[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v2 05/13] hw/misc/tz-mpc.c: Implement the Arm Tr
From: |
Auger Eric |
Subject: |
Re: [Qemu-devel] [PATCH v2 05/13] hw/misc/tz-mpc.c: Implement the Arm TrustZone Memory Protection Controller |
Date: |
Thu, 14 Jun 2018 22:12:29 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 |
Hi Peter,
On 06/04/2018 05:29 PM, Peter Maydell wrote:
> Implement the Arm TrustZone Memory Protection Controller, which sits
> in front of RAM and allows secure software to configure it to either
> pass through or reject transactions.
>
> We implement the MPC as a QEMU IOMMU, which will direct transactions
> either through to the devices and memory behind it or to a special
> "never works" AddressSpace if they are blocked.
>
> This initial commit implements the skeleton of the device:
> * it always permits accesses
> * it doesn't implement most of the registers
> * it doesn't implement the interrupt or other behaviour
> for blocked transactions
>
> Signed-off-by: Peter Maydell <address@hidden>
> Reviewed-by: Alex Bennée <address@hidden>
> ---
> hw/misc/Makefile.objs | 1 +
> include/hw/misc/tz-mpc.h | 70 ++++++
> hw/misc/tz-mpc.c | 381 ++++++++++++++++++++++++++++++++
> MAINTAINERS | 2 +
> default-configs/arm-softmmu.mak | 1 +
> hw/misc/trace-events | 7 +
> 6 files changed, 462 insertions(+)
> create mode 100644 include/hw/misc/tz-mpc.h
> create mode 100644 hw/misc/tz-mpc.c
>
> diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
> index 00e834d0f06..7295e676a64 100644
> --- a/hw/misc/Makefile.objs
> +++ b/hw/misc/Makefile.objs
> @@ -61,6 +61,7 @@ obj-$(CONFIG_MIPS_ITU) += mips_itu.o
> obj-$(CONFIG_MPS2_FPGAIO) += mps2-fpgaio.o
> obj-$(CONFIG_MPS2_SCC) += mps2-scc.o
>
> +obj-$(CONFIG_TZ_MPC) += tz-mpc.o
> obj-$(CONFIG_TZ_PPC) += tz-ppc.o
> obj-$(CONFIG_IOTKIT_SECCTL) += iotkit-secctl.o
>
> diff --git a/include/hw/misc/tz-mpc.h b/include/hw/misc/tz-mpc.h
> new file mode 100644
> index 00000000000..b5eaf1699ea
> --- /dev/null
> +++ b/include/hw/misc/tz-mpc.h
> @@ -0,0 +1,70 @@
> +/*
> + * ARM TrustZone memory protection controller emulation
nit AHB5 TrustZone Memory Protection controller? This is the title of
chapter in the spec.
> + *
> + * Copyright (c) 2018 Linaro Limited
> + * Written by Peter Maydell
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 or
> + * (at your option) any later version.
> + */
> +
> +/* This is a model of the TrustZone memory protection controller (MPC).
> + * It is documented in the ARM CoreLink SIE-200 System IP for Embedded TRM
> + * (DDI 0571G):
> + * https://developer.arm.com/products/architecture/m-profile/docs/ddi0571/g
> + *
> + * The MPC sits in front of memory and allows secure software to
> + * configure it to either pass through or reject transactions.
> + * Rejected transactions may be configured to either be aborted, or to
> + * behave as RAZ/WI. An interrupt can be signalled for a rejected
> transaction.
> + *
> + * The MPC has a register interface which the guest uses to configure it.
