xref: /openbmc/qemu/target/riscv/pmp.c (revision 646b5378)
1 /*
2  * QEMU RISC-V PMP (Physical Memory Protection)
3  *
4  * Author: Daire McNamara, daire.mcnamara@emdalo.com
5  *         Ivan Griffin, ivan.griffin@emdalo.com
6  *
7  * This provides a RISC-V Physical Memory Protection implementation
8  *
9  * This program is free software; you can redistribute it and/or modify it
10  * under the terms and conditions of the GNU General Public License,
11  * version 2 or later, as published by the Free Software Foundation.
12  *
13  * This program is distributed in the hope it will be useful, but WITHOUT
14  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
15  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
16  * more details.
17  *
18  * You should have received a copy of the GNU General Public License along with
19  * this program.  If not, see <http://www.gnu.org/licenses/>.
20  */
21 
22 #include "qemu/osdep.h"
23 #include "qemu/log.h"
24 #include "qapi/error.h"
25 #include "cpu.h"
26 #include "trace.h"
27 #include "exec/exec-all.h"
28 #include "exec/page-protection.h"
29 
30 static bool pmp_write_cfg(CPURISCVState *env, uint32_t addr_index,
31                           uint8_t val);
32 static uint8_t pmp_read_cfg(CPURISCVState *env, uint32_t addr_index);
33 
34 /*
35  * Accessor method to extract address matching type 'a field' from cfg reg
36  */
37 static inline uint8_t pmp_get_a_field(uint8_t cfg)
38 {
39     uint8_t a = cfg >> 3;
40     return a & 0x3;
41 }
42 
43 /*
44  * Check whether a PMP is locked or not.
45  */
46 static inline int pmp_is_locked(CPURISCVState *env, uint32_t pmp_index)
47 {
48     /* mseccfg.RLB is set */
49     if (MSECCFG_RLB_ISSET(env)) {
50         return 0;
51     }
52 
53     if (env->pmp_state.pmp[pmp_index].cfg_reg & PMP_LOCK) {
54         return 1;
55     }
56 
57     /* Top PMP has no 'next' to check */
58     if ((pmp_index + 1u) >= MAX_RISCV_PMPS) {
59         return 0;
60     }
61 
62     return 0;
63 }
64 
65 /*
66  * Count the number of active rules.
67  */
68 uint32_t pmp_get_num_rules(CPURISCVState *env)
69 {
70      return env->pmp_state.num_rules;
71 }
72 
73 /*
74  * Accessor to get the cfg reg for a specific PMP/HART
75  */
76 static inline uint8_t pmp_read_cfg(CPURISCVState *env, uint32_t pmp_index)
77 {
78     if (pmp_index < MAX_RISCV_PMPS) {
79         return env->pmp_state.pmp[pmp_index].cfg_reg;
80     }
81 
82     return 0;
83 }
84 
85 
86 /*
87  * Accessor to set the cfg reg for a specific PMP/HART
88  * Bounds checks and relevant lock bit.
