) { 2527 if (hcr & HCR_E2H) { 2528 /* If HCR_EL2.<E2H,TGE> == '10': check CNTHCTL_EL2.EL1PTEN. */ 2529 if (!extract32(env->cp15.cnthctl_el2, 11, 1)) { 2530 return CP_ACCESS_TRAP_EL2; 2531 } 2532 } else { 2533 /* If HCR_EL2.<E2H> == 0: check CNTHCTL_EL2.EL1PCEN. */ 2534 if (!extract32(env->cp15.cnthctl_el2, 1, 1)) { 2535 return CP_ACCESS_TRAP_EL2; 2536 } 2537 } 2538 } 2539 break; 2540 } 2541 return CP_ACCESS_OK; 2542 } 2543 2544 static CPAccessResult gt_pct_access(CPUARMState *env, 2545 const ARMCPRegInfo *ri, 2546 bool isread) 2547 { 2548 return gt_counter_access(env, GTIMER_PHYS, isread); 2549 } 2550 2551 static CPAccessResult gt_vct_access(CPUARMState *env, 2552 const ARMCPRegInfo *ri, 2553 bool isread) 2554 { 2555 return gt_counter_access(env, GTIMER_VIRT, isread); 2556 } 2557 2558 static CPAccessResult gt_ptimer_access(CPUARMState *env, const ARMCPRegInfo *ri, 2559 bool isread) 2560 { 2561 return gt_timer_access(env, GTIMER_PHYS, isread); 2562 } 2563 2564 static CPAccessResult gt_vtimer_access(CPUARMState *env, const ARMCPRegInfo *ri, 2565 bool isread) 2566 { 2567 return gt_timer_access(env, GTIMER_VIRT, isread); 2568 } 2569 2570 static CPAccessResult gt_stimer_access(CPUARMState *env, 2571 const ARMCPRegInfo *ri, 2572 bool isread) 2573 { 2574 /* 2575 * The AArch64 register view of the secure physical timer is 2576 * always accessible from EL3, and configurably accessible from 2577 * Secure EL1. 2578 */ 2579 switch (arm_current_el(env)) { 2580 case 1: 2581 if (!arm_is_secure(env)) { 2582 return CP_ACCESS_TRAP; 2583 } 2584 if (!(env->cp15.scr_el3 & SCR_ST)) { 2585 return CP_ACCESS_TRAP_EL3; 2586 } 2587 return CP_ACCESS_OK; 2588 case 0: 2589 case 2: 2590 return CP_ACCESS_TRAP; 2591 case 3: 2592 return CP_ACCESS_OK; 2593 default: 2594 g_assert_not_reached(); 2595 } 2596 } 2597 2598 static uint64_t gt_get_countervalue(CPUARMState *env) 2599 { 2600 ARMCPU *cpu = env_archcpu(env); 2601 2602 return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / gt_cntfrq_period_ns(cpu); 2603 } 2604 2605 static void gt_update_irq(ARMCPU *cpu, int timeridx) 2606 { 2607 CPUARMState *env = &cpu->env; 2608 uint64_t cnthctl = env->cp15.cnthctl_el2; 2609 ARMSecuritySpace ss = arm_security_space(env); 2610 /* ISTATUS && !IMASK */ 2611 int irqstate = (env->cp15.c14_timer[timeridx].ctl & 6) == 4; 2612 2613 /* 2614 * If bit CNTHCTL_EL2.CNT[VP]MASK is set, it overrides IMASK. 2615 * It is RES0 in Secure and NonSecure state. 2616 */ 2617 if ((ss == ARMSS_Root || ss == ARMSS_Realm) && 2618 ((timeridx == GTIMER_VIRT && (cnthctl & CNTHCTL_CNTVMASK)) || 2619 (timeridx == GTIMER_PHYS && (cnthctl & CNTHCTL_CNTPMASK)))) { 2620 irqstate = 0; 2621 } 2622 2623 qemu_set_irq(cpu->gt_timer_outputs[timeridx], irqstate); 2624 trace_arm_gt_update_irq(timeridx, irqstate); 2625 } 2626 2627 void gt_rme_post_el_change(ARMCPU *cpu, void *ignored) 2628 { 2629 /* 2630 * Changing security state between Root and Secure/NonSecure, which may 2631 * happen when switching EL, can change the effective value of CNTHCTL_EL2 2632 * mask bits. Update the IRQ state accordingly. 2633 */ 2634 gt_update_irq(cpu, GTIMER_VIRT); 2635 gt_update_irq(cpu, GTIMER_PHYS); 2636 } 2637 2638 static void gt_recalc_timer(ARMCPU *cpu, int timeridx) 2639 { 2640 ARMGenericTimer *gt = &cpu->env.cp15.c14_timer[timeridx]; 2641 2642 if (gt->ctl & 1) { 2643 /* 2644 * Timer enabled: calculate and set current ISTATUS, irq, and 2645 * reset timer to when ISTATUS next has to change 2646 */ 2647 uint64_t offset = timeridx == GTIMER_VIRT ? 2648 cpu->env.cp15.cntvoff_el2 : 0; 2649 uint64_t count = gt_get_countervalue(&cpu->env); 2650 /* Note that this must be unsigned 64 bit arithmetic: */ 2651 int istatus = count - offset >= gt->cval; 2652 uint64_t nexttick; 2653 2654 gt->ctl = deposit32(gt->ctl, 2, 1, istatus); 2655 2656 if (istatus) { 2657 /* 2658 * Next transition is when (count - offset) rolls back over to 0. 2659 * If offset > count then this is when count == offset; 2660 * if offset <= count then this is when count == offset + 2^64 2661 * For the latter case we set nexttick to an "as far in future 2662 * as possible" value and let the code below handle it. 2663 */ 2664 if (offset > count) { 2665 nexttick = offset; 2666 } else { 2667 nexttick = UINT64_MAX; 2668 } 2669 } else { 2670 /* 2671 * Next transition is when (count - offset) == cval, i.e. 2672 * when count == (cval + offset). 2673 * If that would overflow, then again we set up the next interrupt 2674 * for "as far in the future as possible" for the code below. 2675 */ 2676 if (uadd64_overflow(gt->cval, offset, &nexttick)) { 2677 nexttick = UINT64_MAX; 2678 } 2679 } 2680 /* 2681 * Note that the desired next expiry time might be beyond the 2682 * signed-64-bit range of a QEMUTimer -- in this case we just 2683 * set the timer for as far in the future as possible. When the 2684 * timer expires we will reset the timer for any remaining period. 2685 */ 2686 if (nexttick > INT64_MAX / gt_cntfrq_period_ns(cpu)) { 2687 timer_mod_ns(cpu->gt_timer[timeridx], INT64_MAX); 2688 } else { 2689 timer_mod(cpu->gt_timer[timeridx], nexttick); 2690 } 2691 trace_arm_gt_recalc(timeridx, nexttick); 2692 } else { 2693 /* Timer disabled: ISTATUS and timer output always clear */ 2694 gt->ctl &= ~4; 2695 timer_del(cpu->gt_timer[timeridx]); 2696 trace_arm_gt_recalc_disabled(timeridx); 2697 } 2698 gt_update_irq(cpu, timeridx); 2699 } 2700 2701 static void gt_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri, 2702 int timeridx) 2703 { 2704 ARMCPU *cpu = env_archcpu(env); 2705 2706 timer_del(cpu->gt_timer[timeridx]); 2707 } 2708 2709 static uint64_t gt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri) 2710 { 2711 return gt_get_countervalue(env); 2712 } 2713 2714 static uint64_t gt_virt_cnt_offset(CPUARMState *env) 2715 { 2716 uint64_t hcr; 2717 2718 switch (arm_current_el(env)) { 2719 case 2: 2720 hcr = arm_hcr_el2_eff(env); 2721 if (hcr & HCR_E2H) { 2722 return 0; 2723 } 2724 break; 2725 case 0: 2726 hcr = arm_hcr_el2_eff(env); 2727 if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) { 2728 return 0; 2729 } 2730 break; 2731 } 2732 2733 return env->cp15.cntvoff_el2; 2734 } 2735 2736 static uint64_t gt_virt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri) 2737 { 2738 return gt_get_countervalue(env) - gt_virt_cnt_offset(env); 2739 } 2740 2741 static void gt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri, 2742 int timeridx, 2743 uint64_t value) 2744 { 2745 trace_arm_gt_cval_write(timeridx, value); 2746 env->cp15.c14_timer[timeridx].cval = value; 2747 gt_recalc_timer(env_archcpu(env), timeridx); 2748 } 2749 2750 static uint64_t gt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri, 2751 int timeridx) 2752 { 2753 uint64_t offset = 0; 2754 2755 switch (timeridx) { 2756 case GTIMER_VIRT: 2757 case GTIMER_HYPVIRT: 2758 offset = gt_virt_cnt_offset(env); 2759 break; 2760 } 2761 2762 return (uint32_t)(env->cp15.c14_timer[timeridx].cval - 2763 (gt_get_countervalue(env) - offset)); 2764 } 2765 2766 static void gt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri, 2767 int timeridx, 2768 uint64_t value) 2769 { 2770 uint64_t offset = 0; 2771 2772 switch (timeridx) { 2773 case GTIMER_VIRT: 2774 case GTIMER_HYPVIRT: 2775 offset = gt_virt_cnt_offset(env); 2776 break; 2777 } 2778 2779 trace_arm_gt_tval_write(timeridx, value); 2780 env->cp15.c14_timer[timeridx].cval = gt_get_countervalue(env) - offset + 2781 sextract64(value, 0, 32); 2782 gt_recalc_timer(env_archcpu(env), timeridx); 2783 } 2784 2785 static void gt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri, 2786 int timeridx, 2787 uint64_t value) 2788 { 2789 ARMCPU *cpu = env_archcpu(env); 2790 uint32_t oldval = env->cp15.c14_timer[timeridx].ctl; 2791 2792 trace_arm_gt_ctl_write(timeridx, value); 2793 env->cp15.c14_timer[timeridx].ctl = deposit64(oldval, 0, 2, value); 2794 if ((oldval ^ value) & 1) { 2795 /* Enable toggled */ 2796 gt_recalc_timer(cpu, timeridx); 2797 } else if ((oldval ^ value) & 2) { 2798 /* 2799 * IMASK toggled: don't need to recalculate, 2800 * just set the interrupt line based on ISTATUS 2801 */ 2802 trace_arm_gt_imask_toggle(timeridx); 2803 gt_update_irq(cpu, timeridx); 2804 } 2805 } 2806 2807 static void gt_phys_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri) 2808 { 2809 gt_timer_reset(env, ri, GTIMER_PHYS); 2810 } 2811 2812 static void gt_phys_cval_write(CPUARMState *env, const ARMCPRegInfo *ri, 2813 uint64_t value) 2814 { 2815 gt_cval_write(env, ri, GTIMER_PHYS, value); 2816 } 2817 2818 static uint64_t gt_phys_tval_read(CPUARMState *env, const ARMCPRegInfo *ri) 2819 { 2820 return gt_tval_read(env, ri, GTIMER_PHYS); 2821 } 2822 2823 static void gt_phys_tval_write(CPUARMState *env, const ARMCPRegInfo *ri, 2824 uint64_t value) 2825 { 2826 gt_tval_write(env, ri, GTIMER_PHYS, value); 2827 } 2828 2829 static void gt_phys_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri, 2830 uint64_t value) 2831 { 2832 gt_ctl_write(env, ri, GTIMER_PHYS, value); 2833 } 2834 2835 static int gt_phys_redir_timeridx(CPUARMState *env) 2836 { 2837 switch (arm_mmu_idx(env)) { 2838 case ARMMMUIdx_E20_0: 2839 case ARMMMUIdx_E20_2: 2840 case ARMMMUIdx_E20_2_PAN: 2841 return GTIMER_HYP; 2842 default: 2843 return GTIMER_PHYS; 2844 } 2845 } 2846 2847 static int gt_virt_redir_timeridx(CPUARMState *env) 2848 { 2849 switch (arm_mmu_idx(env)) { 2850 case ARMMMUIdx_E20_0: 2851 case ARMMMUIdx_E20_2: 2852 case ARMMMUIdx_E20_2_PAN: 2853 return GTIMER_HYPVIRT; 2854 default: 2855 return GTIMER_VIRT; 2856 } 2857 } 2858 2859 static uint64_t gt_phys_redir_cval_read(CPUARMState *env, 2860 const ARMCPRegInfo *ri) 2861 { 2862 int timeridx = gt_phys_redir_timeridx(env); 2863 return env->cp15.c14_timer[timeridx].cval; 2864 } 2865 2866 static void gt_phys_redir_cval_write(CPUARMState *env, const ARMCPRegInfo *ri, 2867 uint64_t value) 2868 { 2869 int timeridx = gt_phys_redir_timeridx(env); 2870 gt_cval_write(env, ri, timeridx, value); 2871 } 2872 2873 static uint64_t gt_phys_redir_tval_read(CPUARMState *env, 2874 const ARMCPRegInfo *ri) 2875 { 2876 int timeridx = gt_phys_redir_timeridx(env); 2877 return gt_tval_read(env, ri, timeridx); 2878 } 2879 2880 static void gt_phys_redir_tval_write(CPUARMState *env, const ARMCPRegInfo *ri, 2881 uint64_t value) 2882 { 2883 int timeridx = gt_phys_redir_timeridx(env); 2884 gt_tval_write(env, ri, timeridx, value); 2885 } 2886 2887 static uint64_t gt_phys_redir_ctl_read(CPUARMState *env, 2888 const ARMCPRegInfo *ri) 2889 { 2890 int timeridx = gt_phys_redir_timeridx(env); 2891 return env->cp15.c14_timer[timeridx].ctl; 2892 } 2893 2894 static void gt_phys_redir_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri, 2895 uint64_t value) 2896 { 2897 int timeridx = gt_phys_redir_timeridx(env); 2898 gt_ctl_write(env, ri, timeridx, value); 2899 } 2900 2901 static void gt_virt_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri) 2902 { 2903 gt_timer_reset(env, ri, GTIMER_VIRT); 2904 } 2905 2906 static void gt_virt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri, 2907 uint64_t value) 2908 { 2909 gt_cval_write(env, ri, GTIMER_VIRT, value); 2910 } 2911 2912 static uint64_t gt_virt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri) 2913 { 2914 return gt_tval_read(env, ri, GTIMER_VIRT); 2915 } 2916 2917 static void gt_virt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri, 2918 uint64_t value) 2919 { 2920 gt_tval_write(env, ri, GTIMER_VIRT, value); 2921 } 2922 2923 static void gt_virt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri, 2924 uint64_t value) 2925 { 2926 gt_ctl_write(env, ri, GTIMER_VIRT, value); 2927 } 2928 2929 static void gt_cnthctl_write(CPUARMState *env, const ARMCPRegInfo *ri, 2930 uint64_t value) 2931 { 2932 ARMCPU *cpu = env_archcpu(env); 2933 uint32_t oldval = env->cp15.cnthctl_el2; 2934 2935 raw_write(env, ri, value); 2936 2937 if ((oldval ^ value) & CNTHCTL_CNTVMASK) { 2938 gt_update_irq(cpu, GTIMER_VIRT); 2939 } else if ((oldval ^ value) & CNTHCTL_CNTPMASK) { 2940 gt_update_irq(cpu, GTIMER_PHYS); 2941 } 2942 } 2943 2944 static void gt_cntvoff_write(CPUARMState *env, const ARMCPRegInfo *ri, 2945 uint64_t value) 2946 { 2947 ARMCPU *cpu = env_archcpu(env); 2948 2949 trace_arm_gt_cntvoff_write(value); 2950 raw_write(env, ri, value); 2951 gt_recalc_timer(cpu, GTIMER_VIRT); 2952 } 2953 2954 static uint64_t gt_virt_redir_cval_read(CPUARMState *env, 2955 const ARMCPRegInfo *ri) 2956 { 2957 int timeridx = gt_virt_redir_timeridx(env); 2958 return env->cp15.c14_timer[timeridx].cval; 2959 } 2960 2961 static void gt_virt_redir_cval_write(CPUARMState *env, const ARMCPRegInfo *ri, 2962 uint64_t value) 2963 { 2964 int timeridx = gt_virt_redir_timeridx(env); 2965 gt_cval_write(env, ri, timeridx, value); 2966 } 2967 2968 static uint64_t gt_virt_redir_tval_read(CPUARMState *env, 2969 const ARMCPRegInfo *ri) 2970 { 2971 int timeridx = gt_virt_redir_timeridx(env); 2972 return gt_tval_read(env, ri, timeridx); 2973 } 2974 2975 static void gt_virt_redir_tval_write(CPUARMState *env, const ARMCPRegInfo *ri, 2976 uint64_t value) 2977 { 2978 int timeridx = gt_virt_redir_timeridx(env); 2979 gt_tval_write(env, ri, timeridx, value); 2980 } 2981 2982 static uint64_t gt_virt_redir_ctl_read(CPUARMState *env, 2983 const ARMCPRegInfo *ri) 2984 { 2985 int timeridx = gt_virt_redir_timeridx(env); 2986 return env->cp15.c14_timer[timeridx].ctl; 2987 } 2988 2989 static void gt_virt_redir_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri, 2990 uint64_t value) 2991 { 2992 int timeridx = gt_virt_redir_timeridx(env); 2993 gt_ctl_write(env, ri, timeridx, value); 2994 } 2995 2996 static void gt_hyp_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri) 2997 { 2998 gt_timer_reset(env, ri, GTIMER_HYP); 2999 } 3000 3001 static void gt_hyp_cval_write(CPUARMState *env, const ARMCPRegInfo *ri, 3002 uint64_t value) 3003 { 3004 gt_cval_write(env, ri, GTIMER_HYP, value); 3005 } 3006 3007 static uint64_t gt_hyp_tval_read(CPUARMState *env, const ARMCPRegInfo *ri) 3008 { 3009 return gt_tval_read(env, ri, GTIMER_HYP); 3010 } 3011 3012 static void gt_hyp_tval_write(CPUARMState *env, const ARMCPRegInfo *ri, 3013 uint64_t value) 3014 { 3015 gt_tval_write(env, ri, GTIMER_HYP, value); 3016 } 3017 3018 static void gt_hyp_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri, 3019 uint64_t value) 3020 { 3021 gt_ctl_write(env, ri, GTIMER_HYP, value); 3022 } 3023 3024 static void gt_sec_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri) 3025 { 3026 gt_timer_reset(env, ri, GTIMER_SEC); 3027 } 3028 3029 static void gt_sec_cval_write(CPUARMState *env, const ARMCPRegInfo *ri, 3030 uint64_t value) 3031 { 3032 gt_cval_write(env, ri, GTIMER_SEC, value); 3033 } 3034 3035 static uint64_t gt_sec_tval_read(CPUARMState *env, const ARMCPRegInfo *ri) 3036 { 3037 return gt_tval_read(env, ri, GTIMER_SEC); 3038 } 3039 3040 static void gt_sec_tval_write(CPUARMState *env, const ARMCPRegInfo *ri, 3041 uint64_t value) 3042 { 3043 gt_tval_write(env, ri, GTIMER_SEC, value); 3044 } 3045 3046 static void gt_sec_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri, 3047 uint64_t value) 3048 { 3049 gt_ctl_write(env, ri, GTIMER_SEC, value); 3050 } 3051 3052 static void gt_hv_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri) 3053 { 3054 gt_timer_reset(env, ri, GTIMER_HYPVIRT); 3055 } 3056 3057 static void gt_hv_cval_write(CPUARMState *env, const ARMCPRegInfo *ri, 3058 uint64_t value) 3059 { 3060 gt_cval_write(env, ri, GTIMER_HYPVIRT, value); 3061 } 3062 3063 static uint64_t gt_hv_tval_read(CPUARMState *env, const ARMCPRegInfo *ri) 3064 { 3065 return gt_tval_read(env, ri, GTIMER_HYPVIRT); 3066 } 3067 3068 static void gt_hv_tval_write(CPUARMState *env, const ARMCPRegInfo *ri, 3069 uint64_t value) 3070 { 3071 gt_tval_write(env, ri, GTIMER_HYPVIRT, value); 3072 } 3073 3074 static void gt_hv_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri, 3075 uint64_t value) 3076 { 3077 gt_ctl_write(env, ri, GTIMER_HYPVIRT, value); 3078 } 3079 3080 void arm_gt_ptimer_cb(void *opaque) 3081 { 3082 ARMCPU *cpu = opaque; 3083 3084 gt_recalc_timer(cpu, GTIMER_PHYS); 3085 } 3086 3087 void arm_gt_vtimer_cb(void *opaque) 3088 { 3089 ARMCPU *cpu = opaque; 3090 3091 gt_recalc_timer(cpu, GTIMER_VIRT); 3092 } 3093 3094 void arm_gt_htimer_cb(void *opaque) 3095 { 3096 ARMCPU *cpu = opaque; 3097 3098 gt_recalc_timer(cpu, GTIMER_HYP); 3099 } 3100 3101 void arm_gt_stimer_cb(void *opaque) 3102 { 3103 ARMCPU *cpu = opaque; 3104 3105 gt_recalc_timer(cpu, GTIMER_SEC); 3106 } 3107 3108 void arm_gt_hvtimer_cb(void *opaque) 3109 { 3110 ARMCPU *cpu = opaque; 3111 3112 gt_recalc_timer(cpu, GTIMER_HYPVIRT); 3113 } 3114 3115 static void arm_gt_cntfrq_reset(CPUARMState *env, const ARMCPRegInfo *opaque) 3116 { 3117 ARMCPU *cpu = env_archcpu(env); 3118 3119 cpu->env.cp15.c14_cntfrq = cpu->gt_cntfrq_hz; 3120 } 3121 3122 static const ARMCPRegInfo generic_timer_cp_reginfo[] = { 3123 /* 3124 * Note that CNTFRQ is purely reads-as-written for the benefit 3125 * of software; writing it doesn't actually change the timer frequency. 3126 * Our reset value matches the fixed frequency we implement the timer at. 3127 */ 3128 { .name = "CNTFRQ", .cp = 15, .crn = 14, .crm = 0, .opc1 = 0, .opc2 = 0, 3129 .type = ARM_CP_ALIAS, 3130 .access = PL1_RW | PL0_R, .accessfn = gt_cntfrq_access, 3131 .fieldoffset = offsetoflow32(CPUARMState, cp15.c14_cntfrq), 3132 }, 3133 { .name = "CNTFRQ_EL0", .state = ARM_CP_STATE_AA64, 3134 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 0, 3135 .access = PL1_RW | PL0_R, .accessfn = gt_cntfrq_access, 3136 .fieldoffset = offsetof(CPUARMState, cp15.c14_cntfrq), 3137 .resetfn = arm_gt_cntfrq_reset, 3138 }, 3139 /* overall control: mostly access permissions */ 3140 { .name = "CNTKCTL", .state = ARM_CP_STATE_BOTH, 3141 .opc0 = 3, .opc1 = 0, .crn = 14, .crm = 1, .opc2 = 0, 3142 .access = PL1_RW, 3143 .fieldoffset = offsetof(CPUARMState, cp15.c14_cntkctl), 3144 .resetvalue = 0, 3145 }, 3146 /* per-timer control */ 3147 { .name = "CNTP_CTL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 1, 3148 .secure = ARM_CP_SECSTATE_NS, 3149 .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL0_RW, 3150 .accessfn = gt_ptimer_access, 3151 .fieldoffset = offsetoflow32(CPUARMState, 3152 cp15.c14_timer[GTIMER_PHYS].ctl), 3153 .readfn = gt_phys_redir_ctl_read, .raw_readfn = raw_read, 3154 .writefn = gt_phys_redir_ctl_write, .raw_writefn = raw_write, 3155 }, 3156 { .name = "CNTP_CTL_S", 3157 .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 1, 3158 .secure = ARM_CP_SECSTATE_S, 3159 .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL0_RW, 3160 .accessfn = gt_ptimer_access, 3161 .fieldoffset = offsetoflow32(CPUARMState, 3162 cp15.c14_timer[GTIMER_SEC].ctl), 3163 .writefn = gt_sec_ctl_write, .raw_writefn = raw_write, 3164 }, 3165 { .name = "CNTP_CTL_EL0", .state = ARM_CP_STATE_AA64, 3166 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 1, 3167 .type = ARM_CP_IO, .access = PL0_RW, 3168 .accessfn = gt_ptimer_access, 3169 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].ctl), 3170 .resetvalue = 0, 3171 .readfn = gt_phys_redir_ctl_read, .raw_readfn = raw_read, 3172 .writefn = gt_phys_redir_ctl_write, .raw_writefn = raw_write, 3173 }, 3174 { .name = "CNTV_CTL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 1, 3175 .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL0_RW, 3176 .accessfn = gt_vtimer_access, 3177 .fieldoffset = offsetoflow32(CPUARMState, 3178 cp15.c14_timer[GTIMER_VIRT].ctl), 3179 .readfn = gt_virt_redir_ctl_read, .raw_readfn = raw_read, 3180 .writefn = gt_virt_redir_ctl_write, .raw_writefn = raw_write, 3181 }, 3182 { .name = "CNTV_CTL_EL0", .state = ARM_CP_STATE_AA64, 3183 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 1, 3184 .type = ARM_CP_IO, .access = PL0_RW, 3185 .accessfn = gt_vtimer_access, 3186 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].ctl), 3187 .resetvalue = 0, 3188 .readfn = gt_virt_redir_ctl_read, .raw_readfn = raw_read, 3189 .writefn = gt_virt_redir_ctl_write, .raw_writefn = raw_write, 3190 }, 3191 /* TimerValue views: a 32 bit downcounting view of the underlying state */ 3192 { .name = "CNTP_TVAL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 0, 3193 .secure = ARM_CP_SECSTATE_NS, 3194 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW, 3195 .accessfn = gt_ptimer_access, 3196 .readfn = gt_phys_redir_tval_read, .writefn = gt_phys_redir_tval_write, 3197 }, 3198 { .name = "CNTP_TVAL_S", 3199 .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 0, 3200 .secure = ARM_CP_SECSTATE_S, 3201 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW, 3202 .accessfn = gt_ptimer_access, 3203 .readfn = gt_sec_tval_read, .writefn = gt_sec_tval_write, 3204 }, 3205 { .name = "CNTP_TVAL_EL0", .state = ARM_CP_STATE_AA64, 3206 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 0, 3207 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW, 3208 .accessfn = gt_ptimer_access, .resetfn = gt_phys_timer_reset, 3209 .readfn = gt_phys_redir_tval_read, .writefn = gt_phys_redir_tval_write, 3210 }, 3211 { .name = "CNTV_TVAL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 0, 3212 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW, 3213 .accessfn = gt_vtimer_access, 3214 .readfn = gt_virt_redir_tval_read, .writefn = gt_virt_redir_tval_write, 3215 }, 3216 { .name = "CNTV_TVAL_EL0", .state = ARM_CP_STATE_AA64, 3217 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 0, 3218 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW, 3219 .accessfn = gt_vtimer_access, .resetfn = gt_virt_timer_reset, 3220 .readfn = gt_virt_redir_tval_read, .writefn = gt_virt_redir_tval_write, 3221 }, 3222 /* The counter itself */ 3223 { .name = "CNTPCT", .cp = 15, .crm = 14, .opc1 = 0, 3224 .access = PL0_R, .type = ARM_CP_64BIT | ARM_CP_NO_RAW | ARM_CP_IO, 3225 .accessfn = gt_pct_access, 3226 .readfn = gt_cnt_read, .resetfn = arm_cp_reset_ignore, 3227 }, 3228 { .name = "CNTPCT_EL0", .state = ARM_CP_STATE_AA64, 3229 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 1, 3230 .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO, 3231 .accessfn = gt_pct_access, .readfn = gt_cnt_read, 3232 }, 3233 { .name = "CNTVCT", .cp = 15, .crm = 14, .opc1 = 1, 3234 .access = PL0_R, .type = ARM_CP_64BIT | ARM_CP_NO_RAW | ARM_CP_IO, 3235 .accessfn = gt_vct_access, 3236 .readfn = gt_virt_cnt_read, .resetfn = arm_cp_reset_ignore, 3237 }, 3238 { .name = "CNTVCT_EL0", .state = ARM_CP_STATE_AA64, 3239 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 2, 3240 .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO, 3241 .accessfn = gt_vct_access, .readfn = gt_virt_cnt_read, 3242 }, 3243 /* Comparison value, indicating when the timer goes off */ 3244 { .name = "CNTP_CVAL", .cp = 15, .crm = 14, .opc1 = 2, 3245 .secure = ARM_CP_SECSTATE_NS, 3246 .access = PL0_RW, 3247 .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS, 3248 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval), 3249 .accessfn = gt_ptimer_access, 3250 .readfn = gt_phys_redir_cval_read, .raw_readfn = raw_read, 3251 .writefn = gt_phys_redir_cval_write, .raw_writefn = raw_write, 3252 }, 3253 { .name = "CNTP_CVAL_S", .cp = 15, .crm = 14, .opc1 = 2, 3254 .secure = ARM_CP_SECSTATE_S, 3255 .access = PL0_RW, 3256 .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS, 3257 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].cval), 3258 .accessfn = gt_ptimer_access, 3259 .writefn = gt_sec_cval_write, .raw_writefn = raw_write, 3260 }, 3261 { .name = "CNTP_CVAL_EL0", .state = ARM_CP_STATE_AA64, 3262 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 2, 3263 .access = PL0_RW, 3264 .type = ARM_CP_IO, 3265 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval), 3266 .resetvalue = 0, .accessfn = gt_ptimer_access, 3267 .readfn = gt_phys_redir_cval_read, .raw_readfn = raw_read, 3268 .writefn = gt_phys_redir_cval_write, .raw_writefn = raw_write, 3269 }, 3270 { .name = "CNTV_CVAL", .cp = 15, .crm = 14, .opc1 = 3, 3271 .access = PL0_RW, 3272 .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS, 3273 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval), 3274 .accessfn = gt_vtimer_access, 3275 .readfn = gt_virt_redir_cval_read, .raw_readfn = raw_read, 3276 .writefn = gt_virt_redir_cval_write, .raw_writefn = raw_write, 3277 }, 3278 { .name = "CNTV_CVAL_EL0", .state = ARM_CP_STATE_AA64, 3279 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 2, 3280 .access = PL0_RW, 3281 .type = ARM_CP_IO, 3282 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval), 3283 .resetvalue = 0, .accessfn = gt_vtimer_access, 3284 .readfn = gt_virt_redir_cval_read, .raw_readfn = raw_read, 3285 .writefn = gt_virt_redir_cval_write, .raw_writefn = raw_write, 3286 }, 3287 /* 3288 * Secure timer -- this is actually restricted to only EL3 3289 * and configurably Secure-EL1 via the accessfn. 3290 */ 3291 { .name = "CNTPS_TVAL_EL1", .state = ARM_CP_STATE_AA64, 3292 .opc0 = 3, .opc1 = 7, .crn = 14, .crm = 2, .opc2 = 0, 3293 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW, 3294 .accessfn = gt_stimer_access, 3295 .readfn = gt_sec_tval_read, 3296 .writefn = gt_sec_tval_write, 3297 .resetfn = gt_sec_timer_reset, 3298 }, 3299 { .name = "CNTPS_CTL_EL1", .state = ARM_CP_STATE_AA64, 3300 .opc0 = 3, .opc1 = 7, .crn = 14, .crm = 2, .opc2 = 1, 3301 .type = ARM_CP_IO, .access = PL1_RW, 3302 .accessfn = gt_stimer_access, 3303 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].ctl), 3304 .resetvalue = 0, 3305 .writefn = gt_sec_ctl_write, .raw_writefn = raw_write, 3306 }, 3307 { .name = "CNTPS_CVAL_EL1", .state = ARM_CP_STATE_AA64, 3308 .opc0 = 3, .opc1 = 7, .crn = 14, .crm = 2, .opc2 = 2, 3309 .type = ARM_CP_IO, .access = PL1_RW, 3310 .accessfn = gt_stimer_access, 3311 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].cval), 3312 .writefn = gt_sec_cval_write, .raw_writefn = raw_write, 3313 }, 3314 }; 3315 3316 static CPAccessResult e2h_access(CPUARMState *env, const ARMCPRegInfo *ri, 3317 bool isread) 3318 { 3319 if (!(arm_hcr_el2_eff(env) & HCR_E2H)) { 3320 return CP_ACCESS_TRAP; 3321 } 3322 return CP_ACCESS_OK; 3323 } 3324 3325 #else 3326 3327 /* 3328 * In user-mode most of the generic timer registers are inaccessible 3329 * however modern kernels (4.12+) allow access to cntvct_el0 3330 */ 3331 3332 static uint64_t gt_virt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri) 3333 { 3334 ARMCPU *cpu = env_archcpu(env); 3335 3336 /* 3337 * Currently we have no support for QEMUTimer in linux-user so we 3338 * can't call gt_get_countervalue(env), instead we directly 3339 * call the lower level functions. 3340 */ 3341 return cpu_get_clock() / gt_cntfrq_period_ns(cpu); 3342 } 3343 3344 static const ARMCPRegInfo generic_timer_cp_reginfo[] = { 3345 { .name = "CNTFRQ_EL0", .state = ARM_CP_STATE_AA64, 3346 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 0, 3347 .type = ARM_CP_CONST, .access = PL0_R /* no PL1_RW in linux-user */, 3348 .fieldoffset = offsetof(CPUARMState, cp15.c14_cntfrq), 3349 .resetvalue = NANOSECONDS_PER_SECOND / GTIMER_SCALE, 3350 }, 3351 { .name = "CNTVCT_EL0", .state = ARM_CP_STATE_AA64, 3352 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 2, 3353 .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO, 3354 .readfn = gt_virt_cnt_read, 3355 }, 3356 }; 3357 3358 #endif 3359 3360 static void par_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) 3361 { 3362 if (arm_feature(env, ARM_FEATURE_LPAE)) { 3363 raw_write(env, ri, value); 3364 } else if (arm_feature(env, ARM_FEATURE_V7)) { 3365 raw_write(env, ri, value & 0xfffff6ff); 3366 } else { 3367 raw_write(env, ri, value & 0xfffff1ff); 3368 } 3369 } 3370 3371 #ifndef CONFIG_USER_ONLY 3372 /* get_phys_addr() isn't present for user-mode-only targets */ 3373 3374 static CPAccessResult ats_access(CPUARMState *env, const ARMCPRegInfo *ri, 3375 bool isread) 3376 { 3377 if (ri->opc2 & 4) { 3378 /* 3379 * The ATS12NSO* operations must trap to EL3 or EL2 if executed in 3380 * Secure EL1 (which can only happen if EL3 is AArch64). 3381 * They are simply UNDEF if executed from NS EL1. 3382 * They function normally from EL2 or EL3. 3383 */ 3384 if (arm_current_el(env) == 1) { 3385 if (arm_is_secure_below_el3(env)) { 3386 if (env->cp15.scr_el3 & SCR_EEL2) { 3387 return CP_ACCESS_TRAP_EL2; 3388 } 3389 return CP_ACCESS_TRAP_EL3; 3390 } 3391 return CP_ACCESS_TRAP_UNCATEGORIZED; 3392 } 3393 } 3394 return CP_ACCESS_OK; 3395 } 3396 3397 #ifdef CONFIG_TCG 3398 static int par_el1_shareability(GetPhysAddrResult *res) 3399 { 3400 /* 3401 * The PAR_EL1.SH field must be 0b10 for Device or Normal-NC 3402 * memory -- see pseudocode PAREncodeShareability(). 3403 */ 3404 if (((res->cacheattrs.attrs & 0xf0) == 0) || 3405 res->cacheattrs.attrs == 0x44 || res->cacheattrs.attrs == 0x40) { 3406 return 2; 3407 } 3408 return res->cacheattrs.shareability; 3409 } 3410 3411 static uint64_t do_ats_write(CPUARMState *env, uint64_t value, 3412 MMUAccessType access_type, ARMMMUIdx mmu_idx, 3413 ARMSecuritySpace ss) 3414 { 3415 bool ret; 3416 uint64_t par64; 3417 bool format64 = false; 3418 ARMMMUFaultInfo fi = {}; 3419 GetPhysAddrResult res = {}; 3420 3421 /* 3422 * I_MXTJT: Granule protection checks are not performed on the final address 3423 * of a successful translation. 3424 */ 3425 ret = get_phys_addr_with_space_nogpc(env, value, access_type, mmu_idx, ss, 3426 &res, &fi); 3427 3428 /* 3429 * ATS operations only do S1 or S1+S2 translations, so we never 3430 * have to deal with the ARMCacheAttrs format for S2 only. 3431 */ 3432 assert(!res.cacheattrs.is_s2_format); 3433 3434 if (ret) { 3435 /* 3436 * Some kinds of translation fault must cause exceptions rather 3437 * than being reported in the PAR. 3438 */ 3439 int current_el = arm_current_el(env); 3440 int target_el; 3441 uint32_t syn, fsr, fsc; 3442 bool take_exc = false; 3443 3444 if (fi.s1ptw && current_el == 1 3445 && arm_mmu_idx_is_stage1_of_2(mmu_idx)) { 3446 /* 3447 * Synchronous stage 2 fault on an access made as part of the 3448 * translation table walk for AT S1E0* or AT S1E1* insn 3449 * executed from NS EL1. If this is a synchronous external abort 3450 * and SCR_EL3.EA == 1, then we take a synchronous external abort 3451 * to EL3. Otherwise the fault is taken as an exception to EL2, 3452 * and HPFAR_EL2 holds the faulting IPA. 3453 */ 3454 if (fi.type == ARMFault_SyncExternalOnWalk && 3455 (env->cp15.scr_el3 & SCR_EA)) { 3456 target_el = 3; 3457 } else { 3458 env->cp15.hpfar_el2 = extract64(fi.s2addr, 12, 47) << 4; 3459 if (arm_is_secure_below_el3(env) && fi.s1ns) { 3460 env->cp15.hpfar_el2 |= HPFAR_NS; 3461 } 3462 target_el = 2; 3463 } 3464 take_exc = true; 3465 } else if (fi.type == ARMFault_SyncExternalOnWalk) { 3466 /* 3467 * Synchronous external aborts during a translation table walk 3468 * are taken as Data Abort exceptions. 3469 */ 3470 if (fi.stage2) { 3471 if (current_el == 3) { 3472 target_el = 3; 3473 } else { 3474 target_el = 2; 3475 } 3476 } else { 3477 target_el = exception_target_el(env); 3478 } 3479 take_exc = true; 3480 } 3481 3482 if (take_exc) { 3483 /* Construct FSR and FSC using same logic as arm_deliver_fault() */ 3484 if (target_el == 2 || arm_el_is_aa64(env, target_el) || 3485 arm_s1_regime_using_lpae_format(env, mmu_idx)) { 3486 fsr = arm_fi_to_lfsc(&fi); 3487 fsc = extract32(fsr, 0, 6); 3488 } else { 3489 fsr = arm_fi_to_sfsc(&fi); 3490 fsc = 0x3f; 3491 } 3492 /* 3493 * Report exception with ESR indicating a fault due to a 3494 * translation table walk for a cache maintenance instruction. 3495 */ 3496 syn = syn_data_abort_no_iss(current_el == target_el, 0, 3497 fi.ea, 1, fi.s1ptw, 1, fsc); 3498 env->exception.vaddress = value; 3499 env->exception.fsr = fsr; 3500 raise_exception(env, EXCP_DATA_ABORT, syn, target_el); 3501 } 3502 } 3503 3504 if (is_a64(env)) { 3505 format64 = true; 3506 } else if (arm_feature(env, ARM_FEATURE_LPAE)) { 3507 /* 3508 * ATS1Cxx: 3509 * * TTBCR.EAE determines whether the result is returned using the 3510 * 32-bit or the 64-bit PAR format 3511 * * Instructions executed in Hyp mode always use the 64bit format 3512 * 3513 * ATS1S2NSOxx uses the 64bit format if any of the following is true: 3514 * * The Non-secure TTBCR.EAE bit is set to 1 3515 * * The implementation includes EL2, and the value of HCR.VM is 1 3516 * 3517 * (Note that HCR.DC makes HCR.VM behave as if it is 1.) 3518 * 3519 * ATS1Hx always uses the 64bit format. 3520 */ 3521 format64 = arm_s1_regime_using_lpae_format(env, mmu_idx); 3522 3523 if (arm_feature(env, ARM_FEATURE_EL2)) { 3524 if (mmu_idx == ARMMMUIdx_E10_0 || 3525 mmu_idx == ARMMMUIdx_E10_1 || 3526 mmu_idx == ARMMMUIdx_E10_1_PAN) { 3527 format64 |= env->cp15.hcr_el2 & (HCR_VM | HCR_DC); 3528 } else { 3529 format64 |= arm_current_el(env) == 2; 3530 } 3531 } 3532 } 3533 3534 if (format64) { 3535 /* Create a 64-bit PAR */ 3536 par64 = (1 << 11); /* LPAE bit always set */ 3537 if (!ret) { 3538 par64 |= res.f.phys_addr & ~0xfffULL; 3539 if (!res.f.attrs.secure) { 3540 par64 |= (1 << 9); /* NS */ 3541 } 3542 par64 |= (uint64_t)res.cacheattrs.attrs << 56; /* ATTR */ 3543 par64 |= par_el1_shareability(&res) << 7; /* SH */ 3544 } else { 3545 uint32_t fsr = arm_fi_to_lfsc(&fi); 3546 3547 par64 |= 1; /* F */ 3548 par64 |= (fsr & 0x3f) << 1; /* FS */ 3549 if (fi.stage2) { 3550 par64 |= (1 << 9); /* S */ 3551 } 3552 if (fi.s1ptw) { 3553 par64 |= (1 << 8); /* PTW */ 3554 } 3555 } 3556 } else { 3557 /* 3558 * fsr is a DFSR/IFSR value for the short descriptor 3559 * translation table format (with WnR always clear). 3560 * Convert it to a 32-bit PAR. 3561 */ 3562 if (!ret) { 3563 /* We do not set any attribute bits in the PAR */ 3564 if (res.f.lg_page_size == 24 3565 && arm_feature(env, ARM_FEATURE_V7)) { 3566 par64 = (res.f.phys_addr & 0xff000000) | (1 << 1); 3567 } else { 3568 par64 = res.f.phys_addr & 0xfffff000; 3569 } 3570 if (!res.f.attrs.secure) { 3571 par64 |= (1 << 9); /* NS */ 3572 } 3573 } else { 3574 uint32_t fsr = arm_fi_to_sfsc(&fi); 3575 3576 par64 = ((fsr & (1 << 10)) >> 5) | ((fsr & (1 << 12)) >> 6) | 3577 ((fsr & 0xf) << 1) | 1; 3578 } 3579 } 3580 return par64; 3581 } 3582 #endif /* CONFIG_TCG */ 3583 3584 static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) 3585 { 3586 #ifdef CONFIG_TCG 3587 MMUAccessType access_type = ri->opc2 & 1 ? MMU_DATA_STORE : MMU_DATA_LOAD; 3588 uint64_t par64; 3589 ARMMMUIdx mmu_idx; 3590 int el = arm_current_el(env); 3591 ARMSecuritySpace ss = arm_security_space(env); 3592 3593 switch (ri->opc2 & 6) { 3594 case 0: 3595 /* stage 1 current state PL1: ATS1CPR, ATS1CPW, ATS1CPRP, ATS1CPWP */ 3596 switch (el) { 3597 case 3: 3598 mmu_idx = ARMMMUIdx_E3; 3599 break; 3600 case 2: 3601 g_assert(ss != ARMSS_Secure); /* ARMv8.4-SecEL2 is 64-bit only */ 3602 /* fall through */ 3603 case 1: 3604 if (ri->crm == 9 && (env->uncached_cpsr & CPSR_PAN)) { 3605 mmu_idx = ARMMMUIdx_Stage1_E1_PAN; 3606 } else { 3607 mmu_idx = ARMMMUIdx_Stage1_E1; 3608 } 3609 break; 3610 default: 3611 g_assert_not_reached(); 3612 } 3613 break; 3614 case 2: 3615 /* stage 1 current state PL0: ATS1CUR, ATS1CUW */ 3616 switch (el) { 3617 case 3: 3618 mmu_idx = ARMMMUIdx_E10_0; 3619 break; 3620 case 2: 3621 g_assert(ss != ARMSS_Secure); /* ARMv8.4-SecEL2 is 64-bit only */ 3622 mmu_idx = ARMMMUIdx_Stage1_E0; 3623 break; 3624 case 1: 3625 mmu_idx = ARMMMUIdx_Stage1_E0; 3626 break; 3627 default: 3628 g_assert_not_reached(); 3629 } 3630 break; 3631 case 4: 3632 /* stage 1+2 NonSecure PL1: ATS12NSOPR, ATS12NSOPW */ 3633 mmu_idx = ARMMMUIdx_E10_1; 3634 ss = ARMSS_NonSecure; 3635 break; 3636 case 6: 3637 /* stage 1+2 NonSecure PL0: ATS12NSOUR, ATS12NSOUW */ 3638 mmu_idx = ARMMMUIdx_E10_0; 3639 ss = ARMSS_NonSecure; 3640 break; 3641 default: 3642 g_assert_not_reached(); 3643 } 3644 3645 par64 = do_ats_write(env, value, access_type, mmu_idx, ss); 3646 3647 A32_BANKED_CURRENT_REG_SET(env, par, par64); 3648 #else 3649 /* Handled by hardware accelerator. */ 3650 g_assert_not_reached(); 3651 #endif /* CONFIG_TCG */ 3652 } 3653 3654 static void ats1h_write(CPUARMState *env, const ARMCPRegInfo *ri, 3655 uint64_t value) 3656 { 3657 #ifdef CONFIG_TCG 3658 MMUAccessType access_type = ri->opc2 & 1 ? MMU_DATA_STORE : MMU_DATA_LOAD; 3659 uint64_t par64; 3660 3661 /* There is no SecureEL2 for AArch32. */ 3662 par64 = do_ats_write(env, value, access_type, ARMMMUIdx_E2, 3663 ARMSS_NonSecure); 3664 3665 A32_BANKED_CURRENT_REG_SET(env, par, par64); 3666 #else 3667 /* Handled by hardware accelerator. */ 3668 g_assert_not_reached(); 3669 #endif /* CONFIG_TCG */ 3670 } 3671 3672 static CPAccessResult at_e012_access(CPUARMState *env, const ARMCPRegInfo *ri, 3673 bool isread) 3674 { 3675 /* 3676 * R_NYXTL: instruction is UNDEFINED if it applies to an Exception level 3677 * lower than EL3 and the combination SCR_EL3.{NSE,NS} is reserved. This can 3678 * only happen when executing at EL3 because that combination also causes an 3679 * illegal exception return. We don't need to check FEAT_RME either, because 3680 * scr_write() ensures that the NSE bit is not set otherwise. 3681 */ 3682 if ((env->cp15.scr_el3 & (SCR_NSE | SCR_NS)) == SCR_NSE) { 3683 return CP_ACCESS_TRAP; 3684 } 3685 return CP_ACCESS_OK; 3686 } 3687 3688 static CPAccessResult at_s1e2_access(CPUARMState *env, const ARMCPRegInfo *ri, 3689 bool isread) 3690 { 3691 if (arm_current_el(env) == 3 && 3692 !(env->cp15.scr_el3 & (SCR_NS | SCR_EEL2))) { 3693 return CP_ACCESS_TRAP; 3694 } 3695 return at_e012_access(env, ri, isread); 3696 } 3697 3698 static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri, 3699 uint64_t value) 3700 { 3701 #ifdef CONFIG_TCG 3702 MMUAccessType access_type = ri->opc2 & 1 ? MMU_DATA_STORE : MMU_DATA_LOAD; 3703 ARMMMUIdx mmu_idx; 3704 uint64_t hcr_el2 = arm_hcr_el2_eff(env); 3705 bool regime_e20 = (hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE); 3706 3707 switch (ri->opc2 & 6) { 3708 case 0: 3709 switch (ri->opc1) { 3710 case 0: /* AT S1E1R, AT S1E1W, AT S1E1RP, AT S1E1WP */ 3711 if (ri->crm == 9 && (env->pstate & PSTATE_PAN)) { 3712 mmu_idx = regime_e20 ? 3713 ARMMMUIdx_E20_2_PAN : ARMMMUIdx_Stage1_E1_PAN; 3714 } else { 3715 mmu_idx = regime_e20 ? ARMMMUIdx_E20_2 : ARMMMUIdx_Stage1_E1; 3716 } 3717 break; 3718 case 4: /* AT S1E2R, AT S1E2W */ 3719 mmu_idx = hcr_el2 & HCR_E2H ? ARMMMUIdx_E20_2 : ARMMMUIdx_E2; 3720 break; 3721 case 6: /* AT S1E3R, AT S1E3W */ 3722 mmu_idx = ARMMMUIdx_E3; 3723 break; 3724 default: 3725 g_assert_not_reached(); 3726 } 3727 break; 3728 case 2: /* AT S1E0R, AT S1E0W */ 3729 mmu_idx = regime_e20 ? ARMMMUIdx_E20_0 : ARMMMUIdx_Stage1_E0; 3730 break; 3731 case 4: /* AT S12E1R, AT S12E1W */ 3732 mmu_idx = regime_e20 ? ARMMMUIdx_E20_2 : ARMMMUIdx_E10_1; 3733 break; 3734 case 6: /* AT S12E0R, AT S12E0W */ 3735 mmu_idx = regime_e20 ? ARMMMUIdx_E20_0 : ARMMMUIdx_E10_0; 3736 break; 3737 default: 3738 g_assert_not_reached(); 3739 } 3740 3741 env->cp15.par_el[1] = do_ats_write(env, value, access_type, 3742 mmu_idx, arm_security_space(env)); 3743 #else 3744 /* Handled by hardware accelerator. */ 3745 g_assert_not_reached(); 3746 #endif /* CONFIG_TCG */ 3747 } 3748 #endif 3749 3750 /* Return basic MPU access permission bits. */ 3751 static uint32_t simple_mpu_ap_bits(uint32_t val) 3752 { 3753 uint32_t ret; 3754 uint32_t mask; 3755 int i; 3756 ret = 0; 3757 mask = 3; 3758 for (i = 0; i < 16; i += 2) { 3759 ret |= (val >> i) & mask; 3760 mask <<= 2; 3761 } 3762 return ret; 3763 } 3764 3765 /* Pad basic MPU access permission bits to extended format. */ 3766 static uint32_t extended_mpu_ap_bits(uint32_t val) 3767 { 3768 uint32_t ret; 3769 uint32_t mask; 3770 int i; 3771 ret = 0; 3772 mask = 3; 3773 for (i = 0; i < 16; i += 2) { 3774 ret |= (val & mask) << i; 3775 mask <<= 2; 3776 } 3777 return ret; 3778 } 3779 3780 static void pmsav5_data_ap_write(CPUARMState *env, const ARMCPRegInfo *ri, 3781 uint64_t value) 3782 { 3783 env->cp15.pmsav5_data_ap = extended_mpu_ap_bits(value); 3784 } 3785 3786 static uint64_t pmsav5_data_ap_read(CPUARMState *env, const ARMCPRegInfo *ri) 3787 { 3788 return simple_mpu_ap_bits(env->cp15.pmsav5_data_ap); 3789 } 3790 3791 static void pmsav5_insn_ap_write(CPUARMState *env, const ARMCPRegInfo *ri, 3792 uint64_t value) 3793 { 3794 env->cp15.pmsav5_insn_ap = extended_mpu_ap_bits(value); 3795 } 3796 3797 static uint64_t pmsav5_insn_ap_read(CPUARMState *env, const ARMCPRegInfo *ri) 3798 { 3799 return simple_mpu_ap_bits(env->cp15.pmsav5_insn_ap); 3800 } 3801 3802 static uint64_t pmsav7_read(CPUARMState *env, const ARMCPRegInfo *ri) 3803 { 3804 uint32_t *u32p = *(uint32_t **)raw_ptr(env, ri); 3805 3806 if (!u32p) { 3807 return 0; 3808 } 3809 3810 u32p += env->pmsav7.rnr[M_REG_NS]; 3811 return *u32p; 3812 } 3813 3814 static void pmsav7_write(CPUARMState *env, const ARMCPRegInfo *ri, 3815 uint64_t value) 3816 { 3817 ARMCPU *cpu = env_archcpu(env); 3818 uint32_t *u32p = *(uint32_t **)raw_ptr(env, ri); 3819 3820 if (!u32p) { 3821 return; 3822 } 3823 3824 u32p += env->pmsav7.rnr[M_REG_NS]; 3825 tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */ 3826 *u32p = value; 3827 } 3828 3829 static void pmsav7_rgnr_write(CPUARMState *env, const ARMCPRegInfo *ri, 3830 uint64_t value) 3831 { 3832 ARMCPU *cpu = env_archcpu(env); 3833 uint32_t nrgs = cpu->pmsav7_dregion; 3834 3835 if (value >= nrgs) { 3836 qemu_log_mask(LOG_GUEST_ERROR, 3837 "PMSAv7 RGNR write >= # supported regions, %" PRIu32 3838 " > %" PRIu32 "\n", (uint32_t)value, nrgs); 3839 return; 3840 } 3841 3842 raw_write(env, ri, value); 3843 } 3844 3845 static void prbar_write(CPUARMState *env, const ARMCPRegInfo *ri, 3846 uint64_t value) 3847 { 3848 ARMCPU *cpu = env_archcpu(env); 3849 3850 tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */ 3851 env->pmsav8.rbar[M_REG_NS][env->pmsav7.rnr[M_REG_NS]] = value; 3852 } 3853 3854 static uint64_t prbar_read(CPUARMState *env, const ARMCPRegInfo *ri) 3855 { 3856 return env->pmsav8.rbar[M_REG_NS][env->pmsav7.rnr[M_REG_NS]]; 3857 } 3858 3859 static void prlar_write(CPUARMState *env, const ARMCPRegInfo *ri, 3860 uint64_t value) 3861 { 3862 ARMCPU *cpu = env_archcpu(env); 3863 3864 tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */ 3865 env->pmsav8.rlar[M_REG_NS][env->pmsav7.rnr[M_REG_NS]] = value; 3866 } 3867 3868 static uint64_t prlar_read(CPUARMState *env, const ARMCPRegInfo *ri) 3869 { 3870 return env->pmsav8.rlar[M_REG_NS][env->pmsav7.rnr[M_REG_NS]]; 3871 } 3872 3873 static void prselr_write(CPUARMState *env, const ARMCPRegInfo *ri, 3874 uint64_t value) 3875 { 3876 ARMCPU *cpu = env_archcpu(env); 3877 3878 /* 3879 * Ignore writes that would select not implemented region. 3880 * This is architecturally UNPREDICTABLE. 3881 */ 3882 if (value >= cpu->pmsav7_dregion) { 3883 return; 3884 } 3885 3886 env->pmsav7.rnr[M_REG_NS] = value; 3887 } 3888 3889 static void hprbar_write(CPUARMState *env, const ARMCPRegInfo *ri, 3890 uint64_t value) 3891 { 3892 ARMCPU *cpu = env_archcpu(env); 3893 3894 tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */ 3895 env->pmsav8.hprbar[env->pmsav8.hprselr] = value; 3896 } 3897 3898 static uint64_t hprbar_read(CPUARMState *env, const ARMCPRegInfo *ri) 3899 { 3900 return env->pmsav8.hprbar[env->pmsav8.hprselr]; 3901 } 3902 3903 static void hprlar_write(CPUARMState *env, const ARMCPRegInfo *ri, 3904 uint64_t value) 3905 { 3906 ARMCPU *cpu = env_archcpu(env); 3907 3908 tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */ 3909 env->pmsav8.hprlar[env->pmsav8.hprselr] = value; 3910 } 3911 3912 static uint64_t hprlar_read(CPUARMState *env, const ARMCPRegInfo *ri) 3913 { 3914 return env->pmsav8.hprlar[env->pmsav8.hprselr]; 3915 } 3916 3917 static void hprenr_write(CPUARMState *env, const ARMCPRegInfo *ri, 3918 uint64_t value) 3919 { 3920 uint32_t n; 3921 uint32_t bit; 3922 ARMCPU *cpu = env_archcpu(env); 3923 3924 /* Ignore writes to unimplemented regions */ 3925 int rmax = MIN(cpu->pmsav8r_hdregion, 32); 3926 value &= MAKE_64BIT_MASK(0, rmax); 3927 3928 tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */ 3929 3930 /* Register alias is only valid for first 32 indexes */ 3931 for (n = 0; n < rmax; ++n) { 3932 bit = extract32(value, n, 1); 3933 env->pmsav8.hprlar[n] = deposit32( 3934 env->pmsav8.hprlar[n], 0, 1, bit); 3935 } 3936 } 3937 3938 static uint64_t hprenr_read(CPUARMState *env, const ARMCPRegInfo *ri) 3939 { 3940 uint32_t n; 3941 uint32_t result = 0x0; 3942 ARMCPU *cpu = env_archcpu(env); 3943 3944 /* Register alias is only valid for first 32 indexes */ 3945 for (n = 0; n < MIN(cpu->pmsav8r_hdregion, 32); ++n) { 3946 if (env->pmsav8.hprlar[n] & 0x1) { 3947 result |= (0x1 << n); 3948 } 3949 } 3950 return result; 3951 } 3952 3953 static void hprselr_write(CPUARMState *env, const ARMCPRegInfo *ri, 3954 uint64_t value) 3955 { 3956 ARMCPU *cpu = env_archcpu(env); 3957 3958 /* 3959 * Ignore writes that would select not implemented region. 