Vasant Hegde [Fri, 16 May 2025 10:05:35 +0000 (15:35 +0530)]
hw/i386/amd_iommu: Fix xtsup when vcpus < 255
If vCPUs > 255 then x86 common code (x86_cpus_init()) call kvm_enable_x2apic().
But if vCPUs <= 255 then the common code won't calls kvm_enable_x2apic().
This is because commit 8c6619f3e692 ("hw/i386/amd_iommu: Simplify non-KVM
checks on XTSup feature") removed the call to kvm_enable_x2apic when xtsup
is "on", which break things when guest is booted with x2apic mode and
there are <= 255 vCPUs.
Fix this by adding back kvm_enable_x2apic() call when xtsup=on.
Sairaj Kodilkar [Fri, 16 May 2025 10:05:34 +0000 (15:35 +0530)]
hw/i386/amd_iommu: Fix device setup failure when PT is on.
Commit c1f46999ef506 ("amd_iommu: Add support for pass though mode")
introduces the support for "pt" flag by enabling nodma memory when
"pt=off". This allowed VFIO devices to successfully register notifiers
by using nodma region.
But, This also broke things when guest is booted with the iommu=nopt
because, devices bypass the IOMMU and use untranslated addresses (IOVA) to
perform DMA reads/writes to the nodma memory region, ultimately resulting in
a failure to setup the devices in the guest.
Fix the above issue by always enabling the amdvi_dev_as->iommu memory region.
But this will once again cause VFIO devices to fail while registering the
notifiers with AMD IOMMU memory region.
Fixes: c1f46999ef506 ("amd_iommu: Add support for pass though mode") Signed-off-by: Sairaj Kodilkar <sarunkod@amd.com> Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Message-Id: <20250516100535.4980-2-sarunkod@amd.com> Fixes: c1f46999ef506 ("amd_iommu: Add support for pass though mode") Signed-off-by: Sairaj Kodilkar <sarunkod@amd.com> Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Yuri Benditovich [Thu, 15 May 2025 06:32:37 +0000 (09:32 +0300)]
virtio: check for validity of indirect descriptors
virtio processes indirect descriptors even if the respected
feature VIRTIO_RING_F_INDIRECT_DESC was not negotiated.
If qemu is used with reduced set of features to emulate the
hardware device that does not support indirect descriptors,
the will probably trigger problematic flows on the hardware
setup but do not reveal the mistake on qemu.
Add LOG_GUEST_ERROR for such case. This will issue logs with
'-d guest_errors' in the command line
* tag 'pull-qapi-2025-05-28' of https://repo.or.cz/qemu/armbru:
qapi: use imperative style in documentation
qapi: make all generated files common
qapi: remove qapi_specific_outputs from meson.build
qapi: make s390x specific CPU commands unconditionally available
qapi: make most CPU commands unconditionally available
qapi: Make CpuModelExpansionInfo::deprecated-props optional and generic
qapi: remove the misc-target.json file
qapi: make Xen event commands unconditionally available
qapi: make SGX commands unconditionally available
qapi: expose query-gic-capability command unconditionally
qapi: make SEV commands unconditionally available
qapi: expand docs for SEV commands
qapi: expose rtc-reset-reinjection command unconditionally
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'pull-misc-2025-05-28' of https://repo.or.cz/qemu/armbru:
docs/about/removed-features: Move removal notes to tidy up order
docs/about/deprecated: Move deprecation notes to tidy up order
qapi/migration: Deprecate migrate argument @detach
docs/about: Belatedly document tightening of QMP device_add checking
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Wed, 28 May 2025 19:17:25 +0000 (15:17 -0400)]
Merge tag 'pull-tcg-20250528' of https://gitlab.com/rth7680/qemu into staging
accel/tcg: Fix atomic_mmu_lookup vs TLB_FORCE_SLOW
linux-user: implement pgid field of /proc/self/stat
target/sh4: Use MO_ALIGN for system UNALIGN()
target/microblaze: Use TARGET_LONG_BITS == 32 for system mode
accel/tcg: Add TCGCPUOps.pointer_wrap
target/*: Populate TCGCPUOps.pointer_wrap
* tag 'pull-tcg-20250528' of https://gitlab.com/rth7680/qemu: (28 commits)
accel/tcg: Assert TCGCPUOps.pointer_wrap is set
target/sparc: Fill in TCGCPUOps.pointer_wrap
target/s390x: Fill in TCGCPUOps.pointer_wrap
target/riscv: Fill in TCGCPUOps.pointer_wrap
target/ppc: Fill in TCGCPUOps.pointer_wrap
target/mips: Fill in TCGCPUOps.pointer_wrap
target/loongarch: Fill in TCGCPUOps.pointer_wrap
target/i386: Fill in TCGCPUOps.pointer_wrap
target/arm: Fill in TCGCPUOps.pointer_wrap
target: Use cpu_pointer_wrap_uint32 for 32-bit targets
target: Use cpu_pointer_wrap_notreached for strict align targets
accel/tcg: Add TCGCPUOps.pointer_wrap
target/sh4: Use MO_ALIGN for system UNALIGN()
tcg: Drop TCGContext.page_{mask,bits}
tcg: Drop TCGContext.tlb_dyn_max_bits
target/microblaze: Simplify compute_ldst_addr_type{a,b}
target/microblaze: Drop DisasContext.r0
target/microblaze: Use TARGET_LONG_BITS == 32 for system mode
target/microblaze: Fix printf format in mmu_translate
target/microblaze: Use TCGv_i64 for compute_ldst_addr_ea
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Pierrick Bouvier [Thu, 22 May 2025 19:05:39 +0000 (12:05 -0700)]
qapi: make all generated files common
Monolithic files (qapi_nonmodule_outputs) can now be compiled just
once, so we can remove qapi_util_outputs logic.
