1 /* 2 * QEMU RISC-V PMP (Physical Memory Protection) 3 * 4 * Author: Daire McNamara, daire.mcnamara@emdalo.com 5 * Ivan Griffin, ivan.griffin@emdalo.com 6 * 7 * This provides a RISC-V Physical Memory Protection implementation 8 * 9 * This program is free software; you can redistribute it and/or modify it 10 * under the terms and conditions of the GNU General Public License, 11 * version 2 or later, as published by the Free Software Foundation. 12 * 13 * This program is distributed in the hope it will be useful, but WITHOUT 14 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 15 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 16 * more details. 17 * 18 * You should have received a copy of the GNU General Public License along with 19 * this program. If not, see <http://www.gnu.org/licenses/>. 20 */ 21 22 #include "qemu/osdep.h" 23 #include "qemu/log.h" 24 #include "qapi/error.h" 25 #include "cpu.h" 26 #include "trace.h" 27 #include "exec/exec-all.h" 28 #include "exec/page-protection.h" 29 30 static bool pmp_write_cfg(CPURISCVState *env, uint32_t addr_index, 31 uint8_t val); 32 static uint8_t pmp_read_cfg(CPURISCVState *env, uint32_t addr_index); 33 34 /* 35 * Accessor method to extract address matching type 'a field' from cfg reg 36 */ 37 static inline uint8_t pmp_get_a_field(uint8_t cfg) 38 { 39 uint8_t a = cfg >> 3; 40 return a & 0x3; 41 } 42 43 /* 44 * Check whether a PMP is locked or not. 45 */ 46 static inline int pmp_is_locked(CPURISCVState *env, uint32_t pmp_index) 47 { 48 /* mseccfg.RLB is set */ 49 if (MSECCFG_RLB_ISSET(env)) { 50 return 0; 51 } 52 53 if (env->pmp_state.pmp[pmp_index].cfg_reg & PMP_LOCK) { 54 return 1; 55 } 56 57 /* Top PMP has no 'next' to check */ 58 if ((pmp_index + 1u) >= MAX_RISCV_PMPS) { 59 return 0; 60 } 61 62 return 0; 63 } 64 65 /* 66 * Count the number of active rules. 67 */ 68 uint32_t pmp_get_num_rules(CPURISCVState *env) 69 { 70 return env->pmp_state.num_rules; 71 } 72 73 /* 74 * Accessor to get the cfg reg for a specific PMP/HART 75 */ 76 static inline uint8_t pmp_read_cfg(CPURISCVState *env, uint32_t pmp_index) 77 { 78 if (pmp_index < MAX_RISCV_PMPS) { 79 return env->pmp_state.pmp[pmp_index].cfg_reg; 80 } 81 82 return 0; 83 } 84 85 86 /* 87 * Accessor to set the cfg reg for a specific PMP/HART 88 * Bounds checks and relevant lock bit. 89 */ 90 static bool pmp_write_cfg(CPURISCVState *env, uint32_t pmp_index, uint8_t val) 91 { 92 if (pmp_index < MAX_RISCV_PMPS) { 93 bool locked = true; 94 95 if (riscv_cpu_cfg(env)->ext_smepmp) { 96 /* mseccfg.RLB is set */ 97 if (MSECCFG_RLB_ISSET(env)) { 98 locked = false; 99 } 100 101 /* mseccfg.MML is not set */ 102 if (!MSECCFG_MML_ISSET(env) && !pmp_is_locked(env, pmp_index)) { 103 locked = false; 104 } 105 106 /* mseccfg.MML is set */ 107 if (MSECCFG_MML_ISSET(env)) { 108 /* not adding execute bit */ 109 if ((val & PMP_LOCK) != 0 && (val & PMP_EXEC) != PMP_EXEC) { 110 locked = false; 111 } 112 /* shared region and not adding X bit */ 113 if ((val & PMP_LOCK) != PMP_LOCK && 114 (val & 0x7) != (PMP_WRITE | PMP_EXEC)) { 115 locked = false; 116 } 117 } 118 } else { 119 if (!pmp_is_locked(env, pmp_index)) { 120 locked = false; 121 } 122 } 123 124 if (locked) { 125 qemu_log_mask(LOG_GUEST_ERROR, "ignoring pmpcfg write - locked\n"); 126 } else if (env->pmp_state.pmp[pmp_index].cfg_reg != val) { 127 /* If !mseccfg.MML then ignore writes with encoding RW=01 */ 128 if ((val & PMP_WRITE) && !