xref: /openbmc/qemu/target/ppc/mmu-hash64.c (revision af254a27)
1 /*
2  *  PowerPC MMU, TLB, SLB and BAT emulation helpers for QEMU.
3  *
4  *  Copyright (c) 2003-2007 Jocelyn Mayer
5  *  Copyright (c) 2013 David Gibson, IBM Corporation
6  *
7  * This library is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * This library is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19  */
20 #include "qemu/osdep.h"
21 #include "qemu/units.h"
22 #include "cpu.h"
23 #include "exec/exec-all.h"
24 #include "qemu/error-report.h"
25 #include "qemu/qemu-print.h"
26 #include "sysemu/hw_accel.h"
27 #include "kvm_ppc.h"
28 #include "mmu-hash64.h"
29 #include "exec/log.h"
30 #include "hw/hw.h"
31 #include "internal.h"
32 #include "mmu-book3s-v3.h"
33 #include "helper_regs.h"
34 
35 #ifdef CONFIG_TCG
36 #include "exec/helper-proto.h"
37 #endif
38 
39 /* #define DEBUG_SLB */
40 
41 #ifdef DEBUG_SLB
42 #  define LOG_SLB(...) qemu_log_mask(CPU_LOG_MMU, __VA_ARGS__)
43 #else
44 #  define LOG_SLB(...) do { } while (0)
45 #endif
46 
47 /*
48  * SLB handling
49  */
50 
51 static ppc_slb_t *slb_lookup(PowerPCCPU *cpu, target_ulong eaddr)
52 {
53     CPUPPCState *env = &cpu->env;
54     uint64_t esid_256M, esid_1T;
55     int n;
56 
57     LOG_SLB("%s: eaddr " TARGET_FMT_lx "\n", __func__, eaddr);
58 
59     esid_256M = (eaddr & SEGMENT_MASK_256M) | SLB_ESID_V;
60     esid_1T = (eaddr & SEGMENT_MASK_1T) | SLB_ESID_V;
61 
62     for (n = 0; n < cpu->hash64_opts->slb_size; n++) {
63         ppc_slb_t *slb = &env->slb[n];
64 
65         LOG_SLB("%s: slot %d %016" PRIx64 " %016"
66                     PRIx64 "\n", __func__, n, slb->esid, slb->vsid);
67         /*
68          * We check for 1T matches on all MMUs here - if the MMU
69          * doesn't have 1T segment support, we will have prevented 1T
70          * entries from being inserted in the slbmte code.
71          */
72         if (((slb->esid == esid_256M) &&
73              ((slb->vsid & SLB_VSID_B) == SLB_VSID_B_256M))
74             || ((slb->esid == esid_1T) &&
75                 ((slb->vsid & SLB_VSID_B) == SLB_VSID_B_1T))) {
76             return slb;
77         }
78     }
79 
80     return NULL;
81 }
82 
83 void dump_slb(PowerPCCPU *cpu)
84 {
85     CPUPPCState *env = &cpu->env;
86     int i;
87     uint64_t slbe, slbv;
88 
89     cpu_synchronize_state(CPU(cpu));
90 
91     qemu_printf("SLB\tESID\t\t\tVSID\n");
92     for (i = 0; i < cpu->hash64_opts->slb_size; i++) {
93         slbe = env->slb[i].esid;
94         slbv = env->slb[i].vsid;
95         if (slbe == 0 && slbv == 0) {
96             continue;
97         }
98         qemu_printf("%d\t0x%016" PRIx64 "\t0x%016" PRIx64 "\n",
99                     i, slbe, slbv);
100     }
101 }
102 
103 #ifdef CONFIG_TCG
104 void helper_slbia(CPUPPCState *env, uint32_t ih)
105 {
106     PowerPCCPU *cpu = env_archcpu(env);
107     int starting_entry;
108     int n;
109 
110     /*
111      * slbia must always flush all TLB (which is equivalent to ERAT in ppc
112      * architecture). Matching on SLB_ESID_V is not good enough, because slbmte
113      * can overwrite a valid SLB without flushing its lookaside information.
114      *
115      * It would be possible to keep the TLB in synch with the SLB by flushing
116      * when a valid entry is overwritten by slbmte, and therefore slbia would
117      * not have to flush unless it evicts a valid SLB entry. However it is
118      * expected that slbmte is more common than slbia, and slbia is usually
119      * going to evict valid SLB entries, so that tradeoff is unlikely to be a
120      * good one.
121      *
122      * ISA v2.05 introduced IH field with values 0,1,2,6. These all invalidate
123      * the same SLB entries (everything but entry 0), but differ in what
124      * "lookaside information" is invalidated. TCG can ignore this and flush
125      * everything.
126      *
127      * ISA v3.0 introduced additional values 3,4,7, which change what SLBs are
128      * invalidated.