3960 * This is architecturally UNPREDICTABLE. 3961 */ 3962 if (value >= cpu->pmsav8r_hdregion) { 3963 return; 3964 } 3965 3966 env->pmsav8.hprselr = value; 3967 } 3968 3969 static void pmsav8r_regn_write(CPUARMState *env, const ARMCPRegInfo *ri, 3970 uint64_t value) 3971 { 3972 ARMCPU *cpu = env_archcpu(env); 3973 uint8_t index = (extract32(ri->opc0, 0, 1) << 4) | 3974 (extract32(ri->crm, 0, 3) << 1) | extract32(ri->opc2, 2, 1); 3975 3976 tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */ 3977 3978 if (ri->opc1 & 4) { 3979 if (index >= cpu->pmsav8r_hdregion) { 3980 return; 3981 } 3982 if (ri->opc2 & 0x1) { 3983 env->pmsav8.hprlar[index] = value; 3984 } else { 3985 env->pmsav8.hprbar[index] = value; 3986 } 3987 } else { 3988 if (index >= cpu->pmsav7_dregion) { 3989 return; 3990 } 3991 if (ri->opc2 & 0x1) { 3992 env->pmsav8.rlar[M_REG_NS][index] = value; 3993 } else { 3994 env->pmsav8.rbar[M_REG_NS][index] = value; 3995 } 3996 } 3997 } 3998 3999 static uint64_t pmsav8r_regn_read(CPUARMState *env, const ARMCPRegInfo *ri) 4000 { 4001 ARMCPU *cpu = env_archcpu(env); 4002 uint8_t index = (extract32(ri->opc0, 0, 1) << 4) | 4003 (extract32(ri->crm, 0, 3) << 1) | extract32(ri->opc2, 2, 1); 4004 4005 if (ri->opc1 & 4) { 4006 if (index >= cpu->pmsav8r_hdregion) { 4007 return 0x0; 4008 } 4009 if (ri->opc2 & 0x1) { 4010 return env->pmsav8.hprlar[index]; 4011 } else { 4012 return env->pmsav8.hprbar[index]; 4013 } 4014 } else { 4015 if (index >= cpu->pmsav7_dregion) { 4016 return 0x0; 4017 } 4018 if (ri->opc2 & 0x1) { 4019 return env->pmsav8.rlar[M_REG_NS][index]; 4020 } else { 4021 return env->pmsav8.rbar[M_REG_NS][index]; 4022 } 4023 } 4024 } 4025 4026 static const ARMCPRegInfo pmsav8r_cp_reginfo[] = { 4027 { .name = "PRBAR", 4028 .cp = 15, .opc1 = 0, .crn = 6, .crm = 3, .opc2 = 0, 4029 .access = PL1_RW, .type = ARM_CP_NO_RAW, 4030 .accessfn = access_tvm_trvm, 4031 .readfn = prbar_read, .writefn = prbar_write }, 4032 { .name = "PRLAR", 4033 .cp = 15, .opc1 = 0, .crn = 6, .crm = 3, .opc2 = 1, 4034 .access = PL1_RW, .type = ARM_CP_NO_RAW, 4035 .accessfn = access_tvm_trvm, 4036 .readfn = prlar_read, .writefn = prlar_write }, 4037 { .name = "PRSELR", .resetvalue = 0, 4038 .cp = 15, .opc1 = 0, .crn = 6, .crm = 2, .opc2 = 1, 4039 .access = PL1_RW, .accessfn = access_tvm_trvm, 4040 .writefn = prselr_write, 4041 .fieldoffset = offsetof(CPUARMState, pmsav7.rnr[M_REG_NS]) }, 4042 { .name = "HPRBAR", .resetvalue = 0, 4043 .cp = 15, .opc1 = 4, .crn = 6, .crm = 3, .opc2 = 0, 4044 .access = PL2_RW, .type = ARM_CP_NO_RAW, 4045 .readfn = hprbar_read, .writefn = hprbar_write }, 4046 { .name = "HPRLAR", 4047 .cp = 15, .opc1 = 4, .crn = 6, .crm = 3, .opc2 = 1, 4048 .access = PL2_RW, .type = ARM_CP_NO_RAW, 4049 .readfn = hprlar_read, .writefn = hprlar_write }, 4050 { .name = "HPRSELR", .resetvalue = 0, 4051 .cp = 15, .opc1 = 4, .crn = 6, .crm = 2, .opc2 = 1, 4052 .access = PL2_RW, 4053 .writefn = hprselr_write, 4054 .fieldoffset = offsetof(CPUARMState, pmsav8.hprselr) }, 4055 { .name = "HPRENR", 4056 .cp = 15, .opc1 = 4, .crn = 6, .crm = 1, .opc2 = 1, 4057 .access = PL2_RW, .type = ARM_CP_NO_RAW, 4058 .readfn = hprenr_read, .writefn = hprenr_write }, 4059 }; 4060 4061 static const ARMCPRegInfo pmsav7_cp_reginfo[] = { 4062 /* 4063 * Reset for all these registers is handled in arm_cpu_reset(), 4064 * because the PMSAv7 is also used by M-profile CPUs, which do 4065 * not register cpregs but still need the state to be reset. 4066 */ 4067 { .name = "DRBAR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 0, 4068 .access = PL1_RW, .type = ARM_CP_NO_RAW, 4069 .fieldoffset = offsetof(CPUARMState, pmsav7.drbar), 4070 .readfn = pmsav7_read, .writefn = pmsav7_write, 4071 .resetfn = arm_cp_reset_ignore }, 4072 { .name = "DRSR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 2, 4073 .access = PL1_RW, .type = ARM_CP_NO_RAW, 4074 .fieldoffset = offsetof(CPUARMState, pmsav7.drsr), 4075 .readfn = pmsav7_read, .writefn = pmsav7_write, 4076 .resetfn = arm_cp_reset_ignore }, 4077 { .name = "DRACR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 4, 4078 .access = PL1_RW, .type = ARM_CP_NO_RAW, 4079 .fieldoffset = offsetof(CPUARMState, pmsav7.dracr), 4080 .readfn = pmsav7_read, .writefn = pmsav7_write, 4081 .resetfn = arm_cp_reset_ignore }, 4082 { .name = "RGNR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 2, .opc2 = 0, 4083 .access = PL1_RW, 4084 .fieldoffset = offsetof(CPUARMState, pmsav7.rnr[M_REG_NS]), 4085 .writefn = pmsav7_rgnr_write, 4086 .resetfn = arm_cp_reset_ignore }, 4087 }; 4088 4089 static const ARMCPRegInfo pmsav5_cp_reginfo[] = { 4090 { .name = "DATA_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 0, 4091 .access = PL1_RW, .type = ARM_CP_ALIAS, 4092 .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_data_ap), 4093 .readfn = pmsav5_data_ap_read, .writefn = pmsav5_data_ap_write, }, 4094 { .name = "INSN_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 1, 4095 .access = PL1_RW, .type = ARM_CP_ALIAS, 4096 .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_insn_ap), 4097 .readfn = pmsav5_insn_ap_read, .writefn = pmsav5_insn_ap_write, }, 4098 { .name = "DATA_EXT_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 2, 4099 .access = PL1_RW, 4100 .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_data_ap), 4101 .resetvalue = 0, }, 4102 { .name = "INSN_EXT_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 3, 4103 .access = PL1_RW, 4104 .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_insn_ap), 4105 .resetvalue = 0, }, 4106 { .name = "DCACHE_CFG", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 0, 4107 .access = PL1_RW, 4108 .fieldoffset = offsetof(CPUARMState, cp15.c2_data), .resetvalue = 0, }, 4109 { .name = "ICACHE_CFG", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 1, 4110 .access = PL1_RW, 4111 .fieldoffset = offsetof(CPUARMState, cp15.c2_insn), .resetvalue = 0, }, 4112 /* Protection region base and size registers */ 4113 { .name = "946_PRBS0", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, 4114 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0, 4115 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[0]) }, 4116 { .name = "946_PRBS1", .cp = 15, .crn = 6, .crm = 1, .opc1 = 0, 4117 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0, 4118 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[1]) }, 4119 { .name = "946_PRBS2", .cp = 15, .crn = 6, .crm = 2, .opc1 = 0, 4120 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0, 4121 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[2]) }, 4122 { .name = "946_PRBS3", .cp = 15, .crn = 6, .crm = 3, .opc1 = 0, 4123 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0, 4124 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[3]) }, 4125 { .name = "946_PRBS4", .cp = 15, .crn = 6, .crm = 4, .opc1 = 0, 4126 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0, 4127 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[4]) }, 4128 { .name = "946_PRBS5", .cp = 15, .crn = 6, .crm = 5, .opc1 = 0, 4129 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0, 4130 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[5]) }, 4131 { .name = "946_PRBS6", .cp = 15, .crn = 6, .crm = 6, .opc1 = 0, 4132 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0, 4133 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[6]) }, 4134 { .name = "946_PRBS7", .cp = 15, .crn = 6, .crm = 7, .opc1 = 0, 4135 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0, 4136 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[7]) }, 4137 }; 4138 4139 static void vmsa_ttbcr_write(CPUARMState *env, const ARMCPRegInfo *ri, 4140 uint64_t value) 4141 { 4142 ARMCPU *cpu = env_archcpu(env); 4143 4144 if (!arm_feature(env, ARM_FEATURE_V8)) { 4145 if (arm_feature(env, ARM_FEATURE_LPAE) && (value & TTBCR_EAE)) { 4146 /* 4147 * Pre ARMv8 bits [21:19], [15:14] and [6:3] are UNK/SBZP when 4148 * using Long-descriptor translation table format 4149 */ 4150 value &= ~((7 << 19) | (3 << 14) | (0xf << 3)); 4151 } else if (arm_feature(env, ARM_FEATURE_EL3)) { 4152 /* 4153 * In an implementation that includes the Security Extensions 4154 * TTBCR has additional fields PD0 [4] and PD1 [5] for 4155 * Short-descriptor translation table format. 4156 */ 4157 value &= TTBCR_PD1 | TTBCR_PD0 | TTBCR_N; 4158 } else { 4159 value &= TTBCR_N; 4160 } 4161 } 4162 4163 if (arm_feature(env, ARM_FEATURE_LPAE)) { 4164 /* 4165 * With LPAE the TTBCR could result in a change of ASID 4166 * via the TTBCR.A1 bit, so do a TLB flush. 4167 */ 4168 tlb_flush(CPU(cpu)); 4169 } 4170 raw_write(env, ri, value); 4171 } 4172 4173 static void vmsa_tcr_el12_write(CPUARMState *env, const ARMCPRegInfo *ri, 4174 uint64_t value) 4175 { 4176 ARMCPU *cpu = env_archcpu(env); 4177 4178 /* For AArch64 the A1 bit could result in a change of ASID, so TLB flush. */ 4179 tlb_flush(CPU(cpu)); 4180 raw_write(env, ri, value); 4181 } 4182 4183 static void vmsa_ttbr_write(CPUARMState *env, const ARMCPRegInfo *ri, 4184 uint64_t value) 4185 { 4186 /* If the ASID changes (with a 64-bit write), we must flush the TLB. */ 4187 if (cpreg_field_is_64bit(ri) && 4188 extract64(raw_read(env, ri) ^ value, 48, 16) != 0) { 4189 ARMCPU *cpu = env_archcpu(env); 4190 tlb_flush(CPU(cpu)); 4191 } 4192 raw_write(env, ri, value); 4193 } 4194 4195 static void vmsa_tcr_ttbr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri, 4196 uint64_t value) 4197 { 4198 /* 4199 * If we are running with E2&0 regime, then an ASID is active. 4200 * Flush if that might be changing. Note we're not checking 4201 * TCR_EL2.A1 to know if this is really the TTBRx_EL2 that 4202 * holds the active ASID, only checking the field that might. 4203 */ 4204 if (extract64(raw_read(env, ri) ^ value, 48, 16) && 4205 (arm_hcr_el2_eff(env) & HCR_E2H)) { 4206 uint16_t mask = ARMMMUIdxBit_E20_2 | 4207 ARMMMUIdxBit_E20_2_PAN | 4208 ARMMMUIdxBit_E20_0; 4209 tlb_flush_by_mmuidx(env_cpu(env), mask); 4210 } 4211 raw_write(env, ri, value); 4212 } 4213 4214 static void vttbr_write(CPUARMState *env, const ARMCPRegInfo *ri, 4215 uint64_t value) 4216 { 4217 ARMCPU *cpu = env_archcpu(env); 4218 CPUState *cs = CPU(cpu); 4219 4220 /* 4221 * A change in VMID to the stage2 page table (Stage2) invalidates 4222 * the stage2 and combined stage 1&2 tlbs (EL10_1 and EL10_0). 4223 */ 4224 if (extract64(raw_read(env, ri) ^ value, 48, 16) != 0) { 4225 tlb_flush_by_mmuidx(cs, alle1_tlbmask(env)); 4226 } 4227 raw_write(env, ri, value); 4228 } 4229 4230 static const ARMCPRegInfo vmsa_pmsa_cp_reginfo[] = { 4231 { .name = "DFSR", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 0, 4232 .access = PL1_RW, .accessfn = access_tvm_trvm, .type = ARM_CP_ALIAS, 4233 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dfsr_s), 4234 offsetoflow32(CPUARMState, cp15.dfsr_ns) }, }, 4235 { .name = "IFSR", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 1, 4236 .access = PL1_RW, .accessfn = access_tvm_trvm, .resetvalue = 0, 4237 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.ifsr_s), 4238 offsetoflow32(CPUARMState, cp15.ifsr_ns) } }, 4239 { .name = "DFAR", .cp = 15, .opc1 = 0, .crn = 6, .crm = 0, .opc2 = 0, 4240 .access = PL1_RW, .accessfn = access_tvm_trvm, .resetvalue = 0, 4241 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.dfar_s), 4242 offsetof(CPUARMState, cp15.dfar_ns) } }, 4243 { .name = "FAR_EL1", .state = ARM_CP_STATE_AA64, 4244 .opc0 = 3, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 0, 4245 .access = PL1_RW, .accessfn = access_tvm_trvm, 4246 .fgt = FGT_FAR_EL1, 4247 .fieldoffset = offsetof(CPUARMState, cp15.far_el[1]), 4248 .resetvalue = 0, }, 4249 }; 4250 4251 static const ARMCPRegInfo vmsa_cp_reginfo[] = { 4252 { .name = "ESR_EL1", .state = ARM_CP_STATE_AA64, 4253 .opc0 = 3, .crn = 5, .crm = 2, .opc1 = 0, .opc2 = 0, 4254 .access = PL1_RW, .accessfn = access_tvm_trvm, 4255 .fgt = FGT_ESR_EL1, 4256 .fieldoffset = offsetof(CPUARMState, cp15.esr_el[1]), .resetvalue = 0, }, 4257 { .name = "TTBR0_EL1", .state = ARM_CP_STATE_BOTH, 4258 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 0, 4259 .access = PL1_RW, .accessfn = access_tvm_trvm, 4260 .fgt = FGT_TTBR0_EL1, 4261 .writefn = vmsa_ttbr_write, .resetvalue = 0, .raw_writefn = raw_write, 4262 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s), 4263 offsetof(CPUARMState, cp15.ttbr0_ns) } }, 4264 { .name = "TTBR1_EL1", .state = ARM_CP_STATE_BOTH, 4265 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 1, 4266 .access = PL1_RW, .accessfn = access_tvm_trvm, 4267 .fgt = FGT_TTBR1_EL1, 4268 .writefn = vmsa_ttbr_write, .resetvalue = 0, .raw_writefn = raw_write, 4269 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s), 4270 offsetof(CPUARMState, cp15.ttbr1_ns) } }, 4271 { .name = "TCR_EL1", .state = ARM_CP_STATE_AA64, 4272 .opc0 = 3, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 2, 4273 .access = PL1_RW, .accessfn = access_tvm_trvm, 4274 .fgt = FGT_TCR_EL1, 4275 .writefn = vmsa_tcr_el12_write, 4276 .raw_writefn = raw_write, 4277 .resetvalue = 0, 4278 .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[1]) }, 4279 { .name = "TTBCR", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 2, 4280 .access = PL1_RW, .accessfn = access_tvm_trvm, 4281 .type = ARM_CP_ALIAS, .writefn = vmsa_ttbcr_write, 4282 .raw_writefn = raw_write, 4283 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tcr_el[3]), 4284 offsetoflow32(CPUARMState, cp15.tcr_el[1])} }, 4285 }; 4286 4287 /* 4288 * Note that unlike TTBCR, writing to TTBCR2 does not require flushing 4289 * qemu tlbs nor adjusting cached masks. 4290 */ 4291 static const ARMCPRegInfo ttbcr2_reginfo = { 4292 .name = "TTBCR2", .cp = 15, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 3, 4293 .access = PL1_RW, .accessfn = access_tvm_trvm, 4294 .type = ARM_CP_ALIAS, 4295 .bank_fieldoffsets = { 4296 offsetofhigh32(CPUARMState, cp15.tcr_el[3]), 4297 offsetofhigh32(CPUARMState, cp15.tcr_el[1]), 4298 }, 4299 }; 4300 4301 static void omap_ticonfig_write(CPUARMState *env, const ARMCPRegInfo *ri, 4302 uint64_t value) 4303 { 4304 env->cp15.c15_ticonfig = value & 0xe7; 4305 /* The OS_TYPE bit in this register changes the reported CPUID! */ 4306 env->cp15.c0_cpuid = (value & (1 << 5)) ? 4307 ARM_CPUID_TI915T : ARM_CPUID_TI925T; 4308 } 4309 4310 static void omap_threadid_write(CPUARMState *env, const ARMCPRegInfo *ri, 4311 uint64_t value) 4312 { 4313 env->cp15.c15_threadid = value & 0xffff; 4314 } 4315 4316 static void omap_wfi_write(CPUARMState *env, const ARMCPRegInfo *ri, 4317 uint64_t value) 4318 { 4319 /* Wait-for-interrupt (deprecated) */ 4320 cpu_interrupt(env_cpu(env), CPU_INTERRUPT_HALT); 4321 } 4322 4323 static void omap_cachemaint_write(CPUARMState *env, const ARMCPRegInfo *ri, 4324 uint64_t value) 4325 { 4326 /* 4327 * On OMAP there are registers indicating the max/min index of dcache lines 4328 * containing a dirty line; cache flush operations have to reset these. 4329 */ 4330 env->cp15.c15_i_max = 0x000; 4331 env->cp15.c15_i_min = 0xff0; 4332 } 4333 4334 static const ARMCPRegInfo omap_cp_reginfo[] = { 4335 { .name = "DFSR", .cp = 15, .crn = 5, .crm = CP_ANY, 4336 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_OVERRIDE, 4337 .fieldoffset = offsetoflow32(CPUARMState, cp15.esr_el[1]), 4338 .resetvalue = 0, }, 4339 { .name = "", .cp = 15, .crn = 15, .crm = 0, .opc1 = 0, .opc2 = 0, 4340 .access = PL1_RW, .type = ARM_CP_NOP }, 4341 { .name = "TICONFIG", .cp = 15, .crn = 15, .crm = 1, .opc1 = 0, .opc2 = 0, 4342 .access = PL1_RW, 4343 .fieldoffset = offsetof(CPUARMState, cp15.c15_ticonfig), .resetvalue = 0, 4344 .writefn = omap_ticonfig_write }, 4345 { .name = "IMAX", .cp = 15, .crn = 15, .crm = 2, .opc1 = 0, .opc2 = 0, 4346 .access = PL1_RW, 4347 .fieldoffset = offsetof(CPUARMState, cp15.c15_i_max), .resetvalue = 0, }, 4348 { .name = "IMIN", .cp = 15, .crn = 15, .crm = 3, .opc1 = 0, .opc2 = 0, 4349 .access = PL1_RW, .resetvalue = 0xff0, 4350 .fieldoffset = offsetof(CPUARMState, cp15.c15_i_min) }, 4351 { .name = "THREADID", .cp = 15, .crn = 15, .crm = 4, .opc1 = 0, .opc2 = 0, 4352 .access = PL1_RW, 4353 .fieldoffset = offsetof(CPUARMState, cp15.c15_threadid), .resetvalue = 0, 4354 .writefn = omap_threadid_write }, 4355 { .name = "TI925T_STATUS", .cp = 15, .crn = 15, 4356 .crm = 8, .opc1 = 0, .opc2 = 0, .access = PL1_RW, 4357 .type = ARM_CP_NO_RAW, 4358 .readfn = arm_cp_read_zero, .writefn = omap_wfi_write, }, 4359 /* 4360 * TODO: Peripheral port remap register: 4361 * On OMAP2 mcr p15, 0, rn, c15, c2, 4 sets up the interrupt controller 4362 * base address at $rn & ~0xfff and map size of 0x200 << ($rn & 0xfff), 4363 * when MMU is off. 4364 */ 4365 { .name = "OMAP_CACHEMAINT", .cp = 15, .crn = 7, .crm = CP_ANY, 4366 .opc1 = 0, .opc2 = CP_ANY, .access = PL1_W, 4367 .type = ARM_CP_OVERRIDE | ARM_CP_NO_RAW, 4368 .writefn = omap_cachemaint_write }, 4369 { .name = "C9", .cp = 15, .crn = 9, 4370 .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, 4371 .type = ARM_CP_CONST | ARM_CP_OVERRIDE, .resetvalue = 0 }, 4372 }; 4373 4374 static void xscale_cpar_write(CPUARMState *env, const ARMCPRegInfo *ri, 4375 uint64_t value) 4376 { 4377 env->cp15.c15_cpar = value & 0x3fff; 4378 } 4379 4380 static const ARMCPRegInfo xscale_cp_reginfo[] = { 4381 { .name = "XSCALE_CPAR", 4382 .cp = 15, .crn = 15, .crm = 1, .opc1 = 0, .opc2 = 0, .access = PL1_RW, 4383 .fieldoffset = offsetof(CPUARMState, cp15.c15_cpar), .resetvalue = 0, 4384 .writefn = xscale_cpar_write, }, 4385 { .name = "XSCALE_AUXCR", 4386 .cp = 15, .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 1, .access = PL1_RW, 4387 .fieldoffset = offsetof(CPUARMState, cp15.c1_xscaleauxcr), 4388 .resetvalue = 0, }, 4389 /* 4390 * XScale specific cache-lockdown: since we have no cache we NOP these 4391 * and hope the guest does not really rely on cache behaviour. 4392 */ 4393 { .name = "XSCALE_LOCK_ICACHE_LINE", 4394 .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0, 4395 .access = PL1_W, .type = ARM_CP_NOP }, 4396 { .name = "XSCALE_UNLOCK_ICACHE", 4397 .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1, 4398 .access = PL1_W, .type = ARM_CP_NOP }, 4399 { .name = "XSCALE_DCACHE_LOCK", 4400 .cp = 15, .opc1 = 0, .crn = 9, .crm = 2, .opc2 = 0, 4401 .access = PL1_RW, .type = ARM_CP_NOP }, 4402 { .name = "XSCALE_UNLOCK_DCACHE", 4403 .cp = 15, .opc1 = 0, .crn = 9, .crm = 2, .opc2 = 1, 4404 .access = PL1_W, .type = ARM_CP_NOP }, 4405 }; 4406 4407 static const ARMCPRegInfo dummy_c15_cp_reginfo[] = { 4408 /* 4409 * RAZ/WI the whole crn=15 space, when we don't have a more specific 4410 * implementation of this implementation-defined space. 4411 * Ideally this should eventually disappear in favour of actually 4412 * implementing the correct behaviour for all cores. 4413 */ 4414 { .name = "C15_IMPDEF", .cp = 15, .crn = 15, 4415 .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY, 4416 .access = PL1_RW, 4417 .type = ARM_CP_CONST | ARM_CP_NO_RAW | ARM_CP_OVERRIDE, 4418 .resetvalue = 0 }, 4419 }; 4420 4421 static const ARMCPRegInfo cache_dirty_status_cp_reginfo[] = { 4422 /* Cache status: RAZ because we have no cache so it's always clean */ 4423 { .name = "CDSR", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 6, 4424 .access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW, 4425 .resetvalue = 0 }, 4426 }; 4427 4428 static const ARMCPRegInfo cache_block_ops_cp_reginfo[] = { 4429 /* We never have a block transfer operation in progress */ 4430 { .name = "BXSR", .cp = 15, .crn = 7, .crm = 12, .opc1 = 0, .opc2 = 4, 4431 .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW, 4432 .resetvalue = 0 }, 4433 /* The cache ops themselves: these all NOP for QEMU */ 4434 { .name = "IICR", .cp = 15, .crm = 5, .opc1 = 0, 4435 .access = PL1_W, .type = ARM_CP_NOP | ARM_CP_64BIT }, 4436 { .name = "IDCR", .cp = 15, .crm = 6, .opc1 = 0, 4437 .access = PL1_W, .type = ARM_CP_NOP | ARM_CP_64BIT }, 4438 { .name = "CDCR", .cp = 15, .crm = 12, .opc1 = 0, 4439 .access = PL0_W, .type = ARM_CP_NOP | ARM_CP_64BIT }, 4440 { .name = "PIR", .cp = 15, .crm = 12, .opc1 = 1, 4441 .access = PL0_W, .type = ARM_CP_NOP | ARM_CP_64BIT }, 4442 { .name = "PDR", .cp = 15, .crm = 12, .opc1 = 2, 4443 .access = PL0_W, .type = ARM_CP_NOP | ARM_CP_64BIT }, 4444 { .name = "CIDCR", .cp = 15, .crm = 14, .opc1 = 0, 4445 .access = PL1_W, .type = ARM_CP_NOP | ARM_CP_64BIT }, 4446 }; 4447 4448 static const ARMCPRegInfo cache_test_clean_cp_reginfo[] = { 4449 /* 4450 * The cache test-and-clean instructions always return (1 << 30) 4451 * to indicate that there are no dirty cache lines. 4452 */ 4453 { .name = "TC_DCACHE", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 3, 4454 .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW, 4455 .resetvalue = (1 << 30) }, 4456 { .name = "TCI_DCACHE", .cp = 15, .crn = 7, .crm = 14, .opc1 = 0, .opc2 = 3, 4457 .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW, 4458 .resetvalue = (1 << 30) }, 4459 }; 4460 4461 static const ARMCPRegInfo strongarm_cp_reginfo[] = { 4462 /* Ignore ReadBuffer accesses */ 4463 { .name = "C9_READBUFFER", .cp = 15, .crn = 9, 4464 .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY, 4465 .access = PL1_RW, .resetvalue = 0, 4466 .type = ARM_CP_CONST | ARM_CP_OVERRIDE | ARM_CP_NO_RAW }, 4467 }; 4468 4469 static uint64_t midr_read(CPUARMState *env, const ARMCPRegInfo *ri) 4470 { 4471 unsigned int cur_el = arm_current_el(env); 4472 4473 if (arm_is_el2_enabled(env) && cur_el == 1) { 4474 return env->cp15.vpidr_el2; 4475 } 4476 return raw_read(env, ri); 4477 } 4478 4479 static uint64_t mpidr_read_val(CPUARMState *env) 4480 { 4481 ARMCPU *cpu = env_archcpu(env); 4482 uint64_t mpidr = cpu->mp_affinity; 4483 4484 if (arm_feature(env, ARM_FEATURE_V7MP)) { 4485 mpidr |= (1U << 31); 4486 /* 4487 * Cores which are uniprocessor (non-coherent) 4488 * but still implement the MP extensions set 4489 * bit 30. (For instance, Cortex-R5). 4490 */ 4491 if (cpu->mp_is_up) { 4492 mpidr |= (1u << 30); 4493 } 4494 } 4495 return mpidr; 4496 } 4497 4498 static uint64_t mpidr_read(CPUARMState *env, const ARMCPRegInfo *ri) 4499 { 4500 unsigned int cur_el = arm_current_el(env); 4501 4502 if (arm_is_el2_enabled(env) && cur_el == 1) { 4503 return env->cp15.vmpidr_el2; 4504 } 4505 return mpidr_read_val(env); 4506 } 4507 4508 static const ARMCPRegInfo lpae_cp_reginfo[] = { 4509 /* NOP AMAIR0/1 */ 4510 { .name = "AMAIR0", .state = ARM_CP_STATE_BOTH, 4511 .opc0 = 3, .crn = 10, .crm = 3, .opc1 = 0, .opc2 = 0, 4512 .access = PL1_RW, .accessfn = access_tvm_trvm, 4513 .fgt = FGT_AMAIR_EL1, 4514 .type = ARM_CP_CONST, .resetvalue = 0 }, 4515 /* AMAIR1 is mapped to AMAIR_EL1[63:32] */ 4516 { .name = "AMAIR1", .cp = 15, .crn = 10, .crm = 3, .opc1 = 0, .opc2 = 1, 4517 .access = PL1_RW, .accessfn = access_tvm_trvm, 4518 .type = ARM_CP_CONST, .resetvalue = 0 }, 4519 { .name = "PAR", .cp = 15, .crm = 7, .opc1 = 0, 4520 .access = PL1_RW, .type = ARM_CP_64BIT, .resetvalue = 0, 4521 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.par_s), 4522 offsetof(CPUARMState, cp15.par_ns)} }, 4523 { .name = "TTBR0", .cp = 15, .crm = 2, .opc1 = 0, 4524 .access = PL1_RW, .accessfn = access_tvm_trvm, 4525 .type = ARM_CP_64BIT | ARM_CP_ALIAS, 4526 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s), 4527 offsetof(CPUARMState, cp15.ttbr0_ns) }, 4528 .writefn = vmsa_ttbr_write, .raw_writefn = raw_write }, 4529 { .name = "TTBR1", .cp = 15, .crm = 2, .opc1 = 1, 4530 .access = PL1_RW, .accessfn = access_tvm_trvm, 4531 .type = ARM_CP_64BIT | ARM_CP_ALIAS, 4532 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s), 4533 offsetof(CPUARMState, cp15.ttbr1_ns) }, 4534 .writefn = vmsa_ttbr_write, .raw_writefn = raw_write }, 4535 }; 4536 4537 static uint64_t aa64_fpcr_read(CPUARMState *env, const ARMCPRegInfo *ri) 4538 { 4539 return vfp_get_fpcr(env); 4540 } 4541 4542 static void aa64_fpcr_write(CPUARMState *env, const ARMCPRegInfo *ri, 4543 uint64_t value) 4544 { 4545 vfp_set_fpcr(env, value); 4546 } 4547 4548 static uint64_t aa64_fpsr_read(CPUARMState *env, const ARMCPRegInfo *ri) 4549 { 4550 return vfp_get_fpsr(env); 4551 } 4552 4553 static void aa64_fpsr_write(CPUARMState *env, const ARMCPRegInfo *ri, 4554 uint64_t value) 4555 { 4556 vfp_set_fpsr(env, value); 4557 } 4558 4559 static CPAccessResult aa64_daif_access(CPUARMState *env, const ARMCPRegInfo *ri, 4560 bool isread) 4561 { 4562 if (arm_current_el(env) == 0 && !(arm_sctlr(env, 0) & SCTLR_UMA)) { 4563 return CP_ACCESS_TRAP; 4564 } 4565 return CP_ACCESS_OK; 4566 } 4567 4568 static void aa64_daif_write(CPUARMState *env, const ARMCPRegInfo *ri, 4569 uint64_t value) 4570 { 4571 env->daif = value & PSTATE_DAIF; 4572 } 4573 4574 static uint64_t aa64_pan_read(CPUARMState *env, const ARMCPRegInfo *ri) 4575 { 4576 return env->pstate & PSTATE_PAN; 4577 } 4578 4579 static void aa64_pan_write(CPUARMState *env, const ARMCPRegInfo *ri, 4580 uint64_t value) 4581 { 4582 env->pstate = (env->pstate & ~PSTATE_PAN) | (value & PSTATE_PAN); 4583 } 4584 4585 static const ARMCPRegInfo pan_reginfo = { 4586 .name = "PAN", .state = ARM_CP_STATE_AA64, 4587 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 2, .opc2 = 3, 4588 .type = ARM_CP_NO_RAW, .access = PL1_RW, 4589 .readfn = aa64_pan_read, .writefn = aa64_pan_write 4590 }; 4591 4592 static uint64_t aa64_uao_read(CPUARMState *env, const ARMCPRegInfo *ri) 4593 { 4594 return env->pstate & PSTATE_UAO; 4595 } 4596 4597 static void aa64_uao_write(CPUARMState *env, const ARMCPRegInfo *ri, 4598 uint64_t value) 4599 { 4600 env->pstate = (env->pstate & ~PSTATE_UAO) | (value & PSTATE_UAO); 4601 } 4602 4603 static const ARMCPRegInfo uao_reginfo = { 4604 .name = "UAO", .state = ARM_CP_STATE_AA64, 4605 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 2, .opc2 = 4, 4606 .type = ARM_CP_NO_RAW, .access = PL1_RW, 4607 .readfn = aa64_uao_read, .writefn = aa64_uao_write 4608 }; 4609 4610 static uint64_t aa64_dit_read(CPUARMState *env, const ARMCPRegInfo *ri) 4611 { 4612 return env->pstate & PSTATE_DIT; 4613 } 4614 4615 static void aa64_dit_write(CPUARMState *env, const ARMCPRegInfo *ri, 4616 uint64_t value) 4617 { 4618 env->pstate = (env->pstate & ~PSTATE_DIT) | (value & PSTATE_DIT); 4619 } 4620 4621 static const ARMCPRegInfo dit_reginfo = { 4622 .name = "DIT", .state = ARM_CP_STATE_AA64, 4623 .opc0 = 3, .opc1 = 3, .crn = 4, .crm = 2, .opc2 = 5, 4624 .type = ARM_CP_NO_RAW, .access = PL0_RW, 4625 .readfn = aa64_dit_read, .writefn = aa64_dit_write 4626 }; 4627 4628 static uint64_t aa64_ssbs_read(CPUARMState *env, const ARMCPRegInfo *ri) 4629 { 4630 return env->pstate & PSTATE_SSBS; 4631 } 4632 4633 static void aa64_ssbs_write(CPUARMState *env, const ARMCPRegInfo *ri, 4634 uint64_t value) 4635 { 4636 env->pstate = (env->pstate & ~PSTATE_SSBS) | (value & PSTATE_SSBS); 4637 } 4638 4639 static const ARMCPRegInfo ssbs_reginfo = { 4640 .name = "SSBS", .state = ARM_CP_STATE_AA64, 4641 .opc0 = 3, .opc1 = 3, .crn = 4, .crm = 2, .opc2 = 6, 4642 .type = ARM_CP_NO_RAW, .access = PL0_RW, 4643 .readfn = aa64_ssbs_read, .writefn = aa64_ssbs_write 4644 }; 4645 4646 static CPAccessResult aa64_cacheop_poc_access(CPUARMState *env, 4647 const ARMCPRegInfo *ri, 4648 bool isread) 4649 { 4650 /* Cache invalidate/clean to Point of Coherency or Persistence... */ 4651 switch (arm_current_el(env)) { 4652 case 0: 4653 /* ... EL0 must UNDEF unless SCTLR_EL1.UCI is set. */ 4654 if (!(arm_sctlr(env, 0) & SCTLR_UCI)) { 4655 return CP_ACCESS_TRAP; 4656 } 4657 /* fall through */ 4658 case 1: 4659 /* ... EL1 must trap to EL2 if HCR_EL2.TPCP is set. */ 4660 if (arm_hcr_el2_eff(env) & HCR_TPCP) { 4661 return CP_ACCESS_TRAP_EL2; 4662 } 4663 break; 4664 } 4665 return CP_ACCESS_OK; 4666 } 4667 4668 static CPAccessResult do_cacheop_pou_access(CPUARMState *env, uint64_t hcrflags) 4669 { 4670 /* Cache invalidate/clean to Point of Unification... */ 4671 switch (arm_current_el(env)) { 4672 case 0: 4673 /* ... EL0 must UNDEF unless SCTLR_EL1.UCI is set. */ 4674 if (!(arm_sctlr(env, 0) & SCTLR_UCI)) { 4675 return CP_ACCESS_TRAP; 4676 } 4677 /* fall through */ 4678 case 1: 4679 /* ... EL1 must trap to EL2 if relevant HCR_EL2 flags are set. */ 4680 if (arm_hcr_el2_eff(env) & hcrflags) { 4681 return CP_ACCESS_TRAP_EL2; 4682 } 4683 break; 4684 } 4685 return CP_ACCESS_OK; 4686 } 4687 4688 static CPAccessResult access_ticab(CPUARMState *env, const ARMCPRegInfo *ri, 4689 bool isread) 4690 { 4691 return do_cacheop_pou_access(env, HCR_TICAB | HCR_TPU); 4692 } 4693 4694 static CPAccessResult access_tocu(CPUARMState *env, const ARMCPRegInfo *ri, 4695 bool isread) 4696 { 4697 return do_cacheop_pou_access(env, HCR_TOCU | HCR_TPU); 4698 } 4699 4700 /* 4701 * See: D4.7.2 TLB maintenance requirements and the TLB maintenance instructions 4702 * Page D4-1736 (DDI0487A.b) 4703 */ 4704 4705 static int vae1_tlbmask(CPUARMState *env) 4706 { 4707 uint64_t hcr = arm_hcr_el2_eff(env); 4708 uint16_t mask; 4709 4710 if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) { 4711 mask = ARMMMUIdxBit_E20_2 | 4712 ARMMMUIdxBit_E20_2_PAN | 4713 ARMMMUIdxBit_E20_0; 4714 } else { 4715 mask = ARMMMUIdxBit_E10_1 | 4716 ARMMMUIdxBit_E10_1_PAN | 4717 ARMMMUIdxBit_E10_0; 4718 } 4719 return mask; 4720 } 4721 4722 static int vae2_tlbmask(CPUARMState *env) 4723 { 4724 uint64_t hcr = arm_hcr_el2_eff(env); 4725 uint16_t mask; 4726 4727 if (hcr & HCR_E2H) { 4728 mask = ARMMMUIdxBit_E20_2 | 4729 ARMMMUIdxBit_E20_2_PAN | 4730 ARMMMUIdxBit_E20_0; 4731 } else { 4732 mask = ARMMMUIdxBit_E2; 4733 } 4734 return mask; 4735 } 4736 4737 /* Return 56 if TBI is enabled, 64 otherwise. */ 4738 static int tlbbits_for_regime(CPUARMState *env, ARMMMUIdx mmu_idx, 4739 uint64_t addr) 4740 { 4741 uint64_t tcr = regime_tcr(env, mmu_idx); 4742 int tbi = aa64_va_parameter_tbi(tcr, mmu_idx); 4743 int select = extract64(addr, 55, 1); 4744 4745 return (tbi >> select) & 1 ? 56 : 64; 4746 } 4747 4748 static int vae1_tlbbits(CPUARMState *env, uint64_t addr) 4749 { 4750 uint64_t hcr = arm_hcr_el2_eff(env); 4751 ARMMMUIdx mmu_idx; 4752 4753 /* Only the regime of the mmu_idx below is significant. */ 4754 if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) { 4755 mmu_idx = ARMMMUIdx_E20_0; 4756 } else { 4757 mmu_idx = ARMMMUIdx_E10_0; 4758 } 4759 4760 return tlbbits_for_regime(env, mmu_idx, addr); 4761 } 4762 4763 static int vae2_tlbbits(CPUARMState *env, uint64_t addr) 4764 { 4765 uint64_t hcr = arm_hcr_el2_eff(env); 4766 ARMMMUIdx mmu_idx; 4767 4768 /* 4769 * Only the regime of the mmu_idx below is significant. 4770 * Regime EL2&0 has two ranges with separate TBI configuration, while EL2 4771 * only has one. 4772 */ 4773 if (hcr & HCR_E2H) { 4774 mmu_idx = ARMMMUIdx_E20_2; 4775 } else { 4776 mmu_idx = ARMMMUIdx_E2; 4777 } 4778 4779 return tlbbits_for_regime(env, mmu_idx, addr); 4780 } 4781 4782 static void tlbi_aa64_vmalle1is_write(CPUARMState *env, const ARMCPRegInfo *ri, 4783 uint64_t value) 4784 { 4785 CPUState *cs = env_cpu(env); 4786 int mask = vae1_tlbmask(env); 4787 4788 tlb_flush_by_mmuidx_all_cpus_synced(cs, mask); 4789 } 4790 4791 static void tlbi_aa64_vmalle1_write(CPUARMState *env, const ARMCPRegInfo *ri, 4792 uint64_t value) 4793 { 4794 CPUState *cs = env_cpu(env); 4795 int mask = vae1_tlbmask(env); 4796 4797 if (tlb_force_broadcast(env)) { 4798 tlb_flush_by_mmuidx_all_cpus_synced(cs, mask); 4799 } else { 4800 tlb_flush_by_mmuidx(cs, mask); 4801 } 4802 } 4803 4804 static int e2_tlbmask(CPUARMState *env) 4805 { 4806 return (ARMMMUIdxBit_E20_0 | 4807 ARMMMUIdxBit_E20_2 | 4808 ARMMMUIdxBit_E20_2_PAN | 4809 ARMMMUIdxBit_E2); 4810 } 4811 4812 static void tlbi_aa64_alle1_write(CPUARMState *env, const ARMCPRegInfo *ri, 4813 uint64_t value) 4814 { 4815 CPUState *cs = env_cpu(env); 4816 int mask = alle1_tlbmask(env); 4817 4818 tlb_flush_by_mmuidx(cs, mask); 4819 } 4820 4821 static void tlbi_aa64_alle2_write(CPUARMState *env, const ARMCPRegInfo *ri, 4822 uint64_t value) 4823 { 4824 CPUState *cs = env_cpu(env); 4825 int mask = e2_tlbmask(env); 4826 4827 tlb_flush_by_mmuidx(cs, mask); 4828 } 4829 4830 static void tlbi_aa64_alle3_write(CPUARMState *env, const ARMCPRegInfo *ri, 4831 uint64_t value) 4832 { 4833 ARMCPU *cpu = env_archcpu(env); 4834 CPUState *cs = CPU(cpu); 4835 4836 tlb_flush_by_mmuidx(cs, ARMMMUIdxBit_E3); 4837 } 4838 4839 static void tlbi_aa64_alle1is_write(CPUARMState *env, const ARMCPRegInfo *ri, 4840 uint64_t value) 4841 { 4842 CPUState *cs = env_cpu(env); 4843 int mask = alle1_tlbmask(env); 4844 4845 tlb_flush_by_mmuidx_all_cpus_synced(cs, mask); 4846 } 4847 4848 static void tlbi_aa64_alle2is_write(CPUARMState *env, const ARMCPRegInfo *ri, 4849 uint64_t value) 4850 { 4851 CPUState *cs = env_cpu(env); 4852 int mask = e2_tlbmask(env); 4853 4854 tlb_flush_by_mmuidx_all_cpus_synced(cs, mask); 4855 } 4856 4857 static void tlbi_aa64_alle3is_write(CPUARMState *env, const ARMCPRegInfo *ri, 4858 uint64_t value) 4859 { 4860 CPUState *cs = env_cpu(env); 4861 4862 tlb_flush_by_mmuidx_all_cpus_synced(cs, ARMMMUIdxBit_E3); 4863 } 4864 4865 static void tlbi_aa64_vae2_write(CPUARMState *env, const ARMCPRegInfo *ri, 4866 uint64_t value) 4867 { 4868 /* 4869 * Invalidate by VA, EL2 4870 * Currently handles both VAE2 and VALE2, since we don't support 4871 * flush-last-level-only. 4872 */ 4873 CPUState *cs = env_cpu(env); 4874 int mask = vae2_tlbmask(env); 4875 uint64_t pageaddr = sextract64(value << 12, 0, 56); 4876 int bits = vae2_tlbbits(env, pageaddr); 4877 4878 tlb_flush_page_bits_by_mmuidx(cs, pageaddr, mask, bits); 4879 } 4880 4881 static void tlbi_aa64_vae3_write(CPUARMState *env, const ARMCPRegInfo *ri, 4882 uint64_t value) 4883 { 4884 /* 4885 * Invalidate by VA, EL3 4886 * Currently handles both VAE3 and VALE3, since we don't support 4887 * flush-last-level-only. 4888 */ 4889 ARMCPU *cpu = env_archcpu(env); 4890 CPUState *cs = CPU(cpu); 4891 uint64_t pageaddr = sextract64(value << 12, 0, 56); 4892 4893 tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdxBit_E3); 4894 } 4895 4896 static void tlbi_aa64_vae1is_write(CPUARMState *env, const ARMCPRegInfo *ri, 4897 uint64_t value) 4898 { 4899 CPUState *cs = env_cpu(env); 4900 int mask = vae1_tlbmask(env); 4901 uint64_t pageaddr = sextract64(value << 12, 0, 56); 4902 int bits = vae1_tlbbits(env, pageaddr); 4903 4904 tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr, mask, bits); 4905 } 4906 4907 static void tlbi_aa64_vae1_write(CPUARMState *env, const ARMCPRegInfo *ri, 4908 uint64_t value) 4909 { 4910 /* 4911 * Invalidate by VA, EL1&0 (AArch64 version). 4912 * Currently handles all of VAE1, VAAE1, VAALE1 and VALE1, 4913 * since we don't support flush-for-specific-ASID-only or 4914 * flush-last-level-only. 4915 */ 4916 CPUState *cs = env_cpu(env); 4917 int mask = vae1_tlbmask(env); 4918 uint64_t pageaddr = sextract64(value << 12, 0, 56); 4919 int bits = vae1_tlbbits(env, pageaddr); 4920 4921 if (tlb_force_broadcast(env)) { 4922 tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr, mask, bits); 4923 } else { 4924 tlb_flush_page_bits_by_mmuidx(cs, pageaddr, mask, bits); 4925 } 4926 } 4927 4928 static void tlbi_aa64_vae2is_write(CPUARMState *env, const ARMCPRegInfo *ri, 4929 uint64_t value) 4930 { 4931 CPUState *cs = env_cpu(env); 4932 int mask = vae2_tlbmask(env); 4933 uint64_t pageaddr = sextract64(value << 12, 0, 56); 4934 int bits = vae2_tlbbits(env, pageaddr); 4935 4936 tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr, mask, bits); 4937 } 4938 4939 static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri, 4940 uint64_t value) 4941 { 4942 CPUState *cs = env_cpu(env); 4943 uint64_t pageaddr = sextract64(value << 12, 0, 56); 4944 int bits = tlbbits_for_regime(env, ARMMMUIdx_E3, pageaddr); 4945 4946 tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr, 4947 ARMMMUIdxBit_E3, bits); 4948 } 4949 4950 static int ipas2e1_tlbmask(CPUARMState *env, int64_t value) 4951 { 4952 /* 4953 * The MSB of value is the NS field, which only applies if SEL2 4954 * is implemented and SCR_EL3.NS is not set (i.e. in secure mode). 4955 */ 4956 return (value >= 0 4957 && cpu_isar_feature(aa64_sel2, env_archcpu(env)) 4958 && arm_is_secure_below_el3(env) 4959 ? ARMMMUIdxBit_Stage2_S 4960 : ARMMMUIdxBit_Stage2); 4961 } 4962 4963 static void tlbi_aa64_ipas2e1_write(CPUARMState *env, const ARMCPRegInfo *ri, 4964 uint64_t value) 4965 { 4966 CPUState *cs = env_cpu(env); 4967 int mask = ipas2e1_tlbmask(env, value); 4968 uint64_t pageaddr = sextract64(value << 12, 0, 56); 4969 4970 if (tlb_force_broadcast(env)) { 4971 tlb_flush_page_by_mmuidx_all_cpus_synced(cs, pageaddr, mask); 4972 } else { 4973 tlb_flush_page_by_mmuidx(cs, pageaddr, mask); 4974 } 4975 } 4976 4977 static void tlbi_aa64_ipas2e1is_write(CPUARMState *env, const ARMCPRegInfo *ri, 4978 uint64_t value) 4979 { 4980 CPUState *cs = env_cpu(env); 4981 int mask = ipas2e1_tlbmask(env, value); 4982 uint64_t pageaddr = sextract64(value << 12, 0, 56); 4983 4984 tlb_flush_page_by_mmuidx_all_cpus_synced(cs, pageaddr, mask); 4985 } 4986 4987 #ifdef TARGET_AARCH64 4988 typedef struct { 4989 uint64_t base; 4990 uint64_t length; 4991 } TLBIRange; 4992 4993 static ARMGranuleSize tlbi_range_tg_to_gran_size(int tg) 4994 { 4995 /* 4996 * Note that the TLBI range TG field encoding differs from both 4997 * TG0 and TG1 encodings. 4998 */ 4999 switch (tg) { 5000 case 1: 5001 return Gran4K; 5002 case 2: 5003 return Gran16K; 5004 case 3: 5005 return Gran64K; 5006 default: 5007 return GranInvalid; 5008 } 5009 } 5010 5011 static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx, 5012 uint64_t value) 5013 { 5014 unsigned int page_size_granule, page_shift, num, scale, exponent; 5015 /* Extract one bit to represent the va selector in use. */ 5016 uint64_t select = sextract64(value, 36, 1); 5017 ARMVAParameters param = aa64_va_parameters(env, select, mmuidx, true, false); 5018 TLBIRange ret = { }; 5019 ARMGranuleSize gran; 5020 5021 page_size_granule = extract64(value, 46, 2); 5022 gran = tlbi_range_tg_to_gran_size(page_size_granule); 5023 5024 /* The granule encoded in value must match the granule in use. */ 5025 if (gran != param.gran) { 5026 qemu_log_mask(LOG_GUEST_ERROR, "Invalid tlbi page size granule %d\n", 5027 page_size_granule); 5028 return ret; 5029 } 5030 5031 page_shift = arm_granule_bits(gran); 5032 num = extract64(value, 39, 5); 5033 scale = extract64(value, 44, 2); 5034 exponent = (5 * scale) + 1; 5035 5036 ret.length = (num + 1) << (exponent + page_shift); 5037 5038 if (param.select) { 5039 ret.base = sextract64(value, 0, 37); 5040 } else { 5041 ret.base = extract64(value, 0, 37); 5042 } 5043 if (param.ds) { 5044 /* 5045 * With DS=1, BaseADDR is always shifted 16 so that it is able 5046 * to address all 52 va bits. The input address is perforce 5047 * aligned on a 64k boundary regardless of translation granule. 5048 */ 5049 page_shift = 16; 5050 } 5051 ret.base <<= page_shift; 5052 5053 return ret; 5054 } 5055 5056 static void do_rvae_write(CPUARMState *env, uint64_t value, 5057 int idxmap, bool synced) 5058 { 5059 ARMMMUIdx one_idx = ARM_MMU_IDX_A | ctz32(idxmap); 5060 TLBIRange range; 5061 int bits; 5062 5063 range = tlbi_aa64_get_range(env, one_idx, value); 5064 bits = tlbbits_for_regime(env, one_idx, range.base); 5065 5066 if (synced) { 5067 tlb_flush_range_by_mmuidx_all_cpus_synced(env_cpu(env), 5068 range.base, 5069 range.length, 5070 idxmap, 5071 bits); 5072 } else { 5073 tlb_flush_range_by_mmuidx(env_cpu(env), range.base, 5074 range.length, idxmap, bits); 5075 } 5076 } 5077 5078 static void tlbi_aa64_rvae1_write(CPUARMState *env, 5079 const ARMCPRegInfo *ri, 5080 uint64_t value) 5081 { 5082 /* 5083 * Invalidate by VA range, EL1&0. 5084 * Currently handles all of RVAE1, RVAAE1, RVAALE1 and RVALE1, 5085 * since we don't support flush-for-specific-ASID-only or 5086 * flush-last-level-only. 5087 */ 5088 5089 do_rvae_write(env, value, vae1_tlbmask(env), 5090 tlb_force_broadcast(env)); 5091 } 5092 5093 static void tlbi_aa64_rvae1is_write(CPUARMState *env, 5094 const ARMCPRegInfo *ri, 5095 uint64_t value) 5096 { 5097 /* 5098 * Invalidate by VA range, Inner/Outer Shareable EL1&0. 5099 * Currently handles all of RVAE1IS, RVAE1OS, RVAAE1IS, RVAAE1OS, 5100 * RVAALE1IS, RVAALE1OS, RVALE1IS and RVALE1OS, since we don't support 5101 * flush-for-specific-ASID-only, flush-last-level-only or inner/outer 5102 * shareable specific flushes. 5103 */ 5104 5105 do_rvae_write(env, value, vae1_tlbmask(env), true); 5106 } 5107 5108 static void tlbi_aa64_rvae2_write(CPUARMState *env, 5109 const ARMCPRegInfo *ri, 5110 uint64_t value) 5111 { 5112 /* 5113 * Invalidate by VA range, EL2. 5114 * Currently handles all of RVAE2 and RVALE2, 5115 * since we don't support flush-for-specific-ASID-only or 5116 * flush-last-level-only. 5117 */ 5118 5119 do_rvae_write(env, value, vae2_tlbmask(env), 5120 tlb_force_broadcast(env)); 5121 5122 5123 } 5124 5125 static void tlbi_aa64_rvae2is_write(CPUARMState *env, 5126 const ARMCPRegInfo *ri, 5127 uint64_t value) 5128 { 5129 /* 5130 * Invalidate by VA range, Inner/Outer Shareable, EL2. 5131 * Currently handles all of RVAE2IS, RVAE2OS, RVALE2IS and RVALE2OS, 5132 * since we don't support flush-for-specific-ASID-only, 5133 * flush-last-level-only or inner/outer shareable specific flushes. 5134 */ 5135 5136 do_rvae_write(env, value, vae2_tlbmask(env), true); 5137 5138 } 5139 5140 static void tlbi_aa64_rvae3_write(CPUARMState *env, 5141 const ARMCPRegInfo *ri, 5142 uint64_t value) 5143 { 5144 /* 5145 * Invalidate by VA range, EL3. 5146 * Currently handles all of RVAE3 and RVALE3, 5147 * since we don't support flush-for-specific-ASID-only or 5148 * flush-last-level-only. 5149 */ 5150 5151 do_rvae_write(env, value, ARMMMUIdxBit_E3, tlb_force_broadcast(env)); 5152 } 5153 5154 static void tlbi_aa64_rvae3is_write(CPUARMState *env, 5155 const ARMCPRegInfo *ri, 5156 uint64_t value) 5157 { 5158 /* 5159 * Invalidate by VA range, EL3, Inner/Outer Shareable. 5160 * Currently handles all of RVAE3IS, RVAE3OS, RVALE3IS and RVALE3OS, 5161 * since we don't support flush-for-specific-ASID-only, 5162 * flush-last-level-only or inner/outer specific flushes. 5163 */ 5164 5165 do_rvae_write(env, value, ARMMMUIdxBit_E3, true); 5166 } 5167 5168 static void tlbi_aa64_ripas2e1_write(CPUARMState *env, const ARMCPRegInfo *ri, 5169 uint64_t value) 5170 { 5171 do_rvae_write(env, value, ipas2e1_tlbmask(env, value), 5172 tlb_force_broadcast(env)); 5173 } 5174 5175 static void tlbi_aa64_ripas2e1is_write(CPUARMState *env, 5176 const ARMCPRegInfo *ri, 5177 uint64_t value) 5178 { 5179 do_rvae_write(env, value, ipas2e1_tlbmask(env, value), true); 5180 } 5181 #endif 5182 5183 static CPAccessResult aa64_zva_access(CPUARMState *env, const ARMCPRegInfo *ri, 5184 bool isread) 5185 { 5186 int cur_el = arm_current_el(env); 5187 5188 if (cur_el < 2) { 5189 uint64_t hcr = arm_hcr_el2_eff(env); 5190 5191 if (cur_el == 0) { 5192 if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) { 5193 if (!(env->cp15.sctlr_el[2] & SCTLR_DZE)) { 5194 return CP_ACCESS_TRAP_EL2; 5195 } 5196 } else { 5197 if (!(env->cp15.sctlr_el[1] & SCTLR_DZE)) { 5198 return CP_ACCESS_TRAP; 5199 } 5200 if (hcr & HCR_TDZ) { 5201 return CP_ACCESS_TRAP_EL2; 5202 } 5203 } 5204 } else if (hcr & HCR_TDZ) { 5205 return CP_ACCESS_TRAP_EL2; 5206 } 5207 } 5208 return CP_ACCESS_OK; 5209 } 5210 5211 static uint64_t aa64_dczid_read(CPUARMState *env, const ARMCPRegInfo *ri) 5212 { 5213 ARMCPU *cpu = env_archcpu(env); 5214 int dzp_bit = 1 << 4; 5215 5216 /* DZP indicates whether DC ZVA access is allowed */ 5217 if (aa64_zva_access(env, NULL, false) == CP_ACCESS_OK) { 5218 dzp_bit = 0; 5219 } 5220 return cpu->dcz_blocksize | dzp_bit; 5221 } 5222 5223 static CPAccessResult sp_el0_access(CPUARMState *env, const ARMCPRegInfo *ri, 5224 bool isread) 5225 { 5226 if (!