1 /* 2 * PowerPC Radix MMU mulation helpers for QEMU. 3 * 4 * Copyright (c) 2016 Suraj Jitindar Singh, IBM Corporation 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 */ 19 20 #include "qemu/osdep.h" 21 #include "cpu.h" 22 #include "exec/exec-all.h" 23 #include "qemu/error-report.h" 24 #include "sysemu/kvm.h" 25 #include "kvm_ppc.h" 26 #include "exec/log.h" 27 #include "internal.h" 28 #include "mmu-radix64.h" 29 #include "mmu-book3s-v3.h" 30 31 static bool ppc_radix64_get_fully_qualified_addr(const CPUPPCState *env, 32 vaddr eaddr, 33 uint64_t *lpid, uint64_t *pid) 34 { 35 /* When EA(2:11) are nonzero, raise a segment interrupt */ 36 if (eaddr & ~R_EADDR_VALID_MASK) { 37 return false; 38 } 39 40 if (msr_hv) { /* MSR[HV] -> Hypervisor/bare metal */ 41 switch (eaddr & R_EADDR_QUADRANT) { 42 case R_EADDR_QUADRANT0: 43 *lpid = 0; 44 *pid = env->spr[SPR_BOOKS_PID]; 45 break; 46 case R_EADDR_QUADRANT1: 47 *lpid = env->spr[SPR_LPIDR]; 48 *pid = env->spr[SPR_BOOKS_PID]; 49 break; 50 case R_EADDR_QUADRANT2: 51 *lpid = env->spr[SPR_LPIDR]; 52 *pid = 0; 53 break; 54 case R_EADDR_QUADRANT3: 55 *lpid = 0; 56 *pid = 0; 57 break; 58 default: 59 g_assert_not_reached(); 60 } 61 } else { /* !MSR[HV] -> Guest */ 62 switch (eaddr & R_EADDR_QUADRANT) { 63 case R_EADDR_QUADRANT0: /* Guest application */ 64 *lpid = env->spr[SPR_LPIDR]; 65 *pid = env->spr[SPR_BOOKS_PID]; 66 break; 67 case R_EADDR_QUADRANT1: /* Illegal */ 68 case R_EADDR_QUADRANT2: 69 return false; 70 case R_EADDR_QUADRANT3: /* Guest OS */ 71 *lpid = env->spr[SPR_LPIDR]; 72 *pid = 0; /* pid set to 0 -> addresses guest operating system */ 73 break; 74 default: 75 g_assert_not_reached(); 76 } 77 } 78 79 return true; 80 } 81 82 static void ppc_radix64_raise_segi(PowerPCCPU *cpu, MMUAccessType access_type, 83 vaddr eaddr) 84 { 85 CPUState *cs = CPU(cpu); 86 CPUPPCState *env = &cpu->env; 87 88 switch (access_type) { 89 case MMU_INST_FETCH: 90 /* Instruction Segment Interrupt */ 91 cs->exception_index = POWERPC_EXCP_ISEG; 92 break; 93 case MMU_DATA_STORE: 94 case MMU_DATA_LOAD: 95 /* Data Segment Interrupt */ 96 cs->exception_index = POWERPC_EXCP_DSEG; 97 env->spr[SPR_DAR] = eaddr; 98 break; 99 default: 100 g_assert_not_reached(); 101 } 102 env->error_code = 0; 103 } 104 105 static inline const char *access_str(MMUAccessType access_type) 106 { 107 return access_type == MMU_DATA_LOAD ? "reading" : 108 (access_type == MMU_DATA_STORE ? "writing" : "execute"); 109 } 110 111 static void ppc_radix64_raise_si(PowerPCCPU *cpu, MMUAccessType access_type, 112 vaddr eaddr, uint32_t cause) 113 { 114 CPUState *cs = CPU(cpu); 115 CPUPPCState *env = &cpu->env; 116 117 qemu_log_mask(CPU_LOG_MMU, "%s for %s @0x%"VADDR_PRIx" cause %08x\n", 118 __func__, access_str(access_type), 119 eaddr, cause); 120 121 switch (access_type) { 122 case MMU_INST_FETCH: 123 /* Instruction Storage Interrupt */ 124 cs->exception_index = POWERPC_EXCP_ISI; 125 env->error_code = cause; 126 break; 127 case MMU_DATA_STORE: 128 cause |= DSISR_ISSTORE; 129 /* fall through */ 130 case MMU_DATA_LOAD: 131 /* Data Storage Interrupt */ 132 cs->exception_index = POWERPC_EXCP_DSI; 133 env->spr[SPR_DSISR] = cause; 134 env->spr[SPR_DAR] = eaddr; 135 env->error_code = 0; 136 break; 137 default: 138 g_assert_not_reached(); 139 } 140 } 141 142 static void ppc_radix64_raise_hsi(PowerPCCPU *cpu, MMUAccessType access_type, 143 vaddr eaddr, hwaddr g_raddr, uint32_t cause) 144 { 145 CPUState *cs = CPU(cpu); 146 CPUPPCState *env = &cpu->env; 147 148 qemu_log_mask(CPU_LOG_MMU, "%s for %s @0x%"VADDR_PRIx" 0x%" 149 HWADDR_PRIx" cause %08x\n", 150 __func__, access_str(access_type), 151 eaddr, g_raddr, cause); 152 153 switch (access_type) { 154 case MMU_INST_FETCH: 155 /* H Instruction Storage Interrupt */ 156 cs->exception_index = POWERPC_EXCP_HISI; 157 env->spr[SPR_ASDR] = g_raddr; 158 env->error_code = cause; 159 break; 160 case MMU_DATA_STORE: 161 cause |= DSISR_ISSTORE; 162 /* fall through */ 163 case MMU_DATA_LOAD: 164 /* H Data Storage Interrupt */ 165 cs->exception_index = POWERPC_EXCP_HDSI; 166 env->spr[SPR_HDSISR] = cause; 167 env->spr[SPR_HDAR] = eaddr; 168 env->spr[SPR_ASDR] = g_raddr; 169 env->error_code = 0; 170 break; 171 default: 172 g_assert_not_reached(); 173 } 174 } 175 176 static bool ppc_radix64_check_prot(PowerPCCPU *cpu, MMUAccessType access_type, 177 uint64_t pte, int *fault_cause, int *prot, 178 int mmu_idx, bool partition_scoped) 179 { 180 CPUPPCState *env = &cpu->env; 181 int need_prot; 182 183 /* Check Page Attributes (pte58:59) */ 184 if ((pte & R_PTE_ATT) == R_PTE_ATT_NI_IO && access_type == MMU_INST_FETCH) { 185 /* 186 * Radix PTE entries with the non-idempotent I/O attribute are treated 187 * as guarded storage 188 */ 189 *fault_cause |= SRR1_NOEXEC_GUARD; 190 return true; 191 } 192 193 /* Determine permissions allowed by Encoded Access Authority */ 194 if (!partition_scoped && (pte & R_PTE_EAA_PRIV) && msr_pr) { 195 *prot = 0; 196 } else if (mmuidx_pr(mmu_idx) || (pte & R_PTE_EAA_PRIV) || 197 partition_scoped) { 198 *prot = ppc_radix64_get_prot_eaa(pte); 199 } else { /* !msr_pr && !(pte & R_PTE_EAA_PRIV) && !partition_scoped */ 200 *prot = ppc_radix64_get_prot_eaa(pte); 201 *prot &= ppc_radix64_get_prot_amr(cpu); /* Least combined permissions */ 202 } 203 204 /* Check if requested access type is allowed */ 205 need_prot = prot_for_access_type(access_type); 206 if (need_prot & ~*prot) { /* Page Protected for that Access */ 207 *fault_cause |= DSISR_PROTFAULT; 208 return true; 209 } 210 211 return false; 212 } 213 214 static void ppc_radix64_set_rc(PowerPCCPU *cpu, MMUAccessType access_type, 215 uint64_t pte, hwaddr pte_addr, int *prot) 216 { 217 CPUState *cs = CPU(cpu); 218 uint64_t npte; 219 220 npte = pte | R_PTE_R; /* Always set reference bit */ 221 222 if (access_type == MMU_DATA_STORE) { /* Store/Write */ 223 npte |= R_PTE_C; /* Set change bit */ 224 } else { 225 /* 226 * Treat the page as read-only for now, so that a later write 227 * will pass through