[v3,3/6] target-arm: add hvc and smc exception emulation handling infrastructure

From: Rob Herring <rob.herring@linaro.org>

Add the infrastructure to handle and emulate hvc and smc exceptions.
This will enable emulation of things such as PSCI calls. This commit
does not change the behavior and will exit with unknown exception.

Signed-off-by: Rob Herring <rob.herring@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 target-arm/cpu-qom.h       |  3 +++
 target-arm/cpu.h           |  2 ++
 target-arm/helper-a64.c    | 16 ++++++++++++++++
 target-arm/helper.c        | 23 +++++++++++++++++++++++
 target-arm/internals.h     | 20 ++++++++++++++++++++
 target-arm/translate-a64.c | 26 +++++++++++++++++---------
 target-arm/translate.c     | 24 +++++++++++++++++-------
 7 files changed, 98 insertions(+), 16 deletions(-)

On 5 September 2014 13:24, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> From: Rob Herring <rob.herring@linaro.org>
>
> Add the infrastructure to handle and emulate hvc and smc exceptions.
> This will enable emulation of things such as PSCI calls. This commit
> does not change the behavior and will exit with unknown exception.

This generally looks ok except that it has nasty interactions
with singlestep debug. For SVC, HVC and SMC instructions that
do something, we want to advance the singlestep state machine
using gen_ss_advance(), so that singlestep of one of these
insns works correctly. For UNDEF instruction patterns we don't
want to advance the state machine, so that we don't treat the
insn we didn't execute like we single-stepped it. Unfortunately
this patch means that SMC and HVC are now "sometimes this
does something but sometimes we act like it UNDEFed"...

This is my suggestion for the best compromise between
"theoretical perfect fidelity to the architecture" and
"not too painful to implement":
at translate time, do:

  if (psci enabled via HVC || EL2 implemented) {
      gen_ss_advance(s);
      gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16));
  } else {
      unallocated_encoding();
  }
and ditto for SMC.

Then in the exception handler have the same code as
now (with fall through to UNDEF if PSCI doesn't
recognise the op). That corresponds to "EL3 firmware
implements PSCI and handles unrecognised ops by
feeding the guest an UNDEF", which nobody would
expect to singlestep cleanly either.

> --- a/target-arm/translate.c
> +++ b/target-arm/translate.c
> @@ -7871,9 +7871,14 @@ static void disas_arm_insn(CPUARMState * env, DisasContext *s)
>          case 7:
>          {
>              int imm16 = extract32(insn, 0, 4) | (extract32(insn, 8, 12) << 4);
> -            /* SMC instruction (op1 == 3)
> -               and undefined instructions (op1 == 0 || op1 == 2)
> -               will trap */
> +            /* HVC and SMC instructions */
> +            if (op1 == 2) {
> +                gen_exception_insn(s, 0, EXCP_HVC, syn_aa32_hvc(imm16));
> +                break;
> +            } else if (op1 == 3) {
> +                gen_exception_insn(s, 0, EXCP_SMC, syn_aa32_smc());
> +                break;
> +            }
>              if (op1 != 1) {
>                  goto illegal_op;
>              }
> @@ -9709,10 +9714,15 @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
>                      goto illegal_op;
>
>                  if (insn & (1 << 26)) {
> -                    /* Secure monitor call (v6Z) */
> -                    qemu_log_mask(LOG_UNIMP,
> -                                  "arm: unimplemented secure monitor call\n");
> -                    goto illegal_op; /* not implemented.  */
> +                    if (!(insn & (1 << 20))) {
> +                        /* Hypervisor call (v7) */
> +                        uint32_t imm16 = extract32(insn, 16, 4) << 12;
> +                        imm16 |= extract32(insn, 0, 12);
> +                        gen_exception_insn(s, 0, EXCP_HVC, syn_aa32_hvc(imm16));
> +                    } else {
> +                        /* Secure monitor call (v6+) */
> +                        gen_exception_insn(s, 0, EXCP_SMC, syn_aa32_smc());
> +                    }
>                  } else {
>                      op = (insn >> 20) & 7;
>                      switch (op) {

