target-arm: Avoid unnecessary TLB flush on TCR_EL2, TCR_EL3 writes
1 #include "qemu/osdep.h"
2 #include "cpu.h"
3 #include "internals.h"
4 #include "exec/gdbstub.h"
5 #include "exec/helper-proto.h"
6 #include "qemu/host-utils.h"
7 #include "sysemu/arch_init.h"
8 #include "sysemu/sysemu.h"
9 #include "qemu/bitops.h"
10 #include "qemu/crc32c.h"
11 #include "exec/cpu_ldst.h"
12 #include "arm_ldst.h"
13 #include <zlib.h> /* For crc32 */
14 #include "exec/semihost.h"
15 #include "sysemu/kvm.h"
16
17 #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
18
19 #ifndef CONFIG_USER_ONLY
20 static bool get_phys_addr(CPUARMState *env, target_ulong address,
21 int access_type, ARMMMUIdx mmu_idx,
22 hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
23 target_ulong *page_size, uint32_t *fsr,
24 ARMMMUFaultInfo *fi);
25
26 static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
27 int access_type, ARMMMUIdx mmu_idx,
28 hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot,
29 target_ulong *page_size_ptr, uint32_t *fsr,
30 ARMMMUFaultInfo *fi);
31
32 /* Definitions for the PMCCNTR and PMCR registers */
33 #define PMCRD 0x8
34 #define PMCRC 0x4
35 #define PMCRE 0x1
36 #endif
37
/* Read VFP/NEON register @reg into @buf for the gdbstub.
 *
 * Numbering: [0, nregs) are the D registers (nregs is 32 with VFP3, else
 * 16); on NEON cores 16 Q-register aliases follow; then FPSID, FPSCR and
 * FPEXC.  Returns the number of bytes stored in @buf, or 0 when @reg does
 * not name a register.  VFP data registers are always stored little-endian.
 */
static int vfp_gdb_get_reg(CPUARMState *env, uint8_t *buf, int reg)
{
    int nregs = arm_feature(env, ARM_FEATURE_VFP3) ? 32 : 16;

    if (reg < nregs) {
        stfq_le_p(buf, env->vfp.regs[reg]);
        return 8;
    }
    if (arm_feature(env, ARM_FEATURE_NEON)) {
        /* Qn aliases the pair D(2n), D(2n+1).
         * NOTE(review): the "reg - 32" base assumes a NEON core has 32 D
         * registers (i.e. NEON implies VFP3); a NEON core with nregs == 16
         * would index below zero here — confirm the feature invariant in
         * cpu.c.
         */
        nregs += 16;
        if (reg < nregs) {
            int dbase = (reg - 32) * 2;

            stfq_le_p(buf, env->vfp.regs[dbase]);
            stfq_le_p(buf + 8, env->vfp.regs[dbase + 1]);
            return 16;
        }
    }
    /* Control registers are numbered after the data registers. */
    switch (reg - nregs) {
    case 0:
        stl_p(buf, env->vfp.xregs[ARM_VFP_FPSID]);
        return 4;
    case 1:
        stl_p(buf, env->vfp.xregs[ARM_VFP_FPSCR]);
        return 4;
    case 2:
        stl_p(buf, env->vfp.xregs[ARM_VFP_FPEXC]);
        return 4;
    default:
        return 0;
    }
}
64
/* Write VFP/NEON register @reg from @buf for the gdbstub.
 *
 * Uses the same numbering as vfp_gdb_get_reg(): D registers, then (on NEON
 * cores) the 16 Q-register aliases, then FPSID, FPSCR, FPEXC.  Returns the
 * number of bytes consumed from @buf, or 0 when @reg names no register.
 */
static int vfp_gdb_set_reg(CPUARMState *env, uint8_t *buf, int reg)
{
    int nregs = arm_feature(env, ARM_FEATURE_VFP3) ? 32 : 16;

    if (reg < nregs) {
        env->vfp.regs[reg] = ldfq_le_p(buf);
        return 8;
    }
    if (arm_feature(env, ARM_FEATURE_NEON)) {
        /* Qn aliases D(2n), D(2n+1).  As in vfp_gdb_get_reg(), the
         * "reg - 32" base assumes NEON cores have 32 D registers — TODO
         * confirm against the feature setup in cpu.c.
         */
        nregs += 16;
        if (reg < nregs) {
            int dbase = (reg - 32) * 2;

            env->vfp.regs[dbase] = ldfq_le_p(buf);
            env->vfp.regs[dbase + 1] = ldfq_le_p(buf + 8);
            return 16;
        }
    }
    switch (reg - nregs) {
    case 0:
        env->vfp.xregs[ARM_VFP_FPSID] = ldl_p(buf);
        return 4;
    case 1:
        env->vfp.xregs[ARM_VFP_FPSCR] = ldl_p(buf);
        return 4;
    case 2:
        /* Only bit 30 of the debugger-supplied FPEXC value is kept. */
        env->vfp.xregs[ARM_VFP_FPEXC] = ldl_p(buf) & (1 << 30);
        return 4;
    default:
        return 0;
    }
}
89
/* Read AArch64 FP/SIMD register @reg into @buf for the gdbstub.
 *
 * Numbering: 0-31 are the 128-bit V registers (the first 8 bytes of @buf
 * receive vfp.regs[2n], the next 8 vfp.regs[2n + 1], both little-endian),
 * 32 is FPSR and 33 is FPCR.  Returns the byte count stored, or 0 for an
 * unknown register number.
 */
static int aarch64_fpu_gdb_get_reg(CPUARMState *env, uint8_t *buf, int reg)
{
    if (reg >= 0 && reg < 32) {
        int dbase = reg * 2;

        stfq_le_p(buf, env->vfp.regs[dbase]);
        stfq_le_p(buf + 8, env->vfp.regs[dbase + 1]);
        return 16;
    }
    if (reg == 32) {
        stl_p(buf, vfp_get_fpsr(env));
        return 4;
    }
    if (reg == 33) {
        stl_p(buf, vfp_get_fpcr(env));
        return 4;
    }
    return 0;
}
110
/* Write AArch64 FP/SIMD register @reg from @buf for the gdbstub.
 *
 * Mirrors aarch64_fpu_gdb_get_reg(): 0-31 are the V registers (two
 * little-endian 64-bit halves), 32 is FPSR, 33 is FPCR.  FPSR/FPCR go
 * through vfp_set_fpsr()/vfp_set_fpcr() rather than a raw field store.
 * Returns the number of bytes consumed, or 0 for an unknown register.
 */
static int aarch64_fpu_gdb_set_reg(CPUARMState *env, uint8_t *buf, int reg)
{
    if (reg >= 0 && reg < 32) {
        int dbase = reg * 2;

        env->vfp.regs[dbase] = ldfq_le_p(buf);
        env->vfp.regs[dbase + 1] = ldfq_le_p(buf + 8);
        return 16;
    }
    if (reg == 32) {
        vfp_set_fpsr(env, ldl_p(buf));
        return 4;
    }
    if (reg == 33) {
        vfp_set_fpcr(env, ldl_p(buf));
        return 4;
    }
    return 0;
}
131
/* Read the CPUARMState field that backs @ri, as a 32- or 64-bit quantity
 * depending on the regdef.  A regdef without a fieldoffset must not reach
 * here (see raw_accessors_invalid()), hence the assert. */
static uint64_t raw_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    assert(ri->fieldoffset);

    return cpreg_field_is_64bit(ri) ? CPREG_FIELD64(env, ri)
                                    : CPREG_FIELD32(env, ri);
}
141
/* Store @value into the CPUARMState field that backs @ri, truncating to
 * 32 bits for a 32-bit regdef.  Requires a fieldoffset, like raw_read(). */
static void raw_write(CPUARMState *env, const ARMCPRegInfo *ri,
                      uint64_t value)
{
    assert(ri->fieldoffset);

    if (!cpreg_field_is_64bit(ri)) {
        CPREG_FIELD32(env, ri) = value;
        return;
    }
    CPREG_FIELD64(env, ri) = value;
}
152
/* Address of the CPUARMState field backing @ri.  Unlike raw_read() and
 * raw_write() this does not check that a fieldoffset is present. */
static void *raw_ptr(CPUARMState *env, const ARMCPRegInfo *ri)
{
    char *base = (char *)env;

    return base + ri->fieldoffset;
}
157
/* Raw read of a coprocessor register (as needed for migration, etc).
 *
 * Precedence: a constant regdef yields its reset value; otherwise the
 * raw_readfn, then the ordinary readfn, then a direct field read via
 * raw_read().  A regdef that has a readfn but no raw_readfn gets its
 * readfn called here whether or not it was written with raw use in mind
 * (see the note in raw_accessors_invalid()).
 */
uint64_t read_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri)
{
    if (ri->type & ARM_CP_CONST) {
        return ri->resetvalue;
    }
    if (ri->raw_readfn) {
        return ri->raw_readfn(env, ri);
    }
    if (ri->readfn) {
        return ri->readfn(env, ri);
    }
    return raw_read(env, ri);
}
171
/* Raw write of a coprocessor register (as needed for migration, etc).
 * Note that constant registers are treated as write-ignored; the
 * caller should check for success by whether a readback gives the
 * value written.
 *
 * Precedence mirrors read_raw_cp_reg(): raw_writefn, then writefn, then a
 * direct field store via raw_write().
 */
static void write_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri,
                             uint64_t v)
{
    if (ri->type & ARM_CP_CONST) {
        return;
    }
    if (ri->raw_writefn) {
        ri->raw_writefn(env, ri, v);
        return;
    }
    if (ri->writefn) {
        ri->writefn(env, ri, v);
        return;
    }
    raw_write(env, ri, v);
}
190
/* Return true if the regdef would cause an assertion if you called
 * read_raw_cp_reg() or write_raw_cp_reg() on it (ie if it is a
 * program bug for it not to have the NO_RAW flag).
 * NB that returning false here doesn't necessarily mean that calling
 * read/write_raw_cp_reg() is safe, because we can't distinguish "has
 * read/write access functions which are safe for raw use" from "has
 * read/write access functions which have side effects but has forgotten
 * to provide raw access functions".
 * The tests here line up with the conditions in read/write_raw_cp_reg()
 * and assertions in raw_read()/raw_write().
 */
static bool raw_accessors_invalid(const ARMCPRegInfo *ri)
{
    bool is_const = (ri->type & ARM_CP_CONST) != 0;
    bool has_field = ri->fieldoffset != 0;
    bool has_writer = ri->raw_writefn || ri->writefn;
    bool has_reader = ri->raw_readfn || ri->readfn;

    /* Raw access is valid for constants, for anything with a backing field,
     * and for anything that has both a read and a write function. */
    return !(is_const || has_field || (has_writer && has_reader));
}
211
/* Write the coprocessor state from cpu->env to the (index,value) list.
 *
 * For every KVM-style ID in cpu->cpreg_indexes[] the matching regdef is
 * looked up and raw-read into cpu->cpreg_values[] at the same position.
 * NO_RAW regdefs are skipped.  Returns false if any ID had no regdef (that
 * slot of cpreg_values[] is left untouched); the remaining entries are
 * still processed.
 */
bool write_cpustate_to_list(ARMCPU *cpu)
{
    bool ok = true;

    for (int idx = 0; idx < cpu->cpreg_array_len; idx++) {
        uint32_t regidx = kvm_to_cpreg_id(cpu->cpreg_indexes[idx]);
        const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);

        if (!ri) {
            ok = false;
        } else if (!(ri->type & ARM_CP_NO_RAW)) {
            cpu->cpreg_values[idx] = read_raw_cp_reg(&cpu->env, ri);
        }
    }
    return ok;
}
234
/* Load the coprocessor state in the (index,value) list into cpu->env.
 *
 * Inverse of write_cpustate_to_list(): each entry of cpu->cpreg_values[]
 * is raw-written to the regdef named by cpu->cpreg_indexes[].  NO_RAW
 * regdefs are skipped.  Returns false if any ID had no regdef, or if a
 * written value does not read back unchanged — the readback catches
 * read-only and partially read-only registers whose incoming migration
 * value does not match.  All entries are processed regardless.
 */
bool write_list_to_cpustate(ARMCPU *cpu)
{
    bool ok = true;

    for (int idx = 0; idx < cpu->cpreg_array_len; idx++) {
        uint32_t regidx = kvm_to_cpreg_id(cpu->cpreg_indexes[idx]);
        uint64_t wanted = cpu->cpreg_values[idx];
        const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);

        if (!ri) {
            ok = false;
            continue;
        }
        if (ri->type & ARM_CP_NO_RAW) {
            continue;
        }
        write_raw_cp_reg(&cpu->env, ri, wanted);
        /* Write value and confirm it reads back as written. */
        if (read_raw_cp_reg(&cpu->env, ri) != wanted) {
            ok = false;
        }
    }
    return ok;
}
264
/* g_list_foreach() callback: append the KVM-style ID of the regdef keyed by
 * @key to cpu->cpreg_indexes[], advancing cpu->cpreg_array_len.  NO_RAW and
 * ALIAS regdefs are skipped, exactly as count_cpreg() skips them, so the
 * two passes in init_cpreg_list() agree on the array length. */
static void add_cpreg_to_list(gpointer key, gpointer opaque)
{
    ARMCPU *cpu = opaque;
    uint64_t regidx = *(uint32_t *)key;
    /* @key comes from cp_regs' own key list, so the lookup is expected to
     * succeed; no NULL check is made. */
    const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);

    if (ri->type & (ARM_CP_NO_RAW | ARM_CP_ALIAS)) {
        return;
    }
    cpu->cpreg_indexes[cpu->cpreg_array_len] = cpreg_to_kvm_id(regidx);
    /* The value array need not be initialized at this point */
    cpu->cpreg_array_len++;
}
280
/* g_list_foreach() callback: bump cpu->cpreg_array_len for every regdef
 * that add_cpreg_to_list() will later emit (i.e. neither NO_RAW nor ALIAS).
 * Used by init_cpreg_list() to size the index/value arrays. */
static void count_cpreg(gpointer key, gpointer opaque)
{
    ARMCPU *cpu = opaque;
    uint64_t regidx = *(uint32_t *)key;
    /* @key is one of cp_regs' own keys; the lookup is assumed to hit. */
    const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
    bool counted = !(ri->type & (ARM_CP_NO_RAW | ARM_CP_ALIAS));

    if (counted) {
        cpu->cpreg_array_len++;
    }
}
294
/* GCompareFunc ordering cp_regs hash keys by their KVM-style register ID,
 * ascending.  Returns -1, 0 or 1. */
static gint cpreg_key_compare(gconstpointer a, gconstpointer b)
{
    uint64_t lhs = cpreg_to_kvm_id(*(const uint32_t *)a);
    uint64_t rhs = cpreg_to_kvm_id(*(const uint32_t *)b);

    return (lhs > rhs) - (lhs < rhs);
}
308
/* Initialise the cpreg_tuples[] array based on the cp_regs hash.
 * Note that we require cpreg_tuples[] to be sorted by key ID.
 *
 * Two passes over the sorted key list: count_cpreg() sizes the arrays and
 * add_cpreg_to_list() fills cpreg_indexes[].  Both skip the same regdefs,
 * which the assert at the end checks.  The vmstate arrays are allocated to
 * the same length but not filled here.
 */
void init_cpreg_list(ARMCPU *cpu)
{
    GList *keys = g_list_sort(g_hash_table_get_keys(cpu->cp_regs),
                              cpreg_key_compare);
    int nregs;

    cpu->cpreg_array_len = 0;
    g_list_foreach(keys, count_cpreg, cpu);
    nregs = cpu->cpreg_array_len;

    cpu->cpreg_indexes = g_new(uint64_t, nregs);
    cpu->cpreg_values = g_new(uint64_t, nregs);
    cpu->cpreg_vmstate_indexes = g_new(uint64_t, nregs);
    cpu->cpreg_vmstate_values = g_new(uint64_t, nregs);
    cpu->cpreg_vmstate_array_len = nregs;

    /* The second pass regrows cpreg_array_len as entries are appended. */
    cpu->cpreg_array_len = 0;
    g_list_foreach(keys, add_cpreg_to_list, cpu);
    assert(cpu->cpreg_array_len == nregs);

    g_list_free(keys);
}
338
/*
 * Some registers are not accessible if EL3.NS=0 and EL3 is using AArch32 but
 * they are accessible when EL3 is using AArch64 regardless of EL3.NS.
 *
 * access_el3_aa32ns: Used to check AArch32 register views.
 * access_el3_aa32ns_aa64any: Used to check both AArch32/64 register views.
 */
static CPAccessResult access_el3_aa32ns(CPUARMState *env,
                                        const ARMCPRegInfo *ri,
                                        bool isread)
{
    bool secure = arm_is_secure_below_el3(env);

    /* Only valid while EL3 is AArch32; access_el3_aa32ns_aa64any() filters
     * the AArch64 case out before calling here. */
    assert(!arm_el_is_aa64(env, 3));

    return secure ? CP_ACCESS_TRAP_UNCATEGORIZED : CP_ACCESS_OK;
}
358
/* Like access_el3_aa32ns(), but permits the access outright when EL3 is
 * AArch64, so it can be used for regdefs covering both register views. */
static CPAccessResult access_el3_aa32ns_aa64any(CPUARMState *env,
                                                const ARMCPRegInfo *ri,
                                                bool isread)
{
    if (arm_el_is_aa64(env, 3)) {
        return CP_ACCESS_OK;
    }
    return access_el3_aa32ns(env, ri, isread);
}
368
/* Some secure-only AArch32 registers trap to EL3 if used from
 * Secure EL1 (but are just ordinary UNDEF in other non-EL3 contexts).
 * Note that an access from Secure EL1 can only happen if EL3 is AArch64.
 * We assume that the .access field is set to PL1_RW.
 */
static CPAccessResult access_trap_aa32s_el1(CPUARMState *env,
                                            const ARMCPRegInfo *ri,
                                            bool isread)
{
    int el = arm_current_el(env);

    if (el == 3) {
        return CP_ACCESS_OK;
    }
    /* Secure EL1 (EL3 being AArch64) traps to EL3; everything else below
     * EL3 — NS EL1 and NS EL2 — just UNDEFs. */
    return arm_is_secure_below_el3(env) ? CP_ACCESS_TRAP_EL3
                                        : CP_ACCESS_TRAP_UNCATEGORIZED;
}
387
/* Check for traps to "powerdown debug" registers, which are controlled
 * by MDCR.TDOSA
 *
 * EL2 trapping applies only to non-secure EL0/EL1 (MDCR_EL2.TDOSA); EL3
 * trapping (MDCR_EL3.TDOSA) applies to any EL below 3 and is checked second,
 * so an EL2 trap takes precedence when both are set.
 */
static CPAccessResult access_tdosa(CPUARMState *env, const ARMCPRegInfo *ri,
                                   bool isread)
{
    int el = arm_current_el(env);
    bool trap_el2 = el < 2 && !arm_is_secure_below_el3(env)
                    && (env->cp15.mdcr_el2 & MDCR_TDOSA);
    bool trap_el3 = el < 3 && (env->cp15.mdcr_el3 & MDCR_TDOSA);

    if (trap_el2) {
        return CP_ACCESS_TRAP_EL2;
    }
    if (trap_el3) {
        return CP_ACCESS_TRAP_EL3;
    }
    return CP_ACCESS_OK;
}
405
/* Check for traps to "debug ROM" registers, which are controlled
 * by MDCR_EL2.TDRA for EL2 but by the more general MDCR_EL3.TDA for EL3.
 *
 * Same shape as access_tdosa(): the EL2 check applies to non-secure EL0/EL1
 * only and wins over the EL3 check.
 */
static CPAccessResult access_tdra(CPUARMState *env, const ARMCPRegInfo *ri,
                                  bool isread)
{
    int el = arm_current_el(env);
    bool trap_el2 = el < 2 && !arm_is_secure_below_el3(env)
                    && (env->cp15.mdcr_el2 & MDCR_TDRA);
    bool trap_el3 = el < 3 && (env->cp15.mdcr_el3 & MDCR_TDA);

    if (trap_el2) {
        return CP_ACCESS_TRAP_EL2;
    }
    if (trap_el3) {
        return CP_ACCESS_TRAP_EL3;
    }
    return CP_ACCESS_OK;
}
423
/* Check for traps to general debug registers, which are controlled
 * by MDCR_EL2.TDA for EL2 and MDCR_EL3.TDA for EL3.
 *
 * The EL2 check applies to non-secure EL0/EL1 only and takes precedence
 * over the EL3 check, as in access_tdosa() and access_tdra().
 */
static CPAccessResult access_tda(CPUARMState *env, const ARMCPRegInfo *ri,
                                 bool isread)
{
    int el = arm_current_el(env);
    bool trap_el2 = el < 2 && !arm_is_secure_below_el3(env)
                    && (env->cp15.mdcr_el2 & MDCR_TDA);
    bool trap_el3 = el < 3 && (env->cp15.mdcr_el3 & MDCR_TDA);

    if (trap_el2) {
        return CP_ACCESS_TRAP_EL2;
    }
    if (trap_el3) {
        return CP_ACCESS_TRAP_EL3;
    }
    return CP_ACCESS_OK;
}
441
/* Check for traps to performance monitor registers, which are controlled
 * by MDCR_EL2.TPM for EL2 and MDCR_EL3.TPM for EL3.
 *
 * Unlike pmreg_access() this does not consult PMUSERENR, so it is for
 * registers whose EL0 accessibility is fixed by their .access field.
 */
static CPAccessResult access_tpm(CPUARMState *env, const ARMCPRegInfo *ri,
                                 bool isread)
{
    int el = arm_current_el(env);
    bool trap_el2 = el < 2 && !arm_is_secure_below_el3(env)
                    && (env->cp15.mdcr_el2 & MDCR_TPM);
    bool trap_el3 = el < 3 && (env->cp15.mdcr_el3 & MDCR_TPM);

    if (trap_el2) {
        return CP_ACCESS_TRAP_EL2;
    }
    if (trap_el3) {
        return CP_ACCESS_TRAP_EL3;
    }
    return CP_ACCESS_OK;
}
459
/* DACR write: store the new domain access control value and flush this
 * CPU's TLB, because qemu's TLB does not track domains and so cannot
 * re-check existing entries against the new permissions. */
static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));

    raw_write(env, ri, value);
    tlb_flush(cs, 1); /* Flush TLB as domain not tracked in TLB */
}
467
/* FCSEIDR write: if the process ID actually changes, flush this CPU's TLB
 * before storing it.  Unlike real hardware the qemu TLB is keyed by
 * virtual address, not by FCSE-modified virtual address, so entries made
 * under the old PID would otherwise stay valid.  An unchanged value is a
 * no-op. */
static void fcse_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));
    bool changed = raw_read(env, ri) != value;

    if (!changed) {
        return;
    }
    tlb_flush(cs, 1);
    raw_write(env, ri, value);
}
480
/* CONTEXTIDR write.
 *
 * For VMSA cores not using the LPAE long-descriptor format the register
 * carries the ASID, so a changed value flushes this CPU's TLB.  For PMSA
 * (ARM_FEATURE_MPU) it is purely a process ID, and with extended addresses
 * the ASID lives elsewhere, so in those cases no flush is needed.  The
 * value is stored unconditionally.
 */
static void contextidr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                             uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));
    bool changed = raw_read(env, ri) != value;
    bool asid_in_reg = !arm_feature(env, ARM_FEATURE_MPU)
                       && !extended_addresses_enabled(env);

    if (changed && asid_in_reg) {
        tlb_flush(cs, 1);
    }
    raw_write(env, ri, value);
}
496
/* Invalidate all (TLBIALL): drop every entry in this CPU's TLB.  @value is
 * ignored; the 1 is tlb_flush()'s second argument, as used by the other
 * whole-TLB flushes in this file. */
static void tlbiall_write(CPUARMState *env, const ARMCPRegInfo *ri,
                          uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));

    tlb_flush(cs, 1);
}
505
/* Invalidate single TLB entry by MVA and ASID (TLBIMVA).  Only the page
 * address bits of @value are used; the ASID field in the low bits is
 * masked off and not matched, so the whole page is dropped for all ASIDs
 * on this CPU. */
static void tlbimva_write(CPUARMState *env, const ARMCPRegInfo *ri,
                          uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));
    target_ulong page = value & TARGET_PAGE_MASK;

    tlb_flush_page(cs, page);
}
514
/* Invalidate by ASID (TLBIASID).  qemu's TLB is not tagged by ASID, so the
 * whole TLB of this CPU is flushed; (value == 0) is passed as tlb_flush()'s
 * second argument — presumably so that ASID 0 also drops global entries,
 * confirm against tlb_flush(). */
static void tlbiasid_write(CPUARMState *env, const ARMCPRegInfo *ri,
                           uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));
    int asid_is_zero = (value == 0);

    tlb_flush(cs, asid_is_zero);
}
523
/* Invalidate single entry by MVA, all ASIDs (TLBIMVAA).  Same effect as
 * tlbimva_write() since qemu's TLB does not distinguish ASIDs. */
static void tlbimvaa_write(CPUARMState *env, const ARMCPRegInfo *ri,
                           uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));
    target_ulong page = value & TARGET_PAGE_MASK;

    tlb_flush_page(cs, page);
}
532
/* IS variants of TLB operations must affect all cores */

/* TLBIALLIS: flush the whole TLB of every CPU, not just the issuing one. */
static void tlbiall_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                             uint64_t value)
{
    CPUState *cs;

    CPU_FOREACH(cs) {
        tlb_flush(cs, 1);
    }
}
543
/* TLBIASIDIS: tlbiasid_write() applied to every CPU; see that function for
 * what the (value == 0) argument means. */
static void tlbiasid_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
{
    CPUState *cs;
    int asid_is_zero = (value == 0);

    CPU_FOREACH(cs) {
        tlb_flush(cs, asid_is_zero);
    }
}
553
/* TLBIMVAIS: drop the page containing @value's MVA from every CPU's TLB.
 * The ASID bits of @value are masked off, as in tlbimva_write(). */
static void tlbimva_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                             uint64_t value)
{
    CPUState *cs;
    target_ulong page = value & TARGET_PAGE_MASK;

    CPU_FOREACH(cs) {
        tlb_flush_page(cs, page);
    }
}
563
/* TLBIMVAAIS: drop the page containing @value's MVA from every CPU's TLB
 * regardless of ASID.  Identical to tlbimva_is_write() in qemu's model. */
static void tlbimvaa_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
{
    CPUState *cs;
    target_ulong page = value & TARGET_PAGE_MASK;

    CPU_FOREACH(cs) {
        tlb_flush_page(cs, page);
    }
}
573
/* Base cp15 regdefs: the FCSE process ID and the context ID, each as a
 * separate secure and non-secure instance.  Guest writes go through
 * fcse_write()/contextidr_write() so the qemu TLB is flushed when needed;
 * migration restores use raw_write directly and do not flush.
 */
static const ARMCPRegInfo cp_reginfo[] = {
    /* Define the secure and non-secure FCSE identifier CP registers
     * separately because there is no secure bank in V8 (no _EL3). This allows
     * the secure register to be properly reset and migrated. There is also no
     * v8 EL1 version of the register so the non-secure instance stands alone.
     */
    { .name = "FCSEIDR(NS)",
      .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 0,
      .access = PL1_RW, .secure = ARM_CP_SECSTATE_NS,
      .fieldoffset = offsetof(CPUARMState, cp15.fcseidr_ns),
      .resetvalue = 0, .writefn = fcse_write, .raw_writefn = raw_write, },
    { .name = "FCSEIDR(S)",
      .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 0,
      .access = PL1_RW, .secure = ARM_CP_SECSTATE_S,
      .fieldoffset = offsetof(CPUARMState, cp15.fcseidr_s),
      .resetvalue = 0, .writefn = fcse_write, .raw_writefn = raw_write, },
    /* Define the secure and non-secure context identifier CP registers
     * separately because there is no secure bank in V8 (no _EL3). This allows
     * the secure register to be properly reset and migrated. In the
     * non-secure case, the 32-bit register will have reset and migration
     * disabled during registration as it is handled by the 64-bit instance.
     */
    /* CONTEXTIDR_EL1 covers both the AArch64 and the NS AArch32 view. */
    { .name = "CONTEXTIDR_EL1", .state = ARM_CP_STATE_BOTH,
      .opc0 = 3, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 1,
      .access = PL1_RW, .secure = ARM_CP_SECSTATE_NS,
      .fieldoffset = offsetof(CPUARMState, cp15.contextidr_el[1]),
      .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, },
    { .name = "CONTEXTIDR(S)", .state = ARM_CP_STATE_AA32,
      .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 1,
      .access = PL1_RW, .secure = ARM_CP_SECSTATE_S,
      .fieldoffset = offsetof(CPUARMState, cp15.contextidr_s),
      .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, },
    REGINFO_SENTINEL
};
608
/* Regdefs for pre-v8 cores only: the domain access control register,
 * wildcarded TLB lockdown space and a NOP cache-maintenance space.
 */
static const ARMCPRegInfo not_v8_cp_reginfo[] = {
    /* NB: Some of these registers exist in v8 but with more precise
     * definitions that don't use CP_ANY wildcards (mostly in v8_cp_reginfo[]).
     */
    /* MMU Domain access control / MPU write buffer control */
    /* Banked between secure and non-secure; dacr_write() flushes the TLB. */
    { .name = "DACR",
      .cp = 15, .opc1 = CP_ANY, .crn = 3, .crm = CP_ANY, .opc2 = CP_ANY,
      .access = PL1_RW, .resetvalue = 0,
      .writefn = dacr_write, .raw_writefn = raw_write,
      .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dacr_s),
                             offsetoflow32(CPUARMState, cp15.dacr_ns) } },
    /* ARMv7 allocates a range of implementation defined TLB LOCKDOWN regs.
     * For v6 and v5, these mappings are overly broad.
     */
    { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 0,
      .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
    { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 1,
      .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
    { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 4,
      .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
    { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 8,
      .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
    /* Cache maintenance ops; some of this space may be overridden later. */
    /* Write-only from PL1; ARM_CP_OVERRIDE lets later regdefs replace it. */
    { .name = "CACHEMAINT", .cp = 15, .crn = 7, .crm = CP_ANY,
      .opc1 = 0, .opc2 = CP_ANY, .access = PL1_W,
      .type = ARM_CP_NOP | ARM_CP_OVERRIDE },
    REGINFO_SENTINEL
};
637
/* Regdefs for pre-v6 cores only: the v5 WFI encoding. */
static const ARMCPRegInfo not_v6_cp_reginfo[] = {
    /* Not all pre-v6 cores implemented this WFI, so this is slightly
     * over-broad.
     */
    { .name = "WFI_v5", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = 2,
      .access = PL1_W, .type = ARM_CP_WFI },
    REGINFO_SENTINEL
};
646
/* Regdefs for pre-v7 cores only: the v6 WFI, L1 cache lockdown, dummy
 * cache ID and DBGDIDR registers, the wildcarded TLB maintenance ops and
 * the PRRR/NMRR remap registers (NOPs here).
 */
static const ARMCPRegInfo not_v7_cp_reginfo[] = {
    /* Standard v6 WFI (also used in some pre-v6 cores); not in v7 (which
     * is UNPREDICTABLE; we choose to NOP as most implementations do).
     */
    { .name = "WFI_v6", .cp = 15, .crn = 7, .crm = 0, .opc1 = 0, .opc2 = 4,
      .access = PL1_W, .type = ARM_CP_WFI },
    /* L1 cache lockdown. Not architectural in v6 and earlier but in practice
     * implemented in 926, 946, 1026, 1136, 1176 and 11MPCore. StrongARM and
     * OMAPCP will override this space.
     */
    { .name = "DLOCKDOWN", .cp = 15, .crn = 9, .crm = 0, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_data),
      .resetvalue = 0 },
    { .name = "ILOCKDOWN", .cp = 15, .crn = 9, .crm = 0, .opc1 = 0, .opc2 = 1,
      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_insn),
      .resetvalue = 0 },
    /* v6 doesn't have the cache ID registers but Linux reads them anyway */
    /* Constant zero, excluded from the raw (migration) list. */
    { .name = "DUMMY", .cp = 15, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = CP_ANY,
      .access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
      .resetvalue = 0 },
    /* We don't implement pre-v7 debug but most CPUs had at least a DBGDIDR;
     * implementing it as RAZ means the "debug architecture version" bits
     * will read as a reserved value, which should cause Linux to not try
     * to use the debug hardware.
     */
    { .name = "DBGDIDR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 0,
      .access = PL0_R, .type = ARM_CP_CONST, .resetvalue = 0 },
    /* MMU TLB control. Note that the wildcarding means we cover not just
     * the unified TLB ops but also the dside/iside/inner-shareable variants.
     */
    /* Because the inner-shareable encodings are included, these use the
     * single-CPU tlbi*_write() handlers for the IS variants too. */
    { .name = "TLBIALL", .cp = 15, .crn = 8, .crm = CP_ANY,
      .opc1 = CP_ANY, .opc2 = 0, .access = PL1_W, .writefn = tlbiall_write,
      .type = ARM_CP_NO_RAW },
    { .name = "TLBIMVA", .cp = 15, .crn = 8, .crm = CP_ANY,
      .opc1 = CP_ANY, .opc2 = 1, .access = PL1_W, .writefn = tlbimva_write,
      .type = ARM_CP_NO_RAW },
    { .name = "TLBIASID", .cp = 15, .crn = 8, .crm = CP_ANY,
      .opc1 = CP_ANY, .opc2 = 2, .access = PL1_W, .writefn = tlbiasid_write,
      .type = ARM_CP_NO_RAW },
    { .name = "TLBIMVAA", .cp = 15, .crn = 8, .crm = CP_ANY,
      .opc1 = CP_ANY, .opc2 = 3, .access = PL1_W, .writefn = tlbimvaa_write,
      .type = ARM_CP_NO_RAW },
    { .name = "PRRR", .cp = 15, .crn = 10, .crm = 2,
      .opc1 = 0, .opc2 = 0, .access = PL1_RW, .type = ARM_CP_NOP },
    { .name = "NMRR", .cp = 15, .crn = 10, .crm = 2,
      .opc1 = 0, .opc2 = 1, .access = PL1_RW, .type = ARM_CP_NOP },
    REGINFO_SENTINEL
};
695
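/* Write CPACR / CPACR_EL1.
 *
 * On ARMv8 the value is stored unmodified (most bits are RES0 but are not
 * masked here).  On earlier cores only bits for implemented coprocessors
 * survive: with VFP that is ASEDIS [31], D32DIS [30] and the cp10/cp11
 * fields [23:20]; without VFP the stored value is zero.  ASEDIS is forced
 * to 1 without NEON, and D32DIS is forced to 1 unless NEON and VFP3
 * together provide D16-D31.
 *
 * The bit constants are written as unsigned: a signed `1 << 31` is
 * undefined behaviour in C11, and where it "works" it yields INT_MIN,
 * which sign-extends to 0xFFFFFFFF80000000 when OR-ed into the uint64_t
 * @value (previously only rescued by the trailing `value &= mask`).
 */
static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                        uint64_t value)
{
    uint32_t mask = 0;

    /* In ARMv8 most bits of CPACR_EL1 are RES0. */
    if (!arm_feature(env, ARM_FEATURE_V8)) {
        /* ARMv7 defines bits for unimplemented coprocessors as RAZ/WI.
         * ASEDIS [31] and D32DIS [30] are both UNK/SBZP without VFP.
         * TRCDIS [28] is RAZ/WI since we do not implement a trace macrocell.
         */
        if (arm_feature(env, ARM_FEATURE_VFP)) {
            /* VFP coprocessor: cp10 & cp11 [23:20] */
            mask |= (1U << 31) | (1U << 30) | (0xfU << 20);

            if (!arm_feature(env, ARM_FEATURE_NEON)) {
                /* ASEDIS [31] bit is RAO/WI */
                value |= (1U << 31);
            }

            /* VFPv3 and upwards with NEON implement 32 double precision
             * registers (D0-D31).
             */
            if (!arm_feature(env, ARM_FEATURE_NEON) ||
                !arm_feature(env, ARM_FEATURE_VFP3)) {
                /* D32DIS [30] is RAO/WI if D16-31 are not implemented. */
                value |= (1U << 30);
            }
        }
        /* Everything outside the implemented-coprocessor bits is RAZ/WI. */
        value &= mask;
    }
    env->cp15.cpacr_el1 = value;
}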
729
/* Access check for CPACR.
 *
 * Only ARMv8 has trapping here: a non-secure EL1 access traps to EL2 when
 * CPTR_EL2.TCPAC is set, else any access below EL3 traps to EL3 when
 * CPTR_EL3.TCPAC is set.  The EL2 check is made first, so it wins when
 * both bits are set.  Pre-v8 cores never trap.
 */
static CPAccessResult cpacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                   bool isread)
{
    int el;

    if (!arm_feature(env, ARM_FEATURE_V8)) {
        return CP_ACCESS_OK;
    }
    el = arm_current_el(env);

    /* Check if CPACR accesses are to be trapped to EL2 */
    if (el == 1 && !arm_is_secure(env)
        && (env->cp15.cptr_el[2] & CPTR_TCPAC)) {
        return CP_ACCESS_TRAP_EL2;
    }
    /* Check if CPACR accesses are to be trapped to EL3 */
    if (el < 3 && (env->cp15.cptr_el[3] & CPTR_TCPAC)) {
        return CP_ACCESS_TRAP_EL3;
    }
    return CP_ACCESS_OK;
}
747
/* Access check for CPTR_EL2: an EL2 access traps to EL3 when
 * CPTR_EL3.TCPAC is set; everything else is allowed through. */
static CPAccessResult cptr_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                  bool isread)
{
    bool from_el2 = arm_current_el(env) == 2;
    bool el3_traps = env->cp15.cptr_el[3] & CPTR_TCPAC;

    /* Check if CPTR accesses are set to trap to EL3 */
    return (from_el2 && el3_traps) ? CP_ACCESS_TRAP_EL3 : CP_ACCESS_OK;
}
758
/* Regdefs introduced with ARMv6: MVA prefetch, the barrier encodings,
 * IFAR, WFAR and CPACR.
 */
static const ARMCPRegInfo v6_cp_reginfo[] = {
    /* prefetch by MVA in v6, NOP in v7 */
    { .name = "MVA_prefetch",
      .cp = 15, .crn = 7, .crm = 13, .opc1 = 0, .opc2 = 1,
      .access = PL1_W, .type = ARM_CP_NOP },
    /* We need to break the TB after ISB to execute self-modifying code
     * correctly and also to take any pending interrupts immediately.
     * So use arm_cp_write_ignore() function instead of ARM_CP_NOP flag.
     */
    { .name = "ISB", .cp = 15, .crn = 7, .crm = 5, .opc1 = 0, .opc2 = 4,
      .access = PL0_W, .type = ARM_CP_NO_RAW, .writefn = arm_cp_write_ignore },
    { .name = "DSB", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 4,
      .access = PL0_W, .type = ARM_CP_NOP },
    { .name = "DMB", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 5,
      .access = PL0_W, .type = ARM_CP_NOP },
    /* Instruction fault address, banked secure/non-secure. */
    { .name = "IFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 2,
      .access = PL1_RW,
      .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ifar_s),
                             offsetof(CPUARMState, cp15.ifar_ns) },
      .resetvalue = 0, },
    /* Watchpoint Fault Address Register : should actually only be present
     * for 1136, 1176, 11MPCore.
     */
    { .name = "WFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 1,
      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, },
    /* Both AArch32 CPACR and AArch64 CPACR_EL1; cpacr_access() applies the
     * CPTR_EL2/CPTR_EL3.TCPAC traps and cpacr_write() masks the value. */
    { .name = "CPACR", .state = ARM_CP_STATE_BOTH, .opc0 = 3,
      .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 2, .accessfn = cpacr_access,
      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.cpacr_el1),
      .resetvalue = 0, .writefn = cpacr_write },
    REGINFO_SENTINEL
};
790
/* Performance monitor registers user accessibility is controlled
 * by PMUSERENR. MDCR_EL2.TPM and MDCR_EL3.TPM allow configurable
 * trapping to EL2 or EL3 for other accesses.
 *
 * Checks are ordered: an EL0 access with PMUSERENR clear traps (to EL1),
 * then the non-secure EL0/EL1 -> EL2 trap, then the below-EL3 -> EL3 trap.
 */
static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                   bool isread)
{
    int el = arm_current_el(env);
    bool user_denied = el == 0 && !env->cp15.c9_pmuserenr;
    bool trap_el2 = el < 2 && !arm_is_secure_below_el3(env)
                    && (env->cp15.mdcr_el2 & MDCR_TPM);
    bool trap_el3 = el < 3 && (env->cp15.mdcr_el3 & MDCR_TPM);

    if (user_denied) {
        return CP_ACCESS_TRAP;
    }
    if (trap_el2) {
        return CP_ACCESS_TRAP_EL2;
    }
    if (trap_el3) {
        return CP_ACCESS_TRAP_EL3;
    }
    return CP_ACCESS_OK;
}
813
814 #ifndef CONFIG_USER_ONLY
815
/* True when the cycle counter is enabled, i.e. PMCR.E is set.
 * This does not support checking PMCCFILTR_EL0 register. */
static inline bool arm_ccnt_enabled(CPUARMState *env)
{
    return (env->cp15.c9_pmcr & PMCRE) != 0;
}
826
/* Toggle cp15.c15_ccnt between its two representations.
 *
 * While the counter is enabled, pmccntr_read() reports (ticks - c15_ccnt),
 * i.e. c15_ccnt is stored as an offset from the virtual-clock tick count.
 * Applying ticks - c15_ccnt here turns that offset into the counter's
 * current absolute value, and applying it again turns an absolute value
 * back into an offset.  Callers such as pmcr_write() and pmccfiltr_write()
 * bracket a control-register change with two calls, presumably so the
 * visible count is preserved across it.  Does nothing when the counter is
 * disabled.  Ticks are scaled by ARM_CPU_FREQ and divided by 64 when
 * PMCR.D is set.
 */
void pmccntr_sync(CPUARMState *env)
{
    uint64_t ticks;

    if (!arm_ccnt_enabled(env)) {
        return;
    }

    ticks = muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL),
                     ARM_CPU_FREQ, NANOSECONDS_PER_SECOND);
    if (env->cp15.c9_pmcr & PMCRD) {
        /* Increment once every 64 processor clock cycles */
        ticks >>= 6;
    }
    env->cp15.c15_ccnt = ticks - env->cp15.c15_ccnt;
}
843
/* PMCR write.
 *
 * Only the DP, X, D and E bits (mask 0x39: bits 5, 4, 3 and 0) are
 * writable; all other bits of c9_pmcr are preserved.  PMCR.C resets the
 * cycle counter to zero.  The update is bracketed by pmccntr_sync() calls
 * so the counter value is converted to absolute form before the D/E bits
 * change and back to offset form afterwards.
 */
static void pmcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                       uint64_t value)
{
    const uint32_t writable = 0x39;
    bool reset_counter = value & PMCRC;

    pmccntr_sync(env);

    if (reset_counter) {
        /* The counter has been reset */
        env->cp15.c15_ccnt = 0;
    }

    /* only the DP, X, D and E bits are writable */
    env->cp15.c9_pmcr = (env->cp15.c9_pmcr & ~writable) | (value & writable);

    pmccntr_sync(env);
}
860
/* PMCCNTR read.
 *
 * Disabled counter: c15_ccnt holds the absolute value and is returned
 * as-is.  Enabled counter: c15_ccnt is an offset, and the value is the
 * current virtual-clock tick count (scaled by ARM_CPU_FREQ, divided by 64
 * when PMCR.D is set) minus that offset.  @ri is unused; pmccntr_write32()
 * passes NULL.
 */
static uint64_t pmccntr_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    uint64_t ticks;

    if (!arm_ccnt_enabled(env)) {
        /* Counter is disabled, do not change value */
        return env->cp15.c15_ccnt;
    }

    ticks = muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL),
                     ARM_CPU_FREQ, NANOSECONDS_PER_SECOND);
    if (env->cp15.c9_pmcr & PMCRD) {
        /* Increment once every 64 processor clock cycles */
        ticks >>= 6;
    }
    return ticks - env->cp15.c15_ccnt;
}
879
/* PMCCNTR write.
 *
 * Disabled counter: store @value as the absolute count.  Enabled counter:
 * store the offset (ticks - @value) so that a subsequent pmccntr_read()
 * yields @value plus the cycles elapsed since.  Tick scaling matches
 * pmccntr_read().
 */
static void pmccntr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                          uint64_t value)
{
    uint64_t ticks;

    if (!arm_ccnt_enabled(env)) {
        /* Counter is disabled, set the absolute value */
        env->cp15.c15_ccnt = value;
        return;
    }

    ticks = muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL),
                     ARM_CPU_FREQ, NANOSECONDS_PER_SECOND);
    if (env->cp15.c9_pmcr & PMCRD) {
        /* Increment once every 64 processor clock cycles */
        ticks >>= 6;
    }
    env->cp15.c15_ccnt = ticks - value;
}
900
/* 32-bit (AArch32) view of a PMCCNTR write: replace the low 32 bits of the
 * current 64-bit count with @value, keeping the upper 32 bits. */
static void pmccntr_write32(CPUARMState *env, const ARMCPRegInfo *ri,
                            uint64_t value)
{
    uint64_t current = pmccntr_read(env, NULL);
    uint64_t merged = deposit64(current, 0, 32, value);

    pmccntr_write(env, ri, merged);
}
908
909 #else /* CONFIG_USER_ONLY */
910
/* CONFIG_USER_ONLY stub: there is no cycle counter model in user mode, so
 * the PMCR/PMCCFILTR write handlers' sync calls are no-ops. */
void pmccntr_sync(CPUARMState *env)
{
}
914
915 #endif
916
/* PMCCFILTR_EL0 write: keep only bits [30:25] (mask 0x7E000000) of @value.
 * Bracketed by pmccntr_sync() like pmcr_write(); note arm_ccnt_enabled()
 * does not actually consult this register. */
static void pmccfiltr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                            uint64_t value)
{
    const uint64_t writable = 0x7E000000;

    pmccntr_sync(env);
    env->cp15.pmccfiltr_el0 = value & writable;
    pmccntr_sync(env);
}
924
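/* PMCNTENSET write: set counter-enable bits.  Only bit 31 (the cycle
 * counter, the sole counter modelled here) can be set; all other bits of
 * @value are ignored.  The mask is unsigned because a signed `1 << 31` is
 * undefined behaviour in C11 and would widen to 0xFFFFFFFF80000000 when
 * applied to the uint64_t @value. */
static void pmcntenset_write(CPUARMState *env, const ARMCPRegInfo *ri,
                             uint64_t value)
{
    env->cp15.c9_pmcnten |= value & (1U << 31);
}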
931
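/* PMCNTENCLR write: clear counter-enable bits.  Only bit 31 (the cycle
 * counter) can be cleared; other bits of @value are ignored.  Unsigned
 * mask for the same reason as in pmcntenset_write(): `1 << 31` on a
 * signed int is undefined behaviour in C11. */
static void pmcntenclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                             uint64_t value)
{
    env->cp15.c9_pmcnten &= ~(value & (1U << 31));
}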
938
/* PMOVSR write: write-one-to-clear.  Every bit set in @value is cleared in
 * the overflow status register; no masking of unimplemented bits is done. */
static void pmovsr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                         uint64_t value)
{
    uint64_t keep = ~value;

    env->cp15.c9_pmovsr &= keep;
}
944
/* PMXEVTYPER write: only the low 8 bits (the event number) are stored. */
static void pmxevtyper_write(CPUARMState *env, const ARMCPRegInfo *ri,
                             uint64_t value)
{
    const uint64_t event_mask = 0xff;

    env->cp15.c9_pmxevtyper = value & event_mask;
}
950
/* PMUSERENR write: only bit 0 (EN) is stored.  pmreg_access() reads this
 * to decide whether EL0 may touch the PMU registers. */
static void pmuserenr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                            uint64_t value)
{
    env->cp15.c9_pmuserenr = value & 1;
}
956
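/* PMINTENSET write: set interrupt-enable bits.
 * We have no event counters so only the C bit (bit 31) can be changed;
 * other bits of @value are ignored.  The mask is unsigned because a signed
 * `1 << 31` is undefined behaviour in C11 and would sign-extend to
 * 0xFFFFFFFF80000000 when combined with the uint64_t @value. */
static void pmintenset_write(CPUARMState *env, const ARMCPRegInfo *ri,
                             uint64_t value)
{
    env->cp15.c9_pminten |= value & (1U << 31);
}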
964
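/* PMINTENCLR write: clear interrupt-enable bits.  Only the C bit (bit 31)
 * exists here, so other bits of @value are ignored.  Unsigned mask for the
 * same reason as in pmintenset_write(): signed `1 << 31` is undefined
 * behaviour in C11. */
static void pmintenclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                             uint64_t value)
{
    env->cp15.c9_pminten &= ~(value & (1U << 31));
}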
971
/* VBAR / VBAR_EL1 write: store @value with bits [4:0] cleared.
 *
 * Note that even though the AArch64 view of this register has bits
 * [10:0] all RES0 we can only mask the bottom 5, to comply with the
 * architectural requirements for bits which are RES0 only in some
 * contexts. (ARMv8 would permit us to do no masking at all, but ARMv7
 * requires the bottom five bits to be RAZ/WI because they're UNK/SBZP.)
 */
static void vbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
                       uint64_t value)
{
    const uint64_t low_bits = 0x1FULL;

    raw_write(env, ri, value & ~low_bits);
}
983
/* SCR / SCR_EL3 write.
 *
 * We only mask off bits that are RES0 both for AArch64 and AArch32.
 * For bits that vary between AArch32/64, code needs to check the
 * current execution mode before directly using the feature bit.
 *
 * Without EL2, SCR.HCE is forced to zero.  On ARMv7 without EL2, SMD
 * (called SCD in v7) is also forced to zero: the bit is UNK/SBZP when EL2
 * is unavailable, and QEMU chooses zero.  On ARMv8 SMD is always writable.
 */
static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
{
    uint32_t valid_mask = SCR_AARCH64_MASK | SCR_AARCH32_MASK;
    bool has_el2 = arm_feature(env, ARM_FEATURE_EL2);
    bool v7_only = arm_feature(env, ARM_FEATURE_V7)
                   && !arm_feature(env, ARM_FEATURE_V8);

    if (!has_el2) {
        valid_mask &= ~SCR_HCE;
        if (v7_only) {
            valid_mask &= ~SCR_SMD;
        }
    }

    /* Clear all-context RES0 bits. */
    raw_write(env, ri, value & valid_mask);
}
1011
/* CCSIDR read: return the cache ID word selected by CSSELR. CSSELR is
 * banked by security state, so the bank matching the security state of
 * this CCSIDR view is used. Guest writes to CSSELR are limited to four
 * bits by csselr_write(), which is what keeps the selector inside the
 * cpu->ccsidr table; NOTE(review): whether raw/migration writes are
 * masked the same way is not visible here — confirm before relying on
 * it.
 */
static uint64_t ccsidr_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    const int secure_bank = ri->secure & ARM_CP_SECSTATE_S;
    const uint32_t selector = A32_BANKED_REG_GET(env, csselr, secure_bank);
    ARMCPU *cpu = arm_env_get_cpu(env);

    return cpu->ccsidr[selector];
}
1024
/* CSSELR write: only bits [3:0] of the cache selector are kept, which
 * also bounds the index used later by ccsidr_read().
 */
static void csselr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                         uint64_t value)
{
    const uint64_t selector_mask = 0xf;

    raw_write(env, ri, value & selector_mask);
}
1030
/* ISR_EL1 read: report pending interrupt lines. I mirrors a pending IRQ
 * (CPU_INTERRUPT_HARD) and F a pending FIQ. The A bit is never set
 * because QEMU cannot generate external aborts.
 */
static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    CPUState *cs = ENV_GET_CPU(env);
    const bool irq_pending = (cs->interrupt_request & CPU_INTERRUPT_HARD) != 0;
    const bool fiq_pending = (cs->interrupt_request & CPU_INTERRUPT_FIQ) != 0;

    return (irq_pending ? CPSR_I : 0) | (fiq_pending ? CPSR_F : 0);
}
1045
/* cp15 registers common to ARMv7 cores: the ARM-recommended PMU register
 * set (no counters are implemented; see the category notes below), VBAR,
 * the cache ID/selection registers, the IMPDEF auxiliary ID and fault
 * status registers, the memory attribute registers, ISR and the 32-bit
 * TLB maintenance operations. .access gives the minimum privilege level
 * for each register and .accessfn, where present, adds a run-time check;
 * pmreg_access and access_tpm are defined earlier in the file and are not
 * visible here.
 */
static const ARMCPRegInfo v7_cp_reginfo[] = {
    /* the old v6 WFI, UNPREDICTABLE in v7 but we choose to NOP */
    { .name = "NOP", .cp = 15, .crn = 7, .crm = 0, .opc1 = 0, .opc2 = 4,
      .access = PL1_W, .type = ARM_CP_NOP },
    /* Performance monitors are implementation defined in v7,
     * but with an ARM recommended set of registers, which we
     * follow (although we don't actually implement any counters)
     *
     * Performance registers fall into three categories:
     *  (a) always UNDEF in PL0, RW in PL1 (PMINTENSET, PMINTENCLR)
     *  (b) RO in PL0 (ie UNDEF on write), RW in PL1 (PMUSERENR)
     *  (c) UNDEF in PL0 if PMUSERENR.EN==0, otherwise accessible (all others)
     * For the cases controlled by PMUSERENR we must set .access to PL0_RW
     * or PL0_RO as appropriate and then check PMUSERENR in the helper fn.
     */
    { .name = "PMCNTENSET", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 1,
      .access = PL0_RW, .type = ARM_CP_ALIAS,
      .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcnten),
      .writefn = pmcntenset_write,
      .accessfn = pmreg_access,
      .raw_writefn = raw_write },
    { .name = "PMCNTENSET_EL0", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 1,
      .access = PL0_RW, .accessfn = pmreg_access,
      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcnten), .resetvalue = 0,
      .writefn = pmcntenset_write, .raw_writefn = raw_write },
    { .name = "PMCNTENCLR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 2,
      .access = PL0_RW,
      .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcnten),
      .accessfn = pmreg_access,
      .writefn = pmcntenclr_write,
      .type = ARM_CP_ALIAS },
    { .name = "PMCNTENCLR_EL0", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 2,
      .access = PL0_RW, .accessfn = pmreg_access,
      .type = ARM_CP_ALIAS,
      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcnten),
      .writefn = pmcntenclr_write },
    { .name = "PMOVSR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 3,
      .access = PL0_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_pmovsr),
      .accessfn = pmreg_access,
      .writefn = pmovsr_write,
      .raw_writefn = raw_write },
    { .name = "PMOVSCLR_EL0", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 3,
      .access = PL0_RW, .accessfn = pmreg_access,
      .type = ARM_CP_ALIAS,
      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmovsr),
      .writefn = pmovsr_write,
      .raw_writefn = raw_write },
    /* Unimplemented so WI. */
    { .name = "PMSWINC", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 4,
      .access = PL0_W, .accessfn = pmreg_access, .type = ARM_CP_NOP },
    /* Since we don't implement any events, writing to PMSELR is UNPREDICTABLE.
     * We choose to RAZ/WI.
     */
    { .name = "PMSELR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 5,
      .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
      .accessfn = pmreg_access },
#ifndef CONFIG_USER_ONLY
    /* The cycle counter is only available in system emulation; it is
     * backed by a clock, hence ARM_CP_IO.
     */
    { .name = "PMCCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 0,
      .access = PL0_RW, .resetvalue = 0, .type = ARM_CP_IO,
      .readfn = pmccntr_read, .writefn = pmccntr_write32,
      .accessfn = pmreg_access },
    { .name = "PMCCNTR_EL0", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 13, .opc2 = 0,
      .access = PL0_RW, .accessfn = pmreg_access,
      .type = ARM_CP_IO,
      .readfn = pmccntr_read, .writefn = pmccntr_write, },
#endif
    { .name = "PMCCFILTR_EL0", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 15, .opc2 = 7,
      .writefn = pmccfiltr_write,
      .access = PL0_RW, .accessfn = pmreg_access,
      .type = ARM_CP_IO,
      .fieldoffset = offsetof(CPUARMState, cp15.pmccfiltr_el0),
      .resetvalue = 0, },
    { .name = "PMXEVTYPER", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 1,
      .access = PL0_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmxevtyper),
      .accessfn = pmreg_access, .writefn = pmxevtyper_write,
      .raw_writefn = raw_write },
    /* Unimplemented, RAZ/WI. */
    { .name = "PMXEVCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 2,
      .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
      .accessfn = pmreg_access },
    /* Category (b): PL0 may read PMUSERENR but only PL1 may write it. */
    { .name = "PMUSERENR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 0,
      .access = PL0_R | PL1_RW, .accessfn = access_tpm,
      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmuserenr),
      .resetvalue = 0,
      .writefn = pmuserenr_write, .raw_writefn = raw_write },
    { .name = "PMUSERENR_EL0", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 14, .opc2 = 0,
      .access = PL0_R | PL1_RW, .accessfn = access_tpm, .type = ARM_CP_ALIAS,
      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmuserenr),
      .resetvalue = 0,
      .writefn = pmuserenr_write, .raw_writefn = raw_write },
    /* Category (a): PL1 only. */
    { .name = "PMINTENSET", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 1,
      .access = PL1_RW, .accessfn = access_tpm,
      .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
      .resetvalue = 0,
      .writefn = pmintenset_write, .raw_writefn = raw_write },
    { .name = "PMINTENCLR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 2,
      .access = PL1_RW, .accessfn = access_tpm, .type = ARM_CP_ALIAS,
      .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
      .writefn = pmintenclr_write, },
    { .name = "PMINTENCLR_EL1", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 2,
      .access = PL1_RW, .accessfn = access_tpm, .type = ARM_CP_ALIAS,
      .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
      .writefn = pmintenclr_write },
    /* VBAR is banked by security state; vbar_write() masks bits [4:0]. */
    { .name = "VBAR", .state = ARM_CP_STATE_BOTH,
      .opc0 = 3, .crn = 12, .crm = 0, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW, .writefn = vbar_write,
      .bank_fieldoffsets = { offsetof(CPUARMState, cp15.vbar_s),
                             offsetof(CPUARMState, cp15.vbar_ns) },
      .resetvalue = 0 },
    { .name = "CCSIDR", .state = ARM_CP_STATE_BOTH,
      .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = 0,
      .access = PL1_R, .readfn = ccsidr_read, .type = ARM_CP_NO_RAW },
    { .name = "CSSELR", .state = ARM_CP_STATE_BOTH,
      .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 2, .opc2 = 0,
      .access = PL1_RW, .writefn = csselr_write, .resetvalue = 0,
      .bank_fieldoffsets = { offsetof(CPUARMState, cp15.csselr_s),
                             offsetof(CPUARMState, cp15.csselr_ns) } },
    /* Auxiliary ID register: this actually has an IMPDEF value but for now
     * just RAZ for all cores:
     */
    { .name = "AIDR", .state = ARM_CP_STATE_BOTH,
      .opc0 = 3, .opc1 = 1, .crn = 0, .crm = 0, .opc2 = 7,
      .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
    /* Auxiliary fault status registers: these also are IMPDEF, and we
     * choose to RAZ/WI for all cores.
     */
    { .name = "AFSR0_EL1", .state = ARM_CP_STATE_BOTH,
      .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 1, .opc2 = 0,
      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
    { .name = "AFSR1_EL1", .state = ARM_CP_STATE_BOTH,
      .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 1, .opc2 = 1,
      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
    /* MAIR can just read-as-written because we don't implement caches
     * and so don't need to care about memory attributes.
     */
    { .name = "MAIR_EL1", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 0,
      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.mair_el[1]),
      .resetvalue = 0 },
    { .name = "MAIR_EL3", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 6, .crn = 10, .crm = 2, .opc2 = 0,
      .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.mair_el[3]),
      .resetvalue = 0 },
    /* For non-long-descriptor page tables these are PRRR and NMRR;
     * regardless they still act as reads-as-written for QEMU.
     */
    /* MAIR0/1 are defined separately from their 64-bit counterpart which
     * allows them to assign the correct fieldoffset based on the endianness
     * handled in the field definitions.
     */
    { .name = "MAIR0", .state = ARM_CP_STATE_AA32,
      .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 0, .access = PL1_RW,
      .bank_fieldoffsets = { offsetof(CPUARMState, cp15.mair0_s),
                             offsetof(CPUARMState, cp15.mair0_ns) },
      .resetfn = arm_cp_reset_ignore },
    { .name = "MAIR1", .state = ARM_CP_STATE_AA32,
      .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 1, .access = PL1_RW,
      .bank_fieldoffsets = { offsetof(CPUARMState, cp15.mair1_s),
                             offsetof(CPUARMState, cp15.mair1_ns) },
      .resetfn = arm_cp_reset_ignore },
    /* Read-only view of the pending IRQ/FIQ lines; see isr_read(). */
    { .name = "ISR_EL1", .state = ARM_CP_STATE_BOTH,
      .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 0,
      .type = ARM_CP_NO_RAW, .access = PL1_R, .readfn = isr_read },
    /* TLB maintenance operations are write-only at PL1 and have no
     * backing state (ARM_CP_NO_RAW); the writefn performs the flush.
     */
    /* 32 bit ITLB invalidates */
    { .name = "ITLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 0,
      .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_write },
    { .name = "ITLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 1,
      .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write },
    { .name = "ITLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 2,
      .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiasid_write },
    /* 32 bit DTLB invalidates */
    { .name = "DTLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 0,
      .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_write },
    { .name = "DTLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 1,
      .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write },
    { .name = "DTLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 2,
      .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiasid_write },
    /* 32 bit TLB invalidates */
    { .name = "TLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 0,
      .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_write },
    { .name = "TLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 1,
      .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write },
    { .name = "TLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 2,
      .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiasid_write },
    { .name = "TLBIMVAA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 3,
      .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimvaa_write },
    /* Array terminator. */
    REGINFO_SENTINEL
};
1242
/* ARMv7 multiprocessor extension: the Inner Shareable variants of the
 * 32-bit TLB invalidate operations. Like the non-IS forms they are
 * write-only at PL1 with no backing state; the _is_write helpers (not
 * visible here) perform the flush.
 */
static const ARMCPRegInfo v7mp_cp_reginfo[] = {
    /* 32 bit TLB invalidates, Inner Shareable */
    { .name = "TLBIALLIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 0,
      .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_is_write },
    { .name = "TLBIMVAIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 1,
      .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_is_write },
    { .name = "TLBIASIDIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 2,
      .type = ARM_CP_NO_RAW, .access = PL1_W,
      .writefn = tlbiasid_is_write },
    { .name = "TLBIMVAAIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 3,
      .type = ARM_CP_NO_RAW, .access = PL1_W,
      .writefn = tlbimvaa_is_write },
    /* Array terminator. */
    REGINFO_SENTINEL
};
1257
/* TEECR write: only bit 0 is kept. teehbr_access() reads this bit to
 * decide whether PL0 may touch TEEHBR.
 */
static void teecr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                        uint64_t value)
{
    const uint64_t bit0 = value & 1;

    env->teecr = bit0;
}
1264
/* Access check for TEEHBR: trap accesses from EL0 while TEECR bit 0 is
 * set; everything else is allowed. isread is not consulted.
 */
static CPAccessResult teehbr_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                    bool isread)
{
    const bool from_el0 = arm_current_el(env) == 0;
    const bool el0_blocked = (env->teecr & 1) != 0;

    return (from_el0 && el0_blocked) ? CP_ACCESS_TRAP : CP_ACCESS_OK;
}
1273
/* ThumbEE (cp14) registers. TEECR is PL1-only and controls, via its bit 0,
 * whether PL0 may access TEEHBR (enforced by teehbr_access()).
 */
static const ARMCPRegInfo t2ee_cp_reginfo[] = {
    { .name = "TEECR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 6, .opc2 = 0,
      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, teecr),
      .resetvalue = 0,
      .writefn = teecr_write },
    { .name = "TEEHBR", .cp = 14, .crn = 1, .crm = 0, .opc1 = 6, .opc2 = 0,
      .access = PL0_RW, .fieldoffset = offsetof(CPUARMState, teehbr),
      .accessfn = teehbr_access, .resetvalue = 0 },
    /* Array terminator. */
    REGINFO_SENTINEL
};
1284
/* ARMv6K thread ID registers, in AArch64 and AArch32 views. The AArch32
 * views are banked by security state and share the low 32 bits of the
 * 64-bit state (offsetoflow32). TPIDRURO/TPIDRRO_EL0 is readable at
 * PL0 but writable only from PL1.
 */
static const ARMCPRegInfo v6k_cp_reginfo[] = {
    { .name = "TPIDR_EL0", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 3, .opc2 = 2, .crn = 13, .crm = 0,
      .access = PL0_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[0]), .resetvalue = 0 },
    { .name = "TPIDRURW", .cp = 15, .crn = 13, .crm = 0, .opc1 = 0, .opc2 = 2,
      .access = PL0_RW,
      .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidrurw_s),
                             offsetoflow32(CPUARMState, cp15.tpidrurw_ns) },
      .resetfn = arm_cp_reset_ignore },
    { .name = "TPIDRRO_EL0", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 3, .opc2 = 3, .crn = 13, .crm = 0,
      .access = PL0_R|PL1_W,
      .fieldoffset = offsetof(CPUARMState, cp15.tpidrro_el[0]),
      .resetvalue = 0},
    { .name = "TPIDRURO", .cp = 15, .crn = 13, .crm = 0, .opc1 = 0, .opc2 = 3,
      .access = PL0_R|PL1_W,
      .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidruro_s),
                             offsetoflow32(CPUARMState, cp15.tpidruro_ns) },
      .resetfn = arm_cp_reset_ignore },
    { .name = "TPIDR_EL1", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 0, .opc2 = 4, .crn = 13, .crm = 0,
      .access = PL1_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[1]), .resetvalue = 0 },
    { .name = "TPIDRPRW", .opc1 = 0, .cp = 15, .crn = 13, .crm = 0, .opc2 = 4,
      .access = PL1_RW,
      .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidrprw_s),
                             offsetoflow32(CPUARMState, cp15.tpidrprw_ns) },
      .resetvalue = 0 },
    /* Array terminator. */
    REGINFO_SENTINEL
};
1316
1317 #ifndef CONFIG_USER_ONLY
1318
/* Access check for CNTFRQ/CNTFRQ_EL0.
 *  - EL0: hidden unless CNTKCTL bits [1:0] (PL0PCTEN/PL0VCTEN) has at
 *    least one bit set.
 *  - 32-bit Secure EL1: writes UNDEF (not a trap to EL3).
 *  - Any EL below the highest implemented one: writes UNDEF.
 * Reads at EL1 and above are always permitted.
 */
static CPAccessResult gt_cntfrq_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                       bool isread)
{
    const int el = arm_current_el(env);

    if (el == 0 && extract32(env->cp15.c14_cntkctl, 0, 2) == 0) {
        return CP_ACCESS_TRAP;
    }
    if (el == 1 && !isread && ri->state == ARM_CP_STATE_AA32 &&
        arm_is_secure_below_el3(env)) {
        return CP_ACCESS_TRAP_UNCATEGORIZED;
    }
    if (!isread && el < arm_highest_el(env)) {
        return CP_ACCESS_TRAP_UNCATEGORIZED;
    }

    return CP_ACCESS_OK;
}
1351
/* Shared access check for the physical/virtual counter registers
 * (CNTPCT/CNTVCT). timeridx selects which CNTKCTL enable bit applies
 * (bit timeridx). With EL2 present, non-secure EL0/EL1 accesses to the
 * physical counter additionally trap to EL2 while CNTHCTL_EL2 bit 0 is
 * clear. isread is not consulted.
 */
static CPAccessResult gt_counter_access(CPUARMState *env, int timeridx,
                                        bool isread)
{
    const unsigned int el = arm_current_el(env);
    const bool secure = arm_is_secure(env);
    const bool el0_enabled = extract32(env->cp15.c14_cntkctl, timeridx, 1);

    if (el == 0 && !el0_enabled) {
        return CP_ACCESS_TRAP;
    }

    if (timeridx == GTIMER_PHYS && !secure && el < 2 &&
        arm_feature(env, ARM_FEATURE_EL2) &&
        !extract32(env->cp15.cnthctl_el2, 0, 1)) {
        return CP_ACCESS_TRAP_EL2;
    }

    return CP_ACCESS_OK;
}
1371
/* Shared access check for the physical/virtual timer registers
 * (CNT[PV]_CVAL, CNT[PV]_CTL, CNT[PV]_TVAL). At EL0 the register is
 * hidden unless CNTKCTL bit (9 - timeridx), i.e. EL0[PV]TEN, is set.
 * With EL2 present, non-secure EL0/EL1 accesses to the physical timer
 * trap to EL2 while CNTHCTL_EL2 bit 1 is clear. isread is not consulted.
 */
static CPAccessResult gt_timer_access(CPUARMState *env, int timeridx,
                                      bool isread)
{
    const unsigned int el = arm_current_el(env);
    const bool secure = arm_is_secure(env);
    const bool el0_enabled = extract32(env->cp15.c14_cntkctl, 9 - timeridx, 1);

    if (el == 0 && !el0_enabled) {
        return CP_ACCESS_TRAP;
    }

    if (timeridx == GTIMER_PHYS && !secure && el < 2 &&
        arm_feature(env, ARM_FEATURE_EL2) &&
        !extract32(env->cp15.cnthctl_el2, 1, 1)) {
        return CP_ACCESS_TRAP_EL2;
    }

    return CP_ACCESS_OK;
}
1393
/* accessfn for CNTPCT/CNTPCT_EL0: physical counter rules. */
static CPAccessResult gt_pct_access(CPUARMState *env,
                                    const ARMCPRegInfo *ri,
                                    bool isread)
{
    const int timeridx = GTIMER_PHYS;

    return gt_counter_access(env, timeridx, isread);
}
1400
/* accessfn for CNTVCT/CNTVCT_EL0: virtual counter rules. */
static CPAccessResult gt_vct_access(CPUARMState *env,
                                    const ARMCPRegInfo *ri,
                                    bool isread)
{
    const int timeridx = GTIMER_VIRT;

    return gt_counter_access(env, timeridx, isread);
}
1407
/* accessfn for the physical timer registers (CNTP_*). */
static CPAccessResult gt_ptimer_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                       bool isread)
{
    const int timeridx = GTIMER_PHYS;

    return gt_timer_access(env, timeridx, isread);
}
1413
/* accessfn for the virtual timer registers (CNTV_*). */
static CPAccessResult gt_vtimer_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                       bool isread)
{
    const int timeridx = GTIMER_VIRT;

    return gt_timer_access(env, timeridx, isread);
}
1419
/* accessfn for the AArch64 view of the secure physical timer
 * (CNTPS_*_EL1): always reachable from EL3, reachable from Secure EL1
 * only when SCR_EL3.ST is set (otherwise trapped to EL3), and never
 * from EL0, EL2 or Non-secure EL1.
 */
static CPAccessResult gt_stimer_access(CPUARMState *env,
                                       const ARMCPRegInfo *ri,
                                       bool isread)
{
    const int el = arm_current_el(env);

    if (el == 3) {
        return CP_ACCESS_OK;
    }
    if (el == 0 || el == 2) {
        return CP_ACCESS_TRAP;
    }
    if (el == 1) {
        if (!arm_is_secure(env)) {
            return CP_ACCESS_TRAP;
        }
        return (env->cp15.scr_el3 & SCR_ST) ? CP_ACCESS_OK
                                            : CP_ACCESS_TRAP_EL3;
    }
    /* arm_current_el() only yields 0..3. */
    g_assert_not_reached();
}
1446
/* Current system counter value: the virtual clock in ns, divided down
 * by GTIMER_SCALE. env is unused.
 */
static uint64_t gt_get_countervalue(CPUARMState *env)
{
    const int64_t now_ns = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);

    return now_ns / GTIMER_SCALE;
}
1451
/* Re-evaluate one generic timer after its state or the counter changed:
 * update CTL.ISTATUS (bit 2), drive the output line and (re)arm or
 * cancel the backing QEMUTimer.
 *
 * Unsigned 64-bit wraparound is relied upon in the count/offset/cval
 * arithmetic, as on the real hardware.
 */
static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
{
    ARMGenericTimer *gt = &cpu->env.cp15.c14_timer[timeridx];
    uint64_t offset = 0;
    uint64_t count;
    uint64_t nexttick;
    int istatus;

    if (!(gt->ctl & 1)) {
        /* Disabled: ISTATUS and the output are forced clear and any
         * pending expiry is cancelled.
         */
        gt->ctl &= ~4;
        qemu_set_irq(cpu->gt_timer_outputs[timeridx], 0);
        timer_del(cpu->gt_timer[timeridx]);
        return;
    }

    /* Enabled: the virtual timer compares against the counter minus
     * CNTVOFF_EL2; the others use the raw counter.
     */
    if (timeridx == GTIMER_VIRT) {
        offset = cpu->env.cp15.cntvoff_el2;
    }
    count = gt_get_countervalue(&cpu->env);
    istatus = (count - offset) >= gt->cval;

    gt->ctl = deposit32(gt->ctl, 2, 1, istatus);
    /* Output asserts when ISTATUS is set and IMASK (bit 1) is clear. */
    qemu_set_irq(cpu->gt_timer_outputs[timeridx],
                 (istatus && !(gt->ctl & 2)));

    /* Once ISTATUS is set, the next change is when the counter wraps to
     * zero; otherwise it is when the counter reaches cval. A QEMUTimer
     * expiry is signed 64-bit, so clamp to the furthest representable
     * point and let the expiry callback re-arm for any remainder.
     */
    nexttick = istatus ? UINT64_MAX : gt->cval + offset;
    if (nexttick > INT64_MAX / GTIMER_SCALE) {
        nexttick = INT64_MAX / GTIMER_SCALE;
    }
    timer_mod(cpu->gt_timer[timeridx], nexttick);
}
1493
/* Reset hook shared by the per-timer *_TVAL registers: cancel any armed
 * expiry for timer timeridx. ri is unused.
 */
static void gt_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri,
                           int timeridx)
{
    QEMUTimer *backing = arm_env_get_cpu(env)->gt_timer[timeridx];

    timer_del(backing);
}
1501
/* readfn for CNTPCT/CNTPCT_EL0: the raw physical counter. */
static uint64_t gt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    const uint64_t count = gt_get_countervalue(env);

    return count;
}
1506
/* readfn for CNTVCT/CNTVCT_EL0: physical counter minus CNTVOFF_EL2
 * (unsigned wraparound intended).
 */
static uint64_t gt_virt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    const uint64_t count = gt_get_countervalue(env);
    const uint64_t voffset = env->cp15.cntvoff_el2;

    return count - voffset;
}
1511
/* Shared CVAL writefn: store the new comparator and re-evaluate the
 * timer so ISTATUS, the output line and the expiry follow it.
 */
static void gt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
                          int timeridx,
                          uint64_t value)
{
    ARMGenericTimer *gt = &env->cp15.c14_timer[timeridx];

    gt->cval = value;
    gt_recalc_timer(arm_env_get_cpu(env), timeridx);
}
1519
/* Shared TVAL readfn: the 32-bit down-counting view, i.e. cval minus
 * the (offset-adjusted for the virtual timer) current counter,
 * truncated to 32 bits.
 */
static uint64_t gt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri,
                             int timeridx)
{
    uint64_t offset = 0;

    if (timeridx == GTIMER_VIRT) {
        offset = env->cp15.cntvoff_el2;
    }

    const uint64_t now = gt_get_countervalue(env) - offset;
    const uint64_t remaining = env->cp15.c14_timer[timeridx].cval - now;

    return (uint32_t)remaining;
}
1528
/* Shared TVAL writefn: value is a signed 32-bit delta relative to the
 * (offset-adjusted) current counter; derive cval from it and
 * re-evaluate the timer.
 */
static void gt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
                          int timeridx,
                          uint64_t value)
{
    uint64_t offset = 0;

    if (timeridx == GTIMER_VIRT) {
        offset = env->cp15.cntvoff_el2;
    }

    const int64_t delta = sextract64(value, 0, 32);
    const uint64_t now = gt_get_countervalue(env) - offset;

    env->cp15.c14_timer[timeridx].cval = now + delta;
    gt_recalc_timer(arm_env_get_cpu(env), timeridx);
}
1539
/* Shared CTL writefn: only ENABLE (bit 0) and IMASK (bit 1) are
 * writable; ISTATUS (bit 2) is preserved. Toggling ENABLE requires a
 * full re-evaluation; toggling only IMASK just re-drives the output
 * from the existing ISTATUS.
 */
static void gt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
                         int timeridx,
                         uint64_t value)
{
    ARMCPU *cpu = arm_env_get_cpu(env);
    ARMGenericTimer *gt = &env->cp15.c14_timer[timeridx];
    const uint32_t oldval = gt->ctl;
    const uint64_t toggled = oldval ^ value;

    gt->ctl = deposit64(oldval, 0, 2, value);

    if (toggled & 1) {
        gt_recalc_timer(cpu, timeridx);
    } else if (toggled & 2) {
        qemu_set_irq(cpu->gt_timer_outputs[timeridx],
                     (oldval & 4) && !(value & 2));
    }
}
1559
/* resetfn for CNTP_TVAL_EL0: cancel the physical timer. */
static void gt_phys_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
{
    const int timeridx = GTIMER_PHYS;

    gt_timer_reset(env, ri, timeridx);
}
1564
/* writefn for CNTP_CVAL{,_EL0}: physical timer comparator. */
static void gt_phys_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
                               uint64_t value)
{
    const int timeridx = GTIMER_PHYS;

    gt_cval_write(env, ri, timeridx, value);
}
1570
/* readfn for CNTP_TVAL{,_EL0}: physical timer down-count view. */
static uint64_t gt_phys_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    const int timeridx = GTIMER_PHYS;

    return gt_tval_read(env, ri, timeridx);
}
1575
/* writefn for CNTP_TVAL{,_EL0}: physical timer down-count view. */
static void gt_phys_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
                               uint64_t value)
{
    const int timeridx = GTIMER_PHYS;

    gt_tval_write(env, ri, timeridx, value);
}
1581
/* writefn for CNTP_CTL{,_EL0}: physical timer control. */
static void gt_phys_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
{
    const int timeridx = GTIMER_PHYS;

    gt_ctl_write(env, ri, timeridx, value);
}
1587
/* resetfn for CNTV_TVAL_EL0: cancel the virtual timer. */
static void gt_virt_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
{
    const int timeridx = GTIMER_VIRT;

    gt_timer_reset(env, ri, timeridx);
}
1592
/* writefn for CNTV_CVAL{,_EL0}: virtual timer comparator. */
static void gt_virt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
                               uint64_t value)
{
    const int timeridx = GTIMER_VIRT;

    gt_cval_write(env, ri, timeridx, value);
}
1598
/* readfn for CNTV_TVAL{,_EL0}: virtual timer down-count view. */
static uint64_t gt_virt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    const int timeridx = GTIMER_VIRT;

    return gt_tval_read(env, ri, timeridx);
}
1603
/* writefn for CNTV_TVAL{,_EL0}: virtual timer down-count view. */
static void gt_virt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
                               uint64_t value)
{
    const int timeridx = GTIMER_VIRT;

    gt_tval_write(env, ri, timeridx, value);
}
1609
/* writefn for CNTV_CTL{,_EL0}: virtual timer control. */
static void gt_virt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
{
    const int timeridx = GTIMER_VIRT;

    gt_ctl_write(env, ri, timeridx, value);
}
1615
/* writefn for CNTVOFF_EL2: store the new virtual offset and re-evaluate
 * the virtual timer, whose comparison depends on it.
 */
static void gt_cntvoff_write(CPUARMState *env, const ARMCPRegInfo *ri,
                             uint64_t value)
{
    raw_write(env, ri, value);
    gt_recalc_timer(arm_env_get_cpu(env), GTIMER_VIRT);
}
1624
/* resetfn for the hypervisor timer TVAL register: cancel the timer. */
static void gt_hyp_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
{
    const int timeridx = GTIMER_HYP;

    gt_timer_reset(env, ri, timeridx);
}
1629
/* writefn for the hypervisor timer comparator. */
static void gt_hyp_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
{
    const int timeridx = GTIMER_HYP;

    gt_cval_write(env, ri, timeridx, value);
}
1635
/* readfn for the hypervisor timer down-count view. */
static uint64_t gt_hyp_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    const int timeridx = GTIMER_HYP;

    return gt_tval_read(env, ri, timeridx);
}
1640
/* writefn for the hypervisor timer down-count view. */
static void gt_hyp_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
{
    const int timeridx = GTIMER_HYP;

    gt_tval_write(env, ri, timeridx, value);
}
1646
/* writefn for the hypervisor timer control register. */
static void gt_hyp_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
                             uint64_t value)
{
    const int timeridx = GTIMER_HYP;

    gt_ctl_write(env, ri, timeridx, value);
}
1652
/* resetfn for CNTPS_TVAL_EL1: cancel the secure physical timer. */
static void gt_sec_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
{
    const int timeridx = GTIMER_SEC;

    gt_timer_reset(env, ri, timeridx);
}
1657
/* writefn for CNTP_CVAL(S): secure physical timer comparator. */
static void gt_sec_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
{
    const int timeridx = GTIMER_SEC;

    gt_cval_write(env, ri, timeridx, value);
}
1663
/* readfn for CNTP_TVAL(S)/CNTPS_TVAL_EL1: secure timer down-count view. */
static uint64_t gt_sec_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    const int timeridx = GTIMER_SEC;

    return gt_tval_read(env, ri, timeridx);
}
1668
/* writefn for CNTP_TVAL(S)/CNTPS_TVAL_EL1: secure timer down-count view. */
static void gt_sec_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
{
    const int timeridx = GTIMER_SEC;

    gt_tval_write(env, ri, timeridx, value);
}
1674
/* writefn for CNTP_CTL(S)/CNTPS_CTL_EL1: secure timer control. */
static void gt_sec_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
                             uint64_t value)
{
    const int timeridx = GTIMER_SEC;

    gt_ctl_write(env, ri, timeridx, value);
}
1680
/* QEMUTimer expiry callback for the physical timer. opaque is the
 * ARMCPU the timer belongs to; re-evaluating the timer updates ISTATUS,
 * the output line and any remaining expiry.
 */
void arm_gt_ptimer_cb(void *opaque)
{
    gt_recalc_timer((ARMCPU *)opaque, GTIMER_PHYS);
}
1687
/* QEMUTimer expiry callback for the virtual timer; opaque is the
 * owning ARMCPU.
 */
void arm_gt_vtimer_cb(void *opaque)
{
    gt_recalc_timer((ARMCPU *)opaque, GTIMER_VIRT);
}
1694
/* QEMUTimer expiry callback for the hypervisor timer; opaque is the
 * owning ARMCPU.
 */
void arm_gt_htimer_cb(void *opaque)
{
    gt_recalc_timer((ARMCPU *)opaque, GTIMER_HYP);
}
1701
/* QEMUTimer expiry callback for the secure physical timer; opaque is
 * the owning ARMCPU.
 */
void arm_gt_stimer_cb(void *opaque)
{
    gt_recalc_timer((ARMCPU *)opaque, GTIMER_SEC);
}
1708
1709 static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
1710 /* Note that CNTFRQ is purely reads-as-written for the benefit
1711 * of software; writing it doesn't actually change the timer frequency.
1712 * Our reset value matches the fixed frequency we implement the timer at.
1713 */
1714 { .name = "CNTFRQ", .cp = 15, .crn = 14, .crm = 0, .opc1 = 0, .opc2 = 0,
1715 .type = ARM_CP_ALIAS,
1716 .access = PL1_RW | PL0_R, .accessfn = gt_cntfrq_access,
1717 .fieldoffset = offsetoflow32(CPUARMState, cp15.c14_cntfrq),
1718 },
1719 { .name = "CNTFRQ_EL0", .state = ARM_CP_STATE_AA64,
1720 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 0,
1721 .access = PL1_RW | PL0_R, .accessfn = gt_cntfrq_access,
1722 .fieldoffset = offsetof(CPUARMState, cp15.c14_cntfrq),
1723 .resetvalue = (1000 * 1000 * 1000) / GTIMER_SCALE,
1724 },
1725 /* overall control: mostly access permissions */
1726 { .name = "CNTKCTL", .state = ARM_CP_STATE_BOTH,
1727 .opc0 = 3, .opc1 = 0, .crn = 14, .crm = 1, .opc2 = 0,
1728 .access = PL1_RW,
1729 .fieldoffset = offsetof(CPUARMState, cp15.c14_cntkctl),
1730 .resetvalue = 0,
1731 },
1732 /* per-timer control */
1733 { .name = "CNTP_CTL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 1,
1734 .secure = ARM_CP_SECSTATE_NS,
1735 .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
1736 .accessfn = gt_ptimer_access,
1737 .fieldoffset = offsetoflow32(CPUARMState,
1738 cp15.c14_timer[GTIMER_PHYS].ctl),
1739 .writefn = gt_phys_ctl_write, .raw_writefn = raw_write,
1740 },
1741 { .name = "CNTP_CTL(S)",
1742 .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 1,
1743 .secure = ARM_CP_SECSTATE_S,
1744 .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
1745 .accessfn = gt_ptimer_access,
1746 .fieldoffset = offsetoflow32(CPUARMState,
1747 cp15.c14_timer[GTIMER_SEC].ctl),
1748 .writefn = gt_sec_ctl_write, .raw_writefn = raw_write,
1749 },
1750 { .name = "CNTP_CTL_EL0", .state = ARM_CP_STATE_AA64,
1751 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 1,
1752 .type = ARM_CP_IO, .access = PL1_RW | PL0_R,
1753 .accessfn = gt_ptimer_access,
1754 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].ctl),
1755 .resetvalue = 0,
1756 .writefn = gt_phys_ctl_write, .raw_writefn = raw_write,
1757 },
1758 { .name = "CNTV_CTL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 1,
1759 .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
1760 .accessfn = gt_vtimer_access,
1761 .fieldoffset = offsetoflow32(CPUARMState,
1762 cp15.c14_timer[GTIMER_VIRT].ctl),
1763 .writefn = gt_virt_ctl_write, .raw_writefn = raw_write,
1764 },
1765 { .name = "CNTV_CTL_EL0", .state = ARM_CP_STATE_AA64,
1766 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 1,
1767 .type = ARM_CP_IO, .access = PL1_RW | PL0_R,
1768 .accessfn = gt_vtimer_access,
1769 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].ctl),
1770 .resetvalue = 0,
1771 .writefn = gt_virt_ctl_write, .raw_writefn = raw_write,
1772 },
1773 /* TimerValue views: a 32 bit downcounting view of the underlying state */
1774 { .name = "CNTP_TVAL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 0,
1775 .secure = ARM_CP_SECSTATE_NS,
1776 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1777 .accessfn = gt_ptimer_access,
1778 .readfn = gt_phys_tval_read, .writefn = gt_phys_tval_write,
1779 },
1780 { .name = "CNTP_TVAL(S)",
1781 .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 0,
1782 .secure = ARM_CP_SECSTATE_S,
1783 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1784 .accessfn = gt_ptimer_access,
1785 .readfn = gt_sec_tval_read, .writefn = gt_sec_tval_write,
1786 },
1787 { .name = "CNTP_TVAL_EL0", .state = ARM_CP_STATE_AA64,
1788 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 0,
1789 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1790 .accessfn = gt_ptimer_access, .resetfn = gt_phys_timer_reset,
1791 .readfn = gt_phys_tval_read, .writefn = gt_phys_tval_write,
1792 },
1793 { .name = "CNTV_TVAL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 0,
1794 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1795 .accessfn = gt_vtimer_access,
1796 .readfn = gt_virt_tval_read, .writefn = gt_virt_tval_write,
1797 },
1798 { .name = "CNTV_TVAL_EL0", .state = ARM_CP_STATE_AA64,
1799 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 0,
1800 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1801 .accessfn = gt_vtimer_access, .resetfn = gt_virt_timer_reset,
1802 .readfn = gt_virt_tval_read, .writefn = gt_virt_tval_write,
1803 },
1804 /* The counter itself */
1805 { .name = "CNTPCT", .cp = 15, .crm = 14, .opc1 = 0,
1806 .access = PL0_R, .type = ARM_CP_64BIT | ARM_CP_NO_RAW | ARM_CP_IO,
1807 .accessfn = gt_pct_access,
1808 .readfn = gt_cnt_read, .resetfn = arm_cp_reset_ignore,
1809 },
1810 { .name = "CNTPCT_EL0", .state = ARM_CP_STATE_AA64,
1811 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 1,
1812 .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
1813 .accessfn = gt_pct_access, .readfn = gt_cnt_read,
1814 },
1815 { .name = "CNTVCT", .cp = 15, .crm = 14, .opc1 = 1,
1816 .access = PL0_R, .type = ARM_CP_64BIT | ARM_CP_NO_RAW | ARM_CP_IO,
1817 .accessfn = gt_vct_access,
1818 .readfn = gt_virt_cnt_read, .resetfn = arm_cp_reset_ignore,
1819 },
1820 { .name = "CNTVCT_EL0", .state = ARM_CP_STATE_AA64,
1821 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 2,
1822 .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
1823 .accessfn = gt_vct_access, .readfn = gt_virt_cnt_read,
1824 },
1825 /* Comparison value, indicating when the timer goes off */
1826 { .name = "CNTP_CVAL", .cp = 15, .crm = 14, .opc1 = 2,
1827 .secure = ARM_CP_SECSTATE_NS,
1828 .access = PL1_RW | PL0_R,
1829 .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
1830 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval),
1831 .accessfn = gt_ptimer_access,
1832 .writefn = gt_phys_cval_write, .raw_writefn = raw_write,
1833 },
1834 { .name = "CNTP_CVAL(S)", .cp = 15, .crm = 14, .opc1 = 2,
1835 .secure = ARM_CP_SECSTATE_S,
1836 .access = PL1_RW | PL0_R,
1837 .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
1838 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].cval),
1839 .accessfn = gt_ptimer_access,
1840 .writefn = gt_sec_cval_write, .raw_writefn = raw_write,
1841 },
1842 { .name = "CNTP_CVAL_EL0", .state = ARM_CP_STATE_AA64,
1843 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 2,
1844 .access = PL1_RW | PL0_R,
1845 .type = ARM_CP_IO,
1846 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval),
1847 .resetvalue = 0, .accessfn = gt_ptimer_access,
1848 .writefn = gt_phys_cval_write, .raw_writefn = raw_write,
1849 },
1850 { .name = "CNTV_CVAL", .cp = 15, .crm = 14, .opc1 = 3,
1851 .access = PL1_RW | PL0_R,
1852 .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
1853 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval),
1854 .accessfn = gt_vtimer_access,
1855 .writefn = gt_virt_cval_write, .raw_writefn = raw_write,
1856 },
1857 { .name = "CNTV_CVAL_EL0", .state = ARM_CP_STATE_AA64,
1858 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 2,
1859 .access = PL1_RW | PL0_R,
1860 .type = ARM_CP_IO,
1861 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval),
1862 .resetvalue = 0, .accessfn = gt_vtimer_access,
1863 .writefn = gt_virt_cval_write, .raw_writefn = raw_write,
1864 },
1865 /* Secure timer -- this is actually restricted to only EL3
1866 * and configurably Secure-EL1 via the accessfn.
1867 */
1868 { .name = "CNTPS_TVAL_EL1", .state = ARM_CP_STATE_AA64,
1869 .opc0 = 3, .opc1 = 7, .crn = 14, .crm = 2, .opc2 = 0,
1870 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW,
1871 .accessfn = gt_stimer_access,
1872 .readfn = gt_sec_tval_read,
1873 .writefn = gt_sec_tval_write,
1874 .resetfn = gt_sec_timer_reset,
1875 },
1876 { .name = "CNTPS_CTL_EL1", .state = ARM_CP_STATE_AA64,
1877 .opc0 = 3, .opc1 = 7, .crn = 14, .crm = 2, .opc2 = 1,
1878 .type = ARM_CP_IO, .access = PL1_RW,
1879 .accessfn = gt_stimer_access,
1880 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].ctl),
1881 .resetvalue = 0,
1882 .writefn = gt_sec_ctl_write, .raw_writefn = raw_write,
1883 },
1884 { .name = "CNTPS_CVAL_EL1", .state = ARM_CP_STATE_AA64,
1885 .opc0 = 3, .opc1 = 7, .crn = 14, .crm = 2, .opc2 = 2,
1886 .type = ARM_CP_IO, .access = PL1_RW,
1887 .accessfn = gt_stimer_access,
1888 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].cval),
1889 .writefn = gt_sec_cval_write, .raw_writefn = raw_write,
1890 },
1891 REGINFO_SENTINEL
1892 };
1893
1894 #else
1895 /* In user-mode none of the generic timer registers are accessible,
1896 * and their implementation depends on QEMU_CLOCK_VIRTUAL and qdev gpio outputs,
1897 * so instead just don't register any of them.
1898 */
/* User-mode build: an empty table, so no CNT* register is ever defined and
 * the timer code (which needs QEMU_CLOCK_VIRTUAL and qdev GPIOs) is not
 * reachable from guest cp15 accesses.
 */
static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
    REGINFO_SENTINEL
};
1902
1903 #endif
1904
/* Write the 32-bit PAR.  LPAE implementations keep the whole value; older
 * ones clear the bits that are not defined for their version of the
 * short-descriptor PAR format before storing.
 */
static void par_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
{
    uint64_t keep;

    if (arm_feature(env, ARM_FEATURE_LPAE)) {
        keep = ~0ULL;
    } else if (arm_feature(env, ARM_FEATURE_V7)) {
        keep = 0xfffff6ff;
    } else {
        keep = 0xfffff1ff;
    }
    raw_write(env, ri, value & keep);
}
1915
1916 #ifndef CONFIG_USER_ONLY
1917 /* get_phys_addr() isn't present for user-mode-only targets */
1918
/* Access check for the AArch32 ATS* operations.
 *
 * Only the ATS12NSO* forms (opc2 bit 2 set) are restricted: executed at
 * EL1 they trap to EL3 when in Secure state (only possible if EL3 is
 * AArch64) and are UNDEF in Non-secure state.  The ATS1C* forms, and any
 * ATS* executed at EL2 or EL3, are always permitted.
 */
static CPAccessResult ats_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                 bool isread)
{
    bool is_ats12nso = (ri->opc2 & 4) != 0;

    if (!is_ats12nso || arm_current_el(env) != 1) {
        return CP_ACCESS_OK;
    }
    return arm_is_secure_below_el3(env)
           ? CP_ACCESS_TRAP_UNCATEGORIZED_EL3
           : CP_ACCESS_TRAP_UNCATEGORIZED;
}
1937
/* Perform an address-translation operation and build the PAR value.
 *
 * @value:       the virtual address to translate
 * @access_type: 0 for read, 1 for write (taken from opc2 bit 0 by callers)
 * @mmu_idx:     the translation regime to walk
 *
 * Returns the PAR contents: the 64-bit LPAE layout when extended addresses
 * are enabled, otherwise the 32-bit short-descriptor layout.  The caller
 * stores it into the appropriate PAR register.
 */
static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
                             int access_type, ARMMMUIdx mmu_idx)
{
    hwaddr phys_addr;
    target_ulong page_size;
    int prot;
    uint32_t fsr;
    bool ret;
    uint64_t par64;
    MemTxAttrs attrs = {};
    ARMMMUFaultInfo fi = {};

    /* ret is true on a translation fault; fsr then holds the fault status. */
    ret = get_phys_addr(env, value, access_type, mmu_idx,
                        &phys_addr, &attrs, &prot, &page_size, &fsr, &fi);
    if (extended_addresses_enabled(env)) {
        /* fsr is a DFSR/IFSR value for the long descriptor
         * translation table format, but with WnR always clear.
         * Convert it to a 64-bit PAR.
         */
        par64 = (1 << 11); /* LPAE bit always set */
        if (!ret) {
            par64 |= phys_addr & ~0xfffULL;
            if (!attrs.secure) {
                par64 |= (1 << 9); /* NS */
            }
            /* We don't set the ATTR or SH fields in the PAR. */
        } else {
            par64 |= 1; /* F */
            par64 |= (fsr & 0x3f) << 1; /* FS */
            /* S2WLK and FSTAGE are left zero: fi is filled in by
             * get_phys_addr but not consulted here.
             * NOTE(review): the previous comment said no virtualization is
             * implemented, but ats1h_write and the S12NSE* cases above do
             * walk stage 2, so a stage 2 fault can reach this point and is
             * then reported as a stage 1 fault.  Check whether
             * ARMMMUFaultInfo carries the stage-2/s1ptw information needed
             * to set these PAR fields.
             */
        }
    } else {
        /* fsr is a DFSR/IFSR value for the short descriptor
         * translation table format (with WnR always clear).
         * Convert it to a 32-bit PAR.
         */
        if (!ret) {
            /* We do not set any attribute bits in the PAR */
            if (page_size == (1 << 24)
                && arm_feature(env, ARM_FEATURE_V7)) {
                /* 16MB supersection: PA bits [31:24] plus the SS bit. */
                par64 = (phys_addr & 0xff000000) | (1 << 1);
            } else {
                par64 = phys_addr & 0xfffff000;
            }
            if (!attrs.secure) {
                par64 |= (1 << 9); /* NS */
            }
        } else {
            /* Repack the short-descriptor FSR: bit 10 -> PAR bit 5 (FS[4]),
             * bit 12 -> PAR bit 6 (ExT), bits [3:0] -> PAR [4:1], F set.
             */
            par64 = ((fsr & (1 << 10)) >> 5) | ((fsr & (1 << 12)) >> 6) |
                    ((fsr & 0xf) << 1) | 1;
        }
    }
    return par64;
}
1995
/* AArch32 ATS* (cp15 c7, c8): pick the translation regime from the opc2
 * encoding and the current EL / security state, translate, and store the
 * result into the PAR of the current security bank.
 *
 * opc2 bit 0: write (1) or read (0) access.
 * opc2 bit 1: PL0 regime (ATS1CU*, ATS12NSOU*) instead of PL1.
 * opc2 bit 2: Non-secure stage 1+2 translation (ATS12NSO*); these are
 *             gated by ats_access so they only run from EL2/EL3.
 */
static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
{
    int access_type = ri->opc2 & 1;
    bool user = (ri->opc2 & 2) != 0;
    bool stage12 = (ri->opc2 & 4) != 0;
    int el = arm_current_el(env);
    bool secure = arm_is_secure_below_el3(env);
    ARMMMUIdx mmu_idx;
    uint64_t par64;

    if (stage12) {
        mmu_idx = user ? ARMMMUIdx_S12NSE0 : ARMMMUIdx_S12NSE1;
    } else {
        /* ATS1C*: stage 1 of the current state; EL3 uses its own regime
         * for the PL1 case but the Secure PL0 regime for the PL0 case.
         */
        switch (el) {
        case 3:
            mmu_idx = user ? ARMMMUIdx_S1SE0 : ARMMMUIdx_S1E3;
            break;
        case 2:
            mmu_idx = user ? ARMMMUIdx_S1NSE0 : ARMMMUIdx_S1NSE1;
            break;
        case 1:
            if (secure) {
                mmu_idx = user ? ARMMMUIdx_S1SE0 : ARMMMUIdx_S1SE1;
            } else {
                mmu_idx = user ? ARMMMUIdx_S1NSE0 : ARMMMUIdx_S1NSE1;
            }
            break;
        default:
            g_assert_not_reached();
        }
    }

    par64 = do_ats_write(env, value, access_type, mmu_idx);

    A32_BANKED_CURRENT_REG_SET(env, par, par64);
}
2053
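/* AArch32 ATS1HR / ATS1HW: stage 1 translation for the Hyp (EL2) regime.
 *
 * These are the AArch32 counterparts of AT S1E2R/W, which ats_write64
 * handles with ARMMMUIdx_S1E2.  The previous code passed ARMMMUIdx_S2NS,
 * the stage-2-only regime, which treats the input as an IPA instead of
 * walking the EL2 stage 1 tables.  Use the same index as the AArch64 path.
 *
 * opc2 bit 0 selects a write (1) or read (0) access.  The result goes into
 * the PAR of the current security bank.
 */
static void ats1h_write(CPUARMState *env, const ARMCPRegInfo *ri,
                        uint64_t value)
{
    int access_type = ri->opc2 & 1;
    uint64_t par64;

    par64 = do_ats_write(env, value, access_type, ARMMMUIdx_S1E2);

    A32_BANKED_CURRENT_REG_SET(env, par, par64);
}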
2064
/* Access check for AT S1E2R/W: from EL3 the operation is only permitted
 * while SCR_EL3.NS is set; any other EL that reaches here is allowed.
 */
static CPAccessResult at_s1e2_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                     bool isread)
{
    bool at_el3 = arm_current_el(env) == 3;
    bool scr_ns = (env->cp15.scr_el3 & SCR_NS) != 0;

    return (at_el3 && !scr_ns) ? CP_ACCESS_TRAP : CP_ACCESS_OK;
}
2073
/* AArch64 AT S1E*, S12E*: decode the regime from opc2/opc1 and the current
 * security state, translate, and store the result in PAR_EL1.
 *
 * opc2 bit 0: write (1) or read (0).
 * opc2 bits [2:1]: 0 = S1E<n> (opc1 picks EL1/EL2/EL3), 1 = S1E0,
 *                  2 = S12E1, 3 = S12E0.
 * In Secure state the S12E* forms fall back to the Secure stage 1 regimes
 * (there is no stage 2 there).
 */
static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
                        uint64_t value)
{
    int access_type = ri->opc2 & 1;
    bool secure = arm_is_secure_below_el3(env);
    ARMMMUIdx mmu_idx;

    switch (ri->opc2 & 6) {
    case 0:
        if (ri->opc1 == 0) {
            /* AT S1E1R, AT S1E1W */
            mmu_idx = secure ? ARMMMUIdx_S1SE1 : ARMMMUIdx_S1NSE1;
        } else if (ri->opc1 == 4) {
            /* AT S1E2R, AT S1E2W */
            mmu_idx = ARMMMUIdx_S1E2;
        } else if (ri->opc1 == 6) {
            /* AT S1E3R, AT S1E3W */
            mmu_idx = ARMMMUIdx_S1E3;
        } else {
            g_assert_not_reached();
        }
        break;
    case 2:
        /* AT S1E0R, AT S1E0W */
        mmu_idx = secure ? ARMMMUIdx_S1SE0 : ARMMMUIdx_S1NSE0;
        break;
    case 4:
        /* AT S12E1R, AT S12E1W */
        mmu_idx = secure ? ARMMMUIdx_S1SE1 : ARMMMUIdx_S12NSE1;
        break;
    case 6:
        /* AT S12E0R, AT S12E0W */
        mmu_idx = secure ? ARMMMUIdx_S1SE0 : ARMMMUIdx_S12NSE0;
        break;
    default:
        g_assert_not_reached();
    }

    env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx);
}
2112 #endif
2113
/* VA-to-PA operations and the 32-bit PAR for cores without LPAE. */
static const ARMCPRegInfo vapa_cp_reginfo[] = {
    /* PAR (c7, c4, 0): 32-bit view of the security-banked par_s/par_ns;
     * par_write drops the bits undefined for this CPU's architecture.
     */
    { .name = "PAR", .cp = 15, .crn = 7, .crm = 4, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW, .resetvalue = 0,
      .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.par_s),
                             offsetoflow32(CPUARMState, cp15.par_ns) },
      .writefn = par_write },
#ifndef CONFIG_USER_ONLY
    /* This underdecoding is safe because the reginfo is NO_RAW.
     * One entry covers every opc2 of c7, c8: ats_access gates the
     * ATS12NSO* forms and ats_write decodes opc2 into the MMU index.
     */
    { .name = "ATS", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = CP_ANY,
      .access = PL1_W, .accessfn = ats_access,
      .writefn = ats_write, .type = ARM_CP_NO_RAW },
#endif
    REGINFO_SENTINEL
};
2128
2129 /* Return basic MPU access permission bits. */
/* Compress extended MPU access-permission bits to the basic format.
 *
 * The extended layout holds one 4-bit field per region (8 regions in
 * bits [31:0]); the basic layout holds one 2-bit field per region in
 * bits [15:0].  Only the low two bits of each extended field survive.
 */
static uint32_t simple_mpu_ap_bits(uint32_t val)
{
    uint32_t ret = 0;
    int region;

    for (region = 0; region < 8; region++) {
        ret |= ((val >> (4 * region)) & 3u) << (2 * region);
    }
    return ret;
}
2143
2144 /* Pad basic MPU access permission bits to extended format. */
/* Expand basic MPU access-permission bits to the extended format.
 *
 * Each 2-bit region field in bits [15:0] of the input becomes the low two
 * bits of a 4-bit field in the result; the upper two bits of every field
 * are zero.  Input bits above bit 15 are ignored.
 */
static uint32_t extended_mpu_ap_bits(uint32_t val)
{
    uint32_t ret = 0;
    int region;

    for (region = 0; region < 8; region++) {
        ret |= ((val >> (2 * region)) & 3u) << (4 * region);
    }
    return ret;
}
2158
/* DATA_AP write: the guest supplies the basic (2-bit) form; the state is
 * kept in extended form so DATA_EXT_AP can alias the same field.
 */
static void pmsav5_data_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                 uint64_t value)
{
    uint32_t expanded = extended_mpu_ap_bits(value);

    env->cp15.pmsav5_data_ap = expanded;
}
2164
/* DATA_AP read: present the stored extended form compressed to basic. */
static uint64_t pmsav5_data_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    uint32_t stored = env->cp15.pmsav5_data_ap;

    return simple_mpu_ap_bits(stored);
}
2169
/* INSN_AP write: basic form in, stored in extended form (see INSN_EXT_AP). */
static void pmsav5_insn_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                 uint64_t value)
{
    uint32_t expanded = extended_mpu_ap_bits(value);

    env->cp15.pmsav5_insn_ap = expanded;
}
2175
/* INSN_AP read: compress the stored extended form back to basic. */
static uint64_t pmsav5_insn_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    uint32_t stored = env->cp15.pmsav5_insn_ap;

    return simple_mpu_ap_bits(stored);
}
2180
/* Read the DRBAR/DRSR/DRACR entry for the region currently selected by RGNR.
 *
 * ri->fieldoffset points at a uint32_t* (pmsav7.drbar/drsr/dracr), i.e. a
 * per-region array indexed by c6_rgnr; a NULL array reads as zero.
 * c6_rgnr is kept in range by pmsav7_rgnr_write.
 */
static uint64_t pmsav7_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    uint32_t *regions = *(uint32_t **)raw_ptr(env, ri);

    return regions ? regions[env->cp15.c6_rgnr] : 0;
}
2192
/* Write the DRBAR/DRSR/DRACR entry for the region selected by RGNR.
 *
 * A NULL region array (no regions allocated) makes the write a no-op.
 * Any region change can invalidate cached translations, so the TLB is
 * flushed before the new value is stored.
 */
static void pmsav7_write(CPUARMState *env, const ARMCPRegInfo *ri,
                         uint64_t value)
{
    uint32_t *regions = *(uint32_t **)raw_ptr(env, ri);

    if (regions) {
        tlb_flush(CPU(arm_env_get_cpu(env)), 1);
        regions[env->cp15.c6_rgnr] = value;
    }
}
2207
/* Reset one of the PMSAv7 per-region arrays: zero every region's entry.
 * pmsav7_dregion gives the number of allocated entries.
 */
static void pmsav7_reset(CPUARMState *env, const ARMCPRegInfo *ri)
{
    ARMCPU *cpu = arm_env_get_cpu(env);
    uint32_t *regions = *(uint32_t **)raw_ptr(env, ri);

    if (!regions) {
        return;
    }
    memset(regions, 0, cpu->pmsav7_dregion * sizeof(regions[0]));
}
2219
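/* RGNR write: select the MPU region that DRBAR/DRSR/DRACR operate on.
 *
 * pmsav7_read/pmsav7_write index their per-region arrays with c6_rgnr, so
 * an out-of-range value must never reach it: such writes are logged as a
 * guest error and ignored.  The log text now matches the check (">=").
 */
static void pmsav7_rgnr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
{
    ARMCPU *cpu = arm_env_get_cpu(env);
    uint32_t nrgs = cpu->pmsav7_dregion;

    if (value >= nrgs) {
        qemu_log_mask(LOG_GUEST_ERROR,
                      "PMSAv7 RGNR write >= # supported regions, %" PRIu32
                      " >= %" PRIu32 "\n", (uint32_t)value, nrgs);
        return;
    }

    raw_write(env, ri, value);
}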
2235
/* PMSAv7 MPU registers.
 *
 * DRBAR/DRSR/DRACR are NO_RAW because their fieldoffset holds a pointer
 * to a per-region array rather than the register value; pmsav7_read and
 * pmsav7_write index that array with RGNR, whose writes pmsav7_rgnr_write
 * range-checks.
 */
static const ARMCPRegInfo pmsav7_cp_reginfo[] = {
    { .name = "DRBAR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 0,
      .access = PL1_RW, .type = ARM_CP_NO_RAW,
      .fieldoffset = offsetof(CPUARMState, pmsav7.drbar),
      .readfn = pmsav7_read, .writefn = pmsav7_write, .resetfn = pmsav7_reset },
    { .name = "DRSR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 2,
      .access = PL1_RW, .type = ARM_CP_NO_RAW,
      .fieldoffset = offsetof(CPUARMState, pmsav7.drsr),
      .readfn = pmsav7_read, .writefn = pmsav7_write, .resetfn = pmsav7_reset },
    { .name = "DRACR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 4,
      .access = PL1_RW, .type = ARM_CP_NO_RAW,
      .fieldoffset = offsetof(CPUARMState, pmsav7.dracr),
      .readfn = pmsav7_read, .writefn = pmsav7_write, .resetfn = pmsav7_reset },
    /* Region selector; out-of-range values are rejected by the writefn. */
    { .name = "RGNR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 2, .opc2 = 0,
      .access = PL1_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.c6_rgnr),
      .writefn = pmsav7_rgnr_write },
    REGINFO_SENTINEL
};
2255
/* PMSAv5 (ARM946-style) MPU registers. */
static const ARMCPRegInfo pmsav5_cp_reginfo[] = {
    /* DATA_AP / INSN_AP are the basic-format views; they alias the same
     * state as DATA_EXT_AP / INSN_EXT_AP and convert on read and write.
     */
    { .name = "DATA_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW, .type = ARM_CP_ALIAS,
      .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_data_ap),
      .readfn = pmsav5_data_ap_read, .writefn = pmsav5_data_ap_write, },
    { .name = "INSN_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 1,
      .access = PL1_RW, .type = ARM_CP_ALIAS,
      .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_insn_ap),
      .readfn = pmsav5_insn_ap_read, .writefn = pmsav5_insn_ap_write, },
    /* Extended-format views: stored as-is, and the ones that are migrated. */
    { .name = "DATA_EXT_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 2,
      .access = PL1_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_data_ap),
      .resetvalue = 0, },
    { .name = "INSN_EXT_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 3,
      .access = PL1_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_insn_ap),
      .resetvalue = 0, },
    { .name = "DCACHE_CFG", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.c2_data), .resetvalue = 0, },
    { .name = "ICACHE_CFG", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 1,
      .access = PL1_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.c2_insn), .resetvalue = 0, },
    /* Protection region base and size registers: one entry per region,
     * crm selects the region and every opc2 encoding maps to it.
     */
    { .name = "946_PRBS0", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0,
      .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
      .fieldoffset = offsetof(CPUARMState, cp15.c6_region[0]) },
    { .name = "946_PRBS1", .cp = 15, .crn = 6, .crm = 1, .opc1 = 0,
      .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
      .fieldoffset = offsetof(CPUARMState, cp15.c6_region[1]) },
    { .name = "946_PRBS2", .cp = 15, .crn = 6, .crm = 2, .opc1 = 0,
      .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
      .fieldoffset = offsetof(CPUARMState, cp15.c6_region[2]) },
    { .name = "946_PRBS3", .cp = 15, .crn = 6, .crm = 3, .opc1 = 0,
      .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
      .fieldoffset = offsetof(CPUARMState, cp15.c6_region[3]) },
    { .name = "946_PRBS4", .cp = 15, .crn = 6, .crm = 4, .opc1 = 0,
      .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
      .fieldoffset = offsetof(CPUARMState, cp15.c6_region[4]) },
    { .name = "946_PRBS5", .cp = 15, .crn = 6, .crm = 5, .opc1 = 0,
      .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
      .fieldoffset = offsetof(CPUARMState, cp15.c6_region[5]) },
    { .name = "946_PRBS6", .cp = 15, .crn = 6, .crm = 6, .opc1 = 0,
      .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
      .fieldoffset = offsetof(CPUARMState, cp15.c6_region[6]) },
    { .name = "946_PRBS7", .cp = 15, .crn = 6, .crm = 7, .opc1 = 0,
      .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
      .fieldoffset = offsetof(CPUARMState, cp15.c6_region[7]) },
    REGINFO_SENTINEL
};
2306
/* Store a TTBCR value (also used as the raw/migration writefn).
 *
 * Pre-v8 cores get the bits that are not defined for their configuration
 * cleared first.  The short-descriptor helper masks derived from TTBCR.N
 * (bits [2:0]) are refreshed on every write; with EAE set the TCR fields
 * mean something else and those masks are simply unused.
 */
static void vmsa_ttbcr_raw_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                 uint64_t value)
{
    TCR *tcr = raw_ptr(env, ri);
    int n = extract32(value, 0, 3);
    bool is_v8 = arm_feature(env, ARM_FEATURE_V8);

    if (!is_v8) {
        if (arm_feature(env, ARM_FEATURE_LPAE) && (value & TTBCR_EAE)) {
            /* Long-descriptor format on pre-v8: bits [21:19], [15:14]
             * and [6:3] are UNK/SBZP.
             */
            value &= ~((7 << 19) | (3 << 14) | (0xf << 3));
        } else if (arm_feature(env, ARM_FEATURE_EL3)) {
            /* Security Extensions add PD0 [4] and PD1 [5] to the
             * short-descriptor TTBCR.
             */
            value &= TTBCR_PD1 | TTBCR_PD0 | TTBCR_N;
        } else {
            value &= TTBCR_N;
        }
    }

    tcr->raw_tcr = value;
    /* mask: the VA bits that select TTBR1 over TTBR0 (top N bits).
     * base_mask: the translation table base alignment for TTBR0.
     */
    tcr->mask = ~(0xffffffffu >> n);
    tcr->base_mask = ~(0x3fffu >> n);
}
2339
/* Guest-visible TTBCR write.
 *
 * On LPAE implementations a TTBCR write can change the ASID (via TTBCR.A1),
 * so the TLB is flushed before the value is stored through the raw writefn.
 */
static void vmsa_ttbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                             uint64_t value)
{
    if (arm_feature(env, ARM_FEATURE_LPAE)) {
        tlb_flush(CPU(arm_env_get_cpu(env)), 1);
    }
    vmsa_ttbcr_raw_write(env, ri, value);
}
2353
/* Reset the TCR bank addressed by this reginfo, including the derived
 * short-descriptor masks: N=0, so no VA bits select TTBR1 (mask 0) and
 * base_mask keeps bits [31:14] of the table base.
 */
static void vmsa_ttbcr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
{
    TCR *tcr = raw_ptr(env, ri);

    tcr->base_mask = 0xffffc000u;
    tcr->mask = 0;
    tcr->raw_tcr = 0;
}
2365
/* TCR_EL1 write (AArch64).
 *
 * TCR_EL1.A1 picks which TTBR supplies the ASID, so any write may change
 * the current ASID: flush unconditionally, then store the raw value.  The
 * short-descriptor helper masks are not recomputed here; they only matter
 * for the 32-bit TTBCR path.
 */
static void vmsa_tcr_el1_write(CPUARMState *env, const ARMCPRegInfo *ri,
                               uint64_t value)
{
    TCR *tcr = raw_ptr(env, ri);

    tlb_flush(CPU(arm_env_get_cpu(env)), 1);
    tcr->raw_tcr = value;
}
2376
/* TTBR0/TTBR1 write.  Only a 64-bit access can carry a new ASID, so only
 * then is the TLB flushed before the value is stored.
 */
static void vmsa_ttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                            uint64_t value)
{
    bool asid_may_change = cpreg_field_is_64bit(ri);

    if (asid_may_change) {
        tlb_flush(CPU(arm_env_get_cpu(env)), 1);
    }
    raw_write(env, ri, value);
}
2390
/* VTTBR write.  A changed value may carry a new VMID, so the stage 2 and
 * combined stage 1+2 Non-secure translations are dropped before storing.
 * Rewriting the current value cannot change the VMID and is a no-op.
 */
static void vttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                        uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));

    if (raw_read(env, ri) == value) {
        return;
    }
    tlb_flush_by_mmuidx(cs, ARMMMUIdx_S12NSE1, ARMMMUIdx_S12NSE0,
                        ARMMMUIdx_S2NS, -1);
    raw_write(env, ri, value);
}
2404
/* Fault status/address registers shared by VMSA and PMSA cores. */
static const ARMCPRegInfo vmsa_pmsa_cp_reginfo[] = {
    /* DFSR is an ALIAS: its state is migrated via another register. */
    { .name = "DFSR", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW, .type = ARM_CP_ALIAS,
      .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dfsr_s),
                             offsetoflow32(CPUARMState, cp15.dfsr_ns) }, },
    { .name = "IFSR", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 1,
      .access = PL1_RW, .resetvalue = 0,
      .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.ifsr_s),
                             offsetoflow32(CPUARMState, cp15.ifsr_ns) } },
    { .name = "DFAR", .cp = 15, .opc1 = 0, .crn = 6, .crm = 0, .opc2 = 0,
      .access = PL1_RW, .resetvalue = 0,
      .bank_fieldoffsets = { offsetof(CPUARMState, cp15.dfar_s),
                             offsetof(CPUARMState, cp15.dfar_ns) } },
    { .name = "FAR_EL1", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.far_el[1]),
      .resetvalue = 0, },
    REGINFO_SENTINEL
};
2424
/* VMSA translation-control registers.
 *
 * TTBR0/1 are defined for both AArch32 and AArch64 (STATE_BOTH) and banked
 * by security state.  TCR_EL1 and TTBCR share cp15.tcr_el[1]; the Secure
 * TTBCR bank maps onto tcr_el[3].  TTBCR is an ALIAS so that only TCR_EL1
 * is migrated, but it keeps its own raw_writefn so that a raw write still
 * recomputes the short-descriptor masks.
 */
static const ARMCPRegInfo vmsa_cp_reginfo[] = {
    { .name = "ESR_EL1", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .crn = 5, .crm = 2, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.esr_el[1]), .resetvalue = 0, },
    { .name = "TTBR0_EL1", .state = ARM_CP_STATE_BOTH,
      .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 0,
      .access = PL1_RW, .writefn = vmsa_ttbr_write, .resetvalue = 0,
      .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),
                             offsetof(CPUARMState, cp15.ttbr0_ns) } },
    { .name = "TTBR1_EL1", .state = ARM_CP_STATE_BOTH,
      .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 1,
      .access = PL1_RW, .writefn = vmsa_ttbr_write, .resetvalue = 0,
      .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),
                             offsetof(CPUARMState, cp15.ttbr1_ns) } },
    { .name = "TCR_EL1", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 2,
      .access = PL1_RW, .writefn = vmsa_tcr_el1_write,
      .resetfn = vmsa_ttbcr_reset, .raw_writefn = raw_write,
      .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[1]) },
    { .name = "TTBCR", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 2,
      .access = PL1_RW, .type = ARM_CP_ALIAS, .writefn = vmsa_ttbcr_write,
      .raw_writefn = vmsa_ttbcr_raw_write,
      .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tcr_el[3]),
                             offsetoflow32(CPUARMState, cp15.tcr_el[1])} },
    REGINFO_SENTINEL
};
2452
/* OMAP TICONFIG write: only bits 0x e7 are retained, and the OS_TYPE bit
 * (bit 5) switches the CPUID the core reports between TI915T and TI925T.
 */
static void omap_ticonfig_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                uint64_t value)
{
    bool os_type = (value & (1 << 5)) != 0;

    env->cp15.c15_ticonfig = value & 0xe7;
    env->cp15.c0_cpuid = os_type ? ARM_CPUID_TI915T : ARM_CPUID_TI925T;
}
2461
/* OMAP THREADID write: only the low 16 bits are stored. */
static void omap_threadid_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                uint64_t value)
{
    uint32_t thread_id = value & 0xffff;

    env->cp15.c15_threadid = thread_id;
}
2467
/* Deprecated OMAP wait-for-interrupt: halt the vCPU via the interrupt path.
 * The written value is ignored.
 */
static void omap_wfi_write(CPUARMState *env, const ARMCPRegInfo *ri,
                           uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));

    cpu_interrupt(cs, CPU_INTERRUPT_HALT);
}
2474
/* OMAP cache maintenance: QEMU has no cache, so the only effect is to
 * reset the dirty-line index bounds (c15 IMAX/IMIN) to their reset values,
 * i.e. "no dirty lines".
 */
static void omap_cachemaint_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                  uint64_t value)
{
    env->cp15.c15_i_min = 0xff0;
    env->cp15.c15_i_max = 0x000;
}
2484
/* OMAP (TI925T) implementation-defined cp15 registers. */
static const ARMCPRegInfo omap_cp_reginfo[] = {
    /* OVERRIDE: replaces the generic DFSR for every c5 encoding and stores
     * into the low half of esr_el[1].
     */
    { .name = "DFSR", .cp = 15, .crn = 5, .crm = CP_ANY,
      .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_OVERRIDE,
      .fieldoffset = offsetoflow32(CPUARMState, cp15.esr_el[1]),
      .resetvalue = 0, },
    { .name = "", .cp = 15, .crn = 15, .crm = 0, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW, .type = ARM_CP_NOP },
    /* The writefn also switches the reported CPUID (OS_TYPE bit). */
    { .name = "TICONFIG", .cp = 15, .crn = 15, .crm = 1, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.c15_ticonfig), .resetvalue = 0,
      .writefn = omap_ticonfig_write },
    /* Dirty-line index bounds; omap_cachemaint_write resets them. */
    { .name = "IMAX", .cp = 15, .crn = 15, .crm = 2, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.c15_i_max), .resetvalue = 0, },
    { .name = "IMIN", .cp = 15, .crn = 15, .crm = 3, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW, .resetvalue = 0xff0,
      .fieldoffset = offsetof(CPUARMState, cp15.c15_i_min) },
    { .name = "THREADID", .cp = 15, .crn = 15, .crm = 4, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.c15_threadid), .resetvalue = 0,
      .writefn = omap_threadid_write },
    /* Reads as zero; a write is the deprecated WFI. */
    { .name = "TI925T_STATUS", .cp = 15, .crn = 15,
      .crm = 8, .opc1 = 0, .opc2 = 0, .access = PL1_RW,
      .type = ARM_CP_NO_RAW,
      .readfn = arm_cp_read_zero, .writefn = omap_wfi_write, },
    /* TODO: Peripheral port remap register:
     * On OMAP2 mcr p15, 0, rn, c15, c2, 4 sets up the interrupt controller
     * base address at $rn & ~0xfff and map size of 0x200 << ($rn & 0xfff),
     * when MMU is off.
     */
    /* Every c7 cache operation is routed to omap_cachemaint_write. */
    { .name = "OMAP_CACHEMAINT", .cp = 15, .crn = 7, .crm = CP_ANY,
      .opc1 = 0, .opc2 = CP_ANY, .access = PL1_W,
      .type = ARM_CP_OVERRIDE | ARM_CP_NO_RAW,
      .writefn = omap_cachemaint_write },
    /* The whole c9 space reads as zero and ignores writes. */
    { .name = "C9", .cp = 15, .crn = 9,
      .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW,
      .type = ARM_CP_CONST | ARM_CP_OVERRIDE, .resetvalue = 0 },
    REGINFO_SENTINEL
};
2524
/* XScale CPAR (coprocessor access) write: only bits [13:0] are writable. */
static void xscale_cpar_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
{
    uint32_t cpar = value & 0x3fff;

    env->cp15.c15_cpar = cpar;
}
2530
/* XScale implementation-defined cp15 registers. */
static const ARMCPRegInfo xscale_cp_reginfo[] = {
    /* Coprocessor access register; the writefn keeps bits [13:0] only. */
    { .name = "XSCALE_CPAR",
      .cp = 15, .crn = 15, .crm = 1, .opc1 = 0, .opc2 = 0, .access = PL1_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.c15_cpar), .resetvalue = 0,
      .writefn = xscale_cpar_write, },
    { .name = "XSCALE_AUXCR",
      .cp = 15, .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 1, .access = PL1_RW,
      .fieldoffset = offsetof(CPUARMState, cp15.c1_xscaleauxcr),
      .resetvalue = 0, },
    /* XScale specific cache-lockdown: since we have no cache we NOP these
     * and hope the guest does not really rely on cache behaviour.
     */
    { .name = "XSCALE_LOCK_ICACHE_LINE",
      .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
      .access = PL1_W, .type = ARM_CP_NOP },
    { .name = "XSCALE_UNLOCK_ICACHE",
      .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
      .access = PL1_W, .type = ARM_CP_NOP },
    { .name = "XSCALE_DCACHE_LOCK",
      .cp = 15, .opc1 = 0, .crn = 9, .crm = 2, .opc2 = 0,
      .access = PL1_RW, .type = ARM_CP_NOP },
    { .name = "XSCALE_UNLOCK_DCACHE",
      .cp = 15, .opc1 = 0, .crn = 9, .crm = 2, .opc2 = 1,
      .access = PL1_W, .type = ARM_CP_NOP },
    REGINFO_SENTINEL
};
2557
static const ARMCPRegInfo dummy_c15_cp_reginfo[] = {
    /* RAZ/WI the whole crn=15 space, when we don't have a more specific
     * implementation of this implementation-defined space.
     * Ideally this should eventually disappear in favour of actually
     * implementing the correct behaviour for all cores.
     * CONST with resetvalue 0 gives RAZ/WI; OVERRIDE lets a core-specific
     * table replace individual encodings; NO_RAW keeps it out of migration.
     */
    { .name = "C15_IMPDEF", .cp = 15, .crn = 15,
      .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY,
      .access = PL1_RW,
      .type = ARM_CP_CONST | ARM_CP_NO_RAW | ARM_CP_OVERRIDE,
      .resetvalue = 0 },
    REGINFO_SENTINEL
};
2571
static const ARMCPRegInfo cache_dirty_status_cp_reginfo[] = {
    /* Cache status: RAZ because we have no cache so it's always clean.
     * Read-only at PL1; NO_RAW since there is no state to migrate.
     */
    { .name = "CDSR", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 6,
      .access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
      .resetvalue = 0 },
    REGINFO_SENTINEL
};
2579
static const ARMCPRegInfo cache_block_ops_cp_reginfo[] = {
    /* We never have a block transfer operation in progress, so the
     * status register reads as zero (accessible from PL0).
     */
    { .name = "BXSR", .cp = 15, .crn = 7, .crm = 12, .opc1 = 0, .opc2 = 4,
      .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
      .resetvalue = 0 },
    /* The cache ops themselves: these all NOP for QEMU.  They are 64-bit
     * (MCRR) encodings, so only crm/opc1 are decoded; CDCR, PIR and PDR
     * are permitted from PL0, the others need PL1.
     */
    { .name = "IICR", .cp = 15, .crm = 5, .opc1 = 0,
      .access = PL1_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
    { .name = "IDCR", .cp = 15, .crm = 6, .opc1 = 0,
      .access = PL1_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
    { .name = "CDCR", .cp = 15, .crm = 12, .opc1 = 0,
      .access = PL0_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
    { .name = "PIR", .cp = 15, .crm = 12, .opc1 = 1,
      .access = PL0_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
    { .name = "PDR", .cp = 15, .crm = 12, .opc1 = 2,
      .access = PL0_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
    { .name = "CIDCR", .cp = 15, .crm = 14, .opc1 = 0,
      .access = PL1_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
    REGINFO_SENTINEL
};
2600
static const ARMCPRegInfo cache_test_clean_cp_reginfo[] = {
    /* The cache test-and-clean instructions always return (1 << 30)
     * to indicate that there are no dirty cache lines.
     * Both are CONST/NO_RAW reads available from PL0.
     */
    { .name = "TC_DCACHE", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 3,
      .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
      .resetvalue = (1 << 30) },
    { .name = "TCI_DCACHE", .cp = 15, .crn = 7, .crm = 14, .opc1 = 0, .opc2 = 3,
      .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
      .resetvalue = (1 << 30) },
    REGINFO_SENTINEL
};
2613
static const ARMCPRegInfo strongarm_cp_reginfo[] = {
    /* Ignore ReadBuffer accesses: the whole c9 space is RAZ/WI.
     * OVERRIDE so it wins over any generic c9 definition.
     */
    { .name = "C9_READBUFFER", .cp = 15, .crn = 9,
      .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY,
      .access = PL1_RW, .resetvalue = 0,
      .type = ARM_CP_CONST | ARM_CP_OVERRIDE | ARM_CP_NO_RAW },
    REGINFO_SENTINEL
};
2622
/* MIDR read.  With EL2 implemented, Non-secure EL1 is shown the
 * hypervisor-controlled VPIDR_EL2 instead of the real MIDR; everyone else
 * reads the stored value.  (Mirrors mpidr_read / VMPIDR_EL2.)
 */
static uint64_t midr_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    bool virtualised = arm_feature(env, ARM_FEATURE_EL2) &&
                       !arm_is_secure(env) &&
                       arm_current_el(env) == 1;

    return virtualised ? env->cp15.vpidr_el2 : raw_read(env, ri);
}
2634
/* Build the architectural MPIDR value from the CPU's affinity fields.
 *
 * Cores with the MP extensions set bit 31; a uniprocessor part that still
 * implements them (e.g. Cortex-R5, mp_is_up) additionally sets bit 30.
 */
static uint64_t mpidr_read_val(CPUARMState *env)
{
    ARMCPU *cpu = ARM_CPU(arm_env_get_cpu(env));
    uint64_t mpidr = cpu->mp_affinity;

    if (!arm_feature(env, ARM_FEATURE_V7MP)) {
        return mpidr;
    }
    mpidr |= 1U << 31;
    if (cpu->mp_is_up) {
        mpidr |= 1U << 30;
    }
    return mpidr;
}
2652
/* MPIDR read.  With EL2 implemented, Non-secure EL1 sees VMPIDR_EL2
 * (the value the hypervisor chose); all other contexts get the real
 * affinity value from mpidr_read_val.
 */
static uint64_t mpidr_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    bool virtualised = arm_feature(env, ARM_FEATURE_EL2) &&
                       !arm_is_secure(env) &&
                       arm_current_el(env) == 1;

    return virtualised ? env->cp15.vmpidr_el2 : mpidr_read_val(env);
}
2663
/* MPIDR / MPIDR_EL1: read-only, computed by mpidr_read (so NO_RAW). */
static const ARMCPRegInfo mpidr_cp_reginfo[] = {
    { .name = "MPIDR", .state = ARM_CP_STATE_BOTH,
      .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 5,
      .access = PL1_R, .readfn = mpidr_read, .type = ARM_CP_NO_RAW },
    REGINFO_SENTINEL
};
2670
/* Registers added by the Large Physical Address Extension. */
static const ARMCPRegInfo lpae_cp_reginfo[] = {
    /* NOP AMAIR0/1 */
    { .name = "AMAIR0", .state = ARM_CP_STATE_BOTH,
      .opc0 = 3, .crn = 10, .crm = 3, .opc1 = 0, .opc2 = 0,
      .access = PL1_RW, .type = ARM_CP_CONST,
      .resetvalue = 0 },
    /* AMAIR1 is mapped to AMAIR_EL1[63:32] */
    { .name = "AMAIR1", .cp = 15, .crn = 10, .crm = 3, .opc1 = 0, .opc2 = 1,
      .access = PL1_RW, .type = ARM_CP_CONST,
      .resetvalue = 0 },
    /* 64-bit (MCRR) view of the banked PAR; this is the entry that owns
     * the state, the 32-bit PAR in vapa_cp_reginfo covers its low half.
     */
    { .name = "PAR", .cp = 15, .crm = 7, .opc1 = 0,
      .access = PL1_RW, .type = ARM_CP_64BIT, .resetvalue = 0,
      .bank_fieldoffsets = { offsetof(CPUARMState, cp15.par_s),
                             offsetof(CPUARMState, cp15.par_ns)} },
    /* 64-bit TTBR0/1 aliases of TTBR0_EL1/TTBR1_EL1; vmsa_ttbr_write
     * flushes the TLB for these since they can change the ASID.
     */
    { .name = "TTBR0", .cp = 15, .crm = 2, .opc1 = 0,
      .access = PL1_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS,
      .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),
                             offsetof(CPUARMState, cp15.ttbr0_ns) },
      .writefn = vmsa_ttbr_write, },
    { .name = "TTBR1", .cp = 15, .crm = 2, .opc1 = 1,
      .access = PL1_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS,
      .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),
                             offsetof(CPUARMState, cp15.ttbr1_ns) },
      .writefn = vmsa_ttbr_write, },
    REGINFO_SENTINEL
};
2697
/* FPCR read: the control half of the FP status, assembled by vfp_get_fpcr. */
static uint64_t aa64_fpcr_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    uint64_t fpcr = vfp_get_fpcr(env);

    return fpcr;
}
2702
/* FPCR write: hand the new control bits to vfp_set_fpcr. */
static void aa64_fpcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                            uint64_t value)
{
    uint64_t fpcr = value;

    vfp_set_fpcr(env, fpcr);
}
2708
/* AArch64 FPSR read: the value is assembled by vfp_get_fpsr() from the
 * VFP state; 'ri' is unused.
 */
static uint64_t aa64_fpsr_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    uint64_t fpsr = vfp_get_fpsr(env);

    return fpsr;
}
2713
/* AArch64 FPSR write: hand the new value to vfp_set_fpsr(); 'ri' is
 * unused.
 */
static void aa64_fpsr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                            uint64_t value)
{
    uint64_t new_fpsr = value;

    vfp_set_fpsr(env, new_fpsr);
}
2719
/* Access check for the DAIF system register.
 * EL0 may only touch DAIF when SCTLR_EL1.UMA is set; every other
 * exception level is allowed through. Returns CP_ACCESS_TRAP for the
 * EL0-without-UMA case and CP_ACCESS_OK otherwise.
 */
static CPAccessResult aa64_daif_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                       bool isread)
{
    bool at_el0 = arm_current_el(env) == 0;
    bool uma_set = (env->cp15.sctlr_el[1] & SCTLR_UMA) != 0;

    return (at_el0 && !uma_set) ? CP_ACCESS_TRAP : CP_ACCESS_OK;
}
2728
/* DAIF write: only the D, A, I and F bits (PSTATE_DAIF) are writable;
 * anything else in 'value' is dropped.
 */
static void aa64_daif_write(CPUARMState *env, const ARMCPRegInfo *ri,
                            uint64_t value)
{
    uint64_t daif_bits = value & PSTATE_DAIF;

    env->daif = daif_bits;
}
2734
/* Access check for the EL0-reachable cache maintenance operations.
 * The operations themselves are NOPs (no cache model), but the
 * architecture still requires EL0 to UNDEF unless SCTLR_EL1.UCI is set,
 * so that check is preserved here.
 */
static CPAccessResult aa64_cacheop_access(CPUARMState *env,
                                          const ARMCPRegInfo *ri,
                                          bool isread)
{
    bool at_el0 = arm_current_el(env) == 0;
    bool uci_set = (env->cp15.sctlr_el[1] & SCTLR_UCI) != 0;

    return (at_el0 && !uci_set) ? CP_ACCESS_TRAP : CP_ACCESS_OK;
}
2747
2748 /* See: D4.7.2 TLB maintenance requirements and the TLB maintenance instructions
2749 * Page D4-1736 (DDI0487A.b)
2750 */
2751
/* TLBI VMALLE1: drop every stage 1 EL1&0 translation on this CPU only.
 * The Secure and Non-secure worlds use disjoint MMU indexes, so only the
 * pair belonging to the current security state is flushed.
 */
static void tlbi_aa64_vmalle1_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                    uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));

    if (!arm_is_secure_below_el3(env)) {
        tlb_flush_by_mmuidx(cs, ARMMMUIdx_S12NSE1, ARMMMUIdx_S12NSE0, -1);
        return;
    }
    tlb_flush_by_mmuidx(cs, ARMMMUIdx_S1SE1, ARMMMUIdx_S1SE0, -1);
}
2764
/* TLBI VMALLE1IS: the inner-shareable form of VMALLE1 — the same stage 1
 * EL1&0 flush, applied to every CPU in the system rather than just the
 * one executing the instruction. The security state is sampled once,
 * from the issuing CPU, before the loop.
 */
static void tlbi_aa64_vmalle1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                      uint64_t value)
{
    bool sec = arm_is_secure_below_el3(env);
    CPUState *other_cs;

    if (sec) {
        CPU_FOREACH(other_cs) {
            tlb_flush_by_mmuidx(other_cs, ARMMMUIdx_S1SE1, ARMMMUIdx_S1SE0, -1);
        }
        return;
    }

    CPU_FOREACH(other_cs) {
        tlb_flush_by_mmuidx(other_cs, ARMMMUIdx_S12NSE1, ARMMMUIdx_S12NSE0, -1);
    }
}
2780
/* TLBI ALLE1: flush all EL1&0 translations on this CPU.
 * Unlike the VMALLE1 scope, 'ALL' must also discard stage 2 translations
 * (ARMMMUIdx_S2NS), which only exist when EL2 is implemented and we are
 * in the Non-secure world.
 */
static void tlbi_aa64_alle1_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                  uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));
    bool sec = arm_is_secure_below_el3(env);
    bool has_el2 = arm_feature(env, ARM_FEATURE_EL2);

    if (sec) {
        tlb_flush_by_mmuidx(cs, ARMMMUIdx_S1SE1, ARMMMUIdx_S1SE0, -1);
    } else if (has_el2) {
        tlb_flush_by_mmuidx(cs, ARMMMUIdx_S12NSE1, ARMMMUIdx_S12NSE0,
                            ARMMMUIdx_S2NS, -1);
    } else {
        tlb_flush_by_mmuidx(cs, ARMMMUIdx_S12NSE1, ARMMMUIdx_S12NSE0, -1);
    }
}
2802
/* TLBI ALLE2: flush every stage 1 EL2 translation on this CPU. */
static void tlbi_aa64_alle2_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                  uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));

    tlb_flush_by_mmuidx(cs, ARMMMUIdx_S1E2, -1);
}
2811
/* TLBI ALLE3: flush every stage 1 EL3 translation on this CPU. */
static void tlbi_aa64_alle3_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                  uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));

    tlb_flush_by_mmuidx(cs, ARMMMUIdx_S1E3, -1);
}
2820
/* TLBI ALLE1IS: inner-shareable ALLE1 — every CPU loses its EL1&0
 * translations, and, when EL2 is implemented and we are Non-secure, its
 * stage 2 translations as well. Security state and the EL2 feature are
 * sampled once from the issuing CPU and applied uniformly.
 */
static void tlbi_aa64_alle1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                    uint64_t value)
{
    bool sec = arm_is_secure_below_el3(env);
    bool has_el2 = arm_feature(env, ARM_FEATURE_EL2);
    CPUState *other_cs;

    CPU_FOREACH(other_cs) {
        if (sec) {
            tlb_flush_by_mmuidx(other_cs, ARMMMUIdx_S1SE1, ARMMMUIdx_S1SE0, -1);
            continue;
        }
        if (has_el2) {
            tlb_flush_by_mmuidx(other_cs, ARMMMUIdx_S12NSE1,
                                ARMMMUIdx_S12NSE0, ARMMMUIdx_S2NS, -1);
        } else {
            tlb_flush_by_mmuidx(other_cs, ARMMMUIdx_S12NSE1,
                                ARMMMUIdx_S12NSE0, -1);
        }
    }
}
2844
/* TLBI ALLE2IS: flush stage 1 EL2 translations on every CPU. */
static void tlbi_aa64_alle2is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                    uint64_t value)
{
    CPUState *cs;

    CPU_FOREACH(cs) {
        tlb_flush_by_mmuidx(cs, ARMMMUIdx_S1E2, -1);
    }
}
2854
/* TLBI ALLE3IS: flush stage 1 EL3 translations on every CPU. */
static void tlbi_aa64_alle3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                    uint64_t value)
{
    CPUState *cs;

    CPU_FOREACH(cs) {
        tlb_flush_by_mmuidx(cs, ARMMMUIdx_S1E3, -1);
    }
}
2864
/* TLBI by VA, EL1&0 (AArch64), this CPU only.
 * One handler serves VAE1, VAAE1, VAALE1 and VALE1: there is no
 * ASID-specific or last-level-only flushing, so they all collapse to
 * "flush this page in the EL1&0 indexes of the current security state".
 * The VA is recovered from bits [43:0] of the operand (shifted up by the
 * 12-bit page offset) and sign-extended from bit 55.
 */
static void tlbi_aa64_vae1_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                 uint64_t value)
{
    CPUState *cs = CPU(arm_env_get_cpu(env));
    uint64_t pageaddr = sextract64(value << 12, 0, 56);
    bool sec = arm_is_secure_below_el3(env);

    if (sec) {
        tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdx_S1SE1,
                                 ARMMMUIdx_S1SE0, -1);
        return;
    }
    tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdx_S12NSE1,
                             ARMMMUIdx_S12NSE0, -1);
}
2885
/* TLBI by VA, EL2, this CPU only.
 * Covers both VAE2 and VALE2, since last-level-only flushing is not
 * distinguished. Operand decoding matches tlbi_aa64_vae1_write.
 */
static void tlbi_aa64_vae2_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                 uint64_t value)
{
    uint64_t pageaddr = sextract64(value << 12, 0, 56);

    tlb_flush_page_by_mmuidx(CPU(arm_env_get_cpu(env)), pageaddr,
                             ARMMMUIdx_S1E2, -1);
}
2899
/* TLBI by VA, EL3, this CPU only.
 * Covers both VAE3 and VALE3, since last-level-only flushing is not
 * distinguished. Operand decoding matches tlbi_aa64_vae1_write.
 */
static void tlbi_aa64_vae3_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                 uint64_t value)
{
    uint64_t pageaddr = sextract64(value << 12, 0, 56);

    tlb_flush_page_by_mmuidx(CPU(arm_env_get_cpu(env)), pageaddr,
                             ARMMMUIdx_S1E3, -1);
}
2913
/* TLBI by VA, EL1&0, inner shareable: flush one page from the EL1&0
 * indexes of the current security state on every CPU. Security state is
 * sampled once from the issuing CPU.
 */
static void tlbi_aa64_vae1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                   uint64_t value)
{
    bool sec = arm_is_secure_below_el3(env);
    uint64_t pageaddr = sextract64(value << 12, 0, 56);
    CPUState *cs;

    if (sec) {
        CPU_FOREACH(cs) {
            tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdx_S1SE1,
                                     ARMMMUIdx_S1SE0, -1);
        }
        return;
    }

    CPU_FOREACH(cs) {
        tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdx_S12NSE1,
                                 ARMMMUIdx_S12NSE0, -1);
    }
}
2931
/* TLBI by VA, EL2, inner shareable: flush one page from the EL2 index
 * on every CPU.
 */
static void tlbi_aa64_vae2is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                   uint64_t value)
{
    uint64_t pageaddr = sextract64(value << 12, 0, 56);
    CPUState *cs;

    CPU_FOREACH(cs) {
        tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdx_S1E2, -1);
    }
}
2942
/* TLBI by VA, EL3, inner shareable: flush one page from the EL3 index
 * on every CPU.
 */
static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                   uint64_t value)
{
    uint64_t pageaddr = sextract64(value << 12, 0, 56);
    CPUState *cs;

    CPU_FOREACH(cs) {
        tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdx_S1E3, -1);
    }
}
2953
/* TLBI IPAS2E1: invalidate by intermediate physical address, this CPU.
 * Only structures holding stage-2-only information (ARMMMUIdx_S2NS) need
 * to be touched; combined stage 1+2 entries are left alone.
 * The instruction is a NOP when EL2 is not implemented or SCR_EL3.NS is
 * clear, since there is then no stage 2 translation in effect.
 * The IPA is taken from a 48-bit field (narrower than the 56-bit VA used
 * by the VAE* handlers), again pre-shifted by the 12-bit page offset.
 */
static void tlbi_aa64_ipas2e1_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                    uint64_t value)
{
    bool has_el2 = arm_feature(env, ARM_FEATURE_EL2);
    bool ns = (env->cp15.scr_el3 & SCR_NS) != 0;
    uint64_t ipa;

    if (!has_el2 || !ns) {
        return;
    }

    ipa = sextract64(value << 12, 0, 48);
    tlb_flush_page_by_mmuidx(CPU(arm_env_get_cpu(env)), ipa,
                             ARMMMUIdx_S2NS, -1);
}
2975
/* TLBI IPAS2E1IS: inner-shareable form of IPAS2E1 — the same stage-2-only
 * page flush on every CPU, and the same NOP condition (no EL2, or
 * SCR_EL3.NS clear) evaluated on the issuing CPU.
 */
static void tlbi_aa64_ipas2e1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                      uint64_t value)
{
    bool has_el2 = arm_feature(env, ARM_FEATURE_EL2);
    bool ns = (env->cp15.scr_el3 & SCR_NS) != 0;
    uint64_t ipa;
    CPUState *cs;

    if (!has_el2 || !ns) {
        return;
    }

    ipa = sextract64(value << 12, 0, 48);
    CPU_FOREACH(cs) {
        tlb_flush_page_by_mmuidx(cs, ipa, ARMMMUIdx_S2NS, -1);
    }
}
2992
/* Access check for DC ZVA.
 * The only control applied is SCTLR_EL1.DZE, which can prohibit EL0 use of
 * the instruction; higher exception levels are always allowed.
 * NOTE(review): EL2 is modelled elsewhere in this file (ARM_FEATURE_EL2,
 * cptr_el[2]), but no EL2 trap control for DC ZVA is consulted here —
 * confirm whether that is intentional for the EL2-enabled configuration.
 */
static CPAccessResult aa64_zva_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                      bool isread)
{
    bool at_el0 = arm_current_el(env) == 0;
    bool dze_set = (env->cp15.sctlr_el[1] & SCTLR_DZE) != 0;

    return (at_el0 && !dze_set) ? CP_ACCESS_TRAP : CP_ACCESS_OK;
}
3004
/* DCZID_EL0 read: the CPU's DC ZVA block size with bit 4 (DZP) set when
 * DC ZVA is prohibited for the reader. The prohibition is derived from
 * aa64_zva_access(), so the two stay consistent by construction.
 */
static uint64_t aa64_dczid_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    ARMCPU *cpu = arm_env_get_cpu(env);
    bool zva_prohibited = aa64_zva_access(env, NULL, false) != CP_ACCESS_OK;
    int dzp_bit = zva_prohibited ? (1 << 4) : 0;

    return cpu->dcz_blocksize | dzp_bit;
}
3016
/* Access check for SP_EL0.
 * While PSTATE.SP is clear, SP_EL0 is the live stack pointer and the
 * register view of it is undefined, so the access is reported as an
 * uncategorized trap. With PSTATE.SP set the access is permitted.
 */
static CPAccessResult sp_el0_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                    bool isread)
{
    bool using_sp_elx = (env->pstate & PSTATE_SP) != 0;

    return using_sp_elx ? CP_ACCESS_OK : CP_ACCESS_TRAP_UNCATEGORIZED;
}
3028
/* SPSel read: exposes just the PSTATE.SP bit. */
static uint64_t spsel_read(CPUARMState *env, const ARMCPRegInfo *ri)
{
    uint64_t sp_bit = env->pstate & PSTATE_SP;

    return sp_bit;
}
3033
/* SPSel write: delegated to update_spsel(), which owns the switch of
 * the active stack pointer.
 */
static void spsel_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t val)
{
    uint64_t new_spsel = val;

    update_spsel(env, new_spsel);
}
3038
/* SCTLR write.
 * A write that leaves the register unchanged is a no-op: Linux issues
 * many redundant SCTLR writes and each would otherwise cost a full TLB
 * flush. A real change is stored via raw_write() and followed by a TLB
 * flush, because SCTLR can enable or disable the MMU.
 * ??? Lots of these bits are not implemented.
 */
static void sctlr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                        uint64_t value)
{
    ARMCPU *cpu = arm_env_get_cpu(env);
    uint64_t current = raw_read(env, ri);

    if (current == value) {
        return;
    }

    raw_write(env, ri, value);
    tlb_flush(CPU(cpu), 1);
}
3056
/* Access check for FPEXC32_EL2.
 * CPTR_EL2.TFP traps the access when executing at EL2; CPTR_EL3.TFP
 * traps it from any level. EL3's trap is checked after EL2's, so an EL2
 * trap takes precedence when both are set.
 * NOTE(review): only EL2's own accesses are checked against CPTR_EL2.TFP
 * here; lower-EL accesses are not — confirm that is the intended scope.
 */
static CPAccessResult fpexc32_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                     bool isread)
{
    bool el2_tfp = (env->cp15.cptr_el[2] & CPTR_TFP) != 0;
    bool el3_tfp = (env->cp15.cptr_el[3] & CPTR_TFP) != 0;

    if (el2_tfp && arm_current_el(env) == 2) {
        return CP_ACCESS_TRAP_FP_EL2;
    }
    if (el3_tfp) {
        return CP_ACCESS_TRAP_FP_EL3;
    }
    return CP_ACCESS_OK;
}
3068
/* SDCR write: the value is stored in the mdcr_el3 state field, restricted
 * to the bits in SDCR_VALID_MASK; everything else is discarded.
 */
static void sdcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                       uint64_t value)
{
    uint64_t masked = value & SDCR_VALID_MASK;

    env->cp15.mdcr_el3 = masked;
}
3074
3075 static const ARMCPRegInfo v8_cp_reginfo[] = {
3076 /* Minimal set of EL0-visible registers. This will need to be expanded
3077 * significantly for system emulation of AArch64 CPUs.
3078 */
3079 { .name = "NZCV", .state = ARM_CP_STATE_AA64,
3080 .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 2,
3081 .access = PL0_RW, .type = ARM_CP_NZCV },
3082 { .name = "DAIF", .state = ARM_CP_STATE_AA64,
3083 .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 2,
3084 .type = ARM_CP_NO_RAW,
3085 .access = PL0_RW, .accessfn = aa64_daif_access,
3086 .fieldoffset = offsetof(CPUARMState, daif),
3087 .writefn = aa64_daif_write, .resetfn = arm_cp_reset_ignore },
3088 { .name = "FPCR", .state = ARM_CP_STATE_AA64,
3089 .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 4,
3090 .access = PL0_RW, .readfn = aa64_fpcr_read, .writefn = aa64_fpcr_write },
3091 { .name = "FPSR", .state = ARM_CP_STATE_AA64,
3092 .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 4,
3093 .access = PL0_RW, .readfn = aa64_fpsr_read, .writefn = aa64_fpsr_write },
3094 { .name = "DCZID_EL0", .state = ARM_CP_STATE_AA64,
3095 .opc0 = 3, .opc1 = 3, .opc2 = 7, .crn = 0, .crm = 0,
3096 .access = PL0_R, .type = ARM_CP_NO_RAW,
3097 .readfn = aa64_dczid_read },
3098 { .name = "DC_ZVA", .state = ARM_CP_STATE_AA64,
3099 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 4, .opc2 = 1,
3100 .access = PL0_W, .type = ARM_CP_DC_ZVA,
3101 #ifndef CONFIG_USER_ONLY
3102 /* Avoid overhead of an access check that always passes in user-mode */
3103 .accessfn = aa64_zva_access,
3104 #endif
3105 },
3106 { .name = "CURRENTEL", .state = ARM_CP_STATE_AA64,
3107 .opc0 = 3, .opc1 = 0, .opc2 = 2, .crn = 4, .crm = 2,
3108 .access = PL1_R, .type = ARM_CP_CURRENTEL },
3109 /* Cache ops: all NOPs since we don't emulate caches */
3110 { .name = "IC_IALLUIS", .state = ARM_CP_STATE_AA64,
3111 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0,
3112 .access = PL1_W, .type = ARM_CP_NOP },
3113 { .name = "IC_IALLU", .state = ARM_CP_STATE_AA64,
3114 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 0,
3115 .access = PL1_W, .type = ARM_CP_NOP },
3116 { .name = "IC_IVAU", .state = ARM_CP_STATE_AA64,
3117 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 5, .opc2 = 1,
3118 .access = PL0_W, .type = ARM_CP_NOP,
3119 .accessfn = aa64_cacheop_access },
3120 { .name = "DC_IVAC", .state = ARM_CP_STATE_AA64,
3121 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1,
3122 .access = PL1_W, .type = ARM_CP_NOP },
3123 { .name = "DC_ISW", .state = ARM_CP_STATE_AA64,
3124 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 2,
3125 .access = PL1_W, .type = ARM_CP_NOP },
3126 { .name = "DC_CVAC", .state = ARM_CP_STATE_AA64,
3127 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 10, .opc2 = 1,
3128 .access = PL0_W, .type = ARM_CP_NOP,
3129 .accessfn = aa64_cacheop_access },
3130 { .name = "DC_CSW", .state = ARM_CP_STATE_AA64,
3131 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2,
3132 .access = PL1_W, .type = ARM_CP_NOP },
3133 { .name = "DC_CVAU", .state = ARM_CP_STATE_AA64,
3134 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 11, .opc2 = 1,
3135 .access = PL0_W, .type = ARM_CP_NOP,
3136 .accessfn = aa64_cacheop_access },
3137 { .name = "DC_CIVAC", .state = ARM_CP_STATE_AA64,
3138 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 14, .opc2 = 1,
3139 .access = PL0_W, .type = ARM_CP_NOP,
3140 .accessfn = aa64_cacheop_access },
3141 { .name = "DC_CISW", .state = ARM_CP_STATE_AA64,
3142 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2,
3143 .access = PL1_W, .type = ARM_CP_NOP },
3144 /* TLBI operations */
3145 { .name = "TLBI_VMALLE1IS", .state = ARM_CP_STATE_AA64,
3146 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 0,
3147 .access = PL1_W, .type = ARM_CP_NO_RAW,
3148 .writefn = tlbi_aa64_vmalle1is_write },
3149 { .name = "TLBI_VAE1IS", .state = ARM_CP_STATE_AA64,
3150 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 1,
3151 .access = PL1_W, .type = ARM_CP_NO_RAW,
3152 .writefn = tlbi_aa64_vae1is_write },
3153 { .name