{"id":817576,"url":"http://patchwork.ozlabs.org/api/patches/817576/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/1506092407-26985-13-git-send-email-peter.maydell@linaro.org/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<1506092407-26985-13-git-send-email-peter.maydell@linaro.org>","list_archive_url":null,"date":"2017-09-22T14:59:59","name":"[12/20] target/arm: Add v8M support to exception entry code","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"6b182cee0e12a6bd7ae6a951250507b2204074e9","submitter":{"id":5111,"url":"http://patchwork.ozlabs.org/api/people/5111/?format=json","name":"Peter Maydell","email":"peter.maydell@linaro.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/1506092407-26985-13-git-send-email-peter.maydell@linaro.org/mbox/","series":[{"id":4650,"url":"http://patchwork.ozlabs.org/api/series/4650/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=4650","date":"2017-09-22T14:59:47","name":"ARM v8M: exception entry, exit and security","version":1,"mbox":"http://patchwork.ozlabs.org/series/4650/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/817576/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/817576/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; 
helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)","Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xzH802zjdz9sNw\n\tfor <incoming@patchwork.ozlabs.org>;\n\tSat, 23 Sep 2017 01:14:24 +1000 (AEST)","from localhost ([::1]:59400 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dvPeo-0003hr-Cu\n\tfor incoming@patchwork.ozlabs.org; Fri, 22 Sep 2017 11:14:22 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:47213)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <pm215@archaic.org.uk>) id 1dvPQf-00085I-Jd\n\tfor qemu-devel@nongnu.org; Fri, 22 Sep 2017 10:59:50 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <pm215@archaic.org.uk>) id 1dvPQd-0004Eu-PV\n\tfor qemu-devel@nongnu.org; Fri, 22 Sep 2017 10:59:45 -0400","from orth.archaic.org.uk ([2001:8b0:1d0::2]:37568)\n\tby eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <pm215@archaic.org.uk>)\n\tid 1dvPQZ-00046S-59; Fri, 22 Sep 2017 10:59:39 -0400","from pm215 by orth.archaic.org.uk with local (Exim 4.89)\n\t(envelope-from <pm215@archaic.org.uk>)\n\tid 1dvPQY-0007Cx-1Y; Fri, 22 Sep 2017 15:59:38 +0100"],"From":"Peter Maydell <peter.maydell@linaro.org>","To":"qemu-arm@nongnu.org,\n\tqemu-devel@nongnu.org","Date":"Fri, 22 Sep 2017 15:59:59 +0100","Message-Id":"<1506092407-26985-13-git-send-email-peter.maydell@linaro.org>","X-Mailer":"git-send-email 2.7.4","In-Reply-To":"<1506092407-26985-1-git-send-email-peter.maydell@linaro.org>","References":"<1506092407-26985-1-git-send-email-peter.maydell@linaro.org>","X-detected-operating-system":"by eggs.gnu.org: Genre and OS details 
not\n\trecognized.","X-Received-From":"2001:8b0:1d0::2","Subject":"[Qemu-devel] [PATCH 12/20] target/arm: Add v8M support to exception\n\tentry code","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"<qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<http://lists.nongnu.org/archive/html/qemu-devel/>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Cc":"patches@linaro.org","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>"},"content":"Add support for v8M and in particular the security extension\nto the exception entry code. 
This requires changes to:\n * calculation of the exception-return magic LR value\n * push the callee-saves registers in certain cases\n * clear registers when taking non-secure exceptions to avoid\n   leaking information from the interrupted secure code\n * switch to the correct security state on entry\n * use the vector table for the security state we're targeting\n\nSigned-off-by: Peter Maydell <peter.maydell@linaro.org>\n---\n target/arm/helper.c | 165 +++++++++++++++++++++++++++++++++++++++++++++-------\n 1 file changed, 145 insertions(+), 20 deletions(-)","diff":"diff --git a/target/arm/helper.c b/target/arm/helper.c\nindex 25f5675..7511566 100644\n--- a/target/arm/helper.c\n+++ b/target/arm/helper.c\n@@ -6200,12 +6200,12 @@ static uint32_t *get_v7m_sp_ptr(CPUARMState *env, bool secure, bool threadmode,\n     }\n }\n \n-static uint32_t arm_v7m_load_vector(ARMCPU *cpu)\n+static uint32_t arm_v7m_load_vector(ARMCPU *cpu, bool targets_secure)\n {\n     CPUState *cs = CPU(cpu);\n     CPUARMState *env = &cpu->env;\n     MemTxResult result;\n-    hwaddr vec = env->v7m.vecbase[env->v7m.secure] + env->v7m.exception * 4;\n+    hwaddr vec = env->v7m.vecbase[targets_secure] + env->v7m.exception * 4;\n     uint32_t addr;\n \n     addr = address_space_ldl(cs->as, vec,\n@@ -6217,13 +6217,48 @@ static uint32_t arm_v7m_load_vector(ARMCPU *cpu)\n          * Since we don't model Lockup, we just report this guest error\n          * via cpu_abort().\n          */\n-        cpu_abort(cs, \"Failed to read from exception vector table \"\n-                  \"entry %08x\\n\", (unsigned)vec);\n+        cpu_abort(cs, \"Failed to read from %s exception vector table \"\n+                  \"entry %08x\\n\", targets_secure ? 
\"secure\" : \"nonsecure\",\n+                  (unsigned)vec);\n     }\n     return addr;\n }\n \n-static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr)\n+static void v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain)\n+{\n+    /* For v8M, push the callee-saves register part of the stack frame.\n+     * Compare the v8M pseudocode PushCalleeStack().\n+     * In the tailchaining case this may not be the current stack.\n+     */\n+    CPUARMState *env = &cpu->env;\n+    CPUState *cs = CPU(cpu);\n+    uint32_t *frame_sp_p;\n+    uint32_t frameptr;\n+\n+    if (dotailchain) {\n+        frame_sp_p = get_v7m_sp_ptr(env, true,\n+                                    lr & R_V7M_EXCRET_MODE_MASK,\n+                                    lr & R_V7M_EXCRET_SPSEL_MASK);\n+    } else {\n+        frame_sp_p = &env->regs[13];\n+    }\n+\n+    frameptr = *frame_sp_p - 0x28;\n+\n+    stl_phys(cs->as, frameptr, 0xfefa125b);\n+    stl_phys(cs->as, frameptr + 0x8, env->regs[4]);\n+    stl_phys(cs->as, frameptr + 0xc, env->regs[5]);\n+    stl_phys(cs->as, frameptr + 0x10, env->regs[6]);\n+    stl_phys(cs->as, frameptr + 0x14, env->regs[7]);\n+    stl_phys(cs->as, frameptr + 0x18, env->regs[8]);\n+    stl_phys(cs->as, frameptr + 0x1c, env->regs[9]);\n+    stl_phys(cs->as, frameptr + 0x20, env->regs[10]);\n+    stl_phys(cs->as, frameptr + 0x24, env->regs[11]);\n+\n+    *frame_sp_p = frameptr;\n+}\n+\n+static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain)\n {\n     /* Do the \"take the exception\" parts of exception entry,\n      * but not the pushing of state to the stack. 
This is\n@@ -6231,14 +6266,84 @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr)\n      */\n     CPUARMState *env = &cpu->env;\n     uint32_t addr;\n+    bool targets_secure;\n+\n+    targets_secure = armv7m_nvic_acknowledge_irq(env->nvic);\n \n-    armv7m_nvic_acknowledge_irq(env->nvic);\n+    if (arm_feature(env, ARM_FEATURE_V8)) {\n+        if (arm_feature(env, ARM_FEATURE_M_SECURITY) &&\n+            (lr & R_V7M_EXCRET_S_MASK)) {\n+            /* The background code (the owner of the registers in the\n+             * exception frame) is Secure. This means it may either already\n+             * have or now needs to push callee-saves registers.\n+             */\n+            if (targets_secure) {\n+                if (dotailchain && !(lr & R_V7M_EXCRET_ES_MASK)) {\n+                    /* We took an exception from Secure to NonSecure\n+                     * (which means the callee-saved registers got stacked)\n+                     * and are now tailchaining to a Secure exception.\n+                     * Clear DCRS so eventual return from this Secure\n+                     * exception unstacks the callee-saved registers.\n+                     */\n+                    lr &= ~R_V7M_EXCRET_DCRS_MASK;\n+                }\n+            } else {\n+                /* We're going to a non-secure exception; push the\n+                 * callee-saves registers to the stack now, if they're\n+                 * not already saved.\n+                 */\n+                if (lr & R_V7M_EXCRET_DCRS_MASK &&\n+                    !(dotailchain && (lr & R_V7M_EXCRET_ES_MASK))) {\n+                    v7m_push_callee_stack(cpu, lr, dotailchain);\n+                }\n+                lr |= R_V7M_EXCRET_DCRS_MASK;\n+            }\n+        }\n+\n+        lr &= ~R_V7M_EXCRET_ES_MASK;\n+        if (targets_secure || !arm_feature(env, ARM_FEATURE_M_SECURITY)) {\n+            lr |= R_V7M_EXCRET_ES_MASK;\n+        }\n+        lr &= ~R_V7M_EXCRET_SPSEL_MASK;\n+        if 
(env->v7m.control[targets_secure] & R_V7M_CONTROL_SPSEL_MASK) {\n+            lr |= R_V7M_EXCRET_SPSEL_MASK;\n+        }\n+\n+        /* Clear registers if necessary to prevent non-secure exception\n+         * code being able to see register values from secure code.\n+         * Where register values become architecturally UNKNOWN we leave\n+         * them with their previous values.\n+         */\n+        if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {\n+            if (!targets_secure) {\n+                /* Always clear the caller-saved registers (they have been\n+                 * pushed to the stack earlier in v7m_push_stack()).\n+                 * Clear callee-saved registers if the background code is\n+                 * Secure (in which case these regs were saved in\n+                 * v7m_push_callee_stack()).\n+                 */\n+                int i;\n+\n+                for (i = 0; i < 13; i++) {\n+                    /* r4..r11 are callee-saves, zero only if EXCRET.S == 1 */\n+                    if (i < 4 || i > 11 || (lr & R_V7M_EXCRET_S_MASK)) {\n+                        env->regs[i] = 0;\n+                    }\n+                }\n+                /* Clear EAPSR */\n+                xpsr_write(env, 0, XPSR_NZCV | XPSR_Q | XPSR_GE | XPSR_IT);\n+            }\n+        }\n+    }\n+\n+    /* Switch to target security state -- must do this before writing SPSEL */\n+    switch_v7m_security_state(env, targets_secure);\n     write_v7m_control_spsel(env, 0);\n     arm_clear_exclusive(env);\n     /* Clear IT bits */\n     env->condexec_bits = 0;\n     env->regs[14] = lr;\n-    addr = arm_v7m_load_vector(cpu);\n+    addr = arm_v7m_load_vector(cpu, targets_secure);\n     env->regs[15] = addr & 0xfffffffe;\n     env->thumb = addr & 1;\n }\n@@ -6404,7 +6509,7 @@ static void do_v7m_exception_exit(ARMCPU *cpu)\n     if (sfault) {\n         env->v7m.sfsr |= R_V7M_SFSR_INVER_MASK;\n         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, 
false);\n-        v7m_exception_taken(cpu, excret);\n+        v7m_exception_taken(cpu, excret, true);\n         qemu_log_mask(CPU_LOG_INT, \"...taking SecureFault on existing \"\n                       \"stackframe: failed EXC_RETURN.ES validity check\\n\");\n         return;\n@@ -6416,7 +6521,7 @@ static void do_v7m_exception_exit(ARMCPU *cpu)\n          */\n         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;\n         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);\n-        v7m_exception_taken(cpu, excret);\n+        v7m_exception_taken(cpu, excret, true);\n         qemu_log_mask(CPU_LOG_INT, \"...taking UsageFault on existing \"\n                       \"stackframe: failed exception return integrity check\\n\");\n         return;\n@@ -6464,7 +6569,7 @@ static void do_v7m_exception_exit(ARMCPU *cpu)\n                 /* Take a SecureFault on the current stack */\n                 env->v7m.sfsr |= R_V7M_SFSR_INVIS_MASK;\n                 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);\n-                v7m_exception_taken(cpu, excret);\n+                v7m_exception_taken(cpu, excret, true);\n                 qemu_log_mask(CPU_LOG_INT, \"...taking SecureFault on existing \"\n                               \"stackframe: failed exception return integrity \"\n                               \"signature check\\n\");\n@@ -6527,7 +6632,7 @@ static void do_v7m_exception_exit(ARMCPU *cpu)\n                 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,\n                                         env->v7m.secure);\n                 env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;\n-                v7m_exception_taken(cpu, excret);\n+                v7m_exception_taken(cpu, excret, true);\n                 qemu_log_mask(CPU_LOG_INT, \"...taking UsageFault on existing \"\n                               \"stackframe: failed exception return integrity \"\n                               \"check\\n\");\n@@ 
-6564,7 +6669,7 @@ static void do_v7m_exception_exit(ARMCPU *cpu)\n         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, false);\n         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;\n         v7m_push_stack(cpu);\n-        v7m_exception_taken(cpu, excret);\n+        v7m_exception_taken(cpu, excret, false);\n         qemu_log_mask(CPU_LOG_INT, \"...taking UsageFault on new stackframe: \"\n                       \"failed exception return integrity check\\n\");\n         return;\n@@ -6708,20 +6813,40 @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)\n         return; /* Never happens.  Keep compiler happy.  */\n     }\n \n-    lr = R_V7M_EXCRET_RES1_MASK |\n-        R_V7M_EXCRET_S_MASK |\n-        R_V7M_EXCRET_DCRS_MASK |\n-        R_V7M_EXCRET_FTYPE_MASK |\n-        R_V7M_EXCRET_ES_MASK;\n-    if (env->v7m.control[env->v7m.secure] & R_V7M_CONTROL_SPSEL_MASK) {\n-        lr |= R_V7M_EXCRET_SPSEL_MASK;\n+    if (arm_feature(env, ARM_FEATURE_V8)) {\n+        lr = R_V7M_EXCRET_RES1_MASK |\n+            R_V7M_EXCRET_DCRS_MASK |\n+            R_V7M_EXCRET_FTYPE_MASK;\n+        /* The S bit indicates whether we should return to Secure\n+         * or NonSecure (ie our current state).\n+         * The ES bit indicates whether we're taking this exception\n+         * to Secure or NonSecure (ie our target state). 
We set it\n+         * later, in v7m_exception_taken().\n+         * The SPSEL bit is also set in v7m_exception_taken() for v8M.\n+         * This corresponds to the ARM ARM pseudocode for v8M setting\n+         * some LR bits in PushStack() and some in ExceptionTaken();\n+         * the distinction matters for the tailchain cases where we\n+         * can take an exception without pushing the stack.\n+         */\n+        if (env->v7m.secure) {\n+            lr |= R_V7M_EXCRET_S_MASK;\n+        }\n+    } else {\n+        lr = R_V7M_EXCRET_RES1_MASK |\n+            R_V7M_EXCRET_S_MASK |\n+            R_V7M_EXCRET_DCRS_MASK |\n+            R_V7M_EXCRET_FTYPE_MASK |\n+            R_V7M_EXCRET_ES_MASK;\n+        if (env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK) {\n+            lr |= R_V7M_EXCRET_SPSEL_MASK;\n+        }\n     }\n     if (!arm_v7m_is_handler_mode(env)) {\n         lr |= R_V7M_EXCRET_MODE_MASK;\n     }\n \n     v7m_push_stack(cpu);\n-    v7m_exception_taken(cpu, lr);\n+    v7m_exception_taken(cpu, lr, false);\n     qemu_log_mask(CPU_LOG_INT, \"... as %d\\n\", env->v7m.exception);\n }\n \n","prefixes":["12/20"]}
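Review bot: v7m_push_callee_stack() hardcodes secure=true in its get_v7m_sp_ptr() call and writes the frame with stl_phys(), which reports no fault, so it silently relies on v7m_exception_taken() only calling it when EXCRET.S is set and on stack-write faults not being modelled here; both assumptions belong in the function comment, e.g. extend "In the tailchaining case this may not be the current stack." with a line saying the frame always goes to the Secure stack selected by the MODE and SPSEL bits of lr. The word at frameptr + 0x4 is also skipped between the 0xfefa125b signature and r4 without a comment saying it is intentionally left unwritten.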
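Review bot: in v7m_exception_taken() the new `targets_secure = armv7m_nvic_acknowledge_irq(env->nvic);` depends on that function returning the target security state, whereas the removed line discarded its result and this patch does not touch its declaration, so the commit message should name the earlier patch in the series that introduced the return value (otherwise this hunk does not build on its own). Separately, the clearing loop stops at i < 13 and the xpsr_write() is described only as "Clear EAPSR" although its mask also covers the IT bits; a one-line comment that r13 is excluded because the stack pointers are banked by security state and switched by switch_v7m_security_state() just below, and a mention of IT in the EAPSR comment, would save the next reader a detour.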
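Review bot: the four `v7m_exception_taken(cpu, excret, true);` calls in do_v7m_exception_exit() hand a guest-supplied `excret` that has just failed a validity check to a function that now reads its S, ES, DCRS, MODE and SPSEL bits to decide whether to push callee-saves and which stack to use; a comment at the first of these call sites (or a sentence in the commit message) stating that those bits are still trusted to describe the background state on the "fault on existing stackframe" paths would make the reasoning explicit. The single `false` at -6564, following `v7m_push_stack(cpu);`, is consistent with a fresh frame being pushed there.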
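Review bot: the v7M else-branch in arm_v7m_cpu_do_interrupt() changes the SPSEL lookup from `env->v7m.control[env->v7m.secure]` to `env->v7m.control[M_REG_NS]`, which is only behaviour-preserving because a pre-v8M CPU cannot have the security extension and so is always Non-secure; the commit message does not mention this index change, so either keep the original expression or add a comment on the M_REG_NS line explaining why it is safe. The v8M branch deferring ES and SPSEL to v7m_exception_taken() is well explained by the new comment.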