1 /* 2 * QEMU RISC-V PMP (Physical Memory Protection) 3 * 4 * Author: Daire McNamara, daire.mcnamara@emdalo.com 5 * Ivan Griffin, ivan.griffin@emdalo.com 6 * 7 * This provides a RISC-V Physical Memory Protection implementation 8 * 9 * This program is free software; you can redistribute it and/or modify it 10 * under the terms and conditions of the GNU General Public License, 11 * version 2 or later, as published by the Free Software Foundation. 12 * 13 * This program is distributed in the hope it will be useful, but WITHOUT 14 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 15 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 16 * more details. 17 * 18 * You should have received a copy of the GNU General Public License along with 19 * this program. If not, see <http://www.gnu.org/licenses/>. 20 */ 21 22 /* 23 * PMP (Physical Memory Protection) is as-of-yet unused and needs testing. 24 */ 25 26 #include "qemu/osdep.h" 27 #include "qemu/log.h" 28 #include "qapi/error.h" 29 #include "cpu.h" 30 #include "trace.h" 31 #include "exec/exec-all.h" 32 33 static void pmp_write_cfg(CPURISCVState *env, uint32_t addr_index, 34 uint8_t val); 35 static uint8_t pmp_read_cfg(CPURISCVState *env, uint32_t addr_index); 36 static void pmp_update_rule(CPURISCVState *env, uint32_t pmp_index); 37 38 /* 39 * Accessor method to extract address matching type 'a field' from cfg reg 40 */ 41 static inline uint8_t pmp_get_a_field(uint8_t cfg) 42 { 43 uint8_t a = cfg >> 3; 44 return a & 0x3; 45 } 46 47 /* 48 * Check whether a PMP is locked or not. 49 */ 50 static inline int pmp_is_locked(CPURISCVState *env, uint32_t pmp_index) 51 { 52 53 if (env->pmp_state.pmp[pmp_index].cfg_reg & PMP_LOCK) { 54 return 1; 55 } 56 57 /* Top PMP has no 'next' to check */ 58 if ((pmp_index + 1u) >= MAX_RISCV_PMPS) { 59 return 0; 60 } 61 62 return 0; 63 } 64 65 /* 66 * Count the number of active rules. 67 */ 68 uint32_t pmp_get_num_rules(CPURISCVState *env) 69 { 70 return env->pmp_state.num_rules; 71 } 72 73 /* 74 * Accessor to get the cfg reg for a specific PMP/HART 75 */ 76 static inline uint8_t pmp_read_cfg(CPURISCVState *env, uint32_t pmp_index) 77 { 78 if (pmp_index < MAX_RISCV_PMPS) { 79 return env->pmp_state.pmp[pmp_index].cfg_reg; 80 } 81 82 return 0; 83 } 84 85 86 /* 87 * Accessor to set the cfg reg for a specific PMP/HART 88 * Bounds checks and relevant lock bit. 89 */ 90 static void pmp_write_cfg(CPURISCVState *env, uint32_t pmp_index, uint8_t val) 91 { 92 if (pmp_index < MAX_RISCV_PMPS) { 93 if (!pmp_is_locked(env, pmp_index)) { 94 env->pmp_state.pmp[pmp_index].cfg_reg = val; 95 pmp_update_rule(env, pmp_index); 96 } else { 97 qemu_log_mask(LOG_GUEST_ERROR, "ignoring pmpcfg write - locked\n"); 98 } 99 } else { 100 qemu_log_mask(LOG_GUEST_ERROR, 101 "ignoring pmpcfg write - out of bounds\n"); 102 } 103 } 104 105 static void pmp_decode_napot(target_ulong a, target_ulong *sa, target_ulong *ea) 106 { 107 /* 108 aaaa...aaa0 8-byte NAPOT range 109 aaaa...aa01 16-byte NAPOT range 110 aaaa...a011 32-byte NAPOT range 111 ... 