1 /*
2 * QEMU ARM CPU -- internal functions and types
3 *
4 * Copyright (c) 2014 Linaro Ltd
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 2
9 * of the License, or (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see
18 * <http://www.gnu.org/licenses/gpl-2.0.html>
19 *
20 * This header defines functions, types, etc which need to be shared
21 * between different source files within target/arm/ but which are
22 * private to it and not required by the rest of QEMU.
23 */
24
25 #ifndef TARGET_ARM_INTERNALS_H
26 #define TARGET_ARM_INTERNALS_H
27
28 #include "exec/breakpoint.h"
29 #include "hw/registerfields.h"
30 #include "tcg/tcg-gvec-desc.h"
31 #include "syndrome.h"
32 #include "cpu-features.h"
33
34 /* register banks for CPU modes */
35 #define BANK_USRSYS 0
36 #define BANK_SVC 1
37 #define BANK_ABT 2
38 #define BANK_UND 3
39 #define BANK_IRQ 4
40 #define BANK_FIQ 5
41 #define BANK_HYP 6
42 #define BANK_MON 7
43
arm_env_mmu_index(CPUARMState * env)44 static inline int arm_env_mmu_index(CPUARMState *env)
45 {
46 return EX_TBFLAG_ANY(env->hflags, MMUIDX);
47 }
48
excp_is_internal(int excp)49 static inline bool excp_is_internal(int excp)
50 {
51 /* Return true if this exception number represents a QEMU-internal
52 * exception that will not be passed to the guest.
53 */
54 return excp == EXCP_INTERRUPT
55 || excp == EXCP_HLT
56 || excp == EXCP_DEBUG
57 || excp == EXCP_HALTED
58 || excp == EXCP_EXCEPTION_EXIT
59 || excp == EXCP_KERNEL_TRAP
60 || excp == EXCP_SEMIHOST;
61 }
62
63 /*
64 * Default frequency for the generic timer, in Hz.
65 * ARMv8.6 and later CPUs architecturally must use a 1GHz timer; before
66 * that it was an IMPDEF choice, and QEMU initially picked 62.5MHz,
67 * which gives a 16ns tick period.
68 *
69 * We will use the back-compat value:
70 * - for QEMU CPU types added before we standardized on 1GHz
71 * - for versioned machine types with a version of 9.0 or earlier
72 * In any case, the machine model may override via the cntfrq property.
73 */
74 #define GTIMER_DEFAULT_HZ 1000000000
75 #define GTIMER_BACKCOMPAT_HZ 62500000
76
77 /* Bit definitions for the v7M CONTROL register */
78 FIELD(V7M_CONTROL, NPRIV, 0, 1)
79 FIELD(V7M_CONTROL, SPSEL, 1, 1)
80 FIELD(V7M_CONTROL, FPCA, 2, 1)
81 FIELD(V7M_CONTROL, SFPA, 3, 1)
82
83 /* Bit definitions for v7M exception return payload */
84 FIELD(V7M_EXCRET, ES, 0, 1)
85 FIELD(V7M_EXCRET, RES0, 1, 1)
86 FIELD(V7M_EXCRET, SPSEL, 2, 1)
87 FIELD(V7M_EXCRET, MODE, 3, 1)
88 FIELD(V7M_EXCRET, FTYPE, 4, 1)
89 FIELD(V7M_EXCRET, DCRS, 5, 1)
90 FIELD(V7M_EXCRET, S, 6, 1)
91 FIELD(V7M_EXCRET, RES1, 7, 25) /* including the must-be-1 prefix */
92
93 /* Minimum value which is a magic number for exception return */
94 #define EXC_RETURN_MIN_MAGIC 0xff000000
95 /* Minimum number which is a magic number for function or exception return
96 * when using v8M security extension
97 */
98 #define FNC_RETURN_MIN_MAGIC 0xfefffffe
99
100 /* Bit definitions for DBGWCRn and DBGWCRn_EL1 */
101 FIELD(DBGWCR, E, 0, 1)
102 FIELD(DBGWCR, PAC, 1, 2)
103 FIELD(DBGWCR, LSC, 3, 2)
104 FIELD(DBGWCR, BAS, 5, 8)
105 FIELD(DBGWCR, HMC, 13, 1)
106 FIELD(DBGWCR, SSC, 14, 2)
107 FIELD(DBGWCR, LBN, 16, 4)
108 FIELD(DBGWCR, WT, 20, 1)
109 FIELD(DBGWCR, MASK, 24, 5)
110 FIELD(DBGWCR, SSCE, 29, 1)
111
112 #define VTCR_NSW (1u << 29)
113 #define VTCR_NSA (1u << 30)
114 #define VSTCR_SW VTCR_NSW
115 #define VSTCR_SA VTCR_NSA
116
117 /* Bit definitions for CPACR (AArch32 only) */
118 FIELD(CPACR, CP10, 20, 2)
119 FIELD(CPACR, CP11, 22, 2)
120 FIELD(CPACR, TRCDIS, 28, 1) /* matches CPACR_EL1.TTA */
121 FIELD(CPACR, D32DIS, 30, 1) /* up to v7; RAZ in v8 */
122 FIELD(CPACR, ASEDIS, 31, 1)
123
124 /* Bit definitions for CPACR_EL1 (AArch64 only) */
125 FIELD(CPACR_EL1, ZEN, 16, 2)
126 FIELD(CPACR_EL1, FPEN, 20, 2)
127 FIELD(CPACR_EL1, SMEN, 24, 2)
128 FIELD(CPACR_EL1, TTA, 28, 1) /* matches CPACR.TRCDIS */
129
130 /* Bit definitions for HCPTR (AArch32 only) */
131 FIELD(HCPTR, TCP10, 10, 1)
132 FIELD(HCPTR, TCP11, 11, 1)
133 FIELD(HCPTR, TASE, 15, 1)
134 FIELD(HCPTR, TTA, 20, 1)
135 FIELD(HCPTR, TAM, 30, 1) /* matches CPTR_EL2.TAM */
136 FIELD(HCPTR, TCPAC, 31, 1) /* matches CPTR_EL2.TCPAC */
137
138 /* Bit definitions for CPTR_EL2 (AArch64 only) */
139 FIELD(CPTR_EL2, TZ, 8, 1) /* !E2H */
140 FIELD(CPTR_EL2, TFP, 10, 1) /* !E2H, matches HCPTR.TCP10 */
141 FIELD(CPTR_EL2, TSM, 12, 1) /* !E2H */
142 FIELD(CPTR_EL2, ZEN, 16, 2) /* E2H */
143 FIELD(CPTR_EL2, FPEN, 20, 2) /* E2H */
144 FIELD(CPTR_EL2, SMEN, 24, 2) /* E2H */
145 FIELD(CPTR_EL2, TTA, 28, 1)
146 FIELD(CPTR_EL2, TAM, 30, 1) /* matches HCPTR.TAM */
147 FIELD(CPTR_EL2, TCPAC, 31, 1) /* matches HCPTR.TCPAC */
148
149 /* Bit definitions for CPTR_EL3 (AArch64 only) */
150 FIELD(CPTR_EL3, EZ, 8, 1)
151 FIELD(CPTR_EL3, TFP, 10, 1)
152 FIELD(CPTR_EL3, ESM, 12, 1)
153 FIELD(CPTR_EL3, TTA, 20, 1)
154 FIELD(CPTR_EL3, TAM, 30, 1)
155 FIELD(CPTR_EL3, TCPAC, 31, 1)
156
157 #define MDCR_MTPME (1U << 28)
158 #define MDCR_TDCC (1U << 27)
159 #define MDCR_HLP (1U << 26) /* MDCR_EL2 */
160 #define MDCR_SCCD (1U << 23) /* MDCR_EL3 */
161 #define MDCR_HCCD (1U << 23) /* MDCR_EL2 */
162 #define MDCR_EPMAD (1U << 21)
163 #define MDCR_EDAD (1U << 20)
164 #define MDCR_TTRF (1U << 19)
165 #define MDCR_STE (1U << 18) /* MDCR_EL3 */
166 #define MDCR_SPME (1U << 17) /* MDCR_EL3 */
167 #define MDCR_HPMD (1U << 17) /* MDCR_EL2 */
168 #define MDCR_SDD (1U << 16)
169 #define MDCR_SPD (3U << 14)
170 #define MDCR_TDRA (1U << 11)
171 #define MDCR_TDOSA (1U << 10)
172 #define MDCR_TDA (1U << 9)
173 #define MDCR_TDE (1U << 8)
174 #define MDCR_HPME (1U << 7)
175 #define MDCR_TPM (1U << 6)
176 #define MDCR_TPMCR (1U << 5)
177 #define MDCR_HPMN (0x1fU)
178
179 /* Not all of the MDCR_EL3 bits are present in the 32-bit SDCR */
180 #define SDCR_VALID_MASK (MDCR_MTPME | MDCR_TDCC | MDCR_SCCD | \
181 MDCR_EPMAD | MDCR_EDAD | MDCR_TTRF | \
182 MDCR_STE | MDCR_SPME | MDCR_SPD)
183
184 #define TTBCR_N (7U << 0) /* TTBCR.EAE==0 */
185 #define TTBCR_T0SZ (7U << 0) /* TTBCR.EAE==1 */
186 #define TTBCR_PD0 (1U << 4)
187 #define TTBCR_PD1 (1U << 5)
188 #define TTBCR_EPD0 (1U << 7)
189 #define TTBCR_IRGN0 (3U << 8)
190 #define TTBCR_ORGN0 (3U << 10)
191 #define TTBCR_SH0 (3U << 12)
192 #define TTBCR_T1SZ (3U << 16)
193 #define TTBCR_A1 (1U << 22)
194 #define TTBCR_EPD1 (1U << 23)
195 #define TTBCR_IRGN1 (3U << 24)
196 #define TTBCR_ORGN1 (3U << 26)
197 #define TTBCR_SH1 (1U << 28)
198 #define TTBCR_EAE (1U << 31)
199
200 FIELD(VTCR, T0SZ, 0, 6)
201 FIELD(VTCR, SL0, 6, 2)
202 FIELD(VTCR, IRGN0, 8, 2)
203 FIELD(VTCR, ORGN0, 10, 2)
204 FIELD(VTCR, SH0, 12, 2)
205 FIELD(VTCR, TG0, 14, 2)
206 FIELD(VTCR, PS, 16, 3)
207 FIELD(VTCR, VS, 19, 1)
208 FIELD(VTCR, HA, 21, 1)
209 FIELD(VTCR, HD, 22, 1)
210 FIELD(VTCR, HWU59, 25, 1)
211 FIELD(VTCR, HWU60, 26, 1)
212 FIELD(VTCR, HWU61, 27, 1)
213 FIELD(VTCR, HWU62, 28, 1)
214 FIELD(VTCR, NSW, 29, 1)
215 FIELD(VTCR, NSA, 30, 1)
216 FIELD(VTCR, DS, 32, 1)
217 FIELD(VTCR, SL2, 33, 1)
218
219 #define HCRX_ENAS0 (1ULL << 0)
220 #define HCRX_ENALS (1ULL << 1)
221 #define HCRX_ENASR (1ULL << 2)
222 #define HCRX_FNXS (1ULL << 3)
223 #define HCRX_FGTNXS (1ULL << 4)
224 #define HCRX_SMPME (1ULL << 5)
225 #define HCRX_TALLINT (1ULL << 6)
226 #define HCRX_VINMI (1ULL << 7)
227 #define HCRX_VFNMI (1ULL << 8)
228 #define HCRX_CMOW (1ULL << 9)
229 #define HCRX_MCE2 (1ULL << 10)
230 #define HCRX_MSCEN (1ULL << 11)
231
232 #define HPFAR_NS (1ULL << 63)
233
234 #define HSTR_TTEE (1 << 16)
235 #define HSTR_TJDBX (1 << 17)
236
237 /*
238 * Depending on the value of HCR_EL2.E2H, bits 0 and 1
239 * have different bit definitions, and EL1PCTEN might be
240 * bit 0 or bit 10. We use _E2H1 and _E2H0 suffixes to
241 * disambiguate if necessary.
