ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()
[qemu.git] / hw / mips / mips_malta.c
blobbb864fe90887b52a632cd721c39f081edbc35da9
1 /*
2 * QEMU Malta board support
4 * Copyright (c) 2006 Aurelien Jarno
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 * THE SOFTWARE.
25 #include "hw/hw.h"
26 #include "hw/i386/pc.h"
27 #include "hw/char/serial.h"
28 #include "hw/block/fdc.h"
29 #include "net/net.h"
30 #include "hw/boards.h"
31 #include "hw/i2c/smbus.h"
32 #include "sysemu/block-backend.h"
33 #include "hw/block/flash.h"
34 #include "hw/mips/mips.h"
35 #include "hw/mips/cpudevs.h"
36 #include "hw/pci/pci.h"
37 #include "sysemu/char.h"
38 #include "sysemu/sysemu.h"
39 #include "sysemu/arch_init.h"
40 #include "qemu/log.h"
41 #include "hw/mips/bios.h"
42 #include "hw/ide.h"
43 #include "hw/loader.h"
44 #include "elf.h"
45 #include "hw/timer/mc146818rtc.h"
46 #include "hw/timer/i8254.h"
47 #include "sysemu/block-backend.h"
48 #include "sysemu/blockdev.h"
49 #include "exec/address-spaces.h"
50 #include "hw/sysbus.h" /* SysBusDevice */
51 #include "qemu/host-utils.h"
52 #include "sysemu/qtest.h"
53 #include "qemu/error-report.h"
54 #include "hw/empty_slot.h"
55 #include "sysemu/kvm.h"
56 #include "exec/semihost.h"
58 //#define DEBUG_BOARD_INIT
60 #define ENVP_ADDR 0x80002000l
61 #define ENVP_NB_ENTRIES 16
62 #define ENVP_ENTRY_SIZE 256
64 /* Hardware addresses */
65 #define FLASH_ADDRESS 0x1e000000ULL
66 #define FPGA_ADDRESS 0x1f000000ULL
67 #define RESET_ADDRESS 0x1fc00000ULL
69 #define FLASH_SIZE 0x400000
71 #define MAX_IDE_BUS 2
73 typedef struct {
74 MemoryRegion iomem;
75 MemoryRegion iomem_lo; /* 0 - 0x900 */
76 MemoryRegion iomem_hi; /* 0xa00 - 0x100000 */
77 uint32_t leds;
78 uint32_t brk;
79 uint32_t gpout;
80 uint32_t i2cin;
81 uint32_t i2coe;
82 uint32_t i2cout;
83 uint32_t i2csel;
84 CharDriverState *display;
85 char display_text[9];
86 SerialState *uart;
87 } MaltaFPGAState;
89 #define TYPE_MIPS_MALTA "mips-malta"
90 #define MIPS_MALTA(obj) OBJECT_CHECK(MaltaState, (obj), TYPE_MIPS_MALTA)
92 typedef struct {
93 SysBusDevice parent_obj;
95 qemu_irq *i8259;
96 } MaltaState;
98 static ISADevice *pit;
100 static struct _loaderparams {
101 int ram_size, ram_low_size;
102 const char *kernel_filename;
103 const char *kernel_cmdline;
104 const char *initrd_filename;
105 } loaderparams;
107 /* Malta FPGA */
108 static void malta_fpga_update_display(void *opaque)
110 char leds_text[9];
111 int i;
112 MaltaFPGAState *s = opaque;
114 for (i = 7 ; i >= 0 ; i--) {
115 if (s->leds & (1 << i))
116 leds_text[i] = '#';
117 else
118 leds_text[i] = ' ';
120 leds_text[8] = '\0';
122 qemu_chr_fe_printf(s->display, "\e[H\n\n|\e[32m%-8.8s\e[00m|\r\n", leds_text);
123 qemu_chr_fe_printf(s->display, "\n\n\n\n|\e[31m%-8.8s\e[00m|", s->display_text);
127 * EEPROM 24C01 / 24C02 emulation.
129 * Emulation for serial EEPROMs:
130 * 24C01 - 1024 bit (128 x 8)
131 * 24C02 - 2048 bit (256 x 8)
133 * Typical device names include Microchip 24C02SC or SGS Thomson ST24C02.