this function again to set the C bit. 228 */ 229 *prot &= ~PAGE_WRITE; 230 } 231 232 if (pte ^ npte) { /* If pte has changed then write it back */ 233 stq_phys(cs->as, pte_addr, npte); 234 } 235 } 236 237 static int ppc_radix64_next_level(AddressSpace *as, vaddr eaddr, 238 uint64_t *pte_addr, uint64_t *nls, 239 int *psize, uint64_t *pte, int *fault_cause) 240 { 241 uint64_t index, pde; 242 243 if (*nls < 5) { /* Directory maps less than 2**5 entries */ 244 *fault_cause |= DSISR_R_BADCONFIG; 245 return 1; 246 } 247 248 /* Read page <directory/table> entry from guest address space */ 249 pde = ldq_phys(as, *pte_addr); 250 if (!(pde & R_PTE_VALID)) { /* Invalid Entry */ 251 *fault_cause |= DSISR_NOPTE; 252 return 1; 253 } 254 255 *pte = pde; 256 *psize -= *nls; 257 if (!(pde & R_PTE_LEAF)) { /* Prepare for next iteration */ 258 *nls = pde & R_PDE_NLS; 259 index = eaddr >> (*psize - *nls); /* Shift */ 260 index &= ((1UL << *nls) - 1); /* Mask */ 261 *pte_addr = (pde & R_PDE_NLB) + (index * sizeof(pde)); 262 } 263 return 0; 264 } 265 266 static int ppc_radix64_walk_tree(AddressSpace *as, vaddr eaddr, 267 uint64_t base_addr, uint64_t nls, 268 hwaddr *raddr, int *psize, uint64_t *pte, 269 int *fault_cause, hwaddr *pte_addr) 270 { 271 uint64_t index, pde, rpn , mask; 272 273 if (nls < 5) { /* Directory maps less than 2**5 entries */ 274 *fault_cause |= DSISR_R_BADCONFIG; 275 return 1; 276 } 277 278 index = eaddr >> (*psize - nls); /* Shift */ 279 index &= ((1UL << nls) - 1); /* Mask */ 280 *pte_addr = base_addr + (index * sizeof(pde)); 281 do { 282 int ret; 283 284 ret = ppc_radix64_next_level(as, eaddr, pte_addr, &nls, psize, &pde, 285 fault_cause); 286 if (ret) { 287 return ret; 288 } 289 } while (!(pde & R_PTE_LEAF)); 290 291 *pte = pde; 292 rpn = pde & R_PTE_RPN; 293 mask = (1UL << *psize) - 1; 294 295 /* Or high bits of rpn and low bits to ea to form whole real addr */ 296 *raddr = (rpn & ~mask) | (eaddr & mask); 297 return 0; 298 } 299 300 static bool validate_pate(PowerPCCPU *cpu, uint64_t lpid, ppc_v3_pate_t *pate) 301 { 302 CPUPPCState *env = &cpu->env; 303 304 if (!(pate->dw0 & PATE0_HR)) { 305 return false; 306 } 307 if (lpid == 0 && !msr_hv) { 308 return false; 309 } 310 if ((pate->dw0 & PATE1_R_PRTS) < 5) { 311 return false; 312 } 313 /* More checks ... */ 314 return true; 315 } 316 317 static int ppc_radix64_partition_scoped_xlate(PowerPCCPU *cpu, 318 MMUAccessType access_type, 319 vaddr eaddr, hwaddr g_raddr, 320 ppc_v3_pate_t pate, 321 hwaddr *h_raddr, int *h_prot, 322 int *h_page_size, bool pde_addr, 323 int mmu_idx, bool guest_visible) 324 { 325 int fault_cause = 0; 326 hwaddr pte_addr; 327 uint64_t pte; 328 329 qemu_log_mask(CPU_LOG_MMU, "%s for %s @0x%"VADDR_PRIx 330 " mmu_idx %u 0x%"HWADDR_PRIx"\n", 331 __func__, access_str(access_type), 332 eaddr, mmu_idx, g_raddr); 333 334 *h_page_size = PRTBE_R_GET_RTS(pate.dw0); 335 /* No valid pte or access denied due to protection */ 336 if (ppc_radix64_walk_tree(CPU(cpu)->as, g_raddr, pate.dw0 & PRTBE_R_RPDB, 337 pate.dw0 & PRTBE_R_RPDS, h_raddr, h_page_size, 338 &pte, &fault_cause, &pte_addr) || 339 ppc_radix64_check_prot(cpu, access_type, pte, 340 &fault_cause, h_prot, mmu_idx, true)) { 341 if (pde_addr) { /* address being translated was that of a guest pde */ 342 fault_cause |= DSISR_PRTABLE_FAULT; 343 } 344 if (guest_visible) { 345 ppc_radix64_raise_hsi(cpu, access_type, eaddr, g_raddr, fault_cause); 346 } 347 return 1; 348 } 349 350 if (guest_visible) { 351 ppc_radix64_set_rc(cpu, access_type, pte, pte_addr, h_prot); 352 } 353 354 return 0; 355 } 356 357 static int ppc_radix64_process_scoped_xlate(PowerPCCPU *cpu, 358 MMUAccessType access_type, 359 vaddr eaddr, uint64_t pid, 360 ppc_v3_pate_t pate, hwaddr *g_raddr, 361 int *g_prot, int *g_page_size, 362 int mmu_idx, bool guest_visible) 363 { 364 CPUState *cs = CPU(cpu); 365 CPUPPCState *env = &cpu->env; 366 uint64_t offset, size, prtbe_addr, prtbe0, base_addr, nls, index, pte; 367 int fault_cause = 0, h_page_size, h_prot; 368 hwaddr h_raddr, pte_addr; 369 int ret; 370 371 qemu_log_mask(CPU_LOG_MMU, "%s for %s @0x%"VADDR_PRIx 372 " mmu_idx %u pid %"PRIu64"\n", 373 __func__, access_str(access_type), 374 eaddr, mmu_idx, pid); 375 376 /* Index Process Table by PID to Find Corresponding Process Table Entry */ 377 offset = pid * sizeof(struct prtb_entry); 378 size = 1ULL << ((pate.dw1 & PATE1_R_PRTS) + 12); 379 if (offset >= size) { 380 /* offset exceeds size of the process table */ 381 if (guest_visible) { 382 ppc_radix64_raise_si(cpu, access_type, eaddr, DSISR_NOPTE); 383 } 384 return 1; 385 } 386 prtbe_addr = (pate.dw1 & PATE1_R_PRTB) + offset; 387 388 if (cpu->vhyp) { 389 prtbe0 = ldq_phys(cs->as, prtbe_addr); 390 } else { 391 /* 392 * Process table addresses are subject to partition-scoped 393 * translation 394 * 395 * On a Radix host, the partition-scoped page table for LPID=0 396 * is only used to translate the effective addresses of the 397 * process table entries. 398 */ 399 ret = ppc_radix64_partition_scoped_xlate(cpu, 0, eaddr, prtbe_addr, 400 pate, &h_raddr, &h_prot, 401 &h_page_size, true, 402 /* mmu_idx is 5 because we're translating from hypervisor scope */ 403 5, guest_visible); 404 if (ret) { 405 return ret; 406 } 407 prtbe0 = ldq_phys(cs->as, h_raddr); 408 } 409 410 /* Walk Radix Tree from Process Table Entry to Convert EA to RA */ 411 *g_page_size = PRTBE_R_GET_RTS(prtbe0); 412 base_addr = prtbe0 & PRTBE_R_RPDB; 413 nls = prtbe0 & PRTBE_R_RPDS; 414 if (msr_hv || cpu->vhyp) { 415 /* 416 * Can treat process table addresses as real addresses 417 */ 418 ret = ppc_radix64_walk_tree(cs->as, eaddr & R_EADDR_MASK, base_addr, 419 nls, g_raddr, g_page_size, &pte, 420 &fault_cause, &pte_addr); 421 if (ret) { 422 /* No valid PTE */ 423 if (guest_visible) { 424 ppc_radix64_raise_si(cpu, access_type, eaddr, fault_cause); 425 } 426 return ret; 427 } 428 } else { 429 uint64_t rpn, mask; 430 431 index = (eaddr & R_EADDR_MASK) >> (*g_page_size - nls); /* Shift */ 432 index &= ((1UL << nls) - 1); /* Mask */ 433 pte_addr = base_addr + (index * sizeof(pte)); 434 435 /* 436 * Each process table address is subject to a partition-scoped 437 * translation 438 */ 439 do { 440 ret = ppc_radix64_partition_scoped_xlate(cpu, 0, eaddr, pte_addr, 441 pate, &h_raddr, &h_prot, 442 &h_page_size, true, 443 /* mmu_idx is 5 because we're translating from hypervisor scope */ 444 5, guest_visible); 445 if (ret) { 446 return ret; 447 } 448 449 ret = ppc_radix64_next_level(cs->as, eaddr & R_EADDR_MASK, &h_raddr, 450 &nls, g_page_size, &pte, &fault_cause); 451 if (ret) { 452 /* No valid pte */ 453 if (guest_visible) { 454 ppc_radix64_raise_si(cpu, access_type, eaddr, fault_cause); 455 } 456 return ret; 457 } 458 pte_addr = h_raddr; 459 } while (!(pte & R_PTE_LEAF)); 460 461 rpn = pte & R_PTE_RPN; 462 mask = (1UL << *g_page_size) - 1; 463 464 /* Or high bits of rpn and low bits to ea to form whole real addr */ 465 *g_raddr = (rpn & ~mask) | (eaddr & mask); 466 } 467 468 if (ppc_radix64_check_prot(cpu, access_type, pte, &fault_cause, 469 g_prot, mmu_idx, false)) { 470 /* Access denied due to protection */ 471 if (guest_visible) { 472 ppc_radix64_raise_si(cpu, access_type, eaddr, fault_cause); 473 } 474 return 1; 475 } 476 477 if (guest_visible) { 478 ppc_radix64_set_rc(cpu, access_type, pte, pte_addr, g_prot); 479 } 480 481 return 0; 482 } 483 484 /* 485 * Radix tree translation is a 2 steps translation process: 486 * 487 * 1. Process-scoped translation: Guest Eff Addr -> Guest Real Addr 488 * 2. Partition-scoped translation: Guest Real Addr -> Host Real Addr 489 * 490 * MSR[HV] 491 * +-------------+----------------+---------------+ 492 * | | HV = 0 | HV = 1 | 493 * +-------------+----------------+---------------+ 494 * | Relocation | Partition | No | 495 * | = Off | Scoped | Translation | 496 * Relocation +-------------+----------------+---------------+ 497 * | Relocation | Partition & | Process | 498 * | = On | Process Scoped | Scoped | 499 * +-------------+----------------+---------------+ 500 */ 501 static bool ppc_radix64_xlate_impl(PowerPCCPU *cpu, vaddr eaddr, 502 MMUAccessType access_type, hwaddr *raddr, 503 int *psizep, int *protp, int mmu_idx, 504 bool guest_visible) 505 { 506 CPUPPCState *env = &cpu->env; 507 uint64_t lpid, pid; 508 ppc_v3_pate_t pate; 509 int psize, prot; 510 hwaddr g_raddr; 511 bool relocation; 512 513 assert(!(mmuidx_hv(mmu_idx) && cpu->vhyp)); 514 515 relocation = !mmuidx_real(mmu_idx); 516 517 /* HV or virtual hypervisor Real Mode Access */ 518 if (!relocation && (mmuidx_hv(mmu_idx) || cpu->vhyp)) { 519 /* In real mode top 4 effective addr bits (mostly) ignored */ 520 *raddr = eaddr & 0x0FFFFFFFFFFFFFFFULL; 521 522 /* In HV mode, add HRMOR if top EA bit is clear */ 523 if (mmuidx_hv(mmu_idx) || !env->has_hv_mode) { 524 if (!(eaddr >> 63)) { 525 *raddr |= env->spr[SPR_HRMOR]; 526 } 527 } 528 *protp = PAGE_READ | PAGE_WRITE | PAGE_EXEC; 529 *psizep = TARGET_PAGE_BITS; 530 return true; 531 } 532 533 /* 534 * Check UPRT (we avoid the check in real mode to deal with 535 * transitional states during kexec. 