]>
Commit | Line | Data |
---|---|---|
211e701d PM |
1 | /* |
2 | * ARM TrustZone master security controller emulation | |
3 | * | |
4 | * Copyright (c) 2018 Linaro Limited | |
5 | * Written by Peter Maydell | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU General Public License version 2 or | |
9 | * (at your option) any later version. | |
10 | */ | |
11 | ||
12 | #include "qemu/osdep.h" | |
13 | #include "qemu/log.h" | |
0b8fa32f | 14 | #include "qemu/module.h" |
211e701d PM |
15 | #include "qapi/error.h" |
16 | #include "trace.h" | |
17 | #include "hw/sysbus.h" | |
18 | #include "hw/registerfields.h" | |
19 | #include "hw/misc/tz-msc.h" | |
20 | ||
21 | static void tz_msc_update_irq(TZMSC *s) | |
22 | { | |
23 | bool level = s->irq_status; | |
24 | ||
25 | trace_tz_msc_update_irq(level); | |
26 | qemu_set_irq(s->irq, level); | |
27 | } | |
28 | ||
29 | static void tz_msc_cfg_nonsec(void *opaque, int n, int level) | |
30 | { | |
31 | TZMSC *s = TZ_MSC(opaque); | |
32 | ||
33 | trace_tz_msc_cfg_nonsec(level); | |
34 | s->cfg_nonsec = level; | |
35 | } | |
36 | ||
37 | static void tz_msc_cfg_sec_resp(void *opaque, int n, int level) | |
38 | { | |
39 | TZMSC *s = TZ_MSC(opaque); | |
40 | ||
41 | trace_tz_msc_cfg_sec_resp(level); | |
42 | s->cfg_sec_resp = level; | |
43 | } | |
44 | ||
45 | static void tz_msc_irq_clear(void *opaque, int n, int level) | |
46 | { | |
47 | TZMSC *s = TZ_MSC(opaque); | |
48 | ||
49 | trace_tz_msc_irq_clear(level); | |
50 | ||
51 | s->irq_clear = level; | |
52 | if (level) { | |
53 | s->irq_status = false; | |
54 | tz_msc_update_irq(s); | |
55 | } | |
56 | } | |
57 | ||
58 | /* The MSC may either block a transaction by aborting it, block a | |
59 | * transaction by making it RAZ/WI, allow it through with | |
60 | * MemTxAttrs indicating a secure transaction, or allow it with | |
61 | * MemTxAttrs indicating a non-secure transaction. | |
62 | */ | |
63 | typedef enum MSCAction { | |
64 | MSCBlockAbort, | |
65 | MSCBlockRAZWI, | |
66 | MSCAllowSecure, | |
67 | MSCAllowNonSecure, | |
68 | } MSCAction; | |
69 | ||
70 | static MSCAction tz_msc_check(TZMSC *s, hwaddr addr) | |
71 | { | |
72 | /* | |
73 | * Check whether to allow an access from the bus master, returning | |
74 | * an MSCAction indicating the required behaviour. If the transaction | |
75 | * is blocked, the caller must check cfg_sec_resp to determine | |
76 | * whether to abort or RAZ/WI the transaction. | |
77 | */ | |
78 | IDAUInterfaceClass *iic = IDAU_INTERFACE_GET_CLASS(s->idau); | |
79 | IDAUInterface *ii = IDAU_INTERFACE(s->idau); | |
80 | bool idau_exempt = false, idau_ns = true, idau_nsc = true; | |
81 | int idau_region = IREGION_NOTVALID; | |
82 | ||
83 | iic->check(ii, addr, &idau_region, &idau_exempt, &idau_ns, &idau_nsc); | |
84 | ||
85 | if (idau_exempt) { | |
86 | /* | |
87 | * Uncheck region -- OK, transaction type depends on | |
88 | * whether bus master is configured as Secure or NonSecure | |
89 | */ | |
90 | return s->cfg_nonsec ? MSCAllowNonSecure : MSCAllowSecure; | |
91 | } | |
92 | ||
93 | if (idau_ns) { | |
94 | /* NonSecure region -- always forward as NS transaction */ | |
95 | return MSCAllowNonSecure; | |
96 | } | |
97 | ||
98 | if (!s->cfg_nonsec) { | |
99 | /* Access to Secure region by Secure bus master: OK */ | |
100 | return MSCAllowSecure; | |
101 | } | |
102 | ||