136 //~ #define DEBUG
138 #if defined(DEBUG)
139 # define logout(fmt, ...) fprintf(stderr, "MALTA\t%-24s" fmt, __func__, ## __VA_ARGS__)
140 #else
141 # define logout(fmt, ...) ((void)0)
142 #endif
144 struct _eeprom24c0x_t {
145 uint8_t tick;
146 uint8_t address;
147 uint8_t command;
148 uint8_t ack;
149 uint8_t scl;
150 uint8_t sda;
151 uint8_t data;
152 //~ uint16_t size;
153 uint8_t contents[256];
156 typedef struct _eeprom24c0x_t eeprom24c0x_t;
158 static eeprom24c0x_t spd_eeprom = {
159 .contents = {
160 /* 00000000: */ 0x80,0x08,0xFF,0x0D,0x0A,0xFF,0x40,0x00,
161 /* 00000008: */ 0x01,0x75,0x54,0x00,0x82,0x08,0x00,0x01,
162 /* 00000010: */ 0x8F,0x04,0x02,0x01,0x01,0x00,0x00,0x00,
163 /* 00000018: */ 0x00,0x00,0x00,0x14,0x0F,0x14,0x2D,0xFF,
164 /* 00000020: */ 0x15,0x08,0x15,0x08,0x00,0x00,0x00,0x00,
165 /* 00000028: */ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
166 /* 00000030: */ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
167 /* 00000038: */ 0x00,0x00,0x00,0x00,0x00,0x00,0x12,0xD0,
168 /* 00000040: */ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
169 /* 00000048: */ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
170 /* 00000050: */ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
171 /* 00000058: */ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
172 /* 00000060: */ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
173 /* 00000068: */ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
174 /* 00000070: */ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
175 /* 00000078: */ 0x00,0x00,0x00,0x00,0x00,0x00,0x64,0xF4,
179 static void generate_eeprom_spd(uint8_t *eeprom, ram_addr_t ram_size)
181 enum { SDR = 0x4, DDR2 = 0x8 } type;
182 uint8_t *spd = spd_eeprom.contents;
183 uint8_t nbanks = 0;
184 uint16_t density = 0;
185 int i;
187 /* work in terms of MB */
188 ram_size >>= 20;
190 while ((ram_size >= 4) && (nbanks <= 2)) {
191 int sz_log2 = MIN(31 - clz32(ram_size), 14);
192 nbanks++;
193 density |= 1 << (sz_log2 - 2);
194 ram_size -= 1 << sz_log2;
197 /* split to 2 banks if possible */
198 if ((nbanks == 1) && (density > 1)) {
199 nbanks++;
200 density >>= 1;
203 if (density & 0xff00) {
204 density = (density & 0xe0) | ((density >> 8) & 0x1f);
205 type = DDR2;
206 } else if (!(density & 0x1f)) {
207 type = DDR2;
208 } else {
209 type = SDR;
212 if (ram_size) {
213 fprintf(stderr, "Warning: SPD cannot represent final %dMB"
214 " of SDRAM\n", (int)ram_size);
217 /* fill in SPD memory information */
218 spd[2] = type;
219 spd[5] = nbanks;
220 spd[31] = density;
222 /* checksum */
223 spd[63] = 0;
224 for (i = 0; i < 63; i++) {
225 spd[63] += spd[i];
228 /* copy for SMBUS */
229 memcpy(eeprom, spd, sizeof(spd_eeprom.contents));
232 static void generate_eeprom_serial(uint8_t *eeprom)
234 int i, pos = 0;
235 uint8_t mac[6] = { 0x00 };
236 uint8_t sn[5] = { 0x01, 0x23, 0x45, 0x67, 0x89 };
238 /* version */
239 eeprom[pos++] = 0x01;
241 /* count */
242 eeprom[pos++] = 0x02;
244 /* MAC address */
245 eeprom[pos++] = 0x01; /* MAC */
246 eeprom[pos++] = 0x06; /* length */
247 memcpy(&eeprom[pos], mac, sizeof(mac));
248 pos += sizeof(mac);
250 /* serial number */
251 eeprom[pos++] = 0x02; /* serial */
252 eeprom[pos++] = 0x05; /* length */
253 memcpy(&eeprom[pos], sn, sizeof(sn));
254 pos += sizeof(sn);
256 /* checksum */
257 eeprom[pos] = 0;
258 for (i = 0; i < pos; i++) {
259 eeprom[pos] += eeprom[i];
263 static uint8_t eeprom24c0x_read(eeprom24c0x_t *eeprom)
265 logout("%u: scl = %u, sda = %u, data = 0x%02x\n",
266 eeprom->tick, eeprom->scl, eeprom->sda, eeprom->data);
267 return eeprom->sda;
270 static void eeprom24c0x_write(eeprom24c0x_t *eeprom, int scl, int sda)
272 if (eeprom->scl && scl && (eeprom->sda != sda)) {
273 logout("%u: scl = %u->%u, sda = %u->%u i2c %s\n",
274 eeprom->tick, eeprom->scl, scl, eeprom->sda, sda,
275 sda ? "stop" : "start");
276 if (!sda) {
277 eeprom->tick = 1;
278 eeprom->command = 0;
280 } else if (eeprom->tick == 0 && !eeprom->ack) {
281 /* Waiting for start. */
282 logout("%u: scl = %u->%u, sda = %u->%u wait for i2c start\n",
283 eeprom->tick, eeprom->scl, scl, eeprom->sda, sda);
284 } else if (!eeprom->scl && scl) {
285 logout("%u: scl = %u->%u, sda = %u->%u trigger bit\n",
286 eeprom->tick, eeprom->scl, scl, eeprom->sda, sda);
287 if (eeprom->ack) {
288 logout("\ti2c ack bit = 0\n");
289 sda = 0;
290 eeprom->ack = 0;
291 } else if (eeprom->sda == sda) {
292 uint8_t bit = (sda != 0);
293 logout("\ti2c bit = %d\n", bit);
294 if (eeprom->tick < 9) {
295 eeprom->command <<= 1;
296 eeprom->command += bit;
297 eeprom->tick++;
298 if (eeprom->tick == 9) {
299 logout("\tcommand 0x%04x, %s\n", eeprom->command,
300 bit ? "read" : "write");
301 eeprom->ack = 1;
303 } else if (eeprom->tick < 17) {
304 if (eeprom->command & 1) {
305 sda = ((eeprom->data & 0x80) != 0);
307 eeprom->address <<= 1;
308 eeprom->address += bit;
309 eeprom->tick++;
310 eeprom->data <<= 1;
311 if (eeprom->tick == 17) {
312 eeprom->data = eeprom->contents[eeprom->address];
313 logout("\taddress 0x%04x, data 0x%02x\n",
314 eeprom->address, eeprom->data);
315 eeprom->ack = 1;
316 eeprom->tick = 0;
318 } else if (eeprom->tick >= 17) {
319 sda = 0;
321 } else {
322 logout("\tsda changed with raising scl\n");
324 } else {
325 logout("%u: scl = %u->%u, sda = %u->%u\n", eeprom->tick, eeprom->scl,
326 scl, eeprom->sda, sda);
328 eeprom->scl = scl;
329 eeprom->sda = sda;
332 static uint64_t malta_fpga_read(void *opaque, hwaddr addr,
333 unsigned size)
335 MaltaFPGAState *s = opaque;