242 */
243 FIELD(CNTHCTL, EL0PCTEN_E2H1, 0, 1)
244 FIELD(CNTHCTL, EL0VCTEN_E2H1, 1, 1)
245 FIELD(CNTHCTL, EL1PCTEN_E2H0, 0, 1)
246 FIELD(CNTHCTL, EL1PCEN_E2H0, 1, 1)
247 FIELD(CNTHCTL, EVNTEN, 2, 1)
248 FIELD(CNTHCTL, EVNTDIR, 3, 1)
249 FIELD(CNTHCTL, EVNTI, 4, 4)
250 FIELD(CNTHCTL, EL0VTEN, 8, 1)
251 FIELD(CNTHCTL, EL0PTEN, 9, 1)
252 FIELD(CNTHCTL, EL1PCTEN_E2H1, 10, 1)
253 FIELD(CNTHCTL, EL1PTEN, 11, 1)
254 FIELD(CNTHCTL, ECV, 12, 1)
255 FIELD(CNTHCTL, EL1TVT, 13, 1)
256 FIELD(CNTHCTL, EL1TVCT, 14, 1)
257 FIELD(CNTHCTL, EL1NVPCT, 15, 1)
258 FIELD(CNTHCTL, EL1NVVCT, 16, 1)
259 FIELD(CNTHCTL, EVNTIS, 17, 1)
260 FIELD(CNTHCTL, CNTVMASK, 18, 1)
261 FIELD(CNTHCTL, CNTPMASK, 19, 1)
262
263 /* We use a few fake FSR values for internal purposes in M profile.
264 * M profile cores don't have A/R format FSRs, but currently our
265 * get_phys_addr() code assumes A/R profile and reports failures via
266 * an A/R format FSR value. We then translate that into the proper
267 * M profile exception and FSR status bit in arm_v7m_cpu_do_interrupt().
268 * Mostly the FSR values we use for this are those defined for v7PMSA,
269 * since we share some of that codepath. A few kinds of fault are
270 * only for M profile and have no A/R equivalent, though, so we have
271 * to pick a value from the reserved range (which we never otherwise
272 * generate) to use for these.
273 * These values will never be visible to the guest.
274 */
275 #define M_FAKE_FSR_NSC_EXEC 0xf /* NS executing in S&NSC memory */
276 #define M_FAKE_FSR_SFAULT 0xe /* SecureFault INVTRAN, INVEP or AUVIOL */
277
278 /**
279 * raise_exception: Raise the specified exception.
280 * Raise a guest exception with the specified value, syndrome register
281 * and target exception level. This should be called from helper functions,
282 * and never returns because we will longjump back up to the CPU main loop.
283 */
284 G_NORETURN void raise_exception(CPUARMState *env, uint32_t excp,
285 uint32_t syndrome, uint32_t target_el);
286
287 /*
288 * Similarly, but also use unwinding to restore cpu state.
289 */
290 G_NORETURN void raise_exception_ra(CPUARMState *env, uint32_t excp,
291 uint32_t syndrome, uint32_t target_el,
292 uintptr_t ra);
293
294 /*
295 * For AArch64, map a given EL to an index in the banked_spsr array.
296 * Note that this mapping and the AArch32 mapping defined in bank_number()
297 * must agree such that the AArch64<->AArch32 SPSRs have the architecturally
298 * mandated mapping between each other.
299 */
aarch64_banked_spsr_index(unsigned int el)300 static inline unsigned int aarch64_banked_spsr_index(unsigned int el)
301 {
302 static const unsigned int map[4] = {
303 [1] = BANK_SVC, /* EL1. */
304 [2] = BANK_HYP, /* EL2. */
305 [3] = BANK_MON, /* EL3. */
306 };
307 assert(el >= 1 && el <= 3);
308 return map[el];
309 }
310
311 /* Map CPU modes onto saved register banks. */
bank_number(int mode)312 static inline int bank_number(int mode)
313 {
314 switch (mode) {
315 case ARM_CPU_MODE_USR:
316 case ARM_CPU_MODE_SYS:
317 return BANK_USRSYS;
318 case ARM_CPU_MODE_SVC:
319 return BANK_SVC;
320 case ARM_CPU_MODE_ABT:
321 return BANK_ABT;
322 case ARM_CPU_MODE_UND:
323 return BANK_UND;
324 case ARM_CPU_MODE_IRQ:
325 return BANK_IRQ;
326 case ARM_CPU_MODE_FIQ:
327 return BANK_FIQ;
328 case ARM_CPU_MODE_HYP:
329 return BANK_HYP;
330 case ARM_CPU_MODE_MON:
331 return BANK_MON;
332 }
333 g_assert_not_reached();
334 }
335
336 /**
337 * r14_bank_number: Map CPU mode onto register bank for r14
338 *
339 * Given an AArch32 CPU mode, return the index into the saved register
340 * banks to use for the R14 (LR) in that mode. This is the same as
341 * bank_number(), except for the special case of Hyp mode, where
342 * R14 is shared with USR and SYS, unlike its R13 and SPSR.
343 * This should be used as the index into env->banked_r14[], and
344 * bank_number() used for the index into env->banked_r13[] and
345 * env->banked_spsr[].
346 */
r14_bank_number(int mode)347 static inline int r14_bank_number(int mode)
348 {
349 return (mode == ARM_CPU_MODE_HYP) ? BANK_USRSYS : bank_number(mode);
350 }
351
352 void arm_cpu_register(const ARMCPUInfo *info);
353 void aarch64_cpu_register(const ARMCPUInfo *info);
354
355 void register_cp_regs_for_features(ARMCPU *cpu);
356 void init_cpreg_list(ARMCPU *cpu);
357
358 void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu);
359 void arm_translate_init(void);
360
361 void arm_restore_state_to_opc(CPUState *cs,
362 const TranslationBlock *tb,
363 const uint64_t *data);
364
365 #ifdef CONFIG_TCG
366 void arm_cpu_synchronize_from_tb(CPUState *cs, const TranslationBlock *tb);
367 #endif /* CONFIG_TCG */
368
369 typedef enum ARMFPRounding {
370 FPROUNDING_TIEEVEN,
371 FPROUNDING_POSINF,
372 FPROUNDING_NEGINF,
373 FPROUNDING_ZERO,
374 FPROUNDING_TIEAWAY,
375 FPROUNDING_ODD
376 } ARMFPRounding;
377
378 extern const FloatRoundMode arm_rmode_to_sf_map[6];
379
arm_rmode_to_sf(ARMFPRounding rmode)380 static inline FloatRoundMode arm_rmode_to_sf(ARMFPRounding rmode)
381 {
382 assert((unsigned)rmode < ARRAY_SIZE(arm_rmode_to_sf_map));
383 return arm_rmode_to_sf_map[rmode];
384 }
385
aarch64_save_sp(CPUARMState * env,int el)386 static inline void aarch64_save_sp(CPUARMState *env, int el)
387 {
388 if (env->pstate & PSTATE_SP) {
389 env->sp_el[el] = env->xregs[31];
390 } else {
391 env->sp_el[0] = env->xregs[31];
392 }
393 }
394
aarch64_restore_sp(CPUARMState * env,int el)395 static inline void aarch64_restore_sp(CPUARMState *env, int el)
396 {
397 if (env->pstate & PSTATE_SP) {
398 env->xregs[31] = env->sp_el[el];
399 } else {
400 env->xregs[31] = env->sp_el[0];
401 }
402 }
403
update_spsel(CPUARMState * env,uint32_t imm)404 static inline void update_spsel(CPUARMState *env, uint32_t imm)
405 {
406 unsigned int cur_el = arm_current_el(env);
407 /* Update PSTATE SPSel bit; this requires us to update the
408 * working stack pointer in xregs[31].
