Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20171012' into staging

        return ((s->num_irq - NVIC_FIRST_IRQ) / 32) - 1;

    case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */

    {

        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;

        int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;

        int i;

        if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {

    switch (offset) {

    case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */

    {

        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;

        int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;

        int i;

        if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {

            return;

        }

        cpu->env.sau.ctrl = value & 3;

        break;

    case 0xdd4: /* SAU_TYPE */

        if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {

            goto bad_offset;

static void aspeed_wdt_reload(AspeedWDTState *s, bool pclk)

{

    uint32_t reload;

    uint64_t reload;

    if (pclk) {

        reload = muldiv64(s->regs[WDT_RELOAD_VALUE], NANOSECONDS_PER_SECOND,

                          s->pclk_freq);

    } else {

        reload = s->regs[WDT_RELOAD_VALUE] * 1000;

        reload = s->regs[WDT_RELOAD_VALUE] * 1000ULL;

    }

    if (aspeed_wdt_is_enabled(s)) {

/* armv7m.c */

DeviceState *armv7m_init(MemoryRegion *system_memory, int mem_size, int num_irq,

                      const char *kernel_filename, const char *cpu_model);

                         const char *kernel_filename, const char *cpu_type);

/**

 * armv7m_load_kernel:

 * @cpu: CPU

    bool irvalid;

} V8M_SAttributes;

static void v8m_security_lookup(CPUARMState *env, uint32_t address,

                                MMUAccessType access_type, ARMMMUIdx mmu_idx,

                                V8M_SAttributes *sattrs);

/* Definitions for the PMCCNTR and PMCR registers */

#define PMCRD   0x8

#define PMCRC   0x4

    g_assert_not_reached();

}

void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)

{

    /* translate.c should never generate calls here in user-only mode */

    g_assert_not_reached();

}

void switch_mode(CPUARMState *env, int mode)

{

    ARMCPU *cpu = arm_env_get_cpu(env);

     *  - if the return value is a magic value, do exception return (like BX)

     *  - otherwise bit 0 of the return value is the target security state

     */

    if (dest >= 0xff000000) {

    uint32_t min_magic;

    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {

        /* Covers FNC_RETURN and EXC_RETURN magic */

        min_magic = FNC_RETURN_MIN_MAGIC;

    } else {

        /* EXC_RETURN magic only */

        min_magic = EXC_RETURN_MIN_MAGIC;

    }

    if (dest >= min_magic) {

        /* This is an exception return magic value; put it where

         * do_v7m_exception_exit() expects and raise EXCEPTION_EXIT.

         * Note that if we ever add gen_ss_advance() singlestep support to

    env->regs[15] = dest & ~1;

}

void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)

{

    /* Handle v7M BLXNS:

     *  - bit 0 of the destination address is the target security state

     */

    /* At this point regs[15] is the address just after the BLXNS */

    uint32_t nextinst = env->regs[15] | 1;

    uint32_t sp = env->regs[13] - 8;

    uint32_t saved_psr;

    /* translate.c will have made BLXNS UNDEF unless we're secure */

    assert(env->v7m.secure);

    if (dest & 1) {

        /* target is Secure, so this is just a normal BLX,

         * except that the low bit doesn't indicate Thumb/not.

         */

        env->regs[14] = nextinst;

        env->thumb = 1;

        env->regs[15] = dest & ~1;

        return;

    }

    /* Target is non-secure: first push a stack frame */

    if (!QEMU_IS_ALIGNED(sp, 8)) {

        qemu_log_mask(LOG_GUEST_ERROR,

                      "BLXNS with misaligned SP is UNPREDICTABLE\n");

    }

    saved_psr = env->v7m.exception;

    if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK) {

        saved_psr |= XPSR_SFPA;

    }

    /* Note that these stores can throw exceptions on MPU faults */

    cpu_stl_data(env, sp, nextinst);

    cpu_stl_data(env, sp + 4, saved_psr);

    env->regs[13] = sp;

    env->regs[14] = 0xfeffffff;

    if (arm_v7m_is_handler_mode(env)) {

        /* Write a dummy value to IPSR, to avoid leaking the current secure

         * exception number to non-secure code. This is guaranteed not

         * to cause write_v7m_exception() to actually change stacks.

         */

        write_v7m_exception(env, 1);

    }

    switch_v7m_security_state(env, 0);

    env->thumb = 1;

    env->regs[15] = dest;

}

static uint32_t *get_v7m_sp_ptr(CPUARMState *env, bool secure, bool threadmode,

                                bool spsel)

{

    bool exc_secure = false;

    bool return_to_secure;

    /* We can only get here from an EXCP_EXCEPTION_EXIT, and

     * gen_bx_excret() enforces the architectural rule

     * that jumps to magic addresses don't have magic behaviour unless

     * we're in Handler mode (compare pseudocode BXWritePC()).