336 uint32_t val = 0;
337 uint32_t saddr;
339 saddr = (addr & 0xfffff);
341 switch (saddr) {
343 /* SWITCH Register */
344 case 0x00200:
345 val = 0x00000000; /* All switches closed */
346 break;
348 /* STATUS Register */
349 case 0x00208:
350 #ifdef TARGET_WORDS_BIGENDIAN
351 val = 0x00000012;
352 #else
353 val = 0x00000010;
354 #endif
355 break;
357 /* JMPRS Register */
358 case 0x00210:
359 val = 0x00;
360 break;
362 /* LEDBAR Register */
363 case 0x00408:
364 val = s->leds;
365 break;
367 /* BRKRES Register */
368 case 0x00508:
369 val = s->brk;
370 break;
372 /* UART Registers are handled directly by the serial device */
374 /* GPOUT Register */
375 case 0x00a00:
376 val = s->gpout;
377 break;
379 /* XXX: implement a real I2C controller */
381 /* GPINP Register */
382 case 0x00a08:
383 /* IN = OUT until a real I2C control is implemented */
384 if (s->i2csel)
385 val = s->i2cout;
386 else
387 val = 0x00;
388 break;
390 /* I2CINP Register */
391 case 0x00b00:
392 val = ((s->i2cin & ~1) | eeprom24c0x_read(&spd_eeprom));
393 break;
395 /* I2COE Register */
396 case 0x00b08:
397 val = s->i2coe;
398 break;
400 /* I2COUT Register */
401 case 0x00b10:
402 val = s->i2cout;
403 break;
405 /* I2CSEL Register */
406 case 0x00b18:
407 val = s->i2csel;
408 break;
410 default:
411 #if 0
412 printf ("malta_fpga_read: Bad register offset 0x" TARGET_FMT_lx "\n",
413 addr);
414 #endif
415 break;
417 return val;
420 static void malta_fpga_write(void *opaque, hwaddr addr,
421 uint64_t val, unsigned size)
423 MaltaFPGAState *s = opaque;
424 uint32_t saddr;
426 saddr = (addr & 0xfffff);
428 switch (saddr) {
430 /* SWITCH Register */
431 case 0x00200:
432 break;
434 /* JMPRS Register */
435 case 0x00210:
436 break;
438 /* LEDBAR Register */
439 case 0x00408:
440 s->leds = val & 0xff;
441 malta_fpga_update_display(s);
442 break;
444 /* ASCIIWORD Register */
445 case 0x00410:
446 snprintf(s->display_text, 9, "%08X", (uint32_t)val);
447 malta_fpga_update_display(s);
448 break;
450 /* ASCIIPOS0 to ASCIIPOS7 Registers */
451 case 0x00418:
452 case 0x00420:
453 case 0x00428:
454 case 0x00430:
455 case 0x00438:
456 case 0x00440:
457 case 0x00448:
458 case 0x00450:
459 s->display_text[(saddr - 0x00418) >> 3] = (char) val;
460 malta_fpga_update_display(s);
461 break;
463 /* SOFTRES Register */
464 case 0x00500:
465 if (val == 0x42)
466 qemu_system_reset_request ();
467 break;
469 /* BRKRES Register */
470 case 0x00508:
471 s->brk = val & 0xff;
472 break;
474 /* UART Registers are handled directly by the serial device */
476 /* GPOUT Register */
477 case 0x00a00:
478 s->gpout = val & 0xff;
479 break;
481 /* I2COE Register */
482 case 0x00b08:
483 s->i2coe = val & 0x03;
484 break;
486 /* I2COUT Register */
487 case 0x00b10:
488 eeprom24c0x_write(&spd_eeprom, val & 0x02, val & 0x01);
489 s->i2cout = val;
490 break;
492 /* I2CSEL Register */
493 case 0x00b18:
494 s->i2csel = val & 0x01;
495 break;
497 default:
498 #if 0
499 printf ("malta_fpga_write: Bad register offset 0x" TARGET_FMT_lx "\n",
500 addr);
501 #endif
502 break;
506 static const MemoryRegionOps malta_fpga_ops = {
507 .read = malta_fpga_read,
508 .write = malta_fpga_write,
509 .endianness = DEVICE_NATIVE_ENDIAN,
512 static void malta_fpga_reset(void *opaque)
514 MaltaFPGAState *s = opaque;
516 s->leds = 0x00;
517 s->brk = 0x0a;
518 s->gpout = 0x00;
519 s->i2cin = 0x3;
520 s->i2coe = 0x0;
521 s->i2cout = 0x3;
522 s->i2csel = 0x1;
524 s->display_text[8] = '\0';
525 snprintf(s->display_text, 9, " ");
528 static void malta_fpga_led_init(CharDriverState *chr)
530 qemu_chr_fe_printf(chr, "\e[HMalta LEDBAR\r\n");
531 qemu_chr_fe_printf(chr, "+--------+\r\n");
532 qemu_chr_fe_printf(chr, "+ +\r\n");
533 qemu_chr_fe_printf(chr, "+--------+\r\n");
534 qemu_chr_fe_printf(chr, "\n");
535 qemu_chr_fe_printf(chr, "Malta ASCII\r\n");
536 qemu_chr_fe_printf(chr, "+--------+\r\n");
537 qemu_chr_fe_printf(chr, "+ +\r\n");
538 qemu_chr_fe_printf(chr, "+--------+\r\n");
541 static MaltaFPGAState *malta_fpga_init(MemoryRegion *address_space,
542 hwaddr base, qemu_irq uart_irq, CharDriverState *uart_chr)
544 MaltaFPGAState *s;
546 s = (MaltaFPGAState *)g_malloc0(sizeof(MaltaFPGAState));
548 memory_region_init_io(&s->iomem, NULL, &malta_fpga_ops, s,
549 "malta-fpga", 0x100000);
550 memory_region_init_alias(&s->iomem_lo, NULL, "malta-fpga",
551 &s->iomem, 0, 0x900);
552 memory_region_init_alias(&s->iomem_hi, NULL, "malta-fpga",
553 &s->iomem, 0xa00, 0x10000-0xa00);
555 memory_region_add_subregion(address_space, base, &s->iomem_lo);
556 memory_region_add_subregion(address_space, base + 0xa00, &s->iomem_hi);
558 s->display = qemu_chr_new("fpga", "vc:320x200", malta_fpga_led_init);
560 s->uart = serial_mm_init(address_space, base + 0x900, 3, uart_irq,
561 230400, uart_chr, DEVICE_NATIVE_ENDIAN);
563 malta_fpga_reset(s);
564 qemu_register_reset(malta_fpga_reset, s);
566 return s;
569 /* Network support */
570 static void network_init(PCIBus *pci_bus)
572 int i;
574 for(i = 0; i < nb_nics; i++) {
575 NICInfo *nd = &nd_table[i];
576 const char *default_devaddr = NULL;
578 if (i == 0 && (!nd->model || strcmp(nd->model, "pcnet") == 0))
579 /* The malta board has a PCNet card using PCI SLOT 11 */
580 default_devaddr = "0b";
582 pci_nic_init_nofail(nd, pci_bus, "pcnet", default_devaddr);
586 /* ROM and pseudo bootloader
588 The following code implements a very very simple bootloader. It first
589 loads the registers a0 to a3 to the values expected by the OS, and
590 then jump at the kernel address.
