From patchwork Mon Apr 8 15:23:45 2024
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 786919
From: Peter Maydell
To: qemu-devel@nongnu.org
Subject: [PULL 1/2] target/arm: Fix CNTPOFF_EL2 trap to missing EL3
Date: Mon, 8 Apr 2024 16:23:45 +0100
Message-Id: <20240408152346.3937318-2-peter.maydell@linaro.org>
In-Reply-To: <20240408152346.3937318-1-peter.maydell@linaro.org>
References: <20240408152346.3937318-1-peter.maydell@linaro.org>

From: Pierre-Clément Tosi

EL2 accesses to CNTPOFF_EL2 should only ever trap to EL3 if EL3 is present, as described by the reference manual (for MRS):

    /* ... */
    elsif PSTATE.EL == EL2 then
        if Halted() && HaveEL(EL3) && /*...*/ then
            UNDEFINED;
        elsif HaveEL(EL3) && SCR_EL3.ECVEn == '0' then
            /* ... */
        else
            X[t, 64] = CNTPOFF_EL2;

However, the existing implementation of gt_cntpoff_access() always returns CP_ACCESS_TRAP_EL3 for EL2 accesses with SCR_EL3.ECVEn unset. In pseudo-code terminology, this corresponds to assuming that HaveEL(EL3) is always true, which is wrong. As a result, QEMU panics in access_check_cp_reg() when started without EL3 and running EL2 code accessing the register (e.g. any recent KVM booting a guest).

Therefore, add the HaveEL(EL3) check to gt_cntpoff_access().

Fixes: 2808d3b38a52 ("target/arm: Implement FEAT_ECV CNTPOFF_EL2 handling")
Signed-off-by: Pierre-Clément Tosi
Message-id: m3al6amhdkmsiy2f62w72ufth6dzn45xg5cz6xljceyibphnf4@ezmmpwk4tnhl
Reviewed-by: Peter Maydell
Signed-off-by: Peter Maydell
---
 target/arm/helper.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 3f3a5b55d4a..13ad90cac1e 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -3452,7 +3452,8 @@ static CPAccessResult gt_cntpoff_access(CPUARMState *env, const ARMCPRegInfo *ri, bool isread) { - if (arm_current_el(env) == 2 && !(env->cp15.scr_el3 & SCR_ECVEN)) { + if (arm_current_el(env) == 2 && arm_feature(env, ARM_FEATURE_EL3) && + !(env->cp15.scr_el3 & SCR_ECVEN)) { return CP_ACCESS_TRAP_EL3; } return CP_ACCESS_OK;
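Review bot: the new `arm_feature(env, ARM_FEATURE_EL3)` test sits before the `env->cp15.scr_el3` read in the condition, which is the right order: when EL3 is not implemented SCR_EL3 has no architectural value, so nothing should key off its bits, and the EL2 access now falls through to `CP_ACCESS_OK`, matching the final `else` arm of the pseudocode quoted in the commit message. Two follow-ups worth considering: the pseudocode's `Halted() && HaveEL(EL3)` UNDEFINED arm is still not modelled here (fine if debug halt state is out of scope, but a one-line comment saying so would stop the next reader from re-deriving it), and since the failure mode was a panic in access_check_cp_reg() on a trap routed to a nonexistent EL, a TCG test that runs EL2 code with EL3 disabled and reads CNTPOFF_EL2 would catch the same class of mistake in any other access check that consults SCR_ECVEN.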
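To make the point of this fix concrete, here is an added C model, written for this page and not QEMU code or part of the patch: the quoted MRS pseudocode as the reference, the pre-fix and post-fix forms of the EL2 check from the hunk above, and an exhaustive comparison over EL3 present/absent and both values of SCR_EL3.ECVEn. The CpuModel struct, the function names and the result enum are this example's assumptions; the ECVEn bit position (bit 28) is taken from the Arm ARM, and the Halted() branch is left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not QEMU code. SCR_EL3.ECVEn is bit 28 in the Arm ARM;
 * only the EL2 path shown in the hunk is modelled. */
#define SCR_ECVEN (1ULL << 28)

typedef enum { ACCESS_OK, ACCESS_TRAP_EL3 } AccessResult;

typedef struct {
    int current_el;    /* PSTATE.EL */
    bool have_el3;     /* HaveEL(EL3): is EL3 implemented on this CPU? */
    uint64_t scr_el3;  /* architecturally meaningless when !have_el3 */
} CpuModel;

/* Reference behaviour: the MRS CNTPOFF_EL2 pseudocode quoted in the commit
 * message, with the Halted() (debug state) branch omitted. */
static AccessResult reference_check(const CpuModel *c)
{
    if (c->current_el == 2 && c->have_el3 && !(c->scr_el3 & SCR_ECVEN)) {
        return ACCESS_TRAP_EL3;   /* elsif HaveEL(EL3) && SCR_EL3.ECVEn == '0' */
    }
    return ACCESS_OK;             /* else X[t, 64] = CNTPOFF_EL2 */
}

/* gt_cntpoff_access() as it was before the fix: HaveEL(EL3) is assumed. */
static AccessResult before_fix(const CpuModel *c)
{
    if (c->current_el == 2 && !(c->scr_el3 & SCR_ECVEN)) {
        return ACCESS_TRAP_EL3;
    }
    return ACCESS_OK;
}

/* After the fix: EL3 presence is tested before SCR_EL3 is consulted. */
static AccessResult after_fix(const CpuModel *c)
{
    if (c->current_el == 2 && c->have_el3 && !(c->scr_el3 & SCR_ECVEN)) {
        return ACCESS_TRAP_EL3;
    }
    return ACCESS_OK;
}

/* A trap can only be routed to an EL that exists. This is the invariant the
 * commit message says access_check_cp_reg() panics on when it is broken. */
static bool trap_target_exists(AccessResult r, const CpuModel *c)
{
    return r != ACCESS_TRAP_EL3 || c->have_el3;
}

/* Compare an implementation with the reference for EL2 accesses over every
 * combination of EL3 presence and ECVEn. Both ECVEn values are tried even when
 * EL3 is absent, to model whatever stale value the field might hold.
 * Returns the number of states where the implementation is wrong. */
static int count_divergences(AccessResult (*impl)(const CpuModel *))
{
    int divergent = 0;
    for (int have_el3 = 0; have_el3 <= 1; have_el3++) {
        for (int ecven = 0; ecven <= 1; ecven++) {
            CpuModel c = {
                .current_el = 2,
                .have_el3 = have_el3 != 0,
                .scr_el3 = ecven ? SCR_ECVEN : 0,
            };
            AccessResult got = impl(&c);
            if (got != reference_check(&c) || !trap_target_exists(got, &c)) {
                divergent++;
            }
        }
    }
    return divergent;
}

int main(void)
{
    CpuModel no_el3 = { .current_el = 2, .have_el3 = false, .scr_el3 = 0 };
    printf("no EL3, ECVEn=0: before=%d after=%d (0=OK, 1=TRAP_EL3)\n",
           before_fix(&no_el3), after_fix(&no_el3));
    printf("divergent states: before=%d after=%d\n",
           count_divergences(before_fix), count_divergences(after_fix));
    return 0;
}
```

The single divergent state for the old code is the one the commit message describes: no EL3, ECVEn clear, EL2 reading the register. The old check produces a trap to an EL that does not exist, which is why the consistency check in access_check_cp_reg() turned a wrong trap into a panic rather than letting the guest silently enter a nonexistent EL.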
From: Peter Maydell
To: qemu-devel@nongnu.org
Subject: [PULL 2/2] target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3
Date: Mon, 8 Apr 2024 16:23:46 +0100
Message-Id: <20240408152346.3937318-3-peter.maydell@linaro.org>
In-Reply-To: <20240408152346.3937318-1-peter.maydell@linaro.org>
References: <20240408152346.3937318-1-peter.maydell@linaro.org>

When we do an AT address translation operation, the page table walk is supposed to be performed in the context of the EL we're doing the walk for, so for instance an AT S1E2R walk is done for EL2. In the pseudocode an EL is passed to AArch64.AT(), which calls SecurityStateAtEL() to find the security state that we should be doing the walk with.

In ats_write64() we get this wrong, instead using the current security space always. This is fine for AT operations performed from EL1 and EL2, because there the current security state and the security state for the lower EL are the same. But for AT operations performed from EL3, the current security state is always either Secure or Root, whereas we want to use the security state defined by SCR_EL3.{NS,NSE} for the walk.
This affects not just guests using FEAT_RME but also ones where EL3 is Secure state and the EL3 code is trying to do an AT for a NonSecure EL2 or EL1.

Use arm_security_space_below_el3() to get the SecuritySpace to pass to do_ats_write() for all AT operations except the AT S1E3* operations.

Cc: qemu-stable@nongnu.org
Fixes: e1ee56ec2383 ("target/arm: Pass security space rather than flag for AT instructions")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2250
Signed-off-by: Peter Maydell
Reviewed-by: Richard Henderson
Message-id: 20240405180232.3570066-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 13ad90cac1e..a620481d7cf 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -3879,6 +3879,8 @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri, ARMMMUIdx mmu_idx; uint64_t hcr_el2 = arm_hcr_el2_eff(env); bool regime_e20 = (hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE); + bool for_el3 = false; + ARMSecuritySpace ss; switch (ri->opc2 & 6) { case 0: @@ -3896,6 +3898,7 @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri, break; case 6: /* AT S1E3R, AT S1E3W */ mmu_idx = ARMMMUIdx_E3; + for_el3 = true; break; default: g_assert_not_reached(); @@ -3914,8 +3917,8 @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri, g_assert_not_reached(); } - env->cp15.par_el[1] = do_ats_write(env, value, access_type, - mmu_idx, arm_security_space(env)); + ss = for_el3 ? arm_security_space(env) : arm_security_space_below_el3(env); + env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx, ss); #else /* Handled by hardware accelerator. */ g_assert_not_reached();
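Review bot: in the first two hunks the new `for_el3` flag duplicates information the switch already records, since the only arm that sets it is `case 6:`, where `mmu_idx = ARMMMUIdx_E3;` is assigned on the preceding line. Testing `mmu_idx == ARMMMUIdx_E3` at the call site would drop two of the added lines and keep the decision tied to the translation regime rather than to a second variable that has to stay in sync if another case ever selects E3; if the flag is kept for readability, a short comment at its declaration saying it marks the S1E3* ops would help.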
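Review bot: the selection in the last hunk, `ss = for_el3 ? arm_security_space(env) : arm_security_space_below_el3(env);`, is consistent with the commit message: for S1E1*/S1E2* ops executed at EL1 or EL2 the space below EL3 is the current space, so only walks issued from EL3 change behaviour, which is exactly the case described (Secure EL3 with SCR_EL3.NS=1 asking for a NonSecure EL1/EL2 walk, or Root EL3 with SCR_EL3.{NS,NSE} selecting Realm). Since the Cc to qemu-stable makes this a backport candidate, a TCG regression test that performs AT S1E1R from EL3 with SCR_EL3.NS set and checks PAR_EL1 against a known NonSecure mapping would pin the fix down.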
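As an added illustration (example code written for this page, not QEMU's implementation), the following C model reproduces the space selection the commit message describes: a current_space() that is Root or Secure at EL3, a space_below_el3() driven by SCR_EL3.{NSE,NS}, and the pre-fix and post-fix choice for a non-S1E3 AT op. CpuModel, the function names, the SS_* enum and the handling of the reserved NSE:NS=10 encoding are assumptions of the example; the NS (bit 0) and NSE (bit 62) positions are from the Arm ARM, and EL3 is assumed to be implemented throughout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not QEMU code. Bit positions from the Arm ARM:
 * SCR_EL3.NS is bit 0, SCR_EL3.NSE is bit 62. EL3 is assumed implemented. */
#define SCR_NS  (1ULL << 0)
#define SCR_NSE (1ULL << 62)

typedef enum { SS_SECURE, SS_NONSECURE, SS_ROOT, SS_REALM, SS_RESERVED } SecuritySpace;

typedef struct {
    int current_el;    /* 1, 2 or 3 */
    bool have_rme;     /* FEAT_RME implemented: Root and Realm spaces exist */
    uint64_t scr_el3;
} CpuModel;

/* Security space of the ELs below EL3, chosen by SCR_EL3.{NSE,NS}:
 * NSE:NS = 00 Secure, 01 Non-secure, 11 Realm, 10 reserved. Without RME the
 * NSE bit is RES0 and NS alone decides. */
static SecuritySpace space_below_el3(const CpuModel *c)
{
    bool ns = (c->scr_el3 & SCR_NS) != 0;
    bool nse = c->have_rme && (c->scr_el3 & SCR_NSE) != 0;
    if (!nse) {
        return ns ? SS_NONSECURE : SS_SECURE;
    }
    return ns ? SS_REALM : SS_RESERVED;
}

/* Security space the PE is executing in right now. At EL3 that is Root
 * (with RME) or Secure (without), whatever SCR_EL3 says. */
static SecuritySpace current_space(const CpuModel *c)
{
    if (c->current_el == 3) {
        return c->have_rme ? SS_ROOT : SS_SECURE;
    }
    return space_below_el3(c);
}

/* ats_write64() before the fix: the walk always used the current space. */
static SecuritySpace at_space_before(const CpuModel *c, bool for_el3)
{
    (void)for_el3;
    return current_space(c);
}

/* After the fix: AT S1E3* walks use the current space; every other AT op
 * walks in the space of the EL it is performed for. */
static SecuritySpace at_space_after(const CpuModel *c, bool for_el3)
{
    return for_el3 ? current_space(c) : space_below_el3(c);
}

/* Count how many (RME, SCR_EL3.{NSE,NS}) settings make a non-S1E3 AT op
 * executed at the given EL pick a different space before and after the fix. */
static int count_changed_walks(int el)
{
    int changed = 0;
    for (int rme = 0; rme <= 1; rme++) {
        for (uint64_t scr = 0; scr < 4; scr++) {
            CpuModel c = {
                .current_el = el,
                .have_rme = rme != 0,
                .scr_el3 = ((scr & 1) ? SCR_NS : 0) | ((scr & 2) ? SCR_NSE : 0),
            };
            if (at_space_before(&c, false) != at_space_after(&c, false)) {
                changed++;
            }
        }
    }
    return changed;
}

int main(void)
{
    /* The case from the commit message: Secure EL3 (no RME) with
     * SCR_EL3.NS=1 doing an AT for a NonSecure EL1. */
    CpuModel c = { .current_el = 3, .have_rme = false, .scr_el3 = SCR_NS };
    printf("EL3 AT S1E1R, NS=1: before=%d after=%d (0=Secure, 1=Non-secure)\n",
           at_space_before(&c, false), at_space_after(&c, false));
    for (int el = 1; el <= 3; el++) {
        printf("EL%d: %d SCR_EL3 settings change the walk's space\n",
               el, count_changed_walks(el));
    }
    return 0;
}
```

The enumeration shows why the commit message can say EL1 and EL2 are unaffected: at those ELs the current space and the space below EL3 are the same function of SCR_EL3, so the count is zero there, and every difference is confined to walks issued from EL3.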