xref: /openbmc/qemu/target/arm/helper.c (revision bbdbc47b5c6907e065f84e751d127dae3cebfd54)
1 /*
2  * ARM generic helpers.
3  *
4  * This code is licensed under the GNU GPL v2 or later.
5  *
6  * SPDX-License-Identifier: GPL-2.0-or-later
7  */
8 
9 #include "qemu/osdep.h"
10 #include "qemu/log.h"
11 #include "trace.h"
12 #include "cpu.h"
13 #include "internals.h"
14 #include "cpu-features.h"
15 #include "exec/helper-proto.h"
16 #include "exec/page-protection.h"
17 #include "exec/mmap-lock.h"
18 #include "qemu/main-loop.h"
19 #include "qemu/timer.h"
20 #include "qemu/bitops.h"
21 #include "qemu/qemu-print.h"
22 #include "exec/cputlb.h"
23 #include "exec/translation-block.h"
24 #include "hw/irq.h"
25 #include "system/cpu-timers.h"
26 #include "exec/icount.h"
27 #include "system/kvm.h"
28 #include "system/tcg.h"
29 #include "qapi/error.h"
30 #include "qemu/guest-random.h"
31 #ifdef CONFIG_TCG
32 #include "accel/tcg/probe.h"
33 #include "semihosting/common-semi.h"
34 #endif
35 #include "cpregs.h"
36 #include "target/arm/gtimer.h"
37 
38 #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
39 
40 static void switch_mode(CPUARMState *env, int mode);
41 
42 static uint64_t raw_read(CPUARMState *env, const ARMCPRegInfo *ri)
43 {
44     assert(ri->fieldoffset);
45     if (cpreg_field_is_64bit(ri)) {
46         return CPREG_FIELD64(env, ri);
47     } else {
48         return CPREG_FIELD32(env, ri);
49     }
50 }
51 
52 void raw_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
53 {
54     assert(ri->fieldoffset);
55     if (cpreg_field_is_64bit(ri)) {
56         CPREG_FIELD64(env, ri) = value;
57     } else {
58         CPREG_FIELD32(env, ri) = value;
59     }
60 }
61 
62 static void *raw_ptr(CPUARMState *env, const ARMCPRegInfo *ri)
63 {
64     return (char *)env + ri->fieldoffset;
65 }
66 
67 uint64_t read_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri)
68 {
69     /* Raw read of a coprocessor register (as needed for migration, etc). */
70     if (ri->type & ARM_CP_CONST) {
71         return ri->resetvalue;
72     } else if (ri->raw_readfn) {
73         return ri->raw_readfn(env, ri);
74     } else if (ri->readfn) {
75         return ri->readfn(env, ri);
76     } else {
77         return raw_read(env, ri);
78     }
79 }
80 
81 static void write_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri,
82                              uint64_t v)
83 {
84     /*
85      * Raw write of a coprocessor register (as needed for migration, etc).
86      * Note that constant registers are treated as write-ignored; the
87      * caller should check for success by whether a readback gives the
88      * value written.
89      */
90     if (ri->type & ARM_CP_CONST) {
91         return;
92     } else if (ri->raw_writefn) {
93         ri->raw_writefn(env, ri, v);
94     } else if (ri->writefn) {
95         ri->writefn(env, ri, v);
96     } else {
97         raw_write(env, ri, v);
98     }
99 }
100 
101 static bool raw_accessors_invalid(const ARMCPRegInfo *ri)
102 {
103    /*
104     * Return true if the regdef would cause an assertion if you called
105     * read_raw_cp_reg() or write_raw_cp_reg() on it (ie if it is a
106     * program bug for it not to have the NO_RAW flag).
107     * NB that returning false here doesn't necessarily mean that calling
108     * read/write_raw_cp_reg() is safe, because we can't distinguish "has
109     * read/write access functions which are safe for raw use" from "has
110     * read/write access functions which have side effects but has forgotten
111     * to provide raw access functions".
112     * The tests here line up with the conditions in read/write_raw_cp_reg()
113     * and assertions in raw_read()/raw_write().
114     */
115     if ((ri->type & ARM_CP_CONST) ||
116         ri->fieldoffset ||
117         ((ri->raw_writefn || ri->writefn) && (ri->raw_readfn || ri->readfn))) {
118         return false;
119     }
120     return true;
121 }
122 
123 bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync)
124 {
125     /* Write the coprocessor state from cpu->env to the (index,value) list. */
126     int i;
127     bool ok = true;
128 
129     for (i = 0; i < cpu->cpreg_array_len; i++) {
130         uint32_t regidx = kvm_to_cpreg_id(cpu->cpreg_indexes[i]);
131         const ARMCPRegInfo *ri;
132         uint64_t newval;
133 
134         ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
135         if (!ri) {
136             ok = false;
137             continue;
138         }
139         if (ri->type & ARM_CP_NO_RAW) {
140             continue;
141         }
142 
143         newval = read_raw_cp_reg(&cpu->env, ri);
144         if (kvm_sync) {
145             /*
146              * Only sync if the previous list->cpustate sync succeeded.
147              * Rather than tracking the success/failure state for every
148              * item in the list, we just recheck "does the raw write we must
149              * have made in write_list_to_cpustate() read back OK" here.
150              */
151             uint64_t oldval = cpu->cpreg_values[i];
152 
153             if (oldval == newval) {
154                 continue;
155             }
156 
157             write_raw_cp_reg(&cpu->env, ri, oldval);
158             if (read_raw_cp_reg(&cpu->env, ri) != oldval) {
159                 continue;
160             }
161 
162             write_raw_cp_reg(&cpu->env, ri, newval);
163         }
164         cpu->cpreg_values[i] = newval;
165     }
166     return ok;
167 }
168 
169 bool write_list_to_cpustate(ARMCPU *cpu)
170 {
171     int i;
172     bool ok = true;
173 
174     for (i = 0; i < cpu->cpreg_array_len; i++) {
175         uint32_t regidx = kvm_to_cpreg_id(cpu->cpreg_indexes[i]);
176         uint64_t v = cpu->cpreg_values[i];
177         const ARMCPRegInfo *ri;
178 
179         ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
180         if (!ri) {
181             ok = false;
182             continue;
183         }
184         if (ri->type & ARM_CP_NO_RAW) {
185             continue;
186         }
187         /*
188          * Write value and confirm it reads back as written
189          * (to catch read-only registers and partially read-only
190          * registers where the incoming migration value doesn't match)
191          */
192         write_raw_cp_reg(&cpu->env, ri, v);
193         if (read_raw_cp_reg(&cpu->env, ri) != v) {
194             ok = false;
195         }
196     }
197     return ok;
198 }
199 
200 static void add_cpreg_to_list(gpointer key, gpointer opaque)
201 {
202     ARMCPU *cpu = opaque;
203     uint32_t regidx = (uintptr_t)key;
204     const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
205 
206     if (!(ri->type & (ARM_CP_NO_RAW | ARM_CP_ALIAS))) {
207         cpu->cpreg_indexes[cpu->cpreg_array_len] = cpreg_to_kvm_id(regidx);
208         /* The value array need not be initialized at this point */
209         cpu->cpreg_array_len++;
210     }
211 }
212 
213 static void count_cpreg(gpointer key, gpointer opaque)
214 {
215     ARMCPU *cpu = opaque;
216     const ARMCPRegInfo *ri;
217 
218     ri = g_hash_table_lookup(cpu->cp_regs, key);
219 
220     if (!(ri->type & (ARM_CP_NO_RAW | ARM_CP_ALIAS))) {
221         cpu->cpreg_array_len++;
222     }
223 }
224 
225 static gint cpreg_key_compare(gconstpointer a, gconstpointer b, gpointer d)
226 {
227     uint64_t aidx = cpreg_to_kvm_id((uintptr_t)a);
228     uint64_t bidx = cpreg_to_kvm_id((uintptr_t)b);
229 
230     if (aidx > bidx) {
231         return 1;
232     }
233     if (aidx < bidx) {
234         return -1;
235     }
236     return 0;
237 }
238 
239 void init_cpreg_list(ARMCPU *cpu)
240 {
241     /*
242      * Initialise the cpreg_tuples[] array based on the cp_regs hash.
243      * Note that we require cpreg_tuples[] to be sorted by key ID.
244      */
245     GList *keys;
246     int arraylen;
247 
248     keys = g_hash_table_get_keys(cpu->cp_regs);
249     keys = g_list_sort_with_data(keys, cpreg_key_compare, NULL);
250 
251     cpu->cpreg_array_len = 0;
252 
253     g_list_foreach(keys, count_cpreg, cpu);
254 
255     arraylen = cpu->cpreg_array_len;
256     cpu->cpreg_indexes = g_new(uint64_t, arraylen);
257     cpu->cpreg_values = g_new(uint64_t, arraylen);
258     cpu->cpreg_vmstate_indexes = g_new(uint64_t, arraylen);
259     cpu->cpreg_vmstate_values = g_new(uint64_t, arraylen);
260     cpu->cpreg_vmstate_array_len = cpu->cpreg_array_len;
261     cpu->cpreg_array_len = 0;
262 
263     g_list_foreach(keys, add_cpreg_to_list, cpu);
264 
265     assert(cpu->cpreg_array_len == arraylen);
266 
267     g_list_free(keys);
268 }
269 
270 static bool arm_pan_enabled(CPUARMState *env)
271 {
272     if (is_a64(env)) {
273         if ((arm_hcr_el2_eff(env) & (HCR_NV | HCR_NV1)) == (HCR_NV | HCR_NV1)) {
274             return false;
275         }
276         return env->pstate & PSTATE_PAN;
277     } else {
278         return env->uncached_cpsr & CPSR_PAN;
279     }
280 }
281 
282 /*
283  * Some registers are not accessible from AArch32 EL3 if SCR.NS == 0.
284  */
285 static CPAccessResult access_el3_aa32ns(CPUARMState *env,
286                                         const ARMCPRegInfo *ri,
287                                         bool isread)
288 {
289     if (!is_a64(env) && arm_current_el(env) == 3 &&
290         arm_is_secure_below_el3(env)) {
291         return CP_ACCESS_UNDEFINED;
292     }
293     return CP_ACCESS_OK;
294 }
295 
296 /*
297  * Some secure-only AArch32 registers trap to EL3 if used from
298  * Secure EL1 (but are just ordinary UNDEF in other non-EL3 contexts).
299  * Note that an access from Secure EL1 can only happen if EL3 is AArch64.
300  * We assume that the .access field is set to PL1_RW.
301  */
302 static CPAccessResult access_trap_aa32s_el1(CPUARMState *env,
303                                             const ARMCPRegInfo *ri,
304                                             bool isread)
305 {
306     if (arm_current_el(env) == 3) {
307         return CP_ACCESS_OK;
308     }
309     if (arm_is_secure_below_el3(env)) {
310         if (env->cp15.scr_el3 & SCR_EEL2) {
311             return CP_ACCESS_TRAP_EL2;
312         }
313         return CP_ACCESS_TRAP_EL3;
314     }
315     /* This will be EL1 NS and EL2 NS, which just UNDEF */
316     return CP_ACCESS_UNDEFINED;
317 }
318 
319 /*
320  * Check for traps to performance monitor registers, which are controlled
321  * by MDCR_EL2.TPM for EL2 and MDCR_EL3.TPM for EL3.
322  */
323 static CPAccessResult access_tpm(CPUARMState *env, const ARMCPRegInfo *ri,
324                                  bool isread)
325 {
326     int el = arm_current_el(env);
327     uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
328 
329     if (el < 2 && (mdcr_el2 & MDCR_TPM)) {
330         return CP_ACCESS_TRAP_EL2;
331     }
332     if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TPM)) {
333         return CP_ACCESS_TRAP_EL3;
334     }
335     return CP_ACCESS_OK;
336 }
337 
338 /* Check for traps from EL1 due to HCR_EL2.TVM and HCR_EL2.TRVM.  */
339 CPAccessResult access_tvm_trvm(CPUARMState *env, const ARMCPRegInfo *ri,
340                                bool isread)
341 {
342     if (arm_current_el(env) == 1) {
343         uint64_t trap = isread ? HCR_TRVM : HCR_TVM;
344         if (arm_hcr_el2_eff(env) & trap) {
345             return CP_ACCESS_TRAP_EL2;
346         }
347     }
348     return CP_ACCESS_OK;
349 }
350 
351 /* Check for traps from EL1 due to HCR_EL2.TSW.  */
352 static CPAccessResult access_tsw(CPUARMState *env, const ARMCPRegInfo *ri,
353                                  bool isread)
354 {
355     if (arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_TSW)) {
356         return CP_ACCESS_TRAP_EL2;
357     }
358     return CP_ACCESS_OK;
359 }
360 
361 /* Check for traps from EL1 due to HCR_EL2.TACR.  */
362 static CPAccessResult access_tacr(CPUARMState *env, const ARMCPRegInfo *ri,
363                                   bool isread)
364 {
365     if (arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_TACR)) {
366         return CP_ACCESS_TRAP_EL2;
367     }
368     return CP_ACCESS_OK;
369 }
370 
371 static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
372 {
373     ARMCPU *cpu = env_archcpu(env);
374 
375     raw_write(env, ri, value);
376     tlb_flush(CPU(cpu)); /* Flush TLB as domain not tracked in TLB */
377 }
378 
379 static void fcse_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
380 {
381     ARMCPU *cpu = env_archcpu(env);
382 
383     if (raw_read(env, ri) != value) {
384         /*
385          * Unlike real hardware the qemu TLB uses virtual addresses,
386          * not modified virtual addresses, so this causes a TLB flush.
387          */
388         tlb_flush(CPU(cpu));
389         raw_write(env, ri, value);
390     }
391 }
392 
393 static void contextidr_write(CPUARMState *env, const ARMCPRegInfo *ri,
394                              uint64_t value)
395 {
396     ARMCPU *cpu = env_archcpu(env);
397 
398     if (raw_read(env, ri) != value && !arm_feature(env, ARM_FEATURE_PMSA)
399         && !extended_addresses_enabled(env)) {
400         /*
401          * For VMSA (when not using the LPAE long descriptor page table
402          * format) this register includes the ASID, so do a TLB flush.
403          * For PMSA it is purely a process ID and no action is needed.
404          */
405         tlb_flush(CPU(cpu));
406     }
407     raw_write(env, ri, value);
408 }
409 
410 int alle1_tlbmask(CPUARMState *env)
411 {
412     /*
413      * Note that the 'ALL' scope must invalidate both stage 1 and
414      * stage 2 translations, whereas most other scopes only invalidate
415      * stage 1 translations.
416      *
417      * For AArch32 this is only used for TLBIALLNSNH and VTTBR
418      * writes, so only needs to apply to NS PL1&0, not S PL1&0.
419      */
420     return (ARMMMUIdxBit_E10_1 |
421             ARMMMUIdxBit_E10_1_PAN |
422             ARMMMUIdxBit_E10_0 |
423             ARMMMUIdxBit_Stage2 |
424             ARMMMUIdxBit_Stage2_S);
425 }
426 
427 static const ARMCPRegInfo cp_reginfo[] = {
428     /*
429      * Define the secure and non-secure FCSE identifier CP registers
430      * separately because there is no secure bank in V8 (no _EL3).  This allows
431      * the secure register to be properly reset and migrated. There is also no
432      * v8 EL1 version of the register so the non-secure instance stands alone.
433      */
434     { .name = "FCSEIDR",
435       .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 0,
436       .access = PL1_RW, .secure = ARM_CP_SECSTATE_NS,
437       .fieldoffset = offsetof(CPUARMState, cp15.fcseidr_ns),
438       .resetvalue = 0, .writefn = fcse_write, .raw_writefn = raw_write, },
439     { .name = "FCSEIDR_S",
440       .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 0,
441       .access = PL1_RW, .secure = ARM_CP_SECSTATE_S,
442       .fieldoffset = offsetof(CPUARMState, cp15.fcseidr_s),
443       .resetvalue = 0, .writefn = fcse_write, .raw_writefn = raw_write, },
444     /*
445      * Define the secure and non-secure context identifier CP registers
446      * separately because there is no secure bank in V8 (no _EL3).  This allows
447      * the secure register to be properly reset and migrated.  In the
448      * non-secure case, the 32-bit register will have reset and migration
449      * disabled during registration as it is handled by the 64-bit instance.
450      */
451     { .name = "CONTEXTIDR_EL1", .state = ARM_CP_STATE_BOTH,
452       .opc0 = 3, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 1,
453       .access = PL1_RW, .accessfn = access_tvm_trvm,
454       .fgt = FGT_CONTEXTIDR_EL1,
455       .nv2_redirect_offset = 0x108 | NV2_REDIR_NV1,
456       .secure = ARM_CP_SECSTATE_NS,
457       .fieldoffset = offsetof(CPUARMState, cp15.contextidr_el[1]),
458       .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, },
459     { .name = "CONTEXTIDR_S", .state = ARM_CP_STATE_AA32,
460       .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 1,
461       .access = PL1_RW, .accessfn = access_tvm_trvm,
462       .secure = ARM_CP_SECSTATE_S,
463       .fieldoffset = offsetof(CPUARMState, cp15.contextidr_s),
464       .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, },
465 };
466 
467 static const ARMCPRegInfo not_v8_cp_reginfo[] = {
468     /*
469      * NB: Some of these registers exist in v8 but with more precise
470      * definitions that don't use CP_ANY wildcards (mostly in v8_cp_reginfo[]).
471      */
472     /* MMU Domain access control / MPU write buffer control */
473     { .name = "DACR",
474       .cp = 15, .opc1 = CP_ANY, .crn = 3, .crm = CP_ANY, .opc2 = CP_ANY,
475       .access = PL1_RW, .accessfn = access_tvm_trvm, .resetvalue = 0,
476       .writefn = dacr_write, .raw_writefn = raw_write,
477       .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dacr_s),
478                              offsetoflow32(CPUARMState, cp15.dacr_ns) } },
479     /*
480      * ARMv7 allocates a range of implementation defined TLB LOCKDOWN regs.
481      * For v6 and v5, these mappings are overly broad.
482      */
483     { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 0,
484       .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
485     { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 1,
486       .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
487     { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 4,
488       .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
489     { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 8,
490       .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
491     /* Cache maintenance ops; some of this space may be overridden later. */
492     { .name = "CACHEMAINT", .cp = 15, .crn = 7, .crm = CP_ANY,
493       .opc1 = 0, .opc2 = CP_ANY, .access = PL1_W,
494       .type = ARM_CP_NOP | ARM_CP_OVERRIDE },
495 };
496 
497 static const ARMCPRegInfo not_v6_cp_reginfo[] = {
498     /*
499      * Not all pre-v6 cores implemented this WFI, so this is slightly
500      * over-broad.
501      */
502     { .name = "WFI_v5", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = 2,
503       .access = PL1_W, .type = ARM_CP_WFI },
504 };
505 
506 static const ARMCPRegInfo not_v7_cp_reginfo[] = {
507     /*
508      * Standard v6 WFI (also used in some pre-v6 cores); not in v7 (which
509      * is UNPREDICTABLE; we choose to NOP as most implementations do).
510      */
511     { .name = "WFI_v6", .cp = 15, .crn = 7, .crm = 0, .opc1 = 0, .opc2 = 4,
512       .access = PL1_W, .type = ARM_CP_WFI },
513     /*
514      * L1 cache lockdown. Not architectural in v6 and earlier but in practice
515      * implemented in 926, 946, 1026, 1136, 1176 and 11MPCore. StrongARM and
516      * OMAPCP will override this space.
517      */
518     { .name = "DLOCKDOWN", .cp = 15, .crn = 9, .crm = 0, .opc1 = 0, .opc2 = 0,
519       .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_data),
520       .resetvalue = 0 },
521     { .name = "ILOCKDOWN", .cp = 15, .crn = 9, .crm = 0, .opc1 = 0, .opc2 = 1,
522       .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_insn),
523       .resetvalue = 0 },
524     /* v6 doesn't have the cache ID registers but Linux reads them anyway */
525     { .name = "DUMMY", .cp = 15, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = CP_ANY,
526       .access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
527       .resetvalue = 0 },
528     /*
529      * We don't implement pre-v7 debug but most CPUs had at least a DBGDIDR;
530      * implementing it as RAZ means the "debug architecture version" bits
531      * will read as a reserved value, which should cause Linux to not try
532      * to use the debug hardware.
533      */
534     { .name = "DBGDIDR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 0,
535       .access = PL0_R, .type = ARM_CP_CONST, .resetvalue = 0 },
536     { .name = "PRRR", .cp = 15, .crn = 10, .crm = 2,
537       .opc1 = 0, .opc2 = 0, .access = PL1_RW, .type = ARM_CP_NOP },
538     { .name = "NMRR", .cp = 15, .crn = 10, .crm = 2,
539       .opc1 = 0, .opc2 = 1, .access = PL1_RW, .type = ARM_CP_NOP },
540 };
541 
542 static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
543                         uint64_t value)
544 {
545     uint32_t mask = 0;
546 
547     /* In ARMv8 most bits of CPACR_EL1 are RES0. */
548     if (!arm_feature(env, ARM_FEATURE_V8)) {
549         /*
550          * ARMv7 defines bits for unimplemented coprocessors as RAZ/WI.
551          * ASEDIS [31] and D32DIS [30] are both UNK/SBZP without VFP.
552          * TRCDIS [28] is RAZ/WI since we do not implement a trace macrocell.
553          */
554         if (cpu_isar_feature(aa32_vfp_simd, env_archcpu(env))) {
555             /* VFP coprocessor: cp10 & cp11 [23:20] */
556             mask |= R_CPACR_ASEDIS_MASK |
557                     R_CPACR_D32DIS_MASK |
558                     R_CPACR_CP11_MASK |
559                     R_CPACR_CP10_MASK;
560 
561             if (!arm_feature(env, ARM_FEATURE_NEON)) {
562                 /* ASEDIS [31] bit is RAO/WI */
563                 value |= R_CPACR_ASEDIS_MASK;
564             }
565 
566             /*
567              * VFPv3 and upwards with NEON implement 32 double precision
568              * registers (D0-D31).
569              */
570             if (!cpu_isar_feature(aa32_simd_r32, env_archcpu(env))) {
571                 /* D32DIS [30] is RAO/WI if D16-31 are not implemented. */
572                 value |= R_CPACR_D32DIS_MASK;
573             }
574         }
575         value &= mask;
576     }
577 
578     /*
579      * For A-profile AArch32 EL3 (but not M-profile secure mode), if NSACR.CP10
580      * is 0 then CPACR.{CP11,CP10} ignore writes and read as 0b00.
581      */
582     if (arm_feature(env, ARM_FEATURE_EL3) && !arm_el_is_aa64(env, 3) &&
583         !arm_is_secure(env) && !extract32(env->cp15.nsacr, 10, 1)) {
584         mask = R_CPACR_CP11_MASK | R_CPACR_CP10_MASK;
585         value = (value & ~mask) | (env->cp15.cpacr_el1 & mask);
586     }
587 
588     env->cp15.cpacr_el1 = value;
589 }
590 
591 static uint64_t cpacr_read(CPUARMState *env, const ARMCPRegInfo *ri)
592 {
593     /*
594      * For A-profile AArch32 EL3 (but not M-profile secure mode), if NSACR.CP10
595      * is 0 then CPACR.{CP11,CP10} ignore writes and read as 0b00.
596      */
597     uint64_t value = env->cp15.cpacr_el1;
598 
599     if (arm_feature(env, ARM_FEATURE_EL3) && !arm_el_is_aa64(env, 3) &&
600         !arm_is_secure(env) && !extract32(env->cp15.nsacr, 10, 1)) {
601         value = ~(R_CPACR_CP11_MASK | R_CPACR_CP10_MASK);
602     }
603     return value;
604 }
605 
606 
607 static void cpacr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
608 {
609     /*
610      * Call cpacr_write() so that we reset with the correct RAO bits set
611      * for our CPU features.
612      */
613     cpacr_write(env, ri, 0);
614 }
615 
616 static CPAccessResult cpacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
617                                    bool isread)
618 {
619     if (arm_feature(env, ARM_FEATURE_V8)) {
620         /* Check if CPACR accesses are to be trapped to EL2 */
621         if (arm_current_el(env) == 1 && arm_is_el2_enabled(env) &&
622             FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, TCPAC)) {
623             return CP_ACCESS_TRAP_EL2;
624         /* Check if CPACR accesses are to be trapped to EL3 */
625         } else if (arm_current_el(env) < 3 &&
626                    FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, TCPAC)) {
627             return CP_ACCESS_TRAP_EL3;
628         }
629     }
630 
631     return CP_ACCESS_OK;
632 }
633 
634 static CPAccessResult cptr_access(CPUARMState *env, const ARMCPRegInfo *ri,
635                                   bool isread)
636 {
637     /* Check if CPTR accesses are set to trap to EL3 */
638     if (arm_current_el(env) == 2 &&
639         FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, TCPAC)) {
640         return CP_ACCESS_TRAP_EL3;
641     }
642 
643     return CP_ACCESS_OK;
644 }
645 
646 static const ARMCPRegInfo v6_cp_reginfo[] = {
647     /* prefetch by MVA in v6, NOP in v7 */
648     { .name = "MVA_prefetch",
649       .cp = 15, .crn = 7, .crm = 13, .opc1 = 0, .opc2 = 1,
650       .access = PL1_W, .type = ARM_CP_NOP },
651     /*
652      * We need to break the TB after ISB to execute self-modifying code
653      * correctly and also to take any pending interrupts immediately.
654      * So use arm_cp_write_ignore() function instead of ARM_CP_NOP flag.
655      */
656     { .name = "ISB", .cp = 15, .crn = 7, .crm = 5, .opc1 = 0, .opc2 = 4,
657       .access = PL0_W, .type = ARM_CP_NO_RAW, .writefn = arm_cp_write_ignore },
658     { .name = "DSB", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 4,
659       .access = PL0_W, .type = ARM_CP_NOP },
660     { .name = "DMB", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 5,
661       .access = PL0_W, .type = ARM_CP_NOP },
662     { .name = "IFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 2,
663       .access = PL1_RW, .accessfn = access_tvm_trvm,
664       .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ifar_s),
665                              offsetof(CPUARMState, cp15.ifar_ns) },
666       .resetvalue = 0, },
667     /*
668      * Watchpoint Fault Address Register : should actually only be present
669      * for 1136, 1176, 11MPCore.
670      */
671     { .name = "WFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 1,
672       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, },
673     { .name = "CPACR", .state = ARM_CP_STATE_BOTH, .opc0 = 3,
674       .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 2, .accessfn = cpacr_access,
675       .fgt = FGT_CPACR_EL1,
676       .nv2_redirect_offset = 0x100 | NV2_REDIR_NV1,
677       .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.cpacr_el1),
678       .resetfn = cpacr_reset, .writefn = cpacr_write, .readfn = cpacr_read },
679 };
680 
681 typedef struct pm_event {
682     uint16_t number; /* PMEVTYPER.evtCount is 16 bits wide */
683     /* If the event is supported on this CPU (used to generate PMCEID[01]) */
684     bool (*supported)(CPUARMState *);
685     /*
686      * Retrieve the current count of the underlying event. The programmed
687      * counters hold a difference from the return value from this function
688      */
689     uint64_t (*get_count)(CPUARMState *);
690     /*
691      * Return how many nanoseconds it will take (at a minimum) for count events
692      * to occur. A negative value indicates the counter will never overflow, or
693      * that the counter has otherwise arranged for the overflow bit to be set
694      * and the PMU interrupt to be raised on overflow.
695      */
696     int64_t (*ns_per_count)(uint64_t);
697 } pm_event;
698 
699 static bool event_always_supported(CPUARMState *env)
700 {
701     return true;
702 }
703 
704 static uint64_t swinc_get_count(CPUARMState *env)
705 {
706     /*
707      * SW_INCR events are written directly to the pmevcntr's by writes to
708      * PMSWINC, so there is no underlying count maintained by the PMU itself
709      */
710     return 0;
711 }
712 
713 static int64_t swinc_ns_per(uint64_t ignored)
714 {
715     return -1;
716 }
717 
718 /*
719  * Return the underlying cycle count for the PMU cycle counters. If we're in
720  * usermode, simply return 0.
721  */
722 static uint64_t cycles_get_count(CPUARMState *env)
723 {
724 #ifndef CONFIG_USER_ONLY
725     return muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL),
726                    ARM_CPU_FREQ, NANOSECONDS_PER_SECOND);
727 #else
728     return cpu_get_host_ticks();
729 #endif
730 }
731 
732 #ifndef CONFIG_USER_ONLY
733 static int64_t cycles_ns_per(uint64_t cycles)
734 {
735     return (ARM_CPU_FREQ / NANOSECONDS_PER_SECOND) * cycles;
736 }
737 
738 static bool instructions_supported(CPUARMState *env)
739 {
740     /* Precise instruction counting */
741     return icount_enabled() == ICOUNT_PRECISE;
742 }
743 
744 static uint64_t instructions_get_count(CPUARMState *env)
745 {
746     assert(icount_enabled() == ICOUNT_PRECISE);
747     return (uint64_t)icount_get_raw();
748 }
749 
750 static int64_t instructions_ns_per(uint64_t icount)
751 {
752     assert(icount_enabled() == ICOUNT_PRECISE);
753     return icount_to_ns((int64_t)icount);
754 }
755 #endif
756 
757 static bool pmuv3p1_events_supported(CPUARMState *env)
758 {
759     /* For events which are supported in any v8.1 PMU */
760     return cpu_isar_feature(any_pmuv3p1, env_archcpu(env));
761 }
762 
763 static bool pmuv3p4_events_supported(CPUARMState *env)
764 {
765     /* For events which are supported in any v8.1 PMU */
766     return cpu_isar_feature(any_pmuv3p4, env_archcpu(env));
767 }
768 
769 static uint64_t zero_event_get_count(CPUARMState *env)
770 {
771     /* For events which on QEMU never fire, so their count is always zero */
772     return 0;
773 }
774 
775 static int64_t zero_event_ns_per(uint64_t cycles)
776 {
777     /* An event which never fires can never overflow */
778     return -1;
779 }
780 
781 static const pm_event pm_events[] = {
782     { .number = 0x000, /* SW_INCR */
783       .supported = event_always_supported,
784       .get_count = swinc_get_count,
785       .ns_per_count = swinc_ns_per,
786     },
787 #ifndef CONFIG_USER_ONLY
788     { .number = 0x008, /* INST_RETIRED, Instruction architecturally executed */
789       .supported = instructions_supported,
790       .get_count = instructions_get_count,
791       .ns_per_count = instructions_ns_per,
792     },
793     { .number = 0x011, /* CPU_CYCLES, Cycle */
794       .supported = event_always_supported,
795       .get_count = cycles_get_count,
796       .ns_per_count = cycles_ns_per,
797     },
798 #endif
799     { .number = 0x023, /* STALL_FRONTEND */
800       .supported = pmuv3p1_events_supported,
801       .get_count = zero_event_get_count,
802       .ns_per_count = zero_event_ns_per,
803     },
804     { .number = 0x024, /* STALL_BACKEND */
805       .supported = pmuv3p1_events_supported,
806       .get_count = zero_event_get_count,
807       .ns_per_count = zero_event_ns_per,
808     },
809     { .number = 0x03c, /* STALL */
810       .supported = pmuv3p4_events_supported,
811       .get_count = zero_event_get_count,
812       .ns_per_count = zero_event_ns_per,
813     },
814 };
815 
816 /*
817  * Note: Before increasing MAX_EVENT_ID beyond 0x3f into the 0x40xx range of
818  * events (i.e. the statistical profiling extension), this implementation
819  * should first be updated to something sparse instead of the current
820  * supported_event_map[] array.
821  */
822 #define MAX_EVENT_ID 0x3c
823 #define UNSUPPORTED_EVENT UINT16_MAX
824 static uint16_t supported_event_map[MAX_EVENT_ID + 1];
825 
826 /*
827  * Called upon CPU initialization to initialize PMCEID[01]_EL0 and build a map
828  * of ARM event numbers to indices in our pm_events array.
829  *
830  * Note: Events in the 0x40XX range are not currently supported.
831  */
832 void pmu_init(ARMCPU *cpu)
833 {
834     unsigned int i;
835 
836     /*
837      * Empty supported_event_map and cpu->pmceid[01] before adding supported
838      * events to them
839      */
840     for (i = 0; i < ARRAY_SIZE(supported_event_map); i++) {
841         supported_event_map[i] = UNSUPPORTED_EVENT;
842     }
843     cpu->pmceid0 = 0;
844     cpu->pmceid1 = 0;
845 
846     for (i = 0; i < ARRAY_SIZE(pm_events); i++) {
847         const pm_event *cnt = &pm_events[i];
848         assert(cnt->number <= MAX_EVENT_ID);
849         /* We do not currently support events in the 0x40xx range */
850         assert(cnt->number <= 0x3f);
851 
852         if (cnt->supported(&cpu->env)) {
853             supported_event_map[cnt->number] = i;
854             uint64_t event_mask = 1ULL << (cnt->number & 0x1f);
855             if (cnt->number & 0x20) {
856                 cpu->pmceid1 |= event_mask;
857             } else {
858                 cpu->pmceid0 |= event_mask;
859             }
860         }
861     }
862 }
863 
864 /*
865  * Check at runtime whether a PMU event is supported for the current machine
866  */
867 static bool event_supported(uint16_t number)
868 {
869     if (number > MAX_EVENT_ID) {
870         return false;
871     }
872     return supported_event_map[number] != UNSUPPORTED_EVENT;
873 }
874 
875 static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri,
876                                    bool isread)
877 {
878     /*
879      * Performance monitor registers user accessibility is controlled
880      * by PMUSERENR. MDCR_EL2.TPM and MDCR_EL3.TPM allow configurable
881      * trapping to EL2 or EL3 for other accesses.
882      */
883     int el = arm_current_el(env);
884     uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
885 
886     if (el == 0 && !(env->cp15.c9_pmuserenr & 1)) {
887         return CP_ACCESS_TRAP_EL1;
888     }
889     if (el < 2 && (mdcr_el2 & MDCR_TPM)) {
890         return CP_ACCESS_TRAP_EL2;
891     }
892     if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TPM)) {
893         return CP_ACCESS_TRAP_EL3;
894     }
895 
896     return CP_ACCESS_OK;
897 }
898 
899 static CPAccessResult pmreg_access_xevcntr(CPUARMState *env,
900                                            const ARMCPRegInfo *ri,
901                                            bool isread)
902 {
903     /* ER: event counter read trap control */
904     if (arm_feature(env, ARM_FEATURE_V8)
905         && arm_current_el(env) == 0
906         && (env->cp15.c9_pmuserenr & (1 << 3)) != 0
907         && isread) {
908         return CP_ACCESS_OK;
909     }
910 
911     return pmreg_access(env, ri, isread);
912 }
913 
914 static CPAccessResult pmreg_access_swinc(CPUARMState *env,
915                                          const ARMCPRegInfo *ri,
916                                          bool isread)
917 {
918     /* SW: software increment write trap control */
919     if (arm_feature(env, ARM_FEATURE_V8)
920         && arm_current_el(env) == 0
921         && (env->cp15.c9_pmuserenr & (1 << 1)) != 0
922         && !isread) {
923         return CP_ACCESS_OK;
924     }
925 
926     return pmreg_access(env, ri, isread);
927 }
928 
929 static CPAccessResult pmreg_access_selr(CPUARMState *env,
930                                         const ARMCPRegInfo *ri,
931                                         bool isread)
932 {
933     /* ER: event counter read trap control */
934     if (arm_feature(env, ARM_FEATURE_V8)
935         && arm_current_el(env) == 0
936         && (env->cp15.c9_pmuserenr & (1 << 3)) != 0) {
937         return CP_ACCESS_OK;
938     }
939 
940     return pmreg_access(env, ri, isread);
941 }
942 
943 static CPAccessResult pmreg_access_ccntr(CPUARMState *env,
944                                          const ARMCPRegInfo *ri,
945                                          bool isread)
946 {
947     /* CR: cycle counter read trap control */
948     if (arm_feature(env, ARM_FEATURE_V8)
949         && arm_current_el(env) == 0
950         && (env->cp15.c9_pmuserenr & (1 << 2)) != 0
951         && isread) {
952         return CP_ACCESS_OK;
953     }
954 
955     return pmreg_access(env, ri, isread);
956 }
957 
958 /*
959  * Bits in MDCR_EL2 and MDCR_EL3 which pmu_counter_enabled() looks at.
960  * We use these to decide whether we need to wrap a write to MDCR_EL2
961  * or MDCR_EL3 in pmu_op_start()/pmu_op_finish() calls.
962  */
963 #define MDCR_EL2_PMU_ENABLE_BITS \
964     (MDCR_HPME | MDCR_HPMD | MDCR_HPMN | MDCR_HCCD | MDCR_HLP)
965 #define MDCR_EL3_PMU_ENABLE_BITS (MDCR_SPME | MDCR_SCCD)
966 
967 /*
968  * Returns true if the counter (pass 31 for PMCCNTR) should count events using
969  * the current EL, security state, and register configuration.
970  */
971 static bool pmu_counter_enabled(CPUARMState *env, uint8_t counter)
972 {
973     uint64_t filter;
974     bool e, p, u, nsk, nsu, nsh, m;
975     bool enabled, prohibited = false, filtered;
976     bool secure = arm_is_secure(env);
977     int el = arm_current_el(env);
978     uint64_t mdcr_el2;
979     uint8_t hpmn;
980 
981     /*
982      * We might be called for M-profile cores where MDCR_EL2 doesn't
983      * exist and arm_mdcr_el2_eff() will assert, so this early-exit check
984      * must be before we read that value.
985      */
986     if (!arm_feature(env, ARM_FEATURE_PMU)) {
987         return false;
988     }
989 
990     mdcr_el2 = arm_mdcr_el2_eff(env);
991     hpmn = mdcr_el2 & MDCR_HPMN;
992 
993     if (!arm_feature(env, ARM_FEATURE_EL2) ||
994             (counter < hpmn || counter == 31)) {
995         e = env->cp15.c9_pmcr & PMCRE;
996     } else {
997         e = mdcr_el2 & MDCR_HPME;
998     }
999     enabled = e && (env->cp15.c9_pmcnten & (1 << counter));
1000 
1001     /* Is event counting prohibited? */
1002     if (el == 2 && (counter < hpmn || counter == 31)) {
1003         prohibited = mdcr_el2 & MDCR_HPMD;
1004     }
1005     if (secure) {
1006         prohibited = prohibited || !(env->cp15.mdcr_el3 & MDCR_SPME);
1007     }
1008 
1009     if (counter == 31) {
1010         /*
1011          * The cycle counter defaults to running. PMCR.DP says "disable
1012          * the cycle counter when event counting is prohibited".
1013          * Some MDCR bits disable the cycle counter specifically.
1014          */
1015         prohibited = prohibited && env->cp15.c9_pmcr & PMCRDP;
1016         if (cpu_isar_feature(any_pmuv3p5, env_archcpu(env))) {
1017             if (secure) {
1018                 prohibited = prohibited || (env->cp15.mdcr_el3 & MDCR_SCCD);
1019             }
1020             if (el == 2) {
1021                 prohibited = prohibited || (mdcr_el2 & MDCR_HCCD);
1022             }
1023         }
1024     }
1025 
1026     if (counter == 31) {
1027         filter = env->cp15.pmccfiltr_el0;
1028     } else {
1029         filter = env->cp15.c14_pmevtyper[counter];
1030     }
1031 
1032     p   = filter & PMXEVTYPER_P;
1033     u   = filter & PMXEVTYPER_U;
1034     nsk = arm_feature(env, ARM_FEATURE_EL3) && (filter & PMXEVTYPER_NSK);
1035     nsu = arm_feature(env, ARM_FEATURE_EL3) && (filter & PMXEVTYPER_NSU);
1036     nsh = arm_feature(env, ARM_FEATURE_EL2) && (filter & PMXEVTYPER_NSH);
1037     m   = arm_el_is_aa64(env, 1) &&
1038               arm_feature(env, ARM_FEATURE_EL3) && (filter & PMXEVTYPER_M);
1039 
1040     if (el == 0) {
1041         filtered = secure ? u : u != nsu;
1042     } else if (el == 1) {
1043         filtered = secure ? p : p != nsk;
1044     } else if (el == 2) {
1045         filtered = !nsh;
1046     } else { /* EL3 */
1047         filtered = m != p;
1048     }
1049 
1050     if (counter != 31) {
1051         /*
1052          * If not checking PMCCNTR, ensure the counter is setup to an event we
1053          * support
1054          */
1055         uint16_t event = filter & PMXEVTYPER_EVTCOUNT;
1056         if (!event_supported(event)) {
1057             return false;
1058         }
1059     }
1060 
1061     return enabled && !prohibited && !filtered;
1062 }
1063 
1064 static void pmu_update_irq(CPUARMState *env)
1065 {
1066     ARMCPU *cpu = env_archcpu(env);
1067     qemu_set_irq(cpu->pmu_interrupt, (env->cp15.c9_pmcr & PMCRE) &&
1068             (env->cp15.c9_pminten & env->cp15.c9_pmovsr));
1069 }
1070 
1071 static bool pmccntr_clockdiv_enabled(CPUARMState *env)
1072 {
1073     /*
1074      * Return true if the clock divider is enabled and the cycle counter
1075      * is supposed to tick only once every 64 clock cycles. This is
1076      * controlled by PMCR.D, but if PMCR.LC is set to enable the long
1077      * (64-bit) cycle counter PMCR.D has no effect.
1078      */
1079     return (env->cp15.c9_pmcr & (PMCRD | PMCRLC)) == PMCRD;
1080 }
1081 
1082 static bool pmevcntr_is_64_bit(CPUARMState *env, int counter)
1083 {
1084     /* Return true if the specified event counter is configured to be 64 bit */
1085 
1086     /* This isn't intended to be used with the cycle counter */
1087     assert(counter < 31);
1088 
1089     if (!cpu_isar_feature(any_pmuv3p5, env_archcpu(env))) {
1090         return false;
1091     }
1092 
1093     if (arm_feature(env, ARM_FEATURE_EL2)) {
1094         /*
1095          * MDCR_EL2.HLP still applies even when EL2 is disabled in the
1096          * current security state, so we don't use arm_mdcr_el2_eff() here.
1097          */
1098         bool hlp = env->cp15.mdcr_el2 & MDCR_HLP;
1099         int hpmn = env->cp15.mdcr_el2 & MDCR_HPMN;
1100 
1101         if (counter >= hpmn) {
1102             return hlp;
1103         }
1104     }
1105     return env->cp15.c9_pmcr & PMCRLP;
1106 }
1107 
1108 /*
1109  * Ensure c15_ccnt is the guest-visible count so that operations such as
1110  * enabling/disabling the counter or filtering, modifying the count itself,
1111  * etc. can be done logically. This is essentially a no-op if the counter is
1112  * not enabled at the time of the call.
1113  */
1114 static void pmccntr_op_start(CPUARMState *env)
1115 {
1116     uint64_t cycles = cycles_get_count(env);
1117 
1118     if (pmu_counter_enabled(env, 31)) {
1119         uint64_t eff_cycles = cycles;
1120         if (pmccntr_clockdiv_enabled(env)) {
1121             eff_cycles /= 64;
1122         }
1123 
1124         uint64_t new_pmccntr = eff_cycles - env->cp15.c15_ccnt_delta;
1125 
1126         uint64_t overflow_mask = env->cp15.c9_pmcr & PMCRLC ? \
1127                                  1ull << 63 : 1ull << 31;
1128         if (env->cp15.c15_ccnt & ~new_pmccntr & overflow_mask) {
1129             env->cp15.c9_pmovsr |= (1ULL << 31);
1130             pmu_update_irq(env);
1131         }
1132 
1133         env->cp15.c15_ccnt = new_pmccntr;
1134     }
1135     env->cp15.c15_ccnt_delta = cycles;
1136 }
1137 
1138 /*
1139  * If PMCCNTR is enabled, recalculate the delta between the clock and the
1140  * guest-visible count. A call to pmccntr_op_finish should follow every call to
1141  * pmccntr_op_start.
1142  */
1143 static void pmccntr_op_finish(CPUARMState *env)
1144 {
1145     if (pmu_counter_enabled(env, 31)) {
1146 #ifndef CONFIG_USER_ONLY
1147         /* Calculate when the counter will next overflow */
1148         uint64_t remaining_cycles = -env->cp15.c15_ccnt;
1149         if (!(env->cp15.c9_pmcr & PMCRLC)) {
1150             remaining_cycles = (uint32_t)remaining_cycles;
1151         }
1152         int64_t overflow_in = cycles_ns_per(remaining_cycles);
1153 
1154         if (overflow_in > 0) {
1155             int64_t overflow_at;
1156 
1157             if (!sadd64_overflow(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL),
1158                                  overflow_in, &overflow_at)) {
1159                 ARMCPU *cpu = env_archcpu(env);
1160                 timer_mod_anticipate_ns(cpu->pmu_timer, overflow_at);
1161             }
1162         }
1163 #endif
1164 
1165         uint64_t prev_cycles = env->cp15.c15_ccnt_delta;
1166         if (pmccntr_clockdiv_enabled(env)) {
1167             prev_cycles /= 64;
1168         }
1169         env->cp15.c15_ccnt_delta = prev_cycles - env->cp15.c15_ccnt;
1170     }
1171 }
1172 
1173 static void pmevcntr_op_start(CPUARMState *env, uint8_t counter)
1174 {
1175 
1176     uint16_t event = env->cp15.c14_pmevtyper[counter] & PMXEVTYPER_EVTCOUNT;
1177     uint64_t count = 0;
1178     if (event_supported(event)) {
1179         uint16_t event_idx = supported_event_map[event];
1180         count = pm_events[event_idx].get_count(env);
1181     }
1182 
1183     if (pmu_counter_enabled(env, counter)) {
1184         uint64_t new_pmevcntr = count - env->cp15.c14_pmevcntr_delta[counter];
1185         uint64_t overflow_mask = pmevcntr_is_64_bit(env, counter) ?
1186             1ULL << 63 : 1ULL << 31;
1187 
1188         if (env->cp15.c14_pmevcntr[counter] & ~new_pmevcntr & overflow_mask) {
1189             env->cp15.c9_pmovsr |= (1 << counter);
1190             pmu_update_irq(env);
1191         }
1192         env->cp15.c14_pmevcntr[counter] = new_pmevcntr;
1193     }
1194     env->cp15.c14_pmevcntr_delta[counter] = count;
1195 }
1196 
1197 static void pmevcntr_op_finish(CPUARMState *env, uint8_t counter)
1198 {
1199     if (pmu_counter_enabled(env, counter)) {
1200 #ifndef CONFIG_USER_ONLY
1201         uint16_t event = env->cp15.c14_pmevtyper[counter] & PMXEVTYPER_EVTCOUNT;
1202         uint16_t event_idx = supported_event_map[event];
1203         uint64_t delta = -(env->cp15.c14_pmevcntr[counter] + 1);
1204         int64_t overflow_in;
1205 
1206         if (!pmevcntr_is_64_bit(env, counter)) {
1207             delta = (uint32_t)delta;
1208         }
1209         overflow_in = pm_events[event_idx].ns_per_count(delta);
1210 
1211         if (overflow_in > 0) {
1212             int64_t overflow_at;
1213 
1214             if (!sadd64_overflow(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL),
1215                                  overflow_in, &overflow_at)) {
1216                 ARMCPU *cpu = env_archcpu(env);
1217                 timer_mod_anticipate_ns(cpu->pmu_timer, overflow_at);
1218             }
1219         }
1220 #endif
1221 
1222         env->cp15.c14_pmevcntr_delta[counter] -=
1223             env->cp15.c14_pmevcntr[counter];
1224     }
1225 }
1226 
1227 void pmu_op_start(CPUARMState *env)
1228 {
1229     unsigned int i;
1230     pmccntr_op_start(env);
1231     for (i = 0; i < pmu_num_counters(env); i++) {
1232         pmevcntr_op_start(env, i);
1233     }
1234 }
1235 
1236 void pmu_op_finish(CPUARMState *env)
1237 {
1238     unsigned int i;
1239     pmccntr_op_finish(env);
1240     for (i = 0; i < pmu_num_counters(env); i++) {
1241         pmevcntr_op_finish(env, i);
1242     }
1243 }
1244 
1245 void pmu_pre_el_change(ARMCPU *cpu, void *ignored)
1246 {
1247     pmu_op_start(&cpu->env);
1248 }
1249 
1250 void pmu_post_el_change(ARMCPU *cpu, void *ignored)
1251 {
1252     pmu_op_finish(&cpu->env);
1253 }
1254 
1255 void arm_pmu_timer_cb(void *opaque)
1256 {
1257     ARMCPU *cpu = opaque;
1258 
1259     /*
1260      * Update all the counter values based on the current underlying counts,
1261      * triggering interrupts to be raised, if necessary. pmu_op_finish() also
1262      * has the effect of setting the cpu->pmu_timer to the next earliest time a
1263      * counter may expire.
1264      */
1265     pmu_op_start(&cpu->env);
1266     pmu_op_finish(&cpu->env);
1267 }
1268 
1269 static void pmcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1270                        uint64_t value)
1271 {
1272     pmu_op_start(env);
1273 
1274     if (value & PMCRC) {
1275         /* The counter has been reset */
1276         env->cp15.c15_ccnt = 0;
1277     }
1278 
1279     if (value & PMCRP) {
1280         unsigned int i;
1281         for (i = 0; i < pmu_num_counters(env); i++) {
1282             env->cp15.c14_pmevcntr[i] = 0;
1283         }
1284     }
1285 
1286     env->cp15.c9_pmcr &= ~PMCR_WRITABLE_MASK;
1287     env->cp15.c9_pmcr |= (value & PMCR_WRITABLE_MASK);
1288 
1289     pmu_op_finish(env);
1290 }
1291 
1292 static uint64_t pmcr_read(CPUARMState *env, const ARMCPRegInfo *ri)
1293 {
1294     uint64_t pmcr = env->cp15.c9_pmcr;
1295 
1296     /*
1297      * If EL2 is implemented and enabled for the current security state, reads
1298      * of PMCR.N from EL1 or EL0 return the value of MDCR_EL2.HPMN or HDCR.HPMN.
1299      */
1300     if (arm_current_el(env) <= 1 && arm_is_el2_enabled(env)) {
1301         pmcr &= ~PMCRN_MASK;
1302         pmcr |= (env->cp15.mdcr_el2 & MDCR_HPMN) << PMCRN_SHIFT;
1303     }
1304 
1305     return pmcr;
1306 }
1307 
1308 static void pmswinc_write(CPUARMState *env, const ARMCPRegInfo *ri,
1309                           uint64_t value)
1310 {
1311     unsigned int i;
1312     uint64_t overflow_mask, new_pmswinc;
1313 
1314     for (i = 0; i < pmu_num_counters(env); i++) {
1315         /* Increment a counter's count iff: */
1316         if ((value & (1 << i)) && /* counter's bit is set */
1317                 /* counter is enabled and not filtered */
1318                 pmu_counter_enabled(env, i) &&
1319                 /* counter is SW_INCR */
1320                 (env->cp15.c14_pmevtyper[i] & PMXEVTYPER_EVTCOUNT) == 0x0) {
1321             pmevcntr_op_start(env, i);
1322 
1323             /*
1324              * Detect if this write causes an overflow since we can't predict
1325              * PMSWINC overflows like we can for other events
1326              */
1327             new_pmswinc = env->cp15.c14_pmevcntr[i] + 1;
1328 
1329             overflow_mask = pmevcntr_is_64_bit(env, i) ?
1330                 1ULL << 63 : 1ULL << 31;
1331 
1332             if (env->cp15.c14_pmevcntr[i] & ~new_pmswinc & overflow_mask) {
1333                 env->cp15.c9_pmovsr |= (1 << i);
1334                 pmu_update_irq(env);
1335             }
1336 
1337             env->cp15.c14_pmevcntr[i] = new_pmswinc;
1338 
1339             pmevcntr_op_finish(env, i);
1340         }
1341     }
1342 }
1343 
1344 static uint64_t pmccntr_read(CPUARMState *env, const ARMCPRegInfo *ri)
1345 {
1346     uint64_t ret;
1347     pmccntr_op_start(env);
1348     ret = env->cp15.c15_ccnt;
1349     pmccntr_op_finish(env);
1350     return ret;
1351 }
1352 
1353 static void pmselr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1354                          uint64_t value)
1355 {
1356     /*
1357      * The value of PMSELR.SEL affects the behavior of PMXEVTYPER and
1358      * PMXEVCNTR. We allow [0..31] to be written to PMSELR here; in the
1359      * meanwhile, we check PMSELR.SEL when PMXEVTYPER and PMXEVCNTR are
1360      * accessed.
1361      */
1362     env->cp15.c9_pmselr = value & 0x1f;
1363 }
1364 
1365 static void pmccntr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1366                         uint64_t value)
1367 {
1368     pmccntr_op_start(env);
1369     env->cp15.c15_ccnt = value;
1370     pmccntr_op_finish(env);
1371 }
1372 
1373 static void pmccntr_write32(CPUARMState *env, const ARMCPRegInfo *ri,
1374                             uint64_t value)
1375 {
1376     uint64_t cur_val = pmccntr_read(env, NULL);
1377 
1378     pmccntr_write(env, ri, deposit64(cur_val, 0, 32, value));
1379 }
1380 
1381 static void pmccfiltr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1382                             uint64_t value)
1383 {
1384     pmccntr_op_start(env);
1385     env->cp15.pmccfiltr_el0 = value & PMCCFILTR_EL0;
1386     pmccntr_op_finish(env);
1387 }
1388 
1389 static void pmccfiltr_write_a32(CPUARMState *env, const ARMCPRegInfo *ri,
1390                             uint64_t value)
1391 {
1392     pmccntr_op_start(env);
1393     /* M is not accessible from AArch32 */
1394     env->cp15.pmccfiltr_el0 = (env->cp15.pmccfiltr_el0 & PMCCFILTR_M) |
1395         (value & PMCCFILTR);
1396     pmccntr_op_finish(env);
1397 }
1398 
1399 static uint64_t pmccfiltr_read_a32(CPUARMState *env, const ARMCPRegInfo *ri)
1400 {
1401     /* M is not visible in AArch32 */
1402     return env->cp15.pmccfiltr_el0 & PMCCFILTR;
1403 }
1404 
1405 static void pmcntenset_write(CPUARMState *env, const ARMCPRegInfo *ri,
1406                             uint64_t value)
1407 {
1408     pmu_op_start(env);
1409     value &= pmu_counter_mask(env);
1410     env->cp15.c9_pmcnten |= value;
1411     pmu_op_finish(env);
1412 }
1413 
1414 static void pmcntenclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1415                              uint64_t value)
1416 {
1417     pmu_op_start(env);
1418     value &= pmu_counter_mask(env);
1419     env->cp15.c9_pmcnten &= ~value;
1420     pmu_op_finish(env);
1421 }
1422 
1423 static void pmovsr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1424                          uint64_t value)
1425 {
1426     value &= pmu_counter_mask(env);
1427     env->cp15.c9_pmovsr &= ~value;
1428     pmu_update_irq(env);
1429 }
1430 
1431 static void pmovsset_write(CPUARMState *env, const ARMCPRegInfo *ri,
1432                          uint64_t value)
1433 {
1434     value &= pmu_counter_mask(env);
1435     env->cp15.c9_pmovsr |= value;
1436     pmu_update_irq(env);
1437 }
1438 
1439 static void pmevtyper_write(CPUARMState *env, const ARMCPRegInfo *ri,
1440                              uint64_t value, const uint8_t counter)
1441 {
1442     if (counter == 31) {
1443         pmccfiltr_write(env, ri, value);
1444     } else if (counter < pmu_num_counters(env)) {
1445         pmevcntr_op_start(env, counter);
1446 
1447         /*
1448          * If this counter's event type is changing, store the current
1449          * underlying count for the new type in c14_pmevcntr_delta[counter] so
1450          * pmevcntr_op_finish has the correct baseline when it converts back to
1451          * a delta.
1452          */
1453         uint16_t old_event = env->cp15.c14_pmevtyper[counter] &
1454             PMXEVTYPER_EVTCOUNT;
1455         uint16_t new_event = value & PMXEVTYPER_EVTCOUNT;
1456         if (old_event != new_event) {
1457             uint64_t count = 0;
1458             if (event_supported(new_event)) {
1459                 uint16_t event_idx = supported_event_map[new_event];
1460                 count = pm_events[event_idx].get_count(env);
1461             }
1462             env->cp15.c14_pmevcntr_delta[counter] = count;
1463         }
1464 
1465         env->cp15.c14_pmevtyper[counter] = value & PMXEVTYPER_MASK;
1466         pmevcntr_op_finish(env, counter);
1467     }
1468     /*
1469      * Attempts to access PMXEVTYPER are CONSTRAINED UNPREDICTABLE when
1470      * PMSELR value is equal to or greater than the number of implemented
1471      * counters, but not equal to 0x1f. We opt to behave as a RAZ/WI.
1472      */
1473 }
1474 
1475 static uint64_t pmevtyper_read(CPUARMState *env, const ARMCPRegInfo *ri,
1476                                const uint8_t counter)
1477 {
1478     if (counter == 31) {
1479         return env->cp15.pmccfiltr_el0;
1480     } else if (counter < pmu_num_counters(env)) {
1481         return env->cp15.c14_pmevtyper[counter];
1482     } else {
1483       /*
1484        * We opt to behave as a RAZ/WI when attempts to access PMXEVTYPER
1485        * are CONSTRAINED UNPREDICTABLE. See comments in pmevtyper_write().
1486        */
1487         return 0;
1488     }
1489 }
1490 
1491 static void pmevtyper_writefn(CPUARMState *env, const ARMCPRegInfo *ri,
1492                               uint64_t value)
1493 {
1494     uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7);
1495     pmevtyper_write(env, ri, value, counter);
1496 }
1497 
1498 static void pmevtyper_rawwrite(CPUARMState *env, const ARMCPRegInfo *ri,
1499                                uint64_t value)
1500 {
1501     uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7);
1502     env->cp15.c14_pmevtyper[counter] = value;
1503 
1504     /*
1505      * pmevtyper_rawwrite is called between a pair of pmu_op_start and
1506      * pmu_op_finish calls when loading saved state for a migration. Because
1507      * we're potentially updating the type of event here, the value written to
1508      * c14_pmevcntr_delta by the preceding pmu_op_start call may be for a
1509      * different counter type. Therefore, we need to set this value to the
1510      * current count for the counter type we're writing so that pmu_op_finish
1511      * has the correct count for its calculation.
1512      */
1513     uint16_t event = value & PMXEVTYPER_EVTCOUNT;
1514     if (event_supported(event)) {
1515         uint16_t event_idx = supported_event_map[event];
1516         env->cp15.c14_pmevcntr_delta[counter] =
1517             pm_events[event_idx].get_count(env);
1518     }
1519 }
1520 
1521 static uint64_t pmevtyper_readfn(CPUARMState *env, const ARMCPRegInfo *ri)
1522 {
1523     uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7);
1524     return pmevtyper_read(env, ri, counter);
1525 }
1526 
1527 static void pmxevtyper_write(CPUARMState *env, const ARMCPRegInfo *ri,
1528                              uint64_t value)
1529 {
1530     pmevtyper_write(env, ri, value, env->cp15.c9_pmselr & 31);
1531 }
1532 
1533 static uint64_t pmxevtyper_read(CPUARMState *env, const ARMCPRegInfo *ri)
1534 {
1535     return pmevtyper_read(env, ri, env->cp15.c9_pmselr & 31);
1536 }
1537 
1538 static void pmevcntr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1539                              uint64_t value, uint8_t counter)
1540 {
1541     if (!cpu_isar_feature(any_pmuv3p5, env_archcpu(env))) {
1542         /* Before FEAT_PMUv3p5, top 32 bits of event counters are RES0 */
1543         value &= MAKE_64BIT_MASK(0, 32);
1544     }
1545     if (counter < pmu_num_counters(env)) {
1546         pmevcntr_op_start(env, counter);
1547         env->cp15.c14_pmevcntr[counter] = value;
1548         pmevcntr_op_finish(env, counter);
1549     }
1550     /*
1551      * We opt to behave as a RAZ/WI when attempts to access PM[X]EVCNTR
1552      * are CONSTRAINED UNPREDICTABLE.
1553      */
1554 }
1555 
1556 static uint64_t pmevcntr_read(CPUARMState *env, const ARMCPRegInfo *ri,
1557                               uint8_t counter)
1558 {
1559     if (counter < pmu_num_counters(env)) {
1560         uint64_t ret;
1561         pmevcntr_op_start(env, counter);
1562         ret = env->cp15.c14_pmevcntr[counter];
1563         pmevcntr_op_finish(env, counter);
1564         if (!cpu_isar_feature(any_pmuv3p5, env_archcpu(env))) {
1565             /* Before FEAT_PMUv3p5, top 32 bits of event counters are RES0 */
1566             ret &= MAKE_64BIT_MASK(0, 32);
1567         }
1568         return ret;
1569     } else {
1570       /*
1571        * We opt to behave as a RAZ/WI when attempts to access PM[X]EVCNTR
1572        * are CONSTRAINED UNPREDICTABLE.
1573        */
1574         return 0;
1575     }
1576 }
1577 
1578 static void pmevcntr_writefn(CPUARMState *env, const ARMCPRegInfo *ri,
1579                              uint64_t value)
1580 {
1581     uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7);
1582     pmevcntr_write(env, ri, value, counter);
1583 }
1584 
1585 static uint64_t pmevcntr_readfn(CPUARMState *env, const ARMCPRegInfo *ri)
1586 {
1587     uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7);
1588     return pmevcntr_read(env, ri, counter);
1589 }
1590 
1591 static void pmevcntr_rawwrite(CPUARMState *env, const ARMCPRegInfo *ri,
1592                              uint64_t value)
1593 {
1594     uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7);
1595     assert(counter < pmu_num_counters(env));
1596     env->cp15.c14_pmevcntr[counter] = value;
1597     pmevcntr_write(env, ri, value, counter);
1598 }
1599 
1600 static uint64_t pmevcntr_rawread(CPUARMState *env, const ARMCPRegInfo *ri)
1601 {
1602     uint8_t counter = ((ri->crm & 3) << 3) | (ri->opc2 & 7);
1603     assert(counter < pmu_num_counters(env));
1604     return env->cp15.c14_pmevcntr[counter];
1605 }
1606 
1607 static void pmxevcntr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1608                              uint64_t value)
1609 {
1610     pmevcntr_write(env, ri, value, env->cp15.c9_pmselr & 31);
1611 }
1612 
1613 static uint64_t pmxevcntr_read(CPUARMState *env, const ARMCPRegInfo *ri)
1614 {
1615     return pmevcntr_read(env, ri, env->cp15.c9_pmselr & 31);
1616 }
1617 
1618 static void pmuserenr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1619                             uint64_t value)
1620 {
1621     if (arm_feature(env, ARM_FEATURE_V8)) {
1622         env->cp15.c9_pmuserenr = value & 0xf;
1623     } else {
1624         env->cp15.c9_pmuserenr = value & 1;
1625     }
1626 }
1627 
1628 static void pmintenset_write(CPUARMState *env, const ARMCPRegInfo *ri,
1629                              uint64_t value)
1630 {
1631     /* We have no event counters so only the C bit can be changed */
1632     value &= pmu_counter_mask(env);
1633     env->cp15.c9_pminten |= value;
1634     pmu_update_irq(env);
1635 }
1636 
1637 static void pmintenclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1638                              uint64_t value)
1639 {
1640     value &= pmu_counter_mask(env);
1641     env->cp15.c9_pminten &= ~value;
1642     pmu_update_irq(env);
1643 }
1644 
1645 static void vbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
1646                        uint64_t value)
1647 {
1648     /*
1649      * Note that even though the AArch64 view of this register has bits
1650      * [10:0] all RES0 we can only mask the bottom 5, to comply with the
1651      * architectural requirements for bits which are RES0 only in some
1652      * contexts. (ARMv8 would permit us to do no masking at all, but ARMv7
1653      * requires the bottom five bits to be RAZ/WI because they're UNK/SBZP.)
1654      */
1655     raw_write(env, ri, value & ~0x1FULL);
1656 }
1657 
1658 static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
1659 {
1660     /* Begin with base v8.0 state.  */
1661     uint64_t valid_mask = 0x3fff;
1662     ARMCPU *cpu = env_archcpu(env);
1663     uint64_t changed;
1664 
1665     /*
1666      * Because SCR_EL3 is the "real" cpreg and SCR is the alias, reset always
1667      * passes the reginfo for SCR_EL3, which has type ARM_CP_STATE_AA64.
1668      * Instead, choose the format based on the mode of EL3.