592 The bootloader should pass the locations of the kernel arguments and
593 environment variables tables. Those tables contain the 32-bit address
594 of NULL terminated strings. The environment variables table should be
595 terminated by a NULL address.
597 For a simpler implementation, the number of kernel arguments is fixed
598 to two (the name of the kernel and the command line), and the two
599 tables are actually the same one.
601 The registers a0 to a3 should contain the following values:
602 a0 - number of kernel arguments
603 a1 - 32-bit address of the kernel arguments table
604 a2 - 32-bit address of the environment variables table
605 a3 - RAM size in bytes
608 static void write_bootloader (CPUMIPSState *env, uint8_t *base,
609 int64_t run_addr, int64_t kernel_entry)
611 uint32_t *p;
613 /* Small bootloader */
614 p = (uint32_t *)base;
616 stl_p(p++, 0x08000000 | /* j 0x1fc00580 */
617 ((run_addr + 0x580) & 0x0fffffff) >> 2);
618 stl_p(p++, 0x00000000); /* nop */
620 /* YAMON service vector */
621 stl_p(base + 0x500, run_addr + 0x0580); /* start: */
622 stl_p(base + 0x504, run_addr + 0x083c); /* print_count: */
623 stl_p(base + 0x520, run_addr + 0x0580); /* start: */
624 stl_p(base + 0x52c, run_addr + 0x0800); /* flush_cache: */
625 stl_p(base + 0x534, run_addr + 0x0808); /* print: */
626 stl_p(base + 0x538, run_addr + 0x0800); /* reg_cpu_isr: */
627 stl_p(base + 0x53c, run_addr + 0x0800); /* unred_cpu_isr: */
628 stl_p(base + 0x540, run_addr + 0x0800); /* reg_ic_isr: */
629 stl_p(base + 0x544, run_addr + 0x0800); /* unred_ic_isr: */
630 stl_p(base + 0x548, run_addr + 0x0800); /* reg_esr: */
631 stl_p(base + 0x54c, run_addr + 0x0800); /* unreg_esr: */
632 stl_p(base + 0x550, run_addr + 0x0800); /* getchar: */
633 stl_p(base + 0x554, run_addr + 0x0800); /* syscon_read: */
636 /* Second part of the bootloader */
637 p = (uint32_t *) (base + 0x580);
639 if (semihosting_get_argc()) {
640 /* Preserve a0 content as arguments have been passed */
641 stl_p(p++, 0x00000000); /* nop */
642 } else {
643 stl_p(p++, 0x24040002); /* addiu a0, zero, 2 */
645 stl_p(p++, 0x3c1d0000 | (((ENVP_ADDR - 64) >> 16) & 0xffff)); /* lui sp, high(ENVP_ADDR) */
646 stl_p(p++, 0x37bd0000 | ((ENVP_ADDR - 64) & 0xffff)); /* ori sp, sp, low(ENVP_ADDR) */
647 stl_p(p++, 0x3c050000 | ((ENVP_ADDR >> 16) & 0xffff)); /* lui a1, high(ENVP_ADDR) */
648 stl_p(p++, 0x34a50000 | (ENVP_ADDR & 0xffff)); /* ori a1, a1, low(ENVP_ADDR) */
649 stl_p(p++, 0x3c060000 | (((ENVP_ADDR + 8) >> 16) & 0xffff)); /* lui a2, high(ENVP_ADDR + 8) */
650 stl_p(p++, 0x34c60000 | ((ENVP_ADDR + 8) & 0xffff)); /* ori a2, a2, low(ENVP_ADDR + 8) */
651 stl_p(p++, 0x3c070000 | (loaderparams.ram_low_size >> 16)); /* lui a3, high(ram_low_size) */
652 stl_p(p++, 0x34e70000 | (loaderparams.ram_low_size & 0xffff)); /* ori a3, a3, low(ram_low_size) */
654 /* Load BAR registers as done by YAMON */
655 stl_p(p++, 0x3c09b400); /* lui t1, 0xb400 */
657 #ifdef TARGET_WORDS_BIGENDIAN
658 stl_p(p++, 0x3c08df00); /* lui t0, 0xdf00 */
659 #else
660 stl_p(p++, 0x340800df); /* ori t0, r0, 0x00df */
661 #endif
662 stl_p(p++, 0xad280068); /* sw t0, 0x0068(t1) */
664 stl_p(p++, 0x3c09bbe0); /* lui t1, 0xbbe0 */
666 #ifdef TARGET_WORDS_BIGENDIAN
667 stl_p(p++, 0x3c08c000); /* lui t0, 0xc000 */
668 #else