> + *
> + * QEMU interface:
> + * + sysbus MMIO region 0: MemoryRegion for the MPC's config registers
> + * + sysbus MMIO region 1: MemoryRegion for the upstream end of the MPC
> + * + Property "downstream": MemoryRegion defining the downstream memory
> + * + Named GPIO output "irq": set for a transaction-failed interrupt
> + */
> +
> +#ifndef TZ_MPC_H
> +#define TZ_MPC_H
> +
> +#include "hw/sysbus.h"
> +
> +#define TYPE_TZ_MPC "tz-mpc"
> +#define TZ_MPC(obj) OBJECT_CHECK(TZMPC, (obj), TYPE_TZ_MPC)
> +
> +#define TZ_NUM_PORTS 16
> +
> +#define TYPE_TZ_MPC_IOMMU_MEMORY_REGION "tz-mpc-iommu-memory-region"
> +
> +typedef struct TZMPC TZMPC;
> +
> +struct TZMPC {
> + /*< private >*/
> + SysBusDevice parent_obj;
> +
> + /*< public >*/
> +
> + qemu_irq irq;
> +
> + /* Properties */
> + MemoryRegion *downstream;
> +
> + hwaddr blocksize;
> + uint32_t blk_max;
> +
> + /* MemoryRegions exposed to user */
> + MemoryRegion regmr;
> + IOMMUMemoryRegion upstream;
> +
> + /* MemoryRegion used internally */
> + MemoryRegion blocked_io;
> +
> + AddressSpace downstream_as;
> + AddressSpace blocked_io_as;
> +};
> +
> +#endif
> diff --git a/hw/misc/tz-mpc.c b/hw/misc/tz-mpc.c
> new file mode 100644
> index 00000000000..d4467ccc3b2
> --- /dev/null
> +++ b/hw/misc/tz-mpc.c
> @@ -0,0 +1,381 @@
> +/*
> + * ARM TrustZone memory protection controller emulation
> + *
> + * Copyright (c) 2018 Linaro Limited
> + * Written by Peter Maydell
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 or
> + * (at your option) any later version.
> + */
> +
> +#include "qemu/osdep.h"
> +#include "qemu/log.h"
> +#include "qapi/error.h"
> +#include "trace.h"
> +#include "hw/sysbus.h"
> +#include "hw/registerfields.h"
> +#include "hw/misc/tz-mpc.h"
> +
> +/* Our IOMMU has two IOMMU indexes, one for secure transactions and one for
> + * non-secure transactions.
> + */
> +enum {
> + IOMMU_IDX_S,
> + IOMMU_IDX_NS,
> + IOMMU_NUM_INDEXES,
> +};
> +
> +/* Config registers */
> +REG32(CTRL, 0x00)
> +REG32(BLK_MAX, 0x10)
> +REG32(BLK_CFG, 0x14)
> +REG32(BLK_IDX, 0x18)
> +REG32(BLK_LUT, 0x1c)
> +REG32(INT_STAT, 0x20)
> +REG32(INT_CLEAR, 0x24)
> +REG32(INT_EN, 0x28)
> +REG32(INT_INFO1, 0x2c)
> +REG32(INT_INFO2, 0x30)
> +REG32(INT_SET, 0x34)
> +REG32(PIDR4, 0xfd0)
> +REG32(PIDR5, 0xfd4)
> +REG32(PIDR6, 0xfd8)
> +REG32(PIDR7, 0xfdc)
> +REG32(PIDR0, 0xfe0)
> +REG32(PIDR1, 0xfe4)
> +REG32(PIDR2, 0xfe8)
> +REG32(PIDR3, 0xfec)
> +REG32(CIDR0, 0xff0)
> +REG32(CIDR1, 0xff4)
> +REG32(CIDR2, 0xff8)
> +REG32(CIDR3, 0xffc)
> +
> +static const uint8_t tz_mpc_idregs[] = {
> + 0x04, 0x00, 0x00, 0x00,
> + 0x60, 0xb8, 0x1b, 0x00,
> + 0x0d, 0xf0, 0x05, 0xb1,
> +};
> +
> +static MemTxResult tz_mpc_reg_read(void *opaque, hwaddr addr,
> + uint64_t *pdata,
> + unsigned size, MemTxAttrs attrs)
> +{
> + uint64_t r;
> + uint32_t offset = addr & ~0x3;
> +
> + switch (offset) {
> + case A_PIDR4:
> + case A_PIDR5:
> + case A_PIDR6:
> + case A_PIDR7:
> + case A_PIDR0:
> + case A_PIDR1:
> + case A_PIDR2:
> + case A_PIDR3:
> + case A_CIDR0:
> + case A_CIDR1:
> + case A_CIDR2:
> + case A_CIDR3:
> + r = tz_mpc_idregs[(offset - A_PIDR4) / 4];
> + break;
> + case A_INT_CLEAR:
> + case A_INT_SET:
> + qemu_log_mask(LOG_GUEST_ERROR,
> + "TZ MPC register read: write-only offset 0x%x\n",
> + offset);
> + r = 0;
> + break;
> + default:
> + qemu_log_mask(LOG_GUEST_ERROR,
> + "TZ MPC register read: bad offset 0x%x\n", offset);
> + r = 0;
> + break;
> + }
> +
> + if (size != 4) {
> + /* None of our registers are read-sensitive (except BLK_LUT,
> + * which can special case the "size not 4" case), so just
> + * pull the right bytes out of the word read result.
