1 /* 2 * PowerPC MMU, TLB, SLB and BAT emulation helpers for QEMU. 3 * 4 * Copyright (c) 2003-2007 Jocelyn Mayer 5 * Copyright (c) 2013 David Gibson, IBM Corporation 6 * 7 * This library is free software; you can redistribute it and/or 8 * modify it under the terms of the GNU Lesser General Public 9 * License as published by the Free Software Foundation; either 10 * version 2.1 of the License, or (at your option) any later version. 11 * 12 * This library is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 * Lesser General Public License for more details. 16 * 17 * You should have received a copy of the GNU Lesser General Public 18 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 19 */ 20 #include "qemu/osdep.h" 21 #include "qemu/units.h" 22 #include "cpu.h" 23 #include "exec/exec-all.h" 24 #include "exec/helper-proto.h" 25 #include "qemu/error-report.h" 26 #include "qemu/qemu-print.h" 27 #include "sysemu/hw_accel.h" 28 #include "kvm_ppc.h" 29 #include "mmu-hash64.h" 30 #include "exec/log.h" 31 #include "hw/hw.h" 32 #include "mmu-book3s-v3.h" 33 34 /* #define DEBUG_SLB */ 35 36 #ifdef DEBUG_SLB 37 # define LOG_SLB(...) qemu_log_mask(CPU_LOG_MMU, __VA_ARGS__) 38 #else 39 # define LOG_SLB(...) do { } while (0) 40 #endif 41 42 /* 43 * SLB handling 44 */ 45 46 static ppc_slb_t *slb_lookup(PowerPCCPU *cpu, target_ulong eaddr) 47 { 48 CPUPPCState *env = &cpu->env; 49 uint64_t esid_256M, esid_1T; 50 int n; 51 52 LOG_SLB("%s: eaddr " TARGET_FMT_lx "\n", __func__, eaddr); 53 54 esid_256M = (eaddr & SEGMENT_MASK_256M) | SLB_ESID_V; 55 esid_1T = (eaddr & SEGMENT_MASK_1T) | SLB_ESID_V; 56 57 for (n = 0; n < cpu->hash64_opts->slb_size; n++) { 58 ppc_slb_t *slb = &env->slb[n]; 59 60 LOG_SLB("%s: slot %d %016" PRIx64 " %016" 61 PRIx64 "\n", __func__, n, slb->esid, slb->vsid); 62 /* 63 * We check for 1T matches on all MMUs here - if the MMU 64 * doesn't have 1T segment support, we will have prevented 1T 65 * entries from being inserted in the slbmte code. 66 */ 67 if (((slb->esid == esid_256M) && 68 ((slb->vsid & SLB_VSID_B) == SLB_VSID_B_256M)) 69 || ((slb->esid == esid_1T) && 70 ((slb->vsid & SLB_VSID_B) == SLB_VSID_B_1T))) { 71 return slb; 72 } 73 } 74 75 return NULL; 76 } 77 78 void dump_slb(PowerPCCPU *cpu) 79 { 80 CPUPPCState *env = &cpu->env; 81 int i; 82 uint64_t slbe, slbv; 83 84 cpu_synchronize_state(CPU(cpu)); 85 86 qemu_printf("SLB\tESID\t\t\tVSID\n"); 87 for (i = 0; i < cpu->hash64_opts->slb_size; i++) { 88 slbe = env->slb[i].esid; 89 slbv = env->slb[i].vsid; 90 if (slbe == 0 && slbv == 0) { 91 continue; 92 } 93 qemu_printf("%d\t0x%016" PRIx64 "\t0x%016" PRIx64 "\n", 94 i, slbe, slbv); 95 } 96 } 97 98 void helper_slbia(CPUPPCState *env, uint32_t ih) 99 { 100 PowerPCCPU *cpu = env_archcpu(env); 101 int starting_entry; 102 int n; 103 104 /* 105 * slbia must always flush all TLB (which is equivalent to ERAT in ppc 106 * architecture). Matching on SLB_ESID_V is not good enough, because slbmte 107 * can overwrite a valid SLB without flushing its lookaside information. 108 * 109 * It would be possible to keep the TLB in synch with the SLB by flushing 110 * when a valid entry is overwritten by slbmte, and therefore slbia would 111 * not have to flush unless it evicts a valid SLB entry. However it is 112 * expected that slbmte is more common than slbia, and slbia is usually 113 * going to evict valid SLB entries, so that tradeoff is unlikely to be a 114 * good one. 115 * 116 * ISA v2.05 introduced IH field with values 0,1,2,6. These all invalidate 117 * the same SLB entries (everything but entry 0), but differ in what 118 * "lookaside information" is invalidated. TCG can ignore this and flush 119 * everything. 120 * 121 * ISA v3.0 introduced additional values 3,4,7, which change what SLBs are 122 * invalidated. 123 */ 124 125 env->tlb_need_flush |= TLB_NEED_LOCAL_FLUSH; 126 127 starting_entry = 1; /* default for IH=0,1,2,6 */ 128 129 if (env->mmu_model == POWERPC_MMU_3_00) { 130 switch (ih) { 131 case 0x7: 132 /* invalidate no SLBs, but all lookaside information */ 133 return; 134 135 case 0x3: 136 case 0x4: 137 /* also considers SLB entry 0 */ 138 starting_entry = 0; 139 break; 140 141 case 0x5: 142 /* treat undefined values as ih==0, and warn */ 143 qemu_log_mask(LOG_GUEST_ERROR, 144 "slbia undefined IH field %u.