1669      */
1670     if (arm_el_is_aa64(env, 3)) {
1671         value |= SCR_FW | SCR_AW;      /* RES1 */
1672         valid_mask &= ~SCR_NET;        /* RES0 */
1673 
1674         if (!cpu_isar_feature(aa64_aa32_el1, cpu) &&
1675             !cpu_isar_feature(aa64_aa32_el2, cpu)) {
1676             value |= SCR_RW;           /* RAO/WI */
1677         }
1678         if (cpu_isar_feature(aa64_ras, cpu)) {
1679             valid_mask |= SCR_TERR;
1680         }
1681         if (cpu_isar_feature(aa64_lor, cpu)) {
1682             valid_mask |= SCR_TLOR;
1683         }
1684         if (cpu_isar_feature(aa64_pauth, cpu)) {
1685             valid_mask |= SCR_API | SCR_APK;
1686         }
1687         if (cpu_isar_feature(aa64_sel2, cpu)) {
1688             valid_mask |= SCR_EEL2;
1689         } else if (cpu_isar_feature(aa64_rme, cpu)) {
1690             /* With RME and without SEL2, NS is RES1 (R_GSWWH, I_DJJQJ). */
1691             value |= SCR_NS;
1692         }
1693         if (cpu_isar_feature(aa64_mte, cpu)) {
1694             valid_mask |= SCR_ATA;
1695         }
1696         if (cpu_isar_feature(aa64_scxtnum, cpu)) {
1697             valid_mask |= SCR_ENSCXT;
1698         }
1699         if (cpu_isar_feature(aa64_doublefault, cpu)) {
1700             valid_mask |= SCR_EASE | SCR_NMEA;
1701         }
1702         if (cpu_isar_feature(aa64_sme, cpu)) {
1703             valid_mask |= SCR_ENTP2;
1704         }
1705         if (cpu_isar_feature(aa64_hcx, cpu)) {
1706             valid_mask |= SCR_HXEN;
1707         }
1708         if (cpu_isar_feature(aa64_fgt, cpu)) {
1709             valid_mask |= SCR_FGTEN;
1710         }
1711         if (cpu_isar_feature(aa64_rme, cpu)) {
1712             valid_mask |= SCR_NSE | SCR_GPF;
1713         }
1714         if (cpu_isar_feature(aa64_ecv, cpu)) {
1715             valid_mask |= SCR_ECVEN;
1716         }
1717     } else {
1718         valid_mask &= ~(SCR_RW | SCR_ST);
1719         if (cpu_isar_feature(aa32_ras, cpu)) {
1720             valid_mask |= SCR_TERR;
1721         }
1722     }
1723 
1724     if (!arm_feature(env, ARM_FEATURE_EL2)) {
1725         valid_mask &= ~SCR_HCE;
1726 
1727         /*
1728          * On ARMv7, SMD (or SCD as it is called in v7) is only
1729          * supported if EL2 exists. The bit is UNK/SBZP when
1730          * EL2 is unavailable. In QEMU ARMv7, we force it to always zero
1731          * when EL2 is unavailable.
1732          * On ARMv8, this bit is always available.
1733          */
1734         if (arm_feature(env, ARM_FEATURE_V7) &&
1735             !arm_feature(env, ARM_FEATURE_V8)) {
1736             valid_mask &= ~SCR_SMD;
1737         }
1738     }
1739 
1740     /* Clear all-context RES0 bits.  */
1741     value &= valid_mask;
1742     changed = env->cp15.scr_el3 ^ value;
1743     env->cp15.scr_el3 = value;
1744 
1745     /*
1746      * If SCR_EL3.{NS,NSE} changes, i.e. change of security state,
1747      * we must invalidate all TLBs below EL3.
1748      */
1749     if (changed & (SCR_NS | SCR_NSE)) {
1750         tlb_flush_by_mmuidx(env_cpu(env), (ARMMMUIdxBit_E10_0 |
1751                                            ARMMMUIdxBit_E20_0 |
1752                                            ARMMMUIdxBit_E10_1 |
1753                                            ARMMMUIdxBit_E20_2 |
1754                                            ARMMMUIdxBit_E10_1_PAN |
1755                                            ARMMMUIdxBit_E20_2_PAN |
1756                                            ARMMMUIdxBit_E2));
1757     }
1758 }
1759 
1760 static void scr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
1761 {
1762     /*
1763      * scr_write will set the RES1 bits on an AArch64-only CPU.
1764      * The reset value will be 0x30 on an AArch64-only CPU and 0 otherwise.
1765      */
1766     scr_write(env, ri, 0);
1767 }
1768 
1769 static CPAccessResult access_tid4(CPUARMState *env,
1770                                   const ARMCPRegInfo *ri,
1771                                   bool isread)
1772 {
1773     if (arm_current_el(env) == 1 &&
1774         (arm_hcr_el2_eff(env) & (HCR_TID2 | HCR_TID4))) {
1775         return CP_ACCESS_TRAP_EL2;
1776     }
1777 
1778     return CP_ACCESS_OK;
1779 }
1780 
1781 static uint64_t ccsidr_read(CPUARMState *env, const ARMCPRegInfo *ri)
1782 {
1783     ARMCPU *cpu = env_archcpu(env);
1784 
1785     /*
1786      * Acquire the CSSELR index from the bank corresponding to the CCSIDR
1787      * bank
1788      */
1789     uint32_t index = A32_BANKED_REG_GET(env, csselr,
1790                                         ri->secure & ARM_CP_SECSTATE_S);
1791 
1792     return cpu->ccsidr[index];
1793 }
1794 
1795 static void csselr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1796                          uint64_t value)
1797 {
1798     raw_write(env, ri, value & 0xf);
1799 }
1800 
1801 static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
1802 {
1803     CPUState *cs = env_cpu(env);
1804     bool el1 = arm_current_el(env) == 1;
1805     uint64_t hcr_el2 = el1 ? arm_hcr_el2_eff(env) : 0;
1806     uint64_t ret = 0;
1807 
1808     if (hcr_el2 & HCR_IMO) {
1809         if (cs->interrupt_request & CPU_INTERRUPT_VIRQ) {
1810             ret |= CPSR_I;
1811         }
1812         if (cs->interrupt_request & CPU_INTERRUPT_VINMI) {
1813             ret |= ISR_IS;
1814             ret |= CPSR_I;
1815         }
1816     } else {
1817         if (cs->interrupt_request & CPU_INTERRUPT_HARD) {
1818             ret |= CPSR_I;
1819         }
1820 
1821         if (cs->interrupt_request & CPU_INTERRUPT_NMI) {
1822             ret |= ISR_IS;
1823             ret |= CPSR_I;
1824         }
1825     }
1826 
1827     if (hcr_el2 & HCR_FMO) {
1828         if (cs->interrupt_request & CPU_INTERRUPT_VFIQ) {
1829             ret |= CPSR_F;
1830         }
1831         if (cs->interrupt_request & CPU_INTERRUPT_VFNMI) {
1832             ret |= ISR_FS;
1833             ret |= CPSR_F;
1834         }
1835     } else {
1836         if (cs->interrupt_request & CPU_INTERRUPT_FIQ) {
1837             ret |= CPSR_F;
1838         }
1839     }
1840 
1841     if (hcr_el2 & HCR_AMO) {
1842         if (cs->interrupt_request & CPU_INTERRUPT_VSERR) {
1843             ret |= CPSR_A;
1844         }
1845     }
1846 
1847     return ret;
1848 }
1849 
1850 static CPAccessResult access_aa64_tid1(CPUARMState *env, const ARMCPRegInfo *ri,
1851                                        bool isread)
1852 {
1853     if (arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_TID1)) {
1854         return CP_ACCESS_TRAP_EL2;
1855     }
1856 
1857     return CP_ACCESS_OK;
1858 }
1859 
1860 static CPAccessResult access_aa32_tid1(CPUARMState *env, const ARMCPRegInfo *ri,
1861                                        bool isread)
1862 {
1863     if (arm_feature(env, ARM_FEATURE_V8)) {
1864         return access_aa64_tid1(env, ri, isread);
1865     }
1866 
1867     return CP_ACCESS_OK;
1868 }
1869 
1870 static const ARMCPRegInfo v7_cp_reginfo[] = {
1871     /* the old v6 WFI, UNPREDICTABLE in v7 but we choose to NOP */
1872     { .name = "NOP", .cp = 15, .crn = 7, .crm = 0, .opc1 = 0, .opc2 = 4,
1873       .access = PL1_W, .type = ARM_CP_NOP },
1874     /*
1875      * Performance monitors are implementation defined in v7,
1876      * but with an ARM recommended set of registers, which we
1877      * follow.
1878      *
1879      * Performance registers fall into three categories:
1880      *  (a) always UNDEF in PL0, RW in PL1 (PMINTENSET, PMINTENCLR)
1881      *  (b) RO in PL0 (ie UNDEF on write), RW in PL1 (PMUSERENR)
1882      *  (c) UNDEF in PL0 if PMUSERENR.EN==0, otherwise accessible (all others)
1883      * For the cases controlled by PMUSERENR we must set .access to PL0_RW
1884      * or PL0_RO as appropriate and then check PMUSERENR in the helper fn.
1885      */
1886     { .name = "PMCNTENSET", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 1,
1887       .access = PL0_RW, .type = ARM_CP_ALIAS | ARM_CP_IO,
1888       .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcnten),
1889       .writefn = pmcntenset_write,
1890       .accessfn = pmreg_access,
1891       .fgt = FGT_PMCNTEN,
1892       .raw_writefn = raw_write },
1893     { .name = "PMCNTENSET_EL0", .state = ARM_CP_STATE_AA64, .type = ARM_CP_IO,
1894       .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 1,
1895       .access = PL0_RW, .accessfn = pmreg_access,
1896       .fgt = FGT_PMCNTEN,
1897       .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcnten), .resetvalue = 0,
1898       .writefn = pmcntenset_write, .raw_writefn = raw_write },
1899     { .name = "PMCNTENCLR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 2,
1900       .access = PL0_RW,
1901       .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcnten),
1902       .accessfn = pmreg_access,
1903       .fgt = FGT_PMCNTEN,
1904       .writefn = pmcntenclr_write,
1905       .type = ARM_CP_ALIAS | ARM_CP_IO },
1906     { .name = "PMCNTENCLR_EL0", .state = ARM_CP_STATE_AA64,
1907       .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 2,
1908       .access = PL0_RW, .accessfn = pmreg_access,
1909       .fgt = FGT_PMCNTEN,
1910       .type = ARM_CP_ALIAS | ARM_CP_IO,
1911       .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcnten),
1912       .writefn = pmcntenclr_write },
1913     { .name = "PMOVSR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 3,
1914       .access = PL0_RW, .type = ARM_CP_IO,
1915       .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmovsr),
1916       .accessfn = pmreg_access,
1917       .fgt = FGT_PMOVS,
1918       .writefn = pmovsr_write,
1919       .raw_writefn = raw_write },
1920     { .name = "PMOVSCLR_EL0", .state = ARM_CP_STATE_AA64,
1921       .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 3,
1922       .access = PL0_RW, .accessfn = pmreg_access,
1923       .fgt = FGT_PMOVS,
1924       .type = ARM_CP_ALIAS | ARM_CP_IO,
1925       .fieldoffset = offsetof(CPUARMState, cp15.c9_pmovsr),
1926       .writefn = pmovsr_write,
1927       .raw_writefn = raw_write },
1928     { .name = "PMSWINC", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 4,
1929       .access = PL0_W, .accessfn = pmreg_access_swinc,
1930       .fgt = FGT_PMSWINC_EL0,
1931       .type = ARM_CP_NO_RAW | ARM_CP_IO,
1932       .writefn = pmswinc_write },
1933     { .name = "PMSWINC_EL0", .state = ARM_CP_STATE_AA64,
1934       .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 4,
1935       .access = PL0_W, .accessfn = pmreg_access_swinc,
1936       .fgt = FGT_PMSWINC_EL0,
1937       .type = ARM_CP_NO_RAW | ARM_CP_IO,
1938       .writefn = pmswinc_write },
1939     { .name = "PMSELR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 5,
1940       .access = PL0_RW, .type = ARM_CP_ALIAS,
1941       .fgt = FGT_PMSELR_EL0,
1942       .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmselr),
1943       .accessfn = pmreg_access_selr, .writefn = pmselr_write,
1944       .raw_writefn = raw_write},
1945     { .name = "PMSELR_EL0", .state = ARM_CP_STATE_AA64,
1946       .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 5,
1947       .access = PL0_RW, .accessfn = pmreg_access_selr,
1948       .fgt = FGT_PMSELR_EL0,
1949       .fieldoffset = offsetof(CPUARMState, cp15.c9_pmselr),
1950       .writefn = pmselr_write, .raw_writefn = raw_write, },
1951     { .name = "PMCCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 0,
1952       .access = PL0_RW, .resetvalue = 0, .type = ARM_CP_ALIAS | ARM_CP_IO,
1953       .fgt = FGT_PMCCNTR_EL0,
1954       .readfn = pmccntr_read, .writefn = pmccntr_write32,
1955       .accessfn = pmreg_access_ccntr },
1956     { .name = "PMCCNTR_EL0", .state = ARM_CP_STATE_AA64,
1957       .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 13, .opc2 = 0,
1958       .access = PL0_RW, .accessfn = pmreg_access_ccntr,
1959       .fgt = FGT_PMCCNTR_EL0,
1960       .type = ARM_CP_IO,
1961       .fieldoffset = offsetof(CPUARMState, cp15.c15_ccnt),
1962       .readfn = pmccntr_read, .writefn = pmccntr_write,
1963       .raw_readfn = raw_read, .raw_writefn = raw_write, },
1964     { .name = "PMCCFILTR", .cp = 15, .opc1 = 0, .crn = 14, .crm = 15, .opc2 = 7,
1965       .writefn = pmccfiltr_write_a32, .readfn = pmccfiltr_read_a32,
1966       .access = PL0_RW, .accessfn = pmreg_access,
1967       .fgt = FGT_PMCCFILTR_EL0,
1968       .type = ARM_CP_ALIAS | ARM_CP_IO,
1969       .resetvalue = 0, },
1970     { .name = "PMCCFILTR_EL0", .state = ARM_CP_STATE_AA64,
1971       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 15, .opc2 = 7,
1972       .writefn = pmccfiltr_write, .raw_writefn = raw_write,
1973       .access = PL0_RW, .accessfn = pmreg_access,
1974       .fgt = FGT_PMCCFILTR_EL0,
1975       .type = ARM_CP_IO,
1976       .fieldoffset = offsetof(CPUARMState, cp15.pmccfiltr_el0),
1977       .resetvalue = 0, },
1978     { .name = "PMXEVTYPER", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 1,
1979       .access = PL0_RW, .type = ARM_CP_NO_RAW | ARM_CP_IO,
1980       .accessfn = pmreg_access,
1981       .fgt = FGT_PMEVTYPERN_EL0,
1982       .writefn = pmxevtyper_write, .readfn = pmxevtyper_read },
1983     { .name = "PMXEVTYPER_EL0", .state = ARM_CP_STATE_AA64,
1984       .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 13, .opc2 = 1,
1985       .access = PL0_RW, .type = ARM_CP_NO_RAW | ARM_CP_IO,
1986       .accessfn = pmreg_access,
1987       .fgt = FGT_PMEVTYPERN_EL0,
1988       .writefn = pmxevtyper_write, .readfn = pmxevtyper_read },
1989     { .name = "PMXEVCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 2,
1990       .access = PL0_RW, .type = ARM_CP_NO_RAW | ARM_CP_IO,
1991       .accessfn = pmreg_access_xevcntr,
1992       .fgt = FGT_PMEVCNTRN_EL0,
1993       .writefn = pmxevcntr_write, .readfn = pmxevcntr_read },
1994     { .name = "PMXEVCNTR_EL0", .state = ARM_CP_STATE_AA64,
1995       .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 13, .opc2 = 2,
1996       .access = PL0_RW, .type = ARM_CP_NO_RAW | ARM_CP_IO,
1997       .accessfn = pmreg_access_xevcntr,
1998       .fgt = FGT_PMEVCNTRN_EL0,
1999       .writefn = pmxevcntr_write, .readfn = pmxevcntr_read },
2000     { .name = "PMUSERENR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 0,
2001       .access = PL0_R | PL1_RW, .accessfn = access_tpm,
2002       .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmuserenr),
2003       .resetvalue = 0,
2004       .writefn = pmuserenr_write, .raw_writefn = raw_write },
2005     { .name = "PMUSERENR_EL0", .state = ARM_CP_STATE_AA64,
2006       .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 14, .opc2 = 0,
2007       .access = PL0_R | PL1_RW, .accessfn = access_tpm, .type = ARM_CP_ALIAS,
2008       .fieldoffset = offsetof(CPUARMState, cp15.c9_pmuserenr),
2009       .resetvalue = 0,
2010       .writefn = pmuserenr_write, .raw_writefn = raw_write },
2011     { .name = "PMINTENSET", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 1,
2012       .access = PL1_RW, .accessfn = access_tpm,
2013       .fgt = FGT_PMINTEN,
2014       .type = ARM_CP_ALIAS | ARM_CP_IO,
2015       .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pminten),
2016       .resetvalue = 0,
2017       .writefn = pmintenset_write, .raw_writefn = raw_write },
2018     { .name = "PMINTENSET_EL1", .state = ARM_CP_STATE_AA64,
2019       .opc0 = 3, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 1,
2020       .access = PL1_RW, .accessfn = access_tpm,
2021       .fgt = FGT_PMINTEN,
2022       .type = ARM_CP_IO,
2023       .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
2024       .writefn = pmintenset_write, .raw_writefn = raw_write,
2025       .resetvalue = 0x0 },
2026     { .name = "PMINTENCLR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 2,
2027       .access = PL1_RW, .accessfn = access_tpm,
2028       .fgt = FGT_PMINTEN,
2029       .type = ARM_CP_ALIAS | ARM_CP_IO | ARM_CP_NO_RAW,
2030       .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
2031       .writefn = pmintenclr_write, },
2032     { .name = "PMINTENCLR_EL1", .state = ARM_CP_STATE_AA64,
2033       .opc0 = 3, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 2,
2034       .access = PL1_RW, .accessfn = access_tpm,
2035       .fgt = FGT_PMINTEN,
2036       .type = ARM_CP_ALIAS | ARM_CP_IO | ARM_CP_NO_RAW,
2037       .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
2038       .writefn = pmintenclr_write },
2039     { .name = "CCSIDR", .state = ARM_CP_STATE_BOTH,
2040       .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = 0,
2041       .access = PL1_R,
2042       .accessfn = access_tid4,
2043       .fgt = FGT_CCSIDR_EL1,
2044       .readfn = ccsidr_read, .type = ARM_CP_NO_RAW },
2045     { .name = "CSSELR", .state = ARM_CP_STATE_BOTH,
2046       .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 2, .opc2 = 0,
2047       .access = PL1_RW,
2048       .accessfn = access_tid4,
2049       .fgt = FGT_CSSELR_EL1,
2050       .writefn = csselr_write, .resetvalue = 0,
2051       .bank_fieldoffsets = { offsetof(CPUARMState, cp15.csselr_s),
2052                              offsetof(CPUARMState, cp15.csselr_ns) } },
2053     /*
2054      * Auxiliary ID register: this actually has an IMPDEF value but for now
2055      * just RAZ for all cores:
2056      */
2057     { .name = "AIDR", .state = ARM_CP_STATE_BOTH,
2058       .opc0 = 3, .opc1 = 1, .crn = 0, .crm = 0, .opc2 = 7,
2059       .access = PL1_R, .type = ARM_CP_CONST,
2060       .accessfn = access_aa64_tid1,
2061       .fgt = FGT_AIDR_EL1,
2062       .resetvalue = 0 },
2063     /*
2064      * Auxiliary fault status registers: these also are IMPDEF, and we
2065      * choose to RAZ/WI for all cores.
2066      */
2067     { .name = "AFSR0_EL1", .state = ARM_CP_STATE_BOTH,
2068       .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 1, .opc2 = 0,
2069       .access = PL1_RW, .accessfn = access_tvm_trvm,
2070       .fgt = FGT_AFSR0_EL1,
2071       .nv2_redirect_offset = 0x128 | NV2_REDIR_NV1,
2072       .type = ARM_CP_CONST, .resetvalue = 0 },
2073     { .name = "AFSR1_EL1", .state = ARM_CP_STATE_BOTH,
2074       .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 1, .opc2 = 1,
2075       .access = PL1_RW, .accessfn = access_tvm_trvm,
2076       .fgt = FGT_AFSR1_EL1,
2077       .nv2_redirect_offset = 0x130 | NV2_REDIR_NV1,
2078       .type = ARM_CP_CONST, .resetvalue = 0 },
2079     /*
2080      * MAIR can just read-as-written because we don't implement caches
2081      * and so don't need to care about memory attributes.
2082      */
2083     { .name = "MAIR_EL1", .state = ARM_CP_STATE_AA64,
2084       .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 0,
2085       .access = PL1_RW, .accessfn = access_tvm_trvm,
2086       .fgt = FGT_MAIR_EL1,
2087       .nv2_redirect_offset = 0x140 | NV2_REDIR_NV1,
2088       .fieldoffset = offsetof(CPUARMState, cp15.mair_el[1]),
2089       .resetvalue = 0 },
2090     { .name = "MAIR_EL3", .state = ARM_CP_STATE_AA64,
2091       .opc0 = 3, .opc1 = 6, .crn = 10, .crm = 2, .opc2 = 0,
2092       .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.mair_el[3]),
2093       .resetvalue = 0 },
2094     /*
2095      * For non-long-descriptor page tables these are PRRR and NMRR;
2096      * regardless they still act as reads-as-written for QEMU.
2097      */
2098      /*
2099       * MAIR0/1 are defined separately from their 64-bit counterpart which
2100       * allows them to assign the correct fieldoffset based on the endianness
2101       * handled in the field definitions.
2102       */
2103     { .name = "MAIR0", .state = ARM_CP_STATE_AA32,
2104       .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 0,
2105       .access = PL1_RW, .accessfn = access_tvm_trvm,
2106       .bank_fieldoffsets = { offsetof(CPUARMState, cp15.mair0_s),
2107                              offsetof(CPUARMState, cp15.mair0_ns) },
2108       .resetfn = arm_cp_reset_ignore },
2109     { .name = "MAIR1", .state = ARM_CP_STATE_AA32,
2110       .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 1,
2111       .access = PL1_RW, .accessfn = access_tvm_trvm,
2112       .bank_fieldoffsets = { offsetof(CPUARMState, cp15.mair1_s),
2113                              offsetof(CPUARMState, cp15.mair1_ns) },
2114       .resetfn = arm_cp_reset_ignore },
2115     { .name = "ISR_EL1", .state = ARM_CP_STATE_BOTH,
2116       .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 0,
2117       .fgt = FGT_ISR_EL1,
2118       .type = ARM_CP_NO_RAW, .access = PL1_R, .readfn = isr_read },
2119 };
2120 
2121 static const ARMCPRegInfo pmovsset_cp_reginfo[] = {
2122     /* PMOVSSET is not implemented in v7 before v7ve */
2123     { .name = "PMOVSSET", .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 3,
2124       .access = PL0_RW, .accessfn = pmreg_access,
2125       .fgt = FGT_PMOVS,
2126       .type = ARM_CP_ALIAS | ARM_CP_IO,
2127       .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmovsr),
2128       .writefn = pmovsset_write,
2129       .raw_writefn = raw_write },
2130     { .name = "PMOVSSET_EL0", .state = ARM_CP_STATE_AA64,
2131       .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 14, .opc2 = 3,
2132       .access = PL0_RW, .accessfn = pmreg_access,
2133       .fgt = FGT_PMOVS,
2134       .type = ARM_CP_ALIAS | ARM_CP_IO,
2135       .fieldoffset = offsetof(CPUARMState, cp15.c9_pmovsr),
2136       .writefn = pmovsset_write,
2137       .raw_writefn = raw_write },
2138 };
2139 
2140 static void teecr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2141                         uint64_t value)
2142 {
2143     value &= 1;
2144     env->teecr = value;
2145 }
2146 
2147 static CPAccessResult teecr_access(CPUARMState *env, const ARMCPRegInfo *ri,
2148                                    bool isread)
2149 {
2150     /*
2151      * HSTR.TTEE only exists in v7A, not v8A, but v8A doesn't have T2EE
2152      * at all, so we don't need to check whether we're v8A.
2153      */
2154     if (arm_current_el(env) < 2 && !arm_is_secure_below_el3(env) &&
2155         (env->cp15.hstr_el2 & HSTR_TTEE)) {
2156         return CP_ACCESS_TRAP_EL2;
2157     }
2158     return CP_ACCESS_OK;
2159 }
2160 
2161 static CPAccessResult teehbr_access(CPUARMState *env, const ARMCPRegInfo *ri,
2162                                     bool isread)
2163 {
2164     if (arm_current_el(env) == 0 && (env->teecr & 1)) {
2165         return CP_ACCESS_TRAP_EL1;
2166     }
2167     return teecr_access(env, ri, isread);
2168 }
2169 
2170 static const ARMCPRegInfo t2ee_cp_reginfo[] = {
2171     { .name = "TEECR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 6, .opc2 = 0,
2172       .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, teecr),
2173       .resetvalue = 0,
2174       .writefn = teecr_write, .accessfn = teecr_access },
2175     { .name = "TEEHBR", .cp = 14, .crn = 1, .crm = 0, .opc1 = 6, .opc2 = 0,
2176       .access = PL0_RW, .fieldoffset = offsetof(CPUARMState, teehbr),
2177       .accessfn = teehbr_access, .resetvalue = 0 },
2178 };
2179 
2180 static const ARMCPRegInfo v6k_cp_reginfo[] = {
2181     { .name = "TPIDR_EL0", .state = ARM_CP_STATE_AA64,
2182       .opc0 = 3, .opc1 = 3, .opc2 = 2, .crn = 13, .crm = 0,
2183       .access = PL0_RW,
2184       .fgt = FGT_TPIDR_EL0,
2185       .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[0]), .resetvalue = 0 },
2186     { .name = "TPIDRURW", .cp = 15, .crn = 13, .crm = 0, .opc1 = 0, .opc2 = 2,
2187       .access = PL0_RW,
2188       .fgt = FGT_TPIDR_EL0,
2189       .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidrurw_s),
2190                              offsetoflow32(CPUARMState, cp15.tpidrurw_ns) },
2191       .resetfn = arm_cp_reset_ignore },
2192     { .name = "TPIDRRO_EL0", .state = ARM_CP_STATE_AA64,
2193       .opc0 = 3, .opc1 = 3, .opc2 = 3, .crn = 13, .crm = 0,
2194       .access = PL0_R | PL1_W,
2195       .fgt = FGT_TPIDRRO_EL0,
2196       .fieldoffset = offsetof(CPUARMState, cp15.tpidrro_el[0]),
2197       .resetvalue = 0},
2198     { .name = "TPIDRURO", .cp = 15, .crn = 13, .crm = 0, .opc1 = 0, .opc2 = 3,
2199       .access = PL0_R | PL1_W,
2200       .fgt = FGT_TPIDRRO_EL0,
2201       .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidruro_s),
2202                              offsetoflow32(CPUARMState, cp15.tpidruro_ns) },
2203       .resetfn = arm_cp_reset_ignore },
2204     { .name = "TPIDR_EL1", .state = ARM_CP_STATE_AA64,
2205       .opc0 = 3, .opc1 = 0, .opc2 = 4, .crn = 13, .crm = 0,
2206       .access = PL1_RW,
2207       .fgt = FGT_TPIDR_EL1,
2208       .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[1]), .resetvalue = 0 },
2209     { .name = "TPIDRPRW", .opc1 = 0, .cp = 15, .crn = 13, .crm = 0, .opc2 = 4,
2210       .access = PL1_RW,
2211       .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidrprw_s),
2212                              offsetoflow32(CPUARMState, cp15.tpidrprw_ns) },
2213       .resetvalue = 0 },
2214 };
2215 
2216 static void arm_gt_cntfrq_reset(CPUARMState *env, const ARMCPRegInfo *opaque)
2217 {
2218     ARMCPU *cpu = env_archcpu(env);
2219 
2220     cpu->env.cp15.c14_cntfrq = cpu->gt_cntfrq_hz;
2221 }
2222 
2223 #ifndef CONFIG_USER_ONLY
2224 
2225 static CPAccessResult gt_cntfrq_access(CPUARMState *env, const ARMCPRegInfo *ri,
2226                                        bool isread)
2227 {
2228     /*
2229      * CNTFRQ: not visible from PL0 if both PL0PCTEN and PL0VCTEN are zero.
2230      * Writable only at the highest implemented exception level.
2231      */
2232     int el = arm_current_el(env);
2233     uint64_t hcr;
2234     uint32_t cntkctl;
2235 
2236     switch (el) {
2237     case 0:
2238         hcr = arm_hcr_el2_eff(env);
2239         if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) {
2240             cntkctl = env->cp15.cnthctl_el2;
2241         } else {
2242             cntkctl = env->cp15.c14_cntkctl;
2243         }
2244         if (!extract32(cntkctl, 0, 2)) {
2245             return CP_ACCESS_TRAP_EL1;
2246         }
2247         break;
2248     case 1:
2249         if (!isread && ri->state == ARM_CP_STATE_AA32 &&
2250             arm_is_secure_below_el3(env)) {
2251             /* Accesses from 32-bit Secure EL1 UNDEF (*not* trap to EL3!) */
2252             return CP_ACCESS_UNDEFINED;
2253         }
2254         break;
2255     case 2:
2256     case 3:
2257         break;
2258     }
2259 
2260     if (!isread && el < arm_highest_el(env)) {
2261         return CP_ACCESS_UNDEFINED;
2262     }
2263 
2264     return CP_ACCESS_OK;
2265 }
2266 
2267 static CPAccessResult gt_counter_access(CPUARMState *env, int timeridx,
2268                                         bool isread)
2269 {
2270     unsigned int cur_el = arm_current_el(env);
2271     bool has_el2 = arm_is_el2_enabled(env);
2272     uint64_t hcr = arm_hcr_el2_eff(env);
2273 
2274     switch (cur_el) {
2275     case 0:
2276         /* If HCR_EL2.<E2H,TGE> == '11': check CNTHCTL_EL2.EL0[PV]CTEN. */
2277         if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) {
2278             return (extract32(env->cp15.cnthctl_el2, timeridx, 1)
2279                     ? CP_ACCESS_OK : CP_ACCESS_TRAP_EL2);
2280         }
2281 
2282         /* CNT[PV]CT: not visible from PL0 if EL0[PV]CTEN is zero */
2283         if (!extract32(env->cp15.c14_cntkctl, timeridx, 1)) {
2284             return CP_ACCESS_TRAP_EL1;
2285         }
2286         /* fall through */
2287     case 1:
2288         /* Check CNTHCTL_EL2.EL1PCTEN, which changes location based on E2H. */
2289         if (has_el2 && timeridx == GTIMER_PHYS &&
2290             (hcr & HCR_E2H
2291              ? !extract32(env->cp15.cnthctl_el2, 10, 1)
2292              : !extract32(env->cp15.cnthctl_el2, 0, 1))) {
2293             return CP_ACCESS_TRAP_EL2;
2294         }
2295         if (has_el2 && timeridx == GTIMER_VIRT) {
2296             if (FIELD_EX64(env->cp15.cnthctl_el2, CNTHCTL, EL1TVCT)) {
2297                 return CP_ACCESS_TRAP_EL2;
2298             }
2299         }
2300         break;
2301     }
2302     return CP_ACCESS_OK;
2303 }
2304 
2305 static CPAccessResult gt_timer_access(CPUARMState *env, int timeridx,
2306                                       bool isread)
2307 {
2308     unsigned int cur_el = arm_current_el(env);
2309     bool has_el2 = arm_is_el2_enabled(env);
2310     uint64_t hcr = arm_hcr_el2_eff(env);
2311 
2312     switch (cur_el) {
2313     case 0:
2314         if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) {
2315             /* If HCR_EL2.<E2H,TGE> == '11': check CNTHCTL_EL2.EL0[PV]TEN. */
2316             return (extract32(env->cp15.cnthctl_el2, 9 - timeridx, 1)
2317                     ? CP_ACCESS_OK : CP_ACCESS_TRAP_EL2);
2318         }
2319 
2320         /*
2321          * CNT[PV]_CVAL, CNT[PV]_CTL, CNT[PV]_TVAL: not visible from
2322          * EL0 if EL0[PV]TEN is zero.
2323          */
2324         if (!extract32(env->cp15.c14_cntkctl, 9 - timeridx, 1)) {
2325             return CP_ACCESS_TRAP_EL1;
2326         }
2327         /* fall through */
2328 
2329     case 1:
2330         if (has_el2 && timeridx == GTIMER_PHYS) {
2331             if (hcr & HCR_E2H) {
2332                 /* If HCR_EL2.<E2H,TGE> == '10': check CNTHCTL_EL2.EL1PTEN. */
2333                 if (!extract32(env->cp15.cnthctl_el2, 11, 1)) {
2334                     return CP_ACCESS_TRAP_EL2;
2335                 }
2336             } else {
2337                 /* If HCR_EL2.<E2H> == 0: check CNTHCTL_EL2.EL1PCEN. */
2338                 if (!extract32(env->cp15.cnthctl_el2, 1, 1)) {
2339                     return CP_ACCESS_TRAP_EL2;
2340                 }
2341             }
2342         }
2343         if (has_el2 && timeridx == GTIMER_VIRT) {
2344             if (FIELD_EX64(env->cp15.cnthctl_el2, CNTHCTL, EL1TVT)) {
2345                 return CP_ACCESS_TRAP_EL2;
2346             }
2347         }
2348         break;
2349     }
2350     return CP_ACCESS_OK;
2351 }
2352 
2353 static CPAccessResult gt_pct_access(CPUARMState *env,
2354                                     const ARMCPRegInfo *ri,
2355                                     bool isread)
2356 {
2357     return gt_counter_access(env, GTIMER_PHYS, isread);
2358 }
2359 
2360 static CPAccessResult gt_vct_access(CPUARMState *env,
2361                                     const ARMCPRegInfo *ri,
2362                                     bool isread)
2363 {
2364     return gt_counter_access(env, GTIMER_VIRT, isread);
2365 }
2366 
2367 static CPAccessResult gt_ptimer_access(CPUARMState *env, const ARMCPRegInfo *ri,
2368                                        bool isread)
2369 {
2370     return gt_timer_access(env, GTIMER_PHYS, isread);
2371 }
2372 
2373 static CPAccessResult gt_vtimer_access(CPUARMState *env, const ARMCPRegInfo *ri,
2374                                        bool isread)
2375 {
2376     return gt_timer_access(env, GTIMER_VIRT, isread);
2377 }
2378 
2379 static CPAccessResult gt_stimer_access(CPUARMState *env,
2380                                        const ARMCPRegInfo *ri,
2381                                        bool isread)
2382 {
2383     /*
2384      * The AArch64 register view of the secure physical timer is
2385      * always accessible from EL3, and configurably accessible from
2386      * Secure EL1.
2387      */
2388     switch (arm_current_el(env)) {
2389     case 1:
2390         if (!arm_is_secure(env)) {
2391             return CP_ACCESS_UNDEFINED;
2392         }
2393         if (arm_is_el2_enabled(env)) {
2394             return CP_ACCESS_UNDEFINED;
2395         }
2396         if (!(env->cp15.scr_el3 & SCR_ST)) {
2397             return CP_ACCESS_TRAP_EL3;
2398         }
2399         return CP_ACCESS_OK;
2400     case 0:
2401     case 2:
2402         return CP_ACCESS_UNDEFINED;
2403     case 3:
2404         return CP_ACCESS_OK;
2405     default:
2406         g_assert_not_reached();
2407     }
2408 }
2409 
2410 static CPAccessResult gt_sel2timer_access(CPUARMState *env,
2411                                           const ARMCPRegInfo *ri,
2412                                           bool isread)
2413 {
2414     /*
2415      * The AArch64 register view of the secure EL2 timers are mostly
2416      * accessible from EL3 and EL2 although can also be trapped to EL2
2417      * from EL1 depending on nested virt config.
2418      */
2419     switch (arm_current_el(env)) {
2420     case 0: /* UNDEFINED */
2421         return CP_ACCESS_UNDEFINED;
2422     case 1:
2423         if (!arm_is_secure(env)) {
2424             /* UNDEFINED */
2425             return CP_ACCESS_UNDEFINED;
2426         } else if (arm_hcr_el2_eff(env) & HCR_NV) {
2427             /* Aarch64.SystemAccessTrap(EL2, 0x18) */
2428             return CP_ACCESS_TRAP_EL2;
2429         }
2430         /* UNDEFINED */
2431         return CP_ACCESS_UNDEFINED;
2432     case 2:
2433         if (!arm_is_secure(env)) {
2434             /* UNDEFINED */
2435             return CP_ACCESS_UNDEFINED;
2436         }
2437         return CP_ACCESS_OK;
2438     case 3:
2439         if (env->cp15.scr_el3 & SCR_EEL2) {
2440             return CP_ACCESS_OK;
2441         } else {
2442             return CP_ACCESS_UNDEFINED;
2443         }
2444     default:
2445         g_assert_not_reached();
2446     }
2447 }
2448 
2449 uint64_t gt_get_countervalue(CPUARMState *env)
2450 {
2451     ARMCPU *cpu = env_archcpu(env);
2452 
2453     return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / gt_cntfrq_period_ns(cpu);
2454 }
2455 
2456 static void gt_update_irq(ARMCPU *cpu, int timeridx)
2457 {
2458     CPUARMState *env = &cpu->env;
2459     uint64_t cnthctl = env->cp15.cnthctl_el2;
2460     ARMSecuritySpace ss = arm_security_space(env);
2461     /* ISTATUS && !IMASK */
2462     int irqstate = (env->cp15.c14_timer[timeridx].ctl & 6) == 4;
2463 
2464     /*
2465      * If bit CNTHCTL_EL2.CNT[VP]MASK is set, it overrides IMASK.
2466      * It is RES0 in Secure and NonSecure state.
2467      */
2468     if ((ss == ARMSS_Root || ss == ARMSS_Realm) &&
2469         ((timeridx == GTIMER_VIRT && (cnthctl & R_CNTHCTL_CNTVMASK_MASK)) ||
2470          (timeridx == GTIMER_PHYS && (cnthctl & R_CNTHCTL_CNTPMASK_MASK)))) {
2471         irqstate = 0;
2472     }
2473 
2474     qemu_set_irq(cpu->gt_timer_outputs[timeridx], irqstate);
2475     trace_arm_gt_update_irq(timeridx, irqstate);
2476 }
2477 
2478 void gt_rme_post_el_change(ARMCPU *cpu, void *ignored)
2479 {
2480     /*
2481      * Changing security state between Root and Secure/NonSecure, which may
2482      * happen when switching EL, can change the effective value of CNTHCTL_EL2
2483      * mask bits. Update the IRQ state accordingly.
2484      */
2485     gt_update_irq(cpu, GTIMER_VIRT);
2486     gt_update_irq(cpu, GTIMER_PHYS);
2487 }
2488 
2489 static uint64_t gt_phys_raw_cnt_offset(CPUARMState *env)
2490 {
2491     if ((env->cp15.scr_el3 & SCR_ECVEN) &&
2492         FIELD_EX64(env->cp15.cnthctl_el2, CNTHCTL, ECV) &&
2493         arm_is_el2_enabled(env) &&
2494         (arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
2495         return env->cp15.cntpoff_el2;
2496     }
2497     return 0;
2498 }
2499 
2500 static uint64_t gt_indirect_access_timer_offset(CPUARMState *env, int timeridx)
2501 {
2502     /*
2503      * Return the timer offset to use for indirect accesses to the timer.
2504      * This is the Offset value as defined in D12.2.4.1 "Operation of the
2505      * CompareValue views of the timers".
2506      *
2507      * The condition here is not always the same as the condition for
2508      * whether to apply an offset register when doing a direct read of
2509      * the counter sysreg; those conditions are described in the
2510      * access pseudocode for each counter register.
2511      */
2512     switch (timeridx) {
2513     case GTIMER_PHYS:
2514         return gt_phys_raw_cnt_offset(env);
2515     case GTIMER_VIRT:
2516         return env->cp15.cntvoff_el2;
2517     case GTIMER_HYP:
2518     case GTIMER_SEC:
2519     case GTIMER_HYPVIRT:
2520     case GTIMER_S_EL2_PHYS:
2521     case GTIMER_S_EL2_VIRT:
2522         return 0;
2523     default:
2524         g_assert_not_reached();
2525     }
2526 }
2527 
2528 uint64_t gt_direct_access_timer_offset(CPUARMState *env, int timeridx)
2529 {
2530     /*
2531      * Return the timer offset to use for direct accesses to the
2532      * counter registers CNTPCT and CNTVCT, and for direct accesses
2533      * to the CNT*_TVAL registers.
2534      *
2535      * This isn't exactly the same as the indirect-access offset,
2536      * because here we also care about what EL the register access
2537      * is being made from.
2538      *
2539      * This corresponds to the access pseudocode for the registers.
2540      */
2541     uint64_t hcr;
2542 
2543     switch (timeridx) {
2544     case GTIMER_PHYS:
2545         if (arm_current_el(env) >= 2) {
2546             return 0;
2547         }
2548         return gt_phys_raw_cnt_offset(env);
2549     case GTIMER_VIRT:
2550         switch (arm_current_el(env)) {
2551         case 2:
2552             hcr = arm_hcr_el2_eff(env);
2553             if (hcr & HCR_E2H) {
2554                 return 0;
2555             }
2556             break;
2557         case 0:
2558             hcr = arm_hcr_el2_eff(env);
2559             if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) {
2560                 return 0;
2561             }
2562             break;
2563         }
2564         return env->cp15.cntvoff_el2;
2565     case GTIMER_HYP:
2566     case GTIMER_SEC:
2567     case GTIMER_HYPVIRT:
2568     case GTIMER_S_EL2_PHYS:
2569     case GTIMER_S_EL2_VIRT:
2570         return 0;
2571     default:
2572         g_assert_not_reached();
2573     }
2574 }
2575 
2576 static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
2577 {
2578     ARMGenericTimer *gt = &cpu->env.cp15.c14_timer[timeridx];
2579 
2580     if (gt->ctl & 1) {
2581         /*
2582          * Timer enabled: calculate and set current ISTATUS, irq, and
2583          * reset timer to when ISTATUS next has to change
2584          */
2585         uint64_t offset = gt_indirect_access_timer_offset(&cpu->env, timeridx);
2586         uint64_t count = gt_get_countervalue(&cpu->env);
2587         /* Note that this must be unsigned 64 bit arithmetic: */
2588         int istatus = count - offset >= gt->cval;
2589         uint64_t nexttick;
2590 
2591         gt->ctl = deposit32(gt->ctl, 2, 1, istatus);
2592 
2593         if (istatus) {
2594             /*
2595              * Next transition is when (count - offset) rolls back over to 0.
2596              * If offset > count then this is when count == offset;
2597              * if offset <= count then this is when count == offset + 2^64
2598              * For the latter case we set nexttick to an "as far in future
2599              * as possible" value and let the code below handle it.
2600              */
2601             if (offset > count) {
2602                 nexttick = offset;
2603             } else {
2604                 nexttick = UINT64_MAX;
2605             }
2606         } else {
2607             /*
2608              * Next transition is when (count - offset) == cval, i.e.
2609              * when count == (cval + offset).
2610              * If that would overflow, then again we set up the next interrupt
2611              * for "as far in the future as possible" for the code below.
2612              */
2613             if (uadd64_overflow(gt->cval, offset, &nexttick)) {
2614                 nexttick = UINT64_MAX;
2615             }
2616         }
2617         /*
2618          * Note that the desired next expiry time might be beyond the
2619          * signed-64-bit range of a QEMUTimer -- in this case we just
2620          * set the timer for as far in the future as possible. When the
2621          * timer expires we will reset the timer for any remaining period.
2622          */
2623         if (nexttick > INT64_MAX / gt_cntfrq_period_ns(cpu)) {
2624             timer_mod_ns(cpu->gt_timer[timeridx], INT64_MAX);
2625         } else {
2626             timer_mod(cpu->gt_timer[timeridx], nexttick);
2627         }
2628         trace_arm_gt_recalc(timeridx, nexttick);
2629     } else {
2630         /* Timer disabled: ISTATUS and timer output always clear */
2631         gt->ctl &= ~4;
2632         timer_del(cpu->gt_timer[timeridx]);
2633         trace_arm_gt_recalc_disabled(timeridx);
2634     }
2635     gt_update_irq(cpu, timeridx);
2636 }
2637 
2638 static void gt_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri,
2639                            int timeridx)
2640 {
2641     ARMCPU *cpu = env_archcpu(env);
2642 
2643     timer_del(cpu->gt_timer[timeridx]);
2644 }
2645 
2646 static uint64_t gt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
2647 {
2648     uint64_t offset = gt_direct_access_timer_offset(env, GTIMER_PHYS);
2649     return gt_get_countervalue(env) - offset;
2650 }
2651 
2652 static uint64_t gt_virt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
2653 {
2654     uint64_t offset = gt_direct_access_timer_offset(env, GTIMER_VIRT);
2655     return gt_get_countervalue(env) - offset;
2656 }
2657 
2658 static void gt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2659                           int timeridx,
2660                           uint64_t value)
2661 {
2662     trace_arm_gt_cval_write(timeridx, value);
2663     env->cp15.c14_timer[timeridx].cval = value;
2664     gt_recalc_timer(env_archcpu(env), timeridx);
2665 }
2666 
2667 static uint64_t do_tval_read(CPUARMState *env, int timeridx, uint64_t offset)
2668 {
2669     return (uint32_t)(env->cp15.c14_timer[timeridx].cval -
2670                       (gt_get_countervalue(env) - offset));
2671 }
2672 
2673 static uint64_t gt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri,
2674                              int timeridx)
2675 {
2676     uint64_t offset = gt_direct_access_timer_offset(env, timeridx);
2677 
2678     return do_tval_read(env, timeridx, offset);
2679 }
2680 
2681 static void do_tval_write(CPUARMState *env, int timeridx, uint64_t value,
2682                           uint64_t offset)
2683 {
2684     trace_arm_gt_tval_write(timeridx, value);
2685     env->cp15.c14_timer[timeridx].cval = gt_get_countervalue(env) - offset +
2686                                          sextract64(value, 0, 32);
2687     gt_recalc_timer(env_archcpu(env), timeridx);
2688 }
2689 
2690 static void gt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2691                           int timeridx,
2692                           uint64_t value)
2693 {
2694     uint64_t offset = gt_direct_access_timer_offset(env, timeridx);
2695 
2696     do_tval_write(env, timeridx, value, offset);
2697 }
2698 
2699 static void gt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
2700                          int timeridx,
2701                          uint64_t value)
2702 {
2703     ARMCPU *cpu = env_archcpu(env);
2704     uint32_t oldval = env->cp15.c14_timer[timeridx].ctl;
2705 
2706     trace_arm_gt_ctl_write(timeridx, value);
2707     env->cp15.c14_timer[timeridx].ctl = deposit64(oldval, 0, 2, value);
2708     if ((oldval ^ value) & 1) {
2709         /* Enable toggled */
2710         gt_recalc_timer(cpu, timeridx);
2711     } else if ((oldval ^ value) & 2) {
2712         /*
2713          * IMASK toggled: don't need to recalculate,
2714          * just set the interrupt line based on ISTATUS
2715          */
2716         trace_arm_gt_imask_toggle(timeridx);
2717         gt_update_irq(cpu, timeridx);
2718     }
2719 }
2720 
2721 static void gt_phys_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
2722 {
2723     gt_timer_reset(env, ri, GTIMER_PHYS);
2724 }
2725 
2726 static void gt_phys_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2727                                uint64_t value)
2728 {
2729     gt_cval_write(env, ri, GTIMER_PHYS, value);
2730 }
2731 
2732 static uint64_t gt_phys_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
2733 {
2734     return gt_tval_read(env, ri, GTIMER_PHYS);
2735 }
2736 
2737 static void gt_phys_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2738                                uint64_t value)
2739 {
2740     gt_tval_write(env, ri, GTIMER_PHYS, value);
2741 }
2742 
2743 static void gt_phys_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
2744                               uint64_t value)
2745 {
2746     gt_ctl_write(env, ri, GTIMER_PHYS, value);
2747 }
2748 
2749 static int gt_phys_redir_timeridx(CPUARMState *env)
2750 {
2751     switch (arm_mmu_idx(env)) {
2752     case ARMMMUIdx_E20_0:
2753     case ARMMMUIdx_E20_2:
2754     case ARMMMUIdx_E20_2_PAN:
2755         return GTIMER_HYP;
2756     default:
2757         return GTIMER_PHYS;
2758     }
2759 }
2760 
2761 static int gt_virt_redir_timeridx(CPUARMState *env)
2762 {
2763     switch (arm_mmu_idx(env)) {
2764     case ARMMMUIdx_E20_0:
2765     case ARMMMUIdx_E20_2:
2766     case ARMMMUIdx_E20_2_PAN:
2767         return GTIMER_HYPVIRT;
2768     default:
2769         return GTIMER_VIRT;
2770     }
2771 }
2772 
2773 static uint64_t gt_phys_redir_cval_read(CPUARMState *env,
2774                                         const ARMCPRegInfo *ri)
2775 {
2776     int timeridx = gt_phys_redir_timeridx(env);
2777     return env->cp15.c14_timer[timeridx].cval;
2778 }
2779 
2780 static void gt_phys_redir_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2781                                      uint64_t value)
2782 {
2783     int timeridx = gt_phys_redir_timeridx(env);
2784     gt_cval_write(env, ri, timeridx, value);
2785 }
2786 
2787 static uint64_t gt_phys_redir_tval_read(CPUARMState *env,
2788                                         const ARMCPRegInfo *ri)
2789 {
2790     int timeridx = gt_phys_redir_timeridx(env);
2791     return gt_tval_read(env, ri, timeridx);
2792 }
2793 
2794 static void gt_phys_redir_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2795                                      uint64_t value)
2796 {
2797     int timeridx = gt_phys_redir_timeridx(env);
2798     gt_tval_write(env, ri, timeridx, value);
2799 }
2800 
2801 static uint64_t gt_phys_redir_ctl_read(CPUARMState *env,
2802                                        const ARMCPRegInfo *ri)
2803 {
2804     int timeridx = gt_phys_redir_timeridx(env);
2805     return env->cp15.c14_timer[timeridx].ctl;
2806 }
2807 
2808 static void gt_phys_redir_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
2809                                     uint64_t value)
2810 {
2811     int timeridx = gt_phys_redir_timeridx(env);
2812     gt_ctl_write(env, ri, timeridx, value);
2813 }
2814 
2815 static void gt_virt_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
2816 {
2817     gt_timer_reset(env, ri, GTIMER_VIRT);
2818 }
2819 
2820 static void gt_virt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2821                                uint64_t value)
2822 {
2823     gt_cval_write(env, ri, GTIMER_VIRT, value);
2824 }
2825 
2826 static uint64_t gt_virt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
2827 {
2828     /*
2829      * This is CNTV_TVAL_EL02; unlike the underlying CNTV_TVAL_EL0
2830      * we always apply CNTVOFF_EL2. Special case that here rather
2831      * than going into the generic gt_tval_read() and then having
2832      * to re-detect that it's this register.
2833      * Note that the accessfn/perms mean we know we're at EL2 or EL3 here.
2834      */
2835     return do_tval_read(env, GTIMER_VIRT, env->cp15.cntvoff_el2);
2836 }
2837 
2838 static void gt_virt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2839                                uint64_t value)
2840 {
2841     /* Similarly for writes to CNTV_TVAL_EL02 */
2842     do_tval_write(env, GTIMER_VIRT, value, env->cp15.cntvoff_el2);
2843 }
2844 
2845 static void gt_virt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
2846                               uint64_t value)
2847 {
2848     gt_ctl_write(env, ri, GTIMER_VIRT, value);
2849 }
2850 
2851 static void gt_cnthctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
2852                              uint64_t value)
2853 {
2854     ARMCPU *cpu = env_archcpu(env);
2855     uint32_t oldval = env->cp15.cnthctl_el2;
2856     uint32_t valid_mask =
2857         R_CNTHCTL_EL0PCTEN_E2H1_MASK |
2858         R_CNTHCTL_EL0VCTEN_E2H1_MASK |
2859         R_CNTHCTL_EVNTEN_MASK |
2860         R_CNTHCTL_EVNTDIR_MASK |
2861         R_CNTHCTL_EVNTI_MASK |
2862         R_CNTHCTL_EL0VTEN_MASK |
2863         R_CNTHCTL_EL0PTEN_MASK |
2864         R_CNTHCTL_EL1PCTEN_E2H1_MASK |
2865         R_CNTHCTL_EL1PTEN_MASK;
2866 
2867     if (cpu_isar_feature(aa64_rme, cpu)) {
2868         valid_mask |= R_CNTHCTL_CNTVMASK_MASK | R_CNTHCTL_CNTPMASK_MASK;
2869     }
2870     if (cpu_isar_feature(aa64_ecv_traps, cpu)) {
2871         valid_mask |=
2872             R_CNTHCTL_EL1TVT_MASK |
2873             R_CNTHCTL_EL1TVCT_MASK |
2874             R_CNTHCTL_EL1NVPCT_MASK |
2875             R_CNTHCTL_EL1NVVCT_MASK |
2876             R_CNTHCTL_EVNTIS_MASK;
2877     }
2878     if (cpu_isar_feature(aa64_ecv, cpu)) {
2879         valid_mask |= R_CNTHCTL_ECV_MASK;
2880     }
2881 
2882     /* Clear RES0 bits */
2883     value &= valid_mask;
2884 
2885     raw_write(env, ri, value);
2886 
2887     if ((oldval ^ value) & R_CNTHCTL_CNTVMASK_MASK) {
2888         gt_update_irq(cpu, GTIMER_VIRT);
2889     } else if ((oldval ^ value) & R_CNTHCTL_CNTPMASK_MASK) {
2890         gt_update_irq(cpu, GTIMER_PHYS);
2891     }
2892 }
2893 
2894 static void gt_cntvoff_write(CPUARMState *env, const ARMCPRegInfo *ri,
2895                               uint64_t value)
2896 {
2897     ARMCPU *cpu = env_archcpu(env);
2898 
2899     trace_arm_gt_cntvoff_write(value);
2900     raw_write(env, ri, value);
2901     gt_recalc_timer(cpu, GTIMER_VIRT);
2902 }
2903 
2904 static uint64_t gt_virt_redir_cval_read(CPUARMState *env,
2905                                         const ARMCPRegInfo *ri)
2906 {
2907     int timeridx = gt_virt_redir_timeridx(env);
2908     return env->cp15.c14_timer[timeridx].cval;
2909 }
2910 
2911 static void gt_virt_redir_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2912                                      uint64_t value)
2913 {
2914     int timeridx = gt_virt_redir_timeridx(env);
2915     gt_cval_write(env, ri, timeridx, value);
2916 }
2917 
2918 static uint64_t gt_virt_redir_tval_read(CPUARMState *env,
2919                                         const ARMCPRegInfo *ri)
2920 {
2921     int timeridx = gt_virt_redir_timeridx(env);
2922     return gt_tval_read(env, ri, timeridx);
2923 }
2924 
2925 static void gt_virt_redir_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2926                                      uint64_t value)
2927 {
2928     int timeridx = gt_virt_redir_timeridx(env);
2929     gt_tval_write(env, ri, timeridx, value);
2930 }
2931 
2932 static uint64_t gt_virt_redir_ctl_read(CPUARMState *env,
2933                                        const ARMCPRegInfo *ri)
2934 {
2935     int timeridx = gt_virt_redir_timeridx(env);
2936     return env->cp15.c14_timer[timeridx].ctl;
2937 }
2938 
2939 static void gt_virt_redir_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
2940                                     uint64_t value)
2941 {
2942     int timeridx = gt_virt_redir_timeridx(env);
2943     gt_ctl_write(env, ri, timeridx, value);
2944 }
2945 
2946 static void gt_hyp_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
2947 {
2948     gt_timer_reset(env, ri, GTIMER_HYP);
2949 }
2950 
2951 static void gt_hyp_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2952                               uint64_t value)
2953 {
2954     gt_cval_write(env, ri, GTIMER_HYP, value);
2955 }
2956 
2957 static uint64_t gt_hyp_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
2958 {
2959     return gt_tval_read(env, ri, GTIMER_HYP);
2960 }
2961 
2962 static void gt_hyp_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2963                               uint64_t value)
2964 {
2965     gt_tval_write(env, ri, GTIMER_HYP, value);
2966 }
2967 
2968 static void gt_hyp_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
2969                               uint64_t value)
2970 {
2971     gt_ctl_write(env, ri, GTIMER_HYP, value);
2972 }
2973 
2974 static void gt_sec_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
2975 {
2976     gt_timer_reset(env, ri, GTIMER_SEC);
2977 }
2978 
2979 static void gt_sec_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2980                               uint64_t value)
2981 {
2982     gt_cval_write(env, ri, GTIMER_SEC, value);
2983 }
2984 
2985 static uint64_t gt_sec_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
2986 {
2987     return gt_tval_read(env, ri, GTIMER_SEC);
2988 }
2989 
2990 static void gt_sec_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
2991                               uint64_t value)
2992 {
2993     gt_tval_write(env, ri, GTIMER_SEC, value);
2994 }
2995 
2996 static void gt_sec_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
2997                               uint64_t value)
2998 {
2999     gt_ctl_write(env, ri, GTIMER_SEC, value);
3000 }
3001 
3002 static void gt_sec_pel2_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
3003 {
3004     gt_timer_reset(env, ri, GTIMER_S_EL2_PHYS);
3005 }
3006 
3007 static void gt_sec_pel2_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
3008                                    uint64_t value)
3009 {
3010     gt_cval_write(env, ri, GTIMER_S_EL2_PHYS, value);
3011 }
3012 
3013 static uint64_t gt_sec_pel2_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
3014 {
3015     return gt_tval_read(env, ri, GTIMER_S_EL2_PHYS);
3016 }
3017 
3018 static void gt_sec_pel2_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
3019                               uint64_t value)
3020 {
3021     gt_tval_write(env, ri, GTIMER_S_EL2_PHYS, value);
3022 }
3023 
3024 static void gt_sec_pel2_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
3025                               uint64_t value)
3026 {
3027     gt_ctl_write(env, ri, GTIMER_S_EL2_PHYS, value);
3028 }
3029 
3030 static void gt_sec_vel2_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
3031 {
3032     gt_timer_reset(env, ri, GTIMER_S_EL2_VIRT);
3033 }
3034 
3035 static void gt_sec_vel2_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
3036                               uint64_t value)
3037 {
3038     gt_cval_write(env, ri, GTIMER_S_EL2_VIRT, value);
3039 }
3040 
3041 static uint64_t gt_sec_vel2_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
3042 {
3043     return gt_tval_read(env, ri, GTIMER_S_EL2_VIRT);
3044 }
3045 
3046 static void gt_sec_vel2_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
3047                                    uint64_t value)
3048 {
3049     gt_tval_write(env, ri, GTIMER_S_EL2_VIRT, value);
3050 }
3051 
3052 static void gt_sec_vel2_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
3053                               uint64_t value)
3054 {
3055     gt_ctl_write(env, ri, GTIMER_S_EL2_VIRT, value);
3056 }
3057 
3058 static void gt_hv_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
3059 {
3060     gt_timer_reset(env, ri, GTIMER_HYPVIRT);
3061 }
3062 
3063 static void gt_hv_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
3064                              uint64_t value)
3065 {
3066     gt_cval_write(env, ri, GTIMER_HYPVIRT, value);
3067 }
3068 
3069 static uint64_t gt_hv_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
3070 {
3071     return gt_tval_read(env, ri, GTIMER_HYPVIRT);
3072 }
3073 
3074 static void gt_hv_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
3075                              uint64_t value)
3076 {
3077     gt_tval_write(env, ri, GTIMER_HYPVIRT, value);
3078 }
3079 
3080 static void gt_hv_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
3081                             uint64_t value)
3082 {
3083     gt_ctl_write(env, ri, GTIMER_HYPVIRT, value);
3084 }
3085 
3086 void arm_gt_ptimer_cb(void *opaque)
3087 {
3088     ARMCPU *cpu = opaque;
3089 
3090     gt_recalc_timer(cpu, GTIMER_PHYS);
3091 }
3092 
3093 void arm_gt_vtimer_cb(void *opaque)
3094 {
3095     ARMCPU *cpu = opaque;
3096 
3097     gt_recalc_timer(cpu, GTIMER_VIRT);
3098 }
3099 
3100 void arm_gt_htimer_cb(void *opaque)
3101 {
3102     ARMCPU *cpu = opaque;
3103 
3104     gt_recalc_timer(cpu, GTIMER_HYP);
3105 }
3106 
3107 void arm_gt_stimer_cb(void *opaque)
3108 {
3109     ARMCPU *cpu = opaque;
3110 
3111     gt_recalc_timer(cpu, GTIMER_SEC);
3112 }
3113 
3114 void arm_gt_sel2timer_cb(void *opaque)
3115 {
3116     ARMCPU *cpu = opaque;
3117 
3118     gt_recalc_timer(cpu, GTIMER_S_EL2_PHYS);
3119 }
3120 
3121 void arm_gt_sel2vtimer_cb(void *opaque)
3122 {
3123     ARMCPU *cpu = opaque;
3124 
3125     gt_recalc_timer(cpu, GTIMER_S_EL2_VIRT);
3126 }
3127 
3128 void arm_gt_hvtimer_cb(void *opaque)
3129 {
3130     ARMCPU *cpu = opaque;
3131 
3132     gt_recalc_timer(cpu, GTIMER_HYPVIRT);
3133 }
3134 
3135 static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
3136     /*
3137      * Note that CNTFRQ is purely reads-as-written for the benefit
3138      * of software; writing it doesn't actually change the timer frequency.
3139      * Our reset value matches the fixed frequency we implement the timer at.
