stove [Wed, 27 Aug 2025 20:36:17 +0000 (13:36 -0700)]
target/riscv: use riscv_csrr in riscv_csr_read
Commit 38c83e8d3a33 ("target/riscv: raise an exception when CSRRS/CSRRC
writes a read-only CSR") changed the behavior of riscv_csrrw, which
would formerly be treated as read-only if the write mask were set to 0.
Fixes an exception being raised when accessing read-only vector CSRs
like vtype.
Fixes: 38c83e8d3a33 ("target/riscv: raise an exception when CSRRS/CSRRC writes a read-only CSR") Signed-off-by: stove <stove@rivosinc.com> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <20250827203617.79947-1-stove@rivosinc.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
target/riscv/kvm: Use riscv_cpu_is_32bit() when handling SBI_DBCN reg
Use the existing riscv_cpu_is_32bit() helper to check for 32-bit CPU.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
Message-ID: <20250924164515.51782-1-philmd@linaro.org> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
target/riscv: Save stimer and vstimer in CPU vmstate
vmstate_riscv_cpu was missing env.stimer and env.vstimer.
Without migrating these QEMUTimer fields, active S/VS-mode
timer events are lost after snapshot or migration.
Add VMSTATE_TIMER_PTR() entries to save and restore them.
Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Signed-off-by: TANG Tiancheng <lyndra@linux.alibaba.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250911-timers-v3-4-60508f640050@linux.alibaba.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
hw/intc: Save timers array in RISC-V mtimer VMState
The current 'timecmp' field in vmstate_riscv_mtimer is insufficient to keep
timers functional after migration.
If an mtimer's entry in 'mtimer->timers' is active at the time the snapshot
is taken, it means riscv_aclint_mtimer_write_timecmp() has written to
'mtimecmp' and scheduled a timer into QEMU's main loop 'timer_list'.
During snapshot save, these active timers must also be migrated; otherwise,
after snapshot load there is no mechanism to restore 'mtimer->timers' back
into the 'timer_list', and any pending timer events would be lost.
QEMU's migration framework commonly uses VMSTATE_TIMER_xxx macros to save
and restore 'QEMUTimer' variables. However, 'timers' is a pointer array
with variable length, and vmstate.h did not previously provide a helper
macro for such type.
This commit adds a new macro, 'VMSTATE_TIMER_PTR_VARRAY', to handle saving
and restoring a variable-length array of 'QEMUTimer *'. We then use this
macro to migrate the 'mtimer->timers' array, ensuring that timer events
remain scheduled correctly after snapshot load.
Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com> Signed-off-by: TANG Tiancheng <lyndra@linux.alibaba.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250911-timers-v3-3-60508f640050@linux.alibaba.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
migration: Add support for a variable-length array of UINT32 pointers
Add support for defining a vmstate field which is a variable-length array
of pointers, and use this to define a VMSTATE_TIMER_PTR_VARRAY() which allows
a variable-length array of QEMUTimer* to be used by devices.
Message-id: 20250909-timers-v1-0-7ee18a9d8f4b@linux.alibaba.com Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com> Reviewed-by: Peter Xu <peterx@redhat.com> Signed-off-by: TANG Tiancheng <lyndra@linux.alibaba.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250911-timers-v3-2-60508f640050@linux.alibaba.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
In QEMU's RISC-V ACLINT timer model, 'mtime' is not stored directly as a
state variable. It is computed on demand as:
mtime = rtc_r + time_delta
where:
- 'rtc_r' is the current VM virtual time (in ticks) obtained via
cpu_riscv_read_rtc_raw() from QEMU_CLOCK_VIRTUAL.
- 'time_delta' is an offset applied when the guest writes a new 'mtime'
value via riscv_aclint_mtimer_write():
time_delta = value - rtc_r
Under this design, 'rtc_r' is assumed to be monotonically increasing
during VM execution. Even if the guest writes an 'mtime' value smaller
than the current one (making 'time_delta' negative in signed arithmetic,
or underflow in unsigned arithmetic), the computed 'mtime' remains
correct because 'rtc_r_new > rtc_r_old':
mtime_new = rtc_r_new + (value - rtc_r_old)
However, this monotonicity assumption breaks on snapshot load.
Before restoring a snapshot, QEMU resets the guest, which calls
riscv_aclint_mtimer_reset_enter() to set 'mtime' to 0 and recompute
'time_delta' as:
time_delta = 0 - rtc_r_reset
Here, the time_delta differs from the value that was present when the
snapshot was saved. As a result, subsequent reads produce a fixed offset
from the true mtime.
This can be observed with the 'date' command inside the guest: after loading
a snapshot, the reported time appears "frozen" at the save point, and only
resumes correctly after the guest has run long enough to compensate for the
erroneous offset.
The fix is to treat 'time_delta' as part of the device's migratable
state and save/restore it via vmstate. This preserves the correct
relation between 'rtc_r' and 'mtime' across snapshot save/load, ensuring
'mtime' continues incrementing from the precise saved value after
restore.
Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Signed-off-by: TANG Tiancheng <lyndra@linux.alibaba.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250911-timers-v3-1-60508f640050@linux.alibaba.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Frank Chang [Thu, 11 Sep 2025 16:06:46 +0000 (00:06 +0800)]
hw/char: sifive_uart: Add newline to error message
Adds a missing newline character to the error message.
Signed-off-by: Frank Chang <frank.chang@sifive.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250911160647.5710-5-frank.chang@sifive.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Frank Chang [Thu, 11 Sep 2025 16:06:45 +0000 (00:06 +0800)]
hw/char: sifive_uart: Remove outdated comment about Tx FIFO
Since Tx FIFO is now implemented using "qemu/fifo8.h", remove the comment
that no longer reflects the current implementation.
Signed-off-by: Frank Chang <frank.chang@sifive.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250911160647.5710-4-frank.chang@sifive.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Frank Chang [Thu, 11 Sep 2025 16:06:44 +0000 (00:06 +0800)]
hw/char: sifive_uart: Avoid pushing Tx FIFO when size is zero
There's no need to call fifo8_push_all() when size is zero.
Signed-off-by: Frank Chang <frank.chang@sifive.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250911160647.5710-3-frank.chang@sifive.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Frank Chang [Thu, 11 Sep 2025 16:06:43 +0000 (00:06 +0800)]
hw/char: sifive_uart: Raise IRQ according to the Tx/Rx watermark thresholds
Currently, the SiFive UART raises an IRQ whenever:
1. ie.txwm is enabled.
2. ie.rxwm is enabled and the Rx FIFO is not empty.
It does not check the watermark thresholds set by software. However,
since commit [1] changed the SiFive UART character printing from
synchronous to asynchronous, Tx overflows may occur, causing characters
to be dropped when running Linux because:
1. The Linux SiFive UART driver sets the transmit watermark level to 1
[2], meaning a transmit watermark interrupt is raised whenever a
character is enqueued into the Tx FIFO.
2. Upon receiving a transmit watermark interrupt, the Linux driver
transfers up to a full Tx FIFO's worth of characters from the Linux
serial transmit buffer [3], without checking the txdata.full flag
before transferring multiple characters [4].
To fix this issue, we must honor the Tx/Rx watermark thresholds and
raise interrupts only when the Tx threshold is exceeded or the Rx
threshold is undercut.
Signed-off-by: Frank Chang <frank.chang@sifive.com> Signed-off-by: Emmanuel Blot <emmanuel.blot@sifive.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250911160647.5710-2-frank.chang@sifive.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Update OpenSBI and the pre-built opensbi32 and opensbi64 images to
version 1.7.