103 | /* Attempted access to Secure region by NS bus master: block */ | |
104 | trace_tz_msc_access_blocked(addr); | |
105 | if (!s->cfg_sec_resp) { | |
106 | return MSCBlockRAZWI; | |
107 | } | |
108 | ||
109 | /* | |
110 | * The TRM isn't clear on behaviour if irq_clear is high when a | |
111 | * transaction is blocked. We assume that the MSC behaves like the | |
112 | * PPC, where holding irq_clear high suppresses the interrupt. | |
113 | */ | |
114 | if (!s->irq_clear) { | |
115 | s->irq_status = true; | |
116 | tz_msc_update_irq(s); | |
117 | } | |
118 | return MSCBlockAbort; | |
119 | } | |
120 | ||
121 | static MemTxResult tz_msc_read(void *opaque, hwaddr addr, uint64_t *pdata, | |
122 | unsigned size, MemTxAttrs attrs) | |
123 | { | |
124 | TZMSC *s = opaque; | |
125 | AddressSpace *as = &s->downstream_as; | |
126 | uint64_t data; | |
127 | MemTxResult res; | |
128 | ||
129 | switch (tz_msc_check(s, addr)) { | |
130 | case MSCBlockAbort: | |
131 | return MEMTX_ERROR; | |
132 | case MSCBlockRAZWI: | |
133 | *pdata = 0; | |
134 | return MEMTX_OK; | |
135 | case MSCAllowSecure: | |
136 | attrs.secure = 1; | |
137 | attrs.unspecified = 0; | |
138 | break; | |
139 | case MSCAllowNonSecure: | |
140 | attrs.secure = 0; | |
141 | attrs.unspecified = 0; | |
142 | break; | |
143 | } | |
144 | ||
145 | switch (size) { | |
146 | case 1: | |
147 | data = address_space_ldub(as, addr, attrs, &res); | |
148 | break; | |
149 | case 2: | |
150 | data = address_space_lduw_le(as, addr, attrs, &res); | |
151 | break; | |
152 | case 4: | |
153 | data = address_space_ldl_le(as, addr, attrs, &res); | |
154 | break; | |
155 | case 8: | |
156 | data = address_space_ldq_le(as, addr, attrs, &res); | |
157 | break; | |
158 | default: | |
159 | g_assert_not_reached(); | |
160 | } | |
161 | *pdata = data; | |
162 | return res; | |
163 | } | |
164 | ||
165 | static MemTxResult tz_msc_write(void *opaque, hwaddr addr, uint64_t val, | |
166 | unsigned size, MemTxAttrs attrs) | |
167 | { | |
168 | TZMSC *s = opaque; | |
169 | AddressSpace *as = &s->downstream_as; | |
170 | MemTxResult res; | |
171 | ||
172 | switch (tz_msc_check(s, addr)) { | |
173 | case MSCBlockAbort: | |
174 | return MEMTX_ERROR; | |
175 | case MSCBlockRAZWI: | |
176 | return MEMTX_OK; | |
177 | case MSCAllowSecure: | |
178 | attrs.secure = 1; | |
179 | attrs.unspecified = 0; | |
180 | break; | |
181 | case MSCAllowNonSecure: | |
182 | attrs.secure = 0; | |
183 | attrs.unspecified = 0; | |
184 | break; | |
185 | } | |
186 | ||
187 | switch (size) { | |
188 | case 1: | |
189 | address_space_stb(as, addr, val, attrs, &res); | |
190 | break; | |
191 | case 2: | |
192 | address_space_stw_le(as, addr, val, attrs, &res); | |
193 | break; | |
194 | case 4: | |
195 | address_space_stl_le(as, addr, val, attrs, &res); | |
196 | break; | |
197 | case 8: | |
198 | address_space_stq_le(as, addr, val, attrs, &res); | |
199 | break; | |
200 | default: | |
201 | g_assert_not_reached(); | |
202 | } | |
203 | return res; | |
204 | } | |
205 | ||
206 | static const MemoryRegionOps tz_msc_ops = { | |
207 | .read_with_attrs = tz_msc_read, | |
208 | .write_with_attrs = tz_msc_write, | |
209 | .endianness = DEVICE_LITTLE_ENDIAN, | |
210 | }; | |
211 | ||
212 | static void tz_msc_reset(DeviceState *dev) | |
213 | { | |
214 | TZMSC *s = TZ_MSC(dev); | |
215 | ||
216 | trace_tz_msc_reset(); | |
