xref: /openbmc/qemu/target/riscv/pmp.c (revision d009f26a54f573468be721590a19350c224bc730)
1 /*
2  * QEMU RISC-V PMP (Physical Memory Protection)
3  *
4  * Author: Daire McNamara, daire.mcnamara@emdalo.com
5  *         Ivan Griffin, ivan.griffin@emdalo.com
6  *
7  * This provides a RISC-V Physical Memory Protection implementation
8  *
9  * This program is free software; you can redistribute it and/or modify it
10  * under the terms and conditions of the GNU General Public License,
11  * version 2 or later, as published by the Free Software Foundation.
12  *
13  * This program is distributed in the hope it will be useful, but WITHOUT
14  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
15  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
16  * more details.
17  *
18  * You should have received a copy of the GNU General Public License along with
19  * this program.  If not, see <http://www.gnu.org/licenses/>.
20  */
21 
22 #include "qemu/osdep.h"
23 #include "qemu/log.h"
24 #include "qapi/error.h"
25 #include "cpu.h"
26 #include "trace.h"
27 #include "exec/cputlb.h"
28 #include "exec/page-protection.h"
29 #include "exec/target_page.h"
30 
31 static bool pmp_write_cfg(CPURISCVState *env, uint32_t addr_index,
32                           uint8_t val);
33 static uint8_t pmp_read_cfg(CPURISCVState *env, uint32_t addr_index);
34 
35 /*
36  * Convert the PMP permissions to match the truth table in the Smepmp spec.
37  */
38 static inline uint8_t pmp_get_smepmp_operation(uint8_t cfg)
39 {
40     return ((cfg & PMP_LOCK) >> 4) | ((cfg & PMP_READ) << 2) |
41            (cfg & PMP_WRITE) | ((cfg & PMP_EXEC) >> 2);
42 }
43 
44 /*
45  * Accessor method to extract address matching type 'a field' from cfg reg
46  */
47 static inline uint8_t pmp_get_a_field(uint8_t cfg)
48 {
49     uint8_t a = cfg >> 3;
50     return a & 0x3;
51 }
52 
53 /*
54  * Check whether a PMP is locked or not.
55  */
56 static inline int pmp_is_locked(CPURISCVState *env, uint32_t pmp_index)
57 {
58     if (env->pmp_state.pmp[pmp_index].cfg_reg & PMP_LOCK) {
59         return 1;
60     }
61 
62     return 0;
63 }
64 
65 /*
66  * Check whether a PMP is locked for writing or not.
67  * (i.e. has LOCK flag and mseccfg.RLB is unset)
68  */
69 static int pmp_is_readonly(CPURISCVState *env, uint32_t pmp_index)
70 {
71     return pmp_is_locked(env, pmp_index) && !MSECCFG_RLB_ISSET(env);
72 }
73 
74 /*
75  * Check whether `val` is an invalid Smepmp config value
76  */
77 static int pmp_is_invalid_smepmp_cfg(CPURISCVState *env, uint8_t val)
78 {
79     /* No check if mseccfg.MML is not set or if mseccfg.RLB is set */
80     if (!MSECCFG_MML_ISSET(env) || MSECCFG_RLB_ISSET(env)) {
81         return 0;
82     }
83 
84     /*
85      * Adding a rule with executable privileges that either is M-mode-only
86      * or a locked Shared-Region is not possible
87      */
88     switch (pmp_get_smepmp_operation(val)) {
89     case 0:
90     case 1:
91     case 2:
92     case 3:
93     case 4:
94     case 5:
95     case 6:
96     case 7:
97     case 8:
98     case 12:
99     case 14:
100     case 15:
101         return 0;
102     case 9:
103     case 10:
104     case 11:
105     case 13:
106         return 1;
107     default:
108         g_assert_not_reached();
109     }
110 }
111 
112 /*
113  * Count the number of active rules.
114  */
115 uint32_t pmp_get_num_rules(CPURISCVState *env)
116 {
117      return env->pmp_state.num_rules;
118 }
119 
120 /*
121  * Accessor to get the cfg reg for a specific PMP/HART
122  */
123 static inline uint8_t pmp_read_cfg(CPURISCVState *env, uint32_t pmp_index)
124 {
125     if (pmp_index < MAX_RISCV_PMPS) {
126         return env->pmp_state.pmp[pmp_index].cfg_reg;
127     }
128 
129     return 0;
130 }
131 
132 
133 /*
134  * Accessor to set the cfg reg for a specific PMP/HART
135  * Bounds checks and relevant lock bit.