3140      */
3141     { .name = "CNTFRQ", .cp = 15, .crn = 14, .crm = 0, .opc1 = 0, .opc2 = 0,
3142       .type = ARM_CP_ALIAS,
3143       .access = PL1_RW | PL0_R, .accessfn = gt_cntfrq_access,
3144       .fieldoffset = offsetoflow32(CPUARMState, cp15.c14_cntfrq),
3145     },
3146     { .name = "CNTFRQ_EL0", .state = ARM_CP_STATE_AA64,
3147       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 0,
3148       .access = PL1_RW | PL0_R, .accessfn = gt_cntfrq_access,
3149       .fieldoffset = offsetof(CPUARMState, cp15.c14_cntfrq),
3150       .resetfn = arm_gt_cntfrq_reset,
3151     },
3152     /* overall control: mostly access permissions */
3153     { .name = "CNTKCTL", .state = ARM_CP_STATE_BOTH,
3154       .opc0 = 3, .opc1 = 0, .crn = 14, .crm = 1, .opc2 = 0,
3155       .access = PL1_RW,
3156       .fieldoffset = offsetof(CPUARMState, cp15.c14_cntkctl),
3157       .resetvalue = 0,
3158     },
3159     /* per-timer control */
3160     { .name = "CNTP_CTL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 1,
3161       .secure = ARM_CP_SECSTATE_NS,
3162       .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL0_RW,
3163       .accessfn = gt_ptimer_access,
3164       .fieldoffset = offsetoflow32(CPUARMState,
3165                                    cp15.c14_timer[GTIMER_PHYS].ctl),
3166       .readfn = gt_phys_redir_ctl_read, .raw_readfn = raw_read,
3167       .writefn = gt_phys_redir_ctl_write, .raw_writefn = raw_write,
3168     },
3169     { .name = "CNTP_CTL_S",
3170       .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 1,
3171       .secure = ARM_CP_SECSTATE_S,
3172       .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL0_RW,
3173       .accessfn = gt_ptimer_access,
3174       .fieldoffset = offsetoflow32(CPUARMState,
3175                                    cp15.c14_timer[GTIMER_SEC].ctl),
3176       .writefn = gt_sec_ctl_write, .raw_writefn = raw_write,
3177     },
3178     { .name = "CNTP_CTL_EL0", .state = ARM_CP_STATE_AA64,
3179       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 1,
3180       .type = ARM_CP_IO, .access = PL0_RW,
3181       .accessfn = gt_ptimer_access,
3182       .nv2_redirect_offset = 0x180 | NV2_REDIR_NV1,
3183       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].ctl),
3184       .resetvalue = 0,
3185       .readfn = gt_phys_redir_ctl_read, .raw_readfn = raw_read,
3186       .writefn = gt_phys_redir_ctl_write, .raw_writefn = raw_write,
3187     },
3188     { .name = "CNTV_CTL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 1,
3189       .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL0_RW,
3190       .accessfn = gt_vtimer_access,
3191       .fieldoffset = offsetoflow32(CPUARMState,
3192                                    cp15.c14_timer[GTIMER_VIRT].ctl),
3193       .readfn = gt_virt_redir_ctl_read, .raw_readfn = raw_read,
3194       .writefn = gt_virt_redir_ctl_write, .raw_writefn = raw_write,
3195     },
3196     { .name = "CNTV_CTL_EL0", .state = ARM_CP_STATE_AA64,
3197       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 1,
3198       .type = ARM_CP_IO, .access = PL0_RW,
3199       .accessfn = gt_vtimer_access,
3200       .nv2_redirect_offset = 0x170 | NV2_REDIR_NV1,
3201       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].ctl),
3202       .resetvalue = 0,
3203       .readfn = gt_virt_redir_ctl_read, .raw_readfn = raw_read,
3204       .writefn = gt_virt_redir_ctl_write, .raw_writefn = raw_write,
3205     },
3206     /* TimerValue views: a 32 bit downcounting view of the underlying state */
3207     { .name = "CNTP_TVAL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 0,
3208       .secure = ARM_CP_SECSTATE_NS,
3209       .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
3210       .accessfn = gt_ptimer_access,
3211       .readfn = gt_phys_redir_tval_read, .writefn = gt_phys_redir_tval_write,
3212     },
3213     { .name = "CNTP_TVAL_S",
3214       .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 0,
3215       .secure = ARM_CP_SECSTATE_S,
3216       .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
3217       .accessfn = gt_ptimer_access,
3218       .readfn = gt_sec_tval_read, .writefn = gt_sec_tval_write,
3219     },
3220     { .name = "CNTP_TVAL_EL0", .state = ARM_CP_STATE_AA64,
3221       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 0,
3222       .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
3223       .accessfn = gt_ptimer_access, .resetfn = gt_phys_timer_reset,
3224       .readfn = gt_phys_redir_tval_read, .writefn = gt_phys_redir_tval_write,
3225     },
3226     { .name = "CNTV_TVAL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 0,
3227       .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
3228       .accessfn = gt_vtimer_access,
3229       .readfn = gt_virt_redir_tval_read, .writefn = gt_virt_redir_tval_write,
3230     },
3231     { .name = "CNTV_TVAL_EL0", .state = ARM_CP_STATE_AA64,
3232       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 0,
3233       .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
3234       .accessfn = gt_vtimer_access, .resetfn = gt_virt_timer_reset,
3235       .readfn = gt_virt_redir_tval_read, .writefn = gt_virt_redir_tval_write,
3236     },
3237     /* The counter itself */
3238     { .name = "CNTPCT", .cp = 15, .crm = 14, .opc1 = 0,
3239       .access = PL0_R, .type = ARM_CP_64BIT | ARM_CP_NO_RAW | ARM_CP_IO,
3240       .accessfn = gt_pct_access,
3241       .readfn = gt_cnt_read, .resetfn = arm_cp_reset_ignore,
3242     },
3243     { .name = "CNTPCT_EL0", .state = ARM_CP_STATE_AA64,
3244       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 1,
3245       .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
3246       .accessfn = gt_pct_access, .readfn = gt_cnt_read,
3247     },
3248     { .name = "CNTVCT", .cp = 15, .crm = 14, .opc1 = 1,
3249       .access = PL0_R, .type = ARM_CP_64BIT | ARM_CP_NO_RAW | ARM_CP_IO,
3250       .accessfn = gt_vct_access,
3251       .readfn = gt_virt_cnt_read, .resetfn = arm_cp_reset_ignore,
3252     },
3253     { .name = "CNTVCT_EL0", .state = ARM_CP_STATE_AA64,
3254       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 2,
3255       .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
3256       .accessfn = gt_vct_access, .readfn = gt_virt_cnt_read,
3257     },
3258     /* Comparison value, indicating when the timer goes off */
3259     { .name = "CNTP_CVAL", .cp = 15, .crm = 14, .opc1 = 2,
3260       .secure = ARM_CP_SECSTATE_NS,
3261       .access = PL0_RW,
3262       .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
3263       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval),
3264       .accessfn = gt_ptimer_access,
3265       .readfn = gt_phys_redir_cval_read, .raw_readfn = raw_read,
3266       .writefn = gt_phys_redir_cval_write, .raw_writefn = raw_write,
3267     },
3268     { .name = "CNTP_CVAL_S", .cp = 15, .crm = 14, .opc1 = 2,
3269       .secure = ARM_CP_SECSTATE_S,
3270       .access = PL0_RW,
3271       .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
3272       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].cval),
3273       .accessfn = gt_ptimer_access,
3274       .writefn = gt_sec_cval_write, .raw_writefn = raw_write,
3275     },
3276     { .name = "CNTP_CVAL_EL0", .state = ARM_CP_STATE_AA64,
3277       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 2,
3278       .access = PL0_RW,
3279       .type = ARM_CP_IO,
3280       .nv2_redirect_offset = 0x178 | NV2_REDIR_NV1,
3281       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval),
3282       .resetvalue = 0, .accessfn = gt_ptimer_access,
3283       .readfn = gt_phys_redir_cval_read, .raw_readfn = raw_read,
3284       .writefn = gt_phys_redir_cval_write, .raw_writefn = raw_write,
3285     },
3286     { .name = "CNTV_CVAL", .cp = 15, .crm = 14, .opc1 = 3,
3287       .access = PL0_RW,
3288       .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
3289       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval),
3290       .accessfn = gt_vtimer_access,
3291       .readfn = gt_virt_redir_cval_read, .raw_readfn = raw_read,
3292       .writefn = gt_virt_redir_cval_write, .raw_writefn = raw_write,
3293     },
3294     { .name = "CNTV_CVAL_EL0", .state = ARM_CP_STATE_AA64,
3295       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 2,
3296       .access = PL0_RW,
3297       .type = ARM_CP_IO,
3298       .nv2_redirect_offset = 0x168 | NV2_REDIR_NV1,
3299       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval),
3300       .resetvalue = 0, .accessfn = gt_vtimer_access,
3301       .readfn = gt_virt_redir_cval_read, .raw_readfn = raw_read,
3302       .writefn = gt_virt_redir_cval_write, .raw_writefn = raw_write,
3303     },
3304     /*
3305      * Secure timer -- this is actually restricted to only EL3
3306      * and configurably Secure-EL1 via the accessfn.
3307      */
3308     { .name = "CNTPS_TVAL_EL1", .state = ARM_CP_STATE_AA64,
3309       .opc0 = 3, .opc1 = 7, .crn = 14, .crm = 2, .opc2 = 0,
3310       .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW,
3311       .accessfn = gt_stimer_access,
3312       .readfn = gt_sec_tval_read,
3313       .writefn = gt_sec_tval_write,
3314       .resetfn = gt_sec_timer_reset,
3315     },
3316     { .name = "CNTPS_CTL_EL1", .state = ARM_CP_STATE_AA64,
3317       .opc0 = 3, .opc1 = 7, .crn = 14, .crm = 2, .opc2 = 1,
3318       .type = ARM_CP_IO, .access = PL1_RW,
3319       .accessfn = gt_stimer_access,
3320       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].ctl),
3321       .resetvalue = 0,
3322       .writefn = gt_sec_ctl_write, .raw_writefn = raw_write,
3323     },
3324     { .name = "CNTPS_CVAL_EL1", .state = ARM_CP_STATE_AA64,
3325       .opc0 = 3, .opc1 = 7, .crn = 14, .crm = 2, .opc2 = 2,
3326       .type = ARM_CP_IO, .access = PL1_RW,
3327       .accessfn = gt_stimer_access,
3328       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].cval),
3329       .writefn = gt_sec_cval_write, .raw_writefn = raw_write,
3330     },
3331 };
3332 
3333 /*
3334  * FEAT_ECV adds extra views of CNTVCT_EL0 and CNTPCT_EL0 which
3335  * are "self-synchronizing". For QEMU all sysregs are self-synchronizing,
3336  * so our implementations here are identical to the normal registers.
3337  */
3338 static const ARMCPRegInfo gen_timer_ecv_cp_reginfo[] = {
3339     { .name = "CNTVCTSS", .cp = 15, .crm = 14, .opc1 = 9,
3340       .access = PL0_R, .type = ARM_CP_64BIT | ARM_CP_NO_RAW | ARM_CP_IO,
3341       .accessfn = gt_vct_access,
3342       .readfn = gt_virt_cnt_read, .resetfn = arm_cp_reset_ignore,
3343     },
3344     { .name = "CNTVCTSS_EL0", .state = ARM_CP_STATE_AA64,
3345       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 6,
3346       .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
3347       .accessfn = gt_vct_access, .readfn = gt_virt_cnt_read,
3348     },
3349     { .name = "CNTPCTSS", .cp = 15, .crm = 14, .opc1 = 8,
3350       .access = PL0_R, .type = ARM_CP_64BIT | ARM_CP_NO_RAW | ARM_CP_IO,
3351       .accessfn = gt_pct_access,
3352       .readfn = gt_cnt_read, .resetfn = arm_cp_reset_ignore,
3353     },
3354     { .name = "CNTPCTSS_EL0", .state = ARM_CP_STATE_AA64,
3355       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 5,
3356       .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
3357       .accessfn = gt_pct_access, .readfn = gt_cnt_read,
3358     },
3359 };
3360 
3361 static CPAccessResult gt_cntpoff_access(CPUARMState *env,
3362                                         const ARMCPRegInfo *ri,
3363                                         bool isread)
3364 {
3365     if (arm_current_el(env) == 2 && arm_feature(env, ARM_FEATURE_EL3) &&
3366         !(env->cp15.scr_el3 & SCR_ECVEN)) {
3367         return CP_ACCESS_TRAP_EL3;
3368     }
3369     return CP_ACCESS_OK;
3370 }
3371 
3372 static void gt_cntpoff_write(CPUARMState *env, const ARMCPRegInfo *ri,
3373                               uint64_t value)
3374 {
3375     ARMCPU *cpu = env_archcpu(env);
3376 
3377     trace_arm_gt_cntpoff_write(value);
3378     raw_write(env, ri, value);
3379     gt_recalc_timer(cpu, GTIMER_PHYS);
3380 }
3381 
3382 static const ARMCPRegInfo gen_timer_cntpoff_reginfo = {
3383     .name = "CNTPOFF_EL2", .state = ARM_CP_STATE_AA64,
3384     .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 0, .opc2 = 6,
3385     .access = PL2_RW, .type = ARM_CP_IO, .resetvalue = 0,
3386     .accessfn = gt_cntpoff_access, .writefn = gt_cntpoff_write,
3387     .nv2_redirect_offset = 0x1a8,
3388     .fieldoffset = offsetof(CPUARMState, cp15.cntpoff_el2),
3389 };
3390 #else
3391 
3392 /*
3393  * In user-mode most of the generic timer registers are inaccessible
3394  * however modern kernels (4.12+) allow access to cntvct_el0
3395  */
3396 
3397 static uint64_t gt_virt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
3398 {
3399     ARMCPU *cpu = env_archcpu(env);
3400 
3401     /*
3402      * Currently we have no support for QEMUTimer in linux-user so we
3403      * can't call gt_get_countervalue(env), instead we directly
3404      * call the lower level functions.
3405      */
3406     return cpu_get_clock() / gt_cntfrq_period_ns(cpu);
3407 }
3408 
3409 static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
3410     { .name = "CNTFRQ_EL0", .state = ARM_CP_STATE_AA64,
3411       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 0,
3412       .type = ARM_CP_CONST, .access = PL0_R /* no PL1_RW in linux-user */,
3413       .fieldoffset = offsetof(CPUARMState, cp15.c14_cntfrq),
3414       .resetfn = arm_gt_cntfrq_reset,
3415     },
3416     { .name = "CNTVCT_EL0", .state = ARM_CP_STATE_AA64,
3417       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 2,
3418       .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
3419       .readfn = gt_virt_cnt_read,
3420     },
3421 };
3422 
3423 /*
3424  * CNTVCTSS_EL0 has the same trap conditions as CNTVCT_EL0, so it also
3425  * is exposed to userspace by Linux.
3426  */
3427 static const ARMCPRegInfo gen_timer_ecv_cp_reginfo[] = {
3428     { .name = "CNTVCTSS_EL0", .state = ARM_CP_STATE_AA64,
3429       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 6,
3430       .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
3431       .readfn = gt_virt_cnt_read,
3432     },
3433 };
3434 
3435 #endif
3436 
3437 static void par_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
3438 {
3439     if (arm_feature(env, ARM_FEATURE_LPAE)) {
3440         raw_write(env, ri, value);
3441     } else if (arm_feature(env, ARM_FEATURE_V7)) {
3442         raw_write(env, ri, value & 0xfffff6ff);
3443     } else {
3444         raw_write(env, ri, value & 0xfffff1ff);
3445     }
3446 }
3447 
3448 #ifndef CONFIG_USER_ONLY
3449 /* get_phys_addr() isn't present for user-mode-only targets */
3450 
3451 static CPAccessResult ats_access(CPUARMState *env, const ARMCPRegInfo *ri,
3452                                  bool isread)
3453 {
3454     if (ri->opc2 & 4) {
3455         /*
3456          * The ATS12NSO* operations must trap to EL3 or EL2 if executed in
3457          * Secure EL1 (which can only happen if EL3 is AArch64).
3458          * They are simply UNDEF if executed from NS EL1.
3459          * They function normally from EL2 or EL3.
3460          */
3461         if (arm_current_el(env) == 1) {
3462             if (arm_is_secure_below_el3(env)) {
3463                 if (env->cp15.scr_el3 & SCR_EEL2) {
3464                     return CP_ACCESS_TRAP_EL2;
3465                 }
3466                 return CP_ACCESS_TRAP_EL3;
3467             }
3468             return CP_ACCESS_UNDEFINED;
3469         }
3470     }
3471     return CP_ACCESS_OK;
3472 }
3473 
3474 #ifdef CONFIG_TCG
3475 static int par_el1_shareability(GetPhysAddrResult *res)
3476 {
3477     /*
3478      * The PAR_EL1.SH field must be 0b10 for Device or Normal-NC
3479      * memory -- see pseudocode PAREncodeShareability().
3480      */
3481     if (((res->cacheattrs.attrs & 0xf0) == 0) ||
3482         res->cacheattrs.attrs == 0x44 || res->cacheattrs.attrs == 0x40) {
3483         return 2;
3484     }
3485     return res->cacheattrs.shareability;
3486 }
3487 
3488 static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
3489                              MMUAccessType access_type, ARMMMUIdx mmu_idx,
3490                              ARMSecuritySpace ss)
3491 {
3492     bool ret;
3493     uint64_t par64;
3494     bool format64 = false;
3495     ARMMMUFaultInfo fi = {};
3496     GetPhysAddrResult res = {};
3497 
3498     /*
3499      * I_MXTJT: Granule protection checks are not performed on the final
3500      * address of a successful translation.  This is a translation not a
3501      * memory reference, so "memop = none = 0".
3502      */
3503     ret = get_phys_addr_with_space_nogpc(env, value, access_type, 0,
3504                                          mmu_idx, ss, &res, &fi);
3505 
3506     /*
3507      * ATS operations only do S1 or S1+S2 translations, so we never
3508      * have to deal with the ARMCacheAttrs format for S2 only.
3509      */
3510     assert(!res.cacheattrs.is_s2_format);
3511 
3512     if (ret) {
3513         /*
3514          * Some kinds of translation fault must cause exceptions rather
3515          * than being reported in the PAR.
3516          */
3517         int current_el = arm_current_el(env);
3518         int target_el;
3519         uint32_t syn, fsr, fsc;
3520         bool take_exc = false;
3521 
3522         if (fi.s1ptw && current_el == 1
3523             && arm_mmu_idx_is_stage1_of_2(mmu_idx)) {
3524             /*
3525              * Synchronous stage 2 fault on an access made as part of the
3526              * translation table walk for AT S1E0* or AT S1E1* insn
3527              * executed from NS EL1. If this is a synchronous external abort
3528              * and SCR_EL3.EA == 1, then we take a synchronous external abort
3529              * to EL3. Otherwise the fault is taken as an exception to EL2,
3530              * and HPFAR_EL2 holds the faulting IPA.
3531              */
3532             if (fi.type == ARMFault_SyncExternalOnWalk &&
3533                 (env->cp15.scr_el3 & SCR_EA)) {
3534                 target_el = 3;
3535             } else {
3536                 env->cp15.hpfar_el2 = extract64(fi.s2addr, 12, 47) << 4;
3537                 if (arm_is_secure_below_el3(env) && fi.s1ns) {
3538                     env->cp15.hpfar_el2 |= HPFAR_NS;
3539                 }
3540                 target_el = 2;
3541             }
3542             take_exc = true;
3543         } else if (fi.type == ARMFault_SyncExternalOnWalk) {
3544             /*
3545              * Synchronous external aborts during a translation table walk
3546              * are taken as Data Abort exceptions.
3547              */
3548             if (fi.stage2) {
3549                 if (current_el == 3) {
3550                     target_el = 3;
3551                 } else {
3552                     target_el = 2;
3553                 }
3554             } else {
3555                 target_el = exception_target_el(env);
3556             }
3557             take_exc = true;
3558         }
3559 
3560         if (take_exc) {
3561             /* Construct FSR and FSC using same logic as arm_deliver_fault() */
3562             if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
3563                 arm_s1_regime_using_lpae_format(env, mmu_idx)) {
3564                 fsr = arm_fi_to_lfsc(&fi);
3565                 fsc = extract32(fsr, 0, 6);
3566             } else {
3567                 fsr = arm_fi_to_sfsc(&fi);
3568                 fsc = 0x3f;
3569             }
3570             /*
3571              * Report exception with ESR indicating a fault due to a
3572              * translation table walk for a cache maintenance instruction.
3573              */
3574             syn = syn_data_abort_no_iss(current_el == target_el, 0,
3575                                         fi.ea, 1, fi.s1ptw, 1, fsc);
3576             env->exception.vaddress = value;
3577             env->exception.fsr = fsr;
3578             raise_exception(env, EXCP_DATA_ABORT, syn, target_el);
3579         }
3580     }
3581 
3582     if (is_a64(env)) {
3583         format64 = true;
3584     } else if (arm_feature(env, ARM_FEATURE_LPAE)) {
3585         /*
3586          * ATS1Cxx:
3587          * * TTBCR.EAE determines whether the result is returned using the
3588          *   32-bit or the 64-bit PAR format
3589          * * Instructions executed in Hyp mode always use the 64bit format
3590          *
3591          * ATS1S2NSOxx uses the 64bit format if any of the following is true:
3592          * * The Non-secure TTBCR.EAE bit is set to 1
3593          * * The implementation includes EL2, and the value of HCR.VM is 1
3594          *
3595          * (Note that HCR.DC makes HCR.VM behave as if it is 1.)
3596          *
3597          * ATS1Hx always uses the 64bit format.
3598          */
3599         format64 = arm_s1_regime_using_lpae_format(env, mmu_idx);
3600 
3601         if (arm_feature(env, ARM_FEATURE_EL2)) {
3602             if (mmu_idx == ARMMMUIdx_E10_0 ||
3603                 mmu_idx == ARMMMUIdx_E10_1 ||
3604                 mmu_idx == ARMMMUIdx_E10_1_PAN) {
3605                 format64 |= env->cp15.hcr_el2 & (HCR_VM | HCR_DC);
3606             } else {
3607                 format64 |= arm_current_el(env) == 2;
3608             }
3609         }
3610     }
3611 
3612     if (format64) {
3613         /* Create a 64-bit PAR */
3614         par64 = (1 << 11); /* LPAE bit always set */
3615         if (!ret) {
3616             par64 |= res.f.phys_addr & ~0xfffULL;
3617             if (!res.f.attrs.secure) {
3618                 par64 |= (1 << 9); /* NS */
3619             }
3620             par64 |= (uint64_t)res.cacheattrs.attrs << 56; /* ATTR */
3621             par64 |= par_el1_shareability(&res) << 7; /* SH */
3622         } else {
3623             uint32_t fsr = arm_fi_to_lfsc(&fi);
3624 
3625             par64 |= 1; /* F */
3626             par64 |= (fsr & 0x3f) << 1; /* FS */
3627             if (fi.stage2) {
3628                 par64 |= (1 << 9); /* S */
3629             }
3630             if (fi.s1ptw) {
3631                 par64 |= (1 << 8); /* PTW */
3632             }
3633         }
3634     } else {
3635         /*
3636          * fsr is a DFSR/IFSR value for the short descriptor
3637          * translation table format (with WnR always clear).
3638          * Convert it to a 32-bit PAR.
3639          */
3640         if (!ret) {
3641             /* We do not set any attribute bits in the PAR */
3642             if (res.f.lg_page_size == 24
3643                 && arm_feature(env, ARM_FEATURE_V7)) {
3644                 par64 = (res.f.phys_addr & 0xff000000) | (1 << 1);
3645             } else {
3646                 par64 = res.f.phys_addr & 0xfffff000;
3647             }
3648             if (!res.f.attrs.secure) {
3649                 par64 |= (1 << 9); /* NS */
3650             }
3651         } else {
3652             uint32_t fsr = arm_fi_to_sfsc(&fi);
3653 
3654             par64 = ((fsr & (1 << 10)) >> 5) | ((fsr & (1 << 12)) >> 6) |
3655                     ((fsr & 0xf) << 1) | 1;
3656         }
3657     }
3658     return par64;
3659 }
3660 #endif /* CONFIG_TCG */
3661 
3662 static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
3663 {
3664 #ifdef CONFIG_TCG
3665     MMUAccessType access_type = ri->opc2 & 1 ? MMU_DATA_STORE : MMU_DATA_LOAD;
3666     uint64_t par64;
3667     ARMMMUIdx mmu_idx;
3668     int el = arm_current_el(env);
3669     ARMSecuritySpace ss = arm_security_space(env);
3670 
3671     switch (ri->opc2 & 6) {
3672     case 0:
3673         /* stage 1 current state PL1: ATS1CPR, ATS1CPW, ATS1CPRP, ATS1CPWP */
3674         switch (el) {
3675         case 3:
3676             if (ri->crm == 9 && arm_pan_enabled(env)) {
3677                 mmu_idx = ARMMMUIdx_E30_3_PAN;
3678             } else {
3679                 mmu_idx = ARMMMUIdx_E3;
3680             }
3681             break;
3682         case 2:
3683             g_assert(ss != ARMSS_Secure);  /* ARMv8.4-SecEL2 is 64-bit only */
3684             /* fall through */
3685         case 1:
3686             if (ri->crm == 9 && arm_pan_enabled(env)) {
3687                 mmu_idx = ARMMMUIdx_Stage1_E1_PAN;
3688             } else {
3689                 mmu_idx = ARMMMUIdx_Stage1_E1;
3690             }
3691             break;
3692         default:
3693             g_assert_not_reached();
3694         }
3695         break;
3696     case 2:
3697         /* stage 1 current state PL0: ATS1CUR, ATS1CUW */
3698         switch (el) {
3699         case 3:
3700             mmu_idx = ARMMMUIdx_E30_0;
3701             break;
3702         case 2:
3703             g_assert(ss != ARMSS_Secure);  /* ARMv8.4-SecEL2 is 64-bit only */
3704             mmu_idx = ARMMMUIdx_Stage1_E0;
3705             break;
3706         case 1:
3707             mmu_idx = ARMMMUIdx_Stage1_E0;
3708             break;
3709         default:
3710             g_assert_not_reached();
3711         }
3712         break;
3713     case 4:
3714         /* stage 1+2 NonSecure PL1: ATS12NSOPR, ATS12NSOPW */
3715         mmu_idx = ARMMMUIdx_E10_1;
3716         ss = ARMSS_NonSecure;
3717         break;
3718     case 6:
3719         /* stage 1+2 NonSecure PL0: ATS12NSOUR, ATS12NSOUW */
3720         mmu_idx = ARMMMUIdx_E10_0;
3721         ss = ARMSS_NonSecure;
3722         break;
3723     default:
3724         g_assert_not_reached();
3725     }
3726 
3727     par64 = do_ats_write(env, value, access_type, mmu_idx, ss);
3728 
3729     A32_BANKED_CURRENT_REG_SET(env, par, par64);
3730 #else
3731     /* Handled by hardware accelerator. */
3732     g_assert_not_reached();
3733 #endif /* CONFIG_TCG */
3734 }
3735 
3736 static void ats1h_write(CPUARMState *env, const ARMCPRegInfo *ri,
3737                         uint64_t value)
3738 {
3739 #ifdef CONFIG_TCG
3740     MMUAccessType access_type = ri->opc2 & 1 ? MMU_DATA_STORE : MMU_DATA_LOAD;
3741     uint64_t par64;
3742 
3743     /* There is no SecureEL2 for AArch32. */
3744     par64 = do_ats_write(env, value, access_type, ARMMMUIdx_E2,
3745                          ARMSS_NonSecure);
3746 
3747     A32_BANKED_CURRENT_REG_SET(env, par, par64);
3748 #else
3749     /* Handled by hardware accelerator. */
3750     g_assert_not_reached();
3751 #endif /* CONFIG_TCG */
3752 }
3753 
3754 static CPAccessResult at_e012_access(CPUARMState *env, const ARMCPRegInfo *ri,
3755                                      bool isread)
3756 {
3757     /*
3758      * R_NYXTL: instruction is UNDEFINED if it applies to an Exception level
3759      * lower than EL3 and the combination SCR_EL3.{NSE,NS} is reserved. This can
3760      * only happen when executing at EL3 because that combination also causes an
3761      * illegal exception return. We don't need to check FEAT_RME either, because
3762      * scr_write() ensures that the NSE bit is not set otherwise.
3763      */
3764     if ((env->cp15.scr_el3 & (SCR_NSE | SCR_NS)) == SCR_NSE) {
3765         return CP_ACCESS_UNDEFINED;
3766     }
3767     return CP_ACCESS_OK;
3768 }
3769 
3770 static CPAccessResult at_s1e2_access(CPUARMState *env, const ARMCPRegInfo *ri,
3771                                      bool isread)
3772 {
3773     if (arm_current_el(env) == 3 &&
3774         !(env->cp15.scr_el3 & (SCR_NS | SCR_EEL2))) {
3775         return CP_ACCESS_UNDEFINED;
3776     }
3777     return at_e012_access(env, ri, isread);
3778 }
3779 
3780 static CPAccessResult at_s1e01_access(CPUARMState *env, const ARMCPRegInfo *ri,
3781                                       bool isread)
3782 {
3783     if (arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_AT)) {
3784         return CP_ACCESS_TRAP_EL2;
3785     }
3786     return at_e012_access(env, ri, isread);
3787 }
3788 
3789 static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
3790                         uint64_t value)
3791 {
3792 #ifdef CONFIG_TCG
3793     MMUAccessType access_type = ri->opc2 & 1 ? MMU_DATA_STORE : MMU_DATA_LOAD;
3794     ARMMMUIdx mmu_idx;
3795     uint64_t hcr_el2 = arm_hcr_el2_eff(env);
3796     bool regime_e20 = (hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE);
3797     bool for_el3 = false;
3798     ARMSecuritySpace ss;
3799 
3800     switch (ri->opc2 & 6) {
3801     case 0:
3802         switch (ri->opc1) {
3803         case 0: /* AT S1E1R, AT S1E1W, AT S1E1RP, AT S1E1WP */
3804             if (ri->crm == 9 && arm_pan_enabled(env)) {
3805                 mmu_idx = regime_e20 ?
3806                           ARMMMUIdx_E20_2_PAN : ARMMMUIdx_Stage1_E1_PAN;
3807             } else {
3808                 mmu_idx = regime_e20 ? ARMMMUIdx_E20_2 : ARMMMUIdx_Stage1_E1;
3809             }
3810             break;
3811         case 4: /* AT S1E2R, AT S1E2W */
3812             mmu_idx = hcr_el2 & HCR_E2H ? ARMMMUIdx_E20_2 : ARMMMUIdx_E2;
3813             break;
3814         case 6: /* AT S1E3R, AT S1E3W */
3815             mmu_idx = ARMMMUIdx_E3;
3816             for_el3 = true;
3817             break;
3818         default:
3819             g_assert_not_reached();
3820         }
3821         break;
3822     case 2: /* AT S1E0R, AT S1E0W */
3823         mmu_idx = regime_e20 ? ARMMMUIdx_E20_0 : ARMMMUIdx_Stage1_E0;
3824         break;
3825     case 4: /* AT S12E1R, AT S12E1W */
3826         mmu_idx = regime_e20 ? ARMMMUIdx_E20_2 : ARMMMUIdx_E10_1;
3827         break;
3828     case 6: /* AT S12E0R, AT S12E0W */
3829         mmu_idx = regime_e20 ? ARMMMUIdx_E20_0 : ARMMMUIdx_E10_0;
3830         break;
3831     default:
3832         g_assert_not_reached();
3833     }
3834 
3835     ss = for_el3 ? arm_security_space(env) : arm_security_space_below_el3(env);
3836     env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx, ss);
3837 #else
3838     /* Handled by hardware accelerator. */
3839     g_assert_not_reached();
3840 #endif /* CONFIG_TCG */
3841 }
3842 #endif
3843 
3844 /* Return basic MPU access permission bits.  */
3845 static uint32_t simple_mpu_ap_bits(uint32_t val)
3846 {
3847     uint32_t ret;
3848     uint32_t mask;
3849     int i;
3850     ret = 0;
3851     mask = 3;
3852     for (i = 0; i < 16; i += 2) {
3853         ret |= (val >> i) & mask;
3854         mask <<= 2;
3855     }
3856     return ret;
3857 }
3858 
3859 /* Pad basic MPU access permission bits to extended format.  */
3860 static uint32_t extended_mpu_ap_bits(uint32_t val)
3861 {
3862     uint32_t ret;
3863     uint32_t mask;
3864     int i;
3865     ret = 0;
3866     mask = 3;
3867     for (i = 0; i < 16; i += 2) {
3868         ret |= (val & mask) << i;
3869         mask <<= 2;
3870     }
3871     return ret;
3872 }
3873 
3874 static void pmsav5_data_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
3875                                  uint64_t value)
3876 {
3877     env->cp15.pmsav5_data_ap = extended_mpu_ap_bits(value);
3878 }
3879 
3880 static uint64_t pmsav5_data_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
3881 {
3882     return simple_mpu_ap_bits(env->cp15.pmsav5_data_ap);
3883 }
3884 
3885 static void pmsav5_insn_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
3886                                  uint64_t value)
3887 {
3888     env->cp15.pmsav5_insn_ap = extended_mpu_ap_bits(value);
3889 }
3890 
3891 static uint64_t pmsav5_insn_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
3892 {
3893     return simple_mpu_ap_bits(env->cp15.pmsav5_insn_ap);
3894 }
3895 
3896 static uint64_t pmsav7_read(CPUARMState *env, const ARMCPRegInfo *ri)
3897 {
3898     uint32_t *u32p = *(uint32_t **)raw_ptr(env, ri);
3899 
3900     if (!u32p) {
3901         return 0;
3902     }
3903 
3904     u32p += env->pmsav7.rnr[M_REG_NS];
3905     return *u32p;
3906 }
3907 
3908 static void pmsav7_write(CPUARMState *env, const ARMCPRegInfo *ri,
3909                          uint64_t value)
3910 {
3911     ARMCPU *cpu = env_archcpu(env);
3912     uint32_t *u32p = *(uint32_t **)raw_ptr(env, ri);
3913 
3914     if (!u32p) {
3915         return;
3916     }
3917 
3918     u32p += env->pmsav7.rnr[M_REG_NS];
3919     tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */
3920     *u32p = value;
3921 }
3922 
3923 static void pmsav7_rgnr_write(CPUARMState *env, const ARMCPRegInfo *ri,
3924                               uint64_t value)
3925 {
3926     ARMCPU *cpu = env_archcpu(env);
3927     uint32_t nrgs = cpu->pmsav7_dregion;
3928 
3929     if (value >= nrgs) {
3930         qemu_log_mask(LOG_GUEST_ERROR,
3931                       "PMSAv7 RGNR write >= # supported regions, %" PRIu32
3932                       " > %" PRIu32 "\n", (uint32_t)value, nrgs);
3933         return;
3934     }
3935 
3936     raw_write(env, ri, value);
3937 }
3938 
3939 static void prbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
3940                           uint64_t value)
3941 {
3942     ARMCPU *cpu = env_archcpu(env);
3943 
3944     tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */
3945     env->pmsav8.rbar[M_REG_NS][env->pmsav7.rnr[M_REG_NS]] = value;
3946 }
3947 
3948 static uint64_t prbar_read(CPUARMState *env, const ARMCPRegInfo *ri)
3949 {
3950     return env->pmsav8.rbar[M_REG_NS][env->pmsav7.rnr[M_REG_NS]];
3951 }
3952 
3953 static void prlar_write(CPUARMState *env, const ARMCPRegInfo *ri,
3954                           uint64_t value)
3955 {
3956     ARMCPU *cpu = env_archcpu(env);
3957 
3958     tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */
3959     env->pmsav8.rlar[M_REG_NS][env->pmsav7.rnr[M_REG_NS]] = value;
3960 }
3961 
3962 static uint64_t prlar_read(CPUARMState *env, const ARMCPRegInfo *ri)
3963 {
3964     return env->pmsav8.rlar[M_REG_NS][env->pmsav7.rnr[M_REG_NS]];
3965 }
3966 
3967 static void prselr_write(CPUARMState *env, const ARMCPRegInfo *ri,
3968                            uint64_t value)
3969 {
3970     ARMCPU *cpu = env_archcpu(env);
3971 
3972     /*
3973      * Ignore writes that would select not implemented region.
3974      * This is architecturally UNPREDICTABLE.
3975      */
3976     if (value >= cpu->pmsav7_dregion) {
3977         return;
3978     }
3979 
3980     env->pmsav7.rnr[M_REG_NS] = value;
3981 }
3982 
3983 static void hprbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
3984                           uint64_t value)
3985 {
3986     ARMCPU *cpu = env_archcpu(env);
3987 
3988     tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */
3989     env->pmsav8.hprbar[env->pmsav8.hprselr] = value;
3990 }
3991 
3992 static uint64_t hprbar_read(CPUARMState *env, const ARMCPRegInfo *ri)
3993 {
3994     return env->pmsav8.hprbar[env->pmsav8.hprselr];
3995 }
3996 
3997 static void hprlar_write(CPUARMState *env, const ARMCPRegInfo *ri,
3998                           uint64_t value)
3999 {
4000     ARMCPU *cpu = env_archcpu(env);
4001 
4002     tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */
4003     env->pmsav8.hprlar[env->pmsav8.hprselr] = value;
4004 }
4005 
4006 static uint64_t hprlar_read(CPUARMState *env, const ARMCPRegInfo *ri)
4007 {
4008     return env->pmsav8.hprlar[env->pmsav8.hprselr];
4009 }
4010 
4011 static void hprenr_write(CPUARMState *env, const ARMCPRegInfo *ri,
4012                           uint64_t value)
4013 {
4014     uint32_t n;
4015     uint32_t bit;
4016     ARMCPU *cpu = env_archcpu(env);
4017 
4018     /* Ignore writes to unimplemented regions */
4019     int rmax = MIN(cpu->pmsav8r_hdregion, 32);
4020     value &= MAKE_64BIT_MASK(0, rmax);
4021 
4022     tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */
4023 
4024     /* Register alias is only valid for first 32 indexes */
4025     for (n = 0; n < rmax; ++n) {
4026         bit = extract32(value, n, 1);
4027         env->pmsav8.hprlar[n] = deposit32(
4028                     env->pmsav8.hprlar[n], 0, 1, bit);
4029     }
4030 }
4031 
4032 static uint64_t hprenr_read(CPUARMState *env, const ARMCPRegInfo *ri)
4033 {
4034     uint32_t n;
4035     uint32_t result = 0x0;
4036     ARMCPU *cpu = env_archcpu(env);
4037 
4038     /* Register alias is only valid for first 32 indexes */
4039     for (n = 0; n < MIN(cpu->pmsav8r_hdregion, 32); ++n) {
4040         if (env->pmsav8.hprlar[n] & 0x1) {
4041             result |= (0x1 << n);
4042         }
4043     }
4044     return result;
4045 }
4046 
4047 static void hprselr_write(CPUARMState *env, const ARMCPRegInfo *ri,
4048                            uint64_t value)
4049 {
4050     ARMCPU *cpu = env_archcpu(env);
4051 
4052     /*
4053      * Ignore writes that would select not implemented region.
4054      * This is architecturally UNPREDICTABLE.
4055      */
4056     if (value >= cpu->pmsav8r_hdregion) {
4057         return;
4058     }
4059 
4060     env->pmsav8.hprselr = value;
4061 }
4062 
4063 static void pmsav8r_regn_write(CPUARMState *env, const ARMCPRegInfo *ri,
4064                           uint64_t value)
4065 {
4066     ARMCPU *cpu = env_archcpu(env);
4067     uint8_t index = (extract32(ri->opc0, 0, 1) << 4) |
4068                     (extract32(ri->crm, 0, 3) << 1) | extract32(ri->opc2, 2, 1);
4069 
4070     tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */
4071 
4072     if (ri->opc1 & 4) {
4073         if (index >= cpu->pmsav8r_hdregion) {
4074             return;
4075         }
4076         if (ri->opc2 & 0x1) {
4077             env->pmsav8.hprlar[index] = value;
4078         } else {
4079             env->pmsav8.hprbar[index] = value;
4080         }
4081     } else {
4082         if (index >= cpu->pmsav7_dregion) {
4083             return;
4084         }
4085         if (ri->opc2 & 0x1) {
4086             env->pmsav8.rlar[M_REG_NS][index] = value;
4087         } else {
4088             env->pmsav8.rbar[M_REG_NS][index] = value;
4089         }
4090     }
4091 }
4092 
4093 static uint64_t pmsav8r_regn_read(CPUARMState *env, const ARMCPRegInfo *ri)
4094 {
4095     ARMCPU *cpu = env_archcpu(env);
4096     uint8_t index = (extract32(ri->opc0, 0, 1) << 4) |
4097                     (extract32(ri->crm, 0, 3) << 1) | extract32(ri->opc2, 2, 1);
4098 
4099     if (ri->opc1 & 4) {
4100         if (index >= cpu->pmsav8r_hdregion) {
4101             return 0x0;
4102         }
4103         if (ri->opc2 & 0x1) {
4104             return env->pmsav8.hprlar[index];
4105         } else {
4106             return env->pmsav8.hprbar[index];
4107         }
4108     } else {
4109         if (index >= cpu->pmsav7_dregion) {
4110             return 0x0;
4111         }
4112         if (ri->opc2 & 0x1) {
4113             return env->pmsav8.rlar[M_REG_NS][index];
4114         } else {
4115             return env->pmsav8.rbar[M_REG_NS][index];
4116         }
4117     }
4118 }
4119 
4120 static const ARMCPRegInfo pmsav8r_cp_reginfo[] = {
4121     { .name = "PRBAR",
4122       .cp = 15, .opc1 = 0, .crn = 6, .crm = 3, .opc2 = 0,
4123       .access = PL1_RW, .type = ARM_CP_NO_RAW,
4124       .accessfn = access_tvm_trvm,
4125       .readfn = prbar_read, .writefn = prbar_write },
4126     { .name = "PRLAR",
4127       .cp = 15, .opc1 = 0, .crn = 6, .crm = 3, .opc2 = 1,
4128       .access = PL1_RW, .type = ARM_CP_NO_RAW,
4129       .accessfn = access_tvm_trvm,
4130       .readfn = prlar_read, .writefn = prlar_write },
4131     { .name = "PRSELR", .resetvalue = 0,
4132       .cp = 15, .opc1 = 0, .crn = 6, .crm = 2, .opc2 = 1,
4133       .access = PL1_RW, .accessfn = access_tvm_trvm,
4134       .writefn = prselr_write,
4135       .fieldoffset = offsetof(CPUARMState, pmsav7.rnr[M_REG_NS]) },
4136     { .name = "HPRBAR", .resetvalue = 0,
4137       .cp = 15, .opc1 = 4, .crn = 6, .crm = 3, .opc2 = 0,
4138       .access = PL2_RW, .type = ARM_CP_NO_RAW,
4139       .readfn = hprbar_read, .writefn = hprbar_write },
4140     { .name = "HPRLAR",
4141       .cp = 15, .opc1 = 4, .crn = 6, .crm = 3, .opc2 = 1,
4142       .access = PL2_RW, .type = ARM_CP_NO_RAW,
4143       .readfn = hprlar_read, .writefn = hprlar_write },
4144     { .name = "HPRSELR", .resetvalue = 0,
4145       .cp = 15, .opc1 = 4, .crn = 6, .crm = 2, .opc2 = 1,
4146       .access = PL2_RW,
4147       .writefn = hprselr_write,
4148       .fieldoffset = offsetof(CPUARMState, pmsav8.hprselr) },
4149     { .name = "HPRENR",
4150       .cp = 15, .opc1 = 4, .crn = 6, .crm = 1, .opc2 = 1,
4151       .access = PL2_RW, .type = ARM_CP_NO_RAW,
4152       .readfn = hprenr_read, .writefn = hprenr_write },
4153 };
4154 
4155 static const ARMCPRegInfo pmsav7_cp_reginfo[] = {
4156     /*
4157      * Reset for all these registers is handled in arm_cpu_reset(),
4158      * because the PMSAv7 is also used by M-profile CPUs, which do
4159      * not register cpregs but still need the state to be reset.
4160      */
4161     { .name = "DRBAR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 0,
4162       .access = PL1_RW, .type = ARM_CP_NO_RAW,
4163       .fieldoffset = offsetof(CPUARMState, pmsav7.drbar),
4164       .readfn = pmsav7_read, .writefn = pmsav7_write,
4165       .resetfn = arm_cp_reset_ignore },
4166     { .name = "DRSR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 2,
4167       .access = PL1_RW, .type = ARM_CP_NO_RAW,
4168       .fieldoffset = offsetof(CPUARMState, pmsav7.drsr),
4169       .readfn = pmsav7_read, .writefn = pmsav7_write,
4170       .resetfn = arm_cp_reset_ignore },
4171     { .name = "DRACR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 4,
4172       .access = PL1_RW, .type = ARM_CP_NO_RAW,
4173       .fieldoffset = offsetof(CPUARMState, pmsav7.dracr),
4174       .readfn = pmsav7_read, .writefn = pmsav7_write,
4175       .resetfn = arm_cp_reset_ignore },
4176     { .name = "RGNR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 2, .opc2 = 0,
4177       .access = PL1_RW,
4178       .fieldoffset = offsetof(CPUARMState, pmsav7.rnr[M_REG_NS]),
4179       .writefn = pmsav7_rgnr_write,
4180       .resetfn = arm_cp_reset_ignore },
4181 };
4182 
4183 static const ARMCPRegInfo pmsav5_cp_reginfo[] = {
4184     { .name = "DATA_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 0,
4185       .access = PL1_RW, .type = ARM_CP_ALIAS,
4186       .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_data_ap),
4187       .readfn = pmsav5_data_ap_read, .writefn = pmsav5_data_ap_write, },
4188     { .name = "INSN_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 1,
4189       .access = PL1_RW, .type = ARM_CP_ALIAS,
4190       .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_insn_ap),
4191       .readfn = pmsav5_insn_ap_read, .writefn = pmsav5_insn_ap_write, },
4192     { .name = "DATA_EXT_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 2,
4193       .access = PL1_RW,
4194       .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_data_ap),
4195       .resetvalue = 0, },
4196     { .name = "INSN_EXT_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 3,
4197       .access = PL1_RW,
4198       .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_insn_ap),
4199       .resetvalue = 0, },
4200     { .name = "DCACHE_CFG", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 0,
4201       .access = PL1_RW,
4202       .fieldoffset = offsetof(CPUARMState, cp15.c2_data), .resetvalue = 0, },
4203     { .name = "ICACHE_CFG", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 1,
4204       .access = PL1_RW,
4205       .fieldoffset = offsetof(CPUARMState, cp15.c2_insn), .resetvalue = 0, },
4206     /* Protection region base and size registers */
4207     { .name = "946_PRBS0", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0,
4208       .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
4209       .fieldoffset = offsetof(CPUARMState, cp15.c6_region[0]) },
4210     { .name = "946_PRBS1", .cp = 15, .crn = 6, .crm = 1, .opc1 = 0,
4211       .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
4212       .fieldoffset = offsetof(CPUARMState, cp15.c6_region[1]) },
4213     { .name = "946_PRBS2", .cp = 15, .crn = 6, .crm = 2, .opc1 = 0,
4214       .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
4215       .fieldoffset = offsetof(CPUARMState, cp15.c6_region[2]) },
4216     { .name = "946_PRBS3", .cp = 15, .crn = 6, .crm = 3, .opc1 = 0,
4217       .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
4218       .fieldoffset = offsetof(CPUARMState, cp15.c6_region[3]) },
4219     { .name = "946_PRBS4", .cp = 15, .crn = 6, .crm = 4, .opc1 = 0,
4220       .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
4221       .fieldoffset = offsetof(CPUARMState, cp15.c6_region[4]) },
4222     { .name = "946_PRBS5", .cp = 15, .crn = 6, .crm = 5, .opc1 = 0,
4223       .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
4224       .fieldoffset = offsetof(CPUARMState, cp15.c6_region[5]) },
4225     { .name = "946_PRBS6", .cp = 15, .crn = 6, .crm = 6, .opc1 = 0,
4226       .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
4227       .fieldoffset = offsetof(CPUARMState, cp15.c6_region[6]) },
4228     { .name = "946_PRBS7", .cp = 15, .crn = 6, .crm = 7, .opc1 = 0,
4229       .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
4230       .fieldoffset = offsetof(CPUARMState, cp15.c6_region[7]) },
4231 };
4232 
4233 static void vmsa_ttbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
4234                              uint64_t value)
4235 {
4236     ARMCPU *cpu = env_archcpu(env);
4237 
4238     if (!arm_feature(env, ARM_FEATURE_V8)) {
4239         if (arm_feature(env, ARM_FEATURE_LPAE) && (value & TTBCR_EAE)) {
4240             /*
4241              * Pre ARMv8 bits [21:19], [15:14] and [6:3] are UNK/SBZP when
4242              * using Long-descriptor translation table format
4243              */
4244             value &= ~((7 << 19) | (3 << 14) | (0xf << 3));
4245         } else if (arm_feature(env, ARM_FEATURE_EL3)) {
4246             /*
4247              * In an implementation that includes the Security Extensions
4248              * TTBCR has additional fields PD0 [4] and PD1 [5] for
4249              * Short-descriptor translation table format.
4250              */
4251             value &= TTBCR_PD1 | TTBCR_PD0 | TTBCR_N;
4252         } else {
4253             value &= TTBCR_N;
4254         }
4255     }
4256 
4257     if (arm_feature(env, ARM_FEATURE_LPAE)) {
4258         /*
4259          * With LPAE the TTBCR could result in a change of ASID
4260          * via the TTBCR.A1 bit, so do a TLB flush.
4261          */
4262         tlb_flush(CPU(cpu));
4263     }
4264     raw_write(env, ri, value);
4265 }
4266 
4267 static void vmsa_tcr_el12_write(CPUARMState *env, const ARMCPRegInfo *ri,
4268                                uint64_t value)
4269 {
4270     ARMCPU *cpu = env_archcpu(env);
4271 
4272     /* For AArch64 the A1 bit could result in a change of ASID, so TLB flush. */
4273     tlb_flush(CPU(cpu));
4274     raw_write(env, ri, value);
4275 }
4276 
4277 static void vmsa_ttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
4278                             uint64_t value)
4279 {
4280     /* If the ASID changes (with a 64-bit write), we must flush the TLB.  */
4281     if (cpreg_field_is_64bit(ri) &&
4282         extract64(raw_read(env, ri) ^ value, 48, 16) != 0) {
4283         ARMCPU *cpu = env_archcpu(env);
4284         tlb_flush(CPU(cpu));
4285     }
4286     raw_write(env, ri, value);
4287 }
4288 
4289 static void vmsa_tcr_ttbr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri,
4290                                     uint64_t value)
4291 {
4292     /*
4293      * If we are running with E2&0 regime, then an ASID is active.
4294      * Flush if that might be changing.  Note we're not checking
4295      * TCR_EL2.A1 to know if this is really the TTBRx_EL2 that
4296      * holds the active ASID, only checking the field that might.
4297      */
4298     if (extract64(raw_read(env, ri) ^ value, 48, 16) &&
4299         (arm_hcr_el2_eff(env) & HCR_E2H)) {
4300         uint16_t mask = ARMMMUIdxBit_E20_2 |
4301                         ARMMMUIdxBit_E20_2_PAN |
4302                         ARMMMUIdxBit_E20_0;
4303         tlb_flush_by_mmuidx(env_cpu(env), mask);
4304     }
4305     raw_write(env, ri, value);
4306 }
4307 
4308 static void vttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
4309                         uint64_t value)
4310 {
4311     ARMCPU *cpu = env_archcpu(env);
4312     CPUState *cs = CPU(cpu);
4313 
4314     /*
4315      * A change in VMID to the stage2 page table (Stage2) invalidates
4316      * the stage2 and combined stage 1&2 tlbs (EL10_1 and EL10_0).
4317      */
4318     if (extract64(raw_read(env, ri) ^ value, 48, 16) != 0) {
4319         tlb_flush_by_mmuidx(cs, alle1_tlbmask(env));
4320     }
4321     raw_write(env, ri, value);
4322 }
4323 
4324 static const ARMCPRegInfo vmsa_pmsa_cp_reginfo[] = {
4325     { .name = "DFSR", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 0,
4326       .access = PL1_RW, .accessfn = access_tvm_trvm, .type = ARM_CP_ALIAS,
4327       .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dfsr_s),
4328                              offsetoflow32(CPUARMState, cp15.dfsr_ns) }, },
4329     { .name = "IFSR", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 1,
4330       .access = PL1_RW, .accessfn = access_tvm_trvm, .resetvalue = 0,
4331       .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.ifsr_s),
4332                              offsetoflow32(CPUARMState, cp15.ifsr_ns) } },
4333     { .name = "DFAR", .cp = 15, .opc1 = 0, .crn = 6, .crm = 0, .opc2 = 0,
4334       .access = PL1_RW, .accessfn = access_tvm_trvm, .resetvalue = 0,
4335       .bank_fieldoffsets = { offsetof(CPUARMState, cp15.dfar_s),
4336                              offsetof(CPUARMState, cp15.dfar_ns) } },
4337     { .name = "FAR_EL1", .state = ARM_CP_STATE_AA64,
4338       .opc0 = 3, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 0,
4339       .access = PL1_RW, .accessfn = access_tvm_trvm,
4340       .fgt = FGT_FAR_EL1,
4341       .nv2_redirect_offset = 0x220 | NV2_REDIR_NV1,
4342       .fieldoffset = offsetof(CPUARMState, cp15.far_el[1]),
4343       .resetvalue = 0, },
4344 };
4345 
4346 static const ARMCPRegInfo vmsa_cp_reginfo[] = {
4347     { .name = "ESR_EL1", .state = ARM_CP_STATE_AA64,
4348       .opc0 = 3, .crn = 5, .crm = 2, .opc1 = 0, .opc2 = 0,
4349       .access = PL1_RW, .accessfn = access_tvm_trvm,
4350       .fgt = FGT_ESR_EL1,
4351       .nv2_redirect_offset = 0x138 | NV2_REDIR_NV1,
4352       .fieldoffset = offsetof(CPUARMState, cp15.esr_el[1]), .resetvalue = 0, },
4353     { .name = "TTBR0_EL1", .state = ARM_CP_STATE_BOTH,
4354       .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 0,
4355       .access = PL1_RW, .accessfn = access_tvm_trvm,
4356       .fgt = FGT_TTBR0_EL1,
4357       .nv2_redirect_offset = 0x200 | NV2_REDIR_NV1,
4358       .writefn = vmsa_ttbr_write, .resetvalue = 0, .raw_writefn = raw_write,
4359       .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),
4360                              offsetof(CPUARMState, cp15.ttbr0_ns) } },
4361     { .name = "TTBR1_EL1", .state = ARM_CP_STATE_BOTH,
4362       .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 1,
4363       .access = PL1_RW, .accessfn = access_tvm_trvm,
4364       .fgt = FGT_TTBR1_EL1,
4365       .nv2_redirect_offset = 0x210 | NV2_REDIR_NV1,
4366       .writefn = vmsa_ttbr_write, .resetvalue = 0, .raw_writefn = raw_write,
4367       .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),
4368                              offsetof(CPUARMState, cp15.ttbr1_ns) } },
4369     { .name = "TCR_EL1", .state = ARM_CP_STATE_AA64,
4370       .opc0 = 3, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 2,
4371       .access = PL1_RW, .accessfn = access_tvm_trvm,
4372       .fgt = FGT_TCR_EL1,
4373       .nv2_redirect_offset = 0x120 | NV2_REDIR_NV1,
4374       .writefn = vmsa_tcr_el12_write,
4375       .raw_writefn = raw_write,
4376       .resetvalue = 0,
4377       .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[1]) },
4378     { .name = "TTBCR", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 2,
4379       .access = PL1_RW, .accessfn = access_tvm_trvm,
4380       .type = ARM_CP_ALIAS, .writefn = vmsa_ttbcr_write,
4381       .raw_writefn = raw_write,
4382       .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tcr_el[3]),
4383                              offsetoflow32(CPUARMState, cp15.tcr_el[1])} },
4384 };
4385 
4386 /*
4387  * Note that unlike TTBCR, writing to TTBCR2 does not require flushing
4388  * qemu tlbs nor adjusting cached masks.
4389  */
4390 static const ARMCPRegInfo ttbcr2_reginfo = {
4391     .name = "TTBCR2", .cp = 15, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 3,
4392     .access = PL1_RW, .accessfn = access_tvm_trvm,
4393     .type = ARM_CP_ALIAS,
4394     .bank_fieldoffsets = {
4395         offsetofhigh32(CPUARMState, cp15.tcr_el[3]),
4396         offsetofhigh32(CPUARMState, cp15.tcr_el[1]),
4397     },
4398 };
4399 
4400 static void omap_ticonfig_write(CPUARMState *env, const ARMCPRegInfo *ri,
4401                                 uint64_t value)
4402 {
4403     env->cp15.c15_ticonfig = value & 0xe7;
4404     /* The OS_TYPE bit in this register changes the reported CPUID! */
4405     env->cp15.c0_cpuid = (value & (1 << 5)) ?
4406         ARM_CPUID_TI915T : ARM_CPUID_TI925T;
4407 }
4408 
4409 static void omap_threadid_write(CPUARMState *env, const ARMCPRegInfo *ri,
4410                                 uint64_t value)
4411 {
4412     env->cp15.c15_threadid = value & 0xffff;
4413 }
4414 
4415 static void omap_wfi_write(CPUARMState *env, const ARMCPRegInfo *ri,
4416                            uint64_t value)
4417 {
4418     /* Wait-for-interrupt (deprecated) */
4419     cpu_interrupt(env_cpu(env), CPU_INTERRUPT_HALT);
4420 }
4421 
4422 static void omap_cachemaint_write(CPUARMState *env, const ARMCPRegInfo *ri,
4423                                   uint64_t value)
4424 {
4425     /*
4426      * On OMAP there are registers indicating the max/min index of dcache lines
4427      * containing a dirty line; cache flush operations have to reset these.
4428      */
4429     env->cp15.c15_i_max = 0x000;
4430     env->cp15.c15_i_min = 0xff0;
4431 }
4432 
4433 static const ARMCPRegInfo omap_cp_reginfo[] = {
4434     { .name = "DFSR", .cp = 15, .crn = 5, .crm = CP_ANY,
4435       .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_OVERRIDE,
4436       .fieldoffset = offsetoflow32(CPUARMState, cp15.esr_el[1]),
4437       .resetvalue = 0, },
4438     { .name = "", .cp = 15, .crn = 15, .crm = 0, .opc1 = 0, .opc2 = 0,
4439       .access = PL1_RW, .type = ARM_CP_NOP },
4440     { .name = "TICONFIG", .cp = 15, .crn = 15, .crm = 1, .opc1 = 0, .opc2 = 0,
4441       .access = PL1_RW,
4442       .fieldoffset = offsetof(CPUARMState, cp15.c15_ticonfig), .resetvalue = 0,
4443       .writefn = omap_ticonfig_write },
4444     { .name = "IMAX", .cp = 15, .crn = 15, .crm = 2, .opc1 = 0, .opc2 = 0,
4445       .access = PL1_RW,
4446       .fieldoffset = offsetof(CPUARMState, cp15.c15_i_max), .resetvalue = 0, },
4447     { .name = "IMIN", .cp = 15, .crn = 15, .crm = 3, .opc1 = 0, .opc2 = 0,
4448       .access = PL1_RW, .resetvalue = 0xff0,
4449       .fieldoffset = offsetof(CPUARMState, cp15.c15_i_min) },
4450     { .name = "THREADID", .cp = 15, .crn = 15, .crm = 4, .opc1 = 0, .opc2 = 0,
4451       .access = PL1_RW,
4452       .fieldoffset = offsetof(CPUARMState, cp15.c15_threadid), .resetvalue = 0,
4453       .writefn = omap_threadid_write },
4454     { .name = "TI925T_STATUS", .cp = 15, .crn = 15,
4455       .crm = 8, .opc1 = 0, .opc2 = 0, .access = PL1_RW,
4456       .type = ARM_CP_NO_RAW,
4457       .readfn = arm_cp_read_zero, .writefn = omap_wfi_write, },
4458     /*
4459      * TODO: Peripheral port remap register:
4460      * On OMAP2 mcr p15, 0, rn, c15, c2, 4 sets up the interrupt controller
4461      * base address at $rn & ~0xfff and map size of 0x200 << ($rn & 0xfff),
4462      * when MMU is off.
4463      */
4464     { .name = "OMAP_CACHEMAINT", .cp = 15, .crn = 7, .crm = CP_ANY,
4465       .opc1 = 0, .opc2 = CP_ANY, .access = PL1_W,
4466       .type = ARM_CP_OVERRIDE | ARM_CP_NO_RAW,
4467       .writefn = omap_cachemaint_write },
4468     { .name = "C9", .cp = 15, .crn = 9,
4469       .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW,
4470       .type = ARM_CP_CONST | ARM_CP_OVERRIDE, .resetvalue = 0 },
4471 };
4472 
4473 static void xscale_cpar_write(CPUARMState *env, const ARMCPRegInfo *ri,
4474                               uint64_t value)
4475 {
4476     env->cp15.c15_cpar = value & 0x3fff;
4477 }
4478 
4479 static const ARMCPRegInfo xscale_cp_reginfo[] = {
4480     { .name = "XSCALE_CPAR",
4481       .cp = 15, .crn = 15, .crm = 1, .opc1 = 0, .opc2 = 0, .access = PL1_RW,
4482       .fieldoffset = offsetof(CPUARMState, cp15.c15_cpar), .resetvalue = 0,
4483       .writefn = xscale_cpar_write, },
4484     { .name = "XSCALE_AUXCR",
4485       .cp = 15, .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 1, .access = PL1_RW,
4486       .fieldoffset = offsetof(CPUARMState, cp15.c1_xscaleauxcr),
4487       .resetvalue = 0, },
4488     /*
4489      * XScale specific cache-lockdown: since we have no cache we NOP these
4490      * and hope the guest does not really rely on cache behaviour.
4491      */
4492     { .name = "XSCALE_LOCK_ICACHE_LINE",
4493       .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
4494       .access = PL1_W, .type = ARM_CP_NOP },
4495     { .name = "XSCALE_UNLOCK_ICACHE",
4496       .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
4497       .access = PL1_W, .type = ARM_CP_NOP },
4498     { .name = "XSCALE_DCACHE_LOCK",
4499       .cp = 15, .opc1 = 0, .crn = 9, .crm = 2, .opc2 = 0,
4500       .access = PL1_RW, .type = ARM_CP_NOP },
4501     { .name = "XSCALE_UNLOCK_DCACHE",
4502       .cp = 15, .opc1 = 0, .crn = 9, .crm = 2, .opc2 = 1,
4503       .access = PL1_W, .type = ARM_CP_NOP },
4504 };
4505 
4506 static const ARMCPRegInfo dummy_c15_cp_reginfo[] = {
4507     /*
4508      * RAZ/WI the whole crn=15 space, when we don't have a more specific
4509      * implementation of this implementation-defined space.
4510      * Ideally this should eventually disappear in favour of actually
4511      * implementing the correct behaviour for all cores.
4512      */
4513     { .name = "C15_IMPDEF", .cp = 15, .crn = 15,
4514       .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY,
4515       .access = PL1_RW,
4516       .type = ARM_CP_CONST | ARM_CP_NO_RAW | ARM_CP_OVERRIDE,
4517       .resetvalue = 0 },
4518 };
4519 
4520 static const ARMCPRegInfo cache_dirty_status_cp_reginfo[] = {
4521     /* Cache status: RAZ because we have no cache so it's always clean */
4522     { .name = "CDSR", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 6,
4523       .access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
4524       .resetvalue = 0 },
4525 };
4526 
4527 static const ARMCPRegInfo cache_block_ops_cp_reginfo[] = {
4528     /* We never have a block transfer operation in progress */
4529     { .name = "BXSR", .cp = 15, .crn = 7, .crm = 12, .opc1 = 0, .opc2 = 4,
4530       .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
4531       .resetvalue = 0 },
4532     /* The cache ops themselves: these all NOP for QEMU */
4533     { .name = "IICR", .cp = 15, .crm = 5, .opc1 = 0,
4534       .access = PL1_W, .type = ARM_CP_NOP | ARM_CP_64BIT },
4535     { .name = "IDCR", .cp = 15, .crm = 6, .opc1 = 0,
4536       .access = PL1_W, .type = ARM_CP_NOP | ARM_CP_64BIT },
4537     { .name = "CDCR", .cp = 15, .crm = 12, .opc1 = 0,
4538       .access = PL0_W, .type = ARM_CP_NOP | ARM_CP_64BIT },
4539     { .name = "PIR", .cp = 15, .crm = 12, .opc1 = 1,
4540       .access = PL0_W, .type = ARM_CP_NOP | ARM_CP_64BIT },
4541     { .name = "PDR", .cp = 15, .crm = 12, .opc1 = 2,
4542       .access = PL0_W, .type = ARM_CP_NOP | ARM_CP_64BIT },
4543     { .name = "CIDCR", .cp = 15, .crm = 14, .opc1 = 0,
4544       .access = PL1_W, .type = ARM_CP_NOP | ARM_CP_64BIT },
4545 };
4546 
4547 static const ARMCPRegInfo cache_test_clean_cp_reginfo[] = {
4548     /*
4549      * The cache test-and-clean instructions always return (1 << 30)
4550      * to indicate that there are no dirty cache lines.
4551      */
4552     { .name = "TC_DCACHE", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 3,
4553       .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
4554       .resetvalue = (1 << 30) },
4555     { .name = "TCI_DCACHE", .cp = 15, .crn = 7, .crm = 14, .opc1 = 0, .opc2 = 3,
4556       .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
4557       .resetvalue = (1 << 30) },
4558 };
4559 
4560 static const ARMCPRegInfo strongarm_cp_reginfo[] = {
4561     /* Ignore ReadBuffer accesses */
4562     { .name = "C9_READBUFFER", .cp = 15, .crn = 9,
4563       .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY,
4564       .access = PL1_RW, .resetvalue = 0,
4565       .type = ARM_CP_CONST | ARM_CP_OVERRIDE | ARM_CP_NO_RAW },
4566 };
4567 
4568 static uint64_t midr_read(CPUARMState *env, const ARMCPRegInfo *ri)
4569 {
4570     unsigned int cur_el = arm_current_el(env);
4571 
4572     if (arm_is_el2_enabled(env) && cur_el == 1) {
4573         return env->cp15.vpidr_el2;
4574     }
4575     return raw_read(env, ri);
4576 }
4577 
4578 static uint64_t mpidr_read_val(CPUARMState *env)
4579 {
4580     ARMCPU *cpu = env_archcpu(env);
4581     uint64_t mpidr = cpu->mp_affinity;
4582 
4583     if (arm_feature(env, ARM_FEATURE_V7MP)) {
4584         mpidr |= (1U << 31);
4585         /*
4586          * Cores which are uniprocessor (non-coherent)
4587          * but still implement the MP extensions set
4588          * bit 30. (For instance, Cortex-R5).