This removes the need for any specific_ss file.
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250522190542.588267-13-pierrick.bouvier@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com>
Pierrick Bouvier [Thu, 22 May 2025 19:05:38 +0000 (12:05 -0700)]
qapi: remove qapi_specific_outputs from meson.build
There is no more QAPI files that need to be compiled per target, so we
can remove this. qapi_specific_outputs is now empty, so we can remove
the associated logic in meson.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250522190542.588267-12-pierrick.bouvier@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com>
qapi: make s390x specific CPU commands unconditionally available
This removes the TARGET_S390X and CONFIG_KVM conditions from the
CPU commands that are conceptually specific to s390x. Top level
stubs are provided to cope with non-s390x targets, or builds
without KVM.
The removal of CONFIG_KVM is justified by the fact there is no
conceptual difference between running 'qemu-system-s390x -accel tcg'
on a build with and without KVM built-in, so apps only using TCG
can't rely on the CONFIG_KVM in the schema.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250522190542.588267-11-pierrick.bouvier@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com>
qapi: make most CPU commands unconditionally available
This removes the TARGET_* conditions from all the CPU commands
that are conceptually target independent. Top level stubs are
provided to cope with targets which do not currently implement
all of the commands. Adjust the doc comments accordingly.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250522190542.588267-10-pierrick.bouvier@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com>
qapi: Make CpuModelExpansionInfo::deprecated-props optional and generic
We'd like to have some unified QAPI schema. Having a structure field
conditional to a target being built in is not very practical.
While @deprecated-props is only used by s390x target, it is generic
enough and could be used by other targets (assuming we expand
CpuModelExpansionType enum values).
Let's always include this field, regardless of the target, but make it
optional. This is not a compatibility break only because the field
remains present always on S390x.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250522190542.588267-9-pierrick.bouvier@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com>
Observe the pre-existing bug with s390-skeys.c and target/i386/monitor.c
both including qapi-commands-misc-target.h despite not requiring it.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250522190542.588267-8-pierrick.bouvier@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com>
qapi: make Xen event commands unconditionally available
This removes the TARGET_I386 condition from the Xen event channel
commands, moving them to the recently introduced misc-i386.json
QAPI file, given they are inherantly i386 specific commands.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Acked-by: David Woodhouse <dwmw@amazon.co.uk> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250522190542.588267-7-pierrick.bouvier@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com>
This removes the TARGET_I386 condition from the SGX confidential
virtualization commands, moving them to the recently introduced
misc-i386.json QAPI file, given they are inherantly i386 specific
commands.
Observe a pre-existing bug that the "SGXEPCSection" struct lacked
a TARGET_I386 condition, despite its only usage being behind a
TARGET_I386 condition.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250522190542.588267-6-pierrick.bouvier@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com>
This removes the TARGET_ARM condition from the query-gic-capability
command. This requires providing a QMP command stub for non-ARM targets.
This in turn requires moving the command out of misc-target.json, since
that will trigger symbol poisoning errors when built from target
independent code.
Following the earlier precedent, this creates a misc-arm.json file to
hold this ARM specific command.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250522190542.588267-5-pierrick.bouvier@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com>
This removes the TARGET_I386 condition from the SEV confidential
virtualization commands, moving them to the recently introduced
misc-i386.json QAPI file, given they are inherantly i386 specific
commands.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250522190542.588267-4-pierrick.bouvier@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com>
This removes the TARGET_I386 condition from the rtc-reset-reinjection
command. This requires providing a QMP command stub for non-i386 target.
This in turn requires moving the command out of misc-target.json, since
that will trigger symbol poisoning errors when built from target
independent code.