89  */
90 static bool pmp_write_cfg(CPURISCVState *env, uint32_t pmp_index, uint8_t val)
91 {
92     if (pmp_index < MAX_RISCV_PMPS) {
93         bool locked = true;
94 
95         if (riscv_cpu_cfg(env)->ext_smepmp) {
96             /* mseccfg.RLB is set */
97             if (MSECCFG_RLB_ISSET(env)) {
98                 locked = false;
99             }
100 
101             /* mseccfg.MML is not set */
102             if (!MSECCFG_MML_ISSET(env) && !pmp_is_locked(env, pmp_index)) {
103                 locked = false;
104             }
105 
106             /* mseccfg.MML is set */
107             if (MSECCFG_MML_ISSET(env)) {
108                 /* not adding execute bit */
109                 if ((val & PMP_LOCK) != 0 && (val & PMP_EXEC) != PMP_EXEC) {
110                     locked = false;
111                 }
112                 /* shared region and not adding X bit */
113                 if ((val & PMP_LOCK) != PMP_LOCK &&
114                     (val & 0x7) != (PMP_WRITE | PMP_EXEC)) {
115                     locked = false;
116                 }
117             }
118         } else {
119             if (!pmp_is_locked(env, pmp_index)) {
120                 locked = false;
121             }
122         }
123 
124         if (locked) {
125             qemu_log_mask(LOG_GUEST_ERROR, "ignoring pmpcfg write - locked\n");
126         } else if (env->pmp_state.pmp[pmp_index].cfg_reg != val) {
127             /* If !mseccfg.MML then ignore writes with encoding RW=01 */
128             if ((val & PMP_WRITE) && !(val & PMP_READ) &&
129                 !MSECCFG_MML_ISSET(env)) {
130                 return false;
131             }
132             env->pmp_state.pmp[pmp_index].cfg_reg = val;
133             pmp_update_rule_addr(env, pmp_index);
134             return true;
135         }
136     } else {
137         qemu_log_mask(LOG_GUEST_ERROR,
138                       "ignoring pmpcfg write - out of bounds\n");
139     }
140 
141     return false;
142 }
143 
144 void pmp_unlock_entries(CPURISCVState *env)
145 {
146     uint32_t pmp_num = pmp_get_num_rules(env);
147     int i;
148 
149     for (i = 0; i < pmp_num; i++) {
150         env->pmp_state.pmp[i].cfg_reg &= ~(PMP_LOCK | PMP_AMATCH);
151     }
152 }
153 
154 static void pmp_decode_napot(hwaddr a, hwaddr *sa, hwaddr *ea)
155 {
156     /*
157      * aaaa...aaa0   8-byte NAPOT range
158      * aaaa...aa01   16-byte NAPOT range
159      * aaaa...a011   32-byte NAPOT range
160      * ...
161      * aa01...1111   2^XLEN-byte NAPOT range
162      * a011...1111   2^(XLEN+1)-byte NAPOT range
163      * 0111...1111   2^(XLEN+2)-byte NAPOT range
164      * 1111...1111   Reserved
165      */
166     a = (a << 2) | 0x3;
167     *sa = a & (a + 1);
168     *ea = a | (a + 1);
169 }
170 
171 void pmp_update_rule_addr(CPURISCVState *env, uint32_t pmp_index)
172 {
173     uint8_t this_cfg = env->pmp_state.pmp[pmp_index].cfg_reg;
174     target_ulong this_addr = env->pmp_state.pmp[pmp_index].addr_reg;
175     target_ulong prev_addr = 0u;
176     hwaddr sa = 0u;
177     hwaddr ea = 0u;
178 
179     if (pmp_index >= 1u) {
180         prev_addr = env->pmp_state.pmp[pmp_index - 1].addr_reg;
181     }
182 
183     switch (pmp_get_a_field(this_cfg)) {
184     case PMP_AMATCH_OFF:
185         sa = 0u;
186         ea = -1;
187         break;
188 
189     case PMP_AMATCH_TOR:
190         sa = prev_addr << 2; /* shift up from [xx:0] to [xx+2:2] */
191         ea = (this_addr << 2) - 1u;
192         if (sa > ea) {
193             sa = ea = 0u;
194         }
195         break;
196 
197     case PMP_AMATCH_NA4:
198         sa = this_addr << 2; /* shift up from [xx:0] to [xx+2:2] */
199         ea = (sa + 4u) - 1u;
200         break;
201 
202     case PMP_AMATCH_NAPOT:
203         pmp_decode_napot(this_addr, &sa, &ea);
204         break;
205 
206     default:
207         sa = 0u;
208         ea = 0u;
209         break;
210     }
211 
212     env->pmp_state.addr[pmp_index].sa = sa;
213     env->pmp_state.addr[pmp_index].ea = ea;
214 }
215 
216 void pmp_update_rule_nums(CPURISCVState *env)
217 {
218     int i;
219 
220     env->pmp_state.num_rules = 0;
221     for (i = 0; i < MAX_RISCV_PMPS; i++) {
222         const uint8_t a_field =
223             pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg);
224         if (PMP_AMATCH_OFF != a_field) {
225             env->pmp_state.num_rules++;
226         }
227     }
228 }
229 
230 static int pmp_is_in_range(CPURISCVState *env, int pmp_index, hwaddr addr)
231 {
232     int result = 0;
233 
234     if ((addr >= env->pmp_state.addr[pmp_index].sa) &&
235         (addr <= env->pmp_state.addr[pmp_index].ea)) {
236         result = 1;
237     } else {
238         result = 0;
239     }
240 
241     return result;
242 }
243 
244 /*
245  * Check if the address has required RWX privs when no PMP entry is matched.
