xref: /openbmc/qemu/target/ppc/mmu-hash64.c (revision 6832189f)
1 /*
2  *  PowerPC MMU, TLB, SLB and BAT emulation helpers for QEMU.
3  *
4  *  Copyright (c) 2003-2007 Jocelyn Mayer
5  *  Copyright (c) 2013 David Gibson, IBM Corporation
6  *
7  * This library is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * This library is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19  */
20 #include "qemu/osdep.h"
21 #include "qemu/units.h"
22 #include "cpu.h"
23 #include "exec/exec-all.h"
24 #include "qemu/error-report.h"
25 #include "qemu/qemu-print.h"
26 #include "sysemu/hw_accel.h"
27 #include "kvm_ppc.h"
28 #include "mmu-hash64.h"
29 #include "exec/log.h"
30 #include "hw/hw.h"
31 #include "internal.h"
32 #include "mmu-book3s-v3.h"
33 #include "helper_regs.h"
34 
35 #ifdef CONFIG_TCG
36 #include "exec/helper-proto.h"
37 #endif
38 
39 /* #define DEBUG_SLB */
40 
41 #ifdef DEBUG_SLB
42 #  define LOG_SLB(...) qemu_log_mask(CPU_LOG_MMU, __VA_ARGS__)
43 #else
44 #  define LOG_SLB(...) do { } while (0)
45 #endif
46 
47 /*
48  * SLB handling
49  */
50 
51 static ppc_slb_t *slb_lookup(PowerPCCPU *cpu, target_ulong eaddr)
52 {
53     CPUPPCState *env = &cpu->env;
54     uint64_t esid_256M, esid_1T;
55     int n;
56 
57     LOG_SLB("%s: eaddr " TARGET_FMT_lx "\n", __func__, eaddr);
58 
59     esid_256M = (eaddr & SEGMENT_MASK_256M) | SLB_ESID_V;
60     esid_1T = (eaddr & SEGMENT_MASK_1T) | SLB_ESID_V;
61 
62     for (n = 0; n < cpu->hash64_opts->slb_size; n++) {
63         ppc_slb_t *slb = &env->slb[n];
64 
65         LOG_SLB("%s: slot %d %016" PRIx64 " %016"
66                     PRIx64 "\n", __func__, n, slb->esid, slb->vsid);
67         /*
68          * We check for 1T matches on all MMUs here - if the MMU
69          * doesn't have 1T segment support, we will have prevented 1T
70          * entries from being inserted in the slbmte code.
71          */
72         if (((slb->esid == esid_256M) &&
73              ((slb->vsid & SLB_VSID_B) == SLB_VSID_B_256M))
74             || ((slb->esid == esid_1T) &&
75                 ((slb->vsid & SLB_VSID_B) == SLB_VSID_B_1T))) {
76             return slb;
77         }
78     }
79 
80     return NULL;
81 }
82 
83 void dump_slb(PowerPCCPU *cpu)
84 {
85     CPUPPCState *env = &cpu->env;
86     int i;
87     uint64_t slbe, slbv;
88 
89     cpu_synchronize_state(CPU(cpu));
90 
91     qemu_printf("SLB\tESID\t\t\tVSID\n");
92     for (i = 0; i < cpu->hash64_opts->slb_size; i++) {
93         slbe = env->slb[i].esid;
94         slbv = env->slb[i].vsid;
95         if (slbe == 0 && slbv == 0) {
96             continue;
97         }
98         qemu_printf("%d\t0x%016" PRIx64 "\t0x%016" PRIx64 "\n",
99                     i, slbe, slbv);
100     }
101 }
102 
103 #ifdef CONFIG_TCG
104 void helper_SLBIA(CPUPPCState *env, uint32_t ih)
105 {
106     PowerPCCPU *cpu = env_archcpu(env);
107     int starting_entry;
108     int n;
109 
110     /*
111      * slbia must always flush all TLB (which is equivalent to ERAT in ppc
112      * architecture). Matching on SLB_ESID_V is not good enough, because slbmte
113      * can overwrite a valid SLB without flushing its lookaside information.
114      *
115      * It would be possible to keep the TLB in synch with the SLB by flushing
116      * when a valid entry is overwritten by slbmte, and therefore slbia would
117      * not have to flush unless it evicts a valid SLB entry. However it is
118      * expected that slbmte is more common than slbia, and slbia is usually
119      * going to evict valid SLB entries, so that tradeoff is unlikely to be a
120      * good one.
121      *
122      * ISA v2.05 introduced IH field with values 0,1,2,6. These all invalidate
123      * the same SLB entries (everything but entry 0), but differ in what
124      * "lookaside information" is invalidated. TCG can ignore this and flush
125      * everything.
126      *
127      * ISA v3.0 introduced additional values 3,4,7, which change what SLBs are
128      * invalidated.
129      */
130 
131     env->tlb_need_flush |= TLB_NEED_LOCAL_FLUSH;
132 
133     starting_entry = 1; /* default for IH=0,1,2,6 */
134 
135     if (env->mmu_model == POWERPC_MMU_3_00) {
136         switch (ih) {
137         case 0x7:
138             /* invalidate no SLBs, but all lookaside information */
139             return;
140 
141         case 0x3:
142         case 0x4:
143             /* also considers SLB entry 0 */
144             starting_entry = 0;
145             break;
146 
147         case 0x5:
148             /* treat undefined values as ih==0, and warn */
149             qemu_log_mask(LOG_GUEST_ERROR,
150                           "slbia undefined IH field %u.\n", ih);
151             break;
152 
153         default:
154             /* 0,1,2,6 */
155             break;
156         }
157     }
158 
159     for (n = starting_entry; n < cpu->hash64_opts->slb_size; n++) {
160         ppc_slb_t *slb = &env->slb[n];
161 
162         if (!(slb->esid & SLB_ESID_V)) {
163             continue;
164         }
165         if (env->mmu_model == POWERPC_MMU_3_00) {
166             if (ih == 0x3 && (slb->vsid & SLB_VSID_C) == 0) {
167                 /* preserves entries with a class value of 0 */
168                 continue;
169             }
170         }
171 
172         slb->esid &= ~SLB_ESID_V;
173     }
174 }
175 
176 #if defined(TARGET_PPC64)
177 void helper_SLBIAG(CPUPPCState *env, target_ulong rs, uint32_t l)
178 {
179     PowerPCCPU *cpu = env_archcpu(env);
180     int n;
181 
182     /*
183      * slbiag must always flush all TLB (which is equivalent to ERAT in ppc
184      * architecture). Matching on SLB_ESID_V is not good enough, because slbmte
185      * can overwrite a valid SLB without flushing its lookaside information.