Rather than putting the command into misc.json, it is proposed to create
misc-$TARGET.json files to hold commands whose impl is conceptually
only applicable to a single target. This gives an obvious docs hint to
consumers that the command is only useful in relation a specific target,
while misc.json is for commands applicable to 2 or more targets.
The current impl of qmp_rtc_reset_reinject() is a no-op if the i386
RTC is disabled in Kconfig, or if the running machine type lack any
RTC device.
The stub impl for non-i386 targets retains this no-op behaviour.
However, it is now reporting an Error mentioning this command is not
available for current target.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250522190542.588267-2-pierrick.bouvier@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com>
Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Cc: qemu-riscv@nongnu.org Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Song Gao <gaosong@loongson.cn> Reviewed-by: Bibo Mao <maobibo@loongson.cn> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Cc: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
target: Use cpu_pointer_wrap_uint32 for 32-bit targets
M68K, MicroBlaze, OpenRISC, RX, TriCore and Xtensa are
all 32-bit targets. AVR is more complicated, but using
a 32-bit wrap preserves current behaviour.
Cc: Michael Rolnik <mrolnik@gmail.com> Cc: Laurent Vivier <laurent@vivier.eu> Cc: Stafford Horne <shorne@gmail.com> Cc: Yoshinori Sato <ysato@users.sourceforge.jp> Cc: Max Filippov <jcmvbkbc@gmail.com>
Tested-by Bastian Koppelmann <kbastian@mail.uni-paderborn.de> (tricore) Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
This was an extremely minor optimization for aarch64
and x86_64, to use a 32-bit AND instruction when the
guest softmmu tlb maximum was sufficiently small.
Both hosts can simply use a 64-bit AND insn instead.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Require TCGv_i32 and TCGv be identical, so drop
the extensions. Return constants when possible
instead of a mov into a temporary. Return register
inputs unchanged when possible.
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
target/microblaze: Implement extended address load/store out of line
Use helpers and address_space_ld/st instead of inline
loads and stores. This allows us to perform operations
on physical addresses wider than virtual addresses.
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Andreas Schwab [Tue, 20 May 2025 14:07:37 +0000 (16:07 +0200)]
linux-user: implement pgid field of /proc/self/stat
Signed-off-by: Andreas Schwab <schwab@suse.de> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <mvmfrgzcr4m.fsf@suse.de>
docs/about/removed-features: Move removal notes to tidy up order
The removal notes within a section are mostly in version order. Move
the few that aren't so they are.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20250521063711.29840-5-armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
docs/about/deprecated: Move deprecation notes to tidy up order
The deprecation notes within a section are mostly in version order.
Move the few that aren't so they are.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20250521063711.29840-4-armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
docs/about: Belatedly document tightening of QMP device_add checking
Commit 4d8b0f0a9536 (v6.2.0) deprecated incorrectly typed device_add
arguments. Commit be93fd53723c (qdev-monitor: avoid QemuOpts in QMP
device_add) fixed them for v9.2.0, but neglected to update
documentation. Do that now.
Cc: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20250521063711.29840-2-armbru@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[Commit message typo corrected]
target/sparc: don't set FSR_NVA when comparing unordered floats
FSR_NVA should be set when one of the operands is a signaling NaN or
when using FCMPEx instructions. But those cases are already handled
within check_ieee_exception or floatxx_compare functions.
Otherwise, it should be left untouched.
FTR, this was detected by inf-compare-[5678] tests within gcc
testsuites.
Signed-off-by: Clément Chigot <chigot@adacore.com>
Message-Id: <20250425093513.863289-1-chigot@adacore.com> Acked-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Stefan Hajnoczi [Mon, 26 May 2025 14:16:59 +0000 (10:16 -0400)]
Merge tag 'pull-aspeed-20250526' of https://github.com/legoater/qemu into staging
aspeed queue:
* Fixed memory leaks in qtest tests
* Reworked and fixed HACE (crypto) model for AST2700 SoC
* Extended HACE qtest tests
* Fixed RAM size detection on BE hosts
* Added network backends to ast2700fc machine
* Mapped main SoC memory into system memory on multi SoC machines
* tag 'pull-aspeed-20250526' of https://github.com/legoater/qemu: (39 commits)
docs: Remove ast2700fc from Aspeed family boards
hw/arm/fby35: Map BMC memory into system memory
hw/arm/aspeed_ast27x0-fc: Map ca35 memory into system memory
hw/arm/aspeed_ast27x0: Fix unimplemented region overlap with vbootrom
hw/arm/aspeed_ast2700-fc: Reduce ca35 ram size to align with ast2700a1
hw/arm/aspeed_ast2700-fc: Add network support
hw/arm/aspeed_ast27x0: Fix RAM size detection failure on BE hosts
hw/intc/aspeed Fix coding style
hw/intc/aspeed: Set impl.min_access_size to 4
test/qtest/hace: Add tests for AST2700
test/qtest/hace: Support to validate 64-bit hmac key buffer addresses
test/qtest/hace: Support to test upper 32 bits of digest and source addresses
test/qtest/hace: Support 64-bit source and digest addresses for AST2700
test/qtest/hace: Update source data and digest data type to 64-bit
test/qtest/hace: Add tests for AST1030
test/qtest/hace: Add SHA-384 tests for AST2600
test/qtest/hace: Add SHA-384 test cases for ASPEED HACE model
test/qtest/hace: Adjust test address range for AST1030 due to SRAM limitations
test/qtest/hace: Specify explicit array sizes for test vectors and hash results
test/qtest: Introduce a new aspeed-hace-utils.c to place common testcases
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Steven Lee [Fri, 23 May 2025 09:31:41 +0000 (17:31 +0800)]
hw/arm/aspeed_ast27x0-fc: Map ca35 memory into system memory
Map the CA35 memory region as a subregion of system_memory to ensure
a valid FlatView. This prevents failures in APIs that rely on the
global memory view, such as rom_check_and_register_reset().
