1 /* 2 * QEMU RISC-V PMP (Physical Memory Protection) 3 * 4 * Author: Daire McNamara, daire.mcnamara@emdalo.com 5 * Ivan Griffin, ivan.griffin@emdalo.com 6 * 7 * This provides a RISC-V Physical Memory Protection implementation 8 * 9 * This program is free software; you can redistribute it and/or modify it 10 * under the terms and conditions of the GNU General Public License, 11 * version 2 or later, as published by the Free Software Foundation. 12 * 13 * This program is distributed in the hope it will be useful, but WITHOUT 14 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 15 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 16 * more details. 17 * 18 * You should have received a copy of the GNU General Public License along with 19 * this program. If not, see <http://www.gnu.org/licenses/>. 20 */ 21 22 #include "qemu/osdep.h" 23 #include "qemu/log.h" 24 #include "qapi/error.h" 25 #include "cpu.h" 26 #include "trace.h" 27 #include "exec/exec-all.h" 28 29 static bool pmp_write_cfg(CPURISCVState *env, uint32_t addr_index, 30 uint8_t val); 31 static uint8_t pmp_read_cfg(CPURISCVState *env, uint32_t addr_index); 32 33 /* 34 * Accessor method to extract address matching type 'a field' from cfg reg 35 */ 36 static inline uint8_t pmp_get_a_field(uint8_t cfg) 37 { 38 uint8_t a = cfg >> 3; 39 return a & 0x3; 40 } 41 42 /* 43 * Check whether a PMP is locked or not. 44 */ 45 static inline int pmp_is_locked(CPURISCVState *env, uint32_t pmp_index) 46 { 47 /* mseccfg.RLB is set */ 48 if (MSECCFG_RLB_ISSET(env)) { 49 return 0; 50 } 51 52 if (env->pmp_state.pmp[pmp_index].cfg_reg & PMP_LOCK) { 53 return 1; 54 } 55 56 /* Top PMP has no 'next' to check */ 57 if ((pmp_index + 1u) >= MAX_RISCV_PMPS) { 58 return 0; 59 } 60 61 return 0; 62 } 63 64 /* 65 * Count the number of active rules. 66 */ 67 uint32_t pmp_get_num_rules(CPURISCVState *env) 68 { 69 return env->pmp_state.num_rules; 70 } 71 72 /* 73 * Accessor to get the cfg reg for a specific PMP/HART 74 */ 75 static inline uint8_t pmp_read_cfg(CPURISCVState *env, uint32_t pmp_index) 76 { 77 if (pmp_index < MAX_RISCV_PMPS) { 78 return env->pmp_state.pmp[pmp_index].cfg_reg; 79 } 80 81 return 0; 82 } 83 84 85 /* 86 * Accessor to set the cfg reg for a specific PMP/HART 87 * Bounds checks and relevant lock bit. 88 */ 89 static bool pmp_write_cfg(CPURISCVState *env, uint32_t pmp_index, uint8_t val) 90 { 91 if (pmp_index < MAX_RISCV_PMPS) { 92 bool locked = true; 93 94 if (riscv_cpu_cfg(env)->ext_smepmp) { 95 /* mseccfg.RLB is set */ 96 if (MSECCFG_RLB_ISSET(env)) { 97 locked = false; 98 } 99 100 /* mseccfg.MML is not set */ 101 if (!MSECCFG_MML_ISSET(env) && !pmp_is_locked(env, pmp_index)) { 102 locked = false; 103 } 104 105 /* mseccfg.MML is set */ 106 if (MSECCFG_MML_ISSET(env)) { 107 /* not adding execute bit */ 108 if ((val & PMP_LOCK) != 0 && (val & PMP_EXEC) != PMP_EXEC) { 109 locked = false; 110 } 111 /* shared region and not adding X bit */ 112 if ((val & PMP_LOCK) != PMP_LOCK && 113 (val & 0x7) != (PMP_WRITE | PMP_EXEC)) { 114 locked = false; 115 } 116 } 117 } else { 118 if (!pmp_is_locked(env, pmp_index)) { 119 locked = false; 120 } 121 } 122 123 if (locked) { 124 qemu_log_mask(LOG_GUEST_ERROR, "ignoring pmpcfg write - locked\n"); 125 } else if (env->pmp_state.pmp[pmp_index].cfg_reg != val) { 126 /* If !mseccfg.MML then ignore writes with encoding RW=01 */ 127 if ((val & PMP_WRITE) && !