136  */
137 static bool pmp_write_cfg(CPURISCVState *env, uint32_t pmp_index, uint8_t val)
138 {
139     if (pmp_index < MAX_RISCV_PMPS) {
140         if (env->pmp_state.pmp[pmp_index].cfg_reg == val) {
141             /* no change */
142             return false;
143         }
144 
145         if (pmp_is_readonly(env, pmp_index)) {
146             qemu_log_mask(LOG_GUEST_ERROR,
147                           "ignoring pmpcfg write - read only\n");
148         } else if (pmp_is_invalid_smepmp_cfg(env, val)) {
149             qemu_log_mask(LOG_GUEST_ERROR,
150                           "ignoring pmpcfg write - invalid\n");
151         } else {
152             env->pmp_state.pmp[pmp_index].cfg_reg = val;
153             pmp_update_rule_addr(env, pmp_index);
154             return true;
155         }
156     } else {
157         qemu_log_mask(LOG_GUEST_ERROR,
158                       "ignoring pmpcfg write - out of bounds\n");
159     }
160 
161     return false;
162 }
163 
164 void pmp_unlock_entries(CPURISCVState *env)
165 {
166     uint32_t pmp_num = pmp_get_num_rules(env);
167     int i;
168 
169     for (i = 0; i < pmp_num; i++) {
170         env->pmp_state.pmp[i].cfg_reg &= ~(PMP_LOCK | PMP_AMATCH);
171     }
172 }
173 
174 static void pmp_decode_napot(hwaddr a, hwaddr *sa, hwaddr *ea)
175 {
176     /*
177      * aaaa...aaa0   8-byte NAPOT range
178      * aaaa...aa01   16-byte NAPOT range
179      * aaaa...a011   32-byte NAPOT range
180      * ...
181      * aa01...1111   2^XLEN-byte NAPOT range
182      * a011...1111   2^(XLEN+1)-byte NAPOT range
183      * 0111...1111   2^(XLEN+2)-byte NAPOT range
184      * 1111...1111   Reserved
185      */
186     a = (a << 2) | 0x3;
187     *sa = a & (a + 1);
188     *ea = a | (a + 1);
189 }
190 
191 void pmp_update_rule_addr(CPURISCVState *env, uint32_t pmp_index)
192 {
193     uint8_t this_cfg = env->pmp_state.pmp[pmp_index].cfg_reg;
194     target_ulong this_addr = env->pmp_state.pmp[pmp_index].addr_reg;
195     target_ulong prev_addr = 0u;
196     hwaddr sa = 0u;
197     hwaddr ea = 0u;
198 
199     if (pmp_index >= 1u) {
200         prev_addr = env->pmp_state.pmp[pmp_index - 1].addr_reg;
201     }
202 
203     switch (pmp_get_a_field(this_cfg)) {
204     case PMP_AMATCH_OFF:
205         sa = 0u;
206         ea = -1;
207         break;
208 
209     case PMP_AMATCH_TOR:
210         sa = prev_addr << 2; /* shift up from [xx:0] to [xx+2:2] */
211         ea = (this_addr << 2) - 1u;
212         if (sa > ea) {
213             sa = ea = 0u;
214         }
215         break;
216 
217     case PMP_AMATCH_NA4:
218         sa = this_addr << 2; /* shift up from [xx:0] to [xx+2:2] */
219         ea = (sa + 4u) - 1u;
220         break;
221 
222     case PMP_AMATCH_NAPOT:
223         pmp_decode_napot(this_addr, &sa, &ea);
224         break;
225 
226     default:
227         sa = 0u;
228         ea = 0u;
229         break;
230     }
231 
232     env->pmp_state.addr[pmp_index].sa = sa;
233     env->pmp_state.addr[pmp_index].ea = ea;
234 }
235 
236 void pmp_update_rule_nums(CPURISCVState *env)
237 {
238     int i;
239 
240     env->pmp_state.num_rules = 0;
241     for (i = 0; i < MAX_RISCV_PMPS; i++) {
242         const uint8_t a_field =
243             pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg);
244         if (PMP_AMATCH_OFF != a_field) {
245             env->pmp_state.num_rules++;
246         }
247     }
248 }
249 
250 static int pmp_is_in_range(CPURISCVState *env, int pmp_index, hwaddr addr)
251 {
252     int result = 0;
253 
254     if ((addr >= env->pmp_state.addr[pmp_index].sa) &&
255         (addr <= env->pmp_state.addr[pmp_index].ea)) {
256         result = 1;
257     } else {
258         result = 0;
259     }
260 
261     return result;
262 }
263 
264 /*
265  * Check if the address has required RWX privs when no PMP entry is matched.