It has been almost an year since we last updated OpenSBI (at the time,
up to v1.5.1) and we're missing a lot of good stuff from both v1.6 and
v1.7, including SBI 3.0 and RPMI 1.0.
The changelog is too large and tedious to post in the commit msg so I
encourage refering to [1] and [2] to see the new features we're adding
into the QEMU roms.
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
The MonitorDef API is related to two HMP monitor commands: 'p' and 'x':
(qemu) help p
print|p /fmt expr -- print expression value (use $reg for CPU register access)
(qemu) help x
x /fmt addr -- virtual memory dump starting at 'addr'
For x86, one of the few targets that implements it, it is possible to
print the PC register value with $pc and use the PC value in the 'x'
command as well.
Those 2 commands are hooked into get_monitor_def(), called by
exp_unary() in hmp.c. The function tries to fetch a reg value in two
ways: by reading them directly via a target_monitor_defs array or using
a target_get_monitor_def() helper. In RISC-V we have *A LOT* of
registers and this number will keep getting bigger, so we're opting out
of an array declaration.
We're able to retrieve all regs but vregs because the API only fits an
uint64_t and vregs have 'vlen' size that are bigger than that.
With this patch we can do things such as:
- print CSRs and use their val in expressions:
(qemu) p $mstatus
0xa000000a0
(qemu) p $mstatus & 0xFF
0xa0
- dump the next 10 insn from virtual memory starting at x1 (ra):
Suggested-by: Dr. David Alan Gilbert <dave@treblig.org> Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250703130815.1592493-1-dbarboza@ventanamicro.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
linux-user/syscall.c: sync RISC-V hwprobe with Linux
It has been awhile since the last sync. Let's bring QEMU hwprobe support
on par with Linux 6.17-rc4.
A lot of new RISCV_HWPROBE_KEY_* entities are added but this patch is
only adding support for ZICBOM_BLOCK_SIZE.
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250903164043.2828336-1-dbarboza@ventanamicro.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Andrew Jones [Thu, 4 Sep 2025 13:27:24 +0000 (08:27 -0500)]
hw/riscv/riscv-iommu: Fix MSI table size limit
The MSI table is not limited to 4k. The only constraint the table has
is that its base address must be aligned to its size, ensuring no
offsets of the table size will overrun when added to the base address
(see "8.5. MSI page tables" of the AIA spec).
Fixes: 0c54acb8243d ("hw/riscv: add RISC-V IOMMU base emulation") Signed-off-by: Andrew Jones <ajones@ventanamicro.com> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <20250904132723.614507-2-ajones@ventanamicro.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Merge tag 'rust-ci-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging
CI/build-sys fixes for Rust
Collect CI/build-sys patches related to Rust.
# -----BEGIN PGP SIGNATURE-----
#
# iQJQBAABCgA6FiEEh6m9kz+HxgbSdvYt2ujhCXWWnOUFAmjb+PUcHG1hcmNhbmRy
# ZS5sdXJlYXVAcmVkaGF0LmNvbQAKCRDa6OEJdZac5Y3iEAC2C8pc2lPCTGFI+0N/
# eqXwTCeSysbmprhqf3vWXQEke8WgYMGPeZNXqUUnzzRuR5oN7JTy6YNzLCM0jGUp
# QHciTecyPVQjIlWOs+HURqKsrLO2CG1sbWuips1eZ6X8O5KdHLxfFqvyReflEn/z
# G1LHhQEWQzKwR0kj3VVHjyUzeSIJVch8sVONkby4h2DMFO4lHtcrr7VAzKlwKGAt
# kgFgijaLe7xCPktJs7g2x+NfBeRbnQ/3mb3/3pkunx98Dhhis0yTZSyfzlChyVfL
# FwTf/xWgw/0oQ8+c9E/RJz6DVvgjJNASrLumuZWO7HVdDV60cvMwb3xHOcQmAz7t
# +ySKM08jI9lWYIr/tKnwWo1NWFWPzDts0L+M/pRhQ1/pYw8OnYvtwnKd3ClEVRbp
# dYcKRE97t3L8BbWyB5hTvTc0V0IVbOOhfDVZfG/IPqxIKWHeCGLL2PiyKGBgfU2M
# V4okrMbGqWH72HZbLUpMYcaaK9lVv6ng/3AH817giJVnCuNO06m420/7Q8WcX68o
# foIeTbL83h8KCqi8pGCJUW9Wz3/wIk3AYkUKwdISswCL6nSgt7pk7K1fnFwGI4bu
# PqzQITelnRUK0TOvqzbDi6Y3j0p06/bc4TAHoI76Yzi3iUrQL0ynOAFFf6Wk13p9
# EnMAlnsrY9kyJrCMU66lroU/RQ==
# =rMSk
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 30 Sep 2025 08:36:21 AM PDT
# gpg: using RSA key 87A9BD933F87C606D276F62DDAE8E10975969CE5
# gpg: issuer "marcandre.lureau@redhat.com"
# gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>" [unknown]
# gpg: aka "Marc-André Lureau <marcandre.lureau@gmail.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 87A9 BD93 3F87 C606 D276 F62D DAE8 E109 7596 9CE5
* tag 'rust-ci-pull-request' of https://gitlab.com/marcandre.lureau/qemu: (23 commits)
build-sys: pass -fvisibility=default for wasm bindgen
build-sys: deprecate mips host
meson: rust-bindgen limit allowlist-file to srcdir/include
tests/freebsd: enable Rust
configure: set the meson executable suffix/ext
tests/lcitool: enable rust & refresh
tests/docker: add ENABLE_RUST environment
tests/lcitool: update to debian13
tests/lcitool: add missing rust-std dep
lcitool/alpine: workaround bindgen issue
lcitool/qemu: include libclang-rt for TSAN
lcitool: update, switch to f41
build-sys: cfi_debug and safe_stack are not compatible
tests/docker/common: print meson log on configure failure
tests/docker: use fully qualified image name for emsdk
tests/docker/common: print errors to stderr
configure: set the bindgen cross target
configure: fix rust meson configuration
scripts/archive-source: use a bash array
scripts/archive-source: silence subprojects downloads
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Merge tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging
UI-related
Fixes for gtk, sdl2, spice UI backends.