(val & PMP_READ) && 129 !MSECCFG_MML_ISSET(env)) { 130 return false; 131 } 132 env->pmp_state.pmp[pmp_index].cfg_reg = val; 133 pmp_update_rule_addr(env, pmp_index); 134 return true; 135 } 136 } else { 137 qemu_log_mask(LOG_GUEST_ERROR, 138 "ignoring pmpcfg write - out of bounds\n"); 139 } 140 141 return false; 142 } 143 144 void pmp_unlock_entries(CPURISCVState *env) 145 { 146 uint32_t pmp_num = pmp_get_num_rules(env); 147 int i; 148 149 for (i = 0; i < pmp_num; i++) { 150 env->pmp_state.pmp[i].cfg_reg &= ~(PMP_LOCK | PMP_AMATCH); 151 } 152 } 153 154 static void pmp_decode_napot(hwaddr a, hwaddr *sa, hwaddr *ea) 155 { 156 /* 157 * aaaa...aaa0 8-byte NAPOT range 158 * aaaa...aa01 16-byte NAPOT range 159 * aaaa...a011 32-byte NAPOT range 160 * ... 161 * aa01...1111 2^XLEN-byte NAPOT range 162 * a011...1111 2^(XLEN+1)-byte NAPOT range 163 * 0111...1111 2^(XLEN+2)-byte NAPOT range 164 * 1111...1111 Reserved 165 */ 166 a = (a << 2) | 0x3; 167 *sa = a & (a + 1); 168 *ea = a | (a + 1); 169 } 170 171 void pmp_update_rule_addr(CPURISCVState *env, uint32_t pmp_index) 172 { 173 uint8_t this_cfg = env->pmp_state.pmp[pmp_index].cfg_reg; 174 target_ulong this_addr = env->pmp_state.pmp[pmp_index].addr_reg; 175 target_ulong prev_addr = 0u; 176 hwaddr sa = 0u; 177 hwaddr ea = 0u; 178 179 if (pmp_index >= 1u) { 180 prev_addr = env->pmp_state.pmp[pmp_index - 1].addr_reg; 181 } 182 183 switch (pmp_get_a_field(this_cfg)) { 184 case PMP_AMATCH_OFF: 185 sa = 0u; 186 ea = -1; 187 break; 188 189 case PMP_AMATCH_TOR: 190 sa = prev_addr << 2; /* shift up from [xx:0] to [xx+2:2] */ 191 ea = (this_addr << 2) - 1u; 192 if (sa > ea) { 193 sa = ea = 0u; 194 } 195 break; 196 197 case PMP_AMATCH_NA4: 198 sa = this_addr << 2; /* shift up from [xx:0] to [xx+2:2] */ 199 ea = (sa + 4u) - 1u; 200 break; 201 202 case PMP_AMATCH_NAPOT: 203 pmp_decode_napot(this_addr, &sa, &ea); 204 break; 205 206 default: 207 sa = 0u; 208 ea = 0u; 209 break; 210 } 211 212 env->pmp_state.addr[pmp_index].sa = sa; 213 env->pmp_state.addr[pmp_index].ea = ea; 214 } 215 216 void pmp_update_rule_nums(CPURISCVState *env) 217 { 218 int i; 219 220 env->pmp_state.num_rules = 0; 221 for (i = 0; i < MAX_RISCV_PMPS; i++) { 222 const uint8_t a_field = 223 pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg); 224 if (PMP_AMATCH_OFF != a_field) { 225 env->pmp_state.num_rules++; 226 } 227 } 228 } 229 230 static int pmp_is_in_range(CPURISCVState *env, int pmp_index, hwaddr addr) 231 { 232 int result = 0; 233 234 if ((addr >= env->pmp_state.addr[pmp_index].sa) && 235 (addr <= env->pmp_state.addr[pmp_index].ea)) { 236 result = 1; 237 } else { 238 result = 0; 239 } 240 241 return result; 242 } 243 244 /* 245 * Check if the address has required RWX privs when no PMP entry is matched. 