\n", ih); 145 break; 146 147 default: 148 /* 0,1,2,6 */ 149 break; 150 } 151 } 152 153 for (n = starting_entry; n < cpu->hash64_opts->slb_size; n++) { 154 ppc_slb_t *slb = &env->slb[n]; 155 156 if (!(slb->esid & SLB_ESID_V)) { 157 continue; 158 } 159 if (env->mmu_model == POWERPC_MMU_3_00) { 160 if (ih == 0x3 && (slb->vsid & SLB_VSID_C) == 0) { 161 /* preserves entries with a class value of 0 */ 162 continue; 163 } 164 } 165 166 slb->esid &= ~SLB_ESID_V; 167 } 168 } 169 170 static void __helper_slbie(CPUPPCState *env, target_ulong addr, 171 target_ulong global) 172 { 173 PowerPCCPU *cpu = env_archcpu(env); 174 ppc_slb_t *slb; 175 176 slb = slb_lookup(cpu, addr); 177 if (!slb) { 178 return; 179 } 180 181 if (slb->esid & SLB_ESID_V) { 182 slb->esid &= ~SLB_ESID_V; 183 184 /* 185 * XXX: given the fact that segment size is 256 MB or 1TB, 186 * and we still don't have a tlb_flush_mask(env, n, mask) 187 * in QEMU, we just invalidate all TLBs 188 */ 189 env->tlb_need_flush |= 190 (global == false ? TLB_NEED_LOCAL_FLUSH : TLB_NEED_GLOBAL_FLUSH); 191 } 192 } 193 194 void helper_slbie(CPUPPCState *env, target_ulong addr) 195 { 196 __helper_slbie(env, addr, false); 197 } 198 199 void helper_slbieg(CPUPPCState *env, target_ulong addr) 200 { 201 __helper_slbie(env, addr, true); 202 } 203 204 int ppc_store_slb(PowerPCCPU *cpu, target_ulong slot, 205 target_ulong esid, target_ulong vsid) 206 { 207 CPUPPCState *env = &cpu->env; 208 ppc_slb_t *slb = &env->slb[slot]; 209 const PPCHash64SegmentPageSizes *sps = NULL; 210 int i; 211 212 if (slot >= cpu->hash64_opts->slb_size) { 213 return -1; /* Bad slot number */ 214 } 215 if (esid & ~(SLB_ESID_ESID | SLB_ESID_V)) { 216 return -1; /* Reserved bits set */ 217 } 218 if (vsid & (SLB_VSID_B & ~SLB_VSID_B_1T)) { 219 return -1; /* Bad segment size */ 220 } 221 if ((vsid & SLB_VSID_B) && !(ppc_hash64_has(cpu, PPC_HASH64_1TSEG))) { 222 return -1; /* 1T segment on MMU that doesn't support it */ 223 } 224 225 for (i = 0; i < PPC_PAGE_SIZES_MAX_SZ; i++) { 226 const PPCHash64SegmentPageSizes *sps1 = &cpu->hash64_opts->sps[i]; 227 228 if (!sps1->page_shift) { 229 break; 230 } 231 232 if ((vsid & SLB_VSID_LLP_MASK) == sps1->slb_enc) { 233 sps = sps1; 234 break; 235 } 236 } 237 238 if (!sps) { 239 error_report("Bad page size encoding in SLB store: slot "TARGET_FMT_lu 240 " esid 0x"TARGET_FMT_lx" vsid 0x"TARGET_FMT_lx, 241 slot, esid, vsid); 242 return -1; 243 } 244 245 slb->esid = esid; 246 slb->vsid = vsid; 247 slb->sps = sps; 248 249 LOG_SLB("%s: " TARGET_FMT_lu " " TARGET_FMT_lx " - " TARGET_FMT_lx 250 " => %016" PRIx64 " %016" PRIx64 "\n", __func__, slot, esid, vsid, 251 slb->esid, slb->vsid); 252 253 return 0; 254 } 255 256 static int ppc_load_slb_esid(PowerPCCPU *cpu, target_ulong rb, 257 target_ulong *rt) 258 { 259 CPUPPCState *env = &cpu->env; 260 int slot = rb & 0xfff; 261 ppc_slb_t *slb = &env->slb[slot]; 262 263 if (slot >= cpu->hash64_opts->slb_size) { 264 return -1; 265 } 266 267 *rt = slb->esid; 268 return 0; 269 } 270 271 static int ppc_load_slb_vsid(PowerPCCPU *cpu, target_ulong rb, 272 target_ulong *rt) 273 { 274 CPUPPCState *env = &cpu->env; 275 int slot = rb & 0xfff; 276 ppc_slb_t *slb = &env->slb[slot]; 277 278 if (slot >= cpu->hash64_opts->slb_size) { 279 return -1; 280 } 281 282 *rt = slb->vsid; 283 return 0; 284 } 285 286 static int ppc_find_slb_vsid(PowerPCCPU *cpu, target_ulong rb, 287 target_ulong *rt) 288 { 289 CPUPPCState *env = &cpu->env; 290 ppc_slb_t *slb; 291 292 if (!msr_is_64bit(env, env->msr)) { 293 rb &= 0xffffffff; 294 } 295 slb = slb_lookup(cpu, rb); 296 if (slb == NULL) { 297 *rt = (target_ulong)-1ul; 298 } else { 299 *rt = slb->vsid; 300 } 301 return 0; 302 } 303 304 void helper_store_slb(CPUPPCState *env, target_ulong rb, target_ulong rs) 305 { 306 PowerPCCPU *cpu = env_archcpu(env); 307 308 if (ppc_store_slb(cpu, rb & 0xfff, rb & ~0xfffULL, rs) < 0) { 309 raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM, 310 POWERPC_EXCP_INVAL, GETPC()); 311 } 312 } 313 314 target_ulong helper_load_slb_esid(CPUPPCState *env, target_ulong rb) 315 { 316 PowerPCCPU *cpu = env_archcpu(env); 317 target_ulong rt = 0; 318 319 if (ppc_load_slb_esid(cpu, rb, &rt) < 0) { 320 raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM, 