129      */
130 
131     env->tlb_need_flush |= TLB_NEED_LOCAL_FLUSH;
132 
133     starting_entry = 1; /* default for IH=0,1,2,6 */
134 
135     if (env->mmu_model == POWERPC_MMU_3_00) {
136         switch (ih) {
137         case 0x7:
138             /* invalidate no SLBs, but all lookaside information */
139             return;
140 
141         case 0x3:
142         case 0x4:
143             /* also considers SLB entry 0 */
144             starting_entry = 0;
145             break;
146 
147         case 0x5:
148             /* treat undefined values as ih==0, and warn */
149             qemu_log_mask(LOG_GUEST_ERROR,
150                           "slbia undefined IH field %u.\n", ih);
151             break;
152 
153         default:
154             /* 0,1,2,6 */
155             break;
156         }
157     }
158 
159     for (n = starting_entry; n < cpu->hash64_opts->slb_size; n++) {
160         ppc_slb_t *slb = &env->slb[n];
161 
162         if (!(slb->esid & SLB_ESID_V)) {
163             continue;
164         }
165         if (env->mmu_model == POWERPC_MMU_3_00) {
166             if (ih == 0x3 && (slb->vsid & SLB_VSID_C) == 0) {
167                 /* preserves entries with a class value of 0 */
168                 continue;
169             }
170         }
171 
172         slb->esid &= ~SLB_ESID_V;
173     }
174 }
175 
176 static void __helper_slbie(CPUPPCState *env, target_ulong addr,
177                            target_ulong global)
178 {
179     PowerPCCPU *cpu = env_archcpu(env);
180     ppc_slb_t *slb;
181 
182     slb = slb_lookup(cpu, addr);
183     if (!slb) {
184         return;
185     }
186 
187     if (slb->esid & SLB_ESID_V) {
188         slb->esid &= ~SLB_ESID_V;
189 
190         /*
191          * XXX: given the fact that segment size is 256 MB or 1TB,
192          *      and we still don't have a tlb_flush_mask(env, n, mask)
193          *      in QEMU, we just invalidate all TLBs
194          */
195         env->tlb_need_flush |=
196             (global == false ? TLB_NEED_LOCAL_FLUSH : TLB_NEED_GLOBAL_FLUSH);
197     }
198 }
199 
200 void helper_slbie(CPUPPCState *env, target_ulong addr)
201 {
202     __helper_slbie(env, addr, false);
203 }
204 
205 void helper_slbieg(CPUPPCState *env, target_ulong addr)
206 {
207     __helper_slbie(env, addr, true);
208 }
209 #endif
210 
211 int ppc_store_slb(PowerPCCPU *cpu, target_ulong slot,
212                   target_ulong esid, target_ulong vsid)
213 {
214     CPUPPCState *env = &cpu->env;
215     ppc_slb_t *slb = &env->slb[slot];
216     const PPCHash64SegmentPageSizes *sps = NULL;
217     int i;
218 
219     if (slot >= cpu->hash64_opts->slb_size) {
220         return -1; /* Bad slot number */
221     }
222     if (esid & ~(SLB_ESID_ESID | SLB_ESID_V)) {
223         return -1; /* Reserved bits set */
224     }
225     if (vsid & (SLB_VSID_B & ~SLB_VSID_B_1T)) {
226         return -1; /* Bad segment size */
227     }
228     if ((vsid & SLB_VSID_B) && !(ppc_hash64_has(cpu, PPC_HASH64_1TSEG))) {
229         return -1; /* 1T segment on MMU that doesn't support it */
230     }
231 
232     for (i = 0; i < PPC_PAGE_SIZES_MAX_SZ; i++) {
233         const PPCHash64SegmentPageSizes *sps1 = &cpu->hash64_opts->sps[i];
234 
235         if (!sps1->page_shift) {
236             break;
237         }
238 
239         if ((vsid & SLB_VSID_LLP_MASK) == sps1->slb_enc) {
240             sps = sps1;
241             break;
242         }
243     }
244 
245     if (!sps) {
246         error_report("Bad page size encoding in SLB store: slot "TARGET_FMT_lu
247                      " esid 0x"TARGET_FMT_lx" vsid 0x"TARGET_FMT_lx,
248                      slot, esid, vsid);
249         return -1;
250     }
251 
252     slb->esid = esid;
253     slb->vsid = vsid;
254     slb->sps = sps;
255 
256     LOG_SLB("%s: " TARGET_FMT_lu " " TARGET_FMT_lx " - " TARGET_FMT_lx
257             " => %016" PRIx64 " %016" PRIx64 "\n", __func__, slot, esid, vsid,
258             slb->esid, slb->vsid);
259 
260     return 0;
261 }
262 
263 #ifdef CONFIG_TCG
264 static int ppc_load_slb_esid(PowerPCCPU *cpu, target_ulong rb,
265                              target_ulong *rt)
266 {
267     CPUPPCState *env = &cpu->env;
268     int slot = rb & 0xfff;
269     ppc_slb_t *slb = &env->slb[slot];
270 
271     if (slot >= cpu->hash64_opts->slb_size) {
272         return -1;
273     }
274 
275     *rt = slb->esid;
276     return 0;
277 }
278 
279 static int ppc_load_slb_vsid(PowerPCCPU *cpu, target_ulong rb,
280                              target_ulong *rt)
281 {
282     CPUPPCState *env = &cpu->env;
283     int slot = rb & 0xfff;
284     ppc_slb_t *slb = &env->slb[slot];
285 
286     if (slot >= cpu->hash64_opts->slb_size) {
287         return -1;
288     }
289 
290     *rt = slb->vsid;
291     return 0;
292 }
293 
294 static int ppc_find_slb_vsid(PowerPCCPU *cpu, target_ulong rb,
295                              target_ulong *rt)
296 {
297     CPUPPCState *env = &cpu->env;
298     ppc_slb_t *slb;
299 
300     if (!msr_is_64bit(env, env->msr)) {
301         rb &= 0xffffffff;
302     }
303     slb = slb_lookup(cpu, rb);
304     if (slb == NULL) {
305         *rt = (target_ulong)-1ul;
306     } else {
307         *rt = slb->vsid;
308     }
309     return 0;
310 }
311 
312 void helper_store_slb(CPUPPCState *env, target_ulong rb, target_ulong rs)
313 {
314     PowerPCCPU *cpu = env_archcpu(env);
315 
316     if (ppc_store_slb(cpu, rb & 0xfff, rb & ~0xfffULL, rs) < 0) {
317         raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM,
318                                POWERPC_EXCP_INVAL, GETPC());
319     }
320 }
321 
322 target_ulong helper_load_slb_esid(CPUPPCState *env, target_ulong rb)
323 {
324     PowerPCCPU *cpu = env_archcpu(env);
325     target_ulong rt = 0;
326 
327     if (ppc_load_slb_esid(cpu, rb, &rt) < 0) {
328         raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM,
329                                POWERPC_EXCP_INVAL, GETPC());
330     }
331     return rt;
332 }
333 
334 target_ulong helper_find_slb_vsid(CPUPPCState *env, target_ulong rb)
335 {
336     PowerPCCPU *cpu = env_archcpu(env);
337     target_ulong rt = 0;
338 
339     if (ppc_find_slb_vsid(cpu, rb, &rt) < 0) {
340         raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM,
341                                POWERPC_EXCP_INVAL, GETPC());
342     }
343     return rt;
344 }
345 
346 target_ulong helper_load_slb_vsid(CPUPPCState *env, target_ulong rb)
347 {
348     PowerPCCPU *cpu = env_archcpu(env);
349     target_ulong rt = 0;
350 
351     if (ppc_load_slb_vsid(cpu, rb, &rt) < 0) {
352         raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM,
353                                POWERPC_EXCP_INVAL, GETPC());
354     }
355     return rt;
356 }
357 #endif
358 
359 /* Check No-Execute or Guarded Storage */
360 static inline int ppc_hash64_pte_noexec_guard(PowerPCCPU *cpu,
361                                               ppc_hash_pte64_t pte)
362 {
363     /* Exec permissions CANNOT take away read or write permissions */
364     return (pte.pte1 & HPTE64_R_N) || (pte.pte1 & HPTE64_R_G) ?