112 aa01...1111 2^XLEN-byte NAPOT range 113 a011...1111 2^(XLEN+1)-byte NAPOT range 114 0111...1111 2^(XLEN+2)-byte NAPOT range 115 1111...1111 Reserved 116 */ 117 if (a == -1) { 118 *sa = 0u; 119 *ea = -1; 120 return; 121 } else { 122 target_ulong t1 = ctz64(~a); 123 target_ulong base = (a & ~(((target_ulong)1 << t1) - 1)) << 2; 124 target_ulong range = ((target_ulong)1 << (t1 + 3)) - 1; 125 *sa = base; 126 *ea = base + range; 127 } 128 } 129 130 void pmp_update_rule_addr(CPURISCVState *env, uint32_t pmp_index) 131 { 132 uint8_t this_cfg = env->pmp_state.pmp[pmp_index].cfg_reg; 133 target_ulong this_addr = env->pmp_state.pmp[pmp_index].addr_reg; 134 target_ulong prev_addr = 0u; 135 target_ulong sa = 0u; 136 target_ulong ea = 0u; 137 138 if (pmp_index >= 1u) { 139 prev_addr = env->pmp_state.pmp[pmp_index - 1].addr_reg; 140 } 141 142 switch (pmp_get_a_field(this_cfg)) { 143 case PMP_AMATCH_OFF: 144 sa = 0u; 145 ea = -1; 146 break; 147 148 case PMP_AMATCH_TOR: 149 sa = prev_addr << 2; /* shift up from [xx:0] to [xx+2:2] */ 150 ea = (this_addr << 2) - 1u; 151 break; 152 153 case PMP_AMATCH_NA4: 154 sa = this_addr << 2; /* shift up from [xx:0] to [xx+2:2] */ 155 ea = (sa + 4u) - 1u; 156 break; 157 158 case PMP_AMATCH_NAPOT: 159 pmp_decode_napot(this_addr, &sa, &ea); 160 break; 161 162 default: 163 sa = 0u; 164 ea = 0u; 165 break; 166 } 167 168 env->pmp_state.addr[pmp_index].sa = sa; 169 env->pmp_state.addr[pmp_index].ea = ea; 170 } 171 172 void pmp_update_rule_nums(CPURISCVState *env) 173 { 174 int i; 175 176 env->pmp_state.num_rules = 0; 177 for (i = 0; i < MAX_RISCV_PMPS; i++) { 178 const uint8_t a_field = 179 pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg); 180 if (PMP_AMATCH_OFF != a_field) { 181 env->pmp_state.num_rules++; 182 } 183 } 184 } 185 186 /* Convert cfg/addr reg values here into simple 'sa' --> start address and 'ea' 187 * end address values. 188 * This function is called relatively infrequently whereas the check that 189 * an address is within a pmp rule is called often, so optimise that one 190 */ 191 static void pmp_update_rule(CPURISCVState *env, uint32_t pmp_index) 192 { 193 pmp_update_rule_addr(env, pmp_index); 194 pmp_update_rule_nums(env); 195 } 196 197 static int pmp_is_in_range(CPURISCVState *env, int pmp_index, target_ulong addr) 198 { 199 int result = 0; 200 201 if ((addr >= env->pmp_state.addr[pmp_index].sa) 202 && (addr <= env->pmp_state.addr[pmp_index].ea)) { 203 result = 1; 204 } else { 205 result = 0; 206 } 207 208 return result; 209 } 210 211 /* 212 * Check if the address has required RWX privs when no PMP entry is matched. 213 */ 214 static bool pmp_hart_has_privs_default(CPURISCVState *env, target_ulong addr, 215 target_ulong size, pmp_priv_t privs, pmp_priv_t *allowed_privs, 216 target_ulong mode) 217 { 218 bool ret; 219 220 if ((!riscv_feature(env, RISCV_FEATURE_PMP)) || (mode == PRV_M)) { 221 /* 222 * Privileged spec v1.10 states if HW doesn't implement any PMP entry 223 * or no PMP entry matches an M-Mode access, the access succeeds. 224 */ 225 ret = true; 226 *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC; 227 } else { 228 /* 229 * Other modes are not allowed to succeed if they don't * match a rule, 230 * but there are rules. We've checked for no rule earlier in this 231 * function. 