409 */
410 if (!((imm ^ env->pstate) & PSTATE_SP)) {
411 return;
412 }
413 aarch64_save_sp(env, cur_el);
414 env->pstate = deposit32(env->pstate, 0, 1, imm);
415
416 /* We rely on illegal updates to SPsel from EL0 to get trapped
417 * at translation time.
418 */
419 assert(cur_el >= 1 && cur_el <= 3);
420 aarch64_restore_sp(env, cur_el);
421 }
422
423 /*
424 * arm_pamax
425 * @cpu: ARMCPU
426 *
427 * Returns the implementation defined bit-width of physical addresses.
428 * The ARMv8 reference manuals refer to this as PAMax().
429 */
430 unsigned int arm_pamax(ARMCPU *cpu);
431
432 /* Return true if extended addresses are enabled.
433 * This is always the case if our translation regime is 64 bit,
434 * but depends on TTBCR.EAE for 32 bit.
435 */
extended_addresses_enabled(CPUARMState * env)436 static inline bool extended_addresses_enabled(CPUARMState *env)
437 {
438 uint64_t tcr = env->cp15.tcr_el[arm_is_secure(env) ? 3 : 1];
439 if (arm_feature(env, ARM_FEATURE_PMSA) &&
440 arm_feature(env, ARM_FEATURE_V8)) {
441 return true;
442 }
443 return arm_el_is_aa64(env, 1) ||
444 (arm_feature(env, ARM_FEATURE_LPAE) && (tcr & TTBCR_EAE));
445 }
446
447 /* Update a QEMU watchpoint based on the information the guest has set in the
448 * DBGWCR<n>_EL1 and DBGWVR<n>_EL1 registers.
449 */
450 void hw_watchpoint_update(ARMCPU *cpu, int n);
451 /* Update the QEMU watchpoints for every guest watchpoint. This does a
452 * complete delete-and-reinstate of the QEMU watchpoint list and so is
453 * suitable for use after migration or on reset.
454 */
455 void hw_watchpoint_update_all(ARMCPU *cpu);
456 /* Update a QEMU breakpoint based on the information the guest has set in the
457 * DBGBCR<n>_EL1 and DBGBVR<n>_EL1 registers.
458 */
459 void hw_breakpoint_update(ARMCPU *cpu, int n);
460 /* Update the QEMU breakpoints for every guest breakpoint. This does a
461 * complete delete-and-reinstate of the QEMU breakpoint list and so is
462 * suitable for use after migration or on reset.
463 */
464 void hw_breakpoint_update_all(ARMCPU *cpu);
465
466 /* Callback function for checking if a breakpoint should trigger. */
467 bool arm_debug_check_breakpoint(CPUState *cs);
468
469 /* Callback function for checking if a watchpoint should trigger. */
470 bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp);
471
472 /* Adjust addresses (in BE32 mode) before testing against watchpoint
473 * addresses.
474 */
475 vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len);
476
477 /* Callback function for when a watchpoint or breakpoint triggers. */
478 void arm_debug_excp_handler(CPUState *cs);
479
480 #if defined(CONFIG_USER_ONLY) || !defined(CONFIG_TCG)
arm_is_psci_call(ARMCPU * cpu,int excp_type)481 static inline bool arm_is_psci_call(ARMCPU *cpu, int excp_type)
482 {
483 return false;
484 }
arm_handle_psci_call(ARMCPU * cpu)485 static inline void arm_handle_psci_call(ARMCPU *cpu)
486 {
487 g_assert_not_reached();
488 }
489 #else
490 /* Return true if the r0/x0 value indicates that this SMC/HVC is a PSCI call. */
491 bool arm_is_psci_call(ARMCPU *cpu, int excp_type);
492 /* Actually handle a PSCI call */
493 void arm_handle_psci_call(ARMCPU *cpu);
494 #endif
495
496 /**
497 * arm_clear_exclusive: clear the exclusive monitor
498 * @env: CPU env
499 * Clear the CPU's exclusive monitor, like the guest CLREX instruction.
500 */
arm_clear_exclusive(CPUARMState * env)501 static inline void arm_clear_exclusive(CPUARMState *env)
502 {
503 env->exclusive_addr = -1;
504 }
505
506 /**
507 * ARMFaultType: type of an ARM MMU fault
508 * This corresponds to the v8A pseudocode's Fault enumeration,
509 * with extensions for QEMU internal conditions.
510 */
511 typedef enum ARMFaultType {
512 ARMFault_None,
513 ARMFault_AccessFlag,
514 ARMFault_Alignment,
515 ARMFault_Background,
516 ARMFault_Domain,
517 ARMFault_Permission,
518 ARMFault_Translation,
519 ARMFault_AddressSize,
520 ARMFault_SyncExternal,
521 ARMFault_SyncExternalOnWalk,
522 ARMFault_SyncParity,
523 ARMFault_SyncParityOnWalk,
524 ARMFault_AsyncParity,
525 ARMFault_AsyncExternal,
526 ARMFault_Debug,
527 ARMFault_TLBConflict,
528 ARMFault_UnsuppAtomicUpdate,
529 ARMFault_Lockdown,
530 ARMFault_Exclusive,
531 ARMFault_ICacheMaint,
532 ARMFault_QEMU_NSCExec, /* v8M: NS executing in S&NSC memory */
533 ARMFault_QEMU_SFault, /* v8M: SecureFault INVTRAN, INVEP or AUVIOL */
534 ARMFault_GPCFOnWalk,
535 ARMFault_GPCFOnOutput,
536 } ARMFaultType;
537
538 typedef enum ARMGPCF {
539 GPCF_None,
540 GPCF_AddressSize,
541 GPCF_Walk,
542 GPCF_EABT,
543 GPCF_Fail,
544 } ARMGPCF;
545
546 /**
547 * ARMMMUFaultInfo: Information describing an ARM MMU Fault
548 * @type: Type of fault
549 * @gpcf: Subtype of ARMFault_GPCFOn{Walk,Output}.
550 * @level: Table walk level (for translation, access flag and permission faults)
551 * @domain: Domain of the fault address (for non-LPAE CPUs only)
552 * @s2addr: Address that caused a fault at stage 2
553 * @paddr: physical address that caused a fault for gpc
554 * @paddr_space: physical address space that caused a fault for gpc
555 * @stage2: True if we faulted at stage 2
556 * @s1ptw: True if we faulted at stage 2 while doing a stage 1 page-table walk
557 * @s1ns: True if we faulted on a non-secure IPA while in secure state
558 * @ea: True if we should set the EA (external abort type) bit in syndrome
559 */
560 typedef struct ARMMMUFaultInfo ARMMMUFaultInfo;
561 struct ARMMMUFaultInfo {
562 ARMFaultType type;
563 ARMGPCF gpcf;
564 target_ulong s2addr;
565 target_ulong paddr;
566 ARMSecuritySpace paddr_space;
567 int level;
568 int domain;
569 bool stage2;
570 bool s1ptw;
571 bool s1ns;
572 bool ea;
573 };
574
575 /**
576 * arm_fi_to_sfsc: Convert fault info struct to short-format FSC
577 * Compare pseudocode EncodeSDFSC(), though unlike that function
578 * we set up a whole FSR-format code including domain field and
579 * putting the high bit of the FSC into bit 10.
580 */
arm_fi_to_sfsc(ARMMMUFaultInfo * fi)581 static inline uint32_t arm_fi_to_sfsc(ARMMMUFaultInfo *fi)
582 {
583 uint32_t fsc;
584
585 switch (fi->type) {
586 case ARMFault_None:
587 return 0;
588 case ARMFault_AccessFlag:
589 fsc = fi->level == 1 ? 0x3 : 0x6;
590 break;
591 case ARMFault_Alignment:
592 fsc = 0x1;
593 break;
594 case ARMFault_Permission:
595 fsc = fi->level == 1 ? 0xd : 0xf;
596 break;
597 case ARMFault_Domain:
598 fsc = fi->level == 1 ? 0x9 : 0xb;
599 break;
600 case ARMFault_Translation:
601 fsc = fi->level == 1 ? 0x5 : 0x7;
602 break;
603 case ARMFault_SyncExternal:
604 fsc = 0x8 | (fi->ea << 12);
605 break;
606 case ARMFault_SyncExternalOnWalk:
607 fsc = fi->level == 1 ? 0xc : 0xe;
608 fsc |= (fi->ea << 12);
609 break;
610 case ARMFault_SyncParity:
611 fsc = 0x409;
612 break;
613 case ARMFault_SyncParityOnWalk:
614 fsc = fi->level == 1 ? 0x40c : 0x40e;
615 break;
616 case ARMFault_AsyncParity:
617 fsc = 0x408;
618 break;
619 case ARMFault_AsyncExternal:
620 fsc = 0x406 | (fi->ea << 12);
621 break;
622 case ARMFault_Debug:
623 fsc = 0x2;
624 break;
625 case ARMFault_TLBConflict:
626 fsc = 0x400;
627 break;
628 case ARMFault_Lockdown:
629 fsc = 0x404;
630 break;
631 case ARMFault_Exclusive:
632 fsc = 0x405;
633 break;
634 case ARMFault_ICacheMaint:
635 fsc = 0x4;
636 break;
637 case ARMFault_Background:
638 fsc = 0x0;
639 break;
640 case ARMFault_QEMU_NSCExec:
641 fsc = M_FAKE_FSR_NSC_EXEC;
642 break;
643 case ARMFault_QEMU_SFault:
644 fsc = M_FAKE_FSR_SFAULT;
645 break;
646 default:
647 /* Other faults can't occur in a context that requires a
648 * short-format status code.