Steven Lee [Fri, 23 May 2025 09:31:40 +0000 (17:31 +0800)]
hw/arm/aspeed_ast27x0: Fix unimplemented region overlap with vbootrom
The unimplemented memory region overlaps with the VBootROM address
range, causing incorrect memory layout.
This patch adjusts the size and start address of the unimplemented
region to avoid collision. The IO memory region (ASPEED_DEV_IOMEM) is
now moved to 0x20000 to reserve space for VBootROM at 0x0.
Although the memory range 0x20000 - 0x10000000 is undefined in the
datasheet and should not be required, further testing shows OP-TEE
or U-Boot may access 0x400000 during early boot.
Removing the unimplemented region causes firmware hangs.
To prevent unexpected accesses, retain the region as a safeguard.
Jamin Lin [Thu, 22 May 2025 02:33:04 +0000 (10:33 +0800)]
hw/arm/aspeed_ast27x0: Fix RAM size detection failure on BE hosts
On big-endian hosts, the aspeed_ram_capacity_write() function previously passed
the address of a 64-bit "data" variable directly to address_space_write(),
assuming host and guest endianness matched.
However, the data is expected to be written in little-endian format to DRAM.
On big-endian hosts, this led to incorrect data being written into DRAM,
which caused the guest firmware to misdetect the DRAM size.
As a result, U-Boot fails to boot and hangs.
- Replaces the "address_space_write()" call with "address_space_stl_le()",
which performs an explicit 32-bit little-endian write.
- Updating the MemoryRegionOps to restrict access to exactly 4 bytes
using .valid.{min,max}_access_size = 4 and .impl.min_access_size = 4.
Jamin Lin [Thu, 22 May 2025 02:33:02 +0000 (10:33 +0800)]
hw/intc/aspeed: Set impl.min_access_size to 4
This patch explicitly sets ".impl.min_access_size = 4" to match the
declared ".valid.min_access_size = 4", enforcing stricter access size
checking and preventing inconsistent partial accesses to the interrupt
controller registers.
Jamin Lin [Thu, 15 May 2025 08:10:00 +0000 (16:10 +0800)]
test/qtest/hace: Add tests for AST2700
The HACE models in AST2600 and AST2700 are nearly identical. Based on the
AST2600 test cases, new tests have been added for AST2700.
Implemented test functions for SHA-256, SHA-384, SHA-512, and MD5.
Added scatter-gather and accumulation test variants.
For AST2700, the HACE controller base address starts at "0x12070000", and
the DRAM start address is "0x4_00000000".
Jamin Lin [Thu, 15 May 2025 08:09:59 +0000 (16:09 +0800)]
test/qtest/hace: Support to validate 64-bit hmac key buffer addresses
Added "key" and "key_hi" fields to "AspeedMasks" for 64-bit addresses test.
Updated "aspeed_test_addresses" to validate "HACE_HASH_KEY_BUFF" and
"HACE_HASH_KEY_BUFF_HI".
Ensured correct masking of 64-bit addresses by checking both lower and upper
32-bit registers.
Jamin Lin [Thu, 15 May 2025 08:09:58 +0000 (16:09 +0800)]
test/qtest/hace: Support to test upper 32 bits of digest and source addresses
Added "src_hi" and "dest_hi" fields to "AspeedMasks" for 64-bit addresses test.
Updated "aspeed_test_addresses" to validate "HACE_HASH_SRC_HI" and
"HACE_HASH_DIGEST_HI".
Ensured correct masking of 64-bit addresses by checking both lower and upper
32-bit registers.