(env->pstate & PSTATE_SP)) { 5227 /* 5228 * Access to SP_EL0 is undefined if it's being used as 5229 * the stack pointer. 5230 */ 5231 return CP_ACCESS_TRAP_UNCATEGORIZED; 5232 } 5233 return CP_ACCESS_OK; 5234 } 5235 5236 static uint64_t spsel_read(CPUARMState *env, const ARMCPRegInfo *ri) 5237 { 5238 return env->pstate & PSTATE_SP; 5239 } 5240 5241 static void spsel_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t val) 5242 { 5243 update_spsel(env, val); 5244 } 5245 5246 static void sctlr_write(CPUARMState *env, const ARMCPRegInfo *ri, 5247 uint64_t value) 5248 { 5249 ARMCPU *cpu = env_archcpu(env); 5250 5251 if (arm_feature(env, ARM_FEATURE_PMSA) && !cpu->has_mpu) { 5252 /* M bit is RAZ/WI for PMSA with no MPU implemented */ 5253 value &= ~SCTLR_M; 5254 } 5255 5256 /* ??? Lots of these bits are not implemented. */ 5257 5258 if (ri->state == ARM_CP_STATE_AA64 && !cpu_isar_feature(aa64_mte, cpu)) { 5259 if (ri->opc1 == 6) { /* SCTLR_EL3 */ 5260 value &= ~(SCTLR_ITFSB | SCTLR_TCF | SCTLR_ATA); 5261 } else { 5262 value &= ~(SCTLR_ITFSB | SCTLR_TCF0 | SCTLR_TCF | 5263 SCTLR_ATA0 | SCTLR_ATA); 5264 } 5265 } 5266 5267 if (raw_read(env, ri) == value) { 5268 /* 5269 * Skip the TLB flush if nothing actually changed; Linux likes 5270 * to do a lot of pointless SCTLR writes. 5271 */ 5272 return; 5273 } 5274 5275 raw_write(env, ri, value); 5276 5277 /* This may enable/disable the MMU, so do a TLB flush. */ 5278 tlb_flush(CPU(cpu)); 5279 5280 if (tcg_enabled() && ri->type & ARM_CP_SUPPRESS_TB_END) { 5281 /* 5282 * Normally we would always end the TB on an SCTLR write; see the 5283 * comment in ARMCPRegInfo sctlr initialization below for why Xscale 5284 * is special. Setting ARM_CP_SUPPRESS_TB_END also stops the rebuild 5285 * of hflags from the translator, so do it here. 5286 */ 5287 arm_rebuild_hflags(env); 5288 } 5289 } 5290 5291 static void mdcr_el3_write(CPUARMState *env, const ARMCPRegInfo *ri, 5292 uint64_t value) 5293 { 5294 /* 5295 * Some MDCR_EL3 bits affect whether PMU counters are running: 5296 * if we are trying to change any of those then we must 5297 * bracket this update with PMU start/finish calls. 5298 */ 5299 bool pmu_op = (env->cp15.mdcr_el3 ^ value) & MDCR_EL3_PMU_ENABLE_BITS; 5300 5301 if (pmu_op) { 5302 pmu_op_start(env); 5303 } 5304 env->cp15.mdcr_el3 = value; 5305 if (pmu_op) { 5306 pmu_op_finish(env); 5307 } 5308 } 5309 5310 static void sdcr_write(CPUARMState *env, const ARMCPRegInfo *ri, 5311 uint64_t value) 5312 { 5313 /* Not all bits defined for MDCR_EL3 exist in the AArch32 SDCR */ 5314 mdcr_el3_write(env, ri, value & SDCR_VALID_MASK); 5315 } 5316 5317 static void mdcr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri, 5318 uint64_t value) 5319 { 5320 /* 5321 * Some MDCR_EL2 bits affect whether PMU counters are running: 5322 * if we are trying to change any of those then we must 5323 * bracket this update with PMU start/finish calls. 5324 */ 5325 bool pmu_op = (env->cp15.mdcr_el2 ^ value) & MDCR_EL2_PMU_ENABLE_BITS; 5326 5327 if (pmu_op) { 5328 pmu_op_start(env); 5329 } 5330 env->cp15.mdcr_el2 = value; 5331 if (pmu_op) { 5332 pmu_op_finish(env); 5333 } 5334 } 5335 5336 #ifdef CONFIG_USER_ONLY 5337 /* 5338 * `IC IVAU` is handled to improve compatibility with JITs that dual-map their 5339 * code to get around W^X restrictions, where one region is writable and the 5340 * other is executable. 5341 * 5342 * Since the executable region is never written to we cannot detect code 5343 * changes when running in user mode, and rely on the emulated JIT telling us 5344 * that the code has changed by executing this instruction. 5345 */ 5346 static void ic_ivau_write(CPUARMState *env, const ARMCPRegInfo *ri, 5347 uint64_t value) 5348 { 5349 uint64_t icache_line_mask, start_address, end_address; 5350 const ARMCPU *cpu; 5351 5352 cpu = env_archcpu(env); 5353 5354 icache_line_mask = (4 << extract32(cpu->ctr, 0, 4)) - 1; 5355 start_address = value & ~icache_line_mask; 5356 end_address = value | icache_line_mask; 5357 5358 mmap_lock(); 5359 5360 tb_invalidate_phys_range(start_address, end_address); 5361 5362 mmap_unlock(); 5363 } 5364 #endif 5365 5366 static const ARMCPRegInfo v8_cp_reginfo[] = { 5367 /* 5368 * Minimal set of EL0-visible registers. This will need to be expanded 5369 * significantly for system emulation of AArch64 CPUs. 5370 */ 5371 { .name = "NZCV", .state = ARM_CP_STATE_AA64, 5372 .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 2, 5373 .access = PL0_RW, .type = ARM_CP_NZCV }, 5374 { .name = "DAIF", .state = ARM_CP_STATE_AA64, 5375 .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 2, 5376 .type = ARM_CP_NO_RAW, 5377 .access = PL0_RW, .accessfn = aa64_daif_access, 5378 .fieldoffset = offsetof(CPUARMState, daif), 5379 .writefn = aa64_daif_write, .resetfn = arm_cp_reset_ignore }, 5380 { .name = "FPCR", .state = ARM_CP_STATE_AA64, 5381 .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 4, 5382 .access = PL0_RW, .type = ARM_CP_FPU | ARM_CP_SUPPRESS_TB_END, 5383 .readfn = aa64_fpcr_read, .writefn = aa64_fpcr_write }, 5384 { .name = "FPSR", .state = ARM_CP_STATE_AA64, 5385 .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 4, 5386 .access = PL0_RW, .type = ARM_CP_FPU | ARM_CP_SUPPRESS_TB_END, 5387 .readfn = aa64_fpsr_read, .writefn = aa64_fpsr_write }, 5388 { .name = "DCZID_EL0", .state = ARM_CP_STATE_AA64, 5389 .opc0 = 3, .opc1 = 3, .opc2 = 7, .crn = 0, .crm = 0, 5390 .access = PL0_R, .type = ARM_CP_NO_RAW, 5391 .fgt = FGT_DCZID_EL0, 5392 .readfn = aa64_dczid_read }, 5393 { .name = "DC_ZVA", .state = ARM_CP_STATE_AA64, 5394 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 4, .opc2 = 1, 5395 .access = PL0_W, .type = ARM_CP_DC_ZVA, 5396 #ifndef CONFIG_USER_ONLY 5397 /* Avoid overhead of an access check that always passes in user-mode */ 5398 .accessfn = aa64_zva_access, 5399 .fgt = FGT_DCZVA, 5400 #endif 5401 }, 5402 { .name = "CURRENTEL", .state = ARM_CP_STATE_AA64, 5403 .opc0 = 3, .opc1 = 0, .opc2 = 2, .crn = 4, .crm = 2, 5404 .access = PL1_R, .type = ARM_CP_CURRENTEL }, 5405 /* 5406 * Instruction cache ops. All of these except `IC IVAU` NOP because we 5407 * don't emulate caches. 5408 */ 5409 { .name = "IC_IALLUIS", .state = ARM_CP_STATE_AA64, 5410 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0, 5411 .access = PL1_W, .type = ARM_CP_NOP, 5412 .fgt = FGT_ICIALLUIS, 5413 .accessfn = access_ticab }, 5414 { .name = "IC_IALLU", .state = ARM_CP_STATE_AA64, 5415 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 0, 5416 .access = PL1_W, .type = ARM_CP_NOP, 5417 .fgt = FGT_ICIALLU, 5418 .accessfn = access_tocu }, 5419 { .name = "IC_IVAU", .state = ARM_CP_STATE_AA64, 5420 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 5, .opc2 = 1, 5421 .access = PL0_W, 5422 .fgt = FGT_ICIVAU, 5423 .accessfn = access_tocu, 5424 #ifdef CONFIG_USER_ONLY 5425 .type = ARM_CP_NO_RAW, 5426 .writefn = ic_ivau_write 5427 #else 5428 .type = ARM_CP_NOP 5429 #endif 5430 }, 5431 /* Cache ops: all NOPs since we don't emulate caches */ 5432 { .name = "DC_IVAC", .state = ARM_CP_STATE_AA64, 5433 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1, 5434 .access = PL1_W, .accessfn = aa64_cacheop_poc_access, 5435 .fgt = FGT_DCIVAC, 5436 .type = ARM_CP_NOP }, 5437 { .name = "DC_ISW", .state = ARM_CP_STATE_AA64, 5438 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 2, 5439 .fgt = FGT_DCISW, 5440 .access = PL1_W, .accessfn = access_tsw, .type = ARM_CP_NOP }, 5441 { .name = "DC_CVAC", .state = ARM_CP_STATE_AA64, 5442 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 10, .opc2 = 1, 5443 .access = PL0_W, .type = ARM_CP_NOP, 5444 .fgt = FGT_DCCVAC, 5445 .accessfn = aa64_cacheop_poc_access }, 5446 { .name = "DC_CSW", .state = ARM_CP_STATE_AA64, 5447 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2, 5448 .fgt = FGT_DCCSW, 5449 .access = PL1_W, .accessfn = access_tsw, .type = ARM_CP_NOP }, 5450 { .name = "DC_CVAU", .state = ARM_CP_STATE_AA64, 5451 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 11, .opc2 = 1, 5452 .access = PL0_W, .type = ARM_CP_NOP, 5453 .fgt = FGT_DCCVAU, 5454 .accessfn = access_tocu }, 5455 { .name = "DC_CIVAC", .state = ARM_CP_STATE_AA64, 5456 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 14, .opc2 = 1, 5457 .access = PL0_W, .type = ARM_CP_NOP, 5458 .fgt = FGT_DCCIVAC, 5459 .accessfn = aa64_cacheop_poc_access }, 5460 { .name = "DC_CISW", .state = ARM_CP_STATE_AA64, 5461 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2, 5462 .fgt = FGT_DCCISW, 5463 .access = PL1_W, .accessfn = access_tsw, .type = ARM_CP_NOP }, 5464 /* TLBI operations */ 5465 { .name = "TLBI_VMALLE1IS", .state = ARM_CP_STATE_AA64, 5466 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 0, 5467 .access = PL1_W, .accessfn = access_ttlbis, .type = ARM_CP_NO_RAW, 5468 .fgt = FGT_TLBIVMALLE1IS, 5469 .writefn = tlbi_aa64_vmalle1is_write }, 5470 { .name = "TLBI_VAE1IS", .state = ARM_CP_STATE_AA64, 5471 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 1, 5472 .access = PL1_W, .accessfn = access_ttlbis, .type = ARM_CP_NO_RAW, 5473 .fgt = FGT_TLBIVAE1IS, 5474 .writefn = tlbi_aa64_vae1is_write }, 5475 { .name = "TLBI_ASIDE1IS", .state = ARM_CP_STATE_AA64, 5476 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 2, 5477 .access = PL1_W, .accessfn = access_ttlbis, .type = ARM_CP_NO_RAW, 5478 .fgt = FGT_TLBIASIDE1IS, 5479 .writefn = tlbi_aa64_vmalle1is_write }, 5480 { .name = "TLBI_VAAE1IS", .state = ARM_CP_STATE_AA64, 5481 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 3, 5482 .access = PL1_W, .accessfn = access_ttlbis, .type = ARM_CP_NO_RAW, 5483 .fgt = FGT_TLBIVAAE1IS, 5484 .writefn = tlbi_aa64_vae1is_write }, 5485 { .name = "TLBI_VALE1IS", .state = ARM_CP_STATE_AA64, 5486 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 5, 5487 .access = PL1_W, .accessfn = access_ttlbis, .type = ARM_CP_NO_RAW, 5488 .fgt = FGT_TLBIVALE1IS, 5489 .writefn = tlbi_aa64_vae1is_write }, 5490 { .name = "TLBI_VAALE1IS", .state = ARM_CP_STATE_AA64, 5491 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 7, 5492 .access = PL1_W, .accessfn = access_ttlbis, .type = ARM_CP_NO_RAW, 5493 .fgt = FGT_TLBIVAALE1IS, 5494 .writefn = tlbi_aa64_vae1is_write }, 5495 { .name = "TLBI_VMALLE1", .state = ARM_CP_STATE_AA64, 5496 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 0, 5497 .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, 5498 .fgt = FGT_TLBIVMALLE1, 5499 .writefn = tlbi_aa64_vmalle1_write }, 5500 { .name = "TLBI_VAE1", .state = ARM_CP_STATE_AA64, 5501 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 1, 5502 .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, 5503 .fgt = FGT_TLBIVAE1, 5504 .writefn = tlbi_aa64_vae1_write }, 5505 { .name = "TLBI_ASIDE1", .state = ARM_CP_STATE_AA64, 5506 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 2, 5507 .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, 5508 .fgt = FGT_TLBIASIDE1, 5509 .writefn = tlbi_aa64_vmalle1_write }, 5510 { .name = "TLBI_VAAE1", .state = ARM_CP_STATE_AA64, 5511 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 3, 5512 .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, 5513 .fgt = FGT_TLBIVAAE1, 5514 .writefn = tlbi_aa64_vae1_write }, 5515 { .name = "TLBI_VALE1", .state = ARM_CP_STATE_AA64, 5516 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 5, 5517 .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, 5518 .fgt = FGT_TLBIVALE1, 5519 .writefn = tlbi_aa64_vae1_write }, 5520 { .name = "TLBI_VAALE1", .state = ARM_CP_STATE_AA64, 5521 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 7, 5522 .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, 5523 .fgt = FGT_TLBIVAALE1, 5524 .writefn = tlbi_aa64_vae1_write }, 5525 { .name = "TLBI_IPAS2E1IS", .state = ARM_CP_STATE_AA64, 5526 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 1, 5527 .access = PL2_W, .type = ARM_CP_NO_RAW, 5528 .writefn = tlbi_aa64_ipas2e1is_write }, 5529 { .name = "TLBI_IPAS2LE1IS", .state = ARM_CP_STATE_AA64, 5530 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 5, 5531 .access = PL2_W, .type = ARM_CP_NO_RAW, 5532 .writefn = tlbi_aa64_ipas2e1is_write }, 5533 { .name = "TLBI_ALLE1IS", .state = ARM_CP_STATE_AA64, 5534 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 4, 5535 .access = PL2_W, .type = ARM_CP_NO_RAW, 5536 .writefn = tlbi_aa64_alle1is_write }, 5537 { .name = "TLBI_VMALLS12E1IS", .state = ARM_CP_STATE_AA64, 5538 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 6, 5539 .access = PL2_W, .type = ARM_CP_NO_RAW, 5540 .writefn = tlbi_aa64_alle1is_write }, 5541 { .name = "TLBI_IPAS2E1", .state = ARM_CP_STATE_AA64, 5542 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 1, 5543 .access = PL2_W, .type = ARM_CP_NO_RAW, 5544 .writefn = tlbi_aa64_ipas2e1_write }, 5545 { .name = "TLBI_IPAS2LE1", .state = ARM_CP_STATE_AA64, 5546 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 5, 5547 .access = PL2_W, .type = ARM_CP_NO_RAW, 5548 .writefn = tlbi_aa64_ipas2e1_write }, 5549 { .name = "TLBI_ALLE1", .state = ARM_CP_STATE_AA64, 5550 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 4, 5551 .access = PL2_W, .type = ARM_CP_NO_RAW, 5552 .writefn = tlbi_aa64_alle1_write }, 5553 { .name = "TLBI_VMALLS12E1", .state = ARM_CP_STATE_AA64, 5554 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 6, 5555 .access = PL2_W, .type = ARM_CP_NO_RAW, 5556 .writefn = tlbi_aa64_alle1is_write }, 5557 #ifndef CONFIG_USER_ONLY 5558 /* 64 bit address translation operations */ 5559 { .name = "AT_S1E1R", .state = ARM_CP_STATE_AA64, 5560 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 0, 5561 .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 5562 .fgt = FGT_ATS1E1R, 5563 .accessfn = at_e012_access, .writefn = ats_write64 }, 5564 { .name = "AT_S1E1W", .state = ARM_CP_STATE_AA64, 5565 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 1, 5566 .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 5567 .fgt = FGT_ATS1E1W, 5568 .accessfn = at_e012_access, .writefn = ats_write64 }, 5569 { .name = "AT_S1E0R", .state = ARM_CP_STATE_AA64, 5570 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 2, 5571 .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 5572 .fgt = FGT_ATS1E0R, 5573 .accessfn = at_e012_access, .writefn = ats_write64 }, 5574 { .name = "AT_S1E0W", .state = ARM_CP_STATE_AA64, 5575 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 3, 5576 .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 5577 .fgt = FGT_ATS1E0W, 5578 .accessfn = at_e012_access, .writefn = ats_write64 }, 5579 { .name = "AT_S12E1R", .state = ARM_CP_STATE_AA64, 5580 .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 4, 5581 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 5582 .accessfn = at_e012_access, .writefn = ats_write64 }, 5583 { .name = "AT_S12E1W", .state = ARM_CP_STATE_AA64, 5584 .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 5, 5585 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 5586 .accessfn = at_e012_access, .writefn = ats_write64 }, 5587 { .name = "AT_S12E0R", .state = ARM_CP_STATE_AA64, 5588 .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 6, 5589 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 5590 .accessfn = at_e012_access, .writefn = ats_write64 }, 5591 { .name = "AT_S12E0W", .state = ARM_CP_STATE_AA64, 5592 .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 7, 5593 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 5594 .accessfn = at_e012_access, .writefn = ats_write64 }, 5595 /* AT S1E2* are elsewhere as they UNDEF from EL3 if EL2 is not present */ 5596 { .name = "AT_S1E3R", .state = ARM_CP_STATE_AA64, 5597 .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 0, 5598 .access = PL3_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 5599 .writefn = ats_write64 }, 5600 { .name = "AT_S1E3W", .state = ARM_CP_STATE_AA64, 5601 .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 1, 5602 .access = PL3_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 5603 .writefn = ats_write64 }, 5604 { .name = "PAR_EL1", .state = ARM_CP_STATE_AA64, 5605 .type = ARM_CP_ALIAS, 5606 .opc0 = 3, .opc1 = 0, .crn = 7, .crm = 4, .opc2 = 0, 5607 .access = PL1_RW, .resetvalue = 0, 5608 .fgt = FGT_PAR_EL1, 5609 .fieldoffset = offsetof(CPUARMState, cp15.par_el[1]), 5610 .writefn = par_write }, 5611 #endif 5612 /* TLB invalidate last level of translation table walk */ 5613 { .name = "TLBIMVALIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 5, 5614 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlbis, 5615 .writefn = tlbimva_is_write }, 5616 { .name = "TLBIMVAALIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 7, 5617 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlbis, 5618 .writefn = tlbimvaa_is_write }, 5619 { .name = "TLBIMVAL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 5, 5620 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, 5621 .writefn = tlbimva_write }, 5622 { .name = "TLBIMVAAL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 7, 5623 .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, 5624 .writefn = tlbimvaa_write }, 5625 { .name = "TLBIMVALH", .cp = 15, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 5, 5626 .type = ARM_CP_NO_RAW, .access = PL2_W, 5627 .writefn = tlbimva_hyp_write }, 5628 { .name = "TLBIMVALHIS", 5629 .cp = 15, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 5, 5630 .type = ARM_CP_NO_RAW, .access = PL2_W, 5631 .writefn = tlbimva_hyp_is_write }, 5632 { .name = "TLBIIPAS2", 5633 .cp = 15, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 1, 5634 .type = ARM_CP_NO_RAW, .access = PL2_W, 5635 .writefn = tlbiipas2_hyp_write }, 5636 { .name = "TLBIIPAS2IS", 5637 .cp = 15, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 1, 5638 .type = ARM_CP_NO_RAW, .access = PL2_W, 5639 .writefn = tlbiipas2is_hyp_write }, 5640 { .name = "TLBIIPAS2L", 5641 .cp = 15, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 5, 5642 .type = ARM_CP_NO_RAW, .access = PL2_W, 5643 .writefn = tlbiipas2_hyp_write }, 5644 { .name = "TLBIIPAS2LIS", 5645 .cp = 15, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 5, 5646 .type = ARM_CP_NO_RAW, .access = PL2_W, 5647 .writefn = tlbiipas2is_hyp_write }, 5648 /* 32 bit cache operations */ 5649 { .name = "ICIALLUIS", .cp = 15, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0, 5650 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_ticab }, 5651 { .name = "BPIALLUIS", .cp = 15, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 6, 5652 .type = ARM_CP_NOP, .access = PL1_W }, 5653 { .name = "ICIALLU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 0, 5654 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tocu }, 5655 { .name = "ICIMVAU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 1, 5656 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tocu }, 5657 { .name = "BPIALL", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 6, 5658 .type = ARM_CP_NOP, .access = PL1_W }, 5659 { .name = "BPIMVA", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 7, 5660 .type = ARM_CP_NOP, .access = PL1_W }, 5661 { .name = "DCIMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1, 5662 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_poc_access }, 5663 { .name = "DCISW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 2, 5664 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, 5665 { .name = "DCCMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 1, 5666 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_poc_access }, 5667 { .name = "DCCSW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2, 5668 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, 5669 { .name = "DCCMVAU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 11, .opc2 = 1, 5670 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tocu }, 5671 { .name = "DCCIMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 1, 5672 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_poc_access }, 5673 { .name = "DCCISW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2, 5674 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, 5675 /* MMU Domain access control / MPU write buffer control */ 5676 { .name = "DACR", .cp = 15, .opc1 = 0, .crn = 3, .crm = 0, .opc2 = 0, 5677 .access = PL1_RW, .accessfn = access_tvm_trvm, .resetvalue = 0, 5678 .writefn = dacr_write, .raw_writefn = raw_write, 5679 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dacr_s), 5680 offsetoflow32(CPUARMState, cp15.dacr_ns) } }, 5681 { .name = "ELR_EL1", .state = ARM_CP_STATE_AA64, 5682 .type = ARM_CP_ALIAS, 5683 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 0, .opc2 = 1, 5684 .access = PL1_RW, 5685 .fieldoffset = offsetof(CPUARMState, elr_el[1]) }, 5686 { .name = "SPSR_EL1", .state = ARM_CP_STATE_AA64, 5687 .type = ARM_CP_ALIAS, 5688 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 0, .opc2 = 0, 5689 .access = PL1_RW, 5690 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_SVC]) }, 5691 /* 5692 * We rely on the access checks not allowing the guest to write to the 5693 * state field when SPSel indicates that it's being used as the stack 5694 * pointer. 5695 */ 5696 { .name = "SP_EL0", .state = ARM_CP_STATE_AA64, 5697 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 1, .opc2 = 0, 5698 .access = PL1_RW, .accessfn = sp_el0_access, 5699 .type = ARM_CP_ALIAS, 5700 .fieldoffset = offsetof(CPUARMState, sp_el[0]) }, 5701 { .name = "SP_EL1", .state = ARM_CP_STATE_AA64, 5702 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 1, .opc2 = 0, 5703 .access = PL2_RW, .type = ARM_CP_ALIAS | ARM_CP_EL3_NO_EL2_KEEP, 5704 .fieldoffset = offsetof(CPUARMState, sp_el[1]) }, 5705 { .name = "SPSel", .state = ARM_CP_STATE_AA64, 5706 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 2, .opc2 = 0, 5707 .type = ARM_CP_NO_RAW, 5708 .access = PL1_RW, .readfn = spsel_read, .writefn = spsel_write }, 5709 { .name = "FPEXC32_EL2", .state = ARM_CP_STATE_AA64, 5710 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 3, .opc2 = 0, 5711 .access = PL2_RW, 5712 .type = ARM_CP_ALIAS | ARM_CP_FPU | ARM_CP_EL3_NO_EL2_KEEP, 5713 .fieldoffset = offsetof(CPUARMState, vfp.xregs[ARM_VFP_FPEXC]) }, 5714 { .name = "DACR32_EL2", .state = ARM_CP_STATE_AA64, 5715 .opc0 = 3, .opc1 = 4, .crn = 3, .crm = 0, .opc2 = 0, 5716 .access = PL2_RW, .resetvalue = 0, .type = ARM_CP_EL3_NO_EL2_KEEP, 5717 .writefn = dacr_write, .raw_writefn = raw_write, 5718 .fieldoffset = offsetof(CPUARMState, cp15.dacr32_el2) }, 5719 { .name = "IFSR32_EL2", .state = ARM_CP_STATE_AA64, 5720 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 0, .opc2 = 1, 5721 .access = PL2_RW, .resetvalue = 0, .type = ARM_CP_EL3_NO_EL2_KEEP, 5722 .fieldoffset = offsetof(CPUARMState, cp15.ifsr32_el2) }, 5723 { .name = "SPSR_IRQ", .state = ARM_CP_STATE_AA64, 5724 .type = ARM_CP_ALIAS, 5725 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 3, .opc2 = 0, 5726 .access = PL2_RW, 5727 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_IRQ]) }, 5728 { .name = "SPSR_ABT", .state = ARM_CP_STATE_AA64, 5729 .type = ARM_CP_ALIAS, 5730 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 3, .opc2 = 1, 5731 .access = PL2_RW, 5732 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_ABT]) }, 5733 { .name = "SPSR_UND", .state = ARM_CP_STATE_AA64, 5734 .type = ARM_CP_ALIAS, 5735 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 3, .opc2 = 2, 5736 .access = PL2_RW, 5737 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_UND]) }, 5738 { .name = "SPSR_FIQ", .state = ARM_CP_STATE_AA64, 5739 .type = ARM_CP_ALIAS, 5740 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 3, .opc2 = 3, 5741 .access = PL2_RW, 5742 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_FIQ]) }, 5743 { .name = "MDCR_EL3", .state = ARM_CP_STATE_AA64, 5744 .type = ARM_CP_IO, 5745 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 3, .opc2 = 1, 5746 .resetvalue = 0, 5747 .access = PL3_RW, 5748 .writefn = mdcr_el3_write, 5749 .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el3) }, 5750 { .name = "SDCR", .type = ARM_CP_ALIAS | ARM_CP_IO, 5751 .cp = 15, .opc1 = 0, .crn = 1, .crm = 3, .opc2 = 1, 5752 .access = PL1_RW, .accessfn = access_trap_aa32s_el1, 5753 .writefn = sdcr_write, 5754 .fieldoffset = offsetoflow32(CPUARMState, cp15.mdcr_el3) }, 5755 }; 5756 5757 static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask) 5758 { 5759 ARMCPU *cpu = env_archcpu(env); 5760 5761 if (arm_feature(env, ARM_FEATURE_V8)) { 5762 valid_mask |= MAKE_64BIT_MASK(0, 34); /* ARMv8.0 */ 5763 } else { 5764 valid_mask |= MAKE_64BIT_MASK(0, 28); /* ARMv7VE */ 5765 } 5766 5767 if (arm_feature(env, ARM_FEATURE_EL3)) { 5768 valid_mask &= ~HCR_HCD; 5769 } else if (cpu->psci_conduit != QEMU_PSCI_CONDUIT_SMC) { 5770 /* 5771 * Architecturally HCR.TSC is RES0 if EL3 is not implemented. 5772 * However, if we're using the SMC PSCI conduit then QEMU is 5773 * effectively acting like EL3 firmware and so the guest at 5774 * EL2 should retain the ability to prevent EL1 from being 5775 * able to make SMC calls into the ersatz firmware, so in 5776 * that case HCR.TSC should be read/write. 5777 */ 5778 valid_mask &= ~HCR_TSC; 5779 } 5780 5781 if (arm_feature(env, ARM_FEATURE_AARCH64)) { 5782 if (cpu_isar_feature(aa64_vh, cpu)) { 5783 valid_mask |= HCR_E2H; 5784 } 5785 if (cpu_isar_feature(aa64_ras, cpu)) { 5786 valid_mask |= HCR_TERR | HCR_TEA; 5787 } 5788 if (cpu_isar_feature(aa64_lor, cpu)) { 5789 valid_mask |= HCR_TLOR; 5790 } 5791 if (cpu_isar_feature(aa64_pauth, cpu)) { 5792 valid_mask |= HCR_API | HCR_APK; 5793 } 5794 if (cpu_isar_feature(aa64_mte, cpu)) { 5795 valid_mask |= HCR_ATA | HCR_DCT | HCR_TID5; 5796 } 5797 if (cpu_isar_feature(aa64_scxtnum, cpu)) { 5798 valid_mask |= HCR_ENSCXT; 5799 } 5800 if (cpu_isar_feature(aa64_fwb, cpu)) { 5801 valid_mask |= HCR_FWB; 5802 } 5803 if (cpu_isar_feature(aa64_rme, cpu)) { 5804 valid_mask |= HCR_GPF; 5805 } 5806 } 5807 5808 if (cpu_isar_feature(any_evt, cpu)) { 5809 valid_mask |= HCR_TTLBIS | HCR_TTLBOS | HCR_TICAB | HCR_TOCU | HCR_TID4; 5810 } else if (cpu_isar_feature(any_half_evt, cpu)) { 5811 valid_mask |= HCR_TICAB | HCR_TOCU | HCR_TID4; 5812 } 5813 5814 /* Clear RES0 bits. */ 5815 value &= valid_mask; 5816 5817 /* 5818 * These bits change the MMU setup: 5819 * HCR_VM enables stage 2 translation 5820 * HCR_PTW forbids certain page-table setups 5821 * HCR_DC disables stage1 and enables stage2 translation 5822 * HCR_DCT enables tagging on (disabled) stage1 translation 5823 * HCR_FWB changes the interpretation of stage2 descriptor bits 5824 */ 5825 if ((env->cp15.hcr_el2 ^ value) & 5826 (HCR_VM | HCR_PTW | HCR_DC | HCR_DCT | HCR_FWB)) { 5827 tlb_flush(CPU(cpu)); 5828 } 5829 env->cp15.hcr_el2 = value; 5830 5831 /* 5832 * Updates to VI and VF require us to update the status of 5833 * virtual interrupts, which are the logical OR of these bits 5834 * and the state of the input lines from the GIC. (This requires 5835 * that we have the iothread lock, which is done by marking the 5836 * reginfo structs as ARM_CP_IO.) 5837 * Note that if a write to HCR pends a VIRQ or VFIQ it is never 5838 * possible for it to be taken immediately, because VIRQ and 5839 * VFIQ are masked unless running at EL0 or EL1, and HCR 5840 * can only be written at EL2. 5841 */ 5842 g_assert(qemu_mutex_iothread_locked()); 5843 arm_cpu_update_virq(cpu); 5844 arm_cpu_update_vfiq(cpu); 5845 arm_cpu_update_vserr(cpu); 5846 } 5847 5848 static void hcr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) 5849 { 5850 do_hcr_write(env, value, 0); 5851 } 5852 5853 static void hcr_writehigh(CPUARMState *env, const ARMCPRegInfo *ri, 5854 uint64_t value) 5855 { 5856 /* Handle HCR2 write, i.e. write to high half of HCR_EL2 */ 5857 value = deposit64(env->cp15.hcr_el2, 32, 32, value); 5858 do_hcr_write(env, value, MAKE_64BIT_MASK(0, 32)); 5859 } 5860 5861 static void hcr_writelow(CPUARMState *env, const ARMCPRegInfo *ri, 5862 uint64_t value) 5863 { 5864 /* Handle HCR write, i.e. write to low half of HCR_EL2 */ 5865 value = deposit64(env->cp15.hcr_el2, 0, 32, value); 5866 do_hcr_write(env, value, MAKE_64BIT_MASK(32, 32)); 5867 } 5868 5869 /* 5870 * Return the effective value of HCR_EL2, at the given security state. 5871 * Bits that are not included here: 5872 * RW (read from SCR_EL3.RW as needed) 5873 */ 5874 uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, ARMSecuritySpace space) 5875 { 5876 uint64_t ret = env->cp15.hcr_el2; 5877 5878 assert(space != ARMSS_Root); 5879 5880 if (!arm_is_el2_enabled_secstate(env, space)) { 5881 /* 5882 * "This register has no effect if EL2 is not enabled in the 5883 * current Security state". This is ARMv8.4-SecEL2 speak for 5884 * !(SCR_EL3.NS==1 || SCR_EL3.EEL2==1). 5885 * 5886 * Prior to that, the language was "In an implementation that 5887 * includes EL3, when the value of SCR_EL3.NS is 0 the PE behaves 5888 * as if this field is 0 for all purposes other than a direct 5889 * read or write access of HCR_EL2". With lots of enumeration 5890 * on a per-field basis. In current QEMU, this is condition 5891 * is arm_is_secure_below_el3. 5892 * 5893 * Since the v8.4 language applies to the entire register, and 5894 * appears to be backward compatible, use that. 5895 */ 5896 return 0; 5897 } 5898 5899 /* 5900 * For a cpu that supports both aarch64 and aarch32, we can set bits 5901 * in HCR_EL2 (e.g. via EL3) that are RES0 when we enter EL2 as aa32. 5902 * Ignore all of the bits in HCR+HCR2 that are not valid for aarch32. 5903 */ 5904 if (!arm_el_is_aa64(env, 2)) { 5905 uint64_t aa32_valid; 5906 5907 /* 5908 * These bits are up-to-date as of ARMv8.6. 5909 * For HCR, it's easiest to list just the 2 bits that are invalid. 5910 * For HCR2, list those that are valid. 5911 */ 5912 aa32_valid = MAKE_64BIT_MASK(0, 32) & ~(HCR_RW | HCR_TDZ); 5913 aa32_valid |= (HCR_CD | HCR_ID | HCR_TERR | HCR_TEA | HCR_MIOCNCE | 5914 HCR_TID4 | HCR_TICAB | HCR_TOCU | HCR_TTLBIS); 5915 ret &= aa32_valid; 5916 } 5917 5918 if (ret & HCR_TGE) { 5919 /* These bits are up-to-date as of ARMv8.6. */ 5920 if (ret & HCR_E2H) { 5921 ret &= ~(HCR_VM | HCR_FMO | HCR_IMO | HCR_AMO | 5922 HCR_BSU_MASK | HCR_DC | HCR_TWI | HCR_TWE | 5923 HCR_TID0 | HCR_TID2 | HCR_TPCP | HCR_TPU | 5924 HCR_TDZ | HCR_CD | HCR_ID | HCR_MIOCNCE | 5925 HCR_TID4 | HCR_TICAB | HCR_TOCU | HCR_ENSCXT | 5926 HCR_TTLBIS | HCR_TTLBOS | HCR_TID5); 5927 } else { 5928 ret |= HCR_FMO | HCR_IMO | HCR_AMO; 5929 } 5930 ret &= ~(HCR_SWIO | HCR_PTW | HCR_VF | HCR_VI | HCR_VSE | 5931 HCR_FB | HCR_TID1 | HCR_TID3 | HCR_TSC | HCR_TACR | 5932 HCR_TSW | HCR_TTLB | HCR_TVM | HCR_HCD | HCR_TRVM | 5933 HCR_TLOR); 5934 } 5935 5936 return ret; 5937 } 5938 5939 uint64_t arm_hcr_el2_eff(CPUARMState *env) 5940 { 5941 if (arm_feature(env, ARM_FEATURE_M)) { 5942 return 0; 5943 } 5944 return arm_hcr_el2_eff_secstate(env, arm_security_space_below_el3(env)); 5945 } 5946 5947 /* 5948 * Corresponds to ARM pseudocode function ELIsInHost(). 5949 */ 5950 bool el_is_in_host(CPUARMState *env, int el) 5951 { 5952 uint64_t mask; 5953 5954 /* 5955 * Since we only care about E2H and TGE, we can skip arm_hcr_el2_eff(). 5956 * Perform the simplest bit tests first, and validate EL2 afterward. 5957 */ 5958 if (el & 1) { 5959 return false; /* EL1 or EL3 */ 5960 } 5961 5962 /* 5963 * Note that hcr_write() checks isar_feature_aa64_vh(), 5964 * aka HaveVirtHostExt(), in allowing HCR_E2H to be set. 5965 */ 5966 mask = el ? HCR_E2H : HCR_E2H | HCR_TGE; 5967 if ((env->cp15.hcr_el2 & mask) != mask) { 5968 return false; 5969 } 5970 5971 /* TGE and/or E2H set: double check those bits are currently legal. */ 5972 return arm_is_el2_enabled(env) && arm_el_is_aa64(env, 2); 5973 } 5974 5975 static void hcrx_write(CPUARMState *env, const ARMCPRegInfo *ri, 5976 uint64_t value) 5977 { 5978 uint64_t valid_mask = 0; 5979 5980 /* FEAT_MOPS adds MSCEn and MCE2 */ 5981 if (cpu_isar_feature(aa64_mops, env_archcpu(env))) { 5982 valid_mask |= HCRX_MSCEN | HCRX_MCE2; 5983 } 5984 5985 /* Clear RES0 bits. */ 5986 env->cp15.hcrx_el2 = value & valid_mask; 5987 } 5988 5989 static CPAccessResult access_hxen(CPUARMState *env, const ARMCPRegInfo *ri, 5990 bool isread) 5991 { 5992 if (arm_current_el(env) < 3 5993 && arm_feature(env, ARM_FEATURE_EL3) 5994 && !(env->cp15.scr_el3 & SCR_HXEN)) { 5995 return CP_ACCESS_TRAP_EL3; 5996 } 5997 return CP_ACCESS_OK; 5998 } 5999 6000 static const ARMCPRegInfo hcrx_el2_reginfo = { 6001 .name = "HCRX_EL2", .state = ARM_CP_STATE_AA64, 6002 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 2, 6003 .access = PL2_RW, .writefn = hcrx_write, .accessfn = access_hxen, 6004 .fieldoffset = offsetof(CPUARMState, cp15.hcrx_el2), 6005 }; 6006 6007 /* Return the effective value of HCRX_EL2. */ 6008 uint64_t arm_hcrx_el2_eff(CPUARMState *env) 6009 { 6010 /* 6011 * The bits in this register behave as 0 for all purposes other than 6012 * direct reads of the register if SCR_EL3.HXEn is 0. 6013 * If EL2 is not enabled in the current security state, then the 6014 * bit may behave as if 0, or as if 1, depending on the bit. 6015 * For the moment, we treat the EL2-disabled case as taking 6016 * priority over the HXEn-disabled case. This is true for the only 6017 * bit for a feature which we implement where the answer is different 6018 * for the two cases (MSCEn for FEAT_MOPS). 6019 * This may need to be revisited for future bits. 6020 */ 6021 if (!arm_is_el2_enabled(env)) { 6022 uint64_t hcrx = 0; 6023 if (cpu_isar_feature(aa64_mops, env_archcpu(env))) { 6024 /* MSCEn behaves as 1 if EL2 is not enabled */ 6025 hcrx |= HCRX_MSCEN; 6026 } 6027 return hcrx; 6028 } 6029 if (arm_feature(env, ARM_FEATURE_EL3) && !(env->cp15.scr_el3 & SCR_HXEN)) { 6030 return 0; 6031 } 6032 return env->cp15.hcrx_el2; 6033 } 6034 6035 static void cptr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri, 6036 uint64_t value) 6037 { 6038 /* 6039 * For A-profile AArch32 EL3, if NSACR.CP10 6040 * is 0 then HCPTR.{TCP11,TCP10} ignore writes and read as 1. 6041 */ 6042 if (arm_feature(env, ARM_FEATURE_EL3) && !arm_el_is_aa64(env, 3) && 6043 !arm_is_secure(env) && !extract32(env->cp15.nsacr, 10, 1)) { 6044 uint64_t mask = R_HCPTR_TCP11_MASK | R_HCPTR_TCP10_MASK; 6045 value = (value & ~mask) | (env->cp15.cptr_el[2] & mask); 6046 } 6047 env->cp15.cptr_el[2] = value; 6048 } 6049 6050 static uint64_t cptr_el2_read(CPUARMState *env, const ARMCPRegInfo *ri) 6051 { 6052 /* 6053 * For A-profile AArch32 EL3, if NSACR.CP10 6054 * is 0 then HCPTR.{TCP11,TCP10} ignore writes and read as 1. 6055 */ 6056 uint64_t value = env->cp15.cptr_el[2]; 6057 6058 if (arm_feature(env, ARM_FEATURE_EL3) && !arm_el_is_aa64(env, 3) && 6059 !arm_is_secure(env) && !extract32(env->cp15.nsacr, 10, 1)) { 6060 value |= R_HCPTR_TCP11_MASK | R_HCPTR_TCP10_MASK; 6061 } 6062 return value; 6063 } 6064 6065 static const ARMCPRegInfo el2_cp_reginfo[] = { 6066 { .name = "HCR_EL2", .state = ARM_CP_STATE_AA64, 6067 .type = ARM_CP_IO, 6068 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0, 6069 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.hcr_el2), 6070 .writefn = hcr_write, .raw_writefn = raw_write }, 6071 { .name = "HCR", .state = ARM_CP_STATE_AA32, 6072 .type = ARM_CP_ALIAS | ARM_CP_IO, 6073 .cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0, 6074 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.hcr_el2), 6075 .writefn = hcr_writelow }, 6076 { .name = "HACR_EL2", .state = ARM_CP_STATE_BOTH, 6077 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 7, 6078 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, 6079 { .name = "ELR_EL2", .state = ARM_CP_STATE_AA64, 6080 .type = ARM_CP_ALIAS, 6081 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 0, .opc2 = 1, 6082 .access = PL2_RW, 6083 .fieldoffset = offsetof(CPUARMState, elr_el[2]) }, 6084 { .name = "ESR_EL2", .state = ARM_CP_STATE_BOTH, 6085 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 2, .opc2 = 0, 6086 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.esr_el[2]) }, 6087 { .name = "FAR_EL2", .state = ARM_CP_STATE_BOTH, 6088 .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 0, 6089 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.far_el[2]) }, 6090 { .name = "HIFAR", .state = ARM_CP_STATE_AA32, 6091 .type = ARM_CP_ALIAS, 6092 .cp = 15, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 2, 6093 .access = PL2_RW, 6094 .fieldoffset = offsetofhigh32(CPUARMState, cp15.far_el[2]) }, 6095 { .name = "SPSR_EL2", .state = ARM_CP_STATE_AA64, 6096 .type = ARM_CP_ALIAS, 6097 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 0, .opc2 = 0, 6098 .access = PL2_RW, 6099 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_HYP]) }, 6100 { .name = "VBAR_EL2", .state = ARM_CP_STATE_BOTH, 6101 .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 0, 6102 .access = PL2_RW, .writefn = vbar_write, 6103 .fieldoffset = offsetof(CPUARMState, cp15.vbar_el[2]), 6104 .resetvalue = 0 }, 6105 { .name = "SP_EL2", .state = ARM_CP_STATE_AA64, 6106 .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 1, .opc2 = 0, 6107 .access = PL3_RW, .type = ARM_CP_ALIAS, 6108 .fieldoffset = offsetof(CPUARMState, sp_el[2]) }, 6109 { .name = "CPTR_EL2", .state = ARM_CP_STATE_BOTH, 6110 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 2, 6111 .access = PL2_RW, .accessfn = cptr_access, .resetvalue = 0, 6112 .fieldoffset = offsetof(CPUARMState, cp15.cptr_el[2]), 6113 .readfn = cptr_el2_read, .writefn = cptr_el2_write }, 6114 { .name = "MAIR_EL2", .state = ARM_CP_STATE_BOTH, 6115 .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 0, 6116 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.mair_el[2]), 6117 .resetvalue = 0 }, 6118 { .name = "HMAIR1", .state = ARM_CP_STATE_AA32, 6119 .cp = 15, .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 1, 6120 .access = PL2_RW, .type = ARM_CP_ALIAS, 6121 .fieldoffset = offsetofhigh32(CPUARMState, cp15.mair_el[2]) }, 6122 { .name = "AMAIR_EL2", .state = ARM_CP_STATE_BOTH, 6123 .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 3, .opc2 = 0, 6124 .access = PL2_RW, .type = ARM_CP_CONST, 6125 .resetvalue = 0 }, 6126 /* HAMAIR1 is mapped to AMAIR_EL2[63:32] */ 6127 { .name = "HAMAIR1", .state = ARM_CP_STATE_AA32, 6128 .cp = 15, .opc1 = 4, .crn = 10, .crm = 3, .opc2 = 1, 6129 .access = PL2_RW, .type = ARM_CP_CONST, 6130 .resetvalue = 0 }, 6131 { .name = "AFSR0_EL2", .state = ARM_CP_STATE_BOTH, 6132 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 1, .opc2 = 0, 6133 .access = PL2_RW, .type = ARM_CP_CONST, 6134 .resetvalue = 0 }, 6135 { .name = "AFSR1_EL2", .state = ARM_CP_STATE_BOTH, 6136 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 1, .opc2 = 1, 6137 .access = PL2_RW, .type = ARM_CP_CONST, 6138 .resetvalue = 0 }, 6139 { .name = "TCR_EL2", .state = ARM_CP_STATE_BOTH, 6140 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 2, 6141 .access = PL2_RW, .writefn = vmsa_tcr_el12_write, 6142 .raw_writefn = raw_write, 6143 .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[2]) }, 6144 { .name = "VTCR", .state = ARM_CP_STATE_AA32, 6145 .cp = 15, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2, 6146 .type = ARM_CP_ALIAS, 6147 .access = PL2_RW, .accessfn = access_el3_aa32ns, 6148 .fieldoffset = offsetoflow32(CPUARMState, cp15.vtcr_el2) }, 6149 { .name = "VTCR_EL2", .state = ARM_CP_STATE_AA64, 6150 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2, 6151 .access = PL2_RW, 6152 /* no .writefn needed as this can't cause an ASID change */ 6153 .fieldoffset = offsetof(CPUARMState, cp15.vtcr_el2) }, 6154 { .name = "VTTBR", .state = ARM_CP_STATE_AA32, 6155 .cp = 15, .opc1 = 6, .crm = 2, 6156 .type = ARM_CP_64BIT | ARM_CP_ALIAS, 6157 .access = PL2_RW, .accessfn = access_el3_aa32ns, 6158 .fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2), 6159 .writefn = vttbr_write, .raw_writefn = raw_write }, 6160 { .name = "VTTBR_EL2", .state = ARM_CP_STATE_AA64, 6161 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 0, 6162 .access = PL2_RW, .writefn = vttbr_write, .raw_writefn = raw_write, 6163 .fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2) }, 6164 { .name = "SCTLR_EL2", .state = ARM_CP_STATE_BOTH, 6165 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 0, 6166 .access = PL2_RW, .raw_writefn = raw_write, .writefn = sctlr_write, 6167 .fieldoffset = offsetof(CPUARMState, cp15.sctlr_el[2]) }, 6168 { .name = "TPIDR_EL2", .state = ARM_CP_STATE_BOTH, 6169 .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 2, 6170 .access = PL2_RW, .resetvalue = 0, 6171 .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[2]) }, 6172 { .name = "TTBR0_EL2", .state = ARM_CP_STATE_AA64, 6173 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 0, 6174 .access = PL2_RW, .resetvalue = 0, 6175 .writefn = vmsa_tcr_ttbr_el2_write, .raw_writefn = raw_write, 6176 .fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[2]) }, 6177 { .name = "HTTBR", .cp = 15, .opc1 = 4, .crm = 2, 6178 .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS, 6179 .fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[2]) }, 6180 { .name = "TLBIALLNSNH", 6181 .cp = 15, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 4, 6182 .type = ARM_CP_NO_RAW, .access = PL2_W, 6183 .writefn = tlbiall_nsnh_write }, 6184 { .name = "TLBIALLNSNHIS", 6185 .cp = 15, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 4, 6186 .type = ARM_CP_NO_RAW, .access = PL2_W, 6187 .writefn = tlbiall_nsnh_is_write }, 6188 { .name = "TLBIALLH", .cp = 15, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 0, 6189 .type = ARM_CP_NO_RAW, .access = PL2_W, 6190 .writefn = tlbiall_hyp_write }, 6191 { .name = "TLBIALLHIS", .cp = 15, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 0, 6192 .type = ARM_CP_NO_RAW, .access = PL2_W, 6193 .writefn = tlbiall_hyp_is_write }, 6194 { .name = "TLBIMVAH", .cp = 15, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 1, 6195 .type = ARM_CP_NO_RAW, .access = PL2_W, 6196 .writefn = tlbimva_hyp_write }, 6197 { .name = "TLBIMVAHIS", .cp = 15, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 1, 6198 .type = ARM_CP_NO_RAW, .access = PL2_W, 6199 .writefn = tlbimva_hyp_is_write }, 6200 { .name = "TLBI_ALLE2", .state = ARM_CP_STATE_AA64, 6201 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 0, 6202 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 6203 .writefn = tlbi_aa64_alle2_write }, 6204 { .name = "TLBI_VAE2", .state = ARM_CP_STATE_AA64, 6205 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 1, 6206 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 6207 .writefn = tlbi_aa64_vae2_write }, 6208 { .name = "TLBI_VALE2", .state = ARM_CP_STATE_AA64, 6209 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 5, 6210 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 6211 .writefn = tlbi_aa64_vae2_write }, 6212 { .name = "TLBI_ALLE2IS", .state = ARM_CP_STATE_AA64, 6213 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 0, 6214 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 6215 .writefn = tlbi_aa64_alle2is_write }, 6216 { .name = "TLBI_VAE2IS", .state = ARM_CP_STATE_AA64, 6217 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 1, 6218 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 6219 .writefn = tlbi_aa64_vae2is_write }, 6220 { .name = "TLBI_VALE2IS", .state = ARM_CP_STATE_AA64, 6221 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 5, 6222 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 6223 .writefn = tlbi_aa64_vae2is_write }, 6224 #ifndef CONFIG_USER_ONLY 6225 /* 6226 * Unlike the other EL2-related AT operations, these must 6227 * UNDEF from EL3 if EL2 is not implemented, which is why we 6228 * define them here rather than with the rest of the AT ops. 6229 */ 6230 { .name = "AT_S1E2R", .state = ARM_CP_STATE_AA64, 6231 .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0, 6232 .access = PL2_W, .accessfn = at_s1e2_access, 6233 .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC | ARM_CP_EL3_NO_EL2_UNDEF, 6234 .writefn = ats_write64 }, 6235 { .name = "AT_S1E2W", .state = ARM_CP_STATE_AA64, 6236 .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1, 6237 .access = PL2_W, .accessfn = at_s1e2_access, 6238 .