232 */ 233 ret = false; 234 *allowed_privs = 0; 235 } 236 237 return ret; 238 } 239 240 241 /* 242 * Public Interface 243 */ 244 245 /* 246 * Check if the address has required RWX privs to complete desired operation 247 */ 248 bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr, 249 target_ulong size, pmp_priv_t privs, pmp_priv_t *allowed_privs, 250 target_ulong mode) 251 { 252 int i = 0; 253 int ret = -1; 254 int pmp_size = 0; 255 target_ulong s = 0; 256 target_ulong e = 0; 257 258 /* Short cut if no rules */ 259 if (0 == pmp_get_num_rules(env)) { 260 return pmp_hart_has_privs_default(env, addr, size, privs, 261 allowed_privs, mode); 262 } 263 264 if (size == 0) { 265 if (riscv_feature(env, RISCV_FEATURE_MMU)) { 266 /* 267 * If size is unknown (0), assume that all bytes 268 * from addr to the end of the page will be accessed. 269 */ 270 pmp_size = -(addr | TARGET_PAGE_MASK); 271 } else { 272 pmp_size = sizeof(target_ulong); 273 } 274 } else { 275 pmp_size = size; 276 } 277 278 /* 1.10 draft priv spec states there is an implicit order 279 from low to high */ 280 for (i = 0; i < MAX_RISCV_PMPS; i++) { 281 s = pmp_is_in_range(env, i, addr); 282 e = pmp_is_in_range(env, i, addr + pmp_size - 1); 283 284 /* partially inside */ 285 if ((s + e) == 1) { 286 qemu_log_mask(LOG_GUEST_ERROR, 287 "pmp violation - access is partially inside\n"); 288 ret = 0; 289 break; 290 } 291 292 /* fully inside */ 293 const uint8_t a_field = 294 pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg); 295 296 /* 297 * If the PMP entry is not off and the address is in range, do the priv 298 * check 299 */ 300 if (((s + e) == 2) && (PMP_AMATCH_OFF != a_field)) { 301 *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC; 302 if ((mode != PRV_M) || pmp_is_locked(env, i)) { 303 *allowed_privs &= env->pmp_state.pmp[i].cfg_reg; 304 } 305 306 ret = ((privs & *allowed_privs) == privs); 307 break; 308 } 309 } 310 311 /* No rule matched */ 312 if (ret == -1) { 313 return pmp_hart_has_privs_default(env, addr, size, privs, 314 allowed_privs, mode); 315 } 316 317 return ret == 1 ? true : false; 318 } 319 320 /* 321 * Handle a write to a pmpcfg CSP 322 */ 323 void pmpcfg_csr_write(CPURISCVState *env, uint32_t reg_index, 324 target_ulong val) 325 { 326 int i; 327 uint8_t cfg_val; 328 329 trace_pmpcfg_csr_write(env->mhartid, reg_index, val); 330 331 if ((reg_index & 1) && (sizeof(target_ulong) == 8)) { 332 qemu_log_mask(LOG_GUEST_ERROR, 333 "ignoring pmpcfg write - incorrect address\n"); 334 return; 335 } 336 337 for (i = 0; i < sizeof(target_ulong); i++) { 338 cfg_val = (val >> 8 * i) & 0xff; 339 pmp_write_cfg(env, (reg_index * 4) + i, cfg_val); 340 } 341 342 /* If PMP permission of any addr has been changed, flush TLB pages. */ 343 tlb_flush(env_cpu(env)); 344 } 345 346 347 /* 348 * Handle a read from a pmpcfg CSP 349 */ 350 target_ulong pmpcfg_csr_read(CPURISCVState *env, uint32_t reg_index) 351 { 352 int i; 353 target_ulong cfg_val = 0; 354 target_ulong val = 0; 355 356 for (i = 0; i < sizeof(target_ulong); i++) { 357 val = pmp_read_cfg(env, (reg_index * 4) + i); 358 cfg_val |= (val << (i * 8)); 359 } 360 trace_pmpcfg_csr_read(env->mhartid, reg_index, cfg_val); 361 362 return cfg_val; 363 } 364 365 366 /* 367 * Handle a write to a pmpaddr CSP 368 */ 369 void pmpaddr_csr_write(CPURISCVState *env, uint32_t addr_index, 370 target_ulong val) 371 { 372 trace_pmpaddr_csr_write(env->mhartid, addr_index, val); 373 374 if (addr_index < MAX_RISCV_PMPS) { 375 /* 376 * In TOR mode, need to check the lock bit of the next pmp 377 * (if there is a next). 