246 */ 247 static bool pmp_hart_has_privs_default(CPURISCVState *env, pmp_priv_t privs, 248 pmp_priv_t *allowed_privs, 249 target_ulong mode) 250 { 251 bool ret; 252 253 if (MSECCFG_MMWP_ISSET(env)) { 254 /* 255 * The Machine Mode Whitelist Policy (mseccfg.MMWP) is set 256 * so we default to deny all, even for M-mode. 257 */ 258 *allowed_privs = 0; 259 return false; 260 } else if (MSECCFG_MML_ISSET(env)) { 261 /* 262 * The Machine Mode Lockdown (mseccfg.MML) bit is set 263 * so we can only execute code in M-mode with an applicable 264 * rule. Other modes are disabled. 265 */ 266 if (mode == PRV_M && !(privs & PMP_EXEC)) { 267 ret = true; 268 *allowed_privs = PMP_READ | PMP_WRITE; 269 } else { 270 ret = false; 271 *allowed_privs = 0; 272 } 273 274 return ret; 275 } 276 277 if (!riscv_cpu_cfg(env)->pmp || (mode == PRV_M)) { 278 /* 279 * Privileged spec v1.10 states if HW doesn't implement any PMP entry 280 * or no PMP entry matches an M-Mode access, the access succeeds. 281 */ 282 ret = true; 283 *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC; 284 } else { 285 /* 286 * Other modes are not allowed to succeed if they don't * match a rule, 287 * but there are rules. We've checked for no rule earlier in this 288 * function. 289 */ 290 ret = false; 291 *allowed_privs = 0; 292 } 293 294 return ret; 295 } 296 297 298 /* 299 * Public Interface 300 */ 301 302 /* 303 * Check if the address has required RWX privs to complete desired operation 304 * Return true if a pmp rule match or default match 305 * Return false if no match 306 */ 307 bool pmp_hart_has_privs(CPURISCVState *env, hwaddr addr, 308 target_ulong size, pmp_priv_t privs, 309 pmp_priv_t *allowed_privs, target_ulong mode) 310 { 311 int i = 0; 312 int pmp_size = 0; 313 hwaddr s = 0; 314 hwaddr e = 0; 315 316 /* Short cut if no rules */ 317 if (0 == pmp_get_num_rules(env)) { 318 return pmp_hart_has_privs_default(env, privs, allowed_privs, mode); 319 } 320 321 if (size == 0) { 322 if (riscv_cpu_cfg(env)->mmu) { 323 /* 324 * If size is unknown (0), assume that all bytes 325 * from addr to the end of the page will be accessed. 326 */ 327 pmp_size = -(addr | TARGET_PAGE_MASK); 328 } else { 329 pmp_size = 2 << riscv_cpu_mxl(env); 330 } 331 } else { 332 pmp_size = size; 333 } 334 335 /* 336 * 1.10 draft priv spec states there is an implicit order 337 * from low to high 338 */ 339 for (i = 0; i < MAX_RISCV_PMPS; i++) { 340 s = pmp_is_in_range(env, i, addr); 341 e = pmp_is_in_range(env, i, addr + pmp_size - 1); 342 343 /* partially inside */ 344 if ((s + e) == 1) { 345 qemu_log_mask(LOG_GUEST_ERROR, 346 "pmp violation - access is partially inside\n"); 347 *allowed_privs = 0; 348 return false; 349 } 350 351 /* fully inside */ 352 const uint8_t a_field = 353 pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg); 354 355 /* 356 * Convert the PMP permissions to match the truth table