246  */
247 static bool pmp_hart_has_privs_default(CPURISCVState *env, pmp_priv_t privs,
248                                        pmp_priv_t *allowed_privs,
249                                        target_ulong mode)
250 {
251     bool ret;
252 
253     if (MSECCFG_MMWP_ISSET(env)) {
254         /*
255          * The Machine Mode Whitelist Policy (mseccfg.MMWP) is set
256          * so we default to deny all, even for M-mode.
257          */
258         *allowed_privs = 0;
259         return false;
260     } else if (MSECCFG_MML_ISSET(env)) {
261         /*
262          * The Machine Mode Lockdown (mseccfg.MML) bit is set
263          * so we can only execute code in M-mode with an applicable
264          * rule. Other modes are disabled.
265          */
266         if (mode == PRV_M && !(privs & PMP_EXEC)) {
267             ret = true;
268             *allowed_privs = PMP_READ | PMP_WRITE;
269         } else {
270             ret = false;
271             *allowed_privs = 0;
272         }
273 
274         return ret;
275     }
276 
277     if (!riscv_cpu_cfg(env)->pmp || (mode == PRV_M)) {
278         /*
279          * Privileged spec v1.10 states if HW doesn't implement any PMP entry
280          * or no PMP entry matches an M-Mode access, the access succeeds.
281          */
282         ret = true;
283         *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
284     } else {
285         /*
286          * Other modes are not allowed to succeed if they don't * match a rule,
287          * but there are rules. We've checked for no rule earlier in this
288          * function.
289          */
290         ret = false;
291         *allowed_privs = 0;
292     }
293 
294     return ret;
295 }
296 
297 
298 /*
299  * Public Interface
300  */
301 
302 /*
303  * Check if the address has required RWX privs to complete desired operation
304  * Return true if a pmp rule match or default match
305  * Return false if no match
306  */
307 bool pmp_hart_has_privs(CPURISCVState *env, hwaddr addr,
308                         target_ulong size, pmp_priv_t privs,
309                         pmp_priv_t *allowed_privs, target_ulong mode)
310 {
311     int i = 0;
312     int pmp_size = 0;
313     hwaddr s = 0;
314     hwaddr e = 0;
315 
316     /* Short cut if no rules */
317     if (0 == pmp_get_num_rules(env)) {
318         return pmp_hart_has_privs_default(env, privs, allowed_privs, mode);
319     }
320 
321     if (size == 0) {
322         if (riscv_cpu_cfg(env)->mmu) {
323             /*
324              * If size is unknown (0), assume that all bytes
325              * from addr to the end of the page will be accessed.
326              */
327             pmp_size = -(addr | TARGET_PAGE_MASK);
328         } else {
329             pmp_size = 2 << riscv_cpu_mxl(env);
330         }
331     } else {
332         pmp_size = size;
333     }
334 
335     /*
336      * 1.10 draft priv spec states there is an implicit order
337      * from low to high
338      */
339     for (i = 0; i < MAX_RISCV_PMPS; i++) {
340         s = pmp_is_in_range(env, i, addr);
341         e = pmp_is_in_range(env, i, addr + pmp_size - 1);
342 
343         /* partially inside */
344         if ((s + e) == 1) {
345             qemu_log_mask(LOG_GUEST_ERROR,
346                           "pmp violation - access is partially inside\n");
347             *allowed_privs = 0;
348             return false;
349         }
350 
351         /* fully inside */
352         const uint8_t a_field =
353             pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg);
354 
355         /*
356          * Convert the PMP permissions to match the truth table in the
357          * Smepmp spec.