321 POWERPC_EXCP_INVAL, GETPC()); 322 } 323 return rt; 324 } 325 326 target_ulong helper_find_slb_vsid(CPUPPCState *env, target_ulong rb) 327 { 328 PowerPCCPU *cpu = env_archcpu(env); 329 target_ulong rt = 0; 330 331 if (ppc_find_slb_vsid(cpu, rb, &rt) < 0) { 332 raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM, 333 POWERPC_EXCP_INVAL, GETPC()); 334 } 335 return rt; 336 } 337 338 target_ulong helper_load_slb_vsid(CPUPPCState *env, target_ulong rb) 339 { 340 PowerPCCPU *cpu = env_archcpu(env); 341 target_ulong rt = 0; 342 343 if (ppc_load_slb_vsid(cpu, rb, &rt) < 0) { 344 raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM, 345 POWERPC_EXCP_INVAL, GETPC()); 346 } 347 return rt; 348 } 349 350 /* Check No-Execute or Guarded Storage */ 351 static inline int ppc_hash64_pte_noexec_guard(PowerPCCPU *cpu, 352 ppc_hash_pte64_t pte) 353 { 354 /* Exec permissions CANNOT take away read or write permissions */ 355 return (pte.pte1 & HPTE64_R_N) || (pte.pte1 & HPTE64_R_G) ? 356 PAGE_READ | PAGE_WRITE : PAGE_READ | PAGE_WRITE | PAGE_EXEC; 357 } 358 359 /* Check Basic Storage Protection */ 360 static int ppc_hash64_pte_prot(PowerPCCPU *cpu, 361 ppc_slb_t *slb, ppc_hash_pte64_t pte) 362 { 363 CPUPPCState *env = &cpu->env; 364 unsigned pp, key; 365 /* 366 * Some pp bit combinations have undefined behaviour, so default 367 * to no access in those cases 368 */ 369 int prot = 0; 370 371 key = !!(msr_pr ? (slb->vsid & SLB_VSID_KP) 372 : (slb->vsid & SLB_VSID_KS)); 373 pp = (pte.pte1 & HPTE64_R_PP) | ((pte.pte1 & HPTE64_R_PP0) >> 61); 374 375 if (key == 0) { 376 switch (pp) { 377 case 0x0: 378 case 0x1: 379 case 0x2: 380 prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC; 381 break; 382 383 case 0x3: 384 case 0x6: 385 prot = PAGE_READ | PAGE_EXEC; 386 break; 387 } 388 } else { 389 switch (pp) { 390 case 0x0: 391 case 0x6: 392 break; 393 394 case 0x1: 395 case 0x3: 396 prot = PAGE_READ | PAGE_EXEC; 397 break; 398 399 case 0x2: 400 prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC; 401 break; 402 } 403 } 404 405 return prot; 406 } 407 408 /* Check the instruction access permissions specified in the IAMR */ 409 static int ppc_hash64_iamr_prot(PowerPCCPU *cpu, int key) 410 { 411 CPUPPCState *env = &cpu->env; 412 int iamr_bits = (env->spr[SPR_IAMR] >> 2 * (31 - key)) & 0x3; 413 414 /* 415 * An instruction fetch is permitted if the IAMR bit is 0. 416 * If the bit is set, return PAGE_READ | PAGE_WRITE because this bit 417 * can only take away EXEC permissions not READ or WRITE permissions. 418 * If bit is cleared return PAGE_READ | PAGE_WRITE | PAGE_EXEC since 419 * EXEC permissions are allowed. 420 */ 421 return (iamr_bits & 0x1) ? PAGE_READ | PAGE_WRITE : 422 PAGE_READ | PAGE_WRITE | PAGE_EXEC; 423 } 424 425 static int ppc_hash64_amr_prot(PowerPCCPU *cpu, ppc_hash_pte64_t pte) 426 { 427 CPUPPCState *env = &cpu->env; 428 int key, amrbits; 429 int prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC; 430 431 /* Only recent MMUs implement Virtual Page Class Key Protection */ 432 if (!ppc_hash64_has(cpu, PPC_HASH64_AMR)) { 433 return prot; 434 } 435 436 key = HPTE64_R_KEY(pte.pte1); 437 amrbits = (env->spr[SPR_AMR] >> 2 * (31 - key)) & 0x3; 438 439 /* fprintf(stderr, "AMR protection: key=%d AMR=0x%" PRIx64 "\n", key, */ 440 /* env->spr[SPR_AMR]); */ 441 442 /* 443 * A store is permitted if the AMR bit is 0. Remove write 444 * protection if it is set. 445 */ 446 if (amrbits & 0x2) { 447 prot &= ~PAGE_WRITE; 448 } 449 /* 450 * A load is permitted if the AMR bit is 0. Remove read 451 * protection if it is set. 452 */ 453 if (amrbits & 0x1) { 454 prot &= ~PAGE_READ; 455 } 456 457 switch (env->mmu_model) { 458 /* 459 * MMU version 2.07 and later support IAMR 460 * Check if the IAMR allows the instruction access - it will return 461 * PAGE_EXEC if it doesn't (and thus that bit will be cleared) or 0 462 * if it does (and prot will be unchanged indicating execution support). 