649 */
650 g_assert_not_reached();
651 }
652
653 fsc |= (fi->domain << 4);
654 return fsc;
655 }
656
657 /**
658 * arm_fi_to_lfsc: Convert fault info struct to long-format FSC
659 * Compare pseudocode EncodeLDFSC(), though unlike that function
660 * we fill in also the LPAE bit 9 of a DFSR format.
661 */
arm_fi_to_lfsc(ARMMMUFaultInfo * fi)662 static inline uint32_t arm_fi_to_lfsc(ARMMMUFaultInfo *fi)
663 {
664 uint32_t fsc;
665
666 switch (fi->type) {
667 case ARMFault_None:
668 return 0;
669 case ARMFault_AddressSize:
670 assert(fi->level >= -1 && fi->level <= 3);
671 if (fi->level < 0) {
672 fsc = 0b101001;
673 } else {
674 fsc = fi->level;
675 }
676 break;
677 case ARMFault_AccessFlag:
678 assert(fi->level >= 0 && fi->level <= 3);
679 fsc = 0b001000 | fi->level;
680 break;
681 case ARMFault_Permission:
682 assert(fi->level >= 0 && fi->level <= 3);
683 fsc = 0b001100 | fi->level;
684 break;
685 case ARMFault_Translation:
686 assert(fi->level >= -1 && fi->level <= 3);
687 if (fi->level < 0) {
688 fsc = 0b101011;
689 } else {
690 fsc = 0b000100 | fi->level;
691 }
692 break;
693 case ARMFault_SyncExternal:
694 fsc = 0x10 | (fi->ea << 12);
695 break;
696 case ARMFault_SyncExternalOnWalk:
697 assert(fi->level >= -1 && fi->level <= 3);
698 if (fi->level < 0) {
699 fsc = 0b010011;
700 } else {
701 fsc = 0b010100 | fi->level;
702 }
703 fsc |= fi->ea << 12;
704 break;
705 case ARMFault_SyncParity:
706 fsc = 0x18;
707 break;
708 case ARMFault_SyncParityOnWalk:
709 assert(fi->level >= -1 && fi->level <= 3);
710 if (fi->level < 0) {
711 fsc = 0b011011;
712 } else {
713 fsc = 0b011100 | fi->level;
714 }
715 break;
716 case ARMFault_AsyncParity:
717 fsc = 0x19;
718 break;
719 case ARMFault_AsyncExternal:
720 fsc = 0x11 | (fi->ea << 12);
721 break;
722 case ARMFault_Alignment:
723 fsc = 0x21;
724 break;
725 case ARMFault_Debug:
726 fsc = 0x22;
727 break;
728 case ARMFault_TLBConflict:
729 fsc = 0x30;
730 break;
731 case ARMFault_UnsuppAtomicUpdate:
732 fsc = 0x31;
733 break;
734 case ARMFault_Lockdown:
735 fsc = 0x34;
736 break;
737 case ARMFault_Exclusive:
738 fsc = 0x35;
739 break;
740 case ARMFault_GPCFOnWalk:
741 assert(fi->level >= -1 && fi->level <= 3);
742 if (fi->level < 0) {
743 fsc = 0b100011;
744 } else {
745 fsc = 0b100100 | fi->level;
746 }
747 break;
748 case ARMFault_GPCFOnOutput:
749 fsc = 0b101000;
750 break;
751 default:
752 /* Other faults can't occur in a context that requires a
753 * long-format status code.
754 */
755 g_assert_not_reached();
756 }
757
758 fsc |= 1 << 9;
759 return fsc;
760 }
761
arm_extabort_type(MemTxResult result)762 static inline bool arm_extabort_type(MemTxResult result)
763 {
764 /* The EA bit in syndromes and fault status registers is an
765 * IMPDEF classification of external aborts. ARM implementations
766 * usually use this to indicate AXI bus Decode error (0) or
767 * Slave error (1); in QEMU we follow that.
768 */
769 return result != MEMTX_DECODE_ERROR;
770 }
771
772 #ifdef CONFIG_USER_ONLY
773 void arm_cpu_record_sigsegv(CPUState *cpu, vaddr addr,
774 MMUAccessType access_type,
775 bool maperr, uintptr_t ra);
776 void arm_cpu_record_sigbus(CPUState *cpu, vaddr addr,
777 MMUAccessType access_type, uintptr_t ra);
778 #else
779 bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
780 MMUAccessType access_type, int mmu_idx,
781 bool probe, uintptr_t retaddr);
782 #endif
783
arm_to_core_mmu_idx(ARMMMUIdx mmu_idx)784 static inline int arm_to_core_mmu_idx(ARMMMUIdx mmu_idx)
785 {
786 return mmu_idx & ARM_MMU_IDX_COREIDX_MASK;
787 }
788
core_to_arm_mmu_idx(CPUARMState * env,int mmu_idx)789 static inline ARMMMUIdx core_to_arm_mmu_idx(CPUARMState *env, int mmu_idx)
790 {
791 if (arm_feature(env, ARM_FEATURE_M)) {
792 return mmu_idx | ARM_MMU_IDX_M;
793 } else {
794 return mmu_idx | ARM_MMU_IDX_A;
795 }
796 }
797
core_to_aa64_mmu_idx(int mmu_idx)798 static inline ARMMMUIdx core_to_aa64_mmu_idx(int mmu_idx)
799 {
800 /* AArch64 is always a-profile. */
801 return mmu_idx | ARM_MMU_IDX_A;
802 }
803
804 int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx);
805
806 /* Return the MMU index for a v7M CPU in the specified security state */
807 ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate);
808
809 /*
810 * Return true if the stage 1 translation regime is using LPAE
811 * format page tables
812 */
813 bool arm_s1_regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx);
814
815 /* Raise a data fault alignment exception for the specified virtual address */
816 G_NORETURN void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
817 MMUAccessType access_type,
818 int mmu_idx, uintptr_t retaddr);
819
820 #ifndef CONFIG_USER_ONLY
821 /* arm_cpu_do_transaction_failed: handle a memory system error response
822 * (eg "no device/memory present at address") by raising an external abort
823 * exception
824 */
825 void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
826 vaddr addr, unsigned size,
827 MMUAccessType access_type,
828 int mmu_idx, MemTxAttrs attrs,
829 MemTxResult response, uintptr_t retaddr);
830 #endif
831
832 /* Call any registered EL change hooks */
arm_call_pre_el_change_hook(ARMCPU * cpu)833 static inline void arm_call_pre_el_change_hook(ARMCPU *cpu)
834 {
835 ARMELChangeHook *hook, *next;
836 QLIST_FOREACH_SAFE(hook, &cpu->pre_el_change_hooks, node, next) {
837 hook->hook(cpu, hook->opaque);
838 }
839 }
arm_call_el_change_hook(ARMCPU * cpu)840 static inline void arm_call_el_change_hook(ARMCPU *cpu)
841 {
842 ARMELChangeHook *hook, *next;
843 QLIST_FOREACH_SAFE(hook, &cpu->el_change_hooks, node, next) {
844 hook->hook(cpu, hook->opaque);
845 }
846 }
847
848 /* Return true if this address translation regime has two ranges. */
regime_has_2_ranges(ARMMMUIdx mmu_idx)849 static inline bool regime_has_2_ranges(ARMMMUIdx mmu_idx)
850 {
851 switch (mmu_idx) {
852 case ARMMMUIdx_Stage1_E0:
853 case ARMMMUIdx_Stage1_E1:
854 case ARMMMUIdx_Stage1_E1_PAN:
855 case ARMMMUIdx_E10_0:
856 case ARMMMUIdx_E10_1:
857 case ARMMMUIdx_E10_1_PAN:
858 case ARMMMUIdx_E20_0:
859 case ARMMMUIdx_E20_2:
860 case ARMMMUIdx_E20_2_PAN:
861 return true;
862 default:
863 return false;
864 }
865 }
866
regime_is_pan(CPUARMState * env,ARMMMUIdx mmu_idx)867 static inline bool regime_is_pan(CPUARMState *env, ARMMMUIdx mmu_idx)
868 {
869 switch (mmu_idx) {
870 case ARMMMUIdx_Stage1_E1_PAN:
871 case ARMMMUIdx_E10_1_PAN:
872 case ARMMMUIdx_E20_2_PAN:
873 return true;
874 default:
875 return false;
876 }
877 }
878
regime_is_stage2(ARMMMUIdx mmu_idx)879 static inline bool regime_is_stage2(ARMMMUIdx mmu_idx)
880 {
881 return mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S;
882 }
883
884 /* Return the exception level which controls this address translation regime */
regime_el(CPUARMState * env,ARMMMUIdx mmu_idx)885 static inline uint32_t regime_el(CPUARMState *env, ARMMMUIdx mmu_idx)
886 {
887 switch (mmu_idx) {
888 case ARMMMUIdx_E20_0:
889 case ARMMMUIdx_E20_2:
890 case ARMMMUIdx_E20_2_PAN:
891 case ARMMMUIdx_Stage2:
892 case ARMMMUIdx_Stage2_S:
893 case ARMMMUIdx_E2:
894 return 2;
895 case ARMMMUIdx_E3:
896 return 3;
897 case ARMMMUIdx_E10_0:
898 case ARMMMUIdx_Stage1_E0:
899 return arm_el_is_aa64(env, 3) || !arm_is_secure_below_el3(env) ? 1 : 3;
900 case ARMMMUIdx_Stage1_E1:
901 case ARMMMUIdx_Stage1_E1_PAN:
902 case ARMMMUIdx_E10_1:
903 case ARMMMUIdx_E10_1_PAN:
904 case ARMMMUIdx_MPrivNegPri:
905 case ARMMMUIdx_MUserNegPri:
906 case ARMMMUIdx_MPriv:
907 case ARMMMUIdx_MUser:
908 case ARMMMUIdx_MSPrivNegPri:
909 case ARMMMUIdx_MSUserNegPri:
910 case ARMMMUIdx_MSPriv:
911 case ARMMMUIdx_MSUser:
912 return 1;
913 default:
914 g_assert_not_reached();
915 }
916 }
917
regime_is_user(CPUARMState * env,ARMMMUIdx mmu_idx)918 static inline bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx)
919 {
920 switch (mmu_idx) {
921 case ARMMMUIdx_E20_0:
922 case ARMMMUIdx_Stage1_E0:
923 case ARMMMUIdx_MUser:
924 case ARMMMUIdx_MSUser:
925 case ARMMMUIdx_MUserNegPri:
926 case ARMMMUIdx_MSUserNegPri:
927 return true;
928 default:
929 return false;
930 case ARMMMUIdx_E10_0:
931 case ARMMMUIdx_E10_1:
932 case ARMMMUIdx_E10_1_PAN:
933 g_assert_not_reached();
934 }
935 }
936
937 /* Return the SCTLR value which controls this address translation regime */
regime_sctlr(CPUARMState * env,ARMMMUIdx mmu_idx)938 static inline uint64_t regime_sctlr(CPUARMState *env, ARMMMUIdx mmu_idx)
939 {
940 return env->cp15.sctlr_el[regime_el(env, mmu_idx)];
941 }
942
943 /*
944 * These are the fields in VTCR_EL2 which affect both the Secure stage 2
945 * and the Non-Secure stage 2 translation regimes (and hence which are
946 * not present in VSTCR_EL2).