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC | ARM_CP_EL3_NO_EL2_UNDEF, 6239 .writefn = ats_write64 }, 6240 /* 6241 * The AArch32 ATS1H* operations are CONSTRAINED UNPREDICTABLE 6242 * if EL2 is not implemented; we choose to UNDEF. Behaviour at EL3 6243 * with SCR.NS == 0 outside Monitor mode is UNPREDICTABLE; we choose 6244 * to behave as if SCR.NS was 1. 6245 */ 6246 { .name = "ATS1HR", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0, 6247 .access = PL2_W, 6248 .writefn = ats1h_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC }, 6249 { .name = "ATS1HW", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1, 6250 .access = PL2_W, 6251 .writefn = ats1h_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC }, 6252 { .name = "CNTHCTL_EL2", .state = ARM_CP_STATE_BOTH, 6253 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 1, .opc2 = 0, 6254 /* 6255 * ARMv7 requires bit 0 and 1 to reset to 1. ARMv8 defines the 6256 * reset values as IMPDEF. We choose to reset to 3 to comply with 6257 * both ARMv7 and ARMv8. 6258 */ 6259 .access = PL2_RW, .type = ARM_CP_IO, .resetvalue = 3, 6260 .writefn = gt_cnthctl_write, .raw_writefn = raw_write, 6261 .fieldoffset = offsetof(CPUARMState, cp15.cnthctl_el2) }, 6262 { .name = "CNTVOFF_EL2", .state = ARM_CP_STATE_AA64, 6263 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 0, .opc2 = 3, 6264 .access = PL2_RW, .type = ARM_CP_IO, .resetvalue = 0, 6265 .writefn = gt_cntvoff_write, 6266 .fieldoffset = offsetof(CPUARMState, cp15.cntvoff_el2) }, 6267 { .name = "CNTVOFF", .cp = 15, .opc1 = 4, .crm = 14, 6268 .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS | ARM_CP_IO, 6269 .writefn = gt_cntvoff_write, 6270 .fieldoffset = offsetof(CPUARMState, cp15.cntvoff_el2) }, 6271 { .name = "CNTHP_CVAL_EL2", .state = ARM_CP_STATE_AA64, 6272 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 2, 6273 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYP].cval), 6274 .type = ARM_CP_IO, .access = PL2_RW, 6275 .writefn = gt_hyp_cval_write, .raw_writefn = raw_write }, 6276 { .name = "CNTHP_CVAL", .cp = 15, .opc1 = 6, .crm = 14, 6277 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYP].cval), 6278 .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_IO, 6279 .writefn = gt_hyp_cval_write, .raw_writefn = raw_write }, 6280 { .name = "CNTHP_TVAL_EL2", .state = ARM_CP_STATE_BOTH, 6281 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 0, 6282 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL2_RW, 6283 .resetfn = gt_hyp_timer_reset, 6284 .readfn = gt_hyp_tval_read, .writefn = gt_hyp_tval_write }, 6285 { .name = "CNTHP_CTL_EL2", .state = ARM_CP_STATE_BOTH, 6286 .type = ARM_CP_IO, 6287 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 1, 6288 .access = PL2_RW, 6289 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYP].ctl), 6290 .resetvalue = 0, 6291 .writefn = gt_hyp_ctl_write, .raw_writefn = raw_write }, 6292 #endif 6293 { .name = "HPFAR", .state = ARM_CP_STATE_AA32, 6294 .cp = 15, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4, 6295 .access = PL2_RW, .accessfn = access_el3_aa32ns, 6296 .fieldoffset = offsetof(CPUARMState, cp15.hpfar_el2) }, 6297 { .name = "HPFAR_EL2", .state = ARM_CP_STATE_AA64, 6298 .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4, 6299 .access = PL2_RW, 6300 .fieldoffset = offsetof(CPUARMState, cp15.hpfar_el2) }, 6301 { .name = "HSTR_EL2", .state = ARM_CP_STATE_BOTH, 6302 .cp = 15, .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 3, 6303 .access = PL2_RW, 6304 .fieldoffset = offsetof(CPUARMState, cp15.hstr_el2) }, 6305 }; 6306 6307 static const ARMCPRegInfo el2_v8_cp_reginfo[] = { 6308 { .name = "HCR2", .state = ARM_CP_STATE_AA32, 6309 .type = ARM_CP_ALIAS | ARM_CP_IO, 6310 .cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 4, 6311 .access = PL2_RW, 6312 .fieldoffset = offsetofhigh32(CPUARMState, cp15.hcr_el2), 6313 .writefn = hcr_writehigh }, 6314 }; 6315 6316 static CPAccessResult sel2_access(CPUARMState *env, const ARMCPRegInfo *ri, 6317 bool isread) 6318 { 6319 if (arm_current_el(env) == 3 || arm_is_secure_below_el3(env)) { 6320 return CP_ACCESS_OK; 6321 } 6322 return CP_ACCESS_TRAP_UNCATEGORIZED; 6323 } 6324 6325 static const ARMCPRegInfo el2_sec_cp_reginfo[] = { 6326 { .name = "VSTTBR_EL2", .state = ARM_CP_STATE_AA64, 6327 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 6, .opc2 = 0, 6328 .access = PL2_RW, .accessfn = sel2_access, 6329 .fieldoffset = offsetof(CPUARMState, cp15.vsttbr_el2) }, 6330 { .name = "VSTCR_EL2", .state = ARM_CP_STATE_AA64, 6331 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 6, .opc2 = 2, 6332 .access = PL2_RW, .accessfn = sel2_access, 6333 .fieldoffset = offsetof(CPUARMState, cp15.vstcr_el2) }, 6334 }; 6335 6336 static CPAccessResult nsacr_access(CPUARMState *env, const ARMCPRegInfo *ri, 6337 bool isread) 6338 { 6339 /* 6340 * The NSACR is RW at EL3, and RO for NS EL1 and NS EL2. 6341 * At Secure EL1 it traps to EL3 or EL2. 6342 */ 6343 if (arm_current_el(env) == 3) { 6344 return CP_ACCESS_OK; 6345 } 6346 if (arm_is_secure_below_el3(env)) { 6347 if (env->cp15.scr_el3 & SCR_EEL2) { 6348 return CP_ACCESS_TRAP_EL2; 6349 } 6350 return CP_ACCESS_TRAP_EL3; 6351 } 6352 /* Accesses from EL1 NS and EL2 NS are UNDEF for write but allow reads. */ 6353 if (isread) { 6354 return CP_ACCESS_OK; 6355 } 6356 return CP_ACCESS_TRAP_UNCATEGORIZED; 6357 } 6358 6359 static const ARMCPRegInfo el3_cp_reginfo[] = { 6360 { .name = "SCR_EL3", .state = ARM_CP_STATE_AA64, 6361 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 0, 6362 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.scr_el3), 6363 .resetfn = scr_reset, .writefn = scr_write, .raw_writefn = raw_write }, 6364 { .name = "SCR", .type = ARM_CP_ALIAS | ARM_CP_NEWEL, 6365 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 0, 6366 .access = PL1_RW, .accessfn = access_trap_aa32s_el1, 6367 .fieldoffset = offsetoflow32(CPUARMState, cp15.scr_el3), 6368 .writefn = scr_write, .raw_writefn = raw_write }, 6369 { .name = "SDER32_EL3", .state = ARM_CP_STATE_AA64, 6370 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 1, 6371 .access = PL3_RW, .resetvalue = 0, 6372 .fieldoffset = offsetof(CPUARMState, cp15.sder) }, 6373 { .name = "SDER", 6374 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 1, 6375 .access = PL3_RW, .resetvalue = 0, 6376 .fieldoffset = offsetoflow32(CPUARMState, cp15.sder) }, 6377 { .name = "MVBAR", .cp = 15, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1, 6378 .access = PL1_RW, .accessfn = access_trap_aa32s_el1, 6379 .writefn = vbar_write, .resetvalue = 0, 6380 .fieldoffset = offsetof(CPUARMState, cp15.mvbar) }, 6381 { .name = "TTBR0_EL3", .state = ARM_CP_STATE_AA64, 6382 .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 0, .opc2 = 0, 6383 .access = PL3_RW, .resetvalue = 0, 6384 .fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[3]) }, 6385 { .name = "TCR_EL3", .state = ARM_CP_STATE_AA64, 6386 .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 0, .opc2 = 2, 6387 .access = PL3_RW, 6388 /* no .writefn needed as this can't cause an ASID change */ 6389 .resetvalue = 0, 6390 .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[3]) }, 6391 { .name = "ELR_EL3", .state = ARM_CP_STATE_AA64, 6392 .type = ARM_CP_ALIAS, 6393 .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 0, .opc2 = 1, 6394 .access = PL3_RW, 6395 .fieldoffset = offsetof(CPUARMState, elr_el[3]) }, 6396 { .name = "ESR_EL3", .state = ARM_CP_STATE_AA64, 6397 .opc0 = 3, .opc1 = 6, .crn = 5, .crm = 2, .opc2 = 0, 6398 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.esr_el[3]) }, 6399 { .name = "FAR_EL3", .state = ARM_CP_STATE_AA64, 6400 .opc0 = 3, .opc1 = 6, .crn = 6, .crm = 0, .opc2 = 0, 6401 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.far_el[3]) }, 6402 { .name = "SPSR_EL3", .state = ARM_CP_STATE_AA64, 6403 .type = ARM_CP_ALIAS, 6404 .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 0, .opc2 = 0, 6405 .access = PL3_RW, 6406 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_MON]) }, 6407 { .name = "VBAR_EL3", .state = ARM_CP_STATE_AA64, 6408 .opc0 = 3, .opc1 = 6, .crn = 12, .crm = 0, .opc2 = 0, 6409 .access = PL3_RW, .writefn = vbar_write, 6410 .fieldoffset = offsetof(CPUARMState, cp15.vbar_el[3]), 6411 .resetvalue = 0 }, 6412 { .name = "CPTR_EL3", .state = ARM_CP_STATE_AA64, 6413 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 2, 6414 .access = PL3_RW, .accessfn = cptr_access, .resetvalue = 0, 6415 .fieldoffset = offsetof(CPUARMState, cp15.cptr_el[3]) }, 6416 { .name = "TPIDR_EL3", .state = ARM_CP_STATE_AA64, 6417 .opc0 = 3, .opc1 = 6, .crn = 13, .crm = 0, .opc2 = 2, 6418 .access = PL3_RW, .resetvalue = 0, 6419 .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[3]) }, 6420 { .name = "AMAIR_EL3", .state = ARM_CP_STATE_AA64, 6421 .opc0 = 3, .opc1 = 6, .crn = 10, .crm = 3, .opc2 = 0, 6422 .access = PL3_RW, .type = ARM_CP_CONST, 6423 .resetvalue = 0 }, 6424 { .name = "AFSR0_EL3", .state = ARM_CP_STATE_BOTH, 6425 .opc0 = 3, .opc1 = 6, .crn = 5, .crm = 1, .opc2 = 0, 6426 .access = PL3_RW, .type = ARM_CP_CONST, 6427 .resetvalue = 0 }, 6428 { .name = "AFSR1_EL3", .state = ARM_CP_STATE_BOTH, 6429 .opc0 = 3, .opc1 = 6, .crn = 5, .crm = 1, .opc2 = 1, 6430 .access = PL3_RW, .type = ARM_CP_CONST, 6431 .resetvalue = 0 }, 6432 { .name = "TLBI_ALLE3IS", .state = ARM_CP_STATE_AA64, 6433 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 3, .opc2 = 0, 6434 .access = PL3_W, .type = ARM_CP_NO_RAW, 6435 .writefn = tlbi_aa64_alle3is_write }, 6436 { .name = "TLBI_VAE3IS", .state = ARM_CP_STATE_AA64, 6437 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 3, .opc2 = 1, 6438 .access = PL3_W, .type = ARM_CP_NO_RAW, 6439 .writefn = tlbi_aa64_vae3is_write }, 6440 { .name = "TLBI_VALE3IS", .state = ARM_CP_STATE_AA64, 6441 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 3, .opc2 = 5, 6442 .access = PL3_W, .type = ARM_CP_NO_RAW, 6443 .writefn = tlbi_aa64_vae3is_write }, 6444 { .name = "TLBI_ALLE3", .state = ARM_CP_STATE_AA64, 6445 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 7, .opc2 = 0, 6446 .access = PL3_W, .type = ARM_CP_NO_RAW, 6447 .writefn = tlbi_aa64_alle3_write }, 6448 { .name = "TLBI_VAE3", .state = ARM_CP_STATE_AA64, 6449 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 7, .opc2 = 1, 6450 .access = PL3_W, .type = ARM_CP_NO_RAW, 6451 .writefn = tlbi_aa64_vae3_write }, 6452 { .name = "TLBI_VALE3", .state = ARM_CP_STATE_AA64, 6453 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 7, .opc2 = 5, 6454 .access = PL3_W, .type = ARM_CP_NO_RAW, 6455 .writefn = tlbi_aa64_vae3_write }, 6456 }; 6457 6458 #ifndef CONFIG_USER_ONLY 6459 /* Test if system register redirection is to occur in the current state. */ 6460 static bool redirect_for_e2h(CPUARMState *env) 6461 { 6462 return arm_current_el(env) == 2 && (arm_hcr_el2_eff(env) & HCR_E2H); 6463 } 6464 6465 static uint64_t el2_e2h_read(CPUARMState *env, const ARMCPRegInfo *ri) 6466 { 6467 CPReadFn *readfn; 6468 6469 if (redirect_for_e2h(env)) { 6470 /* Switch to the saved EL2 version of the register. */ 6471 ri = ri->opaque; 6472 readfn = ri->readfn; 6473 } else { 6474 readfn = ri->orig_readfn; 6475 } 6476 if (readfn == NULL) { 6477 readfn = raw_read; 6478 } 6479 return readfn(env, ri); 6480 } 6481 6482 static void el2_e2h_write(CPUARMState *env, const ARMCPRegInfo *ri, 6483 uint64_t value) 6484 { 6485 CPWriteFn *writefn; 6486 6487 if (redirect_for_e2h(env)) { 6488 /* Switch to the saved EL2 version of the register. */ 6489 ri = ri->opaque; 6490 writefn = ri->writefn; 6491 } else { 6492 writefn = ri->orig_writefn; 6493 } 6494 if (writefn == NULL) { 6495 writefn = raw_write; 6496 } 6497 writefn(env, ri, value); 6498 } 6499 6500 static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu) 6501 { 6502 struct E2HAlias { 6503 uint32_t src_key, dst_key, new_key; 6504 const char *src_name, *dst_name, *new_name; 6505 bool (*feature)(const ARMISARegisters *id); 6506 }; 6507 6508 #define K(op0, op1, crn, crm, op2) \ 6509 ENCODE_AA64_CP_REG(CP_REG_ARM64_SYSREG_CP, crn, crm, op0, op1, op2) 6510 6511 static const struct E2HAlias aliases[] = { 6512 { K(3, 0, 1, 0, 0), K(3, 4, 1, 0, 0), K(3, 5, 1, 0, 0), 6513 "SCTLR", "SCTLR_EL2", "SCTLR_EL12" }, 6514 { K(3, 0, 1, 0, 2), K(3, 4, 1, 1, 2), K(3, 5, 1, 0, 2), 6515 "CPACR", "CPTR_EL2", "CPACR_EL12" }, 6516 { K(3, 0, 2, 0, 0), K(3, 4, 2, 0, 0), K(3, 5, 2, 0, 0), 6517 "TTBR0_EL1", "TTBR0_EL2", "TTBR0_EL12" }, 6518 { K(3, 0, 2, 0, 1), K(3, 4, 2, 0, 1), K(3, 5, 2, 0, 1), 6519 "TTBR1_EL1", "TTBR1_EL2", "TTBR1_EL12" }, 6520 { K(3, 0, 2, 0, 2), K(3, 4, 2, 0, 2), K(3, 5, 2, 0, 2), 6521 "TCR_EL1", "TCR_EL2", "TCR_EL12" }, 6522 { K(3, 0, 4, 0, 0), K(3, 4, 4, 0, 0), K(3, 5, 4, 0, 0), 6523 "SPSR_EL1", "SPSR_EL2", "SPSR_EL12" }, 6524 { K(3, 0, 4, 0, 1), K(3, 4, 4, 0, 1), K(3, 5, 4, 0, 1), 6525 "ELR_EL1", "ELR_EL2", "ELR_EL12" }, 6526 { K(3, 0, 5, 1, 0), K(3, 4, 5, 1, 0), K(3, 5, 5, 1, 0), 6527 "AFSR0_EL1", "AFSR0_EL2", "AFSR0_EL12" }, 6528 { K(3, 0, 5, 1, 1), K(3, 4, 5, 1, 1), K(3, 5, 5, 1, 1), 6529 "AFSR1_EL1", "AFSR1_EL2", "AFSR1_EL12" }, 6530 { K(3, 0, 5, 2, 0), K(3, 4, 5, 2, 0), K(3, 5, 5, 2, 0), 6531 "ESR_EL1", "ESR_EL2", "ESR_EL12" }, 6532 { K(3, 0, 6, 0, 0), K(3, 4, 6, 0, 0), K(3, 5, 6, 0, 0), 6533 "FAR_EL1", "FAR_EL2", "FAR_EL12" }, 6534 { K(3, 0, 10, 2, 0), K(3, 4, 10, 2, 0), K(3, 5, 10, 2, 0), 6535 "MAIR_EL1", "MAIR_EL2", "MAIR_EL12" }, 6536 { K(3, 0, 10, 3, 0), K(3, 4, 10, 3, 0), K(3, 5, 10, 3, 0), 6537 "AMAIR0", "AMAIR_EL2", "AMAIR_EL12" }, 6538 { K(3, 0, 12, 0, 0), K(3, 4, 12, 0, 0), K(3, 5, 12, 0, 0), 6539 "VBAR", "VBAR_EL2", "VBAR_EL12" }, 6540 { K(3, 0, 13, 0, 1), K(3, 4, 13, 0, 1), K(3, 5, 13, 0, 1), 6541 "CONTEXTIDR_EL1", "CONTEXTIDR_EL2", "CONTEXTIDR_EL12" }, 6542 { K(3, 0, 14, 1, 0), K(3, 4, 14, 1, 0), K(3, 5, 14, 1, 0), 6543 "CNTKCTL", "CNTHCTL_EL2", "CNTKCTL_EL12" }, 6544 6545 /* 6546 * Note that redirection of ZCR is mentioned in the description 6547 * of ZCR_EL2, and aliasing in the description of ZCR_EL1, but 6548 * not in the summary table. 6549 */ 6550 { K(3, 0, 1, 2, 0), K(3, 4, 1, 2, 0), K(3, 5, 1, 2, 0), 6551 "ZCR_EL1", "ZCR_EL2", "ZCR_EL12", isar_feature_aa64_sve }, 6552 { K(3, 0, 1, 2, 6), K(3, 4, 1, 2, 6), K(3, 5, 1, 2, 6), 6553 "SMCR_EL1", "SMCR_EL2", "SMCR_EL12", isar_feature_aa64_sme }, 6554 6555 { K(3, 0, 5, 6, 0), K(3, 4, 5, 6, 0), K(3, 5, 5, 6, 0), 6556 "TFSR_EL1", "TFSR_EL2", "TFSR_EL12", isar_feature_aa64_mte }, 6557 6558 { K(3, 0, 13, 0, 7), K(3, 4, 13, 0, 7), K(3, 5, 13, 0, 7), 6559 "SCXTNUM_EL1", "SCXTNUM_EL2", "SCXTNUM_EL12", 6560 isar_feature_aa64_scxtnum }, 6561 6562 /* TODO: ARMv8.2-SPE -- PMSCR_EL2 */ 6563 /* TODO: ARMv8.4-Trace -- TRFCR_EL2 */ 6564 }; 6565 #undef K 6566 6567 size_t i; 6568 6569 for (i = 0; i < ARRAY_SIZE(aliases); i++) { 6570 const struct E2HAlias *a = &aliases[i]; 6571 ARMCPRegInfo *src_reg, *dst_reg, *new_reg; 6572 bool ok; 6573 6574 if (a->feature && !a->feature(&cpu->isar)) { 6575 continue; 6576 } 6577 6578 src_reg = g_hash_table_lookup(cpu->cp_regs, 6579 (gpointer)(uintptr_t)a->src_key); 6580 dst_reg = g_hash_table_lookup(cpu->cp_regs, 6581 (gpointer)(uintptr_t)a->dst_key); 6582 g_assert(src_reg != NULL); 6583 g_assert(dst_reg != NULL); 6584 6585 /* Cross-compare names to detect typos in the keys. */ 6586 g_assert(strcmp(src_reg->name, a->src_name) == 0); 6587 g_assert(strcmp(dst_reg->name, a->dst_name) == 0); 6588 6589 /* None of the core system registers use opaque; we will. */ 6590 g_assert(src_reg->opaque == NULL); 6591 6592 /* Create alias before redirection so we dup the right data. */ 6593 new_reg = g_memdup(src_reg, sizeof(ARMCPRegInfo)); 6594 6595 new_reg->name = a->new_name; 6596 new_reg->type |= ARM_CP_ALIAS; 6597 /* Remove PL1/PL0 access, leaving PL2/PL3 R/W in place. */ 6598 new_reg->access &= PL2_RW | PL3_RW; 6599 6600 ok = g_hash_table_insert(cpu->cp_regs, 6601 (gpointer)(uintptr_t)a->new_key, new_reg); 6602 g_assert(ok); 6603 6604 src_reg->opaque = dst_reg; 6605 src_reg->orig_readfn = src_reg->readfn ?: raw_read; 6606 src_reg->orig_writefn = src_reg->writefn ?: raw_write; 6607 if (!src_reg->raw_readfn) { 6608 src_reg->raw_readfn = raw_read; 6609 } 6610 if (!src_reg->raw_writefn) { 6611 src_reg->raw_writefn = raw_write; 6612 } 6613 src_reg->readfn = el2_e2h_read; 6614 src_reg->writefn = el2_e2h_write; 6615 } 6616 } 6617 #endif 6618 6619 static CPAccessResult ctr_el0_access(CPUARMState *env, const ARMCPRegInfo *ri, 6620 bool isread) 6621 { 6622 int cur_el = arm_current_el(env); 6623 6624 if (cur_el < 2) { 6625 uint64_t hcr = arm_hcr_el2_eff(env); 6626 6627 if (cur_el == 0) { 6628 if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) { 6629 if (!(env->cp15.sctlr_el[2] & SCTLR_UCT)) { 6630 return CP_ACCESS_TRAP_EL2; 6631 } 6632 } else { 6633 if (!(env->cp15.sctlr_el[1] & SCTLR_UCT)) { 6634 return CP_ACCESS_TRAP; 6635 } 6636 if (hcr & HCR_TID2) { 6637 return CP_ACCESS_TRAP_EL2; 6638 } 6639 } 6640 } else if (hcr & HCR_TID2) { 6641 return CP_ACCESS_TRAP_EL2; 6642 } 6643 } 6644 6645 if (arm_current_el(env) < 2 && arm_hcr_el2_eff(env) & HCR_TID2) { 6646 return CP_ACCESS_TRAP_EL2; 6647 } 6648 6649 return CP_ACCESS_OK; 6650 } 6651 6652 /* 6653 * Check for traps to RAS registers, which are controlled 6654 * by HCR_EL2.TERR and SCR_EL3.TERR. 6655 */ 6656 static CPAccessResult access_terr(CPUARMState *env, const ARMCPRegInfo *ri, 6657 bool isread) 6658 { 6659 int el = arm_current_el(env); 6660 6661 if (el < 2 && (arm_hcr_el2_eff(env) & HCR_TERR)) { 6662 return CP_ACCESS_TRAP_EL2; 6663 } 6664 if (el < 3 && (env->cp15.scr_el3 & SCR_TERR)) { 6665 return CP_ACCESS_TRAP_EL3; 6666 } 6667 return CP_ACCESS_OK; 6668 } 6669 6670 static uint64_t disr_read(CPUARMState *env, const ARMCPRegInfo *ri) 6671 { 6672 int el = arm_current_el(env); 6673 6674 if (el < 2 && (arm_hcr_el2_eff(env) & HCR_AMO)) { 6675 return env->cp15.vdisr_el2; 6676 } 6677 if (el < 3 && (env->cp15.scr_el3 & SCR_EA)) { 6678 return 0; /* RAZ/WI */ 6679 } 6680 return env->cp15.disr_el1; 6681 } 6682 6683 static void disr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t val) 6684 { 6685 int el = arm_current_el(env); 6686 6687 if (el < 2 && (arm_hcr_el2_eff(env) & HCR_AMO)) { 6688 env->cp15.vdisr_el2 = val; 6689 return; 6690 } 6691 if (el < 3 && (env->cp15.scr_el3 & SCR_EA)) { 6692 return; /* RAZ/WI */ 6693 } 6694 env->cp15.disr_el1 = val; 6695 } 6696 6697 /* 6698 * Minimal RAS implementation with no Error Records. 6699 * Which means that all of the Error Record registers: 6700 * ERXADDR_EL1 6701 * ERXCTLR_EL1 6702 * ERXFR_EL1 6703 * ERXMISC0_EL1 6704 * ERXMISC1_EL1 6705 * ERXMISC2_EL1 6706 * ERXMISC3_EL1 6707 * ERXPFGCDN_EL1 (RASv1p1) 6708 * ERXPFGCTL_EL1 (RASv1p1) 6709 * ERXPFGF_EL1 (RASv1p1) 6710 * ERXSTATUS_EL1 6711 * and 6712 * ERRSELR_EL1 6713 * may generate UNDEFINED, which is the effect we get by not 6714 * listing them at all. 6715 * 6716 * These registers have fine-grained trap bits, but UNDEF-to-EL1 6717 * is higher priority than FGT-to-EL2 so we do not need to list them 6718 * in order to check for an FGT. 6719 */ 6720 static const ARMCPRegInfo minimal_ras_reginfo[] = { 6721 { .name = "DISR_EL1", .state = ARM_CP_STATE_BOTH, 6722 .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 1, 6723 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.disr_el1), 6724 .readfn = disr_read, .writefn = disr_write, .raw_writefn = raw_write }, 6725 { .name = "ERRIDR_EL1", .state = ARM_CP_STATE_BOTH, 6726 .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 3, .opc2 = 0, 6727 .access = PL1_R, .accessfn = access_terr, 6728 .fgt = FGT_ERRIDR_EL1, 6729 .type = ARM_CP_CONST, .resetvalue = 0 }, 6730 { .name = "VDISR_EL2", .state = ARM_CP_STATE_BOTH, 6731 .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 1, .opc2 = 1, 6732 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.vdisr_el2) }, 6733 { .name = "VSESR_EL2", .state = ARM_CP_STATE_BOTH, 6734 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 2, .opc2 = 3, 6735 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.vsesr_el2) }, 6736 }; 6737 6738 /* 6739 * Return the exception level to which exceptions should be taken 6740 * via SVEAccessTrap. This excludes the check for whether the exception 6741 * should be routed through AArch64.AdvSIMDFPAccessTrap. That can easily 6742 * be found by testing 0 < fp_exception_el < sve_exception_el. 6743 * 6744 * C.f. the ARM pseudocode function CheckSVEEnabled. Note that the 6745 * pseudocode does *not* separate out the FP trap checks, but has them 6746 * all in one function. 6747 */ 6748 int sve_exception_el(CPUARMState *env, int el) 6749 { 6750 #ifndef CONFIG_USER_ONLY 6751 if (el <= 1 && !el_is_in_host(env, el)) { 6752 switch (FIELD_EX64(env->cp15.cpacr_el1, CPACR_EL1, ZEN)) { 6753 case 1: 6754 if (el != 0) { 6755 break; 6756 } 6757 /* fall through */ 6758 case 0: 6759 case 2: 6760 return 1; 6761 } 6762 } 6763 6764 if (el <= 2 && arm_is_el2_enabled(env)) { 6765 /* CPTR_EL2 changes format with HCR_EL2.E2H (regardless of TGE). */ 6766 if (env->cp15.hcr_el2 & HCR_E2H) { 6767 switch (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, ZEN)) { 6768 case 1: 6769 if (el != 0 || !(env->cp15.hcr_el2 & HCR_TGE)) { 6770 break; 6771 } 6772 /* fall through */ 6773 case 0: 6774 case 2: 6775 return 2; 6776 } 6777 } else { 6778 if (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, TZ)) { 6779 return 2; 6780 } 6781 } 6782 } 6783 6784 /* CPTR_EL3. Since EZ is negative we must check for EL3. */ 6785 if (arm_feature(env, ARM_FEATURE_EL3) 6786 && !FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, EZ)) { 6787 return 3; 6788 } 6789 #endif 6790 return 0; 6791 } 6792 6793 /* 6794 * Return the exception level to which exceptions should be taken for SME. 6795 * C.f. the ARM pseudocode function CheckSMEAccess. 6796 */ 6797 int sme_exception_el(CPUARMState *env, int el) 6798 { 6799 #ifndef CONFIG_USER_ONLY 6800 if (el <= 1 && !el_is_in_host(env, el)) { 6801 switch (FIELD_EX64(env->cp15.cpacr_el1, CPACR_EL1, SMEN)) { 6802 case 1: 6803 if (el != 0) { 6804 break; 6805 } 6806 /* fall through */ 6807 case 0: 6808 case 2: 6809 return 1; 6810 } 6811 } 6812 6813 if (el <= 2 && arm_is_el2_enabled(env)) { 6814 /* CPTR_EL2 changes format with HCR_EL2.E2H (regardless of TGE). */ 6815 if (env->cp15.hcr_el2 & HCR_E2H) { 6816 switch (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, SMEN)) { 6817 case 1: 6818 if (el != 0 || !(env->cp15.hcr_el2 & HCR_TGE)) { 6819 break; 6820 } 6821 /* fall through */ 6822 case 0: 6823 case 2: 6824 return 2; 6825 } 6826 } else { 6827 if (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, TSM)) { 6828 return 2; 6829 } 6830 } 6831 } 6832 6833 /* CPTR_EL3. Since ESM is negative we must check for EL3. */ 6834 if (arm_feature(env, ARM_FEATURE_EL3) 6835 && !FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, ESM)) { 6836 return 3; 6837 } 6838 #endif 6839 return 0; 6840 } 6841 6842 /* 6843 * Given that SVE is enabled, return the vector length for EL. 6844 */ 6845 uint32_t sve_vqm1_for_el_sm(CPUARMState *env, int el, bool sm) 6846 { 6847 ARMCPU *cpu = env_archcpu(env); 6848 uint64_t *cr = env->vfp.zcr_el; 6849 uint32_t map = cpu->sve_vq.map; 6850 uint32_t len = ARM_MAX_VQ - 1; 6851 6852 if (sm) { 6853 cr = env->vfp.smcr_el; 6854 map = cpu->sme_vq.map; 6855 } 6856 6857 if (el <= 1 && !el_is_in_host(env, el)) { 6858 len = MIN(len, 0xf & (uint32_t)cr[1]); 6859 } 6860 if (el <= 2 && arm_feature(env, ARM_FEATURE_EL2)) { 6861 len = MIN(len, 0xf & (uint32_t)cr[2]); 6862 } 6863 if (arm_feature(env, ARM_FEATURE_EL3)) { 6864 len = MIN(len, 0xf & (uint32_t)cr[3]); 6865 } 6866 6867 map &= MAKE_64BIT_MASK(0, len + 1); 6868 if (map != 0) { 6869 return 31 - clz32(map); 6870 } 6871 6872 /* Bit 0 is always set for Normal SVE -- not so for Streaming SVE. */ 6873 assert(sm); 6874 return ctz32(cpu->sme_vq.map); 6875 } 6876 6877 uint32_t sve_vqm1_for_el(CPUARMState *env, int el) 6878 { 6879 return sve_vqm1_for_el_sm(env, el, FIELD_EX64(env->svcr, SVCR, SM)); 6880 } 6881 6882 static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri, 6883 uint64_t value) 6884 { 6885 int cur_el = arm_current_el(env); 6886 int old_len = sve_vqm1_for_el(env, cur_el); 6887 int new_len; 6888 6889 /* Bits other than [3:0] are RAZ/WI. */ 6890 QEMU_BUILD_BUG_ON(ARM_MAX_VQ > 16); 6891 raw_write(env, ri, value & 0xf); 6892 6893 /* 6894 * Because we arrived here, we know both FP and SVE are enabled; 6895 * otherwise we would have trapped access to the ZCR_ELn register. 6896 */ 6897 new_len = sve_vqm1_for_el(env, cur_el); 6898 if (new_len < old_len) { 6899 aarch64_sve_narrow_vq(env, new_len + 1); 6900 } 6901 } 6902 6903 static const ARMCPRegInfo zcr_reginfo[] = { 6904 { .name = "ZCR_EL1", .state = ARM_CP_STATE_AA64, 6905 .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 0, 6906 .access = PL1_RW, .type = ARM_CP_SVE, 6907 .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[1]), 6908 .writefn = zcr_write, .raw_writefn = raw_write }, 6909 { .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64, 6910 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0, 6911 .access = PL2_RW, .type = ARM_CP_SVE, 6912 .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[2]), 6913 .writefn = zcr_write, .raw_writefn = raw_write }, 6914 { .name = "ZCR_EL3", .state = ARM_CP_STATE_AA64, 6915 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 2, .opc2 = 0, 6916 .access = PL3_RW, .type = ARM_CP_SVE, 6917 .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[3]), 6918 .writefn = zcr_write, .raw_writefn = raw_write }, 6919 }; 6920 6921 #ifdef TARGET_AARCH64 6922 static CPAccessResult access_tpidr2(CPUARMState *env, const ARMCPRegInfo *ri, 6923 bool isread) 6924 { 6925 int el = arm_current_el(env); 6926 6927 if (el == 0) { 6928 uint64_t sctlr = arm_sctlr(env, el); 6929 if (!(sctlr & SCTLR_EnTP2)) { 6930 return CP_ACCESS_TRAP; 6931 } 6932 } 6933 /* TODO: FEAT_FGT */ 6934 if (el < 3 6935 && arm_feature(env, ARM_FEATURE_EL3) 6936 && !(env->cp15.scr_el3 & SCR_ENTP2)) { 6937 return CP_ACCESS_TRAP_EL3; 6938 } 6939 return CP_ACCESS_OK; 6940 } 6941 6942 static CPAccessResult access_esm(CPUARMState *env, const ARMCPRegInfo *ri, 6943 bool isread) 6944 { 6945 /* TODO: FEAT_FGT for SMPRI_EL1 but not SMPRIMAP_EL2 */ 6946 if (arm_current_el(env) < 3 6947 && arm_feature(env, ARM_FEATURE_EL3) 6948 && !FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, ESM)) { 6949 return CP_ACCESS_TRAP_EL3; 6950 } 6951 return CP_ACCESS_OK; 6952 } 6953 6954 /* ResetSVEState */ 6955 static void arm_reset_sve_state(CPUARMState *env) 6956 { 6957 memset(env->vfp.zregs, 0, sizeof(env->vfp.zregs)); 6958 /* Recall that FFR is stored as pregs[16]. */ 6959 memset(env->vfp.pregs, 0, sizeof(env->vfp.pregs)); 6960 vfp_set_fpcr(env, 0x0800009f); 6961 } 6962 6963 void aarch64_set_svcr(CPUARMState *env, uint64_t new, uint64_t mask) 6964 { 6965 uint64_t change = (env->svcr ^ new) & mask; 6966 6967 if (change == 0) { 6968 return; 6969 } 6970 env->svcr ^= change; 6971 6972 if (change & R_SVCR_SM_MASK) { 6973 arm_reset_sve_state(env); 6974 } 6975 6976 /* 6977 * ResetSMEState. 6978 * 6979 * SetPSTATE_ZA zeros on enable and disable. We can zero this only 6980 * on enable: while disabled, the storage is inaccessible and the 6981 * value does not matter. We're not saving the storage in vmstate 6982 * when disabled either. 6983 */ 6984 if (change & new & R_SVCR_ZA_MASK) { 6985 memset(env->zarray, 0, sizeof(env->zarray)); 6986 } 6987 6988 if (tcg_enabled()) { 6989 arm_rebuild_hflags(env); 6990 } 6991 } 6992 6993 static void svcr_write(CPUARMState *env, const ARMCPRegInfo *ri, 6994 uint64_t value) 6995 { 6996 aarch64_set_svcr(env, value, -1); 6997 } 6998 6999 static void smcr_write(CPUARMState *env, const ARMCPRegInfo *ri, 7000 uint64_t value) 7001 { 7002 int cur_el = arm_current_el(env); 7003 int old_len = sve_vqm1_for_el(env, cur_el); 7004 int new_len; 7005 7006 QEMU_BUILD_BUG_ON(ARM_MAX_VQ > R_SMCR_LEN_MASK + 1); 7007 value &= R_SMCR_LEN_MASK | R_SMCR_FA64_MASK; 7008 raw_write(env, ri, value); 7009 7010 /* 7011 * Note that it is CONSTRAINED UNPREDICTABLE what happens to ZA storage 7012 * when SVL is widened (old values kept, or zeros). Choose to keep the 7013 * current values for simplicity. But for QEMU internals, we must still 7014 * apply the narrower SVL to the Zregs and Pregs -- see the comment 7015 * above aarch64_sve_narrow_vq. 7016 */ 7017 new_len = sve_vqm1_for_el(env, cur_el); 7018 if (new_len < old_len) { 7019 aarch64_sve_narrow_vq(env, new_len + 1); 7020 } 7021 } 7022 7023 static const ARMCPRegInfo sme_reginfo[] = { 7024 { .name = "TPIDR2_EL0", .state = ARM_CP_STATE_AA64, 7025 .opc0 = 3, .opc1 = 3, .crn = 13, .crm = 0, .opc2 = 5, 7026 .access = PL0_RW, .accessfn = access_tpidr2, 7027 .fgt = FGT_NTPIDR2_EL0, 7028 .fieldoffset = offsetof(CPUARMState, cp15.tpidr2_el0) }, 7029 { .name = "SVCR", .state = ARM_CP_STATE_AA64, 7030 .opc0 = 3, .opc1 = 3, .crn = 4, .crm = 2, .opc2 = 2, 7031 .access = PL0_RW, .type = ARM_CP_SME, 7032 .fieldoffset = offsetof(CPUARMState, svcr), 7033 .writefn = svcr_write, .raw_writefn = raw_write }, 7034 { .name = "SMCR_EL1", .state = ARM_CP_STATE_AA64, 7035 .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 6, 7036 .access = PL1_RW, .type = ARM_CP_SME, 7037 .fieldoffset = offsetof(CPUARMState, vfp.smcr_el[1]), 7038 .writefn = smcr_write, .raw_writefn = raw_write }, 7039 { .name = "SMCR_EL2", .state = ARM_CP_STATE_AA64, 7040 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 6, 7041 .access = PL2_RW, .type = ARM_CP_SME, 7042 .fieldoffset = offsetof(CPUARMState, vfp.smcr_el[2]), 7043 .writefn = smcr_write, .raw_writefn = raw_write }, 7044 { .name = "SMCR_EL3", .state = ARM_CP_STATE_AA64, 7045 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 2, .opc2 = 6, 7046 .access = PL3_RW, .type = ARM_CP_SME, 7047 .fieldoffset = offsetof(CPUARMState, vfp.smcr_el[3]), 7048 .writefn = smcr_write, .raw_writefn = raw_write }, 7049 { .name = "SMIDR_EL1", .state = ARM_CP_STATE_AA64, 7050 .opc0 = 3, .opc1 = 1, .crn = 0, .crm = 0, .opc2 = 6, 7051 .access = PL1_R, .accessfn = access_aa64_tid1, 7052 /* 7053 * IMPLEMENTOR = 0 (software) 7054 * REVISION = 0 (implementation defined) 7055 * SMPS = 0 (no streaming execution priority in QEMU) 7056 * AFFINITY = 0 (streaming sve mode not shared with other PEs) 7057 */ 7058 .type = ARM_CP_CONST, .resetvalue = 0, }, 7059 /* 7060 * Because SMIDR_EL1.SMPS is 0, SMPRI_EL1 and SMPRIMAP_EL2 are RES 0. 7061 */ 7062 { .name = "SMPRI_EL1", .state = ARM_CP_STATE_AA64, 7063 .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 4, 7064 .access = PL1_RW, .accessfn = access_esm, 7065 .fgt = FGT_NSMPRI_EL1, 7066 .type = ARM_CP_CONST, .resetvalue = 0 }, 7067 { .name = "SMPRIMAP_EL2", .state = ARM_CP_STATE_AA64, 7068 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 5, 7069 .access = PL2_RW, .accessfn = access_esm, 7070 .type = ARM_CP_CONST, .resetvalue = 0 }, 7071 }; 7072 7073 static void tlbi_aa64_paall_write(CPUARMState *env, const ARMCPRegInfo *ri, 7074 uint64_t value) 7075 { 7076 CPUState *cs = env_cpu(env); 7077 7078 tlb_flush(cs); 7079 } 7080 7081 static void gpccr_write(CPUARMState *env, const ARMCPRegInfo *ri, 7082 uint64_t value) 7083 { 7084 /* L0GPTSZ is RO; other bits not mentioned are RES0. */ 7085 uint64_t rw_mask = R_GPCCR_PPS_MASK | R_GPCCR_IRGN_MASK | 7086 R_GPCCR_ORGN_MASK | R_GPCCR_SH_MASK | R_GPCCR_PGS_MASK | 7087 R_GPCCR_GPC_MASK | R_GPCCR_GPCP_MASK; 7088 7089 env->cp15.gpccr_el3 = (value & rw_mask) | (env->cp15.gpccr_el3 & ~rw_mask); 7090 } 7091 7092 static void gpccr_reset(CPUARMState *env, const ARMCPRegInfo *ri) 7093 { 7094 env->cp15.gpccr_el3 = FIELD_DP64(0, GPCCR, L0GPTSZ, 7095 env_archcpu(env)->reset_l0gptsz); 7096 } 7097 7098 static void tlbi_aa64_paallos_write(CPUARMState *env, const ARMCPRegInfo *ri, 7099 uint64_t value) 7100 { 7101 CPUState *cs = env_cpu(env); 7102 7103 tlb_flush_all_cpus_synced(cs); 7104 } 7105 7106 static const ARMCPRegInfo rme_reginfo[] = { 7107 { .name = "GPCCR_EL3", .state = ARM_CP_STATE_AA64, 7108 .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 1, .opc2 = 6, 7109 .access = PL3_RW, .writefn = gpccr_write, .resetfn = gpccr_reset, 7110 .fieldoffset = offsetof(CPUARMState, cp15.gpccr_el3) }, 7111 { .name = "GPTBR_EL3", .state = ARM_CP_STATE_AA64, 7112 .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 1, .opc2 = 4, 7113 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.gptbr_el3) }, 7114 { .name = "MFAR_EL3", .state = ARM_CP_STATE_AA64, 7115 .opc0 = 3, .opc1 = 6, .crn = 6, .crm = 0, .opc2 = 5, 7116 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.mfar_el3) }, 7117 { .name = "TLBI_PAALL", .state = ARM_CP_STATE_AA64, 7118 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 7, .opc2 = 4, 7119 .access = PL3_W, .type = ARM_CP_NO_RAW, 7120 .writefn = tlbi_aa64_paall_write }, 7121 { .name = "TLBI_PAALLOS", .state = ARM_CP_STATE_AA64, 7122 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 1, .opc2 = 4, 7123 .access = PL3_W, .type = ARM_CP_NO_RAW, 7124 .writefn = tlbi_aa64_paallos_write }, 7125 /* 7126 * QEMU does not have a way to invalidate by physical address, thus 7127 * invalidating a range of physical addresses is accomplished by 7128 * flushing all tlb entries in the outer shareable domain, 7129 * just like PAALLOS. 7130 */ 7131 { .name = "TLBI_RPALOS", .state = ARM_CP_STATE_AA64, 7132 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 4, .opc2 = 7, 7133 .access = PL3_W, .type = ARM_CP_NO_RAW, 7134 .writefn = tlbi_aa64_paallos_write }, 7135 { .name = "TLBI_RPAOS", .state = ARM_CP_STATE_AA64, 7136 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 4, .opc2 = 3, 7137 .access = PL3_W, .type = ARM_CP_NO_RAW, 7138 .writefn = tlbi_aa64_paallos_write }, 7139 { .name = "DC_CIPAPA", .state = ARM_CP_STATE_AA64, 7140 .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 14, .opc2 = 1, 7141 .access = PL3_W, .type = ARM_CP_NOP }, 7142 }; 7143 7144 static const ARMCPRegInfo rme_mte_reginfo[] = { 7145 { .name = "DC_CIGDPAPA", .state = ARM_CP_STATE_AA64, 7146 .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 14, .opc2 = 5, 7147 .access = PL3_W, .type = ARM_CP_NOP }, 7148 }; 7149 #endif /* TARGET_AARCH64 */ 7150 7151 static void define_pmu_regs(ARMCPU *cpu) 7152 { 7153 /* 7154 * v7 performance monitor control register: same implementor 7155 * field as main ID register, and we implement four counters in 7156 * addition to the cycle count register. 7157 */ 7158 unsigned int i, pmcrn = pmu_num_counters(&cpu->env); 7159 ARMCPRegInfo pmcr = { 7160 .name = "PMCR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 0, 7161 .access = PL0_RW, 7162 .fgt = FGT_PMCR_EL0, 7163 .type = ARM_CP_IO | ARM_CP_ALIAS, 7164 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcr), 7165 .accessfn = pmreg_access, .writefn = pmcr_write, 7166 .raw_writefn = raw_write, 7167 }; 7168 ARMCPRegInfo pmcr64 = { 7169 .name = "PMCR_EL0", .state = ARM_CP_STATE_AA64, 7170 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 0, 7171 .access = PL0_RW, .accessfn = pmreg_access, 7172 .fgt = FGT_PMCR_EL0, 7173 .type = ARM_CP_IO, 7174 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr), 7175 .resetvalue = cpu->isar.reset_pmcr_el0, 7176 .writefn = pmcr_write, .raw_writefn = raw_write, 7177 }; 7178 7179 define_one_arm_cp_reg(cpu, &pmcr); 7180 define_one_arm_cp_reg(cpu, &pmcr64); 7181 for (i = 0; i < pmcrn; i++) { 7182 char *pmevcntr_name = g_strdup_printf("PMEVCNTR%d", i); 7183 char *pmevcntr_el0_name = g_strdup_printf("PMEVCNTR%d_EL0", i); 7184 char *pmevtyper_name = g_strdup_printf("PMEVTYPER%d", i); 7185 char *pmevtyper_el0_name = g_strdup_printf("PMEVTYPER%d_EL0", i); 7186 ARMCPRegInfo pmev_regs[] = { 7187 { .name = pmevcntr_name, .cp = 15, .crn = 14, 7188 .crm = 8 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7, 7189 .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS, 7190 .fgt = FGT_PMEVCNTRN_EL0, 7191 .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn, 7192 .accessfn = pmreg_access_xevcntr }, 7193 { .name = pmevcntr_el0_name, .state = ARM_CP_STATE_AA64, 7194 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 8 | (3 & (i >> 3)), 7195 .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access_xevcntr, 7196 .type = ARM_CP_IO, 7197 .fgt = FGT_PMEVCNTRN_EL0, 7198 .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn, 7199 .raw_readfn = pmevcntr_rawread, 7200 .raw_writefn = pmevcntr_rawwrite }, 7201 { .name = pmevtyper_name, .cp = 15, .crn = 14, 7202 .crm = 12 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7, 7203 .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS, 7204 .fgt = FGT_PMEVTYPERN_EL0, 7205 .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn, 7206 .accessfn = pmreg_access }, 7207 { .name = pmevtyper_el0_name, .state = ARM_CP_STATE_AA64, 7208 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 12 | (3 & (i >> 3)), 7209 .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access, 7210 .fgt = FGT_PMEVTYPERN_EL0, 7211 .type = ARM_CP_IO, 7212 .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn, 7213 .raw_writefn = pmevtyper_rawwrite }, 7214 }; 7215 define_arm_cp_regs(cpu, pmev_regs); 7216 g_free(pmevcntr_name); 7217 g_free(pmevcntr_el0_name); 7218 g_free(pmevtyper_name); 7219 g_free(pmevtyper_el0_name); 7220 } 7221 if (cpu_isar_feature(aa32_pmuv3p1, cpu)) { 7222 ARMCPRegInfo v81_pmu_regs[] = { 7223 { .name = "PMCEID2", .state = ARM_CP_STATE_AA32, 7224 .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 4, 7225 .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST, 7226 .fgt = FGT_PMCEIDN_EL0, 7227 .resetvalue = extract64(cpu->pmceid0, 32, 32) }, 7228 { .name = "PMCEID3", .state = ARM_CP_STATE_AA32, 7229 .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 5, 7230 .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST, 7231 .fgt = FGT_PMCEIDN_EL0, 7232 .resetvalue = extract64(cpu->pmceid1, 32, 32) }, 7233 }; 7234 define_arm_cp_regs(cpu, v81_pmu_regs); 7235 } 7236 if (cpu_isar_feature(any_pmuv3p4, cpu)) { 7237 static const ARMCPRegInfo v84_pmmir = { 7238 .name = "PMMIR_EL1", .state = ARM_CP_STATE_BOTH, 7239 .opc0 = 3, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 6, 7240 .access = PL1_R, .accessfn = pmreg_access, .type = ARM_CP_CONST, 7241 .fgt = FGT_PMMIR_EL1, 7242 .resetvalue = 0 7243 }; 7244 define_one_arm_cp_reg(cpu, &v84_pmmir); 7245 } 7246 } 7247 7248 #ifndef CONFIG_USER_ONLY 7249 /* 7250 * We don't know until after realize whether there's a GICv3 7251 * attached, and that is what registers the gicv3 sysregs. 7252 * So we have to fill in the GIC fields in ID_PFR/ID_PFR1_EL1/ID_AA64PFR0_EL1 7253 * at runtime. 7254 */ 7255 static uint64_t id_pfr1_read(CPUARMState *env, const ARMCPRegInfo *ri) 7256 { 7257 ARMCPU *cpu = env_archcpu(env); 7258 uint64_t pfr1 = cpu->isar.id_pfr1; 7259 7260 if (env->gicv3state) { 7261 pfr1 |= 1 << 28; 7262 } 7263 return pfr1; 7264 } 7265 7266 static uint64_t id_aa64pfr0_read(CPUARMState *env, const ARMCPRegInfo *ri) 7267 { 7268 ARMCPU *cpu = env_archcpu(env); 7269 uint64_t pfr0 = cpu->isar.id_aa64pfr0; 7270 7271 if (env->gicv3state) { 7272 pfr0 |= 1 << 24; 7273 } 7274 return pfr0; 7275 } 7276 #endif 7277 7278 /* 7279 * Shared logic between LORID and the rest of the LOR* registers. 7280 * Secure state exclusion has already been dealt with. 7281 */ 7282 static CPAccessResult access_lor_ns(CPUARMState *env, 7283 const ARMCPRegInfo *ri, bool isread) 7284 { 7285 int el = arm_current_el(env); 7286 7287 if (el < 2 && (arm_hcr_el2_eff(env) & HCR_TLOR)) { 7288 return CP_ACCESS_TRAP_EL2; 7289 } 7290 if (el < 3 && (env->cp15.scr_el3 & SCR_TLOR)) { 7291 return CP_ACCESS_TRAP_EL3; 7292 } 7293 return CP_ACCESS_OK; 7294 } 7295 7296 static CPAccessResult access_lor_other(CPUARMState *env, 7297 const ARMCPRegInfo *ri, bool isread) 7298 { 7299 if (arm_is_secure_below_el3(env)) { 7300 /* Access denied in secure mode. */ 7301 return CP_ACCESS_TRAP; 7302 } 7303 return access_lor_ns(env, ri, isread); 7304 } 7305 7306 /* 7307 * A trivial implementation of ARMv8.1-LOR leaves all of these 7308 * registers fixed at 0, which indicates that there are zero 7309 * supported Limited Ordering regions. 7310 */ 7311 static const ARMCPRegInfo lor_reginfo[] = { 7312 { .name = "LORSA_EL1", .state = ARM_CP_STATE_AA64, 7313 .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 0, 7314 .access = PL1_RW, .accessfn = access_lor_other, 7315 .fgt = FGT_LORSA_EL1, 7316 .type = ARM_CP_CONST, .resetvalue = 0 }, 7317 { .name = "LOREA_EL1", .state = ARM_CP_STATE_AA64, 7318 .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 1, 7319 .access = PL1_RW, .accessfn = access_lor_other, 7320 .fgt = FGT_LOREA_EL1, 7321 .type = ARM_CP_CONST, .resetvalue = 0 }, 7322 { .name = "LORN_EL1", .state = ARM_CP_STATE_AA64, 7323 .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 2, 7324 .access = PL1_RW, .accessfn = access_lor_other, 7325 .fgt = FGT_LORN_EL1, 7326 .type = ARM_CP_CONST, .resetvalue = 0 }, 7327 { .name = "LORC_EL1", .state = ARM_CP_STATE_AA64, 7328 .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 3, 7329 .access = PL1_RW, .accessfn = access_lor_other, 7330 .fgt = FGT_LORC_EL1, 7331 .type = ARM_CP_CONST, .resetvalue = 0 }, 7332 { .name = "LORID_EL1", .state = ARM_CP_STATE_AA64, 7333 .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 7, 7334 .access = PL1_R, .accessfn = access_lor_ns, 7335 .fgt = FGT_LORID_EL1, 7336 .type = ARM_CP_CONST, .resetvalue = 0 }, 7337 }; 7338 7339 #ifdef TARGET_AARCH64 7340 static CPAccessResult access_pauth(CPUARMState *env, const ARMCPRegInfo *ri, 7341 bool isread) 7342 { 7343 int el = arm_current_el(env); 7344 7345 if (el < 2 && 7346 arm_is_el2_enabled(env) && 7347 !(arm_hcr_el2_eff(env) & HCR_APK)) { 7348 return CP_ACCESS_TRAP_EL2; 7349 } 7350 if (el < 3 && 7351 arm_feature(env, ARM_FEATURE_EL3) && 7352 !(env->cp15.scr_el3 & SCR_APK)) { 7353 return CP_ACCESS_TRAP_EL3; 7354 } 7355 return CP_ACCESS_OK; 7356 } 7357 7358 static const ARMCPRegInfo pauth_reginfo[] = { 7359 { .name = "APDAKEYLO_EL1", .state = ARM_CP_STATE_AA64, 7360 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 2, .opc2 = 0, 7361 .access = PL1_RW, .accessfn = access_pauth, 7362 .fgt = FGT_APDAKEY, 7363 .fieldoffset = offsetof(CPUARMState, keys.apda.lo) }, 7364 { .name = "APDAKEYHI_EL1", .state = ARM_CP_STATE_AA64, 7365 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 2, .opc2 = 1, 7366 .access = PL1_RW, .accessfn = access_pauth, 7367 .fgt = FGT_APDAKEY, 7368 .fieldoffset = offsetof(CPUARMState, keys.apda.hi) }, 7369 { .name = "APDBKEYLO_EL1", .state = ARM_CP_STATE_AA64, 7370 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 2, .opc2 = 2, 7371 .access = PL1_RW, .accessfn = access_pauth, 7372 .fgt = FGT_APDBKEY, 7373 .fieldoffset = offsetof(CPUARMState, keys.apdb.lo) }, 7374 { .name = "APDBKEYHI_EL1", .state = ARM_CP_STATE_AA64, 7375 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 2, .opc2 = 3, 7376 .access = PL1_RW, .accessfn = access_pauth, 7377 .fgt = FGT_APDBKEY, 7378 .fieldoffset = offsetof(CPUARMState, keys.apdb.hi) }, 7379 { .name = "APGAKEYLO_EL1", .state = ARM_CP_STATE_AA64, 7380 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 3, .opc2 = 0, 7381 .access = PL1_RW, .accessfn = access_pauth, 7382 .fgt = FGT_APGAKEY, 7383 .fieldoffset = offsetof(CPUARMState, keys.apga.lo) }, 7384 { .name = "APGAKEYHI_EL1", .state = ARM_CP_STATE_AA64, 7385 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 3, .opc2 = 1, 7386 .access = PL1_RW, .accessfn = access_pauth, 7387 .fgt = FGT_APGAKEY, 7388 .fieldoffset = offsetof(CPUARMState, keys.apga.hi) }, 7389 { .name = "APIAKEYLO_EL1", .state = ARM_CP_STATE_AA64, 7390 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 0, 7391 .access = PL1_RW, .accessfn = access_pauth, 7392 .fgt = FGT_APIAKEY, 7393 .fieldoffset = offsetof(CPUARMState, keys.apia.lo) }, 7394 { .name = "APIAKEYHI_EL1", .state = ARM_CP_STATE_AA64, 7395 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 1, 7396 .access = PL1_RW, .accessfn = access_pauth, 7397 .fgt = FGT_APIAKEY, 7398 .fieldoffset = offsetof(CPUARMState, keys.apia.hi) }, 7399 { .name = "APIBKEYLO_EL1", .state = ARM_CP_STATE_AA64, 7400 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 2, 7401 .access = PL1_RW, .accessfn = access_pauth, 7402 .fgt = FGT_APIBKEY, 7403 .fieldoffset = offsetof(CPUARMState, keys.apib.lo) }, 7404 { .name = "APIBKEYHI_EL1", .state = ARM_CP_STATE_AA64, 7405 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 3, 7406 .access = PL1_RW, .accessfn = access_pauth, 7407 .fgt = FGT_APIBKEY, 7408 .fieldoffset = offsetof(CPUARMState, keys.apib.hi) }, 7409 }; 7410 7411 static const ARMCPRegInfo tlbirange_reginfo[] = { 7412 { .name = "TLBI_RVAE1IS", .state = ARM_CP_STATE_AA64, 7413 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 2, .opc2 = 1, 7414 .access = PL1_W, .accessfn = access_ttlbis, .type = ARM_CP_NO_RAW, 7415 .fgt = FGT_TLBIRVAE1IS, 7416 .writefn = tlbi_aa64_rvae1is_write }, 7417 { .name = "TLBI_RVAAE1IS", .state = ARM_CP_STATE_AA64, 7418 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 2, .opc2 = 3, 7419 .access = PL1_W, .accessfn = access_ttlbis, .type = ARM_CP_NO_RAW, 7420 .fgt = FGT_TLBIRVAAE1IS, 7421 .writefn = tlbi_aa64_rvae1is_write }, 7422 { .name = "TLBI_RVALE1IS", .state = ARM_CP_STATE_AA64, 7423 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 2, .opc2 = 5, 7424 .access = PL1_W, .accessfn = access_ttlbis, .type = ARM_CP_NO_RAW, 7425 .fgt = FGT_TLBIRVALE1IS, 7426 .writefn = tlbi_aa64_rvae1is_write }, 7427 { .name = "TLBI_RVAALE1IS", .state = ARM_CP_STATE_AA64, 7428 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 2, .opc2 = 7, 7429 .access = PL1_W, .accessfn = access_ttlbis, .type = ARM_CP_NO_RAW, 7430 .fgt = FGT_TLBIRVAALE1IS, 7431 .writefn = tlbi_aa64_rvae1is_write }, 7432 { .name = "TLBI_RVAE1OS", .state = ARM_CP_STATE_AA64, 7433 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 1, 7434 .access = PL1_W, .accessfn = access_ttlbos, .type = ARM_CP_NO_RAW, 7435 .fgt = FGT_TLBIRVAE1OS, 7436 .writefn = tlbi_aa64_rvae1is_write }, 7437 { .name = "TLBI_RVAAE1OS", .state = ARM_CP_STATE_AA64, 7438 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 3, 7439 .access = PL1_W, .accessfn = access_ttlbos, .type = ARM_CP_NO_RAW, 7440 .fgt = FGT_TLBIRVAAE1OS, 7441 .writefn = tlbi_aa64_rvae1is_write }, 7442 { .name = "TLBI_RVALE1OS", .state = ARM_CP_STATE_AA64, 7443 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 5, 7444 .access = PL1_W, .accessfn = access_ttlbos, .type = ARM_CP_NO_RAW, 7445 .fgt = FGT_TLBIRVALE1OS, 7446 .writefn = tlbi_aa64_rvae1is_write }, 7447 { .name = "TLBI_RVAALE1OS", .state = ARM_CP_STATE_AA64, 7448 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 7, 7449 .access = PL1_W, .accessfn = access_ttlbos, .type = ARM_CP_NO_RAW, 7450 .fgt = FGT_TLBIRVAALE1OS, 7451 .writefn = tlbi_aa64_rvae1is_write }, 7452 { .name = "TLBI_RVAE1", .state = ARM_CP_STATE_AA64, 7453 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 1, 7454 .