    /* If we're not in Handler mode then jumps to magic exception-exit

     * addresses don't have magic behaviour. However for the v8M

     * security extensions the magic secure-function-return has to

     * work in thread mode too, so to avoid doing an extra check in

     * the generated code we allow exception-exit magic to also cause the

     * internal exception and bring us here in thread mode. Correct code

     * will never try to do this (the following insn fetch will always

     * fault) so we the overhead of having taken an unnecessary exception

     * doesn't matter.

     */

    assert(arm_v7m_is_handler_mode(env));

    if (!arm_v7m_is_handler_mode(env)) {

        return;

    }

    /* In the spec pseudocode ExceptionReturn() is called directly

     * from BXWritePC() and gets the full target PC value including

    qemu_log_mask(CPU_LOG_INT, "...successful exception return\n");

}

static bool do_v7m_function_return(ARMCPU *cpu)

{

    /* v8M security extensions magic function return.

     * We may either:

     *  (1) throw an exception (longjump)

     *  (2) return true if we successfully handled the function return

     *  (3) return false if we failed a consistency check and have

     *      pended a UsageFault that needs to be taken now

     *

     * At this point the magic return value is split between env->regs[15]

     * and env->thumb. We don't bother to reconstitute it because we don't

     * need it (all values are handled the same way).

     */

    CPUARMState *env = &cpu->env;

    uint32_t newpc, newpsr, newpsr_exc;

    qemu_log_mask(CPU_LOG_INT, "...really v7M secure function return\n");

    {

        bool threadmode, spsel;

        TCGMemOpIdx oi;

        ARMMMUIdx mmu_idx;

        uint32_t *frame_sp_p;

        uint32_t frameptr;

        /* Pull the return address and IPSR from the Secure stack */

        threadmode = !arm_v7m_is_handler_mode(env);

        spsel = env->v7m.control[M_REG_S] & R_V7M_CONTROL_SPSEL_MASK;

        frame_sp_p = get_v7m_sp_ptr(env, true, threadmode, spsel);

        frameptr = *frame_sp_p;

        /* These loads may throw an exception (for MPU faults). We want to

         * do them as secure, so work out what MMU index that is.

         */

        mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);

        oi = make_memop_idx(MO_LE, arm_to_core_mmu_idx(mmu_idx));

        newpc = helper_le_ldul_mmu(env, frameptr, oi, 0);

        newpsr = helper_le_ldul_mmu(env, frameptr + 4, oi, 0);

        /* Consistency checks on new IPSR */

        newpsr_exc = newpsr & XPSR_EXCP;

        if (!((env->v7m.exception == 0 && newpsr_exc == 0) ||

              (env->v7m.exception == 1 && newpsr_exc != 0))) {

            /* Pend the fault and tell our caller to take it */

            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;

            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,

                                    env->v7m.secure);

            qemu_log_mask(CPU_LOG_INT,

                          "...taking INVPC UsageFault: "

                          "IPSR consistency check failed\n");

            return false;

        }

        *frame_sp_p = frameptr + 8;

    }

    /* This invalidates frame_sp_p */

    switch_v7m_security_state(env, true);

    env->v7m.exception = newpsr_exc;

    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;

    if (newpsr & XPSR_SFPA) {

        env->v7m.control[M_REG_S] |= R_V7M_CONTROL_SFPA_MASK;

    }

    xpsr_write(env, 0, XPSR_IT);

    env->thumb = newpc & 1;

    env->regs[15] = newpc & ~1;

    qemu_log_mask(CPU_LOG_INT, "...function return successful\n");

    return true;

}

static void arm_log_exception(int idx)

{

    if (qemu_loglevel_mask(CPU_LOG_INT)) {

    }

}

static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,

                               uint32_t addr, uint16_t *insn)

{

    /* Load a 16-bit portion of a v7M instruction, returning true on success,

     * or false on failure (in which case we will have pended the appropriate

     * exception).

     * We need to do the instruction fetch's MPU and SAU checks

     * like this because there is no MMU index that would allow

     * doing the load with a single function call. Instead we must

     * first check that the security attributes permit the load

     * and that they don't mismatch on the two halves of the instruction,

     * and then we do the load as a secure load (ie using the security

     * attributes of the address, not the CPU, as architecturally required).

     */

    CPUState *cs = CPU(cpu);

    CPUARMState *env = &cpu->env;

    V8M_SAttributes sattrs = {};

    MemTxAttrs attrs = {};

    ARMMMUFaultInfo fi = {};

    MemTxResult txres;

    target_ulong page_size;

    hwaddr physaddr;

    int prot;

    uint32_t fsr;

    v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, &sattrs);

    if (!sattrs.nsc || sattrs.ns) {

        /* This must be the second half of the insn, and it straddles a

         * region boundary with the second half not being S&NSC.