Jamin Lin [Thu, 15 May 2025 08:09:57 +0000 (16:09 +0800)]
test/qtest/hace: Support 64-bit source and digest addresses for AST2700
Added "HACE_HASH_SRC_HI" and "HACE_HASH_DIGEST_HI", "HACE_HASH_KEY_BUFF_HI"
registers to store upper 32 bits.
Updated "write_regs" to handle 64-bit source and digest addresses.
Jamin Lin [Thu, 15 May 2025 08:09:56 +0000 (16:09 +0800)]
test/qtest/hace: Update source data and digest data type to 64-bit
Currently, the hash data source and digest result buffer addresses are set to
32-bit. However, the AST2700 CPU is a 64-bit Cortex-A35 architecture, and its
DRAM base address is also 64-bit.
To support AST2700, update the hash data source address and digest result buffer
address to use 64-bit addressing.
Jamin Lin [Thu, 15 May 2025 08:09:55 +0000 (16:09 +0800)]
test/qtest/hace: Add tests for AST1030
The HACE model in AST2600 and AST1030 is identical. Referencing the AST2600
test cases, new tests have been created for AST1030.
Implemented test functions for SHA-256, SHA-384, SHA-512, and MD5.
Added scatter-gather and accumulation test variants.
For AST1030, the HACE controller base address starts at "0x7e6d0000", and the
SDRAM start address is "0x0".
Jamin Lin [Thu, 15 May 2025 08:09:54 +0000 (16:09 +0800)]
test/qtest/hace: Add SHA-384 tests for AST2600
Introduced "test_sha384_ast2600" to validate SHA-384 hashing.
Added "test_sha384_sg_ast2600" for scatter-gather SHA-384 verification.
Implemented "test_sha384_accum_ast2600" to test SHA-384 accumulation.
Registered new test cases in "main" to ensure execution.
Jamin Lin [Thu, 15 May 2025 08:09:53 +0000 (16:09 +0800)]
test/qtest/hace: Add SHA-384 test cases for ASPEED HACE model
Introduced SHA-384 test functions to verify hashing operations.
Extended support for scatter-gather ("_sg") and accumulation ("_accum") tests.
Updated test result vectors for SHA-384 validation.
Jamin Lin [Thu, 15 May 2025 08:09:52 +0000 (16:09 +0800)]
test/qtest/hace: Adjust test address range for AST1030 due to SRAM limitations
The digest_addr is set to "src_addr + 0x1000000", where src_addr is the DRAM
base address. However, the value 0x1000000 (16MB) is too large because the
AST1030 does not support DRAM, and its SRAM size is only 768KB.
A range size of 0x10000 (64KB) is sufficient for HACE test cases, as the test
vector size does not exceed 64KB.
Updates:
1. Direct Access Mode
Update digest_addr to "src_addr + 0x10000" in the following functions:
aspeed_test_md5
aspeed_test_sha256
aspeed_test_sha512
2. Scatter-Gather (SG) Mode
Update source address for different SG buffer addresses in the following
functions:
src_addr1 = src_addr + 0x10000
src_addr2 = src_addr + 0x20000
src_addr3 = src_addr + 0x30000
digest_addr = src_addr + 0x40000
aspeed_test_sha256_sg
aspeed_test_sha512_sg
3. ACC Mode Update
Update the SG List start address: src_addr + 0x10000
Update the SG List buffer size to 0x30000 (192KB).
Jamin Lin [Thu, 15 May 2025 08:09:51 +0000 (16:09 +0800)]
test/qtest/hace: Specify explicit array sizes for test vectors and hash results
To enhance code readability and prevent potential buffer overflows or unintended
size assumptions, this commit updates all fixed-size array declarations to use
explicit array sizes.
Jamin Lin [Thu, 15 May 2025 08:09:50 +0000 (16:09 +0800)]
test/qtest: Introduce a new aspeed-hace-utils.c to place common testcases
The test cases for the ASPEED HACE model were originally placed in
aspeed_hace-test.c. However, this test file only supports ARM32. To enable
compatibility with all ASPEED SoCs, including the AST2700, which uses the
AArch64 architecture, this update introduces a new source file,
aspeed-hace-utils.c.
All common APIs and test cases have been moved from aspeed_hace-test.c to
aspeed-hace-utils.c to facilitate reuse across different ASPEED SoCs.
As a result, these test cases can now be reused for AST2700 and future ASPEED
SoC testing.
Jamin Lin [Thu, 15 May 2025 08:09:48 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Support to dump plaintext and digest for better debugging
1. Added "hace_hexdump()" to dump a contiguous buffer using qemu_hexdump.
2. Added "hace_iov_hexdump()" to flatten and dump scatter-gather source vectors.
3. Introduced a new trace event: "aspeed_hace_hexdump".
Jamin Lin [Thu, 15 May 2025 08:09:46 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Support DMA 64 bits dram address
According to the AST2700 design, the data source address is 64-bit, with
R_HASH_SRC_HI storing bits [63:32] and R_HASH_SRC storing bits [31:0].