186      *
187      * It would be possible to keep the TLB in synch with the SLB by flushing
188      * when a valid entry is overwritten by slbmte, and therefore slbiag would
189      * not have to flush unless it evicts a valid SLB entry. However it is
190      * expected that slbmte is more common than slbiag, and slbiag is usually
191      * going to evict valid SLB entries, so that tradeoff is unlikely to be a
192      * good one.
193      */
194     env->tlb_need_flush |= TLB_NEED_LOCAL_FLUSH;
195 
196     for (n = 0; n < cpu->hash64_opts->slb_size; n++) {
197         ppc_slb_t *slb = &env->slb[n];
198         slb->esid &= ~SLB_ESID_V;
199     }
200 }
201 #endif
202 
203 static void __helper_slbie(CPUPPCState *env, target_ulong addr,
204                            target_ulong global)
205 {
206     PowerPCCPU *cpu = env_archcpu(env);
207     ppc_slb_t *slb;
208 
209     slb = slb_lookup(cpu, addr);
210     if (!slb) {
211         return;
212     }
213 
214     if (slb->esid & SLB_ESID_V) {
215         slb->esid &= ~SLB_ESID_V;
216 
217         /*
218          * XXX: given the fact that segment size is 256 MB or 1TB,
219          *      and we still don't have a tlb_flush_mask(env, n, mask)
220          *      in QEMU, we just invalidate all TLBs
221          */
222         env->tlb_need_flush |=
223             (global == false ? TLB_NEED_LOCAL_FLUSH : TLB_NEED_GLOBAL_FLUSH);
224     }
225 }
226 
227 void helper_SLBIE(CPUPPCState *env, target_ulong addr)
228 {
229     __helper_slbie(env, addr, false);
230 }
231 
232 void helper_SLBIEG(CPUPPCState *env, target_ulong addr)
233 {
234     __helper_slbie(env, addr, true);
235 }
236 #endif
237 
238 int ppc_store_slb(PowerPCCPU *cpu, target_ulong slot,
239                   target_ulong esid, target_ulong vsid)
240 {
241     CPUPPCState *env = &cpu->env;
242     ppc_slb_t *slb = &env->slb[slot];
243     const PPCHash64SegmentPageSizes *sps = NULL;
244     int i;
245 
246     if (slot >= cpu->hash64_opts->slb_size) {
247         return -1; /* Bad slot number */
248     }
249     if (esid & ~(SLB_ESID_ESID | SLB_ESID_V)) {
250         return -1; /* Reserved bits set */
251     }
252     if (vsid & (SLB_VSID_B & ~SLB_VSID_B_1T)) {
253         return -1; /* Bad segment size */
254     }
255     if ((vsid & SLB_VSID_B) && !(ppc_hash64_has(cpu, PPC_HASH64_1TSEG))) {
256         return -1; /* 1T segment on MMU that doesn't support it */
257     }
258 
259     for (i = 0; i < PPC_PAGE_SIZES_MAX_SZ; i++) {
260         const PPCHash64SegmentPageSizes *sps1 = &cpu->hash64_opts->sps[i];
261 
262         if (!sps1->page_shift) {
263             break;
264         }
265 
266         if ((vsid & SLB_VSID_LLP_MASK) == sps1->slb_enc) {
267             sps = sps1;
268             break;
269         }
270     }
271 
272     if (!sps) {
273         error_report("Bad page size encoding in SLB store: slot "TARGET_FMT_lu
274                      " esid 0x"TARGET_FMT_lx" vsid 0x"TARGET_FMT_lx,
275                      slot, esid, vsid);
276         return -1;
277     }
278 
279     slb->esid = esid;
280     slb->vsid = vsid;
281     slb->sps = sps;
282 
283     LOG_SLB("%s: " TARGET_FMT_lu " " TARGET_FMT_lx " - " TARGET_FMT_lx
284             " => %016" PRIx64 " %016" PRIx64 "\n", __func__, slot, esid, vsid,
285             slb->esid, slb->vsid);
286 
287     return 0;
288 }
289 
290 #ifdef CONFIG_TCG
291 static int ppc_load_slb_esid(PowerPCCPU *cpu, target_ulong rb,
292                              target_ulong *rt)
293 {
294     CPUPPCState *env = &cpu->env;
295     int slot = rb & 0xfff;
296     ppc_slb_t *slb = &env->slb[slot];
297 
298     if (slot >= cpu->hash64_opts->slb_size) {
299         return -1;
300     }
301 
302     *rt = slb->esid;
303     return 0;
304 }
305 
306 static int ppc_load_slb_vsid(PowerPCCPU *cpu, target_ulong rb,
307                              target_ulong *rt)
308 {
309     CPUPPCState *env = &cpu->env;
310     int slot = rb & 0xfff;
311     ppc_slb_t *slb = &env->slb[slot];
312 
313     if (slot >= cpu->hash64_opts->slb_size) {
314         return -1;
315     }
316 
317     *rt = slb->vsid;
318     return 0;
319 }
320 
321 static int ppc_find_slb_vsid(PowerPCCPU *cpu, target_ulong rb,
322                              target_ulong *rt)
323 {
324     CPUPPCState *env = &cpu->env;
325     ppc_slb_t *slb;
326 
327     if (!msr_is_64bit(env, env->msr)) {
328         rb &= 0xffffffff;
329     }
330     slb = slb_lookup(cpu, rb);
331     if (slb == NULL) {
332         *rt = (target_ulong)-1ul;
333     } else {
334         *rt = slb->vsid;
335     }
336     return 0;
337 }
338 
339 void helper_SLBMTE(CPUPPCState *env, target_ulong rb, target_ulong rs)