4589          */
4590         if (cpu->mp_is_up) {
4591             mpidr |= (1u << 30);
4592         }
4593     }
4594     return mpidr;
4595 }
4596 
4597 static uint64_t mpidr_read(CPUARMState *env, const ARMCPRegInfo *ri)
4598 {
4599     unsigned int cur_el = arm_current_el(env);
4600 
4601     if (arm_is_el2_enabled(env) && cur_el == 1) {
4602         return env->cp15.vmpidr_el2;
4603     }
4604     return mpidr_read_val(env);
4605 }
4606 
4607 static const ARMCPRegInfo lpae_cp_reginfo[] = {
4608     /* NOP AMAIR0/1 */
4609     { .name = "AMAIR0", .state = ARM_CP_STATE_BOTH,
4610       .opc0 = 3, .crn = 10, .crm = 3, .opc1 = 0, .opc2 = 0,
4611       .access = PL1_RW, .accessfn = access_tvm_trvm,
4612       .fgt = FGT_AMAIR_EL1,
4613       .nv2_redirect_offset = 0x148 | NV2_REDIR_NV1,
4614       .type = ARM_CP_CONST, .resetvalue = 0 },
4615     /* AMAIR1 is mapped to AMAIR_EL1[63:32] */
4616     { .name = "AMAIR1", .cp = 15, .crn = 10, .crm = 3, .opc1 = 0, .opc2 = 1,
4617       .access = PL1_RW, .accessfn = access_tvm_trvm,
4618       .type = ARM_CP_CONST, .resetvalue = 0 },
4619     { .name = "PAR", .cp = 15, .crm = 7, .opc1 = 0,
4620       .access = PL1_RW, .type = ARM_CP_64BIT, .resetvalue = 0,
4621       .bank_fieldoffsets = { offsetof(CPUARMState, cp15.par_s),
4622                              offsetof(CPUARMState, cp15.par_ns)} },
4623     { .name = "TTBR0", .cp = 15, .crm = 2, .opc1 = 0,
4624       .access = PL1_RW, .accessfn = access_tvm_trvm,
4625       .type = ARM_CP_64BIT | ARM_CP_ALIAS,
4626       .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),
4627                              offsetof(CPUARMState, cp15.ttbr0_ns) },
4628       .writefn = vmsa_ttbr_write, .raw_writefn = raw_write },
4629     { .name = "TTBR1", .cp = 15, .crm = 2, .opc1 = 1,
4630       .access = PL1_RW, .accessfn = access_tvm_trvm,
4631       .type = ARM_CP_64BIT | ARM_CP_ALIAS,
4632       .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),
4633                              offsetof(CPUARMState, cp15.ttbr1_ns) },
4634       .writefn = vmsa_ttbr_write, .raw_writefn = raw_write },
4635 };
4636 
4637 static uint64_t aa64_fpcr_read(CPUARMState *env, const ARMCPRegInfo *ri)
4638 {
4639     return vfp_get_fpcr(env);
4640 }
4641 
4642 static void aa64_fpcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
4643                             uint64_t value)
4644 {
4645     vfp_set_fpcr(env, value);
4646 }
4647 
4648 static uint64_t aa64_fpsr_read(CPUARMState *env, const ARMCPRegInfo *ri)
4649 {
4650     return vfp_get_fpsr(env);
4651 }
4652 
4653 static void aa64_fpsr_write(CPUARMState *env, const ARMCPRegInfo *ri,
4654                             uint64_t value)
4655 {
4656     vfp_set_fpsr(env, value);
4657 }
4658 
4659 static CPAccessResult aa64_daif_access(CPUARMState *env, const ARMCPRegInfo *ri,
4660                                        bool isread)
4661 {
4662     if (arm_current_el(env) == 0 && !(arm_sctlr(env, 0) & SCTLR_UMA)) {
4663         return CP_ACCESS_TRAP_EL1;
4664     }
4665     return CP_ACCESS_OK;
4666 }
4667 
4668 static void aa64_daif_write(CPUARMState *env, const ARMCPRegInfo *ri,
4669                             uint64_t value)
4670 {
4671     env->daif = value & PSTATE_DAIF;
4672 }
4673 
4674 static uint64_t aa64_pan_read(CPUARMState *env, const ARMCPRegInfo *ri)
4675 {
4676     return env->pstate & PSTATE_PAN;
4677 }
4678 
4679 static void aa64_pan_write(CPUARMState *env, const ARMCPRegInfo *ri,
4680                            uint64_t value)
4681 {
4682     env->pstate = (env->pstate & ~PSTATE_PAN) | (value & PSTATE_PAN);
4683 }
4684 
4685 static const ARMCPRegInfo pan_reginfo = {
4686     .name = "PAN", .state = ARM_CP_STATE_AA64,
4687     .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 2, .opc2 = 3,
4688     .type = ARM_CP_NO_RAW, .access = PL1_RW,
4689     .readfn = aa64_pan_read, .writefn = aa64_pan_write
4690 };
4691 
4692 static uint64_t aa64_uao_read(CPUARMState *env, const ARMCPRegInfo *ri)
4693 {
4694     return env->pstate & PSTATE_UAO;
4695 }
4696 
4697 static void aa64_uao_write(CPUARMState *env, const ARMCPRegInfo *ri,
4698                            uint64_t value)
4699 {
4700     env->pstate = (env->pstate & ~PSTATE_UAO) | (value & PSTATE_UAO);
4701 }
4702 
4703 static const ARMCPRegInfo uao_reginfo = {
4704     .name = "UAO", .state = ARM_CP_STATE_AA64,
4705     .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 2, .opc2 = 4,
4706     .type = ARM_CP_NO_RAW, .access = PL1_RW,
4707     .readfn = aa64_uao_read, .writefn = aa64_uao_write
4708 };
4709 
4710 static uint64_t aa64_dit_read(CPUARMState *env, const ARMCPRegInfo *ri)
4711 {
4712     return env->pstate & PSTATE_DIT;
4713 }
4714 
4715 static void aa64_dit_write(CPUARMState *env, const ARMCPRegInfo *ri,
4716                            uint64_t value)
4717 {
4718     env->pstate = (env->pstate & ~PSTATE_DIT) | (value & PSTATE_DIT);
4719 }
4720 
4721 static const ARMCPRegInfo dit_reginfo = {
4722     .name = "DIT", .state = ARM_CP_STATE_AA64,
4723     .opc0 = 3, .opc1 = 3, .crn = 4, .crm = 2, .opc2 = 5,
4724     .type = ARM_CP_NO_RAW, .access = PL0_RW,
4725     .readfn = aa64_dit_read, .writefn = aa64_dit_write
4726 };
4727 
4728 static uint64_t aa64_ssbs_read(CPUARMState *env, const ARMCPRegInfo *ri)
4729 {
4730     return env->pstate & PSTATE_SSBS;
4731 }
4732 
4733 static void aa64_ssbs_write(CPUARMState *env, const ARMCPRegInfo *ri,
4734                            uint64_t value)
4735 {
4736     env->pstate = (env->pstate & ~PSTATE_SSBS) | (value & PSTATE_SSBS);
4737 }
4738 
4739 static const ARMCPRegInfo ssbs_reginfo = {
4740     .name = "SSBS", .state = ARM_CP_STATE_AA64,
4741     .opc0 = 3, .opc1 = 3, .crn = 4, .crm = 2, .opc2 = 6,
4742     .type = ARM_CP_NO_RAW, .access = PL0_RW,
4743     .readfn = aa64_ssbs_read, .writefn = aa64_ssbs_write
4744 };
4745 
4746 static CPAccessResult aa64_cacheop_poc_access(CPUARMState *env,
4747                                               const ARMCPRegInfo *ri,
4748                                               bool isread)
4749 {
4750     /* Cache invalidate/clean to Point of Coherency or Persistence...  */
4751     switch (arm_current_el(env)) {
4752     case 0:
4753         /* ... EL0 must trap to EL1 unless SCTLR_EL1.UCI is set.  */
4754         if (!(arm_sctlr(env, 0) & SCTLR_UCI)) {
4755             return CP_ACCESS_TRAP_EL1;
4756         }
4757         /* fall through */
4758     case 1:
4759         /* ... EL1 must trap to EL2 if HCR_EL2.TPCP is set.  */
4760         if (arm_hcr_el2_eff(env) & HCR_TPCP) {
4761             return CP_ACCESS_TRAP_EL2;
4762         }
4763         break;
4764     }
4765     return CP_ACCESS_OK;
4766 }
4767 
4768 static CPAccessResult do_cacheop_pou_access(CPUARMState *env, uint64_t hcrflags)
4769 {
4770     /* Cache invalidate/clean to Point of Unification... */
4771     switch (arm_current_el(env)) {
4772     case 0:
4773         /* ... EL0 must trap to EL1 unless SCTLR_EL1.UCI is set.  */
4774         if (!(arm_sctlr(env, 0) & SCTLR_UCI)) {
4775             return CP_ACCESS_TRAP_EL1;
4776         }
4777         /* fall through */
4778     case 1:
4779         /* ... EL1 must trap to EL2 if relevant HCR_EL2 flags are set.  */
4780         if (arm_hcr_el2_eff(env) & hcrflags) {
4781             return CP_ACCESS_TRAP_EL2;
4782         }
4783         break;
4784     }
4785     return CP_ACCESS_OK;
4786 }
4787 
4788 static CPAccessResult access_ticab(CPUARMState *env, const ARMCPRegInfo *ri,
4789                                    bool isread)
4790 {
4791     return do_cacheop_pou_access(env, HCR_TICAB | HCR_TPU);
4792 }
4793 
4794 static CPAccessResult access_tocu(CPUARMState *env, const ARMCPRegInfo *ri,
4795                                   bool isread)
4796 {
4797     return do_cacheop_pou_access(env, HCR_TOCU | HCR_TPU);
4798 }
4799 
4800 static CPAccessResult aa64_zva_access(CPUARMState *env, const ARMCPRegInfo *ri,
4801                                       bool isread)
4802 {
4803     int cur_el = arm_current_el(env);
4804 
4805     if (cur_el < 2) {
4806         uint64_t hcr = arm_hcr_el2_eff(env);
4807 
4808         if (cur_el == 0) {
4809             if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) {
4810                 if (!(env->cp15.sctlr_el[2] & SCTLR_DZE)) {
4811                     return CP_ACCESS_TRAP_EL2;
4812                 }
4813             } else {
4814                 if (!(env->cp15.sctlr_el[1] & SCTLR_DZE)) {
4815                     return CP_ACCESS_TRAP_EL1;
4816                 }
4817                 if (hcr & HCR_TDZ) {
4818                     return CP_ACCESS_TRAP_EL2;
4819                 }
4820             }
4821         } else if (hcr & HCR_TDZ) {
4822             return CP_ACCESS_TRAP_EL2;
4823         }
4824     }
4825     return CP_ACCESS_OK;
4826 }
4827 
4828 static uint64_t aa64_dczid_read(CPUARMState *env, const ARMCPRegInfo *ri)
4829 {
4830     ARMCPU *cpu = env_archcpu(env);
4831     int dzp_bit = 1 << 4;
4832 
4833     /* DZP indicates whether DC ZVA access is allowed */
4834     if (aa64_zva_access(env, NULL, false) == CP_ACCESS_OK) {
4835         dzp_bit = 0;
4836     }
4837     return cpu->dcz_blocksize | dzp_bit;
4838 }
4839 
4840 static CPAccessResult sp_el0_access(CPUARMState *env, const ARMCPRegInfo *ri,
4841                                     bool isread)
4842 {
4843     if (!(env->pstate & PSTATE_SP)) {
4844         /*
4845          * Access to SP_EL0 is undefined if it's being used as
4846          * the stack pointer.
4847          */
4848         return CP_ACCESS_UNDEFINED;
4849     }
4850     return CP_ACCESS_OK;
4851 }
4852 
4853 static uint64_t spsel_read(CPUARMState *env, const ARMCPRegInfo *ri)
4854 {
4855     return env->pstate & PSTATE_SP;
4856 }
4857 
4858 static void spsel_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t val)
4859 {
4860     update_spsel(env, val);
4861 }
4862 
4863 static void sctlr_write(CPUARMState *env, const ARMCPRegInfo *ri,
4864                         uint64_t value)
4865 {
4866     ARMCPU *cpu = env_archcpu(env);
4867 
4868     if (arm_feature(env, ARM_FEATURE_PMSA) && !cpu->has_mpu) {
4869         /* M bit is RAZ/WI for PMSA with no MPU implemented */
4870         value &= ~SCTLR_M;
4871     }
4872 
4873     /* ??? Lots of these bits are not implemented.  */
4874 
4875     if (ri->state == ARM_CP_STATE_AA64 && !cpu_isar_feature(aa64_mte, cpu)) {
4876         if (ri->opc1 == 6) { /* SCTLR_EL3 */
4877             value &= ~(SCTLR_ITFSB | SCTLR_TCF | SCTLR_ATA);
4878         } else {
4879             value &= ~(SCTLR_ITFSB | SCTLR_TCF0 | SCTLR_TCF |
4880                        SCTLR_ATA0 | SCTLR_ATA);
4881         }
4882     }
4883 
4884     if (raw_read(env, ri) == value) {
4885         /*
4886          * Skip the TLB flush if nothing actually changed; Linux likes
4887          * to do a lot of pointless SCTLR writes.
4888          */
4889         return;
4890     }
4891 
4892     raw_write(env, ri, value);
4893 
4894     /* This may enable/disable the MMU, so do a TLB flush.  */
4895     tlb_flush(CPU(cpu));
4896 
4897     if (tcg_enabled() && ri->type & ARM_CP_SUPPRESS_TB_END) {
4898         /*
4899          * Normally we would always end the TB on an SCTLR write; see the
4900          * comment in ARMCPRegInfo sctlr initialization below for why Xscale
4901          * is special.  Setting ARM_CP_SUPPRESS_TB_END also stops the rebuild
4902          * of hflags from the translator, so do it here.
4903          */
4904         arm_rebuild_hflags(env);
4905     }
4906 }
4907 
4908 static void mdcr_el3_write(CPUARMState *env, const ARMCPRegInfo *ri,
4909                            uint64_t value)
4910 {
4911     /*
4912      * Some MDCR_EL3 bits affect whether PMU counters are running:
4913      * if we are trying to change any of those then we must
4914      * bracket this update with PMU start/finish calls.
4915      */
4916     bool pmu_op = (env->cp15.mdcr_el3 ^ value) & MDCR_EL3_PMU_ENABLE_BITS;
4917 
4918     if (pmu_op) {
4919         pmu_op_start(env);
4920     }
4921     env->cp15.mdcr_el3 = value;
4922     if (pmu_op) {
4923         pmu_op_finish(env);
4924     }
4925 }
4926 
4927 static void sdcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
4928                        uint64_t value)
4929 {
4930     /* Not all bits defined for MDCR_EL3 exist in the AArch32 SDCR */
4931     mdcr_el3_write(env, ri, value & SDCR_VALID_MASK);
4932 }
4933 
4934 static void mdcr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri,
4935                            uint64_t value)
4936 {
4937     /*
4938      * Some MDCR_EL2 bits affect whether PMU counters are running:
4939      * if we are trying to change any of those then we must
4940      * bracket this update with PMU start/finish calls.
4941      */
4942     bool pmu_op = (env->cp15.mdcr_el2 ^ value) & MDCR_EL2_PMU_ENABLE_BITS;
4943 
4944     if (pmu_op) {
4945         pmu_op_start(env);
4946     }
4947     env->cp15.mdcr_el2 = value;
4948     if (pmu_op) {
4949         pmu_op_finish(env);
4950     }
4951 }
4952 
4953 static CPAccessResult access_nv1(CPUARMState *env, const ARMCPRegInfo *ri,
4954                                  bool isread)
4955 {
4956     if (arm_current_el(env) == 1) {
4957         uint64_t hcr_nv = arm_hcr_el2_eff(env) & (HCR_NV | HCR_NV1 | HCR_NV2);
4958 
4959         if (hcr_nv == (HCR_NV | HCR_NV1)) {
4960             return CP_ACCESS_TRAP_EL2;
4961         }
4962     }
4963     return CP_ACCESS_OK;
4964 }
4965 
4966 #ifdef CONFIG_USER_ONLY
4967 /*
4968  * `IC IVAU` is handled to improve compatibility with JITs that dual-map their
4969  * code to get around W^X restrictions, where one region is writable and the
4970  * other is executable.
4971  *
4972  * Since the executable region is never written to we cannot detect code
4973  * changes when running in user mode, and rely on the emulated JIT telling us
4974  * that the code has changed by executing this instruction.
4975  */
4976 static void ic_ivau_write(CPUARMState *env, const ARMCPRegInfo *ri,
4977                           uint64_t value)
4978 {
4979     uint64_t icache_line_mask, start_address, end_address;
4980     const ARMCPU *cpu;
4981 
4982     cpu = env_archcpu(env);
4983 
4984     icache_line_mask = (4 << extract32(cpu->ctr, 0, 4)) - 1;
4985     start_address = value & ~icache_line_mask;
4986     end_address = value | icache_line_mask;
4987 
4988     mmap_lock();
4989 
4990     tb_invalidate_phys_range(env_cpu(env), start_address, end_address);
4991 
4992     mmap_unlock();
4993 }
4994 #endif
4995 
4996 static const ARMCPRegInfo v8_cp_reginfo[] = {
4997     /*
4998      * Minimal set of EL0-visible registers. This will need to be expanded
4999      * significantly for system emulation of AArch64 CPUs.
5000      */
5001     { .name = "NZCV", .state = ARM_CP_STATE_AA64,
5002       .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 2,
5003       .access = PL0_RW, .type = ARM_CP_NZCV },
5004     { .name = "DAIF", .state = ARM_CP_STATE_AA64,
5005       .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 2,
5006       .type = ARM_CP_NO_RAW,
5007       .access = PL0_RW, .accessfn = aa64_daif_access,
5008       .fieldoffset = offsetof(CPUARMState, daif),
5009       .writefn = aa64_daif_write, .resetfn = arm_cp_reset_ignore },
5010     { .name = "FPCR", .state = ARM_CP_STATE_AA64,
5011       .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 4,
5012       .access = PL0_RW, .type = ARM_CP_FPU,
5013       .readfn = aa64_fpcr_read, .writefn = aa64_fpcr_write },
5014     { .name = "FPSR", .state = ARM_CP_STATE_AA64,
5015       .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 4,
5016       .access = PL0_RW, .type = ARM_CP_FPU | ARM_CP_SUPPRESS_TB_END,
5017       .readfn = aa64_fpsr_read, .writefn = aa64_fpsr_write },
5018     { .name = "DCZID_EL0", .state = ARM_CP_STATE_AA64,
5019       .opc0 = 3, .opc1 = 3, .opc2 = 7, .crn = 0, .crm = 0,
5020       .access = PL0_R, .type = ARM_CP_NO_RAW,
5021       .fgt = FGT_DCZID_EL0,
5022       .readfn = aa64_dczid_read },
5023     { .name = "DC_ZVA", .state = ARM_CP_STATE_AA64,
5024       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 4, .opc2 = 1,
5025       .access = PL0_W, .type = ARM_CP_DC_ZVA,
5026 #ifndef CONFIG_USER_ONLY
5027       /* Avoid overhead of an access check that always passes in user-mode */
5028       .accessfn = aa64_zva_access,
5029       .fgt = FGT_DCZVA,
5030 #endif
5031     },
5032     { .name = "CURRENTEL", .state = ARM_CP_STATE_AA64,
5033       .opc0 = 3, .opc1 = 0, .opc2 = 2, .crn = 4, .crm = 2,
5034       .access = PL1_R, .type = ARM_CP_CURRENTEL },
5035     /*
5036      * Instruction cache ops. All of these except `IC IVAU` NOP because we
5037      * don't emulate caches.
5038      */
5039     { .name = "IC_IALLUIS", .state = ARM_CP_STATE_AA64,
5040       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0,
5041       .access = PL1_W, .type = ARM_CP_NOP,
5042       .fgt = FGT_ICIALLUIS,
5043       .accessfn = access_ticab },
5044     { .name = "IC_IALLU", .state = ARM_CP_STATE_AA64,
5045       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 0,
5046       .access = PL1_W, .type = ARM_CP_NOP,
5047       .fgt = FGT_ICIALLU,
5048       .accessfn = access_tocu },
5049     { .name = "IC_IVAU", .state = ARM_CP_STATE_AA64,
5050       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 5, .opc2 = 1,
5051       .access = PL0_W,
5052       .fgt = FGT_ICIVAU,
5053       .accessfn = access_tocu,
5054 #ifdef CONFIG_USER_ONLY
5055       .type = ARM_CP_NO_RAW,
5056       .writefn = ic_ivau_write
5057 #else
5058       .type = ARM_CP_NOP
5059 #endif
5060     },
5061     /* Cache ops: all NOPs since we don't emulate caches */
5062     { .name = "DC_IVAC", .state = ARM_CP_STATE_AA64,
5063       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1,
5064       .access = PL1_W, .accessfn = aa64_cacheop_poc_access,
5065       .fgt = FGT_DCIVAC,
5066       .type = ARM_CP_NOP },
5067     { .name = "DC_ISW", .state = ARM_CP_STATE_AA64,
5068       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 2,
5069       .fgt = FGT_DCISW,
5070       .access = PL1_W, .accessfn = access_tsw, .type = ARM_CP_NOP },
5071     { .name = "DC_CVAC", .state = ARM_CP_STATE_AA64,
5072       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 10, .opc2 = 1,
5073       .access = PL0_W, .type = ARM_CP_NOP,
5074       .fgt = FGT_DCCVAC,
5075       .accessfn = aa64_cacheop_poc_access },
5076     { .name = "DC_CSW", .state = ARM_CP_STATE_AA64,
5077       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2,
5078       .fgt = FGT_DCCSW,
5079       .access = PL1_W, .accessfn = access_tsw, .type = ARM_CP_NOP },
5080     { .name = "DC_CVAU", .state = ARM_CP_STATE_AA64,
5081       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 11, .opc2 = 1,
5082       .access = PL0_W, .type = ARM_CP_NOP,
5083       .fgt = FGT_DCCVAU,
5084       .accessfn = access_tocu },
5085     { .name = "DC_CIVAC", .state = ARM_CP_STATE_AA64,
5086       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 14, .opc2 = 1,
5087       .access = PL0_W, .type = ARM_CP_NOP,
5088       .fgt = FGT_DCCIVAC,
5089       .accessfn = aa64_cacheop_poc_access },
5090     { .name = "DC_CISW", .state = ARM_CP_STATE_AA64,
5091       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2,
5092       .fgt = FGT_DCCISW,
5093       .access = PL1_W, .accessfn = access_tsw, .type = ARM_CP_NOP },
5094 #ifndef CONFIG_USER_ONLY
5095     /* 64 bit address translation operations */
5096     { .name = "AT_S1E1R", .state = ARM_CP_STATE_AA64,
5097       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 0,
5098       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
5099       .fgt = FGT_ATS1E1R,
5100       .accessfn = at_s1e01_access, .writefn = ats_write64 },
5101     { .name = "AT_S1E1W", .state = ARM_CP_STATE_AA64,
5102       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 1,
5103       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
5104       .fgt = FGT_ATS1E1W,
5105       .accessfn = at_s1e01_access, .writefn = ats_write64 },
5106     { .name = "AT_S1E0R", .state = ARM_CP_STATE_AA64,
5107       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 2,
5108       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
5109       .fgt = FGT_ATS1E0R,
5110       .accessfn = at_s1e01_access, .writefn = ats_write64 },
5111     { .name = "AT_S1E0W", .state = ARM_CP_STATE_AA64,
5112       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 3,
5113       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
5114       .fgt = FGT_ATS1E0W,
5115       .accessfn = at_s1e01_access, .writefn = ats_write64 },
5116     { .name = "AT_S12E1R", .state = ARM_CP_STATE_AA64,
5117       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 4,
5118       .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
5119       .accessfn = at_e012_access, .writefn = ats_write64 },
5120     { .name = "AT_S12E1W", .state = ARM_CP_STATE_AA64,
5121       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 5,
5122       .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
5123       .accessfn = at_e012_access, .writefn = ats_write64 },
5124     { .name = "AT_S12E0R", .state = ARM_CP_STATE_AA64,
5125       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 6,
5126       .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
5127       .accessfn = at_e012_access, .writefn = ats_write64 },
5128     { .name = "AT_S12E0W", .state = ARM_CP_STATE_AA64,
5129       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 7,
5130       .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
5131       .accessfn = at_e012_access, .writefn = ats_write64 },
5132     /* AT S1E2* are elsewhere as they UNDEF from EL3 if EL2 is not present */
5133     { .name = "AT_S1E3R", .state = ARM_CP_STATE_AA64,
5134       .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 0,
5135       .access = PL3_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
5136       .writefn = ats_write64 },
5137     { .name = "AT_S1E3W", .state = ARM_CP_STATE_AA64,
5138       .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 1,
5139       .access = PL3_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
5140       .writefn = ats_write64 },
5141     { .name = "PAR_EL1", .state = ARM_CP_STATE_AA64,
5142       .type = ARM_CP_ALIAS,
5143       .opc0 = 3, .opc1 = 0, .crn = 7, .crm = 4, .opc2 = 0,
5144       .access = PL1_RW, .resetvalue = 0,
5145       .fgt = FGT_PAR_EL1,
5146       .fieldoffset = offsetof(CPUARMState, cp15.par_el[1]),
5147       .writefn = par_write },
5148 #endif
5149     /* 32 bit cache operations */
5150     { .name = "ICIALLUIS", .cp = 15, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0,
5151       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_ticab },
5152     { .name = "BPIALLUIS", .cp = 15, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 6,
5153       .type = ARM_CP_NOP, .access = PL1_W },
5154     { .name = "ICIALLU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 0,
5155       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tocu },
5156     { .name = "ICIMVAU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 1,
5157       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tocu },
5158     { .name = "BPIALL", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 6,
5159       .type = ARM_CP_NOP, .access = PL1_W },
5160     { .name = "BPIMVA", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 7,
5161       .type = ARM_CP_NOP, .access = PL1_W },
5162     { .name = "DCIMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1,
5163       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_poc_access },
5164     { .name = "DCISW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 2,
5165       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw },
5166     { .name = "DCCMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 1,
5167       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_poc_access },
5168     { .name = "DCCSW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2,
5169       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw },
5170     { .name = "DCCMVAU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 11, .opc2 = 1,
5171       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tocu },
5172     { .name = "DCCIMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 1,
5173       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_poc_access },
5174     { .name = "DCCISW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2,
5175       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw },
5176     /* MMU Domain access control / MPU write buffer control */
5177     { .name = "DACR", .cp = 15, .opc1 = 0, .crn = 3, .crm = 0, .opc2 = 0,
5178       .access = PL1_RW, .accessfn = access_tvm_trvm, .resetvalue = 0,
5179       .writefn = dacr_write, .raw_writefn = raw_write,
5180       .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dacr_s),
5181                              offsetoflow32(CPUARMState, cp15.dacr_ns) } },
5182     { .name = "ELR_EL1", .state = ARM_CP_STATE_AA64,
5183       .type = ARM_CP_ALIAS,
5184       .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 0, .opc2 = 1,
5185       .access = PL1_RW, .accessfn = access_nv1,
5186       .nv2_redirect_offset = 0x230 | NV2_REDIR_NV1,
5187       .fieldoffset = offsetof(CPUARMState, elr_el[1]) },
5188     { .name = "SPSR_EL1", .state = ARM_CP_STATE_AA64,
5189       .type = ARM_CP_ALIAS,
5190       .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 0, .opc2 = 0,
5191       .access = PL1_RW, .accessfn = access_nv1,
5192       .nv2_redirect_offset = 0x160 | NV2_REDIR_NV1,
5193       .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_SVC]) },
5194     /*
5195      * We rely on the access checks not allowing the guest to write to the
5196      * state field when SPSel indicates that it's being used as the stack
5197      * pointer.
5198      */
5199     { .name = "SP_EL0", .state = ARM_CP_STATE_AA64,
5200       .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 1, .opc2 = 0,
5201       .access = PL1_RW, .accessfn = sp_el0_access,
5202       .type = ARM_CP_ALIAS,
5203       .fieldoffset = offsetof(CPUARMState, sp_el[0]) },
5204     { .name = "SP_EL1", .state = ARM_CP_STATE_AA64,
5205       .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 1, .opc2 = 0,
5206       .nv2_redirect_offset = 0x240,
5207       .access = PL2_RW, .type = ARM_CP_ALIAS | ARM_CP_EL3_NO_EL2_KEEP,
5208       .fieldoffset = offsetof(CPUARMState, sp_el[1]) },
5209     { .name = "SPSel", .state = ARM_CP_STATE_AA64,
5210       .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 2, .opc2 = 0,
5211       .type = ARM_CP_NO_RAW,
5212       .access = PL1_RW, .readfn = spsel_read, .writefn = spsel_write },
5213     { .name = "SPSR_IRQ", .state = ARM_CP_STATE_AA64,
5214       .type = ARM_CP_ALIAS,
5215       .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 3, .opc2 = 0,
5216       .access = PL2_RW,
5217       .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_IRQ]) },
5218     { .name = "SPSR_ABT", .state = ARM_CP_STATE_AA64,
5219       .type = ARM_CP_ALIAS,
5220       .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 3, .opc2 = 1,
5221       .access = PL2_RW,
5222       .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_ABT]) },
5223     { .name = "SPSR_UND", .state = ARM_CP_STATE_AA64,
5224       .type = ARM_CP_ALIAS,
5225       .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 3, .opc2 = 2,
5226       .access = PL2_RW,
5227       .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_UND]) },
5228     { .name = "SPSR_FIQ", .state = ARM_CP_STATE_AA64,
5229       .type = ARM_CP_ALIAS,
5230       .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 3, .opc2 = 3,
5231       .access = PL2_RW,
5232       .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_FIQ]) },
5233     { .name = "MDCR_EL3", .state = ARM_CP_STATE_AA64,
5234       .type = ARM_CP_IO,
5235       .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 3, .opc2 = 1,
5236       .resetvalue = 0,
5237       .access = PL3_RW,
5238       .writefn = mdcr_el3_write,
5239       .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el3) },
5240     { .name = "SDCR", .type = ARM_CP_ALIAS | ARM_CP_IO,
5241       .cp = 15, .opc1 = 0, .crn = 1, .crm = 3, .opc2 = 1,
5242       .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
5243       .writefn = sdcr_write,
5244       .fieldoffset = offsetoflow32(CPUARMState, cp15.mdcr_el3) },
5245 };
5246 
5247 /* These are present only when EL1 supports AArch32 */
5248 static const ARMCPRegInfo v8_aa32_el1_reginfo[] = {
5249     { .name = "FPEXC32_EL2", .state = ARM_CP_STATE_AA64,
5250       .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 3, .opc2 = 0,
5251       .access = PL2_RW,
5252       .type = ARM_CP_ALIAS | ARM_CP_FPU | ARM_CP_EL3_NO_EL2_KEEP,
5253       .fieldoffset = offsetof(CPUARMState, vfp.xregs[ARM_VFP_FPEXC]) },
5254     { .name = "DACR32_EL2", .state = ARM_CP_STATE_AA64,
5255       .opc0 = 3, .opc1 = 4, .crn = 3, .crm = 0, .opc2 = 0,
5256       .access = PL2_RW, .resetvalue = 0, .type = ARM_CP_EL3_NO_EL2_KEEP,
5257       .writefn = dacr_write, .raw_writefn = raw_write,
5258       .fieldoffset = offsetof(CPUARMState, cp15.dacr32_el2) },
5259     { .name = "IFSR32_EL2", .state = ARM_CP_STATE_AA64,
5260       .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 0, .opc2 = 1,
5261       .access = PL2_RW, .resetvalue = 0, .type = ARM_CP_EL3_NO_EL2_KEEP,
5262       .fieldoffset = offsetof(CPUARMState, cp15.ifsr32_el2) },
5263 };
5264 
5265 static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
5266 {
5267     ARMCPU *cpu = env_archcpu(env);
5268 
5269     if (arm_feature(env, ARM_FEATURE_V8)) {
5270         valid_mask |= MAKE_64BIT_MASK(0, 34);  /* ARMv8.0 */
5271     } else {
5272         valid_mask |= MAKE_64BIT_MASK(0, 28);  /* ARMv7VE */
5273     }
5274 
5275     if (arm_feature(env, ARM_FEATURE_EL3)) {
5276         valid_mask &= ~HCR_HCD;
5277     } else if (cpu->psci_conduit != QEMU_PSCI_CONDUIT_SMC) {
5278         /*
5279          * Architecturally HCR.TSC is RES0 if EL3 is not implemented.
5280          * However, if we're using the SMC PSCI conduit then QEMU is
5281          * effectively acting like EL3 firmware and so the guest at
5282          * EL2 should retain the ability to prevent EL1 from being
5283          * able to make SMC calls into the ersatz firmware, so in
5284          * that case HCR.TSC should be read/write.
5285          */
5286         valid_mask &= ~HCR_TSC;
5287     }
5288 
5289     if (arm_feature(env, ARM_FEATURE_AARCH64)) {
5290         if (cpu_isar_feature(aa64_vh, cpu)) {
5291             valid_mask |= HCR_E2H;
5292         }
5293         if (cpu_isar_feature(aa64_ras, cpu)) {
5294             valid_mask |= HCR_TERR | HCR_TEA;
5295         }
5296         if (cpu_isar_feature(aa64_lor, cpu)) {
5297             valid_mask |= HCR_TLOR;
5298         }
5299         if (cpu_isar_feature(aa64_pauth, cpu)) {
5300             valid_mask |= HCR_API | HCR_APK;
5301         }
5302         if (cpu_isar_feature(aa64_mte, cpu)) {
5303             valid_mask |= HCR_ATA | HCR_DCT | HCR_TID5;
5304         }
5305         if (cpu_isar_feature(aa64_scxtnum, cpu)) {
5306             valid_mask |= HCR_ENSCXT;
5307         }
5308         if (cpu_isar_feature(aa64_fwb, cpu)) {
5309             valid_mask |= HCR_FWB;
5310         }
5311         if (cpu_isar_feature(aa64_rme, cpu)) {
5312             valid_mask |= HCR_GPF;
5313         }
5314         if (cpu_isar_feature(aa64_nv, cpu)) {
5315             valid_mask |= HCR_NV | HCR_NV1 | HCR_AT;
5316         }
5317         if (cpu_isar_feature(aa64_nv2, cpu)) {
5318             valid_mask |= HCR_NV2;
5319         }
5320     }
5321 
5322     if (cpu_isar_feature(any_evt, cpu)) {
5323         valid_mask |= HCR_TTLBIS | HCR_TTLBOS | HCR_TICAB | HCR_TOCU | HCR_TID4;
5324     } else if (cpu_isar_feature(any_half_evt, cpu)) {
5325         valid_mask |= HCR_TICAB | HCR_TOCU | HCR_TID4;
5326     }
5327 
5328     /* Clear RES0 bits.  */
5329     value &= valid_mask;
5330 
5331     /* RW is RAO/WI if EL1 is AArch64 only */
5332     if (!cpu_isar_feature(aa64_aa32_el1, cpu)) {
5333         value |= HCR_RW;
5334     }
5335 
5336     /*
5337      * These bits change the MMU setup:
5338      * HCR_VM enables stage 2 translation
5339      * HCR_PTW forbids certain page-table setups
5340      * HCR_DC disables stage1 and enables stage2 translation
5341      * HCR_DCT enables tagging on (disabled) stage1 translation
5342      * HCR_FWB changes the interpretation of stage2 descriptor bits
5343      * HCR_NV and HCR_NV1 affect interpretation of descriptor bits
5344      */
5345     if ((env->cp15.hcr_el2 ^ value) &
5346         (HCR_VM | HCR_PTW | HCR_DC | HCR_DCT | HCR_FWB | HCR_NV | HCR_NV1)) {
5347         tlb_flush(CPU(cpu));
5348     }
5349     env->cp15.hcr_el2 = value;
5350 
5351     /*
5352      * Updates to VI and VF require us to update the status of
5353      * virtual interrupts, which are the logical OR of these bits
5354      * and the state of the input lines from the GIC. (This requires
5355      * that we have the BQL, which is done by marking the
5356      * reginfo structs as ARM_CP_IO.)
5357      * Note that if a write to HCR pends a VIRQ or VFIQ or VINMI or
5358      * VFNMI, it is never possible for it to be taken immediately
5359      * because VIRQ, VFIQ, VINMI and VFNMI are masked unless running
5360      * at EL0 or EL1, and HCR can only be written at EL2.
5361      */
5362     g_assert(bql_locked());
5363     arm_cpu_update_virq(cpu);
5364     arm_cpu_update_vfiq(cpu);
5365     arm_cpu_update_vserr(cpu);
5366     if (cpu_isar_feature(aa64_nmi, cpu)) {
5367         arm_cpu_update_vinmi(cpu);
5368         arm_cpu_update_vfnmi(cpu);
5369     }
5370 }
5371 
5372 static void hcr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
5373 {
5374     do_hcr_write(env, value, 0);
5375 }
5376 
5377 static void hcr_writehigh(CPUARMState *env, const ARMCPRegInfo *ri,
5378                           uint64_t value)
5379 {
5380     /* Handle HCR2 write, i.e. write to high half of HCR_EL2 */
5381     value = deposit64(env->cp15.hcr_el2, 32, 32, value);
5382     do_hcr_write(env, value, MAKE_64BIT_MASK(0, 32));
5383 }
5384 
5385 static void hcr_writelow(CPUARMState *env, const ARMCPRegInfo *ri,
5386                          uint64_t value)
5387 {
5388     /* Handle HCR write, i.e. write to low half of HCR_EL2 */
5389     value = deposit64(env->cp15.hcr_el2, 0, 32, value);
5390     do_hcr_write(env, value, MAKE_64BIT_MASK(32, 32));
5391 }
5392 
5393 static void hcr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
5394 {
5395     /* hcr_write will set the RES1 bits on an AArch64-only CPU */
5396     hcr_write(env, ri, 0);
5397 }
5398 
5399 /*
5400  * Return the effective value of HCR_EL2, at the given security state.
5401  * Bits that are not included here:
5402  * RW       (read from SCR_EL3.RW as needed)
5403  */
5404 uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, ARMSecuritySpace space)
5405 {
5406     uint64_t ret = env->cp15.hcr_el2;
5407 
5408     assert(space != ARMSS_Root);
5409 
5410     if (!arm_is_el2_enabled_secstate(env, space)) {
5411         /*
5412          * "This register has no effect if EL2 is not enabled in the
5413          * current Security state".  This is ARMv8.4-SecEL2 speak for
5414          * !(SCR_EL3.NS==1 || SCR_EL3.EEL2==1).
5415          *
5416          * Prior to that, the language was "In an implementation that
5417          * includes EL3, when the value of SCR_EL3.NS is 0 the PE behaves
5418          * as if this field is 0 for all purposes other than a direct
5419          * read or write access of HCR_EL2".  With lots of enumeration
5420          * on a per-field basis.  In current QEMU, this is condition
5421          * is arm_is_secure_below_el3.
5422          *
5423          * Since the v8.4 language applies to the entire register, and
5424          * appears to be backward compatible, use that.
5425          */
5426         return 0;
5427     }
5428 
5429     /*
5430      * For a cpu that supports both aarch64 and aarch32, we can set bits
5431      * in HCR_EL2 (e.g. via EL3) that are RES0 when we enter EL2 as aa32.
5432      * Ignore all of the bits in HCR+HCR2 that are not valid for aarch32.
5433      */
5434     if (!arm_el_is_aa64(env, 2)) {
5435         uint64_t aa32_valid;
5436 
5437         /*
5438          * These bits are up-to-date as of ARMv8.6.
5439          * For HCR, it's easiest to list just the 2 bits that are invalid.
5440          * For HCR2, list those that are valid.
5441          */
5442         aa32_valid = MAKE_64BIT_MASK(0, 32) & ~(HCR_RW | HCR_TDZ);
5443         aa32_valid |= (HCR_CD | HCR_ID | HCR_TERR | HCR_TEA | HCR_MIOCNCE |
5444                        HCR_TID4 | HCR_TICAB | HCR_TOCU | HCR_TTLBIS);
5445         ret &= aa32_valid;
5446     }
5447 
5448     if (ret & HCR_TGE) {
5449         /* These bits are up-to-date as of ARMv8.6.  */
5450         if (ret & HCR_E2H) {
5451             ret &= ~(HCR_VM | HCR_FMO | HCR_IMO | HCR_AMO |
5452                      HCR_BSU_MASK | HCR_DC | HCR_TWI | HCR_TWE |
5453                      HCR_TID0 | HCR_TID2 | HCR_TPCP | HCR_TPU |
5454                      HCR_TDZ | HCR_CD | HCR_ID | HCR_MIOCNCE |
5455                      HCR_TID4 | HCR_TICAB | HCR_TOCU | HCR_ENSCXT |
5456                      HCR_TTLBIS | HCR_TTLBOS | HCR_TID5);
5457         } else {
5458             ret |= HCR_FMO | HCR_IMO | HCR_AMO;
5459         }
5460         ret &= ~(HCR_SWIO | HCR_PTW | HCR_VF | HCR_VI | HCR_VSE |
5461                  HCR_FB | HCR_TID1 | HCR_TID3 | HCR_TSC | HCR_TACR |
5462                  HCR_TSW | HCR_TTLB | HCR_TVM | HCR_HCD | HCR_TRVM |
5463                  HCR_TLOR);
5464     }
5465 
5466     return ret;
5467 }
5468 
5469 uint64_t arm_hcr_el2_eff(CPUARMState *env)
5470 {
5471     if (arm_feature(env, ARM_FEATURE_M)) {
5472         return 0;
5473     }
5474     return arm_hcr_el2_eff_secstate(env, arm_security_space_below_el3(env));
5475 }
5476 
5477 /*
5478  * Corresponds to ARM pseudocode function ELIsInHost().
5479  */
5480 bool el_is_in_host(CPUARMState *env, int el)
5481 {
5482     uint64_t mask;
5483 
5484     /*
5485      * Since we only care about E2H and TGE, we can skip arm_hcr_el2_eff().
5486      * Perform the simplest bit tests first, and validate EL2 afterward.
5487      */
5488     if (el & 1) {
5489         return false; /* EL1 or EL3 */
5490     }
5491 
5492     /*
5493      * Note that hcr_write() checks isar_feature_aa64_vh(),
5494      * aka HaveVirtHostExt(), in allowing HCR_E2H to be set.
5495      */
5496     mask = el ? HCR_E2H : HCR_E2H | HCR_TGE;
5497     if ((env->cp15.hcr_el2 & mask) != mask) {
5498         return false;
5499     }
5500 
5501     /* TGE and/or E2H set: double check those bits are currently legal. */
5502     return arm_is_el2_enabled(env) && arm_el_is_aa64(env, 2);
5503 }
5504 
5505 static void hcrx_write(CPUARMState *env, const ARMCPRegInfo *ri,
5506                        uint64_t value)
5507 {
5508     ARMCPU *cpu = env_archcpu(env);
5509     uint64_t valid_mask = 0;
5510 
5511     /* FEAT_MOPS adds MSCEn and MCE2 */
5512     if (cpu_isar_feature(aa64_mops, cpu)) {
5513         valid_mask |= HCRX_MSCEN | HCRX_MCE2;
5514     }
5515 
5516     /* FEAT_NMI adds TALLINT, VINMI and VFNMI */
5517     if (cpu_isar_feature(aa64_nmi, cpu)) {
5518         valid_mask |= HCRX_TALLINT | HCRX_VINMI | HCRX_VFNMI;
5519     }
5520     /* FEAT_CMOW adds CMOW */
5521     if (cpu_isar_feature(aa64_cmow, cpu)) {
5522         valid_mask |= HCRX_CMOW;
5523     }
5524     /* FEAT_XS adds FGTnXS, FnXS */
5525     if (cpu_isar_feature(aa64_xs, cpu)) {
5526         valid_mask |= HCRX_FGTNXS | HCRX_FNXS;
5527     }
5528 
5529     /* Clear RES0 bits.  */
5530     env->cp15.hcrx_el2 = value & valid_mask;
5531 
5532     /*
5533      * Updates to VINMI and VFNMI require us to update the status of
5534      * virtual NMI, which are the logical OR of these bits
5535      * and the state of the input lines from the GIC. (This requires
5536      * that we have the BQL, which is done by marking the
5537      * reginfo structs as ARM_CP_IO.)
5538      * Note that if a write to HCRX pends a VINMI or VFNMI it is never
5539      * possible for it to be taken immediately, because VINMI and
5540      * VFNMI are masked unless running at EL0 or EL1, and HCRX
5541      * can only be written at EL2.
5542      */
5543     if (cpu_isar_feature(aa64_nmi, cpu)) {
5544         g_assert(bql_locked());
5545         arm_cpu_update_vinmi(cpu);
5546         arm_cpu_update_vfnmi(cpu);
5547     }
5548 }
5549 
5550 static CPAccessResult access_hxen(CPUARMState *env, const ARMCPRegInfo *ri,
5551                                   bool isread)
5552 {
5553     if (arm_current_el(env) == 2
5554         && arm_feature(env, ARM_FEATURE_EL3)
5555         && !(env->cp15.scr_el3 & SCR_HXEN)) {
5556         return CP_ACCESS_TRAP_EL3;
5557     }
5558     return CP_ACCESS_OK;
5559 }
5560 
5561 static const ARMCPRegInfo hcrx_el2_reginfo = {
5562     .name = "HCRX_EL2", .state = ARM_CP_STATE_AA64,
5563     .type = ARM_CP_IO,
5564     .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 2,
5565     .access = PL2_RW, .writefn = hcrx_write, .accessfn = access_hxen,
5566     .nv2_redirect_offset = 0xa0,
5567     .fieldoffset = offsetof(CPUARMState, cp15.hcrx_el2),
5568 };
5569 
5570 /* Return the effective value of HCRX_EL2.  */
5571 uint64_t arm_hcrx_el2_eff(CPUARMState *env)
5572 {
5573     /*
5574      * The bits in this register behave as 0 for all purposes other than
5575      * direct reads of the register if SCR_EL3.HXEn is 0.
5576      * If EL2 is not enabled in the current security state, then the
5577      * bit may behave as if 0, or as if 1, depending on the bit.
5578      * For the moment, we treat the EL2-disabled case as taking
5579      * priority over the HXEn-disabled case. This is true for the only
5580      * bit for a feature which we implement where the answer is different
5581      * for the two cases (MSCEn for FEAT_MOPS).
5582      * This may need to be revisited for future bits.
5583      */
5584     if (!arm_is_el2_enabled(env)) {
5585         uint64_t hcrx = 0;
5586         if (cpu_isar_feature(aa64_mops, env_archcpu(env))) {
5587             /* MSCEn behaves as 1 if EL2 is not enabled */
5588             hcrx |= HCRX_MSCEN;
5589         }
5590         return hcrx;
5591     }
5592     if (arm_feature(env, ARM_FEATURE_EL3) && !(env->cp15.scr_el3 & SCR_HXEN)) {
5593         return 0;
5594     }
5595     return env->cp15.hcrx_el2;
5596 }
5597 
5598 static void cptr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri,
5599                            uint64_t value)
5600 {
5601     /*
5602      * For A-profile AArch32 EL3, if NSACR.CP10
5603      * is 0 then HCPTR.{TCP11,TCP10} ignore writes and read as 1.
5604      */
5605     if (arm_feature(env, ARM_FEATURE_EL3) && !arm_el_is_aa64(env, 3) &&
5606         !arm_is_secure(env) && !extract32(env->cp15.nsacr, 10, 1)) {
5607         uint64_t mask = R_HCPTR_TCP11_MASK | R_HCPTR_TCP10_MASK;
5608         value = (value & ~mask) | (env->cp15.cptr_el[2] & mask);
5609     }
5610     env->cp15.cptr_el[2] = value;
5611 }
5612 
5613 static uint64_t cptr_el2_read(CPUARMState *env, const ARMCPRegInfo *ri)
5614 {
5615     /*
5616      * For A-profile AArch32 EL3, if NSACR.CP10
5617      * is 0 then HCPTR.{TCP11,TCP10} ignore writes and read as 1.
5618      */
5619     uint64_t value = env->cp15.cptr_el[2];
5620 
5621     if (arm_feature(env, ARM_FEATURE_EL3) && !arm_el_is_aa64(env, 3) &&
5622         !arm_is_secure(env) && !extract32(env->cp15.nsacr, 10, 1)) {
5623         value |= R_HCPTR_TCP11_MASK | R_HCPTR_TCP10_MASK;
5624     }
5625     return value;
5626 }
5627 
5628 static const ARMCPRegInfo el2_cp_reginfo[] = {
5629     { .name = "HCR_EL2", .state = ARM_CP_STATE_AA64,
5630       .type = ARM_CP_IO,
5631       .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,
5632       .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.hcr_el2),
5633       .nv2_redirect_offset = 0x78,
5634       .resetfn = hcr_reset,
5635       .writefn = hcr_write, .raw_writefn = raw_write },
5636     { .name = "HCR", .state = ARM_CP_STATE_AA32,
5637       .type = ARM_CP_ALIAS | ARM_CP_IO,
5638       .cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,
5639       .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.hcr_el2),
5640       .writefn = hcr_writelow },
5641     { .name = "HACR_EL2", .state = ARM_CP_STATE_BOTH,
5642       .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 7,
5643       .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
5644     { .name = "ELR_EL2", .state = ARM_CP_STATE_AA64,
5645       .type = ARM_CP_ALIAS | ARM_CP_NV2_REDIRECT,
5646       .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 0, .opc2 = 1,
5647       .access = PL2_RW,
5648       .fieldoffset = offsetof(CPUARMState, elr_el[2]) },
5649     { .name = "ESR_EL2", .state = ARM_CP_STATE_BOTH,
5650       .type = ARM_CP_NV2_REDIRECT,
5651       .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 2, .opc2 = 0,
5652       .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.esr_el[2]) },
5653     { .name = "FAR_EL2", .state = ARM_CP_STATE_BOTH,
5654       .type = ARM_CP_NV2_REDIRECT,
5655       .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 0,
5656       .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.far_el[2]) },
5657     { .name = "HIFAR", .state = ARM_CP_STATE_AA32,
5658       .type = ARM_CP_ALIAS,
5659       .cp = 15, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 2,
5660       .access = PL2_RW,
5661       .fieldoffset = offsetofhigh32(CPUARMState, cp15.far_el[2]) },
5662     { .name = "SPSR_EL2", .state = ARM_CP_STATE_AA64,
5663       .type = ARM_CP_ALIAS | ARM_CP_NV2_REDIRECT,
5664       .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 0, .opc2 = 0,
5665       .access = PL2_RW,
5666       .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_HYP]) },
5667     { .name = "VBAR_EL2", .state = ARM_CP_STATE_BOTH,
5668       .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 0,
5669       .access = PL2_RW, .writefn = vbar_write,
5670       .fieldoffset = offsetof(CPUARMState, cp15.vbar_el[2]),
5671       .resetvalue = 0 },
5672     { .name = "SP_EL2", .state = ARM_CP_STATE_AA64,
5673       .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 1, .opc2 = 0,
5674       .access = PL3_RW, .type = ARM_CP_ALIAS,
5675       .fieldoffset = offsetof(CPUARMState, sp_el[2]) },
5676     { .name = "CPTR_EL2", .state = ARM_CP_STATE_BOTH,
5677       .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 2,
5678       .access = PL2_RW, .accessfn = cptr_access, .resetvalue = 0,
5679       .fieldoffset = offsetof(CPUARMState, cp15.cptr_el[2]),
5680       .readfn = cptr_el2_read, .writefn = cptr_el2_write },
5681     { .name = "MAIR_EL2", .state = ARM_CP_STATE_BOTH,
5682       .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 0,
5683       .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.mair_el[2]),
5684       .resetvalue = 0 },
5685     { .name = "HMAIR1", .state = ARM_CP_STATE_AA32,
5686       .cp = 15, .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 1,
5687       .access = PL2_RW, .type = ARM_CP_ALIAS,
5688       .fieldoffset = offsetofhigh32(CPUARMState, cp15.mair_el[2]) },
5689     { .name = "AMAIR_EL2", .state = ARM_CP_STATE_BOTH,
5690       .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 3, .opc2 = 0,
5691       .access = PL2_RW, .type = ARM_CP_CONST,
5692       .resetvalue = 0 },
5693     /* HAMAIR1 is mapped to AMAIR_EL2[63:32] */
5694     { .name = "HAMAIR1", .state = ARM_CP_STATE_AA32,
5695       .cp = 15, .opc1 = 4, .crn = 10, .crm = 3, .opc2 = 1,
5696       .access = PL2_RW, .type = ARM_CP_CONST,
5697       .resetvalue = 0 },
5698     { .name = "AFSR0_EL2", .state = ARM_CP_STATE_BOTH,
5699       .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 1, .opc2 = 0,
5700       .access = PL2_RW, .type = ARM_CP_CONST,
5701       .resetvalue = 0 },
5702     { .name = "AFSR1_EL2", .state = ARM_CP_STATE_BOTH,
5703       .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 1, .opc2 = 1,
5704       .access = PL2_RW, .type = ARM_CP_CONST,
5705       .resetvalue = 0 },
5706     { .name = "TCR_EL2", .state = ARM_CP_STATE_BOTH,
5707       .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 2,
5708       .access = PL2_RW, .writefn = vmsa_tcr_el12_write,
5709       .raw_writefn = raw_write,
5710       .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[2]) },
5711     { .name = "VTCR", .state = ARM_CP_STATE_AA32,
5712       .cp = 15, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2,
5713       .type = ARM_CP_ALIAS,
5714       .access = PL2_RW, .accessfn = access_el3_aa32ns,
5715       .fieldoffset = offsetoflow32(CPUARMState, cp15.vtcr_el2) },
5716     { .name = "VTCR_EL2", .state = ARM_CP_STATE_AA64,
5717       .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2,
5718       .access = PL2_RW,
5719       .nv2_redirect_offset = 0x40,
5720       /* no .writefn needed as this can't cause an ASID change */
5721       .fieldoffset = offsetof(CPUARMState, cp15.vtcr_el2) },
5722     { .name = "VTTBR", .state = ARM_CP_STATE_AA32,
5723       .cp = 15, .opc1 = 6, .crm = 2,
5724       .type = ARM_CP_64BIT | ARM_CP_ALIAS,
5725       .access = PL2_RW, .accessfn = access_el3_aa32ns,
5726       .fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2),
5727       .writefn = vttbr_write, .raw_writefn = raw_write },
5728     { .name = "VTTBR_EL2", .state = ARM_CP_STATE_AA64,
5729       .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 0,
5730       .access = PL2_RW, .writefn = vttbr_write, .raw_writefn = raw_write,
5731       .nv2_redirect_offset = 0x20,
5732       .fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2) },
5733     { .name = "SCTLR_EL2", .state = ARM_CP_STATE_BOTH,
5734       .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 0,
5735       .access = PL2_RW, .raw_writefn = raw_write, .writefn = sctlr_write,
5736       .fieldoffset = offsetof(CPUARMState, cp15.sctlr_el[2]) },
5737     { .name = "TPIDR_EL2", .state = ARM_CP_STATE_BOTH,
5738       .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 2,
5739       .access = PL2_RW, .resetvalue = 0,
5740       .nv2_redirect_offset = 0x90,
5741       .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[2]) },
5742     { .name = "TTBR0_EL2", .state = ARM_CP_STATE_AA64,
5743       .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 0,
5744       .access = PL2_RW, .resetvalue = 0,
5745       .writefn = vmsa_tcr_ttbr_el2_write, .raw_writefn = raw_write,
5746       .fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[2]) },
5747     { .name = "HTTBR", .cp = 15, .opc1 = 4, .crm = 2,
5748       .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS,
5749       .fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[2]) },
5750 #ifndef CONFIG_USER_ONLY
5751     /*
5752      * Unlike the other EL2-related AT operations, these must
5753      * UNDEF from EL3 if EL2 is not implemented, which is why we
5754      * define them here rather than with the rest of the AT ops.
5755      */
5756     { .name = "AT_S1E2R", .state = ARM_CP_STATE_AA64,
5757       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
5758       .access = PL2_W, .accessfn = at_s1e2_access,
5759       .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC | ARM_CP_EL3_NO_EL2_UNDEF,
5760       .writefn = ats_write64 },
5761     { .name = "AT_S1E2W", .state = ARM_CP_STATE_AA64,
5762       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
5763       .access = PL2_W, .accessfn = at_s1e2_access,
5764       .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC | ARM_CP_EL3_NO_EL2_UNDEF,
5765       .writefn = ats_write64 },
5766     /*
5767      * The AArch32 ATS1H* operations are CONSTRAINED UNPREDICTABLE
5768      * if EL2 is not implemented; we choose to UNDEF. Behaviour at EL3
5769      * with SCR.NS == 0 outside Monitor mode is UNPREDICTABLE; we choose
5770      * to behave as if SCR.NS was 1.
5771      */
5772     { .name = "ATS1HR", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
5773       .access = PL2_W,
5774       .writefn = ats1h_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
5775     { .name = "ATS1HW", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
5776       .access = PL2_W,
5777       .writefn = ats1h_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
5778     { .name = "CNTHCTL_EL2", .state = ARM_CP_STATE_BOTH,
5779       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 1, .opc2 = 0,
5780       /*
5781        * ARMv7 requires bit 0 and 1 to reset to 1. ARMv8 defines the
5782        * reset values as IMPDEF. We choose to reset to 3 to comply with
5783        * both ARMv7 and ARMv8.
5784        */
5785       .access = PL2_RW, .type = ARM_CP_IO, .resetvalue = 3,
5786       .writefn = gt_cnthctl_write, .raw_writefn = raw_write,
5787       .fieldoffset = offsetof(CPUARMState, cp15.cnthctl_el2) },
5788     { .name = "CNTVOFF_EL2", .state = ARM_CP_STATE_AA64,
5789       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 0, .opc2 = 3,
5790       .access = PL2_RW, .type = ARM_CP_IO, .resetvalue = 0,
5791       .writefn = gt_cntvoff_write,
5792       .nv2_redirect_offset = 0x60,
5793       .fieldoffset = offsetof(CPUARMState, cp15.cntvoff_el2) },
5794     { .name = "CNTVOFF", .cp = 15, .opc1 = 4, .crm = 14,
5795       .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS | ARM_CP_IO,
5796       .writefn = gt_cntvoff_write,
5797       .fieldoffset = offsetof(CPUARMState, cp15.cntvoff_el2) },
5798     { .name = "CNTHP_CVAL_EL2", .state = ARM_CP_STATE_AA64,
5799       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 2,
5800       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYP].cval),
5801       .type = ARM_CP_IO, .access = PL2_RW,
5802       .writefn = gt_hyp_cval_write, .raw_writefn = raw_write },
5803     { .name = "CNTHP_CVAL", .cp = 15, .opc1 = 6, .crm = 14,
5804       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYP].cval),
5805       .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_IO,
5806       .writefn = gt_hyp_cval_write, .raw_writefn = raw_write },
5807     { .name = "CNTHP_TVAL_EL2", .state = ARM_CP_STATE_BOTH,
5808       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 0,
5809       .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL2_RW,
5810       .resetfn = gt_hyp_timer_reset,
5811       .readfn = gt_hyp_tval_read, .writefn = gt_hyp_tval_write },
5812     { .name = "CNTHP_CTL_EL2", .state = ARM_CP_STATE_BOTH,
5813       .type = ARM_CP_IO,
5814       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 1,
5815       .access = PL2_RW,
5816       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYP].ctl),
5817       .resetvalue = 0,
5818       .writefn = gt_hyp_ctl_write, .raw_writefn = raw_write },
5819 #endif
5820     { .name = "HPFAR", .state = ARM_CP_STATE_AA32,
5821       .cp = 15, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4,
5822       .access = PL2_RW, .accessfn = access_el3_aa32ns,
5823       .fieldoffset = offsetof(CPUARMState, cp15.hpfar_el2) },
5824     { .name = "HPFAR_EL2", .state = ARM_CP_STATE_AA64,
5825       .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4,
5826       .access = PL2_RW,
5827       .fieldoffset = offsetof(CPUARMState, cp15.hpfar_el2) },
5828     { .name = "HSTR_EL2", .state = ARM_CP_STATE_BOTH,
5829       .cp = 15, .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 3,
5830       .access = PL2_RW,
5831       .nv2_redirect_offset = 0x80,
5832       .fieldoffset = offsetof(CPUARMState, cp15.hstr_el2) },
5833 };
5834 
5835 static const ARMCPRegInfo el2_v8_cp_reginfo[] = {
5836     { .name = "HCR2", .state = ARM_CP_STATE_AA32,
5837       .type = ARM_CP_ALIAS | ARM_CP_IO,
5838       .cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 4,
5839       .access = PL2_RW,
5840       .fieldoffset = offsetofhigh32(CPUARMState, cp15.hcr_el2),
5841       .writefn = hcr_writehigh },
5842 };
5843 
5844 static CPAccessResult sel2_access(CPUARMState *env, const ARMCPRegInfo *ri,
5845                                   bool isread)
5846 {
5847     if (arm_current_el(env) == 3 || arm_is_secure_below_el3(env)) {
5848         return CP_ACCESS_OK;
5849     }
5850     return CP_ACCESS_UNDEFINED;
5851 }
5852 
5853 static const ARMCPRegInfo el2_sec_cp_reginfo[] = {
5854     { .name = "VSTTBR_EL2", .state = ARM_CP_STATE_AA64,
5855       .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 6, .opc2 = 0,
5856       .access = PL2_RW, .accessfn = sel2_access,
5857       .nv2_redirect_offset = 0x30,
5858       .fieldoffset = offsetof(CPUARMState, cp15.vsttbr_el2) },
5859     { .name = "VSTCR_EL2", .state = ARM_CP_STATE_AA64,
5860       .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 6, .opc2 = 2,
5861       .access = PL2_RW, .accessfn = sel2_access,
5862       .nv2_redirect_offset = 0x48,
5863       .fieldoffset = offsetof(CPUARMState, cp15.vstcr_el2) },
5864 #ifndef CONFIG_USER_ONLY
5865     /* Secure EL2 Physical Timer */
5866     { .name = "CNTHPS_TVAL_EL2", .state = ARM_CP_STATE_AA64,
5867       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 5, .opc2 = 0,
5868       .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL2_RW,
5869       .accessfn = gt_sel2timer_access,
5870       .readfn = gt_sec_pel2_tval_read,
5871       .writefn = gt_sec_pel2_tval_write,
5872       .resetfn = gt_sec_pel2_timer_reset,
5873     },
5874     { .name = "CNTHPS_CTL_EL2", .state = ARM_CP_STATE_AA64,
5875       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 5, .opc2 = 1,
5876       .type = ARM_CP_IO, .access = PL2_RW,
5877       .accessfn = gt_sel2timer_access,
5878       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_S_EL2_PHYS].ctl),
5879       .resetvalue = 0,
5880       .writefn = gt_sec_pel2_ctl_write, .raw_writefn = raw_write,
5881     },
5882     { .name = "CNTHPS_CVAL_EL2", .state = ARM_CP_STATE_AA64,
5883       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 5, .opc2 = 2,
5884       .type = ARM_CP_IO, .access = PL2_RW,
5885       .accessfn = gt_sel2timer_access,
5886       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_S_EL2_PHYS].cval),
5887       .writefn = gt_sec_pel2_cval_write, .raw_writefn = raw_write,
5888     },
5889     /* Secure EL2 Virtual Timer */
5890     { .name = "CNTHVS_TVAL_EL2", .state = ARM_CP_STATE_AA64,
5891       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 4, .opc2 = 0,
5892       .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL2_RW,
5893       .accessfn = gt_sel2timer_access,
5894       .readfn = gt_sec_vel2_tval_read,
5895       .writefn = gt_sec_vel2_tval_write,
5896       .resetfn = gt_sec_vel2_timer_reset,
5897     },
5898     { .name = "CNTHVS_CTL_EL2", .state = ARM_CP_STATE_AA64,
5899       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 4, .opc2 = 1,
5900       .type = ARM_CP_IO, .access = PL2_RW,
5901       .accessfn = gt_sel2timer_access,
5902       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_S_EL2_VIRT].ctl),
5903       .resetvalue = 0,
5904       .writefn = gt_sec_vel2_ctl_write, .raw_writefn = raw_write,
5905     },
5906     { .name = "CNTHVS_CVAL_EL2", .state = ARM_CP_STATE_AA64,
5907       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 4, .opc2 = 2,
5908       .type = ARM_CP_IO, .access = PL2_RW,
5909       .accessfn = gt_sel2timer_access,
5910       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_S_EL2_VIRT].cval),
5911       .writefn = gt_sec_vel2_cval_write, .raw_writefn = raw_write,
5912     },
5913 #endif
5914 };
5915 
5916 static CPAccessResult nsacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
5917                                    bool isread)
5918 {
5919     /*
5920      * The NSACR is RW at EL3, and RO for NS EL1 and NS EL2.
5921      * At Secure EL1 it traps to EL3 or EL2.