266  */
267 static bool pmp_hart_has_privs_default(CPURISCVState *env, pmp_priv_t privs,
268                                        pmp_priv_t *allowed_privs,
269                                        target_ulong mode)
270 {
271     bool ret;
272 
273     if (MSECCFG_MMWP_ISSET(env)) {
274         /*
275          * The Machine Mode Whitelist Policy (mseccfg.MMWP) is set
276          * so we default to deny all, even for M-mode.
277          */
278         *allowed_privs = 0;
279         return false;
280     } else if (MSECCFG_MML_ISSET(env)) {
281         /*
282          * The Machine Mode Lockdown (mseccfg.MML) bit is set
283          * so we can only execute code in M-mode with an applicable
284          * rule. Other modes are disabled.
285          */
286         if (mode == PRV_M && !(privs & PMP_EXEC)) {
287             ret = true;
288             *allowed_privs = PMP_READ | PMP_WRITE;
289         } else {
290             ret = false;
291             *allowed_privs = 0;
292         }
293 
294         return ret;
295     }
296 
297     if (!riscv_cpu_cfg(env)->pmp || (mode == PRV_M)) {
298         /*
299          * Privileged spec v1.10 states if HW doesn't implement any PMP entry
300          * or no PMP entry matches an M-Mode access, the access succeeds.
301          */
302         ret = true;
303         *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
304     } else {
305         /*
306          * Other modes are not allowed to succeed if they don't * match a rule,
307          * but there are rules. We've checked for no rule earlier in this
308          * function.
309          */
310         ret = false;
311         *allowed_privs = 0;
312     }
313 
314     return ret;
315 }
316 
317 
318 /*
319  * Public Interface
320  */
321 
322 /*
323  * Check if the address has required RWX privs to complete desired operation
324  * Return true if a pmp rule match or default match
325  * Return false if no match
326  */
327 bool pmp_hart_has_privs(CPURISCVState *env, hwaddr addr,
328                         target_ulong size, pmp_priv_t privs,
329                         pmp_priv_t *allowed_privs, target_ulong mode)
330 {
331     int i = 0;
332     int pmp_size = 0;
333     hwaddr s = 0;
334     hwaddr e = 0;
335 
336     /* Short cut if no rules */
337     if (0 == pmp_get_num_rules(env)) {
338         return pmp_hart_has_privs_default(env, privs, allowed_privs, mode);
339     }
340 
341     if (size == 0) {
342         if (riscv_cpu_cfg(env)->mmu) {
343             /*
344              * If size is unknown (0), assume that all bytes
345              * from addr to the end of the page will be accessed.
346              */
347             pmp_size = -(addr | TARGET_PAGE_MASK);
348         } else {
349             pmp_size = 2 << riscv_cpu_mxl(env);
350         }
351     } else {
352         pmp_size = size;
353     }
354 
355     /*
356      * 1.10 draft priv spec states there is an implicit order
357      * from low to high
358      */
359     for (i = 0; i < MAX_RISCV_PMPS; i++) {
360         s = pmp_is_in_range(env, i, addr);
361         e = pmp_is_in_range(env, i, addr + pmp_size - 1);
362 
363         /* partially inside */
364         if ((s + e) == 1) {
365             qemu_log_mask(LOG_GUEST_ERROR,
366                           "pmp violation - access is partially inside\n");
367             *allowed_privs = 0;
368             return false;
369         }
370 
371         /* fully inside */
372         const uint8_t a_field =
373             pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg);
374 
375         if (((s + e) == 2) && (PMP_AMATCH_OFF != a_field)) {
376             /*
377              * If the PMP entry is not off and the address is in range,
378              * do the priv check
379              */
380             if (!MSECCFG_MML_ISSET(env)) {
381                 /*
382                  * If mseccfg.MML Bit is not set, do pmp priv check
383                  * This will always apply to regular PMP.