358          */
359         const uint8_t smepmp_operation =
360             ((env->pmp_state.pmp[i].cfg_reg & PMP_LOCK) >> 4) |
361             ((env->pmp_state.pmp[i].cfg_reg & PMP_READ) << 2) |
362             (env->pmp_state.pmp[i].cfg_reg & PMP_WRITE) |
363             ((env->pmp_state.pmp[i].cfg_reg & PMP_EXEC) >> 2);
364 
365         if (((s + e) == 2) && (PMP_AMATCH_OFF != a_field)) {
366             /*
367              * If the PMP entry is not off and the address is in range,
368              * do the priv check
369              */
370             if (!MSECCFG_MML_ISSET(env)) {
371                 /*
372                  * If mseccfg.MML Bit is not set, do pmp priv check
373                  * This will always apply to regular PMP.
374                  */
375                 *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
376                 if ((mode != PRV_M) || pmp_is_locked(env, i)) {
377                     *allowed_privs &= env->pmp_state.pmp[i].cfg_reg;
378                 }
379             } else {
380                 /*
381                  * If mseccfg.MML Bit set, do the enhanced pmp priv check
382                  */
383                 if (mode == PRV_M) {
384                     switch (smepmp_operation) {
385                     case 0:
386                     case 1:
387                     case 4:
388                     case 5:
389                     case 6:
390                     case 7:
391                     case 8:
392                         *allowed_privs = 0;
393                         break;
394                     case 2:
395                     case 3:
396                     case 14:
397                         *allowed_privs = PMP_READ | PMP_WRITE;
398                         break;
399                     case 9:
400                     case 10:
401                         *allowed_privs = PMP_EXEC;
402                         break;
403                     case 11:
404                     case 13:
405                         *allowed_privs = PMP_READ | PMP_EXEC;
406                         break;
407                     case 12:
408                     case 15:
409                         *allowed_privs = PMP_READ;
410                         break;
411                     default:
412                         g_assert_not_reached();
413                     }
414                 } else {
415                     switch (smepmp_operation) {
416                     case 0:
417                     case 8:
418                     case 9:
419                     case 12:
420                     case 13:
421                     case 14:
422                         *allowed_privs = 0;
423                         break;
424                     case 1:
425                     case 10:
426                     case 11:
427                         *allowed_privs = PMP_EXEC;
428                         break;
429                     case 2:
430                     case 4:
431                     case 15:
432                         *allowed_privs = PMP_READ;
433                         break;
434                     case 3:
435                     case 6:
436                         *allowed_privs = PMP_READ | PMP_WRITE;
437                         break;
438                     case 5:
439                         *allowed_privs = PMP_READ | PMP_EXEC;
440                         break;
441                     case 7:
442                         *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
443                         break;
444                     default:
445                         g_assert_not_reached();
446                     }
447                 }
448             }
449 
450             /*
451              * If matching address range was found, the protection bits
452              * defined with PMP must be used. We shouldn't fallback on
453              * finding default privileges.
454              */
455             return (privs & *allowed_privs) == privs;
456         }
457     }
458 
459     /* No rule matched */
460     return pmp_hart_has_privs_default(env, privs, allowed_privs, mode);
461 }
462 
463 /*
464  * Handle a write to a pmpcfg CSR
465  */
466 void pmpcfg_csr_write(CPURISCVState *env, uint32_t reg_index,
467                       target_ulong val)
468 {
469     int i;
470     uint8_t cfg_val;
471     int pmpcfg_nums = 2 << riscv_cpu_mxl(env);
472     bool modified = false;
473 
474     trace_pmpcfg_csr_write(env->mhartid, reg_index, val);
475 
476     for (i = 0; i < pmpcfg_nums; i++) {
477         cfg_val = (val >> 8 * i)  & 0xff;
478         modified |= pmp_write_cfg(env, (reg_index * 4) + i, cfg_val);
479     }
480 
481     /* If PMP permission of any addr has been changed, flush TLB pages. */
482     if (modified) {
483         pmp_update_rule_nums(env);
484         tlb_flush(env_cpu(env));
485     }
486 }
487 
488 
489 /*
490  * Handle a read from a pmpcfg CSR
491  */
492 target_ulong pmpcfg_csr_read(CPURISCVState *env, uint32_t reg_index)
493 {
494     int i;
495     target_ulong cfg_val = 0;
496     target_ulong val = 0;
497     int pmpcfg_nums = 2 << riscv_cpu_mxl(env);
498 
499     for (i = 0; i < pmpcfg_nums; i++) {
500         val = pmp_read_cfg(env, (reg_index * 4) + i);
501         cfg_val |= (val << (i * 8));
502     }
503     trace_pmpcfg_csr_read(env->mhartid, reg_index, cfg_val);
504 
505     return cfg_val;
506 }
507 
508 
509 /*
510  * Handle a write to a pmpaddr CSR
511  */
512 void pmpaddr_csr_write(CPURISCVState *env, uint32_t addr_index,
513                        target_ulong val)
514 {
515     trace_pmpaddr_csr_write(env->mhartid, addr_index, val);
516     bool is_next_cfg_tor = false;
517 
518     if (addr_index < MAX_RISCV_PMPS) {
519         /*
520          * In TOR mode, need to check the lock bit of the next pmp
521          * (if there is a next).