(val & PMP_READ) && 128 !MSECCFG_MML_ISSET(env)) { 129 val &= ~(PMP_WRITE | PMP_READ); 130 } 131 env->pmp_state.pmp[pmp_index].cfg_reg = val; 132 pmp_update_rule_addr(env, pmp_index); 133 return true; 134 } 135 } else { 136 qemu_log_mask(LOG_GUEST_ERROR, 137 "ignoring pmpcfg write - out of bounds\n"); 138 } 139 140 return false; 141 } 142 143 void pmp_unlock_entries(CPURISCVState *env) 144 { 145 uint32_t pmp_num = pmp_get_num_rules(env); 146 int i; 147 148 for (i = 0; i < pmp_num; i++) { 149 env->pmp_state.pmp[i].cfg_reg &= ~(PMP_LOCK | PMP_AMATCH); 150 } 151 } 152 153 static void pmp_decode_napot(target_ulong a, target_ulong *sa, 154 target_ulong *ea) 155 { 156 /* 157 * aaaa...aaa0 8-byte NAPOT range 158 * aaaa...aa01 16-byte NAPOT range 159 * aaaa...a011 32-byte NAPOT range 160 * ... 161 * aa01...1111 2^XLEN-byte NAPOT range 162 * a011...1111 2^(XLEN+1)-byte NAPOT range 163 * 0111...1111 2^(XLEN+2)-byte NAPOT range 164 * 1111...1111 Reserved 165 */ 166 a = (a << 2) | 0x3; 167 *sa = a & (a + 1); 168 *ea = a | (a + 1); 169 } 170 171 void pmp_update_rule_addr(CPURISCVState *env, uint32_t pmp_index) 172 { 173 uint8_t this_cfg = env->pmp_state.pmp[pmp_index].cfg_reg; 174 target_ulong this_addr = env->pmp_state.pmp[pmp_index].addr_reg; 175 target_ulong prev_addr = 0u; 176 target_ulong sa = 0u; 177 target_ulong ea = 0u; 178 179 if (pmp_index >= 1u) { 180 prev_addr = env->pmp_state.pmp[pmp_index - 1].addr_reg; 181 } 182 183 switch (pmp_get_a_field(this_cfg)) { 184 case PMP_AMATCH_OFF: 185 sa = 0u; 186 ea = -1; 187 break; 188 189 case PMP_AMATCH_TOR: 190 sa = prev_addr << 2; /* shift up from [xx:0] to [xx+2:2] */ 191 ea = (this_addr << 2) - 1u; 192 if (sa > ea) { 193 sa = ea = 0u; 194 } 195 break; 196 197 case PMP_AMATCH_NA4: 198 sa = this_addr << 2; /* shift up from [xx:0] to [xx+2:2] */ 199 ea = (sa + 4u) - 1u; 200 break; 201 202 case PMP_AMATCH_NAPOT: 203 pmp_decode_napot(this_addr, &sa, &ea); 204 break; 205 206 default: 207 sa = 0u; 208 ea = 0u; 209 break; 210 } 211 212 env->pmp_state.addr[pmp_index].sa = sa; 213 env->pmp_state.addr[pmp_index].ea = ea; 214 } 215 216 void pmp_update_rule_nums(CPURISCVState *env) 217 { 218 int i; 219 220 env->pmp_state.num_rules = 0; 221 for (i = 0; i < MAX_RISCV_PMPS; i++) { 222 const uint8_t a_field = 223 pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg); 224 if (PMP_AMATCH_OFF != a_field) { 225 env->pmp_state.num_rules++; 226 } 227 } 228 } 229 230 static int pmp_is_in_range(CPURISCVState *env, int pmp_index, 231 target_ulong addr) 232 { 233 int result = 0; 234 235 if ((addr >= env->pmp_state.addr[pmp_index].sa) && 236 (addr <= env->pmp_state.addr[pmp_index].ea)) { 237 result = 1; 238 } else { 239 result = 0; 240 } 241 242 return result; 243 } 244 245 /* 246 * Check if the address has required RWX privs when no PMP entry is matched. 