> + */
> + r = extract32(r, (addr & 3) * 8, size * 8);
> + }
> +
> + trace_tz_mpc_reg_read(addr, r, size);
> + *pdata = r;
> + return MEMTX_OK;
> +}
> +
> +static MemTxResult tz_mpc_reg_write(void *opaque, hwaddr addr,
> + uint64_t value,
> + unsigned size, MemTxAttrs attrs)
> +{
> + uint32_t offset = addr & ~0x3;
> +
> + trace_tz_mpc_reg_write(addr, value, size);
> +
> + if (size != 4) {
> + /* Expand the byte or halfword write to a full word size.
> + * In most cases we can do this with zeroes; the exceptions
> + * are CTRL, BLK_IDX and BLK_LUT.
> + */
> + uint32_t oldval;
> +
> + switch (offset) {
> + /* As we add support for registers which need expansions
> + * other than zeroes we'll fill in cases here.
> + */
> + default:
> + oldval = 0;
> + break;
> + }
> + value = deposit32(oldval, (addr & 3) * 8, size * 8, value);
> + }
> +
> + switch (offset) {
> + case A_PIDR4:
> + case A_PIDR5:
> + case A_PIDR6:
> + case A_PIDR7:
> + case A_PIDR0:
> + case A_PIDR1:
> + case A_PIDR2:
> + case A_PIDR3:
> + case A_CIDR0:
> + case A_CIDR1:
> + case A_CIDR2:
> + case A_CIDR3:
> + qemu_log_mask(LOG_GUEST_ERROR,
> + "TZ MPC register write: read-only offset 0x%x\n",
> offset);
> + break;
> + default:
> + qemu_log_mask(LOG_GUEST_ERROR,
> + "TZ MPC register write: bad offset 0x%x\n", offset);
> + break;
> + }
> +
> + return MEMTX_OK;
> +}
> +
> +static const MemoryRegionOps tz_mpc_reg_ops = {
> + .read_with_attrs = tz_mpc_reg_read,
> + .write_with_attrs = tz_mpc_reg_write,
> + .endianness = DEVICE_LITTLE_ENDIAN,
> + .valid.min_access_size = 1,
> + .valid.max_access_size = 4,
> + .impl.min_access_size = 1,
> + .impl.max_access_size = 4,
> +};
> +
> +/* Accesses only reach these read and write functions if the MPC is
> + * blocking them; non-blocked accesses go directly to the downstream
> + * memory region without passing through this code.