340 {
341     PowerPCCPU *cpu = env_archcpu(env);
342 
343     if (ppc_store_slb(cpu, rb & 0xfff, rb & ~0xfffULL, rs) < 0) {
344         raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM,
345                                POWERPC_EXCP_INVAL, GETPC());
346     }
347 }
348 
349 target_ulong helper_SLBMFEE(CPUPPCState *env, target_ulong rb)
350 {
351     PowerPCCPU *cpu = env_archcpu(env);
352     target_ulong rt = 0;
353 
354     if (ppc_load_slb_esid(cpu, rb, &rt) < 0) {
355         raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM,
356                                POWERPC_EXCP_INVAL, GETPC());
357     }
358     return rt;
359 }
360 
361 target_ulong helper_SLBFEE(CPUPPCState *env, target_ulong rb)
362 {
363     PowerPCCPU *cpu = env_archcpu(env);
364     target_ulong rt = 0;
365 
366     if (ppc_find_slb_vsid(cpu, rb, &rt) < 0) {
367         raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM,
368                                POWERPC_EXCP_INVAL, GETPC());
369     }
370     return rt;
371 }
372 
373 target_ulong helper_SLBMFEV(CPUPPCState *env, target_ulong rb)
374 {
375     PowerPCCPU *cpu = env_archcpu(env);
376     target_ulong rt = 0;
377 
378     if (ppc_load_slb_vsid(cpu, rb, &rt) < 0) {
379         raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM,
380                                POWERPC_EXCP_INVAL, GETPC());
381     }
382     return rt;
383 }
384 #endif
385 
386 /* Check No-Execute or Guarded Storage */
387 static inline int ppc_hash64_pte_noexec_guard(PowerPCCPU *cpu,
388                                               ppc_hash_pte64_t pte)
389 {
390     /* Exec permissions CANNOT take away read or write permissions */
391     return (pte.pte1 & HPTE64_R_N) || (pte.pte1 & HPTE64_R_G) ?
392             PAGE_READ | PAGE_WRITE : PAGE_READ | PAGE_WRITE | PAGE_EXEC;
393 }
394 
395 /* Check Basic Storage Protection */
396 static int ppc_hash64_pte_prot(int mmu_idx,
397                                ppc_slb_t *slb, ppc_hash_pte64_t pte)
398 {
399     unsigned pp, key;
400     /*
401      * Some pp bit combinations have undefined behaviour, so default
402      * to no access in those cases
403      */
404     int prot = 0;
405 
406     key = !!(mmuidx_pr(mmu_idx) ? (slb->vsid & SLB_VSID_KP)
407              : (slb->vsid & SLB_VSID_KS));
408     pp = (pte.pte1 & HPTE64_R_PP) | ((pte.pte1 & HPTE64_R_PP0) >> 61);
409 
410     if (key == 0) {
411         switch (pp) {
412         case 0x0:
413         case 0x1:
414         case 0x2:
415             prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
416             break;
417 
418         case 0x3:
419         case 0x6:
420             prot = PAGE_READ | PAGE_EXEC;
421             break;
422         }
423     } else {
424         switch (pp) {
425         case 0x0:
426         case 0x6:
427             break;
428 
429         case 0x1:
430         case 0x3:
431             prot = PAGE_READ | PAGE_EXEC;
432             break;
433 
434         case 0x2:
435             prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
436             break;
437         }
438     }
439 
440     return prot;
441 }
442 
443 /* Check the instruction access permissions specified in the IAMR */
444 static int ppc_hash64_iamr_prot(PowerPCCPU *cpu, int key)
445 {
446     CPUPPCState *env = &cpu->env;
447     int iamr_bits = (env->spr[SPR_IAMR] >> 2 * (31 - key)) & 0x3;
448 
449     /*
450      * An instruction fetch is permitted if the IAMR bit is 0.
451      * If the bit is set, return PAGE_READ | PAGE_WRITE because this bit
452      * can only take away EXEC permissions not READ or WRITE permissions.
453      * If bit is cleared return PAGE_READ | PAGE_WRITE | PAGE_EXEC since
454      * EXEC permissions are allowed.
455      */
456     return (iamr_bits & 0x1) ? PAGE_READ | PAGE_WRITE :
457                                PAGE_READ | PAGE_WRITE | PAGE_EXEC;
458 }
459 
460 static int ppc_hash64_amr_prot(PowerPCCPU *cpu, ppc_hash_pte64_t pte)
461 {
462     CPUPPCState *env = &cpu->env;
463     int key, amrbits;
464     int prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
465 
466     /* Only recent MMUs implement Virtual Page Class Key Protection */
467     if (!ppc_hash64_has(cpu, PPC_HASH64_AMR)) {
468         return prot;
469     }
470 
471     key = HPTE64_R_KEY(pte.pte1);
472     amrbits = (env->spr[SPR_AMR] >> 2 * (31 - key)) & 0x3;
473 
474     /* fprintf(stderr, "AMR protection: key=%d AMR=0x%" PRIx64 "\n", key, */
475     /*         env->spr[SPR_AMR]); */
476 
477     /*
478      * A store is permitted if the AMR bit is 0. Remove write
479      * protection if it is set.