in the 357 * Smepmp spec. 358 */ 359 const uint8_t smepmp_operation = 360 ((env->pmp_state.pmp[i].cfg_reg & PMP_LOCK) >> 4) | 361 ((env->pmp_state.pmp[i].cfg_reg & PMP_READ) << 2) | 362 (env->pmp_state.pmp[i].cfg_reg & PMP_WRITE) | 363 ((env->pmp_state.pmp[i].cfg_reg & PMP_EXEC) >> 2); 364 365 if (((s + e) == 2) && (PMP_AMATCH_OFF != a_field)) { 366 /* 367 * If the PMP entry is not off and the address is in range, 368 * do the priv check 369 */ 370 if (!MSECCFG_MML_ISSET(env)) { 371 /* 372 * If mseccfg.MML Bit is not set, do pmp priv check 373 * This will always apply to regular PMP. 374 */ 375 *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC; 376 if ((mode != PRV_M) || pmp_is_locked(env, i)) { 377 *allowed_privs &= env->pmp_state.pmp[i].cfg_reg; 378 } 379 } else { 380 /* 381 * If mseccfg.MML Bit set, do the enhanced pmp priv check 382 */ 383 if (mode == PRV_M) { 384 switch (smepmp_operation) { 385 case 0: 386 case 1: 387 case 4: 388 case 5: 389 case 6: 390 case 7: 391 case 8: 392 *allowed_privs = 0; 393 break; 394 case 2: 395 case 3: 396 case 14: 397 *allowed_privs = PMP_READ | PMP_WRITE; 398 break; 399 case 9: 400 case 10: 401 *allowed_privs = PMP_EXEC; 402 break; 403 case 11: 404 case 13: 405 *allowed_privs = PMP_READ | PMP_EXEC; 406 break; 407 case 12: 408 case 15: 409 *allowed_privs = PMP_READ; 410 break; 411 default: 412 g_assert_not_reached(); 413 } 414 } else { 415 switch (smepmp_operation) { 416 case 0: 417 case 8: 418 case 9: 419 case 12: 420 case 13: 421 case 14: 422 *allowed_privs = 0; 423 break; 424 case 1: 425 case 10: 426 case 11: 427 *allowed_privs = PMP_EXEC; 428 break; 429 case 2: 430 case 4: 431 case 15: 432 *allowed_privs = PMP_READ; 433 break; 434 case 3: 435 case 6: 436 *allowed_privs = PMP_READ | PMP_WRITE; 437 break; 438 case 5: 439 *allowed_privs = PMP_READ | PMP_EXEC; 440 break; 441 case 7: 442 *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC; 443 break; 444 default: 445 g_assert_not_reached(); 446 } 447 } 448 } 449 450 /* 451 * If matching address range was found, the protection bits 452 * defined with PMP must be used. We shouldn't fallback on 453 * finding default privileges. 454 */ 455 return (privs & *allowed_privs) == privs; 456 } 457 } 458 459 /* No rule matched */ 460 return pmp_hart_has_privs_default(env, privs, allowed_privs, mode); 461 } 462 463 /* 464 * Handle a write to a pmpcfg CSR 465 */ 466 void pmpcfg_csr_write(CPURISCVState *env, uint32_t reg_index, 467 target_ulong val) 468 { 469 int i; 470 uint8_t cfg_val; 471 int pmpcfg_nums = 2 << riscv_cpu_mxl(env); 472 bool modified = false; 473 474 trace_pmpcfg_csr_write(env->mhartid, reg_index, val); 475 476 for (i = 0; i < pmpcfg_nums; i++) { 477 cfg_val = (val >> 8 * i) & 0xff; 478 modified |= pmp_write_cfg(env, (reg_index * 4) + i, cfg_val); 479 } 480 481 /* If PMP permission of any addr has been changed, flush TLB pages. */ 482 if (modified) { 483 pmp_update_rule_nums(env); 484 tlb_flush(env_cpu(env)); 485 } 486 } 487 488 489 /* 490 * Handle a read from a pmpcfg CSR 