# -----BEGIN PGP SIGNATURE-----
#
# iQJQBAABCgA6FiEEh6m9kz+HxgbSdvYt2ujhCXWWnOUFAmjbjIEcHG1hcmNhbmRy
# ZS5sdXJlYXVAcmVkaGF0LmNvbQAKCRDa6OEJdZac5Q70EACGm3PbuN9NAn0xOxTR
# +uBftfnsdSFuksh6NpTi9IxHrP75VMtepBsxpS1F0HWjKBIvTcSvNMdVIOUyfSWo
# zCT9nIMX0Wk7NKdHRwayW/EQGOrZrbGcI/jwCg0BvfgfTyi1SNQnNCQOH2swG5rz
# gZr6/53PQGrva0cM1PooaqZRGRG+3aPLuMAt2aS3ZDtHNTT6WN5KrvtmNGck8OCL
# uLcsc25WPH1sWQ2yfxj66L+GLdDO0GXAAa88XoBDpnIVrbGiply5tdZlMz4QRjYB
# nxMwTgsFfWSZgCnWie83YhmKPsYcKVinulieUKygS18+VVz0rUEJtsDPjlsyA9Uc
# LP6zgYP0RV9knLfImfpevE5AGtw8FwjV0wlqg30+hNOyZXmpWzyWSN6Kwu72GIIu
# Ox1cY03bxkhGz8KlYqdcGrkxm7SZIEH8IoSoAisRwSA6AchxTT8c8qgeAv5jgk4d
# SrZoAgrgxK70UjuvYRW0ukE5MegXIfZMmKFa254b8zfnlFNSF10LwOiqXsw20IPl
# SGvbTjEkEw/sJlPAZdUr4tEH/Xu1f3OLy4zH2gJiHlHMbgR1ndKiA3JUTpTytOne
# nERTCPX1vXURI27l3JY6hu1NJuy+k+DZE9K/gPFMXnrQk1Ma7qIVyUqPDUOK2WtV
# 8gISszSdbQl6mNxvMjiyy52eZg==
# =7A6g
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 30 Sep 2025 12:53:37 AM PDT
# gpg: using RSA key 87A9BD933F87C606D276F62DDAE8E10975969CE5
# gpg: issuer "marcandre.lureau@redhat.com"
# gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>" [unknown]
# gpg: aka "Marc-André Lureau <marcandre.lureau@gmail.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 87A9 BD93 3F87 C606 D276 F62D DAE8 E109 7596 9CE5
* tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu:
ui/icons/qemu.svg: Add metadata information (author, license) to the logo
ui/sdl2: fix reset scaling binding to be consistent with gtk
ui/spice: fix crash when disabling GL scanout on
ui/spice: Fix abort on macOS
gtk: Skip drawing if console surface is NULL
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
meson: rust-bindgen limit allowlist-file to srcdir/include
gitlab CI restricts usage of directories for the build environment and
cache. Msys64 is installed under project root ($srcdir/msys64). This
confuses rust-bindgen allowlist-file which will generate bindings for
all the system include headers under msys64/.
blocklist-file is also too strict, as it prevents generating all the
recursively dependent types coming from system includes.
Instead, let's not use allowlist-file from the project root,
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250924120426.2158655-17-marcandre.lureau@redhat.com>
build-sys: cfi_debug and safe_stack are not compatible
It fails to link on fedora >= 41:
/usr/bin/ld: /usr/bin/../lib/clang/20/lib/x86_64-redhat-linux-gnu/libclang_rt.safestack.a(safestack.cpp.o): in function `__sanitizer_internal_memcpy':
(.text.__sanitizer_internal_memcpy+0x0): multiple definition of `__sanitizer_internal_memcpy'; /usr/bin/../lib/clang/20/lib/x86_64-redhat-linux-gnu/libclang_rt.ubsan_standalone.a(sanitizer_libc.cpp.o):(.text.__sanitizer_internal_memcpy+0x0): first defined here
/usr/bin/ld: /usr/bin/../lib/clang/20/lib/x86_64-redhat-linux-gnu/libclang_rt.safestack.a(safestack.cpp.o): in function `__sanitizer_internal_memmove':
(.text.__sanitizer_internal_memmove+0x0): multiple definition of `__sanitizer_internal_memmove'; /usr/bin/../lib/clang/20/lib/x86_64-redhat-linux-gnu/libclang_rt.ubsan_standalone.a(sanitizer_libc.cpp.o):(.text.__sanitizer_internal_memmove+0x0): first defined here
/usr/bin/ld: /usr/bin/../lib/clang/20/lib/x86_64-redhat-linux-gnu/libclang_rt.safestack.a(safestack.cpp.o): in function `__sanitizer_internal_memset':
(.text.__sanitizer_internal_memset+0x0): multiple definition of `__sanitizer_internal_memset'; /usr/bin/../lib/clang/20/lib/x86_64-redhat-linux-gnu/libclang_rt.ubsan_standalone.a(sanitizer_libc.cpp.o):(.text.__sanitizer_internal_memset+0x0): first defined here
cfi_debug seems to pull ubsan which has conflicting symbols with safe_stack.
See also: https://bugzilla.redhat.com/show_bug.cgi?id=2397265
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20250924120426.2158655-12-marcandre.lureau@redhat.com>
tests/docker: use fully qualified image name for emsdk
Without it, at least it fails with podman on fc42:
[1/6] STEP 1/15: FROM emscripten/emsdk:3.1.50 AS build-base
Error: creating build container: short-name resolution enforced but cannot prompt without a TTY
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
Message-ID: <20250924120426.2158655-10-marcandre.lureau@redhat.com>
It was incorrectly set on the [host_machine] and caused error:
File "/tmp/qemu-test/build/pyvenv/lib/python3.11/site-packages/mesonbuild/envconfig.py", line 281, in from_literal
assert all(isinstance(v, str) for v in raw.values()), 'for mypy'
AssertionError: for mypy
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20250924120426.2158655-7-marcandre.lureau@redhat.com>
build-sys: require -lrt when no shm_open() in std libs
Fail during configure time if the shm functions are missing, as required
by oslib-posix.c. Note, we could further check the presence of the
function in librt.
This is a minor cleanup/improvement.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250924120426.2158655-2-marcandre.lureau@redhat.com>
Thomas Huth [Tue, 30 Sep 2025 07:14:18 +0000 (09:14 +0200)]
ui/icons/qemu.svg: Add metadata information (author, license) to the logo
We've got two versions of the QEMU logo in the repository, one with
the whole word "QEMU" (pc-bios/qemu_logo.svg) and one that only contains
the letter "Q" (ui/icons/qemu.svg). While qemu_logo.svg contains the
proper metadata with license and author information, this is missing
from the ui/icons/qemu.svg file. Copy the meta data there so that
people have a chance to know the license of the file if they only
look at the qemu.svg file.
When spice_qxl_gl_scanout2() isn't available, the fallback code
incorrectly handles NULL arguments to disable the scanout, leading to:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 spice_server_gl_scanout (qxl=0x55a25ce57ae8, fd=0x0, width=0, height=0, offset=0x0, stride=0x0, num_planes=0, format=0, modifier=72057594037927935, y_0_top=0)
at ../ui/spice-display.c:983
983 if (num_planes <= 1) {
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2391334 Fixes: 98a050ca93afd8 ("ui/spice: support multi plane dmabuf scanout") Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <20250903193818.2460914-1-marcandre.lureau@redhat.com>
Weifeng Liu [Mon, 14 Jul 2025 14:17:54 +0000 (22:17 +0800)]
gtk: Skip drawing if console surface is NULL
In gtk draw/render callbacks, add an early NULL check for the console
surface and skip drawing if it's NULL. Otherwise, attempting to fetch
its width and height crash. This change fixes Coverity CID 1610328.
In practice, this case wouldn't happen at all because we always install
a placeholder surface to the console when there is nothing to display.
Merge tag 'pull-aspeed-20250929' of https://github.com/legoater/qemu into staging
aspeed queue:
* Introduce a new ASPEED OTP memory device model integrated with the
Secure Boot Controller. It includes a new block device backend
('drive' property), is enabled for AST2600 SoCs and AST1030 SoCs.