365             PAGE_READ | PAGE_WRITE : PAGE_READ | PAGE_WRITE | PAGE_EXEC;
366 }
367 
368 /* Check Basic Storage Protection */
369 static int ppc_hash64_pte_prot(int mmu_idx,
370                                ppc_slb_t *slb, ppc_hash_pte64_t pte)
371 {
372     unsigned pp, key;
373     /*
374      * Some pp bit combinations have undefined behaviour, so default
375      * to no access in those cases
376      */
377     int prot = 0;
378 
379     key = !!(mmuidx_pr(mmu_idx) ? (slb->vsid & SLB_VSID_KP)
380              : (slb->vsid & SLB_VSID_KS));
381     pp = (pte.pte1 & HPTE64_R_PP) | ((pte.pte1 & HPTE64_R_PP0) >> 61);
382 
383     if (key == 0) {
384         switch (pp) {
385         case 0x0:
386         case 0x1:
387         case 0x2:
388             prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
389             break;
390 
391         case 0x3:
392         case 0x6:
393             prot = PAGE_READ | PAGE_EXEC;
394             break;
395         }
396     } else {
397         switch (pp) {
398         case 0x0:
399         case 0x6:
400             break;
401 
402         case 0x1:
403         case 0x3:
404             prot = PAGE_READ | PAGE_EXEC;
405             break;
406 
407         case 0x2:
408             prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
409             break;
410         }
411     }
412 
413     return prot;
414 }
415 
416 /* Check the instruction access permissions specified in the IAMR */
417 static int ppc_hash64_iamr_prot(PowerPCCPU *cpu, int key)
418 {
419     CPUPPCState *env = &cpu->env;
420     int iamr_bits = (env->spr[SPR_IAMR] >> 2 * (31 - key)) & 0x3;
421 
422     /*
423      * An instruction fetch is permitted if the IAMR bit is 0.
424      * If the bit is set, return PAGE_READ | PAGE_WRITE because this bit
425      * can only take away EXEC permissions not READ or WRITE permissions.
426      * If bit is cleared return PAGE_READ | PAGE_WRITE | PAGE_EXEC since
427      * EXEC permissions are allowed.
428      */
429     return (iamr_bits & 0x1) ? PAGE_READ | PAGE_WRITE :
430                                PAGE_READ | PAGE_WRITE | PAGE_EXEC;
431 }
432 
433 static int ppc_hash64_amr_prot(PowerPCCPU *cpu, ppc_hash_pte64_t pte)
434 {
435     CPUPPCState *env = &cpu->env;
436     int key, amrbits;
437     int prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
438 
439     /* Only recent MMUs implement Virtual Page Class Key Protection */
440     if (!ppc_hash64_has(cpu, PPC_HASH64_AMR)) {
441         return prot;
442     }
443 
444     key = HPTE64_R_KEY(pte.pte1);
445     amrbits = (env->spr[SPR_AMR] >> 2 * (31 - key)) & 0x3;
446 
447     /* fprintf(stderr, "AMR protection: key=%d AMR=0x%" PRIx64 "\n", key, */
448     /*         env->spr[SPR_AMR]); */
449 
450     /*
451      * A store is permitted if the AMR bit is 0. Remove write
452      * protection if it is set.
453      */
454     if (amrbits & 0x2) {
455         prot &= ~PAGE_WRITE;
456     }
457     /*
458      * A load is permitted if the AMR bit is 0. Remove read
459      * protection if it is set.
460      */
461     if (amrbits & 0x1) {
462         prot &= ~PAGE_READ;
463     }
464 
465     switch (env->mmu_model) {
466     /*
467      * MMU version 2.07 and later support IAMR
468      * Check if the IAMR allows the instruction access - it will return
469      * PAGE_EXEC if it doesn't (and thus that bit will be cleared) or 0
470      * if it does (and prot will be unchanged indicating execution support).