I'm pretty sure you can't do the A32/T32 HVC/SMC
like this, because of oddball cases like SMC in
an IT block. Look at the way we handle SWI by
setting s->is_jmp and then doing the actual
gen_exception() work in the tail end of the
main loop. (It might be possible to do HVC
the way you have it since HVC in an IT block
is UNPREDICTABLE, but let's do it all the same
way...)

thanks
-- PMM

On 9 September 2014 19:45, Peter Maydell <peter.maydell@linaro.org> wrote:
> On 5 September 2014 13:24, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>> From: Rob Herring <rob.herring@linaro.org>
>>
>> Add the infrastructure to handle and emulate hvc and smc exceptions.
>> This will enable emulation of things such as PSCI calls. This commit
>> does not change the behavior and will exit with unknown exception.
>
> This generally looks ok except that it has nasty interactions
> with singlestep debug. For SVC, HVC and SMC instructions that
> do something, we want to advance the singlestep state machine
> using gen_ss_advance(), so that singlestep of one of these
> insns works correctly. For UNDEF instruction patterns we don't
> want to advance the state machine, so that we don't treat the
> insn we didn't execute like we single-stepped it. Unfortunately
> this patch means that SMC and HVC are now "sometimes this
> does something but sometimes we act like it UNDEFed"...
>
> This is my suggestion for the best compromise between
> "theoretical perfect fidelity to the architecture" and
> "not too painful to implement":
> at translate time, do:
>
>   if (psci enabled via HVC || EL2 implemented) {
>       gen_ss_advance(s);
>       gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16));
>   } else {
>       unallocated_encoding();
>   }
> and ditto for SMC.
>

OK, so does that mean I need to add fields to DisasContext for these
functions to inspect at the translation stage, and copy the
PSCI_METHOD_[SVC|HVC|NONE] values in it?
Or is there another way to get at that information at that stage?

> Then in the exception handler have the same code as
> now (with fall through to UNDEF if PSCI doesn't
> recognise the op). That corresponds to "EL3 firmware
> implements PSCI and handles unrecognised ops by
> feeding the guest an UNDEF", which nobody would
> expect to singlestep cleanly either.
>

ok

>> --- a/target-arm/translate.c
>> +++ b/target-arm/translate.c
>> @@ -7871,9 +7871,14 @@ static void disas_arm_insn(CPUARMState * env, DisasContext *s)
>>          case 7:
>>          {
>>              int imm16 = extract32(insn, 0, 4) | (extract32(insn, 8, 12) << 4);
>> -            /* SMC instruction (op1 == 3)
>> -               and undefined instructions (op1 == 0 || op1 == 2)
>> -               will trap */
>> +            /* HVC and SMC instructions */
>> +            if (op1 == 2) {
>> +                gen_exception_insn(s, 0, EXCP_HVC, syn_aa32_hvc(imm16));
>> +                break;
>> +            } else if (op1 == 3) {
>> +                gen_exception_insn(s, 0, EXCP_SMC, syn_aa32_smc());
>> +                break;
>> +            }
>>              if (op1 != 1) {
>>                  goto illegal_op;
>>              }
>> @@ -9709,10 +9714,15 @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
>>                      goto illegal_op;
>>
>>                  if (insn & (1 << 26)) {
>> -                    /* Secure monitor call (v6Z) */
>> -                    qemu_log_mask(LOG_UNIMP,
>> -                                  "arm: unimplemented secure monitor call\n");
>> -                    goto illegal_op; /* not implemented.  */
>> +                    if (!(insn & (1 << 20))) {
>> +                        /* Hypervisor call (v7) */
>> +                        uint32_t imm16 = extract32(insn, 16, 4) << 12;
>> +                        imm16 |= extract32(insn, 0, 12);
>> +                        gen_exception_insn(s, 0, EXCP_HVC, syn_aa32_hvc(imm16));
>> +                    } else {
>> +                        /* Secure monitor call (v6+) */
>> +                        gen_exception_insn(s, 0, EXCP_SMC, syn_aa32_smc());
>> +                    }
>>                  } else {
>>                      op = (insn >> 20) & 7;
>>                      switch (op) {
>
> I'm pretty sure you can't do the A32/T32 HVC/SMC
> like this, because of oddball cases like SMC in
> an IT block. Look at the way we handle SWI by
> setting s->is_jmp and then doing the actual
> gen_exception() work in the tail end of the
> main loop. (It might be possible to do HVC
> the way you have it since HVC in an IT block
> is UNPREDICTABLE, but let's do it all the same
> way...)
>