5922      */
5923     if (arm_current_el(env) == 3) {
5924         return CP_ACCESS_OK;
5925     }
5926     if (arm_is_secure_below_el3(env)) {
5927         if (env->cp15.scr_el3 & SCR_EEL2) {
5928             return CP_ACCESS_TRAP_EL2;
5929         }
5930         return CP_ACCESS_TRAP_EL3;
5931     }
5932     /* Accesses from EL1 NS and EL2 NS are UNDEF for write but allow reads. */
5933     if (isread) {
5934         return CP_ACCESS_OK;
5935     }
5936     return CP_ACCESS_UNDEFINED;
5937 }
5938 
5939 static const ARMCPRegInfo el3_cp_reginfo[] = {
5940     { .name = "SCR_EL3", .state = ARM_CP_STATE_AA64,
5941       .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 0,
5942       .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.scr_el3),
5943       .resetfn = scr_reset, .writefn = scr_write, .raw_writefn = raw_write },
5944     { .name = "SCR",  .type = ARM_CP_ALIAS | ARM_CP_NEWEL,
5945       .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 0,
5946       .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
5947       .fieldoffset = offsetoflow32(CPUARMState, cp15.scr_el3),
5948       .writefn = scr_write, .raw_writefn = raw_write },
5949     { .name = "SDER32_EL3", .state = ARM_CP_STATE_AA64,
5950       .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 1,
5951       .access = PL3_RW, .resetvalue = 0,
5952       .fieldoffset = offsetof(CPUARMState, cp15.sder) },
5953     { .name = "SDER",
5954       .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 1,
5955       .access = PL3_RW, .resetvalue = 0,
5956       .fieldoffset = offsetoflow32(CPUARMState, cp15.sder) },
5957     { .name = "MVBAR", .cp = 15, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1,
5958       .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
5959       .writefn = vbar_write, .resetvalue = 0,
5960       .fieldoffset = offsetof(CPUARMState, cp15.mvbar) },
5961     { .name = "TTBR0_EL3", .state = ARM_CP_STATE_AA64,
5962       .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 0, .opc2 = 0,
5963       .access = PL3_RW, .resetvalue = 0,
5964       .fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[3]) },
5965     { .name = "TCR_EL3", .state = ARM_CP_STATE_AA64,
5966       .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 0, .opc2 = 2,
5967       .access = PL3_RW,
5968       /* no .writefn needed as this can't cause an ASID change */
5969       .resetvalue = 0,
5970       .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[3]) },
5971     { .name = "ELR_EL3", .state = ARM_CP_STATE_AA64,
5972       .type = ARM_CP_ALIAS,
5973       .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 0, .opc2 = 1,
5974       .access = PL3_RW,
5975       .fieldoffset = offsetof(CPUARMState, elr_el[3]) },
5976     { .name = "ESR_EL3", .state = ARM_CP_STATE_AA64,
5977       .opc0 = 3, .opc1 = 6, .crn = 5, .crm = 2, .opc2 = 0,
5978       .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.esr_el[3]) },
5979     { .name = "FAR_EL3", .state = ARM_CP_STATE_AA64,
5980       .opc0 = 3, .opc1 = 6, .crn = 6, .crm = 0, .opc2 = 0,
5981       .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.far_el[3]) },
5982     { .name = "SPSR_EL3", .state = ARM_CP_STATE_AA64,
5983       .type = ARM_CP_ALIAS,
5984       .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 0, .opc2 = 0,
5985       .access = PL3_RW,
5986       .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_MON]) },
5987     { .name = "VBAR_EL3", .state = ARM_CP_STATE_AA64,
5988       .opc0 = 3, .opc1 = 6, .crn = 12, .crm = 0, .opc2 = 0,
5989       .access = PL3_RW, .writefn = vbar_write,
5990       .fieldoffset = offsetof(CPUARMState, cp15.vbar_el[3]),
5991       .resetvalue = 0 },
5992     { .name = "CPTR_EL3", .state = ARM_CP_STATE_AA64,
5993       .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 2,
5994       .access = PL3_RW, .accessfn = cptr_access, .resetvalue = 0,
5995       .fieldoffset = offsetof(CPUARMState, cp15.cptr_el[3]) },
5996     { .name = "TPIDR_EL3", .state = ARM_CP_STATE_AA64,
5997       .opc0 = 3, .opc1 = 6, .crn = 13, .crm = 0, .opc2 = 2,
5998       .access = PL3_RW, .resetvalue = 0,
5999       .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[3]) },
6000     { .name = "AMAIR_EL3", .state = ARM_CP_STATE_AA64,
6001       .opc0 = 3, .opc1 = 6, .crn = 10, .crm = 3, .opc2 = 0,
6002       .access = PL3_RW, .type = ARM_CP_CONST,
6003       .resetvalue = 0 },
6004     { .name = "AFSR0_EL3", .state = ARM_CP_STATE_BOTH,
6005       .opc0 = 3, .opc1 = 6, .crn = 5, .crm = 1, .opc2 = 0,
6006       .access = PL3_RW, .type = ARM_CP_CONST,
6007       .resetvalue = 0 },
6008     { .name = "AFSR1_EL3", .state = ARM_CP_STATE_BOTH,
6009       .opc0 = 3, .opc1 = 6, .crn = 5, .crm = 1, .opc2 = 1,
6010       .access = PL3_RW, .type = ARM_CP_CONST,
6011       .resetvalue = 0 },
6012 };
6013 
6014 #ifndef CONFIG_USER_ONLY
6015 
6016 static CPAccessResult e2h_access(CPUARMState *env, const ARMCPRegInfo *ri,
6017                                  bool isread)
6018 {
6019     if (arm_current_el(env) == 1) {
6020         /* This must be a FEAT_NV access */
6021         return CP_ACCESS_OK;
6022     }
6023     if (!(arm_hcr_el2_eff(env) & HCR_E2H)) {
6024         return CP_ACCESS_UNDEFINED;
6025     }
6026     return CP_ACCESS_OK;
6027 }
6028 
6029 static CPAccessResult access_el1nvpct(CPUARMState *env, const ARMCPRegInfo *ri,
6030                                       bool isread)
6031 {
6032     if (arm_current_el(env) == 1) {
6033         /* This must be a FEAT_NV access with NVx == 101 */
6034         if (FIELD_EX64(env->cp15.cnthctl_el2, CNTHCTL, EL1NVPCT)) {
6035             return CP_ACCESS_TRAP_EL2;
6036         }
6037     }
6038     return e2h_access(env, ri, isread);
6039 }
6040 
6041 static CPAccessResult access_el1nvvct(CPUARMState *env, const ARMCPRegInfo *ri,
6042                                       bool isread)
6043 {
6044     if (arm_current_el(env) == 1) {
6045         /* This must be a FEAT_NV access with NVx == 101 */
6046         if (FIELD_EX64(env->cp15.cnthctl_el2, CNTHCTL, EL1NVVCT)) {
6047             return CP_ACCESS_TRAP_EL2;
6048         }
6049     }
6050     return e2h_access(env, ri, isread);
6051 }
6052 
6053 /* Test if system register redirection is to occur in the current state.  */
6054 static bool redirect_for_e2h(CPUARMState *env)
6055 {
6056     return arm_current_el(env) == 2 && (arm_hcr_el2_eff(env) & HCR_E2H);
6057 }
6058 
6059 static uint64_t el2_e2h_read(CPUARMState *env, const ARMCPRegInfo *ri)
6060 {
6061     CPReadFn *readfn;
6062 
6063     if (redirect_for_e2h(env)) {
6064         /* Switch to the saved EL2 version of the register.  */
6065         ri = ri->opaque;
6066         readfn = ri->readfn;
6067     } else {
6068         readfn = ri->orig_readfn;
6069     }
6070     if (readfn == NULL) {
6071         readfn = raw_read;
6072     }
6073     return readfn(env, ri);
6074 }
6075 
6076 static void el2_e2h_write(CPUARMState *env, const ARMCPRegInfo *ri,
6077                           uint64_t value)
6078 {
6079     CPWriteFn *writefn;
6080 
6081     if (redirect_for_e2h(env)) {
6082         /* Switch to the saved EL2 version of the register.  */
6083         ri = ri->opaque;
6084         writefn = ri->writefn;
6085     } else {
6086         writefn = ri->orig_writefn;
6087     }
6088     if (writefn == NULL) {
6089         writefn = raw_write;
6090     }
6091     writefn(env, ri, value);
6092 }
6093 
6094 static uint64_t el2_e2h_e12_read(CPUARMState *env, const ARMCPRegInfo *ri)
6095 {
6096     /* Pass the EL1 register accessor its ri, not the EL12 alias ri */
6097     return ri->orig_readfn(env, ri->opaque);
6098 }
6099 
6100 static void el2_e2h_e12_write(CPUARMState *env, const ARMCPRegInfo *ri,
6101                               uint64_t value)
6102 {
6103     /* Pass the EL1 register accessor its ri, not the EL12 alias ri */
6104     return ri->orig_writefn(env, ri->opaque, value);
6105 }
6106 
6107 static CPAccessResult el2_e2h_e12_access(CPUARMState *env,
6108                                          const ARMCPRegInfo *ri,
6109                                          bool isread)
6110 {
6111     if (arm_current_el(env) == 1) {
6112         /*
6113          * This must be a FEAT_NV access (will either trap or redirect
6114          * to memory). None of the registers with _EL12 aliases want to
6115          * apply their trap controls for this kind of access, so don't
6116          * call the orig_accessfn or do the "UNDEF when E2H is 0" check.
6117          */
6118         return CP_ACCESS_OK;
6119     }
6120     /* FOO_EL12 aliases only exist when E2H is 1; otherwise they UNDEF */
6121     if (!(arm_hcr_el2_eff(env) & HCR_E2H)) {
6122         return CP_ACCESS_UNDEFINED;
6123     }
6124     if (ri->orig_accessfn) {
6125         return ri->orig_accessfn(env, ri->opaque, isread);
6126     }
6127     return CP_ACCESS_OK;
6128 }
6129 
6130 static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu)
6131 {
6132     struct E2HAlias {
6133         uint32_t src_key, dst_key, new_key;
6134         const char *src_name, *dst_name, *new_name;
6135         bool (*feature)(const ARMISARegisters *id);
6136     };
6137 
6138 #define K(op0, op1, crn, crm, op2) \
6139     ENCODE_AA64_CP_REG(CP_REG_ARM64_SYSREG_CP, crn, crm, op0, op1, op2)
6140 
6141     static const struct E2HAlias aliases[] = {
6142         { K(3, 0,  1, 0, 0), K(3, 4,  1, 0, 0), K(3, 5, 1, 0, 0),
6143           "SCTLR", "SCTLR_EL2", "SCTLR_EL12" },
6144         { K(3, 0,  1, 0, 2), K(3, 4,  1, 1, 2), K(3, 5, 1, 0, 2),
6145           "CPACR", "CPTR_EL2", "CPACR_EL12" },
6146         { K(3, 0,  2, 0, 0), K(3, 4,  2, 0, 0), K(3, 5, 2, 0, 0),
6147           "TTBR0_EL1", "TTBR0_EL2", "TTBR0_EL12" },
6148         { K(3, 0,  2, 0, 1), K(3, 4,  2, 0, 1), K(3, 5, 2, 0, 1),
6149           "TTBR1_EL1", "TTBR1_EL2", "TTBR1_EL12" },
6150         { K(3, 0,  2, 0, 2), K(3, 4,  2, 0, 2), K(3, 5, 2, 0, 2),
6151           "TCR_EL1", "TCR_EL2", "TCR_EL12" },
6152         { K(3, 0,  4, 0, 0), K(3, 4,  4, 0, 0), K(3, 5, 4, 0, 0),
6153           "SPSR_EL1", "SPSR_EL2", "SPSR_EL12" },
6154         { K(3, 0,  4, 0, 1), K(3, 4,  4, 0, 1), K(3, 5, 4, 0, 1),
6155           "ELR_EL1", "ELR_EL2", "ELR_EL12" },
6156         { K(3, 0,  5, 1, 0), K(3, 4,  5, 1, 0), K(3, 5, 5, 1, 0),
6157           "AFSR0_EL1", "AFSR0_EL2", "AFSR0_EL12" },
6158         { K(3, 0,  5, 1, 1), K(3, 4,  5, 1, 1), K(3, 5, 5, 1, 1),
6159           "AFSR1_EL1", "AFSR1_EL2", "AFSR1_EL12" },
6160         { K(3, 0,  5, 2, 0), K(3, 4,  5, 2, 0), K(3, 5, 5, 2, 0),
6161           "ESR_EL1", "ESR_EL2", "ESR_EL12" },
6162         { K(3, 0,  6, 0, 0), K(3, 4,  6, 0, 0), K(3, 5, 6, 0, 0),
6163           "FAR_EL1", "FAR_EL2", "FAR_EL12" },
6164         { K(3, 0, 10, 2, 0), K(3, 4, 10, 2, 0), K(3, 5, 10, 2, 0),
6165           "MAIR_EL1", "MAIR_EL2", "MAIR_EL12" },
6166         { K(3, 0, 10, 3, 0), K(3, 4, 10, 3, 0), K(3, 5, 10, 3, 0),
6167           "AMAIR0", "AMAIR_EL2", "AMAIR_EL12" },
6168         { K(3, 0, 12, 0, 0), K(3, 4, 12, 0, 0), K(3, 5, 12, 0, 0),
6169           "VBAR", "VBAR_EL2", "VBAR_EL12" },
6170         { K(3, 0, 13, 0, 1), K(3, 4, 13, 0, 1), K(3, 5, 13, 0, 1),
6171           "CONTEXTIDR_EL1", "CONTEXTIDR_EL2", "CONTEXTIDR_EL12" },
6172         { K(3, 0, 14, 1, 0), K(3, 4, 14, 1, 0), K(3, 5, 14, 1, 0),
6173           "CNTKCTL", "CNTHCTL_EL2", "CNTKCTL_EL12" },
6174 
6175         /*
6176          * Note that redirection of ZCR is mentioned in the description
6177          * of ZCR_EL2, and aliasing in the description of ZCR_EL1, but
6178          * not in the summary table.
6179          */
6180         { K(3, 0,  1, 2, 0), K(3, 4,  1, 2, 0), K(3, 5, 1, 2, 0),
6181           "ZCR_EL1", "ZCR_EL2", "ZCR_EL12", isar_feature_aa64_sve },
6182         { K(3, 0,  1, 2, 6), K(3, 4,  1, 2, 6), K(3, 5, 1, 2, 6),
6183           "SMCR_EL1", "SMCR_EL2", "SMCR_EL12", isar_feature_aa64_sme },
6184 
6185         { K(3, 0,  5, 6, 0), K(3, 4,  5, 6, 0), K(3, 5, 5, 6, 0),
6186           "TFSR_EL1", "TFSR_EL2", "TFSR_EL12", isar_feature_aa64_mte },
6187 
6188         { K(3, 0, 13, 0, 7), K(3, 4, 13, 0, 7), K(3, 5, 13, 0, 7),
6189           "SCXTNUM_EL1", "SCXTNUM_EL2", "SCXTNUM_EL12",
6190           isar_feature_aa64_scxtnum },
6191 
6192         /* TODO: ARMv8.2-SPE -- PMSCR_EL2 */
6193         /* TODO: ARMv8.4-Trace -- TRFCR_EL2 */
6194     };
6195 #undef K
6196 
6197     size_t i;
6198 
6199     for (i = 0; i < ARRAY_SIZE(aliases); i++) {
6200         const struct E2HAlias *a = &aliases[i];
6201         ARMCPRegInfo *src_reg, *dst_reg, *new_reg;
6202         bool ok;
6203 
6204         if (a->feature && !a->feature(&cpu->isar)) {
6205             continue;
6206         }
6207 
6208         src_reg = g_hash_table_lookup(cpu->cp_regs,
6209                                       (gpointer)(uintptr_t)a->src_key);
6210         dst_reg = g_hash_table_lookup(cpu->cp_regs,
6211                                       (gpointer)(uintptr_t)a->dst_key);
6212         g_assert(src_reg != NULL);
6213         g_assert(dst_reg != NULL);
6214 
6215         /* Cross-compare names to detect typos in the keys.  */
6216         g_assert(strcmp(src_reg->name, a->src_name) == 0);
6217         g_assert(strcmp(dst_reg->name, a->dst_name) == 0);
6218 
6219         /* None of the core system registers use opaque; we will.  */
6220         g_assert(src_reg->opaque == NULL);
6221 
6222         /* Create alias before redirection so we dup the right data. */
6223         new_reg = g_memdup(src_reg, sizeof(ARMCPRegInfo));
6224 
6225         new_reg->name = a->new_name;
6226         new_reg->type |= ARM_CP_ALIAS;
6227         /* Remove PL1/PL0 access, leaving PL2/PL3 R/W in place.  */
6228         new_reg->access &= PL2_RW | PL3_RW;
6229         /* The new_reg op fields are as per new_key, not the target reg */
6230         new_reg->crn = (a->new_key & CP_REG_ARM64_SYSREG_CRN_MASK)
6231             >> CP_REG_ARM64_SYSREG_CRN_SHIFT;
6232         new_reg->crm = (a->new_key & CP_REG_ARM64_SYSREG_CRM_MASK)
6233             >> CP_REG_ARM64_SYSREG_CRM_SHIFT;
6234         new_reg->opc0 = (a->new_key & CP_REG_ARM64_SYSREG_OP0_MASK)
6235             >> CP_REG_ARM64_SYSREG_OP0_SHIFT;
6236         new_reg->opc1 = (a->new_key & CP_REG_ARM64_SYSREG_OP1_MASK)
6237             >> CP_REG_ARM64_SYSREG_OP1_SHIFT;
6238         new_reg->opc2 = (a->new_key & CP_REG_ARM64_SYSREG_OP2_MASK)
6239             >> CP_REG_ARM64_SYSREG_OP2_SHIFT;
6240         new_reg->opaque = src_reg;
6241         new_reg->orig_readfn = src_reg->readfn ?: raw_read;
6242         new_reg->orig_writefn = src_reg->writefn ?: raw_write;
6243         new_reg->orig_accessfn = src_reg->accessfn;
6244         if (!new_reg->raw_readfn) {
6245             new_reg->raw_readfn = raw_read;
6246         }
6247         if (!new_reg->raw_writefn) {
6248             new_reg->raw_writefn = raw_write;
6249         }
6250         new_reg->readfn = el2_e2h_e12_read;
6251         new_reg->writefn = el2_e2h_e12_write;
6252         new_reg->accessfn = el2_e2h_e12_access;
6253 
6254         /*
6255          * If the _EL1 register is redirected to memory by FEAT_NV2,
6256          * then it shares the offset with the _EL12 register,
6257          * and which one is redirected depends on HCR_EL2.NV1.
6258          */
6259         if (new_reg->nv2_redirect_offset) {
6260             assert(new_reg->nv2_redirect_offset & NV2_REDIR_NV1);
6261             new_reg->nv2_redirect_offset &= ~NV2_REDIR_NV1;
6262             new_reg->nv2_redirect_offset |= NV2_REDIR_NO_NV1;
6263         }
6264 
6265         ok = g_hash_table_insert(cpu->cp_regs,
6266                                  (gpointer)(uintptr_t)a->new_key, new_reg);
6267         g_assert(ok);
6268 
6269         src_reg->opaque = dst_reg;
6270         src_reg->orig_readfn = src_reg->readfn ?: raw_read;
6271         src_reg->orig_writefn = src_reg->writefn ?: raw_write;
6272         if (!src_reg->raw_readfn) {
6273             src_reg->raw_readfn = raw_read;
6274         }
6275         if (!src_reg->raw_writefn) {
6276             src_reg->raw_writefn = raw_write;
6277         }
6278         src_reg->readfn = el2_e2h_read;
6279         src_reg->writefn = el2_e2h_write;
6280     }
6281 }
6282 #endif
6283 
6284 static CPAccessResult ctr_el0_access(CPUARMState *env, const ARMCPRegInfo *ri,
6285                                      bool isread)
6286 {
6287     int cur_el = arm_current_el(env);
6288 
6289     if (cur_el < 2) {
6290         uint64_t hcr = arm_hcr_el2_eff(env);
6291 
6292         if (cur_el == 0) {
6293             if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) {
6294                 if (!(env->cp15.sctlr_el[2] & SCTLR_UCT)) {
6295                     return CP_ACCESS_TRAP_EL2;
6296                 }
6297             } else {
6298                 if (!(env->cp15.sctlr_el[1] & SCTLR_UCT)) {
6299                     return CP_ACCESS_TRAP_EL1;
6300                 }
6301                 if (hcr & HCR_TID2) {
6302                     return CP_ACCESS_TRAP_EL2;
6303                 }
6304             }
6305         } else if (hcr & HCR_TID2) {
6306             return CP_ACCESS_TRAP_EL2;
6307         }
6308     }
6309 
6310     if (arm_current_el(env) < 2 && arm_hcr_el2_eff(env) & HCR_TID2) {
6311         return CP_ACCESS_TRAP_EL2;
6312     }
6313 
6314     return CP_ACCESS_OK;
6315 }
6316 
6317 /*
6318  * Check for traps to RAS registers, which are controlled
6319  * by HCR_EL2.TERR and SCR_EL3.TERR.
6320  */
6321 static CPAccessResult access_terr(CPUARMState *env, const ARMCPRegInfo *ri,
6322                                   bool isread)
6323 {
6324     int el = arm_current_el(env);
6325 
6326     if (el < 2 && (arm_hcr_el2_eff(env) & HCR_TERR)) {
6327         return CP_ACCESS_TRAP_EL2;
6328     }
6329     if (!arm_is_el3_or_mon(env) && (env->cp15.scr_el3 & SCR_TERR)) {
6330         return CP_ACCESS_TRAP_EL3;
6331     }
6332     return CP_ACCESS_OK;
6333 }
6334 
6335 static uint64_t disr_read(CPUARMState *env, const ARMCPRegInfo *ri)
6336 {
6337     int el = arm_current_el(env);
6338 
6339     if (el < 2 && (arm_hcr_el2_eff(env) & HCR_AMO)) {
6340         return env->cp15.vdisr_el2;
6341     }
6342     if (el < 3 && (env->cp15.scr_el3 & SCR_EA)) {
6343         return 0; /* RAZ/WI */
6344     }
6345     return env->cp15.disr_el1;
6346 }
6347 
6348 static void disr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t val)
6349 {
6350     int el = arm_current_el(env);
6351 
6352     if (el < 2 && (arm_hcr_el2_eff(env) & HCR_AMO)) {
6353         env->cp15.vdisr_el2 = val;
6354         return;
6355     }
6356     if (el < 3 && (env->cp15.scr_el3 & SCR_EA)) {
6357         return; /* RAZ/WI */
6358     }
6359     env->cp15.disr_el1 = val;
6360 }
6361 
6362 /*
6363  * Minimal RAS implementation with no Error Records.
6364  * Which means that all of the Error Record registers:
6365  *   ERXADDR_EL1
6366  *   ERXCTLR_EL1
6367  *   ERXFR_EL1
6368  *   ERXMISC0_EL1
6369  *   ERXMISC1_EL1
6370  *   ERXMISC2_EL1
6371  *   ERXMISC3_EL1
6372  *   ERXPFGCDN_EL1  (RASv1p1)
6373  *   ERXPFGCTL_EL1  (RASv1p1)
6374  *   ERXPFGF_EL1    (RASv1p1)
6375  *   ERXSTATUS_EL1
6376  * and
6377  *   ERRSELR_EL1
6378  * may generate UNDEFINED, which is the effect we get by not
6379  * listing them at all.
6380  *
6381  * These registers have fine-grained trap bits, but UNDEF-to-EL1
6382  * is higher priority than FGT-to-EL2 so we do not need to list them
6383  * in order to check for an FGT.
6384  */
6385 static const ARMCPRegInfo minimal_ras_reginfo[] = {
6386     { .name = "DISR_EL1", .state = ARM_CP_STATE_BOTH,
6387       .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 1,
6388       .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.disr_el1),
6389       .readfn = disr_read, .writefn = disr_write, .raw_writefn = raw_write },
6390     { .name = "ERRIDR_EL1", .state = ARM_CP_STATE_BOTH,
6391       .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 3, .opc2 = 0,
6392       .access = PL1_R, .accessfn = access_terr,
6393       .fgt = FGT_ERRIDR_EL1,
6394       .type = ARM_CP_CONST, .resetvalue = 0 },
6395     { .name = "VDISR_EL2", .state = ARM_CP_STATE_BOTH,
6396       .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 1, .opc2 = 1,
6397       .nv2_redirect_offset = 0x500,
6398       .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.vdisr_el2) },
6399     { .name = "VSESR_EL2", .state = ARM_CP_STATE_BOTH,
6400       .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 2, .opc2 = 3,
6401       .nv2_redirect_offset = 0x508,
6402       .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.vsesr_el2) },
6403 };
6404 
6405 /*
6406  * Return the exception level to which exceptions should be taken
6407  * via SVEAccessTrap.  This excludes the check for whether the exception
6408  * should be routed through AArch64.AdvSIMDFPAccessTrap.  That can easily
6409  * be found by testing 0 < fp_exception_el < sve_exception_el.
6410  *
6411  * C.f. the ARM pseudocode function CheckSVEEnabled.  Note that the
6412  * pseudocode does *not* separate out the FP trap checks, but has them
6413  * all in one function.
6414  */
6415 int sve_exception_el(CPUARMState *env, int el)
6416 {
6417 #ifndef CONFIG_USER_ONLY
6418     if (el <= 1 && !el_is_in_host(env, el)) {
6419         switch (FIELD_EX64(env->cp15.cpacr_el1, CPACR_EL1, ZEN)) {
6420         case 1:
6421             if (el != 0) {
6422                 break;
6423             }
6424             /* fall through */
6425         case 0:
6426         case 2:
6427             return 1;
6428         }
6429     }
6430 
6431     if (el <= 2 && arm_is_el2_enabled(env)) {
6432         /* CPTR_EL2 changes format with HCR_EL2.E2H (regardless of TGE). */
6433         if (env->cp15.hcr_el2 & HCR_E2H) {
6434             switch (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, ZEN)) {
6435             case 1:
6436                 if (el != 0 || !(env->cp15.hcr_el2 & HCR_TGE)) {
6437                     break;
6438                 }
6439                 /* fall through */
6440             case 0:
6441             case 2:
6442                 return 2;
6443             }
6444         } else {
6445             if (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, TZ)) {
6446                 return 2;
6447             }
6448         }
6449     }
6450 
6451     /* CPTR_EL3.  Since EZ is negative we must check for EL3.  */
6452     if (arm_feature(env, ARM_FEATURE_EL3)
6453         && !FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, EZ)) {
6454         return 3;
6455     }
6456 #endif
6457     return 0;
6458 }
6459 
6460 /*
6461  * Return the exception level to which exceptions should be taken for SME.
6462  * C.f. the ARM pseudocode function CheckSMEAccess.
6463  */
6464 int sme_exception_el(CPUARMState *env, int el)
6465 {
6466 #ifndef CONFIG_USER_ONLY
6467     if (el <= 1 && !el_is_in_host(env, el)) {
6468         switch (FIELD_EX64(env->cp15.cpacr_el1, CPACR_EL1, SMEN)) {
6469         case 1:
6470             if (el != 0) {
6471                 break;
6472             }
6473             /* fall through */
6474         case 0:
6475         case 2:
6476             return 1;
6477         }
6478     }
6479 
6480     if (el <= 2 && arm_is_el2_enabled(env)) {
6481         /* CPTR_EL2 changes format with HCR_EL2.E2H (regardless of TGE). */
6482         if (env->cp15.hcr_el2 & HCR_E2H) {
6483             switch (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, SMEN)) {
6484             case 1:
6485                 if (el != 0 || !(env->cp15.hcr_el2 & HCR_TGE)) {
6486                     break;
6487                 }
6488                 /* fall through */
6489             case 0:
6490             case 2:
6491                 return 2;
6492             }
6493         } else {
6494             if (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, TSM)) {
6495                 return 2;
6496             }
6497         }
6498     }
6499 
6500     /* CPTR_EL3.  Since ESM is negative we must check for EL3.  */
6501     if (arm_feature(env, ARM_FEATURE_EL3)
6502         && !FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, ESM)) {
6503         return 3;
6504     }
6505 #endif
6506     return 0;
6507 }
6508 
6509 /*
6510  * Given that SVE is enabled, return the vector length for EL.
6511  */
6512 uint32_t sve_vqm1_for_el_sm(CPUARMState *env, int el, bool sm)
6513 {
6514     ARMCPU *cpu = env_archcpu(env);
6515     uint64_t *cr = env->vfp.zcr_el;
6516     uint32_t map = cpu->sve_vq.map;
6517     uint32_t len = ARM_MAX_VQ - 1;
6518 
6519     if (sm) {
6520         cr = env->vfp.smcr_el;
6521         map = cpu->sme_vq.map;
6522     }
6523 
6524     if (el <= 1 && !el_is_in_host(env, el)) {
6525         len = MIN(len, 0xf & (uint32_t)cr[1]);
6526     }
6527     if (el <= 2 && arm_is_el2_enabled(env)) {
6528         len = MIN(len, 0xf & (uint32_t)cr[2]);
6529     }
6530     if (arm_feature(env, ARM_FEATURE_EL3)) {
6531         len = MIN(len, 0xf & (uint32_t)cr[3]);
6532     }
6533 
6534     map &= MAKE_64BIT_MASK(0, len + 1);
6535     if (map != 0) {
6536         return 31 - clz32(map);
6537     }
6538 
6539     /* Bit 0 is always set for Normal SVE -- not so for Streaming SVE. */
6540     assert(sm);
6541     return ctz32(cpu->sme_vq.map);
6542 }
6543 
6544 uint32_t sve_vqm1_for_el(CPUARMState *env, int el)
6545 {
6546     return sve_vqm1_for_el_sm(env, el, FIELD_EX64(env->svcr, SVCR, SM));
6547 }
6548 
6549 static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
6550                       uint64_t value)
6551 {
6552     int cur_el = arm_current_el(env);
6553     int old_len = sve_vqm1_for_el(env, cur_el);
6554     int new_len;
6555 
6556     /* Bits other than [3:0] are RAZ/WI.  */
6557     QEMU_BUILD_BUG_ON(ARM_MAX_VQ > 16);
6558     raw_write(env, ri, value & 0xf);
6559 
6560     /*
6561      * Because we arrived here, we know both FP and SVE are enabled;
6562      * otherwise we would have trapped access to the ZCR_ELn register.
6563      */
6564     new_len = sve_vqm1_for_el(env, cur_el);
6565     if (new_len < old_len) {
6566 #ifdef TARGET_AARCH64
6567         aarch64_sve_narrow_vq(env, new_len + 1);
6568 #endif
6569     }
6570 }
6571 
6572 static const ARMCPRegInfo zcr_reginfo[] = {
6573     { .name = "ZCR_EL1", .state = ARM_CP_STATE_AA64,
6574       .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 0,
6575       .nv2_redirect_offset = 0x1e0 | NV2_REDIR_NV1,
6576       .access = PL1_RW, .type = ARM_CP_SVE,
6577       .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[1]),
6578       .writefn = zcr_write, .raw_writefn = raw_write },
6579     { .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
6580       .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
6581       .access = PL2_RW, .type = ARM_CP_SVE,
6582       .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[2]),
6583       .writefn = zcr_write, .raw_writefn = raw_write },
6584     { .name = "ZCR_EL3", .state = ARM_CP_STATE_AA64,
6585       .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 2, .opc2 = 0,
6586       .access = PL3_RW, .type = ARM_CP_SVE,
6587       .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[3]),
6588       .writefn = zcr_write, .raw_writefn = raw_write },
6589 };
6590 
6591 #ifdef TARGET_AARCH64
6592 static CPAccessResult access_tpidr2(CPUARMState *env, const ARMCPRegInfo *ri,
6593                                     bool isread)
6594 {
6595     int el = arm_current_el(env);
6596 
6597     if (el == 0) {
6598         uint64_t sctlr = arm_sctlr(env, el);
6599         if (!(sctlr & SCTLR_EnTP2)) {
6600             return CP_ACCESS_TRAP_EL1;
6601         }
6602     }
6603     /* TODO: FEAT_FGT */
6604     if (el < 3
6605         && arm_feature(env, ARM_FEATURE_EL3)
6606         && !(env->cp15.scr_el3 & SCR_ENTP2)) {
6607         return CP_ACCESS_TRAP_EL3;
6608     }
6609     return CP_ACCESS_OK;
6610 }
6611 
6612 static CPAccessResult access_smprimap(CPUARMState *env, const ARMCPRegInfo *ri,
6613                                       bool isread)
6614 {
6615     /* If EL1 this is a FEAT_NV access and CPTR_EL3.ESM doesn't apply */
6616     if (arm_current_el(env) == 2
6617         && arm_feature(env, ARM_FEATURE_EL3)
6618         && !FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, ESM)) {
6619         return CP_ACCESS_TRAP_EL3;
6620     }
6621     return CP_ACCESS_OK;
6622 }
6623 
6624 static CPAccessResult access_smpri(CPUARMState *env, const ARMCPRegInfo *ri,
6625                                    bool isread)
6626 {
6627     if (arm_current_el(env) < 3
6628         && arm_feature(env, ARM_FEATURE_EL3)
6629         && !FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, ESM)) {
6630         return CP_ACCESS_TRAP_EL3;
6631     }
6632     return CP_ACCESS_OK;
6633 }
6634 
6635 /* ResetSVEState */
6636 static void arm_reset_sve_state(CPUARMState *env)
6637 {
6638     memset(env->vfp.zregs, 0, sizeof(env->vfp.zregs));
6639     /* Recall that FFR is stored as pregs[16]. */
6640     memset(env->vfp.pregs, 0, sizeof(env->vfp.pregs));
6641     vfp_set_fpsr(env, 0x0800009f);
6642 }
6643 
6644 void aarch64_set_svcr(CPUARMState *env, uint64_t new, uint64_t mask)
6645 {
6646     uint64_t change = (env->svcr ^ new) & mask;
6647 
6648     if (change == 0) {
6649         return;
6650     }
6651     env->svcr ^= change;
6652 
6653     if (change & R_SVCR_SM_MASK) {
6654         arm_reset_sve_state(env);
6655     }
6656 
6657     /*
6658      * ResetSMEState.
6659      *
6660      * SetPSTATE_ZA zeros on enable and disable.  We can zero this only
6661      * on enable: while disabled, the storage is inaccessible and the
6662      * value does not matter.  We're not saving the storage in vmstate
6663      * when disabled either.
6664      */
6665     if (change & new & R_SVCR_ZA_MASK) {
6666         memset(env->zarray, 0, sizeof(env->zarray));
6667     }
6668 
6669     if (tcg_enabled()) {
6670         arm_rebuild_hflags(env);
6671     }
6672 }
6673 
6674 static void svcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
6675                        uint64_t value)
6676 {
6677     aarch64_set_svcr(env, value, -1);
6678 }
6679 
6680 static void smcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
6681                        uint64_t value)
6682 {
6683     int cur_el = arm_current_el(env);
6684     int old_len = sve_vqm1_for_el(env, cur_el);
6685     int new_len;
6686 
6687     QEMU_BUILD_BUG_ON(ARM_MAX_VQ > R_SMCR_LEN_MASK + 1);
6688     value &= R_SMCR_LEN_MASK | R_SMCR_FA64_MASK;
6689     raw_write(env, ri, value);
6690 
6691     /*
6692      * Note that it is CONSTRAINED UNPREDICTABLE what happens to ZA storage
6693      * when SVL is widened (old values kept, or zeros).  Choose to keep the
6694      * current values for simplicity.  But for QEMU internals, we must still
6695      * apply the narrower SVL to the Zregs and Pregs -- see the comment
6696      * above aarch64_sve_narrow_vq.
6697      */
6698     new_len = sve_vqm1_for_el(env, cur_el);
6699     if (new_len < old_len) {
6700         aarch64_sve_narrow_vq(env, new_len + 1);
6701     }
6702 }
6703 
6704 static const ARMCPRegInfo sme_reginfo[] = {
6705     { .name = "TPIDR2_EL0", .state = ARM_CP_STATE_AA64,
6706       .opc0 = 3, .opc1 = 3, .crn = 13, .crm = 0, .opc2 = 5,
6707       .access = PL0_RW, .accessfn = access_tpidr2,
6708       .fgt = FGT_NTPIDR2_EL0,
6709       .fieldoffset = offsetof(CPUARMState, cp15.tpidr2_el0) },
6710     { .name = "SVCR", .state = ARM_CP_STATE_AA64,
6711       .opc0 = 3, .opc1 = 3, .crn = 4, .crm = 2, .opc2 = 2,
6712       .access = PL0_RW, .type = ARM_CP_SME,
6713       .fieldoffset = offsetof(CPUARMState, svcr),
6714       .writefn = svcr_write, .raw_writefn = raw_write },
6715     { .name = "SMCR_EL1", .state = ARM_CP_STATE_AA64,
6716       .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 6,
6717       .nv2_redirect_offset = 0x1f0 | NV2_REDIR_NV1,
6718       .access = PL1_RW, .type = ARM_CP_SME,
6719       .fieldoffset = offsetof(CPUARMState, vfp.smcr_el[1]),
6720       .writefn = smcr_write, .raw_writefn = raw_write },
6721     { .name = "SMCR_EL2", .state = ARM_CP_STATE_AA64,
6722       .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 6,
6723       .access = PL2_RW, .type = ARM_CP_SME,
6724       .fieldoffset = offsetof(CPUARMState, vfp.smcr_el[2]),
6725       .writefn = smcr_write, .raw_writefn = raw_write },
6726     { .name = "SMCR_EL3", .state = ARM_CP_STATE_AA64,
6727       .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 2, .opc2 = 6,
6728       .access = PL3_RW, .type = ARM_CP_SME,
6729       .fieldoffset = offsetof(CPUARMState, vfp.smcr_el[3]),
6730       .writefn = smcr_write, .raw_writefn = raw_write },
6731     { .name = "SMIDR_EL1", .state = ARM_CP_STATE_AA64,
6732       .opc0 = 3, .opc1 = 1, .crn = 0, .crm = 0, .opc2 = 6,
6733       .access = PL1_R, .accessfn = access_aa64_tid1,
6734       /*
6735        * IMPLEMENTOR = 0 (software)
6736        * REVISION    = 0 (implementation defined)
6737        * SMPS        = 0 (no streaming execution priority in QEMU)
6738        * AFFINITY    = 0 (streaming sve mode not shared with other PEs)
6739        */
6740       .type = ARM_CP_CONST, .resetvalue = 0, },
6741     /*
6742      * Because SMIDR_EL1.SMPS is 0, SMPRI_EL1 and SMPRIMAP_EL2 are RES 0.
6743      */
6744     { .name = "SMPRI_EL1", .state = ARM_CP_STATE_AA64,
6745       .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 4,
6746       .access = PL1_RW, .accessfn = access_smpri,
6747       .fgt = FGT_NSMPRI_EL1,
6748       .type = ARM_CP_CONST, .resetvalue = 0 },
6749     { .name = "SMPRIMAP_EL2", .state = ARM_CP_STATE_AA64,
6750       .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 5,
6751       .nv2_redirect_offset = 0x1f8,
6752       .access = PL2_RW, .accessfn = access_smprimap,
6753       .type = ARM_CP_CONST, .resetvalue = 0 },
6754 };
6755 
6756 static void gpccr_write(CPUARMState *env, const ARMCPRegInfo *ri,
6757                         uint64_t value)
6758 {
6759     /* L0GPTSZ is RO; other bits not mentioned are RES0. */
6760     uint64_t rw_mask = R_GPCCR_PPS_MASK | R_GPCCR_IRGN_MASK |
6761         R_GPCCR_ORGN_MASK | R_GPCCR_SH_MASK | R_GPCCR_PGS_MASK |
6762         R_GPCCR_GPC_MASK | R_GPCCR_GPCP_MASK;
6763 
6764     env->cp15.gpccr_el3 = (value & rw_mask) | (env->cp15.gpccr_el3 & ~rw_mask);
6765 }
6766 
6767 static void gpccr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
6768 {
6769     env->cp15.gpccr_el3 = FIELD_DP64(0, GPCCR, L0GPTSZ,
6770                                      env_archcpu(env)->reset_l0gptsz);
6771 }
6772 
6773 static const ARMCPRegInfo rme_reginfo[] = {
6774     { .name = "GPCCR_EL3", .state = ARM_CP_STATE_AA64,
6775       .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 1, .opc2 = 6,
6776       .access = PL3_RW, .writefn = gpccr_write, .resetfn = gpccr_reset,
6777       .fieldoffset = offsetof(CPUARMState, cp15.gpccr_el3) },
6778     { .name = "GPTBR_EL3", .state = ARM_CP_STATE_AA64,
6779       .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 1, .opc2 = 4,
6780       .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.gptbr_el3) },
6781     { .name = "MFAR_EL3", .state = ARM_CP_STATE_AA64,
6782       .opc0 = 3, .opc1 = 6, .crn = 6, .crm = 0, .opc2 = 5,
6783       .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.mfar_el3) },
6784     { .name = "DC_CIPAPA", .state = ARM_CP_STATE_AA64,
6785       .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 14, .opc2 = 1,
6786       .access = PL3_W, .type = ARM_CP_NOP },
6787 };
6788 
6789 static const ARMCPRegInfo rme_mte_reginfo[] = {
6790     { .name = "DC_CIGDPAPA", .state = ARM_CP_STATE_AA64,
6791       .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 14, .opc2 = 5,
6792       .access = PL3_W, .type = ARM_CP_NOP },
6793 };
6794 
6795 static void aa64_allint_write(CPUARMState *env, const ARMCPRegInfo *ri,
6796                               uint64_t value)
6797 {
6798     env->pstate = (env->pstate & ~PSTATE_ALLINT) | (value & PSTATE_ALLINT);
6799 }
6800 
6801 static uint64_t aa64_allint_read(CPUARMState *env, const ARMCPRegInfo *ri)
6802 {
6803     return env->pstate & PSTATE_ALLINT;
6804 }
6805 
6806 static CPAccessResult aa64_allint_access(CPUARMState *env,
6807                                          const ARMCPRegInfo *ri, bool isread)
6808 {
6809     if (!isread && arm_current_el(env) == 1 &&
6810         (arm_hcrx_el2_eff(env) & HCRX_TALLINT)) {
6811         return CP_ACCESS_TRAP_EL2;
6812     }
6813     return CP_ACCESS_OK;
6814 }
6815 
6816 static const ARMCPRegInfo nmi_reginfo[] = {
6817     { .name = "ALLINT", .state = ARM_CP_STATE_AA64,
6818       .opc0 = 3, .opc1 = 0, .opc2 = 0, .crn = 4, .crm = 3,
6819       .type = ARM_CP_NO_RAW,
6820       .access = PL1_RW, .accessfn = aa64_allint_access,
6821       .fieldoffset = offsetof(CPUARMState, pstate),
6822       .writefn = aa64_allint_write, .readfn = aa64_allint_read,
6823       .resetfn = arm_cp_reset_ignore },
6824 };
6825 #endif /* TARGET_AARCH64 */
6826 
6827 static void define_pmu_regs(ARMCPU *cpu)
6828 {
6829     /*
6830      * v7 performance monitor control register: same implementor
6831      * field as main ID register, and we implement four counters in
6832      * addition to the cycle count register.
6833      */
6834     unsigned int i, pmcrn = pmu_num_counters(&cpu->env);
6835     ARMCPRegInfo pmcr = {
6836         .name = "PMCR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 0,
6837         .access = PL0_RW,
6838         .fgt = FGT_PMCR_EL0,
6839         .type = ARM_CP_IO | ARM_CP_ALIAS,
6840         .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcr),
6841         .accessfn = pmreg_access,
6842         .readfn = pmcr_read, .raw_readfn = raw_read,
6843         .writefn = pmcr_write, .raw_writefn = raw_write,
6844     };
6845     ARMCPRegInfo pmcr64 = {
6846         .name = "PMCR_EL0", .state = ARM_CP_STATE_AA64,
6847         .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 0,
6848         .access = PL0_RW, .accessfn = pmreg_access,
6849         .fgt = FGT_PMCR_EL0,
6850         .type = ARM_CP_IO,
6851         .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
6852         .resetvalue = cpu->isar.reset_pmcr_el0,
6853         .readfn = pmcr_read, .raw_readfn = raw_read,
6854         .writefn = pmcr_write, .raw_writefn = raw_write,
6855     };
6856 
6857     define_one_arm_cp_reg(cpu, &pmcr);
6858     define_one_arm_cp_reg(cpu, &pmcr64);
6859     for (i = 0; i < pmcrn; i++) {
6860         char *pmevcntr_name = g_strdup_printf("PMEVCNTR%d", i);
6861         char *pmevcntr_el0_name = g_strdup_printf("PMEVCNTR%d_EL0", i);
6862         char *pmevtyper_name = g_strdup_printf("PMEVTYPER%d", i);
6863         char *pmevtyper_el0_name = g_strdup_printf("PMEVTYPER%d_EL0", i);
6864         ARMCPRegInfo pmev_regs[] = {
6865             { .name = pmevcntr_name, .cp = 15, .crn = 14,
6866               .crm = 8 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
6867               .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
6868               .fgt = FGT_PMEVCNTRN_EL0,
6869               .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
6870               .accessfn = pmreg_access_xevcntr },
6871             { .name = pmevcntr_el0_name, .state = ARM_CP_STATE_AA64,
6872               .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 8 | (3 & (i >> 3)),
6873               .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access_xevcntr,
6874               .type = ARM_CP_IO,
6875               .fgt = FGT_PMEVCNTRN_EL0,
6876               .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
6877               .raw_readfn = pmevcntr_rawread,
6878               .raw_writefn = pmevcntr_rawwrite },
6879             { .name = pmevtyper_name, .cp = 15, .crn = 14,
6880               .crm = 12 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
6881               .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
6882               .fgt = FGT_PMEVTYPERN_EL0,
6883               .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
6884               .accessfn = pmreg_access },
6885             { .name = pmevtyper_el0_name, .state = ARM_CP_STATE_AA64,
6886               .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 12 | (3 & (i >> 3)),
6887               .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
6888               .fgt = FGT_PMEVTYPERN_EL0,
6889               .type = ARM_CP_IO,
6890               .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
6891               .raw_writefn = pmevtyper_rawwrite },
6892         };
6893         define_arm_cp_regs(cpu, pmev_regs);
6894         g_free(pmevcntr_name);
6895         g_free(pmevcntr_el0_name);
6896         g_free(pmevtyper_name);
6897         g_free(pmevtyper_el0_name);
6898     }
6899     if (cpu_isar_feature(aa32_pmuv3p1, cpu)) {
6900         ARMCPRegInfo v81_pmu_regs[] = {
6901             { .name = "PMCEID2", .state = ARM_CP_STATE_AA32,
6902               .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 4,
6903               .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
6904               .fgt = FGT_PMCEIDN_EL0,
6905               .resetvalue = extract64(cpu->pmceid0, 32, 32) },
6906             { .name = "PMCEID3", .state = ARM_CP_STATE_AA32,
6907               .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 5,
6908               .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
6909               .fgt = FGT_PMCEIDN_EL0,
6910               .resetvalue = extract64(cpu->pmceid1, 32, 32) },
6911         };
6912         define_arm_cp_regs(cpu, v81_pmu_regs);
6913     }
6914     if (cpu_isar_feature(any_pmuv3p4, cpu)) {
6915         static const ARMCPRegInfo v84_pmmir = {
6916             .name = "PMMIR_EL1", .state = ARM_CP_STATE_BOTH,
6917             .opc0 = 3, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 6,
6918             .access = PL1_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
6919             .fgt = FGT_PMMIR_EL1,
6920             .resetvalue = 0
6921         };
6922         define_one_arm_cp_reg(cpu, &v84_pmmir);
6923     }
6924 }
6925 
6926 #ifndef CONFIG_USER_ONLY
6927 /*
6928  * We don't know until after realize whether there's a GICv3
6929  * attached, and that is what registers the gicv3 sysregs.
6930  * So we have to fill in the GIC fields in ID_PFR/ID_PFR1_EL1/ID_AA64PFR0_EL1
6931  * at runtime.
6932  */
6933 static uint64_t id_pfr1_read(CPUARMState *env, const ARMCPRegInfo *ri)
6934 {
6935     ARMCPU *cpu = env_archcpu(env);
6936     uint64_t pfr1 = cpu->isar.id_pfr1;
6937 
6938     if (env->gicv3state) {
6939         pfr1 |= 1 << 28;
6940     }
6941     return pfr1;
6942 }
6943 
6944 static uint64_t id_aa64pfr0_read(CPUARMState *env, const ARMCPRegInfo *ri)
6945 {
6946     ARMCPU *cpu = env_archcpu(env);
6947     uint64_t pfr0 = cpu->isar.id_aa64pfr0;
6948 
6949     if (env->gicv3state) {
6950         pfr0 |= 1 << 24;
6951     }
6952     return pfr0;
6953 }
6954 #endif
6955 
6956 /*
6957  * Shared logic between LORID and the rest of the LOR* registers.
6958  * Secure state exclusion has already been dealt with.
6959  */
6960 static CPAccessResult access_lor_ns(CPUARMState *env,
6961                                     const ARMCPRegInfo *ri, bool isread)
6962 {
6963     int el = arm_current_el(env);
6964 
6965     if (el < 2 && (arm_hcr_el2_eff(env) & HCR_TLOR)) {
6966         return CP_ACCESS_TRAP_EL2;
6967     }
6968     if (el < 3 && (env->cp15.scr_el3 & SCR_TLOR)) {
6969         return CP_ACCESS_TRAP_EL3;
6970     }
6971     return CP_ACCESS_OK;
6972 }
6973 
6974 static CPAccessResult access_lor_other(CPUARMState *env,
6975                                        const ARMCPRegInfo *ri, bool isread)
6976 {
6977     if (arm_is_secure_below_el3(env)) {
6978         /* UNDEF if SCR_EL3.NS == 0 */
6979         return CP_ACCESS_UNDEFINED;
6980     }
6981     return access_lor_ns(env, ri, isread);
6982 }
6983 
6984 /*
6985  * A trivial implementation of ARMv8.1-LOR leaves all of these
6986  * registers fixed at 0, which indicates that there are zero
6987  * supported Limited Ordering regions.
6988  */
6989 static const ARMCPRegInfo lor_reginfo[] = {
6990     { .name = "LORSA_EL1", .state = ARM_CP_STATE_AA64,
6991       .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 0,
6992       .access = PL1_RW, .accessfn = access_lor_other,
6993       .fgt = FGT_LORSA_EL1,
6994       .type = ARM_CP_CONST, .resetvalue = 0 },
6995     { .name = "LOREA_EL1", .state = ARM_CP_STATE_AA64,
6996       .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 1,
6997       .access = PL1_RW, .accessfn = access_lor_other,
6998       .fgt = FGT_LOREA_EL1,
6999       .type = ARM_CP_CONST, .resetvalue = 0 },
7000     { .name = "LORN_EL1", .state = ARM_CP_STATE_AA64,
7001       .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 2,
7002       .access = PL1_RW, .accessfn = access_lor_other,
7003       .fgt = FGT_LORN_EL1,
7004       .type = ARM_CP_CONST, .resetvalue = 0 },
7005     { .name = "LORC_EL1", .state = ARM_CP_STATE_AA64,
7006       .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 3,
7007       .access = PL1_RW, .accessfn = access_lor_other,
7008       .fgt = FGT_LORC_EL1,
7009       .type = ARM_CP_CONST, .resetvalue = 0 },
7010     { .name = "LORID_EL1", .state = ARM_CP_STATE_AA64,
7011       .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 7,
7012       .access = PL1_R, .accessfn = access_lor_ns,
7013       .fgt = FGT_LORID_EL1,
7014       .type = ARM_CP_CONST, .resetvalue = 0 },
7015 };
7016 
7017 #ifdef TARGET_AARCH64
7018 static CPAccessResult access_pauth(CPUARMState *env, const ARMCPRegInfo *ri,
7019                                    bool isread)
7020 {
7021     int el = arm_current_el(env);
7022 
7023     if (el < 2 &&
7024         arm_is_el2_enabled(env) &&
7025         !(arm_hcr_el2_eff(env) & HCR_APK)) {
7026         return CP_ACCESS_TRAP_EL2;
7027     }
7028     if (el < 3 &&
7029         arm_feature(env, ARM_FEATURE_EL3) &&
7030         !(env->cp15.scr_el3 & SCR_APK)) {
7031         return CP_ACCESS_TRAP_EL3;
7032     }
7033     return CP_ACCESS_OK;
7034 }
7035 
7036 static const ARMCPRegInfo pauth_reginfo[] = {
7037     { .name = "APDAKEYLO_EL1", .state = ARM_CP_STATE_AA64,
7038       .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 2, .opc2 = 0,
7039       .access = PL1_RW, .accessfn = access_pauth,
7040       .fgt = FGT_APDAKEY,
7041       .fieldoffset = offsetof(CPUARMState, keys.apda.lo) },
7042     { .name = "APDAKEYHI_EL1", .state = ARM_CP_STATE_AA64,
7043       .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 2, .opc2 = 1,
7044       .access = PL1_RW, .accessfn = access_pauth,
7045       .fgt = FGT_APDAKEY,
7046       .fieldoffset = offsetof(CPUARMState, keys.apda.hi) },
7047     { .name = "APDBKEYLO_EL1", .state = ARM_CP_STATE_AA64,
7048       .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 2, .opc2 = 2,
7049       .access = PL1_RW, .accessfn = access_pauth,
7050       .fgt = FGT_APDBKEY,
7051       .fieldoffset = offsetof(CPUARMState, keys.apdb.lo) },
7052     { .name = "APDBKEYHI_EL1", .state = ARM_CP_STATE_AA64,
7053       .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 2, .opc2 = 3,
7054       .access = PL1_RW, .accessfn = access_pauth,
7055       .fgt = FGT_APDBKEY,
7056       .fieldoffset = offsetof(CPUARMState, keys.apdb.hi) },
7057     { .name = "APGAKEYLO_EL1", .state = ARM_CP_STATE_AA64,
7058       .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 3, .opc2 = 0,
7059       .access = PL1_RW, .accessfn = access_pauth,
7060       .fgt = FGT_APGAKEY,
7061       .fieldoffset = offsetof(CPUARMState, keys.apga.lo) },
7062     { .name = "APGAKEYHI_EL1", .state = ARM_CP_STATE_AA64,
7063       .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 3, .opc2 = 1,
7064       .access = PL1_RW, .accessfn = access_pauth,
7065       .fgt = FGT_APGAKEY,
7066       .fieldoffset = offsetof(CPUARMState, keys.apga.hi) },
7067     { .name = "APIAKEYLO_EL1", .state = ARM_CP_STATE_AA64,
7068       .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 0,
7069       .access = PL1_RW, .accessfn = access_pauth,
7070       .fgt = FGT_APIAKEY,
7071       .fieldoffset = offsetof(CPUARMState, keys.apia.lo) },
7072     { .name = "APIAKEYHI_EL1", .state = ARM_CP_STATE_AA64,
7073       .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 1,
7074       .access = PL1_RW, .accessfn = access_pauth,
7075       .fgt = FGT_APIAKEY,
7076       .fieldoffset = offsetof(CPUARMState, keys.apia.hi) },
7077     { .name = "APIBKEYLO_EL1", .state = ARM_CP_STATE_AA64,
7078       .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 2,
7079       .access = PL1_RW, .accessfn = access_pauth,
7080       .fgt = FGT_APIBKEY,
7081       .fieldoffset = offsetof(CPUARMState, keys.apib.lo) },
7082     { .name = "APIBKEYHI_EL1", .state = ARM_CP_STATE_AA64,
7083       .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 3,
7084       .access = PL1_RW, .accessfn = access_pauth,
7085       .fgt = FGT_APIBKEY,
7086       .fieldoffset = offsetof(CPUARMState, keys.apib.hi) },
7087 };
7088 
7089 static uint64_t rndr_readfn(CPUARMState *env, const ARMCPRegInfo *ri)
7090 {
7091     Error *err = NULL;
7092     uint64_t ret;
7093 
7094     /* Success sets NZCV = 0000.  */
7095     env->NF = env->CF = env->VF = 0, env->ZF = 1;
7096 
7097     if (qemu_guest_getrandom(&ret, sizeof(ret), &err) < 0) {
7098         /*
7099          * ??? Failed, for unknown reasons in the crypto subsystem.
7100          * The best we can do is log the reason and return the
7101          * timed-out indication to the guest.  There is no reason
7102          * we know to expect this failure to be transitory, so the
7103          * guest may well hang retrying the operation.
7104          */
7105         qemu_log_mask(LOG_UNIMP, "%s: Crypto failure: %s",
7106                       ri->name, error_get_pretty(err));
7107         error_free(err);
7108 
7109         env->ZF = 0; /* NZCF = 0100 */
7110         return 0;
7111     }
7112     return ret;
7113 }
7114 
7115 /* We do not support re-seeding, so the two registers operate the same.  */
7116 static const ARMCPRegInfo rndr_reginfo[] = {
7117     { .name = "RNDR", .state = ARM_CP_STATE_AA64,
7118       .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END | ARM_CP_IO,
7119       .opc0 = 3, .opc1 = 3, .crn = 2, .crm = 4, .opc2 = 0,
7120       .access = PL0_R, .readfn = rndr_readfn },
7121     { .name = "RNDRRS", .state = ARM_CP_STATE_AA64,
7122       .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END | ARM_CP_IO,
7123       .opc0 = 3, .opc1 = 3, .crn = 2, .crm = 4, .opc2 = 1,
7124       .access = PL0_R, .readfn = rndr_readfn },
7125 };
7126 
7127 static void dccvap_writefn(CPUARMState *env, const ARMCPRegInfo *opaque,
7128                           uint64_t value)
7129 {
7130 #ifdef CONFIG_TCG
7131     ARMCPU *cpu = env_archcpu(env);
7132     /* CTR_EL0 System register -> DminLine, bits [19:16] */
7133     uint64_t dline_size = 4 << ((cpu->ctr >> 16) & 0xF);
7134     uint64_t vaddr_in = (uint64_t) value;
7135     uint64_t vaddr = vaddr_in & ~(dline_size - 1);
7136     void *haddr;
7137     int mem_idx = arm_env_mmu_index(env);
7138 
7139     /* This won't be crossing page boundaries */
7140     haddr = probe_read(env, vaddr, dline_size, mem_idx, GETPC());
7141     if (haddr) {
7142 #ifndef CONFIG_USER_ONLY
7143 
7144         ram_addr_t offset;
7145         MemoryRegion *mr;
7146 
7147         /* RCU lock is already being held */
7148         mr = memory_region_from_host(haddr, &offset);
7149 
7150         if (mr) {
7151             memory_region_writeback(mr, offset, dline_size);
7152         }
7153 #endif /*CONFIG_USER_ONLY*/
7154     }
7155 #else
7156     /* Handled by hardware accelerator. */
7157     g_assert_not_reached();
7158 #endif /* CONFIG_TCG */
7159 }
7160 
7161 static const ARMCPRegInfo dcpop_reg[] = {
7162     { .name = "DC_CVAP", .state = ARM_CP_STATE_AA64,
7163       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 12, .opc2 = 1,
7164       .access = PL0_W, .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END,
7165       .fgt = FGT_DCCVAP,
7166       .accessfn = aa64_cacheop_poc_access, .writefn = dccvap_writefn },
7167 };
7168 
7169 static const ARMCPRegInfo dcpodp_reg[] = {
7170     { .name = "DC_CVADP", .state = ARM_CP_STATE_AA64,
7171       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 13, .opc2 = 1,
7172       .access = PL0_W, .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END,
7173       .fgt = FGT_DCCVADP,
7174       .accessfn = aa64_cacheop_poc_access, .writefn = dccvap_writefn },
7175 };
7176 
7177 static CPAccessResult access_aa64_tid5(CPUARMState *env, const ARMCPRegInfo *ri,
7178                                        bool isread)
7179 {
7180     if ((arm_current_el(env) < 2) && (arm_hcr_el2_eff(env) & HCR_TID5)) {
7181         return CP_ACCESS_TRAP_EL2;
7182     }
7183 
7184     return CP_ACCESS_OK;
7185 }
7186 
7187 static CPAccessResult access_mte(CPUARMState *env, const ARMCPRegInfo *ri,
7188                                  bool isread)
7189 {
7190     int el = arm_current_el(env);
7191     if (el < 2 && arm_is_el2_enabled(env)) {
7192         uint64_t hcr = arm_hcr_el2_eff(env);
7193         if (!(hcr & HCR_ATA) && (!(hcr & HCR_E2H) || !(hcr & HCR_TGE))) {
7194             return CP_ACCESS_TRAP_EL2;
7195         }
7196     }
7197     if (el < 3 &&
7198         arm_feature(env, ARM_FEATURE_EL3) &&
7199         !(env->cp15.scr_el3 & SCR_ATA)) {
7200         return CP_ACCESS_TRAP_EL3;
7201     }
7202     return CP_ACCESS_OK;
7203 }
7204 
7205 static CPAccessResult access_tfsr_el1(CPUARMState *env, const ARMCPRegInfo *ri,
7206                                       bool isread)
7207 {
7208     CPAccessResult nv1 = access_nv1(env, ri, isread);
7209 
7210     if (nv1 != CP_ACCESS_OK) {
7211         return nv1;
7212     }
7213     return access_mte(env, ri, isread);
7214 }
7215 
7216 static CPAccessResult access_tfsr_el2(CPUARMState *env, const ARMCPRegInfo *ri,
7217                                       bool isread)
7218 {
7219     /*
7220      * TFSR_EL2: similar to generic access_mte(), but we need to
7221      * account for FEAT_NV. At EL1 this must be a FEAT_NV access;
7222      * if NV2 is enabled then we will redirect this to TFSR_EL1
7223      * after doing the HCR and SCR ATA traps; otherwise this will
7224      * be a trap to EL2 and the HCR/SCR traps do not apply.