463 */ 464 case POWERPC_MMU_2_07: 465 case POWERPC_MMU_3_00: 466 prot &= ppc_hash64_iamr_prot(cpu, key); 467 break; 468 default: 469 break; 470 } 471 472 return prot; 473 } 474 475 const ppc_hash_pte64_t *ppc_hash64_map_hptes(PowerPCCPU *cpu, 476 hwaddr ptex, int n) 477 { 478 hwaddr pte_offset = ptex * HASH_PTE_SIZE_64; 479 hwaddr base; 480 hwaddr plen = n * HASH_PTE_SIZE_64; 481 const ppc_hash_pte64_t *hptes; 482 483 if (cpu->vhyp) { 484 PPCVirtualHypervisorClass *vhc = 485 PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp); 486 return vhc->map_hptes(cpu->vhyp, ptex, n); 487 } 488 base = ppc_hash64_hpt_base(cpu); 489 490 if (!base) { 491 return NULL; 492 } 493 494 hptes = address_space_map(CPU(cpu)->as, base + pte_offset, &plen, false, 495 MEMTXATTRS_UNSPECIFIED); 496 if (plen < (n * HASH_PTE_SIZE_64)) { 497 hw_error("%s: Unable to map all requested HPTEs\n", __func__); 498 } 499 return hptes; 500 } 501 502 void ppc_hash64_unmap_hptes(PowerPCCPU *cpu, const ppc_hash_pte64_t *hptes, 503 hwaddr ptex, int n) 504 { 505 if (cpu->vhyp) { 506 PPCVirtualHypervisorClass *vhc = 507 PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp); 508 vhc->unmap_hptes(cpu->vhyp, hptes, ptex, n); 509 return; 510 } 511 512 address_space_unmap(CPU(cpu)->as, (void *)hptes, n * HASH_PTE_SIZE_64, 513 false, n * HASH_PTE_SIZE_64); 514 } 515 516 static unsigned hpte_page_shift(const PPCHash64SegmentPageSizes *sps, 517 uint64_t pte0, uint64_t pte1) 518 { 519 int i; 520 521 if (!(pte0 & HPTE64_V_LARGE)) { 522 if (sps->page_shift != 12) { 523 /* 4kiB page in a non 4kiB segment */ 524 return 0; 525 } 526 /* Normal 4kiB page */ 527 return 12; 528 } 529 530 for (i = 0; i < PPC_PAGE_SIZES_MAX_SZ; i++) { 531 const PPCHash64PageSize *ps = &sps->enc[i]; 532 uint64_t mask; 533 534 if (!ps->page_shift) { 535 break; 536 } 537 538 if (ps->page_shift == 12) { 539 /* L bit is set so this can't be a 4kiB page */ 540 continue; 541 } 542 543 mask = ((1ULL << ps->page_shift) - 1) & HPTE64_R_RPN; 544 545 if ((pte1 & mask) == ((uint64_t)ps->pte_enc << HPTE64_R_RPN_SHIFT)) { 546 return ps->page_shift; 547 } 548 } 549 550 return 0; /* Bad page size encoding */ 551 } 552 553 static void ppc64_v3_new_to_old_hpte(target_ulong *pte0, target_ulong *pte1) 554 { 555 /* Insert B into pte0 */ 556 *pte0 = (*pte0 & HPTE64_V_COMMON_BITS) | 557 ((*pte1 & HPTE64_R_3_0_SSIZE_MASK) << 558 (HPTE64_V_SSIZE_SHIFT - HPTE64_R_3_0_SSIZE_SHIFT)); 559 560 /* Remove B from pte1 */ 561 *pte1 = *pte1 & ~HPTE64_R_3_0_SSIZE_MASK; 562 } 563 564 565 static hwaddr ppc_hash64_pteg_search(PowerPCCPU *cpu, hwaddr hash, 566 const PPCHash64SegmentPageSizes *sps, 567 target_ulong ptem, 568 ppc_hash_pte64_t *pte, unsigned *pshift) 569 { 570 int i; 571 const ppc_hash_pte64_t *pteg; 572 target_ulong pte0, pte1; 573 target_ulong ptex; 574 575 ptex = (hash & ppc_hash64_hpt_mask(cpu)) * HPTES_PER_GROUP; 576 pteg = ppc_hash64_map_hptes(cpu, ptex, HPTES_PER_GROUP); 577 if (!pteg) { 578 return -1; 579 } 580 for (i = 0; i < HPTES_PER_GROUP; i++) { 581 pte0 = ppc_hash64_hpte0(cpu, pteg, i); 582 /* 583 * pte0 contains the valid bit and must be read before pte1, 584 * otherwise we might see an old pte1 with a new valid bit and 585 * thus an inconsistent hpte value 586 */ 587 smp_rmb(); 588 pte1 = ppc_hash64_hpte1(cpu, pteg, i); 589 590 /* Convert format if necessary */ 591 if (cpu->env.mmu_model == POWERPC_MMU_3_00 && !cpu->vhyp) { 592 ppc64_v3_new_to_old_hpte(&pte0, &pte1); 593 } 594 595 /* This compares V, B, H (secondary) and the AVPN */ 596 if (HPTE64_V_COMPARE(pte0, ptem)) { 597 *pshift = hpte_page_shift(sps, pte0, pte1); 598 /* 599 * If there is no match, ignore the PTE, it could simply 600 * be for a different segment size encoding and the 601 * architecture specifies we should not match. Linux will 602 * potentially leave behind PTEs for the wrong base page 603 * size when demoting segments. 604 */ 605 if (*pshift == 0) { 606 continue; 607 } 608 /* 609 * We don't do anything with pshift yet as qemu TLB only 610 * deals with 4K pages anyway 611 */ 612 pte->pte0 = pte0; 613 pte->pte1 = pte1; 614 ppc_hash64_unmap_hptes(cpu, pteg, ptex, HPTES_PER_GROUP); 615 return ptex + i; 616 } 617 } 618 ppc_hash64_unmap_hptes(cpu, pteg, ptex, HPTES_PER_GROUP); 619 /* 620 * We didn't find a valid entry. 