From patchwork Tue Feb 20 18:03:06 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Maydell X-Patchwork-Id: 128946 Delivered-To: patches@linaro.org Received: by 10.46.124.24 with SMTP id x24csp4910129ljc; Tue, 20 Feb 2018 10:03:27 -0800 (PST) X-Google-Smtp-Source: AH8x225ZfxDUqEjZBVYvZkFIq5iApqcERxZ6RhujpI/hQn2RQk/vtONUKkZJGyhthWL0ni26nQ/a X-Received: by 10.28.71.70 with SMTP id u67mr896503wma.46.1519149807322; Tue, 20 Feb 2018 10:03:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519149807; cv=none; d=google.com; s=arc-20160816; b=lwtyYZUIYKL4Y2LRAxfTgaydlAYy1zWv8/uUXAMGf565VRrUWXpzwb5T4W2i81+Q/q /h4ATzj+p3aDv2r/IL+oy01H4AVMpkaLs6vM0f4uoYyKi4XU/Fa6tE4uK+CiucbXIG24 Jv1O1We4JgpQRkZFJ+tbH0SZynDMPQuEUvt6azwDrkiHWBNFKW7vSbMgzLXOnfYBRqTO cUJWkJYmMWDhD+5AahS5p0E9xY6wHQ5QY2lYwDrqFv1ZaK+n+0VAeA4UoyAlBKX1gNTZ xolkDcD+ualq2UOAeB+d+qKMSTHtQt7ijt3EL10X9FNniHfPjk0yUBOCAnaOKxdOEbdH mUKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:arc-authentication-results; bh=6AG7Bg/iFSc7B0hSD09az6z9dp6MUlCvaTMmtEkdIgw=; b=X3jEBchOdDXMCeEefKucEyAtNXd3fMX46HtZ5Cce8KTgHrKDvDbCX1/uHtSbvDb55R RKfo61+wrAekSTqRq0saNGdFPGRkPbN5QVTo02aZjjg5rSnEBHKE/+xxQHMbSvC56edd 4PYZLLMfM4MBZdG3tyhOLJAFFN44wQPXc2EbN5vIojZIVJur9Oab+nC0DrN/Uqb78aOD WRV/BFJUdyOaJuj5uz4AAm93XM4nI5yRwhHY2jeq7Kk2SI9VFuG1inQI6IJMGtGYfcCV vqAyx1Cnb0f5hysVZfEHz2CxqceQ0doxHVvG6Wzd3K/nTLncN/HhI6SSnyUsmSHl5jTR +Ntg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted sender) smtp.mailfrom=pm215@archaic.org.uk; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from orth.archaic.org.uk (orth.archaic.org.uk. [2001:8b0:1d0::2]) by mx.google.com with ESMTPS id v30si16043656wrc.492.2018.02.20.10.03.27 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 20 Feb 2018 10:03:27 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted sender) client-ip=2001:8b0:1d0::2; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted sender) smtp.mailfrom=pm215@archaic.org.uk; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from pm215 by orth.archaic.org.uk with local (Exim 4.89) (envelope-from ) id 1eoCGE-0008Py-8C; Tue, 20 Feb 2018 18:03:26 +0000 From: Peter Maydell To: qemu-arm@nongnu.org, qemu-devel@nongnu.org Cc: patches@linaro.org Subject: [PATCH 00/19] Add Cortex-M33 and mps2-an505 board model Date: Tue, 20 Feb 2018 18:03:06 +0000 Message-Id: <20180220180325.29818-1-peter.maydell@linaro.org> X-Mailer: git-send-email 2.16.1 MIME-Version: 1.0 This patchset enables the Cortex-M33 v8M CPU type and adds a board model for it: the AN505 FPGA image for the MPS2+ devboard. The AN505 uses and extends the "IoT Kit", which is a reference subsystem that includes the CPU and some devices, and is intended to be extended further to build a complete device. Both the IoT Kit and the FPGA use devices documented in the ARM CoreLink SIE-200 System IP for Embedded TRM. Useful documents (these are also linked in comments in the relevant source files): Board TRM: http://infocenter.arm.com/help/topic/com.arm.doc.100112_0200_06_en/versatile_express_cortex_m_prototyping_systems_v2m_mps2_and_v2m_mps2plus_technical_reference_100112_0200_06_en.pdf Application Note AN505 (documenting the FPGA image): http://infocenter.arm.com/help/topic/com.arm.doc.dai0505b/index.html ARMv8M IoT Kit FVP User Guide (ARM ECM0601256): http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ecm0601256/index.html ARM CoreLink SIE-200 System IP for Embedded TRM (DDI 0571G): https://developer.arm.com/products/architecture/m-profile/docs/ddi0571/g The most complicated thing here is the various kinds of security controller in the system, so here's a summary of them which will hopefully make the patchset easier to navigate: * Secure Attribution Unit (SAU) -- this is part of the CPU. Rather like the MPU, it provides registers that the guest can use to specify the security attributes for memory regions. The QEMU implementation is already in master. If the SAU says 'no' then a SecureFault exception is taken. * Implementation Defined Attribution Unit (IDAU) -- an implementation defined mechanism for an SoC to specify security