247 */ 248 static bool pmp_hart_has_privs_default(CPURISCVState *env, pmp_priv_t privs, 249 pmp_priv_t *allowed_privs, 250 target_ulong mode) 251 { 252 bool ret; 253 254 if (MSECCFG_MMWP_ISSET(env)) { 255 /* 256 * The Machine Mode Whitelist Policy (mseccfg.MMWP) is set 257 * so we default to deny all, even for M-mode. 258 */ 259 *allowed_privs = 0; 260 return false; 261 } else if (MSECCFG_MML_ISSET(env)) { 262 /* 263 * The Machine Mode Lockdown (mseccfg.MML) bit is set 264 * so we can only execute code in M-mode with an applicable 265 * rule. Other modes are disabled. 266 */ 267 if (mode == PRV_M && !(privs & PMP_EXEC)) { 268 ret = true; 269 *allowed_privs = PMP_READ | PMP_WRITE; 270 } else { 271 ret = false; 272 *allowed_privs = 0; 273 } 274 275 return ret; 276 } 277 278 if (!riscv_cpu_cfg(env)->pmp || (mode == PRV_M)) { 279 /* 280 * Privileged spec v1.10 states if HW doesn't implement any PMP entry 281 * or no PMP entry matches an M-Mode access, the access succeeds. 282 */ 283 ret = true; 284 *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC; 285 } else { 286 /* 287 * Other modes are not allowed to succeed if they don't * match a rule, 288 * but there are rules. We've checked for no rule earlier in this 289 * function. 290 */ 291 ret = false; 292 *allowed_privs = 0; 293 } 294 295 return ret; 296 } 297 298 299 /* 300 * Public Interface 301 */ 302 303 /* 304 * Check if the address has required RWX privs to complete desired operation 305 * Return true if a pmp rule match or default match 306 * Return false if no match 307 */ 308 bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr, 309 target_ulong size, pmp_priv_t privs, 310 pmp_priv_t *allowed_privs, target_ulong mode) 311 { 312 int i = 0; 313 int pmp_size = 0; 314 target_ulong s = 0; 315 target_ulong e = 0; 316 317 /* Short cut if no rules */ 318 if (0 == pmp_get_num_rules(env)) { 319 return pmp_hart_has_privs_default(env, privs, allowed_privs, mode); 320 } 321 322 if (size == 0) { 323 if (riscv_cpu_cfg(env)->mmu) { 324 /* 325 * If size is unknown (0), assume that all bytes 326 * from addr to the end of the page will be accessed. 327 */ 328 pmp_size = -(addr | TARGET_PAGE_MASK); 329 } else { 330 pmp_size = sizeof(target_ulong); 331 } 332 } else { 333 pmp_size = size; 334 } 335 336 /* 337 * 1.10 draft priv spec states there is an implicit order 338 * from low to high 339 */ 340 for (i = 0; i < MAX_RISCV_PMPS; i++) { 341 s = pmp_is_in_range(env, i, addr); 342 e = pmp_is_in_range(env, i, addr + pmp_size - 1); 343 344 /* partially inside */ 345 if ((s + e) == 1) { 346 qemu_log_mask(LOG_GUEST_ERROR, 347 "pmp violation - access is partially inside\n"); 348 *allowed_privs = 0; 349 return false; 350 } 351 352 /* fully inside */ 353 const uint8_t a_field = 354 pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg); 