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, 7455 .fgt = FGT_TLBIRVAE1, 7456 .writefn = tlbi_aa64_rvae1_write }, 7457 { .name = "TLBI_RVAAE1", .state = ARM_CP_STATE_AA64, 7458 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 3, 7459 .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, 7460 .fgt = FGT_TLBIRVAAE1, 7461 .writefn = tlbi_aa64_rvae1_write }, 7462 { .name = "TLBI_RVALE1", .state = ARM_CP_STATE_AA64, 7463 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 5, 7464 .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, 7465 .fgt = FGT_TLBIRVALE1, 7466 .writefn = tlbi_aa64_rvae1_write }, 7467 { .name = "TLBI_RVAALE1", .state = ARM_CP_STATE_AA64, 7468 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 7, 7469 .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, 7470 .fgt = FGT_TLBIRVAALE1, 7471 .writefn = tlbi_aa64_rvae1_write }, 7472 { .name = "TLBI_RIPAS2E1IS", .state = ARM_CP_STATE_AA64, 7473 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 2, 7474 .access = PL2_W, .type = ARM_CP_NO_RAW, 7475 .writefn = tlbi_aa64_ripas2e1is_write }, 7476 { .name = "TLBI_RIPAS2LE1IS", .state = ARM_CP_STATE_AA64, 7477 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 6, 7478 .access = PL2_W, .type = ARM_CP_NO_RAW, 7479 .writefn = tlbi_aa64_ripas2e1is_write }, 7480 { .name = "TLBI_RVAE2IS", .state = ARM_CP_STATE_AA64, 7481 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 2, .opc2 = 1, 7482 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 7483 .writefn = tlbi_aa64_rvae2is_write }, 7484 { .name = "TLBI_RVALE2IS", .state = ARM_CP_STATE_AA64, 7485 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 2, .opc2 = 5, 7486 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 7487 .writefn = tlbi_aa64_rvae2is_write }, 7488 { .name = "TLBI_RIPAS2E1", .state = ARM_CP_STATE_AA64, 7489 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 2, 7490 .access = PL2_W, .type = ARM_CP_NO_RAW, 7491 .writefn = tlbi_aa64_ripas2e1_write }, 7492 { .name = "TLBI_RIPAS2LE1", .state = ARM_CP_STATE_AA64, 7493 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 6, 7494 .access = PL2_W, .type = ARM_CP_NO_RAW, 7495 .writefn = tlbi_aa64_ripas2e1_write }, 7496 { .name = "TLBI_RVAE2OS", .state = ARM_CP_STATE_AA64, 7497 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 5, .opc2 = 1, 7498 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 7499 .writefn = tlbi_aa64_rvae2is_write }, 7500 { .name = "TLBI_RVALE2OS", .state = ARM_CP_STATE_AA64, 7501 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 5, .opc2 = 5, 7502 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 7503 .writefn = tlbi_aa64_rvae2is_write }, 7504 { .name = "TLBI_RVAE2", .state = ARM_CP_STATE_AA64, 7505 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 6, .opc2 = 1, 7506 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 7507 .writefn = tlbi_aa64_rvae2_write }, 7508 { .name = "TLBI_RVALE2", .state = ARM_CP_STATE_AA64, 7509 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 6, .opc2 = 5, 7510 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 7511 .writefn = tlbi_aa64_rvae2_write }, 7512 { .name = "TLBI_RVAE3IS", .state = ARM_CP_STATE_AA64, 7513 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 2, .opc2 = 1, 7514 .access = PL3_W, .type = ARM_CP_NO_RAW, 7515 .writefn = tlbi_aa64_rvae3is_write }, 7516 { .name = "TLBI_RVALE3IS", .state = ARM_CP_STATE_AA64, 7517 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 2, .opc2 = 5, 7518 .access = PL3_W, .type = ARM_CP_NO_RAW, 7519 .writefn = tlbi_aa64_rvae3is_write }, 7520 { .name = "TLBI_RVAE3OS", .state = ARM_CP_STATE_AA64, 7521 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 5, .opc2 = 1, 7522 .access = PL3_W, .type = ARM_CP_NO_RAW, 7523 .writefn = tlbi_aa64_rvae3is_write }, 7524 { .name = "TLBI_RVALE3OS", .state = ARM_CP_STATE_AA64, 7525 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 5, .opc2 = 5, 7526 .access = PL3_W, .type = ARM_CP_NO_RAW, 7527 .writefn = tlbi_aa64_rvae3is_write }, 7528 { .name = "TLBI_RVAE3", .state = ARM_CP_STATE_AA64, 7529 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 6, .opc2 = 1, 7530 .access = PL3_W, .type = ARM_CP_NO_RAW, 7531 .writefn = tlbi_aa64_rvae3_write }, 7532 { .name = "TLBI_RVALE3", .state = ARM_CP_STATE_AA64, 7533 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 6, .opc2 = 5, 7534 .access = PL3_W, .type = ARM_CP_NO_RAW, 7535 .writefn = tlbi_aa64_rvae3_write }, 7536 }; 7537 7538 static const ARMCPRegInfo tlbios_reginfo[] = { 7539 { .name = "TLBI_VMALLE1OS", .state = ARM_CP_STATE_AA64, 7540 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 1, .opc2 = 0, 7541 .access = PL1_W, .accessfn = access_ttlbos, .type = ARM_CP_NO_RAW, 7542 .fgt = FGT_TLBIVMALLE1OS, 7543 .writefn = tlbi_aa64_vmalle1is_write }, 7544 { .name = "TLBI_VAE1OS", .state = ARM_CP_STATE_AA64, 7545 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 1, .opc2 = 1, 7546 .fgt = FGT_TLBIVAE1OS, 7547 .access = PL1_W, .accessfn = access_ttlbos, .type = ARM_CP_NO_RAW, 7548 .writefn = tlbi_aa64_vae1is_write }, 7549 { .name = "TLBI_ASIDE1OS", .state = ARM_CP_STATE_AA64, 7550 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 1, .opc2 = 2, 7551 .access = PL1_W, .accessfn = access_ttlbos, .type = ARM_CP_NO_RAW, 7552 .fgt = FGT_TLBIASIDE1OS, 7553 .writefn = tlbi_aa64_vmalle1is_write }, 7554 { .name = "TLBI_VAAE1OS", .state = ARM_CP_STATE_AA64, 7555 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 1, .opc2 = 3, 7556 .access = PL1_W, .accessfn = access_ttlbos, .type = ARM_CP_NO_RAW, 7557 .fgt = FGT_TLBIVAAE1OS, 7558 .writefn = tlbi_aa64_vae1is_write }, 7559 { .name = "TLBI_VALE1OS", .state = ARM_CP_STATE_AA64, 7560 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 1, .opc2 = 5, 7561 .access = PL1_W, .accessfn = access_ttlbos, .type = ARM_CP_NO_RAW, 7562 .fgt = FGT_TLBIVALE1OS, 7563 .writefn = tlbi_aa64_vae1is_write }, 7564 { .name = "TLBI_VAALE1OS", .state = ARM_CP_STATE_AA64, 7565 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 1, .opc2 = 7, 7566 .access = PL1_W, .accessfn = access_ttlbos, .type = ARM_CP_NO_RAW, 7567 .fgt = FGT_TLBIVAALE1OS, 7568 .writefn = tlbi_aa64_vae1is_write }, 7569 { .name = "TLBI_ALLE2OS", .state = ARM_CP_STATE_AA64, 7570 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 0, 7571 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 7572 .writefn = tlbi_aa64_alle2is_write }, 7573 { .name = "TLBI_VAE2OS", .state = ARM_CP_STATE_AA64, 7574 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 1, 7575 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 7576 .writefn = tlbi_aa64_vae2is_write }, 7577 { .name = "TLBI_ALLE1OS", .state = ARM_CP_STATE_AA64, 7578 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 4, 7579 .access = PL2_W, .type = ARM_CP_NO_RAW, 7580 .writefn = tlbi_aa64_alle1is_write }, 7581 { .name = "TLBI_VALE2OS", .state = ARM_CP_STATE_AA64, 7582 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 5, 7583 .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF, 7584 .writefn = tlbi_aa64_vae2is_write }, 7585 { .name = "TLBI_VMALLS12E1OS", .state = ARM_CP_STATE_AA64, 7586 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 6, 7587 .access = PL2_W, .type = ARM_CP_NO_RAW, 7588 .writefn = tlbi_aa64_alle1is_write }, 7589 { .name = "TLBI_IPAS2E1OS", .state = ARM_CP_STATE_AA64, 7590 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 0, 7591 .access = PL2_W, .type = ARM_CP_NOP }, 7592 { .name = "TLBI_RIPAS2E1OS", .state = ARM_CP_STATE_AA64, 7593 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 3, 7594 .access = PL2_W, .type = ARM_CP_NOP }, 7595 { .name = "TLBI_IPAS2LE1OS", .state = ARM_CP_STATE_AA64, 7596 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 4, 7597 .access = PL2_W, .type = ARM_CP_NOP }, 7598 { .name = "TLBI_RIPAS2LE1OS", .state = ARM_CP_STATE_AA64, 7599 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 7, 7600 .access = PL2_W, .type = ARM_CP_NOP }, 7601 { .name = "TLBI_ALLE3OS", .state = ARM_CP_STATE_AA64, 7602 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 1, .opc2 = 0, 7603 .access = PL3_W, .type = ARM_CP_NO_RAW, 7604 .writefn = tlbi_aa64_alle3is_write }, 7605 { .name = "TLBI_VAE3OS", .state = ARM_CP_STATE_AA64, 7606 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 1, .opc2 = 1, 7607 .access = PL3_W, .type = ARM_CP_NO_RAW, 7608 .writefn = tlbi_aa64_vae3is_write }, 7609 { .name = "TLBI_VALE3OS", .state = ARM_CP_STATE_AA64, 7610 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 1, .opc2 = 5, 7611 .access = PL3_W, .type = ARM_CP_NO_RAW, 7612 .writefn = tlbi_aa64_vae3is_write }, 7613 }; 7614 7615 static uint64_t rndr_readfn(CPUARMState *env, const ARMCPRegInfo *ri) 7616 { 7617 Error *err = NULL; 7618 uint64_t ret; 7619 7620 /* Success sets NZCV = 0000. */ 7621 env->NF = env->CF = env->VF = 0, env->ZF = 1; 7622 7623 if (qemu_guest_getrandom(&ret, sizeof(ret), &err) < 0) { 7624 /* 7625 * ??? Failed, for unknown reasons in the crypto subsystem. 7626 * The best we can do is log the reason and return the 7627 * timed-out indication to the guest. There is no reason 7628 * we know to expect this failure to be transitory, so the 7629 * guest may well hang retrying the operation. 7630 */ 7631 qemu_log_mask(LOG_UNIMP, "%s: Crypto failure: %s", 7632 ri->name, error_get_pretty(err)); 7633 error_free(err); 7634 7635 env->ZF = 0; /* NZCF = 0100 */ 7636 return 0; 7637 } 7638 return ret; 7639 } 7640 7641 /* We do not support re-seeding, so the two registers operate the same. */ 7642 static const ARMCPRegInfo rndr_reginfo[] = { 7643 { .name = "RNDR", .state = ARM_CP_STATE_AA64, 7644 .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END | ARM_CP_IO, 7645 .opc0 = 3, .opc1 = 3, .crn = 2, .crm = 4, .opc2 = 0, 7646 .access = PL0_R, .readfn = rndr_readfn }, 7647 { .name = "RNDRRS", .state = ARM_CP_STATE_AA64, 7648 .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END | ARM_CP_IO, 7649 .opc0 = 3, .opc1 = 3, .crn = 2, .crm = 4, .opc2 = 1, 7650 .access = PL0_R, .readfn = rndr_readfn }, 7651 }; 7652 7653 static void dccvap_writefn(CPUARMState *env, const ARMCPRegInfo *opaque, 7654 uint64_t value) 7655 { 7656 ARMCPU *cpu = env_archcpu(env); 7657 /* CTR_EL0 System register -> DminLine, bits [19:16] */ 7658 uint64_t dline_size = 4 << ((cpu->ctr >> 16) & 0xF); 7659 uint64_t vaddr_in = (uint64_t) value; 7660 uint64_t vaddr = vaddr_in & ~(dline_size - 1); 7661 void *haddr; 7662 int mem_idx = cpu_mmu_index(env, false); 7663 7664 /* This won't be crossing page boundaries */ 7665 haddr = probe_read(env, vaddr, dline_size, mem_idx, GETPC()); 7666 if (haddr) { 7667 #ifndef CONFIG_USER_ONLY 7668 7669 ram_addr_t offset; 7670 MemoryRegion *mr; 7671 7672 /* RCU lock is already being held */ 7673 mr = memory_region_from_host(haddr, &offset); 7674 7675 if (mr) { 7676 memory_region_writeback(mr, offset, dline_size); 7677 } 7678 #endif /*CONFIG_USER_ONLY*/ 7679 } 7680 } 7681 7682 static const ARMCPRegInfo dcpop_reg[] = { 7683 { .name = "DC_CVAP", .state = ARM_CP_STATE_AA64, 7684 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 12, .opc2 = 1, 7685 .access = PL0_W, .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END, 7686 .fgt = FGT_DCCVAP, 7687 .accessfn = aa64_cacheop_poc_access, .writefn = dccvap_writefn }, 7688 }; 7689 7690 static const ARMCPRegInfo dcpodp_reg[] = { 7691 { .name = "DC_CVADP", .state = ARM_CP_STATE_AA64, 7692 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 13, .opc2 = 1, 7693 .access = PL0_W, .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END, 7694 .fgt = FGT_DCCVADP, 7695 .accessfn = aa64_cacheop_poc_access, .writefn = dccvap_writefn }, 7696 }; 7697 7698 static CPAccessResult access_aa64_tid5(CPUARMState *env, const ARMCPRegInfo *ri, 7699 bool isread) 7700 { 7701 if ((arm_current_el(env) < 2) && (arm_hcr_el2_eff(env) & HCR_TID5)) { 7702 return CP_ACCESS_TRAP_EL2; 7703 } 7704 7705 return CP_ACCESS_OK; 7706 } 7707 7708 static CPAccessResult access_mte(CPUARMState *env, const ARMCPRegInfo *ri, 7709 bool isread) 7710 { 7711 int el = arm_current_el(env); 7712 7713 if (el < 2 && arm_is_el2_enabled(env)) { 7714 uint64_t hcr = arm_hcr_el2_eff(env); 7715 if (!(hcr & HCR_ATA) && (!(hcr & HCR_E2H) || !(hcr & HCR_TGE))) { 7716 return CP_ACCESS_TRAP_EL2; 7717 } 7718 } 7719 if (el < 3 && 7720 arm_feature(env, ARM_FEATURE_EL3) && 7721 !(env->cp15.scr_el3 & SCR_ATA)) { 7722 return CP_ACCESS_TRAP_EL3; 7723 } 7724 return CP_ACCESS_OK; 7725 } 7726 7727 static uint64_t tco_read(CPUARMState *env, const ARMCPRegInfo *ri) 7728 { 7729 return env->pstate & PSTATE_TCO; 7730 } 7731 7732 static void tco_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t val) 7733 { 7734 env->pstate = (env->pstate & ~PSTATE_TCO) | (val & PSTATE_TCO); 7735 } 7736 7737 static const ARMCPRegInfo mte_reginfo[] = { 7738 { .name = "TFSRE0_EL1", .state = ARM_CP_STATE_AA64, 7739 .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 6, .opc2 = 1, 7740 .access = PL1_RW, .accessfn = access_mte, 7741 .fieldoffset = offsetof(CPUARMState, cp15.tfsr_el[0]) }, 7742 { .name = "TFSR_EL1", .state = ARM_CP_STATE_AA64, 7743 .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 6, .opc2 = 0, 7744 .access = PL1_RW, .accessfn = access_mte, 7745 .fieldoffset = offsetof(CPUARMState, cp15.tfsr_el[1]) }, 7746 { .name = "TFSR_EL2", .state = ARM_CP_STATE_AA64, 7747 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 6, .opc2 = 0, 7748 .access = PL2_RW, .accessfn = access_mte, 7749 .fieldoffset = offsetof(CPUARMState, cp15.tfsr_el[2]) }, 7750 { .name = "TFSR_EL3", .state = ARM_CP_STATE_AA64, 7751 .opc0 = 3, .opc1 = 6, .crn = 5, .crm = 6, .opc2 = 0, 7752 .access = PL3_RW, 7753 .fieldoffset = offsetof(CPUARMState, cp15.tfsr_el[3]) }, 7754 { .name = "RGSR_EL1", .state = ARM_CP_STATE_AA64, 7755 .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 5, 7756 .access = PL1_RW, .accessfn = access_mte, 7757 .fieldoffset = offsetof(CPUARMState, cp15.rgsr_el1) }, 7758 { .name = "GCR_EL1", .state = ARM_CP_STATE_AA64, 7759 .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 6, 7760 .access = PL1_RW, .accessfn = access_mte, 7761 .fieldoffset = offsetof(CPUARMState, cp15.gcr_el1) }, 7762 { .name = "TCO", .state = ARM_CP_STATE_AA64, 7763 .opc0 = 3, .opc1 = 3, .crn = 4, .crm = 2, .opc2 = 7, 7764 .type = ARM_CP_NO_RAW, 7765 .access = PL0_RW, .readfn = tco_read, .writefn = tco_write }, 7766 { .name = "DC_IGVAC", .state = ARM_CP_STATE_AA64, 7767 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 3, 7768 .type = ARM_CP_NOP, .access = PL1_W, 7769 .fgt = FGT_DCIVAC, 7770 .accessfn = aa64_cacheop_poc_access }, 7771 { .name = "DC_IGSW", .state = ARM_CP_STATE_AA64, 7772 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 4, 7773 .fgt = FGT_DCISW, 7774 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, 7775 { .name = "DC_IGDVAC", .state = ARM_CP_STATE_AA64, 7776 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 5, 7777 .type = ARM_CP_NOP, .access = PL1_W, 7778 .fgt = FGT_DCIVAC, 7779 .accessfn = aa64_cacheop_poc_access }, 7780 { .name = "DC_IGDSW", .state = ARM_CP_STATE_AA64, 7781 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 6, 7782 .fgt = FGT_DCISW, 7783 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, 7784 { .name = "DC_CGSW", .state = ARM_CP_STATE_AA64, 7785 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 4, 7786 .fgt = FGT_DCCSW, 7787 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, 7788 { .name = "DC_CGDSW", .state = ARM_CP_STATE_AA64, 7789 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 6, 7790 .fgt = FGT_DCCSW, 7791 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, 7792 { .name = "DC_CIGSW", .state = ARM_CP_STATE_AA64, 7793 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 4, 7794 .fgt = FGT_DCCISW, 7795 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, 7796 { .name = "DC_CIGDSW", .state = ARM_CP_STATE_AA64, 7797 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 6, 7798 .fgt = FGT_DCCISW, 7799 .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, 7800 }; 7801 7802 static const ARMCPRegInfo mte_tco_ro_reginfo[] = { 7803 { .name = "TCO", .state = ARM_CP_STATE_AA64, 7804 .opc0 = 3, .opc1 = 3, .crn = 4, .crm = 2, .opc2 = 7, 7805 .type = ARM_CP_CONST, .access = PL0_RW, }, 7806 }; 7807 7808 static const ARMCPRegInfo mte_el0_cacheop_reginfo[] = { 7809 { .name = "DC_CGVAC", .state = ARM_CP_STATE_AA64, 7810 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 10, .opc2 = 3, 7811 .type = ARM_CP_NOP, .access = PL0_W, 7812 .fgt = FGT_DCCVAC, 7813 .accessfn = aa64_cacheop_poc_access }, 7814 { .name = "DC_CGDVAC", .state = ARM_CP_STATE_AA64, 7815 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 10, .opc2 = 5, 7816 .type = ARM_CP_NOP, .access = PL0_W, 7817 .fgt = FGT_DCCVAC, 7818 .accessfn = aa64_cacheop_poc_access }, 7819 { .name = "DC_CGVAP", .state = ARM_CP_STATE_AA64, 7820 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 12, .opc2 = 3, 7821 .type = ARM_CP_NOP, .access = PL0_W, 7822 .fgt = FGT_DCCVAP, 7823 .accessfn = aa64_cacheop_poc_access }, 7824 { .name = "DC_CGDVAP", .state = ARM_CP_STATE_AA64, 7825 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 12, .opc2 = 5, 7826 .type = ARM_CP_NOP, .access = PL0_W, 7827 .fgt = FGT_DCCVAP, 7828 .accessfn = aa64_cacheop_poc_access }, 7829 { .name = "DC_CGVADP", .state = ARM_CP_STATE_AA64, 7830 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 13, .opc2 = 3, 7831 .type = ARM_CP_NOP, .access = PL0_W, 7832 .fgt = FGT_DCCVADP, 7833 .accessfn = aa64_cacheop_poc_access }, 7834 { .name = "DC_CGDVADP", .state = ARM_CP_STATE_AA64, 7835 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 13, .opc2 = 5, 7836 .type = ARM_CP_NOP, .access = PL0_W, 7837 .fgt = FGT_DCCVADP, 7838 .accessfn = aa64_cacheop_poc_access }, 7839 { .name = "DC_CIGVAC", .state = ARM_CP_STATE_AA64, 7840 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 14, .opc2 = 3, 7841 .type = ARM_CP_NOP, .access = PL0_W, 7842 .fgt = FGT_DCCIVAC, 7843 .accessfn = aa64_cacheop_poc_access }, 7844 { .name = "DC_CIGDVAC", .state = ARM_CP_STATE_AA64, 7845 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 14, .opc2 = 5, 7846 .type = ARM_CP_NOP, .access = PL0_W, 7847 .fgt = FGT_DCCIVAC, 7848 .accessfn = aa64_cacheop_poc_access }, 7849 { .name = "DC_GVA", .state = ARM_CP_STATE_AA64, 7850 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 4, .opc2 = 3, 7851 .access = PL0_W, .type = ARM_CP_DC_GVA, 7852 #ifndef CONFIG_USER_ONLY 7853 /* Avoid overhead of an access check that always passes in user-mode */ 7854 .accessfn = aa64_zva_access, 7855 .fgt = FGT_DCZVA, 7856 #endif 7857 }, 7858 { .name = "DC_GZVA", .state = ARM_CP_STATE_AA64, 7859 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 4, .opc2 = 4, 7860 .access = PL0_W, .type = ARM_CP_DC_GZVA, 7861 #ifndef CONFIG_USER_ONLY 7862 /* Avoid overhead of an access check that always passes in user-mode */ 7863 .accessfn = aa64_zva_access, 7864 .fgt = FGT_DCZVA, 7865 #endif 7866 }, 7867 }; 7868 7869 static CPAccessResult access_scxtnum(CPUARMState *env, const ARMCPRegInfo *ri, 7870 bool isread) 7871 { 7872 uint64_t hcr = arm_hcr_el2_eff(env); 7873 int el = arm_current_el(env); 7874 7875 if (el == 0 && !((hcr & HCR_E2H) && (hcr & HCR_TGE))) { 7876 if (env->cp15.sctlr_el[1] & SCTLR_TSCXT) { 7877 if (hcr & HCR_TGE) { 7878 return CP_ACCESS_TRAP_EL2; 7879 } 7880 return CP_ACCESS_TRAP; 7881 } 7882 } else if (el < 2 && (env->cp15.sctlr_el[2] & SCTLR_TSCXT)) { 7883 return CP_ACCESS_TRAP_EL2; 7884 } 7885 if (el < 2 && arm_is_el2_enabled(env) && !(hcr & HCR_ENSCXT)) { 7886 return CP_ACCESS_TRAP_EL2; 7887 } 7888 if (el < 3 7889 && arm_feature(env, ARM_FEATURE_EL3) 7890 && !(env->cp15.scr_el3 & SCR_ENSCXT)) { 7891 return CP_ACCESS_TRAP_EL3; 7892 } 7893 return CP_ACCESS_OK; 7894 } 7895 7896 static const ARMCPRegInfo scxtnum_reginfo[] = { 7897 { .name = "SCXTNUM_EL0", .state = ARM_CP_STATE_AA64, 7898 .opc0 = 3, .opc1 = 3, .crn = 13, .crm = 0, .opc2 = 7, 7899 .access = PL0_RW, .accessfn = access_scxtnum, 7900 .fgt = FGT_SCXTNUM_EL0, 7901 .fieldoffset = offsetof(CPUARMState, scxtnum_el[0]) }, 7902 { .name = "SCXTNUM_EL1", .state = ARM_CP_STATE_AA64, 7903 .opc0 = 3, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 7, 7904 .access = PL1_RW, .accessfn = access_scxtnum, 7905 .fgt = FGT_SCXTNUM_EL1, 7906 .fieldoffset = offsetof(CPUARMState, scxtnum_el[1]) }, 7907 { .name = "SCXTNUM_EL2", .state = ARM_CP_STATE_AA64, 7908 .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 7, 7909 .access = PL2_RW, .accessfn = access_scxtnum, 7910 .fieldoffset = offsetof(CPUARMState, scxtnum_el[2]) }, 7911 { .name = "SCXTNUM_EL3", .state = ARM_CP_STATE_AA64, 7912 .opc0 = 3, .opc1 = 6, .crn = 13, .crm = 0, .opc2 = 7, 7913 .access = PL3_RW, 7914 .fieldoffset = offsetof(CPUARMState, scxtnum_el[3]) }, 7915 }; 7916 7917 static CPAccessResult access_fgt(CPUARMState *env, const ARMCPRegInfo *ri, 7918 bool isread) 7919 { 7920 if (arm_current_el(env) == 2 && 7921 arm_feature(env, ARM_FEATURE_EL3) && !(env->cp15.scr_el3 & SCR_FGTEN)) { 7922 return CP_ACCESS_TRAP_EL3; 7923 } 7924 return CP_ACCESS_OK; 7925 } 7926 7927 static const ARMCPRegInfo fgt_reginfo[] = { 7928 { .name = "HFGRTR_EL2", .state = ARM_CP_STATE_AA64, 7929 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 4, 7930 .access = PL2_RW, .accessfn = access_fgt, 7931 .fieldoffset = offsetof(CPUARMState, cp15.fgt_read[FGTREG_HFGRTR]) }, 7932 { .name = "HFGWTR_EL2", .state = ARM_CP_STATE_AA64, 7933 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 5, 7934 .access = PL2_RW, .accessfn = access_fgt, 7935 .fieldoffset = offsetof(CPUARMState, cp15.fgt_write[FGTREG_HFGWTR]) }, 7936 { .name = "HDFGRTR_EL2", .state = ARM_CP_STATE_AA64, 7937 .opc0 = 3, .opc1 = 4, .crn = 3, .crm = 1, .opc2 = 4, 7938 .access = PL2_RW, .accessfn = access_fgt, 7939 .fieldoffset = offsetof(CPUARMState, cp15.fgt_read[FGTREG_HDFGRTR]) }, 7940 { .name = "HDFGWTR_EL2", .state = ARM_CP_STATE_AA64, 7941 .opc0 = 3, .opc1 = 4, .crn = 3, .crm = 1, .opc2 = 5, 7942 .access = PL2_RW, .accessfn = access_fgt, 7943 .fieldoffset = offsetof(CPUARMState, cp15.fgt_write[FGTREG_HDFGWTR]) }, 7944 { .name = "HFGITR_EL2", .state = ARM_CP_STATE_AA64, 7945 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 6, 7946 .access = PL2_RW, .accessfn = access_fgt, 7947 .fieldoffset = offsetof(CPUARMState, cp15.fgt_exec[FGTREG_HFGITR]) }, 7948 }; 7949 #endif /* TARGET_AARCH64 */ 7950 7951 static CPAccessResult access_predinv(CPUARMState *env, const ARMCPRegInfo *ri, 7952 bool isread) 7953 { 7954 int el = arm_current_el(env); 7955 7956 if (el == 0) { 7957 uint64_t sctlr = arm_sctlr(env, el); 7958 if (!(sctlr & SCTLR_EnRCTX)) { 7959 return CP_ACCESS_TRAP; 7960 } 7961 } else if (el == 1) { 7962 uint64_t hcr = arm_hcr_el2_eff(env); 7963 if (hcr & HCR_NV) { 7964 return CP_ACCESS_TRAP_EL2; 7965 } 7966 } 7967 return CP_ACCESS_OK; 7968 } 7969 7970 static const ARMCPRegInfo predinv_reginfo[] = { 7971 { .name = "CFP_RCTX", .state = ARM_CP_STATE_AA64, 7972 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 3, .opc2 = 4, 7973 .fgt = FGT_CFPRCTX, 7974 .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv }, 7975 { .name = "DVP_RCTX", .state = ARM_CP_STATE_AA64, 7976 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 3, .opc2 = 5, 7977 .fgt = FGT_DVPRCTX, 7978 .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv }, 7979 { .name = "CPP_RCTX", .state = ARM_CP_STATE_AA64, 7980 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 3, .opc2 = 7, 7981 .fgt = FGT_CPPRCTX, 7982 .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv }, 7983 /* 7984 * Note the AArch32 opcodes have a different OPC1. 7985 */ 7986 { .name = "CFPRCTX", .state = ARM_CP_STATE_AA32, 7987 .cp = 15, .opc1 = 0, .crn = 7, .crm = 3, .opc2 = 4, 7988 .fgt = FGT_CFPRCTX, 7989 .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv }, 7990 { .name = "DVPRCTX", .state = ARM_CP_STATE_AA32, 7991 .cp = 15, .opc1 = 0, .crn = 7, .crm = 3, .opc2 = 5, 7992 .fgt = FGT_DVPRCTX, 7993 .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv }, 7994 { .name = "CPPRCTX", .state = ARM_CP_STATE_AA32, 7995 .cp = 15, .opc1 = 0, .crn = 7, .crm = 3, .opc2 = 7, 7996 .fgt = FGT_CPPRCTX, 7997 .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv }, 7998 }; 7999 8000 static uint64_t ccsidr2_read(CPUARMState *env, const ARMCPRegInfo *ri) 8001 { 8002 /* Read the high 32 bits of the current CCSIDR */ 8003 return extract64(ccsidr_read(env, ri), 32, 32); 8004 } 8005 8006 static const ARMCPRegInfo ccsidr2_reginfo[] = { 8007 { .name = "CCSIDR2", .state = ARM_CP_STATE_BOTH, 8008 .opc0 = 3, .opc1 = 1, .crn = 0, .crm = 0, .opc2 = 2, 8009 .access = PL1_R, 8010 .accessfn = access_tid4, 8011 .readfn = ccsidr2_read, .type = ARM_CP_NO_RAW }, 8012 }; 8013 8014 static CPAccessResult access_aa64_tid3(CPUARMState *env, const ARMCPRegInfo *ri, 8015 bool isread) 8016 { 8017 if ((arm_current_el(env) < 2) && (arm_hcr_el2_eff(env) & HCR_TID3)) { 8018 return CP_ACCESS_TRAP_EL2; 8019 } 8020 8021 return CP_ACCESS_OK; 8022 } 8023 8024 static CPAccessResult access_aa32_tid3(CPUARMState *env, const ARMCPRegInfo *ri, 8025 bool isread) 8026 { 8027 if (arm_feature(env, ARM_FEATURE_V8)) { 8028 return access_aa64_tid3(env, ri, isread); 8029 } 8030 8031 return CP_ACCESS_OK; 8032 } 8033 8034 static CPAccessResult access_jazelle(CPUARMState *env, const ARMCPRegInfo *ri, 8035 bool isread) 8036 { 8037 if (arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_TID0)) { 8038 return CP_ACCESS_TRAP_EL2; 8039 } 8040 8041 return CP_ACCESS_OK; 8042 } 8043 8044 static CPAccessResult access_joscr_jmcr(CPUARMState *env, 8045 const ARMCPRegInfo *ri, bool isread) 8046 { 8047 /* 8048 * HSTR.TJDBX traps JOSCR and JMCR accesses, but it exists only 8049 * in v7A, not in v8A. 8050 */ 8051 if (!arm_feature(env, ARM_FEATURE_V8) && 8052 arm_current_el(env) < 2 && !arm_is_secure_below_el3(env) && 8053 (env->cp15.hstr_el2 & HSTR_TJDBX)) { 8054 return CP_ACCESS_TRAP_EL2; 8055 } 8056 return CP_ACCESS_OK; 8057 } 8058 8059 static const ARMCPRegInfo jazelle_regs[] = { 8060 { .name = "JIDR", 8061 .cp = 14, .crn = 0, .crm = 0, .opc1 = 7, .opc2 = 0, 8062 .access = PL1_R, .accessfn = access_jazelle, 8063 .type = ARM_CP_CONST, .resetvalue = 0 }, 8064 { .name = "JOSCR", 8065 .cp = 14, .crn = 1, .crm = 0, .opc1 = 7, .opc2 = 0, 8066 .accessfn = access_joscr_jmcr, 8067 .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, 8068 { .name = "JMCR", 8069 .cp = 14, .crn = 2, .crm = 0, .opc1 = 7, .opc2 = 0, 8070 .accessfn = access_joscr_jmcr, 8071 .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, 8072 }; 8073 8074 static const ARMCPRegInfo contextidr_el2 = { 8075 .name = "CONTEXTIDR_EL2", .state = ARM_CP_STATE_AA64, 8076 .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 1, 8077 .access = PL2_RW, 8078 .fieldoffset = offsetof(CPUARMState, cp15.contextidr_el[2]) 8079 }; 8080 8081 static const ARMCPRegInfo vhe_reginfo[] = { 8082 { .name = "TTBR1_EL2", .state = ARM_CP_STATE_AA64, 8083 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 1, 8084 .access = PL2_RW, .writefn = vmsa_tcr_ttbr_el2_write, 8085 .raw_writefn = raw_write, 8086 .fieldoffset = offsetof(CPUARMState, cp15.ttbr1_el[2]) }, 8087 #ifndef CONFIG_USER_ONLY 8088 { .name = "CNTHV_CVAL_EL2", .state = ARM_CP_STATE_AA64, 8089 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 3, .opc2 = 2, 8090 .fieldoffset = 8091 offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYPVIRT].cval), 8092 .type = ARM_CP_IO, .access = PL2_RW, 8093 .writefn = gt_hv_cval_write, .raw_writefn = raw_write }, 8094 { .name = "CNTHV_TVAL_EL2", .state = ARM_CP_STATE_BOTH, 8095 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 3, .opc2 = 0, 8096 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL2_RW, 8097 .resetfn = gt_hv_timer_reset, 8098 .readfn = gt_hv_tval_read, .writefn = gt_hv_tval_write }, 8099 { .name = "CNTHV_CTL_EL2", .state = ARM_CP_STATE_BOTH, 8100 .type = ARM_CP_IO, 8101 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 3, .opc2 = 1, 8102 .access = PL2_RW, 8103 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYPVIRT].ctl), 8104 .writefn = gt_hv_ctl_write, .raw_writefn = raw_write }, 8105 { .name = "CNTP_CTL_EL02", .state = ARM_CP_STATE_AA64, 8106 .opc0 = 3, .opc1 = 5, .crn = 14, .crm = 2, .opc2 = 1, 8107 .type = ARM_CP_IO | ARM_CP_ALIAS, 8108 .access = PL2_RW, .accessfn = e2h_access, 8109 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].ctl), 8110 .writefn = gt_phys_ctl_write, .raw_writefn = raw_write }, 8111 { .name = "CNTV_CTL_EL02", .state = ARM_CP_STATE_AA64, 8112 .opc0 = 3, .opc1 = 5, .crn = 14, .crm = 3, .opc2 = 1, 8113 .type = ARM_CP_IO | ARM_CP_ALIAS, 8114 .access = PL2_RW, .accessfn = e2h_access, 8115 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].ctl), 8116 .writefn = gt_virt_ctl_write, .raw_writefn = raw_write }, 8117 { .name = "CNTP_TVAL_EL02", .state = ARM_CP_STATE_AA64, 8118 .opc0 = 3, .opc1 = 5, .crn = 14, .crm = 2, .opc2 = 0, 8119 .type = ARM_CP_NO_RAW | ARM_CP_IO | ARM_CP_ALIAS, 8120 .access = PL2_RW, .accessfn = e2h_access, 8121 .readfn = gt_phys_tval_read, .writefn = gt_phys_tval_write }, 8122 { .name = "CNTV_TVAL_EL02", .state = ARM_CP_STATE_AA64, 8123 .opc0 = 3, .opc1 = 5, .crn = 14, .crm = 3, .opc2 = 0, 8124 .type = ARM_CP_NO_RAW | ARM_CP_IO | ARM_CP_ALIAS, 8125 .access = PL2_RW, .accessfn = e2h_access, 8126 .readfn = gt_virt_tval_read, .writefn = gt_virt_tval_write }, 8127 { .name = "CNTP_CVAL_EL02", .state = ARM_CP_STATE_AA64, 8128 .opc0 = 3, .opc1 = 5, .crn = 14, .crm = 2, .opc2 = 2, 8129 .type = ARM_CP_IO | ARM_CP_ALIAS, 8130 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval), 8131 .access = PL2_RW, .accessfn = e2h_access, 8132 .writefn = gt_phys_cval_write, .raw_writefn = raw_write }, 8133 { .name = "CNTV_CVAL_EL02", .state = ARM_CP_STATE_AA64, 8134 .opc0 = 3, .opc1 = 5, .crn = 14, .crm = 3, .opc2 = 2, 8135 .type = ARM_CP_IO | ARM_CP_ALIAS, 8136 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval), 8137 .access = PL2_RW, .accessfn = e2h_access, 8138 .writefn = gt_virt_cval_write, .raw_writefn = raw_write }, 8139 #endif 8140 }; 8141 8142 #ifndef CONFIG_USER_ONLY 8143 static const ARMCPRegInfo ats1e1_reginfo[] = { 8144 { .name = "AT_S1E1RP", .state = ARM_CP_STATE_AA64, 8145 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 0, 8146 .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 8147 .fgt = FGT_ATS1E1RP, 8148 .accessfn = at_e012_access, .writefn = ats_write64 }, 8149 { .name = "AT_S1E1WP", .state = ARM_CP_STATE_AA64, 8150 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 1, 8151 .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 8152 .fgt = FGT_ATS1E1WP, 8153 .accessfn = at_e012_access, .writefn = ats_write64 }, 8154 }; 8155 8156 static const ARMCPRegInfo ats1cp_reginfo[] = { 8157 { .name = "ATS1CPRP", 8158 .cp = 15, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 0, 8159 .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 8160 .writefn = ats_write }, 8161 { .name = "ATS1CPWP", 8162 .cp = 15, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 1, 8163 .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, 8164 .writefn = ats_write }, 8165 }; 8166 #endif 8167 8168 /* 8169 * ACTLR2 and HACTLR2 map to ACTLR_EL1[63:32] and 8170 * ACTLR_EL2[63:32]. They exist only if the ID_MMFR4.AC2 field 8171 * is non-zero, which is never for ARMv7, optionally in ARMv8 8172 * and mandatorily for ARMv8.2 and up. 8173 * ACTLR2 is banked for S and NS if EL3 is AArch32. Since QEMU's 8174 * implementation is RAZ/WI we can ignore this detail, as we 8175 * do for ACTLR. 8176 */ 8177 static const ARMCPRegInfo actlr2_hactlr2_reginfo[] = { 8178 { .name = "ACTLR2", .state = ARM_CP_STATE_AA32, 8179 .cp = 15, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 3, 8180 .access = PL1_RW, .accessfn = access_tacr, 8181 .type = ARM_CP_CONST, .resetvalue = 0 }, 8182 { .name = "HACTLR2", .state = ARM_CP_STATE_AA32, 8183 .cp = 15, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 3, 8184 .access = PL2_RW, .type = ARM_CP_CONST, 8185 .resetvalue = 0 }, 8186 }; 8187 8188 void register_cp_regs_for_features(ARMCPU *cpu) 8189 { 8190 /* Register all the coprocessor registers based on feature bits */ 8191 CPUARMState *env = &cpu->env; 8192 if (arm_feature(env, ARM_FEATURE_M)) { 8193 /* M profile has no coprocessor registers */ 8194 return; 8195 } 8196 8197 define_arm_cp_regs(cpu, cp_reginfo); 8198 if (!arm_feature(env, ARM_FEATURE_V8)) { 8199 /* 8200 * Must go early as it is full of wildcards that may be 8201 * overridden by later definitions. 8202 */ 8203 define_arm_cp_regs(cpu, not_v8_cp_reginfo); 8204 } 8205 8206 if (arm_feature(env, ARM_FEATURE_V6)) { 8207 /* The ID registers all have impdef reset values */ 8208 ARMCPRegInfo v6_idregs[] = { 8209 { .name = "ID_PFR0", .state = ARM_CP_STATE_BOTH, 8210 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0, 8211 .access = PL1_R, .type = ARM_CP_CONST, 8212 .accessfn = access_aa32_tid3, 8213 .resetvalue = cpu->isar.id_pfr0 }, 8214 /* 8215 * ID_PFR1 is not a plain ARM_CP_CONST because we don't know 8216 * the value of the GIC field until after we define these regs. 8217 */ 8218 { .name = "ID_PFR1", .state = ARM_CP_STATE_BOTH, 8219 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 1, 8220 .access = PL1_R, .type = ARM_CP_NO_RAW, 8221 .accessfn = access_aa32_tid3, 8222 #ifdef CONFIG_USER_ONLY 8223 .type = ARM_CP_CONST, 8224 .resetvalue = cpu->isar.id_pfr1, 8225 #else 8226 .type = ARM_CP_NO_RAW, 8227 .accessfn = access_aa32_tid3, 8228 .readfn = id_pfr1_read, 8229 .writefn = arm_cp_write_ignore 8230 #endif 8231 }, 8232 { .name = "ID_DFR0", .state = ARM_CP_STATE_BOTH, 8233 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 2, 8234 .access = PL1_R, .type = ARM_CP_CONST, 8235 .accessfn = access_aa32_tid3, 8236 .resetvalue = cpu->isar.id_dfr0 }, 8237 { .name = "ID_AFR0", .state = ARM_CP_STATE_BOTH, 8238 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 3, 8239 .access = PL1_R, .type = ARM_CP_CONST, 8240 .accessfn = access_aa32_tid3, 8241 .resetvalue = cpu->id_afr0 }, 8242 { .name = "ID_MMFR0", .state = ARM_CP_STATE_BOTH, 8243 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 4, 8244 .access = PL1_R, .type = ARM_CP_CONST, 8245 .accessfn = access_aa32_tid3, 8246 .resetvalue = cpu->isar.id_mmfr0 }, 8247 { .name = "ID_MMFR1", .state = ARM_CP_STATE_BOTH, 8248 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 5, 8249 .access = PL1_R, .type = ARM_CP_CONST, 8250 .accessfn = access_aa32_tid3, 8251 .resetvalue = cpu->isar.id_mmfr1 }, 8252 { .name = "ID_MMFR2", .state = ARM_CP_STATE_BOTH, 8253 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 6, 8254 .access = PL1_R, .type = ARM_CP_CONST, 8255 .accessfn = access_aa32_tid3, 8256 .resetvalue = cpu->isar.id_mmfr2 }, 8257 { .name = "ID_MMFR3", .state = ARM_CP_STATE_BOTH, 8258 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 7, 8259 .access = PL1_R, .type = ARM_CP_CONST, 8260 .accessfn = access_aa32_tid3, 8261 .resetvalue = cpu->isar.id_mmfr3 }, 8262 { .name = "ID_ISAR0", .state = ARM_CP_STATE_BOTH, 8263 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0, 8264 .access = PL1_R, .type = ARM_CP_CONST, 8265 .accessfn = access_aa32_tid3, 8266 .resetvalue = cpu->isar.id_isar0 }, 8267 { .name = "ID_ISAR1", .state = ARM_CP_STATE_BOTH, 8268 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 1, 8269 .access = PL1_R, .type = ARM_CP_CONST, 8270 .accessfn = access_aa32_tid3, 8271 .resetvalue = cpu->isar.id_isar1 }, 8272 { .name = "ID_ISAR2", .state = ARM_CP_STATE_BOTH, 8273 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 2, 8274 .access = PL1_R, .type = ARM_CP_CONST, 8275 .accessfn = access_aa32_tid3, 8276 .resetvalue = cpu->isar.id_isar2 }, 8277 { .name = "ID_ISAR3", .state = ARM_CP_STATE_BOTH, 8278 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 3, 8279 .access = PL1_R, .type = ARM_CP_CONST, 8280 .accessfn = access_aa32_tid3, 8281 .resetvalue = cpu->isar.id_isar3 }, 8282 { .name = "ID_ISAR4", .state = ARM_CP_STATE_BOTH, 8283 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 4, 8284 .access = PL1_R, .type = ARM_CP_CONST, 8285 .accessfn = access_aa32_tid3, 8286 .resetvalue = cpu->isar.id_isar4 }, 8287 { .name = "ID_ISAR5", .state = ARM_CP_STATE_BOTH, 8288 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 5, 8289 .access = PL1_R, .type = ARM_CP_CONST, 8290 .accessfn = access_aa32_tid3, 8291 .resetvalue = cpu->isar.id_isar5 }, 8292 { .name = "ID_MMFR4", .state = ARM_CP_STATE_BOTH, 8293 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 6, 8294 .access = PL1_R, .type = ARM_CP_CONST, 8295 .accessfn = access_aa32_tid3, 8296 .resetvalue = cpu->isar.id_mmfr4 }, 8297 { .name = "ID_ISAR6", .state = ARM_CP_STATE_BOTH, 8298 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 7, 8299 .access = PL1_R, .type = ARM_CP_CONST, 8300 .accessfn = access_aa32_tid3, 8301 .resetvalue = cpu->isar.id_isar6 }, 8302 }; 8303 define_arm_cp_regs(cpu, v6_idregs); 8304 define_arm_cp_regs(cpu, v6_cp_reginfo); 8305 } else { 8306 define_arm_cp_regs(cpu, not_v6_cp_reginfo); 8307 } 8308 if (arm_feature(env, ARM_FEATURE_V6K)) { 8309 define_arm_cp_regs(cpu, v6k_cp_reginfo); 8310 } 8311 if (arm_feature(env, ARM_FEATURE_V7MP) && 8312 !arm_feature(env, ARM_FEATURE_PMSA)) { 8313 define_arm_cp_regs(cpu, v7mp_cp_reginfo); 8314 } 8315 if (arm_feature(env, ARM_FEATURE_V7VE)) { 8316 define_arm_cp_regs(cpu, pmovsset_cp_reginfo); 8317 } 8318 if (arm_feature(env, ARM_FEATURE_V7)) { 8319 ARMCPRegInfo clidr = { 8320 .name = "CLIDR", .state = ARM_CP_STATE_BOTH, 8321 .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = 1, 8322 .access = PL1_R, .type = ARM_CP_CONST, 8323 .accessfn = access_tid4, 8324 .fgt = FGT_CLIDR_EL1, 8325 .resetvalue = cpu->clidr 8326 }; 8327 define_one_arm_cp_reg(cpu, &clidr); 8328 define_arm_cp_regs(cpu, v7_cp_reginfo); 8329 define_debug_regs(cpu); 8330 define_pmu_regs(cpu); 8331 } else { 8332 define_arm_cp_regs(cpu, not_v7_cp_reginfo); 8333 } 8334 if (arm_feature(env, ARM_FEATURE_V8)) { 8335 /* 8336 * v8 ID registers, which all have impdef reset values. 8337 * Note that within the ID register ranges the unused slots 8338 * must all RAZ, not UNDEF; future architecture versions may 8339 * define new registers here. 8340 * ID registers which are AArch64 views of the AArch32 ID registers 8341 * which already existed in v6 and v7 are handled elsewhere, 8342 * in v6_idregs[]. 