1 /* 2 * QEMU RISC-V PMP (Physical Memory Protection) 3 * 4 * Author: Daire McNamara, daire.mcnamara@emdalo.com 5 * Ivan Griffin, ivan.griffin@emdalo.com 6 * 7 * This provides a RISC-V Physical Memory Protection implementation 8 * 9 * This program is free software; you can redistribute it and/or modify it 10 * under the terms and conditions of the GNU General Public License, 11 * version 2 or later, as published by the Free Software Foundation. 12 * 13 * This program is distributed in the hope it will be useful, but WITHOUT 14 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 15 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 16 * more details. 17 * 18 * You should have received a copy of the GNU General Public License along with 19 * this program. If not, see <http://www.gnu.org/licenses/>. 20 */ 21 22 #include "qemu/osdep.h" 23 #include "qemu/log.h" 24 #include "qapi/error.h" 25 #include "cpu.h" 26 #include "trace.h" 27 #include "exec/exec-all.h" 28 29 static void pmp_write_cfg(CPURISCVState *env, uint32_t addr_index, 30 uint8_t val); 31 static uint8_t pmp_read_cfg(CPURISCVState *env, uint32_t addr_index); 32 static void pmp_update_rule(CPURISCVState *env, uint32_t pmp_index); 33 34 /* 35 * Accessor method to extract address matching type 'a field' from cfg reg 36 */ 37 static inline uint8_t pmp_get_a_field(uint8_t cfg) 38 { 39 uint8_t a = cfg >> 3; 40 return a & 0x3; 41 } 42 43 /* 44 * Check whether a PMP is locked or not. 45 */ 46 static inline int pmp_is_locked(CPURISCVState *env, uint32_t pmp_index) 47 { 48 49 if (env->pmp_state.pmp[pmp_index].cfg_reg & PMP_LOCK) { 50 return 1; 51 } 52 53 /* Top PMP has no 'next' to check */ 54 if ((pmp_index + 1u) >= MAX_RISCV_PMPS) { 55 return 0; 56 } 57 58 return 0; 59 } 60 61 /* 62 * Count the number of active rules. 63 */ 64 uint32_t pmp_get_num_rules(CPURISCVState *env) 65 { 66 return env->pmp_state.num_rules; 67 } 68 69 /* 70 * Accessor to get the cfg reg for a specific PMP/HART 71 */ 72 static inline uint8_t pmp_read_cfg(CPURISCVState *env, uint32_t pmp_index) 73 { 74 if (pmp_index < MAX_RISCV_PMPS) { 75 return env->pmp_state.pmp[pmp_index].cfg_reg; 76 } 77 78 return 0; 79 } 80 81 82 /* 83 * Accessor to set the cfg reg for a specific PMP/HART 84 * Bounds checks and relevant lock bit. 85 */ 86 static void pmp_write_cfg(CPURISCVState *env, uint32_t pmp_index, uint8_t val) 87 { 88 if (pmp_index < MAX_RISCV_PMPS) { 89 bool locked = true; 90 91 if (riscv_cpu_cfg(env)->epmp) { 92 /* mseccfg.RLB is set */ 93 if (MSECCFG_RLB_ISSET(env)) { 94 locked = false; 95 } 96 97 /* mseccfg.MML is not set */ 98 if (!MSECCFG_MML_ISSET(env) && !pmp_is_locked(env, pmp_index)) { 99 locked = false; 100 } 101 102 /* mseccfg.MML is set */ 103 if (MSECCFG_MML_ISSET(env)) { 104 /* not adding execute bit */ 105 if ((val & PMP_LOCK) != 0 && (val & PMP_EXEC) != PMP_EXEC) { 106 locked = false; 107 } 108 /* shared region and not adding X bit */ 109 if ((val & PMP_LOCK) != PMP_LOCK && 110 (val & 0x7) != (PMP_WRITE | PMP_EXEC)) { 111 locked = false; 112 } 113 } 114 } else { 115 if (!pmp_is_locked(env, pmp_index)) { 116 locked = false; 117 } 118 } 119 120 if (locked) { 121 qemu_log_mask(LOG_GUEST_ERROR, "ignoring pmpcfg write - locked\n"); 122 } else { 123 env->pmp_state.pmp[pmp_index].cfg_reg = val; 124 pmp_update_rule(env, pmp_index); 125 } 126 } else { 127 qemu_log_mask(LOG_GUEST_ERROR, 128 "ignoring pmpcfg write - out of bounds\n"); 129 } 130 } 131 132 static void pmp_decode_napot(target_ulong a, target_ulong *sa, 133 target_ulong *ea) 134 { 135 /* 136 * aaaa...aaa0 8-byte NAPOT range 137 * aaaa...aa01 16-byte NAPOT range 138 * aaaa...a011 32-byte NAPOT range 139 * ... 