947 */
948 #define VTCR_SHARED_FIELD_MASK \
949 (R_VTCR_IRGN0_MASK | R_VTCR_ORGN0_MASK | R_VTCR_SH0_MASK | \
950 R_VTCR_PS_MASK | R_VTCR_VS_MASK | R_VTCR_HA_MASK | R_VTCR_HD_MASK | \
951 R_VTCR_DS_MASK)
952
953 /* Return the value of the TCR controlling this translation regime */
regime_tcr(CPUARMState * env,ARMMMUIdx mmu_idx)954 static inline uint64_t regime_tcr(CPUARMState *env, ARMMMUIdx mmu_idx)
955 {
956 if (mmu_idx == ARMMMUIdx_Stage2) {
957 return env->cp15.vtcr_el2;
958 }
959 if (mmu_idx == ARMMMUIdx_Stage2_S) {
960 /*
961 * Secure stage 2 shares fields from VTCR_EL2. We merge those
962 * in with the VSTCR_EL2 value to synthesize a single VTCR_EL2 format
963 * value so the callers don't need to special case this.
964 *
965 * If a future architecture change defines bits in VSTCR_EL2 that
966 * overlap with these VTCR_EL2 fields we may need to revisit this.
967 */
968 uint64_t v = env->cp15.vstcr_el2 & ~VTCR_SHARED_FIELD_MASK;
969 v |= env->cp15.vtcr_el2 & VTCR_SHARED_FIELD_MASK;
970 return v;
971 }
972 return env->cp15.tcr_el[regime_el(env, mmu_idx)];
973 }
974
975 /* Return true if the translation regime is using LPAE format page tables */
regime_using_lpae_format(CPUARMState * env,ARMMMUIdx mmu_idx)976 static inline bool regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx)
977 {
978 int el = regime_el(env, mmu_idx);
979 if (el == 2 || arm_el_is_aa64(env, el)) {
980 return true;
981 }
982 if (arm_feature(env, ARM_FEATURE_PMSA) &&
983 arm_feature(env, ARM_FEATURE_V8)) {
984 return true;
985 }
986 if (arm_feature(env, ARM_FEATURE_LPAE)
987 && (regime_tcr(env, mmu_idx) & TTBCR_EAE)) {
988 return true;
989 }
990 return false;
991 }
992
993 /**
994 * arm_num_brps: Return number of implemented breakpoints.
995 * Note that the ID register BRPS field is "number of bps - 1",
996 * and we return the actual number of breakpoints.
997 */
arm_num_brps(ARMCPU * cpu)998 static inline int arm_num_brps(ARMCPU *cpu)
999 {
1000 if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
1001 return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, BRPS) + 1;
1002 } else {
1003 return FIELD_EX32(cpu->isar.dbgdidr, DBGDIDR, BRPS) + 1;
1004 }
1005 }
1006
1007 /**
1008 * arm_num_wrps: Return number of implemented watchpoints.
1009 * Note that the ID register WRPS field is "number of wps - 1",
1010 * and we return the actual number of watchpoints.
1011 */
arm_num_wrps(ARMCPU * cpu)1012 static inline int arm_num_wrps(ARMCPU *cpu)
1013 {
1014 if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
1015 return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, WRPS) + 1;
1016 } else {
1017 return FIELD_EX32(cpu->isar.dbgdidr, DBGDIDR, WRPS) + 1;
1018 }
1019 }
1020
1021 /**
1022 * arm_num_ctx_cmps: Return number of implemented context comparators.
1023 * Note that the ID register CTX_CMPS field is "number of cmps - 1",
1024 * and we return the actual number of comparators.
1025 */
arm_num_ctx_cmps(ARMCPU * cpu)1026 static inline int arm_num_ctx_cmps(ARMCPU *cpu)
1027 {
1028 if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
1029 return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, CTX_CMPS) + 1;
1030 } else {
1031 return FIELD_EX32(cpu->isar.dbgdidr, DBGDIDR, CTX_CMPS) + 1;
1032 }
1033 }
1034
1035 /**
1036 * v7m_using_psp: Return true if using process stack pointer
1037 * Return true if the CPU is currently using the process stack
1038 * pointer, or false if it is using the main stack pointer.
1039 */
v7m_using_psp(CPUARMState * env)1040 static inline bool v7m_using_psp(CPUARMState *env)
1041 {
1042 /* Handler mode always uses the main stack; for thread mode
1043 * the CONTROL.SPSEL bit determines the answer.
1044 * Note that in v7M it is not possible to be in Handler mode with
1045 * CONTROL.SPSEL non-zero, but in v8M it is, so we must check both.
1046 */
1047 return !arm_v7m_is_handler_mode(env) &&
1048 env->v7m.control[env->v7m.secure] & R_V7M_CONTROL_SPSEL_MASK;
1049 }
1050
1051 /**
1052 * v7m_sp_limit: Return SP limit for current CPU state
1053 * Return the SP limit value for the current CPU security state
1054 * and stack pointer.
1055 */
v7m_sp_limit(CPUARMState * env)1056 static inline uint32_t v7m_sp_limit(CPUARMState *env)
1057 {
1058 if (v7m_using_psp(env)) {
1059 return env->v7m.psplim[env->v7m.secure];
1060 } else {
1061 return env->v7m.msplim[env->v7m.secure];
1062 }
1063 }
1064
1065 /**
1066 * v7m_cpacr_pass:
1067 * Return true if the v7M CPACR permits access to the FPU for the specified
1068 * security state and privilege level.
1069 */
v7m_cpacr_pass(CPUARMState * env,bool is_secure,bool is_priv)1070 static inline bool v7m_cpacr_pass(CPUARMState *env,
1071 bool is_secure, bool is_priv)
1072 {
1073 switch (extract32(env->v7m.cpacr[is_secure], 20, 2)) {
1074 case 0:
1075 case 2: /* UNPREDICTABLE: we treat like 0 */
1076 return false;
1077 case 1:
1078 return is_priv;
1079 case 3:
1080 return true;
1081 default:
1082 g_assert_not_reached();
1083 }
1084 }
1085
1086 /**
1087 * aarch32_mode_name(): Return name of the AArch32 CPU mode
1088 * @psr: Program Status Register indicating CPU mode
1089 *
1090 * Returns, for debug logging purposes, a printable representation
1091 * of the AArch32 CPU mode ("svc", "usr", etc) as indicated by
1092 * the low bits of the specified PSR.
1093 */
aarch32_mode_name(uint32_t psr)1094 static inline const char *aarch32_mode_name(uint32_t psr)
1095 {
1096 static const char cpu_mode_names[16][4] = {
1097 "usr", "fiq", "irq", "svc", "???", "???", "mon", "abt",
1098 "???", "???", "hyp", "und", "???", "???", "???", "sys"
1099 };
1100
1101 return cpu_mode_names[psr & 0xf];
1102 }
1103
1104 /**
1105 * arm_cpu_update_virq: Update CPU_INTERRUPT_VIRQ bit in cs->interrupt_request
1106 *
1107 * Update the CPU_INTERRUPT_VIRQ bit in cs->interrupt_request, following
1108 * a change to either the input VIRQ line from the GIC or the HCR_EL2.VI bit.
1109 * Must be called with the BQL held.
1110 */
1111 void arm_cpu_update_virq(ARMCPU *cpu);
1112
1113 /**
1114 * arm_cpu_update_vfiq: Update CPU_INTERRUPT_VFIQ bit in cs->interrupt_request
1115 *
1116 * Update the CPU_INTERRUPT_VFIQ bit in cs->interrupt_request, following
1117 * a change to either the input VFIQ line from the GIC or the HCR_EL2.VF bit.
1118 * Must be called with the BQL held.
1119 */
1120 void arm_cpu_update_vfiq(ARMCPU *cpu);
1121
1122 /**
1123 * arm_cpu_update_vinmi: Update CPU_INTERRUPT_VINMI bit in cs->interrupt_request
1124 *
1125 * Update the CPU_INTERRUPT_VINMI bit in cs->interrupt_request, following
1126 * a change to either the input VNMI line from the GIC or the HCRX_EL2.VINMI.
1127 * Must be called with the BQL held.
1128 */
1129 void arm_cpu_update_vinmi(ARMCPU *cpu);
1130
1131 /**
1132 * arm_cpu_update_vfnmi: Update CPU_INTERRUPT_VFNMI bit in cs->interrupt_request
1133 *
1134 * Update the CPU_INTERRUPT_VFNMI bit in cs->interrupt_request, following
1135 * a change to the HCRX_EL2.VFNMI.
