[Qemu-devel] [PATCH v4 00/17] arm_gic: Add security and grouping support

[Peter Maydell]

This patch series adds support for GICv1 and GICv2 security
extensions, as well as support for GIC interrupt grouping on GICv2.

This is based on the work originally by Fabian and then by Greg.
I've gone through and dealt with all the issues I raised in code
review, and a few others I noticed as I was working on it.
The general structure of the changes is still the same, though
I've reordered one or two of the patches; I've touched most of
the lines of code in the series, though, as well as deleting
quite a few (the patches now add ~375 lines of code rather than
over 475).

I think these patches are in a suitable state to apply (and
they have no dependencies that aren't in master), assuming no
further issues found in review.

With this patchset the security extensions are still disabled
on all boards, so the actual functional change is that GICv2
now correctly implements interrupt grouping. This is enabled
always for GICv2, because the programming model is fully backwards
compatible with treating the GIC like one which doesn't support
groups (which is what Linux does).

The next part of this work is going to be actually enabling
the security extensions. Here's a sketch of my plan for that:
 * the a15mpcore and a9mpcore wrapper objects will default to
   enabling the security extensions in the GIC they create
   (unless the GIC is the KVM one). They also provide a
   QOM property to override this
 * for the set of legacy boards which are currently disabling
   has_el3 on their CPUs, we also have them disable TZ in the GIC
   (a non-TZ CPU and a TZ GIC is a bad combo because the CPU
   has no way to put the interrupts into Group1 where it can
   use them, so the whole system is busted)
 * the virt board creates its GIC directly, so it should also
   set the has-security-extensions property as needed
 * if boot.c is starting the CPUs directly in NonSecure
   mode (because we're booting a kernel directly rather than
   starting firmware, and arm_boot_info::secure_boot is false)
   then it must also manually configure the GIC distributor
   to put all interrupts into Group1. This is boot.c having
   to do a firmware configuration job since it's effectively
   acting as lightweight builtin firmware.

I think we could reasonably review and commit this patchseries
without waiting for that bit of board-wiring work; let me know
if you disagree.


Major changes since v3:
 * renamed property to 'has-security-extensions', to be a bit
   more in line with the CPU's 'has_el3'. I'm not wedded to this
   name so if anybody wants to suggest something better (or
   tell me our convention for prop names is underscores!) feel free
 * error on realize if security extensions turned on for a GIC
   which doesn't support them
 * new patch: switch to read/write_with_attrs MMIO callbacks so
   we can get at the Secure/NonSecure tx attribute
 * make the GIC_*_GROUP macros work like the others, with a simple
   SET/CLEAR/TEST semantic
 * new patch: save and restore GICD_IGROUPRn state when using KVM
   now we have the state struct fields to keep it in [the kernel
   doesn't implement grouping, but if it ever does we will be ready]
 * rather than having a 2-element array for storing the S and NS
   banked versions of GICD_CTLR and GICC_CTLR, just store the S
   version, since in both cases the NS view is just an alias of
   a subset of bits from the S register. This allows us to nicely
   simplify a lot of the logic that deals with these registers.
 * fixed bug in handling of GICC_BPR for GICv2-without-TZ
 * added missing masks in gic_set_priority_mask() and gic_set_priority()
 * make AckCtl operate on GICv2-without-TZ
 * handle an UNPREDICTABLE case (Secure EOI of a Group1 irq
   with AckCtl == 0) in a way more convenient for the implementation
 * reuse gic_get_current_pending_irq() in implementation of IAR writes,
   rather than reimplementing equivalent logic
 * new patch: support grouping in a single gic_update function (rather
   than having split update functions for the two cases)
 * new patch: wire FIQ up on highbank/midway; this means we're now
   consistent in having FIQ wired up on all our boards with GICv2
 * lots of minor formatting tweaks, etc; see individual commit messages


Fabian Aggeler (12):
  hw/intc/arm_gic: Create outbound FIQ lines
  hw/intc/arm_gic: Add Security Extensions property
  hw/intc/arm_gic: Add Interrupt Group Registers
  hw/intc/arm_gic: Make ICDDCR/GICD_CTLR banked
  hw/intc/arm_gic: Make ICCBPR/GICC_BPR banked
  hw/intc/arm_gic: Make ICCICR/GICC_CTLR banked
  hw/intc/arm_gic: Implement Non-secure view of RPR
  hw/intc/arm_gic: Restrict priority view
  hw/intc/arm_gic: Handle grouping for GICC_HPPIR
  hw/intc/arm_gic: Change behavior of EOIR writes
  hw/intc/arm_gic: Change behavior of IAR writes
  hw/arm/vexpress.c: Wire FIQ between CPU <> GIC

Greg Bellows (1):
  hw/arm/virt.c: Wire FIQ between CPU <> GIC

Peter Maydell (4):
  hw/intc/arm_gic: Switch to read/write callbacks with tx attributes
  hw/intc/arm_gic_kvm.c: Save and restore GICD_IGROUPRn state
  hw/intc/arm_gic: Add grouping support to gic_update()
  hw/arm/highbank.c: Wire FIQ between CPU <> GIC

 hw/arm/highbank.c                |   3 +
 hw/arm/vexpress.c                |   2 +
 hw/arm/virt.c                    |   2 +
 hw/intc/arm_gic.c                | 469 ++++++++++++++++++++++++++++++++-------
 hw/intc/arm_gic_common.c         |  22 +-
 hw/intc/arm_gic_kvm.c            |  51 +++--
 hw/intc/armv7m_nvic.c            |   8 +-
 hw/intc/gic_internal.h           |  29 ++-
 include/hw/intc/arm_gic_common.h |  24 +-
 9 files changed, 492 insertions(+), 118 deletions(-)

-- 
1.9.1