217 | s->cfg_sec_resp = false; | |
218 | s->cfg_nonsec = false; | |
219 | s->irq_clear = 0; | |
220 | s->irq_status = 0; | |
221 | } | |
222 | ||
223 | static void tz_msc_init(Object *obj) | |
224 | { | |
225 | DeviceState *dev = DEVICE(obj); | |
226 | TZMSC *s = TZ_MSC(obj); | |
227 | ||
228 | qdev_init_gpio_in_named(dev, tz_msc_cfg_nonsec, "cfg_nonsec", 1); | |
229 | qdev_init_gpio_in_named(dev, tz_msc_cfg_sec_resp, "cfg_sec_resp", 1); | |
230 | qdev_init_gpio_in_named(dev, tz_msc_irq_clear, "irq_clear", 1); | |
231 | qdev_init_gpio_out_named(dev, &s->irq, "irq", 1); | |
232 | } | |
233 | ||
234 | static void tz_msc_realize(DeviceState *dev, Error **errp) | |
235 | { | |
236 | Object *obj = OBJECT(dev); | |
237 | SysBusDevice *sbd = SYS_BUS_DEVICE(dev); | |
238 | TZMSC *s = TZ_MSC(dev); | |
239 | const char *name = "tz-msc-downstream"; | |
240 | uint64_t size; | |
241 | ||
242 | /* | |
243 | * We can't create the upstream end of the port until realize, | |
244 | * as we don't know the size of the MR used as the downstream until then. | |
245 | * We insist on having a downstream, to avoid complicating the | |
246 | * code with handling the "don't know how big this is" case. It's easy | |
247 | * enough for the user to create an unimplemented_device as downstream | |
248 | * if they have nothing else to plug into this. | |
249 | */ | |
250 | if (!s->downstream) { | |
251 | error_setg(errp, "MSC 'downstream' link not set"); | |
252 | return; | |
253 | } | |
254 | if (!s->idau) { | |
255 | error_setg(errp, "MSC 'idau' link not set"); | |
256 | return; | |
257 | } | |
258 | ||
259 | size = memory_region_size(s->downstream); | |
260 | address_space_init(&s->downstream_as, s->downstream, name); | |
261 | memory_region_init_io(&s->upstream, obj, &tz_msc_ops, s, name, size); | |
262 | sysbus_init_mmio(sbd, &s->upstream); | |
263 | } | |
264 | ||
265 | static const VMStateDescription tz_msc_vmstate = { | |
266 | .name = "tz-msc", | |
267 | .version_id = 1, | |
268 | .minimum_version_id = 1, | |
269 | .fields = (VMStateField[]) { | |
270 | VMSTATE_BOOL(cfg_nonsec, TZMSC), | |
271 | VMSTATE_BOOL(cfg_sec_resp, TZMSC), | |
272 | VMSTATE_BOOL(irq_clear, TZMSC), | |
273 | VMSTATE_BOOL(irq_status, TZMSC), | |
274 | VMSTATE_END_OF_LIST() | |
275 | } | |
276 | }; | |
277 | ||
278 | static Property tz_msc_properties[] = { | |
279 | DEFINE_PROP_LINK("downstream", TZMSC, downstream, | |
280 | TYPE_MEMORY_REGION, MemoryRegion *), | |
281 | DEFINE_PROP_LINK("idau", TZMSC, idau, | |
282 | TYPE_IDAU_INTERFACE, IDAUInterface *), | |
283 | DEFINE_PROP_END_OF_LIST(), | |
284 | }; | |
285 | ||
286 | static void tz_msc_class_init(ObjectClass *klass, void *data) | |
287 | { | |
288 | DeviceClass *dc = DEVICE_CLASS(klass); | |
289 | ||
290 | dc->realize = tz_msc_realize; | |
291 | dc->vmsd = &tz_msc_vmstate; | |
292 | dc->reset = tz_msc_reset; | |
293 | dc->props = tz_msc_properties; | |
294 | } | |
295 | ||
296 | static const TypeInfo tz_msc_info = { | |
297 | .name = TYPE_TZ_MSC, | |
298 | .parent = TYPE_SYS_BUS_DEVICE, | |
299 | .instance_size = sizeof(TZMSC), | |
300 | .instance_init = tz_msc_init, | |
301 | .class_init = tz_msc_class_init, | |
302 | }; | |
303 | ||
304 | static void tz_msc_register_types(void) | |
305 | { | |
306 | type_register_static(&tz_msc_info); | |
307 | } | |
308 | ||
309 | type_init(tz_msc_register_types); |