> + */
> +static MemTxResult tz_mpc_mem_blocked_read(void *opaque, hwaddr addr,
> + uint64_t *pdata,
> + unsigned size, MemTxAttrs attrs)
> +{
> + trace_tz_mpc_mem_blocked_read(addr, size, attrs.secure);
> +
> + *pdata = 0;
> + return MEMTX_OK;
> +}
> +
> +static MemTxResult tz_mpc_mem_blocked_write(void *opaque, hwaddr addr,
> + uint64_t value,
> + unsigned size, MemTxAttrs attrs)
> +{
> + trace_tz_mpc_mem_blocked_write(addr, value, size, attrs.secure);
> +
> + return MEMTX_OK;
> +}
> +
> +static const MemoryRegionOps tz_mpc_mem_blocked_ops = {
> + .read_with_attrs = tz_mpc_mem_blocked_read,
> + .write_with_attrs = tz_mpc_mem_blocked_write,
> + .endianness = DEVICE_LITTLE_ENDIAN,
> + .valid.min_access_size = 1,
> + .valid.max_access_size = 8,
> + .impl.min_access_size = 1,
> + .impl.max_access_size = 8,
> +};
> +
> +static IOMMUTLBEntry tz_mpc_translate(IOMMUMemoryRegion *iommu,
> + hwaddr addr, IOMMUAccessFlags flags,
> + int iommu_idx)
> +{
> + TZMPC *s = TZ_MPC(container_of(iommu, TZMPC, upstream));
> + bool ok;
> +
> + IOMMUTLBEntry ret = {
> + .iova = addr & ~(s->blocksize - 1),
> + .translated_addr = addr & ~(s->blocksize - 1),
> + .addr_mask = s->blocksize - 1,
> + .perm = IOMMU_RW,
> + };
> +
> + /* Look at the per-block configuration for this address, and
> + * return a TLB entry directing the transaction at either
> + * downstream_as or blocked_io_as, as appropriate.
> + * For the moment, always permit accesses.
> + */
> + ok = true;
> +
> + trace_tz_mpc_translate(addr, flags,
> + iommu_idx == IOMMU_IDX_S ? "S" : "NS",
> + ok ? "pass" : "block");
> +
> + ret.target_as = ok ? &s->downstream_as : &s->blocked_io_as;
> + return ret;
> +}
> +
> +static int tz_mpc_attrs_to_index(IOMMUMemoryRegion *iommu, MemTxAttrs attrs)
> +{
> + /* We treat unspecified attributes like secure. Transactions with
> + * unspecified attributes come from places like
> + * cpu_physical_memory_write_rom() for initial image load, and we want
> + * those to pass through the from-reset "everything is secure" config.
> + * All the real during-emulation transactions from the CPU will
> + * specify attributes.
> + */
> + return (attrs.unspecified || attrs.secure) ? IOMMU_IDX_S : IOMMU_IDX_NS;
> +}
> +
> +static int tz_mpc_num_indexes(IOMMUMemoryRegion *iommu)
> +{
> + return IOMMU_NUM_INDEXES;
> +}
> +
> +static void tz_mpc_reset(DeviceState *dev)
> +{
> +}
> +
> +static void tz_mpc_init(Object *obj)
> +{
> + DeviceState *dev = DEVICE(obj);
> + TZMPC *s = TZ_MPC(obj);
> +
> + qdev_init_gpio_out_named(dev, &s->irq, "irq", 1);
> +}
> +
> +static void tz_mpc_realize(DeviceState *dev, Error **errp)
> +{
> + Object *obj = OBJECT(dev);
> + SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
> + TZMPC *s = TZ_MPC(dev);
> + uint64_t size;
> +
> + /* We can't create the upstream end of the port until realize,
> + * as we don't know the size of the MR used as the downstream until then.
> + * We insist on having a downstream, to avoid complicating the code
> + * with handling the "don't know how big this is" case. It's easy
> + * enough for the user to create an unimplemented_device as downstream
> + * if they have nothing else to plug into this.
> + */
> + if (!s->downstream) {
> + error_setg(errp, "MPC 'downstream' link not set");
> + return;
> + }
> +
> + size = memory_region_size(s->downstream);
> +
> + memory_region_init_iommu(&s->upstream, sizeof(s->upstream),
> + TYPE_TZ_MPC_IOMMU_MEMORY_REGION,
> + obj, "tz-mpc-upstream", size);
> +
> + /* In real hardware the block size is configurable. In QEMU we could
> + * make it configurable but will need it to be at least as big as the
> + * target page size so we can execute out of the resulting MRs. Guest
> + * software is supposed to check the block size using the BLK_CFG
> + * register, so make it fixed at the page size.