536 */ 537 if (guest_visible && !ppc64_use_proc_tbl(cpu)) { 538 qemu_log_mask(LOG_GUEST_ERROR, 539 "LPCR:UPRT not set in radix mode ! LPCR=" 540 TARGET_FMT_lx "\n", env->spr[SPR_LPCR]); 541 } 542 543 /* Virtual Mode Access - get the fully qualified address */ 544 if (!ppc_radix64_get_fully_qualified_addr(&cpu->env, eaddr, &lpid, &pid)) { 545 if (guest_visible) { 546 ppc_radix64_raise_segi(cpu, access_type, eaddr); 547 } 548 return false; 549 } 550 551 /* Get Process Table */ 552 if (cpu->vhyp) { 553 PPCVirtualHypervisorClass *vhc; 554 vhc = PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp); 555 vhc->get_pate(cpu->vhyp, &pate); 556 } else { 557 if (!ppc64_v3_get_pate(cpu, lpid, &pate)) { 558 if (guest_visible) { 559 ppc_radix64_raise_si(cpu, access_type, eaddr, DSISR_NOPTE); 560 } 561 return false; 562 } 563 if (!validate_pate(cpu, lpid, &pate)) { 564 if (guest_visible) { 565 ppc_radix64_raise_si(cpu, access_type, eaddr, DSISR_R_BADCONFIG); 566 } 567 return false; 568 } 569 } 570 571 *psizep = INT_MAX; 572 *protp = PAGE_READ | PAGE_WRITE | PAGE_EXEC; 573 574 /* 575 * Perform process-scoped translation if relocation enabled. 576 * 577 * - Translates an effective address to a host real address in 578 * quadrants 0 and 3 when HV=1. 579 * 580 * - Translates an effective address to a guest real address. 581 */ 582 if (relocation) { 583 int ret = ppc_radix64_process_scoped_xlate(cpu, access_type, eaddr, pid, 584 pate, &g_raddr, &prot, 585 &psize, mmu_idx, guest_visible); 586 if (ret) { 587 return false; 588 } 589 *psizep = MIN(*psizep, psize); 590 *protp &= prot; 591 } else { 592 g_raddr = eaddr & R_EADDR_MASK; 593 } 594 595 if (cpu->vhyp) { 596 *raddr = g_raddr; 597 } else { 598 /* 599 * Perform partition-scoped translation if !HV or HV access to 600 * quadrants 1 or 2. Translates a guest real address to a host 601 * real address. 602 */ 603 if (lpid || !mmuidx_hv(mmu_idx)) { 604 int ret; 605 606 ret = ppc_radix64_partition_scoped_xlate(cpu, access_type, eaddr, 607 g_raddr, pate, raddr, 608 &prot, &psize, false, 609 mmu_idx, guest_visible); 610 if (ret) { 611 return false; 612 } 613 *psizep = MIN(*psizep, psize); 614 *protp &= prot; 615 } else { 616 *raddr = g_raddr; 617 } 618 } 619 620 return true; 621 } 622 623 bool ppc_radix64_xlate(PowerPCCPU *cpu, vaddr eaddr, MMUAccessType access_type, 624 hwaddr *raddrp, int *psizep, int *protp, int mmu_idx, 625 bool guest_visible) 626 { 627 bool ret = ppc_radix64_xlate_impl(cpu, eaddr, access_type, raddrp, 628 psizep, protp, mmu_idx, guest_visible); 629 630 qemu_log_mask(CPU_LOG_MMU, "%s for %s @0x%"VADDR_PRIx 631 " mmu_idx %u (prot %c%c%c) -> 0x%"HWADDR_PRIx"\n", 632 __func__, access_str(access_type), 633 eaddr, mmu_idx, 634 *protp & PAGE_READ ? 'r' : '-', 635 *protp & PAGE_WRITE ? 'w' : '-', 636 *protp & PAGE_EXEC ? 'x' : '-', 637 *raddrp); 638 639 return ret; 640 } 641