[Qemu-discuss] Question about ARM64 Generic Timer interrupt emulation on Cortex-A53

[bzt]

Dear All,

I'm testing a bare metal application on qemu. This worked great up
until now. I start it with
qemu-system-aarch64 -M raspi3 -kernel kernel8.img

My problem is, although I configure the ARM Generic Timer Non-Secure
EL1 physical timer correctly (according to DDI0487), I don't get an
interrupt. In short, I'm at EL1, VBAR CSSel selects the correct
handler, I have interrupts enabled in PSTATE with DAIFClr etc. I set
up CNTP_CTL_EL0 and CNTP_CVAL_EL0 correctly, I can see the timer
running, and after the given time, I can see CNTP_CTL_EL0 changing to
5 (ISTATUS=1, IMASK=0, ENABLE=1), but ISR_EL1 remains 0.

Checking qemu's source I can see in hw/arm/bcm2836.c line 156 that
CNTPNSIRQ (the one I'm after) is connected to the ARM Control
peripheral. So I've also configured 0x4000040 = (1<<1), 0x4000044 =
(1<<1), 0x4000048 = (1<<1)  and 0x400004C = (1<<1) to enable
nCNTPNSIRQ on all 4 cores. I've also tried to enable ARM and ARM Timer
bits in bcm2836-ic's registers but didn't help.

I can confirm that in target/arm/helper.c line 2416, function
gt_recalc_timer() ISTATUS is set, IMASK is not set and
"qemu_set_irq(cpu->gt_timer_outputs[1], 1);" is called. After that I'm
stuck, because that should call struct IRQState's
cpu->gt_timer_outputs[1]->handler(), but I failed to find what it is
initialized to. Only thing I've found is in target/arm/cpu.c line 717
in function arm_cpu_initfn(), but that does not tell me which function
is used as a handler for GTIMER_PHYS, so I can't follow that path to
figure out which IRQ line in which controller to enable.

Setting ARM Control alone is clearly not enough, so my question is,
what am I missing? Why don't I get an interrupt? Which system/MMIO
register should I set to get the IRQ?

Thanks,
bzt