140 * aa01...1111 2^XLEN-byte NAPOT range 141 * a011...1111 2^(XLEN+1)-byte NAPOT range 142 * 0111...1111 2^(XLEN+2)-byte NAPOT range 143 * 1111...1111 Reserved 144 */ 145 a = (a << 2) | 0x3; 146 *sa = a & (a + 1); 147 *ea = a | (a + 1); 148 } 149 150 void pmp_update_rule_addr(CPURISCVState *env, uint32_t pmp_index) 151 { 152 uint8_t this_cfg = env->pmp_state.pmp[pmp_index].cfg_reg; 153 target_ulong this_addr = env->pmp_state.pmp[pmp_index].addr_reg; 154 target_ulong prev_addr = 0u; 155 target_ulong sa = 0u; 156 target_ulong ea = 0u; 157 158 if (pmp_index >= 1u) { 159 prev_addr = env->pmp_state.pmp[pmp_index - 1].addr_reg; 160 } 161 162 switch (pmp_get_a_field(this_cfg)) { 163 case PMP_AMATCH_OFF: 164 sa = 0u; 165 ea = -1; 166 break; 167 168 case PMP_AMATCH_TOR: 169 sa = prev_addr << 2; /* shift up from [xx:0] to [xx+2:2] */ 170 ea = (this_addr << 2) - 1u; 171 if (sa > ea) { 172 sa = ea = 0u; 173 } 174 break; 175 176 case PMP_AMATCH_NA4: 177 sa = this_addr << 2; /* shift up from [xx:0] to [xx+2:2] */ 178 ea = (sa + 4u) - 1u; 179 break; 180 181 case PMP_AMATCH_NAPOT: 182 pmp_decode_napot(this_addr, &sa, &ea); 183 break; 184 185 default: 186 sa = 0u; 187 ea = 0u; 188 break; 189 } 190 191 env->pmp_state.addr[pmp_index].sa = sa; 192 env->pmp_state.addr[pmp_index].ea = ea; 193 } 194 195 void pmp_update_rule_nums(CPURISCVState *env) 196 { 197 int i; 198 199 env->pmp_state.num_rules = 0; 200 for (i = 0; i < MAX_RISCV_PMPS; i++) { 201 const uint8_t a_field = 202 pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg); 203 if (PMP_AMATCH_OFF != a_field) { 204 env->pmp_state.num_rules++; 205 } 206 } 207 } 208 209 /* 210 * Convert cfg/addr reg values here into simple 'sa' --> start address and 'ea' 211 * end address values. 212 * This function is called relatively infrequently whereas the check that 213 * an address is within a pmp rule is called often, so optimise that one 214 */ 215 static void pmp_update_rule(CPURISCVState *env, uint32_t pmp_index) 216 { 217 pmp_update_rule_addr(env, pmp_index); 218 pmp_update_rule_nums(env); 219 } 220 221 static int pmp_is_in_range(CPURISCVState *env, int pmp_index, 222 target_ulong addr) 223 { 224 int result = 0; 225 226 if ((addr >= env->pmp_state.addr[pmp_index].sa) && 227 (addr <= env->pmp_state.addr[pmp_index].ea)) { 228 result = 1; 229 } else { 230 result = 0; 231 } 232 233 return result; 234 } 235 236 /* 237 * Check if the address has required RWX privs when no PMP entry is matched. 238 */ 239 static bool pmp_hart_has_privs_default(CPURISCVState *env, target_ulong addr, 240 target_ulong size, pmp_priv_t privs, 241 pmp_priv_t *allowed_privs, 242 target_ulong mode) 243 { 244 bool ret; 245 246 if (riscv_cpu_cfg(env)->epmp) { 247 if (MSECCFG_MMWP_ISSET(env)) { 248 /* 249 * The Machine Mode Whitelist Policy (mseccfg.MMWP) is set 250 * so we default to deny all, even for M-mode. 251 */ 252 *allowed_privs = 0; 253 return false; 254 } else if (MSECCFG_MML_ISSET(env)) { 255 /* 256 * The Machine Mode Lockdown (mseccfg.MML) bit is set 257 * so we can only execute code in M-mode with an applicable 258 * rule. Other modes are disabled. 259 */ 260 if (mode == PRV_M && !(privs & PMP_EXEC)) { 261 ret = true; 262 *allowed_privs = PMP_READ | PMP_WRITE; 263 } else { 264 ret = false; 265 *allowed_privs = 0; 266 } 267 268 return ret; 269 } 270 } 271 272 if (!riscv_cpu_cfg(env)->pmp || (mode == PRV_M)) { 273 /* 274 * Privileged spec v1.10 states if HW doesn't implement any PMP entry 275 * or no PMP entry matches an M-Mode access, the access succeeds. 