8343 */ 8344 int i; 8345 ARMCPRegInfo v8_idregs[] = { 8346 /* 8347 * ID_AA64PFR0_EL1 is not a plain ARM_CP_CONST in system 8348 * emulation because we don't know the right value for the 8349 * GIC field until after we define these regs. 8350 */ 8351 { .name = "ID_AA64PFR0_EL1", .state = ARM_CP_STATE_AA64, 8352 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 0, 8353 .access = PL1_R, 8354 #ifdef CONFIG_USER_ONLY 8355 .type = ARM_CP_CONST, 8356 .resetvalue = cpu->isar.id_aa64pfr0 8357 #else 8358 .type = ARM_CP_NO_RAW, 8359 .accessfn = access_aa64_tid3, 8360 .readfn = id_aa64pfr0_read, 8361 .writefn = arm_cp_write_ignore 8362 #endif 8363 }, 8364 { .name = "ID_AA64PFR1_EL1", .state = ARM_CP_STATE_AA64, 8365 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 1, 8366 .access = PL1_R, .type = ARM_CP_CONST, 8367 .accessfn = access_aa64_tid3, 8368 .resetvalue = cpu->isar.id_aa64pfr1}, 8369 { .name = "ID_AA64PFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8370 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 2, 8371 .access = PL1_R, .type = ARM_CP_CONST, 8372 .accessfn = access_aa64_tid3, 8373 .resetvalue = 0 }, 8374 { .name = "ID_AA64PFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8375 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 3, 8376 .access = PL1_R, .type = ARM_CP_CONST, 8377 .accessfn = access_aa64_tid3, 8378 .resetvalue = 0 }, 8379 { .name = "ID_AA64ZFR0_EL1", .state = ARM_CP_STATE_AA64, 8380 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 4, 8381 .access = PL1_R, .type = ARM_CP_CONST, 8382 .accessfn = access_aa64_tid3, 8383 .resetvalue = cpu->isar.id_aa64zfr0 }, 8384 { .name = "ID_AA64SMFR0_EL1", .state = ARM_CP_STATE_AA64, 8385 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 5, 8386 .access = PL1_R, .type = ARM_CP_CONST, 8387 .accessfn = access_aa64_tid3, 8388 .resetvalue = cpu->isar.id_aa64smfr0 }, 8389 { .name = "ID_AA64PFR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8390 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 6, 8391 .access = PL1_R, .type = ARM_CP_CONST, 8392 .accessfn = access_aa64_tid3, 8393 .resetvalue = 0 }, 8394 { .name = "ID_AA64PFR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8395 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 7, 8396 .access = PL1_R, .type = ARM_CP_CONST, 8397 .accessfn = access_aa64_tid3, 8398 .resetvalue = 0 }, 8399 { .name = "ID_AA64DFR0_EL1", .state = ARM_CP_STATE_AA64, 8400 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 0, 8401 .access = PL1_R, .type = ARM_CP_CONST, 8402 .accessfn = access_aa64_tid3, 8403 .resetvalue = cpu->isar.id_aa64dfr0 }, 8404 { .name = "ID_AA64DFR1_EL1", .state = ARM_CP_STATE_AA64, 8405 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 1, 8406 .access = PL1_R, .type = ARM_CP_CONST, 8407 .accessfn = access_aa64_tid3, 8408 .resetvalue = cpu->isar.id_aa64dfr1 }, 8409 { .name = "ID_AA64DFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8410 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 2, 8411 .access = PL1_R, .type = ARM_CP_CONST, 8412 .accessfn = access_aa64_tid3, 8413 .resetvalue = 0 }, 8414 { .name = "ID_AA64DFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8415 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 3, 8416 .access = PL1_R, .type = ARM_CP_CONST, 8417 .accessfn = access_aa64_tid3, 8418 .resetvalue = 0 }, 8419 { .name = "ID_AA64AFR0_EL1", .state = ARM_CP_STATE_AA64, 8420 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 4, 8421 .access = PL1_R, .type = ARM_CP_CONST, 8422 .accessfn = access_aa64_tid3, 8423 .resetvalue = cpu->id_aa64afr0 }, 8424 { .name = "ID_AA64AFR1_EL1", .state = ARM_CP_STATE_AA64, 8425 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 5, 8426 .access = PL1_R, .type = ARM_CP_CONST, 8427 .accessfn = access_aa64_tid3, 8428 .resetvalue = cpu->id_aa64afr1 }, 8429 { .name = "ID_AA64AFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8430 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 6, 8431 .access = PL1_R, .type = ARM_CP_CONST, 8432 .accessfn = access_aa64_tid3, 8433 .resetvalue = 0 }, 8434 { .name = "ID_AA64AFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8435 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 7, 8436 .access = PL1_R, .type = ARM_CP_CONST, 8437 .accessfn = access_aa64_tid3, 8438 .resetvalue = 0 }, 8439 { .name = "ID_AA64ISAR0_EL1", .state = ARM_CP_STATE_AA64, 8440 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 0, 8441 .access = PL1_R, .type = ARM_CP_CONST, 8442 .accessfn = access_aa64_tid3, 8443 .resetvalue = cpu->isar.id_aa64isar0 }, 8444 { .name = "ID_AA64ISAR1_EL1", .state = ARM_CP_STATE_AA64, 8445 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 1, 8446 .access = PL1_R, .type = ARM_CP_CONST, 8447 .accessfn = access_aa64_tid3, 8448 .resetvalue = cpu->isar.id_aa64isar1 }, 8449 { .name = "ID_AA64ISAR2_EL1", .state = ARM_CP_STATE_AA64, 8450 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 2, 8451 .access = PL1_R, .type = ARM_CP_CONST, 8452 .accessfn = access_aa64_tid3, 8453 .resetvalue = cpu->isar.id_aa64isar2 }, 8454 { .name = "ID_AA64ISAR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8455 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 3, 8456 .access = PL1_R, .type = ARM_CP_CONST, 8457 .accessfn = access_aa64_tid3, 8458 .resetvalue = 0 }, 8459 { .name = "ID_AA64ISAR4_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8460 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 4, 8461 .access = PL1_R, .type = ARM_CP_CONST, 8462 .accessfn = access_aa64_tid3, 8463 .resetvalue = 0 }, 8464 { .name = "ID_AA64ISAR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8465 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 5, 8466 .access = PL1_R, .type = ARM_CP_CONST, 8467 .accessfn = access_aa64_tid3, 8468 .resetvalue = 0 }, 8469 { .name = "ID_AA64ISAR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8470 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 6, 8471 .access = PL1_R, .type = ARM_CP_CONST, 8472 .accessfn = access_aa64_tid3, 8473 .resetvalue = 0 }, 8474 { .name = "ID_AA64ISAR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8475 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 7, 8476 .access = PL1_R, .type = ARM_CP_CONST, 8477 .accessfn = access_aa64_tid3, 8478 .resetvalue = 0 }, 8479 { .name = "ID_AA64MMFR0_EL1", .state = ARM_CP_STATE_AA64, 8480 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0, 8481 .access = PL1_R, .type = ARM_CP_CONST, 8482 .accessfn = access_aa64_tid3, 8483 .resetvalue = cpu->isar.id_aa64mmfr0 }, 8484 { .name = "ID_AA64MMFR1_EL1", .state = ARM_CP_STATE_AA64, 8485 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 1, 8486 .access = PL1_R, .type = ARM_CP_CONST, 8487 .accessfn = access_aa64_tid3, 8488 .resetvalue = cpu->isar.id_aa64mmfr1 }, 8489 { .name = "ID_AA64MMFR2_EL1", .state = ARM_CP_STATE_AA64, 8490 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 2, 8491 .access = PL1_R, .type = ARM_CP_CONST, 8492 .accessfn = access_aa64_tid3, 8493 .resetvalue = cpu->isar.id_aa64mmfr2 }, 8494 { .name = "ID_AA64MMFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8495 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 3, 8496 .access = PL1_R, .type = ARM_CP_CONST, 8497 .accessfn = access_aa64_tid3, 8498 .resetvalue = 0 }, 8499 { .name = "ID_AA64MMFR4_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8500 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 4, 8501 .access = PL1_R, .type = ARM_CP_CONST, 8502 .accessfn = access_aa64_tid3, 8503 .resetvalue = 0 }, 8504 { .name = "ID_AA64MMFR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8505 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 5, 8506 .access = PL1_R, .type = ARM_CP_CONST, 8507 .accessfn = access_aa64_tid3, 8508 .resetvalue = 0 }, 8509 { .name = "ID_AA64MMFR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8510 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 6, 8511 .access = PL1_R, .type = ARM_CP_CONST, 8512 .accessfn = access_aa64_tid3, 8513 .resetvalue = 0 }, 8514 { .name = "ID_AA64MMFR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64, 8515 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 7, 8516 .access = PL1_R, .type = ARM_CP_CONST, 8517 .accessfn = access_aa64_tid3, 8518 .resetvalue = 0 }, 8519 { .name = "MVFR0_EL1", .state = ARM_CP_STATE_AA64, 8520 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 0, 8521 .access = PL1_R, .type = ARM_CP_CONST, 8522 .accessfn = access_aa64_tid3, 8523 .resetvalue = cpu->isar.mvfr0 }, 8524 { .name = "MVFR1_EL1", .state = ARM_CP_STATE_AA64, 8525 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 1, 8526 .access = PL1_R, .type = ARM_CP_CONST, 8527 .accessfn = access_aa64_tid3, 8528 .resetvalue = cpu->isar.mvfr1 }, 8529 { .name = "MVFR2_EL1", .state = ARM_CP_STATE_AA64, 8530 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2, 8531 .access = PL1_R, .type = ARM_CP_CONST, 8532 .accessfn = access_aa64_tid3, 8533 .resetvalue = cpu->isar.mvfr2 }, 8534 /* 8535 * "0, c0, c3, {0,1,2}" are the encodings corresponding to 8536 * AArch64 MVFR[012]_EL1. Define the STATE_AA32 encoding 8537 * as RAZ, since it is in the "reserved for future ID 8538 * registers, RAZ" part of the AArch32 encoding space. 8539 */ 8540 { .name = "RES_0_C0_C3_0", .state = ARM_CP_STATE_AA32, 8541 .cp = 15, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 0, 8542 .access = PL1_R, .type = ARM_CP_CONST, 8543 .accessfn = access_aa64_tid3, 8544 .resetvalue = 0 }, 8545 { .name = "RES_0_C0_C3_1", .state = ARM_CP_STATE_AA32, 8546 .cp = 15, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 1, 8547 .access = PL1_R, .type = ARM_CP_CONST, 8548 .accessfn = access_aa64_tid3, 8549 .resetvalue = 0 }, 8550 { .name = "RES_0_C0_C3_2", .state = ARM_CP_STATE_AA32, 8551 .cp = 15, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2, 8552 .access = PL1_R, .type = ARM_CP_CONST, 8553 .accessfn = access_aa64_tid3, 8554 .resetvalue = 0 }, 8555 /* 8556 * Other encodings in "0, c0, c3, ..." are STATE_BOTH because 8557 * they're also RAZ for AArch64, and in v8 are gradually 8558 * being filled with AArch64-view-of-AArch32-ID-register 8559 * for new ID registers. 8560 */ 8561 { .name = "RES_0_C0_C3_3", .state = ARM_CP_STATE_BOTH, 8562 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 3, 8563 .access = PL1_R, .type = ARM_CP_CONST, 8564 .accessfn = access_aa64_tid3, 8565 .resetvalue = 0 }, 8566 { .name = "ID_PFR2", .state = ARM_CP_STATE_BOTH, 8567 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 4, 8568 .access = PL1_R, .type = ARM_CP_CONST, 8569 .accessfn = access_aa64_tid3, 8570 .resetvalue = cpu->isar.id_pfr2 }, 8571 { .name = "ID_DFR1", .state = ARM_CP_STATE_BOTH, 8572 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 5, 8573 .access = PL1_R, .type = ARM_CP_CONST, 8574 .accessfn = access_aa64_tid3, 8575 .resetvalue = cpu->isar.id_dfr1 }, 8576 { .name = "ID_MMFR5", .state = ARM_CP_STATE_BOTH, 8577 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 6, 8578 .access = PL1_R, .type = ARM_CP_CONST, 8579 .accessfn = access_aa64_tid3, 8580 .resetvalue = cpu->isar.id_mmfr5 }, 8581 { .name = "RES_0_C0_C3_7", .state = ARM_CP_STATE_BOTH, 8582 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 7, 8583 .access = PL1_R, .type = ARM_CP_CONST, 8584 .accessfn = access_aa64_tid3, 8585 .resetvalue = 0 }, 8586 { .name = "PMCEID0", .state = ARM_CP_STATE_AA32, 8587 .cp = 15, .opc1 = 0, .crn = 9, .crm = 12, .opc2 = 6, 8588 .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST, 8589 .fgt = FGT_PMCEIDN_EL0, 8590 .resetvalue = extract64(cpu->pmceid0, 0, 32) }, 8591 { .name = "PMCEID0_EL0", .state = ARM_CP_STATE_AA64, 8592 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 6, 8593 .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST, 8594 .fgt = FGT_PMCEIDN_EL0, 8595 .resetvalue = cpu->pmceid0 }, 8596 { .name = "PMCEID1", .state = ARM_CP_STATE_AA32, 8597 .cp = 15, .opc1 = 0, .crn = 9, .crm = 12, .opc2 = 7, 8598 .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST, 8599 .fgt = FGT_PMCEIDN_EL0, 8600 .resetvalue = extract64(cpu->pmceid1, 0, 32) }, 8601 { .name = "PMCEID1_EL0", .state = ARM_CP_STATE_AA64, 8602 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 7, 8603 .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST, 8604 .fgt = FGT_PMCEIDN_EL0, 8605 .resetvalue = cpu->pmceid1 }, 8606 }; 8607 #ifdef CONFIG_USER_ONLY 8608 static const ARMCPRegUserSpaceInfo v8_user_idregs[] = { 8609 { .name = "ID_AA64PFR0_EL1", 8610 .exported_bits = R_ID_AA64PFR0_FP_MASK | 8611 R_ID_AA64PFR0_ADVSIMD_MASK | 8612 R_ID_AA64PFR0_SVE_MASK | 8613 R_ID_AA64PFR0_DIT_MASK, 8614 .fixed_bits = (0x1u << R_ID_AA64PFR0_EL0_SHIFT) | 8615 (0x1u << R_ID_AA64PFR0_EL1_SHIFT) }, 8616 { .name = "ID_AA64PFR1_EL1", 8617 .exported_bits = R_ID_AA64PFR1_BT_MASK | 8618 R_ID_AA64PFR1_SSBS_MASK | 8619 R_ID_AA64PFR1_MTE_MASK | 8620 R_ID_AA64PFR1_SME_MASK }, 8621 { .name = "ID_AA64PFR*_EL1_RESERVED", 8622 .is_glob = true }, 8623 { .name = "ID_AA64ZFR0_EL1", 8624 .exported_bits = R_ID_AA64ZFR0_SVEVER_MASK | 8625 R_ID_AA64ZFR0_AES_MASK | 8626 R_ID_AA64ZFR0_BITPERM_MASK | 8627 R_ID_AA64ZFR0_BFLOAT16_MASK | 8628 R_ID_AA64ZFR0_SHA3_MASK | 8629 R_ID_AA64ZFR0_SM4_MASK | 8630 R_ID_AA64ZFR0_I8MM_MASK | 8631 R_ID_AA64ZFR0_F32MM_MASK | 8632 R_ID_AA64ZFR0_F64MM_MASK }, 8633 { .name = "ID_AA64SMFR0_EL1", 8634 .exported_bits = R_ID_AA64SMFR0_F32F32_MASK | 8635 R_ID_AA64SMFR0_BI32I32_MASK | 8636 R_ID_AA64SMFR0_B16F32_MASK | 8637 R_ID_AA64SMFR0_F16F32_MASK | 8638 R_ID_AA64SMFR0_I8I32_MASK | 8639 R_ID_AA64SMFR0_F16F16_MASK | 8640 R_ID_AA64SMFR0_B16B16_MASK | 8641 R_ID_AA64SMFR0_I16I32_MASK | 8642 R_ID_AA64SMFR0_F64F64_MASK | 8643 R_ID_AA64SMFR0_I16I64_MASK | 8644 R_ID_AA64SMFR0_SMEVER_MASK | 8645 R_ID_AA64SMFR0_FA64_MASK }, 8646 { .name = "ID_AA64MMFR0_EL1", 8647 .exported_bits = R_ID_AA64MMFR0_ECV_MASK, 8648 .fixed_bits = (0xfu << R_ID_AA64MMFR0_TGRAN64_SHIFT) | 8649 (0xfu << R_ID_AA64MMFR0_TGRAN4_SHIFT) }, 8650 { .name = "ID_AA64MMFR1_EL1", 8651 .exported_bits = R_ID_AA64MMFR1_AFP_MASK }, 8652 { .name = "ID_AA64MMFR2_EL1", 8653 .exported_bits = R_ID_AA64MMFR2_AT_MASK }, 8654 { .name = "ID_AA64MMFR*_EL1_RESERVED", 8655 .is_glob = true }, 8656 { .name = "ID_AA64DFR0_EL1", 8657 .fixed_bits = (0x6u << R_ID_AA64DFR0_DEBUGVER_SHIFT) }, 8658 { .name = "ID_AA64DFR1_EL1" }, 8659 { .name = "ID_AA64DFR*_EL1_RESERVED", 8660 .is_glob = true }, 8661 { .name = "ID_AA64AFR*", 8662 .is_glob = true }, 8663 { .name = "ID_AA64ISAR0_EL1", 8664 .exported_bits = R_ID_AA64ISAR0_AES_MASK | 8665 R_ID_AA64ISAR0_SHA1_MASK | 8666 R_ID_AA64ISAR0_SHA2_MASK | 8667 R_ID_AA64ISAR0_CRC32_MASK | 8668 R_ID_AA64ISAR0_ATOMIC_MASK | 8669 R_ID_AA64ISAR0_RDM_MASK | 8670 R_ID_AA64ISAR0_SHA3_MASK | 8671 R_ID_AA64ISAR0_SM3_MASK | 8672 R_ID_AA64ISAR0_SM4_MASK | 8673 R_ID_AA64ISAR0_DP_MASK | 8674 R_ID_AA64ISAR0_FHM_MASK | 8675 R_ID_AA64ISAR0_TS_MASK | 8676 R_ID_AA64ISAR0_RNDR_MASK }, 8677 { .name = "ID_AA64ISAR1_EL1", 8678 .exported_bits = R_ID_AA64ISAR1_DPB_MASK | 8679 R_ID_AA64ISAR1_APA_MASK | 8680 R_ID_AA64ISAR1_API_MASK | 8681 R_ID_AA64ISAR1_JSCVT_MASK | 8682 R_ID_AA64ISAR1_FCMA_MASK | 8683 R_ID_AA64ISAR1_LRCPC_MASK | 8684 R_ID_AA64ISAR1_GPA_MASK | 8685 R_ID_AA64ISAR1_GPI_MASK | 8686 R_ID_AA64ISAR1_FRINTTS_MASK | 8687 R_ID_AA64ISAR1_SB_MASK | 8688 R_ID_AA64ISAR1_BF16_MASK | 8689 R_ID_AA64ISAR1_DGH_MASK | 8690 R_ID_AA64ISAR1_I8MM_MASK }, 8691 { .name = "ID_AA64ISAR2_EL1", 8692 .exported_bits = R_ID_AA64ISAR2_WFXT_MASK | 8693 R_ID_AA64ISAR2_RPRES_MASK | 8694 R_ID_AA64ISAR2_GPA3_MASK | 8695 R_ID_AA64ISAR2_APA3_MASK | 8696 R_ID_AA64ISAR2_MOPS_MASK | 8697 R_ID_AA64ISAR2_BC_MASK | 8698 R_ID_AA64ISAR2_RPRFM_MASK | 8699 R_ID_AA64ISAR2_CSSC_MASK }, 8700 { .name = "ID_AA64ISAR*_EL1_RESERVED", 8701 .is_glob = true }, 8702 }; 8703 modify_arm_cp_regs(v8_idregs, v8_user_idregs); 8704 #endif 8705 /* 8706 * RVBAR_EL1 and RMR_EL1 only implemented if EL1 is the highest EL. 8707 * TODO: For RMR, a write with bit 1 set should do something with 8708 * cpu_reset(). In the meantime, "the bit is strictly a request", 8709 * so we are in spec just ignoring writes. 8710 */ 8711 if (!arm_feature(env, ARM_FEATURE_EL3) && 8712 !arm_feature(env, ARM_FEATURE_EL2)) { 8713 ARMCPRegInfo el1_reset_regs[] = { 8714 { .name = "RVBAR_EL1", .state = ARM_CP_STATE_BOTH, 8715 .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1, 8716 .access = PL1_R, 8717 .fieldoffset = offsetof(CPUARMState, cp15.rvbar) }, 8718 { .name = "RMR_EL1", .state = ARM_CP_STATE_BOTH, 8719 .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 2, 8720 .access = PL1_RW, .type = ARM_CP_CONST, 8721 .resetvalue = arm_feature(env, ARM_FEATURE_AARCH64) } 8722 }; 8723 define_arm_cp_regs(cpu, el1_reset_regs); 8724 } 8725 define_arm_cp_regs(cpu, v8_idregs); 8726 define_arm_cp_regs(cpu, v8_cp_reginfo); 8727 8728 for (i = 4; i < 16; i++) { 8729 /* 8730 * Encodings in "0, c0, {c4-c7}, {0-7}" are RAZ for AArch32. 8731 * For pre-v8 cores there are RAZ patterns for these in 8732 * id_pre_v8_midr_cp_reginfo[]; for v8 we do that here. 8733 * v8 extends the "must RAZ" part of the ID register space 8734 * to also cover c0, 0, c{8-15}, {0-7}. 8735 * These are STATE_AA32 because in the AArch64 sysreg space 8736 * c4-c7 is where the AArch64 ID registers live (and we've 8737 * already defined those in v8_idregs[]), and c8-c15 are not 8738 * "must RAZ" for AArch64. 8739 */ 8740 g_autofree char *name = g_strdup_printf("RES_0_C0_C%d_X", i); 8741 ARMCPRegInfo v8_aa32_raz_idregs = { 8742 .name = name, 8743 .state = ARM_CP_STATE_AA32, 8744 .cp = 15, .opc1 = 0, .crn = 0, .crm = i, .opc2 = CP_ANY, 8745 .access = PL1_R, .type = ARM_CP_CONST, 8746 .accessfn = access_aa64_tid3, 8747 .resetvalue = 0 }; 8748 define_one_arm_cp_reg(cpu, &v8_aa32_raz_idregs); 8749 } 8750 } 8751 8752 /* 8753 * Register the base EL2 cpregs. 8754 * Pre v8, these registers are implemented only as part of the 8755 * Virtualization Extensions (EL2 present). Beginning with v8, 8756 * if EL2 is missing but EL3 is enabled, mostly these become 8757 * RES0 from EL3, with some specific exceptions. 8758 */ 8759 if (arm_feature(env, ARM_FEATURE_EL2) 8760 || (arm_feature(env, ARM_FEATURE_EL3) 8761 && arm_feature(env, ARM_FEATURE_V8))) { 8762 uint64_t vmpidr_def = mpidr_read_val(env); 8763 ARMCPRegInfo vpidr_regs[] = { 8764 { .name = "VPIDR", .state = ARM_CP_STATE_AA32, 8765 .cp = 15, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0, 8766 .access = PL2_RW, .accessfn = access_el3_aa32ns, 8767 .resetvalue = cpu->midr, 8768 .type = ARM_CP_ALIAS | ARM_CP_EL3_NO_EL2_C_NZ, 8769 .fieldoffset = offsetoflow32(CPUARMState, cp15.vpidr_el2) }, 8770 { .name = "VPIDR_EL2", .state = ARM_CP_STATE_AA64, 8771 .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0, 8772 .access = PL2_RW, .resetvalue = cpu->midr, 8773 .type = ARM_CP_EL3_NO_EL2_C_NZ, 8774 .fieldoffset = offsetof(CPUARMState, cp15.vpidr_el2) }, 8775 { .name = "VMPIDR", .state = ARM_CP_STATE_AA32, 8776 .cp = 15, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5, 8777 .access = PL2_RW, .accessfn = access_el3_aa32ns, 8778 .resetvalue = vmpidr_def, 8779 .type = ARM_CP_ALIAS | ARM_CP_EL3_NO_EL2_C_NZ, 8780 .fieldoffset = offsetoflow32(CPUARMState, cp15.vmpidr_el2) }, 8781 { .name = "VMPIDR_EL2", .state = ARM_CP_STATE_AA64, 8782 .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5, 8783 .access = PL2_RW, .resetvalue = vmpidr_def, 8784 .type = ARM_CP_EL3_NO_EL2_C_NZ, 8785 .fieldoffset = offsetof(CPUARMState, cp15.vmpidr_el2) }, 8786 }; 8787 /* 8788 * The only field of MDCR_EL2 that has a defined architectural reset 8789 * value is MDCR_EL2.HPMN which should reset to the value of PMCR_EL0.N. 8790 */ 8791 ARMCPRegInfo mdcr_el2 = { 8792 .name = "MDCR_EL2", .state = ARM_CP_STATE_BOTH, .type = ARM_CP_IO, 8793 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 1, 8794 .writefn = mdcr_el2_write, 8795 .access = PL2_RW, .resetvalue = pmu_num_counters(env), 8796 .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el2), 8797 }; 8798 define_one_arm_cp_reg(cpu, &mdcr_el2); 8799 define_arm_cp_regs(cpu, vpidr_regs); 8800 define_arm_cp_regs(cpu, el2_cp_reginfo); 8801 if (arm_feature(env, ARM_FEATURE_V8)) { 8802 define_arm_cp_regs(cpu, el2_v8_cp_reginfo); 8803 } 8804 if (cpu_isar_feature(aa64_sel2, cpu)) { 8805 define_arm_cp_regs(cpu, el2_sec_cp_reginfo); 8806 } 8807 /* 8808 * RVBAR_EL2 and RMR_EL2 only implemented if EL2 is the highest EL. 8809 * See commentary near RMR_EL1. 8810 */ 8811 if (!arm_feature(env, ARM_FEATURE_EL3)) { 8812 static const ARMCPRegInfo el2_reset_regs[] = { 8813 { .name = "RVBAR_EL2", .state = ARM_CP_STATE_AA64, 8814 .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 1, 8815 .access = PL2_R, 8816 .fieldoffset = offsetof(CPUARMState, cp15.rvbar) }, 8817 { .name = "RVBAR", .type = ARM_CP_ALIAS, 8818 .cp = 15, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1, 8819 .access = PL2_R, 8820 .fieldoffset = offsetof(CPUARMState, cp15.rvbar) }, 8821 { .name = "RMR_EL2", .state = ARM_CP_STATE_AA64, 8822 .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 2, 8823 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 1 }, 8824 }; 8825 define_arm_cp_regs(cpu, el2_reset_regs); 8826 } 8827 } 8828 8829 /* Register the base EL3 cpregs. */ 8830 if (arm_feature(env, ARM_FEATURE_EL3)) { 8831 define_arm_cp_regs(cpu, el3_cp_reginfo); 8832 ARMCPRegInfo el3_regs[] = { 8833 { .name = "RVBAR_EL3", .state = ARM_CP_STATE_AA64, 8834 .opc0 = 3, .opc1 = 6, .crn = 12, .crm = 0, .opc2 = 1, 8835 .access = PL3_R, 8836 .fieldoffset = offsetof(CPUARMState, cp15.rvbar), }, 8837 { .name = "RMR_EL3", .state = ARM_CP_STATE_AA64, 8838 .opc0 = 3, .opc1 = 6, .crn = 12, .crm = 0, .opc2 = 2, 8839 .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 1 }, 8840 { .name = "RMR", .state = ARM_CP_STATE_AA32, 8841 .cp = 15, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 2, 8842 .access = PL3_RW, .type = ARM_CP_CONST, 8843 .resetvalue = arm_feature(env, ARM_FEATURE_AARCH64) }, 8844 { .name = "SCTLR_EL3", .state = ARM_CP_STATE_AA64, 8845 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 0, .opc2 = 0, 8846 .access = PL3_RW, 8847 .raw_writefn = raw_write, .writefn = sctlr_write, 8848 .fieldoffset = offsetof(CPUARMState, cp15.sctlr_el[3]), 8849 .resetvalue = cpu->reset_sctlr }, 8850 }; 8851 8852 define_arm_cp_regs(cpu, el3_regs); 8853 } 8854 /* 8855 * The behaviour of NSACR is sufficiently various that we don't 8856 * try to describe it in a single reginfo: 8857 * if EL3 is 64 bit, then trap to EL3 from S EL1, 8858 * reads as constant 0xc00 from NS EL1 and NS EL2 8859 * if EL3 is 32 bit, then RW at EL3, RO at NS EL1 and NS EL2 8860 * if v7 without EL3, register doesn't exist 8861 * if v8 without EL3, reads as constant 0xc00 from NS EL1 and NS EL2 8862 */ 8863 if (arm_feature(env, ARM_FEATURE_EL3)) { 8864 if (arm_feature(env, ARM_FEATURE_AARCH64)) { 8865 static const ARMCPRegInfo nsacr = { 8866 .name = "NSACR", .type = ARM_CP_CONST, 8867 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2, 8868 .access = PL1_RW, .accessfn = nsacr_access, 8869 .resetvalue = 0xc00 8870 }; 8871 define_one_arm_cp_reg(cpu, &nsacr); 8872 } else { 8873 static const ARMCPRegInfo nsacr = { 8874 .name = "NSACR", 8875 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2, 8876 .access = PL3_RW | PL1_R, 8877 .resetvalue = 0, 8878 .fieldoffset = offsetof(CPUARMState, cp15.nsacr) 8879 }; 8880 define_one_arm_cp_reg(cpu, &nsacr); 8881 } 8882 } else { 8883 if (arm_feature(env, ARM_FEATURE_V8)) { 8884 static const ARMCPRegInfo nsacr = { 8885 .name = "NSACR", .type = ARM_CP_CONST, 8886 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2, 8887 .access = PL1_R, 8888 .resetvalue = 0xc00 8889 }; 8890 define_one_arm_cp_reg(cpu, &nsacr); 8891 } 8892 } 8893 8894 if (arm_feature(env, ARM_FEATURE_PMSA)) { 8895 if (arm_feature(env, ARM_FEATURE_V6)) { 8896 /* PMSAv6 not implemented */ 8897 assert(arm_feature(env, ARM_FEATURE_V7)); 8898 define_arm_cp_regs(cpu, vmsa_pmsa_cp_reginfo); 8899 define_arm_cp_regs(cpu, pmsav7_cp_reginfo); 8900 } else { 8901 define_arm_cp_regs(cpu, pmsav5_cp_reginfo); 8902 } 8903 } else { 8904 define_arm_cp_regs(cpu, vmsa_pmsa_cp_reginfo); 8905 define_arm_cp_regs(cpu, vmsa_cp_reginfo); 8906 /* TTCBR2 is introduced with ARMv8.2-AA32HPD. */ 8907 if (cpu_isar_feature(aa32_hpd, cpu)) { 8908 define_one_arm_cp_reg(cpu, &ttbcr2_reginfo); 8909 } 8910 } 8911 if (arm_feature(env, ARM_FEATURE_THUMB2EE)) { 8912 define_arm_cp_regs(cpu, t2ee_cp_reginfo); 8913 } 8914 if (arm_feature(env, ARM_FEATURE_GENERIC_TIMER)) { 8915 define_arm_cp_regs(cpu, generic_timer_cp_reginfo); 8916 } 8917 if (arm_feature(env, ARM_FEATURE_VAPA)) { 8918 ARMCPRegInfo vapa_cp_reginfo[] = { 8919 { .name = "PAR", .cp = 15, .crn = 7, .crm = 4, .opc1 = 0, .opc2 = 0, 8920 .access = PL1_RW, .resetvalue = 0, 8921 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.par_s), 8922 offsetoflow32(CPUARMState, cp15.par_ns) }, 8923 .writefn = par_write}, 8924 #ifndef CONFIG_USER_ONLY 8925 /* This underdecoding is safe because the reginfo is NO_RAW. */ 8926 { .name = "ATS", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = CP_ANY, 8927 .access = PL1_W, .accessfn = ats_access, 8928 .writefn = ats_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC }, 8929 #endif 8930 }; 8931 8932 /* 8933 * When LPAE exists this 32-bit PAR register is an alias of the 8934 * 64-bit AArch32 PAR register defined in lpae_cp_reginfo[] 8935 */ 8936 if (arm_feature(env, ARM_FEATURE_LPAE)) { 8937 vapa_cp_reginfo[0].type = ARM_CP_ALIAS | ARM_CP_NO_GDB; 8938 } 8939 define_arm_cp_regs(cpu, vapa_cp_reginfo); 8940 } 8941 if (arm_feature(env, ARM_FEATURE_CACHE_TEST_CLEAN)) { 8942 define_arm_cp_regs(cpu, cache_test_clean_cp_reginfo); 8943 } 8944 if (arm_feature(env, ARM_FEATURE_CACHE_DIRTY_REG)) { 8945 define_arm_cp_regs(cpu, cache_dirty_status_cp_reginfo); 8946 } 8947 if (arm_feature(env, ARM_FEATURE_CACHE_BLOCK_OPS)) { 8948 define_arm_cp_regs(cpu, cache_block_ops_cp_reginfo); 8949 } 8950 if (arm_feature(env, ARM_FEATURE_OMAPCP)) { 8951 define_arm_cp_regs(cpu, omap_cp_reginfo); 8952 } 8953 if (arm_feature(env, ARM_FEATURE_STRONGARM)) { 8954 define_arm_cp_regs(cpu, strongarm_cp_reginfo); 8955 } 8956 if (arm_feature(env, ARM_FEATURE_XSCALE)) { 8957 define_arm_cp_regs(cpu, xscale_cp_reginfo); 8958 } 8959 if (arm_feature(env, ARM_FEATURE_DUMMY_C15_REGS)) { 8960 define_arm_cp_regs(cpu, dummy_c15_cp_reginfo); 8961 } 8962 if (arm_feature(env, ARM_FEATURE_LPAE)) { 8963 define_arm_cp_regs(cpu, lpae_cp_reginfo); 8964 } 8965 if (cpu_isar_feature(aa32_jazelle, cpu)) { 8966 define_arm_cp_regs(cpu, jazelle_regs); 8967 } 8968 /* 8969 * Slightly awkwardly, the OMAP and StrongARM cores need all of 8970 * cp15 crn=0 to be writes-ignored, whereas for other cores they should 8971 * be read-only (ie write causes UNDEF exception). 8972 */ 8973 { 8974 ARMCPRegInfo id_pre_v8_midr_cp_reginfo[] = { 8975 /* 8976 * Pre-v8 MIDR space. 8977 * Note that the MIDR isn't a simple constant register because 8978 * of the TI925 behaviour where writes to another register can 8979 * cause the MIDR value to change. 8980 * 8981 * Unimplemented registers in the c15 0 0 0 space default to 8982 * MIDR. Define MIDR first as this entire space, then CTR, TCMTR 8983 * and friends override accordingly. 8984 */ 8985 { .name = "MIDR", 8986 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = CP_ANY, 8987 .access = PL1_R, .resetvalue = cpu->midr, 8988 .writefn = arm_cp_write_ignore, .raw_writefn = raw_write, 8989 .readfn = midr_read, 8990 .fieldoffset = offsetof(CPUARMState, cp15.c0_cpuid), 8991 .type = ARM_CP_OVERRIDE }, 8992 /* crn = 0 op1 = 0 crm = 3..7 : currently unassigned; we RAZ. */ 8993 { .name = "DUMMY", 8994 .cp = 15, .crn = 0, .crm = 3, .opc1 = 0, .opc2 = CP_ANY, 8995 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 }, 8996 { .name = "DUMMY", 8997 .cp = 15, .crn = 0, .crm = 4, .opc1 = 0, .opc2 = CP_ANY, 8998 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 }, 8999 { .name = "DUMMY", 9000 .cp = 15, .crn = 0, .crm = 5, .opc1 = 0, .opc2 = CP_ANY, 9001 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 }, 9002 { .name = "DUMMY", 9003 .cp = 15, .crn = 0, .crm = 6, .opc1 = 0, .opc2 = CP_ANY, 9004 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 }, 9005 { .name = "DUMMY", 9006 .cp = 15, .crn = 0, .crm = 7, .opc1 = 0, .opc2 = CP_ANY, 9007 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 }, 9008 }; 9009 ARMCPRegInfo id_v8_midr_cp_reginfo[] = { 9010 { .name = "MIDR_EL1", .state = ARM_CP_STATE_BOTH, 9011 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 0, 9012 .access = PL1_R, .type = ARM_CP_NO_RAW, .resetvalue = cpu->midr, 9013 .fgt = FGT_MIDR_EL1, 9014 .fieldoffset = offsetof(CPUARMState, cp15.c0_cpuid), 9015 .readfn = midr_read }, 9016 /* crn = 0 op1 = 0 crm = 0 op2 = 7 : AArch32 aliases of MIDR */ 9017 { .name = "MIDR", .type = ARM_CP_ALIAS | ARM_CP_CONST, 9018 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 7, 9019 .access = PL1_R, .resetvalue = cpu->midr }, 9020 { .name = "REVIDR_EL1", .state = ARM_CP_STATE_BOTH, 9021 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 6, 9022 .access = PL1_R, 9023 .accessfn = access_aa64_tid1, 9024 .fgt = FGT_REVIDR_EL1, 9025 .type = ARM_CP_CONST, .resetvalue = cpu->revidr }, 9026 }; 9027 ARMCPRegInfo id_v8_midr_alias_cp_reginfo = { 9028 .name = "MIDR", .type = ARM_CP_ALIAS | ARM_CP_CONST | ARM_CP_NO_GDB, 9029 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 4, 9030 .access = PL1_R, .resetvalue = cpu->midr 9031 }; 9032 ARMCPRegInfo id_cp_reginfo[] = { 9033 /* These are common to v8 and pre-v8 */ 9034 { .name = "CTR", 9035 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 1, 9036 .access = PL1_R, .accessfn = ctr_el0_access, 9037 .type = ARM_CP_CONST, .resetvalue = cpu->ctr }, 9038 { .name = "CTR_EL0", .state = ARM_CP_STATE_AA64, 9039 .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 0, .crm = 0, 9040 .access = PL0_R, .accessfn = ctr_el0_access, 9041 .fgt = FGT_CTR_EL0, 9042 .type = ARM_CP_CONST, .resetvalue = cpu->ctr }, 9043 /* TCMTR and TLBTR exist in v8 but have no 64-bit versions */ 9044 { .name = "TCMTR", 9045 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 2, 9046 .access = PL1_R, 9047 .accessfn = access_aa32_tid1, 9048 .type = ARM_CP_CONST, .resetvalue = 0 }, 9049 }; 9050 /* TLBTR is specific to VMSA */ 9051 ARMCPRegInfo id_tlbtr_reginfo = { 9052 .name = "TLBTR", 9053 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 3, 9054 .access = PL1_R, 9055 .accessfn = access_aa32_tid1, 9056 .type = ARM_CP_CONST, .resetvalue = 0, 9057 }; 9058 /* MPUIR is specific to PMSA V6+ */ 9059 ARMCPRegInfo id_mpuir_reginfo = { 9060 .name = "MPUIR", 9061 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 4, 9062 .access = PL1_R, .type = ARM_CP_CONST, 9063 .resetvalue = cpu->pmsav7_dregion << 8 9064 }; 9065 /* HMPUIR is specific to PMSA V8 */ 9066 ARMCPRegInfo id_hmpuir_reginfo = { 9067 .name = "HMPUIR", 9068 .cp = 15, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 4, 9069 .access = PL2_R, .type = ARM_CP_CONST, 9070 .resetvalue = cpu->pmsav8r_hdregion 9071 }; 9072 static const ARMCPRegInfo crn0_wi_reginfo = { 9073 .name = "CRN0_WI", .cp = 15, .crn = 0, .crm = CP_ANY, 9074 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_W, 9075 .type = ARM_CP_NOP | ARM_CP_OVERRIDE 9076 }; 9077 #ifdef CONFIG_USER_ONLY 9078 static const ARMCPRegUserSpaceInfo id_v8_user_midr_cp_reginfo[] = { 9079 { .name = "MIDR_EL1", 9080 .exported_bits = R_MIDR_EL1_REVISION_MASK | 9081 R_MIDR_EL1_PARTNUM_MASK | 9082 R_MIDR_EL1_ARCHITECTURE_MASK | 9083 R_MIDR_EL1_VARIANT_MASK | 9084 R_MIDR_EL1_IMPLEMENTER_MASK }, 9085 { .name = "REVIDR_EL1" }, 9086 }; 9087 modify_arm_cp_regs(id_v8_midr_cp_reginfo, id_v8_user_midr_cp_reginfo); 9088 #endif 9089 if (arm_feature(env, ARM_FEATURE_OMAPCP) || 9090 arm_feature(env, ARM_FEATURE_STRONGARM)) { 9091 size_t i; 9092 /* 9093 * Register the blanket "writes ignored" value first to cover the 9094 * whole space. Then update the specific ID registers to allow write 9095 * access, so that they ignore writes rather than causing them to 9096 * UNDEF. 9097 */ 9098 define_one_arm_cp_reg(cpu, &crn0_wi_reginfo); 9099 for (i = 0; i < ARRAY_SIZE(id_pre_v8_midr_cp_reginfo); ++i) { 9100 id_pre_v8_midr_cp_reginfo[i].access = PL1_RW; 9101 } 9102 for (i = 0; i < ARRAY_SIZE(id_cp_reginfo); ++i) { 9103 id_cp_reginfo[i].access = PL1_RW; 9104 } 9105 id_mpuir_reginfo.access = PL1_RW; 9106 id_tlbtr_reginfo.access = PL1_RW; 9107 } 9108 if (arm_feature(env, ARM_FEATURE_V8)) { 9109 define_arm_cp_regs(cpu, id_v8_midr_cp_reginfo); 9110 if (!arm_feature(env, ARM_FEATURE_PMSA)) { 9111 define_one_arm_cp_reg(cpu, &id_v8_midr_alias_cp_reginfo); 9112 } 9113 } else { 9114 define_arm_cp_regs(cpu, id_pre_v8_midr_cp_reginfo); 9115 } 9116 define_arm_cp_regs(cpu, id_cp_reginfo); 9117 if (!arm_feature(env, ARM_FEATURE_PMSA)) { 9118 define_one_arm_cp_reg(cpu, &id_tlbtr_reginfo); 9119 } else if (arm_feature(env, ARM_FEATURE_PMSA) && 9120 arm_feature(env, ARM_FEATURE_V8)) { 9121 uint32_t i = 0; 9122 char *tmp_string; 9123 9124 define_one_arm_cp_reg(cpu, &id_mpuir_reginfo); 9125 define_one_arm_cp_reg(cpu, &id_hmpuir_reginfo); 9126 define_arm_cp_regs(cpu, pmsav8r_cp_reginfo); 9127 9128 /* Register alias is only valid for first 32 indexes */ 9129 for (i = 0; i < MIN(cpu->pmsav7_dregion, 32); ++i) { 9130 uint8_t crm = 0b1000 | extract32(i, 1, 3); 9131 uint8_t opc1 = extract32(i, 4, 1); 9132 uint8_t opc2 = extract32(i, 0, 1) << 2; 9133 9134 tmp_string = g_strdup_printf("PRBAR%u", i); 9135 ARMCPRegInfo tmp_prbarn_reginfo = { 9136 .name = tmp_string, .type = ARM_CP_ALIAS | ARM_CP_NO_RAW, 9137 .cp = 15, .opc1 = opc1, .crn = 6, .crm = crm, .opc2 = opc2, 9138 .access = PL1_RW, .resetvalue = 0, 9139 .accessfn = access_tvm_trvm, 9140 .writefn = pmsav8r_regn_write, .readfn = pmsav8r_regn_read 9141 }; 9142 define_one_arm_cp_reg(cpu, &tmp_prbarn_reginfo); 9143 g_free(tmp_string); 9144 9145 opc2 = extract32(i, 0, 1) << 2 | 0x1; 9146 tmp_string = g_strdup_printf("PRLAR%u", i); 9147 ARMCPRegInfo tmp_prlarn_reginfo = { 9148 .name = tmp_string, .type = ARM_CP_ALIAS | ARM_CP_NO_RAW, 9149 .cp = 15, .opc1 = opc1, .crn = 6, .crm = crm, .opc2 = opc2, 9150 .access = PL1_RW, .resetvalue = 0, 9151 .accessfn = access_tvm_trvm, 9152 .writefn = pmsav8r_regn_write, .readfn = pmsav8r_regn_read 9153 }; 9154 define_one_arm_cp_reg(cpu, &tmp_prlarn_reginfo); 9155 g_free(tmp_string); 9156 } 9157 9158 /* Register alias is only valid for first 32 indexes */ 9159 for (i = 0; i < MIN(cpu->pmsav8r_hdregion, 32); ++i) { 9160 uint8_t crm = 0b1000 | extract32(i, 1, 3); 9161 uint8_t opc1 = 0b100 | extract32(i, 4, 1); 9162 uint8_t opc2 = extract32(i, 0, 1) << 2; 9163 9164 tmp_string = g_strdup_printf("HPRBAR%u", i); 9165 ARMCPRegInfo tmp_hprbarn_reginfo = { 9166 .name = tmp_string, 9167 .type = ARM_CP_NO_RAW, 9168 .cp = 15, .opc1 = opc1, .crn = 6, .crm = crm, .opc2 = opc2, 9169 .access = PL2_RW, .resetvalue = 0, 9170 .writefn = pmsav8r_regn_write, .readfn = pmsav8r_regn_read 9171 }; 9172 define_one_arm_cp_reg(cpu, &tmp_hprbarn_reginfo); 9173 g_free(tmp_string); 9174 9175 opc2 = extract32(i, 0, 1) << 2 | 0x1; 9176 tmp_string = g_strdup_printf("HPRLAR%u", i); 9177 ARMCPRegInfo tmp_hprlarn_reginfo = { 9178 .name = tmp_string, 9179 .type = ARM_CP_NO_RAW, 9180 .cp = 15, .opc1 = opc1, .crn = 6, .crm = crm, .opc2 = opc2, 9181 .access = PL2_RW, .resetvalue = 0, 9182 .writefn = pmsav8r_regn_write, .readfn = pmsav8r_regn_read 9183 }; 9184 define_one_arm_cp_reg(cpu, &tmp_hprlarn_reginfo); 9185 g_free(tmp_string); 9186 } 9187 } else if (arm_feature(env, ARM_FEATURE_V7)) { 9188 define_one_arm_cp_reg(cpu, &id_mpuir_reginfo); 9189 } 9190 } 9191 9192 if (arm_feature(env, ARM_FEATURE_MPIDR)) { 9193 ARMCPRegInfo mpidr_cp_reginfo[] = { 9194 { .name = "MPIDR_EL1", .state = ARM_CP_STATE_BOTH, 9195 .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 5, 9196 .fgt = FGT_MPIDR_EL1, 9197 .access = PL1_R, .readfn = mpidr_read, .type = ARM_CP_NO_RAW }, 9198 }; 9199 #ifdef CONFIG_USER_ONLY 9200 static const ARMCPRegUserSpaceInfo mpidr_user_cp_reginfo[] = { 9201 { .name = "MPIDR_EL1", 9202 .fixed_bits = 0x0000000080000000 }, 9203 }; 9204 modify_arm_cp_regs(mpidr_cp_reginfo, mpidr_user_cp_reginfo); 9205 #endif 9206 define_arm_cp_regs(cpu, mpidr_cp_reginfo); 9207 } 9208 9209 if (arm_feature(env, ARM_FEATURE_AUXCR)) { 9210 ARMCPRegInfo auxcr_reginfo[] = { 9211 { .name = "ACTLR_EL1", .state = ARM_CP_STATE_BOTH, 9212 .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 1, 9213 .access = PL1_RW, .accessfn = access_tacr, 9214 .type = ARM_CP_CONST, .resetvalue = cpu->reset_auxcr }, 9215 { .name = "ACTLR_EL2", .state = ARM_CP_STATE_BOTH, 9216 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 1, 9217 .access = PL2_RW, .type = ARM_CP_CONST, 9218 .resetvalue = 0 }, 9219 { .name = "ACTLR_EL3", .state = ARM_CP_STATE_AA64, 9220 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 0, .opc2 = 1, 9221 .access = PL3_RW, .type = ARM_CP_CONST, 9222 .resetvalue = 0 }, 9223 }; 9224 define_arm_cp_regs(cpu, auxcr_reginfo); 9225 if (cpu_isar_feature(aa32_ac2, cpu)) { 9226 define_arm_cp_regs(cpu, actlr2_hactlr2_reginfo); 9227 } 9228 } 9229 9230 if (arm_feature(env, ARM_FEATURE_CBAR)) { 9231 /* 9232 * CBAR is IMPDEF, but common on Arm Cortex-A implementations. 9233 * There are two flavours: 9234 * (1) older 32-bit only cores have a simple 32-bit CBAR 9235 * (2) 64-bit cores have a 64-bit CBAR visible to AArch64, plus a 9236 * 32-bit register visible to AArch32 at a different encoding 9237 * to the "flavour 1" register and with the bits rearranged to 9238 * be able to squash a 64-bit address into the 32-bit view. 9239 * We distinguish the two via the ARM_FEATURE_AARCH64 flag, but 9240 * in future if we support AArch32-only configs of some of the 9241 * AArch64 cores we might need to add a specific feature flag 9242 * to indicate cores with "flavour 2" CBAR. 9243 */ 9244 if (arm_feature(env, ARM_FEATURE_AARCH64)) { 9245 /* 32 bit view is [31:18] 0...0 [43:32]. */ 9246 uint32_t cbar32 = (extract64(cpu->reset_cbar, 18, 14) << 18) 9247 | extract64(cpu->reset_cbar, 32, 12); 9248 ARMCPRegInfo cbar_reginfo[] = { 9249 { .name = "CBAR", 9250 .type = ARM_CP_CONST, 9251 .cp = 15, .crn = 15, .crm = 3, .opc1 = 1, .opc2 = 0, 9252 .access = PL1_R, .resetvalue = cbar32 }, 9253 { .name = "CBAR_EL1", .state = ARM_CP_STATE_AA64, 9254 .type = ARM_CP_CONST, 9255 .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 3, .opc2 = 0, 9256 .access = PL1_R, .resetvalue = cpu->reset_cbar }, 9257 }; 9258 /* We don't implement a r/w 64 bit CBAR currently */ 9259 assert(arm_feature(env, ARM_FEATURE_CBAR_RO)); 9260 define_arm_cp_regs(cpu, cbar_reginfo); 9261 } else { 9262 ARMCPRegInfo cbar = { 9263 .name = "CBAR", 9264 .cp = 15, .crn = 15, .crm = 0, .opc1 = 4, .opc2 = 0, 9265 .access = PL1_R | PL3_W, .resetvalue = cpu->reset_cbar, 9266 .fieldoffset = offsetof(CPUARMState, 9267 cp15.c15_config_base_address) 9268 }; 9269 if (arm_feature(env, ARM_FEATURE_CBAR_RO)) { 9270 cbar.access = PL1_R; 9271 cbar.fieldoffset = 0; 9272 cbar.type = ARM_CP_CONST; 9273 } 9274 define_one_arm_cp_reg(cpu, &cbar); 9275 } 9276 } 9277 9278 if (arm_feature(env, ARM_FEATURE_VBAR)) { 9279 static const ARMCPRegInfo vbar_cp_reginfo[] = { 9280 { .name = "VBAR", .state = ARM_CP_STATE_BOTH, 9281 .opc0 = 3, .crn = 12, .crm = 0, .opc1 = 0, .opc2 = 0, 9282 .access = PL1_RW, .writefn = vbar_write, 9283 .fgt = FGT_VBAR_EL1, 9284 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.vbar_s), 9285 offsetof(CPUARMState, cp15.vbar_ns) }, 9286 .resetvalue = 0 }, 9287 }; 9288 define_arm_cp_regs(cpu, vbar_cp_reginfo); 9289 } 9290 9291 /* Generic registers whose values depend on the implementation */ 9292 { 9293 ARMCPRegInfo sctlr = { 9294 .name = "SCTLR", .state = ARM_CP_STATE_BOTH, 9295 .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 0, 9296 .access = PL1_RW, .accessfn = access_tvm_trvm, 9297 .fgt = FGT_SCTLR_EL1, 9298 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.sctlr_s), 9299 offsetof(CPUARMState, cp15.sctlr_ns) }, 9300 .writefn = sctlr_write, .resetvalue = cpu->reset_sctlr, 9301 .raw_writefn = raw_write, 9302 }; 9303 if (arm_feature(env, ARM_FEATURE_XSCALE)) { 9304 /* 9305 * Normally we would always end the TB on an SCTLR write, but Linux 9306 * arch/arm/mach-pxa/sleep.S expects two instructions following 9307 * an MMU enable to execute from cache. Imitate this behaviour. 9308 */ 9309 sctlr.type |= ARM_CP_SUPPRESS_TB_END; 9310 } 9311 define_one_arm_cp_reg(cpu, &sctlr); 9312 9313 if (arm_feature(env, ARM_FEATURE_PMSA) && 9314 arm_feature(env, ARM_FEATURE_V8)) { 9315 ARMCPRegInfo vsctlr = { 9316 .name = "VSCTLR", .state = ARM_CP_STATE_AA32, 9317 .cp = 15, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 0, 9318 .access = PL2_RW, .resetvalue = 0x0, 9319 .fieldoffset = offsetoflow32(CPUARMState, cp15.vsctlr), 9320 }; 9321 define_one_arm_cp_reg(cpu, &vsctlr); 9322 } 9323 } 9324 9325 if (cpu_isar_feature(aa64_lor, cpu)) { 9326 define_arm_cp_regs(cpu, lor_reginfo); 9327 } 9328 if (cpu_isar_feature(aa64_pan, cpu)) { 9329 define_one_arm_cp_reg(cpu, &pan_reginfo); 9330 } 9331 #ifndef CONFIG_USER_ONLY 9332 if (cpu_isar_feature(aa64_ats1e1, cpu)) { 9333 define_arm_cp_regs(cpu, ats1e1_reginfo); 9334 } 9335 if (cpu_isar_feature(aa32_ats1e1, cpu)) { 9336 define_arm_cp_regs(cpu, ats1cp_reginfo); 9337 } 9338 #endif 9339 if (cpu_isar_feature(aa64_uao, cpu)) { 9340 define_one_arm_cp_reg(cpu, &uao_reginfo); 9341 } 9342 9343 if (cpu_isar_feature(aa64_dit, cpu)) { 9344 define_one_arm_cp_reg(cpu, &dit_reginfo); 9345 } 9346 if (cpu_isar_feature(aa64_ssbs, cpu)) { 9347 define_one_arm_cp_reg(cpu, &ssbs_reginfo); 9348 } 9349 if (cpu_isar_feature(any_ras, cpu)) { 9350 define_arm_cp_regs(cpu, minimal_ras_reginfo); 9351 } 9352 9353 if (cpu_isar_feature(aa64_vh, cpu) || 9354 cpu_isar_feature(aa64_debugv8p2, cpu)) { 9355 define_one_arm_cp_reg(cpu, &contextidr_el2); 9356 } 9357 if (arm_feature(env, ARM_FEATURE_EL2) && cpu_isar_feature(aa64_vh, cpu)) { 9358 define_arm_cp_regs(cpu, vhe_reginfo); 9359 } 9360 9361 if (cpu_isar_feature(aa64_sve, cpu)) { 9362 define_arm_cp_regs(cpu, zcr_reginfo); 9363 } 9364 9365 if (cpu_isar_feature(aa64_hcx, cpu)) { 9366 define_one_arm_cp_reg(cpu, &hcrx_el2_reginfo); 9367 } 9368 9369 #ifdef TARGET_AARCH64 9370 if (cpu_isar_feature(aa64_sme, cpu)) { 9371 define_arm_cp_regs(cpu, sme_reginfo); 9372 } 9373 if (cpu_isar_feature(aa64_pauth, cpu)) { 9374 define_arm_cp_regs(cpu, pauth_reginfo); 9375 } 9376 if (cpu_isar_feature(aa64_rndr, cpu)) { 9377 define_arm_cp_regs(cpu, rndr_reginfo); 9378 } 9379 if (cpu_isar_feature(aa64_tlbirange, cpu)) { 9380 define_arm_cp_regs(cpu, tlbirange_reginfo); 9381 } 9382 if (cpu_isar_feature(aa64_tlbios, cpu)) { 9383 define_arm_cp_regs(cpu, tlbios_reginfo); 9384 } 9385 /* Data Cache clean instructions up to PoP */ 9386 if (cpu_isar_feature(aa64_dcpop, cpu)) { 9387 define_one_arm_cp_reg(cpu, dcpop_reg); 9388 9389 if (cpu_isar_feature(aa64_dcpodp, cpu)) { 9390 define_one_arm_cp_reg(cpu, dcpodp_reg); 9391 } 9392 } 9393 9394 /* 9395 * If full MTE is enabled, add all of the system registers. 9396 * If only "instructions available at EL0" are enabled, 9397 * then define only a RAZ/WI version of PSTATE.TCO. 9398 */ 9399 if (cpu_isar_feature(aa64_mte, cpu)) { 9400 ARMCPRegInfo gmid_reginfo = { 9401 .name = "GMID_EL1", .state = ARM_CP_STATE_AA64, 9402 .opc0 = 3, .opc1 = 1, .crn = 0, .crm = 0, .opc2 = 4, 9403 .access = PL1_R, .accessfn = access_aa64_tid5, 9404 .type = ARM_CP_CONST, .resetvalue = cpu->gm_blocksize, 9405 }; 9406 define_one_arm_cp_reg(cpu, &gmid_reginfo); 9407 define_arm_cp_regs(cpu, mte_reginfo); 9408 define_arm_cp_regs(cpu, mte_el0_cacheop_reginfo); 9409 } else if (cpu_isar_feature(aa64_mte_insn_reg, cpu)) { 9410 define_arm_cp_regs(cpu, mte_tco_ro_reginfo); 9411 define_arm_cp_regs(cpu, mte_el0_cacheop_reginfo); 9412 } 9413 9414 if (cpu_isar_feature(aa64_scxtnum, cpu)) { 9415 define_arm_cp_regs(cpu, scxtnum_reginfo); 9416 } 9417 9418 if (cpu_isar_feature(aa64_fgt, cpu)) { 9419 define_arm_cp_regs(cpu, fgt_reginfo); 9420 } 9421 9422 if (cpu_isar_feature(aa64_rme, cpu)) { 9423 define_arm_cp_regs(cpu, rme_reginfo); 9424 if (cpu_isar_feature(aa64_mte, cpu)) { 9425 define_arm_cp_regs(cpu, rme_mte_reginfo); 9426 } 9427 } 9428 #endif 9429 9430 if (cpu_isar_feature(any_predinv, cpu)) { 9431 define_arm_cp_regs(cpu, predinv_reginfo); 9432 } 9433 9434 if (cpu_isar_feature(any_ccidx, cpu)) { 9435 define_arm_cp_regs(cpu, ccsidr2_reginfo); 9436 } 9437 9438 #ifndef CONFIG_USER_ONLY 9439 /* 9440 * Register redirections and aliases must be done last, 9441 * after the registers from the other extensions have been defined. 9442 */ 9443 if (arm_feature(env, ARM_FEATURE_EL2) && cpu_isar_feature(aa64_vh, cpu)) { 9444 define_arm_vh_e2h_redirects_aliases(cpu); 9445 } 9446 #endif 9447 } 9448 9449 /* Sort alphabetically by type name, except for "any". */ 9450 static gint arm_cpu_list_compare(gconstpointer a, gconstpointer b) 9451 { 9452 ObjectClass *class_a = (ObjectClass *)a; 9453 ObjectClass *class_b = (ObjectClass *)b; 9454 const char *name_a, *name_b; 9455 9456 name_a = object_class_get_name(class_a); 9457 name_b = object_class_get_name(class_b); 9458 if (strcmp(name_a, "any-" TYPE_ARM_CPU) == 0) { 9459 return 1; 9460 } else if (strcmp(name_b, "any-" TYPE_ARM_CPU) == 0) { 9461 return -1; 9462 } else { 9463 return strcmp(name_a, name_b); 9464 } 9465 } 9466 9467 static void arm_cpu_list_entry(gpointer data, gpointer user_data) 9468 { 9469 ObjectClass *oc = data; 9470 CPUClass *cc = CPU_CLASS(oc); 9471 const char *typename; 9472 char *name; 9473 9474 typename = object_class_get_name(oc); 9475 name = g_strndup(typename, strlen(typename) - strlen("-" TYPE_ARM_CPU)); 9476 if (cc->deprecation_note) { 9477 qemu_printf(" %s (deprecated)\n", name); 9478 } else { 9479 qemu_printf(" %s\n", name); 9480 } 9481 g_free(name); 9482 } 9483 9484 void arm_cpu_list(void) 9485 { 9486 GSList *list; 9487 9488 list = object_class_get_list(TYPE_ARM_CPU, false); 9489 list = g_slist_sort(list, arm_cpu_list_compare); 9490 qemu_printf("Available CPUs:\n"); 9491 g_slist_foreach(list, arm_cpu_list_entry, NULL); 9492 g_slist_free(list); 9493 } 9494 9495 /* 9496 * Private utility function for define_one_arm_cp_reg_with_opaque(): 9497 * add a single reginfo struct to the hash table. 9498 */ 9499 static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r, 9500 void *opaque, CPState state, 9501 CPSecureState secstate, 9502 int crm, int opc1, int opc2, 9503 const char *name) 9504 { 9505 CPUARMState *env = &cpu->env; 9506 uint32_t key; 9507 ARMCPRegInfo *r2; 9508 bool is64 = r->type & ARM_CP_64BIT; 9509 bool ns = secstate & ARM_CP_SECSTATE_NS; 9510 int cp = r->cp; 9511 size_t name_len; 9512 bool make_const; 9513 9514 switch (state) { 9515 case ARM_CP_STATE_AA32: 9516 /* We assume it is a cp15 register if the .cp field is left unset. */ 9517 if (cp == 0 && r->state == ARM_CP_STATE_BOTH) { 9518 cp = 15; 9519 } 9520 key = ENCODE_CP_REG(cp, is64, ns, r->crn, crm, opc1, opc2); 9521 break; 9522 case ARM_CP_STATE_AA64: 9523 /* 9524 * To allow abbreviation of ARMCPRegInfo definitions, we treat 9525 * cp == 0 as equivalent to the value for "standard guest-visible 9526 * sysreg". STATE_BOTH definitions are also always "standard sysreg" 9527 * in their AArch64 view (the .cp value may be non-zero for the 9528 * benefit of the AArch32 view). 9529 */ 9530 if (cp == 0 || r->state == ARM_CP_STATE_BOTH) { 9531 cp = CP_REG_ARM64_SYSREG_CP; 9532 } 9533 key = ENCODE_AA64_CP_REG(cp, r->crn, crm, r->opc0, opc1, opc2); 9534 break; 9535 default: 9536 g_assert_not_reached(); 9537 } 9538 9539 /* Overriding of an existing definition must be explicitly requested. */ 9540 if (!