669 stl_p(p++, 0x340800c0); /* ori t0, r0, 0x00c0 */
670 #endif
671 stl_p(p++, 0xad280048); /* sw t0, 0x0048(t1) */
672 #ifdef TARGET_WORDS_BIGENDIAN
673 stl_p(p++, 0x3c084000); /* lui t0, 0x4000 */
674 #else
675 stl_p(p++, 0x34080040); /* ori t0, r0, 0x0040 */
676 #endif
677 stl_p(p++, 0xad280050); /* sw t0, 0x0050(t1) */
679 #ifdef TARGET_WORDS_BIGENDIAN
680 stl_p(p++, 0x3c088000); /* lui t0, 0x8000 */
681 #else
682 stl_p(p++, 0x34080080); /* ori t0, r0, 0x0080 */
683 #endif
684 stl_p(p++, 0xad280058); /* sw t0, 0x0058(t1) */
685 #ifdef TARGET_WORDS_BIGENDIAN
686 stl_p(p++, 0x3c083f00); /* lui t0, 0x3f00 */
687 #else
688 stl_p(p++, 0x3408003f); /* ori t0, r0, 0x003f */
689 #endif
690 stl_p(p++, 0xad280060); /* sw t0, 0x0060(t1) */
692 #ifdef TARGET_WORDS_BIGENDIAN
693 stl_p(p++, 0x3c08c100); /* lui t0, 0xc100 */
694 #else
695 stl_p(p++, 0x340800c1); /* ori t0, r0, 0x00c1 */
696 #endif
697 stl_p(p++, 0xad280080); /* sw t0, 0x0080(t1) */
698 #ifdef TARGET_WORDS_BIGENDIAN
699 stl_p(p++, 0x3c085e00); /* lui t0, 0x5e00 */
700 #else
701 stl_p(p++, 0x3408005e); /* ori t0, r0, 0x005e */
702 #endif
703 stl_p(p++, 0xad280088); /* sw t0, 0x0088(t1) */
705 /* Jump to kernel code */
706 stl_p(p++, 0x3c1f0000 | ((kernel_entry >> 16) & 0xffff)); /* lui ra, high(kernel_entry) */
707 stl_p(p++, 0x37ff0000 | (kernel_entry & 0xffff)); /* ori ra, ra, low(kernel_entry) */
708 stl_p(p++, 0x03e00009); /* jalr ra */
709 stl_p(p++, 0x00000000); /* nop */
711 /* YAMON subroutines */
712 p = (uint32_t *) (base + 0x800);
713 stl_p(p++, 0x03e00009); /* jalr ra */
714 stl_p(p++, 0x24020000); /* li v0,0 */
715 /* 808 YAMON print */
716 stl_p(p++, 0x03e06821); /* move t5,ra */
717 stl_p(p++, 0x00805821); /* move t3,a0 */
718 stl_p(p++, 0x00a05021); /* move t2,a1 */
719 stl_p(p++, 0x91440000); /* lbu a0,0(t2) */
720 stl_p(p++, 0x254a0001); /* addiu t2,t2,1 */
721 stl_p(p++, 0x10800005); /* beqz a0,834 */
722 stl_p(p++, 0x00000000); /* nop */
723 stl_p(p++, 0x0ff0021c); /* jal 870 */
724 stl_p(p++, 0x00000000); /* nop */
725 stl_p(p++, 0x08000205); /* j 814 */
726 stl_p(p++, 0x00000000); /* nop */
727 stl_p(p++, 0x01a00009); /* jalr t5 */
728 stl_p(p++, 0x01602021); /* move a0,t3 */
729 /* 0x83c YAMON print_count */
730 stl_p(p++, 0x03e06821); /* move t5,ra */
731 stl_p(p++, 0x00805821); /* move t3,a0 */
732 stl_p(p++, 0x00a05021); /* move t2,a1 */
733 stl_p(p++, 0x00c06021); /* move t4,a2 */
734 stl_p(p++, 0x91440000); /* lbu a0,0(t2) */
735 stl_p(p++, 0x0ff0021c); /* jal 870 */
736 stl_p(p++, 0x00000000); /* nop */
737 stl_p(p++, 0x254a0001); /* addiu t2,t2,1 */
738 stl_p(p++, 0x258cffff); /* addiu t4,t4,-1 */
739 stl_p(p++, 0x1580fffa); /* bnez t4,84c */
740 stl_p(p++, 0x00000000); /* nop */
741 stl_p(p++, 0x01a00009); /* jalr t5 */
742 stl_p(p++, 0x01602021); /* move a0,t3 */
743 /* 0x870 */
744 stl_p(p++, 0x3c08b800); /* lui t0,0xb400 */
745 stl_p(p++, 0x350803f8); /* ori t0,t0,0x3f8 */
746 stl_p(p++, 0x91090005); /* lbu t1,5(t0) */
747 stl_p(p++, 0x00000000); /* nop */
748 stl_p(p++, 0x31290040); /* andi t1,t1,0x40 */
749 stl_p(p++, 0x1120fffc); /* beqz t1,878 <outch+0x8> */
750 stl_p(p++, 0x00000000); /* nop */
751 stl_p(p++, 0x03e00009); /* jalr ra */
752 stl_p(p++, 0xa1040000); /* sb a0,0(t0) */
756 static void GCC_FMT_ATTR(3, 4) prom_set(uint32_t* prom_buf, int index,
757 const char *string, ...)