471      */
472     case POWERPC_MMU_2_07:
473     case POWERPC_MMU_3_00:
474         prot &= ppc_hash64_iamr_prot(cpu, key);
475         break;
476     default:
477         break;
478     }
479 
480     return prot;
481 }
482 
483 const ppc_hash_pte64_t *ppc_hash64_map_hptes(PowerPCCPU *cpu,
484                                              hwaddr ptex, int n)
485 {
486     hwaddr pte_offset = ptex * HASH_PTE_SIZE_64;
487     hwaddr base;
488     hwaddr plen = n * HASH_PTE_SIZE_64;
489     const ppc_hash_pte64_t *hptes;
490 
491     if (cpu->vhyp) {
492         PPCVirtualHypervisorClass *vhc =
493             PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp);
494         return vhc->map_hptes(cpu->vhyp, ptex, n);
495     }
496     base = ppc_hash64_hpt_base(cpu);
497 
498     if (!base) {
499         return NULL;
500     }
501 
502     hptes = address_space_map(CPU(cpu)->as, base + pte_offset, &plen, false,
503                               MEMTXATTRS_UNSPECIFIED);
504     if (plen < (n * HASH_PTE_SIZE_64)) {
505         hw_error("%s: Unable to map all requested HPTEs\n", __func__);
506     }
507     return hptes;
508 }
509 
510 void ppc_hash64_unmap_hptes(PowerPCCPU *cpu, const ppc_hash_pte64_t *hptes,
511                             hwaddr ptex, int n)
512 {
513     if (cpu->vhyp) {
514         PPCVirtualHypervisorClass *vhc =
515             PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp);
516         vhc->unmap_hptes(cpu->vhyp, hptes, ptex, n);
517         return;
518     }
519 
520     address_space_unmap(CPU(cpu)->as, (void *)hptes, n * HASH_PTE_SIZE_64,
521                         false, n * HASH_PTE_SIZE_64);
522 }
523 
524 static unsigned hpte_page_shift(const PPCHash64SegmentPageSizes *sps,
525                                 uint64_t pte0, uint64_t pte1)
526 {
527     int i;
528 
529     if (!(pte0 & HPTE64_V_LARGE)) {
530         if (sps->page_shift != 12) {
531             /* 4kiB page in a non 4kiB segment */
532             return 0;
533         }
534         /* Normal 4kiB page */
535         return 12;
536     }
537 
538     for (i = 0; i < PPC_PAGE_SIZES_MAX_SZ; i++) {
539         const PPCHash64PageSize *ps = &sps->enc[i];
540         uint64_t mask;
541 
542         if (!ps->page_shift) {
543             break;
544         }
545 
546         if (ps->page_shift == 12) {
547             /* L bit is set so this can't be a 4kiB page */
548             continue;
549         }
550 
551         mask = ((1ULL << ps->page_shift) - 1) & HPTE64_R_RPN;
552 
553         if ((pte1 & mask) == ((uint64_t)ps->pte_enc << HPTE64_R_RPN_SHIFT)) {
554             return ps->page_shift;
555         }
556     }
557 
558     return 0; /* Bad page size encoding */
559 }
560 
561 static void ppc64_v3_new_to_old_hpte(target_ulong *pte0, target_ulong *pte1)
562 {
563     /* Insert B into pte0 */
564     *pte0 = (*pte0 & HPTE64_V_COMMON_BITS) |
565             ((*pte1 & HPTE64_R_3_0_SSIZE_MASK) <<
566              (HPTE64_V_SSIZE_SHIFT - HPTE64_R_3_0_SSIZE_SHIFT));
567 
568     /* Remove B from pte1 */
569     *pte1 = *pte1 & ~HPTE64_R_3_0_SSIZE_MASK;
570 }
571 
572 
573 static hwaddr ppc_hash64_pteg_search(PowerPCCPU *cpu, hwaddr hash,
574                                      const PPCHash64SegmentPageSizes *sps,
575                                      target_ulong ptem,
576                                      ppc_hash_pte64_t *pte, unsigned *pshift)
577 {
578     int i;
579     const ppc_hash_pte64_t *pteg;
580     target_ulong pte0, pte1;
581     target_ulong ptex;
582 
583     ptex = (hash & ppc_hash64_hpt_mask(cpu)) * HPTES_PER_GROUP;
584     pteg = ppc_hash64_map_hptes(cpu, ptex, HPTES_PER_GROUP);
585     if (!pteg) {
586         return -1;
587     }
588     for (i = 0; i < HPTES_PER_GROUP; i++) {
589         pte0 = ppc_hash64_hpte0(cpu, pteg, i);
590         /*
591          * pte0 contains the valid bit and must be read before pte1,
592          * otherwise we might see an old pte1 with a new valid bit and
593          * thus an inconsistent hpte value
594          */
595         smp_rmb();
596         pte1 = ppc_hash64_hpte1(cpu, pteg, i);
597 
598         /* Convert format if necessary */
599         if (cpu->env.mmu_model == POWERPC_MMU_3_00 && !cpu->vhyp) {
600             ppc64_v3_new_to_old_hpte(&pte0, &pte1);
601         }
602 
603         /* This compares V, B, H (secondary) and the AVPN */
604         if (HPTE64_V_COMPARE(pte0, ptem)) {
605             *pshift = hpte_page_shift(sps, pte0, pte1);
606             /*
607              * If there is no match, ignore the PTE, it could simply
608              * be for a different segment size encoding and the
609              * architecture specifies we should not match. Linux will
610              * potentially leave behind PTEs for the wrong base page
611              * size when demoting segments.