1136 * Must be called with the BQL held.
1137 */
1138 void arm_cpu_update_vfnmi(ARMCPU *cpu);
1139
1140 /**
1141 * arm_cpu_update_vserr: Update CPU_INTERRUPT_VSERR bit
1142 *
1143 * Update the CPU_INTERRUPT_VSERR bit in cs->interrupt_request,
1144 * following a change to the HCR_EL2.VSE bit.
1145 */
1146 void arm_cpu_update_vserr(ARMCPU *cpu);
1147
1148 /**
1149 * arm_mmu_idx_el:
1150 * @env: The cpu environment
1151 * @el: The EL to use.
1152 *
1153 * Return the full ARMMMUIdx for the translation regime for EL.
1154 */
1155 ARMMMUIdx arm_mmu_idx_el(CPUARMState *env, int el);
1156
1157 /**
1158 * arm_mmu_idx:
1159 * @env: The cpu environment
1160 *
1161 * Return the full ARMMMUIdx for the current translation regime.
1162 */
1163 ARMMMUIdx arm_mmu_idx(CPUARMState *env);
1164
1165 /**
1166 * arm_stage1_mmu_idx:
1167 * @env: The cpu environment
1168 *
1169 * Return the ARMMMUIdx for the stage1 traversal for the current regime.
1170 */
1171 #ifdef CONFIG_USER_ONLY
stage_1_mmu_idx(ARMMMUIdx mmu_idx)1172 static inline ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx)
1173 {
1174 return ARMMMUIdx_Stage1_E0;
1175 }
arm_stage1_mmu_idx(CPUARMState * env)1176 static inline ARMMMUIdx arm_stage1_mmu_idx(CPUARMState *env)
1177 {
1178 return ARMMMUIdx_Stage1_E0;
1179 }
1180 #else
1181 ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx);
1182 ARMMMUIdx arm_stage1_mmu_idx(CPUARMState *env);
1183 #endif
1184
1185 /**
1186 * arm_mmu_idx_is_stage1_of_2:
1187 * @mmu_idx: The ARMMMUIdx to test
1188 *
1189 * Return true if @mmu_idx is a NOTLB mmu_idx that is the
1190 * first stage of a two stage regime.
1191 */
arm_mmu_idx_is_stage1_of_2(ARMMMUIdx mmu_idx)1192 static inline bool arm_mmu_idx_is_stage1_of_2(ARMMMUIdx mmu_idx)
1193 {
1194 switch (mmu_idx) {
1195 case ARMMMUIdx_Stage1_E0:
1196 case ARMMMUIdx_Stage1_E1:
1197 case ARMMMUIdx_Stage1_E1_PAN:
1198 return true;
1199 default:
1200 return false;
1201 }
1202 }
1203
aarch32_cpsr_valid_mask(uint64_t features,const ARMISARegisters * id)1204 static inline uint32_t aarch32_cpsr_valid_mask(uint64_t features,
1205 const ARMISARegisters *id)
1206 {
1207 uint32_t valid = CPSR_M | CPSR_AIF | CPSR_IL | CPSR_NZCV;
1208
1209 if ((features >> ARM_FEATURE_V4T) & 1) {
1210 valid |= CPSR_T;
1211 }
1212 if ((features >> ARM_FEATURE_V5) & 1) {
1213 valid |= CPSR_Q; /* V5TE in reality*/
1214 }
1215 if ((features >> ARM_FEATURE_V6) & 1) {
1216 valid |= CPSR_E | CPSR_GE;
1217 }
1218 if ((features >> ARM_FEATURE_THUMB2) & 1) {
1219 valid |= CPSR_IT;
1220 }
1221 if (isar_feature_aa32_jazelle(id)) {
1222 valid |= CPSR_J;
1223 }
1224 if (isar_feature_aa32_pan(id)) {
1225 valid |= CPSR_PAN;
1226 }
1227 if (isar_feature_aa32_dit(id)) {
1228 valid |= CPSR_DIT;
1229 }
1230 if (isar_feature_aa32_ssbs(id)) {
1231 valid |= CPSR_SSBS;
1232 }
1233
1234 return valid;
1235 }
1236
aarch64_pstate_valid_mask(const ARMISARegisters * id)1237 static inline uint32_t aarch64_pstate_valid_mask(const ARMISARegisters *id)
1238 {
1239 uint32_t valid;
1240
1241 valid = PSTATE_M | PSTATE_DAIF | PSTATE_IL | PSTATE_SS | PSTATE_NZCV;
1242 if (isar_feature_aa64_bti(id)) {
1243 valid |= PSTATE_BTYPE;
1244 }
1245 if (isar_feature_aa64_pan(id)) {
1246 valid |= PSTATE_PAN;
1247 }
1248 if (isar_feature_aa64_uao(id)) {
1249 valid |= PSTATE_UAO;
1250 }
1251 if (isar_feature_aa64_dit(id)) {
1252 valid |= PSTATE_DIT;
1253 }
1254 if (isar_feature_aa64_ssbs(id)) {
1255 valid |= PSTATE_SSBS;
1256 }
1257 if (isar_feature_aa64_mte(id)) {
1258 valid |= PSTATE_TCO;
1259 }
1260 if (isar_feature_aa64_nmi(id)) {
1261 valid |= PSTATE_ALLINT;
1262 }
1263
1264 return valid;
1265 }
1266
1267 /* Granule size (i.e. page size) */
1268 typedef enum ARMGranuleSize {
1269 /* Same order as TG0 encoding */
1270 Gran4K,
1271 Gran64K,
1272 Gran16K,
1273 GranInvalid,
1274 } ARMGranuleSize;
1275
1276 /**
1277 * arm_granule_bits: Return address size of the granule in bits
1278 *
1279 * Return the address size of the granule in bits. This corresponds
1280 * to the pseudocode TGxGranuleBits().
1281 */
arm_granule_bits(ARMGranuleSize gran)1282 static inline int arm_granule_bits(ARMGranuleSize gran)
1283 {
1284 switch (gran) {
1285 case Gran64K:
1286 return 16;
1287 case Gran16K:
1288 return 14;
1289 case Gran4K:
1290 return 12;
1291 default:
1292 g_assert_not_reached();
1293 }
1294 }
1295
1296 /*
1297 * Parameters of a given virtual address, as extracted from the
1298 * translation control register (TCR) for a given regime.
1299 */
1300 typedef struct ARMVAParameters {
1301 unsigned tsz : 8;
1302 unsigned ps : 3;
1303 unsigned sh : 2;
1304 unsigned select : 1;
1305 bool tbi : 1;
1306 bool epd : 1;
1307 bool hpd : 1;
1308 bool tsz_oob : 1; /* tsz has been clamped to legal range */
1309 bool ds : 1;
1310 bool ha : 1;
1311 bool hd : 1;
1312 ARMGranuleSize gran : 2;
1313 } ARMVAParameters;
1314
1315 /**
1316 * aa64_va_parameters: Return parameters for an AArch64 virtual address
1317 * @env: CPU
1318 * @va: virtual address to look up
1319 * @mmu_idx: determines translation regime to use
1320 * @data: true if this is a data access
1321 * @el1_is_aa32: true if we are asking about stage 2 when EL1 is AArch32
1322 * (ignored if @mmu_idx is for a stage 1 regime; only affects tsz/tsz_oob)
1323 */
1324 ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
1325 ARMMMUIdx mmu_idx, bool data,
1326 bool el1_is_aa32);
1327
1328 int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx);
1329 int aa64_va_parameter_tbid(uint64_t tcr, ARMMMUIdx mmu_idx);
1330 int aa64_va_parameter_tcma(uint64_t tcr, ARMMMUIdx mmu_idx);
1331
1332 /* Determine if allocation tags are available. */
allocation_tag_access_enabled(CPUARMState * env,int el,uint64_t sctlr)1333 static inline bool allocation_tag_access_enabled(CPUARMState *env, int el,
1334 uint64_t sctlr)
1335 {
1336 if (el < 3
1337 && arm_feature(env, ARM_FEATURE_EL3)
1338 && !(env->cp15.scr_el3 & SCR_ATA)) {
1339 return false;
1340 }
1341 if (el < 2 && arm_is_el2_enabled(env)) {
1342 uint64_t hcr = arm_hcr_el2_eff(env);
1343 if (!(hcr & HCR_ATA) && (!(hcr & HCR_E2H) || !(hcr & HCR_TGE))) {
1344 return false;
1345 }
1346 }
1347 sctlr &= (el == 0 ? SCTLR_ATA0 : SCTLR_ATA);
1348 return sctlr != 0;
1349 }
1350
1351 #ifndef CONFIG_USER_ONLY
1352
1353 /* Security attributes for an address, as returned by v8m_security_lookup. */
1354 typedef struct V8M_SAttributes {
1355 bool subpage; /* true if these attrs don't cover the whole TARGET_PAGE */
1356 bool ns;
1357 bool nsc;
1358 uint8_t sregion;
1359 bool srvalid;
1360 uint8_t iregion;
1361 bool irvalid;
1362 } V8M_SAttributes;
1363
1364 void v8m_security_lookup(CPUARMState *env, uint32_t address,
1365 MMUAccessType access_type, ARMMMUIdx mmu_idx,
1366 bool secure, V8M_SAttributes *sattrs);
1367
1368 /* Cacheability and shareability attributes for a memory access */
1369 typedef struct ARMCacheAttrs {
1370 /*
1371 * If is_s2_format is true, attrs is the S2 descriptor bits [5:2]
1372 * Otherwise, attrs is the same as the MAIR_EL1 8-bit format
1373 */
1374 unsigned int attrs:8;
1375 unsigned int shareability:2; /* as in the SH field of the VMSAv8-64 PTEs */
1376 bool is_s2_format:1;
1377 } ARMCacheAttrs;
1378
1379 /* Fields that are valid upon success. */
1380 typedef struct GetPhysAddrResult {
1381 CPUTLBEntryFull f;
1382 ARMCacheAttrs cacheattrs;
1383 } GetPhysAddrResult;
1384
1385 /**
1386 * get_phys_addr: get the physical address for a virtual address
1387 * @env: CPUARMState
1388 * @address: virtual address to get physical address for
1389 * @access_type: 0 for read, 1 for write, 2 for execute
1390 * @mmu_idx: MMU index indicating required translation regime
1391 * @result: set on translation success.