Similarly, the digest address is 64-bit, with R_HASH_DEST_HI storing bits
[63:32] and R_HASH_DEST storing bits [31:0].
To maintain compatibility with older SoCs such as the AST2600, the AST2700 HW
automatically set bit 34 of the 64-bit sg_addr. As a result, the firmware
only needs to provide a 32-bit sg_addr containing bits [31:0]. This is
sufficient for the AST2700, as it uses a DRAM offset rather than a DRAM
address.
Introduce a has_dma64 class attribute and set it to true for the AST2700.
Jamin Lin [Thu, 15 May 2025 08:09:45 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Add support for source, digest, key buffer 64 bit addresses
According to the AST2700 design, the data source address is 64-bit, with
R_HASH_SRC_HI storing bits [63:32] and R_HASH_SRC storing bits [31:0].
Similarly, the digest address is 64-bit, with R_HASH_DIGEST_HI storing bits
[63:32] and R_HASH_DIGEST storing bits [31:0]. The HMAC key buffer address is also
64-bit, with R_HASH_KEY_BUFF_HI storing bits [63:32] and R_HASH_KEY_BUFF storing
bits [31:0].
The AST2700 supports a maximum DRAM size of 8 GB, with a DRAM addressable range
from 0x0_0000_0000 to 0x1_FFFF_FFFF. Since this range fits within 34 bits, only
bits [33:0] are needed to store the DRAM offset. To optimize address storage,
the high physical address bits [1:0] of the source, digest and key buffer
addresses are stored as dram_offset bits [33:32].
To achieve this, a src_hi_mask with a mask value of 0x3 is introduced, ensuring
that src_addr_hi consists of bits [1:0]. The final src_addr is computed as
(src_addr_hi[1:0] << 32) | src_addr[31:0], representing the DRAM offset within
bits [33:0].
Similarly, a dest_hi_mask with a mask value of 0x3 is introduced to ensure that
dest_addr_hi consists of bits [1:0]. The final dest_addr is calculated as
(dest_addr_hi[1:0] << 32) | dest_addr[31:0], representing the DRAM offset within
bits [33:0].
Additionally, a key_hi_mask with a mask value of 0x3 is introduced to ensure
that key_buf_addr_hi consists of bits [1:0]. The final key_buf_addr is
determined as (key_buf_addr_hi[1:0] << 32) | key_buf_addr[31:0], representing
the DRAM offset within bits [33:0].
This approach eliminates the need to reduce the high part of the DRAM physical
address for DMA operations. Previously, this was calculated as
(high physical address bits [7:0] - 4), since the DRAM start address is
0x4_00000000, making the high part address [7:0] - 4.
Jamin Lin [Thu, 15 May 2025 08:09:44 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Move register size to instance class and dynamically allocate regs
Dynamically allocate the register array by removing the hardcoded
ASPEED_HACE_NR_REGS macro.
To support different register sizes across SoC variants, introduce a new
"nr_regs" class attribute and replace the static "regs" array with dynamically
allocated memory.
Add a new "aspeed_hace_unrealize" function to properly free the allocated "regs"
memory during device cleanup.
Remove the bounds checking in the MMIO read/write handlers since the
MemoryRegion size now matches the (register array size << 2).
This commit updates the VMState fields accordingly. The VMState version was
already bumped in a previous patch of this series, so no further version change
is needed.
Jamin Lin [Thu, 15 May 2025 08:09:43 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Support accumulative mode for direct access mode
Enable accumulative mode for direct access mode operations. In direct access
mode, only a single source buffer is used, so the "iovec" count is set to 1.
If "acc_mode" is enabled:
1. Accumulate "total_req_len" with the current request length ("plen").
2. Check for padding and determine whether this is the final request.
Jamin Lin [Thu, 15 May 2025 08:09:42 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Rename R_HASH_DEST to R_HASH_DIGEST and introduce 64-bit hash digest address helper
Renaming R_HASH_DEST to R_HASH_DIGEST for better semantic clarity.
The AST2700 CPU, based on the Cortex-A35, features a 64-bit DRAM address space.
To prepare for future AST2700 support, this change introduces a new helper
function hash_get_digest_addr() to encapsulate digest address extraction logic
and improve code readability.
Jamin Lin [Thu, 15 May 2025 08:09:41 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Introduce 64-bit hash source address helper function
The AST2700 CPU, based on the Cortex-A35, is a 64-bit processor, and its DRAM
address space is also 64-bit. To support future AST2700 updates, the source
hash buffer address data type is being updated to 64-bit.
Introduces the "hash_get_source_addr()" helper function to extract the source hash
buffer address.