612              */
613             if (*pshift == 0) {
614                 continue;
615             }
616             /*
617              * We don't do anything with pshift yet as qemu TLB only
618              * deals with 4K pages anyway
619              */
620             pte->pte0 = pte0;
621             pte->pte1 = pte1;
622             ppc_hash64_unmap_hptes(cpu, pteg, ptex, HPTES_PER_GROUP);
623             return ptex + i;
624         }
625     }
626     ppc_hash64_unmap_hptes(cpu, pteg, ptex, HPTES_PER_GROUP);
627     /*
628      * We didn't find a valid entry.
629      */
630     return -1;
631 }
632 
633 static hwaddr ppc_hash64_htab_lookup(PowerPCCPU *cpu,
634                                      ppc_slb_t *slb, target_ulong eaddr,
635                                      ppc_hash_pte64_t *pte, unsigned *pshift)
636 {
637     CPUPPCState *env = &cpu->env;
638     hwaddr hash, ptex;
639     uint64_t vsid, epnmask, epn, ptem;
640     const PPCHash64SegmentPageSizes *sps = slb->sps;
641 
642     /*
643      * The SLB store path should prevent any bad page size encodings
644      * getting in there, so:
645      */
646     assert(sps);
647 
648     /* If ISL is set in LPCR we need to clamp the page size to 4K */
649     if (env->spr[SPR_LPCR] & LPCR_ISL) {
650         /* We assume that when using TCG, 4k is first entry of SPS */
651         sps = &cpu->hash64_opts->sps[0];
652         assert(sps->page_shift == 12);
653     }
654 
655     epnmask = ~((1ULL << sps->page_shift) - 1);
656 
657     if (slb->vsid & SLB_VSID_B) {
658         /* 1TB segment */
659         vsid = (slb->vsid & SLB_VSID_VSID) >> SLB_VSID_SHIFT_1T;
660         epn = (eaddr & ~SEGMENT_MASK_1T) & epnmask;
661         hash = vsid ^ (vsid << 25) ^ (epn >> sps->page_shift);
662     } else {
663         /* 256M segment */
664         vsid = (slb->vsid & SLB_VSID_VSID) >> SLB_VSID_SHIFT;
665         epn = (eaddr & ~SEGMENT_MASK_256M) & epnmask;
666         hash = vsid ^ (epn >> sps->page_shift);
667     }
668     ptem = (slb->vsid & SLB_VSID_PTEM) | ((epn >> 16) & HPTE64_V_AVPN);
669     ptem |= HPTE64_V_VALID;
670 
671     /* Page address translation */
672     qemu_log_mask(CPU_LOG_MMU,
673             "htab_base " TARGET_FMT_plx " htab_mask " TARGET_FMT_plx
674             " hash " TARGET_FMT_plx "\n",
675             ppc_hash64_hpt_base(cpu), ppc_hash64_hpt_mask(cpu), hash);
676 
677     /* Primary PTEG lookup */
678     qemu_log_mask(CPU_LOG_MMU,
679             "0 htab=" TARGET_FMT_plx "/" TARGET_FMT_plx
680             " vsid=" TARGET_FMT_lx " ptem=" TARGET_FMT_lx
681             " hash=" TARGET_FMT_plx "\n",
682             ppc_hash64_hpt_base(cpu), ppc_hash64_hpt_mask(cpu),
683             vsid, ptem,  hash);
684     ptex = ppc_hash64_pteg_search(cpu, hash, sps, ptem, pte, pshift);
685 
686     if (ptex == -1) {
687         /* Secondary PTEG lookup */
688         ptem |= HPTE64_V_SECONDARY;
689         qemu_log_mask(CPU_LOG_MMU,
690                 "1 htab=" TARGET_FMT_plx "/" TARGET_FMT_plx
691                 " vsid=" TARGET_FMT_lx " api=" TARGET_FMT_lx
692                 " hash=" TARGET_FMT_plx "\n", ppc_hash64_hpt_base(cpu),
693                 ppc_hash64_hpt_mask(cpu), vsid, ptem, ~hash);
694 
695         ptex = ppc_hash64_pteg_search(cpu, ~hash, sps, ptem, pte, pshift);
696     }
697 
698     return ptex;
699 }
700 
701 unsigned ppc_hash64_hpte_page_shift_noslb(PowerPCCPU *cpu,
702                                           uint64_t pte0, uint64_t pte1)
703 {
704     int i;
705 
706     if (!(pte0 & HPTE64_V_LARGE)) {
707         return 12;
708     }
709 
710     /*
711      * The encodings in env->sps need to be carefully chosen so that
712      * this gives an unambiguous result.
