target/ppc: Expect page translation hash addresses to be aligned
The page translation hash addresses are aligned:
remove the misleading MO_UNALN flag.
Reported-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-Id: <20260202210106.93257-5-philmd@linaro.org>
target/ppc: Inline cpu_ld/st_data_ra() calls in do_hash()
In preparation of removing the cpu_ld*_data_ra() and
cpu_st*_data_ra() calls, inline them. No logical change
intended.
We note the page translation hash address is expected to
be aligned, so the MO_UNALN flag is misleading. Next commit
will remove it.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-Id: <20260202210106.93257-4-philmd@linaro.org>
target/ppc: Inline cpu_ld/st_mmuidx_ra() calls in memory helpers
In preparation of removing the cpu_ld*_mmuidx_ra() and
cpu_st*_mmuidx_ra() calls, inline them.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-Id: <20260202210106.93257-3-philmd@linaro.org>
target/ppc: Inline cpu_ldl_data_ra() calls in ICBI helpers
Inline the cpu_ldl_data_ra() call in preparation of
removing it. Since the returned value is discarded,
don't bother to set the access endianness.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-Id: <20260202210106.93257-2-philmd@linaro.org>
My dictionary says the former spelling is incorrect.
Message-ID: <52339e58-4366-4b7c-872f-b28e05370a5d@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Gustavo Romero <gustavo.romero@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Oliver Steffen [Fri, 30 Jan 2026 05:47:14 +0000 (06:47 +0100)]
igvm: Fill MADT IGVM parameter field on x86_64
Use the new acpi_build_madt_standalone() function to fill the MADT
parameter field.
The IGVM parameter can be consumed by Coconut SVSM [1], instead of
relying on the fw_cfg interface, which has caused problems before due to
unexpected access [2,3]. Using IGVM parameters is the default way for
Coconut SVSM across hypervisors; switching over would allow removing
specialized code paths for QEMU in Coconut.
Coconut SVSM needs to know the SMP configuration, but does not look at
any other ACPI data, nor does it interact with the PCI bus settings.
Since the MADT is static and not linked with other ACPI tables, it can
be supplied stand-alone like this.
Generating the MADT twice (during ACPI table building and IGVM processing)
seems acceptable, since there is no infrastructure to obtain the MADT
out of the ACPI table memory area.
In any case OVMF, which runs after SVSM has already been initialized,
will continue reading all ACPI tables via fw_cfg and provide fixed up
ACPI data to the OS as before without any changes.
The IGVM parameter handler is implemented for the i386 machine target
and stubbed for all others.
Oliver Steffen [Fri, 30 Jan 2026 05:47:13 +0000 (06:47 +0100)]
igvm: Only build stubs if igvm is enabled
Change meson script to only include the IGVM stubs file if the IGVM
feature is enabled. It is used to handle architecture specific
differences within the IGVM backend, not to provide stubs of the backend
itself.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Message-ID: <20260130054714.715928-9-osteffen@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Oliver Steffen [Fri, 30 Jan 2026 05:47:12 +0000 (06:47 +0100)]
igvm: Pass machine state to IGVM file processing
Pass the full MachineState to the IGVM backend during file processing,
instead of just the ConfidentialGuestSupport struct (which is a member
of the MachineState).
This replaces the cgs parameter of qigvm_process_file() with the machine
state to make it available in the IGVM processing context.
We will use it later to generate MADT data there to pass to the guest
as IGVM parameter.
Reviewed-by: Luigi Leonardi <leonardi@redhat.com> Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Message-ID: <20260130054714.715928-8-osteffen@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Oliver Steffen [Fri, 30 Jan 2026 05:47:11 +0000 (06:47 +0100)]
igvm: Refactor qigvm_parameter_insert
Use qigvm_find_param_entry() also in qigvm_parameter_insert().
This changes behavior: Processing now stops after the first parameter
entry found. That is OK, because we expect only one matching entry
anyway.
Reviewed-by: Luigi Leonardi <leonardi@redhat.com> Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Message-ID: <20260130054714.715928-7-osteffen@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Oliver Steffen [Fri, 30 Jan 2026 05:47:09 +0000 (06:47 +0100)]
igvm: Move structs to internal header
Move QIgvm and QIgvmParameter struct definitions from the source file
into an IGVM internal header file to allow implementing architecture
specific IGVM code in other places, for example target/i386/igvm.c.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Message-ID: <20260130054714.715928-5-osteffen@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Gerd Hoffmann [Mon, 26 Jan 2026 12:37:55 +0000 (13:37 +0100)]
igvm: move igvm file processing to reset callbacks
Move igvm file processing from machine init to reset callbacks. With
that the igvm file is properly re-loaded on reset. Also the loading
happens later in the init process now. This will simplify future
support for some IGVM parameters which depend on initialization steps
which happen after machine init.
Gerd Hoffmann [Mon, 26 Jan 2026 12:37:53 +0000 (13:37 +0100)]
igvm: move file load to complete callback
Add UserCreatableClass->complete callback function for igvm-cfg object.
Move file loading and parsing of the igvm file from the process function
to the new complete() callback function. Keep the igvm file loaded
after processing, release it in finalize() instead, so we parse it only
once.
Gerd Hoffmann [Mon, 26 Jan 2026 12:37:52 +0000 (13:37 +0100)]
igvm: make igvm-cfg object resettable
Add TYPE_RESETTABLE_INTERFACE to interfaces. Register callbacks for the
reset phases. Add trace points for logging and debugging. No
functional change, that will come in followup patches.
Merge tag 'hw-misc-20260202' of https://github.com/philmd/qemu into staging
Misc HW & memory API patches
- Add unit test for qemu_hexdump()
- Remove legacy native endianness API uses on the Alpha target
- Remove unused memory_region_init_rom_device_nomigrate()
- Fix use-after-free in NvmeNamespace "bootindex" suffix
- Correct documentation of SCSI Rotation Rate field
- Make iotlb_to_section() work with non-CPU AddressSpaces
- Reduce few monitor target-specific methods
# gpg: Signature made Tue 03 Feb 2026 07:18:50 AM AEST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* tag 'hw-misc-20260202' of https://github.com/philmd/qemu:
monitor: Reduce target-specific methods
monitor: Add hmp_cmds_for_target() helper
monitor: Reduce target-specific declarations
target/i386: Include missing 'svm.h' header in 'sev.h'
system/physmem: Remove the assertion of page-aligned section number
accel/tcg: Fix iotlb_to_section() for different AddressSpace
accel/tcg: Send the CPUTLBEntryFull struct into io_prepare()
hw/ide, scsi-disk: Fix typo on the rotation_rate documentation
hw/nvme: Fix bootindex suffix use-after-free
memory: Add internal memory_region_set_ops helper function
memory: Remove memory_region_init_rom_device_nomigrate()
target/alpha: Replace legacy ld_phys() -> address_space_ld()
configs/targets: Forbid Alpha to use legacy native endianness APIs
target/alpha: Inline translator_ldl()
target/alpha: Use explicit little-endian LD/ST API
tests/unit: add unit test for qemu_hexdump()
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
The following methods don't use target-specific code anymore:
- hmp_compare_cmd()
- monitor_register_hmp()
- monitor_register_hmp_info_hrt()
Move them to hmp.c which is target-agnostic, being built once.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Dr. David Alan Gilbert <dave@treblig.org>
Message-Id: <20260129164039.58472-5-philmd@linaro.org>
HMPCommand arrays are filled with target-specific
commands, so defined in a target-specific unit.
Introduce the hmp_cmds_for_target() to allow
target-agnostic code to access the arrays.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Dr. David Alan Gilbert <dave@treblig.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-Id: <20260129164039.58472-4-philmd@linaro.org>
Some declarations do not depend on target-specific types,
move them out of "monitor/hmp-target.h" to "monitor/hmp.h".
Commit 409e9f7131e ("mos6522: add "info via" HMP command
for debugging") declared hmp_info_via() twice.
Remove the one in "hw/misc/mos6522.h" otherwise we get:
In file included from ../hw/misc/mos6522.c:33:
include/monitor/hmp.h:43:6: error: redundant redeclaration of 'hmp_info_via' [-Werror=redundant-decls]
43 | void hmp_info_via(Monitor *mon, const QDict *qdict);
| ^~~~~~~~~~~~
In file included from ../hw/misc/mos6522.c:29:
include/hw/misc/mos6522.h:175:6: note: previous declaration of 'hmp_info_via' with type 'void(Monitor *, const QDict *)'
175 | void hmp_info_via(Monitor *mon, const QDict *qdict);
| ^~~~~~~~~~~~
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20260129164039.58472-3-philmd@linaro.org>
target/i386: Include missing 'svm.h' header in 'sev.h'
"target/i386/sev.h" uses the vmcb_seg structure type, which
is defined in "target/i386/svm.h". Current builds succeed
because the files including "target/i386/sev.h" also include
"monitor/hmp-target.h", itself including "cpu.h" and finally
"target/i386/svm.h".
Include the latter, otherwise removing "cpu.h" from
"monitor/hmp-target.h" triggers:
../target/i386/sev.h:62:21: error: field has incomplete type 'struct vmcb_seg'
62 | struct vmcb_seg es;
| ^
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Message-Id: <20260129164039.58472-2-philmd@linaro.org>
Jim Shu [Wed, 28 Jan 2026 15:23:48 +0000 (23:23 +0800)]
system/physmem: Remove the assertion of page-aligned section number
We don't need to OR the physical section number anymore since we now
directly have a pointer on the memory section.
Signed-off-by: Jim Shu <jim.shu@sifive.com> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260128152348.2095427-4-jim.shu@sifive.com>
[PMD: Reworded description per Pierrick's comment] Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Jim Shu [Wed, 28 Jan 2026 15:23:47 +0000 (23:23 +0800)]
accel/tcg: Fix iotlb_to_section() for different AddressSpace
'CPUTLBEntryFull.xlat_section' stores section_index in last 12 bits to
find the correct section when CPU accesses the IO region over the IOTLB.
However, section_index is only unique inside single AddressSpace. If
address space translation is over IOMMUMemoryRegion, it could return
section from other AddressSpace. 'iotlb_to_section()' API only finds the
sections from CPU's AddressSpace so that it couldn't find section in
other AddressSpace. Thus, using 'iotlb_to_section()' API will find the
wrong section and QEMU will have wrong load/store access.
To fix this bug of iotlb_to_section(), store complete MemoryRegionSection
pointer in CPUTLBEntryFull to replace the section_index in xlat_section.
Rename 'xlat_section' to 'xlat' as we remove last 12 bits section_index
inside. Also, since we directly use section pointer in the
CPUTLBEntryFull (full->section), we can remove the unused functions:
iotlb_to_section(), memory_region_section_get_iotlb().
This bug occurs only when
(1) IOMMUMemoryRegion is in the path of CPU access.
(2) IOMMUMemoryRegion returns different target_as and the section is in
the IO region.
Common IOMMU devices don't have this issue since they are only in the
path of DMA access. Currently, the bug only occurs when ARM MPC device
(hw/misc/tz-mpc.c) returns 'blocked_io_as' to emulate blocked access
handling. Upcoming RISC-V wgChecker [1] and IOPMP [2] devices are also
affected by this bug.
Signed-off-by: Jim Shu <jim.shu@sifive.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Tested-by: Mark Burton <mburton@qti.qualcomm.com> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260128152348.2095427-3-jim.shu@sifive.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
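The lookup mismatch described in this commit message, as an added example that is not QEMU code: a simplified model in which a TLB entry keeps only a 12-bit section index versus a full section pointer. The `Section`, `AddrSpace`, `Translation` and `*TlbEntry` types, the section names and the address are hypothetical stand-ins constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTION_BITS 12u
#define SECTION_MASK ((1u << SECTION_BITS) - 1u)

/* Hypothetical stand-ins for MemoryRegionSection and AddressSpace. */
typedef struct { const char *name; } Section;
typedef struct { const Section *sections; size_t count; } AddrSpace;

/* Result of a translation that may have crossed an IOMMU region. */
typedef struct {
    const AddrSpace *target_as;  /* address space the IOMMU redirected to */
    size_t section_index;        /* index valid only inside target_as */
    uint64_t xlat;               /* page-aligned offset */
} Translation;

/* Old encoding: offset and section index packed into one word. */
typedef struct { uint64_t xlat_section; } OldTlbEntry;
/* New encoding: offset plus a direct pointer to the section. */
typedef struct { uint64_t xlat; const Section *section; } NewTlbEntry;

/* Constructed sample data: index 1 means something different in each space. */
static const Section cpu_sections[] = {
    { "unassigned" }, { "secure-sram" }, { "uart" }
};
static const Section blocked_sections[] = {
    { "unassigned" }, { "blocked-io" }
};
static const AddrSpace cpu_as = { cpu_sections, 3 };
static const AddrSpace blocked_io_as = { blocked_sections, 2 };

static OldTlbEntry old_fill(Translation t)
{
    /* The target address space is dropped here; only the index survives. */
    OldTlbEntry e = { (t.xlat & ~(uint64_t)SECTION_MASK) | t.section_index };
    return e;
}

static const Section *old_lookup(const AddrSpace *cpu, OldTlbEntry e)
{
    size_t idx = (size_t)(e.xlat_section & SECTION_MASK);
    /* Always resolved against the CPU's own address space. */
    return idx < cpu->count ? &cpu->sections[idx] : &cpu->sections[0];
}

static NewTlbEntry new_fill(Translation t)
{
    NewTlbEntry e = { t.xlat, &t.target_as->sections[t.section_index] };
    return e;
}

static const Section *new_lookup(NewTlbEntry e)
{
    return e.section;
}

/* A CPU access that the IOMMU region redirected into blocked_io_as. */
static Translation blocked_access(void)
{
    Translation t = { &blocked_io_as, 1, 0x40000000u };
    return t;
}

const char *resolve_old(void)
{
    return old_lookup(&cpu_as, old_fill(blocked_access()))->name;
}

const char *resolve_new(void)
{
    return new_lookup(new_fill(blocked_access()))->name;
}

int main(void)
{
    printf("index-based lookup   -> %s\n", resolve_old());
    printf("pointer-based lookup -> %s\n", resolve_new());
    return 0;
}
```

In this model the index-based path lands on a section of the CPU's address space instead of the blocked-access section the translation selected, which is the wrong load/store target the commit message describes.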
Jim Shu [Wed, 28 Jan 2026 15:23:46 +0000 (23:23 +0800)]
accel/tcg: Send the CPUTLBEntryFull struct into io_prepare()
To let io_prepare() function use the multiple members in
CPUTLBEntryFull struct, send the full struct instead of 'xlat_section'
member as the argument.
It is the preliminary patch of next commit.
Signed-off-by: Jim Shu <jim.shu@sifive.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Tested-by: Mark Burton <mburton@qti.qualcomm.com> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260128152348.2095427-2-jim.shu@sifive.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Alberto Garcia [Wed, 28 Jan 2026 10:25:46 +0000 (11:25 +0100)]
hw/ide, scsi-disk: Fix typo on the rotation_rate documentation
Correct values according to the Medium Rotation Rate field from the
Block Device Characteristics VPD page (B1h) of the SCSI specification.
Signed-off-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260128102548.224237-1-berto@igalia.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Prefer the address_space_ld/st API over the legacy ld_phys()
because it allows checking for bus access fault.
Since we removed the last legacy uses of the legacy ldst_phys()
API, set the TARGET_NOT_USING_LEGACY_LDST_PHYS_API variable to
hide the legacy API to alpha binaries, avoiding further API uses
to creep in.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251224160040.88612-7-philmd@linaro.org>
configs/targets: Forbid Alpha to use legacy native endianness APIs
All Alpha-related binaries are buildable without a single use
of the legacy "native endian" API. Unset the transitional
TARGET_USE_LEGACY_NATIVE_ENDIAN_API definition to forbid
further uses of the legacy API.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251224160040.88612-6-philmd@linaro.org>
Directly use the inlined form, expanding MO_TE -> MO_LE
since Alpha uses little-endian order.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251224160040.88612-5-philmd@linaro.org>
Test that the fix in commit 20aa05edc2c ("util/hexdump: fix
QEMU_HEXDUMP_LINE_WIDTH logic") makes sense.
To not break compilation when we build without 'block', move
hexdump.c out of "if have_block" in meson.build.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20260202112826.38018-1-philmd@linaro.org>
Ilia Levi [Mon, 22 Dec 2025 12:35:59 +0000 (14:35 +0200)]
tests/qtest/ufs-test: Add test for mcq completion queue wraparound
Added a test that sends 32 NOP Out commands asynchronously. Since the CQ
has 31 entries by default, this tests the scenario where CQ processing
needs to wait for space to become available.
Additionally, added two minor fixes to existing tests:
* advance CQ head after reading from CQ
* initialize command descriptor slots bitmap in ufs_init()
Signed-off-by: Ilia Levi <ilia.levi@intel.com> Acked-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Jeuk Kim <jeuk20.kim@samsung.com> Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
Ilia Levi [Mon, 22 Dec 2025 12:35:58 +0000 (14:35 +0200)]
hw/ufs: Fix mcq completion queue wraparound
Currently, ufs_mcq_process_cq() writes to the CQ without checking whether
there is available space. This can cause CQ entries to be discarded and
overwritten. The solution is to stop writing when CQ is full and exert
backpressure on the affected SQs. This is similar to how NVMe CQs operate.
Signed-off-by: Ilia Levi <ilia.levi@intel.com> Reviewed-by: Jeuk Kim <jeuk20.kim@samsung.com> Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
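The completion-queue wraparound and the backpressure fix described in this commit message, as an added example that is not the QEMU UFS code: a minimal ring model run with and without the space check. The 32-slot ring with one slot kept empty (31 usable entries), the `Cq` and `DoneFifo` types and all function names are assumptions chosen to mirror the 32-command, 31-entry scenario of the test commit above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CQ_SLOTS 32u   /* assumed ring size; one slot stays empty => 31 usable */
#define N_CMDS   32u   /* commands completed back to back */

/* Completion ring shared by device (producer) and host driver (consumer). */
typedef struct {
    uint32_t slot[CQ_SLOTS];
    uint32_t head;   /* next entry the host will read */
    uint32_t tail;   /* next entry the device will write */
} Cq;

/* Completions the device has finished but not yet posted to the ring. */
typedef struct {
    uint32_t tag[N_CMDS];
    uint32_t next;
    uint32_t count;
} DoneFifo;

static bool cq_full(const Cq *cq)
{
    return (cq->tail + 1) % CQ_SLOTS == cq->head;
}

static bool cq_empty(const Cq *cq)
{
    return cq->tail == cq->head;
}

/*
 * Post finished completions to the ring. With check_space set, posting stops
 * when the ring is full and the remainder stays queued (backpressure).
 * Without it, the write goes ahead and tail can run over head.
 */
static uint32_t cq_process(Cq *cq, DoneFifo *done, bool check_space)
{
    uint32_t posted = 0;

    while (done->next < done->count) {
        if (check_space && cq_full(cq)) {
            break;
        }
        cq->slot[cq->tail] = done->tag[done->next++];
        cq->tail = (cq->tail + 1) % CQ_SLOTS;
        posted++;
    }
    return posted;
}

/* Host side: consume every entry between head and tail. */
static uint32_t host_drain(Cq *cq, bool seen[N_CMDS])
{
    uint32_t n = 0;

    while (!cq_empty(cq)) {
        seen[cq->slot[cq->head]] = true;
        cq->head = (cq->head + 1) % CQ_SLOTS;
        n++;
    }
    return n;
}

/* Returns how many of the N_CMDS completions the host actually received. */
uint32_t run_scenario(bool check_space)
{
    Cq cq = { {0}, 0, 0 };
    DoneFifo done = { {0}, 0, N_CMDS };
    bool seen[N_CMDS] = { false };
    uint32_t delivered = 0;

    for (uint32_t i = 0; i < N_CMDS; i++) {
        done.tag[i] = i;
    }
    /* Device and host alternate until neither side makes progress. */
    for (;;) {
        uint32_t posted = cq_process(&cq, &done, check_space);
        uint32_t drained = host_drain(&cq, seen);
        if (posted == 0 && drained == 0) {
            break;
        }
    }
    for (uint32_t i = 0; i < N_CMDS; i++) {
        delivered += seen[i] ? 1u : 0u;
    }
    return delivered;
}

int main(void)
{
    printf("no space check: host received %u of %u completions\n",
           run_scenario(false), N_CMDS);
    printf("space check:    host received %u of %u completions\n",
           run_scenario(true), N_CMDS);
    return 0;
}
```

Without the check, the 32nd write moves tail back onto head, so the ring looks empty to the host and the completions are lost; with the check, the last completion waits until the host has advanced head.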
Jeuk Kim [Tue, 27 Jan 2026 05:02:50 +0000 (14:02 +0900)]
hw/ufs: fix CQE endianness and UPIU length
Round-trip UTRD fields through cpu_to_le/le_to_cpu when building MCQ CQEs to
keep BE hosts correct. Also avoid double BE conversion of response
data_segment_length and document the LE round-trip.
Jeuk Kim [Mon, 2 Feb 2026 05:31:03 +0000 (14:31 +0900)]
hw/ufs: Ensure DBC of PRDT uses only lower 18 bits
The UFS spec defines the PRDT data byte count as an 18-bit field. This
commit masks the value to the lower 18 bits to prevent incorrect
transfer lengths and ensure compliance.
Merge tag 'pull-target-arm-20260129' of https://gitlab.com/pm215/qemu into staging
target-arm queue:
* Support SMMUv3 acceleration
* A few other minor cleanups and fixes
# gpg: Signature made Fri 30 Jan 2026 03:08:11 AM AEDT
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [unknown]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [unknown]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [unknown]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE
* tag 'pull-target-arm-20260129' of https://gitlab.com/pm215/qemu: (43 commits)
arm: add DCZID_EL0 to idregs array
arm: add {get,set}_dczid_bs helpers
docs/system: update FEAT_BBML[12] references
MAINTAINERS: add emulation.rst to ARM TCG CPUs
target/arm/hvf: Sync CNTV_CTL_EL0 & CNTV_CVAL_EL0
target/arm/hvf: Move hvf_sysreg_[read, write]_cp() functions around
hw/arm/smmuv3-accel: Make SubstreamID support configurable
hw/vfio/pci: Synthesize PASID capability for vfio-pci devices
hw/pci: Factor out common PASID capability initialization
hw/pci: Add helper to insert PCIe extended capability at a fixed offset
backends/iommufd: Add get_pasid_info() callback
backends/iommufd: Retrieve PASID width from iommufd_backend_get_device_info()
hw/arm/smmuv3-accel: Add property to specify OAS bits
hw/arm/smmuv3-accel: Add support for ATS
hw/arm/smmuv3-accel: Add a property to specify RIL support
hw/arm/smmuv3: Add accel property for SMMUv3 device
hw/arm/smmuv3: Block migration when accel is enabled
tests/qtest/bios-tables-test: Update IORT blobs after revision upgrade
hw/arm/virt-acpi-build: Add IORT RMR regions to handle MSI nested binding
tests/qtest/bios-tables-test: Prepare for IORT revison upgrade
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
# gpg: Signature made Sat 31 Jan 2026 12:53:52 AM AEDT
# gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44
* tag 'pull-11.0-testing-fixes-300126-1' of https://gitlab.com/stsquad/qemu:
tests/functional: migrate sbsa_ref test images
tests/docker: rename wasm cross container
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Alex Bennée [Wed, 28 Jan 2026 10:58:39 +0000 (10:58 +0000)]
tests/functional: migrate sbsa_ref test images
As the builds in codelinaro.org are going away migrate the binaries to
share.linaro.org. As the hotlinks don't encode the filename we need to
explicitly tell uncompress how to handle the files.
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260128105839.3487840-3-alex.bennee@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Alex Bennée [Wed, 28 Jan 2026 10:58:38 +0000 (10:58 +0000)]
tests/docker: rename wasm cross container
Now we are 64 bit only there is no need to keep the generic name. This
also fixes a check failure in the weekly container build which was
checking containers based on the expansion of DOCKER_IMAGES which is
based off the dockerfile names.
Remove the DOCKERFILE bits that were added to handle multiple
containers from the same dockerfile.
Fixes: 4203ea0247f (gitlab-ci: Add build tests for wasm64) Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20260128105839.3487840-2-alex.bennee@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Merge tag 'pr-plugins-20260129' of https://gitlab.com/pbo-linaro/qemu into staging
Changes:
- contrib/plugins/hotblocks: Minor bug fixes and add limit argument (Alex Bradbury <asb@igalia.com>)
- linux-user: introduce syscall-filter plugin API (Ziyang Zhang <functioner@sjtu.edu.cn>)
- plugins: return bool from register r/w API (Florian Hofhammer <florian.hofhammer@fhofhammer.de>)
- plugins: enable C++ plugins (Pierrick Bouvier <pierrick.bouvier@linaro.org>)
- plugins: reduce source conflicts in plugins list (Pierrick Bouvier <pierrick.bouvier@linaro.org>)
# gpg: Signature made Fri 30 Jan 2026 04:34:18 AM AEDT
# gpg: using RSA key 66B994ECA14F7F2E5ABA081F7F90540D0A1CD00F
# gpg: Good signature from "Pierrick Bouvier <pierrick.bouvier@linaro.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 66B9 94EC A14F 7F2E 5ABA 081F 7F90 540D 0A1C D00F
* tag 'pr-plugins-20260129' of https://gitlab.com/pbo-linaro/qemu: (21 commits)
plugins: reduce source conflicts in plugins list
contrib/plugins: add empty cpp plugin
meson: update C++ standard to C++23
qga/vss-win32: fix clang warning with C++20
meson: enable cpp (optionally) for plugins
meson: fix supported compiler arguments in other languages than C
plugins: move qemu-plugin.h to include/plugins/
tests/tcg/plugins/mem.c: remove dependency on qemu headers
plugins: define plugin API symbols as extern "C" when compiling in C++
plugins: use complete filename for defining plugins sources
plugins: factorize plugin dependencies and library details
plugins: move win32_linker.c file to plugins directory
plugins: return bool from register r/w API
tcg tests: add a test to verify the syscall filter plugin API
linux-user: add plugin API to filter syscalls
linux-user: move user/syscall-trace.h to linux-user/syscall.c
contrib/plugins/hotblocks: Allow limit to be set as a command line argument
docs/about/emulation: Add documentation for hotblocks plugin arguments
contrib/plugins/hotblocks: Print uint64_t with PRIu64 rather than PRId64
contrib/plugins/hotblocks: Fix off by one error in iteration of sorted blocks
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Pierrick Bouvier [Tue, 30 Dec 2025 20:19:18 +0000 (12:19 -0800)]
contrib/plugins: add empty cpp plugin
This plugin makes sure we can compile in C++ while including qemu-plugin
header. It includes all C++ standard headers, up to C++23 standard,
minus the ones that are missing in the oldest environments we need to
build for.
Pierrick Bouvier [Tue, 30 Dec 2025 20:19:01 +0000 (12:19 -0800)]
meson: update C++ standard to C++23
C++ is evolving faster than C, so it's useful to enable new standards,
especially for standard library.
Update to most recent standard available in our build environments.
Pierrick Bouvier [Wed, 31 Dec 2025 02:47:23 +0000 (18:47 -0800)]
meson: fix supported compiler arguments in other languages than C
qemu_common_flags are only checked for c compiler, even though they
are applied to c++ and objc. This is a problem when C compiler is gcc,
and C++ compiler is clang, creating a possible mismatch.
One concrete example is option -fzero-call-used-regs=used-gpr with
ubuntu2204 container, which is supported by gcc, but not by clang, thus
leading to a failure when compiling a C++ TCG plugin.
This change has two benefits:
- ensure plugins can't include anything else from QEMU than plugins API
- when compiling a C++ module, solves the header conflict with iostream
header that includes transitively the wrong ctype.h, which already
exists in include/qemu.
By Hyrum's law, there was already one usage of other headers with mem
plugin, which has been eliminated in previous commit.
tests/tcg/plugins/mem.c: remove dependency on qemu headers
This plugin uses endianness conversion primitives from QEMU headers. As
next commit will strongly isolate plugins code from those headers, those
primitives can't be used anymore.
glib.h provides such primitives:
https://docs.gtk.org/glib/conversion-macros.html#byte-order-conversion
The qemu_plugin_{read,write} register API previously was inconsistent
with regard to its docstring (where a return value of both -1 and 0
would indicate an error) and to the memory read/write APIs, which
already return a boolean value to indicate success or failure.
Returning the number of bytes read or written is superfluous, as the
GByteArray* passed to the API functions already encodes the length.
See the linked thread for more details.
This patch moves from returning an int (number of bytes read/written) to
returning a bool from the register read/write API, bumps the plugin API
version, and adjusts plugins and tests accordingly.
Ziyang Zhang [Sun, 14 Dec 2025 14:46:20 +0000 (22:46 +0800)]
tcg tests: add a test to verify the syscall filter plugin API
Register a syscall filter callback in tests/tcg/plugins/sycall.c,
return a specific value for a magic system call number, and check
it in tests/tcg/multiarch/test-plugin-syscall-filter.c.
Signed-off-by: Ziyang Zhang <functioner@sjtu.edu.cn> Co-authored-by: Mingyuan Xia <xiamy@ultrarisc.com> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
[Pierrick - Changed syscall number to 4096 to make it work with mips32]
[Pierrick - Skip test when compiling without plugins enabled] Link: https://lore.kernel.org/qemu-devel/20251214144620.179282-3-functioner@sjtu.edu.cn Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Ziyang Zhang [Sun, 14 Dec 2025 14:46:19 +0000 (22:46 +0800)]
linux-user: add plugin API to filter syscalls
This commit adds a syscall filter API to the TCG plugin API set.
Plugins can register a filter callback to QEMU to decide whether
to intercept a syscall, process it and bypass the QEMU syscall
handler.
Alex Bradbury [Tue, 2 Dec 2025 23:05:58 +0000 (23:05 +0000)]
contrib/plugins/hotblocks: Allow limit to be set as a command line argument
Also add documentation for this argument. This allows the default of 20
to be overridden, and is helpful for using the hotblocks plugin for
analysis scripts that require collecting data on a larger number of
blocks (e.g. setting limit=0 to dump information on all blocks).
Alex Bradbury [Tue, 2 Dec 2025 23:05:55 +0000 (23:05 +0000)]
contrib/plugins/hotblocks: Fix off by one error in iteration of sorted blocks
The logic to iterate over the hottest blocks will never reach the last
item in the list, as it checks `it->next != NULL` before entering the
loop. It's hard to trigger this off-by-one error with the default
limit=20, but it is a bug and is problematic if that default is changed
to something larger.
Cornelia Huck [Mon, 5 Jan 2026 15:41:19 +0000 (16:41 +0100)]
arm: add DCZID_EL0 to idregs array
Continue moving ID registers to the idregs array, so that we
eventually can switch to an autogenerated cpu-sysregs.h.inc.
This requires a bit of care, since we still have to handle the EL
specific part (DCZID_EL0.DZP). The value previously saved in
cpu->dcz_blocksize is now kept in DCZID_EL.BS (transparent to
callers using the wrappers.)
KVM currently does not support DCZID_EL0 via ONE_REG, assert that
we're not trying to do anything with it until it does.
Signed-off-by: Cornelia Huck <cohuck@redhat.com> Reviewed-by: Sebastian Ott <sebott@redhat.com>
Message-id: 20260105154119.59853-3-cohuck@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Cornelia Huck [Mon, 5 Jan 2026 15:41:18 +0000 (16:41 +0100)]
arm: add {get,set}_dczid_bs helpers
Most accesses to cpu->dcz_blocksize really care about
DCZID_EL0.BS (i.e. the part of the register that does not change at
different EL.) Wean them off directly dealing with cpu->dcz_blocksize
so that we can switch to handling DCZID_EL0 differently in a followup
patch.
Signed-off-by: Cornelia Huck <cohuck@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Sebastian Ott <sebott@redhat.com>
Message-id: 20260105154119.59853-2-cohuck@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Alex Bennée [Tue, 27 Jan 2026 14:55:55 +0000 (14:55 +0000)]
docs/system: update FEAT_BBML[12] references
It looks like the features were renamed to include the levels at some
point. To make it easier to match features up to the Arm ARM, update to
use the full name.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-id: 20260127145555.3070590-1-alex.bennee@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Shameer Kolothum [Thu, 29 Jan 2026 13:32:05 +0000 (13:32 +0000)]
hw/arm/smmuv3-accel: Make SubstreamID support configurable
QEMU SMMUv3 currently reports no SubstreamID support, forcing SSID to
zero. This prevents accelerated use cases such as Shared Virtual
Addressing (SVA), which require multiple Stage-1 context descriptors
indexed by SubstreamID.
Add a new "ssidsize" property to explicitly configure the number of bits
used for SubstreamIDs. A value greater than zero enables SubstreamID
support and advertises PASID capability to the vIOMMU.
The requested SSIDSIZE is validated against host SMMUv3 capabilities and
is only supported when accel=on.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Nicolin Chen <nicolinc@nvidia.com> Tested-by: Eric Auger <eric.auger@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com>
Message-id: 20260126104342.253965-38-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Shameer Kolothum [Thu, 29 Jan 2026 13:32:05 +0000 (13:32 +0000)]
hw/vfio/pci: Synthesize PASID capability for vfio-pci devices
Add support for synthesizing a PCIe PASID extended capability for
vfio-pci devices when PASID is enabled via a vIOMMU and supported by
the host IOMMU backend.
PASID capability parameters are retrieved via IOMMUFD APIs and the
capability is inserted into the PCIe extended capability list using
the insertion helper. A new x-vpasid-cap-offset property allows
explicit control over the placement; by default the capability is
placed at the end of the PCIe extended configuration space.
If the kernel does not expose PASID information or insertion fails,
the device continues without PASID support.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Tested-by: Eric Auger <eric.auger@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com> Reviewed-by: Yi Liu <yi.l.liu@intel.com>
Message-id: 20260126104342.253965-37-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Shameer Kolothum [Thu, 29 Jan 2026 13:32:05 +0000 (13:32 +0000)]
hw/pci: Factor out common PASID capability initialization
Refactor PCIe PASID capability initialization by moving the common
register init into a new helper, pcie_pasid_common_init().
Subsequent patch to synthesize a vPASID will make use of this
helper.
No functional change intended.
Cc: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Tested-by: Eric Auger <eric.auger@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com> Reviewed-by: Yi Liu <yi.l.liu@intel.com>
Message-id: 20260126104342.253965-36-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Shameer Kolothum [Thu, 29 Jan 2026 13:32:05 +0000 (13:32 +0000)]
hw/pci: Add helper to insert PCIe extended capability at a fixed offset
Add pcie_insert_capability(), a helper to insert a PCIe extended
capability into an existing extended capability list at a caller
specified offset.
Unlike pcie_add_capability(), which always appends a capability to the
end of the list, this helper preserves the existing list ordering while
allowing insertion at an arbitrary offset.
The helper only validates that the insertion does not overwrite an
existing PCIe extended capability header, since corrupting a header
would break the extended capability linked list. Validation of overlaps
with other configuration space registers or capability-specific
register blocks is left to the caller.
Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Tested-by: Eric Auger <eric.auger@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com> Reviewed-by: Yi Liu <yi.l.liu@intel.com>
Message-id: 20260126104342.253965-35-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
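A stand-alone sketch of the header-only validation described in the message above, as an added example that is not QEMU's implementation: `ext_cap_walk()`, `ext_cap_insert()`, the error codes and the sample configuration space are hypothetical, and linking the new entry after the nearest lower-offset header is an assumption about how ordering is kept.

```c
#include <stdint.h>
#include <stdio.h>

#define CFG_SIZE 0x1000                     /* PCIe configuration space size */
#define EXT_BASE 0x100                      /* first extended capability header */
#define HDR_LEN  4
#define MAX_CAPS ((CFG_SIZE - EXT_BASE) / HDR_LEN)
#define HDR(id, ver, next) \
    ((uint32_t)(id) | ((uint32_t)(ver) << 16) | ((uint32_t)(next) << 20))
#define HDR_NEXT(h) (((h) >> 20) & 0xffc)   /* bits 31:20, low two bits reserved */
enum { CAP_OK = 0, CAP_ERANGE = -1, CAP_EOVERLAP = -2, CAP_ELIST = -3 };

static uint32_t rd32(const uint8_t *c, uint16_t o)
{
    return c[o] | (c[o + 1] << 8) | (c[o + 2] << 16) | ((uint32_t)c[o + 3] << 24);
}
static void wr32(uint8_t *c, uint16_t o, uint32_t v)
{
    for (int i = 0; i < 4; i++) c[o + i] = (uint8_t)(v >> (8 * i));
}

/* Store each header offset in list order; CAP_ELIST on a bad pointer or a loop. */
int ext_cap_walk(const uint8_t *cfg, uint16_t *offs, int max)
{
    int n = 0;
    if (rd32(cfg, EXT_BASE) == 0) return 0;     /* no extended capabilities */
    for (uint16_t cur = EXT_BASE; cur; cur = HDR_NEXT(rd32(cfg, cur))) {
        if (cur < EXT_BASE || n == max) return CAP_ELIST;
        offs[n++] = cur;
    }
    return n;
}

/* Insert at a fixed offset; only existing list headers are protected. */
int ext_cap_insert(uint8_t *cfg, uint16_t id, uint8_t ver, uint16_t off, uint16_t size)
{
    uint16_t offs[MAX_CAPS], prev = 0;
    if (off < EXT_BASE || (off & 3) || size < HDR_LEN || off + size > CFG_SIZE)
        return CAP_ERANGE;
    int n = ext_cap_walk(cfg, offs, MAX_CAPS);
    if (n < 0) return CAP_ELIST;
    if (n == 0) {                               /* empty list must start at 0x100 */
        if (off != EXT_BASE) return CAP_ERANGE;
        wr32(cfg, off, HDR(id, ver, 0));
        return CAP_OK;
    }
    for (int i = 0; i < n; i++) {
        if (offs[i] + HDR_LEN > off && offs[i] < off + size)
            return CAP_EOVERLAP;                /* would clobber a list header */
        if (offs[i] < off && offs[i] > prev) prev = offs[i];
    }
    uint32_t ph = rd32(cfg, prev);              /* prev >= 0x100: the head is below off */
    wr32(cfg, off, HDR(id, ver, HDR_NEXT(ph))); /* new entry inherits prev's successor */
    wr32(cfg, prev, (ph & 0x000fffff) | ((uint32_t)off << 20));
    return CAP_OK;
}

int main(void)
{
    static uint8_t cfg[CFG_SIZE];   /* constructed sample: AER at 0x100 -> ARI at 0x148 */
    wr32(cfg, 0x100, HDR(0x0001, 2, 0x148));
    wr32(cfg, 0x148, HDR(0x000e, 1, 0));
    printf("PASID at 0x200: %d\n", ext_cap_insert(cfg, 0x001b, 1, 0x200, 8));
    printf("over ARI header at 0x144: %d\n", ext_cap_insert(cfg, 0x001b, 1, 0x144, 8));
    return 0;
}
```

An insert at 0x120 in this sample would be accepted even though it lands inside the AER register block, which is the overlap check the message leaves to the caller.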
Shameer Kolothum [Thu, 29 Jan 2026 13:32:05 +0000 (13:32 +0000)]
backends/iommufd: Add get_pasid_info() callback
The get_pasid_info callback retrieves PASID capability information
when the HostIOMMUDevice backend supports it. Currently, only the
Linux IOMMUFD backend provides this information.
This will be used by a subsequent patch to synthesize a PASID
capability for vfio-pci devices behind a vIOMMU that supports PASID.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Tested-by: Eric Auger <eric.auger@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Reviewed-by: Nicolin Chen <nicolinc@nvidia.com> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com> Reviewed-by: Yi Liu <yi.l.liu@intel.com>
Message-id: 20260126104342.253965-34-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Shameer Kolothum [Thu, 29 Jan 2026 13:32:05 +0000 (13:32 +0000)]
hw/arm/smmuv3-accel: Add property to specify OAS bits
QEMU SMMUv3 currently sets the output address size (OAS) to 44 bits.
With accelerator mode enabled, a device may use SVA, where CPU page tables
are shared with the SMMU, requiring an OAS at least as large as the
CPU’s output address size. A user option is added to configure this.
However, the OAS value advertised by the virtual SMMU must remain
compatible with the capabilities of the host SMMUv3. In accelerated
mode, the host SMMU performs stage-2 translation and must be able to
consume the intermediate physical addresses (IPA) produced by stage-1.
The OAS exposed by the virtual SMMU defines the maximum IPA width that
stage-1 translations may generate. For AArch64 implementations, the
maximum usable IPA size on the host SMMU is determined by its own OAS.
Check that the configured OAS does not exceed what the host SMMU
can safely support.
Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Reviewed-by: Nicolin Chen <nicolinc@nvidia.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Tested-by: Eric Auger <eric.auger@redhat.com> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com>
Message-id: 20260126104342.253965-32-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Shameer Kolothum [Thu, 29 Jan 2026 13:32:05 +0000 (13:32 +0000)]
hw/arm/smmuv3-accel: Add support for ATS
QEMU SMMUv3 does not enable ATS (Address Translation Services) by default.
When accelerated mode is enabled and the host SMMUv3 supports ATS, it can
be useful to report ATS capability to the guest so it can take advantage
of it if the device also supports ATS.
Note: ATS support cannot be reliably detected from the host SMMUv3 IDR
registers alone, as firmware ACPI IORT tables may override them. The
user must therefore ensure the support before enabling it.
The ATS support enabled here is only relevant for vfio-pci endpoints,
as SMMUv3 accelerated mode does not support emulated endpoint devices.
QEMU’s SMMUv3 implementation still lacks support for handling ATS
translation requests, which would be required for emulated endpoints.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Reviewed-by: Nicolin Chen <nicolinc@nvidia.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Tested-by: Eric Auger <eric.auger@redhat.com> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com>
Message-id: 20260126104342.253965-31-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Shameer Kolothum [Thu, 29 Jan 2026 13:32:05 +0000 (13:32 +0000)]
hw/arm/smmuv3: Add accel property for SMMUv3 device
Add an "accel" property to enable SMMUv3 accelerator mode.
Accelerator mode relies on IORT RMR entries for MSI support and is
therefore not supported when booting with a device tree.
In this mode, the host SMMUv3 operates in nested translation
(Stage-1 + Stage-2), with the guest owning the Stage-1 page tables.
Expose only Stage-1 to the guest to ensure it uses the correct page
table format.
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Tested-by: Eric Auger <eric.auger@redhat.com> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com>
Message-id: 20260126104342.253965-29-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Eric Auger [Thu, 29 Jan 2026 13:32:05 +0000 (13:32 +0000)]
hw/arm/virt-acpi-build: Add IORT RMR regions to handle MSI nested binding
To handle SMMUv3 accel=on mode (which configures the host SMMUv3 in nested
mode), it is practical to expose the guest with reserved memory regions
(RMRs) covering the IOVAs used by the host kernel to map physical MSI
doorbells.
Those IOVAs belong to [0x8000000, 0x8100000] matching MSI_IOVA_BASE and
MSI_IOVA_LENGTH definitions in kernel arm-smmu-v3 driver. This is the
window used to allocate IOVAs matching physical MSI doorbells.
With those RMRs, the guest is forced to use a flat mapping for this range.
Hence the assigned device is programmed with one IOVA from this range.
Stage 1, owned by the guest, has a flat mapping for this IOVA. Stage 2,
owned by the VMM, then enforces a mapping from this IOVA to the physical
MSI doorbell.
The creation of those RMR nodes is only relevant if nested stage SMMU is
in use, along with VFIO. As VFIO devices can be hotplugged, all RMRs need
to be created in advance.
Initialise AcpiIortSMMUv3Dev structures to avoid using uninitialised
state when building the IORT, as legacy and device SMMUv3 paths
populate different fields now (e.g. accel).
Shameer Kolothum [Thu, 29 Jan 2026 13:32:05 +0000 (13:32 +0000)]
hw/arm/virt: Set PCI preserve_config for accel SMMUv3
Introduce a new pci_preserve_config field in virt machine state which
allows the generation of DSM #5. This field is only set if accel SMMU
is instantiated.
In a subsequent patch, SMMUv3 accel mode will make use of IORT RMR nodes
to enable nested translation of MSI doorbell addresses. IORT RMR requires
_DSM #5 to be set for the PCI host bridge so that the Guest kernel
preserves the PCI boot configuration.
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Reviewed-by: Eric Auger <eric.auger@redhat.com> Tested-by: Eric Auger <eric.auger@redhat.com> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com>
Message-id: 20260126104342.253965-24-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Eric Auger [Thu, 29 Jan 2026 13:32:05 +0000 (13:32 +0000)]
hw/pci-host/gpex: Allow to generate preserve boot config DSM #5
Add a 'preserve_config' field in struct GPEXConfig and, if set, generate
the _DSM function #5 for preserving PCI boot configurations.
This will be used for SMMUv3 accel=on support in subsequent patch. When
SMMUv3 acceleration (accel=on) is enabled, QEMU exposes IORT Reserved
Memory Region (RMR) nodes to support MSI doorbell translations. As per
the Arm IORT specification, using IORT RMRs mandates the presence of
_DSM function #5 so that the OS retains the firmware-assigned PCI
configuration. Hence, this patch adds conditional support for generating
_DSM #5.
According to the ACPI Specification, Revision 6.6, Section 9.1.1 -
“_DSM (Device Specific Method)”,
"
If Function Index is zero, the return is a buffer containing one bit for
each function index, starting with zero. Bit 0 indicates whether there
is support for any functions other than function 0 for the specified
UUID and Revision ID. If set to zero, no functions are supported (other
than function zero) for the specified UUID and Revision ID. If set to
one, at least one additional function is supported. For all other bits
in the buffer, a bit is set to zero to indicate if that function index
is not supported for the specific UUID and Revision ID. (For example,
bit 1 set to 0 indicates that function index 1 is not supported for the
specific UUID and Revision ID.)
"
Please refer to the PCI Firmware Specification, Revision 3.3, Section 4.6.5 —
"_DSM for Preserving PCI Boot Configurations" for Function 5 of _DSM
method.
Also, while at it, move the byte_list declaration to the top of the
function for clarity.
For now, the check is to make sure the features are in sync to enable
basic accelerated SMMUv3 support. AIDR is not checked, as hardware
implementations often provide a mix of architecture features regardless
of the revision reported in AIDR.
Note that SSIDSIZE check will be added later when support for PASID is
introduced.
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Tested-by: Eric Auger <eric.auger@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com>
Message-id: 20260126104342.253965-22-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Shameer Kolothum [Thu, 29 Jan 2026 13:32:05 +0000 (13:32 +0000)]
hw/arm/smmuv3: Initialize ID registers early during realize()
Factor out ID register init into smmuv3_init_id_regs() and call it from
realize(). This ensures ID registers are initialized early for use in the
accelerated SMMUv3 path and will be utilized in subsequent patch.
Other registers remain initialized in smmuv3_reset().
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Tested-by: Eric Auger <eric.auger@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com>
Message-id: 20260126104342.253965-21-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Shameer Kolothum [Thu, 29 Jan 2026 13:32:05 +0000 (13:32 +0000)]
hw/arm/virt: Set msi-gpa property
Set the MSI doorbell GPA property for accelerated SMMUv3 devices for use
by KVM MSI setup. Also, since any meaningful use of vfio-pci devices with
an accelerated SMMUv3 requires both KVM and a kernel irqchip, ensure
those are specified when accel=on is selected.
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com> Tested-by: Eric Auger <eric.auger@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com>
Message-id: 20260126104342.253965-19-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Accelerated SMMUv3 instances rely on the physical SMMUv3 for nested
translation (guest Stage-1, host Stage-2). In this mode, the guest Stage-1
tables are programmed directly into hardware, and QEMU must not attempt to
walk them for translation, as doing so is not reliably safe. For vfio-pci
endpoints behind such a vSMMU, the only translation QEMU needs to perform
is for the MSI doorbell used during KVM MSI setup.
Implement the callback so that kvm_arch_fixup_msi_route() can retrieve the
MSI doorbell GPA directly, instead of attempting a software walk of the
guest translation tables.
Also introduce an SMMUv3 device property to carry the MSI doorbell GPA.
This property will be set by the virt machine in a subsequent patch.
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Tested-by: Eric Auger <eric.auger@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com>
Message-id: 20260126104342.253965-18-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Shameer Kolothum [Thu, 29 Jan 2026 13:32:04 +0000 (13:32 +0000)]
hw/pci/pci: Introduce a callback to retrieve the MSI doorbell GPA directly
For certain vIOMMU implementations, such as SMMUv3 in accelerated mode,
the translation tables are programmed directly into the physical SMMUv3
in a nested configuration. While QEMU knows where the guest tables live,
safely walking them in software would require trapping and ordering all
guest invalidations on every command queue. Without this, QEMU could race
with guest updates and walk stale or freed page tables.
This constraint is fundamental to the design of HW-accelerated vSMMU when
used with downstream vfio-pci endpoint devices, where QEMU must never walk
guest translation tables and must rely on the physical SMMU for
translation. Future accelerated vSMMU features, such as virtual CMDQ, will
also prevent trapping invalidations, reinforcing this restriction.
For vfio-pci endpoints behind such a vSMMU, the only translation QEMU
needs is for the MSI doorbell used when setting up KVM MSI route tables.
Instead of attempting a software walk, introduce an optional vIOMMU
callback that returns the MSI doorbell GPA directly.
kvm_arch_fixup_msi_route() uses this callback when available and ignores
the guest provided IOVA in that case.
If the vIOMMU does not implement the callback, we fall back to the
existing IOMMU based address space translation path.
This ensures correct MSI routing for accelerated SMMUv3 + VFIO passthrough
while avoiding unsafe software walks of guest translation tables.
As a related change, replace RCU_READ_LOCK_GUARD() with explicit
rcu_read_lock()/rcu_read_unlock(). The introduction of an early goto
(set_doorbell) path means the RCU read side critical section can no longer
be safely scoped using RCU_READ_LOCK_GUARD().
Cc: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Nicolin Chen <nicolinc@nvidia.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Tested-by: Eric Auger <eric.auger@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com>
Message-id: 20260126104342.253965-17-skolothumtho@nvidia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>