491 */ 492 target_ulong pmpcfg_csr_read(CPURISCVState *env, uint32_t reg_index) 493 { 494 int i; 495 target_ulong cfg_val = 0; 496 target_ulong val = 0; 497 int pmpcfg_nums = 2 << riscv_cpu_mxl(env); 498 499 for (i = 0; i < pmpcfg_nums; i++) { 500 val = pmp_read_cfg(env, (reg_index * 4) + i); 501 cfg_val |= (val << (i * 8)); 502 } 503 trace_pmpcfg_csr_read(env->mhartid, reg_index, cfg_val); 504 505 return cfg_val; 506 } 507 508 509 /* 510 * Handle a write to a pmpaddr CSR 511 */ 512 void pmpaddr_csr_write(CPURISCVState *env, uint32_t addr_index, 513 target_ulong val) 514 { 515 trace_pmpaddr_csr_write(env->mhartid, addr_index, val); 516 bool is_next_cfg_tor = false; 517 518 if (addr_index < MAX_RISCV_PMPS) { 519 /* 520 * In TOR mode, need to check the lock bit of the next pmp 521 * (if there is a next). 522 */ 523 if (addr_index + 1 < MAX_RISCV_PMPS) { 524 uint8_t pmp_cfg = env->pmp_state.pmp[addr_index + 1].cfg_reg; 525 is_next_cfg_tor = PMP_AMATCH_TOR == pmp_get_a_field(pmp_cfg); 526 527 if (pmp_cfg & PMP_LOCK && is_next_cfg_tor) { 528 qemu_log_mask(LOG_GUEST_ERROR, 529 "ignoring pmpaddr write - pmpcfg + 1 locked\n"); 530 return; 531 } 532 } 533 534 if (!pmp_is_locked(env, addr_index)) { 535 if (env->pmp_state.pmp[addr_index].addr_reg != val) { 536 env->pmp_state.pmp[addr_index].addr_reg = val; 537 pmp_update_rule_addr(env, addr_index); 538 if (is_next_cfg_tor) { 539 pmp_update_rule_addr(env, addr_index + 1); 540 } 541 tlb_flush(env_cpu(env)); 542 } 543 } else { 544 qemu_log_mask(LOG_GUEST_ERROR, 545 "ignoring pmpaddr write - locked\n"); 546 } 547 } else { 548 qemu_log_mask(LOG_GUEST_ERROR, 549 "ignoring pmpaddr write - out of bounds\n"); 550 } 551 } 552 553 554 /* 555 * Handle a read from a pmpaddr CSR 556 */ 557 target_ulong pmpaddr_csr_read(CPURISCVState *env, uint32_t addr_index) 558 { 559 target_ulong val = 0; 560 561 if (addr_index < MAX_RISCV_PMPS) { 562 val = env->pmp_state.pmp[addr_index].addr_reg; 563 trace_pmpaddr_csr_read(env->mhartid, addr_index, val); 564 } else { 565 qemu_log_mask(LOG_GUEST_ERROR, 566 "ignoring pmpaddr read - out of bounds\n"); 567 } 568 569 return val; 570 } 571 572 /* 573 * Handle a write to a mseccfg CSR 574 */ 575 void mseccfg_csr_write(CPURISCVState *env, target_ulong val) 576 { 577 int i; 578 579 trace_mseccfg_csr_write(env->mhartid, val); 580 581 /* RLB cannot be enabled if it's already 0 and if any regions are locked */ 582 if (!MSECCFG_RLB_ISSET(env)) { 583 for (i = 0; i < MAX_RISCV_PMPS; i++) { 584 if (pmp_is_locked(env, i)) { 585 val &= ~MSECCFG_RLB; 586 break; 587 } 588 } 589 } 590 591 if (riscv_cpu_cfg(env)->ext_smepmp) { 592 /* Sticky bits */ 593 val |= (env->mseccfg & (MSECCFG_MMWP | MSECCFG_MML)); 594 if ((val ^ env->mseccfg) & (MSECCFG_MMWP | MSECCFG_MML)) { 595 tlb_flush(env_cpu(env)); 596 } 597 } else { 598 val &= ~(MSECCFG_MMWP | MSECCFG_MML | MSECCFG_RLB); 599 } 600 601 /* M-mode forward cfi to be enabled if cfi extension is implemented */ 602 if (env_archcpu(env)->cfg.ext_zicfilp) { 603 val |= (val & MSECCFG_MLPE); 604 } 605 606 env->mseccfg = val; 607 } 608 609 /* 610 * Handle a read from a mseccfg CSR 611 */ 612 target_ulong mseccfg_csr_read(CPURISCVState *env) 613 { 614 trace_mseccfg_csr_read(env->mhartid, env->mseccfg); 615 return env->mseccfg; 616 } 617 618 /* 619 * Calculate the TLB size. 620 * It's possible that PMP regions only cover partial of the TLB page, and 621 * this may split the page into regions with different permissions. 