Yeah, makes sense. I will also add ARCH(6K) and ARCH(7) checks, for
SMC and HVC respectively.
(I don't suppose there is any point in adding TZ and VIRT feature bits
for this atm)

On 9 September 2014 22:51, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> On 9 September 2014 19:45, Peter Maydell <peter.maydell@linaro.org> wrote:
>> This is my suggestion for the best compromise between
>> "theoretical perfect fidelity to the architecture" and
>> "not too painful to implement":
>> at translate time, do:
>>
>>   if (psci enabled via HVC || EL2 implemented) {
>>       gen_ss_advance(s);
>>       gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16));
>>   } else {
>>       unallocated_encoding();
>>   }
>> and ditto for SMC.
>>
>
> OK, so does that mean I need to add fields to DisasContext for these
> functions to inspect at the translation stage, and copy the
> PSCI_METHOD_[SVC|HVC|NONE] values in it?

You only need one field in DisasContext, but yes.
(The idea of DisasContext and not giving most of translate-a64.c
access to the CPU object is that it makes it hard to accidentally
access stuff in the CPU object that's not valid to depend on at
translate time, because it's an easy to spot and easy to review
change if something new gets added. PSCI method type is
OK because it's constant for the life of the simulation.)

> Yeah, makes sense. I will also add ARCH(6K) and ARCH(7) checks, for
> SMC and HVC respectively.
> (I don't suppose there is any point in adding TZ and VIRT feature bits
> for this atm)

We already have ARM_FEATURE_EL2 and ARM_FEATURE_EL3,
actually. You should probably look at Edgar's patchset on list which
adds proper SMC/HVC support -- that has failed review on a
few of the early patches but the middle of the set includes
some which also change this area:
http://lists.gnu.org/archive/html/qemu-devel/2014-08/msg02865.html
http://lists.gnu.org/archive/html/qemu-devel/2014-08/msg02866.html
I don't want this patchset to depend on that one but you
might find the shape of the code useful. (It doesn't do anything
in the 32 bit code, though.)

thanks
-- PMM

On 9 September 2014 23:59, Peter Maydell <peter.maydell@linaro.org> wrote:
> On 9 September 2014 22:51, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>> On 9 September 2014 19:45, Peter Maydell <peter.maydell@linaro.org> wrote:
>>> This is my suggestion for the best compromise between
>>> "theoretical perfect fidelity to the architecture" and
>>> "not too painful to implement":
>>> at translate time, do:
>>>
>>>   if (psci enabled via HVC || EL2 implemented) {
>>>       gen_ss_advance(s);
>>>       gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16));
>>>   } else {
>>>       unallocated_encoding();
>>>   }
>>> and ditto for SMC.
>>>
>>
>> OK, so does that mean I need to add fields to DisasContext for these
>> functions to inspect at the translation stage, and copy the
>> PSCI_METHOD_[SVC|HVC|NONE] values in it?
>
> You only need one field in DisasContext, but yes.
> (The idea of DisasContext and not giving most of translate-a64.c
> access to the CPU object is that it makes it hard to accidentally
> access stuff in the CPU object that's not valid to depend on at
> translate time, because it's an easy to spot and easy to review
> change if something new gets added. PSCI method type is
> OK because it's constant for the life of the simulation.)
>