621 */ 622 return -1; 623 } 624 625 static hwaddr ppc_hash64_htab_lookup(PowerPCCPU *cpu, 626 ppc_slb_t *slb, target_ulong eaddr, 627 ppc_hash_pte64_t *pte, unsigned *pshift) 628 { 629 CPUPPCState *env = &cpu->env; 630 hwaddr hash, ptex; 631 uint64_t vsid, epnmask, epn, ptem; 632 const PPCHash64SegmentPageSizes *sps = slb->sps; 633 634 /* 635 * The SLB store path should prevent any bad page size encodings 636 * getting in there, so: 637 */ 638 assert(sps); 639 640 /* If ISL is set in LPCR we need to clamp the page size to 4K */ 641 if (env->spr[SPR_LPCR] & LPCR_ISL) { 642 /* We assume that when using TCG, 4k is first entry of SPS */ 643 sps = &cpu->hash64_opts->sps[0]; 644 assert(sps->page_shift == 12); 645 } 646 647 epnmask = ~((1ULL << sps->page_shift) - 1); 648 649 if (slb->vsid & SLB_VSID_B) { 650 /* 1TB segment */ 651 vsid = (slb->vsid & SLB_VSID_VSID) >> SLB_VSID_SHIFT_1T; 652 epn = (eaddr & ~SEGMENT_MASK_1T) & epnmask; 653 hash = vsid ^ (vsid << 25) ^ (epn >> sps->page_shift); 654 } else { 655 /* 256M segment */ 656 vsid = (slb->vsid & SLB_VSID_VSID) >> SLB_VSID_SHIFT; 657 epn = (eaddr & ~SEGMENT_MASK_256M) & epnmask; 658 hash = vsid ^ (epn >> sps->page_shift); 659 } 660 ptem = (slb->vsid & SLB_VSID_PTEM) | ((epn >> 16) & HPTE64_V_AVPN); 661 ptem |= HPTE64_V_VALID; 662 663 /* Page address translation */ 664 qemu_log_mask(CPU_LOG_MMU, 665 "htab_base " TARGET_FMT_plx " htab_mask " TARGET_FMT_plx 666 " hash " TARGET_FMT_plx "\n", 667 ppc_hash64_hpt_base(cpu), ppc_hash64_hpt_mask(cpu), hash); 668 669 /* Primary PTEG lookup */ 670 qemu_log_mask(CPU_LOG_MMU, 671 "0 htab=" TARGET_FMT_plx "/" TARGET_FMT_plx 672 " vsid=" TARGET_FMT_lx " ptem=" TARGET_FMT_lx 673 " hash=" TARGET_FMT_plx "\n", 674 ppc_hash64_hpt_base(cpu), ppc_hash64_hpt_mask(cpu), 675 vsid, ptem, hash); 676 ptex = ppc_hash64_pteg_search(cpu, hash, sps, ptem, pte, pshift); 677 678 if (ptex == -1) { 679 /* Secondary PTEG lookup */ 680 ptem |= HPTE64_V_SECONDARY; 681 qemu_log_mask(CPU_LOG_MMU, 682 "1 htab=" TARGET_FMT_plx "/" TARGET_FMT_plx 683 " vsid=" TARGET_FMT_lx " api=" TARGET_FMT_lx 684 " hash=" TARGET_FMT_plx "\n", ppc_hash64_hpt_base(cpu), 685 ppc_hash64_hpt_mask(cpu), vsid, ptem, ~hash); 686 687 ptex = ppc_hash64_pteg_search(cpu, ~hash, sps, ptem, pte, pshift); 688 } 689 690 return ptex; 691 } 692 693 unsigned ppc_hash64_hpte_page_shift_noslb(PowerPCCPU *cpu, 694 uint64_t pte0, uint64_t pte1) 695 { 696 int i; 697 698 if (!(pte0 & HPTE64_V_LARGE)) { 699 return 12; 700 } 701 702 /* 703 * The encodings in env->sps need to be carefully chosen so that 704 * this gives an unambiguous result. 705 */ 706 for (i = 0; i < PPC_PAGE_SIZES_MAX_SZ; i++) { 707 const PPCHash64SegmentPageSizes *sps = &cpu->hash64_opts->sps[i]; 708 unsigned shift; 709 710 if (!sps->page_shift) { 711 break; 712 } 713 714 shift = hpte_page_shift(sps, pte0, pte1); 715 if (shift) { 716 return shift; 717 } 718 } 719 720 return 0; 721 } 722 723 static bool ppc_hash64_use_vrma(CPUPPCState *env) 724 { 725 switch (env->mmu_model) { 726 case POWERPC_MMU_3_00: 727 /* 728 * ISAv3.0 (POWER9) always uses VRMA, the VPM0 field and RMOR 729 * register no longer exist 730 */ 731 return true; 732 733 default: 734 return !!(env->spr[SPR_LPCR] & LPCR_VPM0); 735 } 736 } 737 738 static void ppc_hash64_set_isi(CPUState *cs, uint64_t error_code) 739 { 740 CPUPPCState *env = &POWERPC_CPU(cs)->env; 741 bool vpm; 742 743 if (msr_ir) { 744 vpm = !!(env->spr[SPR_LPCR] & LPCR_VPM1); 745 } else { 746 vpm = ppc_hash64_use_vrma(env); 747 } 748 if (vpm && !msr_hv) { 749 cs->exception_index = POWERPC_EXCP_HISI; 750 } else { 751 cs->exception_index = POWERPC_EXCP_ISI; 752 } 753 env->error_code = error_code; 754 } 755 756 static void ppc_hash64_set_dsi(CPUState *cs, uint64_t dar, uint64_t dsisr) 757 { 758 CPUPPCState *env = &POWERPC_CPU(cs)->env; 759 bool vpm; 760 761 if (msr_dr) { 762 vpm = !!(env->spr[SPR_LPCR] & LPCR_VPM1); 763 } else { 764 vpm = ppc_hash64_use_vrma(env); 765 } 766 if (vpm && !msr_hv) { 767 cs->exception_index = POWERPC_EXCP_HDSI; 768 env->spr[SPR_HDAR] = dar; 769 env->spr[SPR_HDSISR] = dsisr; 770 } else { 771 cs->exception_index = POWERPC_EXCP_DSI; 772 env->spr[SPR_DAR] = dar; 773 env->spr[SPR_DSISR] = dsisr; 774 } 775 env->error_code = 0; 776 } 777 778 779 static void ppc_hash64_set_r(PowerPCCPU *cpu, hwaddr ptex, uint64_t pte1) 780 { 781 hwaddr base, offset = ptex * HASH_PTE_SIZE_64 + 16; 782 783 if (cpu->vhyp) { 784 PPCVirtualHypervisorClass *vhc = 785 PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp); 786 vhc->hpte_set_r(cpu->vhyp, ptex, pte1); 