Functional tests are included
* Changed "ast2700-evb" alias to point to the "ast2700a1-evb" machine
* Introduce support for Aspeed PCIe host controller, including models
for the PCIe Root Complex, Root Port, and PHY. Enabled for the
AST2600 and AST2700 SoCs, and functional tests are included
* Refactor Boot ROM support to improve code reuse across the different
Aspeed machine. This is in preparation of vbootrom support in the
ast2700fc machine
* Improved Error Handling in the AST27x0-fc machine init functions
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEoPZlSPBIlev+awtgUaNDx8/77KEFAmjauRoACgkQUaNDx8/7
# 7KGAxA//YdPPGf8vKhPeblUt0/3760GGhI17TBWJFVZP/aZYcIiE0oRxo5zH0Lne
# YjwFKTtx7GXzbE2wqVCLSt/VPDAEMk6wZGwGvMbmeydssyNjbPuF79+EVYnFsUrQ
# Zkm8YPf/qFcKYFxp8O5GTKedAu70AFDMkFwy2xuBRqE5v0RQJe20+EHaiEC8S+3a
# z5PIZJ74J3m4d+h+BlIHoiPe7hwTiyQ8V4rrWKWupwqDBExZfgNGX0zGPZDOlwOo
# bpV38gb0ugyG93/FJSXyXQqiiH5h+10CaSzc1QuytYtQXAM2qj60Kh86YruTsbLu
# g3TUz+jOgDatTk/MhH8q/gtwDjmqcygGeybbMJZeCzhq1qLIFgJW2KwPNwj8eHCd
# 7jZp6NT9GekVMB+FghApWjc63EozKveJ3wzyHE481GGF7TgvuVF1Km+dVHNPjpBz
# pjXgIeKmDl0hmgGp3Se9S8B1ryWK3+KvuNoKe63UK/NMCkSXF3xTerkU1evJjIrp
# B9Tus7kLRqbDGWPyprp1d7Jv6MKJ6sELKvGHlalMcnzo4vAvQu1RB5s1kYqsCGlY
# 414Bc2v/YdkLxQGU6hCp1rABq3sIdWVzxRJ4c0XalRNZBkOmlsy1p5FaG5RXQdhz
# Gm27nzDAWBeNmWD6Jjjj6VwWmqBbSO4M4mYVTMnTfEaO7y/l1d4=
# =7BzG
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 29 Sep 2025 09:51:38 AM PDT
# gpg: using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <clg@redhat.com>" [full]
# gpg: aka "Cédric Le Goater <clg@kaod.org>" [full]
* tag 'pull-aspeed-20250929' of https://github.com/legoater/qemu: (32 commits)
hw/arm/aspeed_ast27x0-fc: Make sub-init functions return bool with errp
hw/arm/aspeed_ast27x0-fc: Drop dead return checks
hw/arm/aspeed: Move aspeed_load_vbootrom to common SoC code
hw/arm/aspeed: Move aspeed_install_boot_rom to common SoC code
hw/arm/aspeed: Move write_boot_rom to common SoC code
hw/arm/aspeed: Move aspeed_board_init_flashes() to common SoC code
tests/functional/arm/test_aspeed_ast2600: Add PCIe and network test
hw/arm/aspeed_ast27x0: Introduce 3 PCIe RCs for AST2700
hw/pci-host/aspeed: Disable Root Device and place Root Port at 00:00.0 to AST2700
hw/pci-host/aspeed: Add AST2700 PCIe config with dedicated H2X blocks
hw/pci-host/aspeed: Add AST2700 PCIe PHY
hw/arm/aspeed_ast2600: Add PCIe RC support (RC_H only)
hw/arm/aspeed: Wire up PCIe devices in SoC model
hw/pci-host/aspeed: Add MSI support and per-RC IOMMU address space
hw/pci-host/aspeed: Add AST2600 PCIe Root Port and make address configurable
hw/pci-host/aspeed: Add AST2600 PCIe Root Device support
hw/pci-host/aspeed: Add AST2600 PCIe config space and host bridge
hw/pci-host/aspeed: Add AST2600 PCIe PHY model
hw/pci/pci_ids: Add PCI vendor ID for ASPEED
tests/functional/arm: Add AST2600 boot test with generated OTP image
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Jamin Lin [Thu, 25 Sep 2025 05:05:32 +0000 (13:05 +0800)]
hw/arm/aspeed_ast27x0-fc: Make sub-init functions return bool with errp
Refactor ast2700fc_ca35_init(), ast2700fc_ssp_init(), and ast2700fc_tsp_init()
to take an Error **errp parameter and return a bool.
Each function now reports failure through the error object and returns false.
Jamin Lin [Thu, 25 Sep 2025 05:05:31 +0000 (13:05 +0800)]
hw/arm/aspeed_ast27x0-fc: Drop dead return checks
1. object_property_set_link() can return false only when it fails, and it
sets an error when it fails. Since passing &error_abort causes an abort,
the function never returns false, and the return statement is effectively
dead code.
2. object_property_set_int() is considered as a routine which shouldn't fail.
So the common practice in models is to pass &error_abort and ignore the returned value.
https://patchwork.kernel.org/project/qemu-devel/patch/20250717034054.1903991-3-jamin_lin@aspeedtech.com/#26540626
Jamin Lin [Thu, 25 Sep 2025 05:05:30 +0000 (13:05 +0800)]
hw/arm/aspeed: Move aspeed_load_vbootrom to common SoC code
Move the vbootrom loader helper into common SoC code so it can be reused
by all ASPEED boards, and decouple the API from AspeedMachineState.
Specifically:
- Move aspeed_load_vbootrom() to hw/arm/aspeed_soc_common.c and
declare it in include/hw/arm/aspeed_soc.h.
- Change the helper’s signature to take AspeedSoCState * instead of
AspeedMachineState *.
- Update aspeed_machine_init() call sites accordingly.
Jamin Lin [Thu, 25 Sep 2025 05:05:29 +0000 (13:05 +0800)]
hw/arm/aspeed: Move aspeed_install_boot_rom to common SoC code
Move the boot ROM install helper into common SoC code so it can be reused
by all ASPEED boards, and decouple the API from AspeedMachineState.
Specifically:
- Move aspeed_install_boot_rom() to hw/arm/aspeed_soc_common.c and
declare it in include/hw/arm/aspeed_soc.h.
- Change the helper’s signature to take AspeedSoCState * and a
MemoryRegion * provided by the caller, instead of AspeedMachineState *.
- Update aspeed_machine_init() call sites accordingly.
Jamin Lin [Thu, 25 Sep 2025 05:05:28 +0000 (13:05 +0800)]
hw/arm/aspeed: Move write_boot_rom to common SoC code
Move the write_boot_rom helper from hw/arm/aspeed.c into
hw/arm/aspeed_soc_common.c so it can be reused by all ASPEED
machines. Export the API as aspeed_write_boot_rom() in
include/hw/arm/aspeed_soc.h and update the existing call site
to use the new helper.
Jamin Lin [Thu, 25 Sep 2025 05:05:27 +0000 (13:05 +0800)]
hw/arm/aspeed: Move aspeed_board_init_flashes() to common SoC code
Relocate aspeed_board_init_flashes() from hw/arm/aspeed.c into
hw/arm/aspeed_soc_common.c so the helper can be reused by all
ASPEED machines. The API was already declared in
include/hw/arm/aspeed_soc.h; this change moves its
implementation out of the machine file to keep aspeed.c cleaner.
Jamin Lin [Fri, 19 Sep 2025 09:30:12 +0000 (17:30 +0800)]
tests/functional/arm/test_aspeed_ast2600: Add PCIe and network test
Extend the AST2600 functional tests with PCIe and network checks.
This patch introduces a new helper "do_ast2600_pcie_test()" that runs "lspci"
on the emulated system and verifies the presence of the expected PCIe devices:
Jamin Lin [Fri, 19 Sep 2025 09:30:11 +0000 (17:30 +0800)]
hw/arm/aspeed_ast27x0: Introduce 3 PCIe RCs for AST2700
Add PCIe Root Complex support to the AST2700 SoC model.
The AST2700 A1 silicon revision provides three PCIe Root Complexes:
PCIe0 with its PHY at 0x12C15000, config (H2X) block at 0x120E0000,
MMIO window at 0x60000000, and GIC IRQ 56.