355 356 /* 357 * Convert the PMP permissions to match the truth table in the 358 * Smepmp spec. 359 */ 360 const uint8_t smepmp_operation = 361 ((env->pmp_state.pmp[i].cfg_reg & PMP_LOCK) >> 4) | 362 ((env->pmp_state.pmp[i].cfg_reg & PMP_READ) << 2) | 363 (env->pmp_state.pmp[i].cfg_reg & PMP_WRITE) | 364 ((env->pmp_state.pmp[i].cfg_reg & PMP_EXEC) >> 2); 365 366 if (((s + e) == 2) && (PMP_AMATCH_OFF != a_field)) { 367 /* 368 * If the PMP entry is not off and the address is in range, 369 * do the priv check 370 */ 371 if (!MSECCFG_MML_ISSET(env)) { 372 /* 373 * If mseccfg.MML Bit is not set, do pmp priv check 374 * This will always apply to regular PMP. 375 */ 376 *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC; 377 if ((mode != PRV_M) || pmp_is_locked(env, i)) { 378 *allowed_privs &= env->pmp_state.pmp[i].cfg_reg; 379 } 380 } else { 381 /* 382 * If mseccfg.MML Bit set, do the enhanced pmp priv check 383 */ 384 if (mode == PRV_M) { 385 switch (smepmp_operation) { 386 case 0: 387 case 1: 388 case 4: 389 case 5: 390 case 6: 391 case 7: 392 case 8: 393 *allowed_privs = 0; 394 break; 395 case 2: 396 case 3: 397 case 14: 398 *allowed_privs = PMP_READ | PMP_WRITE; 399 break; 400 case 9: 401 case 10: 402 *allowed_privs = PMP_EXEC; 403 break; 404 case 11: 405 case 13: 406 *allowed_privs = PMP_READ | PMP_EXEC; 407 break; 408 case 12: 409 case 15: 410 *allowed_privs = PMP_READ; 411 break; 412 default: 413 g_assert_not_reached(); 414 } 415 } else { 416 switch (smepmp_operation) { 417 case 0: 418 case 8: 419 case 9: 420 case 12: 421 case 13: 422 case 14: 423 *allowed_privs = 0; 424 break; 425 case 1: 426 case 10: 427 case 11: 428 *allowed_privs = PMP_EXEC; 429 break; 430 case 2: 431 case 4: 432 case 15: 433 *allowed_privs = PMP_READ; 434 break; 435 case 3: 436 case 6: 437 *allowed_privs = PMP_READ | PMP_WRITE; 438 break; 439 case 5: 440 *allowed_privs = PMP_READ | PMP_EXEC; 441 break; 442 case 7: 443 *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC; 444 break; 445 default: 446 g_assert_not_reached(); 447 } 448 } 449 } 450 451 /* 452 * If matching address range was found, the protection bits 453 * defined with PMP must be used. We shouldn't fallback on 454 * finding default privileges. 455 */ 456 return (privs & *allowed_privs) == privs; 457 } 458 } 459 460 /* No rule matched */ 461 return pmp_hart_has_privs_default(env, privs, allowed_privs, mode); 462 } 463 464 /* 465 * Handle a write to a pmpcfg CSR 466 */ 467 void pmpcfg_csr_write(CPURISCVState *env, uint32_t reg_index, 468 target_ulong val) 469 { 470 int i; 471 uint8_t cfg_val; 472 int pmpcfg_nums = 2 << riscv_cpu_mxl(env); 473 bool modified = false; 474 475 trace_pmpcfg_csr_write(env->mhartid, reg_index, val); 476 477 for (i = 0; i < pmpcfg_nums; i++) { 478 cfg_val = (val >> 8 * i) & 0xff; 479 modified |= pmp_write_cfg(env, (reg_index * 4) + i, cfg_val); 480 } 481 482 /* If PMP permission of any addr has been changed, flush TLB pages. */ 483 if (modified) { 484 pmp_update_rule_nums(env); 