OK

>> Yeah, makes sense. I will also add ARCH(6K) and ARCH(7) checks, for
>> SMC and HVC respectively.
>> (I don't suppose there is any point in adding TZ and VIRT feature bits
>> for this atm)
>
> We already have ARM_FEATURE_EL2 and ARM_FEATURE_EL3,
> actually. You should probably look at Edgar's patchset on list which
> adds proper SMC/HVC support -- that has failed review on a
> few of the early patches but the middle of the set includes
> some which also change this area:
> http://lists.gnu.org/archive/html/qemu-devel/2014-08/msg02865.html
> http://lists.gnu.org/archive/html/qemu-devel/2014-08/msg02866.html
> I don't want this patchset to depend on that one but you
> might find the shape of the code useful. (It doesn't do anything
> in the 32 bit code, though.)
>

I had a peek, and there is indeed substantial overlap, but not in an
incompatible way afaict
Setting ARM_FEATURE_EL[2|3] and then only emulate some HVC/SMC calls
under some circumstances is probably not the right way to go.
In fact, I think they are mutually exclusive, i.e., it probably makes
little sense to fully emulate EL2 /and/ use the HVC conduit for PSCI
at the same time.

We also have v4 of the TZ patches which do provide 32-bit EL3 support, but
not EL2.  Maybe good to align with this code as well.

http://lists.gnu.org/archive/html/qemu-devel/2014-06/msg07347.html


On 9 September 2014 16:59, Peter Maydell <peter.maydell@linaro.org> wrote:

> On 9 September 2014 22:51, Ard Biesheuvel <ard.biesheuvel@linaro.org>
> wrote:
> > On 9 September 2014 19:45, Peter Maydell <peter.maydell@linaro.org>
> wrote:
> >> This is my suggestion for the best compromise between
> >> "theoretical perfect fidelity to the architecture" and
> >> "not too painful to implement":
> >> at translate time, do:
> >>
> >>   if (psci enabled via HVC || EL2 implemented) {
> >>       gen_ss_advance(s);
> >>       gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16));
> >>   } else {
> >>       unallocated_encoding();
> >>   }
> >> and ditto for SMC.
> >>
> >
> > OK, so does that mean I need to add fields to DisasContext for these
> > functions to inspect at the translation stage, and copy the
> > PSCI_METHOD_[SVC|HVC|NONE] values in it?
>
> You only need one field in DisasContext, but yes.
> (The idea of DisasContext and not giving most of translate-a64.c
> access to the CPU object is that it makes it hard to accidentally
> access stuff in the CPU object that's not valid to depend on at
> translate time, because it's an easy to spot and easy to review
> change if something new gets added. PSCI method type is
> OK because it's constant for the life of the simulation.)
>
> > Yeah, makes sense. I will also add ARCH(6K) and ARCH(7) checks, for
> > SMC and HVC respectively.
> > (I don't suppose there is any point in adding TZ and VIRT feature bits
> > for this atm)
>
> We already have ARM_FEATURE_EL2 and ARM_FEATURE_EL3,
> actually. You should probably look at Edgar's patchset on list which
> adds proper SMC/HVC support -- that has failed review on a
> few of the early patches but the middle of the set includes
> some which also change this area:
> http://lists.gnu.org/archive/html/qemu-devel/2014-08/msg02865.html
> http://lists.gnu.org/archive/html/qemu-devel/2014-08/msg02866.html
> I don't want this patchset to depend on that one but you
> might find the shape of the code useful. (It doesn't do anything
> in the 32 bit code, though.)
>
> thanks
> -- PMM
>
>

On 10 September 2014 17:42, Greg Bellows <greg.bellows@linaro.org> wrote:
> We also have v4 of the TZ patches which do provide 32-bit EL3 support, but
> not EL2.  Maybe good to align with this code as well.
>
> http://lists.gnu.org/archive/html/qemu-devel/2014-06/msg07347.html
>

As far as I can tell, there is very little overlap, only patch 8/33
contains some stuff that we added as well.
I expect PSCI handling and emulation of hvc and/or smc to be mutually
exclusive, nothing we won't be able to handle with a couple of
conditionals.

My apologies for not aligning with you beforehand, I just adopted some
patches from Rob that I needed for reset and poweroff under UEFI, and
I had no idea there was so much in flight already.