378 */ 379 if (addr_index + 1 < MAX_RISCV_PMPS) { 380 uint8_t pmp_cfg = env->pmp_state.pmp[addr_index + 1].cfg_reg; 381 382 if (pmp_cfg & PMP_LOCK && 383 PMP_AMATCH_TOR == pmp_get_a_field(pmp_cfg)) { 384 qemu_log_mask(LOG_GUEST_ERROR, 385 "ignoring pmpaddr write - pmpcfg + 1 locked\n"); 386 return; 387 } 388 } 389 390 if (!pmp_is_locked(env, addr_index)) { 391 env->pmp_state.pmp[addr_index].addr_reg = val; 392 pmp_update_rule(env, addr_index); 393 } else { 394 qemu_log_mask(LOG_GUEST_ERROR, 395 "ignoring pmpaddr write - locked\n"); 396 } 397 } else { 398 qemu_log_mask(LOG_GUEST_ERROR, 399 "ignoring pmpaddr write - out of bounds\n"); 400 } 401 } 402 403 404 /* 405 * Handle a read from a pmpaddr CSP 406 */ 407 target_ulong pmpaddr_csr_read(CPURISCVState *env, uint32_t addr_index) 408 { 409 target_ulong val = 0; 410 411 if (addr_index < MAX_RISCV_PMPS) { 412 val = env->pmp_state.pmp[addr_index].addr_reg; 413 trace_pmpaddr_csr_read(env->mhartid, addr_index, val); 414 } else { 415 qemu_log_mask(LOG_GUEST_ERROR, 416 "ignoring pmpaddr read - out of bounds\n"); 417 } 418 419 return val; 420 } 421 422 /* 423 * Handle a write to a mseccfg CSR 424 */ 425 void mseccfg_csr_write(CPURISCVState *env, target_ulong val) 426 { 427 int i; 428 429 trace_mseccfg_csr_write(env->mhartid, val); 430 431 /* RLB cannot be enabled if it's already 0 and if any regions are locked */ 432 if (!MSECCFG_RLB_ISSET(env)) { 433 for (i = 0; i < MAX_RISCV_PMPS; i++) { 434 if (pmp_is_locked(env, i)) { 435 val &= ~MSECCFG_RLB; 436 break; 437 } 438 } 439 } 440 441 /* Sticky bits */ 442 val |= (env->mseccfg & (MSECCFG_MMWP | MSECCFG_MML)); 443 444 env->mseccfg = val; 445 } 446 447 /* 448 * Handle a read from a mseccfg CSR 449 */ 450 target_ulong mseccfg_csr_read(CPURISCVState *env) 451 { 452 trace_mseccfg_csr_read(env->mhartid, env->mseccfg); 453 return env->mseccfg; 454 } 455 456 /* 457 * Calculate the TLB size if the start address or the end address of 458 * PMP entry is presented in thie TLB page. 459 */ 460 static target_ulong pmp_get_tlb_size(CPURISCVState *env, int pmp_index, 461 target_ulong tlb_sa, target_ulong tlb_ea) 462 { 463 target_ulong pmp_sa = env->pmp_state.addr[pmp_index].sa; 464 target_ulong pmp_ea = env->pmp_state.addr[pmp_index].ea; 465 466 if (pmp_sa >= tlb_sa && pmp_ea <= tlb_ea) { 467 return pmp_ea - pmp_sa + 1; 468 } 469 470 if (pmp_sa >= tlb_sa && pmp_sa <= tlb_ea && pmp_ea >= tlb_ea) { 471 return tlb_ea - pmp_sa + 1; 472 } 473 474 if (pmp_ea <= tlb_ea && pmp_ea >= tlb_sa && pmp_sa <= tlb_sa) { 475 return pmp_ea - tlb_sa + 1; 476 } 477 478 return 0; 479 } 480 481 /* 482 * Check is there a PMP entry which range covers this page. If so, 483 * try to find the minimum granularity for the TLB size. 484 */ 485 bool pmp_is_range_in_tlb(CPURISCVState *env, hwaddr tlb_sa, 486 target_ulong *tlb_size) 487 { 488 int i; 489 target_ulong val; 490 target_ulong tlb_ea = (tlb_sa + TARGET_PAGE_SIZE - 1); 491 492 for (i = 0; i < MAX_RISCV_PMPS; i++) { 493 val = pmp_get_tlb_size(env, i, tlb_sa, tlb_ea); 494 if (val) { 495 if (*tlb_size == 0 || *tlb_size > val) { 496 *tlb_size = val; 497 } 498 } 499 } 500 501 if (*tlb_size != 0) { 502 return true; 503 } 504 505 return false; 506 } 507 508 /* 509 * Convert PMP privilege to TLB page privilege. 510 */ 511 int pmp_priv_to_page_prot(pmp_priv_t pmp_priv) 512 { 513 int prot = 0; 514 515 if (pmp_priv & PMP_READ) { 516 prot |= PAGE_READ; 517 } 518 if (pmp_priv & PMP_WRITE) { 519 prot |= PAGE_WRITE; 520 } 521 if (pmp_priv & PMP_EXEC) { 522 prot |= PAGE_EXEC; 523 } 524 525 return prot; 526 } 527