485 tlb_flush(env_cpu(env)); 486 } 487 } 488 489 490 /* 491 * Handle a read from a pmpcfg CSR 492 */ 493 target_ulong pmpcfg_csr_read(CPURISCVState *env, uint32_t reg_index) 494 { 495 int i; 496 target_ulong cfg_val = 0; 497 target_ulong val = 0; 498 int pmpcfg_nums = 2 << riscv_cpu_mxl(env); 499 500 for (i = 0; i < pmpcfg_nums; i++) { 501 val = pmp_read_cfg(env, (reg_index * 4) + i); 502 cfg_val |= (val << (i * 8)); 503 } 504 trace_pmpcfg_csr_read(env->mhartid, reg_index, cfg_val); 505 506 return cfg_val; 507 } 508 509 510 /* 511 * Handle a write to a pmpaddr CSR 512 */ 513 void pmpaddr_csr_write(CPURISCVState *env, uint32_t addr_index, 514 target_ulong val) 515 { 516 trace_pmpaddr_csr_write(env->mhartid, addr_index, val); 517 bool is_next_cfg_tor = false; 518 519 if (addr_index < MAX_RISCV_PMPS) { 520 /* 521 * In TOR mode, need to check the lock bit of the next pmp 522 * (if there is a next). 523 */ 524 if (addr_index + 1 < MAX_RISCV_PMPS) { 525 uint8_t pmp_cfg = env->pmp_state.pmp[addr_index + 1].cfg_reg; 526 is_next_cfg_tor = PMP_AMATCH_TOR == pmp_get_a_field(pmp_cfg); 527 528 if (pmp_cfg & PMP_LOCK && is_next_cfg_tor) { 529 qemu_log_mask(LOG_GUEST_ERROR, 530 "ignoring pmpaddr write - pmpcfg + 1 locked\n"); 531 return; 532 } 533 } 534 535 if (!pmp_is_locked(env, addr_index)) { 536 if (env->pmp_state.pmp[addr_index].addr_reg != val) { 537 env->pmp_state.pmp[addr_index].addr_reg = val; 538 pmp_update_rule_addr(env, addr_index); 539 if (is_next_cfg_tor) { 540 pmp_update_rule_addr(env, addr_index + 1); 541 } 542 tlb_flush(env_cpu(env)); 543 } 544 } else { 545 qemu_log_mask(LOG_GUEST_ERROR, 546 "ignoring pmpaddr write - locked\n"); 547 } 548 } else { 549 qemu_log_mask(LOG_GUEST_ERROR, 550 "ignoring pmpaddr write - out of bounds\n"); 551 } 552 } 553 554 555 /* 556 * Handle a read from a pmpaddr CSR 557 */ 558 target_ulong pmpaddr_csr_read(CPURISCVState *env, uint32_t addr_index) 559 { 560 target_ulong val = 0; 561 562 if (addr_index < MAX_RISCV_PMPS) { 563 val = env->pmp_state.pmp[addr_index].addr_reg; 564 trace_pmpaddr_csr_read(env->mhartid, addr_index, val); 565 } else { 566 qemu_log_mask(LOG_GUEST_ERROR, 567 "ignoring pmpaddr read - out of bounds\n"); 568 } 569 570 return val; 571 } 572 573 /* 574 * Handle a write to a mseccfg CSR 575 */ 576 void mseccfg_csr_write(CPURISCVState *env, target_ulong val) 577 { 578 int i; 579 580 trace_mseccfg_csr_write(env->mhartid, val); 581 582 /* RLB cannot be enabled if it's already 0 and if any regions are locked */ 583 if (!MSECCFG_RLB_ISSET(env)) { 584 for (i = 0; i < MAX_RISCV_PMPS; i++) { 585 if (pmp_is_locked(env, i)) { 586 val &= ~MSECCFG_RLB; 587 break; 588 } 589 } 590 } 591 592 if (riscv_cpu_cfg(env)->ext_smepmp) { 593 /* Sticky bits */ 594 val |= (env->mseccfg & (MSECCFG_MMWP | MSECCFG_MML)); 595 if ((val ^ env->mseccfg) & (MSECCFG_MMWP | MSECCFG_MML)) { 596 tlb_flush(env_cpu(env)); 597 } 598 } else { 599 val &= ~(MSECCFG_MMWP | MSECCFG_MML | MSECCFG_RLB); 600 } 601 602 env->mseccfg = val; 603 } 604 605 /* 606 * Handle a read from a mseccfg CSR 607 */ 608 target_ulong mseccfg_csr_read(CPURISCVState *env) 609 { 610 trace_mseccfg_csr_read(env->mhartid, env->mseccfg); 611 return env->mseccfg; 612 } 613 614 /* 615 * Calculate the TLB size. 616 * It's possible that PMP regions only cover partial of the TLB page, and 617 * this may split the page into regions with different permissions. 