276 */ 277 ret = true; 278 *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC; 279 } else { 280 /* 281 * Other modes are not allowed to succeed if they don't * match a rule, 282 * but there are rules. We've checked for no rule earlier in this 283 * function. 284 */ 285 ret = false; 286 *allowed_privs = 0; 287 } 288 289 return ret; 290 } 291 292 293 /* 294 * Public Interface 295 */ 296 297 /* 298 * Check if the address has required RWX privs to complete desired operation 299 * Return true if a pmp rule match or default match 300 * Return false if no match 301 */ 302 bool pmp_hart_has_privs(CPURISCVState *env, target_ulong addr, 303 target_ulong size, pmp_priv_t privs, 304 pmp_priv_t *allowed_privs, target_ulong mode) 305 { 306 int i = 0; 307 bool ret = false; 308 int pmp_size = 0; 309 target_ulong s = 0; 310 target_ulong e = 0; 311 312 /* Short cut if no rules */ 313 if (0 == pmp_get_num_rules(env)) { 314 return pmp_hart_has_privs_default(env, addr, size, privs, 315 allowed_privs, mode); 316 } 317 318 if (size == 0) { 319 if (riscv_cpu_cfg(env)->mmu) { 320 /* 321 * If size is unknown (0), assume that all bytes 322 * from addr to the end of the page will be accessed. 323 */ 324 pmp_size = -(addr | TARGET_PAGE_MASK); 325 } else { 326 pmp_size = sizeof(target_ulong); 327 } 328 } else { 329 pmp_size = size; 330 } 331 332 /* 333 * 1.10 draft priv spec states there is an implicit order 334 * from low to high 335 */ 336 for (i = 0; i < MAX_RISCV_PMPS; i++) { 337 s = pmp_is_in_range(env, i, addr); 338 e = pmp_is_in_range(env, i, addr + pmp_size - 1); 339 340 /* partially inside */ 341 if ((s + e) == 1) { 342 qemu_log_mask(LOG_GUEST_ERROR, 343 "pmp violation - access is partially inside\n"); 344 ret = false; 345 break; 346 } 347 348 /* fully inside */ 349 const uint8_t a_field = 350 pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg); 351 352 /* 353 * Convert the PMP permissions to match the truth table in the 354 * ePMP spec. 355 */ 356 const uint8_t epmp_operation = 357 ((env->pmp_state.pmp[i].cfg_reg & PMP_LOCK) >> 4) | 358 ((env->pmp_state.pmp[i].cfg_reg & PMP_READ) << 2) | 359 (env->pmp_state.pmp[i].cfg_reg & PMP_WRITE) | 360 ((env->pmp_state.pmp[i].cfg_reg & PMP_EXEC) >> 2); 361 362 if (((s + e) == 2) && (PMP_AMATCH_OFF != a_field)) { 363 /* 364 * If the PMP entry is not off and the address is in range, 365 * do the priv check 366 */ 367 if (!MSECCFG_MML_ISSET(env)) { 368 /* 369 * If mseccfg.MML Bit is not set, do pmp priv check 370 * This will always apply to regular PMP. 371 */ 372 *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC; 373 if ((mode != PRV_M) || pmp_is_locked(env, i)) { 374 *allowed_privs &= env->pmp_state.pmp[i].cfg_reg; 375 } 376 } else { 377 /* 378 * If mseccfg.MML Bit set, do the enhanced pmp priv check 379 */ 380 if (mode == PRV_M) { 381 switch (epmp_operation) { 382 case 0: 383 case 1: 384 case 4: 385 case 5: 386 case 6: 387 case 7: 388 case 8: 389 *allowed_privs = 0; 390 break; 391 case 2: 392 case 3: 393 case 14: 394 *allowed_privs = PMP_READ | PMP_WRITE; 395 break; 396 case 9: 397 case 10: 398 *allowed_privs = PMP_EXEC; 399 break; 400 case 11: 401 case 13: 402 *allowed_privs = PMP_READ | PMP_EXEC; 403 break; 404 case 12: 405 case 15: 406 *allowed_privs = PMP_READ; 407 break; 408 default: 409 g_assert_not_reached(); 410 } 411 } else { 412 switch (epmp_operation) { 413 case 0: 414 case 8: 415 case 9: 416 case 12: 417 case 13: 418 case 14: 419 *allowed_privs = 0; 420 break; 421 case 1: 422 case 10: 423 case 11: 424 *allowed_privs = PMP_EXEC; 425 break; 426 case 2: 427 case 4: 428 case 15: 429 *allowed_privs = PMP_READ; 430 break; 431 case 3: 432 case 6: 433 *allowed_privs = PMP_READ | PMP_WRITE; 434 break; 435 case 5: 436 *allowed_privs = PMP_READ | PMP_EXEC; 437 break; 438 case 7: 439 *allowed_privs = PMP_READ | PMP_WRITE | PMP_EXEC; 440 break; 441 default: 442 g_assert_not_reached(); 443 } 444 } 445 } 446 447 /* 448 * If matching address range was found, the protection bits 449 * defined with PMP must be used. We shouldn't fallback on 450 * finding default privileges. 451 */ 452 ret = true; 453 break; 454 } 455 } 456 457 /* No rule matched */ 458 if (!ret) { 459 ret = pmp_hart_has_privs_default(env, addr, size, privs, 460 allowed_privs, mode); 461 } 462 463 return ret; 464 } 465 466 /* 467 * Handle a write to a pmpcfg CSR 468 */ 469 void pmpcfg_csr_write(CPURISCVState *env, uint32_t reg_index, 470 target_ulong val) 471 { 472 int i; 473 uint8_t cfg_val; 474 int pmpcfg_nums = 2 << riscv_cpu_mxl(env); 475 476 trace_pmpcfg_csr_write(env->mhartid, reg_index, val); 477 478 for (i = 0; i < pmpcfg_nums; i++) { 479 cfg_val = (val >> 8 * i) & 0xff; 480 pmp_write_cfg(env, (reg_index * 4) + i, cfg_val); 481 } 482 483 /* If PMP permission of any addr has been changed, flush TLB pages. */ 484 tlb_flush(env_cpu(env)); 485 } 486 487 488 /* 489 * Handle a read from a pmpcfg CSR 490 */ 491 target_ulong pmpcfg_csr_read(CPURISCVState *env, uint32_t reg_index) 492 { 493 int i; 494 target_ulong cfg_val = 0; 495 target_ulong val = 0; 496 int pmpcfg_nums = 2 << riscv_cpu_mxl(env); 497 498 for (i = 0; i < pmpcfg_nums; i++) { 499 val = pmp_read_cfg(env, (reg_index * 4) + i); 500 cfg_val |= (val << (i * 8)); 501 } 502 trace_pmpcfg_csr_read(env->mhartid, reg_index, cfg_val); 503 504 return cfg_val; 505 } 506 507 508 /* 509 * Handle a write to a pmpaddr CSR 510 */ 511 void pmpaddr_csr_write(CPURISCVState *env, uint32_t addr_index, 512 target_ulong val) 513 { 514 trace_pmpaddr_csr_write(env->mhartid, addr_index, val); 515 516 if (addr_index < MAX_RISCV_PMPS) { 517 /* 518 * In TOR mode, need to check the lock bit of the next pmp 519 * (if there is a next). 520 */ 521 if (addr_index + 1 < MAX_RISCV_PMPS) { 522 uint8_t pmp_cfg = env->pmp_state.pmp[addr_index + 1].cfg_reg; 523 524 if (pmp_cfg & PMP_LOCK && 525 PMP_AMATCH_TOR == pmp_get_a_field(pmp_cfg)) { 526 qemu_log_mask(LOG_GUEST_ERROR, 527 "ignoring pmpaddr write - pmpcfg + 1 locked\n"); 528 return; 529 } 530 } 531 532 if (!pmp_is_locked(env, addr_index)) { 533 env->pmp_state.pmp[addr_index].addr_reg = val; 534 pmp_update_rule(env, addr_index); 535 } else { 536 qemu_log_mask(LOG_GUEST_ERROR, 537 "ignoring pmpaddr write - locked\n"); 538 } 539 } else { 540 qemu_log_mask(LOG_GUEST_ERROR, 541 "ignoring pmpaddr write - out of bounds\n"); 542 } 543 } 544 545 546 /* 547 * Handle a read from a pmpaddr CSR 548 */ 549 target_ulong pmpaddr_csr_read(CPURISCVState *env, uint32_t addr_index) 550 { 551 target_ulong val = 0; 552 553 if (addr_index < MAX_RISCV_PMPS) { 554 val = env->pmp_state.pmp[addr_index].addr_reg; 555 trace_pmpaddr_csr_read(env->mhartid, addr_index, val); 556 } else { 557 qemu_log_mask(LOG_GUEST_ERROR, 558 "ignoring pmpaddr read - out of bounds\n"); 559 } 560 561 return val; 562 } 563 564 /* 565 * Handle a write to a mseccfg CSR 566 */ 567 