PCIe1 with its PHY at 0x12C15800, config (H2X) block at 0x120F0000,
MMIO window at 0x80000000, and GIC IRQ 57.
PCIe2 with its PHY at 0x14C1C000, config (H2X) block at 0x140D0000,
MMIO window at 0xA0000000, and IRQ routed through INTC4 bit 31
mapped to GIC IRQ 196.
Each RC instantiates a PHY device, a PCIe config (H2X) bridge, and an MMIO
alias region. The per-RC MMIO alias size is 0x20000000. The AST2700 A0
silicon revision does not support PCIe Root Complexes, so pcie_num is set
to 0 in that variant.
Jamin Lin [Fri, 19 Sep 2025 09:30:09 +0000 (17:30 +0800)]
hw/pci-host/aspeed: Add AST2700 PCIe config with dedicated H2X blocks
Introduce PCIe config (H2X) support for the AST2700 SoC.
Unlike the AST2600, the AST2700 provides three independent Root Complexes,
each with its own H2X (AHB to PCIe bridge) register block of size 0x100.
All RCs use the same MSI address (0x000000F0). The H2X block includes
two different access paths:
1. CFGI (internal bridge): used to access the host bridge itself, always
with BDF=0. The AST2700 controller simplifies the design by exposing
only one register (H2X_CFGI_TLP) with fields for ADDR[15:0], BEN[19:16],
and WR[20]. This is not a full TLP descriptor as in the external case.
For QEMU readability and code reuse, the model converts H2X_CFGI_TLP
into a standard TLP TX descriptor with BDF forced to 0 and then calls
the existing helpers aspeed_pcie_cfg_readwrite() and
aspeed_pcie_cfg_translate_write().
2. CFGE (external EP access): used to access external endpoints. The
AST2700 design provides H2X_CFGE_TLP1 and a small FIFO at H2X_CFGE_TLPN.
For reads, TX DESC0 is stored in TLP1 and DESC1/DESC2 in TLPN FIFO
slots. For writes, TX DESC0 is stored in TLP1, DESC1/DESC2 in TLPN
FIFO[0..1], and TX write data in TLPN FIFO[2].
The implementation extends AspeedPCIECfgState with a small FIFO and index,
wires up new register definitions for AST2700, and adds a specific ops
table and class (TYPE_ASPEED_2700_PCIE_CFG). The reset handler clears the
FIFO state. Interrupt and MSI status registers are also supported.
This provides enough modeling for firmware and drivers to use any of the
three PCIe RCs on AST2700 with their own dedicated H2X config window,
while reusing existing TLP decode helpers in QEMU.
Jamin Lin [Fri, 19 Sep 2025 09:30:08 +0000 (17:30 +0800)]
hw/pci-host/aspeed: Add AST2700 PCIe PHY
Introduce a PCIe Host Controller PHY model for AST2700. This adds an
AST2700 specific PHY type (TYPE_ASPEED_2700_PCIE_PHY) with a 0x800 byte
register space and link-status bits compatible with the firmware’s
expectations.
AST2700 provides three PCIe RCs; PCIe0 and PCIe1 are GEN4, PCIe2 is
GEN2. The PHY exposes:
PEHR_2700_LINK_GEN2 at 0x344, bit 18 indicates GEN2 link up
PEHR_2700_LINK_GEN4 at 0x358, bit 8 indicates GEN4 link up
In real hardware these GEN2/GEN4 link bits are mutually exclusive.
QEMU does not model GEN2 vs GEN4 signaling differences, so the reset
handler sets both bits to 1. This keeps the model simple and lets
firmware see the link as up; firmware will read the appropriate
register per RC port to infer the intended mode.
The header gains TYPE_ASPEED_2700_PCIE_PHY; the new class derives from
TYPE_ASPEED_PCIE_PHY, sets nr_regs to 0x800 >> 2, and installs an
AST2700 reset routine that programs the class code (0x06040011) and the
GEN2/GEN4 status bits.
Jamin Lin [Fri, 19 Sep 2025 09:30:07 +0000 (17:30 +0800)]
hw/arm/aspeed_ast2600: Add PCIe RC support (RC_H only)
Wire up the PCIe Root Complex in the AST2600 SoC model.
According to the AST2600 firmware driver, only the RC_H controller is
supported. RC_H uses PCIe PHY1 at 0x1e6ed200 and the PCIe config (H2X)
register block at 0x1e770000. The RC_H MMIO window is mapped at
0x70000000–0x80000000. RC_L is not modeled. The RC_H interrupt is
wired to IRQ 168. Only RC_H is realized and connected to the SoC
interrupt controller.
The SoC integration initializes PCIe PHY1, instantiates a single RC
instance, wires its MMIO regions, and connects its interrupt. An alias
region is added to map the RC MMIO space into the guest physical address
space.
This provides enough functionality for firmware and guest drivers to
discover and use the AST2600 RC_H Root Complex while leaving RC_L
unimplemented.
Jamin Lin [Fri, 19 Sep 2025 09:30:06 +0000 (17:30 +0800)]
hw/arm/aspeed: Wire up PCIe devices in SoC model
Add PCIe controller and PHY instances to the Aspeed SoC state and device
enum. This prepares the SoC model to host PCIe Root Complexes and their
associated PHYs.
Although the AST2600 supports only a single Root Complex, the AST2700
provides three Root Complexes. For this reason, the model defines arrays
of three PCIe config/PHY objects and enumerates three PCIe device IDs so
that both SoCs can be represented consistently.
Jamin Lin [Fri, 19 Sep 2025 09:30:05 +0000 (17:30 +0800)]
hw/pci-host/aspeed: Add MSI support and per-RC IOMMU address space
Add MSI support to the ASPEED PCIe RC/Config model and introduce a per-RC
"IOMMU root" address space to correctly route MSI writes.
On AST2700 all RCs use the same MSI address, and the MSI target is PCI
system memory (not normal DRAM). If the MSI window were mapped into real
system RAM, an endpoint's write could be observed by other RCs and
spuriously trigger their interrupts. To avoid this, each RC now owns an
isolated IOMMU root AddressSpace that contains a small MSI window and a
DRAM alias region for normal DMA.
The MSI window captures writes and asserts the RC IRQ. MSI status bits
are tracked in new H2X RC_H registers (R_H2X_RC_H_MSI_EN{0,1} and
R_H2X_RC_H_MSI_STS{0,1}). Clearing all status bits drops the IRQ. The
default MSI address is set to 0x1e77005c and can be overridden via the
msi-addr property.
This keeps MSI traffic contained within each RC while preserving normal
DMA to system DRAM. It enables correct MSI/MSI-X interrupt delivery when
multiple RCs use the same MSI target address.
Jamin Lin [Fri, 19 Sep 2025 09:30:04 +0000 (17:30 +0800)]
hw/pci-host/aspeed: Add AST2600 PCIe Root Port and make address configurable
Introduce an ASPEED PCIe Root Port and wire it under the RC. The root port
is modeled as TYPE_ASPEED_PCIE_ROOT_PORT (subclass of TYPE_PCIE_ROOT_PORT).
Key changes:
- Add TYPE_ASPEED_PCIE_ROOT_PORT (PCIESlot-based) with vendor/device IDs
and AER capability offset.
- Extend AspeedPCIERcState to embed a root_port instance and a
configurable rp_addr.
- Add "rp-addr" property to the RC to place the root port at a specific
devfn on the root bus.
- Set the root port's "chassis" property to ensure a unique chassis per RC.
- Extend AspeedPCIECfgClass with rc_rp_addr defaulting to PCI_DEVFN(8,0).
Rationale:
- AST2600 places the root port at 80:08.0 (bus 0x80, dev 8, fn 0).