759 va_list ap;
760 int32_t table_addr;
762 if (index >= ENVP_NB_ENTRIES)
763 return;
765 if (string == NULL) {
766 prom_buf[index] = 0;
767 return;
770 table_addr = sizeof(int32_t) * ENVP_NB_ENTRIES + index * ENVP_ENTRY_SIZE;
771 prom_buf[index] = tswap32(ENVP_ADDR + table_addr);
773 va_start(ap, string);
774 vsnprintf((char *)prom_buf + table_addr, ENVP_ENTRY_SIZE, string, ap);
775 va_end(ap);
778 /* Kernel */
779 static int64_t load_kernel (void)
781 int64_t kernel_entry, kernel_high;
782 long initrd_size;
783 ram_addr_t initrd_offset;
784 int big_endian;
785 uint32_t *prom_buf;
786 long prom_size;
787 int prom_index = 0;
788 uint64_t (*xlate_to_kseg0) (void *opaque, uint64_t addr);
790 #ifdef TARGET_WORDS_BIGENDIAN
791 big_endian = 1;
792 #else
793 big_endian = 0;
794 #endif
796 if (load_elf(loaderparams.kernel_filename, cpu_mips_kseg0_to_phys, NULL,
797 (uint64_t *)&kernel_entry, NULL, (uint64_t *)&kernel_high,
798 big_endian, ELF_MACHINE, 1) < 0) {
799 fprintf(stderr, "qemu: could not load kernel '%s'\n",
800 loaderparams.kernel_filename);
801 exit(1);
804 /* Sanity check where the kernel has been linked */
805 if (kvm_enabled()) {
806 if (kernel_entry & 0x80000000ll) {
807 error_report("KVM guest kernels must be linked in useg. "
808 "Did you forget to enable CONFIG_KVM_GUEST?");
809 exit(1);
812 xlate_to_kseg0 = cpu_mips_kvm_um_phys_to_kseg0;
813 } else {
814 if (!(kernel_entry & 0x80000000ll)) {
815 error_report("KVM guest kernels aren't supported with TCG. "
816 "Did you unintentionally enable CONFIG_KVM_GUEST?");
817 exit(1);
820 xlate_to_kseg0 = cpu_mips_phys_to_kseg0;
823 /* load initrd */
824 initrd_size = 0;
825 initrd_offset = 0;
826 if (loaderparams.initrd_filename) {
827 initrd_size = get_image_size (loaderparams.initrd_filename);
828 if (initrd_size > 0) {
829 initrd_offset = (kernel_high + ~INITRD_PAGE_MASK) & INITRD_PAGE_MASK;
830 if (initrd_offset + initrd_size > ram_size) {
831 fprintf(stderr,
832 "qemu: memory too small for initial ram disk '%s'\n",
833 loaderparams.initrd_filename);
834 exit(1);
836 initrd_size = load_image_targphys(loaderparams.initrd_filename,
837 initrd_offset,
838 ram_size - initrd_offset);
840 if (initrd_size == (target_ulong) -1) {
841 fprintf(stderr, "qemu: could not load initial ram disk '%s'\n",
842 loaderparams.initrd_filename);
843 exit(1);
847 /* Setup prom parameters. */
848 prom_size = ENVP_NB_ENTRIES * (sizeof(int32_t) + ENVP_ENTRY_SIZE);
849 prom_buf = g_malloc(prom_size);
851 prom_set(prom_buf, prom_index++, "%s", loaderparams.kernel_filename);
852 if (initrd_size > 0) {
853 prom_set(prom_buf, prom_index++, "rd_start=0x%" PRIx64 " rd_size=%li %s",
854 xlate_to_kseg0(NULL, initrd_offset), initrd_size,
855 loaderparams.kernel_cmdline);
856 } else {
857 prom_set(prom_buf, prom_index++, "%s", loaderparams.kernel_cmdline);
860 prom_set(prom_buf, prom_index++, "memsize");
861 prom_set(prom_buf, prom_index++, "%u", loaderparams.ram_low_size);
863 prom_set(prom_buf, prom_index++, "ememsize");
864 prom_set(prom_buf, prom_index++, "%u", loaderparams.ram_size);
866 prom_set(prom_buf, prom_index++, "modetty0");
867 prom_set(prom_buf, prom_index++, "38400n8r");
868 prom_set(prom_buf, prom_index++, NULL);
870 rom_add_blob_fixed("prom", prom_buf, prom_size,
871 cpu_mips_kseg0_to_phys(NULL, ENVP_ADDR));
873 g_free(prom_buf);
874 return kernel_entry;
877 static void malta_mips_config(MIPSCPU *cpu)
879 CPUMIPSState *env = &cpu->env;
880 CPUState *cs = CPU(cpu);
882 env->mvp->CP0_MVPConf0 |= ((smp_cpus - 1) << CP0MVPC0_PVPE) |
883 ((smp_cpus * cs->nr_threads - 1) << CP0MVPC0_PTC);
886 static void main_cpu_reset(void *opaque)
888 MIPSCPU *cpu = opaque;
889 CPUMIPSState *env = &cpu->env;
891 cpu_reset(CPU(cpu));
893 /* The bootloader does not need to be rewritten as it is located in a
894 read only location. The kernel location and the arguments table
895 location does not change. */
896 if (loaderparams.kernel_filename) {
897 env->CP0_Status &= ~(1 << CP0St_ERL);
900 malta_mips_config(cpu);
902 if (kvm_enabled()) {
903 /* Start running from the bootloader we wrote to end of RAM */
904 env->active_tc.PC = 0x40000000 + loaderparams.ram_size;
908 static
909 void mips_malta_init(MachineState *machine)
911 ram_addr_t ram_size = machine->ram_size;
912 ram_addr_t ram_low_size;
913 const char *cpu_model = machine->cpu_model;
914 const char *kernel_filename = machine->kernel_filename;
915 const char *kernel_cmdline = machine->kernel_cmdline;
916 const char *initrd_filename = machine->initrd_filename;
917 char *filename;
918 pflash_t *fl;
919 MemoryRegion *system_memory = get_system_memory();
920 MemoryRegion *ram_high = g_new(MemoryRegion, 1);
921 MemoryRegion *ram_low_preio = g_new(MemoryRegion, 1);
922 MemoryRegion *ram_low_postio;
923 MemoryRegion *bios, *bios_copy = g_new(MemoryRegion, 1);
924 target_long bios_size = FLASH_SIZE;
925 const size_t smbus_eeprom_size = 8 * 256;
926 uint8_t *smbus_eeprom_buf = g_malloc0(smbus_eeprom_size);
927 int64_t kernel_entry, bootloader_run_addr;
928 PCIBus *pci_bus;
929 ISABus *isa_bus;
930 MIPSCPU *cpu;
931 CPUMIPSState *env;
932 qemu_irq *isa_irq;
933 int piix4_devfn;
934 I2CBus *smbus;
935 int i;
936 DriveInfo *dinfo;
937 DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
938 DriveInfo *fd[MAX_FD];
939 int fl_idx = 0;
940 int fl_sectors = bios_size >> 16;
941 int be;
943 DeviceState *dev = qdev_create(NULL, TYPE_MIPS_MALTA);