787 return; 788 } 789 base = ppc_hash64_hpt_base(cpu); 790 791 792 /* The HW performs a non-atomic byte update */ 793 stb_phys(CPU(cpu)->as, base + offset, ((pte1 >> 8) & 0xff) | 0x01); 794 } 795 796 static void ppc_hash64_set_c(PowerPCCPU *cpu, hwaddr ptex, uint64_t pte1) 797 { 798 hwaddr base, offset = ptex * HASH_PTE_SIZE_64 + 15; 799 800 if (cpu->vhyp) { 801 PPCVirtualHypervisorClass *vhc = 802 PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp); 803 vhc->hpte_set_c(cpu->vhyp, ptex, pte1); 804 return; 805 } 806 base = ppc_hash64_hpt_base(cpu); 807 808 /* The HW performs a non-atomic byte update */ 809 stb_phys(CPU(cpu)->as, base + offset, (pte1 & 0xff) | 0x80); 810 } 811 812 static target_ulong rmls_limit(PowerPCCPU *cpu) 813 { 814 CPUPPCState *env = &cpu->env; 815 /* 816 * In theory the meanings of RMLS values are implementation 817 * dependent. In practice, this seems to have been the set from 818 * POWER4+..POWER8, and RMLS is no longer supported in POWER9. 819 * 820 * Unsupported values mean the OS has shot itself in the 821 * foot. Return a 0-sized RMA in this case, which we expect 822 * to trigger an immediate DSI or ISI 823 */ 824 static const target_ulong rma_sizes[16] = { 825 [0] = 256 * GiB, 826 [1] = 16 * GiB, 827 [2] = 1 * GiB, 828 [3] = 64 * MiB, 829 [4] = 256 * MiB, 830 [7] = 128 * MiB, 831 [8] = 32 * MiB, 832 }; 833 target_ulong rmls = (env->spr[SPR_LPCR] & LPCR_RMLS) >> LPCR_RMLS_SHIFT; 834 835 return rma_sizes[rmls]; 836 } 837 838 static int build_vrma_slbe(PowerPCCPU *cpu, ppc_slb_t *slb) 839 { 840 CPUPPCState *env = &cpu->env; 841 target_ulong lpcr = env->spr[SPR_LPCR]; 842 uint32_t vrmasd = (lpcr & LPCR_VRMASD) >> LPCR_VRMASD_SHIFT; 843 target_ulong vsid = SLB_VSID_VRMA | ((vrmasd << 4) & SLB_VSID_LLP_MASK); 844 int i; 845 846 for (i = 0; i < PPC_PAGE_SIZES_MAX_SZ; i++) { 847 const PPCHash64SegmentPageSizes *sps = &cpu->hash64_opts->sps[i]; 848 849 if (!sps->page_shift) { 850 break; 851 } 852 853 if ((vsid & SLB_VSID_LLP_MASK) == sps->slb_enc) { 854 slb->esid = SLB_ESID_V; 855 slb->vsid = vsid; 856 slb->sps = sps; 857 return 0; 858 } 859 } 860 861 error_report("Bad page size encoding in LPCR[VRMASD]; LPCR=0x" 862 TARGET_FMT_lx, lpcr); 863 864 return -1; 865 } 866 867 int ppc_hash64_handle_mmu_fault(PowerPCCPU *cpu, vaddr eaddr, 868 int rwx, int mmu_idx) 869 { 870 CPUState *cs = CPU(cpu); 871 CPUPPCState *env = &cpu->env; 872 ppc_slb_t vrma_slbe; 873 ppc_slb_t *slb; 874 unsigned apshift; 875 hwaddr ptex; 876 ppc_hash_pte64_t pte; 877 int exec_prot, pp_prot, amr_prot, prot; 878 const int need_prot[] = {PAGE_READ, PAGE_WRITE, PAGE_EXEC}; 879 hwaddr raddr; 880 881 assert((rwx == 0) || (rwx == 1) || (rwx == 2)); 882 883 /* 884 * Note on LPCR usage: 970 uses HID4, but our special variant of 885 * store_spr copies relevant fields into env->spr[SPR_LPCR]. 886 * Similarly we filter unimplemented bits when storing into LPCR 887 * depending on the MMU version. This code can thus just use the 888 * LPCR "as-is". 889 */ 890 891 /* 1. Handle real mode accesses */ 892 if (((rwx == 2) && (msr_ir == 0)) || ((rwx != 2) && (msr_dr == 0))) { 893 /* 894 * Translation is supposedly "off", but in real mode the top 4 895 * effective address bits are (mostly) ignored 896 */ 897 raddr = eaddr & 0x0FFFFFFFFFFFFFFFULL; 898 899 if (cpu->vhyp) { 900 /* 901 * In virtual hypervisor mode, there's nothing to do: 902 * EA == GPA == qemu guest address 903 */ 904 } else if (msr_hv || !env->has_hv_mode) { 905 /* In HV mode, add HRMOR if top EA bit is clear */ 906 if (!(eaddr >> 63)) { 907 raddr |= env->spr[SPR_HRMOR]; 908 } 909 } else if (ppc_hash64_use_vrma(env)) { 910 /* Emulated VRMA mode */ 911 slb = &vrma_slbe; 912 if (build_vrma_slbe(cpu, slb) != 0) { 913 /* Invalid VRMA setup, machine check */ 914 cs->exception_index = POWERPC_EXCP_MCHECK; 915 env->error_code = 0; 916 return 1; 917 } 918 919 goto skip_slb_search; 920 } else { 921 target_ulong limit = rmls_limit(cpu); 922 923 /* Emulated old-style RMO mode, bounds check against RMLS */ 924 if (raddr >= limit) { 925 if (rwx == 2) { 926 ppc_hash64_set_isi(cs, SRR1_PROTFAULT); 927 } else { 928 int dsisr = DSISR_PROTFAULT; 929 if (rwx == 1) { 930 dsisr |= DSISR_ISSTORE; 931 } 932 ppc_hash64_set_dsi(cs, eaddr, dsisr); 933 } 934 return 