384                  */
385                 *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
386                 if ((mode != PRV_M) || pmp_is_locked(env, i)) {
387                     *allowed_privs &= env->pmp_state.pmp[i].cfg_reg;
388                 }
389             } else {
390                 /*
391                  * If mseccfg.MML Bit set, do the enhanced pmp priv check
392                  */
393                 const uint8_t smepmp_operation =
394                     pmp_get_smepmp_operation(env->pmp_state.pmp[i].cfg_reg);
395 
396                 if (mode == PRV_M) {
397                     switch (smepmp_operation) {
398                     case 0:
399                     case 1:
400                     case 4:
401                     case 5:
402                     case 6:
403                     case 7:
404                     case 8:
405                         *allowed_privs = 0;
406                         break;
407                     case 2:
408                     case 3:
409                     case 14:
410                         *allowed_privs = PMP_READ | PMP_WRITE;
411                         break;
412                     case 9:
413                     case 10:
414                         *allowed_privs = PMP_EXEC;
415                         break;
416                     case 11:
417                     case 13:
418                         *allowed_privs = PMP_READ | PMP_EXEC;
419                         break;
420                     case 12:
421                     case 15:
422                         *allowed_privs = PMP_READ;
423                         break;
424                     default:
425                         g_assert_not_reached();
426                     }
427                 } else {
428                     switch (smepmp_operation) {
429                     case 0:
430                     case 8:
431                     case 9:
432                     case 12:
433                     case 13:
434                     case 14:
435                         *allowed_privs = 0;
436                         break;
437                     case 1:
438                     case 10:
439                     case 11:
440                         *allowed_privs = PMP_EXEC;
441                         break;
442                     case 2:
443                     case 4:
444                     case 15:
445                         *allowed_privs = PMP_READ;
446                         break;
447                     case 3:
448                     case 6:
449                         *allowed_privs = PMP_READ | PMP_WRITE;
450                         break;
451                     case 5:
452                         *allowed_privs = PMP_READ | PMP_EXEC;
453                         break;
454                     case 7:
455                         *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC;
456                         break;
457                     default:
458                         g_assert_not_reached();
459                     }
460                 }
461             }
462 
463             /*
464              * If matching address range was found, the protection bits
465              * defined with PMP must be used. We shouldn't fallback on
466              * finding default privileges.
467              */
468             return (privs & *allowed_privs) == privs;
469         }
470     }
471 
472     /* No rule matched */
473     return pmp_hart_has_privs_default(env, privs, allowed_privs, mode);
474 }
475 
476 /*
477  * Handle a write to a pmpcfg CSR
478  */
479 void pmpcfg_csr_write(CPURISCVState *env, uint32_t reg_index,
480                       target_ulong val)
481 {
482     int i;
483     uint8_t cfg_val;
484     int pmpcfg_nums = 2 << riscv_cpu_mxl(env);
485     bool modified = false;
486 
487     trace_pmpcfg_csr_write(env->mhartid, reg_index, val);
488 
489     for (i = 0; i < pmpcfg_nums; i++) {
490         cfg_val = (val >> 8 * i)  & 0xff;
491         modified |= pmp_write_cfg(env, (reg_index * 4) + i, cfg_val);
492     }
493 
494     /* If PMP permission of any addr has been changed, flush TLB pages. */
495     if (modified) {
496         pmp_update_rule_nums(env);
497         tlb_flush(env_cpu(env));
498     }
499 }
500 
501 
502 /*
503  * Handle a read from a pmpcfg CSR
504  */
505 target_ulong pmpcfg_csr_read(CPURISCVState *env, uint32_t reg_index)
506 {
507     int i;
508     target_ulong cfg_val = 0;
509     target_ulong val = 0;
510     int pmpcfg_nums = 2 << riscv_cpu_mxl(env);
511 
512     for (i = 0; i < pmpcfg_nums; i++) {
513         val = pmp_read_cfg(env, (reg_index * 4) + i);
514         cfg_val |= (val << (i * 8));
515     }
516     trace_pmpcfg_csr_read(env->mhartid, reg_index, cfg_val);
517 
518     return cfg_val;
519 }
520 
521 
522 /*
523  * Handle a write to a pmpaddr CSR
524  */
525 void pmpaddr_csr_write(CPURISCVState *env, uint32_t addr_index,
526                        target_ulong val)
527 {
528     trace_pmpaddr_csr_write(env->mhartid, addr_index, val);
529     bool is_next_cfg_tor = false;
530 
531     if (addr_index < MAX_RISCV_PMPS) {
532         if (env->pmp_state.pmp[addr_index].addr_reg == val) {
533             /* no change */
534             return;
535         }
536 
537         /*
538          * In TOR mode, need to check the lock bit of the next pmp
539          * (if there is a next).