713      */
714     for (i = 0; i < PPC_PAGE_SIZES_MAX_SZ; i++) {
715         const PPCHash64SegmentPageSizes *sps = &cpu->hash64_opts->sps[i];
716         unsigned shift;
717 
718         if (!sps->page_shift) {
719             break;
720         }
721 
722         shift = hpte_page_shift(sps, pte0, pte1);
723         if (shift) {
724             return shift;
725         }
726     }
727 
728     return 0;
729 }
730 
731 static bool ppc_hash64_use_vrma(CPUPPCState *env)
732 {
733     switch (env->mmu_model) {
734     case POWERPC_MMU_3_00:
735         /*
736          * ISAv3.0 (POWER9) always uses VRMA, the VPM0 field and RMOR
737          * register no longer exist
738          */
739         return true;
740 
741     default:
742         return !!(env->spr[SPR_LPCR] & LPCR_VPM0);
743     }
744 }
745 
746 static void ppc_hash64_set_isi(CPUState *cs, int mmu_idx, uint64_t error_code)
747 {
748     CPUPPCState *env = &POWERPC_CPU(cs)->env;
749     bool vpm;
750 
751     if (!mmuidx_real(mmu_idx)) {
752         vpm = !!(env->spr[SPR_LPCR] & LPCR_VPM1);
753     } else {
754         vpm = ppc_hash64_use_vrma(env);
755     }
756     if (vpm && !mmuidx_hv(mmu_idx)) {
757         cs->exception_index = POWERPC_EXCP_HISI;
758     } else {
759         cs->exception_index = POWERPC_EXCP_ISI;
760     }
761     env->error_code = error_code;
762 }
763 
764 static void ppc_hash64_set_dsi(CPUState *cs, int mmu_idx, uint64_t dar, uint64_t dsisr)
765 {
766     CPUPPCState *env = &POWERPC_CPU(cs)->env;
767     bool vpm;
768 
769     if (!mmuidx_real(mmu_idx)) {
770         vpm = !!(env->spr[SPR_LPCR] & LPCR_VPM1);
771     } else {
772         vpm = ppc_hash64_use_vrma(env);
773     }
774     if (vpm && !mmuidx_hv(mmu_idx)) {
775         cs->exception_index = POWERPC_EXCP_HDSI;
776         env->spr[SPR_HDAR] = dar;
777         env->spr[SPR_HDSISR] = dsisr;
778     } else {
779         cs->exception_index = POWERPC_EXCP_DSI;
780         env->spr[SPR_DAR] = dar;
781         env->spr[SPR_DSISR] = dsisr;
782    }
783     env->error_code = 0;
784 }
785 
786 
787 static void ppc_hash64_set_r(PowerPCCPU *cpu, hwaddr ptex, uint64_t pte1)
788 {
789     hwaddr base, offset = ptex * HASH_PTE_SIZE_64 + HPTE64_DW1_R;
790 
791     if (cpu->vhyp) {
792         PPCVirtualHypervisorClass *vhc =
793             PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp);
794         vhc->hpte_set_r(cpu->vhyp, ptex, pte1);
795         return;
796     }
797     base = ppc_hash64_hpt_base(cpu);
798 
799 
800     /* The HW performs a non-atomic byte update */
801     stb_phys(CPU(cpu)->as, base + offset, ((pte1 >> 8) & 0xff) | 0x01);
802 }
803 
804 static void ppc_hash64_set_c(PowerPCCPU *cpu, hwaddr ptex, uint64_t pte1)
805 {
806     hwaddr base, offset = ptex * HASH_PTE_SIZE_64 + HPTE64_DW1_C;
807 
808     if (cpu->vhyp) {
809         PPCVirtualHypervisorClass *vhc =
810             PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp);
811         vhc->hpte_set_c(cpu->vhyp, ptex, pte1);
812         return;
813     }
814     base = ppc_hash64_hpt_base(cpu);
815 
816     /* The HW performs a non-atomic byte update */
817     stb_phys(CPU(cpu)->as, base + offset, (pte1 & 0xff) | 0x80);
818 }
819 
820 static target_ulong rmls_limit(PowerPCCPU *cpu)
821 {
822     CPUPPCState *env = &cpu->env;
823     /*
824      * In theory the meanings of RMLS values are implementation
825      * dependent.  In practice, this seems to have been the set from
826      * POWER4+..POWER8, and RMLS is no longer supported in POWER9.
827      *
828      * Unsupported values mean the OS has shot itself in the
829      * foot. Return a 0-sized RMA in this case, which we expect
830      * to trigger an immediate DSI or ISI
831      */
832     static const target_ulong rma_sizes[16] = {
833         [0] = 256 * GiB,
834         [1] = 16 * GiB,
835         [2] = 1 * GiB,
836         [3] = 64 * MiB,
837         [4] = 256 * MiB,
838         [7] = 128 * MiB,
839         [8] = 32 * MiB,
840     };
841     target_ulong rmls = (env->spr[SPR_LPCR] & LPCR_RMLS) >> LPCR_RMLS_SHIFT;
842 
843     return rma_sizes[rmls];
844 }
845 
846 static int build_vrma_slbe(PowerPCCPU *cpu, ppc_slb_t *slb)
847 {
848     CPUPPCState *env = &cpu->env;
849     target_ulong lpcr = env->spr[SPR_LPCR];
850     uint32_t vrmasd = (lpcr & LPCR_VRMASD) >> LPCR_VRMASD_SHIFT;
851     target_ulong vsid = SLB_VSID_VRMA | ((vrmasd << 4) & SLB_VSID_LLP_MASK);
852     int i;
853 
854     for (i = 0; i < PPC_PAGE_SIZES_MAX_SZ; i++) {
855         const PPCHash64SegmentPageSizes *sps = &cpu->hash64_opts->sps[i];
856 
857         if (!sps->page_shift) {
858             break;
859         }
860 
861         if ((vsid & SLB_VSID_LLP_MASK) == sps->slb_enc) {
862             slb->esid = SLB_ESID_V;
863             slb->vsid = vsid;
864             slb->sps = sps;
865             return 0;
866         }
867     }
868 
869     error_report("Bad page size encoding in LPCR[VRMASD]; LPCR=0x"
870                  TARGET_FMT_lx, lpcr);
871 
872     return -1;
873 }
874 
875 bool ppc_hash64_xlate(PowerPCCPU *cpu, vaddr eaddr, MMUAccessType access_type,
876                       hwaddr *raddrp, int *psizep, int *protp, int mmu_idx,
877                       bool guest_visible)
878 {
879     CPUState *cs = CPU(cpu);
880     CPUPPCState *env = &cpu->env;
881     ppc_slb_t vrma_slbe;
882     ppc_slb_t *slb;
883     unsigned apshift;
884     hwaddr ptex;
885     ppc_hash_pte64_t pte;
886     int exec_prot, pp_prot, amr_prot, prot;
887     int need_prot;
888     hwaddr raddr;
889 
890     /*
891      * Note on LPCR usage: 970 uses HID4, but our special variant of
892      * store_spr copies relevant fields into env->spr[SPR_LPCR].