1; 935 } 936 937 raddr |= env->spr[SPR_RMOR]; 938 } 939 tlb_set_page(cs, eaddr & TARGET_PAGE_MASK, raddr & TARGET_PAGE_MASK, 940 PAGE_READ | PAGE_WRITE | PAGE_EXEC, mmu_idx, 941 TARGET_PAGE_SIZE); 942 return 0; 943 } 944 945 /* 2. Translation is on, so look up the SLB */ 946 slb = slb_lookup(cpu, eaddr); 947 if (!slb) { 948 /* No entry found, check if in-memory segment tables are in use */ 949 if (ppc64_use_proc_tbl(cpu)) { 950 /* TODO - Unsupported */ 951 error_report("Segment Table Support Unimplemented"); 952 exit(1); 953 } 954 /* Segment still not found, generate the appropriate interrupt */ 955 if (rwx == 2) { 956 cs->exception_index = POWERPC_EXCP_ISEG; 957 env->error_code = 0; 958 } else { 959 cs->exception_index = POWERPC_EXCP_DSEG; 960 env->error_code = 0; 961 env->spr[SPR_DAR] = eaddr; 962 } 963 return 1; 964 } 965 966 skip_slb_search: 967 968 /* 3. Check for segment level no-execute violation */ 969 if ((rwx == 2) && (slb->vsid & SLB_VSID_N)) { 970 ppc_hash64_set_isi(cs, SRR1_NOEXEC_GUARD); 971 return 1; 972 } 973 974 /* 4. Locate the PTE in the hash table */ 975 ptex = ppc_hash64_htab_lookup(cpu, slb, eaddr, &pte, &apshift); 976 if (ptex == -1) { 977 if (rwx == 2) { 978 ppc_hash64_set_isi(cs, SRR1_NOPTE); 979 } else { 980 int dsisr = DSISR_NOPTE; 981 if (rwx == 1) { 982 dsisr |= DSISR_ISSTORE; 983 } 984 ppc_hash64_set_dsi(cs, eaddr, dsisr); 985 } 986 return 1; 987 } 988 qemu_log_mask(CPU_LOG_MMU, 989 "found PTE at index %08" HWADDR_PRIx "\n", ptex); 990 991 /* 5. Check access permissions */ 992 993 exec_prot = ppc_hash64_pte_noexec_guard(cpu, pte); 994 pp_prot = ppc_hash64_pte_prot(cpu, slb, pte); 995 amr_prot = ppc_hash64_amr_prot(cpu, pte); 996 prot = exec_prot & pp_prot & amr_prot; 997 998 if ((need_prot[rwx] & ~prot) != 0) { 999 /* Access right violation */ 1000 qemu_log_mask(CPU_LOG_MMU, "PTE access rejected\n"); 1001 if (rwx == 2) { 1002 int srr1 = 0; 1003 if (PAGE_EXEC & ~exec_prot) { 1004 srr1 |= SRR1_NOEXEC_GUARD; /* Access violates noexec or guard */ 1005 } else if (PAGE_EXEC & ~pp_prot) { 1006 srr1 |= SRR1_PROTFAULT; /* Access violates access authority */ 1007 } 1008 if (PAGE_EXEC & ~amr_prot) { 1009 srr1 |= SRR1_IAMR; /* Access violates virt pg class key prot */ 1010 } 1011 ppc_hash64_set_isi(cs, srr1); 1012 } else { 1013 int dsisr = 0; 1014 if (need_prot[rwx] & ~pp_prot) { 1015 dsisr |= DSISR_PROTFAULT; 1016 } 1017 if (rwx == 1) { 1018 dsisr |= DSISR_ISSTORE; 1019 } 1020 if (need_prot[rwx] & ~amr_prot) { 1021 dsisr |= DSISR_AMR; 1022 } 1023 ppc_hash64_set_dsi(cs, eaddr, dsisr); 1024 } 1025 return 1; 1026 } 1027 1028 qemu_log_mask(CPU_LOG_MMU, "PTE access granted !\n"); 1029 1030 /* 6. Update PTE referenced and changed bits if necessary */ 1031 1032 if (!(pte.pte1 & HPTE64_R_R)) { 1033 ppc_hash64_set_r(cpu, ptex, pte.pte1); 1034 } 1035 if (!(pte.pte1 & HPTE64_R_C)) { 1036 if (rwx == 1) { 1037 ppc_hash64_set_c(cpu, ptex, pte.pte1); 1038 } else { 1039 /* 1040 * Treat the page as read-only for now, so that a later write 1041 * will pass through this function again to set the C bit 1042 */ 1043 prot &= ~PAGE_WRITE; 1044 } 1045 } 1046 1047 /* 7. Determine the real address from the PTE */ 1048 1049 raddr = deposit64(pte.pte1 & HPTE64_R_RPN, 0, apshift, eaddr); 1050 1051 tlb_set_page(cs, eaddr & TARGET_PAGE_MASK, raddr & TARGET_PAGE_MASK, 1052 prot, mmu_idx, 1ULL << apshift); 1053 1054 return 0; 1055 } 1056 1057 hwaddr ppc_hash64_get_phys_page_debug(PowerPCCPU *cpu, target_ulong addr) 1058 { 1059 CPUPPCState *env = &cpu->env; 1060 ppc_slb_t vrma_slbe; 1061 ppc_slb_t *slb; 1062 hwaddr ptex, raddr; 1063 ppc_hash_pte64_t pte; 1064 unsigned apshift; 1065 1066 /* Handle real mode */ 1067 if (msr_dr == 0) { 1068 /* In real mode the top 4 effective address bits are ignored */ 1069 raddr = addr & 0x0FFFFFFFFFFFFFFFULL; 1070 1071 if (cpu->vhyp) { 1072 /* 1073 * In virtual hypervisor mode, there's nothing to do: 1074 * EA == GPA == qemu guest address 1075 */ 1076 return raddr; 1077 } else if ((msr_hv || !env->has_hv_mode) && !