7225      */
7226     int el = arm_current_el(env);
7227 
7228     if (el == 1 && (arm_hcr_el2_eff(env) & HCR_NV2)) {
7229         return CP_ACCESS_OK;
7230     }
7231     if (el < 2 && arm_is_el2_enabled(env)) {
7232         uint64_t hcr = arm_hcr_el2_eff(env);
7233         if (!(hcr & HCR_ATA) && (!(hcr & HCR_E2H) || !(hcr & HCR_TGE))) {
7234             return CP_ACCESS_TRAP_EL2;
7235         }
7236     }
7237     if (el < 3 &&
7238         arm_feature(env, ARM_FEATURE_EL3) &&
7239         !(env->cp15.scr_el3 & SCR_ATA)) {
7240         return CP_ACCESS_TRAP_EL3;
7241     }
7242     return CP_ACCESS_OK;
7243 }
7244 
7245 static uint64_t tco_read(CPUARMState *env, const ARMCPRegInfo *ri)
7246 {
7247     return env->pstate & PSTATE_TCO;
7248 }
7249 
7250 static void tco_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t val)
7251 {
7252     env->pstate = (env->pstate & ~PSTATE_TCO) | (val & PSTATE_TCO);
7253 }
7254 
7255 static const ARMCPRegInfo mte_reginfo[] = {
7256     { .name = "TFSRE0_EL1", .state = ARM_CP_STATE_AA64,
7257       .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 6, .opc2 = 1,
7258       .access = PL1_RW, .accessfn = access_mte,
7259       .fieldoffset = offsetof(CPUARMState, cp15.tfsr_el[0]) },
7260     { .name = "TFSR_EL1", .state = ARM_CP_STATE_AA64,
7261       .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 6, .opc2 = 0,
7262       .access = PL1_RW, .accessfn = access_tfsr_el1,
7263       .nv2_redirect_offset = 0x190 | NV2_REDIR_NV1,
7264       .fieldoffset = offsetof(CPUARMState, cp15.tfsr_el[1]) },
7265     { .name = "TFSR_EL2", .state = ARM_CP_STATE_AA64,
7266       .type = ARM_CP_NV2_REDIRECT,
7267       .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 6, .opc2 = 0,
7268       .access = PL2_RW, .accessfn = access_tfsr_el2,
7269       .fieldoffset = offsetof(CPUARMState, cp15.tfsr_el[2]) },
7270     { .name = "TFSR_EL3", .state = ARM_CP_STATE_AA64,
7271       .opc0 = 3, .opc1 = 6, .crn = 5, .crm = 6, .opc2 = 0,
7272       .access = PL3_RW,
7273       .fieldoffset = offsetof(CPUARMState, cp15.tfsr_el[3]) },
7274     { .name = "RGSR_EL1", .state = ARM_CP_STATE_AA64,
7275       .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 5,
7276       .access = PL1_RW, .accessfn = access_mte,
7277       .fieldoffset = offsetof(CPUARMState, cp15.rgsr_el1) },
7278     { .name = "GCR_EL1", .state = ARM_CP_STATE_AA64,
7279       .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 6,
7280       .access = PL1_RW, .accessfn = access_mte,
7281       .fieldoffset = offsetof(CPUARMState, cp15.gcr_el1) },
7282     { .name = "TCO", .state = ARM_CP_STATE_AA64,
7283       .opc0 = 3, .opc1 = 3, .crn = 4, .crm = 2, .opc2 = 7,
7284       .type = ARM_CP_NO_RAW,
7285       .access = PL0_RW, .readfn = tco_read, .writefn = tco_write },
7286     { .name = "DC_IGVAC", .state = ARM_CP_STATE_AA64,
7287       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 3,
7288       .type = ARM_CP_NOP, .access = PL1_W,
7289       .fgt = FGT_DCIVAC,
7290       .accessfn = aa64_cacheop_poc_access },
7291     { .name = "DC_IGSW", .state = ARM_CP_STATE_AA64,
7292       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 4,
7293       .fgt = FGT_DCISW,
7294       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw },
7295     { .name = "DC_IGDVAC", .state = ARM_CP_STATE_AA64,
7296       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 5,
7297       .type = ARM_CP_NOP, .access = PL1_W,
7298       .fgt = FGT_DCIVAC,
7299       .accessfn = aa64_cacheop_poc_access },
7300     { .name = "DC_IGDSW", .state = ARM_CP_STATE_AA64,
7301       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 6,
7302       .fgt = FGT_DCISW,
7303       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw },
7304     { .name = "DC_CGSW", .state = ARM_CP_STATE_AA64,
7305       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 4,
7306       .fgt = FGT_DCCSW,
7307       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw },
7308     { .name = "DC_CGDSW", .state = ARM_CP_STATE_AA64,
7309       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 6,
7310       .fgt = FGT_DCCSW,
7311       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw },
7312     { .name = "DC_CIGSW", .state = ARM_CP_STATE_AA64,
7313       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 4,
7314       .fgt = FGT_DCCISW,
7315       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw },
7316     { .name = "DC_CIGDSW", .state = ARM_CP_STATE_AA64,
7317       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 6,
7318       .fgt = FGT_DCCISW,
7319       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw },
7320 };
7321 
7322 static const ARMCPRegInfo mte_tco_ro_reginfo[] = {
7323     { .name = "TCO", .state = ARM_CP_STATE_AA64,
7324       .opc0 = 3, .opc1 = 3, .crn = 4, .crm = 2, .opc2 = 7,
7325       .type = ARM_CP_CONST, .access = PL0_RW, },
7326 };
7327 
7328 static const ARMCPRegInfo mte_el0_cacheop_reginfo[] = {
7329     { .name = "DC_CGVAC", .state = ARM_CP_STATE_AA64,
7330       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 10, .opc2 = 3,
7331       .type = ARM_CP_NOP, .access = PL0_W,
7332       .fgt = FGT_DCCVAC,
7333       .accessfn = aa64_cacheop_poc_access },
7334     { .name = "DC_CGDVAC", .state = ARM_CP_STATE_AA64,
7335       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 10, .opc2 = 5,
7336       .type = ARM_CP_NOP, .access = PL0_W,
7337       .fgt = FGT_DCCVAC,
7338       .accessfn = aa64_cacheop_poc_access },
7339     { .name = "DC_CGVAP", .state = ARM_CP_STATE_AA64,
7340       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 12, .opc2 = 3,
7341       .type = ARM_CP_NOP, .access = PL0_W,
7342       .fgt = FGT_DCCVAP,
7343       .accessfn = aa64_cacheop_poc_access },
7344     { .name = "DC_CGDVAP", .state = ARM_CP_STATE_AA64,
7345       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 12, .opc2 = 5,
7346       .type = ARM_CP_NOP, .access = PL0_W,
7347       .fgt = FGT_DCCVAP,
7348       .accessfn = aa64_cacheop_poc_access },
7349     { .name = "DC_CGVADP", .state = ARM_CP_STATE_AA64,
7350       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 13, .opc2 = 3,
7351       .type = ARM_CP_NOP, .access = PL0_W,
7352       .fgt = FGT_DCCVADP,
7353       .accessfn = aa64_cacheop_poc_access },
7354     { .name = "DC_CGDVADP", .state = ARM_CP_STATE_AA64,
7355       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 13, .opc2 = 5,
7356       .type = ARM_CP_NOP, .access = PL0_W,
7357       .fgt = FGT_DCCVADP,
7358       .accessfn = aa64_cacheop_poc_access },
7359     { .name = "DC_CIGVAC", .state = ARM_CP_STATE_AA64,
7360       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 14, .opc2 = 3,
7361       .type = ARM_CP_NOP, .access = PL0_W,
7362       .fgt = FGT_DCCIVAC,
7363       .accessfn = aa64_cacheop_poc_access },
7364     { .name = "DC_CIGDVAC", .state = ARM_CP_STATE_AA64,
7365       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 14, .opc2 = 5,
7366       .type = ARM_CP_NOP, .access = PL0_W,
7367       .fgt = FGT_DCCIVAC,
7368       .accessfn = aa64_cacheop_poc_access },
7369     { .name = "DC_GVA", .state = ARM_CP_STATE_AA64,
7370       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 4, .opc2 = 3,
7371       .access = PL0_W, .type = ARM_CP_DC_GVA,
7372 #ifndef CONFIG_USER_ONLY
7373       /* Avoid overhead of an access check that always passes in user-mode */
7374       .accessfn = aa64_zva_access,
7375       .fgt = FGT_DCZVA,
7376 #endif
7377     },
7378     { .name = "DC_GZVA", .state = ARM_CP_STATE_AA64,
7379       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 4, .opc2 = 4,
7380       .access = PL0_W, .type = ARM_CP_DC_GZVA,
7381 #ifndef CONFIG_USER_ONLY
7382       /* Avoid overhead of an access check that always passes in user-mode */
7383       .accessfn = aa64_zva_access,
7384       .fgt = FGT_DCZVA,
7385 #endif
7386     },
7387 };
7388 
7389 static CPAccessResult access_scxtnum(CPUARMState *env, const ARMCPRegInfo *ri,
7390                                      bool isread)
7391 {
7392     uint64_t hcr = arm_hcr_el2_eff(env);
7393     int el = arm_current_el(env);
7394 
7395     if (el == 0 && !((hcr & HCR_E2H) && (hcr & HCR_TGE))) {
7396         if (env->cp15.sctlr_el[1] & SCTLR_TSCXT) {
7397             if (hcr & HCR_TGE) {
7398                 return CP_ACCESS_TRAP_EL2;
7399             }
7400             return CP_ACCESS_TRAP_EL1;
7401         }
7402     } else if (el < 2 && (env->cp15.sctlr_el[2] & SCTLR_TSCXT)) {
7403         return CP_ACCESS_TRAP_EL2;
7404     }
7405     if (el < 2 && arm_is_el2_enabled(env) && !(hcr & HCR_ENSCXT)) {
7406         return CP_ACCESS_TRAP_EL2;
7407     }
7408     if (el < 3
7409         && arm_feature(env, ARM_FEATURE_EL3)
7410         && !(env->cp15.scr_el3 & SCR_ENSCXT)) {
7411         return CP_ACCESS_TRAP_EL3;
7412     }
7413     return CP_ACCESS_OK;
7414 }
7415 
7416 static CPAccessResult access_scxtnum_el1(CPUARMState *env,
7417                                          const ARMCPRegInfo *ri,
7418                                          bool isread)
7419 {
7420     CPAccessResult nv1 = access_nv1(env, ri, isread);
7421 
7422     if (nv1 != CP_ACCESS_OK) {
7423         return nv1;
7424     }
7425     return access_scxtnum(env, ri, isread);
7426 }
7427 
7428 static const ARMCPRegInfo scxtnum_reginfo[] = {
7429     { .name = "SCXTNUM_EL0", .state = ARM_CP_STATE_AA64,
7430       .opc0 = 3, .opc1 = 3, .crn = 13, .crm = 0, .opc2 = 7,
7431       .access = PL0_RW, .accessfn = access_scxtnum,
7432       .fgt = FGT_SCXTNUM_EL0,
7433       .fieldoffset = offsetof(CPUARMState, scxtnum_el[0]) },
7434     { .name = "SCXTNUM_EL1", .state = ARM_CP_STATE_AA64,
7435       .opc0 = 3, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 7,
7436       .access = PL1_RW, .accessfn = access_scxtnum_el1,
7437       .fgt = FGT_SCXTNUM_EL1,
7438       .nv2_redirect_offset = 0x188 | NV2_REDIR_NV1,
7439       .fieldoffset = offsetof(CPUARMState, scxtnum_el[1]) },
7440     { .name = "SCXTNUM_EL2", .state = ARM_CP_STATE_AA64,
7441       .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 7,
7442       .access = PL2_RW, .accessfn = access_scxtnum,
7443       .fieldoffset = offsetof(CPUARMState, scxtnum_el[2]) },
7444     { .name = "SCXTNUM_EL3", .state = ARM_CP_STATE_AA64,
7445       .opc0 = 3, .opc1 = 6, .crn = 13, .crm = 0, .opc2 = 7,
7446       .access = PL3_RW,
7447       .fieldoffset = offsetof(CPUARMState, scxtnum_el[3]) },
7448 };
7449 
7450 static CPAccessResult access_fgt(CPUARMState *env, const ARMCPRegInfo *ri,
7451                                  bool isread)
7452 {
7453     if (arm_current_el(env) == 2 &&
7454         arm_feature(env, ARM_FEATURE_EL3) && !(env->cp15.scr_el3 & SCR_FGTEN)) {
7455         return CP_ACCESS_TRAP_EL3;
7456     }
7457     return CP_ACCESS_OK;
7458 }
7459 
7460 static const ARMCPRegInfo fgt_reginfo[] = {
7461     { .name = "HFGRTR_EL2", .state = ARM_CP_STATE_AA64,
7462       .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 4,
7463       .nv2_redirect_offset = 0x1b8,
7464       .access = PL2_RW, .accessfn = access_fgt,
7465       .fieldoffset = offsetof(CPUARMState, cp15.fgt_read[FGTREG_HFGRTR]) },
7466     { .name = "HFGWTR_EL2", .state = ARM_CP_STATE_AA64,
7467       .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 5,
7468       .nv2_redirect_offset = 0x1c0,
7469       .access = PL2_RW, .accessfn = access_fgt,
7470       .fieldoffset = offsetof(CPUARMState, cp15.fgt_write[FGTREG_HFGWTR]) },
7471     { .name = "HDFGRTR_EL2", .state = ARM_CP_STATE_AA64,
7472       .opc0 = 3, .opc1 = 4, .crn = 3, .crm = 1, .opc2 = 4,
7473       .nv2_redirect_offset = 0x1d0,
7474       .access = PL2_RW, .accessfn = access_fgt,
7475       .fieldoffset = offsetof(CPUARMState, cp15.fgt_read[FGTREG_HDFGRTR]) },
7476     { .name = "HDFGWTR_EL2", .state = ARM_CP_STATE_AA64,
7477       .opc0 = 3, .opc1 = 4, .crn = 3, .crm = 1, .opc2 = 5,
7478       .nv2_redirect_offset = 0x1d8,
7479       .access = PL2_RW, .accessfn = access_fgt,
7480       .fieldoffset = offsetof(CPUARMState, cp15.fgt_write[FGTREG_HDFGWTR]) },
7481     { .name = "HFGITR_EL2", .state = ARM_CP_STATE_AA64,
7482       .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 6,
7483       .nv2_redirect_offset = 0x1c8,
7484       .access = PL2_RW, .accessfn = access_fgt,
7485       .fieldoffset = offsetof(CPUARMState, cp15.fgt_exec[FGTREG_HFGITR]) },
7486 };
7487 
7488 static void vncr_write(CPUARMState *env, const ARMCPRegInfo *ri,
7489                        uint64_t value)
7490 {
7491     /*
7492      * Clear the RES0 bottom 12 bits; this means at runtime we can guarantee
7493      * that VNCR_EL2 + offset is 64-bit aligned. We don't need to do anything
7494      * about the RESS bits at the top -- we choose the "generate an EL2
7495      * translation abort on use" CONSTRAINED UNPREDICTABLE option (i.e. let
7496      * the ptw.c code detect the resulting invalid address).
7497      */
7498     env->cp15.vncr_el2 = value & ~0xfffULL;
7499 }
7500 
7501 static const ARMCPRegInfo nv2_reginfo[] = {
7502     { .name = "VNCR_EL2", .state = ARM_CP_STATE_AA64,
7503       .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 2, .opc2 = 0,
7504       .access = PL2_RW,
7505       .writefn = vncr_write,
7506       .nv2_redirect_offset = 0xb0,
7507       .fieldoffset = offsetof(CPUARMState, cp15.vncr_el2) },
7508 };
7509 
7510 #endif /* TARGET_AARCH64 */
7511 
7512 static CPAccessResult access_predinv(CPUARMState *env, const ARMCPRegInfo *ri,
7513                                      bool isread)
7514 {
7515     int el = arm_current_el(env);
7516 
7517     if (el == 0) {
7518         uint64_t sctlr = arm_sctlr(env, el);
7519         if (!(sctlr & SCTLR_EnRCTX)) {
7520             return CP_ACCESS_TRAP_EL1;
7521         }
7522     } else if (el == 1) {
7523         uint64_t hcr = arm_hcr_el2_eff(env);
7524         if (hcr & HCR_NV) {
7525             return CP_ACCESS_TRAP_EL2;
7526         }
7527     }
7528     return CP_ACCESS_OK;
7529 }
7530 
7531 static const ARMCPRegInfo predinv_reginfo[] = {
7532     { .name = "CFP_RCTX", .state = ARM_CP_STATE_AA64,
7533       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 3, .opc2 = 4,
7534       .fgt = FGT_CFPRCTX,
7535       .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv },
7536     { .name = "DVP_RCTX", .state = ARM_CP_STATE_AA64,
7537       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 3, .opc2 = 5,
7538       .fgt = FGT_DVPRCTX,
7539       .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv },
7540     { .name = "CPP_RCTX", .state = ARM_CP_STATE_AA64,
7541       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 3, .opc2 = 7,
7542       .fgt = FGT_CPPRCTX,
7543       .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv },
7544     /*
7545      * Note the AArch32 opcodes have a different OPC1.
7546      */
7547     { .name = "CFPRCTX", .state = ARM_CP_STATE_AA32,
7548       .cp = 15, .opc1 = 0, .crn = 7, .crm = 3, .opc2 = 4,
7549       .fgt = FGT_CFPRCTX,
7550       .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv },
7551     { .name = "DVPRCTX", .state = ARM_CP_STATE_AA32,
7552       .cp = 15, .opc1 = 0, .crn = 7, .crm = 3, .opc2 = 5,
7553       .fgt = FGT_DVPRCTX,
7554       .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv },
7555     { .name = "CPPRCTX", .state = ARM_CP_STATE_AA32,
7556       .cp = 15, .opc1 = 0, .crn = 7, .crm = 3, .opc2 = 7,
7557       .fgt = FGT_CPPRCTX,
7558       .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv },
7559 };
7560 
7561 static uint64_t ccsidr2_read(CPUARMState *env, const ARMCPRegInfo *ri)
7562 {
7563     /* Read the high 32 bits of the current CCSIDR */
7564     return extract64(ccsidr_read(env, ri), 32, 32);
7565 }
7566 
7567 static const ARMCPRegInfo ccsidr2_reginfo[] = {
7568     { .name = "CCSIDR2", .state = ARM_CP_STATE_BOTH,
7569       .opc0 = 3, .opc1 = 1, .crn = 0, .crm = 0, .opc2 = 2,
7570       .access = PL1_R,
7571       .accessfn = access_tid4,
7572       .readfn = ccsidr2_read, .type = ARM_CP_NO_RAW },
7573 };
7574 
7575 static CPAccessResult access_aa64_tid3(CPUARMState *env, const ARMCPRegInfo *ri,
7576                                        bool isread)
7577 {
7578     if ((arm_current_el(env) < 2) && (arm_hcr_el2_eff(env) & HCR_TID3)) {
7579         return CP_ACCESS_TRAP_EL2;
7580     }
7581 
7582     return CP_ACCESS_OK;
7583 }
7584 
7585 static CPAccessResult access_aa32_tid3(CPUARMState *env, const ARMCPRegInfo *ri,
7586                                        bool isread)
7587 {
7588     if (arm_feature(env, ARM_FEATURE_V8)) {
7589         return access_aa64_tid3(env, ri, isread);
7590     }
7591 
7592     return CP_ACCESS_OK;
7593 }
7594 
7595 static CPAccessResult access_jazelle(CPUARMState *env, const ARMCPRegInfo *ri,
7596                                      bool isread)
7597 {
7598     if (arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_TID0)) {
7599         return CP_ACCESS_TRAP_EL2;
7600     }
7601 
7602     return CP_ACCESS_OK;
7603 }
7604 
7605 static CPAccessResult access_joscr_jmcr(CPUARMState *env,
7606                                         const ARMCPRegInfo *ri, bool isread)
7607 {
7608     /*
7609      * HSTR.TJDBX traps JOSCR and JMCR accesses, but it exists only
7610      * in v7A, not in v8A.
7611      */
7612     if (!arm_feature(env, ARM_FEATURE_V8) &&
7613         arm_current_el(env) < 2 && !arm_is_secure_below_el3(env) &&
7614         (env->cp15.hstr_el2 & HSTR_TJDBX)) {
7615         return CP_ACCESS_TRAP_EL2;
7616     }
7617     return CP_ACCESS_OK;
7618 }
7619 
7620 static const ARMCPRegInfo jazelle_regs[] = {
7621     { .name = "JIDR",
7622       .cp = 14, .crn = 0, .crm = 0, .opc1 = 7, .opc2 = 0,
7623       .access = PL1_R, .accessfn = access_jazelle,
7624       .type = ARM_CP_CONST, .resetvalue = 0 },
7625     { .name = "JOSCR",
7626       .cp = 14, .crn = 1, .crm = 0, .opc1 = 7, .opc2 = 0,
7627       .accessfn = access_joscr_jmcr,
7628       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
7629     { .name = "JMCR",
7630       .cp = 14, .crn = 2, .crm = 0, .opc1 = 7, .opc2 = 0,
7631       .accessfn = access_joscr_jmcr,
7632       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
7633 };
7634 
7635 static const ARMCPRegInfo contextidr_el2 = {
7636     .name = "CONTEXTIDR_EL2", .state = ARM_CP_STATE_AA64,
7637     .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 1,
7638     .access = PL2_RW,
7639     .fieldoffset = offsetof(CPUARMState, cp15.contextidr_el[2])
7640 };
7641 
7642 static const ARMCPRegInfo vhe_reginfo[] = {
7643     { .name = "TTBR1_EL2", .state = ARM_CP_STATE_AA64,
7644       .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 1,
7645       .access = PL2_RW, .writefn = vmsa_tcr_ttbr_el2_write,
7646       .raw_writefn = raw_write,
7647       .fieldoffset = offsetof(CPUARMState, cp15.ttbr1_el[2]) },
7648 #ifndef CONFIG_USER_ONLY
7649     { .name = "CNTHV_CVAL_EL2", .state = ARM_CP_STATE_AA64,
7650       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 3, .opc2 = 2,
7651       .fieldoffset =
7652         offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYPVIRT].cval),
7653       .type = ARM_CP_IO, .access = PL2_RW,
7654       .writefn = gt_hv_cval_write, .raw_writefn = raw_write },
7655     { .name = "CNTHV_TVAL_EL2", .state = ARM_CP_STATE_BOTH,
7656       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 3, .opc2 = 0,
7657       .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL2_RW,
7658       .resetfn = gt_hv_timer_reset,
7659       .readfn = gt_hv_tval_read, .writefn = gt_hv_tval_write },
7660     { .name = "CNTHV_CTL_EL2", .state = ARM_CP_STATE_BOTH,
7661       .type = ARM_CP_IO,
7662       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 3, .opc2 = 1,
7663       .access = PL2_RW,
7664       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYPVIRT].ctl),
7665       .writefn = gt_hv_ctl_write, .raw_writefn = raw_write },
7666     { .name = "CNTP_CTL_EL02", .state = ARM_CP_STATE_AA64,
7667       .opc0 = 3, .opc1 = 5, .crn = 14, .crm = 2, .opc2 = 1,
7668       .type = ARM_CP_IO | ARM_CP_ALIAS,
7669       .access = PL2_RW, .accessfn = access_el1nvpct,
7670       .nv2_redirect_offset = 0x180 | NV2_REDIR_NO_NV1,
7671       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].ctl),
7672       .writefn = gt_phys_ctl_write, .raw_writefn = raw_write },
7673     { .name = "CNTV_CTL_EL02", .state = ARM_CP_STATE_AA64,
7674       .opc0 = 3, .opc1 = 5, .crn = 14, .crm = 3, .opc2 = 1,
7675       .type = ARM_CP_IO | ARM_CP_ALIAS,
7676       .access = PL2_RW, .accessfn = access_el1nvvct,
7677       .nv2_redirect_offset = 0x170 | NV2_REDIR_NO_NV1,
7678       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].ctl),
7679       .writefn = gt_virt_ctl_write, .raw_writefn = raw_write },
7680     { .name = "CNTP_TVAL_EL02", .state = ARM_CP_STATE_AA64,
7681       .opc0 = 3, .opc1 = 5, .crn = 14, .crm = 2, .opc2 = 0,
7682       .type = ARM_CP_NO_RAW | ARM_CP_IO | ARM_CP_ALIAS,
7683       .access = PL2_RW, .accessfn = e2h_access,
7684       .readfn = gt_phys_tval_read, .writefn = gt_phys_tval_write },
7685     { .name = "CNTV_TVAL_EL02", .state = ARM_CP_STATE_AA64,
7686       .opc0 = 3, .opc1 = 5, .crn = 14, .crm = 3, .opc2 = 0,
7687       .type = ARM_CP_NO_RAW | ARM_CP_IO | ARM_CP_ALIAS,
7688       .access = PL2_RW, .accessfn = e2h_access,
7689       .readfn = gt_virt_tval_read, .writefn = gt_virt_tval_write },
7690     { .name = "CNTP_CVAL_EL02", .state = ARM_CP_STATE_AA64,
7691       .opc0 = 3, .opc1 = 5, .crn = 14, .crm = 2, .opc2 = 2,
7692       .type = ARM_CP_IO | ARM_CP_ALIAS,
7693       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval),
7694       .nv2_redirect_offset = 0x178 | NV2_REDIR_NO_NV1,
7695       .access = PL2_RW, .accessfn = access_el1nvpct,
7696       .writefn = gt_phys_cval_write, .raw_writefn = raw_write },
7697     { .name = "CNTV_CVAL_EL02", .state = ARM_CP_STATE_AA64,
7698       .opc0 = 3, .opc1 = 5, .crn = 14, .crm = 3, .opc2 = 2,
7699       .type = ARM_CP_IO | ARM_CP_ALIAS,
7700       .nv2_redirect_offset = 0x168 | NV2_REDIR_NO_NV1,
7701       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval),
7702       .access = PL2_RW, .accessfn = access_el1nvvct,
7703       .writefn = gt_virt_cval_write, .raw_writefn = raw_write },
7704 #endif
7705 };
7706 
7707 #ifndef CONFIG_USER_ONLY
7708 static const ARMCPRegInfo ats1e1_reginfo[] = {
7709     { .name = "AT_S1E1RP", .state = ARM_CP_STATE_AA64,
7710       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 0,
7711       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
7712       .fgt = FGT_ATS1E1RP,
7713       .accessfn = at_s1e01_access, .writefn = ats_write64 },
7714     { .name = "AT_S1E1WP", .state = ARM_CP_STATE_AA64,
7715       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 1,
7716       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
7717       .fgt = FGT_ATS1E1WP,
7718       .accessfn = at_s1e01_access, .writefn = ats_write64 },
7719 };
7720 
7721 static const ARMCPRegInfo ats1cp_reginfo[] = {
7722     { .name = "ATS1CPRP",
7723       .cp = 15, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 0,
7724       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
7725       .writefn = ats_write },
7726     { .name = "ATS1CPWP",
7727       .cp = 15, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 1,
7728       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
7729       .writefn = ats_write },
7730 };
7731 #endif
7732 
7733 /*
7734  * ACTLR2 and HACTLR2 map to ACTLR_EL1[63:32] and
7735  * ACTLR_EL2[63:32]. They exist only if the ID_MMFR4.AC2 field
7736  * is non-zero, which is never for ARMv7, optionally in ARMv8
7737  * and mandatorily for ARMv8.2 and up.
7738  * ACTLR2 is banked for S and NS if EL3 is AArch32. Since QEMU's
7739  * implementation is RAZ/WI we can ignore this detail, as we
7740  * do for ACTLR.
7741  */
7742 static const ARMCPRegInfo actlr2_hactlr2_reginfo[] = {
7743     { .name = "ACTLR2", .state = ARM_CP_STATE_AA32,
7744       .cp = 15, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 3,
7745       .access = PL1_RW, .accessfn = access_tacr,
7746       .type = ARM_CP_CONST, .resetvalue = 0 },
7747     { .name = "HACTLR2", .state = ARM_CP_STATE_AA32,
7748       .cp = 15, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 3,
7749       .access = PL2_RW, .type = ARM_CP_CONST,
7750       .resetvalue = 0 },
7751 };
7752 
7753 void register_cp_regs_for_features(ARMCPU *cpu)
7754 {
7755     /* Register all the coprocessor registers based on feature bits */
7756     CPUARMState *env = &cpu->env;
7757     if (arm_feature(env, ARM_FEATURE_M)) {
7758         /* M profile has no coprocessor registers */
7759         return;
7760     }
7761 
7762     define_arm_cp_regs(cpu, cp_reginfo);
7763     if (!arm_feature(env, ARM_FEATURE_V8)) {
7764         /*
7765          * Must go early as it is full of wildcards that may be
7766          * overridden by later definitions.
7767          */
7768         define_arm_cp_regs(cpu, not_v8_cp_reginfo);
7769     }
7770 
7771     define_tlb_insn_regs(cpu);
7772 
7773     if (arm_feature(env, ARM_FEATURE_V6)) {
7774         /* The ID registers all have impdef reset values */
7775         ARMCPRegInfo v6_idregs[] = {
7776             { .name = "ID_PFR0", .state = ARM_CP_STATE_BOTH,
7777               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0,
7778               .access = PL1_R, .type = ARM_CP_CONST,
7779               .accessfn = access_aa32_tid3,
7780               .resetvalue = cpu->isar.id_pfr0 },
7781             /*
7782              * ID_PFR1 is not a plain ARM_CP_CONST because we don't know
7783              * the value of the GIC field until after we define these regs.
7784              */
7785             { .name = "ID_PFR1", .state = ARM_CP_STATE_BOTH,
7786               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 1,
7787               .access = PL1_R, .type = ARM_CP_NO_RAW,
7788               .accessfn = access_aa32_tid3,
7789 #ifdef CONFIG_USER_ONLY
7790               .type = ARM_CP_CONST,
7791               .resetvalue = cpu->isar.id_pfr1,
7792 #else
7793               .type = ARM_CP_NO_RAW,
7794               .accessfn = access_aa32_tid3,
7795               .readfn = id_pfr1_read,
7796               .writefn = arm_cp_write_ignore
7797 #endif
7798             },
7799             { .name = "ID_DFR0", .state = ARM_CP_STATE_BOTH,
7800               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 2,
7801               .access = PL1_R, .type = ARM_CP_CONST,
7802               .accessfn = access_aa32_tid3,
7803               .resetvalue = cpu->isar.id_dfr0 },
7804             { .name = "ID_AFR0", .state = ARM_CP_STATE_BOTH,
7805               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 3,
7806               .access = PL1_R, .type = ARM_CP_CONST,
7807               .accessfn = access_aa32_tid3,
7808               .resetvalue = cpu->id_afr0 },
7809             { .name = "ID_MMFR0", .state = ARM_CP_STATE_BOTH,
7810               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 4,
7811               .access = PL1_R, .type = ARM_CP_CONST,
7812               .accessfn = access_aa32_tid3,
7813               .resetvalue = cpu->isar.id_mmfr0 },
7814             { .name = "ID_MMFR1", .state = ARM_CP_STATE_BOTH,
7815               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 5,
7816               .access = PL1_R, .type = ARM_CP_CONST,
7817               .accessfn = access_aa32_tid3,
7818               .resetvalue = cpu->isar.id_mmfr1 },
7819             { .name = "ID_MMFR2", .state = ARM_CP_STATE_BOTH,
7820               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 6,
7821               .access = PL1_R, .type = ARM_CP_CONST,
7822               .accessfn = access_aa32_tid3,
7823               .resetvalue = cpu->isar.id_mmfr2 },
7824             { .name = "ID_MMFR3", .state = ARM_CP_STATE_BOTH,
7825               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 7,
7826               .access = PL1_R, .type = ARM_CP_CONST,
7827               .accessfn = access_aa32_tid3,
7828               .resetvalue = cpu->isar.id_mmfr3 },
7829             { .name = "ID_ISAR0", .state = ARM_CP_STATE_BOTH,
7830               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0,
7831               .access = PL1_R, .type = ARM_CP_CONST,
7832               .accessfn = access_aa32_tid3,
7833               .resetvalue = cpu->isar.id_isar0 },
7834             { .name = "ID_ISAR1", .state = ARM_CP_STATE_BOTH,
7835               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 1,
7836               .access = PL1_R, .type = ARM_CP_CONST,
7837               .accessfn = access_aa32_tid3,
7838               .resetvalue = cpu->isar.id_isar1 },
7839             { .name = "ID_ISAR2", .state = ARM_CP_STATE_BOTH,
7840               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 2,
7841               .access = PL1_R, .type = ARM_CP_CONST,
7842               .accessfn = access_aa32_tid3,
7843               .resetvalue = cpu->isar.id_isar2 },
7844             { .name = "ID_ISAR3", .state = ARM_CP_STATE_BOTH,
7845               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 3,
7846               .access = PL1_R, .type = ARM_CP_CONST,
7847               .accessfn = access_aa32_tid3,
7848               .resetvalue = cpu->isar.id_isar3 },
7849             { .name = "ID_ISAR4", .state = ARM_CP_STATE_BOTH,
7850               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 4,
7851               .access = PL1_R, .type = ARM_CP_CONST,
7852               .accessfn = access_aa32_tid3,
7853               .resetvalue = cpu->isar.id_isar4 },
7854             { .name = "ID_ISAR5", .state = ARM_CP_STATE_BOTH,
7855               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 5,
7856               .access = PL1_R, .type = ARM_CP_CONST,
7857               .accessfn = access_aa32_tid3,
7858               .resetvalue = cpu->isar.id_isar5 },
7859             { .name = "ID_MMFR4", .state = ARM_CP_STATE_BOTH,
7860               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 6,
7861               .access = PL1_R, .type = ARM_CP_CONST,
7862               .accessfn = access_aa32_tid3,
7863               .resetvalue = cpu->isar.id_mmfr4 },
7864             { .name = "ID_ISAR6", .state = ARM_CP_STATE_BOTH,
7865               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 7,
7866               .access = PL1_R, .type = ARM_CP_CONST,
7867               .accessfn = access_aa32_tid3,
7868               .resetvalue = cpu->isar.id_isar6 },
7869         };
7870         define_arm_cp_regs(cpu, v6_idregs);
7871         define_arm_cp_regs(cpu, v6_cp_reginfo);
7872     } else {
7873         define_arm_cp_regs(cpu, not_v6_cp_reginfo);
7874     }
7875     if (arm_feature(env, ARM_FEATURE_V6K)) {
7876         define_arm_cp_regs(cpu, v6k_cp_reginfo);
7877     }
7878     if (arm_feature(env, ARM_FEATURE_V7VE)) {
7879         define_arm_cp_regs(cpu, pmovsset_cp_reginfo);
7880     }
7881     if (arm_feature(env, ARM_FEATURE_V7)) {
7882         ARMCPRegInfo clidr = {
7883             .name = "CLIDR", .state = ARM_CP_STATE_BOTH,
7884             .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = 1,
7885             .access = PL1_R, .type = ARM_CP_CONST,
7886             .accessfn = access_tid4,
7887             .fgt = FGT_CLIDR_EL1,
7888             .resetvalue = cpu->clidr
7889         };
7890         define_one_arm_cp_reg(cpu, &clidr);
7891         define_arm_cp_regs(cpu, v7_cp_reginfo);
7892         define_debug_regs(cpu);
7893         define_pmu_regs(cpu);
7894     } else {
7895         define_arm_cp_regs(cpu, not_v7_cp_reginfo);
7896     }
7897     if (arm_feature(env, ARM_FEATURE_V8)) {
7898         /*
7899          * v8 ID registers, which all have impdef reset values.
7900          * Note that within the ID register ranges the unused slots
7901          * must all RAZ, not UNDEF; future architecture versions may
7902          * define new registers here.
7903          * ID registers which are AArch64 views of the AArch32 ID registers
7904          * which already existed in v6 and v7 are handled elsewhere,
7905          * in v6_idregs[].
7906          */
7907         int i;
7908         ARMCPRegInfo v8_idregs[] = {
7909             /*
7910              * ID_AA64PFR0_EL1 is not a plain ARM_CP_CONST in system
7911              * emulation because we don't know the right value for the
7912              * GIC field until after we define these regs.
7913              */
7914             { .name = "ID_AA64PFR0_EL1", .state = ARM_CP_STATE_AA64,
7915               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 0,
7916               .access = PL1_R,
7917 #ifdef CONFIG_USER_ONLY
7918               .type = ARM_CP_CONST,
7919               .resetvalue = cpu->isar.id_aa64pfr0
7920 #else
7921               .type = ARM_CP_NO_RAW,
7922               .accessfn = access_aa64_tid3,
7923               .readfn = id_aa64pfr0_read,
7924               .writefn = arm_cp_write_ignore
7925 #endif
7926             },
7927             { .name = "ID_AA64PFR1_EL1", .state = ARM_CP_STATE_AA64,
7928               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 1,
7929               .access = PL1_R, .type = ARM_CP_CONST,
7930               .accessfn = access_aa64_tid3,
7931               .resetvalue = cpu->isar.id_aa64pfr1},
7932             { .name = "ID_AA64PFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
7933               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 2,
7934               .access = PL1_R, .type = ARM_CP_CONST,
7935               .accessfn = access_aa64_tid3,
7936               .resetvalue = 0 },
7937             { .name = "ID_AA64PFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
7938               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 3,
7939               .access = PL1_R, .type = ARM_CP_CONST,
7940               .accessfn = access_aa64_tid3,
7941               .resetvalue = 0 },
7942             { .name = "ID_AA64ZFR0_EL1", .state = ARM_CP_STATE_AA64,
7943               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 4,
7944               .access = PL1_R, .type = ARM_CP_CONST,
7945               .accessfn = access_aa64_tid3,
7946               .resetvalue = cpu->isar.id_aa64zfr0 },
7947             { .name = "ID_AA64SMFR0_EL1", .state = ARM_CP_STATE_AA64,
7948               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 5,
7949               .access = PL1_R, .type = ARM_CP_CONST,
7950               .accessfn = access_aa64_tid3,
7951               .resetvalue = cpu->isar.id_aa64smfr0 },
7952             { .name = "ID_AA64PFR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
7953               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 6,
7954               .access = PL1_R, .type = ARM_CP_CONST,
7955               .accessfn = access_aa64_tid3,
7956               .resetvalue = 0 },
7957             { .name = "ID_AA64PFR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
7958               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 7,
7959               .access = PL1_R, .type = ARM_CP_CONST,
7960               .accessfn = access_aa64_tid3,
7961               .resetvalue = 0 },
7962             { .name = "ID_AA64DFR0_EL1", .state = ARM_CP_STATE_AA64,
7963               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 0,
7964               .access = PL1_R, .type = ARM_CP_CONST,
7965               .accessfn = access_aa64_tid3,
7966               .resetvalue = cpu->isar.id_aa64dfr0 },
7967             { .name = "ID_AA64DFR1_EL1", .state = ARM_CP_STATE_AA64,
7968               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 1,
7969               .access = PL1_R, .type = ARM_CP_CONST,
7970               .accessfn = access_aa64_tid3,
7971               .resetvalue = cpu->isar.id_aa64dfr1 },
7972             { .name = "ID_AA64DFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
7973               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 2,
7974               .access = PL1_R, .type = ARM_CP_CONST,
7975               .accessfn = access_aa64_tid3,
7976               .resetvalue = 0 },
7977             { .name = "ID_AA64DFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
7978               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 3,
7979               .access = PL1_R, .type = ARM_CP_CONST,
7980               .accessfn = access_aa64_tid3,
7981               .resetvalue = 0 },
7982             { .name = "ID_AA64AFR0_EL1", .state = ARM_CP_STATE_AA64,
7983               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 4,
7984               .access = PL1_R, .type = ARM_CP_CONST,
7985               .accessfn = access_aa64_tid3,
7986               .resetvalue = cpu->id_aa64afr0 },
7987             { .name = "ID_AA64AFR1_EL1", .state = ARM_CP_STATE_AA64,
7988               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 5,
7989               .access = PL1_R, .type = ARM_CP_CONST,
7990               .accessfn = access_aa64_tid3,
7991               .resetvalue = cpu->id_aa64afr1 },
7992             { .name = "ID_AA64AFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
7993               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 6,
7994               .access = PL1_R, .type = ARM_CP_CONST,
7995               .accessfn = access_aa64_tid3,
7996               .resetvalue = 0 },
7997             { .name = "ID_AA64AFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
7998               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 7,
7999               .access = PL1_R, .type = ARM_CP_CONST,
8000               .accessfn = access_aa64_tid3,
8001               .resetvalue = 0 },
8002             { .name = "ID_AA64ISAR0_EL1", .state = ARM_CP_STATE_AA64,
8003               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 0,
8004               .access = PL1_R, .type = ARM_CP_CONST,
8005               .accessfn = access_aa64_tid3,
8006               .resetvalue = cpu->isar.id_aa64isar0 },
8007             { .name = "ID_AA64ISAR1_EL1", .state = ARM_CP_STATE_AA64,
8008               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 1,
8009               .access = PL1_R, .type = ARM_CP_CONST,
8010               .accessfn = access_aa64_tid3,
8011               .resetvalue = cpu->isar.id_aa64isar1 },
8012             { .name = "ID_AA64ISAR2_EL1", .state = ARM_CP_STATE_AA64,
8013               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 2,
8014               .access = PL1_R, .type = ARM_CP_CONST,
8015               .accessfn = access_aa64_tid3,
8016               .resetvalue = cpu->isar.id_aa64isar2 },
8017             { .name = "ID_AA64ISAR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
8018               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 3,
8019               .access = PL1_R, .type = ARM_CP_CONST,
8020               .accessfn = access_aa64_tid3,
8021               .resetvalue = 0 },
8022             { .name = "ID_AA64ISAR4_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
8023               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 4,
8024               .access = PL1_R, .type = ARM_CP_CONST,
8025               .accessfn = access_aa64_tid3,
8026               .resetvalue = 0 },
8027             { .name = "ID_AA64ISAR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
8028               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 5,
8029               .access = PL1_R, .type = ARM_CP_CONST,
8030               .accessfn = access_aa64_tid3,
8031               .resetvalue = 0 },
8032             { .name = "ID_AA64ISAR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
8033               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 6,
8034               .access = PL1_R, .type = ARM_CP_CONST,
8035               .accessfn = access_aa64_tid3,
8036               .resetvalue = 0 },
8037             { .name = "ID_AA64ISAR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
8038               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 7,
8039               .access = PL1_R, .type = ARM_CP_CONST,
8040               .accessfn = access_aa64_tid3,
8041               .resetvalue = 0 },
8042             { .name = "ID_AA64MMFR0_EL1", .state = ARM_CP_STATE_AA64,
8043               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,
8044               .access = PL1_R, .type = ARM_CP_CONST,
8045               .accessfn = access_aa64_tid3,
8046               .resetvalue = cpu->isar.id_aa64mmfr0 },
8047             { .name = "ID_AA64MMFR1_EL1", .state = ARM_CP_STATE_AA64,
8048               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 1,
8049               .access = PL1_R, .type = ARM_CP_CONST,
8050               .accessfn = access_aa64_tid3,
8051               .resetvalue = cpu->isar.id_aa64mmfr1 },
8052             { .name = "ID_AA64MMFR2_EL1", .state = ARM_CP_STATE_AA64,
8053               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 2,
8054               .access = PL1_R, .type = ARM_CP_CONST,
8055               .accessfn = access_aa64_tid3,
8056               .resetvalue = cpu->isar.id_aa64mmfr2 },
8057             { .name = "ID_AA64MMFR3_EL1", .state = ARM_CP_STATE_AA64,
8058               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 3,
8059               .access = PL1_R, .type = ARM_CP_CONST,
8060               .accessfn = access_aa64_tid3,
8061               .resetvalue = cpu->isar.id_aa64mmfr3 },
8062             { .name = "ID_AA64MMFR4_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
8063               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 4,
8064               .access = PL1_R, .type = ARM_CP_CONST,
8065               .accessfn = access_aa64_tid3,
8066               .resetvalue = 0 },
8067             { .name = "ID_AA64MMFR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
8068               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 5,
8069               .access = PL1_R, .type = ARM_CP_CONST,
8070               .accessfn = access_aa64_tid3,
8071               .resetvalue = 0 },
8072             { .name = "ID_AA64MMFR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
8073               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 6,
8074               .access = PL1_R, .type = ARM_CP_CONST,
8075               .accessfn = access_aa64_tid3,
8076               .resetvalue = 0 },
8077             { .name = "ID_AA64MMFR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
8078               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 7,
8079               .access = PL1_R, .type = ARM_CP_CONST,
8080               .accessfn = access_aa64_tid3,
8081               .resetvalue = 0 },
8082             { .name = "MVFR0_EL1", .state = ARM_CP_STATE_AA64,
8083               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 0,
8084               .access = PL1_R, .type = ARM_CP_CONST,
8085               .accessfn = access_aa64_tid3,
8086               .resetvalue = cpu->isar.mvfr0 },
8087             { .name = "MVFR1_EL1", .state = ARM_CP_STATE_AA64,
8088               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 1,
8089               .access = PL1_R, .type = ARM_CP_CONST,
8090               .accessfn = access_aa64_tid3,
8091               .resetvalue = cpu->isar.mvfr1 },
8092             { .name = "MVFR2_EL1", .state = ARM_CP_STATE_AA64,
8093               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2,
8094               .access = PL1_R, .type = ARM_CP_CONST,
8095               .accessfn = access_aa64_tid3,
8096               .resetvalue = cpu->isar.mvfr2 },
8097             /*
8098              * "0, c0, c3, {0,1,2}" are the encodings corresponding to
8099              * AArch64 MVFR[012]_EL1. Define the STATE_AA32 encoding
8100              * as RAZ, since it is in the "reserved for future ID
8101              * registers, RAZ" part of the AArch32 encoding space.
8102              */
8103             { .name = "RES_0_C0_C3_0", .state = ARM_CP_STATE_AA32,
8104               .cp = 15, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 0,
8105               .access = PL1_R, .type = ARM_CP_CONST,
8106               .accessfn = access_aa64_tid3,
8107               .resetvalue = 0 },
8108             { .name = "RES_0_C0_C3_1", .state = ARM_CP_STATE_AA32,
8109               .cp = 15, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 1,
8110               .access = PL1_R, .type = ARM_CP_CONST,
8111               .accessfn = access_aa64_tid3,
8112               .resetvalue = 0 },
8113             { .name = "RES_0_C0_C3_2", .state = ARM_CP_STATE_AA32,
8114               .cp = 15, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2,
8115               .access = PL1_R, .type = ARM_CP_CONST,
8116               .accessfn = access_aa64_tid3,
8117               .resetvalue = 0 },
8118             /*
8119              * Other encodings in "0, c0, c3, ..." are STATE_BOTH because
8120              * they're also RAZ for AArch64, and in v8 are gradually
8121              * being filled with AArch64-view-of-AArch32-ID-register
8122              * for new ID registers.
8123              */
8124             { .name = "RES_0_C0_C3_3", .state = ARM_CP_STATE_BOTH,
8125               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 3,
8126               .access = PL1_R, .type = ARM_CP_CONST,
8127               .accessfn = access_aa64_tid3,
8128               .resetvalue = 0 },
8129             { .name = "ID_PFR2", .state = ARM_CP_STATE_BOTH,
8130               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 4,
8131               .access = PL1_R, .type = ARM_CP_CONST,
8132               .accessfn = access_aa64_tid3,
8133               .resetvalue = cpu->isar.id_pfr2 },
8134             { .name = "ID_DFR1", .state = ARM_CP_STATE_BOTH,
8135               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 5,
8136               .access = PL1_R, .type = ARM_CP_CONST,
8137               .accessfn = access_aa64_tid3,
8138               .resetvalue = cpu->isar.id_dfr1 },
8139             { .name = "ID_MMFR5", .state = ARM_CP_STATE_BOTH,
8140               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 6,
8141               .access = PL1_R, .type = ARM_CP_CONST,
8142               .accessfn = access_aa64_tid3,
8143               .resetvalue = cpu->isar.id_mmfr5 },
8144             { .name = "RES_0_C0_C3_7", .state = ARM_CP_STATE_BOTH,
8145               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 7,
8146               .access = PL1_R, .type = ARM_CP_CONST,
8147               .accessfn = access_aa64_tid3,
8148               .resetvalue = 0 },
8149             { .name = "PMCEID0", .state = ARM_CP_STATE_AA32,
8150               .cp = 15, .opc1 = 0, .crn = 9, .crm = 12, .opc2 = 6,
8151               .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
8152               .fgt = FGT_PMCEIDN_EL0,
8153               .resetvalue = extract64(cpu->pmceid0, 0, 32) },
8154             { .name = "PMCEID0_EL0", .state = ARM_CP_STATE_AA64,
8155               .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 6,
8156               .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
8157               .fgt = FGT_PMCEIDN_EL0,
8158               .resetvalue = cpu->pmceid0 },
8159             { .name = "PMCEID1", .state = ARM_CP_STATE_AA32,
8160               .cp = 15, .opc1 = 0, .crn = 9, .crm = 12, .opc2 = 7,
8161               .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
8162               .fgt = FGT_PMCEIDN_EL0,
8163               .resetvalue = extract64(cpu->pmceid1, 0, 32) },
8164             { .name = "PMCEID1_EL0", .state = ARM_CP_STATE_AA64,
8165               .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 7,
8166               .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
8167               .fgt = FGT_PMCEIDN_EL0,
8168               .resetvalue = cpu->pmceid1 },
8169         };
8170 #ifdef CONFIG_USER_ONLY
8171         static const ARMCPRegUserSpaceInfo v8_user_idregs[] = {
8172             { .name = "ID_AA64PFR0_EL1",
8173               .exported_bits = R_ID_AA64PFR0_FP_MASK |
8174                                R_ID_AA64PFR0_ADVSIMD_MASK |
8175                                R_ID_AA64PFR0_SVE_MASK |
8176                                R_ID_AA64PFR0_DIT_MASK,
8177               .fixed_bits = (0x1u << R_ID_AA64PFR0_EL0_SHIFT) |
8178                             (0x1u << R_ID_AA64PFR0_EL1_SHIFT) },
8179             { .name = "ID_AA64PFR1_EL1",
8180               .exported_bits = R_ID_AA64PFR1_BT_MASK |
8181                                R_ID_AA64PFR1_SSBS_MASK |
8182                                R_ID_AA64PFR1_MTE_MASK |
8183                                R_ID_AA64PFR1_SME_MASK },
8184             { .name = "ID_AA64PFR*_EL1_RESERVED",
8185               .is_glob = true },
8186             { .name = "ID_AA64ZFR0_EL1",
8187               .exported_bits = R_ID_AA64ZFR0_SVEVER_MASK |
8188                                R_ID_AA64ZFR0_AES_MASK |
8189                                R_ID_AA64ZFR0_BITPERM_MASK |
8190                                R_ID_AA64ZFR0_BFLOAT16_MASK |
8191                                R_ID_AA64ZFR0_B16B16_MASK |
8192                                R_ID_AA64ZFR0_SHA3_MASK |
8193                                R_ID_AA64ZFR0_SM4_MASK |
8194                                R_ID_AA64ZFR0_I8MM_MASK |
8195                                R_ID_AA64ZFR0_F32MM_MASK |
8196                                R_ID_AA64ZFR0_F64MM_MASK },
8197             { .name = "ID_AA64SMFR0_EL1",
8198               .exported_bits = R_ID_AA64SMFR0_F32F32_MASK |
8199                                R_ID_AA64SMFR0_BI32I32_MASK |
8200                                R_ID_AA64SMFR0_B16F32_MASK |
8201                                R_ID_AA64SMFR0_F16F32_MASK |
8202                                R_ID_AA64SMFR0_I8I32_MASK |
8203                                R_ID_AA64SMFR0_F16F16_MASK |
8204                                R_ID_AA64SMFR0_B16B16_MASK |
8205                                R_ID_AA64SMFR0_I16I32_MASK |
8206                                R_ID_AA64SMFR0_F64F64_MASK |
8207                                R_ID_AA64SMFR0_I16I64_MASK |
8208                                R_ID_AA64SMFR0_SMEVER_MASK |
8209                                R_ID_AA64SMFR0_FA64_MASK },
8210             { .name = "ID_AA64MMFR0_EL1",
8211               .exported_bits = R_ID_AA64MMFR0_ECV_MASK,
8212               .fixed_bits = (0xfu << R_ID_AA64MMFR0_TGRAN64_SHIFT) |
8213                             (0xfu << R_ID_AA64MMFR0_TGRAN4_SHIFT) },
8214             { .name = "ID_AA64MMFR1_EL1",
8215               .exported_bits = R_ID_AA64MMFR1_AFP_MASK },
8216             { .name = "ID_AA64MMFR2_EL1",
8217               .exported_bits = R_ID_AA64MMFR2_AT_MASK },
8218             { .name = "ID_AA64MMFR3_EL1",
8219               .exported_bits = 0 },
8220             { .name = "ID_AA64MMFR*_EL1_RESERVED",
8221               .is_glob = true },
8222             { .name = "ID_AA64DFR0_EL1",
8223               .fixed_bits = (0x6u << R_ID_AA64DFR0_DEBUGVER_SHIFT) },
8224             { .name = "ID_AA64DFR1_EL1" },
8225             { .name = "ID_AA64DFR*_EL1_RESERVED",
8226               .is_glob = true },
8227             { .name = "ID_AA64AFR*",
8228               .is_glob = true },
8229             { .name = "ID_AA64ISAR0_EL1",
8230               .exported_bits = R_ID_AA64ISAR0_AES_MASK |
8231                                R_ID_AA64ISAR0_SHA1_MASK |
8232                                R_ID_AA64ISAR0_SHA2_MASK |
8233                                R_ID_AA64ISAR0_CRC32_MASK |
8234                                R_ID_AA64ISAR0_ATOMIC_MASK |
8235                                R_ID_AA64ISAR0_RDM_MASK |
8236                                R_ID_AA64ISAR0_SHA3_MASK |
8237                                R_ID_AA64ISAR0_SM3_MASK |
8238                                R_ID_AA64ISAR0_SM4_MASK |
8239                                R_ID_AA64ISAR0_DP_MASK |
8240                                R_ID_AA64ISAR0_FHM_MASK |
8241                                R_ID_AA64ISAR0_TS_MASK |
8242                                R_ID_AA64ISAR0_RNDR_MASK },
8243             { .name = "ID_AA64ISAR1_EL1",
8244               .exported_bits = R_ID_AA64ISAR1_DPB_MASK |
8245                                R_ID_AA64ISAR1_APA_MASK |
8246                                R_ID_AA64ISAR1_API_MASK |
8247                                R_ID_AA64ISAR1_JSCVT_MASK |
8248                                R_ID_AA64ISAR1_FCMA_MASK |
8249                                R_ID_AA64ISAR1_LRCPC_MASK |
8250                                R_ID_AA64ISAR1_GPA_MASK |
8251                                R_ID_AA64ISAR1_GPI_MASK |
8252                                R_ID_AA64ISAR1_FRINTTS_MASK |
8253                                R_ID_AA64ISAR1_SB_MASK |
8254                                R_ID_AA64ISAR1_BF16_MASK |
8255                                R_ID_AA64ISAR1_DGH_MASK |
8256                                R_ID_AA64ISAR1_I8MM_MASK },
8257             { .name = "ID_AA64ISAR2_EL1",
8258               .exported_bits = R_ID_AA64ISAR2_WFXT_MASK |
8259                                R_ID_AA64ISAR2_RPRES_MASK |
8260                                R_ID_AA64ISAR2_GPA3_MASK |
8261                                R_ID_AA64ISAR2_APA3_MASK |
8262                                R_ID_AA64ISAR2_MOPS_MASK |
8263                                R_ID_AA64ISAR2_BC_MASK |
8264                                R_ID_AA64ISAR2_RPRFM_MASK |
8265                                R_ID_AA64ISAR2_CSSC_MASK },
8266             { .name = "ID_AA64ISAR*_EL1_RESERVED",
8267               .is_glob = true },
8268         };
8269         modify_arm_cp_regs(v8_idregs, v8_user_idregs);
8270 #endif
8271         /*
8272          * RVBAR_EL1 and RMR_EL1 only implemented if EL1 is the highest EL.
8273          * TODO: For RMR, a write with bit 1 set should do something with
8274          * cpu_reset(). In the meantime, "the bit is strictly a request",
8275          * so we are in spec just ignoring writes.
8276          */
8277         if (!arm_feature(env, ARM_FEATURE_EL3) &&
8278             !arm_feature(env, ARM_FEATURE_EL2)) {
8279             ARMCPRegInfo el1_reset_regs[] = {
8280                 { .name = "RVBAR_EL1", .state = ARM_CP_STATE_BOTH,
8281                   .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1,
8282                   .access = PL1_R,
8283                   .fieldoffset = offsetof(CPUARMState, cp15.rvbar) },
8284                 { .name = "RMR_EL1", .state = ARM_CP_STATE_BOTH,
8285                   .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 2,
8286                   .access = PL1_RW, .type = ARM_CP_CONST,
8287                   .resetvalue = arm_feature(env, ARM_FEATURE_AARCH64) }
8288             };
8289             define_arm_cp_regs(cpu, el1_reset_regs);
8290         }
8291         define_arm_cp_regs(cpu, v8_idregs);
8292         define_arm_cp_regs(cpu, v8_cp_reginfo);
8293         if (cpu_isar_feature(aa64_aa32_el1, cpu)) {
8294             define_arm_cp_regs(cpu, v8_aa32_el1_reginfo);
8295         }
8296 
8297         for (i = 4; i < 16; i++) {
8298             /*
8299              * Encodings in "0, c0, {c4-c7}, {0-7}" are RAZ for AArch32.
8300              * For pre-v8 cores there are RAZ patterns for these in
8301              * id_pre_v8_midr_cp_reginfo[]; for v8 we do that here.
8302              * v8 extends the "must RAZ" part of the ID register space
8303              * to also cover c0, 0, c{8-15}, {0-7}.
8304              * These are STATE_AA32 because in the AArch64 sysreg space
8305              * c4-c7 is where the AArch64 ID registers live (and we've
8306              * already defined those in v8_idregs[]), and c8-c15 are not
8307              * "must RAZ" for AArch64.
8308              */
8309             g_autofree char *name = g_strdup_printf("RES_0_C0_C%d_X", i);
8310             ARMCPRegInfo v8_aa32_raz_idregs = {
8311                 .name = name,
8312                 .state = ARM_CP_STATE_AA32,
8313                 .cp = 15, .opc1 = 0, .crn = 0, .crm = i, .opc2 = CP_ANY,
8314                 .access = PL1_R, .type = ARM_CP_CONST,
8315                 .accessfn = access_aa64_tid3,
8316                 .resetvalue = 0 };
8317             define_one_arm_cp_reg(cpu, &v8_aa32_raz_idregs);
8318         }
8319     }
8320 
8321     /*
8322      * Register the base EL2 cpregs.
8323      * Pre v8, these registers are implemented only as part of the
8324      * Virtualization Extensions (EL2 present).  Beginning with v8,
8325      * if EL2 is missing but EL3 is enabled, mostly these become
8326      * RES0 from EL3, with some specific exceptions.
8327      */
8328     if (arm_feature(env, ARM_FEATURE_EL2)
8329         || (arm_feature(env, ARM_FEATURE_EL3)
8330             && arm_feature(env, ARM_FEATURE_V8))) {
8331         uint64_t vmpidr_def = mpidr_read_val(env);
8332         ARMCPRegInfo vpidr_regs[] = {
8333             { .name = "VPIDR", .state = ARM_CP_STATE_AA32,
8334               .cp = 15, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0,
8335               .access = PL2_RW, .accessfn = access_el3_aa32ns,
8336               .resetvalue = cpu->midr,
8337               .type = ARM_CP_ALIAS | ARM_CP_EL3_NO_EL2_C_NZ,
8338               .fieldoffset = offsetoflow32(CPUARMState, cp15.vpidr_el2) },
8339             { .name = "VPIDR_EL2", .state = ARM_CP_STATE_AA64,
8340               .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0,
8341               .access = PL2_RW, .resetvalue = cpu->midr,
8342               .type = ARM_CP_EL3_NO_EL2_C_NZ,
8343               .nv2_redirect_offset = 0x88,
8344               .fieldoffset = offsetof(CPUARMState, cp15.vpidr_el2) },
8345             { .name = "VMPIDR", .state = ARM_CP_STATE_AA32,
8346               .cp = 15, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5,
8347               .access = PL2_RW, .accessfn = access_el3_aa32ns,
8348               .resetvalue = vmpidr_def,
8349               .type = ARM_CP_ALIAS | ARM_CP_EL3_NO_EL2_C_NZ,
8350               .fieldoffset = offsetoflow32(CPUARMState, cp15.vmpidr_el2) },
8351             { .name = "VMPIDR_EL2", .state = ARM_CP_STATE_AA64,
8352               .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5,
8353               .access = PL2_RW, .resetvalue = vmpidr_def,
8354               .type = ARM_CP_EL3_NO_EL2_C_NZ,
8355               .nv2_redirect_offset = 0x50,
8356               .fieldoffset = offsetof(CPUARMState, cp15.vmpidr_el2) },
8357         };
8358         /*
8359          * The only field of MDCR_EL2 that has a defined architectural reset
8360          * value is MDCR_EL2.HPMN which should reset to the value of PMCR_EL0.N.
8361          */
8362         ARMCPRegInfo mdcr_el2 = {
8363             .name = "MDCR_EL2", .state = ARM_CP_STATE_BOTH, .type = ARM_CP_IO,
8364             .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 1,
8365             .writefn = mdcr_el2_write,
8366             .access = PL2_RW, .resetvalue = pmu_num_counters(env),
8367             .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el2),
8368         };
8369         define_one_arm_cp_reg(cpu, &mdcr_el2);
8370         define_arm_cp_regs(cpu, vpidr_regs);
8371         define_arm_cp_regs(cpu, el2_cp_reginfo);
8372         if (arm_feature(env, ARM_FEATURE_V8)) {
8373             define_arm_cp_regs(cpu, el2_v8_cp_reginfo);
8374         }
8375         if (cpu_isar_feature(aa64_sel2, cpu)) {
8376             define_arm_cp_regs(cpu, el2_sec_cp_reginfo);
8377         }
8378         /*
8379          * RVBAR_EL2 and RMR_EL2 only implemented if EL2 is the highest EL.
8380          * See commentary near RMR_EL1.
8381          */
8382         if (!arm_feature(env, ARM_FEATURE_EL3)) {
8383             static const ARMCPRegInfo el2_reset_regs[] = {
8384                 { .name = "RVBAR_EL2", .state = ARM_CP_STATE_AA64,
8385                   .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 1,
8386                   .access = PL2_R,
8387                   .fieldoffset = offsetof(CPUARMState, cp15.rvbar) },
8388                 { .name = "RVBAR", .type = ARM_CP_ALIAS,
8389                   .cp = 15, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1,
8390                   .access = PL2_R,
8391                   .fieldoffset = offsetof(CPUARMState, cp15.rvbar) },
8392                 { .name = "RMR_EL2", .state = ARM_CP_STATE_AA64,
8393                   .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 2,
8394                   .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 1 },
8395             };
8396             define_arm_cp_regs(cpu, el2_reset_regs);
8397         }
8398     }
8399 
8400     /* Register the base EL3 cpregs. */
8401     if (arm_feature(env, ARM_FEATURE_EL3)) {
8402         define_arm_cp_regs(cpu, el3_cp_reginfo);
8403         ARMCPRegInfo el3_regs[] = {
8404             { .name = "RVBAR_EL3", .state = ARM_CP_STATE_AA64,
8405               .opc0 = 3, .opc1 = 6, .crn = 12, .crm = 0, .opc2 = 1,
8406               .access = PL3_R,
8407               .fieldoffset = offsetof(CPUARMState, cp15.rvbar), },
8408             { .name = "RMR_EL3", .state = ARM_CP_STATE_AA64,
8409               .opc0 = 3, .opc1 = 6, .crn = 12, .crm = 0, .opc2 = 2,
8410               .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 1 },
8411             { .name = "RMR", .state = ARM_CP_STATE_AA32,
8412               .cp = 15, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 2,
8413               .access = PL3_RW, .type = ARM_CP_CONST,
8414               .resetvalue = arm_feature(env, ARM_FEATURE_AARCH64) },
8415             { .name = "SCTLR_EL3", .state = ARM_CP_STATE_AA64,
8416               .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 0, .opc2 = 0,
8417               .access = PL3_RW,
8418               .raw_writefn = raw_write, .writefn = sctlr_write,
8419               .fieldoffset = offsetof(CPUARMState, cp15.sctlr_el[3]),
8420               .resetvalue = cpu->reset_sctlr },
8421         };
8422 
8423         define_arm_cp_regs(cpu, el3_regs);
8424     }
8425     /*
8426      * The behaviour of NSACR is sufficiently various that we don't
8427      * try to describe it in a single reginfo:
8428      *  if EL3 is 64 bit, then trap to EL3 from S EL1,
8429      *     reads as constant 0xc00 from NS EL1 and NS EL2
8430      *  if EL3 is 32 bit, then RW at EL3, RO at NS EL1 and NS EL2
8431      *  if v7 without EL3, register doesn't exist
8432      *  if v8 without EL3, reads as constant 0xc00 from NS EL1 and NS EL2
8433      */
8434     if (arm_feature(env, ARM_FEATURE_EL3)) {
8435         if (arm_feature(env, ARM_FEATURE_AARCH64)) {
8436             static const ARMCPRegInfo nsacr = {
8437                 .name = "NSACR", .type = ARM_CP_CONST,
8438                 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2,
8439                 .access = PL1_RW, .accessfn = nsacr_access,
8440                 .resetvalue = 0xc00
8441             };
8442             define_one_arm_cp_reg(cpu, &nsacr);
8443         } else {
8444             static const ARMCPRegInfo nsacr = {
8445                 .name = "NSACR",
8446                 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2,
8447                 .access = PL3_RW | PL1_R,
8448                 .resetvalue = 0,
8449                 .fieldoffset = offsetof(CPUARMState, cp15.nsacr)
8450             };
8451             define_one_arm_cp_reg(cpu, &nsacr);
8452         }
8453     } else {
8454         if (arm_feature(env, ARM_FEATURE_V8)) {
8455             static const ARMCPRegInfo nsacr = {
8456                 .name = "NSACR", .type = ARM_CP_CONST,
8457                 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2,
8458                 .access = PL1_R,
8459                 .resetvalue = 0xc00
8460             };
8461             define_one_arm_cp_reg(cpu, &nsacr);
8462         }
8463     }
8464 
8465     if (arm_feature(env, ARM_FEATURE_PMSA)) {
8466         if (arm_feature(env, ARM_FEATURE_V6)) {
8467             /* PMSAv6 not implemented */
8468             assert(arm_feature(env, ARM_FEATURE_V7));
8469             define_arm_cp_regs(cpu, vmsa_pmsa_cp_reginfo);
8470             define_arm_cp_regs(cpu, pmsav7_cp_reginfo);
8471         } else {
8472             define_arm_cp_regs(cpu, pmsav5_cp_reginfo);
8473         }
8474     } else {
8475         define_arm_cp_regs(cpu, vmsa_pmsa_cp_reginfo);
8476         define_arm_cp_regs(cpu, vmsa_cp_reginfo);
8477         /* TTCBR2 is introduced with ARMv8.2-AA32HPD.  */
8478         if (cpu_isar_feature(aa32_hpd, cpu)) {
8479             define_one_arm_cp_reg(cpu, &ttbcr2_reginfo);
8480         }
8481     }
8482     if (arm_feature(env, ARM_FEATURE_THUMB2EE)) {
8483         define_arm_cp_regs(cpu, t2ee_cp_reginfo);
8484     }
8485     if (arm_feature(env, ARM_FEATURE_GENERIC_TIMER)) {
8486         define_arm_cp_regs(cpu, generic_timer_cp_reginfo);
8487     }
8488     if (cpu_isar_feature(aa64_ecv_traps, cpu)) {
8489         define_arm_cp_regs(cpu, gen_timer_ecv_cp_reginfo);
8490     }
8491 #ifndef CONFIG_USER_ONLY
8492     if (cpu_isar_feature(aa64_ecv, cpu)) {
8493         define_one_arm_cp_reg(cpu, &gen_timer_cntpoff_reginfo);
8494     }
8495 #endif
8496     if (arm_feature(env, ARM_FEATURE_VAPA)) {
8497         ARMCPRegInfo vapa_cp_reginfo[] = {
8498             { .name = "PAR", .cp = 15, .crn = 7, .crm = 4, .opc1 = 0, .opc2 = 0,
8499               .access = PL1_RW, .resetvalue = 0,
8500               .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.par_s),
8501                                      offsetoflow32(CPUARMState, cp15.par_ns) },
8502               .writefn = par_write},
8503 #ifndef CONFIG_USER_ONLY
8504             /* This underdecoding is safe because the reginfo is NO_RAW. */
8505             { .name = "ATS", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = CP_ANY,
8506               .access = PL1_W, .accessfn = ats_access,
8507               .writefn = ats_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
8508 #endif
8509         };
8510 
8511         /*
8512          * When LPAE exists this 32-bit PAR register is an alias of the
8513          * 64-bit AArch32 PAR register defined in lpae_cp_reginfo[]
8514          */
8515         if (arm_feature(env, ARM_FEATURE_LPAE)) {
8516             vapa_cp_reginfo[0].type = ARM_CP_ALIAS | ARM_CP_NO_GDB;
8517         }
8518         define_arm_cp_regs(cpu, vapa_cp_reginfo);
8519     }
8520     if (arm_feature(env, ARM_FEATURE_CACHE_TEST_CLEAN)) {
8521         define_arm_cp_regs(cpu, cache_test_clean_cp_reginfo);
8522     }
8523     if (arm_feature(env, ARM_FEATURE_CACHE_DIRTY_REG)) {
8524         define_arm_cp_regs(cpu, cache_dirty_status_cp_reginfo);
8525     }
8526     if (arm_feature(env, ARM_FEATURE_CACHE_BLOCK_OPS)) {
8527         define_arm_cp_regs(cpu, cache_block_ops_cp_reginfo);
8528     }
8529     if (arm_feature(env, ARM_FEATURE_OMAPCP)) {
8530         define_arm_cp_regs(cpu, omap_cp_reginfo);
8531     }
8532     if (arm_feature(env, ARM_FEATURE_STRONGARM)) {
8533         define_arm_cp_regs(cpu, strongarm_cp_reginfo);
8534     }
8535     if (arm_feature(env, ARM_FEATURE_XSCALE)) {
8536         define_arm_cp_regs(cpu, xscale_cp_reginfo);
8537     }
8538     if (arm_feature(env, ARM_FEATURE_DUMMY_C15_REGS)) {
8539         define_arm_cp_regs(cpu, dummy_c15_cp_reginfo);
8540     }
8541     if (arm_feature(env, ARM_FEATURE_LPAE)) {
8542         define_arm_cp_regs(cpu, lpae_cp_reginfo);
8543     }
8544     if (cpu_isar_feature(aa32_jazelle, cpu)) {
8545         define_arm_cp_regs(cpu, jazelle_regs);
8546     }
8547     /*
8548      * Slightly awkwardly, the OMAP and StrongARM cores need all of
8549      * cp15 crn=0 to be writes-ignored, whereas for other cores they should
8550      * be read-only (ie write causes UNDEF exception).