540          */
541         if (addr_index + 1 < MAX_RISCV_PMPS) {
542             uint8_t pmp_cfg = env->pmp_state.pmp[addr_index + 1].cfg_reg;
543             is_next_cfg_tor = PMP_AMATCH_TOR == pmp_get_a_field(pmp_cfg);
544 
545             if (pmp_is_readonly(env, addr_index + 1) && is_next_cfg_tor) {
546                 qemu_log_mask(LOG_GUEST_ERROR,
547                               "ignoring pmpaddr write - pmpcfg+1 read only\n");
548                 return;
549             }
550         }
551 
552         if (!pmp_is_readonly(env, addr_index)) {
553             env->pmp_state.pmp[addr_index].addr_reg = val;
554             pmp_update_rule_addr(env, addr_index);
555             if (is_next_cfg_tor) {
556                 pmp_update_rule_addr(env, addr_index + 1);
557             }
558             tlb_flush(env_cpu(env));
559         } else {
560             qemu_log_mask(LOG_GUEST_ERROR,
561                           "ignoring pmpaddr write - read only\n");
562         }
563     } else {
564         qemu_log_mask(LOG_GUEST_ERROR,
565                       "ignoring pmpaddr write - out of bounds\n");
566     }
567 }
568 
569 
570 /*
571  * Handle a read from a pmpaddr CSR
572  */
573 target_ulong pmpaddr_csr_read(CPURISCVState *env, uint32_t addr_index)
574 {
575     target_ulong val = 0;
576 
577     if (addr_index < MAX_RISCV_PMPS) {
578         val = env->pmp_state.pmp[addr_index].addr_reg;
579         trace_pmpaddr_csr_read(env->mhartid, addr_index, val);
580     } else {
581         qemu_log_mask(LOG_GUEST_ERROR,
582                       "ignoring pmpaddr read - out of bounds\n");
583     }
584 
585     return val;
586 }
587 
588 /*
589  * Handle a write to a mseccfg CSR
590  */
591 void mseccfg_csr_write(CPURISCVState *env, target_ulong val)
592 {
593     int i;
594     uint64_t mask = MSECCFG_MMWP | MSECCFG_MML;
595     /* Update PMM field only if the value is valid according to Zjpm v1.0 */
596     if (riscv_cpu_cfg(env)->ext_smmpm &&
597         riscv_cpu_mxl(env) == MXL_RV64 &&
598         get_field(val, MSECCFG_PMM) != PMM_FIELD_RESERVED) {
599         mask |= MSECCFG_PMM;
600     }
601 
602     trace_mseccfg_csr_write(env->mhartid, val);
603 
604     /* RLB cannot be enabled if it's already 0 and if any regions are locked */
605     if (!MSECCFG_RLB_ISSET(env)) {
606         for (i = 0; i < MAX_RISCV_PMPS; i++) {
607             if (pmp_is_locked(env, i)) {
608                 val &= ~MSECCFG_RLB;
609                 break;
610             }
611         }
612     }
613 
614     if (riscv_cpu_cfg(env)->ext_smepmp) {
615         /* Sticky bits */
616         val |= (env->mseccfg & mask);
617         if ((val ^ env->mseccfg) & mask) {
618             tlb_flush(env_cpu(env));
619         }
620     } else {
621         mask |= MSECCFG_RLB;
622         val &= ~(mask);
623     }
624 
625     /* M-mode forward cfi to be enabled if cfi extension is implemented */
626     if (env_archcpu(env)->cfg.ext_zicfilp) {
627         val |= (val & MSECCFG_MLPE);
628     }
629 
630     env->mseccfg = val;
631 }
632 
633 /*
634  * Handle a read from a mseccfg CSR
635  */
636 target_ulong mseccfg_csr_read(CPURISCVState *env)
637 {
638     trace_mseccfg_csr_read(env->mhartid, env->mseccfg);
639     return env->mseccfg;
640 }
641 
642 /*
643  * Calculate the TLB size.