480      */
481     if (amrbits & 0x2) {
482         prot &= ~PAGE_WRITE;
483     }
484     /*
485      * A load is permitted if the AMR bit is 0. Remove read
486      * protection if it is set.
487      */
488     if (amrbits & 0x1) {
489         prot &= ~PAGE_READ;
490     }
491 
492     switch (env->mmu_model) {
493     /*
494      * MMU version 2.07 and later support IAMR
495      * Check if the IAMR allows the instruction access - it will return
496      * PAGE_EXEC if it doesn't (and thus that bit will be cleared) or 0
497      * if it does (and prot will be unchanged indicating execution support).
498      */
499     case POWERPC_MMU_2_07:
500     case POWERPC_MMU_3_00:
501         prot &= ppc_hash64_iamr_prot(cpu, key);
502         break;
503     default:
504         break;
505     }
506 
507     return prot;
508 }
509 
510 const ppc_hash_pte64_t *ppc_hash64_map_hptes(PowerPCCPU *cpu,
511                                              hwaddr ptex, int n)
512 {
513     hwaddr pte_offset = ptex * HASH_PTE_SIZE_64;
514     hwaddr base;
515     hwaddr plen = n * HASH_PTE_SIZE_64;
516     const ppc_hash_pte64_t *hptes;
517 
518     if (cpu->vhyp) {
519         PPCVirtualHypervisorClass *vhc =
520             PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp);
521         return vhc->map_hptes(cpu->vhyp, ptex, n);
522     }
523     base = ppc_hash64_hpt_base(cpu);
524 
525     if (!base) {
526         return NULL;
527     }
528 
529     hptes = address_space_map(CPU(cpu)->as, base + pte_offset, &plen, false,
530                               MEMTXATTRS_UNSPECIFIED);
531     if (plen < (n * HASH_PTE_SIZE_64)) {
532         hw_error("%s: Unable to map all requested HPTEs\n", __func__);
533     }
534     return hptes;
535 }
536 
537 void ppc_hash64_unmap_hptes(PowerPCCPU *cpu, const ppc_hash_pte64_t *hptes,
538                             hwaddr ptex, int n)
539 {
540     if (cpu->vhyp) {
541         PPCVirtualHypervisorClass *vhc =
542             PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp);
543         vhc->unmap_hptes(cpu->vhyp, hptes, ptex, n);
544         return;
545     }
546 
547     address_space_unmap(CPU(cpu)->as, (void *)hptes, n * HASH_PTE_SIZE_64,
548                         false, n * HASH_PTE_SIZE_64);
549 }
550 
551 static unsigned hpte_page_shift(const PPCHash64SegmentPageSizes *sps,
552                                 uint64_t pte0, uint64_t pte1)
553 {
554     int i;
555 
556     if (!(pte0 & HPTE64_V_LARGE)) {
557         if (sps->page_shift != 12) {
558             /* 4kiB page in a non 4kiB segment */
559             return 0;
560         }
561         /* Normal 4kiB page */
562         return 12;
563     }
564 
565     for (i = 0; i < PPC_PAGE_SIZES_MAX_SZ; i++) {
566         const PPCHash64PageSize *ps = &sps->enc[i];
567         uint64_t mask;
568 
569         if (!ps->page_shift) {
570             break;
571         }
572 
573         if (ps->page_shift == 12) {
574             /* L bit is set so this can't be a 4kiB page */
575             continue;
576         }
577 
578         mask = ((1ULL << ps->page_shift) - 1) & HPTE64_R_RPN;
579 
580         if ((pte1 & mask) == ((uint64_t)ps->pte_enc << HPTE64_R_RPN_SHIFT)) {
581             return ps->page_shift;
582         }
583     }
584 
585     return 0; /* Bad page size encoding */
586 }
587 
588 static void ppc64_v3_new_to_old_hpte(target_ulong *pte0, target_ulong *pte1)
589 {
590     /* Insert B into pte0 */
591     *pte0 = (*pte0 & HPTE64_V_COMMON_BITS) |
592             ((*pte1 & HPTE64_R_3_0_SSIZE_MASK) <<
593              (HPTE64_V_SSIZE_SHIFT - HPTE64_R_3_0_SSIZE_SHIFT));
594 
595     /* Remove B from pte1 */
596     *pte1 = *pte1 & ~HPTE64_R_3_0_SSIZE_MASK;
597 }
598 
599 
600 static hwaddr ppc_hash64_pteg_search(PowerPCCPU *cpu, hwaddr hash,
601                                      const PPCHash64SegmentPageSizes *sps,
602                                      target_ulong ptem,
603                                      ppc_hash_pte64_t *pte, unsigned *pshift)
604 {
605     int i;
606     const ppc_hash_pte64_t *pteg;
607     target_ulong pte0, pte1;
608     target_ulong ptex;
609 
610     ptex = (hash & ppc_hash64_hpt_mask(cpu)) * HPTES_PER_GROUP;
611     pteg = ppc_hash64_map_hptes(cpu, ptex, HPTES_PER_GROUP);
612     if (!pteg) {
613         return -1;
614     }
615     for (i = 0; i < HPTES_PER_GROUP; i++) {
616         pte0 = ppc_hash64_hpte0(cpu, pteg, i);
617         /*
618          * pte0 contains the valid bit and must be read before pte1,
619          * otherwise we might see an old pte1 with a new valid bit and
620          * thus an inconsistent hpte value
621          */
622         smp_rmb();
623         pte1 = ppc_hash64_hpte1(cpu, pteg, i);
624 
625         /* Convert format if necessary */
626         if (cpu->env.mmu_model == POWERPC_MMU_3_00 && !cpu->vhyp) {
627             ppc64_v3_new_to_old_hpte(&pte0, &pte1);
628         }
629 
630         /* This compares V, B, H (secondary) and the AVPN */
631         if (HPTE64_V_COMPARE(pte0, ptem)) {
632             *pshift = hpte_page_shift(sps, pte0, pte1);
633             /*
634              * If there is no match, ignore the PTE, it could simply
635              * be for a different segment size encoding and the
636              * architecture specifies we should not match. Linux will
637              * potentially leave behind PTEs for the wrong base page
638              * size when demoting segments.