(r->type & ARM_CP_OVERRIDE)) { 9541 const ARMCPRegInfo *oldreg = get_arm_cp_reginfo(cpu->cp_regs, key); 9542 if (oldreg) { 9543 assert(oldreg->type & ARM_CP_OVERRIDE); 9544 } 9545 } 9546 9547 /* 9548 * Eliminate registers that are not present because the EL is missing. 9549 * Doing this here makes it easier to put all registers for a given 9550 * feature into the same ARMCPRegInfo array and define them all at once. 9551 */ 9552 make_const = false; 9553 if (arm_feature(env, ARM_FEATURE_EL3)) { 9554 /* 9555 * An EL2 register without EL2 but with EL3 is (usually) RES0. 9556 * See rule RJFFP in section D1.1.3 of DDI0487H.a. 9557 */ 9558 int min_el = ctz32(r->access) / 2; 9559 if (min_el == 2 && !arm_feature(env, ARM_FEATURE_EL2)) { 9560 if (r->type & ARM_CP_EL3_NO_EL2_UNDEF) { 9561 return; 9562 } 9563 make_const = !(r->type & ARM_CP_EL3_NO_EL2_KEEP); 9564 } 9565 } else { 9566 CPAccessRights max_el = (arm_feature(env, ARM_FEATURE_EL2) 9567 ? PL2_RW : PL1_RW); 9568 if ((r->access & max_el) == 0) { 9569 return; 9570 } 9571 } 9572 9573 /* Combine cpreg and name into one allocation. */ 9574 name_len = strlen(name) + 1; 9575 r2 = g_malloc(sizeof(*r2) + name_len); 9576 *r2 = *r; 9577 r2->name = memcpy(r2 + 1, name, name_len); 9578 9579 /* 9580 * Update fields to match the instantiation, overwiting wildcards 9581 * such as CP_ANY, ARM_CP_STATE_BOTH, or ARM_CP_SECSTATE_BOTH. 9582 */ 9583 r2->cp = cp; 9584 r2->crm = crm; 9585 r2->opc1 = opc1; 9586 r2->opc2 = opc2; 9587 r2->state = state; 9588 r2->secure = secstate; 9589 if (opaque) { 9590 r2->opaque = opaque; 9591 } 9592 9593 if (make_const) { 9594 /* This should not have been a very special register to begin. */ 9595 int old_special = r2->type & ARM_CP_SPECIAL_MASK; 9596 assert(old_special == 0 || old_special == ARM_CP_NOP); 9597 /* 9598 * Set the special function to CONST, retaining the other flags. 9599 * This is important for e.g. ARM_CP_SVE so that we still 9600 * take the SVE trap if CPTR_EL3.EZ == 0. 9601 */ 9602 r2->type = (r2->type & ~ARM_CP_SPECIAL_MASK) | ARM_CP_CONST; 9603 /* 9604 * Usually, these registers become RES0, but there are a few 9605 * special cases like VPIDR_EL2 which have a constant non-zero 9606 * value with writes ignored. 9607 */ 9608 if (!(r->type & ARM_CP_EL3_NO_EL2_C_NZ)) { 9609 r2->resetvalue = 0; 9610 } 9611 /* 9612 * ARM_CP_CONST has precedence, so removing the callbacks and 9613 * offsets are not strictly necessary, but it is potentially 9614 * less confusing to debug later. 9615 */ 9616 r2->readfn = NULL; 9617 r2->writefn = NULL; 9618 r2->raw_readfn = NULL; 9619 r2->raw_writefn = NULL; 9620 r2->resetfn = NULL; 9621 r2->fieldoffset = 0; 9622 r2->bank_fieldoffsets[0] = 0; 9623 r2->bank_fieldoffsets[1] = 0; 9624 } else { 9625 bool isbanked = r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1]; 9626 9627 if (isbanked) { 9628 /* 9629 * Register is banked (using both entries in array). 9630 * Overwriting fieldoffset as the array is only used to define 9631 * banked registers but later only fieldoffset is used. 9632 */ 9633 r2->fieldoffset = r->bank_fieldoffsets[ns]; 9634 } 9635 if (state == ARM_CP_STATE_AA32) { 9636 if (isbanked) { 9637 /* 9638 * If the register is banked then we don't need to migrate or 9639 * reset the 32-bit instance in certain cases: 9640 * 9641 * 1) If the register has both 32-bit and 64-bit instances 9642 * then we can count on the 64-bit instance taking care 9643 * of the non-secure bank. 9644 * 2) If ARMv8 is enabled then we can count on a 64-bit 9645 * version taking care of the secure bank. This requires 9646 * that separate 32 and 64-bit definitions are provided. 9647 */ 9648 if ((r->state == ARM_CP_STATE_BOTH && ns) || 9649 (arm_feature(env, ARM_FEATURE_V8) && !ns)) { 9650 r2->type |= ARM_CP_ALIAS; 9651 } 9652 } else if ((secstate != r->secure) && !ns) { 9653 /* 9654 * The register is not banked so we only want to allow 9655 * migration of the non-secure instance. 9656 */ 9657 r2->type |= ARM_CP_ALIAS; 9658 } 9659 9660 if (HOST_BIG_ENDIAN && 9661 r->state == ARM_CP_STATE_BOTH && r2->fieldoffset) { 9662 r2->fieldoffset += sizeof(uint32_t); 9663 } 9664 } 9665 } 9666 9667 /* 9668 * By convention, for wildcarded registers only the first 9669 * entry is used for migration; the others are marked as 9670 * ALIAS so we don't try to transfer the register 9671 * multiple times. Special registers (ie NOP/WFI) are 9672 * never migratable and not even raw-accessible. 9673 */ 9674 if (r2->type & ARM_CP_SPECIAL_MASK) { 9675 r2->type |= ARM_CP_NO_RAW; 9676 } 9677 if (((r->crm == CP_ANY) && crm != 0) || 9678 ((r->opc1 == CP_ANY) && opc1 != 0) || 9679 ((r->opc2 == CP_ANY) && opc2 != 0)) { 9680 r2->type |= ARM_CP_ALIAS | ARM_CP_NO_GDB; 9681 } 9682 9683 /* 9684 * Check that raw accesses are either forbidden or handled. Note that 9685 * we can't assert this earlier because the setup of fieldoffset for 9686 * banked registers has to be done first. 9687 */ 9688 if (!(r2->type & ARM_CP_NO_RAW)) { 9689 assert(!raw_accessors_invalid(r2)); 9690 } 9691 9692 g_hash_table_insert(cpu->cp_regs, (gpointer)(uintptr_t)key, r2); 9693 } 9694 9695 9696 void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu, 9697 const ARMCPRegInfo *r, void *opaque) 9698 { 9699 /* 9700 * Define implementations of coprocessor registers. 9701 * We store these in a hashtable because typically 9702 * there are less than 150 registers in a space which 9703 * is 16*16*16*8*8 = 262144 in size. 9704 * Wildcarding is supported for the crm, opc1 and opc2 fields. 9705 * If a register is defined twice then the second definition is 9706 * used, so this can be used to define some generic registers and 9707 * then override them with implementation specific variations. 9708 * At least one of the original and the second definition should 9709 * include ARM_CP_OVERRIDE in its type bits -- this is just a guard 9710 * against accidental use. 9711 * 9712 * The state field defines whether the register is to be 9713 * visible in the AArch32 or AArch64 execution state. If the 9714 * state is set to ARM_CP_STATE_BOTH then we synthesise a 9715 * reginfo structure for the AArch32 view, which sees the lower 9716 * 32 bits of the 64 bit register. 9717 * 9718 * Only registers visible in AArch64 may set r->opc0; opc0 cannot 9719 * be wildcarded. AArch64 registers are always considered to be 64 9720 * bits; the ARM_CP_64BIT* flag applies only to the AArch32 view of 9721 * the register, if any. 9722 */ 9723 int crm, opc1, opc2; 9724 int crmmin = (r->crm == CP_ANY) ? 0 : r->crm; 9725 int crmmax = (r->crm == CP_ANY) ? 15 : r->crm; 9726 int opc1min = (r->opc1 == CP_ANY) ? 0 : r->opc1; 9727 int opc1max = (r->opc1 == CP_ANY) ? 7 : r->opc1; 9728 int opc2min = (r->opc2 == CP_ANY) ? 0 : r->opc2; 9729 int opc2max = (r->opc2 == CP_ANY) ? 7 : r->opc2; 9730 CPState state; 9731 9732 /* 64 bit registers have only CRm and Opc1 fields */ 9733 assert(!((r->type & ARM_CP_64BIT) && (r->opc2 || r->crn))); 9734 /* op0 only exists in the AArch64 encodings */ 9735 assert((r->state != ARM_CP_STATE_AA32) || (r->opc0 == 0)); 9736 /* AArch64 regs are all 64 bit so ARM_CP_64BIT is meaningless */ 9737 assert((r->state != ARM_CP_STATE_AA64) || !(r->type & ARM_CP_64BIT)); 9738 /* 9739 * This API is only for Arm's system coprocessors (14 and 15) or 9740 * (M-profile or v7A-and-earlier only) for implementation defined 9741 * coprocessors in the range 0..7. Our decode assumes this, since 9742 * 8..13 can be used for other insns including VFP and Neon. See 9743 * valid_cp() in translate.c. Assert here that we haven't tried 9744 * to use an invalid coprocessor number. 9745 */ 9746 switch (r->state) { 9747 case ARM_CP_STATE_BOTH: 9748 /* 0 has a special meaning, but otherwise the same rules as AA32. */ 9749 if (r->cp == 0) { 9750 break; 9751 } 9752 /* fall through */ 9753 case ARM_CP_STATE_AA32: 9754 if (arm_feature(&cpu->env, ARM_FEATURE_V8) && 9755 !arm_feature(&cpu->env, ARM_FEATURE_M)) { 9756 assert(r->cp >= 14 && r->cp <= 15); 9757 } else { 9758 assert(r->cp < 8 || (r->cp >= 14 && r->cp <= 15)); 9759 } 9760 break; 9761 case ARM_CP_STATE_AA64: 9762 assert(r->cp == 0 || r->cp == CP_REG_ARM64_SYSREG_CP); 9763 break; 9764 default: 9765 g_assert_not_reached(); 9766 } 9767 /* 9768 * The AArch64 pseudocode CheckSystemAccess() specifies that op1 9769 * encodes a minimum access level for the register. We roll this 9770 * runtime check into our general permission check code, so check 9771 * here that the reginfo's specified permissions are strict enough 9772 * to encompass the generic architectural permission check. 9773 */ 9774 if (r->state != ARM_CP_STATE_AA32) { 9775 CPAccessRights mask; 9776 switch (r->opc1) { 9777 case 0: 9778 /* min_EL EL1, but some accessible to EL0 via kernel ABI */ 9779 mask = PL0U_R | PL1_RW; 9780 break; 9781 case 1: case 2: 9782 /* min_EL EL1 */ 9783 mask = PL1_RW; 9784 break; 9785 case 3: 9786 /* min_EL EL0 */ 9787 mask = PL0_RW; 9788 break; 9789 case 4: 9790 case 5: 9791 /* min_EL EL2 */ 9792 mask = PL2_RW; 9793 break; 9794 case 6: 9795 /* min_EL EL3 */ 9796 mask = PL3_RW; 9797 break; 9798 case 7: 9799 /* min_EL EL1, secure mode only (we don't check the latter) */ 9800 mask = PL1_RW; 9801 break; 9802 default: 9803 /* broken reginfo with out-of-range opc1 */ 9804 g_assert_not_reached(); 9805 } 9806 /* assert our permissions are not too lax (stricter is fine) */ 9807 assert((r->access & ~mask) == 0); 9808 } 9809 9810 /* 9811 * Check that the register definition has enough info to handle 9812 * reads and writes if they are permitted. 9813 */ 9814 if (!(r->type & (ARM_CP_SPECIAL_MASK | ARM_CP_CONST))) { 9815 if (r->access & PL3_R) { 9816 assert((r->fieldoffset || 9817 (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1])) || 9818 r->readfn); 9819 } 9820 if (r->access & PL3_W) { 9821 assert((r->fieldoffset || 9822 (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1])) || 9823 r->writefn); 9824 } 9825 } 9826 9827 for (crm = crmmin; crm <= crmmax; crm++) { 9828 for (opc1 = opc1min; opc1 <= opc1max; opc1++) { 9829 for (opc2 = opc2min; opc2 <= opc2max; opc2++) { 9830 for (state = ARM_CP_STATE_AA32; 9831 state <= ARM_CP_STATE_AA64; state++) { 9832 if (r->state != state && r->state != ARM_CP_STATE_BOTH) { 9833 continue; 9834 } 9835 if (state == ARM_CP_STATE_AA32) { 9836 /* 9837 * Under AArch32 CP registers can be common 9838 * (same for secure and non-secure world) or banked. 9839 */ 9840 char *name; 9841 9842 switch (r->secure) { 9843 case ARM_CP_SECSTATE_S: 9844 case ARM_CP_SECSTATE_NS: 9845 add_cpreg_to_hashtable(cpu, r, opaque, state, 9846 r->secure, crm, opc1, opc2, 9847 r->name); 9848 break; 9849 case ARM_CP_SECSTATE_BOTH: 9850 name = g_strdup_printf("%s_S", r->name); 9851 add_cpreg_to_hashtable(cpu, r, opaque, state, 9852 ARM_CP_SECSTATE_S, 9853 crm, opc1, opc2, name); 9854 g_free(name); 9855 add_cpreg_to_hashtable(cpu, r, opaque, state, 9856 ARM_CP_SECSTATE_NS, 9857 crm, opc1, opc2, r->name); 9858 break; 9859 default: 9860 g_assert_not_reached(); 9861 } 9862 } else { 9863 /* 9864 * AArch64 registers get mapped to non-secure instance 9865 * of AArch32 9866 */ 9867 add_cpreg_to_hashtable(cpu, r, opaque, state, 9868 ARM_CP_SECSTATE_NS, 9869 crm, opc1, opc2, r->name); 9870 } 9871 } 9872 } 9873 } 9874 } 9875 } 9876 9877 /* Define a whole list of registers */ 9878 void define_arm_cp_regs_with_opaque_len(ARMCPU *cpu, const ARMCPRegInfo *regs, 9879 void *opaque, size_t len) 9880 { 9881 size_t i; 9882 for (i = 0; i < len; ++i) { 9883 define_one_arm_cp_reg_with_opaque(cpu, regs + i, opaque); 9884 } 9885 } 9886 9887 /* 9888 * Modify ARMCPRegInfo for access from userspace. 9889 * 9890 * This is a data driven modification directed by 9891 * ARMCPRegUserSpaceInfo. All registers become ARM_CP_CONST as 9892 * user-space cannot alter any values and dynamic values pertaining to 9893 * execution state are hidden from user space view anyway. 9894 */ 9895 void modify_arm_cp_regs_with_len(ARMCPRegInfo *regs, size_t regs_len, 9896 const ARMCPRegUserSpaceInfo *mods, 9897 size_t mods_len) 9898 { 9899 for (size_t mi = 0; mi < mods_len; ++mi) { 9900 const ARMCPRegUserSpaceInfo *m = mods + mi; 9901 GPatternSpec *pat = NULL; 9902 9903 if (m->is_glob) { 9904 pat = g_pattern_spec_new(m->name); 9905 } 9906 for (size_t ri = 0; ri < regs_len; ++ri) { 9907 ARMCPRegInfo *r = regs + ri; 9908 9909 if (pat && g_pattern_match_string(pat, r->name)) { 9910 r->type = ARM_CP_CONST; 9911 r->access = PL0U_R; 9912 r->resetvalue = 0; 9913 /* continue */ 9914 } else if (strcmp(r->name, m->name) == 0) { 9915 r->type = ARM_CP_CONST; 9916 r->access = PL0U_R; 9917 r->resetvalue &= m->exported_bits; 9918 r->resetvalue |= m->fixed_bits; 9919 break; 9920 } 9921 } 9922 if (pat) { 9923 g_pattern_spec_free(pat); 9924 } 9925 } 9926 } 9927 9928 const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp) 9929 { 9930 return g_hash_table_lookup(cpregs, (gpointer)(uintptr_t)encoded_cp); 9931 } 9932 9933 void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri, 9934 uint64_t value) 9935 { 9936 /* Helper coprocessor write function for write-ignore registers */ 9937 } 9938 9939 uint64_t arm_cp_read_zero(CPUARMState *env, const ARMCPRegInfo *ri) 9940 { 9941 /* Helper coprocessor write function for read-as-zero registers */ 9942 return 0; 9943 } 9944 9945 void arm_cp_reset_ignore(CPUARMState *env, const ARMCPRegInfo *opaque) 9946 { 9947 /* Helper coprocessor reset function for do-nothing-on-reset registers */ 9948 } 9949 9950 static int bad_mode_switch(CPUARMState *env, int mode, CPSRWriteType write_type) 9951 { 9952 /* 9953 * Return true if it is not valid for us to switch to 9954 * this CPU mode (ie all the UNPREDICTABLE cases in 9955 * the ARM ARM CPSRWriteByInstr pseudocode). 9956 */ 9957 9958 /* Changes to or from Hyp via MSR and CPS are illegal. */ 9959 if (write_type == CPSRWriteByInstr && 9960 ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_HYP || 9961 mode == ARM_CPU_MODE_HYP)) { 9962 return 1; 9963 } 9964 9965 switch (mode) { 9966 case ARM_CPU_MODE_USR: 9967 return 0; 9968 case ARM_CPU_MODE_SYS: 9969 case ARM_CPU_MODE_SVC: 9970 case ARM_CPU_MODE_ABT: 9971 case ARM_CPU_MODE_UND: 9972 case ARM_CPU_MODE_IRQ: 9973 case ARM_CPU_MODE_FIQ: 9974 /* 9975 * Note that we don't implement the IMPDEF NSACR.RFR which in v7 9976 * allows FIQ mode to be Secure-only. (In v8 this doesn't exist.) 9977 */ 9978 /* 9979 * If HCR.TGE is set then changes from Monitor to NS PL1 via MSR 9980 * and CPS are treated as illegal mode changes. 9981 */ 9982 if (write_type == CPSRWriteByInstr && 9983 (env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_MON && 9984 (arm_hcr_el2_eff(env) & HCR_TGE)) { 9985 return 1; 9986 } 9987 return 0; 9988 case ARM_CPU_MODE_HYP: 9989 return !arm_is_el2_enabled(env) || arm_current_el(env) < 2; 9990 case ARM_CPU_MODE_MON: 9991 return arm_current_el(env) < 3; 9992 default: 9993 return 1; 9994 } 9995 } 9996 9997 uint32_t cpsr_read(CPUARMState *env) 9998 { 9999 int ZF; 10000 ZF = (env->ZF == 0); 10001 return env->uncached_cpsr | (env->NF & 0x80000000) | (ZF << 30) | 10002 (env->CF << 29) | ((env->VF & 0x80000000) >> 3) | (env->QF << 27) 10003 | (env->thumb << 5) | ((env->condexec_bits & 3) << 25) 10004 | ((env->condexec_bits & 0xfc) << 8) 10005 | (env->GE << 16) | (env->daif & CPSR_AIF); 10006 } 10007 10008 void cpsr_write(CPUARMState *env, uint32_t val, uint32_t mask, 10009 CPSRWriteType write_type) 10010 { 10011 uint32_t changed_daif; 10012 bool rebuild_hflags = (write_type != CPSRWriteRaw) && 10013 (mask & (CPSR_M | CPSR_E | CPSR_IL)); 10014 10015 if (mask & CPSR_NZCV) { 10016 env->ZF = (~val) & CPSR_Z; 10017 env->NF = val; 10018 env->CF = (val >> 29) & 1; 10019 env->VF = (val << 3) & 0x80000000; 10020 } 10021 if (mask & CPSR_Q) { 10022 env->QF = ((val & CPSR_Q) != 0); 10023 } 10024 if (mask & CPSR_T) { 10025 env->thumb = ((val & CPSR_T) != 0); 10026 } 10027 if (mask & CPSR_IT_0_1) { 10028 env->condexec_bits &= ~3; 10029 env->condexec_bits |= (val >> 25) & 3; 10030 } 10031 if (mask & CPSR_IT_2_7) { 10032 env->condexec_bits &= 3; 10033 env->condexec_bits |= (val >> 8) & 0xfc; 10034 } 10035 if (mask & CPSR_GE) { 10036 env->GE = (val >> 16) & 0xf; 10037 } 10038 10039 /* 10040 * In a V7 implementation that includes the security extensions but does 10041 * not include Virtualization Extensions the SCR.FW and SCR.AW bits control 10042 * whether non-secure software is allowed to change the CPSR_F and CPSR_A 10043 * bits respectively. 10044 * 10045 * In a V8 implementation, it is permitted for privileged software to 10046 * change the CPSR A/F bits regardless of the SCR.AW/FW bits. 10047 */ 10048 if (write_type != CPSRWriteRaw && !arm_feature(env, ARM_FEATURE_V8) && 10049 arm_feature(env, ARM_FEATURE_EL3) && 10050 !arm_feature(env, ARM_FEATURE_EL2) && 10051 !arm_is_secure(env)) { 10052 10053 changed_daif = (env->daif ^ val) & mask; 10054 10055 if (changed_daif & CPSR_A) { 10056 /* 10057 * Check to see if we are allowed to change the masking of async 10058 * abort exceptions from a non-secure state. 10059 */ 10060 if (!(env->cp15.scr_el3 & SCR_AW)) { 10061 qemu_log_mask(LOG_GUEST_ERROR, 10062 "Ignoring attempt to switch CPSR_A flag from " 10063 "non-secure world with SCR.AW bit clear\n"); 10064 mask &= ~CPSR_A; 10065 } 10066 } 10067 10068 if (changed_daif & CPSR_F) { 10069 /* 10070 * Check to see if we are allowed to change the masking of FIQ 10071 * exceptions from a non-secure state. 10072 */ 10073 if (!(env->cp15.scr_el3 & SCR_FW)) { 10074 qemu_log_mask(LOG_GUEST_ERROR, 10075 "Ignoring attempt to switch CPSR_F flag from " 10076 "non-secure world with SCR.FW bit clear\n"); 10077 mask &= ~CPSR_F; 10078 } 10079 10080 /* 10081 * Check whether non-maskable FIQ (NMFI) support is enabled. 10082 * If this bit is set software is not allowed to mask 10083 * FIQs, but is allowed to set CPSR_F to 0. 10084 */ 10085 if ((A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_NMFI) && 10086 (val & CPSR_F)) { 10087 qemu_log_mask(LOG_GUEST_ERROR, 10088 "Ignoring attempt to enable CPSR_F flag " 10089 "(non-maskable FIQ [NMFI] support enabled)\n"); 10090 mask &= ~CPSR_F; 10091 } 10092 } 10093 } 10094 10095 env->daif &= ~(CPSR_AIF & mask); 10096 env->daif |= val & CPSR_AIF & mask; 10097 10098 if (write_type != CPSRWriteRaw && 10099 ((env->uncached_cpsr ^ val) & mask & CPSR_M)) { 10100 if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_USR) { 10101 /* 10102 * Note that we can only get here in USR mode if this is a 10103 * gdb stub write; for this case we follow the architectural 10104 * behaviour for guest writes in USR mode of ignoring an attempt 10105 * to switch mode. (Those are caught by translate.c for writes 10106 * triggered by guest instructions.) 10107 */ 10108 mask &= ~CPSR_M; 10109 } else if (bad_mode_switch(env, val & CPSR_M, write_type)) { 10110 /* 10111 * Attempt to switch to an invalid mode: this is UNPREDICTABLE in 10112 * v7, and has defined behaviour in v8: 10113 * + leave CPSR.M untouched 10114 * + allow changes to the other CPSR fields 10115 * + set PSTATE.IL 10116 * For user changes via the GDB stub, we don't set PSTATE.IL, 10117 * as this would be unnecessarily harsh for a user error. 10118 */ 10119 mask &= ~CPSR_M; 10120 if (write_type != CPSRWriteByGDBStub && 10121 arm_feature(env, ARM_FEATURE_V8)) { 10122 mask |= CPSR_IL; 10123 val |= CPSR_IL; 10124 } 10125 qemu_log_mask(LOG_GUEST_ERROR, 10126 "Illegal AArch32 mode switch attempt from %s to %s\n", 10127 aarch32_mode_name(env->uncached_cpsr), 10128 aarch32_mode_name(val)); 10129 } else { 10130 qemu_log_mask(CPU_LOG_INT, "%s %s to %s PC 0x%" PRIx32 "\n", 10131 write_type == CPSRWriteExceptionReturn ? 10132 "Exception return from AArch32" : 10133 "AArch32 mode switch from", 10134 aarch32_mode_name(env->uncached_cpsr), 10135 aarch32_mode_name(val), env->regs[15]); 10136 switch_mode(env, val & CPSR_M); 10137 } 10138 } 10139 mask &= ~CACHED_CPSR_BITS; 10140 env->uncached_cpsr = (env->uncached_cpsr & ~mask) | (val & mask); 10141 if (tcg_enabled() && rebuild_hflags) { 10142 arm_rebuild_hflags(env); 10143 } 10144 } 10145 10146 /* Sign/zero extend */ 10147 uint32_t HELPER(sxtb16)(uint32_t x) 10148 { 10149 uint32_t res; 10150 res = (uint16_t)(int8_t)x; 10151 res |= (uint32_t)(int8_t)(x >> 16) << 16; 10152 return res; 10153 } 10154 10155 static void handle_possible_div0_trap(CPUARMState *env, uintptr_t ra) 10156 { 10157 /* 10158 * Take a division-by-zero exception if necessary; otherwise return 10159 * to get the usual non-trapping division behaviour (result of 0) 10160 */ 10161 if (arm_feature(env, ARM_FEATURE_M) 10162 && (env->v7m.ccr[env->v7m.secure] & R_V7M_CCR_DIV_0_TRP_MASK)) { 10163 raise_exception_ra(env, EXCP_DIVBYZERO, 0, 1, ra); 10164 } 10165 } 10166 10167 uint32_t HELPER(uxtb16)(uint32_t x) 10168 { 10169 uint32_t res; 10170 res = (uint16_t)(uint8_t)x; 10171 res |= (uint32_t)(uint8_t)(x >> 16) << 16; 10172 return res; 10173 } 10174 10175 int32_t HELPER(sdiv)(CPUARMState *env, int32_t num, int32_t den) 10176 { 10177 if (den == 0) { 10178 handle_possible_div0_trap(env, GETPC()); 10179 return 0; 10180 } 10181 if (num == INT_MIN && den == -1) { 10182 return INT_MIN; 10183 } 10184 return num / den; 10185 } 10186 10187 uint32_t HELPER(udiv)(CPUARMState *env, uint32_t num, uint32_t den) 10188 { 10189 if (den == 0) { 10190 handle_possible_div0_trap(env, GETPC()); 10191 return 0; 10192 } 10193 return num / den; 10194 } 10195 10196 uint32_t HELPER(rbit)(uint32_t x) 10197 { 10198 return revbit32(x); 10199 } 10200 10201 #ifdef CONFIG_USER_ONLY 10202 10203 static void switch_mode(CPUARMState *env, int mode) 10204 { 10205 ARMCPU *cpu = env_archcpu(env); 10206 10207 if (mode != ARM_CPU_MODE_USR) { 10208 cpu_abort(CPU(cpu), "Tried to switch out of user mode\n"); 10209 } 10210 } 10211 10212 uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx, 10213 uint32_t cur_el, bool secure) 10214 { 10215 return 1; 10216 } 10217 10218 void aarch64_sync_64_to_32(CPUARMState *env) 10219 { 10220 g_assert_not_reached(); 10221 } 10222 10223 #else 10224 10225 static void switch_mode(CPUARMState *env, int mode) 10226 { 10227 int old_mode; 10228 int i; 10229 10230 old_mode = env->uncached_cpsr & CPSR_M; 10231 if (mode == old_mode) { 10232 return; 10233 } 10234 10235 if (old_mode == ARM_CPU_MODE_FIQ) { 10236 memcpy(env->fiq_regs, env->regs + 8, 5 * sizeof(uint32_t)); 10237 memcpy(env->regs + 8, env->usr_regs, 5 * sizeof(uint32_t)); 10238 } else if (mode == ARM_CPU_MODE_FIQ) { 10239 memcpy(env->usr_regs, env->regs + 8, 5 * sizeof(uint32_t)); 10240 memcpy(env->regs + 8, env->fiq_regs, 5 * sizeof(uint32_t)); 10241 } 10242 10243 i = bank_number(old_mode); 10244 env->banked_r13[i] = env->regs[13]; 10245 env->banked_spsr[i] = env->spsr; 10246 10247 i = bank_number(mode); 10248 env->regs[13] = env->banked_r13[i]; 10249 env->spsr = env->banked_spsr[i]; 10250 10251 env->banked_r14[r14_bank_number(old_mode)] = env->regs[14]; 10252 env->regs[14] = env->banked_r14[r14_bank_number(mode)]; 10253 } 10254 10255 /* 10256 * Physical Interrupt Target EL Lookup Table 10257 * 10258 * [ From ARM ARM section G1.13.4 (Table G1-15) ] 10259 * 10260 * The below multi-dimensional table is used for looking up the target 10261 * exception level given numerous condition criteria. Specifically, the 10262 * target EL is based on SCR and HCR routing controls as well as the 10263 * currently executing EL and secure state. 10264 * 10265 * Dimensions: 10266 * target_el_table[2][2][2][2][2][4] 10267 * | | | | | +--- Current EL 10268 * | | | | +------ Non-secure(0)/Secure(1) 10269 * | | | +--------- HCR mask override 10270 * | | +------------ SCR exec state control 10271 * | +--------------- SCR mask override 10272 * +------------------ 32-bit(0)/64-bit(1) EL3 10273 * 10274 * The table values are as such: 10275 * 0-3 = EL0-EL3 10276 * -1 = Cannot occur 10277 * 10278 * The ARM ARM target EL table includes entries indicating that an "exception 10279 * is not taken". The two cases where this is applicable are: 10280 * 1) An exception is taken from EL3 but the SCR does not have the exception 10281 * routed to EL3. 10282 * 2) An exception is taken from EL2 but the HCR does not have the exception 10283 * routed to EL2. 10284 * In these two cases, the below table contain a target of EL1. This value is 10285 * returned as it is expected that the consumer of the table data will check 10286 * for "target EL >= current EL" to ensure the exception is not taken. 10287 * 10288 * SCR HCR 10289 * 64 EA AMO From 10290 * BIT IRQ IMO Non-secure Secure 10291 * EL3 FIQ RW FMO EL0 EL1 EL2 EL3 EL0 EL1 EL2 EL3 10292 */ 10293 static const int8_t target_el_table[2][2][2][2][2][4] = { 10294 {{{{/* 0 0 0 0 */{ 1, 1, 2, -1 },{ 3, -1, -1, 3 },}, 10295 {/* 0 0 0 1 */{ 2, 2, 2, -1 },{ 3, -1, -1, 3 },},}, 10296 {{/* 0 0 1 0 */{ 1, 1, 2, -1 },{ 3, -1, -1, 3 },}, 10297 {/* 0 0 1 1 */{ 2, 2, 2, -1 },{ 3, -1, -1, 3 },},},}, 10298 {{{/* 0 1 0 0 */{ 3, 3, 3, -1 },{ 3, -1, -1, 3 },}, 10299 {/* 0 1 0 1 */{ 3, 3, 3, -1 },{ 3, -1, -1, 3 },},}, 10300 {{/* 0 1 1 0 */{ 3, 3, 3, -1 },{ 3, -1, -1, 3 },}, 10301 {/* 0 1 1 1 */{ 3, 3, 3, -1 },{ 3, -1, -1, 3 },},},},}, 10302 {{{{/* 1 0 0 0 */{ 1, 1, 2, -1 },{ 1, 1, -1, 1 },}, 10303 {/* 1 0 0 1 */{ 2, 2, 2, -1 },{ 2, 2, -1, 1 },},}, 10304 {{/* 1 0 1 0 */{ 1, 1, 1, -1 },{ 1, 1, 1, 1 },}, 10305 {/* 1 0 1 1 */{ 2, 2, 2, -1 },{ 2, 2, 2, 1 },},},}, 10306 {{{/* 1 1 0 0 */{ 3, 3, 3, -1 },{ 3, 3, -1, 3 },}, 10307 {/* 1 1 0 1 */{ 3, 3, 3, -1 },{ 3, 3, -1, 3 },},}, 10308 {{/* 1 1 1 0 */{ 3, 3, 3, -1 },{ 3, 3, 3, 3 },}, 10309 {/* 1 1 1 1 */{ 3, 3, 3, -1 },{ 3, 3, 3, 3 },},},},}, 10310 }; 10311 10312 /* 10313 * Determine the target EL for physical exceptions 10314 */ 10315 uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx, 10316 uint32_t cur_el, bool secure) 10317 { 10318 CPUARMState *env = cpu_env(cs); 10319 bool rw; 10320 bool scr; 10321 bool hcr; 10322 int target_el; 10323 /* Is the highest EL AArch64? */ 10324 bool is64 = arm_feature(env, ARM_FEATURE_AARCH64); 10325 uint64_t hcr_el2; 10326 10327 if (arm_feature(env, ARM_FEATURE_EL3)) { 10328 rw = ((env->cp15.scr_el3 & SCR_RW) == SCR_RW); 10329 } else { 10330 /* 10331 * Either EL2 is the highest EL (and so the EL2 register width 10332 * is given by is64); or there is no EL2 or EL3, in which case 10333 * the value of 'rw' does not affect the table lookup anyway. 10334 */ 10335 rw = is64; 10336 } 10337 10338 hcr_el2 = arm_hcr_el2_eff(env); 10339 switch (excp_idx) { 10340 case EXCP_IRQ: 10341 scr = ((env->cp15.scr_el3 & SCR_IRQ) == SCR_IRQ); 10342 hcr = hcr_el2 & HCR_IMO; 10343 break; 10344 case EXCP_FIQ: 10345 scr = ((env->cp15.scr_el3 & SCR_FIQ) == SCR_FIQ); 10346 hcr = hcr_el2 & HCR_FMO; 10347 break; 10348 default: 10349 scr = ((env->cp15.scr_el3 & SCR_EA) == SCR_EA); 10350 hcr = hcr_el2 & HCR_AMO; 10351 break; 10352 }; 10353 10354 /* 10355 * For these purposes, TGE and AMO/IMO/FMO both force the 10356 * interrupt to EL2. Fold TGE into the bit extracted above. 10357 */ 10358 hcr |= (hcr_el2 & HCR_TGE) != 0; 10359 10360 /* Perform a table-lookup for the target EL given the current state */ 10361 target_el = target_el_table[is64][scr][rw][hcr][secure][cur_el]; 10362 10363 assert(target_el > 0); 10364 10365 return target_el; 10366 } 10367 10368 void arm_log_exception(CPUState *cs) 10369 { 10370 int idx = cs->exception_index; 10371 10372 if (qemu_loglevel_mask(CPU_LOG_INT)) { 10373 const char *exc = NULL; 10374 static const char * const excnames[] = { 10375 [EXCP_UDEF] = "Undefined Instruction", 10376 [EXCP_SWI] = "SVC", 10377 [EXCP_PREFETCH_ABORT] = "Prefetch Abort", 10378 [EXCP_DATA_ABORT] = "Data Abort", 10379 [EXCP_IRQ] = "IRQ", 10380 [EXCP_FIQ] = "FIQ", 10381 [EXCP_BKPT] = "Breakpoint", 10382 [EXCP_EXCEPTION_EXIT] = "QEMU v7M exception exit", 10383 [EXCP_KERNEL_TRAP] = "QEMU intercept of kernel commpage", 10384 [EXCP_HVC] = "Hypervisor Call", 10385 [EXCP_HYP_TRAP] = "Hypervisor Trap", 10386 [EXCP_SMC] = "Secure Monitor Call", 10387 [EXCP_VIRQ] = "Virtual IRQ", 10388 [EXCP_VFIQ] = "Virtual FIQ", 10389 [EXCP_SEMIHOST] = "Semihosting call", 10390 [EXCP_NOCP] = "v7M NOCP UsageFault", 10391 [EXCP_INVSTATE] = "v7M INVSTATE UsageFault", 10392 [EXCP_STKOF] = "v8M STKOF UsageFault", 10393 [EXCP_LAZYFP] = "v7M exception during lazy FP stacking", 10394 [EXCP_LSERR] = "v8M LSERR UsageFault", 10395 [EXCP_UNALIGNED] = "v7M UNALIGNED UsageFault", 10396 [EXCP_DIVBYZERO] = "v7M DIVBYZERO UsageFault", 10397 [EXCP_VSERR] = "Virtual SERR", 10398 [EXCP_GPC] = "Granule Protection Check", 10399 }; 10400 10401 if (idx >= 0 && idx < ARRAY_SIZE(excnames)) { 10402 exc = excnames[idx]; 10403 } 10404 if (!exc) { 10405 exc = "unknown"; 10406 } 10407 qemu_log_mask(CPU_LOG_INT, "Taking exception %d [%s] on CPU %d\n", 10408 idx, exc, cs->cpu_index); 10409 } 10410 } 10411 10412 /* 10413 * Function used to synchronize QEMU's AArch64 register set with AArch32 10414 * register set. This is necessary when switching between AArch32 and AArch64 10415 * execution state. 10416 */ 10417 void aarch64_sync_32_to_64(CPUARMState *env) 10418 { 10419 int i; 10420 uint32_t mode = env->uncached_cpsr & CPSR_M; 10421 10422 /* We can blanket copy R[0:7] to X[0:7] */ 10423 for (i = 0; i < 8; i++) { 10424 env->xregs[i] = env->regs[i]; 10425 } 10426 10427 /* 10428 * Unless we are in FIQ mode, x8-x12 come from the user registers r8-r12. 10429 * Otherwise, they come from the banked user regs. 10430 */ 10431 if (mode == ARM_CPU_MODE_FIQ) { 10432 for (i = 8; i < 13; i++) { 10433 env->xregs[i] = env->usr_regs[i - 8]; 10434 } 10435 } else { 10436 for (i = 8; i < 13; i++) { 10437 env->xregs[i] = env->regs[i]; 10438 } 10439 } 10440 10441 /* 10442 * Registers x13-x23 are the various mode SP and FP registers. Registers 10443 * r13 and r14 are only copied if we are in that mode, otherwise we copy 10444 * from the mode banked register. 10445 */ 10446 if (mode == ARM_CPU_MODE_USR || mode == ARM_CPU_MODE_SYS) { 10447 env->xregs[13] = env->regs[13]; 10448 env->xregs[14] = env->regs[14]; 10449 } else { 10450 env->xregs[13] = env->banked_r13[bank_number(ARM_CPU_MODE_USR)]; 10451 /* HYP is an exception in that it is copied from r14 */ 10452 if (mode == ARM_CPU_MODE_HYP) { 10453 env->xregs[14] = env->regs[14]; 10454 } else { 10455 env->xregs[14] = env->banked_r14[r14_bank_number(ARM_CPU_MODE_USR)]; 10456 } 10457 } 10458 10459 if (mode == ARM_CPU_MODE_HYP) { 10460 env->xregs[15] = env->regs[13]; 10461 } else { 10462 env->xregs[15] = env->banked_r13[bank_number(ARM_CPU_MODE_HYP)]; 10463 } 10464 10465 if (mode == ARM_CPU_MODE_IRQ) { 10466 env->xregs[16] = env->regs[14]; 10467 env->xregs[17] = env->regs[13]; 10468 } else { 10469 env->xregs[16] = env->banked_r14[r14_bank_number(ARM_CPU_MODE_IRQ)]; 10470 env->xregs[17] = env->banked_r13[bank_number(ARM_CPU_MODE_IRQ)]; 10471 } 10472 10473 if (mode == ARM_CPU_MODE_SVC) { 10474 env->xregs[18] = env->regs[14]; 10475 env->xregs[19] = env->regs[13]; 10476 } else { 10477 env->xregs[18] = env->banked_r14[r14_bank_number(ARM_CPU_MODE_SVC)]; 10478 env->xregs[19] = env->banked_r13[bank_number(ARM_CPU_MODE_SVC)]; 10479 } 10480 10481 if (mode == ARM_CPU_MODE_ABT) { 10482 env->xregs[20] = env->regs[14]; 10483 env->xregs[21] = env->regs[13]; 10484 } else { 10485 env->xregs[20] = env->banked_r14[r14_bank_number(ARM_CPU_MODE_ABT)]; 10486 env->xregs[21] = env->banked_r13[bank_number(ARM_CPU_MODE_ABT)]; 10487 } 10488 10489 if (mode == ARM_CPU_MODE_UND) { 10490 env->xregs[22] = env->regs[14]; 10491 env->xregs[23] = env->regs[13]; 10492 } else { 10493 env->xregs[22] = env->banked_r14[r14_bank_number(ARM_CPU_MODE_UND)]; 10494 env->xregs[23] = env->banked_r13[bank_number(ARM_CPU_MODE_UND)]; 10495 } 10496 10497 /* 10498 * Registers x24-x30 are mapped to r8-r14 in FIQ mode. If we are in FIQ 10499 * mode, then we can copy from r8-r14. Otherwise, we copy from the 10500 * FIQ bank for r8-r14. 10501 */ 10502 if (mode == ARM_CPU_MODE_FIQ) { 10503 for (i = 24; i < 31; i++) { 10504 env->xregs[i] = env->regs[i - 16]; /* X[24:30] <- R[8:14] */ 10505 } 10506 } else { 10507 for (i = 24; i < 29; i++) { 10508 env->xregs[i] = env->fiq_regs[i - 24]; 10509 } 10510 env->xregs[29] = env->banked_r13[bank_number(ARM_CPU_MODE_FIQ)]; 10511 env->xregs[30] = env->banked_r14[r14_bank_number(ARM_CPU_MODE_FIQ)]; 10512 } 10513 10514 env->pc = env->regs[15]; 10515 } 10516 10517 /* 10518 * Function used to synchronize QEMU's AArch32 register set with AArch64 10519 * register set. This is necessary when switching between AArch32 and AArch64 10520 * execution state. 10521 */ 10522 void aarch64_sync_64_to_32(CPUARMState *env) 10523 { 10524 int i; 10525 uint32_t mode = env->uncached_cpsr & CPSR_M; 10526 10527 /* We can blanket copy X[0:7] to R[0:7] */ 10528 for (i = 0; i < 8; i++) { 10529 env->regs[i] = env->xregs[i]; 10530 } 10531 10532 /* 10533 * Unless we are in FIQ mode, r8-r12 come from the user registers x8-x12. 10534 * Otherwise, we copy x8-x12 into the banked user regs. 10535 */ 10536 if (mode == ARM_CPU_MODE_FIQ) { 10537 for (i = 8; i < 13; i++) { 10538 env->usr_regs[i - 8] = env->xregs[i]; 10539 } 10540 } else { 10541 for (i = 8; i < 13; i++) { 10542 env->regs[i] = env->xregs[i]; 10543 } 10544 } 10545 10546 /* 10547 * Registers r13 & r14 depend on the current mode. 10548 * If we are in a given mode, we copy the corresponding x registers to r13 10549 * and r14. Otherwise, we copy the x register to the banked r13 and r14 10550 * for the mode. 10551 */ 10552 if (mode == ARM_CPU_MODE_USR || mode == ARM_CPU_MODE_SYS) { 10553 env->regs[13] = env->xregs[13]; 10554 env->regs[14] = env->xregs[14]; 10555 } else { 10556 env->banked_r13[bank_number(ARM_CPU_MODE_USR)] = env->xregs[13]; 10557 10558 /* 10559 * HYP is an exception in that it does not have its own banked r14 but 10560 * shares the USR r14 10561 */ 10562 if (mode == ARM_CPU_MODE_HYP) { 10563 env->regs[14] = env->xregs[14]; 10564 } else { 10565 env->banked_r14[r14_bank_number(ARM_CPU_MODE_USR)] = env->xregs[14]; 10566 } 10567 } 10568 10569 if (mode == ARM_CPU_MODE_HYP) { 10570 env->regs[13] = env->xregs[15]; 10571 } else { 10572 env->banked_r13[bank_number(ARM_CPU_MODE_HYP)] = env->xregs[15]; 10573 } 10574 10575 if (mode == ARM_CPU_MODE_IRQ) { 10576 env->regs[14] = env->xregs[16]; 10577 env->regs[13] = env->xregs[17]; 10578 } else { 10579 env->banked_r14[r14_bank_number(ARM_CPU_MODE_IRQ)] = env->xregs[16]; 10580 env->banked_r13[bank_number(ARM_CPU_MODE_IRQ)] = env->xregs[17]; 10581 } 10582 10583 if (mode == ARM_CPU_MODE_SVC) { 10584 env->regs[14] = env->xregs[18]; 10585 env->regs[13] = env->xregs[19]; 10586 } else { 10587 env->banked_r14[r14_bank_number(ARM_CPU_MODE_SVC)] = env->xregs[18]; 10588 env->banked_r13[bank_number(ARM_CPU_MODE_SVC)] = env->xregs[19]; 10589 } 10590 10591 if (mode == ARM_CPU_MODE_ABT) { 10592 env->regs[14] = env->xregs[20]; 10593 env->regs[13] = env->xregs[21]; 10594 } else { 10595 env->banked_r14[r14_bank_number(ARM_CPU_MODE_ABT)] = env->xregs[20]; 10596 env->banked_r13[bank_number(ARM_CPU_MODE_ABT)] = env->xregs[21]; 10597 } 10598 10599 if (mode == ARM_CPU_MODE_UND) { 10600 env->regs[14] = env->xregs[22]; 10601 env->regs[13] = env->xregs[23]; 10602 } else { 10603 env->banked_r14[r14_bank_number(ARM_CPU_MODE_UND)] = env->xregs[22]; 10604 env->banked_r13[bank_number(ARM_CPU_MODE_UND)] = env->xregs[23]; 10605 } 10606 10607 /* 10608 * Registers x24-x30 are mapped to r8-r14 in FIQ mode. If we are in FIQ 10609 * mode, then we can copy to r8-r14. Otherwise, we copy to the 10610 * FIQ bank for r8-r14. 10611 */ 10612 if (mode == ARM_CPU_MODE_FIQ) { 10613 for (i = 24; i < 31; i++) { 10614 env->regs[i - 16] = env->xregs[i]; /* X[24:30] -> R[8:14] */ 10615 } 10616 } else { 10617 for (i = 24; i < 29; i++) { 10618 env->fiq_regs[i - 24] = env->xregs[i]; 10619 } 10620 env->banked_r13[bank_number(ARM_CPU_MODE_FIQ)] = env->xregs[29]; 10621 env->banked_r14[r14_bank_number(ARM_CPU_MODE_FIQ)] = env->xregs[30]; 10622 } 10623 10624 env->regs[15] = env->pc; 10625 } 10626 10627 static void take_aarch32_exception(CPUARMState *env, int new_mode, 10628 uint32_t mask, uint32_t offset, 10629 uint32_t newpc) 10630 { 10631 int new_el; 10632 10633 /* Change the CPU state so as to actually take the exception. */ 10634 switch_mode(env, new_mode); 10635 10636 /* 10637 * For exceptions taken to AArch32 we must clear the SS bit in both 10638 * PSTATE and in the old-state value we save to SPSR_<mode>, so zero it now. 10639 */ 10640 env->pstate &= ~PSTATE_SS; 10641 env->spsr = cpsr_read(env); 10642 /* Clear IT bits. */ 10643 env->condexec_bits = 0; 10644 /* Switch to the new mode, and to the correct instruction set. */ 10645 env->uncached_cpsr = (env->uncached_cpsr & ~CPSR_M) | new_mode; 10646 10647 /* This must be after mode switching. */ 10648 new_el = arm_current_el(env); 10649 10650 /* Set new mode endianness */ 10651 env->uncached_cpsr &= ~CPSR_E; 10652 if (env->cp15.sctlr_el[new_el] & SCTLR_EE) { 10653 env->uncached_cpsr |= CPSR_E; 10654 } 10655 /* J and IL must always be cleared for exception entry */ 10656 env->uncached_cpsr &= ~(CPSR_IL | CPSR_J); 10657 env->daif |= mask; 10658 10659 if (cpu_isar_feature(aa32_ssbs, env_archcpu(env))) { 10660 if (env->cp15.sctlr_el[new_el] & SCTLR_DSSBS_32) { 10661 env->uncached_cpsr |= CPSR_SSBS; 10662 } else { 10663 env->uncached_cpsr &= ~CPSR_SSBS; 10664 } 10665 } 10666 10667 if (new_mode == ARM_CPU_MODE_HYP) { 10668 env->thumb = (env->cp15.sctlr_el[2] & SCTLR_TE) != 0; 10669 env->elr_el[2] = env->regs[15]; 10670 } else { 10671 /* CPSR.PAN is normally preserved preserved unless... */ 10672 if (cpu_isar_feature(aa32_pan, env_archcpu(env))) { 10673 switch (new_el) { 10674 case 3: 10675 if (!arm_is_secure_below_el3(env)) { 10676 /* ... the target is EL3, from non-secure state. */ 10677 env->uncached_cpsr &= ~CPSR_PAN; 10678 break; 10679 } 10680 /* ... the target is EL3, from secure state ... */ 10681 /* fall through */ 10682 case 1: 10683 /* ... the target is EL1 and SCTLR.SPAN is 0. */ 10684 if (!(env->cp15.sctlr_el[new_el] & SCTLR_SPAN)) { 10685 env->uncached_cpsr |= CPSR_PAN; 10686 } 10687 break; 10688 } 10689 } 10690 /* 10691 * this is a lie, as there was no c1_sys on V4T/V5, but who cares 10692 * and we should just guard the thumb mode on V4 10693 */ 10694 if (arm_feature(env, ARM_FEATURE_V4T)) { 10695 env->thumb = 10696 (A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_TE) != 0; 10697 } 10698 env->regs[14] = env->regs[15] + offset; 10699 } 10700 env->regs[15] = newpc; 10701 10702 if (tcg_enabled()) { 10703 arm_rebuild_hflags(env); 10704 } 10705 } 10706 10707 static void arm_cpu_do_interrupt_aarch32_hyp(CPUState *cs) 10708 { 10709 /* 10710 * Handle exception entry to Hyp mode; this is sufficiently 10711 * different to entry to other AArch32 modes that we handle it 10712 * separately here. 10713 * 10714 * The vector table entry used is always the 0x14 Hyp mode entry point, 10715 * unless this is an UNDEF/SVC/HVC/abort taken from Hyp to Hyp. 10716 * The offset applied to the preferred return address is always zero 10717 * (see DDI0487C.a section G1.12.3). 10718 * PSTATE A/I/F masks are set based only on the SCR.EA/IRQ/FIQ values. 10719 */ 10720 uint32_t addr, mask; 10721 ARMCPU *cpu = ARM_CPU(cs); 10722 CPUARMState *env = &cpu->env; 10723 10724 switch (cs->exception_index) { 10725 case EXCP_UDEF: 10726 addr = 0x04; 10727 break; 10728 case EXCP_SWI: 10729 addr = 0x08; 10730 break; 10731 case EXCP_BKPT: 10732 /* Fall through to prefetch abort. */ 10733 case EXCP_PREFETCH_ABORT: 10734 env->cp15.ifar_s = env->exception.vaddress; 10735 qemu_log_mask(CPU_LOG_INT, "...with HIFAR 0x%x\n", 10736 (uint32_t)env->exception.vaddress); 10737 addr = 0x0c; 10738 break; 10739 case EXCP_DATA_ABORT: 10740 env->cp15.dfar_s = env->exception.vaddress; 10741 qemu_log_mask(CPU_LOG_INT, "...with HDFAR 0x%x\n", 10742 (uint32_t)env->exception.vaddress); 10743 addr = 0x10; 10744 break; 10745 case EXCP_IRQ: 10746 addr = 0x18; 10747 break; 10748 case EXCP_FIQ: 10749 addr = 0x1c; 10750 break; 10751 case EXCP_HVC: 10752 addr = 0x08; 10753 break; 10754 case EXCP_HYP_TRAP: 10755 addr = 0x14; 10756 break; 10757 default: 10758 cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index); 10759 } 10760 10761 if (cs->exception_index != EXCP_IRQ && cs->exception_index != EXCP_FIQ) { 10762 if (!arm_feature(env, ARM_FEATURE_V8)) { 10763 /* 10764 * QEMU syndrome values are v8-style. v7 has the IL bit 10765 * UNK/SBZP for "field not valid" cases, where v8 uses RES1. 10766 * If this is a v7 CPU, squash the IL bit in those cases. 10767 */ 10768 if (cs->exception_index == EXCP_PREFETCH_ABORT || 10769 (cs->exception_index == EXCP_DATA_ABORT && 10770 !(env->exception.syndrome & ARM_EL_ISV)) || 10771 syn_get_ec(env->exception.syndrome) == EC_UNCATEGORIZED) { 10772 env->exception.syndrome &= ~ARM_EL_IL; 10773 } 10774 } 10775 env->cp15.esr_el[2] = env->exception.syndrome; 10776 } 10777 10778 if (arm_current_el(env) != 2 && addr < 0x14) { 10779 addr = 0x14; 10780 } 10781 10782 mask = 0; 10783 if (!(env->cp15.scr_el3 & SCR_EA)) { 10784 mask |= CPSR_A; 10785 } 10786 if (!(env->cp15.scr_el3 & SCR_IRQ)) { 10787 mask |= CPSR_I; 10788 } 10789 if (!(env->cp15.scr_el3 & SCR_FIQ)) { 10790 mask |= CPSR_F; 10791 } 10792 10793 addr += env->cp15.hvbar; 10794 10795 take_aarch32_exception(env, ARM_CPU_MODE_HYP, mask, 0, addr); 10796 } 10797 10798 static void arm_cpu_do_interrupt_aarch32(CPUState *cs) 10799 { 10800 ARMCPU *cpu = ARM_CPU(cs); 10801 CPUARMState *env = &cpu->env; 10802 uint32_t addr; 10803 uint32_t mask; 10804 int new_mode; 10805 uint32_t offset; 10806 uint32_t moe; 10807 10808 /* If this is a debug exception we must update the DBGDSCR.MOE bits */ 10809 switch (syn_get_ec(env->exception.syndrome)) { 10810 case EC_BREAKPOINT: 10811 case EC_BREAKPOINT_SAME_EL: 10812 moe = 1; 10813 break; 10814 case EC_WATCHPOINT: 10815 case EC_WATCHPOINT_SAME_EL: 10816 moe = 10; 10817 break; 10818 case EC_AA32_BKPT: 10819 moe = 3; 10820 break; 10821 case EC_VECTORCATCH: 10822 moe = 5; 10823 break; 10824 default: 10825 moe = 0; 10826 break; 10827 } 10828 10829 if (moe) { 10830 env->cp15.mdscr_el1 = deposit64(env->cp15.mdscr_el1, 2, 4, moe); 10831 } 10832 10833 if (env->exception.target_el == 2) { 10834 /* Debug exceptions are reported differently on AArch32 */ 10835 switch (syn_get_ec(env->exception.syndrome)) { 10836 case EC_BREAKPOINT: 10837 case EC_BREAKPOINT_SAME_EL: 10838 case EC_AA32_BKPT: 10839 case EC_VECTORCATCH: 10840 env->exception.syndrome = syn_insn_abort(arm_current_el(env) == 2, 10841 0, 0, 0x22); 10842 break; 10843 case EC_WATCHPOINT: 10844 env->exception.syndrome = syn_set_ec(env->exception.syndrome, 10845 EC_DATAABORT); 10846 break; 10847 case EC_WATCHPOINT_SAME_EL: 10848 env->exception.syndrome = syn_set_ec(env->exception.syndrome, 10849 EC_DATAABORT_SAME_EL); 10850 break; 10851 } 10852 arm_cpu_do_interrupt_aarch32_hyp(cs); 10853 return; 10854 } 10855 10856 switch (cs->exception_index) { 10857 case EXCP_UDEF: 10858 new_mode = ARM_CPU_MODE_UND; 10859 addr = 0x04; 10860 mask = CPSR_I; 10861 if (env->thumb) { 10862 offset = 2; 10863 } else { 10864 offset = 4; 10865 } 10866 break; 10867 case EXCP_SWI: 10868 new_mode = ARM_CPU_MODE_SVC; 10869 addr = 0x08; 10870 mask = CPSR_I; 10871 /* The PC already points to the next instruction. */ 10872 offset = 0; 10873 break; 10874 case EXCP_BKPT: 10875 /* Fall through to prefetch abort. */ 10876 case EXCP_PREFETCH_ABORT: 10877 A32_BANKED_CURRENT_REG_SET(env, ifsr, env->exception.fsr); 10878 A32_BANKED_CURRENT_REG_SET(env, ifar, env->exception.vaddress); 10879 qemu_log_mask(CPU_LOG_INT, "...with IFSR 0x%x IFAR 0x%x\n", 10880 env->exception.fsr, (uint32_t)env->exception.vaddress); 10881 new_mode = ARM_CPU_MODE_ABT; 10882 addr = 0x0c; 10883 mask = CPSR_A | CPSR_I; 10884 offset = 4; 10885 break; 10886 case EXCP_DATA_ABORT: 10887 A32_BANKED_CURRENT_REG_SET(env, dfsr, env->exception.fsr); 10888 A32_BANKED_CURRENT_REG_SET(env, dfar, env->exception.vaddress); 10889 qemu_log_mask(CPU_LOG_INT, "...with DFSR 0x%x DFAR 0x%x\n", 10890 env->exception.fsr, 10891 (uint32_t)env->exception.vaddress); 10892 new_mode = ARM_CPU_MODE_ABT; 10893 addr = 0x10; 10894 mask = CPSR_A | CPSR_I; 10895 offset = 8; 10896 break; 10897 case EXCP_IRQ: 10898 new_mode = ARM_CPU_MODE_IRQ; 10899 addr = 0x18; 10900 /* Disable IRQ and imprecise data aborts. */ 10901 mask = CPSR_A | CPSR_I; 10902 offset = 4; 10903 if (env->cp15.scr_el3 & SCR_IRQ) { 10904 /* IRQ routed to monitor mode */ 10905 new_mode = ARM_CPU_MODE_MON; 10906 mask |= CPSR_F; 10907 } 10908 break; 10909 case EXCP_FIQ: 10910 new_mode = ARM_CPU_MODE_FIQ; 10911 addr = 0x1c; 10912 /* Disable FIQ, IRQ and imprecise data aborts. */ 10913 mask = CPSR_A | CPSR_I | CPSR_F; 10914 if (env->cp15.scr_el3 & SCR_FIQ) { 10915 /* FIQ routed to monitor mode */ 10916 new_mode = ARM_CPU_MODE_MON; 10917 } 10918 offset = 4; 10919 break; 10920 case EXCP_VIRQ: 10921 new_mode = ARM_CPU_MODE_IRQ; 10922 addr = 0x18; 10923 /* Disable IRQ and imprecise data aborts. */ 10924 mask = CPSR_A | CPSR_I; 10925 offset = 4; 10926 break; 10927 case EXCP_VFIQ: 10928 new_mode = ARM_CPU_MODE_FIQ; 10929 addr = 0x1c; 10930 /* Disable FIQ, IRQ and imprecise data aborts. */ 10931 mask = CPSR_A | CPSR_I | CPSR_F; 10932 offset = 4; 10933 break; 10934 case EXCP_VSERR: 10935 { 10936 /* 10937 * Note that this is reported as a data abort, but the DFAR 10938 * has an UNKNOWN value. Construct the SError syndrome from 10939 * AET and ExT fields. 