void mseccfg_csr_write(CPURISCVState *env, target_ulong val) 568 { 569 int i; 570 571 trace_mseccfg_csr_write(env->mhartid, val); 572 573 /* RLB cannot be enabled if it's already 0 and if any regions are locked */ 574 if (!MSECCFG_RLB_ISSET(env)) { 575 for (i = 0; i < MAX_RISCV_PMPS; i++) { 576 if (pmp_is_locked(env, i)) { 577 val &= ~MSECCFG_RLB; 578 break; 579 } 580 } 581 } 582 583 /* Sticky bits */ 584 val |= (env->mseccfg & (MSECCFG_MMWP | MSECCFG_MML)); 585 586 env->mseccfg = val; 587 } 588 589 /* 590 * Handle a read from a mseccfg CSR 591 */ 592 target_ulong mseccfg_csr_read(CPURISCVState *env) 593 { 594 trace_mseccfg_csr_read(env->mhartid, env->mseccfg); 595 return env->mseccfg; 596 } 597 598 /* 599 * Calculate the TLB size. 600 * It's possible that PMP regions only cover partial of the TLB page, and 601 * this may split the page into regions with different permissions. 602 * For example if PMP0 is (0x80000008~0x8000000F, R) and PMP1 is (0x80000000 603 * ~0x80000FFF, RWX), then region 0x80000008~0x8000000F has R permission, and 604 * the other regions in this page have RWX permissions. 605 * A write access to 0x80000000 will match PMP1. However we cannot cache the 606 * translation result in the TLB since this will make the write access to 607 * 0x80000008 bypass the check of PMP0. 608 * To avoid this we return a size of 1 (which means no caching) if the PMP 609 * region only covers partial of the TLB page. 610 */ 611 target_ulong pmp_get_tlb_size(CPURISCVState *env, target_ulong addr) 612 { 613 target_ulong pmp_sa; 614 target_ulong pmp_ea; 615 target_ulong tlb_sa = addr & ~(TARGET_PAGE_SIZE - 1); 616 target_ulong tlb_ea = tlb_sa + TARGET_PAGE_SIZE - 1; 617 int i; 618 619 /* 620 * If PMP is not supported or there are no PMP rules, the TLB page will not 621 * be split into regions with different permissions by PMP so we set the 622 * size to TARGET_PAGE_SIZE. 623 */ 624 if (!riscv_cpu_cfg(env)->pmp || !pmp_get_num_rules(env)) { 625 return TARGET_PAGE_SIZE; 626 } 627 628 for (i = 0; i < MAX_RISCV_PMPS; i++) { 629 if (pmp_get_a_field(env->pmp_state.pmp[i].cfg_reg) == PMP_AMATCH_OFF) { 630 continue; 631 } 632 633 pmp_sa = env->pmp_state.addr[i].sa; 634 pmp_ea = env->pmp_state.addr[i].ea; 635 636 /* 637 * Only the first PMP entry that covers (whole or partial of) the TLB 638 * page really matters: 639 * If it covers the whole TLB page, set the size to TARGET_PAGE_SIZE, 640 * since the following PMP entries have lower priority and will not 641 * affect the permissions of the page. 642 * If it only covers partial of the TLB page, set the size to 1 since 643 * the allowed permissions of the region may be different from other 644 * region of the page. 645 */ 646 if (pmp_sa <= tlb_sa && pmp_ea >= tlb_ea) { 647 return TARGET_PAGE_SIZE; 648 } else if ((pmp_sa >= tlb_sa && pmp_sa <= tlb_ea) || 649 (pmp_ea >= tlb_sa && pmp_ea <= tlb_ea)) { 650 return 1; 651 } 652 } 653 654 /* 655 * If no PMP entry matches the TLB page, the TLB page will also not be 656 * split into regions with different permissions by PMP so we set the size 657 * to TARGET_PAGE_SIZE. 658 */ 659 return TARGET_PAGE_SIZE; 660 } 661 662 /* 663 * Convert PMP privilege to TLB page privilege. 664 */ 665 int pmp_priv_to_page_prot(pmp_priv_t pmp_priv) 666 { 667 int prot = 0; 668 669 if (pmp_priv & PMP_READ) { 670 prot |= PAGE_READ; 671 } 672 if (pmp_priv & PMP_WRITE) { 673 prot |= PAGE_WRITE; 674 } 675 if (pmp_priv & PMP_EXEC) { 676 prot |= PAGE_EXEC; 677 } 678 679 return prot; 680 } 681