attributes for memory. In Cortex-M33 hardware, the CPU puts the address of each memory access out on a special set of signal lines, and the SoC then has to respond with its attribute information for that address. Typically this is set up to be simple combinatorial logic; for this board, for instance the IDAU reports the inverse of address bit 28 as the NS attribute, creating a series of 256MB regions NS/S/NS/S... over the whole address space. If the IDAU attributes are more restrictive than the SAU then the IDAU overrides the SAU settings. Again, transgressions get a SecureFault. In QEMU we define a QOM interface for the IDAU which can then be implemented by the SoC or board class. In this series patch 4 has the interface definition and the CPU use of it; patch 18 has the SoC implementation of its end. * The Peripheral Protection Controller (PPC) is part of the interconnect fabric outside the CPU. It sits in front of non-TrustZone aware devices and can configurably block attempts to access them from the wrong security state or privilege mode. Blocked transactions can be configured to either cause a bus error, or to be RAZ/WI. The PPC has no register interface of its own, but is configured by setting signal lines into it. It's one of the devices in the SIE-200 TRM. * The Memory Protection Controller (MPC) is similar in purpose to the PPC but specifically for sitting in front of RAM. It allows more granular configuration of protection so that one RAM can be split between Secure and Nonsecure. The IoTKit and FPGA should have MPCs, but I have not implemented them in this patchset (it seemed big enough as it is :-)) It's also documented in the SIE-200 TRM. * The Master Security Controller (MSC) sits in front of the transaction master interface of a non-trustzone-aware device that can initiate memory transactions (DMA controllers, for instance). It allows transactions made by the device to be configurably blocked, so that a DMA controller can be given to the non-secure world but prevented from making accesses to secure-only memory. Like the PPC, it has no register interface and is configured using signal lines. It's documented in the SIE-200 TRM. I haven't implemented the MSC in this patchset. * The IoT Kit security controller is an ad-hoc collection of registers that let the guest configure various bits of the IoT Kit subsystem. It includes registers that control both the 2 PPCs in the IoT Kit and the 5 PPCs in the FPGA, and also registers to control the MSCs. The QEMU implementation is in patches 15-17 (and used in subsequent patches). Patch series structure: Patches 1..3 make the Arm -kernel loading code honour the CPU's AddressSpace -- this is necessary for this board because most of the devices and RAM don't live in address_space_system(). They've already been on-list and reviewed; included here to make the series self-contained. Patches 4 and 5 are the CPU end of the IDAU. Patches 6 and 7 allow the board/SoC code to specify the reset value of the secure Vector Table Offset Register. This is configurable for Cortex-M33 hardware, and on this board it's not zero. Patch 8 adds the CPU definition for the Cortex-M33, since we now have all the component parts. At this point the only major missing feature in our v8M emulation is the stack-limit checking; there may of course still be lurking bugs. Patches 9 and 10 are trivial bugfixes/adjustments. Patch 11 adds a qdev_init_gpio_in_named_with_opaque() function that's identical to the existing qdev_init_gpio_in_named() but allows an arbitrary opaque pointer to be passed to the irq handler function rather than it having to be the DeviceState pointer. This gets used in the IoTKit device object later. Patch 12 implements a TYPE_SPLIT_IRQ device that is a QoMified equivalent of our qemu_irq_split() function. It's more flexible because you can specify how many output lines it has, and it fits better in a QoM-style device too. (The diffstat in this cover letter seems to have decided this is a copy of or-irq with changes, but the patch itself does not represent it in that silly