1392 * @fi: set to fault info if the translation fails
1393 *
1394 * Find the physical address corresponding to the given virtual address,
1395 * by doing a translation table walk on MMU based systems or using the
1396 * MPU state on MPU based systems.
1397 *
1398 * Returns false if the translation was successful. Otherwise, phys_ptr, attrs,
1399 * prot and page_size may not be filled in, and the populated fsr value provides
1400 * information on why the translation aborted, in the format of a
1401 * DFSR/IFSR fault register, with the following caveats:
1402 * * we honour the short vs long DFSR format differences.
1403 * * the WnR bit is never set (the caller must do this).
1404 * * for PSMAv5 based systems we don't bother to return a full FSR format
1405 * value.
1406 */
1407 bool get_phys_addr(CPUARMState *env, target_ulong address,
1408 MMUAccessType access_type, ARMMMUIdx mmu_idx,
1409 GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
1410 __attribute__((nonnull));
1411
1412 /**
1413 * get_phys_addr_with_space_nogpc: get the physical address for a virtual
1414 * address
1415 * @env: CPUARMState
1416 * @address: virtual address to get physical address for
1417 * @access_type: 0 for read, 1 for write, 2 for execute
1418 * @mmu_idx: MMU index indicating required translation regime
1419 * @space: security space for the access
1420 * @result: set on translation success.
1421 * @fi: set to fault info if the translation fails
1422 *
1423 * Similar to get_phys_addr, but use the given security space and don't perform
1424 * a Granule Protection Check on the resulting address.
1425 */
1426 bool get_phys_addr_with_space_nogpc(CPUARMState *env, target_ulong address,
1427 MMUAccessType access_type,
1428 ARMMMUIdx mmu_idx, ARMSecuritySpace space,
1429 GetPhysAddrResult *result,
1430 ARMMMUFaultInfo *fi)
1431 __attribute__((nonnull));
1432
1433 bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
1434 MMUAccessType access_type, ARMMMUIdx mmu_idx,
1435 bool is_secure, GetPhysAddrResult *result,
1436 ARMMMUFaultInfo *fi, uint32_t *mregion);
1437
1438 void arm_log_exception(CPUState *cs);
1439
1440 #endif /* !CONFIG_USER_ONLY */
1441
1442 /*
1443 * SVE predicates are 1/8 the size of SVE vectors, and cannot use
1444 * the same simd_desc() encoding due to restrictions on size.
1445 * Use these instead.
1446 */
1447 FIELD(PREDDESC, OPRSZ, 0, 6)
1448 FIELD(PREDDESC, ESZ, 6, 2)
1449 FIELD(PREDDESC, DATA, 8, 24)
1450
1451 /*
1452 * The SVE simd_data field, for memory ops, contains either
1453 * rd (5 bits) or a shift count (2 bits).
1454 */
1455 #define SVE_MTEDESC_SHIFT 5
1456
1457 /* Bits within a descriptor passed to the helper_mte_check* functions. */
1458 FIELD(MTEDESC, MIDX, 0, 4)
1459 FIELD(MTEDESC, TBI, 4, 2)
1460 FIELD(MTEDESC, TCMA, 6, 2)
1461 FIELD(MTEDESC, WRITE, 8, 1)
1462 FIELD(MTEDESC, ALIGN, 9, 3)
1463 FIELD(MTEDESC, SIZEM1, 12, SIMD_DATA_BITS - SVE_MTEDESC_SHIFT - 12) /* size - 1 */
1464
1465 bool mte_probe(CPUARMState *env, uint32_t desc, uint64_t ptr);
1466 uint64_t mte_check(CPUARMState *env, uint32_t desc, uint64_t ptr, uintptr_t ra);
1467
1468 /**
1469 * mte_mops_probe: Check where the next MTE failure is for a FEAT_MOPS operation
1470 * @env: CPU env
1471 * @ptr: start address of memory region (dirty pointer)
1472 * @size: length of region (guaranteed not to cross a page boundary)
1473 * @desc: MTEDESC descriptor word (0 means no MTE checks)
1474 * Returns: the size of the region that can be copied without hitting
1475 * an MTE tag failure
1476 *
1477 * Note that we assume that the caller has already checked the TBI
1478 * and TCMA bits with mte_checks_needed() and an MTE check is definitely
1479 * required.
1480 */
1481 uint64_t mte_mops_probe(CPUARMState *env, uint64_t ptr, uint64_t size,
1482 uint32_t desc);
1483
1484 /**
1485 * mte_mops_probe_rev: Check where the next MTE failure is for a FEAT_MOPS
1486 * operation going in the reverse direction
1487 * @env: CPU env
1488 * @ptr: *end* address of memory region (dirty pointer)
1489 * @size: length of region (guaranteed not to cross a page boundary)
1490 * @desc: MTEDESC descriptor word (0 means no MTE checks)
1491 * Returns: the size of the region that can be copied without hitting
1492 * an MTE tag failure
1493 *
1494 * Note that we assume that the caller has already checked the TBI
1495 * and TCMA bits with mte_checks_needed() and an MTE check is definitely
1496 * required.
1497 */
1498 uint64_t mte_mops_probe_rev(CPUARMState *env, uint64_t ptr, uint64_t size,
1499 uint32_t desc);
1500
1501 /**
1502 * mte_check_fail: Record an MTE tag check failure
1503 * @env: CPU env
1504 * @desc: MTEDESC descriptor word
1505 * @dirty_ptr: Failing dirty address
1506 * @ra: TCG retaddr
1507 *
1508 * This may never return (if the MTE tag checks are configured to fault).
1509 */
1510 void mte_check_fail(CPUARMState *env, uint32_t desc,
1511 uint64_t dirty_ptr, uintptr_t ra);
1512
1513 /**
1514 * mte_mops_set_tags: Set MTE tags for a portion of a FEAT_MOPS operation
1515 * @env: CPU env
1516 * @dirty_ptr: Start address of memory region (dirty pointer)
1517 * @size: length of region (guaranteed not to cross page boundary)
1518 * @desc: MTEDESC descriptor word
1519 */
1520 void mte_mops_set_tags(CPUARMState *env, uint64_t dirty_ptr, uint64_t size,
1521 uint32_t desc);
1522
allocation_tag_from_addr(uint64_t ptr)1523 static inline int allocation_tag_from_addr(uint64_t ptr)
1524 {
1525 return extract64(ptr, 56, 4);
1526 }
1527
address_with_allocation_tag(uint64_t ptr,int rtag)1528 static inline uint64_t address_with_allocation_tag(uint64_t ptr, int rtag)
1529 {
1530 return deposit64(ptr, 56, 4, rtag);
1531 }
1532
1533 /* Return true if tbi bits mean that the access is checked. */
tbi_check(uint32_t desc,int bit55)1534 static inline bool tbi_check(uint32_t desc, int bit55)
1535 {
1536 return (desc >> (R_MTEDESC_TBI_SHIFT + bit55)) & 1;
1537 }
1538
1539 /* Return true if tcma bits mean that the access is unchecked. */
tcma_check(uint32_t desc,int bit55,int ptr_tag)1540 static inline bool tcma_check(uint32_t desc, int bit55, int ptr_tag)
1541 {
1542 /*
1543 * We had extracted bit55 and ptr_tag for other reasons, so fold
1544 * (ptr<59:55> == 00000 || ptr<59:55> == 11111) into a single test.
1545 */
1546 bool match = ((ptr_tag + bit55) & 0xf) == 0;
1547 bool tcma = (desc >> (R_MTEDESC_TCMA_SHIFT + bit55)) & 1;
1548 return tcma && match;
1549 }
1550
1551 /*
1552 * For TBI, ideally, we would do nothing. Proper behaviour on fault is
1553 * for the tag to be present in the FAR_ELx register. But for user-only
1554 * mode, we do not have a TLB with which to implement this, so we must
1555 * remove the top byte.
1556 */
useronly_clean_ptr(uint64_t ptr)1557 static inline uint64_t useronly_clean_ptr(uint64_t ptr)
1558 {
1559 #ifdef CONFIG_USER_ONLY
1560 /* TBI0 is known to be enabled, while TBI1 is disabled. */
1561 ptr &= sextract64(ptr, 0, 56);
1562 #endif
1563 return ptr;
1564 }
1565
useronly_maybe_clean_ptr(uint32_t desc,uint64_t ptr)1566 static inline uint64_t useronly_maybe_clean_ptr(uint32_t desc, uint64_t ptr)
1567 {
1568 #ifdef CONFIG_USER_ONLY
1569 int64_t clean_ptr = sextract64(ptr, 0, 56);
1570 if (tbi_check(desc, clean_ptr < 0)) {
1571 ptr = clean_ptr;
1572 }
1573 #endif
1574 return ptr;
1575 }
1576
1577 /* Values for M-profile PSR.ECI for MVE insns */
1578 enum MVEECIState {
1579 ECI_NONE = 0, /* No completed beats */
1580 ECI_A0 = 1, /* Completed: A0 */
1581 ECI_A0A1 = 2, /* Completed: A0, A1 */
1582 /* 3 is reserved */
1583 ECI_A0A1A2 = 4, /* Completed: A0, A1, A2 */
1584 ECI_A0A1A2B0 = 5, /* Completed: A0, A1, A2, B0 */
1585 /* All other values reserved */
1586 };
1587
1588 /* Definitions for the PMU registers */
1589 #define PMCRN_MASK 0xf800
1590 #define PMCRN_SHIFT 11
1591 #define PMCRLP 0x80
1592 #define PMCRLC 0x40
1593 #define PMCRDP 0x20
1594 #define PMCRX 0x10
1595 #define PMCRD 0x8
1596 #define PMCRC 0x4
1597 #define PMCRP 0x2
1598 #define PMCRE 0x1
1599 /*
1600 * Mask of PMCR bits writable by guest (not including WO bits like C, P,
1601 * which can be written as 1 to trigger behaviour but which stay RAZ).