- AST2700 must place the root port at 00:00.0, and it supports three RCs.
Each root port must therefore be uniquely identifiable; uses the
PCIe "chassis" ID for that.
- Providing a configurable "rp-addr" lets platforms select the correct
devfn per SoC family, while the "chassis" property ensures uniqueness
across multiple RC instances on AST2700.
Jamin Lin [Fri, 19 Sep 2025 09:30:03 +0000 (17:30 +0800)]
hw/pci-host/aspeed: Add AST2600 PCIe Root Device support
Introduce a PCIe Root Device for AST2600 platform.
The AST2600 root complex exposes a PCIe root device at bus 80, devfn 0.
This root device is implemented as a child of the PCIe RC and modeled
as a host bridge PCI function (class_id = PCI_CLASS_BRIDGE_HOST).
Key changes:
- Add a new device type "aspeed.pcie-root-device".
- Instantiate the root device as part of AspeedPCIERcState.
- Initialize it during RC realize() and attach it to the root bus.
- Mark the root device as non-user-creatable.
- Add RC boolean property "has-rd" to control whether the Root Device is
created (platforms can enable/disable it as needed).
Note: Only AST2600 implements this PCIe root device. AST2700 does not
provide one.
Jamin Lin [Fri, 19 Sep 2025 09:30:02 +0000 (17:30 +0800)]
hw/pci-host/aspeed: Add AST2600 PCIe config space and host bridge
Introduce PCIe config and host bridge model for the AST2600 platform.
This patch adds support for the H2X (AHB to PCIe Bus Bridge) controller
with a 0x100 byte register space. The register layout is shared between
two root complexes: 0x00–0x7f is common, 0x80–0xbf for RC_L, and 0xc0–0xff
for RC_H. Only RC_H is modeled in this implementation.
The RC_H bus uses bus numbers in the 0x80–0xff range instead of the
standard root bus 0x00. To allow the PCI subsystem to discover devices,
the host bridge logic remaps the root bus number back to 0x00 whenever the
configured bus number matches the "bus-nr" property.
New MMIO callbacks are added for the H2X config space:
- aspeed_pcie_cfg_read() and aspeed_pcie_cfg_write() handle register
accesses.
- aspeed_pcie_cfg_readwrite() provides configuration read/write support.
- aspeed_pcie_cfg_translate_write() handles PCIe byte-enable semantics for
write operations.
The reset handler initializes the H2X register block with default values
as defined in the AST2600 datasheet.
Additional changes:
- Implement ASPEED PCIe root complex (TYPE_ASPEED_PCIE_RC).
- Wire up interrupt propagation via aspeed_pcie_rc_set_irq().
- Add tracepoints for config read/write and INTx handling.
Jamin Lin [Fri, 19 Sep 2025 09:30:01 +0000 (17:30 +0800)]
hw/pci-host/aspeed: Add AST2600 PCIe PHY model
This patch introduces an initial ASPEED PCIe PHY/host controller model to
support the AST2600 SoC. It provides a simple register block with MMIO
read/write callbacks, integration into the build system, and trace events
for debugging.
Key changes:
1. PCIe PHY MMIO read/write callbacks
Implemented aspeed_pcie_phy_read() and aspeed_pcie_phy_write() to
handle 32-bit register accesses.
2. Build system and Kconfig integration
Added CONFIG_PCI_EXPRESS_ASPEED in hw/pci-host/Kconfig and meson
rules.
Updated ASPEED_SOC in hw/arm/Kconfig to imply PCI_DEVICES and select
PCI_EXPRESS_ASPEED.
3. Trace events for debug
New tracepoints aspeed_pcie_phy_read and aspeed_pcie_phy_write allow
monitoring MMIO accesses.
4. Register space and defaults (AST2600 reference)
Expose a 0x100 register space, as documented in the AST2600 datasheet.
On reset, set default values:
PEHR_ID: Vendor ID = ASPEED, Device ID = 0x1150
PEHR_CLASS_CODE = 0x06040006
PEHR_DATALINK = 0xD7040022
PEHR_LINK: bit[5] set to 1 to indicate link up.
This provides a skeleton device for the AST2600 platform. It enables
firmware to detect the PCIe link as up by default and allows future
extension.
This commit is the starting point of the series to introduce ASPEED PCIe
Root Complex (RC) support. Based on previous work from Cédric Le Goater,
the following commits in this series extend and refine the implementation:
- Add a PCIe Root Port so that devices can be attached without requiring an
extra bridge.
- Restrict the Root Port device instantiation to the AST2600 platform.
- Integrate aspeed_cfg_translate_write() to support both AST2600 and AST2700.
- Add MSI support and a preliminary RC IOMMU address space.
- Fix issues with MSI interrupt clearing.
- Extend support to the AST2700 SoC.
- Drop the AST2600 RC_L support.
- Introduce PCIe RC functional tests covering both AST2600 and AST2700.
tests/functional/arm: Add AST2600 boot test with generated OTP image
Add a functional test that boots an AST2600 machine with a generated
OTP image. The test verifies that OTP contents are read during early
boot and that the system reaches the expected console prompt.
tests/functional/arm: Add AST1030 boot test with generated OTP image
Add a functional test that boots an AST1030 machine with a generated
OTP image. The test verifies that OTP contents are read during early
boot and that the system reaches the expected console prompt.
tests/functional/arm: Add helper to generate OTP images
Add a small helper that generates OTP images at test time. This lets
multiple test cases create default OTP contents without shipping prebuilt
fixtures and keeps the tests self-contained.
Jamin Lin [Tue, 2 Sep 2025 06:25:50 +0000 (14:25 +0800)]
hw/arm/aspeed Move ast2700-evb alias to ast2700a1-evb
This patch moves the "ast2700-evb" alias from the A0 to A1.
The A0 machine remains available via its explicit name
("ast2700a0-evb"), while functional tests are updated to
target A0 by name instead of relying on the generic alias.
Add documentation for the OTP memory module used by AST2600 and AST1030
SoCs, and describe options for using a pre-generated image or an
internal buffer. Include example commands for configuration and image
generation.
Kane-Chen-AS [Tue, 12 Aug 2025 09:40:05 +0000 (17:40 +0800)]
hw/misc/aspeed_sbc: Handle OTP write command for voltage mode registers
Extend OTP command handling to recognize specific voltage mode register
addresses and emulate the expected hardware behavior. Without this
change, legitimate voltage mode change requests would be incorrectly
reported as "Unknown command" and logged as an error.
This implementation does not perform actual mode changes, but ensures
that valid requests are accepted and ignored as per hardware behavior.
Kane-Chen-AS [Tue, 12 Aug 2025 09:40:04 +0000 (17:40 +0800)]
hw/misc/aspeed_sbc: Add CAMP2 support for OTP data reads
The OTP space contains three types of entries: data, conf, and strap.
Data entries consist of two DWORDs, while the other types contain
only one DWORD. This change adds the R_CAMP2 register (0x024 / 4) to
store the second DWORD when reading from the OTP data region.
With this enhancement, OTP reads now correctly return both DWORDs for
data entries via the CAMP registers, along with improved address
validation and error handling.
Kane-Chen-AS [Tue, 12 Aug 2025 09:40:02 +0000 (17:40 +0800)]
hw/nvram/aspeed_otp: Add OTP programming semantics and tracing
Implement correct OTP programming behavior for Aspeed OTP:
- Support read-modify-write flow with one-way bit programming:
* prog_bit uses 0s as the "to-be-programmed" mask.
* Even-indexed words: 0->1, odd-indexed words: 1->0.