522          */
523         if (addr_index + 1 < MAX_RISCV_PMPS) {
524             uint8_t pmp_cfg = env->pmp_state.pmp[addr_index + 1].cfg_reg;
525             is_next_cfg_tor = PMP_AMATCH_TOR == pmp_get_a_field(pmp_cfg);
526 
527             if (pmp_cfg & PMP_LOCK && is_next_cfg_tor) {
528                 qemu_log_mask(LOG_GUEST_ERROR,
529                               "ignoring pmpaddr write - pmpcfg + 1 locked\n");
530                 return;
531             }
532         }
533 
534         if (!pmp_is_locked(env, addr_index)) {
535             if (env->pmp_state.pmp[addr_index].addr_reg != val) {
536                 env->pmp_state.pmp[addr_index].addr_reg = val;
537                 pmp_update_rule_addr(env, addr_index);
538                 if (is_next_cfg_tor) {
539                     pmp_update_rule_addr(env, addr_index + 1);
540                 }
541                 tlb_flush(env_cpu(env));
542             }
543         } else {
544             qemu_log_mask(LOG_GUEST_ERROR,
545                           "ignoring pmpaddr write - locked\n");
546         }
547     } else {
548         qemu_log_mask(LOG_GUEST_ERROR,
549                       "ignoring pmpaddr write - out of bounds\n");
550     }
551 }
552 
553 
554 /*
555  * Handle a read from a pmpaddr CSR
556  */
557 target_ulong pmpaddr_csr_read(CPURISCVState *env, uint32_t addr_index)
558 {
559     target_ulong val = 0;
560 
561     if (addr_index < MAX_RISCV_PMPS) {
562         val = env->pmp_state.pmp[addr_index].addr_reg;
563         trace_pmpaddr_csr_read(env->mhartid, addr_index, val);
564     } else {
565         qemu_log_mask(LOG_GUEST_ERROR,
566                       "ignoring pmpaddr read - out of bounds\n");
567     }
568 
569     return val;
570 }
571 
572 /*
573  * Handle a write to a mseccfg CSR
574  */
575 void mseccfg_csr_write(CPURISCVState *env, target_ulong val)
576 {
577     int i;
578 
579     trace_mseccfg_csr_write(env->mhartid, val);
580 
581     /* RLB cannot be enabled if it's already 0 and if any regions are locked */
582     if (!MSECCFG_RLB_ISSET(env)) {
583         for (i = 0; i < MAX_RISCV_PMPS; i++) {
584             if (pmp_is_locked(env, i)) {
585                 val &= ~MSECCFG_RLB;
586                 break;
587             }
588         }
589     }
590 
591     if (riscv_cpu_cfg(env)->ext_smepmp) {
592         /* Sticky bits */
593         val |= (env->mseccfg & (MSECCFG_MMWP | MSECCFG_MML));
594         if ((val ^ env->mseccfg) & (MSECCFG_MMWP | MSECCFG_MML)) {
595             tlb_flush(env_cpu(env));
596         }
597     } else {
598         val &= ~(MSECCFG_MMWP | MSECCFG_MML | MSECCFG_RLB);
599     }
600 
601     /* M-mode forward cfi to be enabled if cfi extension is implemented */
602     if (env_archcpu(env)->cfg.ext_zicfilp) {
603         val |= (val & MSECCFG_MLPE);
604     }
605 
606     env->mseccfg = val;
607 }
608 
609 /*
610  * Handle a read from a mseccfg CSR
611  */
612 target_ulong mseccfg_csr_read(CPURISCVState *env)
613 {
614     trace_mseccfg_csr_read(env->mhartid, env->mseccfg);
615     return env->mseccfg;
616 }
617 
618 /*
619  * Calculate the TLB size.