10940 */ 10941 ARMMMUFaultInfo fi = { .type = ARMFault_AsyncExternal, }; 10942 10943 if (extended_addresses_enabled(env)) { 10944 env->exception.fsr = arm_fi_to_lfsc(&fi); 10945 } else { 10946 env->exception.fsr = arm_fi_to_sfsc(&fi); 10947 } 10948 env->exception.fsr |= env->cp15.vsesr_el2 & 0xd000; 10949 A32_BANKED_CURRENT_REG_SET(env, dfsr, env->exception.fsr); 10950 qemu_log_mask(CPU_LOG_INT, "...with IFSR 0x%x\n", 10951 env->exception.fsr); 10952 10953 new_mode = ARM_CPU_MODE_ABT; 10954 addr = 0x10; 10955 mask = CPSR_A | CPSR_I; 10956 offset = 8; 10957 } 10958 break; 10959 case EXCP_SMC: 10960 new_mode = ARM_CPU_MODE_MON; 10961 addr = 0x08; 10962 mask = CPSR_A | CPSR_I | CPSR_F; 10963 offset = 0; 10964 break; 10965 default: 10966 cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index); 10967 return; /* Never happens. Keep compiler happy. */ 10968 } 10969 10970 if (new_mode == ARM_CPU_MODE_MON) { 10971 addr += env->cp15.mvbar; 10972 } else if (A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_V) { 10973 /* High vectors. When enabled, base address cannot be remapped. */ 10974 addr += 0xffff0000; 10975 } else { 10976 /* 10977 * ARM v7 architectures provide a vector base address register to remap 10978 * the interrupt vector table. 10979 * This register is only followed in non-monitor mode, and is banked. 10980 * Note: only bits 31:5 are valid. 10981 */ 10982 addr += A32_BANKED_CURRENT_REG_GET(env, vbar); 10983 } 10984 10985 if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_MON) { 10986 env->cp15.scr_el3 &= ~SCR_NS; 10987 } 10988 10989 take_aarch32_exception(env, new_mode, mask, offset, addr); 10990 } 10991 10992 static int aarch64_regnum(CPUARMState *env, int aarch32_reg) 10993 { 10994 /* 10995 * Return the register number of the AArch64 view of the AArch32 10996 * register @aarch32_reg. The CPUARMState CPSR is assumed to still 10997 * be that of the AArch32 mode the exception came from. 10998 */ 10999 int mode = env->uncached_cpsr & CPSR_M; 11000 11001 switch (aarch32_reg) { 11002 case 0 ... 7: 11003 return aarch32_reg; 11004 case 8 ... 12: 11005 return mode == ARM_CPU_MODE_FIQ ? aarch32_reg + 16 : aarch32_reg; 11006 case 13: 11007 switch (mode) { 11008 case ARM_CPU_MODE_USR: 11009 case ARM_CPU_MODE_SYS: 11010 return 13; 11011 case ARM_CPU_MODE_HYP: 11012 return 15; 11013 case ARM_CPU_MODE_IRQ: 11014 return 17; 11015 case ARM_CPU_MODE_SVC: 11016 return 19; 11017 case ARM_CPU_MODE_ABT: 11018 return 21; 11019 case ARM_CPU_MODE_UND: 11020 return 23; 11021 case ARM_CPU_MODE_FIQ: 11022 return 29; 11023 default: 11024 g_assert_not_reached(); 11025 } 11026 case 14: 11027 switch (mode) { 11028 case ARM_CPU_MODE_USR: 11029 case ARM_CPU_MODE_SYS: 11030 case ARM_CPU_MODE_HYP: 11031 return 14; 11032 case ARM_CPU_MODE_IRQ: 11033 return 16; 11034 case ARM_CPU_MODE_SVC: 11035 return 18; 11036 case ARM_CPU_MODE_ABT: 11037 return 20; 11038 case ARM_CPU_MODE_UND: 11039 return 22; 11040 case ARM_CPU_MODE_FIQ: 11041 return 30; 11042 default: 11043 g_assert_not_reached(); 11044 } 11045 case 15: 11046 return 31; 11047 default: 11048 g_assert_not_reached(); 11049 } 11050 } 11051 11052 static uint32_t cpsr_read_for_spsr_elx(CPUARMState *env) 11053 { 11054 uint32_t ret = cpsr_read(env); 11055 11056 /* Move DIT to the correct location for SPSR_ELx */ 11057 if (ret & CPSR_DIT) { 11058 ret &= ~CPSR_DIT; 11059 ret |= PSTATE_DIT; 11060 } 11061 /* Merge PSTATE.SS into SPSR_ELx */ 11062 ret |= env->pstate & PSTATE_SS; 11063 11064 return ret; 11065 } 11066 11067 static bool syndrome_is_sync_extabt(uint32_t syndrome) 11068 { 11069 /* Return true if this syndrome value is a synchronous external abort */ 11070 switch (syn_get_ec(syndrome)) { 11071 case EC_INSNABORT: 11072 case EC_INSNABORT_SAME_EL: 11073 case EC_DATAABORT: 11074 case EC_DATAABORT_SAME_EL: 11075 /* Look at fault status code for all the synchronous ext abort cases */ 11076 switch (syndrome & 0x3f) { 11077 case 0x10: 11078 case 0x13: 11079 case 0x14: 11080 case 0x15: 11081 case 0x16: 11082 case 0x17: 11083 return true; 11084 default: 11085 return false; 11086 } 11087 default: 11088 return false; 11089 } 11090 } 11091 11092 /* Handle exception entry to a target EL which is using AArch64 */ 11093 static void arm_cpu_do_interrupt_aarch64(CPUState *cs) 11094 { 11095 ARMCPU *cpu = ARM_CPU(cs); 11096 CPUARMState *env = &cpu->env; 11097 unsigned int new_el = env->exception.target_el; 11098 target_ulong addr = env->cp15.vbar_el[new_el]; 11099 unsigned int new_mode = aarch64_pstate_mode(new_el, true); 11100 unsigned int old_mode; 11101 unsigned int cur_el = arm_current_el(env); 11102 int rt; 11103 11104 if (tcg_enabled()) { 11105 /* 11106 * Note that new_el can never be 0. If cur_el is 0, then 11107 * el0_a64 is is_a64(), else el0_a64 is ignored. 11108 */ 11109 aarch64_sve_change_el(env, cur_el, new_el, is_a64(env)); 11110 } 11111 11112 if (cur_el < new_el) { 11113 /* 11114 * Entry vector offset depends on whether the implemented EL 11115 * immediately lower than the target level is using AArch32 or AArch64 11116 */ 11117 bool is_aa64; 11118 uint64_t hcr; 11119 11120 switch (new_el) { 11121 case 3: 11122 is_aa64 = (env->cp15.scr_el3 & SCR_RW) != 0; 11123 break; 11124 case 2: 11125 hcr = arm_hcr_el2_eff(env); 11126 if ((hcr & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) { 11127 is_aa64 = (hcr & HCR_RW) != 0; 11128 break; 11129 } 11130 /* fall through */ 11131 case 1: 11132 is_aa64 = is_a64(env); 11133 break; 11134 default: 11135 g_assert_not_reached(); 11136 } 11137 11138 if (is_aa64) { 11139 addr += 0x400; 11140 } else { 11141 addr += 0x600; 11142 } 11143 } else if (pstate_read(env) & PSTATE_SP) { 11144 addr += 0x200; 11145 } 11146 11147 switch (cs->exception_index) { 11148 case EXCP_GPC: 11149 qemu_log_mask(CPU_LOG_INT, "...with MFAR 0x%" PRIx64 "\n", 11150 env->cp15.mfar_el3); 11151 /* fall through */ 11152 case EXCP_PREFETCH_ABORT: 11153 case EXCP_DATA_ABORT: 11154 /* 11155 * FEAT_DoubleFault allows synchronous external aborts taken to EL3 11156 * to be taken to the SError vector entrypoint. 11157 */ 11158 if (new_el == 3 && (env->cp15.scr_el3 & SCR_EASE) && 11159 syndrome_is_sync_extabt(env->exception.syndrome)) { 11160 addr += 0x180; 11161 } 11162 env->cp15.far_el[new_el] = env->exception.vaddress; 11163 qemu_log_mask(CPU_LOG_INT, "...with FAR 0x%" PRIx64 "\n", 11164 env->cp15.far_el[new_el]); 11165 /* fall through */ 11166 case EXCP_BKPT: 11167 case EXCP_UDEF: 11168 case EXCP_SWI: 11169 case EXCP_HVC: 11170 case EXCP_HYP_TRAP: 11171 case EXCP_SMC: 11172 switch (syn_get_ec(env->exception.syndrome)) { 11173 case EC_ADVSIMDFPACCESSTRAP: 11174 /* 11175 * QEMU internal FP/SIMD syndromes from AArch32 include the 11176 * TA and coproc fields which are only exposed if the exception 11177 * is taken to AArch32 Hyp mode. Mask them out to get a valid 11178 * AArch64 format syndrome. 11179 */ 11180 env->exception.syndrome &= ~MAKE_64BIT_MASK(0, 20); 11181 break; 11182 case EC_CP14RTTRAP: 11183 case EC_CP15RTTRAP: 11184 case EC_CP14DTTRAP: 11185 /* 11186 * For a trap on AArch32 MRC/MCR/LDC/STC the Rt field is currently 11187 * the raw register field from the insn; when taking this to 11188 * AArch64 we must convert it to the AArch64 view of the register 11189 * number. Notice that we read a 4-bit AArch32 register number and 11190 * write back a 5-bit AArch64 one. 11191 */ 11192 rt = extract32(env->exception.syndrome, 5, 4); 11193 rt = aarch64_regnum(env, rt); 11194 env->exception.syndrome = deposit32(env->exception.syndrome, 11195 5, 5, rt); 11196 break; 11197 case EC_CP15RRTTRAP: 11198 case EC_CP14RRTTRAP: 11199 /* Similarly for MRRC/MCRR traps for Rt and Rt2 fields */ 11200 rt = extract32(env->exception.syndrome, 5, 4); 11201 rt = aarch64_regnum(env, rt); 11202 env->exception.syndrome = deposit32(env->exception.syndrome, 11203 5, 5, rt); 11204 rt = extract32(env->exception.syndrome, 10, 4); 11205 rt = aarch64_regnum(env, rt); 11206 env->exception.syndrome = deposit32(env->exception.syndrome, 11207 10, 5, rt); 11208 break; 11209 } 11210 env->cp15.esr_el[new_el] = env->exception.syndrome; 11211 break; 11212 case EXCP_IRQ: 11213 case EXCP_VIRQ: 11214 addr += 0x80; 11215 break; 11216 case EXCP_FIQ: 11217 case EXCP_VFIQ: 11218 addr += 0x100; 11219 break; 11220 case EXCP_VSERR: 11221 addr += 0x180; 11222 /* Construct the SError syndrome from IDS and ISS fields. */ 11223 env->exception.syndrome = syn_serror(env->cp15.vsesr_el2 & 0x1ffffff); 11224 env->cp15.esr_el[new_el] = env->exception.syndrome; 11225 break; 11226 default: 11227 cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index); 11228 } 11229 11230 if (is_a64(env)) { 11231 old_mode = pstate_read(env); 11232 aarch64_save_sp(env, arm_current_el(env)); 11233 env->elr_el[new_el] = env->pc; 11234 } else { 11235 old_mode = cpsr_read_for_spsr_elx(env); 11236 env->elr_el[new_el] = env->regs[15]; 11237 11238 aarch64_sync_32_to_64(env); 11239 11240 env->condexec_bits = 0; 11241 } 11242 env->banked_spsr[aarch64_banked_spsr_index(new_el)] = old_mode; 11243 11244 qemu_log_mask(CPU_LOG_INT, "...with ELR 0x%" PRIx64 "\n", 11245 env->elr_el[new_el]); 11246 11247 if (cpu_isar_feature(aa64_pan, cpu)) { 11248 /* The value of PSTATE.PAN is normally preserved, except when ... */ 11249 new_mode |= old_mode & PSTATE_PAN; 11250 switch (new_el) { 11251 case 2: 11252 /* ... the target is EL2 with HCR_EL2.{E2H,TGE} == '11' ... */ 11253 if ((arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) 11254 != (HCR_E2H | HCR_TGE)) { 11255 break; 11256 } 11257 /* fall through */ 11258 case 1: 11259 /* ... the target is EL1 ... */ 11260 /* ... and SCTLR_ELx.SPAN == 0, then set to 1. */ 11261 if ((env->cp15.sctlr_el[new_el] & SCTLR_SPAN) == 0) { 11262 new_mode |= PSTATE_PAN; 11263 } 11264 break; 11265 } 11266 } 11267 if (cpu_isar_feature(aa64_mte, cpu)) { 11268 new_mode |= PSTATE_TCO; 11269 } 11270 11271 if (cpu_isar_feature(aa64_ssbs, cpu)) { 11272 if (env->cp15.sctlr_el[new_el] & SCTLR_DSSBS_64) { 11273 new_mode |= PSTATE_SSBS; 11274 } else { 11275 new_mode &= ~PSTATE_SSBS; 11276 } 11277 } 11278 11279 pstate_write(env, PSTATE_DAIF | new_mode); 11280 env->aarch64 = true; 11281 aarch64_restore_sp(env, new_el); 11282 11283 if (tcg_enabled()) { 11284 helper_rebuild_hflags_a64(env, new_el); 11285 } 11286 11287 env->pc = addr; 11288 11289 qemu_log_mask(CPU_LOG_INT, "...to EL%d PC 0x%" PRIx64 " PSTATE 0x%x\n", 11290 new_el, env->pc, pstate_read(env)); 11291 } 11292 11293 /* 11294 * Do semihosting call and set the appropriate return value. All the 11295 * permission and validity checks have been done at translate time. 11296 * 11297 * We only see semihosting exceptions in TCG only as they are not 11298 * trapped to the hypervisor in KVM. 11299 */ 11300 #ifdef CONFIG_TCG 11301 static void tcg_handle_semihosting(CPUState *cs) 11302 { 11303 ARMCPU *cpu = ARM_CPU(cs); 11304 CPUARMState *env = &cpu->env; 11305 11306 if (is_a64(env)) { 11307 qemu_log_mask(CPU_LOG_INT, 11308 "...handling as semihosting call 0x%" PRIx64 "\n", 11309 env->xregs[0]); 11310 do_common_semihosting(cs); 11311 env->pc += 4; 11312 } else { 11313 qemu_log_mask(CPU_LOG_INT, 11314 "...handling as semihosting call 0x%x\n", 11315 env->regs[0]); 11316 do_common_semihosting(cs); 11317 env->regs[15] += env->thumb ? 2 : 4; 11318 } 11319 } 11320 #endif 11321 11322 /* 11323 * Handle a CPU exception for A and R profile CPUs. 11324 * Do any appropriate logging, handle PSCI calls, and then hand off 11325 * to the AArch64-entry or AArch32-entry function depending on the 11326 * target exception level's register width. 11327 * 11328 * Note: this is used for both TCG (as the do_interrupt tcg op), 11329 * and KVM to re-inject guest debug exceptions, and to 11330 * inject a Synchronous-External-Abort. 11331 */ 11332 void arm_cpu_do_interrupt(CPUState *cs) 11333 { 11334 ARMCPU *cpu = ARM_CPU(cs); 11335 CPUARMState *env = &cpu->env; 11336 unsigned int new_el = env->exception.target_el; 11337 11338 assert(!arm_feature(env, ARM_FEATURE_M)); 11339 11340 arm_log_exception(cs); 11341 qemu_log_mask(CPU_LOG_INT, "...from EL%d to EL%d\n", arm_current_el(env), 11342 new_el); 11343 if (qemu_loglevel_mask(CPU_LOG_INT) 11344 && !excp_is_internal(cs->exception_index)) { 11345 qemu_log_mask(CPU_LOG_INT, "...with ESR 0x%x/0x%" PRIx32 "\n", 11346 syn_get_ec(env->exception.syndrome), 11347 env->exception.syndrome); 11348 } 11349 11350 if (tcg_enabled() && arm_is_psci_call(cpu, cs->exception_index)) { 11351 arm_handle_psci_call(cpu); 11352 qemu_log_mask(CPU_LOG_INT, "...handled as PSCI call\n"); 11353 return; 11354 } 11355 11356 /* 11357 * Semihosting semantics depend on the register width of the code 11358 * that caused the exception, not the target exception level, so 11359 * must be handled here. 11360 */ 11361 #ifdef CONFIG_TCG 11362 if (cs->exception_index == EXCP_SEMIHOST) { 11363 tcg_handle_semihosting(cs); 11364 return; 11365 } 11366 #endif 11367 11368 /* 11369 * Hooks may change global state so BQL should be held, also the 11370 * BQL needs to be held for any modification of 11371 * cs->interrupt_request. 11372 */ 11373 g_assert(qemu_mutex_iothread_locked()); 11374 11375 arm_call_pre_el_change_hook(cpu); 11376 11377 assert(!excp_is_internal(cs->exception_index)); 11378 if (arm_el_is_aa64(env, new_el)) { 11379 arm_cpu_do_interrupt_aarch64(cs); 11380 } else { 11381 arm_cpu_do_interrupt_aarch32(cs); 11382 } 11383 11384 arm_call_el_change_hook(cpu); 11385 11386 if (!kvm_enabled()) { 11387 cs->interrupt_request |= CPU_INTERRUPT_EXITTB; 11388 } 11389 } 11390 #endif /* !CONFIG_USER_ONLY */ 11391 11392 uint64_t arm_sctlr(CPUARMState *env, int el) 11393 { 11394 /* Only EL0 needs to be adjusted for EL1&0 or EL2&0. */ 11395 if (el == 0) { 11396 ARMMMUIdx mmu_idx = arm_mmu_idx_el(env, 0); 11397 el = mmu_idx == ARMMMUIdx_E20_0 ? 2 : 1; 11398 } 11399 return env->cp15.sctlr_el[el]; 11400 } 11401 11402 int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx) 11403 { 11404 if (regime_has_2_ranges(mmu_idx)) { 11405 return extract64(tcr, 37, 2); 11406 } else if (regime_is_stage2(mmu_idx)) { 11407 return 0; /* VTCR_EL2 */ 11408 } else { 11409 /* Replicate the single TBI bit so we always have 2 bits. */ 11410 return extract32(tcr, 20, 1) * 3; 11411 } 11412 } 11413 11414 int aa64_va_parameter_tbid(uint64_t tcr, ARMMMUIdx mmu_idx) 11415 { 11416 if (regime_has_2_ranges(mmu_idx)) { 11417 return extract64(tcr, 51, 2); 11418 } else if (regime_is_stage2(mmu_idx)) { 11419 return 0; /* VTCR_EL2 */ 11420 } else { 11421 /* Replicate the single TBID bit so we always have 2 bits. */ 11422 return extract32(tcr, 29, 1) * 3; 11423 } 11424 } 11425 11426 int aa64_va_parameter_tcma(uint64_t tcr, ARMMMUIdx mmu_idx) 11427 { 11428 if (regime_has_2_ranges(mmu_idx)) { 11429 return extract64(tcr, 57, 2); 11430 } else { 11431 /* Replicate the single TCMA bit so we always have 2 bits. */ 11432 return extract32(tcr, 30, 1) * 3; 11433 } 11434 } 11435 11436 static ARMGranuleSize tg0_to_gran_size(int tg) 11437 { 11438 switch (tg) { 11439 case 0: 11440 return Gran4K; 11441 case 1: 11442 return Gran64K; 11443 case 2: 11444 return Gran16K; 11445 default: 11446 return GranInvalid; 11447 } 11448 } 11449 11450 static ARMGranuleSize tg1_to_gran_size(int tg) 11451 { 11452 switch (tg) { 11453 case 1: 11454 return Gran16K; 11455 case 2: 11456 return Gran4K; 11457 case 3: 11458 return Gran64K; 11459 default: 11460 return GranInvalid; 11461 } 11462 } 11463 11464 static inline bool have4k(ARMCPU *cpu, bool stage2) 11465 { 11466 return stage2 ? cpu_isar_feature(aa64_tgran4_2, cpu) 11467 : cpu_isar_feature(aa64_tgran4, cpu); 11468 } 11469 11470 static inline bool have16k(ARMCPU *cpu, bool stage2) 11471 { 11472 return stage2 ? cpu_isar_feature(aa64_tgran16_2, cpu) 11473 : cpu_isar_feature(aa64_tgran16, cpu); 11474 } 11475 11476 static inline bool have64k(ARMCPU *cpu, bool stage2) 11477 { 11478 return stage2 ? cpu_isar_feature(aa64_tgran64_2, cpu) 11479 : cpu_isar_feature(aa64_tgran64, cpu); 11480 } 11481 11482 static ARMGranuleSize sanitize_gran_size(ARMCPU *cpu, ARMGranuleSize gran, 11483 bool stage2) 11484 { 11485 switch (gran) { 11486 case Gran4K: 11487 if (have4k(cpu, stage2)) { 11488 return gran; 11489 } 11490 break; 11491 case Gran16K: 11492 if (have16k(cpu, stage2)) { 11493 return gran; 11494 } 11495 break; 11496 case Gran64K: 11497 if (have64k(cpu, stage2)) { 11498 return gran; 11499 } 11500 break; 11501 case GranInvalid: 11502 break; 11503 } 11504 /* 11505 * If the guest selects a granule size that isn't implemented, 11506 * the architecture requires that we behave as if it selected one 11507 * that is (with an IMPDEF choice of which one to pick). We choose 11508 * to implement the smallest supported granule size. 11509 */ 11510 if (have4k(cpu, stage2)) { 11511 return Gran4K; 11512 } 11513 if (have16k(cpu, stage2)) { 11514 return Gran16K; 11515 } 11516 assert(have64k(cpu, stage2)); 11517 return Gran64K; 11518 } 11519 11520 ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va, 11521 ARMMMUIdx mmu_idx, bool data, 11522 bool el1_is_aa32) 11523 { 11524 uint64_t tcr = regime_tcr(env, mmu_idx); 11525 bool epd, hpd, tsz_oob, ds, ha, hd; 11526 int select, tsz, tbi, max_tsz, min_tsz, ps, sh; 11527 ARMGranuleSize gran; 11528 ARMCPU *cpu = env_archcpu(env); 11529 bool stage2 = regime_is_stage2(mmu_idx); 11530 11531 if (!regime_has_2_ranges(mmu_idx)) { 11532 select = 0; 11533 tsz = extract32(tcr, 0, 6); 11534 gran = tg0_to_gran_size(extract32(tcr, 14, 2)); 11535 if (stage2) { 11536 /* VTCR_EL2 */ 11537 hpd = false; 11538 } else { 11539 hpd = extract32(tcr, 24, 1); 11540 } 11541 epd = false; 11542 sh = extract32(tcr, 12, 2); 11543 ps = extract32(tcr, 16, 3); 11544 ha = extract32(tcr, 21, 1) && cpu_isar_feature(aa64_hafs, cpu); 11545 hd = extract32(tcr, 22, 1) && cpu_isar_feature(aa64_hdbs, cpu); 11546 ds = extract64(tcr, 32, 1); 11547 } else { 11548 bool e0pd; 11549 11550 /* 11551 * Bit 55 is always between the two regions, and is canonical for 11552 * determining if address tagging is enabled. 11553 */ 11554 select = extract64(va, 55, 1); 11555 if (!select) { 11556 tsz = extract32(tcr, 0, 6); 11557 gran = tg0_to_gran_size(extract32(tcr, 14, 2)); 11558 epd = extract32(tcr, 7, 1); 11559 sh = extract32(tcr, 12, 2); 11560 hpd = extract64(tcr, 41, 1); 11561 e0pd = extract64(tcr, 55, 1); 11562 } else { 11563 tsz = extract32(tcr, 16, 6); 11564 gran = tg1_to_gran_size(extract32(tcr, 30, 2)); 11565 epd = extract32(tcr, 23, 1); 11566 sh = extract32(tcr, 28, 2); 11567 hpd = extract64(tcr, 42, 1); 11568 e0pd = extract64(tcr, 56, 1); 11569 } 11570 ps = extract64(tcr, 32, 3); 11571 ha = extract64(tcr, 39, 1) && cpu_isar_feature(aa64_hafs, cpu); 11572 hd = extract64(tcr, 40, 1) && cpu_isar_feature(aa64_hdbs, cpu); 11573 ds = extract64(tcr, 59, 1); 11574 11575 if (e0pd && cpu_isar_feature(aa64_e0pd, cpu) && 11576 regime_is_user(env, mmu_idx)) { 11577 epd = true; 11578 } 11579 } 11580 11581 gran = sanitize_gran_size(cpu, gran, stage2); 11582 11583 if (cpu_isar_feature(aa64_st, cpu)) { 11584 max_tsz = 48 - (gran == Gran64K); 11585 } else { 11586 max_tsz = 39; 11587 } 11588 11589 /* 11590 * DS is RES0 unless FEAT_LPA2 is supported for the given page size; 11591 * adjust the effective value of DS, as documented. 11592 */ 11593 min_tsz = 16; 11594 if (gran == Gran64K) { 11595 if (cpu_isar_feature(aa64_lva, cpu)) { 11596 min_tsz = 12; 11597 } 11598 ds = false; 11599 } else if (ds) { 11600 if (regime_is_stage2(mmu_idx)) { 11601 if (gran == Gran16K) { 11602 ds = cpu_isar_feature(aa64_tgran16_2_lpa2, cpu); 11603 } else { 11604 ds = cpu_isar_feature(aa64_tgran4_2_lpa2, cpu); 11605 } 11606 } else { 11607 if (gran == Gran16K) { 11608 ds = cpu_isar_feature(aa64_tgran16_lpa2, cpu); 11609 } else { 11610 ds = cpu_isar_feature(aa64_tgran4_lpa2, cpu); 11611 } 11612 } 11613 if (ds) { 11614 min_tsz = 12; 11615 } 11616 } 11617 11618 if (stage2 && el1_is_aa32) { 11619 /* 11620 * For AArch32 EL1 the min txsz (and thus max IPA size) requirements 11621 * are loosened: a configured IPA of 40 bits is permitted even if 11622 * the implemented PA is less than that (and so a 40 bit IPA would 11623 * fault for an AArch64 EL1). See R_DTLMN. 11624 */ 11625 min_tsz = MIN(min_tsz, 24); 11626 } 11627 11628 if (tsz > max_tsz) { 11629 tsz = max_tsz; 11630 tsz_oob = true; 11631 } else if (tsz < min_tsz) { 11632 tsz = min_tsz; 11633 tsz_oob = true; 11634 } else { 11635 tsz_oob = false; 11636 } 11637 11638 /* Present TBI as a composite with TBID. */ 11639 tbi = aa64_va_parameter_tbi(tcr, mmu_idx); 11640 if (!data) { 11641 tbi &= ~aa64_va_parameter_tbid(tcr, mmu_idx); 11642 } 11643 tbi = (tbi >> select) & 1; 11644 11645 return (ARMVAParameters) { 11646 .tsz = tsz, 11647 .ps = ps, 11648 .sh = sh, 11649 .select = select, 11650 .tbi = tbi, 11651 .epd = epd, 11652 .hpd = hpd, 11653 .tsz_oob = tsz_oob, 11654 .ds = ds, 11655 .ha = ha, 11656 .hd = ha && hd, 11657 .gran = gran, 11658 }; 11659 } 11660 11661 /* 11662 * Note that signed overflow is undefined in C. The following routines are 11663 * careful to use unsigned types where modulo arithmetic is required. 11664 * Failure to do so _will_ break on newer gcc. 11665 */ 11666 11667 /* Signed saturating arithmetic. */ 11668 11669 /* Perform 16-bit signed saturating addition. */ 11670 static inline uint16_t add16_sat(uint16_t a, uint16_t b) 11671 { 11672 uint16_t res; 11673 11674 res = a + b; 11675 if (((res ^ a) & 0x8000) && !((a ^ b) & 0x8000)) { 11676 if (a & 0x8000) { 11677 res = 0x8000; 11678 } else { 11679 res = 0x7fff; 11680 } 11681 } 11682 return res; 11683 } 11684 11685 /* Perform 8-bit signed saturating addition. */ 11686 static inline uint8_t add8_sat(uint8_t a, uint8_t b) 11687 { 11688 uint8_t res; 11689 11690 res = a + b; 11691 if (((res ^ a) & 0x80) && !((a ^ b) & 0x80)) { 11692 if (a & 0x80) { 11693 res = 0x80; 11694 } else { 11695 res = 0x7f; 11696 } 11697 } 11698 return res; 11699 } 11700 11701 /* Perform 16-bit signed saturating subtraction. */ 11702 static inline uint16_t sub16_sat(uint16_t a, uint16_t b) 11703 { 11704 uint16_t res; 11705 11706 res = a - b; 11707 if (((res ^ a) & 0x8000) && ((a ^ b) & 0x8000)) { 11708 if (a & 0x8000) { 11709 res = 0x8000; 11710 } else { 11711 res = 0x7fff; 11712 } 11713 } 11714 return res; 11715 } 11716 11717 /* Perform 8-bit signed saturating subtraction. */ 11718 static inline uint8_t sub8_sat(uint8_t a, uint8_t b) 11719 { 11720 uint8_t res; 11721 11722 res = a - b; 11723 if (((res ^ a) & 0x80) && ((a ^ b) & 0x80)) { 11724 if (a & 0x80) { 11725 res = 0x80; 11726 } else { 11727 res = 0x7f; 11728 } 11729 } 11730 return res; 11731 } 11732 11733 #define ADD16(a, b, n) RESULT(add16_sat(a, b), n, 16); 11734 #define SUB16(a, b, n) RESULT(sub16_sat(a, b), n, 16); 11735 #define ADD8(a, b, n) RESULT(add8_sat(a, b), n, 8); 11736 #define SUB8(a, b, n) RESULT(sub8_sat(a, b), n, 8); 11737 #define PFX q 11738 11739 #include "op_addsub.h" 11740 11741 /* Unsigned saturating arithmetic. */ 11742 static inline uint16_t add16_usat(uint16_t a, uint16_t b) 11743 { 11744 uint16_t res; 11745 res = a + b; 11746 if (res < a) { 11747 res = 0xffff; 11748 } 11749 return res; 11750 } 11751 11752 static inline uint16_t sub16_usat(uint16_t a, uint16_t b) 11753 { 11754 if (a > b) { 11755 return a - b; 11756 } else { 11757 return 0; 11758 } 11759 } 11760 11761 static inline uint8_t add8_usat(uint8_t a, uint8_t b) 11762 { 11763 uint8_t res; 11764 res = a + b; 11765 if (res < a) { 11766 res = 0xff; 11767 } 11768 return res; 11769 } 11770 11771 static inline uint8_t sub8_usat(uint8_t a, uint8_t b) 11772 { 11773 if (a > b) { 11774 return a - b; 11775 } else { 11776 return 0; 11777 } 11778 } 11779 11780 #define ADD16(a, b, n) RESULT(add16_usat(a, b), n, 16); 11781 #define SUB16(a, b, n) RESULT(sub16_usat(a, b), n, 16); 11782 #define ADD8(a, b, n) RESULT(add8_usat(a, b), n, 8); 11783 #define SUB8(a, b, n) RESULT(sub8_usat(a, b), n, 8); 11784 #define PFX uq 11785 11786 #include "op_addsub.h" 11787 11788 /* Signed modulo arithmetic. */ 11789 #define SARITH16(a, b, n, op) do { \ 11790 int32_t sum; \ 11791 sum = (int32_t)(int16_t)(a) op (int32_t)(int16_t)(b); \ 11792 RESULT(sum, n, 16); \ 11793 if (sum >= 0) \ 11794 ge |= 3 << (n * 2); \ 11795 } while (0) 11796 11797 #define SARITH8(a, b, n, op) do { \ 11798 int32_t sum; \ 11799 sum = (int32_t)(int8_t)(a) op (int32_t)(int8_t)(b); \ 11800 RESULT(sum, n, 8); \ 11801 if (sum >= 0) \ 11802 ge |= 1 << n; \ 11803 } while (0) 11804 11805 11806 #define ADD16(a, b, n) SARITH16(a, b, n, +) 11807 #define SUB16(a, b, n) SARITH16(a, b, n, -) 11808 #define ADD8(a, b, n) SARITH8(a, b, n, +) 11809 #define SUB8(a, b, n) SARITH8(a, b, n, -) 11810 #define PFX s 11811 #define ARITH_GE 11812 11813 #include "op_addsub.h" 11814 11815 /* Unsigned modulo arithmetic. */ 11816 #define ADD16(a, b, n) do { \ 11817 uint32_t sum; \ 11818 sum = (uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b); \ 11819 RESULT(sum, n, 16); \ 11820 if ((sum >> 16) == 1) \ 11821 ge |= 3 << (n * 2); \ 11822 } while (0) 11823 11824 #define ADD8(a, b, n) do { \ 11825 uint32_t sum; \ 11826 sum = (uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b); \ 11827 RESULT(sum, n, 8); \ 11828 if ((sum >> 8) == 1) \ 11829 ge |= 1 << n; \ 11830 } while (0) 11831 11832 #define SUB16(a, b, n) do { \ 11833 uint32_t sum; \ 11834 sum = (uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b); \ 11835 RESULT(sum, n, 16); \ 11836 if ((sum >> 16) == 0) \ 11837 ge |= 3 << (n * 2); \ 11838 } while (0) 11839 11840 #define SUB8(a, b, n) do { \ 11841 uint32_t sum; \ 11842 sum = (uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b); \ 11843 RESULT(sum, n, 8); \ 11844 if ((sum >> 8) == 0) \ 11845 ge |= 1 << n; \ 11846 } while (0) 11847 11848 #define PFX u 11849 #define ARITH_GE 11850 11851 #include "op_addsub.h" 11852 11853 /* Halved signed arithmetic. */ 11854 #define ADD16(a, b, n) \ 11855 RESULT(((int32_t)(int16_t)(a) + (int32_t)(int16_t)(b)) >> 1, n, 16) 11856 #define SUB16(a, b, n) \ 11857 RESULT(((int32_t)(int16_t)(a) - (int32_t)(int16_t)(b)) >> 1, n, 16) 11858 #define ADD8(a, b, n) \ 11859 RESULT(((int32_t)(int8_t)(a) + (int32_t)(int8_t)(b)) >> 1, n, 8) 11860 #define SUB8(a, b, n) \ 11861 RESULT(((int32_t)(int8_t)(a) - (int32_t)(int8_t)(b)) >> 1, n, 8) 11862 #define PFX sh 11863 11864 #include "op_addsub.h" 11865 11866 /* Halved unsigned arithmetic. */ 11867 #define ADD16(a, b, n) \ 11868 RESULT(((uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b)) >> 1, n, 16) 11869 #define SUB16(a, b, n) \ 11870 RESULT(((uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b)) >> 1, n, 16) 11871 #define ADD8(a, b, n) \ 11872 RESULT(((uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b)) >> 1, n, 8) 11873 #define SUB8(a, b, n) \ 11874 RESULT(((uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b)) >> 1, n, 8) 11875 #define PFX uh 11876 11877 #include "op_addsub.h" 11878 11879 static inline uint8_t do_usad(uint8_t a, uint8_t b) 11880 { 11881 if (a > b) { 11882 return a - b; 11883 } else { 11884 return b - a; 11885 } 11886 } 11887 11888 /* Unsigned sum of absolute byte differences. */ 11889 uint32_t HELPER(usad8)(uint32_t a, uint32_t b) 11890 { 11891 uint32_t sum; 11892 sum = do_usad(a, b); 11893 sum += do_usad(a >> 8, b >> 8); 11894 sum += do_usad(a >> 16, b >> 16); 11895 sum += do_usad(a >> 24, b >> 24); 11896 return sum; 11897 } 11898 11899 /* For ARMv6 SEL instruction. */ 11900 uint32_t HELPER(sel_flags)(uint32_t flags, uint32_t a, uint32_t b) 11901 { 11902 uint32_t mask; 11903 11904 mask = 0; 11905 if (flags & 1) { 11906 mask |= 0xff; 11907 } 11908 if (flags & 2) { 11909 mask |= 0xff00; 11910 } 11911 if (flags & 4) { 11912 mask |= 0xff0000; 11913 } 11914 if (flags & 8) { 11915 mask |= 0xff000000; 11916 } 11917 return (a & mask) | (b & ~mask); 11918 } 11919 11920 /* 11921 * CRC helpers. 11922 * The upper bytes of val (above the number specified by 'bytes') must have 11923 * been zeroed out by the caller. 11924 */ 11925 uint32_t HELPER(crc32)(uint32_t acc, uint32_t val, uint32_t bytes) 11926 { 11927 uint8_t buf[4]; 11928 11929 stl_le_p(buf, val); 11930 11931 /* zlib crc32 converts the accumulator and output to one's complement. */ 11932 return crc32(acc ^ 0xffffffff, buf, bytes) ^ 0xffffffff; 11933 } 11934 11935 uint32_t HELPER(crc32c)(uint32_t acc, uint32_t val, uint32_t bytes) 11936 { 11937 uint8_t buf[4]; 11938 11939 stl_le_p(buf, val); 11940 11941 /* Linux crc32c converts the output to one's complement. */ 11942 return crc32c(acc, buf, bytes) ^ 0xffffffff; 11943 } 11944 11945 /* 11946 * Return the exception level to which FP-disabled exceptions should 11947 * be taken, or 0 if FP is enabled. 11948 */ 11949 int fp_exception_el(CPUARMState *env, int cur_el) 11950 { 11951 #ifndef CONFIG_USER_ONLY 11952 uint64_t hcr_el2; 11953 11954 /* 11955 * CPACR and the CPTR registers don't exist before v6, so FP is 11956 * always accessible 11957 */ 11958 if (!arm_feature(env, ARM_FEATURE_V6)) { 11959 return 0; 11960 } 11961 11962 if (arm_feature(env, ARM_FEATURE_M)) { 11963 /* CPACR can cause a NOCP UsageFault taken to current security state */ 11964 if (!v7m_cpacr_pass(env, env->v7m.secure, cur_el != 0)) { 11965 return 1; 11966 } 11967 11968 if (arm_feature(env, ARM_FEATURE_M_SECURITY) && !env->v7m.secure) { 11969 if (!extract32(env->v7m.nsacr, 10, 1)) { 11970 /* FP insns cause a NOCP UsageFault taken to Secure */ 11971 return 3; 11972 } 11973 } 11974 11975 return 0; 11976 } 11977 11978 hcr_el2 = arm_hcr_el2_eff(env); 11979 11980 /* 11981 * The CPACR controls traps to EL1, or PL1 if we're 32 bit: 11982 * 0, 2 : trap EL0 and EL1/PL1 accesses 11983 * 1 : trap only EL0 accesses 11984 * 3 : trap no accesses 11985 * This register is ignored if E2H+TGE are both set. 11986 */ 11987 if ((hcr_el2 & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) { 11988 int fpen = FIELD_EX64(env->cp15.cpacr_el1, CPACR_EL1, FPEN); 11989 11990 switch (fpen) { 11991 case 1: 11992 if (cur_el != 0) { 11993 break; 11994 } 11995 /* fall through */ 11996 case 0: 11997 case 2: 11998 /* Trap from Secure PL0 or PL1 to Secure PL1. */ 11999 if (!arm_el_is_aa64(env, 3) 12000 && (cur_el == 3 || arm_is_secure_below_el3(env))) { 12001 return 3; 12002 } 12003 if (cur_el <= 1) { 12004 return 1; 12005 } 12006 break; 12007 } 12008 } 12009 12010 /* 12011 * The NSACR allows A-profile AArch32 EL3 and M-profile secure mode 12012 * to control non-secure access to the FPU. It doesn't have any 12013 * effect if EL3 is AArch64 or if EL3 doesn't exist at all. 12014 */ 12015 if ((arm_feature(env, ARM_FEATURE_EL3) && !arm_el_is_aa64(env, 3) && 12016 cur_el <= 2 && !arm_is_secure_below_el3(env))) { 12017 if (!extract32(env->cp15.nsacr, 10, 1)) { 12018 /* FP insns act as UNDEF */ 12019 return cur_el == 2 ? 2 : 1; 12020 } 12021 } 12022 12023 /* 12024 * CPTR_EL2 is present in v7VE or v8, and changes format 12025 * with HCR_EL2.E2H (regardless of TGE). 12026 */ 12027 if (cur_el <= 2) { 12028 if (hcr_el2 & HCR_E2H) { 12029 switch (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, FPEN)) { 12030 case 1: 12031 if (cur_el != 0 || !(hcr_el2 & HCR_TGE)) { 12032 break; 12033 } 12034 /* fall through */ 12035 case 0: 12036 case 2: 12037 return 2; 12038 } 12039 } else if (arm_is_el2_enabled(env)) { 12040 if (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, TFP)) { 12041 return 2; 12042 } 12043 } 12044 } 12045 12046 /* CPTR_EL3 : present in v8 */ 12047 if (FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, TFP)) { 12048 /* Trap all FP ops to EL3 */ 12049 return 3; 12050 } 12051 #endif 12052 return 0; 12053 } 12054 12055 /* Return the exception level we're running at if this is our mmu_idx */ 12056 int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx) 12057 { 12058 if (mmu_idx & ARM_MMU_IDX_M) { 12059 return mmu_idx & ARM_MMU_IDX_M_PRIV; 12060 } 12061 12062 switch (mmu_idx) { 12063 case ARMMMUIdx_E10_0: 12064 case ARMMMUIdx_E20_0: 12065 return 0; 12066 case ARMMMUIdx_E10_1: 12067 case ARMMMUIdx_E10_1_PAN: 12068 return 1; 12069 case ARMMMUIdx_E2: 12070 case ARMMMUIdx_E20_2: 12071 case ARMMMUIdx_E20_2_PAN: 12072 return 2; 12073 case ARMMMUIdx_E3: 12074 return 3; 12075 default: 12076 g_assert_not_reached(); 12077 } 12078 } 12079 12080 #ifndef CONFIG_TCG 12081 ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate) 12082 { 12083 g_assert_not_reached(); 12084 } 12085 #endif 12086 12087 static bool arm_pan_enabled(CPUARMState *env) 12088 { 12089 if (is_a64(env)) { 12090 return env->pstate & PSTATE_PAN; 12091 } else { 12092 return env->uncached_cpsr & CPSR_PAN; 12093 } 12094 } 12095 12096 ARMMMUIdx arm_mmu_idx_el(CPUARMState *env, int el) 12097 { 12098 ARMMMUIdx idx; 12099 uint64_t hcr; 12100 12101 if (arm_feature(env, ARM_FEATURE_M)) { 12102 return arm_v7m_mmu_idx_for_secstate(env, env->v7m.secure); 12103 } 12104 12105 /* See ARM pseudo-function ELIsInHost. */ 12106 switch (el) { 12107 case 0: 12108 hcr = arm_hcr_el2_eff(env); 12109 if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) { 12110 idx = ARMMMUIdx_E20_0; 12111 } else { 12112 idx = ARMMMUIdx_E10_0; 12113 } 12114 break; 12115 case 1: 12116 if (arm_pan_enabled(env)) { 12117 idx = ARMMMUIdx_E10_1_PAN; 12118 } else { 12119 idx = ARMMMUIdx_E10_1; 12120 } 12121 break; 12122 case 2: 12123 /* Note that TGE does not apply at EL2. */ 12124 if (arm_hcr_el2_eff(env) & HCR_E2H) { 12125 if (arm_pan_enabled(env)) { 12126 idx = ARMMMUIdx_E20_2_PAN; 12127 } else { 12128 idx = ARMMMUIdx_E20_2; 12129 } 12130 } else { 12131 idx = ARMMMUIdx_E2; 12132 } 12133 break; 12134 case 3: 12135 return ARMMMUIdx_E3; 12136 default: 12137 g_assert_not_reached(); 12138 } 12139 12140 return idx; 12141 } 12142 12143 ARMMMUIdx arm_mmu_idx(CPUARMState *env) 12144 { 12145 return arm_mmu_idx_el(env, arm_current_el(env)); 12146 } 12147 12148 static bool mve_no_pred(CPUARMState *env) 12149 { 12150 /* 12151 * Return true if there is definitely no predication of MVE 12152 * instructions by VPR or LTPSIZE. (Returning false even if there 12153 * isn't any predication is OK; generated code will just be 12154 * a little worse.) 12155 * If the CPU does not implement MVE then this TB flag is always 0. 12156 * 12157 * NOTE: if you change this logic, the "recalculate s->mve_no_pred" 12158 * logic in gen_update_fp_context() needs to be updated to match. 12159 * 12160 * We do not include the effect of the ECI bits here -- they are 12161 * tracked in other TB flags. This simplifies the logic for 12162 * "when did we emit code that changes the MVE_NO_PRED TB flag 12163 * and thus need to end the TB?". 12164 */ 12165 if (cpu_isar_feature(aa32_mve, env_archcpu(env))) { 12166 return false; 12167 } 12168 if (env->v7m.vpr) { 12169 return false; 12170 } 12171 if (env->v7m.ltpsize < 4) { 12172 return false; 12173 } 12174 return true; 12175 } 12176 12177 void cpu_get_tb_cpu_state(CPUARMState *env, vaddr *pc, 12178 uint64_t *cs_base, uint32_t *pflags) 12179 { 12180 CPUARMTBFlags flags; 12181 12182 assert_hflags_rebuild_correctly(env); 12183 flags = env->hflags; 12184 12185 if (EX_TBFLAG_ANY(flags, AARCH64_STATE)) { 12186 *pc = env->pc; 12187 if (cpu_isar_feature(aa64_bti, env_archcpu(env))) { 12188 DP_TBFLAG_A64(flags, BTYPE, env->btype); 12189 } 12190 } else { 12191 *pc = env->regs[15]; 12192 12193 if (arm_feature(env, ARM_FEATURE_M)) { 12194 if (arm_feature(env, ARM_FEATURE_M_SECURITY) && 12195 FIELD_EX32(env->v7m.fpccr[M_REG_S], V7M_FPCCR, S) 12196 != env->v7m.secure) { 12197 DP_TBFLAG_M32(flags, FPCCR_S_WRONG, 1); 12198 } 12199 12200 if ((env->v7m.fpccr[env->v7m.secure] & R_V7M_FPCCR_ASPEN_MASK) && 12201 (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK) || 12202 (env->v7m.secure && 12203 !(env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)))) { 12204 /* 12205 * ASPEN is set, but FPCA/SFPA indicate that there is no 12206 * active FP context; we must create a new FP context before 12207 * executing any FP insn. 12208 */ 12209 DP_TBFLAG_M32(flags, NEW_FP_CTXT_NEEDED, 1); 12210 } 12211 12212 bool is_secure = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK; 12213 if (env->v7m.fpccr[is_secure] & R_V7M_FPCCR_LSPACT_MASK) { 12214 DP_TBFLAG_M32(flags, LSPACT, 1); 12215 } 12216 12217 if (mve_no_pred(env)) { 12218 DP_TBFLAG_M32(flags, MVE_NO_PRED, 1); 12219 } 12220 } else { 12221 /* 12222 * Note that XSCALE_CPAR shares bits with VECSTRIDE. 12223 * Note that VECLEN+VECSTRIDE are RES0 for M-profile. 12224 */ 12225 if (arm_feature(env, ARM_FEATURE_XSCALE)) { 12226 DP_TBFLAG_A32(flags, XSCALE_CPAR, env->cp15.c15_cpar); 12227 } else { 12228 DP_TBFLAG_A32(flags, VECLEN, env->vfp.vec_len); 12229 DP_TBFLAG_A32(flags, VECSTRIDE, env->vfp.vec_stride); 12230 } 12231 if (env->vfp.xregs[ARM_VFP_FPEXC] & (1 << 30)) { 12232 DP_TBFLAG_A32(flags, VFPEN, 1); 12233 } 12234 } 12235 12236 DP_TBFLAG_AM32(flags, THUMB, env->thumb); 12237 DP_TBFLAG_AM32(flags, CONDEXEC, env->condexec_bits); 12238 } 12239 12240 /* 12241 * The SS_ACTIVE and PSTATE_SS bits correspond to the state machine 12242 * states defined in the ARM ARM for software singlestep: 12243 * SS_ACTIVE PSTATE.SS State 12244 * 0 x Inactive (the TB flag for SS is always 0) 12245 * 1 0 Active-pending 12246 * 1 1 Active-not-pending 12247 * SS_ACTIVE is set in hflags; PSTATE__SS is computed every TB. 12248 */ 12249 if (EX_TBFLAG_ANY(flags, SS_ACTIVE) && (env->pstate & PSTATE_SS)) { 12250 DP_TBFLAG_ANY(flags, PSTATE__SS, 1); 12251 } 12252 12253 *pflags = flags.flags; 12254 *cs_base = flags.flags2; 12255 } 12256 12257 #ifdef TARGET_AARCH64 12258 /* 12259 * The manual says that when SVE is enabled and VQ is widened the 12260 * implementation is allowed to zero the previously inaccessible 12261 * portion of the registers. The corollary to that is that when 12262 * SVE is enabled and VQ is narrowed we are also allowed to zero 12263 * the now inaccessible portion of the registers. 12264 * 12265 * The intent of this is that no predicate bit beyond VQ is ever set. 12266 * Which means that some operations on predicate registers themselves 12267 * may operate on full uint64_t or even unrolled across the maximum 12268 * uint64_t[4]. Performing 4 bits of host arithmetic unconditionally 12269 * may well be cheaper than conditionals to restrict the operation 12270 * to the relevant portion of a uint16_t[16]. 12271 */ 12272 void aarch64_sve_narrow_vq(CPUARMState *env, unsigned vq) 12273 { 12274 int i, j; 12275 uint64_t pmask; 12276 12277 assert(vq >= 1 && vq <= ARM_MAX_VQ); 12278 assert(vq <= env_archcpu(env)->sve_max_vq); 12279 12280 /* Zap the high bits of the zregs. */ 12281 for (i = 0; i < 32; i++) { 12282 memset(&env->vfp.zregs[i].d[2 * vq], 0, 16 * (ARM_MAX_VQ - vq)); 12283 } 12284 12285 /* Zap the high bits of the pregs and ffr. */ 12286 pmask = 0; 12287 if (vq & 3) { 12288 pmask = ~(-1ULL << (16 * (vq & 3))); 12289 } 12290 for (j = vq / 4; j < ARM_MAX_VQ / 4; j++) { 12291 for (i = 0; i < 17; ++i) { 12292 env->vfp.pregs[i].p[j] &= pmask; 12293 } 12294 pmask = 0; 12295 } 12296 } 12297 12298 static uint32_t sve_vqm1_for_el_sm_ena(CPUARMState *env, int el, bool sm) 12299 { 12300 int exc_el; 12301 12302 if (sm) { 12303 exc_el = sme_exception_el(env, el); 12304 } else { 12305 exc_el = sve_exception_el(env, el); 12306 } 12307 if (exc_el) { 12308 return 0; /* disabled */ 12309 } 12310 return sve_vqm1_for_el_sm(env, el, sm); 12311 } 12312 12313 /* 12314 * Notice a change in SVE vector size when changing EL. 12315 */ 12316 void aarch64_sve_change_el(CPUARMState *env, int old_el, 12317 int new_el, bool el0_a64) 12318 { 12319 ARMCPU *cpu = env_archcpu(env); 12320 int old_len, new_len; 12321 bool old_a64, new_a64, sm; 12322 12323 /* Nothing to do if no SVE. */ 12324 if (!cpu_isar_feature(aa64_sve, cpu)) { 12325 return; 12326 } 12327 12328 /* Nothing to do if FP is disabled in either EL. */ 12329 if (fp_exception_el(env, old_el) || fp_exception_el(env, new_el)) { 12330 return; 12331 } 12332 12333 old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64; 12334 new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64; 12335 12336 /* 12337 * Both AArch64.TakeException and AArch64.ExceptionReturn 12338 * invoke ResetSVEState when taking an exception from, or 12339 * returning to, AArch32 state when PSTATE.SM is enabled. 12340 */ 12341 sm = FIELD_EX64(env->svcr, SVCR, SM); 12342 if (old_a64 != new_a64 && sm) { 12343 arm_reset_sve_state(env); 12344 return; 12345 } 12346 12347 /* 12348 * DDI0584A.d sec 3.2: "If SVE instructions are disabled or trapped 12349 * at ELx, or not available because the EL is in AArch32 state, then 12350 * for all purposes other than a direct read, the ZCR_ELx.LEN field 12351 * has an effective value of 0". 12352 * 12353 * Consider EL2 (aa64, vq=4) -> EL0 (aa32) -> EL1 (aa64, vq=0). 12354 * If we ignore aa32 state, we would fail to see the vq4->vq0 transition 12355 * from EL2->EL1. Thus we go ahead and narrow when entering aa32 so that 12356 * we already have the correct register contents when encountering the 12357 * vq0->vq0 transition between EL0->EL1. 12358 */ 12359 old_len = new_len = 0; 12360 if (old_a64) { 12361 old_len = sve_vqm1_for_el_sm_ena(env, old_el, sm); 12362 } 12363 if (new_a64) { 12364 new_len = sve_vqm1_for_el_sm_ena(env, new_el, sm); 12365 } 12366 12367 /* When changing vector length, clear inaccessible state. */ 12368 if (new_len < old_len) { 12369 aarch64_sve_narrow_vq(env, new_len + 1); 12370 } 12371 } 12372 #endif 12373 12374 #ifndef CONFIG_USER_ONLY 12375 ARMSecuritySpace arm_security_space(CPUARMState *env) 12376 { 12377 if (arm_feature(env, ARM_FEATURE_M)) { 12378 return arm_secure_to_space(env->v7m.secure); 12379 } 12380 12381 /* 12382 * If EL3 is not supported then the secure state is implementation 12383 * defined, in which case QEMU defaults to non-secure. 12384 */ 12385 if (!arm_feature(env, ARM_FEATURE_EL3)) { 12386 return ARMSS_NonSecure; 12387 } 12388 12389 /* Check for AArch64 EL3 or AArch32 Mon. */ 12390 if (is_a64(env)) { 12391 if (extract32(env->pstate, 2, 2) == 3) { 12392 if (cpu_isar_feature(aa64_rme, env_archcpu(env))) { 12393 return ARMSS_Root; 12394 } else { 12395 return ARMSS_Secure; 12396 } 12397 } 12398 } else { 12399 if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_MON) { 12400 return ARMSS_Secure; 12401 } 12402 } 12403 12404 return arm_security_space_below_el3(env); 12405 } 12406 12407 ARMSecuritySpace arm_security_space_below_el3(CPUARMState *env) 12408 { 12409 assert(!arm_feature(env, ARM_FEATURE_M)); 12410 12411 /* 12412 * If EL3 is not supported then the secure state is implementation 12413 * defined, in which case QEMU defaults to non-secure. 12414 */ 12415 if (!arm_feature(env, ARM_FEATURE_EL3)) { 12416 return ARMSS_NonSecure; 12417 } 12418 12419 /* 12420 * Note NSE cannot be set without RME, and NSE & !NS is Reserved. 12421 * Ignoring NSE when !NS retains consistency without having to 12422 * modify other predicates. 12423 */ 12424 if (!(env->cp15.scr_el3 & SCR_NS)) { 12425 return ARMSS_Secure; 12426 } else if (env->cp15.scr_el3 & SCR_NSE) { 12427 return ARMSS_Realm; 12428 } else { 12429 return ARMSS_NonSecure; 12430 } 12431 } 12432 #endif /* !CONFIG_USER_ONLY */ 12433