* Reject non-programmable requests and log conflicts.
- Enable unaligned accesses in MemoryRegionOps.
Since each OTP address maps to a 1DW (4B) or 2DW (8B) block in the
backing store, upper-layer accesses may be unaligned to block
boundaries.
This matches the irreversible, word-parity-dependent programming rules
of Aspeed SoCs and exposes changes via QEMU trace events.
Kane-Chen-AS [Tue, 12 Aug 2025 09:40:01 +0000 (17:40 +0800)]
hw/nvram/aspeed_otp: Add 'drive' property to support block backend
This patch introduces a 'drive' property to the Aspeed OTP device,
allowing it to be backed by a block device. Users can now preload
OTP data via QEMU CLI using a block backend.
Kane-Chen-AS [Tue, 12 Aug 2025 09:39:59 +0000 (17:39 +0800)]
hw/misc/aspeed_sbc: Connect ASPEED OTP memory device to SBC
This patch connects the aspeed.otp device to the ASPEED Secure Boot
Controller (SBC) model. It implements OTP memory access via the SBC's
command interface and enables emulation of secure fuse programming
flows.
The following OTP commands are supported:
- READ: reads a 32-bit word from OTP memory into internal registers
- PROG: programs a 32-bit word value to the specified OTP address
Trace events are added to observe read/program operations and command
handling flow.
Kane-Chen-AS [Tue, 12 Aug 2025 09:39:58 +0000 (17:39 +0800)]
hw/nvram/aspeed_otp: Add ASPEED OTP memory device model
Introduce a QEMU device model for ASPEED's One-Time Programmable (OTP)
memory.
This model simulates a word-addressable OTP region used for secure
fuse storage. The OTP memory can operate with an internal memory
buffer.
The OTP model provides a memory-like interface through a dedicated
AddressSpace, allowing other device models (e.g., SBC) to issue
transactions as if accessing a memory-mapped region.
* Support for PowerNV11 and PPE42 CPU/Machines.
* Deprecation of Power8E and Power8NVL
* Decodetree patches for some floating-point instructions
* Minor bug fixes, improvements in ppc/spapr/xive/xics.
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEa4EM1tK+EPOIPSFCRUTplPnWj7sFAmjZgYQACgkQRUTplPnW
# j7uNJQ/8Cbr3xqyCyyqL+MM+Ze1PbXe4xSgdg13A1sNU3IHTffB77DCQVOxjudUS
# uo+XHVFssc4SKDZYjEzXFnYpzRpbZzfcuhG4kgn9QQ3VyKP+2xe6kWLleDbB6ds1
# e9ZAW6Ryk4R3ZFLnZzGfEdltliaoIn6zy4R25oJfJUgIRt0Xz++GBxll+Tdr8Exy
# qstvvyyjeTiIS3kA1zk6fbhDRJKKBsA0L1G1Pk6AuTMKa1RRTCniA36idnGVFAuY
# ef8WCEQYQS0do9Ytai06Tp1QNRVMG2y+AsKbSQRMi92lFfn+qhvA29OJd5TNvXtp
# LNiIfXHo3jLjGBUP13iVN8b8udWdis9BayvA/OwDaKWgononEHb9nqJgzVJR4n7t
# DxxUxcSCiEXOpObtklrKhi1nDt16nXPZ/bnnreMSWzxHBZK1My7qnI3S0hA7c11z
# YgssB5wJbRaETaEVzQfWfAcSaPpXBzBEXOAJcbd+Ni6w9SxXz2OrhckTOvfrXpmI
# XQ1KFUCkmTtXF1qB+oEihlrvG2qjdGuleRZdyiktaM2psBFgN/2gHl3S+JjL9kiY
# 9FdBffr/2K604l7EQkAYWixe2WMMsjHVHpuxJ7opG7MMSXJZq9cXKIK+tbkSNoRO
# Ia6Qr6eWJWjFF3y4OZCbYAOVU77ez6lo7kRj0e99fOjxfI+UuWU=
# =Fjdq
# -----END PGP SIGNATURE-----
# gpg: Signature made Sun 28 Sep 2025 11:42:12 AM PDT
# gpg: using RSA key 6B810CD6D2BE10F3883D21424544E994F9D68FBB
# gpg: Good signature from "Harsh Prateek Bora <harsh.prateek.bora@gmail.com>" [undefined]
# gpg: aka "Harsh Prateek Bora <harshpb@linux.ibm.com>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6B81 0CD6 D2BE 10F3 883D 2142 4544 E994 F9D6 8FBB
* tag 'pull-ppc-for-20250928-20250929' of https://gitlab.com/harshpb/qemu: (27 commits)
target/ppc: use MAKE_64BIT_MASK for mcrfs exception clear mask
target/ppc: Deprecate Power8E and Power8NVL
target/ppc: Introduce macro for deprecating PowerPC CPUs
target/ppc: Move remaining floating-point move instructions to decodetree.
target/ppc: Move floating-point move instructions to decodetree.
target/ppc: Move floating-point compare instructions to decodetree.
target/ppc: Move floating-point rounding and conversion instructions to decodetree.
ppc/xive2: Fix integer overflow warning in xive2_redistribute()
ppc/spapr: init lrdr-capapcity phys with ram size if maxmem not provided
hw/intc/xics: Add missing call to register vmstate_icp_server
tests/functional: Add test for IBM PPE42 instructions
hw/ppc: Add a test machine for the IBM PPE42 CPU
hw/ppc: Support for an IBM PPE42 CPU decrementer
target/ppc: Add IBM PPE42 special instructions
target/ppc: Support for IBM PPE42 MMU
target/ppc: Add IBM PPE42 exception model
target/ppc: IBM PPE42 exception flags and regs
target/ppc: Add IBM PPE42 family of processors
target/ppc: IBM PPE42 general regs and flags
tests/powernv: Add PowerNV test for Power11
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
target/ppc: use MAKE_64BIT_MASK for mcrfs exception clear mask
In gen_mcrfs() the FPSCR nibble mask is computed as:
`~((0xF << shift) & FP_EX_CLEAR_BITS)`
Here, 0xF is of type int, so the left shift is performed in
32-bit signed arithmetic. For bfa=0 we get shift=28,
and (0xF << 28) = 0xF0000000, which is not representable as a 32-bit
signed int. Static analyzers flag this as a potential integer
overflow.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Aditya Gupta [Sat, 7 Jun 2025 11:04:11 +0000 (16:34 +0530)]
target/ppc: Introduce macro for deprecating PowerPC CPUs
QEMU has a way to deprecate CPUs by setting the 'deprecation_note' in
CPUClass.
Currently PowerPC CPUs don't use this deprecation process.
Introduce 'POWERPC_DEPRECATED_CPU' macro to deprecate particular PowerPC
CPUs in future.
With the change, QEMU will print a warning like below when the
deprecated CPU/Chips are used (example output if power8nvl is deprecated):
$ ./build/qemu-system-ppc64 -M powernv8 --cpu power8nvl -nographic
qemu-system-ppc64: warning: CPU model power8nvl_v1.0-powerpc64-cpu is deprecated -- CPU is unmaintained.
...
Also, print '(deprecated)' for deprecated CPUs in 'qemu-system-ppc64
--cpu ?' (example output if power8nvl is deprecated):
$ ./build/qemu-system-ppc64 --cpu help
...
power8e (alias for power8e_v2.1)
power8nvl_v1.0 PVR 004c0100 (deprecated)
power8nvl (alias for power8nvl_v1.0)
power8_v2.0 PVR 004d0200
...