639              */
640             if (*pshift == 0) {
641                 continue;
642             }
643             /*
644              * We don't do anything with pshift yet as qemu TLB only
645              * deals with 4K pages anyway
646              */
647             pte->pte0 = pte0;
648             pte->pte1 = pte1;
649             ppc_hash64_unmap_hptes(cpu, pteg, ptex, HPTES_PER_GROUP);
650             return ptex + i;
651         }
652     }
653     ppc_hash64_unmap_hptes(cpu, pteg, ptex, HPTES_PER_GROUP);
654     /*
655      * We didn't find a valid entry.
656      */
657     return -1;
658 }
659 
660 static hwaddr ppc_hash64_htab_lookup(PowerPCCPU *cpu,
661                                      ppc_slb_t *slb, target_ulong eaddr,
662                                      ppc_hash_pte64_t *pte, unsigned *pshift)
663 {
664     CPUPPCState *env = &cpu->env;
665     hwaddr hash, ptex;
666     uint64_t vsid, epnmask, epn, ptem;
667     const PPCHash64SegmentPageSizes *sps = slb->sps;
668 
669     /*
670      * The SLB store path should prevent any bad page size encodings
671      * getting in there, so:
672      */
673     assert(sps);
674 
675     /* If ISL is set in LPCR we need to clamp the page size to 4K */
676     if (env->spr[SPR_LPCR] & LPCR_ISL) {
677         /* We assume that when using TCG, 4k is first entry of SPS */
678         sps = &cpu->hash64_opts->sps[0];
679         assert(sps->page_shift == 12);
680     }
681 
682     epnmask = ~((1ULL << sps->page_shift) - 1);
683 
684     if (slb->vsid & SLB_VSID_B) {
685         /* 1TB segment */
686         vsid = (slb->vsid & SLB_VSID_VSID) >> SLB_VSID_SHIFT_1T;
687         epn = (eaddr & ~SEGMENT_MASK_1T) & epnmask;
688         hash = vsid ^ (vsid << 25) ^ (epn >> sps->page_shift);
689     } else {
690         /* 256M segment */
691         vsid = (slb->vsid & SLB_VSID_VSID) >> SLB_VSID_SHIFT;
692         epn = (eaddr & ~SEGMENT_MASK_256M) & epnmask;
693         hash = vsid ^ (epn >> sps->page_shift);
694     }
695     ptem = (slb->vsid & SLB_VSID_PTEM) | ((epn >> 16) & HPTE64_V_AVPN);
696     ptem |= HPTE64_V_VALID;
697 
698     /* Page address translation */
699     qemu_log_mask(CPU_LOG_MMU,
700             "htab_base " HWADDR_FMT_plx " htab_mask " HWADDR_FMT_plx
701             " hash " HWADDR_FMT_plx "\n",
702             ppc_hash64_hpt_base(cpu), ppc_hash64_hpt_mask(cpu), hash);
703 
704     /* Primary PTEG lookup */
705     qemu_log_mask(CPU_LOG_MMU,
706             "0 htab=" HWADDR_FMT_plx "/" HWADDR_FMT_plx
707             " vsid=" TARGET_FMT_lx " ptem=" TARGET_FMT_lx
708             " hash=" HWADDR_FMT_plx "\n",
709             ppc_hash64_hpt_base(cpu), ppc_hash64_hpt_mask(cpu),
710             vsid, ptem,  hash);
711     ptex = ppc_hash64_pteg_search(cpu, hash, sps, ptem, pte, pshift);
712 
713     if (ptex == -1) {
714         /* Secondary PTEG lookup */
715         ptem |= HPTE64_V_SECONDARY;
716         qemu_log_mask(CPU_LOG_MMU,
717                 "1 htab=" HWADDR_FMT_plx "/" HWADDR_FMT_plx
718                 " vsid=" TARGET_FMT_lx " api=" TARGET_FMT_lx
719                 " hash=" HWADDR_FMT_plx "\n", ppc_hash64_hpt_base(cpu),
720                 ppc_hash64_hpt_mask(cpu), vsid, ptem, ~hash);
721 
722         ptex = ppc_hash64_pteg_search(cpu, ~hash, sps, ptem, pte, pshift);
723     }
724 
725     return ptex;
726 }
727 
728 unsigned ppc_hash64_hpte_page_shift_noslb(PowerPCCPU *cpu,
729                                           uint64_t pte0, uint64_t pte1)
730 {
731     int i;
732 
733     if (!(pte0 & HPTE64_V_LARGE)) {
734         return 12;
735     }
736 
737     /*
738      * The encodings in env->sps need to be carefully chosen so that
739      * this gives an unambiguous result.