(addr >> 63)) { 1078 /* In HV mode, add HRMOR if top EA bit is clear */ 1079 return raddr | env->spr[SPR_HRMOR]; 1080 } else if (ppc_hash64_use_vrma(env)) { 1081 /* Emulated VRMA mode */ 1082 slb = &vrma_slbe; 1083 if (build_vrma_slbe(cpu, slb) != 0) { 1084 return -1; 1085 } 1086 } else { 1087 target_ulong limit = rmls_limit(cpu); 1088 1089 /* Emulated old-style RMO mode, bounds check against RMLS */ 1090 if (raddr >= limit) { 1091 return -1; 1092 } 1093 return raddr | env->spr[SPR_RMOR]; 1094 } 1095 } else { 1096 slb = slb_lookup(cpu, addr); 1097 if (!slb) { 1098 return -1; 1099 } 1100 } 1101 1102 ptex = ppc_hash64_htab_lookup(cpu, slb, addr, &pte, &apshift); 1103 if (ptex == -1) { 1104 return -1; 1105 } 1106 1107 return deposit64(pte.pte1 & HPTE64_R_RPN, 0, apshift, addr) 1108 & TARGET_PAGE_MASK; 1109 } 1110 1111 void ppc_hash64_tlb_flush_hpte(PowerPCCPU *cpu, target_ulong ptex, 1112 target_ulong pte0, target_ulong pte1) 1113 { 1114 /* 1115 * XXX: given the fact that there are too many segments to 1116 * invalidate, and we still don't have a tlb_flush_mask(env, n, 1117 * mask) in QEMU, we just invalidate all TLBs 1118 */ 1119 cpu->env.tlb_need_flush = TLB_NEED_GLOBAL_FLUSH | TLB_NEED_LOCAL_FLUSH; 1120 } 1121 1122 void ppc_store_lpcr(PowerPCCPU *cpu, target_ulong val) 1123 { 1124 PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cpu); 1125 CPUPPCState *env = &cpu->env; 1126 1127 env->spr[SPR_LPCR] = val & pcc->lpcr_mask; 1128 } 1129 1130 void helper_store_lpcr(CPUPPCState *env, target_ulong val) 1131 { 1132 PowerPCCPU *cpu = env_archcpu(env); 1133 1134 ppc_store_lpcr(cpu, val); 1135 } 1136 1137 void ppc_hash64_init(PowerPCCPU *cpu) 1138 { 1139 CPUPPCState *env = &cpu->env; 1140 PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cpu); 1141 1142 if (!pcc->hash64_opts) { 1143 assert(!mmu_is_64bit(env->mmu_model)); 1144 return; 1145 } 1146 1147 cpu->hash64_opts = g_memdup(pcc->hash64_opts, sizeof(*cpu->hash64_opts)); 1148 } 1149 1150 void ppc_hash64_finalize(PowerPCCPU *cpu) 1151 { 1152 g_free(cpu->hash64_opts); 1153 } 1154 1155 const PPCHash64Options ppc_hash64_opts_basic = { 1156 .flags = 0, 1157 .slb_size = 64, 1158 .sps = { 1159 { .page_shift = 12, /* 4K */ 1160 .slb_enc = 0, 1161 .enc = { { .page_shift = 12, .pte_enc = 0 } } 1162 }, 1163 { .page_shift = 24, /* 16M */ 1164 .slb_enc = 0x100, 1165 .enc = { { .page_shift = 24, .pte_enc = 0 } } 1166 }, 1167 }, 1168 }; 1169 1170 const PPCHash64Options ppc_hash64_opts_POWER7 = { 1171 .flags = PPC_HASH64_1TSEG | PPC_HASH64_AMR | PPC_HASH64_CI_LARGEPAGE, 1172 .slb_size = 32, 1173 .sps = { 1174 { 1175 .page_shift = 12, /* 4K */ 1176 .slb_enc = 0, 1177 .enc = { { .page_shift = 12, .pte_enc = 0 }, 1178 { .page_shift = 16, .pte_enc = 0x7 }, 1179 { .page_shift = 24, .pte_enc = 0x38 }, }, 1180 }, 1181 { 1182 .page_shift = 16, /* 64K */ 1183 .slb_enc = SLB_VSID_64K, 1184 .enc = { { .page_shift = 16, .pte_enc = 0x1 }, 1185 { .page_shift = 24, .pte_enc = 0x8 }, }, 1186 }, 1187 { 1188 .page_shift = 24, /* 16M */ 1189 .slb_enc = SLB_VSID_16M, 1190 .enc = { { .page_shift = 24, .pte_enc = 0 }, }, 1191 }, 1192 { 1193 .page_shift = 34, /* 16G */ 1194 .slb_enc = SLB_VSID_16G, 1195 .enc = { { .page_shift = 34, .pte_enc = 0x3 }, }, 1196 }, 1197 } 1198 }; 1199 1200 void ppc_hash64_filter_pagesizes(PowerPCCPU *cpu, 1201 bool (*cb)(void *, uint32_t, uint32_t), 1202 void *opaque) 1203 { 1204 PPCHash64Options *opts = cpu->hash64_opts; 1205 int i; 1206 int n = 0; 1207 bool ci_largepage = false; 1208 1209 assert(opts); 1210 1211 n = 0; 1212 for (i = 0; i < ARRAY_SIZE(opts->sps); i++) { 1213 PPCHash64SegmentPageSizes *sps = &opts->sps[i]; 1214 int j; 1215 int m = 0; 1216 1217 assert(n <= i); 1218 1219 if (!sps->page_shift) { 1220 break; 1221 } 1222 1223 for (j = 0; j < ARRAY_SIZE(sps->enc); j++) { 1224 PPCHash64PageSize *ps = &sps->enc[j]; 1225 1226 assert(m <= j); 1227 if (!ps->page_shift) { 1228 break; 1229 } 1230 1231 if (cb(opaque, sps->page_shift, ps->page_shift)) { 1232 if (ps->page_shift >= 16) { 1233 ci_largepage = true; 1234 } 1235 sps->enc[m++] = *ps; 1236 } 1237 } 1238 1239 /* Clear rest of the row */ 1240 for (j = m; j < ARRAY_SIZE(sps->enc); j++) { 1241 memset(&sps->enc[j], 0, sizeof(sps->enc[j])); 1242 } 1243 1244 if (m) { 1245 n++; 1246 } 1247 } 1248 1249 /* Clear the rest of the table */ 1250 for (i = n; i < ARRAY_SIZE(opts->sps); i++) { 1251 memset(&opts->sps[i], 0, sizeof(opts->sps[i])); 1252 } 1253 1254 if (!ci_largepage) { 1255 opts->flags &= ~PPC_HASH64_CI_LARGEPAGE; 1256 } 1257 } 1258