Suggested-by: Cédric Le Goater <clg@kaod.org> Reviewed-by: Cédric Le Goater <clg@kaod.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Aditya Gupta <adityag@linux.ibm.com> Tested-by: Anushree Mathur <anushree.mathur@linux.ibm.com> Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com> Link: https://lore.kernel.org/r/20250607110412.2342511-2-adityag@linux.ibm.com
Message-ID: <20250607110412.2342511-2-adityag@linux.ibm.com>
Chinmay Rath [Thu, 19 Jun 2025 09:58:39 +0000 (15:28 +0530)]
target/ppc: Move remaining floating-point move instructions to decodetree.
Move below instructions to decodetree specification:
fcpsgn, fmrg{e, o}w : X-form
The changes were verified by validating that the tcg ops generated by
those instructions remain the same, which were captured with the '-d
in_asm,op' flag.
Chinmay Rath [Thu, 19 Jun 2025 09:58:38 +0000 (15:28 +0530)]
target/ppc: Move floating-point move instructions to decodetree.
Move below instructions to decodetree specification:
f{mr, neg, abs, nabs} : X-form
The changes were verified by validating that the tcg ops generated by
those instructions remain the same, which were captured with the '-d
in_asm,op' flag.
Chinmay Rath [Thu, 19 Jun 2025 09:58:37 +0000 (15:28 +0530)]
target/ppc: Move floating-point compare instructions to decodetree.
Move below instructions to decodetree specification :
fcmp{u, o} : X-form
The changes were verified by validating that the tcg ops generated by
those instructions remain the same, which were captured with the '-d
in_asm,op' flag.
Chinmay Rath [Thu, 19 Jun 2025 09:58:36 +0000 (15:28 +0530)]
target/ppc: Move floating-point rounding and conversion instructions to decodetree.
Move below instructions to decodetree specification :
fr{sp, in, iz, im}[s][.],
fcti{w, d}[u, z, uz][s][.],
fcfid[s, u, us][s][.] : X-form
The changes were verified by validating that the tcg ops generated by
those instructions remain the same, which were captured with the '-d
in_asm,op' flag.
Gautam Menghani [Mon, 11 Aug 2025 07:49:11 +0000 (13:19 +0530)]
ppc/xive2: Fix integer overflow warning in xive2_redistribute()
Coverity reported an integer overflow warning in xive2_redistribute()
where the code does a left shift operation "0xffffffff << crowd". Fix the
warning by using a 64 byte integer type. Also refactor the calculation
into dedicated routines.
Resolves: Coverity CID 1612608 Fixes: 555e446019f5 ("ppc/xive2: Support redistribution of group interrupts") Reviewed-by: Glenn Miles <milesg@linux.ibm.com> Signed-off-by: Gautam Menghani <gautam@linux.ibm.com> Reviewed-by: Amit Machhiwal <amachhiw@linux.ibm.com> Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com> Link: https://lore.kernel.org/r/20250811074912.162774-1-gautam@linux.ibm.com
Message-ID: <20250811074912.162774-1-gautam@linux.ibm.com>
ppc/spapr: init lrdr-capapcity phys with ram size if maxmem not provided
lrdr-capacity contains phys field which communicates the maximum address
in bytes and therefore, the most memory that can be allocated to this
partition. This is usually populated when maxmem is provided alongwith
memory size on qemu command line. However since maxmem is an optional
param, this leads to bits being set to 0 in absence of maxmem param.
Fix this by initializing the respective bits as per total mem size in
such case.
Reported-by: Gaurav Batra <gbatra@us.ibm.com> Tested-by: David Christensen <drc@linux.ibm.com> Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com> Reviewed-by: Shivaprasad G Bhat <sbhat@linux.ibm.com> Link: https://lore.kernel.org/r/20250506042903.76250-1-harshpb@linux.ibm.com
Message-ID: <20250506042903.76250-1-harshpb@linux.ibm.com>
Glenn Miles [Thu, 25 Sep 2025 20:17:47 +0000 (15:17 -0500)]
tests/functional: Add test for IBM PPE42 instructions
Adds a functional test for the IBM PPE42 instructions which
downloads a test image from a public github repo and then
loads and executes the image.
(see https://github.com/milesg-github/ppe42-tests for details)
Test status is checked by periodically issuing 'info register'
commands and checking the NIP value. If the NIP is 0xFFF80200
then the test successfully executed to completion. If the
machine stops before the test completes or if a 90 second
timeout is reached, then the test is marked as having failed.
This test does not test any PowerPC instructions as it is
expected that these instructions are well covered in other
tests. Only instructions that are unique to the IBM PPE42
processor are tested.
Glenn Miles [Thu, 25 Sep 2025 20:17:46 +0000 (15:17 -0500)]
hw/ppc: Add a test machine for the IBM PPE42 CPU
Adds a test machine for the IBM PPE42 processor, including a
DEC, FIT, WDT and 512 KiB of ram.
The purpose of this machine is only to provide a generic platform
for testing instructions of the recently added PPE42 processor
model which is used extensively in the IBM Power9, Power10 and
future Power server processors.
Glenn Miles [Thu, 25 Sep 2025 20:17:45 +0000 (15:17 -0500)]
hw/ppc: Support for an IBM PPE42 CPU decrementer
The IBM PPE42 processors support a 32-bit decrementer
that can raise an external interrupt when DEC[0]
transitions from a 0 to a -1 (a non-negative value to a
negative value). It also continues decrementing
even after this condition is met.
The BookE timer is slightly different in that it
raises an interrupt when the DEC value reaches 0
and stops decrementing at that point.
Support a PPE42 version of the BookE timer by
adding a new PPC_TIMER_PPE flag that has the timer
code look for the transition from a non-negative value
to a negative value and allows the value to
continue decrementing.
Glenn Miles [Thu, 25 Sep 2025 20:17:43 +0000 (15:17 -0500)]
target/ppc: Support for IBM PPE42 MMU
The IBM PPE42 processor only supports real mode
addressing and does not distinguish between
problem and supervisor states. It also uses
the IR and DR MSR bits for other purposes.
Therefore, add a check for PPE42 when we update
hflags and cause it to ignore the IR and DR bits
when calculating MMU indexes.
Glenn Miles [Thu, 25 Sep 2025 20:17:42 +0000 (15:17 -0500)]
target/ppc: Add IBM PPE42 exception model
Add support for the IBM PPE42 exception model including
new exception vectors, exception priorities and setting
of PPE42 SPRs for determining the cause of an exception.
Glenn Miles [Thu, 25 Sep 2025 20:17:40 +0000 (15:17 -0500)]
target/ppc: Add IBM PPE42 family of processors
Adds the IBM PPE42 family of 32-bit processors supporting
the PPE42, PPE42X and PPE42XM processor versions. These
processors are used as embedded processors in the IBM
Power9, Power10 and Power12 processors for various
tasks. It is basically a stripped down version of the
IBM PowerPC 405 processor, with some added instructions
for handling 64-bit loads and stores.
For more information on the PPE 42 processor please visit:
Does not yet support exceptions, new PPE42 instructions and
does not prevent access to some invalid instructions and
registers (currently allows access to invalid GPR's and CR
fields).
tests/powernv: Switch to buildroot images instead of op-build
As op-build images haven't been updated from long time (and may not get
updated in future), use buildroot images provided by cedric [1].
Use existing nvme device being used in the test to mount the initrd.
Also replace the check for "zImage loaded message" to skiboot's message
when it starts the kernel: "Starting kernel at", since we are no longer
using zImage from op-build
This is required for newer processor tests such as Power11, as the
op-build kernel image is old and doesn't support Power11.
projects / thirdparty / qemu.git / log