8551      */
8552     {
8553         ARMCPRegInfo id_pre_v8_midr_cp_reginfo[] = {
8554             /*
8555              * Pre-v8 MIDR space.
8556              * Note that the MIDR isn't a simple constant register because
8557              * of the TI925 behaviour where writes to another register can
8558              * cause the MIDR value to change.
8559              *
8560              * Unimplemented registers in the c15 0 0 0 space default to
8561              * MIDR. Define MIDR first as this entire space, then CTR, TCMTR
8562              * and friends override accordingly.
8563              */
8564             { .name = "MIDR",
8565               .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = CP_ANY,
8566               .access = PL1_R, .resetvalue = cpu->midr,
8567               .writefn = arm_cp_write_ignore, .raw_writefn = raw_write,
8568               .readfn = midr_read,
8569               .fieldoffset = offsetof(CPUARMState, cp15.c0_cpuid),
8570               .type = ARM_CP_OVERRIDE },
8571             /* crn = 0 op1 = 0 crm = 3..7 : currently unassigned; we RAZ. */
8572             { .name = "DUMMY",
8573               .cp = 15, .crn = 0, .crm = 3, .opc1 = 0, .opc2 = CP_ANY,
8574               .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
8575             { .name = "DUMMY",
8576               .cp = 15, .crn = 0, .crm = 4, .opc1 = 0, .opc2 = CP_ANY,
8577               .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
8578             { .name = "DUMMY",
8579               .cp = 15, .crn = 0, .crm = 5, .opc1 = 0, .opc2 = CP_ANY,
8580               .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
8581             { .name = "DUMMY",
8582               .cp = 15, .crn = 0, .crm = 6, .opc1 = 0, .opc2 = CP_ANY,
8583               .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
8584             { .name = "DUMMY",
8585               .cp = 15, .crn = 0, .crm = 7, .opc1 = 0, .opc2 = CP_ANY,
8586               .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
8587         };
8588         ARMCPRegInfo id_v8_midr_cp_reginfo[] = {
8589             { .name = "MIDR_EL1", .state = ARM_CP_STATE_BOTH,
8590               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 0,
8591               .access = PL1_R, .type = ARM_CP_NO_RAW, .resetvalue = cpu->midr,
8592               .fgt = FGT_MIDR_EL1,
8593               .fieldoffset = offsetof(CPUARMState, cp15.c0_cpuid),
8594               .readfn = midr_read },
8595             /* crn = 0 op1 = 0 crm = 0 op2 = 7 : AArch32 aliases of MIDR */
8596             { .name = "MIDR", .type = ARM_CP_ALIAS | ARM_CP_CONST,
8597               .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 7,
8598               .access = PL1_R, .resetvalue = cpu->midr },
8599             { .name = "REVIDR_EL1", .state = ARM_CP_STATE_BOTH,
8600               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 6,
8601               .access = PL1_R,
8602               .accessfn = access_aa64_tid1,
8603               .fgt = FGT_REVIDR_EL1,
8604               .type = ARM_CP_CONST, .resetvalue = cpu->revidr },
8605         };
8606         ARMCPRegInfo id_v8_midr_alias_cp_reginfo = {
8607             .name = "MIDR", .type = ARM_CP_ALIAS | ARM_CP_CONST | ARM_CP_NO_GDB,
8608             .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 4,
8609             .access = PL1_R, .resetvalue = cpu->midr
8610         };
8611         ARMCPRegInfo id_cp_reginfo[] = {
8612             /* These are common to v8 and pre-v8 */
8613             { .name = "CTR",
8614               .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 1,
8615               .access = PL1_R, .accessfn = ctr_el0_access,
8616               .type = ARM_CP_CONST, .resetvalue = cpu->ctr },
8617             { .name = "CTR_EL0", .state = ARM_CP_STATE_AA64,
8618               .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 0, .crm = 0,
8619               .access = PL0_R, .accessfn = ctr_el0_access,
8620               .fgt = FGT_CTR_EL0,
8621               .type = ARM_CP_CONST, .resetvalue = cpu->ctr },
8622             /* TCMTR and TLBTR exist in v8 but have no 64-bit versions */
8623             { .name = "TCMTR",
8624               .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 2,
8625               .access = PL1_R,
8626               .accessfn = access_aa32_tid1,
8627               .type = ARM_CP_CONST, .resetvalue = 0 },
8628         };
8629         /* TLBTR is specific to VMSA */
8630         ARMCPRegInfo id_tlbtr_reginfo = {
8631               .name = "TLBTR",
8632               .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 3,
8633               .access = PL1_R,
8634               .accessfn = access_aa32_tid1,
8635               .type = ARM_CP_CONST, .resetvalue = 0,
8636         };
8637         /* MPUIR is specific to PMSA V6+ */
8638         ARMCPRegInfo id_mpuir_reginfo = {
8639               .name = "MPUIR",
8640               .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 4,
8641               .access = PL1_R, .type = ARM_CP_CONST,
8642               .resetvalue = cpu->pmsav7_dregion << 8
8643         };
8644         /* HMPUIR is specific to PMSA V8 */
8645         ARMCPRegInfo id_hmpuir_reginfo = {
8646             .name = "HMPUIR",
8647             .cp = 15, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 4,
8648             .access = PL2_R, .type = ARM_CP_CONST,
8649             .resetvalue = cpu->pmsav8r_hdregion
8650         };
8651         static const ARMCPRegInfo crn0_wi_reginfo = {
8652             .name = "CRN0_WI", .cp = 15, .crn = 0, .crm = CP_ANY,
8653             .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_W,
8654             .type = ARM_CP_NOP | ARM_CP_OVERRIDE
8655         };
8656 #ifdef CONFIG_USER_ONLY
8657         static const ARMCPRegUserSpaceInfo id_v8_user_midr_cp_reginfo[] = {
8658             { .name = "MIDR_EL1",
8659               .exported_bits = R_MIDR_EL1_REVISION_MASK |
8660                                R_MIDR_EL1_PARTNUM_MASK |
8661                                R_MIDR_EL1_ARCHITECTURE_MASK |
8662                                R_MIDR_EL1_VARIANT_MASK |
8663                                R_MIDR_EL1_IMPLEMENTER_MASK },
8664             { .name = "REVIDR_EL1" },
8665         };
8666         modify_arm_cp_regs(id_v8_midr_cp_reginfo, id_v8_user_midr_cp_reginfo);
8667 #endif
8668         if (arm_feature(env, ARM_FEATURE_OMAPCP) ||
8669             arm_feature(env, ARM_FEATURE_STRONGARM)) {
8670             size_t i;
8671             /*
8672              * Register the blanket "writes ignored" value first to cover the
8673              * whole space. Then update the specific ID registers to allow write
8674              * access, so that they ignore writes rather than causing them to
8675              * UNDEF.
8676              */
8677             define_one_arm_cp_reg(cpu, &crn0_wi_reginfo);
8678             for (i = 0; i < ARRAY_SIZE(id_pre_v8_midr_cp_reginfo); ++i) {
8679                 id_pre_v8_midr_cp_reginfo[i].access = PL1_RW;
8680             }
8681             for (i = 0; i < ARRAY_SIZE(id_cp_reginfo); ++i) {
8682                 id_cp_reginfo[i].access = PL1_RW;
8683             }
8684             id_mpuir_reginfo.access = PL1_RW;
8685             id_tlbtr_reginfo.access = PL1_RW;
8686         }
8687         if (arm_feature(env, ARM_FEATURE_V8)) {
8688             define_arm_cp_regs(cpu, id_v8_midr_cp_reginfo);
8689             if (!arm_feature(env, ARM_FEATURE_PMSA)) {
8690                 define_one_arm_cp_reg(cpu, &id_v8_midr_alias_cp_reginfo);
8691             }
8692         } else {
8693             define_arm_cp_regs(cpu, id_pre_v8_midr_cp_reginfo);
8694         }
8695         define_arm_cp_regs(cpu, id_cp_reginfo);
8696         if (!arm_feature(env, ARM_FEATURE_PMSA)) {
8697             define_one_arm_cp_reg(cpu, &id_tlbtr_reginfo);
8698         } else if (arm_feature(env, ARM_FEATURE_PMSA) &&
8699                    arm_feature(env, ARM_FEATURE_V8)) {
8700             uint32_t i = 0;
8701             char *tmp_string;
8702 
8703             define_one_arm_cp_reg(cpu, &id_mpuir_reginfo);
8704             define_one_arm_cp_reg(cpu, &id_hmpuir_reginfo);
8705             define_arm_cp_regs(cpu, pmsav8r_cp_reginfo);
8706 
8707             /* Register alias is only valid for first 32 indexes */
8708             for (i = 0; i < MIN(cpu->pmsav7_dregion, 32); ++i) {
8709                 uint8_t crm = 0b1000 | extract32(i, 1, 3);
8710                 uint8_t opc1 = extract32(i, 4, 1);
8711                 uint8_t opc2 = extract32(i, 0, 1) << 2;
8712 
8713                 tmp_string = g_strdup_printf("PRBAR%u", i);
8714                 ARMCPRegInfo tmp_prbarn_reginfo = {
8715                     .name = tmp_string, .type = ARM_CP_ALIAS | ARM_CP_NO_RAW,
8716                     .cp = 15, .opc1 = opc1, .crn = 6, .crm = crm, .opc2 = opc2,
8717                     .access = PL1_RW, .resetvalue = 0,
8718                     .accessfn = access_tvm_trvm,
8719                     .writefn = pmsav8r_regn_write, .readfn = pmsav8r_regn_read
8720                 };
8721                 define_one_arm_cp_reg(cpu, &tmp_prbarn_reginfo);
8722                 g_free(tmp_string);
8723 
8724                 opc2 = extract32(i, 0, 1) << 2 | 0x1;
8725                 tmp_string = g_strdup_printf("PRLAR%u", i);
8726                 ARMCPRegInfo tmp_prlarn_reginfo = {
8727                     .name = tmp_string, .type = ARM_CP_ALIAS | ARM_CP_NO_RAW,
8728                     .cp = 15, .opc1 = opc1, .crn = 6, .crm = crm, .opc2 = opc2,
8729                     .access = PL1_RW, .resetvalue = 0,
8730                     .accessfn = access_tvm_trvm,
8731                     .writefn = pmsav8r_regn_write, .readfn = pmsav8r_regn_read
8732                 };
8733                 define_one_arm_cp_reg(cpu, &tmp_prlarn_reginfo);
8734                 g_free(tmp_string);
8735             }
8736 
8737             /* Register alias is only valid for first 32 indexes */
8738             for (i = 0; i < MIN(cpu->pmsav8r_hdregion, 32); ++i) {
8739                 uint8_t crm = 0b1000 | extract32(i, 1, 3);
8740                 uint8_t opc1 = 0b100 | extract32(i, 4, 1);
8741                 uint8_t opc2 = extract32(i, 0, 1) << 2;
8742 
8743                 tmp_string = g_strdup_printf("HPRBAR%u", i);
8744                 ARMCPRegInfo tmp_hprbarn_reginfo = {
8745                     .name = tmp_string,
8746                     .type = ARM_CP_NO_RAW,
8747                     .cp = 15, .opc1 = opc1, .crn = 6, .crm = crm, .opc2 = opc2,
8748                     .access = PL2_RW, .resetvalue = 0,
8749                     .writefn = pmsav8r_regn_write, .readfn = pmsav8r_regn_read
8750                 };
8751                 define_one_arm_cp_reg(cpu, &tmp_hprbarn_reginfo);
8752                 g_free(tmp_string);
8753 
8754                 opc2 = extract32(i, 0, 1) << 2 | 0x1;
8755                 tmp_string = g_strdup_printf("HPRLAR%u", i);
8756                 ARMCPRegInfo tmp_hprlarn_reginfo = {
8757                     .name = tmp_string,
8758                     .type = ARM_CP_NO_RAW,
8759                     .cp = 15, .opc1 = opc1, .crn = 6, .crm = crm, .opc2 = opc2,
8760                     .access = PL2_RW, .resetvalue = 0,
8761                     .writefn = pmsav8r_regn_write, .readfn = pmsav8r_regn_read
8762                 };
8763                 define_one_arm_cp_reg(cpu, &tmp_hprlarn_reginfo);
8764                 g_free(tmp_string);
8765             }
8766         } else if (arm_feature(env, ARM_FEATURE_V7)) {
8767             define_one_arm_cp_reg(cpu, &id_mpuir_reginfo);
8768         }
8769     }
8770 
8771     if (arm_feature(env, ARM_FEATURE_MPIDR)) {
8772         ARMCPRegInfo mpidr_cp_reginfo[] = {
8773             { .name = "MPIDR_EL1", .state = ARM_CP_STATE_BOTH,
8774               .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 5,
8775               .fgt = FGT_MPIDR_EL1,
8776               .access = PL1_R, .readfn = mpidr_read, .type = ARM_CP_NO_RAW },
8777         };
8778 #ifdef CONFIG_USER_ONLY
8779         static const ARMCPRegUserSpaceInfo mpidr_user_cp_reginfo[] = {
8780             { .name = "MPIDR_EL1",
8781               .fixed_bits = 0x0000000080000000 },
8782         };
8783         modify_arm_cp_regs(mpidr_cp_reginfo, mpidr_user_cp_reginfo);
8784 #endif
8785         define_arm_cp_regs(cpu, mpidr_cp_reginfo);
8786     }
8787 
8788     if (arm_feature(env, ARM_FEATURE_AUXCR)) {
8789         ARMCPRegInfo auxcr_reginfo[] = {
8790             { .name = "ACTLR_EL1", .state = ARM_CP_STATE_BOTH,
8791               .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 1,
8792               .access = PL1_RW, .accessfn = access_tacr,
8793               .nv2_redirect_offset = 0x118,
8794               .type = ARM_CP_CONST, .resetvalue = cpu->reset_auxcr },
8795             { .name = "ACTLR_EL2", .state = ARM_CP_STATE_BOTH,
8796               .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 1,
8797               .access = PL2_RW, .type = ARM_CP_CONST,
8798               .resetvalue = 0 },
8799             { .name = "ACTLR_EL3", .state = ARM_CP_STATE_AA64,
8800               .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 0, .opc2 = 1,
8801               .access = PL3_RW, .type = ARM_CP_CONST,
8802               .resetvalue = 0 },
8803         };
8804         define_arm_cp_regs(cpu, auxcr_reginfo);
8805         if (cpu_isar_feature(aa32_ac2, cpu)) {
8806             define_arm_cp_regs(cpu, actlr2_hactlr2_reginfo);
8807         }
8808     }
8809 
8810     if (arm_feature(env, ARM_FEATURE_CBAR)) {
8811         /*
8812          * CBAR is IMPDEF, but common on Arm Cortex-A implementations.
8813          * There are two flavours:
8814          *  (1) older 32-bit only cores have a simple 32-bit CBAR
8815          *  (2) 64-bit cores have a 64-bit CBAR visible to AArch64, plus a
8816          *      32-bit register visible to AArch32 at a different encoding
8817          *      to the "flavour 1" register and with the bits rearranged to
8818          *      be able to squash a 64-bit address into the 32-bit view.
8819          * We distinguish the two via the ARM_FEATURE_AARCH64 flag, but
8820          * in future if we support AArch32-only configs of some of the
8821          * AArch64 cores we might need to add a specific feature flag
8822          * to indicate cores with "flavour 2" CBAR.
8823          */
8824         if (arm_feature(env, ARM_FEATURE_V8)) {
8825             /* 32 bit view is [31:18] 0...0 [43:32]. */
8826             uint32_t cbar32 = (extract64(cpu->reset_cbar, 18, 14) << 18)
8827                 | extract64(cpu->reset_cbar, 32, 12);
8828             ARMCPRegInfo cbar_reginfo[] = {
8829                 { .name = "CBAR",
8830                   .type = ARM_CP_CONST,
8831                   .cp = 15, .crn = 15, .crm = 3, .opc1 = 1, .opc2 = 0,
8832                   .access = PL1_R, .resetvalue = cbar32 },
8833                 { .name = "CBAR_EL1", .state = ARM_CP_STATE_AA64,
8834                   .type = ARM_CP_CONST,
8835                   .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 3, .opc2 = 0,
8836                   .access = PL1_R, .resetvalue = cpu->reset_cbar },
8837             };
8838             /* We don't implement a r/w 64 bit CBAR currently */
8839             assert(arm_feature(env, ARM_FEATURE_CBAR_RO));
8840             define_arm_cp_regs(cpu, cbar_reginfo);
8841         } else {
8842             ARMCPRegInfo cbar = {
8843                 .name = "CBAR",
8844                 .cp = 15, .crn = 15, .crm = 0, .opc1 = 4, .opc2 = 0,
8845                 .access = PL1_R | PL3_W, .resetvalue = cpu->reset_cbar,
8846                 .fieldoffset = offsetof(CPUARMState,
8847                                         cp15.c15_config_base_address)
8848             };
8849             if (arm_feature(env, ARM_FEATURE_CBAR_RO)) {
8850                 cbar.access = PL1_R;
8851                 cbar.fieldoffset = 0;
8852                 cbar.type = ARM_CP_CONST;
8853             }
8854             define_one_arm_cp_reg(cpu, &cbar);
8855         }
8856     }
8857 
8858     if (arm_feature(env, ARM_FEATURE_VBAR)) {
8859         static const ARMCPRegInfo vbar_cp_reginfo[] = {
8860             { .name = "VBAR", .state = ARM_CP_STATE_BOTH,
8861               .opc0 = 3, .crn = 12, .crm = 0, .opc1 = 0, .opc2 = 0,
8862               .access = PL1_RW, .writefn = vbar_write,
8863               .accessfn = access_nv1,
8864               .fgt = FGT_VBAR_EL1,
8865               .nv2_redirect_offset = 0x250 | NV2_REDIR_NV1,
8866               .bank_fieldoffsets = { offsetof(CPUARMState, cp15.vbar_s),
8867                                      offsetof(CPUARMState, cp15.vbar_ns) },
8868               .resetvalue = 0 },
8869         };
8870         define_arm_cp_regs(cpu, vbar_cp_reginfo);
8871     }
8872 
8873     /* Generic registers whose values depend on the implementation */
8874     {
8875         ARMCPRegInfo sctlr = {
8876             .name = "SCTLR", .state = ARM_CP_STATE_BOTH,
8877             .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 0,
8878             .access = PL1_RW, .accessfn = access_tvm_trvm,
8879             .fgt = FGT_SCTLR_EL1,
8880             .nv2_redirect_offset = 0x110 | NV2_REDIR_NV1,
8881             .bank_fieldoffsets = { offsetof(CPUARMState, cp15.sctlr_s),
8882                                    offsetof(CPUARMState, cp15.sctlr_ns) },
8883             .writefn = sctlr_write, .resetvalue = cpu->reset_sctlr,
8884             .raw_writefn = raw_write,
8885         };
8886         if (arm_feature(env, ARM_FEATURE_XSCALE)) {
8887             /*
8888              * Normally we would always end the TB on an SCTLR write, but Linux
8889              * arch/arm/mach-pxa/sleep.S expects two instructions following
8890              * an MMU enable to execute from cache.  Imitate this behaviour.
8891              */
8892             sctlr.type |= ARM_CP_SUPPRESS_TB_END;
8893         }
8894         define_one_arm_cp_reg(cpu, &sctlr);
8895 
8896         if (arm_feature(env, ARM_FEATURE_PMSA) &&
8897             arm_feature(env, ARM_FEATURE_V8)) {
8898             ARMCPRegInfo vsctlr = {
8899                 .name = "VSCTLR", .state = ARM_CP_STATE_AA32,
8900                 .cp = 15, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 0,
8901                 .access = PL2_RW, .resetvalue = 0x0,
8902                 .fieldoffset = offsetoflow32(CPUARMState, cp15.vsctlr),
8903             };
8904             define_one_arm_cp_reg(cpu, &vsctlr);
8905         }
8906     }
8907 
8908     if (cpu_isar_feature(aa64_lor, cpu)) {
8909         define_arm_cp_regs(cpu, lor_reginfo);
8910     }
8911     if (cpu_isar_feature(aa64_pan, cpu)) {
8912         define_one_arm_cp_reg(cpu, &pan_reginfo);
8913     }
8914 #ifndef CONFIG_USER_ONLY
8915     if (cpu_isar_feature(aa64_ats1e1, cpu)) {
8916         define_arm_cp_regs(cpu, ats1e1_reginfo);
8917     }
8918     if (cpu_isar_feature(aa32_ats1e1, cpu)) {
8919         define_arm_cp_regs(cpu, ats1cp_reginfo);
8920     }
8921 #endif
8922     if (cpu_isar_feature(aa64_uao, cpu)) {
8923         define_one_arm_cp_reg(cpu, &uao_reginfo);
8924     }
8925 
8926     if (cpu_isar_feature(aa64_dit, cpu)) {
8927         define_one_arm_cp_reg(cpu, &dit_reginfo);
8928     }
8929     if (cpu_isar_feature(aa64_ssbs, cpu)) {
8930         define_one_arm_cp_reg(cpu, &ssbs_reginfo);
8931     }
8932     if (cpu_isar_feature(any_ras, cpu)) {
8933         define_arm_cp_regs(cpu, minimal_ras_reginfo);
8934     }
8935 
8936     if (cpu_isar_feature(aa64_vh, cpu) ||
8937         cpu_isar_feature(aa64_debugv8p2, cpu)) {
8938         define_one_arm_cp_reg(cpu, &contextidr_el2);
8939     }
8940     if (arm_feature(env, ARM_FEATURE_EL2) && cpu_isar_feature(aa64_vh, cpu)) {
8941         define_arm_cp_regs(cpu, vhe_reginfo);
8942     }
8943 
8944     if (cpu_isar_feature(aa64_sve, cpu)) {
8945         define_arm_cp_regs(cpu, zcr_reginfo);
8946     }
8947 
8948     if (cpu_isar_feature(aa64_hcx, cpu)) {
8949         define_one_arm_cp_reg(cpu, &hcrx_el2_reginfo);
8950     }
8951 
8952 #ifdef TARGET_AARCH64
8953     if (cpu_isar_feature(aa64_sme, cpu)) {
8954         define_arm_cp_regs(cpu, sme_reginfo);
8955     }
8956     if (cpu_isar_feature(aa64_pauth, cpu)) {
8957         define_arm_cp_regs(cpu, pauth_reginfo);
8958     }
8959     if (cpu_isar_feature(aa64_rndr, cpu)) {
8960         define_arm_cp_regs(cpu, rndr_reginfo);
8961     }
8962     /* Data Cache clean instructions up to PoP */
8963     if (cpu_isar_feature(aa64_dcpop, cpu)) {
8964         define_one_arm_cp_reg(cpu, dcpop_reg);
8965 
8966         if (cpu_isar_feature(aa64_dcpodp, cpu)) {
8967             define_one_arm_cp_reg(cpu, dcpodp_reg);
8968         }
8969     }
8970 
8971     /*
8972      * If full MTE is enabled, add all of the system registers.
8973      * If only "instructions available at EL0" are enabled,
8974      * then define only a RAZ/WI version of PSTATE.TCO.
8975      */
8976     if (cpu_isar_feature(aa64_mte, cpu)) {
8977         ARMCPRegInfo gmid_reginfo = {
8978             .name = "GMID_EL1", .state = ARM_CP_STATE_AA64,
8979             .opc0 = 3, .opc1 = 1, .crn = 0, .crm = 0, .opc2 = 4,
8980             .access = PL1_R, .accessfn = access_aa64_tid5,
8981             .type = ARM_CP_CONST, .resetvalue = cpu->gm_blocksize,
8982         };
8983         define_one_arm_cp_reg(cpu, &gmid_reginfo);
8984         define_arm_cp_regs(cpu, mte_reginfo);
8985         define_arm_cp_regs(cpu, mte_el0_cacheop_reginfo);
8986     } else if (cpu_isar_feature(aa64_mte_insn_reg, cpu)) {
8987         define_arm_cp_regs(cpu, mte_tco_ro_reginfo);
8988         define_arm_cp_regs(cpu, mte_el0_cacheop_reginfo);
8989     }
8990 
8991     if (cpu_isar_feature(aa64_scxtnum, cpu)) {
8992         define_arm_cp_regs(cpu, scxtnum_reginfo);
8993     }
8994 
8995     if (cpu_isar_feature(aa64_fgt, cpu)) {
8996         define_arm_cp_regs(cpu, fgt_reginfo);
8997     }
8998 
8999     if (cpu_isar_feature(aa64_rme, cpu)) {
9000         define_arm_cp_regs(cpu, rme_reginfo);
9001         if (cpu_isar_feature(aa64_mte, cpu)) {
9002             define_arm_cp_regs(cpu, rme_mte_reginfo);
9003         }
9004     }
9005 
9006     if (cpu_isar_feature(aa64_nv2, cpu)) {
9007         define_arm_cp_regs(cpu, nv2_reginfo);
9008     }
9009 
9010     if (cpu_isar_feature(aa64_nmi, cpu)) {
9011         define_arm_cp_regs(cpu, nmi_reginfo);
9012     }
9013 #endif
9014 
9015     if (cpu_isar_feature(any_predinv, cpu)) {
9016         define_arm_cp_regs(cpu, predinv_reginfo);
9017     }
9018 
9019     if (cpu_isar_feature(any_ccidx, cpu)) {
9020         define_arm_cp_regs(cpu, ccsidr2_reginfo);
9021     }
9022 
9023 #ifndef CONFIG_USER_ONLY
9024     /*
9025      * Register redirections and aliases must be done last,
9026      * after the registers from the other extensions have been defined.
9027      */
9028     if (arm_feature(env, ARM_FEATURE_EL2) && cpu_isar_feature(aa64_vh, cpu)) {
9029         define_arm_vh_e2h_redirects_aliases(cpu);
9030     }
9031 #endif
9032 }
9033 
9034 /*
9035  * Private utility function for define_one_arm_cp_reg_with_opaque():
9036  * add a single reginfo struct to the hash table.
9037  */
9038 static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
9039                                    void *opaque, CPState state,
9040                                    CPSecureState secstate,
9041                                    int crm, int opc1, int opc2,
9042                                    const char *name)
9043 {
9044     CPUARMState *env = &cpu->env;
9045     uint32_t key;
9046     ARMCPRegInfo *r2;
9047     bool is64 = r->type & ARM_CP_64BIT;
9048     bool ns = secstate & ARM_CP_SECSTATE_NS;
9049     int cp = r->cp;
9050     size_t name_len;
9051     bool make_const;
9052 
9053     switch (state) {
9054     case ARM_CP_STATE_AA32:
9055         /* We assume it is a cp15 register if the .cp field is left unset. */
9056         if (cp == 0 && r->state == ARM_CP_STATE_BOTH) {
9057             cp = 15;
9058         }
9059         key = ENCODE_CP_REG(cp, is64, ns, r->crn, crm, opc1, opc2);
9060         break;
9061     case ARM_CP_STATE_AA64:
9062         /*
9063          * To allow abbreviation of ARMCPRegInfo definitions, we treat
9064          * cp == 0 as equivalent to the value for "standard guest-visible
9065          * sysreg".  STATE_BOTH definitions are also always "standard sysreg"
9066          * in their AArch64 view (the .cp value may be non-zero for the
9067          * benefit of the AArch32 view).
9068          */
9069         if (cp == 0 || r->state == ARM_CP_STATE_BOTH) {
9070             cp = CP_REG_ARM64_SYSREG_CP;
9071         }
9072         key = ENCODE_AA64_CP_REG(cp, r->crn, crm, r->opc0, opc1, opc2);
9073         break;
9074     default:
9075         g_assert_not_reached();
9076     }
9077 
9078     /* Overriding of an existing definition must be explicitly requested. */
9079     if (!(r->type & ARM_CP_OVERRIDE)) {
9080         const ARMCPRegInfo *oldreg = get_arm_cp_reginfo(cpu->cp_regs, key);
9081         if (oldreg) {
9082             assert(oldreg->type & ARM_CP_OVERRIDE);
9083         }
9084     }
9085 
9086     /*
9087      * Eliminate registers that are not present because the EL is missing.
9088      * Doing this here makes it easier to put all registers for a given
9089      * feature into the same ARMCPRegInfo array and define them all at once.
9090      */
9091     make_const = false;
9092     if (arm_feature(env, ARM_FEATURE_EL3)) {
9093         /*
9094          * An EL2 register without EL2 but with EL3 is (usually) RES0.
9095          * See rule RJFFP in section D1.1.3 of DDI0487H.a.
9096          */
9097         int min_el = ctz32(r->access) / 2;
9098         if (min_el == 2 && !arm_feature(env, ARM_FEATURE_EL2)) {
9099             if (r->type & ARM_CP_EL3_NO_EL2_UNDEF) {
9100                 return;
9101             }
9102             make_const = !(r->type & ARM_CP_EL3_NO_EL2_KEEP);
9103         }
9104     } else {
9105         CPAccessRights max_el = (arm_feature(env, ARM_FEATURE_EL2)
9106                                  ? PL2_RW : PL1_RW);
9107         if ((r->access & max_el) == 0) {
9108             return;
9109         }
9110     }
9111 
9112     /* Combine cpreg and name into one allocation. */
9113     name_len = strlen(name) + 1;
9114     r2 = g_malloc(sizeof(*r2) + name_len);
9115     *r2 = *r;
9116     r2->name = memcpy(r2 + 1, name, name_len);
9117 
9118     /*
9119      * Update fields to match the instantiation, overwiting wildcards
9120      * such as CP_ANY, ARM_CP_STATE_BOTH, or ARM_CP_SECSTATE_BOTH.
9121      */
9122     r2->cp = cp;
9123     r2->crm = crm;
9124     r2->opc1 = opc1;
9125     r2->opc2 = opc2;
9126     r2->state = state;
9127     r2->secure = secstate;
9128     if (opaque) {
9129         r2->opaque = opaque;
9130     }
9131 
9132     if (make_const) {
9133         /* This should not have been a very special register to begin. */
9134         int old_special = r2->type & ARM_CP_SPECIAL_MASK;
9135         assert(old_special == 0 || old_special == ARM_CP_NOP);
9136         /*
9137          * Set the special function to CONST, retaining the other flags.
9138          * This is important for e.g. ARM_CP_SVE so that we still
9139          * take the SVE trap if CPTR_EL3.EZ == 0.
9140          */
9141         r2->type = (r2->type & ~ARM_CP_SPECIAL_MASK) | ARM_CP_CONST;
9142         /*
9143          * Usually, these registers become RES0, but there are a few
9144          * special cases like VPIDR_EL2 which have a constant non-zero
9145          * value with writes ignored.
9146          */
9147         if (!(r->type & ARM_CP_EL3_NO_EL2_C_NZ)) {
9148             r2->resetvalue = 0;
9149         }
9150         /*
9151          * ARM_CP_CONST has precedence, so removing the callbacks and
9152          * offsets are not strictly necessary, but it is potentially
9153          * less confusing to debug later.
9154          */
9155         r2->readfn = NULL;
9156         r2->writefn = NULL;
9157         r2->raw_readfn = NULL;
9158         r2->raw_writefn = NULL;
9159         r2->resetfn = NULL;
9160         r2->fieldoffset = 0;
9161         r2->bank_fieldoffsets[0] = 0;
9162         r2->bank_fieldoffsets[1] = 0;
9163     } else {
9164         bool isbanked = r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1];
9165 
9166         if (isbanked) {
9167             /*
9168              * Register is banked (using both entries in array).
9169              * Overwriting fieldoffset as the array is only used to define
9170              * banked registers but later only fieldoffset is used.
9171              */
9172             r2->fieldoffset = r->bank_fieldoffsets[ns];
9173         }
9174         if (state == ARM_CP_STATE_AA32) {
9175             if (isbanked) {
9176                 /*
9177                  * If the register is banked then we don't need to migrate or
9178                  * reset the 32-bit instance in certain cases:
9179                  *
9180                  * 1) If the register has both 32-bit and 64-bit instances
9181                  *    then we can count on the 64-bit instance taking care
9182                  *    of the non-secure bank.
9183                  * 2) If ARMv8 is enabled then we can count on a 64-bit
9184                  *    version taking care of the secure bank.  This requires
9185                  *    that separate 32 and 64-bit definitions are provided.
9186                  */
9187                 if ((r->state == ARM_CP_STATE_BOTH && ns) ||
9188                     (arm_feature(env, ARM_FEATURE_V8) && !ns)) {
9189                     r2->type |= ARM_CP_ALIAS;
9190                 }
9191             } else if ((secstate != r->secure) && !ns) {
9192                 /*
9193                  * The register is not banked so we only want to allow
9194                  * migration of the non-secure instance.
9195                  */
9196                 r2->type |= ARM_CP_ALIAS;
9197             }
9198 
9199             if (HOST_BIG_ENDIAN &&
9200                 r->state == ARM_CP_STATE_BOTH && r2->fieldoffset) {
9201                 r2->fieldoffset += sizeof(uint32_t);
9202             }
9203         }
9204     }
9205 
9206     /*
9207      * By convention, for wildcarded registers only the first
9208      * entry is used for migration; the others are marked as
9209      * ALIAS so we don't try to transfer the register
9210      * multiple times. Special registers (ie NOP/WFI) are
9211      * never migratable and not even raw-accessible.
9212      */
9213     if (r2->type & ARM_CP_SPECIAL_MASK) {
9214         r2->type |= ARM_CP_NO_RAW;
9215     }
9216     if (((r->crm == CP_ANY) && crm != 0) ||
9217         ((r->opc1 == CP_ANY) && opc1 != 0) ||
9218         ((r->opc2 == CP_ANY) && opc2 != 0)) {
9219         r2->type |= ARM_CP_ALIAS | ARM_CP_NO_GDB;
9220     }
9221 
9222     /*
9223      * Check that raw accesses are either forbidden or handled. Note that
9224      * we can't assert this earlier because the setup of fieldoffset for
9225      * banked registers has to be done first.
9226      */
9227     if (!(r2->type & ARM_CP_NO_RAW)) {
9228         assert(!raw_accessors_invalid(r2));
9229     }
9230 
9231     g_hash_table_insert(cpu->cp_regs, (gpointer)(uintptr_t)key, r2);
9232 }
9233 
9234 
9235 void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
9236                                        const ARMCPRegInfo *r, void *opaque)
9237 {
9238     /*
9239      * Define implementations of coprocessor registers.
9240      * We store these in a hashtable because typically
9241      * there are less than 150 registers in a space which
9242      * is 16*16*16*8*8 = 262144 in size.
9243      * Wildcarding is supported for the crm, opc1 and opc2 fields.
9244      * If a register is defined twice then the second definition is
9245      * used, so this can be used to define some generic registers and
9246      * then override them with implementation specific variations.
9247      * At least one of the original and the second definition should
9248      * include ARM_CP_OVERRIDE in its type bits -- this is just a guard
9249      * against accidental use.
9250      *
9251      * The state field defines whether the register is to be
9252      * visible in the AArch32 or AArch64 execution state. If the
9253      * state is set to ARM_CP_STATE_BOTH then we synthesise a
9254      * reginfo structure for the AArch32 view, which sees the lower
9255      * 32 bits of the 64 bit register.
9256      *
9257      * Only registers visible in AArch64 may set r->opc0; opc0 cannot
9258      * be wildcarded. AArch64 registers are always considered to be 64
9259      * bits; the ARM_CP_64BIT* flag applies only to the AArch32 view of
9260      * the register, if any.
9261      */
9262     int crm, opc1, opc2;
9263     int crmmin = (r->crm == CP_ANY) ? 0 : r->crm;
9264     int crmmax = (r->crm == CP_ANY) ? 15 : r->crm;
9265     int opc1min = (r->opc1 == CP_ANY) ? 0 : r->opc1;
9266     int opc1max = (r->opc1 == CP_ANY) ? 7 : r->opc1;
9267     int opc2min = (r->opc2 == CP_ANY) ? 0 : r->opc2;
9268     int opc2max = (r->opc2 == CP_ANY) ? 7 : r->opc2;
9269     CPState state;
9270 
9271     /* 64 bit registers have only CRm and Opc1 fields */
9272     assert(!((r->type & ARM_CP_64BIT) && (r->opc2 || r->crn)));
9273     /* op0 only exists in the AArch64 encodings */
9274     assert((r->state != ARM_CP_STATE_AA32) || (r->opc0 == 0));
9275     /* AArch64 regs are all 64 bit so ARM_CP_64BIT is meaningless */
9276     assert((r->state != ARM_CP_STATE_AA64) || !(r->type & ARM_CP_64BIT));
9277     /*
9278      * This API is only for Arm's system coprocessors (14 and 15) or
9279      * (M-profile or v7A-and-earlier only) for implementation defined
9280      * coprocessors in the range 0..7.  Our decode assumes this, since
9281      * 8..13 can be used for other insns including VFP and Neon. See
9282      * valid_cp() in translate.c.  Assert here that we haven't tried
9283      * to use an invalid coprocessor number.
9284      */
9285     switch (r->state) {
9286     case ARM_CP_STATE_BOTH:
9287         /* 0 has a special meaning, but otherwise the same rules as AA32. */
9288         if (r->cp == 0) {
9289             break;
9290         }
9291         /* fall through */
9292     case ARM_CP_STATE_AA32:
9293         if (arm_feature(&cpu->env, ARM_FEATURE_V8) &&
9294             !arm_feature(&cpu->env, ARM_FEATURE_M)) {
9295             assert(r->cp >= 14 && r->cp <= 15);
9296         } else {
9297             assert(r->cp < 8 || (r->cp >= 14 && r->cp <= 15));
9298         }
9299         break;
9300     case ARM_CP_STATE_AA64:
9301         assert(r->cp == 0 || r->cp == CP_REG_ARM64_SYSREG_CP);
9302         break;
9303     default:
9304         g_assert_not_reached();
9305     }
9306     /*
9307      * The AArch64 pseudocode CheckSystemAccess() specifies that op1
9308      * encodes a minimum access level for the register. We roll this
9309      * runtime check into our general permission check code, so check
9310      * here that the reginfo's specified permissions are strict enough
9311      * to encompass the generic architectural permission check.
9312      */
9313     if (r->state != ARM_CP_STATE_AA32) {
9314         CPAccessRights mask;
9315         switch (r->opc1) {
9316         case 0:
9317             /* min_EL EL1, but some accessible to EL0 via kernel ABI */
9318             mask = PL0U_R | PL1_RW;
9319             break;
9320         case 1: case 2:
9321             /* min_EL EL1 */
9322             mask = PL1_RW;
9323             break;
9324         case 3:
9325             /* min_EL EL0 */
9326             mask = PL0_RW;
9327             break;
9328         case 4:
9329         case 5:
9330             /* min_EL EL2 */
9331             mask = PL2_RW;
9332             break;
9333         case 6:
9334             /* min_EL EL3 */
9335             mask = PL3_RW;
9336             break;
9337         case 7:
9338             /* min_EL EL1, secure mode only (we don't check the latter) */
9339             mask = PL1_RW;
9340             break;
9341         default:
9342             /* broken reginfo with out-of-range opc1 */
9343             g_assert_not_reached();
9344         }
9345         /* assert our permissions are not too lax (stricter is fine) */
9346         assert((r->access & ~mask) == 0);
9347     }
9348 
9349     /*
9350      * Check that the register definition has enough info to handle
9351      * reads and writes if they are permitted.
9352      */
9353     if (!(r->type & (ARM_CP_SPECIAL_MASK | ARM_CP_CONST))) {
9354         if (r->access & PL3_R) {
9355             assert((r->fieldoffset ||
9356                    (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1])) ||
9357                    r->readfn);
9358         }
9359         if (r->access & PL3_W) {
9360             assert((r->fieldoffset ||
9361                    (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1])) ||
9362                    r->writefn);
9363         }
9364     }
9365 
9366     for (crm = crmmin; crm <= crmmax; crm++) {
9367         for (opc1 = opc1min; opc1 <= opc1max; opc1++) {
9368             for (opc2 = opc2min; opc2 <= opc2max; opc2++) {
9369                 for (state = ARM_CP_STATE_AA32;
9370                      state <= ARM_CP_STATE_AA64; state++) {
9371                     if (r->state != state && r->state != ARM_CP_STATE_BOTH) {
9372                         continue;
9373                     }
9374                     if ((r->type & ARM_CP_ADD_TLBI_NXS) &&
9375                         cpu_isar_feature(aa64_xs, cpu)) {
9376                         /*
9377                          * This is a TLBI insn which has an NXS variant. The
9378                          * NXS variant is at the same encoding except that
9379                          * crn is +1, and has the same behaviour except for
9380                          * fine-grained trapping. Add the NXS insn here and
9381                          * then fall through to add the normal register.
9382                          * add_cpreg_to_hashtable() copies the cpreg struct
9383                          * and name that it is passed, so it's OK to use
9384                          * a local struct here.
9385                          */
9386                         ARMCPRegInfo nxs_ri = *r;
9387                         g_autofree char *name = g_strdup_printf("%sNXS", r->name);
9388 
9389                         assert(state == ARM_CP_STATE_AA64);
9390                         assert(nxs_ri.crn < 0xf);
9391                         nxs_ri.crn++;
9392                         if (nxs_ri.fgt) {
9393                             nxs_ri.fgt |= R_FGT_NXS_MASK;
9394                         }
9395                         add_cpreg_to_hashtable(cpu, &nxs_ri, opaque, state,
9396                                                ARM_CP_SECSTATE_NS,
9397                                                crm, opc1, opc2, name);
9398                     }
9399                     if (state == ARM_CP_STATE_AA32) {
9400                         /*
9401                          * Under AArch32 CP registers can be common
9402                          * (same for secure and non-secure world) or banked.
9403                          */
9404                         char *name;
9405 
9406                         switch (r->secure) {
9407                         case ARM_CP_SECSTATE_S:
9408                         case ARM_CP_SECSTATE_NS:
9409                             add_cpreg_to_hashtable(cpu, r, opaque, state,
9410                                                    r->secure, crm, opc1, opc2,
9411                                                    r->name);
9412                             break;
9413                         case ARM_CP_SECSTATE_BOTH:
9414                             name = g_strdup_printf("%s_S", r->name);
9415                             add_cpreg_to_hashtable(cpu, r, opaque, state,
9416                                                    ARM_CP_SECSTATE_S,
9417                                                    crm, opc1, opc2, name);
9418                             g_free(name);
9419                             add_cpreg_to_hashtable(cpu, r, opaque, state,
9420                                                    ARM_CP_SECSTATE_NS,
9421                                                    crm, opc1, opc2, r->name);
9422                             break;
9423                         default:
9424                             g_assert_not_reached();
9425                         }
9426                     } else {
9427                         /*
9428                          * AArch64 registers get mapped to non-secure instance
9429                          * of AArch32
9430                          */
9431                         add_cpreg_to_hashtable(cpu, r, opaque, state,
9432                                                ARM_CP_SECSTATE_NS,
9433                                                crm, opc1, opc2, r->name);
9434                     }
9435                 }
9436             }
9437         }
9438     }
9439 }
9440 
9441 /* Define a whole list of registers */
9442 void define_arm_cp_regs_with_opaque_len(ARMCPU *cpu, const ARMCPRegInfo *regs,
9443                                         void *opaque, size_t len)
9444 {
9445     size_t i;
9446     for (i = 0; i < len; ++i) {
9447         define_one_arm_cp_reg_with_opaque(cpu, regs + i, opaque);
9448     }
9449 }
9450 
9451 /*
9452  * Modify ARMCPRegInfo for access from userspace.
9453  *
9454  * This is a data driven modification directed by
9455  * ARMCPRegUserSpaceInfo. All registers become ARM_CP_CONST as
9456  * user-space cannot alter any values and dynamic values pertaining to
9457  * execution state are hidden from user space view anyway.
9458  */
9459 void modify_arm_cp_regs_with_len(ARMCPRegInfo *regs, size_t regs_len,
9460                                  const ARMCPRegUserSpaceInfo *mods,
9461                                  size_t mods_len)
9462 {
9463     for (size_t mi = 0; mi < mods_len; ++mi) {
9464         const ARMCPRegUserSpaceInfo *m = mods + mi;
9465         GPatternSpec *pat = NULL;
9466 
9467         if (m->is_glob) {
9468             pat = g_pattern_spec_new(m->name);
9469         }
9470         for (size_t ri = 0; ri < regs_len; ++ri) {
9471             ARMCPRegInfo *r = regs + ri;
9472 
9473             if (pat && g_pattern_match_string(pat, r->name)) {
9474                 r->type = ARM_CP_CONST;
9475                 r->access = PL0U_R;
9476                 r->resetvalue = 0;
9477                 /* continue */
9478             } else if (strcmp(r->name, m->name) == 0) {
9479                 r->type = ARM_CP_CONST;
9480                 r->access = PL0U_R;
9481                 r->resetvalue &= m->exported_bits;
9482                 r->resetvalue |= m->fixed_bits;
9483                 break;
9484             }
9485         }
9486         if (pat) {
9487             g_pattern_spec_free(pat);
9488         }
9489     }
9490 }
9491 
9492 const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp)
9493 {
9494     return g_hash_table_lookup(cpregs, (gpointer)(uintptr_t)encoded_cp);
9495 }
9496 
9497 void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,
9498                          uint64_t value)
9499 {
9500     /* Helper coprocessor write function for write-ignore registers */
9501 }
9502 
9503 uint64_t arm_cp_read_zero(CPUARMState *env, const ARMCPRegInfo *ri)
9504 {
9505     /* Helper coprocessor write function for read-as-zero registers */
9506     return 0;
9507 }
9508 
9509 void arm_cp_reset_ignore(CPUARMState *env, const ARMCPRegInfo *opaque)
9510 {
9511     /* Helper coprocessor reset function for do-nothing-on-reset registers */
9512 }
9513 
9514 static int bad_mode_switch(CPUARMState *env, int mode, CPSRWriteType write_type)
9515 {
9516     /*
9517      * Return true if it is not valid for us to switch to
9518      * this CPU mode (ie all the UNPREDICTABLE cases in
9519      * the ARM ARM CPSRWriteByInstr pseudocode).
9520      */
9521 
9522     /* Changes to or from Hyp via MSR and CPS are illegal. */
9523     if (write_type == CPSRWriteByInstr &&
9524         ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_HYP ||
9525          mode == ARM_CPU_MODE_HYP)) {
9526         return 1;
9527     }
9528 
9529     switch (mode) {
9530     case ARM_CPU_MODE_USR:
9531         return 0;
9532     case ARM_CPU_MODE_SYS:
9533     case ARM_CPU_MODE_SVC:
9534     case ARM_CPU_MODE_ABT:
9535     case ARM_CPU_MODE_UND:
9536     case ARM_CPU_MODE_IRQ:
9537     case ARM_CPU_MODE_FIQ:
9538         /*
9539          * Note that we don't implement the IMPDEF NSACR.RFR which in v7
9540          * allows FIQ mode to be Secure-only. (In v8 this doesn't exist.)
9541          */
9542         /*
9543          * If HCR.TGE is set then changes from Monitor to NS PL1 via MSR
9544          * and CPS are treated as illegal mode changes.
9545          */
9546         if (write_type == CPSRWriteByInstr &&
9547             (env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_MON &&
9548             (arm_hcr_el2_eff(env) & HCR_TGE)) {
9549             return 1;
9550         }
9551         return 0;
9552     case ARM_CPU_MODE_HYP:
9553         return !arm_is_el2_enabled(env) || arm_current_el(env) < 2;
9554     case ARM_CPU_MODE_MON:
9555         return arm_current_el(env) < 3;
9556     default:
9557         return 1;
9558     }
9559 }
9560 
9561 uint32_t cpsr_read(CPUARMState *env)
9562 {
9563     int ZF;
9564     ZF = (env->ZF == 0);
9565     return env->uncached_cpsr | (env->NF & 0x80000000) | (ZF << 30) |
9566         (env->CF << 29) | ((env->VF & 0x80000000) >> 3) | (env->QF << 27)
9567         | (env->thumb << 5) | ((env->condexec_bits & 3) << 25)
9568         | ((env->condexec_bits & 0xfc) << 8)
9569         | (env->GE << 16) | (env->daif & CPSR_AIF);
9570 }
9571 
9572 void cpsr_write(CPUARMState *env, uint32_t val, uint32_t mask,
9573                 CPSRWriteType write_type)
9574 {
9575     uint32_t changed_daif;
9576     bool rebuild_hflags = (write_type != CPSRWriteRaw) &&
9577         (mask & (CPSR_M | CPSR_E | CPSR_IL));
9578 
9579     if (mask & CPSR_NZCV) {
9580         env->ZF = (~val) & CPSR_Z;
9581         env->NF = val;
9582         env->CF = (val >> 29) & 1;
9583         env->VF = (val << 3) & 0x80000000;
9584     }
9585     if (mask & CPSR_Q) {
9586         env->QF = ((val & CPSR_Q) != 0);
9587     }
9588     if (mask & CPSR_T) {
9589         env->thumb = ((val & CPSR_T) != 0);
9590     }
9591     if (mask & CPSR_IT_0_1) {
9592         env->condexec_bits &= ~3;
9593         env->condexec_bits |= (val >> 25) & 3;
9594     }
9595     if (mask & CPSR_IT_2_7) {
9596         env->condexec_bits &= 3;
9597         env->condexec_bits |= (val >> 8) & 0xfc;
9598     }
9599     if (mask & CPSR_GE) {
9600         env->GE = (val >> 16) & 0xf;
9601     }
9602 
9603     /*
9604      * In a V7 implementation that includes the security extensions but does
9605      * not include Virtualization Extensions the SCR.FW and SCR.AW bits control
9606      * whether non-secure software is allowed to change the CPSR_F and CPSR_A
9607      * bits respectively.
9608      *
9609      * In a V8 implementation, it is permitted for privileged software to
9610      * change the CPSR A/F bits regardless of the SCR.AW/FW bits.
9611      */
9612     if (write_type != CPSRWriteRaw && !arm_feature(env, ARM_FEATURE_V8) &&
9613         arm_feature(env, ARM_FEATURE_EL3) &&
9614         !arm_feature(env, ARM_FEATURE_EL2) &&
9615         !arm_is_secure(env)) {
9616 
9617         changed_daif = (env->daif ^ val) & mask;
9618 
9619         if (changed_daif & CPSR_A) {
9620             /*
9621              * Check to see if we are allowed to change the masking of async
9622              * abort exceptions from a non-secure state.
9623              */
9624             if (!(env->cp15.scr_el3 & SCR_AW)) {
9625                 qemu_log_mask(LOG_GUEST_ERROR,
9626                               "Ignoring attempt to switch CPSR_A flag from "
9627                               "non-secure world with SCR.AW bit clear\n");
9628                 mask &= ~CPSR_A;
9629             }
9630         }
9631 
9632         if (changed_daif & CPSR_F) {
9633             /*
9634              * Check to see if we are allowed to change the masking of FIQ
9635              * exceptions from a non-secure state.
9636              */
9637             if (!(env->cp15.scr_el3 & SCR_FW)) {
9638                 qemu_log_mask(LOG_GUEST_ERROR,
9639                               "Ignoring attempt to switch CPSR_F flag from "
9640                               "non-secure world with SCR.FW bit clear\n");
9641                 mask &= ~CPSR_F;
9642             }
9643 
9644             /*
9645              * Check whether non-maskable FIQ (NMFI) support is enabled.
9646              * If this bit is set software is not allowed to mask
9647              * FIQs, but is allowed to set CPSR_F to 0.
9648              */
9649             if ((A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_NMFI) &&
9650                 (val & CPSR_F)) {
9651                 qemu_log_mask(LOG_GUEST_ERROR,
9652                               "Ignoring attempt to enable CPSR_F flag "
9653                               "(non-maskable FIQ [NMFI] support enabled)\n");
9654                 mask &= ~CPSR_F;
9655             }
9656         }
9657     }
9658 
9659     env->daif &= ~(CPSR_AIF & mask);
9660     env->daif |= val & CPSR_AIF & mask;
9661 
9662     if (write_type != CPSRWriteRaw &&
9663         ((env->uncached_cpsr ^ val) & mask & CPSR_M)) {
9664         if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_USR) {
9665             /*
9666              * Note that we can only get here in USR mode if this is a
9667              * gdb stub write; for this case we follow the architectural
9668              * behaviour for guest writes in USR mode of ignoring an attempt
9669              * to switch mode. (Those are caught by translate.c for writes
9670              * triggered by guest instructions.)
9671              */
9672             mask &= ~CPSR_M;
9673         } else if (bad_mode_switch(env, val & CPSR_M, write_type)) {
9674             /*
9675              * Attempt to switch to an invalid mode: this is UNPREDICTABLE in
9676              * v7, and has defined behaviour in v8:
9677              *  + leave CPSR.M untouched
9678              *  + allow changes to the other CPSR fields
9679              *  + set PSTATE.IL
9680              * For user changes via the GDB stub, we don't set PSTATE.IL,
9681              * as this would be unnecessarily harsh for a user error.
9682              */
9683             mask &= ~CPSR_M;
9684             if (write_type != CPSRWriteByGDBStub &&
9685                 arm_feature(env, ARM_FEATURE_V8)) {
9686                 mask |= CPSR_IL;
9687                 val |= CPSR_IL;
9688             }
9689             qemu_log_mask(LOG_GUEST_ERROR,
9690                           "Illegal AArch32 mode switch attempt from %s to %s\n",
9691                           aarch32_mode_name(env->uncached_cpsr),
9692                           aarch32_mode_name(val));
9693         } else {
9694             qemu_log_mask(CPU_LOG_INT, "%s %s to %s PC 0x%" PRIx32 "\n",
9695                           write_type == CPSRWriteExceptionReturn ?
9696                           "Exception return from AArch32" :
9697                           "AArch32 mode switch from",
9698                           aarch32_mode_name(env->uncached_cpsr),
9699                           aarch32_mode_name(val), env->regs[15]);
9700             switch_mode(env, val & CPSR_M);
9701         }
9702     }
9703     mask &= ~CACHED_CPSR_BITS;
9704     env->uncached_cpsr = (env->uncached_cpsr & ~mask) | (val & mask);
9705     if (tcg_enabled() && rebuild_hflags) {
9706         arm_rebuild_hflags(env);
9707     }
9708 }
9709 
9710 #ifdef CONFIG_USER_ONLY
9711 
9712 static void switch_mode(CPUARMState *env, int mode)
9713 {
9714     ARMCPU *cpu = env_archcpu(env);
9715 
9716     if (mode != ARM_CPU_MODE_USR) {
9717         cpu_abort(CPU(cpu), "Tried to switch out of user mode\n");
9718     }
9719 }
9720 
9721 uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
9722                                  uint32_t cur_el, bool secure)
9723 {
9724     return 1;
9725 }
9726 
9727 void aarch64_sync_64_to_32(CPUARMState *env)
9728 {
9729     g_assert_not_reached();
9730 }
9731 
9732 #else
9733 
9734 static void switch_mode(CPUARMState *env, int mode)
9735 {
9736     int old_mode;
9737     int i;
9738 
9739     old_mode = env->uncached_cpsr & CPSR_M;
9740     if (mode == old_mode) {
9741         return;
9742     }
9743 
9744     if (old_mode == ARM_CPU_MODE_FIQ) {
9745         memcpy(env->fiq_regs, env->regs + 8, 5 * sizeof(uint32_t));
9746         memcpy(env->regs + 8, env->usr_regs, 5 * sizeof(uint32_t));
9747     } else if (mode == ARM_CPU_MODE_FIQ) {
9748         memcpy(env->usr_regs, env->regs + 8, 5 * sizeof(uint32_t));
9749         memcpy(env->regs + 8, env->fiq_regs, 5 * sizeof(uint32_t));
9750     }
9751 
9752     i = bank_number(old_mode);
9753     env->banked_r13[i] = env->regs[13];
9754     env->banked_spsr[i] = env->spsr;
9755 
9756     i = bank_number(mode);
9757     env->regs[13] = env->banked_r13[i];
9758     env->spsr = env->banked_spsr[i];
9759 
9760     env->banked_r14[r14_bank_number(old_mode)] = env->regs[14];
9761     env->regs[14] = env->banked_r14[r14_bank_number(mode)];
9762 }
9763 
9764 /*
9765  * Physical Interrupt Target EL Lookup Table
9766  *
9767  * [ From ARM ARM section G1.13.4 (Table G1-15) ]
9768  *
9769  * The below multi-dimensional table is used for looking up the target
9770  * exception level given numerous condition criteria.  Specifically, the
9771  * target EL is based on SCR and HCR routing controls as well as the
9772  * currently executing EL and secure state.
9773  *
9774  *    Dimensions:
9775  *    target_el_table[2][2][2][2][2][4]
9776  *                    |  |  |  |  |  +--- Current EL
9777  *                    |  |  |  |  +------ Non-secure(0)/Secure(1)
9778  *                    |  |  |  +--------- HCR mask override
9779  *                    |  |  +------------ SCR exec state control
9780  *                    |  +--------------- SCR mask override
9781  *                    +------------------ 32-bit(0)/64-bit(1) EL3
9782  *
9783  *    The table values are as such:
9784  *    0-3 = EL0-EL3
9785  *     -1 = Cannot occur
9786  *
9787  * The ARM ARM target EL table includes entries indicating that an "exception
9788  * is not taken".  The two cases where this is applicable are:
9789  *    1) An exception is taken from EL3 but the SCR does not have the exception
9790  *    routed to EL3.
9791  *    2) An exception is taken from EL2 but the HCR does not have the exception
9792  *    routed to EL2.
9793  * In these two cases, the below table contain a target of EL1.  This value is
9794  * returned as it is expected that the consumer of the table data will check
9795  * for "target EL >= current EL" to ensure the exception is not taken.
9796  *
9797  *            SCR     HCR
9798  *         64  EA     AMO                 From
9799  *        BIT IRQ     IMO      Non-secure         Secure
9800  *        EL3 FIQ  RW FMO   EL0 EL1 EL2 EL3   EL0 EL1 EL2 EL3
9801  */
9802 static const int8_t target_el_table[2][2][2][2][2][4] = {
9803     {{{{/* 0   0   0   0 */{ 1,  1,  2, -1 },{ 3, -1, -1,  3 },},
9804        {/* 0   0   0   1 */{ 2,  2,  2, -1 },{ 3, -1, -1,  3 },},},
9805       {{/* 0   0   1   0 */{ 1,  1,  2, -1 },{ 3, -1, -1,  3 },},
9806        {/* 0   0   1   1 */{ 2,  2,  2, -1 },{ 3, -1, -1,  3 },},},},
9807      {{{/* 0   1   0   0 */{ 3,  3,  3, -1 },{ 3, -1, -1,  3 },},
9808        {/* 0   1   0   1 */{ 3,  3,  3, -1 },{ 3, -1, -1,  3 },},},
9809       {{/* 0   1   1   0 */{ 3,  3,  3, -1 },{ 3, -1, -1,  3 },},
9810        {/* 0   1   1   1 */{ 3,  3,  3, -1 },{ 3, -1, -1,  3 },},},},},
9811     {{{{/* 1   0   0   0 */{ 1,  1,  2, -1 },{ 1,  1, -1,  1 },},
9812        {/* 1   0   0   1 */{ 2,  2,  2, -1 },{ 2,  2, -1,  1 },},},
9813       {{/* 1   0   1   0 */{ 1,  1,  1, -1 },{ 1,  1,  1,  1 },},
9814        {/* 1   0   1   1 */{ 2,  2,  2, -1 },{ 2,  2,  2,  1 },},},},
9815      {{{/* 1   1   0   0 */{ 3,  3,  3, -1 },{ 3,  3, -1,  3 },},
9816        {/* 1   1   0   1 */{ 3,  3,  3, -1 },{ 3,  3, -1,  3 },},},
9817       {{/* 1   1   1   0 */{ 3,  3,  3, -1 },{ 3,  3,  3,  3 },},
9818        {/* 1   1   1   1 */{ 3,  3,  3, -1 },{ 3,  3,  3,  3 },},},},},
9819 };
9820 
9821 /*
9822  * Determine the target EL for physical exceptions
9823  */
9824 uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
9825                                  uint32_t cur_el, bool secure)
9826 {
9827     CPUARMState *env = cpu_env(cs);
9828     bool rw;
9829     bool scr;
9830     bool hcr;
9831     int target_el;
9832     /* Is the highest EL AArch64? */
9833     bool is64 = arm_feature(env, ARM_FEATURE_AARCH64);
9834     uint64_t hcr_el2;
9835 
9836     if (arm_feature(env, ARM_FEATURE_EL3)) {
9837         rw = arm_scr_rw_eff(env);
9838     } else {
9839         /*
9840          * Either EL2 is the highest EL (and so the EL2 register width
9841          * is given by is64); or there is no EL2 or EL3, in which case
9842          * the value of 'rw' does not affect the table lookup anyway.
9843          */
9844         rw = is64;
9845     }
9846 
9847     hcr_el2 = arm_hcr_el2_eff(env);
9848     switch (excp_idx) {
9849     case EXCP_IRQ:
9850     case EXCP_NMI:
9851         scr = ((env->cp15.scr_el3 & SCR_IRQ) == SCR_IRQ);
9852         hcr = hcr_el2 & HCR_IMO;
9853         break;
9854     case EXCP_FIQ:
9855         scr = ((env->cp15.scr_el3 & SCR_FIQ) == SCR_FIQ);
9856         hcr = hcr_el2 & HCR_FMO;
9857         break;
9858     default:
9859         scr = ((env->cp15.scr_el3 & SCR_EA) == SCR_EA);
9860         hcr = hcr_el2 & HCR_AMO;
9861         break;
9862     };
9863 
9864     /*
9865      * For these purposes, TGE and AMO/IMO/FMO both force the
9866      * interrupt to EL2.  Fold TGE into the bit extracted above.
9867      */
9868     hcr |= (hcr_el2 & HCR_TGE) != 0;
9869 
9870     /* Perform a table-lookup for the target EL given the current state */
9871     target_el = target_el_table[is64][scr][rw][hcr][secure][cur_el];
9872 
9873     assert(target_el > 0);
9874 
9875     return target_el;
9876 }
9877 
9878 void arm_log_exception(CPUState *cs)
9879 {
9880     int idx = cs->exception_index;
9881 
9882     if (qemu_loglevel_mask(CPU_LOG_INT)) {
9883         const char *exc = NULL;
9884         static const char * const excnames[] = {
9885             [EXCP_UDEF] = "Undefined Instruction",
9886             [EXCP_SWI] = "SVC",
9887             [EXCP_PREFETCH_ABORT] = "Prefetch Abort",
9888             [EXCP_DATA_ABORT] = "Data Abort",
9889             [EXCP_IRQ] = "IRQ",
9890             [EXCP_FIQ] = "FIQ",
9891             [EXCP_BKPT] = "Breakpoint",
9892             [EXCP_EXCEPTION_EXIT] = "QEMU v7M exception exit",
9893             [EXCP_KERNEL_TRAP] = "QEMU intercept of kernel commpage",
9894             [EXCP_HVC] = "Hypervisor Call",
9895             [EXCP_HYP_TRAP] = "Hypervisor Trap",
9896             [EXCP_SMC] = "Secure Monitor Call",
9897             [EXCP_VIRQ] = "Virtual IRQ",
9898             [EXCP_VFIQ] = "Virtual FIQ",
9899             [EXCP_SEMIHOST] = "Semihosting call",
9900             [EXCP_NOCP] = "v7M NOCP UsageFault",
9901             [EXCP_INVSTATE] = "v7M INVSTATE UsageFault",
9902             [EXCP_STKOF] = "v8M STKOF UsageFault",
9903             [EXCP_LAZYFP] = "v7M exception during lazy FP stacking",
9904             [EXCP_LSERR] = "v8M LSERR UsageFault",
9905             [EXCP_UNALIGNED] = "v7M UNALIGNED UsageFault",
9906             [EXCP_DIVBYZERO] = "v7M DIVBYZERO UsageFault",
9907             [EXCP_VSERR] = "Virtual SERR",
9908             [EXCP_GPC] = "Granule Protection Check",
9909             [EXCP_NMI] = "NMI",
9910             [EXCP_VINMI] = "Virtual IRQ NMI",
9911             [EXCP_VFNMI] = "Virtual FIQ NMI",
9912             [EXCP_MON_TRAP] = "Monitor Trap",
9913         };
9914 
9915         if (idx >= 0 && idx < ARRAY_SIZE(excnames)) {
9916             exc = excnames[idx];
9917         }
9918         if (!exc) {
9919             exc = "unknown";
9920         }
9921         qemu_log_mask(CPU_LOG_INT, "Taking exception %d [%s] on CPU %d\n",
9922                       idx, exc, cs->cpu_index);
9923     }
9924 }
9925 
9926 /*
9927  * Function used to synchronize QEMU's AArch64 register set with AArch32
9928  * register set.  This is necessary when switching between AArch32 and AArch64
9929  * execution state.