         */

        env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;

        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);

        qemu_log_mask(CPU_LOG_INT,

                      "...really SecureFault with SFSR.INVEP\n");

        return false;

    }

    if (get_phys_addr(env, addr, MMU_INST_FETCH, mmu_idx,

                      &physaddr, &attrs, &prot, &page_size, &fsr, &fi)) {

        /* the MPU lookup failed */

        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;

        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, env->v7m.secure);

        qemu_log_mask(CPU_LOG_INT, "...really MemManage with CFSR.IACCVIOL\n");

        return false;

    }

    *insn = address_space_lduw_le(arm_addressspace(cs, attrs), physaddr,

                                 attrs, &txres);

    if (txres != MEMTX_OK) {

        env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;

        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);

        qemu_log_mask(CPU_LOG_INT, "...really BusFault with CFSR.IBUSERR\n");

        return false;

    }

    return true;

}

static bool v7m_handle_execute_nsc(ARMCPU *cpu)

{

    /* Check whether this attempt to execute code in a Secure & NS-Callable

     * memory region is for an SG instruction; if so, then emulate the

     * effect of the SG instruction and return true. Otherwise pend

     * the correct kind of exception and return false.

     */

    CPUARMState *env = &cpu->env;

    ARMMMUIdx mmu_idx;

    uint16_t insn;

    /* We should never get here unless get_phys_addr_pmsav8() caused

     * an exception for NS executing in S&NSC memory.

     */

    assert(!env->v7m.secure);

    assert(arm_feature(env, ARM_FEATURE_M_SECURITY));

    /* We want to do the MPU lookup as secure; work out what mmu_idx that is */

    mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);

    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15], &insn)) {

        return false;

    }

    if (!env->thumb) {

        goto gen_invep;

    }

    if (insn != 0xe97f) {

        /* Not an SG instruction first half (we choose the IMPDEF

         * early-SG-check option).

         */

        goto gen_invep;

    }

    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15] + 2, &insn)) {

        return false;

    }

    if (insn != 0xe97f) {

        /* Not an SG instruction second half (yes, both halves of the SG

         * insn have the same hex value)

         */

        goto gen_invep;

    }

    /* OK, we have confirmed that we really have an SG instruction.

     * We know we're NS in S memory so don't need to repeat those checks.

     */

    qemu_log_mask(CPU_LOG_INT, "...really an SG instruction at 0x%08" PRIx32

                  ", executing it\n", env->regs[15]);

    env->regs[14] &= ~1;

    switch_v7m_security_state(env, true);

    xpsr_write(env, 0, XPSR_IT);

    env->regs[15] += 4;

    return true;

gen_invep:

    env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;

    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);

    qemu_log_mask(CPU_LOG_INT,

                  "...really SecureFault with SFSR.INVEP\n");

    return false;

}

void arm_v7m_cpu_do_interrupt(CPUState *cs)

{

    ARMCPU *cpu = ARM_CPU(cs);

             * the SG instruction have the same security attributes.)

             * Everything else must generate an INVEP SecureFault, so we

             * emulate the SG instruction here.

             * TODO: actually emulate SG.

             */

            env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;

            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);

            qemu_log_mask(CPU_LOG_INT,

                          "...really SecureFault with SFSR.INVEP\n");

            if (v7m_handle_execute_nsc(cpu)) {

                return;

            }

            break;

        case M_FAKE_FSR_SFAULT:

            /* Various flavours of SecureFault for attempts to execute or

    case EXCP_IRQ:

        break;

    case EXCP_EXCEPTION_EXIT:

        if (env->regs[15] < EXC_RETURN_MIN_MAGIC) {

            /* Must be v8M security extension function return */

            assert(env->regs[15] >= FNC_RETURN_MIN_MAGIC);

            assert(arm_feature(env, ARM_FEATURE_M_SECURITY));

            if (do_v7m_function_return(cpu)) {

                return;

            }

        } else {

            do_v7m_exception_exit(cpu);

            return;

        }

        break;

    default:

        cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);

        return; /* Never happens.  Keep compiler happy.  */

DEF_HELPER_2(v7m_mrs, i32, env, i32)

DEF_HELPER_2(v7m_bxns, void, env, i32)

DEF_HELPER_2(v7m_blxns, void, env, i32)

DEF_HELPER_4(access_check_cp_reg, void, env, ptr, i32, i32)

DEF_HELPER_3(set_cp_reg, void, env, ptr, i32)