620  * It's possible that PMP regions only cover partial of the TLB page, and
621  * this may split the page into regions with different permissions.
622  * For example if PMP0 is (0x80000008~0x8000000F, R) and PMP1 is (0x80000000
623  * ~0x80000FFF, RWX), then region 0x80000008~0x8000000F has R permission, and
624  * the other regions in this page have RWX permissions.
625  * A write access to 0x80000000 will match PMP1. However we cannot cache the
626  * translation result in the TLB since this will make the write access to
627  * 0x80000008 bypass the check of PMP0.
628  * To avoid this we return a size of 1 (which means no caching) if the PMP
629  * region only covers partial of the TLB page.
630  */
631 target_ulong pmp_get_tlb_size(CPURISCVState *env, hwaddr addr)
632 {
633     hwaddr pmp_sa;
634     hwaddr pmp_ea;
635     hwaddr tlb_sa = addr & ~(TARGET_PAGE_SIZE - 1);
636     hwaddr tlb_ea = tlb_sa + TARGET_PAGE_SIZE - 1;
637     int i;
638 
639     /*
640      * If PMP is not supported or there are no PMP rules, the TLB page will not
641      * be split into regions with different permissions by PMP so we set the
642      * size to TARGET_PAGE_SIZE.
643      */
644     if (!riscv_cpu_cfg(env)->pmp || !pmp_get_num_rules(env)) {
645         return TARGET_PAGE_SIZE;
646     }
647 
648     for (i = 0; i < MAX_RISCV_PMPS; i++) {
649         if (pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg) == PMP_AMATCH_OFF) {
650             continue;
651         }
652 
653         pmp_sa = env->pmp_state.addr[i].sa;
654         pmp_ea = env->pmp_state.addr[i].ea;
655 
656         /*
657          * Only the first PMP entry that covers (whole or partial of) the TLB
658          * page really matters:
659          * If it covers the whole TLB page, set the size to TARGET_PAGE_SIZE,
660          * since the following PMP entries have lower priority and will not
661          * affect the permissions of the page.
662          * If it only covers partial of the TLB page, set the size to 1 since
663          * the allowed permissions of the region may be different from other
664          * region of the page.
665          */
666         if (pmp_sa <= tlb_sa && pmp_ea >= tlb_ea) {
667             return TARGET_PAGE_SIZE;
668         } else if ((pmp_sa >= tlb_sa && pmp_sa <= tlb_ea) ||
669                    (pmp_ea >= tlb_sa && pmp_ea <= tlb_ea)) {
670             return 1;
671         }
672     }
673 
674     /*
675      * If no PMP entry matches the TLB page, the TLB page will also not be
676      * split into regions with different permissions by PMP so we set the size
677      * to TARGET_PAGE_SIZE.
678      */
679     return TARGET_PAGE_SIZE;
680 }
681 
682 /*
683  * Convert PMP privilege to TLB page privilege.
684  */
685 int pmp_priv_to_page_prot(pmp_priv_t pmp_priv)
686 {
687     int prot = 0;
688 
689     if (pmp_priv & PMP_READ) {
690         prot |= PAGE_READ;
691     }
692     if (pmp_priv & PMP_WRITE) {
693         prot |= PAGE_WRITE;
694     }
695     if (pmp_priv & PMP_EXEC) {
696         prot |= PAGE_EXEC;
697     }
698 
699     return prot;
700 }
701