9930  */
9931 void aarch64_sync_32_to_64(CPUARMState *env)
9932 {
9933     int i;
9934     uint32_t mode = env->uncached_cpsr & CPSR_M;
9935 
9936     /* We can blanket copy R[0:7] to X[0:7] */
9937     for (i = 0; i < 8; i++) {
9938         env->xregs[i] = env->regs[i];
9939     }
9940 
9941     /*
9942      * Unless we are in FIQ mode, x8-x12 come from the user registers r8-r12.
9943      * Otherwise, they come from the banked user regs.
9944      */
9945     if (mode == ARM_CPU_MODE_FIQ) {
9946         for (i = 8; i < 13; i++) {
9947             env->xregs[i] = env->usr_regs[i - 8];
9948         }
9949     } else {
9950         for (i = 8; i < 13; i++) {
9951             env->xregs[i] = env->regs[i];
9952         }
9953     }
9954 
9955     /*
9956      * Registers x13-x23 are the various mode SP and FP registers. Registers
9957      * r13 and r14 are only copied if we are in that mode, otherwise we copy
9958      * from the mode banked register.
9959      */
9960     if (mode == ARM_CPU_MODE_USR || mode == ARM_CPU_MODE_SYS) {
9961         env->xregs[13] = env->regs[13];
9962         env->xregs[14] = env->regs[14];
9963     } else {
9964         env->xregs[13] = env->banked_r13[bank_number(ARM_CPU_MODE_USR)];
9965         /* HYP is an exception in that it is copied from r14 */
9966         if (mode == ARM_CPU_MODE_HYP) {
9967             env->xregs[14] = env->regs[14];
9968         } else {
9969             env->xregs[14] = env->banked_r14[r14_bank_number(ARM_CPU_MODE_USR)];
9970         }
9971     }
9972 
9973     if (mode == ARM_CPU_MODE_HYP) {
9974         env->xregs[15] = env->regs[13];
9975     } else {
9976         env->xregs[15] = env->banked_r13[bank_number(ARM_CPU_MODE_HYP)];
9977     }
9978 
9979     if (mode == ARM_CPU_MODE_IRQ) {
9980         env->xregs[16] = env->regs[14];
9981         env->xregs[17] = env->regs[13];
9982     } else {
9983         env->xregs[16] = env->banked_r14[r14_bank_number(ARM_CPU_MODE_IRQ)];
9984         env->xregs[17] = env->banked_r13[bank_number(ARM_CPU_MODE_IRQ)];
9985     }
9986 
9987     if (mode == ARM_CPU_MODE_SVC) {
9988         env->xregs[18] = env->regs[14];
9989         env->xregs[19] = env->regs[13];
9990     } else {
9991         env->xregs[18] = env->banked_r14[r14_bank_number(ARM_CPU_MODE_SVC)];
9992         env->xregs[19] = env->banked_r13[bank_number(ARM_CPU_MODE_SVC)];
9993     }
9994 
9995     if (mode == ARM_CPU_MODE_ABT) {
9996         env->xregs[20] = env->regs[14];
9997         env->xregs[21] = env->regs[13];
9998     } else {
9999         env->xregs[20] = env->banked_r14[r14_bank_number(ARM_CPU_MODE_ABT)];
10000         env->xregs[21] = env->banked_r13[bank_number(ARM_CPU_MODE_ABT)];
10001     }
10002 
10003     if (mode == ARM_CPU_MODE_UND) {
10004         env->xregs[22] = env->regs[14];
10005         env->xregs[23] = env->regs[13];
10006     } else {
10007         env->xregs[22] = env->banked_r14[r14_bank_number(ARM_CPU_MODE_UND)];
10008         env->xregs[23] = env->banked_r13[bank_number(ARM_CPU_MODE_UND)];
10009     }
10010 
10011     /*
10012      * Registers x24-x30 are mapped to r8-r14 in FIQ mode.  If we are in FIQ
10013      * mode, then we can copy from r8-r14.  Otherwise, we copy from the
10014      * FIQ bank for r8-r14.
10015      */
10016     if (mode == ARM_CPU_MODE_FIQ) {
10017         for (i = 24; i < 31; i++) {
10018             env->xregs[i] = env->regs[i - 16];   /* X[24:30] <- R[8:14] */
10019         }
10020     } else {
10021         for (i = 24; i < 29; i++) {
10022             env->xregs[i] = env->fiq_regs[i - 24];
10023         }
10024         env->xregs[29] = env->banked_r13[bank_number(ARM_CPU_MODE_FIQ)];
10025         env->xregs[30] = env->banked_r14[r14_bank_number(ARM_CPU_MODE_FIQ)];
10026     }
10027 
10028     env->pc = env->regs[15];
10029 }
10030 
10031 /*
10032  * Function used to synchronize QEMU's AArch32 register set with AArch64
10033  * register set.  This is necessary when switching between AArch32 and AArch64
10034  * execution state.
10035  */
10036 void aarch64_sync_64_to_32(CPUARMState *env)
10037 {
10038     int i;
10039     uint32_t mode = env->uncached_cpsr & CPSR_M;
10040 
10041     /* We can blanket copy X[0:7] to R[0:7] */
10042     for (i = 0; i < 8; i++) {
10043         env->regs[i] = env->xregs[i];
10044     }
10045 
10046     /*
10047      * Unless we are in FIQ mode, r8-r12 come from the user registers x8-x12.
10048      * Otherwise, we copy x8-x12 into the banked user regs.
10049      */
10050     if (mode == ARM_CPU_MODE_FIQ) {
10051         for (i = 8; i < 13; i++) {
10052             env->usr_regs[i - 8] = env->xregs[i];
10053         }
10054     } else {
10055         for (i = 8; i < 13; i++) {
10056             env->regs[i] = env->xregs[i];
10057         }
10058     }
10059 
10060     /*
10061      * Registers r13 & r14 depend on the current mode.
10062      * If we are in a given mode, we copy the corresponding x registers to r13
10063      * and r14.  Otherwise, we copy the x register to the banked r13 and r14
10064      * for the mode.
10065      */
10066     if (mode == ARM_CPU_MODE_USR || mode == ARM_CPU_MODE_SYS) {
10067         env->regs[13] = env->xregs[13];
10068         env->regs[14] = env->xregs[14];
10069     } else {
10070         env->banked_r13[bank_number(ARM_CPU_MODE_USR)] = env->xregs[13];
10071 
10072         /*
10073          * HYP is an exception in that it does not have its own banked r14 but
10074          * shares the USR r14
10075          */
10076         if (mode == ARM_CPU_MODE_HYP) {
10077             env->regs[14] = env->xregs[14];
10078         } else {
10079             env->banked_r14[r14_bank_number(ARM_CPU_MODE_USR)] = env->xregs[14];
10080         }
10081     }
10082 
10083     if (mode == ARM_CPU_MODE_HYP) {
10084         env->regs[13] = env->xregs[15];
10085     } else {
10086         env->banked_r13[bank_number(ARM_CPU_MODE_HYP)] = env->xregs[15];
10087     }
10088 
10089     if (mode == ARM_CPU_MODE_IRQ) {
10090         env->regs[14] = env->xregs[16];
10091         env->regs[13] = env->xregs[17];
10092     } else {
10093         env->banked_r14[r14_bank_number(ARM_CPU_MODE_IRQ)] = env->xregs[16];
10094         env->banked_r13[bank_number(ARM_CPU_MODE_IRQ)] = env->xregs[17];
10095     }
10096 
10097     if (mode == ARM_CPU_MODE_SVC) {
10098         env->regs[14] = env->xregs[18];
10099         env->regs[13] = env->xregs[19];
10100     } else {
10101         env->banked_r14[r14_bank_number(ARM_CPU_MODE_SVC)] = env->xregs[18];
10102         env->banked_r13[bank_number(ARM_CPU_MODE_SVC)] = env->xregs[19];
10103     }
10104 
10105     if (mode == ARM_CPU_MODE_ABT) {
10106         env->regs[14] = env->xregs[20];
10107         env->regs[13] = env->xregs[21];
10108     } else {
10109         env->banked_r14[r14_bank_number(ARM_CPU_MODE_ABT)] = env->xregs[20];
10110         env->banked_r13[bank_number(ARM_CPU_MODE_ABT)] = env->xregs[21];
10111     }
10112 
10113     if (mode == ARM_CPU_MODE_UND) {
10114         env->regs[14] = env->xregs[22];
10115         env->regs[13] = env->xregs[23];
10116     } else {
10117         env->banked_r14[r14_bank_number(ARM_CPU_MODE_UND)] = env->xregs[22];
10118         env->banked_r13[bank_number(ARM_CPU_MODE_UND)] = env->xregs[23];
10119     }
10120 
10121     /*
10122      * Registers x24-x30 are mapped to r8-r14 in FIQ mode.  If we are in FIQ
10123      * mode, then we can copy to r8-r14.  Otherwise, we copy to the
10124      * FIQ bank for r8-r14.
10125      */
10126     if (mode == ARM_CPU_MODE_FIQ) {
10127         for (i = 24; i < 31; i++) {
10128             env->regs[i - 16] = env->xregs[i];   /* X[24:30] -> R[8:14] */
10129         }
10130     } else {
10131         for (i = 24; i < 29; i++) {
10132             env->fiq_regs[i - 24] = env->xregs[i];
10133         }
10134         env->banked_r13[bank_number(ARM_CPU_MODE_FIQ)] = env->xregs[29];
10135         env->banked_r14[r14_bank_number(ARM_CPU_MODE_FIQ)] = env->xregs[30];
10136     }
10137 
10138     env->regs[15] = env->pc;
10139 }
10140 
10141 static void take_aarch32_exception(CPUARMState *env, int new_mode,
10142                                    uint32_t mask, uint32_t offset,
10143                                    uint32_t newpc)
10144 {
10145     int new_el;
10146 
10147     /* Change the CPU state so as to actually take the exception. */
10148     switch_mode(env, new_mode);
10149 
10150     /*
10151      * For exceptions taken to AArch32 we must clear the SS bit in both
10152      * PSTATE and in the old-state value we save to SPSR_<mode>, so zero it now.
10153      */
10154     env->pstate &= ~PSTATE_SS;
10155     env->spsr = cpsr_read(env);
10156     /* Clear IT bits.  */
10157     env->condexec_bits = 0;
10158     /* Switch to the new mode, and to the correct instruction set.  */
10159     env->uncached_cpsr = (env->uncached_cpsr & ~CPSR_M) | new_mode;
10160 
10161     /* This must be after mode switching. */
10162     new_el = arm_current_el(env);
10163 
10164     /* Set new mode endianness */
10165     env->uncached_cpsr &= ~CPSR_E;
10166     if (env->cp15.sctlr_el[new_el] & SCTLR_EE) {
10167         env->uncached_cpsr |= CPSR_E;
10168     }
10169     /* J and IL must always be cleared for exception entry */
10170     env->uncached_cpsr &= ~(CPSR_IL | CPSR_J);
10171     env->daif |= mask;
10172 
10173     if (cpu_isar_feature(aa32_ssbs, env_archcpu(env))) {
10174         if (env->cp15.sctlr_el[new_el] & SCTLR_DSSBS_32) {
10175             env->uncached_cpsr |= CPSR_SSBS;
10176         } else {
10177             env->uncached_cpsr &= ~CPSR_SSBS;
10178         }
10179     }
10180 
10181     if (new_mode == ARM_CPU_MODE_HYP) {
10182         env->thumb = (env->cp15.sctlr_el[2] & SCTLR_TE) != 0;
10183         env->elr_el[2] = env->regs[15];
10184     } else {
10185         /* CPSR.PAN is normally preserved preserved unless...  */
10186         if (cpu_isar_feature(aa32_pan, env_archcpu(env))) {
10187             switch (new_el) {
10188             case 3:
10189                 if (!arm_is_secure_below_el3(env)) {
10190                     /* ... the target is EL3, from non-secure state.  */
10191                     env->uncached_cpsr &= ~CPSR_PAN;
10192                     break;
10193                 }
10194                 /* ... the target is EL3, from secure state ... */
10195                 /* fall through */
10196             case 1:
10197                 /* ... the target is EL1 and SCTLR.SPAN is 0.  */
10198                 if (!(env->cp15.sctlr_el[new_el] & SCTLR_SPAN)) {
10199                     env->uncached_cpsr |= CPSR_PAN;
10200                 }
10201                 break;
10202             }
10203         }
10204         /*
10205          * this is a lie, as there was no c1_sys on V4T/V5, but who cares
10206          * and we should just guard the thumb mode on V4
10207          */
10208         if (arm_feature(env, ARM_FEATURE_V4T)) {
10209             env->thumb =
10210                 (A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_TE) != 0;
10211         }
10212         env->regs[14] = env->regs[15] + offset;
10213     }
10214     env->regs[15] = newpc;
10215 
10216     if (tcg_enabled()) {
10217         arm_rebuild_hflags(env);
10218     }
10219 }
10220 
10221 static void arm_cpu_do_interrupt_aarch32_hyp(CPUState *cs)
10222 {
10223     /*
10224      * Handle exception entry to Hyp mode; this is sufficiently
10225      * different to entry to other AArch32 modes that we handle it
10226      * separately here.
10227      *
10228      * The vector table entry used is always the 0x14 Hyp mode entry point,
10229      * unless this is an UNDEF/SVC/HVC/abort taken from Hyp to Hyp.
10230      * The offset applied to the preferred return address is always zero
10231      * (see DDI0487C.a section G1.12.3).
10232      * PSTATE A/I/F masks are set based only on the SCR.EA/IRQ/FIQ values.
10233      */
10234     uint32_t addr, mask;
10235     ARMCPU *cpu = ARM_CPU(cs);
10236     CPUARMState *env = &cpu->env;
10237 
10238     switch (cs->exception_index) {
10239     case EXCP_UDEF:
10240         addr = 0x04;
10241         break;
10242     case EXCP_SWI:
10243         addr = 0x08;
10244         break;
10245     case EXCP_BKPT:
10246         /* Fall through to prefetch abort.  */
10247     case EXCP_PREFETCH_ABORT:
10248         env->cp15.ifar_s = env->exception.vaddress;
10249         qemu_log_mask(CPU_LOG_INT, "...with HIFAR 0x%x\n",
10250                       (uint32_t)env->exception.vaddress);
10251         addr = 0x0c;
10252         break;
10253     case EXCP_DATA_ABORT:
10254         env->cp15.dfar_s = env->exception.vaddress;
10255         qemu_log_mask(CPU_LOG_INT, "...with HDFAR 0x%x\n",
10256                       (uint32_t)env->exception.vaddress);
10257         addr = 0x10;
10258         break;
10259     case EXCP_IRQ:
10260         addr = 0x18;
10261         break;
10262     case EXCP_FIQ:
10263         addr = 0x1c;
10264         break;
10265     case EXCP_HVC:
10266         addr = 0x08;
10267         break;
10268     case EXCP_HYP_TRAP:
10269         addr = 0x14;
10270         break;
10271     default:
10272         cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
10273     }
10274 
10275     if (cs->exception_index != EXCP_IRQ && cs->exception_index != EXCP_FIQ) {
10276         if (!arm_feature(env, ARM_FEATURE_V8)) {
10277             /*
10278              * QEMU syndrome values are v8-style. v7 has the IL bit
10279              * UNK/SBZP for "field not valid" cases, where v8 uses RES1.
10280              * If this is a v7 CPU, squash the IL bit in those cases.
10281              */
10282             if (cs->exception_index == EXCP_PREFETCH_ABORT ||
10283                 (cs->exception_index == EXCP_DATA_ABORT &&
10284                  !(env->exception.syndrome & ARM_EL_ISV)) ||
10285                 syn_get_ec(env->exception.syndrome) == EC_UNCATEGORIZED) {
10286                 env->exception.syndrome &= ~ARM_EL_IL;
10287             }
10288         }
10289         env->cp15.esr_el[2] = env->exception.syndrome;
10290     }
10291 
10292     if (arm_current_el(env) != 2 && addr < 0x14) {
10293         addr = 0x14;
10294     }
10295 
10296     mask = 0;
10297     if (!(env->cp15.scr_el3 & SCR_EA)) {
10298         mask |= CPSR_A;
10299     }
10300     if (!(env->cp15.scr_el3 & SCR_IRQ)) {
10301         mask |= CPSR_I;
10302     }
10303     if (!(env->cp15.scr_el3 & SCR_FIQ)) {
10304         mask |= CPSR_F;
10305     }
10306 
10307     addr += env->cp15.hvbar;
10308 
10309     take_aarch32_exception(env, ARM_CPU_MODE_HYP, mask, 0, addr);
10310 }
10311 
10312 static void arm_cpu_do_interrupt_aarch32(CPUState *cs)
10313 {
10314     ARMCPU *cpu = ARM_CPU(cs);
10315     CPUARMState *env = &cpu->env;
10316     uint32_t addr;
10317     uint32_t mask;
10318     int new_mode;
10319     uint32_t offset;
10320     uint32_t moe;
10321 
10322     /* If this is a debug exception we must update the DBGDSCR.MOE bits */
10323     switch (syn_get_ec(env->exception.syndrome)) {
10324     case EC_BREAKPOINT:
10325     case EC_BREAKPOINT_SAME_EL:
10326         moe = 1;
10327         break;
10328     case EC_WATCHPOINT:
10329     case EC_WATCHPOINT_SAME_EL:
10330         moe = 10;
10331         break;
10332     case EC_AA32_BKPT:
10333         moe = 3;
10334         break;
10335     case EC_VECTORCATCH:
10336         moe = 5;
10337         break;
10338     default:
10339         moe = 0;
10340         break;
10341     }
10342 
10343     if (moe) {
10344         env->cp15.mdscr_el1 = deposit64(env->cp15.mdscr_el1, 2, 4, moe);
10345     }
10346 
10347     if (env->exception.target_el == 2) {
10348         /* Debug exceptions are reported differently on AArch32 */
10349         switch (syn_get_ec(env->exception.syndrome)) {
10350         case EC_BREAKPOINT:
10351         case EC_BREAKPOINT_SAME_EL:
10352         case EC_AA32_BKPT:
10353         case EC_VECTORCATCH:
10354             env->exception.syndrome = syn_insn_abort(arm_current_el(env) == 2,
10355                                                      0, 0, 0x22);
10356             break;
10357         case EC_WATCHPOINT:
10358             env->exception.syndrome = syn_set_ec(env->exception.syndrome,
10359                                                  EC_DATAABORT);
10360             break;
10361         case EC_WATCHPOINT_SAME_EL:
10362             env->exception.syndrome = syn_set_ec(env->exception.syndrome,
10363                                                  EC_DATAABORT_SAME_EL);
10364             break;
10365         }
10366         arm_cpu_do_interrupt_aarch32_hyp(cs);
10367         return;
10368     }
10369 
10370     switch (cs->exception_index) {
10371     case EXCP_UDEF:
10372         new_mode = ARM_CPU_MODE_UND;
10373         addr = 0x04;
10374         mask = CPSR_I;
10375         if (env->thumb) {
10376             offset = 2;
10377         } else {
10378             offset = 4;
10379         }
10380         break;
10381     case EXCP_SWI:
10382         new_mode = ARM_CPU_MODE_SVC;
10383         addr = 0x08;
10384         mask = CPSR_I;
10385         /* The PC already points to the next instruction.  */
10386         offset = 0;
10387         break;
10388     case EXCP_BKPT:
10389         /* Fall through to prefetch abort.  */
10390     case EXCP_PREFETCH_ABORT:
10391         A32_BANKED_CURRENT_REG_SET(env, ifsr, env->exception.fsr);
10392         A32_BANKED_CURRENT_REG_SET(env, ifar, env->exception.vaddress);
10393         qemu_log_mask(CPU_LOG_INT, "...with IFSR 0x%x IFAR 0x%x\n",
10394                       env->exception.fsr, (uint32_t)env->exception.vaddress);
10395         new_mode = ARM_CPU_MODE_ABT;
10396         addr = 0x0c;
10397         mask = CPSR_A | CPSR_I;
10398         offset = 4;
10399         break;
10400     case EXCP_DATA_ABORT:
10401         A32_BANKED_CURRENT_REG_SET(env, dfsr, env->exception.fsr);
10402         A32_BANKED_CURRENT_REG_SET(env, dfar, env->exception.vaddress);
10403         qemu_log_mask(CPU_LOG_INT, "...with DFSR 0x%x DFAR 0x%x\n",
10404                       env->exception.fsr,
10405                       (uint32_t)env->exception.vaddress);
10406         new_mode = ARM_CPU_MODE_ABT;
10407         addr = 0x10;
10408         mask = CPSR_A | CPSR_I;
10409         offset = 8;
10410         break;
10411     case EXCP_IRQ:
10412         new_mode = ARM_CPU_MODE_IRQ;
10413         addr = 0x18;
10414         /* Disable IRQ and imprecise data aborts.  */
10415         mask = CPSR_A | CPSR_I;
10416         offset = 4;
10417         if (env->cp15.scr_el3 & SCR_IRQ) {
10418             /* IRQ routed to monitor mode */
10419             new_mode = ARM_CPU_MODE_MON;
10420             mask |= CPSR_F;
10421         }
10422         break;
10423     case EXCP_FIQ:
10424         new_mode = ARM_CPU_MODE_FIQ;
10425         addr = 0x1c;
10426         /* Disable FIQ, IRQ and imprecise data aborts.  */
10427         mask = CPSR_A | CPSR_I | CPSR_F;
10428         if (env->cp15.scr_el3 & SCR_FIQ) {
10429             /* FIQ routed to monitor mode */
10430             new_mode = ARM_CPU_MODE_MON;
10431         }
10432         offset = 4;
10433         break;
10434     case EXCP_VIRQ:
10435         new_mode = ARM_CPU_MODE_IRQ;
10436         addr = 0x18;
10437         /* Disable IRQ and imprecise data aborts.  */
10438         mask = CPSR_A | CPSR_I;
10439         offset = 4;
10440         break;
10441     case EXCP_VFIQ:
10442         new_mode = ARM_CPU_MODE_FIQ;
10443         addr = 0x1c;
10444         /* Disable FIQ, IRQ and imprecise data aborts.  */
10445         mask = CPSR_A | CPSR_I | CPSR_F;
10446         offset = 4;
10447         break;
10448     case EXCP_VSERR:
10449         {
10450             /*
10451              * Note that this is reported as a data abort, but the DFAR
10452              * has an UNKNOWN value.  Construct the SError syndrome from
10453              * AET and ExT fields.
10454              */
10455             ARMMMUFaultInfo fi = { .type = ARMFault_AsyncExternal, };
10456 
10457             if (extended_addresses_enabled(env)) {
10458                 env->exception.fsr = arm_fi_to_lfsc(&fi);
10459             } else {
10460                 env->exception.fsr = arm_fi_to_sfsc(&fi);
10461             }
10462             env->exception.fsr |= env->cp15.vsesr_el2 & 0xd000;
10463             A32_BANKED_CURRENT_REG_SET(env, dfsr, env->exception.fsr);
10464             qemu_log_mask(CPU_LOG_INT, "...with IFSR 0x%x\n",
10465                           env->exception.fsr);
10466 
10467             new_mode = ARM_CPU_MODE_ABT;
10468             addr = 0x10;
10469             mask = CPSR_A | CPSR_I;
10470             offset = 8;
10471         }
10472         break;
10473     case EXCP_SMC:
10474         new_mode = ARM_CPU_MODE_MON;
10475         addr = 0x08;
10476         mask = CPSR_A | CPSR_I | CPSR_F;
10477         offset = 0;
10478         break;
10479     case EXCP_MON_TRAP:
10480         new_mode = ARM_CPU_MODE_MON;
10481         addr = 0x04;
10482         mask = CPSR_A | CPSR_I | CPSR_F;
10483         if (env->thumb) {
10484             offset = 2;
10485         } else {
10486             offset = 4;
10487         }
10488         break;
10489     default:
10490         cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
10491         return; /* Never happens.  Keep compiler happy.  */
10492     }
10493 
10494     if (new_mode == ARM_CPU_MODE_MON) {
10495         addr += env->cp15.mvbar;
10496     } else if (A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_V) {
10497         /* High vectors. When enabled, base address cannot be remapped. */
10498         addr += 0xffff0000;
10499     } else {
10500         /*
10501          * ARM v7 architectures provide a vector base address register to remap
10502          * the interrupt vector table.
10503          * This register is only followed in non-monitor mode, and is banked.
10504          * Note: only bits 31:5 are valid.
10505          */
10506         addr += A32_BANKED_CURRENT_REG_GET(env, vbar);
10507     }
10508 
10509     if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_MON) {
10510         env->cp15.scr_el3 &= ~SCR_NS;
10511     }
10512 
10513     take_aarch32_exception(env, new_mode, mask, offset, addr);
10514 }
10515 
10516 static int aarch64_regnum(CPUARMState *env, int aarch32_reg)
10517 {
10518     /*
10519      * Return the register number of the AArch64 view of the AArch32
10520      * register @aarch32_reg. The CPUARMState CPSR is assumed to still
10521      * be that of the AArch32 mode the exception came from.
10522      */
10523     int mode = env->uncached_cpsr & CPSR_M;
10524 
10525     switch (aarch32_reg) {
10526     case 0 ... 7:
10527         return aarch32_reg;
10528     case 8 ... 12:
10529         return mode == ARM_CPU_MODE_FIQ ? aarch32_reg + 16 : aarch32_reg;
10530     case 13:
10531         switch (mode) {
10532         case ARM_CPU_MODE_USR:
10533         case ARM_CPU_MODE_SYS:
10534             return 13;
10535         case ARM_CPU_MODE_HYP:
10536             return 15;
10537         case ARM_CPU_MODE_IRQ:
10538             return 17;
10539         case ARM_CPU_MODE_SVC:
10540             return 19;
10541         case ARM_CPU_MODE_ABT:
10542             return 21;
10543         case ARM_CPU_MODE_UND:
10544             return 23;
10545         case ARM_CPU_MODE_FIQ:
10546             return 29;
10547         default:
10548             g_assert_not_reached();
10549         }
10550     case 14:
10551         switch (mode) {
10552         case ARM_CPU_MODE_USR:
10553         case ARM_CPU_MODE_SYS:
10554         case ARM_CPU_MODE_HYP:
10555             return 14;
10556         case ARM_CPU_MODE_IRQ:
10557             return 16;
10558         case ARM_CPU_MODE_SVC:
10559             return 18;
10560         case ARM_CPU_MODE_ABT:
10561             return 20;
10562         case ARM_CPU_MODE_UND:
10563             return 22;
10564         case ARM_CPU_MODE_FIQ:
10565             return 30;
10566         default:
10567             g_assert_not_reached();
10568         }
10569     case 15:
10570         return 31;
10571     default:
10572         g_assert_not_reached();
10573     }
10574 }
10575 
10576 static uint32_t cpsr_read_for_spsr_elx(CPUARMState *env)
10577 {
10578     uint32_t ret = cpsr_read(env);
10579 
10580     /* Move DIT to the correct location for SPSR_ELx */
10581     if (ret & CPSR_DIT) {
10582         ret &= ~CPSR_DIT;
10583         ret |= PSTATE_DIT;
10584     }
10585     /* Merge PSTATE.SS into SPSR_ELx */
10586     ret |= env->pstate & PSTATE_SS;
10587 
10588     return ret;
10589 }
10590 
10591 static bool syndrome_is_sync_extabt(uint32_t syndrome)
10592 {
10593     /* Return true if this syndrome value is a synchronous external abort */
10594     switch (syn_get_ec(syndrome)) {
10595     case EC_INSNABORT:
10596     case EC_INSNABORT_SAME_EL:
10597     case EC_DATAABORT:
10598     case EC_DATAABORT_SAME_EL:
10599         /* Look at fault status code for all the synchronous ext abort cases */
10600         switch (syndrome & 0x3f) {
10601         case 0x10:
10602         case 0x13:
10603         case 0x14:
10604         case 0x15:
10605         case 0x16:
10606         case 0x17:
10607             return true;
10608         default:
10609             return false;
10610         }
10611     default:
10612         return false;
10613     }
10614 }
10615 
10616 /* Handle exception entry to a target EL which is using AArch64 */
10617 static void arm_cpu_do_interrupt_aarch64(CPUState *cs)
10618 {
10619     ARMCPU *cpu = ARM_CPU(cs);
10620     CPUARMState *env = &cpu->env;
10621     unsigned int new_el = env->exception.target_el;
10622     target_ulong addr = env->cp15.vbar_el[new_el];
10623     unsigned int new_mode = aarch64_pstate_mode(new_el, true);
10624     unsigned int old_mode;
10625     unsigned int cur_el = arm_current_el(env);
10626     int rt;
10627 
10628     if (tcg_enabled()) {
10629         /*
10630          * Note that new_el can never be 0.  If cur_el is 0, then
10631          * el0_a64 is is_a64(), else el0_a64 is ignored.
10632          */
10633 #ifdef TARGET_AARCH64
10634         aarch64_sve_change_el(env, cur_el, new_el, is_a64(env));
10635 #endif
10636     }
10637 
10638     if (cur_el < new_el) {
10639         /*
10640          * Entry vector offset depends on whether the implemented EL
10641          * immediately lower than the target level is using AArch32 or AArch64
10642          */
10643         bool is_aa64;
10644         uint64_t hcr;
10645 
10646         switch (new_el) {
10647         case 3:
10648             is_aa64 = arm_scr_rw_eff(env);
10649             break;
10650         case 2:
10651             hcr = arm_hcr_el2_eff(env);
10652             if ((hcr & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
10653                 is_aa64 = (hcr & HCR_RW) != 0;
10654                 break;
10655             }
10656             /* fall through */
10657         case 1:
10658             is_aa64 = is_a64(env);
10659             break;
10660         default:
10661             g_assert_not_reached();
10662         }
10663 
10664         if (is_aa64) {
10665             addr += 0x400;
10666         } else {
10667             addr += 0x600;
10668         }
10669     } else if (pstate_read(env) & PSTATE_SP) {
10670         addr += 0x200;
10671     }
10672 
10673     switch (cs->exception_index) {
10674     case EXCP_GPC:
10675         qemu_log_mask(CPU_LOG_INT, "...with MFAR 0x%" PRIx64 "\n",
10676                       env->cp15.mfar_el3);
10677         /* fall through */
10678     case EXCP_PREFETCH_ABORT:
10679     case EXCP_DATA_ABORT:
10680         /*
10681          * FEAT_DoubleFault allows synchronous external aborts taken to EL3
10682          * to be taken to the SError vector entrypoint.
10683          */
10684         if (new_el == 3 && (env->cp15.scr_el3 & SCR_EASE) &&
10685             syndrome_is_sync_extabt(env->exception.syndrome)) {
10686             addr += 0x180;
10687         }
10688         env->cp15.far_el[new_el] = env->exception.vaddress;
10689         qemu_log_mask(CPU_LOG_INT, "...with FAR 0x%" PRIx64 "\n",
10690                       env->cp15.far_el[new_el]);
10691         /* fall through */
10692     case EXCP_BKPT:
10693     case EXCP_UDEF:
10694     case EXCP_SWI:
10695     case EXCP_HVC:
10696     case EXCP_HYP_TRAP:
10697     case EXCP_SMC:
10698         switch (syn_get_ec(env->exception.syndrome)) {
10699         case EC_ADVSIMDFPACCESSTRAP:
10700             /*
10701              * QEMU internal FP/SIMD syndromes from AArch32 include the
10702              * TA and coproc fields which are only exposed if the exception
10703              * is taken to AArch32 Hyp mode. Mask them out to get a valid
10704              * AArch64 format syndrome.
10705              */
10706             env->exception.syndrome &= ~MAKE_64BIT_MASK(0, 20);
10707             break;
10708         case EC_CP14RTTRAP:
10709         case EC_CP15RTTRAP:
10710         case EC_CP14DTTRAP:
10711             /*
10712              * For a trap on AArch32 MRC/MCR/LDC/STC the Rt field is currently
10713              * the raw register field from the insn; when taking this to
10714              * AArch64 we must convert it to the AArch64 view of the register
10715              * number. Notice that we read a 4-bit AArch32 register number and
10716              * write back a 5-bit AArch64 one.
10717              */
10718             rt = extract32(env->exception.syndrome, 5, 4);
10719             rt = aarch64_regnum(env, rt);
10720             env->exception.syndrome = deposit32(env->exception.syndrome,
10721                                                 5, 5, rt);
10722             break;
10723         case EC_CP15RRTTRAP:
10724         case EC_CP14RRTTRAP:
10725             /* Similarly for MRRC/MCRR traps for Rt and Rt2 fields */
10726             rt = extract32(env->exception.syndrome, 5, 4);
10727             rt = aarch64_regnum(env, rt);
10728             env->exception.syndrome = deposit32(env->exception.syndrome,
10729                                                 5, 5, rt);
10730             rt = extract32(env->exception.syndrome, 10, 4);
10731             rt = aarch64_regnum(env, rt);
10732             env->exception.syndrome = deposit32(env->exception.syndrome,
10733                                                 10, 5, rt);
10734             break;
10735         }
10736         env->cp15.esr_el[new_el] = env->exception.syndrome;
10737         break;
10738     case EXCP_IRQ:
10739     case EXCP_VIRQ:
10740     case EXCP_NMI:
10741     case EXCP_VINMI:
10742         addr += 0x80;
10743         break;
10744     case EXCP_FIQ:
10745     case EXCP_VFIQ:
10746     case EXCP_VFNMI:
10747         addr += 0x100;
10748         break;
10749     case EXCP_VSERR:
10750         addr += 0x180;
10751         /* Construct the SError syndrome from IDS and ISS fields. */
10752         env->exception.syndrome = syn_serror(env->cp15.vsesr_el2 & 0x1ffffff);
10753         env->cp15.esr_el[new_el] = env->exception.syndrome;
10754         break;
10755     default:
10756         cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
10757     }
10758 
10759     if (is_a64(env)) {
10760         old_mode = pstate_read(env);
10761         aarch64_save_sp(env, arm_current_el(env));
10762         env->elr_el[new_el] = env->pc;
10763 
10764         if (cur_el == 1 && new_el == 1) {
10765             uint64_t hcr = arm_hcr_el2_eff(env);
10766             if ((hcr & (HCR_NV | HCR_NV1 | HCR_NV2)) == HCR_NV ||
10767                 (hcr & (HCR_NV | HCR_NV2)) == (HCR_NV | HCR_NV2)) {
10768                 /*
10769                  * FEAT_NV, FEAT_NV2 may need to report EL2 in the SPSR
10770                  * by setting M[3:2] to 0b10.
10771                  * If NV2 is disabled, change SPSR when NV,NV1 == 1,0 (I_ZJRNN)
10772                  * If NV2 is enabled, change SPSR when NV is 1 (I_DBTLM)
10773                  */
10774                 old_mode = deposit32(old_mode, 2, 2, 2);
10775             }
10776         }
10777     } else {
10778         old_mode = cpsr_read_for_spsr_elx(env);
10779         env->elr_el[new_el] = env->regs[15];
10780 
10781         aarch64_sync_32_to_64(env);
10782 
10783         env->condexec_bits = 0;
10784     }
10785     env->banked_spsr[aarch64_banked_spsr_index(new_el)] = old_mode;
10786 
10787     qemu_log_mask(CPU_LOG_INT, "...with SPSR 0x%x\n", old_mode);
10788     qemu_log_mask(CPU_LOG_INT, "...with ELR 0x%" PRIx64 "\n",
10789                   env->elr_el[new_el]);
10790 
10791     if (cpu_isar_feature(aa64_pan, cpu)) {
10792         /* The value of PSTATE.PAN is normally preserved, except when ... */
10793         new_mode |= old_mode & PSTATE_PAN;
10794         switch (new_el) {
10795         case 2:
10796             /* ... the target is EL2 with HCR_EL2.{E2H,TGE} == '11' ...  */
10797             if ((arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE))
10798                 != (HCR_E2H | HCR_TGE)) {
10799                 break;
10800             }
10801             /* fall through */
10802         case 1:
10803             /* ... the target is EL1 ... */
10804             /* ... and SCTLR_ELx.SPAN == 0, then set to 1.  */
10805             if ((env->cp15.sctlr_el[new_el] & SCTLR_SPAN) == 0) {
10806                 new_mode |= PSTATE_PAN;
10807             }
10808             break;
10809         }
10810     }
10811     if (cpu_isar_feature(aa64_mte, cpu)) {
10812         new_mode |= PSTATE_TCO;
10813     }
10814 
10815     if (cpu_isar_feature(aa64_ssbs, cpu)) {
10816         if (env->cp15.sctlr_el[new_el] & SCTLR_DSSBS_64) {
10817             new_mode |= PSTATE_SSBS;
10818         } else {
10819             new_mode &= ~PSTATE_SSBS;
10820         }
10821     }
10822 
10823     if (cpu_isar_feature(aa64_nmi, cpu)) {
10824         if (!(env->cp15.sctlr_el[new_el] & SCTLR_SPINTMASK)) {
10825             new_mode |= PSTATE_ALLINT;
10826         } else {
10827             new_mode &= ~PSTATE_ALLINT;
10828         }
10829     }
10830 
10831     pstate_write(env, PSTATE_DAIF | new_mode);
10832     env->aarch64 = true;
10833     aarch64_restore_sp(env, new_el);
10834 
10835     if (tcg_enabled()) {
10836         helper_rebuild_hflags_a64(env, new_el);
10837     }
10838 
10839     env->pc = addr;
10840 
10841     qemu_log_mask(CPU_LOG_INT, "...to EL%d PC 0x%" PRIx64 " PSTATE 0x%x\n",
10842                   new_el, env->pc, pstate_read(env));
10843 }
10844 
10845 /*
10846  * Do semihosting call and set the appropriate return value. All the
10847  * permission and validity checks have been done at translate time.
10848  *
10849  * We only see semihosting exceptions in TCG only as they are not
10850  * trapped to the hypervisor in KVM.
10851  */
10852 #ifdef CONFIG_TCG
10853 static void tcg_handle_semihosting(CPUState *cs)
10854 {
10855     ARMCPU *cpu = ARM_CPU(cs);
10856     CPUARMState *env = &cpu->env;
10857 
10858     if (is_a64(env)) {
10859         qemu_log_mask(CPU_LOG_INT,
10860                       "...handling as semihosting call 0x%" PRIx64 "\n",
10861                       env->xregs[0]);
10862         do_common_semihosting(cs);
10863         env->pc += 4;
10864     } else {
10865         qemu_log_mask(CPU_LOG_INT,
10866                       "...handling as semihosting call 0x%x\n",
10867                       env->regs[0]);
10868         do_common_semihosting(cs);
10869         env->regs[15] += env->thumb ? 2 : 4;
10870     }
10871 }
10872 #endif
10873 
10874 /*
10875  * Handle a CPU exception for A and R profile CPUs.
10876  * Do any appropriate logging, handle PSCI calls, and then hand off
10877  * to the AArch64-entry or AArch32-entry function depending on the
10878  * target exception level's register width.
10879  *
10880  * Note: this is used for both TCG (as the do_interrupt tcg op),
10881  *       and KVM to re-inject guest debug exceptions, and to
10882  *       inject a Synchronous-External-Abort.
10883  */
10884 void arm_cpu_do_interrupt(CPUState *cs)
10885 {
10886     ARMCPU *cpu = ARM_CPU(cs);
10887     CPUARMState *env = &cpu->env;
10888     unsigned int new_el = env->exception.target_el;
10889 
10890     assert(!arm_feature(env, ARM_FEATURE_M));
10891 
10892     arm_log_exception(cs);
10893     qemu_log_mask(CPU_LOG_INT, "...from EL%d to EL%d\n", arm_current_el(env),
10894                   new_el);
10895     if (qemu_loglevel_mask(CPU_LOG_INT)
10896         && !excp_is_internal(cs->exception_index)) {
10897         qemu_log_mask(CPU_LOG_INT, "...with ESR 0x%x/0x%" PRIx32 "\n",
10898                       syn_get_ec(env->exception.syndrome),
10899                       env->exception.syndrome);
10900     }
10901 
10902     if (tcg_enabled() && arm_is_psci_call(cpu, cs->exception_index)) {
10903         arm_handle_psci_call(cpu);
10904         qemu_log_mask(CPU_LOG_INT, "...handled as PSCI call\n");
10905         return;
10906     }
10907 
10908     /*
10909      * Semihosting semantics depend on the register width of the code
10910      * that caused the exception, not the target exception level, so
10911      * must be handled here.
10912      */
10913 #ifdef CONFIG_TCG
10914     if (cs->exception_index == EXCP_SEMIHOST) {
10915         tcg_handle_semihosting(cs);
10916         return;
10917     }
10918 #endif
10919 
10920     /*
10921      * Hooks may change global state so BQL should be held, also the
10922      * BQL needs to be held for any modification of
10923      * cs->interrupt_request.
10924      */
10925     g_assert(bql_locked());
10926 
10927     arm_call_pre_el_change_hook(cpu);
10928 
10929     assert(!excp_is_internal(cs->exception_index));
10930     if (arm_el_is_aa64(env, new_el)) {
10931         arm_cpu_do_interrupt_aarch64(cs);
10932     } else {
10933         arm_cpu_do_interrupt_aarch32(cs);
10934     }
10935 
10936     arm_call_el_change_hook(cpu);
10937 
10938     if (!kvm_enabled()) {
10939         cs->interrupt_request |= CPU_INTERRUPT_EXITTB;
10940     }
10941 }
10942 #endif /* !CONFIG_USER_ONLY */
10943 
10944 uint64_t arm_sctlr(CPUARMState *env, int el)
10945 {
10946     /* Only EL0 needs to be adjusted for EL1&0 or EL2&0 or EL3&0 */
10947     if (el == 0) {
10948         ARMMMUIdx mmu_idx = arm_mmu_idx_el(env, 0);
10949         switch (mmu_idx) {
10950         case ARMMMUIdx_E20_0:
10951             el = 2;
10952             break;
10953         case ARMMMUIdx_E30_0:
10954             el = 3;
10955             break;
10956         default:
10957             el = 1;
10958             break;
10959         }
10960     }
10961     return env->cp15.sctlr_el[el];
10962 }
10963 
10964 int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx)
10965 {
10966     if (regime_has_2_ranges(mmu_idx)) {
10967         return extract64(tcr, 37, 2);
10968     } else if (regime_is_stage2(mmu_idx)) {
10969         return 0; /* VTCR_EL2 */
10970     } else {
10971         /* Replicate the single TBI bit so we always have 2 bits.  */
10972         return extract32(tcr, 20, 1) * 3;
10973     }
10974 }
10975 
10976 int aa64_va_parameter_tbid(uint64_t tcr, ARMMMUIdx mmu_idx)
10977 {
10978     if (regime_has_2_ranges(mmu_idx)) {
10979         return extract64(tcr, 51, 2);
10980     } else if (regime_is_stage2(mmu_idx)) {
10981         return 0; /* VTCR_EL2 */
10982     } else {
10983         /* Replicate the single TBID bit so we always have 2 bits.  */
10984         return extract32(tcr, 29, 1) * 3;
10985     }
10986 }
10987 
10988 int aa64_va_parameter_tcma(uint64_t tcr, ARMMMUIdx mmu_idx)
10989 {
10990     if (regime_has_2_ranges(mmu_idx)) {
10991         return extract64(tcr, 57, 2);
10992     } else {
10993         /* Replicate the single TCMA bit so we always have 2 bits.  */
10994         return extract32(tcr, 30, 1) * 3;
10995     }
10996 }
10997 
10998 static ARMGranuleSize tg0_to_gran_size(int tg)
10999 {
11000     switch (tg) {
11001     case 0:
11002         return Gran4K;
11003     case 1:
11004         return Gran64K;
11005     case 2:
11006         return Gran16K;
11007     default:
11008         return GranInvalid;
11009     }
11010 }
11011 
11012 static ARMGranuleSize tg1_to_gran_size(int tg)
11013 {
11014     switch (tg) {
11015     case 1:
11016         return Gran16K;
11017     case 2:
11018         return Gran4K;
11019     case 3:
11020         return Gran64K;
11021     default:
11022         return GranInvalid;
11023     }
11024 }
11025 
11026 static inline bool have4k(ARMCPU *cpu, bool stage2)
11027 {
11028     return stage2 ? cpu_isar_feature(aa64_tgran4_2, cpu)
11029         : cpu_isar_feature(aa64_tgran4, cpu);
11030 }
11031 
11032 static inline bool have16k(ARMCPU *cpu, bool stage2)
11033 {
11034     return stage2 ? cpu_isar_feature(aa64_tgran16_2, cpu)
11035         : cpu_isar_feature(aa64_tgran16, cpu);
11036 }
11037 
11038 static inline bool have64k(ARMCPU *cpu, bool stage2)
11039 {
11040     return stage2 ? cpu_isar_feature(aa64_tgran64_2, cpu)
11041         : cpu_isar_feature(aa64_tgran64, cpu);
11042 }
11043 
11044 static ARMGranuleSize sanitize_gran_size(ARMCPU *cpu, ARMGranuleSize gran,
11045                                          bool stage2)
11046 {
11047     switch (gran) {
11048     case Gran4K:
11049         if (have4k(cpu, stage2)) {
11050             return gran;
11051         }
11052         break;
11053     case Gran16K:
11054         if (have16k(cpu, stage2)) {
11055             return gran;
11056         }
11057         break;
11058     case Gran64K:
11059         if (have64k(cpu, stage2)) {
11060             return gran;
11061         }
11062         break;
11063     case GranInvalid:
11064         break;
11065     }
11066     /*
11067      * If the guest selects a granule size that isn't implemented,
11068      * the architecture requires that we behave as if it selected one
11069      * that is (with an IMPDEF choice of which one to pick). We choose
11070      * to implement the smallest supported granule size.
11071      */
11072     if (have4k(cpu, stage2)) {
11073         return Gran4K;
11074     }
11075     if (have16k(cpu, stage2)) {
11076         return Gran16K;
11077     }
11078     assert(have64k(cpu, stage2));
11079     return Gran64K;
11080 }
11081 
11082 ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
11083                                    ARMMMUIdx mmu_idx, bool data,
11084                                    bool el1_is_aa32)
11085 {
11086     uint64_t tcr = regime_tcr(env, mmu_idx);
11087     bool epd, hpd, tsz_oob, ds, ha, hd;
11088     int select, tsz, tbi, max_tsz, min_tsz, ps, sh;
11089     ARMGranuleSize gran;
11090     ARMCPU *cpu = env_archcpu(env);
11091     bool stage2 = regime_is_stage2(mmu_idx);
11092 
11093     if (!regime_has_2_ranges(mmu_idx)) {
11094         select = 0;
11095         tsz = extract32(tcr, 0, 6);
11096         gran = tg0_to_gran_size(extract32(tcr, 14, 2));
11097         if (stage2) {
11098             /* VTCR_EL2 */
11099             hpd = false;
11100         } else {
11101             hpd = extract32(tcr, 24, 1);
11102         }
11103         epd = false;
11104         sh = extract32(tcr, 12, 2);
11105         ps = extract32(tcr, 16, 3);
11106         ha = extract32(tcr, 21, 1) && cpu_isar_feature(aa64_hafs, cpu);
11107         hd = extract32(tcr, 22, 1) && cpu_isar_feature(aa64_hdbs, cpu);
11108         ds = extract64(tcr, 32, 1);
11109     } else {
11110         bool e0pd;
11111 
11112         /*
11113          * Bit 55 is always between the two regions, and is canonical for
11114          * determining if address tagging is enabled.
11115          */
11116         select = extract64(va, 55, 1);
11117         if (!select) {
11118             tsz = extract32(tcr, 0, 6);
11119             gran = tg0_to_gran_size(extract32(tcr, 14, 2));
11120             epd = extract32(tcr, 7, 1);
11121             sh = extract32(tcr, 12, 2);
11122             hpd = extract64(tcr, 41, 1);
11123             e0pd = extract64(tcr, 55, 1);
11124         } else {
11125             tsz = extract32(tcr, 16, 6);
11126             gran = tg1_to_gran_size(extract32(tcr, 30, 2));
11127             epd = extract32(tcr, 23, 1);
11128             sh = extract32(tcr, 28, 2);
11129             hpd = extract64(tcr, 42, 1);
11130             e0pd = extract64(tcr, 56, 1);
11131         }
11132         ps = extract64(tcr, 32, 3);
11133         ha = extract64(tcr, 39, 1) && cpu_isar_feature(aa64_hafs, cpu);
11134         hd = extract64(tcr, 40, 1) && cpu_isar_feature(aa64_hdbs, cpu);
11135         ds = extract64(tcr, 59, 1);
11136 
11137         if (e0pd && cpu_isar_feature(aa64_e0pd, cpu) &&
11138             regime_is_user(env, mmu_idx)) {
11139             epd = true;
11140         }
11141     }
11142 
11143     gran = sanitize_gran_size(cpu, gran, stage2);
11144 
11145     if (cpu_isar_feature(aa64_st, cpu)) {
11146         max_tsz = 48 - (gran == Gran64K);
11147     } else {
11148         max_tsz = 39;
11149     }
11150 
11151     /*
11152      * DS is RES0 unless FEAT_LPA2 is supported for the given page size;
11153      * adjust the effective value of DS, as documented.
11154      */
11155     min_tsz = 16;
11156     if (gran == Gran64K) {
11157         if (cpu_isar_feature(aa64_lva, cpu)) {
11158             min_tsz = 12;
11159         }
11160         ds = false;
11161     } else if (ds) {
11162         if (regime_is_stage2(mmu_idx)) {
11163             if (gran == Gran16K) {
11164                 ds = cpu_isar_feature(aa64_tgran16_2_lpa2, cpu);
11165             } else {
11166                 ds = cpu_isar_feature(aa64_tgran4_2_lpa2, cpu);
11167             }
11168         } else {
11169             if (gran == Gran16K) {
11170                 ds = cpu_isar_feature(aa64_tgran16_lpa2, cpu);
11171             } else {
11172                 ds = cpu_isar_feature(aa64_tgran4_lpa2, cpu);
11173             }
11174         }
11175         if (ds) {
11176             min_tsz = 12;
11177         }
11178     }
11179 
11180     if (stage2 && el1_is_aa32) {
11181         /*
11182          * For AArch32 EL1 the min txsz (and thus max IPA size) requirements
11183          * are loosened: a configured IPA of 40 bits is permitted even if
11184          * the implemented PA is less than that (and so a 40 bit IPA would
11185          * fault for an AArch64 EL1). See R_DTLMN.
11186          */
11187         min_tsz = MIN(min_tsz, 24);
11188     }
11189 
11190     if (tsz > max_tsz) {
11191         tsz = max_tsz;
11192         tsz_oob = true;
11193     } else if (tsz < min_tsz) {
11194         tsz = min_tsz;
11195         tsz_oob = true;
11196     } else {
11197         tsz_oob = false;
11198     }
11199 
11200     /* Present TBI as a composite with TBID.  */
11201     tbi = aa64_va_parameter_tbi(tcr, mmu_idx);
11202     if (!data) {
11203         tbi &= ~aa64_va_parameter_tbid(tcr, mmu_idx);
11204     }
11205     tbi = (tbi >> select) & 1;
11206 
11207     return (ARMVAParameters) {
11208         .tsz = tsz,
11209         .ps = ps,
11210         .sh = sh,
11211         .select = select,
11212         .tbi = tbi,
11213         .epd = epd,
11214         .hpd = hpd,
11215         .tsz_oob = tsz_oob,
11216         .ds = ds,
11217         .ha = ha,
11218         .hd = ha && hd,
11219         .gran = gran,
11220     };
11221 }
11222 
11223 
11224 /*
11225  * Return the exception level to which FP-disabled exceptions should
11226  * be taken, or 0 if FP is enabled.
11227  */
11228 int fp_exception_el(CPUARMState *env, int cur_el)
11229 {
11230 #ifndef CONFIG_USER_ONLY
11231     uint64_t hcr_el2;
11232 
11233     /*
11234      * CPACR and the CPTR registers don't exist before v6, so FP is
11235      * always accessible
11236      */
11237     if (!arm_feature(env, ARM_FEATURE_V6)) {
11238         return 0;
11239     }
11240 
11241     if (arm_feature(env, ARM_FEATURE_M)) {
11242         /* CPACR can cause a NOCP UsageFault taken to current security state */
11243         if (!v7m_cpacr_pass(env, env->v7m.secure, cur_el != 0)) {
11244             return 1;
11245         }
11246 
11247         if (arm_feature(env, ARM_FEATURE_M_SECURITY) && !env->v7m.secure) {
11248             if (!extract32(env->v7m.nsacr, 10, 1)) {
11249                 /* FP insns cause a NOCP UsageFault taken to Secure */
11250                 return 3;
11251             }
11252         }
11253 
11254         return 0;
11255     }
11256 
11257     hcr_el2 = arm_hcr_el2_eff(env);
11258 
11259     /*
11260      * The CPACR controls traps to EL1, or PL1 if we're 32 bit:
11261      * 0, 2 : trap EL0 and EL1/PL1 accesses
11262      * 1    : trap only EL0 accesses
11263      * 3    : trap no accesses
11264      * This register is ignored if E2H+TGE are both set.
11265      */
11266     if ((hcr_el2 & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
11267         int fpen = FIELD_EX64(env->cp15.cpacr_el1, CPACR_EL1, FPEN);
11268 
11269         switch (fpen) {
11270         case 1:
11271             if (cur_el != 0) {
11272                 break;
11273             }
11274             /* fall through */
11275         case 0:
11276         case 2:
11277             /* Trap from Secure PL0 or PL1 to Secure PL1. */
11278             if (!arm_el_is_aa64(env, 3)
11279                 && (cur_el == 3 || arm_is_secure_below_el3(env))) {
11280                 return 3;
11281             }
11282             if (cur_el <= 1) {
11283                 return 1;
11284             }
11285             break;
11286         }
11287     }
11288 
11289     /*
11290      * The NSACR allows A-profile AArch32 EL3 and M-profile secure mode
11291      * to control non-secure access to the FPU. It doesn't have any
11292      * effect if EL3 is AArch64 or if EL3 doesn't exist at all.
11293      */
11294     if ((arm_feature(env, ARM_FEATURE_EL3) && !arm_el_is_aa64(env, 3) &&
11295          cur_el <= 2 && !arm_is_secure_below_el3(env))) {
11296         if (!extract32(env->cp15.nsacr, 10, 1)) {
11297             /* FP insns act as UNDEF */
11298             return cur_el == 2 ? 2 : 1;
11299         }
11300     }
11301 
11302     /*
11303      * CPTR_EL2 is present in v7VE or v8, and changes format
11304      * with HCR_EL2.E2H (regardless of TGE).
11305      */
11306     if (cur_el <= 2) {
11307         if (hcr_el2 & HCR_E2H) {
11308             switch (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, FPEN)) {
11309             case 1:
11310                 if (cur_el != 0 || !(hcr_el2 & HCR_TGE)) {
11311                     break;
11312                 }
11313                 /* fall through */
11314             case 0:
11315             case 2:
11316                 return 2;
11317             }
11318         } else if (arm_is_el2_enabled(env)) {
11319             if (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, TFP)) {
11320                 return 2;
11321             }
11322         }
11323     }
11324 
11325     /* CPTR_EL3 : present in v8 */
11326     if (FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, TFP)) {
11327         /* Trap all FP ops to EL3 */
11328         return 3;
11329     }
11330 #endif
11331     return 0;
11332 }
11333 
11334 /* Return the exception level we're running at if this is our mmu_idx */
11335 int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx)
11336 {
11337     if (mmu_idx & ARM_MMU_IDX_M) {
11338         return mmu_idx & ARM_MMU_IDX_M_PRIV;
11339     }
11340 
11341     switch (mmu_idx) {
11342     case ARMMMUIdx_E10_0:
11343     case ARMMMUIdx_E20_0:
11344     case ARMMMUIdx_E30_0:
11345         return 0;
11346     case ARMMMUIdx_E10_1:
11347     case ARMMMUIdx_E10_1_PAN:
11348         return 1;
11349     case ARMMMUIdx_E2:
11350     case ARMMMUIdx_E20_2:
11351     case ARMMMUIdx_E20_2_PAN:
11352         return 2;
11353     case ARMMMUIdx_E3:
11354     case ARMMMUIdx_E30_3_PAN:
11355         return 3;
11356     default:
11357         g_assert_not_reached();
11358     }
11359 }
11360 
11361 #ifndef CONFIG_TCG
11362 ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate)
11363 {
11364     g_assert_not_reached();
11365 }
11366 #endif
11367 
11368 ARMMMUIdx arm_mmu_idx_el(CPUARMState *env, int el)
11369 {
11370     ARMMMUIdx idx;
11371     uint64_t hcr;
11372 
11373     if (arm_feature(env, ARM_FEATURE_M)) {
11374         return arm_v7m_mmu_idx_for_secstate(env, env->v7m.secure);
11375     }
11376 
11377     /* See ARM pseudo-function ELIsInHost.  */
11378     switch (el) {
11379     case 0:
11380         hcr = arm_hcr_el2_eff(env);
11381         if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) {
11382             idx = ARMMMUIdx_E20_0;
11383         } else if (arm_is_secure_below_el3(env) &&
11384                    !arm_el_is_aa64(env, 3)) {
11385             idx = ARMMMUIdx_E30_0;
11386         } else {
11387             idx = ARMMMUIdx_E10_0;
11388         }
11389         break;
11390     case 1:
11391         if (arm_pan_enabled(env)) {
11392             idx = ARMMMUIdx_E10_1_PAN;
11393         } else {
11394             idx = ARMMMUIdx_E10_1;
11395         }
11396         break;
11397     case 2:
11398         /* Note that TGE does not apply at EL2.  */
11399         if (arm_hcr_el2_eff(env) & HCR_E2H) {
11400             if (arm_pan_enabled(env)) {
11401                 idx = ARMMMUIdx_E20_2_PAN;
11402             } else {
11403                 idx = ARMMMUIdx_E20_2;
11404             }
11405         } else {
11406             idx = ARMMMUIdx_E2;
11407         }
11408         break;
11409     case 3:
11410         if (!arm_el_is_aa64(env, 3) && arm_pan_enabled(env)) {
11411             return ARMMMUIdx_E30_3_PAN;
11412         }
11413         return ARMMMUIdx_E3;
11414     default:
11415         g_assert_not_reached();
11416     }
11417 
11418     return idx;
11419 }
11420 
11421 ARMMMUIdx arm_mmu_idx(CPUARMState *env)
11422 {
11423     return arm_mmu_idx_el(env, arm_current_el(env));
11424 }
11425 
11426 #ifdef TARGET_AARCH64
11427 /*
11428  * The manual says that when SVE is enabled and VQ is widened the
11429  * implementation is allowed to zero the previously inaccessible
11430  * portion of the registers.  The corollary to that is that when
11431  * SVE is enabled and VQ is narrowed we are also allowed to zero
11432  * the now inaccessible portion of the registers.
11433  *
11434  * The intent of this is that no predicate bit beyond VQ is ever set.
11435  * Which means that some operations on predicate registers themselves
11436  * may operate on full uint64_t or even unrolled across the maximum
11437  * uint64_t[4].  Performing 4 bits of host arithmetic unconditionally
11438  * may well be cheaper than conditionals to restrict the operation
11439  * to the relevant portion of a uint16_t[16].
11440  */
11441 void aarch64_sve_narrow_vq(CPUARMState *env, unsigned vq)
11442 {
11443     int i, j;
11444     uint64_t pmask;
11445 
11446     assert(vq >= 1 && vq <= ARM_MAX_VQ);
11447     assert(vq <= env_archcpu(env)->sve_max_vq);
11448 
11449     /* Zap the high bits of the zregs.  */
11450     for (i = 0; i < 32; i++) {
11451         memset(&env->vfp.zregs[i].d[2 * vq], 0, 16 * (ARM_MAX_VQ - vq));
11452     }
11453 
11454     /* Zap the high bits of the pregs and ffr.  */
11455     pmask = 0;
11456     if (vq & 3) {
11457         pmask = ~(-1ULL << (16 * (vq & 3)));
11458     }
11459     for (j = vq / 4; j < ARM_MAX_VQ / 4; j++) {
11460         for (i = 0; i < 17; ++i) {
11461             env->vfp.pregs[i].p[j] &= pmask;
11462         }
11463         pmask = 0;
11464     }
11465 }
11466 
11467 static uint32_t sve_vqm1_for_el_sm_ena(CPUARMState *env, int el, bool sm)
11468 {
11469     int exc_el;
11470 
11471     if (sm) {
11472         exc_el = sme_exception_el(env, el);
11473     } else {
11474         exc_el = sve_exception_el(env, el);
11475     }
11476     if (exc_el) {
11477         return 0; /* disabled */
11478     }
11479     return sve_vqm1_for_el_sm(env, el, sm);
11480 }
11481 
11482 /*
11483  * Notice a change in SVE vector size when changing EL.
11484  */
11485 void aarch64_sve_change_el(CPUARMState *env, int old_el,
11486                            int new_el, bool el0_a64)
11487 {
11488     ARMCPU *cpu = env_archcpu(env);
11489     int old_len, new_len;
11490     bool old_a64, new_a64, sm;
11491 
11492     /* Nothing to do if no SVE.  */
11493     if (!cpu_isar_feature(aa64_sve, cpu)) {
11494         return;
11495     }
11496 
11497     /* Nothing to do if FP is disabled in either EL.  */
11498     if (fp_exception_el(env, old_el) || fp_exception_el(env, new_el)) {
11499         return;
11500     }
11501 
11502     old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
11503     new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64;
11504 
11505     /*
11506      * Both AArch64.TakeException and AArch64.ExceptionReturn
11507      * invoke ResetSVEState when taking an exception from, or
11508      * returning to, AArch32 state when PSTATE.SM is enabled.
11509      */
11510     sm = FIELD_EX64(env->svcr, SVCR, SM);
11511     if (old_a64 != new_a64 && sm) {
11512         arm_reset_sve_state(env);
11513         return;
11514     }
11515 
11516     /*
11517      * DDI0584A.d sec 3.2: "If SVE instructions are disabled or trapped
11518      * at ELx, or not available because the EL is in AArch32 state, then
11519      * for all purposes other than a direct read, the ZCR_ELx.LEN field
11520      * has an effective value of 0".
11521      *
11522      * Consider EL2 (aa64, vq=4) -> EL0 (aa32) -> EL1 (aa64, vq=0).
11523      * If we ignore aa32 state, we would fail to see the vq4->vq0 transition
11524      * from EL2->EL1.  Thus we go ahead and narrow when entering aa32 so that
11525      * we already have the correct register contents when encountering the
11526      * vq0->vq0 transition between EL0->EL1.
11527      */
11528     old_len = new_len = 0;
11529     if (old_a64) {
11530         old_len = sve_vqm1_for_el_sm_ena(env, old_el, sm);
11531     }
11532     if (new_a64) {
11533         new_len = sve_vqm1_for_el_sm_ena(env, new_el, sm);
11534     }
11535 
11536     /* When changing vector length, clear inaccessible state.  */
11537     if (new_len < old_len) {
11538 #ifdef TARGET_AARCH64
11539         aarch64_sve_narrow_vq(env, new_len + 1);
11540 #endif
11541     }
11542 }
11543 #endif
11544 
11545 #ifndef CONFIG_USER_ONLY
11546 ARMSecuritySpace arm_security_space(CPUARMState *env)
11547 {
11548     if (arm_feature(env, ARM_FEATURE_M)) {
11549         return arm_secure_to_space(env->v7m.secure);
11550     }
11551 
11552     /*
11553      * If EL3 is not supported then the secure state is implementation
11554      * defined, in which case QEMU defaults to non-secure.
11555      */
11556     if (!arm_feature(env, ARM_FEATURE_EL3)) {
11557         return ARMSS_NonSecure;
11558     }
11559 
11560     /* Check for AArch64 EL3 or AArch32 Mon. */
11561     if (is_a64(env)) {
11562         if (extract32(env->pstate, 2, 2) == 3) {
11563             if (cpu_isar_feature(aa64_rme, env_archcpu(env))) {
11564                 return ARMSS_Root;
11565             } else {
11566                 return ARMSS_Secure;
11567             }
11568         }
11569     } else {
11570         if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_MON) {
11571             return ARMSS_Secure;
11572         }
11573     }
11574 
11575     return arm_security_space_below_el3(env);
11576 }
11577 
11578 ARMSecuritySpace arm_security_space_below_el3(CPUARMState *env)
11579 {
11580     assert(!arm_feature(env, ARM_FEATURE_M));
11581 
11582     /*
11583      * If EL3 is not supported then the secure state is implementation
11584      * defined, in which case QEMU defaults to non-secure.
11585      */
11586     if (!arm_feature(env, ARM_FEATURE_EL3)) {
11587         return ARMSS_NonSecure;
11588     }
11589 
11590     /*
11591      * Note NSE cannot be set without RME, and NSE & !NS is Reserved.
11592      * Ignoring NSE when !NS retains consistency without having to
11593      * modify other predicates.
11594      */
11595     if (!(env->cp15.scr_el3 & SCR_NS)) {
11596         return ARMSS_Secure;
11597     } else if (env->cp15.scr_el3 & SCR_NSE) {
11598         return ARMSS_Realm;
11599     } else {
11600         return ARMSS_NonSecure;
11601     }
11602 }
11603 #endif /* !CONFIG_USER_ONLY */
11604