893      * Similarly we filter unimplemented bits when storing into LPCR
894      * depending on the MMU version. This code can thus just use the
895      * LPCR "as-is".
896      */
897 
898     /* 1. Handle real mode accesses */
899     if (mmuidx_real(mmu_idx)) {
900         /*
901          * Translation is supposedly "off", but in real mode the top 4
902          * effective address bits are (mostly) ignored
903          */
904         raddr = eaddr & 0x0FFFFFFFFFFFFFFFULL;
905 
906         if (cpu->vhyp) {
907             /*
908              * In virtual hypervisor mode, there's nothing to do:
909              *   EA == GPA == qemu guest address
910              */
911         } else if (mmuidx_hv(mmu_idx) || !env->has_hv_mode) {
912             /* In HV mode, add HRMOR if top EA bit is clear */
913             if (!(eaddr >> 63)) {
914                 raddr |= env->spr[SPR_HRMOR];
915             }
916         } else if (ppc_hash64_use_vrma(env)) {
917             /* Emulated VRMA mode */
918             slb = &vrma_slbe;
919             if (build_vrma_slbe(cpu, slb) != 0) {
920                 /* Invalid VRMA setup, machine check */
921                 if (guest_visible) {
922                     cs->exception_index = POWERPC_EXCP_MCHECK;
923                     env->error_code = 0;
924                 }
925                 return false;
926             }
927 
928             goto skip_slb_search;
929         } else {
930             target_ulong limit = rmls_limit(cpu);
931 
932             /* Emulated old-style RMO mode, bounds check against RMLS */
933             if (raddr >= limit) {
934                 if (!guest_visible) {
935                     return false;
936                 }
937                 switch (access_type) {
938                 case MMU_INST_FETCH:
939                     ppc_hash64_set_isi(cs, mmu_idx, SRR1_PROTFAULT);
940                     break;
941                 case MMU_DATA_LOAD:
942                     ppc_hash64_set_dsi(cs, mmu_idx, eaddr, DSISR_PROTFAULT);
943                     break;
944                 case MMU_DATA_STORE:
945                     ppc_hash64_set_dsi(cs, mmu_idx, eaddr,
946                                        DSISR_PROTFAULT | DSISR_ISSTORE);
947                     break;
948                 default:
949                     g_assert_not_reached();
950                 }
951                 return false;
952             }
953 
954             raddr |= env->spr[SPR_RMOR];
955         }
956 
957         *raddrp = raddr;
958         *protp = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
959         *psizep = TARGET_PAGE_BITS;
960         return true;
961     }
962 
963     /* 2. Translation is on, so look up the SLB */
964     slb = slb_lookup(cpu, eaddr);
965     if (!slb) {
966         /* No entry found, check if in-memory segment tables are in use */
967         if (ppc64_use_proc_tbl(cpu)) {
968             /* TODO - Unsupported */
969             error_report("Segment Table Support Unimplemented");
970             exit(1);
971         }
972         /* Segment still not found, generate the appropriate interrupt */
973         if (!guest_visible) {
974             return false;
975         }
976         switch (access_type) {
977         case MMU_INST_FETCH:
978             cs->exception_index = POWERPC_EXCP_ISEG;
979             env->error_code = 0;
980             break;
981         case MMU_DATA_LOAD:
982         case MMU_DATA_STORE:
983             cs->exception_index = POWERPC_EXCP_DSEG;
984             env->error_code = 0;
985             env->spr[SPR_DAR] = eaddr;
986             break;
987         default:
988             g_assert_not_reached();
989         }
990         return false;
991     }
992 
993  skip_slb_search:
994 
995     /* 3. Check for segment level no-execute violation */
996     if (access_type == MMU_INST_FETCH && (slb->vsid & SLB_VSID_N)) {
997         if (guest_visible) {
998             ppc_hash64_set_isi(cs, mmu_idx, SRR1_NOEXEC_GUARD);
999         }
1000         return false;
1001     }
1002 
1003     /* 4. Locate the PTE in the hash table */
1004     ptex = ppc_hash64_htab_lookup(cpu, slb, eaddr, &pte, &apshift);
1005     if (ptex == -1) {
1006         if (!guest_visible) {
1007             return false;
1008         }
1009         switch (access_type) {
1010         case MMU_INST_FETCH:
1011             ppc_hash64_set_isi(cs, mmu_idx, SRR1_NOPTE);
1012             break;
1013         case MMU_DATA_LOAD:
1014             ppc_hash64_set_dsi(cs, mmu_idx, eaddr, DSISR_NOPTE);
1015             break;
1016         case MMU_DATA_STORE:
1017             ppc_hash64_set_dsi(cs, mmu_idx, eaddr, DSISR_NOPTE | DSISR_ISSTORE);
1018             break;
1019         default:
1020             g_assert_not_reached();
1021         }
1022         return false;
1023     }
1024     qemu_log_mask(CPU_LOG_MMU,
1025                   "found PTE at index %08" HWADDR_PRIx "\n", ptex);
1026 
1027     /* 5. Check access permissions */
1028 
1029     exec_prot = ppc_hash64_pte_noexec_guard(cpu, pte);
1030     pp_prot = ppc_hash64_pte_prot(mmu_idx, slb, pte);