way.) Patch 13 implements the FPGAIO device which is a trivial bit of miscellaneous registers in the AN505 FPGA image. Patch 14 is the Peripheral Protection Controller model. Patches 15-17 implement the IoT Kit security controller; I split it into 3 pieces because it's quite a lot of code in one patch otherwise. Some of the devices in the IoT Kit are just unimplemented-device stubs for now. Patch 18 implements the IoT Kit object, which is pretty similar to an SoC container object. Finally, patch 19 provides the new board model. Most of the devices are left as unimplemented-device stubs, but all the stubs are correctly wired into the right PPCs. Incidentally, for the new devices in this patchset I've adopted the convention of having the header file include a "QEMU interface" comment that summarizes and documents all the GPIO lines, IRQs, sysbus memory regions and QOM properties that code that instantiates the device needs to know. It's a bit ad-hoc but it seems like it's worth documenting somehow... Some of the patches contain a variant on the sysbus_init_child() helper function I proposed the other day. Since that seems to have run into discussion about how best to do it I've just put some file-local functions to decrease the verbosity of the code for the moment, to avoid a dependency there. You can find a git branch with this series at https://git.linaro.org/people/peter.maydell/qemu-arm.git v8m I'm afraid I don't know of any publicly available test images for the board at the moment. thanks -- PMM Peter Maydell (19): loader: Add new load_ramdisk_as() hw/arm/boot: Honour CPU's address space for image loads hw/arm/armv7m: Honour CPU's address space for image loads target/arm: Define an IDAU interface armv7m: Forward idau property to CPU object target/arm: Define init-svtor property for the reset secure VTOR value armv7m: Forward init-svtor property to CPU object target/arm: Add Cortex-M33 hw/misc/unimp: Move struct to header file include/hw/or-irq.h: Add missing include guard qdev: Add new qdev_init_gpio_in_named_with_opaque() hw/core/split-irq: Device that splits IRQ lines hw/misc/mps2-fpgaio: FPGA control block for MPS2 AN505 hw/misc/tz-ppc: Model TrustZone peripheral protection controller hw/misc/iotkit-secctl: Arm IoT Kit security controller initial skeleton hw/misc/iotkit-secctl: Add handling for PPCs hw/misc/iotkit-secctl: Add remaining simple registers hw/arm/iotkit: Model Arm IOT Kit mps2-an505: New board model: MPS2 with AN505 Cortex-M33 FPGA image hw/arm/Makefile.objs | 2 + hw/core/Makefile.objs | 1 + hw/misc/Makefile.objs | 4 + include/hw/arm/armv7m.h | 5 + include/hw/arm/iotkit.h | 109 +++++ include/hw/{or-irq.h => core/split-irq.h} | 32 +- include/hw/irq.h | 4 +- include/hw/loader.h | 12 +- include/hw/misc/iotkit-secctl.h | 103 +++++ include/hw/misc/mps2-fpgaio.h | 43 ++ include/hw/misc/tz-ppc.h | 101 +++++ include/hw/misc/unimp.h | 10 + include/hw/or-irq.h | 5 + include/hw/qdev-core.h | 30 +- target/arm/cpu.h | 6 + target/arm/idau.h | 61 +++ hw/arm/armv7m.c | 30 +- hw/arm/boot.c | 119 +++-- hw/arm/iotkit.c | 598 +++++++++++++++++++++++++ hw/arm/mps2-tz.c | 504 +++++++++++++++++++++ hw/core/loader.c | 8 +- hw/core/qdev.c | 8 +- hw/core/split-irq.c | 89 ++++ hw/misc/iotkit-secctl.c | 706 ++++++++++++++++++++++++++++++ hw/misc/mps2-fpgaio.c | 176 ++++++++ hw/misc/tz-ppc.c | 302 +++++++++++++ hw/misc/unimp.c | 10 - target/arm/cpu.c | 64 ++- target/arm/helper.c | 28 +- default-configs/arm-softmmu.mak | 5 + hw/misc/trace-events | 24 + 31 files changed, 3119 insertions(+), 80 deletions(-) create mode 100644 include/hw/arm/iotkit.h copy include/hw/{or-irq.h => core/split-irq.h} (63%) create mode 100644 include/hw/misc/iotkit-secctl.h create mode 100644 include/hw/misc/mps2-fpgaio.h create mode 100644 include/hw/misc/tz-ppc.h create mode 100644 target/arm/idau.h create mode 100644 hw/arm/iotkit.c create mode 100644 hw/arm/mps2-tz.c create mode 100644 hw/core/split-irq.c create mode 100644 hw/misc/iotkit-secctl.c create mode 100644 hw/misc/mps2-fpgaio.c create mode 100644 hw/misc/tz-ppc.c -- 2.16.1