740      */
741     for (i = 0; i < PPC_PAGE_SIZES_MAX_SZ; i++) {
742         const PPCHash64SegmentPageSizes *sps = &cpu->hash64_opts->sps[i];
743         unsigned shift;
744 
745         if (!sps->page_shift) {
746             break;
747         }
748 
749         shift = hpte_page_shift(sps, pte0, pte1);
750         if (shift) {
751             return shift;
752         }
753     }
754 
755     return 0;
756 }
757 
758 static bool ppc_hash64_use_vrma(CPUPPCState *env)
759 {
760     switch (env->mmu_model) {
761     case POWERPC_MMU_3_00:
762         /*
763          * ISAv3.0 (POWER9) always uses VRMA, the VPM0 field and RMOR
764          * register no longer exist
765          */
766         return true;
767 
768     default:
769         return !!(env->spr[SPR_LPCR] & LPCR_VPM0);
770     }
771 }
772 
773 static void ppc_hash64_set_isi(CPUState *cs, int mmu_idx, uint64_t error_code)
774 {
775     CPUPPCState *env = &POWERPC_CPU(cs)->env;
776     bool vpm;
777 
778     if (!mmuidx_real(mmu_idx)) {
779         vpm = !!(env->spr[SPR_LPCR] & LPCR_VPM1);
780     } else {
781         vpm = ppc_hash64_use_vrma(env);
782     }
783     if (vpm && !mmuidx_hv(mmu_idx)) {
784         cs->exception_index = POWERPC_EXCP_HISI;
785     } else {
786         cs->exception_index = POWERPC_EXCP_ISI;
787     }
788     env->error_code = error_code;
789 }
790 
791 static void ppc_hash64_set_dsi(CPUState *cs, int mmu_idx, uint64_t dar, uint64_t dsisr)
792 {
793     CPUPPCState *env = &POWERPC_CPU(cs)->env;
794     bool vpm;
795 
796     if (!mmuidx_real(mmu_idx)) {
797         vpm = !!(env->spr[SPR_LPCR] & LPCR_VPM1);
798     } else {
799         vpm = ppc_hash64_use_vrma(env);
800     }
801     if (vpm && !mmuidx_hv(mmu_idx)) {
802         cs->exception_index = POWERPC_EXCP_HDSI;
803         env->spr[SPR_HDAR] = dar;
804         env->spr[SPR_HDSISR] = dsisr;
805     } else {
806         cs->exception_index = POWERPC_EXCP_DSI;
807         env->spr[SPR_DAR] = dar;
808         env->spr[SPR_DSISR] = dsisr;
809    }
810     env->error_code = 0;
811 }
812 
813 
814 static void ppc_hash64_set_r(PowerPCCPU *cpu, hwaddr ptex, uint64_t pte1)
815 {
816     hwaddr base, offset = ptex * HASH_PTE_SIZE_64 + HPTE64_DW1_R;
817 
818     if (cpu->vhyp) {
819         PPCVirtualHypervisorClass *vhc =
820             PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp);
821         vhc->hpte_set_r(cpu->vhyp, ptex, pte1);
822         return;
823     }
824     base = ppc_hash64_hpt_base(cpu);
825 
826 
827     /* The HW performs a non-atomic byte update */
828     stb_phys(CPU(cpu)->as, base + offset, ((pte1 >> 8) & 0xff) | 0x01);
829 }
830 
831 static void ppc_hash64_set_c(PowerPCCPU *cpu, hwaddr ptex, uint64_t pte1)
832 {
833     hwaddr base, offset = ptex * HASH_PTE_SIZE_64 + HPTE64_DW1_C;
834 
835     if (cpu->vhyp) {
836         PPCVirtualHypervisorClass *vhc =
837             PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp);
838         vhc->hpte_set_c(cpu->vhyp, ptex, pte1);
839         return;
840     }
841     base = ppc_hash64_hpt_base(cpu);
842 
843     /* The HW performs a non-atomic byte update */
844     stb_phys(CPU(cpu)->as, base + offset, (pte1 & 0xff) | 0x80);
845 }
846 
847 static target_ulong rmls_limit(PowerPCCPU *cpu)
848 {
849     CPUPPCState *env = &cpu->env;
850     /*
851      * In theory the meanings of RMLS values are implementation
852      * dependent.  In practice, this seems to have been the set from
853      * POWER4+..POWER8, and RMLS is no longer supported in POWER9.
854      *
855      * Unsupported values mean the OS has shot itself in the
856      * foot. Return a 0-sized RMA in this case, which we expect
857      * to trigger an immediate DSI or ISI
858      */
859     static const target_ulong rma_sizes[16] = {
860         [0] = 256 * GiB,
861         [1] = 16 * GiB,
862         [2] = 1 * GiB,
863         [3] = 64 * MiB,
864         [4] = 256 * MiB,
865         [7] = 128 * MiB,
866         [8] = 32 * MiB,
867     };
868     target_ulong rmls = (env->spr[SPR_LPCR] & LPCR_RMLS) >> LPCR_RMLS_SHIFT;
869 
870     return rma_sizes[rmls];
871 }
872 
873 static int build_vrma_slbe(PowerPCCPU *cpu, ppc_slb_t *slb)
874 {
875     CPUPPCState *env = &cpu->env;
876     target_ulong lpcr = env->spr[SPR_LPCR];
877     uint32_t vrmasd = (lpcr & LPCR_VRMASD) >> LPCR_VRMASD_SHIFT;
878     target_ulong vsid = SLB_VSID_VRMA | ((vrmasd << 4) & SLB_VSID_LLP_MASK);
879     int i;
880 
881     for (i = 0; i < PPC_PAGE_SIZES_MAX_SZ; i++) {
882         const PPCHash64SegmentPageSizes *sps = &cpu->hash64_opts->sps[i];
883 
884         if (!sps->page_shift) {
885             break;
886         }
887 
888         if ((vsid & SLB_VSID_LLP_MASK) == sps->slb_enc) {
889             slb->esid = SLB_ESID_V;
890             slb->vsid = vsid;
891             slb->sps = sps;
892             return 0;
893         }
894     }
895 
896     error_report("Bad page size encoding in LPCR[VRMASD]; LPCR=0x"
897                  TARGET_FMT_lx, lpcr);
898 
899     return -1;
900 }
901 
902 bool ppc_hash64_xlate(PowerPCCPU *cpu, vaddr eaddr, MMUAccessType access_type,
903                       hwaddr *raddrp, int *psizep, int *protp, int mmu_idx,
904                       bool guest_visible)
905 {
906     CPUState *cs = CPU(cpu);
907     CPUPPCState *env = &cpu->env;
908     ppc_slb_t vrma_slbe;
909     ppc_slb_t *slb;
910     unsigned apshift;
911     hwaddr ptex;
912     ppc_hash_pte64_t pte;
913     int exec_prot, pp_prot, amr_prot, prot;
914     int need_prot;
915     hwaddr raddr;
916 
917     /*
918      * Note on LPCR usage: 970 uses HID4, but our special variant of
919      * store_spr copies relevant fields into env->spr[SPR_LPCR].