Jamin Lin [Thu, 15 May 2025 08:09:40 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Extract accumulation-mode hash execution into helper function
To improve code readability and maintainability of do_hash_operation(), this
commit introduces a new helper function: hash_execute_acc_mode().
This function encapsulates the full flow for accumulation mode, including
context initialization, update, conditional finalization, and digest writeback
with I/O vector unmapping.
Jamin Lin [Thu, 15 May 2025 08:09:38 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Extract digest write and iov unmap into helper function
To improve code readability and maintainability of do_hash_operation(), this
commit introduces a new helper function: hash_write_digest_and_unmap_iov().
The helper consolidates the final digest writeback and subsequent unmapping of
the I/O vectors into a single routine.
Jamin Lin [Thu, 15 May 2025 08:09:37 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Extract SG-mode hash buffer setup into helper function
To improve code readability and maintainability of do_hash_operation(), this
commit introduces a new helper function: hash_prepare_sg_iov().
This function handles scatter-gather (SG) mode setup, including SG list
parsing, address mapping, and optional accumulation mode support with
padding detection.
Jamin Lin [Thu, 15 May 2025 08:09:36 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Extract direct mode hash buffer setup into helper function
To improve code readability and maintainability of do_hash_operation(), this
commit introduces a new helper function: hash_prepare_direct_iov().
This function encapsulates the logic for setting up the I/O vector (iov)
in direct mode (non-scatter-gather).
Jamin Lin [Thu, 15 May 2025 08:09:35 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Ensure HASH_IRQ is always set to prevent firmware hang
Currently, if the program encounters an unsupported algorithm, it does not set
the HASH_IRQ bit in the status register and send an interrupt to indicate
command completion. As a result, the FW gets stuck waiting for a completion
signal from the HACE module.
Additionally, in do_hash_operation, if an error occurs within the conditional
statement, the HASH_IRQ bit is not set in the status register. This causes the
firmware to continuously send HASH commands, as it is unaware that the HACE
model has completed processing the command.
To fix this, the HASH_IRQ bit in the status register must always be set to
ensure that the firmware receives an interrupt from the HACE module, preventing
it from getting stuck or repeatedly sending HASH commands.
Jamin Lin [Thu, 15 May 2025 08:09:34 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Improve readability and consistency in variable naming
Currently, users define multiple local variables within different if-statements.
To improve readability and maintain consistency in variable naming, rename the
variables accordingly.
Introduced "sg_addr" to clearly indicate the scatter-gather mode buffer address.
Jamin Lin [Thu, 15 May 2025 08:09:33 +0000 (16:09 +0800)]
hw/misc/aspeed_hace: Remove unused code for better readability
In the previous design of the hash framework, accumulative hashing was not
supported. To work around this limitation, commit 5cd7d85 introduced an
iov_cache array to store all the hash data from firmware.
Once the ASPEED HACE model collected all the data, it passed the iov_cache to
the hash API to calculate the final digest.
However, with commit e3c0752, the hash framework now supports accumulative
hashing. This allows us to refactor the ASPEED HACE model, removing redundant
logic and simplifying the implementation for better readability and
maintainability.
As a result, the iov_count variable is no longer needed—it was previously used
to track how many cached entries were used for hashing.
To maintain VMSTATE compatibility after removing this field, the VMSTATE_VERSION
is bumped to 2
This cleanup follows significant changes in commit 4c1d0af4a28d, making the
model more readable.
- Deleted "iov_cache" and "iov_count" from "AspeedHACEState".
- Removed "reconstruct_iov" function and related logic.
- Simplified "do_hash_operation" by eliminating redundant checks.