1602 */
1603 #define PMCR_WRITABLE_MASK (PMCRLP | PMCRLC | PMCRDP | PMCRX | PMCRD | PMCRE)
1604
1605 #define PMXEVTYPER_P 0x80000000
1606 #define PMXEVTYPER_U 0x40000000
1607 #define PMXEVTYPER_NSK 0x20000000
1608 #define PMXEVTYPER_NSU 0x10000000
1609 #define PMXEVTYPER_NSH 0x08000000
1610 #define PMXEVTYPER_M 0x04000000
1611 #define PMXEVTYPER_MT 0x02000000
1612 #define PMXEVTYPER_EVTCOUNT 0x0000ffff
1613 #define PMXEVTYPER_MASK (PMXEVTYPER_P | PMXEVTYPER_U | PMXEVTYPER_NSK | \
1614 PMXEVTYPER_NSU | PMXEVTYPER_NSH | \
1615 PMXEVTYPER_M | PMXEVTYPER_MT | \
1616 PMXEVTYPER_EVTCOUNT)
1617
1618 #define PMCCFILTR 0xf8000000
1619 #define PMCCFILTR_M PMXEVTYPER_M
1620 #define PMCCFILTR_EL0 (PMCCFILTR | PMCCFILTR_M)
1621
pmu_num_counters(CPUARMState * env)1622 static inline uint32_t pmu_num_counters(CPUARMState *env)
1623 {
1624 ARMCPU *cpu = env_archcpu(env);
1625
1626 return (cpu->isar.reset_pmcr_el0 & PMCRN_MASK) >> PMCRN_SHIFT;
1627 }
1628
1629 /* Bits allowed to be set/cleared for PMCNTEN* and PMINTEN* */
pmu_counter_mask(CPUARMState * env)1630 static inline uint64_t pmu_counter_mask(CPUARMState *env)
1631 {
1632 return (1ULL << 31) | ((1ULL << pmu_num_counters(env)) - 1);
1633 }
1634
1635 #ifdef TARGET_AARCH64
1636 GDBFeature *arm_gen_dynamic_svereg_feature(CPUState *cpu, int base_reg);
1637 int aarch64_gdb_get_sve_reg(CPUState *cs, GByteArray *buf, int reg);
1638 int aarch64_gdb_set_sve_reg(CPUState *cs, uint8_t *buf, int reg);
1639 int aarch64_gdb_get_fpu_reg(CPUState *cs, GByteArray *buf, int reg);
1640 int aarch64_gdb_set_fpu_reg(CPUState *cs, uint8_t *buf, int reg);
1641 int aarch64_gdb_get_pauth_reg(CPUState *cs, GByteArray *buf, int reg);
1642 int aarch64_gdb_set_pauth_reg(CPUState *cs, uint8_t *buf, int reg);
1643 void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp);
1644 void arm_cpu_sme_finalize(ARMCPU *cpu, Error **errp);
1645 void arm_cpu_pauth_finalize(ARMCPU *cpu, Error **errp);
1646 void arm_cpu_lpa2_finalize(ARMCPU *cpu, Error **errp);
1647 void aarch64_max_tcg_initfn(Object *obj);
1648 void aarch64_add_pauth_properties(Object *obj);
1649 void aarch64_add_sve_properties(Object *obj);
1650 void aarch64_add_sme_properties(Object *obj);
1651 #endif
1652
1653 /* Read the CONTROL register as the MRS instruction would. */
1654 uint32_t arm_v7m_mrs_control(CPUARMState *env, uint32_t secure);
1655
1656 /*
1657 * Return a pointer to the location where we currently store the
1658 * stack pointer for the requested security state and thread mode.
1659 * This pointer will become invalid if the CPU state is updated
1660 * such that the stack pointers are switched around (eg changing
1661 * the SPSEL control bit).
1662 */
1663 uint32_t *arm_v7m_get_sp_ptr(CPUARMState *env, bool secure,
1664 bool threadmode, bool spsel);
1665
1666 bool el_is_in_host(CPUARMState *env, int el);
1667
1668 void aa32_max_features(ARMCPU *cpu);
1669 int exception_target_el(CPUARMState *env);
1670 bool arm_singlestep_active(CPUARMState *env);
1671 bool arm_generate_debug_exceptions(CPUARMState *env);
1672
1673 /**
1674 * pauth_ptr_mask:
1675 * @param: parameters defining the MMU setup
1676 *
1677 * Return a mask of the address bits that contain the authentication code,
1678 * given the MMU config defined by @param.
1679 */
pauth_ptr_mask(ARMVAParameters param)1680 static inline uint64_t pauth_ptr_mask(ARMVAParameters param)
1681 {
1682 int bot_pac_bit = 64 - param.tsz;
1683 int top_pac_bit = 64 - 8 * param.tbi;
1684
1685 return MAKE_64BIT_MASK(bot_pac_bit, top_pac_bit - bot_pac_bit);
1686 }
1687
1688 /* Add the cpreg definitions for debug related system registers */
1689 void define_debug_regs(ARMCPU *cpu);
1690
1691 /* Effective value of MDCR_EL2 */
arm_mdcr_el2_eff(CPUARMState * env)1692 static inline uint64_t arm_mdcr_el2_eff(CPUARMState *env)
1693 {
1694 return arm_is_el2_enabled(env) ? env->cp15.mdcr_el2 : 0;
1695 }
1696
1697 /* Powers of 2 for sve_vq_map et al. */
1698 #define SVE_VQ_POW2_MAP \
1699 ((1 << (1 - 1)) | (1 << (2 - 1)) | \
1700 (1 << (4 - 1)) | (1 << (8 - 1)) | (1 << (16 - 1)))
1701
1702 /*
1703 * Return true if it is possible to take a fine-grained-trap to EL2.
1704 */
arm_fgt_active(CPUARMState * env,int el)1705 static inline bool arm_fgt_active(CPUARMState *env, int el)
1706 {
1707 /*
1708 * The Arm ARM only requires the "{E2H,TGE} != {1,1}" test for traps
1709 * that can affect EL0, but it is harmless to do the test also for
1710 * traps on registers that are only accessible at EL1 because if the test
1711 * returns true then we can't be executing at EL1 anyway.
1712 * FGT traps only happen when EL2 is enabled and EL1 is AArch64;
1713 * traps from AArch32 only happen for the EL0 is AArch32 case.
1714 */
1715 return cpu_isar_feature(aa64_fgt, env_archcpu(env)) &&
1716 el < 2 && arm_is_el2_enabled(env) &&
1717 arm_el_is_aa64(env, 1) &&
1718 (arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE) &&
1719 (!arm_feature(env, ARM_FEATURE_EL3) || (env->cp15.scr_el3 & SCR_FGTEN));
1720 }
1721
1722 void assert_hflags_rebuild_correctly(CPUARMState *env);
1723
1724 /*
1725 * Although the ARM implementation of hardware assisted debugging
1726 * allows for different breakpoints per-core, the current GDB
1727 * interface treats them as a global pool of registers (which seems to
1728 * be the case for x86, ppc and s390). As a result we store one copy
1729 * of registers which is used for all active cores.
1730 *
1731 * Write access is serialised by virtue of the GDB protocol which
1732 * updates things. Read access (i.e. when the values are copied to the
1733 * vCPU) is also gated by GDB's run control.
1734 *
1735 * This is not unreasonable as most of the time debugging kernels you
1736 * never know which core will eventually execute your function.
1737 */
1738
1739 typedef struct {
1740 uint64_t bcr;
1741 uint64_t bvr;
1742 } HWBreakpoint;
1743
1744 /*
1745 * The watchpoint registers can cover more area than the requested
1746 * watchpoint so we need to store the additional information
1747 * somewhere. We also need to supply a CPUWatchpoint to the GDB stub
1748 * when the watchpoint is hit.
1749 */
1750 typedef struct {
1751 uint64_t wcr;
1752 uint64_t wvr;
1753 CPUWatchpoint details;
1754 } HWWatchpoint;
1755
1756 /* Maximum and current break/watch point counts */
1757 extern int max_hw_bps, max_hw_wps;
1758 extern GArray *hw_breakpoints, *hw_watchpoints;
1759
1760 #define cur_hw_wps (hw_watchpoints->len)
1761 #define cur_hw_bps (hw_breakpoints->len)
1762 #define get_hw_bp(i) (&g_array_index(hw_breakpoints, HWBreakpoint, i))
1763 #define get_hw_wp(i) (&g_array_index(hw_watchpoints, HWWatchpoint, i))
1764
1765 bool find_hw_breakpoint(CPUState *cpu, target_ulong pc);
1766 int insert_hw_breakpoint(target_ulong pc);
1767 int delete_hw_breakpoint(target_ulong pc);
1768
1769 bool check_watchpoint_in_range(int i, target_ulong addr);
1770 CPUWatchpoint *find_hw_watchpoint(CPUState *cpu, target_ulong addr);
1771 int insert_hw_watchpoint(target_ulong addr, target_ulong len, int type);
1772 int delete_hw_watchpoint(target_ulong addr, target_ulong len, int type);
1773 #endif
1774