920      * Similarly we filter unimplemented bits when storing into LPCR
921      * depending on the MMU version. This code can thus just use the
922      * LPCR "as-is".
923      */
924 
925     /* 1. Handle real mode accesses */
926     if (mmuidx_real(mmu_idx)) {
927         /*
928          * Translation is supposedly "off", but in real mode the top 4
929          * effective address bits are (mostly) ignored
930          */
931         raddr = eaddr & 0x0FFFFFFFFFFFFFFFULL;
932 
933         if (cpu->vhyp) {
934             /*
935              * In virtual hypervisor mode, there's nothing to do:
936              *   EA == GPA == qemu guest address
937              */
938         } else if (mmuidx_hv(mmu_idx) || !env->has_hv_mode) {
939             /* In HV mode, add HRMOR if top EA bit is clear */
940             if (!(eaddr >> 63)) {
941                 raddr |= env->spr[SPR_HRMOR];
942             }
943         } else if (ppc_hash64_use_vrma(env)) {
944             /* Emulated VRMA mode */
945             slb = &vrma_slbe;
946             if (build_vrma_slbe(cpu, slb) != 0) {
947                 /* Invalid VRMA setup, machine check */
948                 if (guest_visible) {
949                     cs->exception_index = POWERPC_EXCP_MCHECK;
950                     env->error_code = 0;
951                 }
952                 return false;
953             }
954 
955             goto skip_slb_search;
956         } else {
957             target_ulong limit = rmls_limit(cpu);
958 
959             /* Emulated old-style RMO mode, bounds check against RMLS */
960             if (raddr >= limit) {
961                 if (!guest_visible) {
962                     return false;
963                 }
964                 switch (access_type) {
965                 case MMU_INST_FETCH:
966                     ppc_hash64_set_isi(cs, mmu_idx, SRR1_PROTFAULT);
967                     break;
968                 case MMU_DATA_LOAD:
969                     ppc_hash64_set_dsi(cs, mmu_idx, eaddr, DSISR_PROTFAULT);
970                     break;
971                 case MMU_DATA_STORE:
972                     ppc_hash64_set_dsi(cs, mmu_idx, eaddr,
973                                        DSISR_PROTFAULT | DSISR_ISSTORE);
974                     break;
975                 default:
976                     g_assert_not_reached();
977                 }
978                 return false;
979             }
980 
981             raddr |= env->spr[SPR_RMOR];
982         }
983 
984         *raddrp = raddr;
985         *protp = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
986         *psizep = TARGET_PAGE_BITS;
987         return true;
988     }
989 
990     /* 2. Translation is on, so look up the SLB */
991     slb = slb_lookup(cpu, eaddr);
992     if (!slb) {
993         /* No entry found, check if in-memory segment tables are in use */
994         if (ppc64_use_proc_tbl(cpu)) {
995             /* TODO - Unsupported */
996             error_report("Segment Table Support Unimplemented");
997             exit(1);
998         }
999         /* Segment still not found, generate the appropriate interrupt */
1000         if (!guest_visible) {
1001             return false;
1002         }
1003         switch (access_type) {
1004         case MMU_INST_FETCH:
1005             cs->exception_index = POWERPC_EXCP_ISEG;
1006             env->error_code = 0;
1007             break;
1008         case MMU_DATA_LOAD:
1009         case MMU_DATA_STORE:
1010             cs->exception_index = POWERPC_EXCP_DSEG;
1011             env->error_code = 0;
1012             env->spr[SPR_DAR] = eaddr;
1013             break;
1014         default:
1015             g_assert_not_reached();
1016         }
1017         return false;
1018     }
1019 
1020  skip_slb_search:
1021 
1022     /* 3. Check for segment level no-execute violation */
1023     if (access_type == MMU_INST_FETCH && (slb->vsid & SLB_VSID_N)) {
1024         if (guest_visible) {
1025             ppc_hash64_set_isi(cs, mmu_idx, SRR1_NOEXEC_GUARD);
1026         }
1027         return false;
1028     }
1029 
1030     /* 4. Locate the PTE in the hash table */
1031     ptex = ppc_hash64_htab_lookup(cpu, slb, eaddr, &pte, &apshift);
1032     if (ptex == -1) {
1033         if (!guest_visible) {
1034             return false;
1035         }
1036         switch (access_type) {
1037         case MMU_INST_FETCH:
1038             ppc_hash64_set_isi(cs, mmu_idx, SRR1_NOPTE);
1039             break;
1040         case MMU_DATA_LOAD:
1041             ppc_hash64_set_dsi(cs, mmu_idx, eaddr, DSISR_NOPTE);
1042             break;
1043         case MMU_DATA_STORE:
1044             ppc_hash64_set_dsi(cs, mmu_idx, eaddr, DSISR_NOPTE | DSISR_ISSTORE);
1045             break;
1046         default:
1047             g_assert_not_reached();
1048         }
1049         return false;
1050     }
1051     qemu_log_mask(CPU_LOG_MMU,
1052                   "found PTE at index %08" HWADDR_PRIx "\n", ptex);
1053 
1054     /* 5. Check access permissions */
1055 
1056     exec_prot = ppc_hash64_pte_noexec_guard(cpu, pte);
1057     pp_prot = ppc_hash64_pte_prot(mmu_idx, slb, pte);