622 * For example if PMP0 is (0x80000008~0x8000000F, R) and PMP1 is (0x80000000 623 * ~0x80000FFF, RWX), then region 0x80000008~0x8000000F has R permission, and 624 * the other regions in this page have RWX permissions. 625 * A write access to 0x80000000 will match PMP1. However we cannot cache the 626 * translation result in the TLB since this will make the write access to 627 * 0x80000008 bypass the check of PMP0. 628 * To avoid this we return a size of 1 (which means no caching) if the PMP 629 * region only covers partial of the TLB page. 630 */ 631 target_ulong pmp_get_tlb_size(CPURISCVState *env, hwaddr addr) 632 { 633 hwaddr pmp_sa; 634 hwaddr pmp_ea; 635 hwaddr tlb_sa = addr & ~(TARGET_PAGE_SIZE - 1); 636 hwaddr tlb_ea = tlb_sa + TARGET_PAGE_SIZE - 1; 637 int i; 638 639 /* 640 * If PMP is not supported or there are no PMP rules, the TLB page will not 641 * be split into regions with different permissions by PMP so we set the 642 * size to TARGET_PAGE_SIZE. 643 */ 644 if (!riscv_cpu_cfg(env)->pmp || !pmp_get_num_rules(env)) { 645 return TARGET_PAGE_SIZE; 646 } 647 648 for (i = 0; i < MAX_RISCV_PMPS; i++) { 649 if (pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg) == PMP_AMATCH_OFF) { 650 continue; 651 } 652 653 pmp_sa = env->pmp_state.addr[i].sa; 654 pmp_ea = env->pmp_state.addr[i].ea; 655 656 /* 657 * Only the first PMP entry that covers (whole or partial of) the TLB 658 * page really matters: 659 * If it covers the whole TLB page, set the size to TARGET_PAGE_SIZE, 660 * since the following PMP entries have lower priority and will not 661 * affect the permissions of the page. 662 * If it only covers partial of the TLB page, set the size to 1 since 663 * the allowed permissions of the region may be different from other 664 * region of the page. 665 */ 666 if (pmp_sa <= tlb_sa && pmp_ea >= tlb_ea) { 667 return TARGET_PAGE_SIZE; 668 } else if ((pmp_sa >= tlb_sa && pmp_sa <= tlb_ea) || 669 (pmp_ea >= tlb_sa && pmp_ea <= tlb_ea)) { 670 return 1; 671 } 672 } 673 674 /* 675 * If no PMP entry matches the TLB page, the TLB page will also not be 676 * split into regions with different permissions by PMP so we set the size 677 * to TARGET_PAGE_SIZE. 678 */ 679 return TARGET_PAGE_SIZE; 680 } 681 682 /* 683 * Convert PMP privilege to TLB page privilege. 684 */ 685 int pmp_priv_to_page_prot(pmp_priv_t pmp_priv) 686 { 687 int prot = 0; 688 689 if (pmp_priv & PMP_READ) { 690 prot |= PAGE_READ; 691 } 692 if (pmp_priv & PMP_WRITE) { 693 prot |= PAGE_WRITE; 694 } 695 if (pmp_priv & PMP_EXEC) { 696 prot |= PAGE_EXEC; 697 } 698 699 return prot; 700 } 701