2 * ARM AHB5 TrustZone Memory Protection Controller emulation
4 * Copyright (c) 2018 Linaro Limited
5 * Written by Peter Maydell
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 or
9 * (at your option) any later version.
12 #include "qemu/osdep.h"
14 #include "qemu/module.h"
15 #include "qapi/error.h"
17 #include "hw/sysbus.h"
18 #include "migration/vmstate.h"
19 #include "hw/registerfields.h"
21 #include "hw/misc/tz-mpc.h"
22 #include "hw/qdev-properties.h"
24 /* Our IOMMU has two IOMMU indexes, one for secure transactions and one for
25 * non-secure transactions.
33 /* Config registers */
35 FIELD(CTRL, SEC_RESP, 4, 1)
36 FIELD(CTRL, AUTOINC, 8, 1)
37 FIELD(CTRL, LOCKDOWN, 31, 1)
43 FIELD(INT_STAT, IRQ, 0, 1)
44 REG32(INT_CLEAR, 0x24)
45 FIELD(INT_CLEAR, IRQ, 0, 1)
47 FIELD(INT_EN, IRQ, 0, 1)
48 REG32(INT_INFO1, 0x2c)
49 REG32(INT_INFO2, 0x30)
50 FIELD(INT_INFO2, HMASTER, 0, 16)
51 FIELD(INT_INFO2, HNONSEC, 16, 1)
52 FIELD(INT_INFO2, CFG_NS, 17, 1)
54 FIELD(INT_SET, IRQ, 0, 1)
/* Identification register values, one byte per 32-bit ID register.
 * The register read handler indexes this table with
 * (offset - A_PIDR4) / 4, so entry 0 is the value returned for PIDR4.
 * The ID registers are the only part of the register bank that a
 * non-secure access is allowed to see.
 */
static const uint8_t tz_mpc_idregs[] = {
    0x04, 0x00, 0x00, 0x00,
    0x60, 0xb8, 0x1b, 0x00,
    0x0d, 0xf0, 0x05, 0xb1,
};
/* Drive the outbound IRQ line from the current interrupt state: the
 * line is asserted only while both int_stat and int_en are non-zero.
 */
static void tz_mpc_irq_update(TZMPC *s)
{
    bool raise = s->int_stat && s->int_en;

    qemu_set_irq(s->irq, raise);
}
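/* Propagate a change of one BLK_LUT word to the IOMMU notifiers.
 *
 * @s:      the MPC whose LUT changed
 * @lutidx: index of the LUT word that changed
 * @oldlut: previous value of that word
 * @newlut: new value of that word
 *
 * Each LUT bit covers one block of s->blocksize bytes. Blocks whose bit
 * is unchanged are skipped. For every changed block both IOMMU indexes
 * (secure and non-secure) are notified, first with an UNMAP and then
 * with a MAP that points at either the downstream or the blocked-I/O
 * address space.
 */
static void tz_mpc_iommu_notify(TZMPC *s, uint32_t lutidx,
                                uint32_t oldlut, uint32_t newlut)
{
    IOMMUTLBEvent event = {
        .entry = {
            .addr_mask = s->blocksize - 1,
        }
    };
    /* Bits set here are exactly the blocks whose cfg_ns state changed */
    uint32_t changed = oldlut ^ newlut;
    /* lutidx is only 32 bits wide: widen it before multiplying so that
     * the byte address is computed in hwaddr and cannot wrap at 32 bits
     * when the downstream region is large.
     */
    hwaddr addr = (hwaddr)lutidx * s->blocksize * 32;
    int i;

    for (i = 0; i < 32; i++, addr += s->blocksize) {
        /* 1U rather than 1: shifting a signed 1 into bit 31 is undefined
         * behaviour, and tz_mpc_cfg_ns() already uses the unsigned form.
         */
        uint32_t bit = 1U << i;
        bool block_is_ns;

        if (!(changed & bit)) {
            continue;
        }
        /* This changes the mappings for both the S and the NS space,
         * so we need to do four notifies: an UNMAP then a MAP for each.
         */
        block_is_ns = newlut & bit;

        trace_tz_mpc_iommu_notify(addr);
        event.entry.iova = addr;
        event.entry.translated_addr = addr;

        /* Drop the old mapping for both indexes before announcing the
         * new one, so that nothing keeps using a translation derived
         * from the old LUT value.
         */
        event.type = IOMMU_NOTIFIER_UNMAP;
        event.entry.perm = IOMMU_NONE;
        memory_region_notify_iommu(&s->upstream, IOMMU_IDX_S, event);
        memory_region_notify_iommu(&s->upstream, IOMMU_IDX_NS, event);

        event.type = IOMMU_NOTIFIER_MAP;
        event.entry.perm = IOMMU_RW;
        /* Secure index: a non-secure block is blocked, a secure one passes */
        if (block_is_ns) {
            event.entry.target_as = &s->blocked_io_as;
        } else {
            event.entry.target_as = &s->downstream_as;
        }
        memory_region_notify_iommu(&s->upstream, IOMMU_IDX_S, event);
        /* Non-secure index: the exact opposite of the secure index */
        if (block_is_ns) {
            event.entry.target_as = &s->downstream_as;
        } else {
            event.entry.target_as = &s->blocked_io_as;
        }
        memory_region_notify_iommu(&s->upstream, IOMMU_IDX_NS, event);
    }
}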
/* Advance BLK_IDX after a BLK_LUT access when the AUTOINC control bit
 * is set. Only full 32-bit accesses advance the index. The index wraps
 * at blk_max, so it always remains a valid index into blk_lut.
 */
static void tz_mpc_autoinc_idx(TZMPC *s, unsigned access_size)
{
    if (access_size != 4 || !(s->ctrl & R_CTRL_AUTOINC_MASK)) {
        return;
    }
    s->blk_idx++;
    s->blk_idx %= s->blk_max;
}
139 static MemTxResult tz_mpc_reg_read(void *opaque, hwaddr addr,
141 unsigned size, MemTxAttrs attrs)
143 TZMPC *s = TZ_MPC(opaque);
145 uint32_t offset = addr & ~0x3;
147 if (!attrs.secure && offset < A_PIDR4) {
148 /* NS accesses can only see the ID registers */
149 qemu_log_mask(LOG_GUEST_ERROR,
150 "TZ MPC register read: NS access to offset 0x%x\n",
164 /* We are never in "init in progress state", so this just indicates
165 * the block size. s->blocksize == (1 << BLK_CFG + 5), so
166 * BLK_CFG == ctz32(s->blocksize) - 5
168 r = ctz32(s->blocksize) - 5;
174 r = s->blk_lut[s->blk_idx];
175 tz_mpc_autoinc_idx(s, size);
201 r = tz_mpc_idregs[(offset - A_PIDR4) / 4];
205 qemu_log_mask(LOG_GUEST_ERROR,
206 "TZ MPC register read: write-only offset 0x%x\n",
211 qemu_log_mask(LOG_GUEST_ERROR,
212 "TZ MPC register read: bad offset 0x%x\n", offset);
218 /* None of our registers are read-sensitive (except BLK_LUT,
219 * which can special case the "size not 4" case), so just
220 * pull the right bytes out of the word read result.
222 r = extract32(r, (addr & 3) * 8, size * 8);
226 trace_tz_mpc_reg_read(addr, r, size);
231 static MemTxResult tz_mpc_reg_write(void *opaque, hwaddr addr,
233 unsigned size, MemTxAttrs attrs)
235 TZMPC *s = TZ_MPC(opaque);
236 uint32_t offset = addr & ~0x3;
238 trace_tz_mpc_reg_write(addr, value, size);
240 if (!attrs.secure && offset < A_PIDR4) {
241 /* NS accesses can only see the ID registers */
242 qemu_log_mask(LOG_GUEST_ERROR,
243 "TZ MPC register write: NS access to offset 0x%x\n",
249 /* Expand the byte or halfword write to a full word size.
250 * In most cases we can do this with zeroes; the exceptions
251 * are CTRL, BLK_IDX and BLK_LUT.
263 oldval = s->blk_lut[s->blk_idx];
269 value = deposit32(oldval, (addr & 3) * 8, size * 8, value);
272 if ((s->ctrl & R_CTRL_LOCKDOWN_MASK) &&
273 (offset == A_CTRL || offset == A_BLK_LUT || offset == A_INT_EN)) {
274 /* Lockdown mode makes these three registers read-only, and
275 * the only way out of it is to reset the device.
277 qemu_log_mask(LOG_GUEST_ERROR, "TZ MPC register write to offset 0x%x "
278 "while MPC is in lockdown mode\n", offset);
284 /* We don't implement the 'data gating' feature so all other bits
285 * are reserved and we make them RAZ/WI.
287 s->ctrl = value & (R_CTRL_SEC_RESP_MASK |
288 R_CTRL_AUTOINC_MASK |
289 R_CTRL_LOCKDOWN_MASK);
292 s->blk_idx = value % s->blk_max;
295 tz_mpc_iommu_notify(s, s->blk_idx, s->blk_lut[s->blk_idx], value);
296 s->blk_lut[s->blk_idx] = value;
297 tz_mpc_autoinc_idx(s, size);
300 if (value & R_INT_CLEAR_IRQ_MASK) {
302 tz_mpc_irq_update(s);
306 s->int_en = value & R_INT_EN_IRQ_MASK;
307 tz_mpc_irq_update(s);
310 if (value & R_INT_SET_IRQ_MASK) {
311 s->int_stat = R_INT_STAT_IRQ_MASK;
312 tz_mpc_irq_update(s);
327 qemu_log_mask(LOG_GUEST_ERROR,
328 "TZ MPC register write: read-only offset 0x%x\n", offset);
331 qemu_log_mask(LOG_GUEST_ERROR,
332 "TZ MPC register write: bad offset 0x%x\n", offset);
/* Access callbacks for the MPC configuration register bank.
 * Accesses of 1 to 4 bytes are valid and are handed to the callbacks at
 * their original size. The *_with_attrs callbacks receive the
 * transaction attributes, which the handlers use to tell secure from
 * non-secure accesses.
 */
static const MemoryRegionOps tz_mpc_reg_ops = {
    .read_with_attrs = tz_mpc_reg_read,
    .write_with_attrs = tz_mpc_reg_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
    .valid = {
        .min_access_size = 1,
        .max_access_size = 4,
    },
    .impl = {
        .min_access_size = 1,
        .max_access_size = 4,
    },
};
/* Return the cfg_ns bit from the LUT for the block containing @addr.
 * A set bit means only non-secure transactions may reach that block;
 * a clear bit means only secure transactions may.
 */
static inline bool tz_mpc_cfg_ns(TZMPC *s, hwaddr addr)
{
    hwaddr block = addr / s->blocksize;
    hwaddr word = block / 32;
    uint32_t mask = 1U << (block % 32);

    /* An out-of-range word would imply the address was larger than the
     * size we defined this memory region to be, so it can't happen.
     * Assert instead of reading past the end of blk_lut.
     */
    assert(word < s->blk_max);
    return (s->blk_lut[word] & mask) != 0;
}
363 static MemTxResult tz_mpc_handle_block(TZMPC *s, hwaddr addr, MemTxAttrs attrs)
365 /* Handle a blocked transaction: raise IRQ, capture info, etc */
367 /* First blocked transfer: capture information into INT_INFO1 and
368 * INT_INFO2. Subsequent transfers are still blocked but don't
369 * capture information until the guest clears the interrupt.
374 s->int_info2 = FIELD_DP32(s->int_info2, INT_INFO2, HMASTER,
375 attrs.requester_id & 0xffff);
376 s->int_info2 = FIELD_DP32(s->int_info2, INT_INFO2, HNONSEC,
378 s->int_info2 = FIELD_DP32(s->int_info2, INT_INFO2, CFG_NS,
379 tz_mpc_cfg_ns(s, addr));
380 s->int_stat |= R_INT_STAT_IRQ_MASK;
381 tz_mpc_irq_update(s);
384 /* Generate bus error if desired; otherwise RAZ/WI */
385 return (s->ctrl & R_CTRL_SEC_RESP_MASK) ? MEMTX_ERROR : MEMTX_OK;
388 /* Accesses only reach these read and write functions if the MPC is
389 * blocking them; non-blocked accesses go directly to the downstream
390 * memory region without passing through this code.
392 static MemTxResult tz_mpc_mem_blocked_read(void *opaque, hwaddr addr,
394 unsigned size, MemTxAttrs attrs)
396 TZMPC *s = TZ_MPC(opaque);
398 trace_tz_mpc_mem_blocked_read(addr, size, attrs.secure);
401 return tz_mpc_handle_block(s, addr, attrs);
404 static MemTxResult tz_mpc_mem_blocked_write(void *opaque, hwaddr addr,
406 unsigned size, MemTxAttrs attrs)
408 TZMPC *s = TZ_MPC(opaque);
410 trace_tz_mpc_mem_blocked_write(addr, value, size, attrs.secure);
412 return tz_mpc_handle_block(s, addr, attrs);
/* Access callbacks for the internal "blocked" region, which receives
 * only the transactions the MPC is blocking. Accesses of 1 to 8 bytes
 * are valid and are handed to the callbacks at their original size.
 */
static const MemoryRegionOps tz_mpc_mem_blocked_ops = {
    .read_with_attrs = tz_mpc_mem_blocked_read,
    .write_with_attrs = tz_mpc_mem_blocked_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
    .valid = {
        .min_access_size = 1,
        .max_access_size = 8,
    },
    .impl = {
        .min_access_size = 1,
        .max_access_size = 8,
    },
};
425 static IOMMUTLBEntry tz_mpc_translate(IOMMUMemoryRegion *iommu,
426 hwaddr addr, IOMMUAccessFlags flags,
429 TZMPC *s = TZ_MPC(container_of(iommu, TZMPC, upstream));
432 IOMMUTLBEntry ret = {
433 .iova = addr & ~(s->blocksize - 1),
434 .translated_addr = addr & ~(s->blocksize - 1),
435 .addr_mask = s->blocksize - 1,
439 /* Look at the per-block configuration for this address, and
440 * return a TLB entry directing the transaction at either
441 * downstream_as or blocked_io_as, as appropriate.
442 * If the LUT cfg_ns bit is 1, only non-secure transactions
443 * may pass. If the bit is 0, only secure transactions may pass.
445 ok = tz_mpc_cfg_ns(s, addr) == (iommu_idx == IOMMU_IDX_NS);
447 trace_tz_mpc_translate(addr, flags,
448 iommu_idx == IOMMU_IDX_S ? "S" : "NS",
449 ok ? "pass" : "block");
451 ret.target_as = ok ? &s->downstream_as : &s->blocked_io_as;
/* Select the IOMMU index (secure or non-secure) for a transaction.
 *
 * We treat unspecified attributes like secure. Transactions with
 * unspecified attributes come from places like rom_reset() for initial
 * image load, and we want those to pass through the from-reset
 * "everything is secure" config. All the real during-emulation
 * transactions from the CPU will specify attributes.
 *
 * NOTE(review): the consequence is that any initiator which leaves the
 * attributes unspecified gets the secure view through the MPC, so such
 * initiators need to stay limited to trusted internal paths.
 */
static int tz_mpc_attrs_to_index(IOMMUMemoryRegion *iommu, MemTxAttrs attrs)
{
    if (attrs.unspecified || attrs.secure) {
        return IOMMU_IDX_S;
    }
    return IOMMU_IDX_NS;
}
/* Report how many IOMMU indexes this region uses; the value is the
 * fixed IOMMU_NUM_INDEXES constant and does not depend on @iommu.
 */
static int tz_mpc_num_indexes(IOMMUMemoryRegion *iommu)
{
    int count = IOMMU_NUM_INDEXES;

    return count;
}
472 static void tz_mpc_reset(DeviceState *dev)
474 TZMPC *s = TZ_MPC(dev);
476 s->ctrl = 0x00000100;
483 memset(s->blk_lut, 0, s->blk_max * sizeof(uint32_t));
/* Instance init: create the single named outbound GPIO line "irq",
 * backed by s->irq.
 */
static void tz_mpc_init(Object *obj)
{
    TZMPC *s = TZ_MPC(obj);

    qdev_init_gpio_out_named(DEVICE(obj), &s->irq, "irq", 1);
}
494 static void tz_mpc_realize(DeviceState *dev, Error **errp)
496 Object *obj = OBJECT(dev);
497 SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
498 TZMPC *s = TZ_MPC(dev);
501 /* We can't create the upstream end of the port until realize,
502 * as we don't know the size of the MR used as the downstream until then.
503 * We insist on having a downstream, to avoid complicating the code
504 * with handling the "don't know how big this is" case. It's easy
505 * enough for the user to create an unimplemented_device as downstream
506 * if they have nothing else to plug into this.
508 if (!s->downstream) {
509 error_setg(errp, "MPC 'downstream' link not set");
513 size = memory_region_size(s->downstream);
515 memory_region_init_iommu(&s->upstream, sizeof(s->upstream),
516 TYPE_TZ_MPC_IOMMU_MEMORY_REGION,
517 obj, "tz-mpc-upstream", size);
519 /* In real hardware the block size is configurable. In QEMU we could
520 * make it configurable but will need it to be at least as big as the
521 * target page size so we can execute out of the resulting MRs. Guest
522 * software is supposed to check the block size using the BLK_CFG
523 * register, so make it fixed at the page size.
525 s->blocksize = memory_region_iommu_get_min_page_size(&s->upstream);
526 if (size % s->blocksize != 0) {
528 "MPC 'downstream' size %" PRId64
529 " is not a multiple of %" HWADDR_PRIx " bytes",
531 object_unref(OBJECT(&s->upstream));
535 /* BLK_MAX is the max value of BLK_IDX, which indexes an array of 32-bit
536 * words, each bit of which indicates one block.
538 s->blk_max = DIV_ROUND_UP(size / s->blocksize, 32);
540 memory_region_init_io(&s->regmr, obj, &tz_mpc_reg_ops,
541 s, "tz-mpc-regs", 0x1000);
542 sysbus_init_mmio(sbd, &s->regmr);
544 sysbus_init_mmio(sbd, MEMORY_REGION(&s->upstream));
546 /* This memory region is not exposed to users of this device as a
547 * sysbus MMIO region, but is instead used internally as something
548 * that our IOMMU translate function might direct accesses to.
550 memory_region_init_io(&s->blocked_io, obj, &tz_mpc_mem_blocked_ops,
551 s, "tz-mpc-blocked-io", size);
553 address_space_init(&s->downstream_as, s->downstream,
554 "tz-mpc-downstream");
555 address_space_init(&s->blocked_io_as, &s->blocked_io,
556 "tz-mpc-blocked-io");
558 s->blk_lut = g_new0(uint32_t, s->blk_max);
/* Validate device state after it has been loaded from a migration
 * stream. blk_idx comes from the incoming data and is used to index
 * blk_lut, so a value at or beyond blk_max must be rejected here
 * rather than trusted.
 *
 * Returns 0 if the loaded state is acceptable, -1 to fail the load.
 */
static int tz_mpc_post_load(void *opaque, int version_id)
{
    TZMPC *s = TZ_MPC(opaque);

    /* Check the incoming data doesn't point blk_idx off the end of blk_lut. */
    return (s->blk_idx < s->blk_max) ? 0 : -1;
}
572 static const VMStateDescription tz_mpc_vmstate = {
575 .minimum_version_id = 1,
576 .post_load = tz_mpc_post_load,
577 .fields = (VMStateField[]) {
578 VMSTATE_UINT32(ctrl, TZMPC),
579 VMSTATE_UINT32(blk_idx, TZMPC),
580 VMSTATE_UINT32(int_stat, TZMPC),
581 VMSTATE_UINT32(int_en, TZMPC),
582 VMSTATE_UINT32(int_info1, TZMPC),
583 VMSTATE_UINT32(int_info2, TZMPC),
584 VMSTATE_VARRAY_UINT32(blk_lut, TZMPC, blk_max,
585 0, vmstate_info_uint32, uint32_t),
586 VMSTATE_END_OF_LIST()
/* Device properties. "downstream" is a link to the memory region that
 * sits behind the MPC; realize reports an error if it has not been set.
 */
static Property tz_mpc_properties[] = {
    DEFINE_PROP_LINK("downstream", TZMPC, downstream,
                     TYPE_MEMORY_REGION, MemoryRegion *),
    DEFINE_PROP_END_OF_LIST(),
};
/* Class init for the MPC device: install the property list and the
 * reset, migration-state and realize hooks on the device class.
 */
static void tz_mpc_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *dev_class = DEVICE_CLASS(klass);

    device_class_set_props(dev_class, tz_mpc_properties);
    dev_class->reset = tz_mpc_reset;
    dev_class->vmsd = &tz_mpc_vmstate;
    dev_class->realize = tz_mpc_realize;
}
606 static const TypeInfo tz_mpc_info = {
608 .parent = TYPE_SYS_BUS_DEVICE,
609 .instance_size = sizeof(TZMPC),
610 .instance_init = tz_mpc_init,
611 .class_init = tz_mpc_class_init,
/* Class init for the MPC's IOMMU memory region type: hook up the
 * translate callback and the two callbacks that describe its IOMMU
 * indexes (attribute-to-index mapping and index count).
 */
static void tz_mpc_iommu_memory_region_class_init(ObjectClass *klass,
                                                  void *data)
{
    IOMMUMemoryRegionClass *iommu_class = IOMMU_MEMORY_REGION_CLASS(klass);

    iommu_class->num_indexes = tz_mpc_num_indexes;
    iommu_class->attrs_to_index = tz_mpc_attrs_to_index;
    iommu_class->translate = tz_mpc_translate;
}
/* QOM type description for the IOMMU memory region used as the
 * upstream end of the MPC.
 */
static const TypeInfo tz_mpc_iommu_memory_region_info = {
    .class_init = tz_mpc_iommu_memory_region_class_init,
    .parent = TYPE_IOMMU_MEMORY_REGION,
    .name = TYPE_TZ_MPC_IOMMU_MEMORY_REGION,
};
/* Register both QOM types defined in this file: the MPC device itself
 * and its IOMMU memory region type.
 */
static void tz_mpc_register_types(void)
{
    static const TypeInfo *const mpc_types[] = {
        &tz_mpc_info,
        &tz_mpc_iommu_memory_region_info,
    };
    size_t n;

    for (n = 0; n < sizeof(mpc_types) / sizeof(mpc_types[0]); n++) {
        type_register_static(mpc_types[n]);
    }
}

type_init(tz_mpc_register_types);