644  * It's possible that PMP regions only cover partial of the TLB page, and
645  * this may split the page into regions with different permissions.
646  * For example if PMP0 is (0x80000008~0x8000000F, R) and PMP1 is (0x80000000
647  * ~0x80000FFF, RWX), then region 0x80000008~0x8000000F has R permission, and
648  * the other regions in this page have RWX permissions.
649  * A write access to 0x80000000 will match PMP1. However we cannot cache the
650  * translation result in the TLB since this will make the write access to
651  * 0x80000008 bypass the check of PMP0.
652  * To avoid this we return a size of 1 (which means no caching) if the PMP
653  * region only covers partial of the TLB page.
654  */
655 target_ulong pmp_get_tlb_size(CPURISCVState *env, hwaddr addr)
656 {
657     hwaddr pmp_sa;
658     hwaddr pmp_ea;
659     hwaddr tlb_sa = addr & ~(TARGET_PAGE_SIZE - 1);
660     hwaddr tlb_ea = tlb_sa + TARGET_PAGE_SIZE - 1;
661     int i;
662 
663     /*
664      * If PMP is not supported or there are no PMP rules, the TLB page will not
665      * be split into regions with different permissions by PMP so we set the
666      * size to TARGET_PAGE_SIZE.
667      */
668     if (!riscv_cpu_cfg(env)->pmp || !pmp_get_num_rules(env)) {
669         return TARGET_PAGE_SIZE;
670     }
671 
672     for (i = 0; i < MAX_RISCV_PMPS; i++) {
673         if (pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg) == PMP_AMATCH_OFF) {
674             continue;
675         }
676 
677         pmp_sa = env->pmp_state.addr[i].sa;
678         pmp_ea = env->pmp_state.addr[i].ea;
679 
680         /*
681          * Only the first PMP entry that covers (whole or partial of) the TLB
682          * page really matters:
683          * If it covers the whole TLB page, set the size to TARGET_PAGE_SIZE,
684          * since the following PMP entries have lower priority and will not
685          * affect the permissions of the page.
686          * If it only covers partial of the TLB page, set the size to 1 since
687          * the allowed permissions of the region may be different from other
688          * region of the page.
689          */
690         if (pmp_sa <= tlb_sa && pmp_ea >= tlb_ea) {
691             return TARGET_PAGE_SIZE;
692         } else if ((pmp_sa >= tlb_sa && pmp_sa <= tlb_ea) ||
693                    (pmp_ea >= tlb_sa && pmp_ea <= tlb_ea)) {
694             return 1;
695         }
696     }
697 
698     /*
699      * If no PMP entry matches the TLB page, the TLB page will also not be
700      * split into regions with different permissions by PMP so we set the size
701      * to TARGET_PAGE_SIZE.
702      */
703     return TARGET_PAGE_SIZE;
704 }
705 
706 /*
707  * Convert PMP privilege to TLB page privilege.
708  */
709 int pmp_priv_to_page_prot(pmp_priv_t pmp_priv)
710 {
711     int prot = 0;
712 
713     if (pmp_priv & PMP_READ) {
714         prot |= PAGE_READ;
715     }
716     if (pmp_priv & PMP_WRITE) {
717         prot |= PAGE_WRITE;
718     }
719     if (pmp_priv & PMP_EXEC) {
720         prot |= PAGE_EXEC;
721     }
722 
723     return prot;
724 }
725