On 10 September 2014 17:13, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> As far as I can tell, there is very little overlap, only patch 8/33
> contains some stuff that we added as well.
> I expect PSCI handling and emulation of hvc and/or smc to be mutually
> exclusive, nothing we won't be able to handle with a couple of
> conditionals.

Agreed.

> My apologies for not aligning with you beforehand, I just adopted some
> patches from Rob that I needed for reset and poweroff under UEFI, and
> I had no idea there was so much in flight already.

The other stuff needs to come together into something coherent
anyway; I expect your changes to land first.

-- PMM

No problem, just wanted to point it out in case it helps.

Greg

On 10 September 2014 11:13, Ard Biesheuvel <ard.biesheuvel@linaro.org>
wrote:

> On 10 September 2014 17:42, Greg Bellows <greg.bellows@linaro.org> wrote:
> > We also have v4 of the TZ patches which do provide 32-bit EL3 support,
> but
> > not EL2.  Maybe good to align with this code as well.
> >
> > http://lists.gnu.org/archive/html/qemu-devel/2014-06/msg07347.html
> >
>
> As far as I can tell, there is very little overlap, only patch 8/33
> contains some stuff that we added as well.
> I expect PSCI handling and emulation of hvc and/or smc to be mutually
> exclusive, nothing we won't be able to handle with a couple of
> conditionals.
>
> My apologies for not aligning with you beforehand, I just adopted some
> patches from Rob that I needed for reset and poweroff under UEFI, and
> I had no idea there was so much in flight already.
>
> --
> Ard.
>
> >
> > On 9 September 2014 16:59, Peter Maydell <peter.maydell@linaro.org>
> wrote:
> >>
> >> On 9 September 2014 22:51, Ard Biesheuvel <ard.biesheuvel@linaro.org>
> >> wrote:
> >> > On 9 September 2014 19:45, Peter Maydell <peter.maydell@linaro.org>
> >> > wrote:
> >> >> This is my suggestion for the best compromise between
> >> >> "theoretical perfect fidelity to the architecture" and
> >> >> "not too painful to implement":
> >> >> at translate time, do:
> >> >>
> >> >>   if (psci enabled via HVC || EL2 implemented) {
> >> >>       gen_ss_advance(s);
> >> >>       gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16));
> >> >>   } else {
> >> >>       unallocated_encoding();
> >> >>   }
> >> >> and ditto for SMC.
> >> >>
> >> >
> >> > OK, so does that mean I need to add fields to DisasContext for these
> >> > functions to inspect at the translation stage, and copy the
> >> > PSCI_METHOD_[SVC|HVC|NONE] values in it?
> >>
> >> You only need one field in DisasContext, but yes.
> >> (The idea of DisasContext and not giving most of translate-a64.c
> >> access to the CPU object is that it makes it hard to accidentally
> >> access stuff in the CPU object that's not valid to depend on at
> >> translate time, because it's an easy to spot and easy to review
> >> change if something new gets added. PSCI method type is
> >> OK because it's constant for the life of the simulation.)
> >>
> >> > Yeah, makes sense. I will also add ARCH(6K) and ARCH(7) checks, for
> >> > SMC and HVC respectively.
> >> > (I don't suppose there is any point in adding TZ and VIRT feature bits
> >> > for this atm)
> >>
> >> We already have ARM_FEATURE_EL2 and ARM_FEATURE_EL3,
> >> actually. You should probably look at Edgar's patchset on list which
> >> adds proper SMC/HVC support -- that has failed review on a
> >> few of the early patches but the middle of the set includes
> >> some which also change this area:
> >> http://lists.gnu.org/archive/html/qemu-devel/2014-08/msg02865.html
> >> http://lists.gnu.org/archive/html/qemu-devel/2014-08/msg02866.html
> >> I don't want this patchset to depend on that one but you
> >> might find the shape of the code useful. (It doesn't do anything
> >> in the 32 bit code, though.)
> >>
> >> thanks
> >> -- PMM
> >>
> >
>