1031     amr_prot = ppc_hash64_amr_prot(cpu, pte);
1032     prot = exec_prot & pp_prot & amr_prot;
1033 
1034     need_prot = prot_for_access_type(access_type);
1035     if (need_prot & ~prot) {
1036         /* Access right violation */
1037         qemu_log_mask(CPU_LOG_MMU, "PTE access rejected\n");
1038         if (!guest_visible) {
1039             return false;
1040         }
1041         if (access_type == MMU_INST_FETCH) {
1042             int srr1 = 0;
1043             if (PAGE_EXEC & ~exec_prot) {
1044                 srr1 |= SRR1_NOEXEC_GUARD; /* Access violates noexec or guard */
1045             } else if (PAGE_EXEC & ~pp_prot) {
1046                 srr1 |= SRR1_PROTFAULT; /* Access violates access authority */
1047             }
1048             if (PAGE_EXEC & ~amr_prot) {
1049                 srr1 |= SRR1_IAMR; /* Access violates virt pg class key prot */
1050             }
1051             ppc_hash64_set_isi(cs, mmu_idx, srr1);
1052         } else {
1053             int dsisr = 0;
1054             if (need_prot & ~pp_prot) {
1055                 dsisr |= DSISR_PROTFAULT;
1056             }
1057             if (access_type == MMU_DATA_STORE) {
1058                 dsisr |= DSISR_ISSTORE;
1059             }
1060             if (need_prot & ~amr_prot) {
1061                 dsisr |= DSISR_AMR;
1062             }
1063             ppc_hash64_set_dsi(cs, mmu_idx, eaddr, dsisr);
1064         }
1065         return false;
1066     }
1067 
1068     qemu_log_mask(CPU_LOG_MMU, "PTE access granted !\n");
1069 
1070     /* 6. Update PTE referenced and changed bits if necessary */
1071 
1072     if (!(pte.pte1 & HPTE64_R_R)) {
1073         ppc_hash64_set_r(cpu, ptex, pte.pte1);
1074     }
1075     if (!(pte.pte1 & HPTE64_R_C)) {
1076         if (access_type == MMU_DATA_STORE) {
1077             ppc_hash64_set_c(cpu, ptex, pte.pte1);
1078         } else {
1079             /*
1080              * Treat the page as read-only for now, so that a later write
1081              * will pass through this function again to set the C bit
1082              */
1083             prot &= ~PAGE_WRITE;
1084         }
1085     }
1086 
1087     /* 7. Determine the real address from the PTE */
1088 
1089     *raddrp = deposit64(pte.pte1 & HPTE64_R_RPN, 0, apshift, eaddr);
1090     *protp = prot;
1091     *psizep = apshift;
1092     return true;
1093 }
1094 
1095 void ppc_hash64_tlb_flush_hpte(PowerPCCPU *cpu, target_ulong ptex,
1096                                target_ulong pte0, target_ulong pte1)
1097 {
1098     /*
1099      * XXX: given the fact that there are too many segments to
1100      * invalidate, and we still don't have a tlb_flush_mask(env, n,
1101      * mask) in QEMU, we just invalidate all TLBs
1102      */
1103     cpu->env.tlb_need_flush = TLB_NEED_GLOBAL_FLUSH | TLB_NEED_LOCAL_FLUSH;
1104 }
1105 
1106 #ifdef CONFIG_TCG
1107 void helper_store_lpcr(CPUPPCState *env, target_ulong val)
1108 {
1109     PowerPCCPU *cpu = env_archcpu(env);
1110 
1111     ppc_store_lpcr(cpu, val);
1112 }
1113 #endif
1114 
1115 void ppc_hash64_init(PowerPCCPU *cpu)
1116 {
1117     CPUPPCState *env = &cpu->env;
1118     PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cpu);
1119 
1120     if (!pcc->hash64_opts) {
1121         assert(!mmu_is_64bit(env->mmu_model));
1122         return;
1123     }
1124 
1125     cpu->hash64_opts = g_memdup(pcc->hash64_opts, sizeof(*cpu->hash64_opts));
1126 }
1127 
1128 void ppc_hash64_finalize(PowerPCCPU *cpu)
1129 {
1130     g_free(cpu->hash64_opts);
1131 }
1132 
1133 const PPCHash64Options ppc_hash64_opts_basic = {
1134     .flags = 0,
1135     .slb_size = 64,
1136     .sps = {
1137         { .page_shift = 12, /* 4K */
1138           .slb_enc = 0,
1139           .enc = { { .page_shift = 12, .pte_enc = 0 } }
1140         },
1141         { .page_shift = 24, /* 16M */
1142           .slb_enc = 0x100,
1143           .enc = { { .page_shift = 24, .pte_enc = 0 } }
1144         },
1145     },
1146 };
1147 
1148 const PPCHash64Options ppc_hash64_opts_POWER7 = {
1149     .flags = PPC_HASH64_1TSEG | PPC_HASH64_AMR | PPC_HASH64_CI_LARGEPAGE,
1150     .slb_size = 32,
1151     .sps = {
1152         {
1153             .page_shift = 12, /* 4K */
1154             .slb_enc = 0,
1155             .enc = { { .page_shift = 12, .pte_enc = 0 },
1156                      { .page_shift = 16, .pte_enc = 0x7 },
1157                      { .page_shift = 24, .pte_enc = 0x38 }, },
1158         },
1159         {
1160             .page_shift = 16, /* 64K */
1161             .slb_enc = SLB_VSID_64K,
1162             .enc = { { .page_shift = 16, .pte_enc = 0x1 },
1163                      { .page_shift = 24, .pte_enc = 0x8 }, },
1164         },
1165         {
1166             .page_shift = 24, /* 16M */
1167             .slb_enc = SLB_VSID_16M,
1168             .enc = { { .page_shift = 24, .pte_enc = 0 }, },
1169         },
1170         {
1171             .page_shift = 34, /* 16G */
1172             .slb_enc = SLB_VSID_16G,
1173             .enc = { { .page_shift = 34, .pte_enc = 0x3 }, },
1174         },
1175     }
1176 };
1177 
1178 
1179