> + */
> + s->blocksize = memory_region_iommu_get_min_page_size(&s->upstream);
> + if (size % s->blocksize != 0) {
> + error_setg(errp,
> + "MPC 'downstream' size %" PRId64
> + " is not a multiple of %" HWADDR_PRIx " bytes",
> + size, s->blocksize);
> + object_unref(OBJECT(&s->upstream));
> + return;
> + }
> +
> + /* BLK_MAX is the max value of BLK_IDX, which indexes an array of 32-bit
> + * words, each bit of which indicates one block.
> + */
> + s->blk_max = DIV_ROUND_UP(size / s->blocksize, 32);
> +
> + memory_region_init_io(&s->regmr, obj, &tz_mpc_reg_ops,
> + s, "tz-mpc-regs", 0x1000);
> + sysbus_init_mmio(sbd, &s->regmr);
> +
> + sysbus_init_mmio(sbd, MEMORY_REGION(&s->upstream));
> +
> + /* This memory region is not exposed to users of this device as a
> + * sysbus MMIO region, but is instead used internally as something
> + * that our IOMMU translate function might direct accesses to.
> + */
> + memory_region_init_io(&s->blocked_io, obj, &tz_mpc_mem_blocked_ops,
> + s, "tz-mpc-blocked-io", size);
> +
> + address_space_init(&s->downstream_as, s->downstream,
> + "tz-mpc-downstream");
> + address_space_init(&s->blocked_io_as, &s->blocked_io,
> + "tz-mpc-blocked-io");
> +}
> +
> +static const VMStateDescription tz_mpc_vmstate = {
> + .name = "tz-mpc",
> + .version_id = 1,
> + .minimum_version_id = 1,
> + .fields = (VMStateField[]) {
> + VMSTATE_END_OF_LIST()
> + }
> +};
> +
> +static Property tz_mpc_properties[] = {
> + DEFINE_PROP_LINK("downstream", TZMPC, downstream,
> + TYPE_MEMORY_REGION, MemoryRegion *),
> + DEFINE_PROP_END_OF_LIST(),
> +};
> +
> +static void tz_mpc_class_init(ObjectClass *klass, void *data)
> +{
> + DeviceClass *dc = DEVICE_CLASS(klass);
> +
> + dc->realize = tz_mpc_realize;
> + dc->vmsd = &tz_mpc_vmstate;
> + dc->reset = tz_mpc_reset;
> + dc->props = tz_mpc_properties;
> +}
> +
> +static const TypeInfo tz_mpc_info = {
> + .name = TYPE_TZ_MPC,
> + .parent = TYPE_SYS_BUS_DEVICE,
> + .instance_size = sizeof(TZMPC),
> + .instance_init = tz_mpc_init,
> + .class_init = tz_mpc_class_init,
> +};
> +
> +static void tz_mpc_iommu_memory_region_class_init(ObjectClass *klass,
> + void *data)
> +{
> + IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass);
> +
> + imrc->translate = tz_mpc_translate;
> + imrc->attrs_to_index = tz_mpc_attrs_to_index;
> + imrc->num_indexes = tz_mpc_num_indexes;
> +}
> +
> +static const TypeInfo tz_mpc_iommu_memory_region_info = {
> + .name = TYPE_TZ_MPC_IOMMU_MEMORY_REGION,
> + .parent = TYPE_IOMMU_MEMORY_REGION,
> + .class_init = tz_mpc_iommu_memory_region_class_init,
> +};
> +
> +static void tz_mpc_register_types(void)
> +{
> + type_register_static(&tz_mpc_info);
> + type_register_static(&tz_mpc_iommu_memory_region_info);
> +}
> +
> +type_init(tz_mpc_register_types);
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 41cd3736a9b..9b712b92021 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -449,6 +449,8 @@ F: hw/char/cmsdk-apb-uart.c