618 * For example if PMP0 is (0x80000008~0x8000000F, R) and PMP1 is (0x80000000 619 * ~0x80000FFF, RWX), then region 0x80000008~0x8000000F has R permission, and 620 * the other regions in this page have RWX permissions. 621 * A write access to 0x80000000 will match PMP1. However we cannot cache the 622 * translation result in the TLB since this will make the write access to 623 * 0x80000008 bypass the check of PMP0. 624 * To avoid this we return a size of 1 (which means no caching) if the PMP 625 * region only covers partial of the TLB page. 626 */ 627 target_ulong pmp_get_tlb_size(CPURISCVState *env, target_ulong addr) 628 { 629 target_ulong pmp_sa; 630 target_ulong pmp_ea; 631 target_ulong tlb_sa = addr & ~(TARGET_PAGE_SIZE - 1); 632 target_ulong tlb_ea = tlb_sa + TARGET_PAGE_SIZE - 1; 633 int i; 634 635 /* 636 * If PMP is not supported or there are no PMP rules, the TLB page will not 637 * be split into regions with different permissions by PMP so we set the 638 * size to TARGET_PAGE_SIZE. 639 */ 640 if (!riscv_cpu_cfg(env)->pmp || !pmp_get_num_rules(env)) { 641 return TARGET_PAGE_SIZE; 642 } 643 644 for (i = 0; i < MAX_RISCV_PMPS; i++) { 645 if (pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg) == PMP_AMATCH_OFF) { 646 continue; 647 } 648 649 pmp_sa = env->pmp_state.addr[i].sa; 650 pmp_ea = env->pmp_state.addr[i].ea; 651 652 /* 653 * Only the first PMP entry that covers (whole or partial of) the TLB 654 * page really matters: 655 * If it covers the whole TLB page, set the size to TARGET_PAGE_SIZE, 656 * since the following PMP entries have lower priority and will not 657 * affect the permissions of the page. 658 * If it only covers partial of the TLB page, set the size to 1 since 659 * the allowed permissions of the region may be different from other 660 * region of the page. 661 */ 662 if (pmp_sa <= tlb_sa && pmp_ea >= tlb_ea) { 663 return TARGET_PAGE_SIZE; 664 } else if ((pmp_sa >= tlb_sa && pmp_sa <= tlb_ea) || 665 (pmp_ea >= tlb_sa && pmp_ea <= tlb_ea)) { 666 return 1; 667 } 668 } 669 670 /* 671 * If no PMP entry matches the TLB page, the TLB page will also not be 672 * split into regions with different permissions by PMP so we set the size 673 * to TARGET_PAGE_SIZE. 674 */ 675 return TARGET_PAGE_SIZE; 676 } 677 678 /* 679 * Convert PMP privilege to TLB page privilege. 680 */ 681 int pmp_priv_to_page_prot(pmp_priv_t pmp_priv) 682 { 683 int prot = 0; 684 685 if (pmp_priv & PMP_READ) { 686 prot |= PAGE_READ; 687 } 688 if (pmp_priv & PMP_WRITE) { 689 prot |= PAGE_WRITE; 690 } 691 if (pmp_priv & PMP_EXEC) { 692 prot |= PAGE_EXEC; 693 } 694 695 return prot; 696 } 697