Fabiano Rosas [Fri, 9 May 2025 17:50:47 +0000 (14:50 -0300)]
tests/qtest/ast2700-smc-test: Fix leak
ASAN spotted a leak of the memory used to hold the tmp_path:
Direct leak of 35 byte(s) in 1 object(s) allocated from:
#0 0x55e29aa96da9 in malloc ../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x7fe0cfb26518 in g_malloc ../glib/gmem.c:106
#2 0x7fe0cfb4146e in g_strconcat ../glib/gstrfuncs.c:629
#3 0x7fe0cfb0a78f in g_get_tmp_name ../glib/gfileutils.c:1742
#4 0x7fe0cfb0b00b in g_file_open_tmp ../glib/gfileutils.c:1802
#5 0x55e29ab53961 in test_ast2700_evb ../tests/qtest/ast2700-smc-test.c:20:10
#6 0x55e29ab53803 in main ../tests/qtest/ast2700-smc-test.c:65:5
#7 0x7fe0cf7bd24c in __libc_start_main ../csu/libc-start.c:308
#8 0x55e29a9f7759 in _start ../sysdeps/x86_64/start.S:120
Signed-off-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Jamin Lin <jamin_lin@aspeedtech.com>
Message-ID: <20250509175047.26066-1-farosas@suse.de> Signed-off-by: Cédric Le Goater <clg@redhat.com>
* tag 'audio-pull-request' of https://gitlab.com/marcandre.lureau/qemu:
audio: Reset rate control when adding bytes
alsaaudio: Set try-poll to false by default
audio: add float sample endianness converters
audio/mixeng: remove unnecessary pointer type casts
hw/audio/asc: replace g_malloc0() with g_malloc()
hw/audio/asc: fix SIGSEGV in asc_realize()
audio: fix size calculation in AUD_get_buffer_size_out()
audio: fix SIGSEGV in AUD_get_buffer_size_out()
tests/functional: use 'none' audio driver for q800 tests
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu:
ui/gtk-egl: Render guest content with padding in fixed-scale mode
ui/gtk-gl-area: Render guest content with padding in fixed-scale mode
ui/gtk: Consider scaling when propagating ui info
ui/gtk: Don't update scale in fixed scale mode in gtk-egl.c
ui/sdl: Consider scaling in mouse event handling
ui/gtk: Update scales in fixed-scale mode when rendering GL area
gtk/ui: Introduce helper gd_update_scale
ui/gtk: Use consistent naming for variables in different coordinates
ui/gtk: Document scale and coordinate handling
ui/vdagent: remove migration blocker
ui/vdagent: add migration support
ui/vdagent: factor out clipboard peer registration
ui/vdagent: keep "connected" state
ui/vdagent: replace Buffer with GByteArray
ui/clipboard: delay clipboard update when not running
ui/clipboard: add vmstate_cbinfo
ui/clipboard: split out QemuClipboardContent
ui/clipboard: use int for selection field
ui/gtk: warn if setting the clipboard failed
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Akihiko Odaki [Mon, 17 Mar 2025 08:05:29 +0000 (17:05 +0900)]
audio: Reset rate control when adding bytes
Commit 90320051ea99 ("spiceaudio: add a pcm_ops buffer_get_free
function") caused to emit messages saying "Resetting rate control"
frequently when the guest generates no frames.
audio_rate_peek_bytes() resets the rate control when frames < 0 ||
frames > 65536 where frames is the rate-limited number of frames.
Resetting when frames < 0 is sensible as the number simply doesn't make
sense.
There is a problem when frames > 65536. It implies the guest stopped
generating frames for a while so it makes sense to reset the rate
control when the guest resumed generating frames. However, the
commit mentioned earlier broke this assumption by letting spiceaudio
call audio_rate_peek_bytes() whether the guest is generating frames or
not.
Reset the rate control in audio_rate_add_bytes(), which is called only
when actually adding frames, according to the previous call to
audio_rate_peek_bytes() to avoid frequent rate control resets even when
the guest generates no frame.
BALATON Zoltan [Sun, 16 Mar 2025 00:20:46 +0000 (01:20 +0100)]
alsaaudio: Set try-poll to false by default
Quoting Volker Rümelin: "try-poll=on tells the ALSA backend to try to
use an event loop instead of the audio timer. This works most of the
time. But the poll event handler in the ALSA backend has a bug. For
example, if the guest can't provide enough audio frames in time, the
ALSA buffer is only partly full and the event handler will be called
again and again on every iteration of the main loop. This increases
the processor load and the guest has less processor time to provide
new audio frames in time. I have two examples where a guest can't
recover from this situation and the guest seems to hang."
One reproducer I've found is booting MorphOS demo iso on
qemu-system-ppc -machine pegasos2 -audio alsa which should play a
startup sound but instead it freezes. Even when it does not hang it
plays choppy sound. Volker suggested using command line to set
try-poll=off saying: "The try-poll=off arguments are typically
necessary, because the alsa backend has a design issue with
try-poll=on. If the guest can't provide enough audio frames, it's
really unhelpful to ask for new audio frames on every main loop
iteration until the guest can provide enough audio frames. Timer based
playback doesn't have that problem."
But users cannot easily find this option and having a non-working
default is really unhelpful so to make life easier just set it to
false by default which works until the issue with the alsa backend can
be fixed.
Volker Rümelin [Thu, 15 May 2025 05:44:29 +0000 (07:44 +0200)]
audio: add float sample endianness converters
Commit ed2a4a7941 ("audio: proper support for float samples in
mixeng") added support for float audio samples. As there were no
audio frontend devices with float support at that time, the code
was limited to native endian float samples.
When nobody was paying attention, an audio device that supports
floating point samples crept in with commit eb9ad377bb
("virtio-sound: handle control messages and streams").
Add code for the audio subsystem to convert float samples to the
correct endianness.
The type punning code was taken from the PipeWire project.
projects / thirdparty / qemu.git / log