> F: include/hw/char/cmsdk-apb-uart.h
> F: hw/misc/tz-ppc.c
> F: include/hw/misc/tz-ppc.h
> +F: hw/misc/tz-mpc.c
> +F: include/hw/misc/tz-mpc.h
>
> ARM cores
> M: Peter Maydell <address@hidden>
> diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
> index 8ba2558b36a..0f7dc2eb315 100644
> --- a/default-configs/arm-softmmu.mak
> +++ b/default-configs/arm-softmmu.mak
> @@ -107,6 +107,7 @@ CONFIG_CMSDK_APB_UART=y
> CONFIG_MPS2_FPGAIO=y
> CONFIG_MPS2_SCC=y
>
> +CONFIG_TZ_MPC=y
> CONFIG_TZ_PPC=y
> CONFIG_IOTKIT=y
> CONFIG_IOTKIT_SECCTL=y
> diff --git a/hw/misc/trace-events b/hw/misc/trace-events
> index ec5a9f0da13..72bf9d57000 100644
> --- a/hw/misc/trace-events
> +++ b/hw/misc/trace-events
> @@ -84,6 +84,13 @@ mos6522_set_sr_int(void) "set sr_int"
> mos6522_write(uint64_t addr, uint64_t val) "reg=0x%"PRIx64 " val=0x%"PRIx64
> mos6522_read(uint64_t addr, unsigned val) "reg=0x%"PRIx64 " val=0x%x"
>
> +# hw/misc/tz-mpc.c
> +tz_mpc_reg_read(uint32_t offset, uint64_t data, unsigned size) "TZ MPC regs
> read: offset 0x%x data 0x%" PRIx64 " size %u"
> +tz_mpc_reg_write(uint32_t offset, uint64_t data, unsigned size) "TZ MPC regs
> write: offset 0x%x data 0x%" PRIx64 " size %u"
> +tz_mpc_mem_blocked_read(uint64_t addr, unsigned size, bool secure) "TZ MPC
> blocked read: offset 0x%" PRIx64 " size %u secure %d"
> +tz_mpc_mem_blocked_write(uint64_t addr, uint64_t data, unsigned size, bool
> secure) "TZ MPC blocked write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size
> %u secure %d"
> +tz_mpc_translate(uint64_t addr, int flags, const char *idx, const char *res)
> "TZ MPC translate: addr 0x%" PRIx64 " flags 0x%x iommu_idx %s: %s"
> +
> # hw/misc/tz-ppc.c
> tz_ppc_reset(void) "TZ PPC: reset"
> tz_ppc_cfg_nonsec(int n, int level) "TZ PPC: cfg_nonsec[%d] = %d"
>
Reviewed-by: Eric Auger <address@hidden>
Thanks
Eric
- Re: [Qemu-devel] [PATCH v2 07/13] hw/misc/tz-mpc.c: Implement correct blocked-access behaviour, (continued)
- [Qemu-devel] [PATCH v2 09/13] hw/core/or-irq: Support more than 16 inputs to an OR gate, Peter Maydell, 2018/06/04
- [Qemu-devel] [PATCH v2 08/13] hw/misc/tz_mpc.c: Honour the BLK_LUT settings in translate, Peter Maydell, 2018/06/04
- [Qemu-devel] [PATCH v2 10/13] hw/misc/iotkit-secctl.c: Implement SECMPCINTSTATUS, Peter Maydell, 2018/06/04
- [Qemu-devel] [PATCH v2 03/13] iommu: Add IOMMU index argument to translate method, Peter Maydell, 2018/06/04
- [Qemu-devel] [PATCH v2 01/13] iommu: Add IOMMU index concept to IOMMU API, Peter Maydell, 2018/06/04
- [Qemu-devel] [PATCH v2 05/13] hw/misc/tz-mpc.c: Implement the Arm TrustZone Memory Protection Controller, Peter Maydell, 2018/06/04
- [Qemu-devel] [PATCH v2 06/13] hw/misc/tz-mpc.c: Implement registers, Peter Maydell, 2018/06/04
- Re: [Qemu-devel] [PATCH v2 06/13] hw/misc/tz-mpc.c: Implement registers, Auger Eric, 2018/06/15