944 MaltaState *s = MIPS_MALTA(dev);
946 /* The whole address space decoded by the GT-64120A doesn't generate
947 exception when accessing invalid memory. Create an empty slot to
948 emulate this feature. */
949 empty_slot_init(0, 0x20000000);
951 qdev_init_nofail(dev);
953 /* Make sure the first 3 serial ports are associated with a device. */
954 for(i = 0; i < 3; i++) {
955 if (!serial_hds[i]) {
956 char label[32];
957 snprintf(label, sizeof(label), "serial%d", i);
958 serial_hds[i] = qemu_chr_new(label, "null", NULL);
962 /* init CPUs */
963 if (cpu_model == NULL) {
964 #ifdef TARGET_MIPS64
965 cpu_model = "20Kc";
966 #else
967 cpu_model = "24Kf";
968 #endif
971 for (i = 0; i < smp_cpus; i++) {
972 cpu = cpu_mips_init(cpu_model);
973 if (cpu == NULL) {
974 fprintf(stderr, "Unable to find CPU definition\n");
975 exit(1);
977 env = &cpu->env;
979 /* Init internal devices */
980 cpu_mips_irq_init_cpu(env);
981 cpu_mips_clock_init(env);
982 qemu_register_reset(main_cpu_reset, cpu);
984 cpu = MIPS_CPU(first_cpu);
985 env = &cpu->env;
987 /* allocate RAM */
988 if (ram_size > (2048u << 20)) {
989 fprintf(stderr,
990 "qemu: Too much memory for this machine: %d MB, maximum 2048 MB\n",
991 ((unsigned int)ram_size / (1 << 20)));
992 exit(1);
995 /* register RAM at high address where it is undisturbed by IO */
996 memory_region_allocate_system_memory(ram_high, NULL, "mips_malta.ram",
997 ram_size);
998 memory_region_add_subregion(system_memory, 0x80000000, ram_high);
1000 /* alias for pre IO hole access */
1001 memory_region_init_alias(ram_low_preio, NULL, "mips_malta_low_preio.ram",
1002 ram_high, 0, MIN(ram_size, (256 << 20)));
1003 memory_region_add_subregion(system_memory, 0, ram_low_preio);
1005 /* alias for post IO hole access, if there is enough RAM */
1006 if (ram_size > (512 << 20)) {
1007 ram_low_postio = g_new(MemoryRegion, 1);
1008 memory_region_init_alias(ram_low_postio, NULL,
1009 "mips_malta_low_postio.ram",
1010 ram_high, 512 << 20,
1011 ram_size - (512 << 20));
1012 memory_region_add_subregion(system_memory, 512 << 20, ram_low_postio);
1015 /* generate SPD EEPROM data */
1016 generate_eeprom_spd(&smbus_eeprom_buf[0 * 256], ram_size);
1017 generate_eeprom_serial(&smbus_eeprom_buf[6 * 256]);
1019 #ifdef TARGET_WORDS_BIGENDIAN
1020 be = 1;
1021 #else
1022 be = 0;
1023 #endif
1024 /* FPGA */
1025 /* The CBUS UART is attached to the MIPS CPU INT2 pin, ie interrupt 4 */
1026 malta_fpga_init(system_memory, FPGA_ADDRESS, env->irq[4], serial_hds[2]);
1028 /* Load firmware in flash / BIOS. */
1029 dinfo = drive_get(IF_PFLASH, 0, fl_idx);
1030 #ifdef DEBUG_BOARD_INIT
1031 if (dinfo) {
1032 printf("Register parallel flash %d size " TARGET_FMT_lx " at "
1033 "addr %08llx '%s' %x\n",
1034 fl_idx, bios_size, FLASH_ADDRESS,
1035 blk_name(dinfo->bdrv), fl_sectors);
1037 #endif
1038 fl = pflash_cfi01_register(FLASH_ADDRESS, NULL, "mips_malta.bios",
1039 BIOS_SIZE,
1040 dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
1041 65536, fl_sectors,
1042 4, 0x0000, 0x0000, 0x0000, 0x0000, be);
1043 bios = pflash_cfi01_get_memory(fl);
1044 fl_idx++;
1045 if (kernel_filename) {
1046 ram_low_size = MIN(ram_size, 256 << 20);
1047 /* For KVM we reserve 1MB of RAM for running bootloader */
1048 if (kvm_enabled()) {
1049 ram_low_size -= 0x100000;
1050 bootloader_run_addr = 0x40000000 + ram_low_size;
1051 } else {
1052 bootloader_run_addr = 0xbfc00000;
1055 /* Write a small bootloader to the flash location. */
1056 loaderparams.ram_size = ram_size;
1057 loaderparams.ram_low_size = ram_low_size;
1058 loaderparams.kernel_filename = kernel_filename;
1059 loaderparams.kernel_cmdline = kernel_cmdline;
1060 loaderparams.initrd_filename = initrd_filename;
1061 kernel_entry = load_kernel();
1063 write_bootloader(env, memory_region_get_ram_ptr(bios),
1064 bootloader_run_addr, kernel_entry);
1065 if (kvm_enabled()) {
1066 /* Write the bootloader code @ the end of RAM, 1MB reserved */
1067 write_bootloader(env, memory_region_get_ram_ptr(ram_low_preio) +
1068 ram_low_size,
1069 bootloader_run_addr, kernel_entry);
1071 } else {
1072 /* The flash region isn't executable from a KVM guest */
1073 if (kvm_enabled()) {
1074 error_report("KVM enabled but no -kernel argument was specified. "
1075 "Booting from flash is not supported with KVM.");
1076 exit(1);
1078 /* Load firmware from flash. */
1079 if (!dinfo) {
1080 /* Load a BIOS image. */
1081 if (bios_name == NULL) {
1082 bios_name = BIOS_FILENAME;
1084 filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
1085 if (filename) {
1086 bios_size = load_image_targphys(filename, FLASH_ADDRESS,
1087 BIOS_SIZE);
1088 g_free(filename);
1089 } else {
1090 bios_size = -1;
1092 if ((bios_size < 0 || bios_size > BIOS_SIZE) &&
1093 !kernel_filename && !qtest_enabled()) {
1094 error_report("Could not load MIPS bios '%s', and no "
1095 "-kernel argument was specified", bios_name);
1096 exit(1);
1099 /* In little endian mode the 32bit words in the bios are swapped,
1100 a neat trick which allows bi-endian firmware. */
1101 #ifndef TARGET_WORDS_BIGENDIAN
1103 uint32_t *end, *addr = rom_ptr(FLASH_ADDRESS);
1104 if (!addr) {
1105 addr = memory_region_get_ram_ptr(bios);
1107 end = (void *)addr + MIN(bios_size, 0x3e0000);
1108 while (addr < end) {
1109 bswap32s(addr);
1110 addr++;
1113 #endif
1117 * Map the BIOS at a 2nd physical location, as on the real board.