1058     amr_prot = ppc_hash64_amr_prot(cpu, pte);
1059     prot = exec_prot & pp_prot & amr_prot;
1060 
1061     need_prot = prot_for_access_type(access_type);
1062     if (need_prot & ~prot) {
1063         /* Access right violation */
1064         qemu_log_mask(CPU_LOG_MMU, "PTE access rejected\n");
1065         if (!guest_visible) {
1066             return false;
1067         }
1068         if (access_type == MMU_INST_FETCH) {
1069             int srr1 = 0;
1070             if (PAGE_EXEC & ~exec_prot) {
1071                 srr1 |= SRR1_NOEXEC_GUARD; /* Access violates noexec or guard */
1072             } else if (PAGE_EXEC & ~pp_prot) {
1073                 srr1 |= SRR1_PROTFAULT; /* Access violates access authority */
1074             }
1075             if (PAGE_EXEC & ~amr_prot) {
1076                 srr1 |= SRR1_IAMR; /* Access violates virt pg class key prot */
1077             }
1078             ppc_hash64_set_isi(cs, mmu_idx, srr1);
1079         } else {
1080             int dsisr = 0;
1081             if (need_prot & ~pp_prot) {
1082                 dsisr |= DSISR_PROTFAULT;
1083             }
1084             if (access_type == MMU_DATA_STORE) {
1085                 dsisr |= DSISR_ISSTORE;
1086             }
1087             if (need_prot & ~amr_prot) {
1088                 dsisr |= DSISR_AMR;
1089             }
1090             ppc_hash64_set_dsi(cs, mmu_idx, eaddr, dsisr);
1091         }
1092         return false;
1093     }
1094 
1095     qemu_log_mask(CPU_LOG_MMU, "PTE access granted !\n");
1096 
1097     /* 6. Update PTE referenced and changed bits if necessary */
1098 
1099     if (!(pte.pte1 & HPTE64_R_R)) {
1100         ppc_hash64_set_r(cpu, ptex, pte.pte1);
1101     }
1102     if (!(pte.pte1 & HPTE64_R_C)) {
1103         if (access_type == MMU_DATA_STORE) {
1104             ppc_hash64_set_c(cpu, ptex, pte.pte1);
1105         } else {
1106             /*
1107              * Treat the page as read-only for now, so that a later write
1108              * will pass through this function again to set the C bit
1109              */
1110             prot &= ~PAGE_WRITE;
1111         }
1112     }
1113 
1114     /* 7. Determine the real address from the PTE */
1115 
1116     *raddrp = deposit64(pte.pte1 & HPTE64_R_RPN, 0, apshift, eaddr);
1117     *protp = prot;
1118     *psizep = apshift;
1119     return true;
1120 }
1121 
1122 void ppc_hash64_tlb_flush_hpte(PowerPCCPU *cpu, target_ulong ptex,
1123                                target_ulong pte0, target_ulong pte1)
1124 {
1125     /*
1126      * XXX: given the fact that there are too many segments to
1127      * invalidate, and we still don't have a tlb_flush_mask(env, n,
1128      * mask) in QEMU, we just invalidate all TLBs
1129      */
1130     cpu->env.tlb_need_flush = TLB_NEED_GLOBAL_FLUSH | TLB_NEED_LOCAL_FLUSH;
1131 }
1132 
1133 #ifdef CONFIG_TCG
1134 void helper_store_lpcr(CPUPPCState *env, target_ulong val)
1135 {
1136     PowerPCCPU *cpu = env_archcpu(env);
1137 
1138     ppc_store_lpcr(cpu, val);
1139 }
1140 #endif
1141 
1142 void ppc_hash64_init(PowerPCCPU *cpu)
1143 {
1144     CPUPPCState *env = &cpu->env;
1145     PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cpu);
1146 
1147     if (!pcc->hash64_opts) {
1148         assert(!mmu_is_64bit(env->mmu_model));
1149         return;
1150     }
1151 
1152     cpu->hash64_opts = g_memdup(pcc->hash64_opts, sizeof(*cpu->hash64_opts));
1153 }
1154 
1155 void ppc_hash64_finalize(PowerPCCPU *cpu)
1156 {
1157     g_free(cpu->hash64_opts);
1158 }
1159 
1160 const PPCHash64Options ppc_hash64_opts_basic = {
1161     .flags = 0,
1162     .slb_size = 64,
1163     .sps = {
1164         { .page_shift = 12, /* 4K */
1165           .slb_enc = 0,
1166           .enc = { { .page_shift = 12, .pte_enc = 0 } }
1167         },
1168         { .page_shift = 24, /* 16M */
1169           .slb_enc = 0x100,
1170           .enc = { { .page_shift = 24, .pte_enc = 0 } }
1171         },
1172     },
1173 };
1174 
1175 const PPCHash64Options ppc_hash64_opts_POWER7 = {
1176     .flags = PPC_HASH64_1TSEG | PPC_HASH64_AMR | PPC_HASH64_CI_LARGEPAGE,
1177     .slb_size = 32,
1178     .sps = {
1179         {
1180             .page_shift = 12, /* 4K */
1181             .slb_enc = 0,
1182             .enc = { { .page_shift = 12, .pte_enc = 0 },
1183                      { .page_shift = 16, .pte_enc = 0x7 },
1184                      { .page_shift = 24, .pte_enc = 0x38 }, },
1185         },
1186         {
1187             .page_shift = 16, /* 64K */
1188             .slb_enc = SLB_VSID_64K,
1189             .enc = { { .page_shift = 16, .pte_enc = 0x1 },
1190                      { .page_shift = 24, .pte_enc = 0x8 }, },
1191         },
1192         {
1193             .page_shift = 24, /* 16M */
1194             .slb_enc = SLB_VSID_16M,
1195             .enc = { { .page_shift = 24, .pte_enc = 0 }, },
1196         },
1197         {
1198             .page_shift = 34, /* 16G */
1199             .slb_enc = SLB_VSID_16G,
1200             .enc = { { .page_shift = 34, .pte_enc = 0x3 }, },
1201         },
1202     }
1203 };
1204 
1205 
1206