1118 * Copy it so that we can patch in the MIPS revision, which cannot be
1119 * handled by an overlapping region as the resulting ROM code subpage
1120 * regions are not executable.
1122 memory_region_init_ram(bios_copy, NULL, "bios.1fc", BIOS_SIZE,
1123 &error_fatal);
1124 if (!rom_copy(memory_region_get_ram_ptr(bios_copy),
1125 FLASH_ADDRESS, BIOS_SIZE)) {
1126 memcpy(memory_region_get_ram_ptr(bios_copy),
1127 memory_region_get_ram_ptr(bios), BIOS_SIZE);
1129 memory_region_set_readonly(bios_copy, true);
1130 memory_region_add_subregion(system_memory, RESET_ADDRESS, bios_copy);
1132 /* Board ID = 0x420 (Malta Board with CoreLV) */
1133 stl_p(memory_region_get_ram_ptr(bios_copy) + 0x10, 0x00000420);
1135 /* Init internal devices */
1136 cpu_mips_irq_init_cpu(env);
1137 cpu_mips_clock_init(env);
1140 * We have a circular dependency problem: pci_bus depends on isa_irq,
1141 * isa_irq is provided by i8259, i8259 depends on ISA, ISA depends
1142 * on piix4, and piix4 depends on pci_bus. To stop the cycle we have
1143 * qemu_irq_proxy() adds an extra bit of indirection, allowing us
1144 * to resolve the isa_irq -> i8259 dependency after i8259 is initialized.
1146 isa_irq = qemu_irq_proxy(&s->i8259, 16);
1148 /* Northbridge */
1149 pci_bus = gt64120_register(isa_irq);
1151 /* Southbridge */
1152 ide_drive_get(hd, ARRAY_SIZE(hd));
1154 piix4_devfn = piix4_init(pci_bus, &isa_bus, 80);
1156 /* Interrupt controller */
1157 /* The 8259 is attached to the MIPS CPU INT0 pin, ie interrupt 2 */
1158 s->i8259 = i8259_init(isa_bus, env->irq[2]);
1160 isa_bus_irqs(isa_bus, s->i8259);
1161 pci_piix4_ide_init(pci_bus, hd, piix4_devfn + 1);
1162 pci_create_simple(pci_bus, piix4_devfn + 2, "piix4-usb-uhci");
1163 smbus = piix4_pm_init(pci_bus, piix4_devfn + 3, 0x1100,
1164 isa_get_irq(NULL, 9), NULL, 0, NULL);
1165 smbus_eeprom_init(smbus, 8, smbus_eeprom_buf, smbus_eeprom_size);
1166 g_free(smbus_eeprom_buf);
1167 pit = pit_init(isa_bus, 0x40, 0, NULL);
1168 DMA_init(0);
1170 /* Super I/O */
1171 isa_create_simple(isa_bus, "i8042");
1173 rtc_init(isa_bus, 2000, NULL);
1174 serial_hds_isa_init(isa_bus, 2);
1175 parallel_hds_isa_init(isa_bus, 1);
1177 for(i = 0; i < MAX_FD; i++) {
1178 fd[i] = drive_get(IF_FLOPPY, 0, i);
1180 fdctrl_init_isa(isa_bus, fd);
1182 /* Network card */
1183 network_init(pci_bus);
1185 /* Optional PCI video card */
1186 pci_vga_init(pci_bus);
1189 static int mips_malta_sysbus_device_init(SysBusDevice *sysbusdev)
1191 return 0;
1194 static void mips_malta_class_init(ObjectClass *klass, void *data)
1196 SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
1198 k->init = mips_malta_sysbus_device_init;
1201 static const TypeInfo mips_malta_device = {
1202 .name = TYPE_MIPS_MALTA,
1203 .parent = TYPE_SYS_BUS_DEVICE,
1204 .instance_size = sizeof(MaltaState),
1205 .class_init = mips_malta_class_init,
1208 static void mips_malta_machine_init(MachineClass *mc)
1210 mc->desc = "MIPS Malta Core LV";
1211 mc->init = mips_malta_init;
1212 mc->max_cpus = 16;
1213 mc->is_default = 1;
1216 DEFINE_MACHINE("malta", mips_malta_machine_init)
1218 static void mips_malta_register_types(void)
1220 type_register_static(&mips_malta_device);
1223 type_init(mips_malta_register_types)