/*
 * ARMV7M System emulation.
 *
 * Copyright (c) 2006-2007 CodeSourcery.
 * Written by Paul Brook
 *
 * This code is licensed under the GPL.
 */
#include "qemu/osdep.h"
#include "hw/arm/armv7m.h"
#include "qapi/error.h"
#include "hw/sysbus.h"
#include "hw/arm/boot.h"
#include "hw/loader.h"
#include "hw/qdev-properties.h"
#include "hw/qdev-clock.h"
#include "elf.h"
#include "sysemu/reset.h"
#include "qemu/error-report.h"
#include "qemu/module.h"
#include "qemu/log.h"
#include "target/arm/idau.h"
#include "target/arm/cpu.h"
#include "target/arm/cpu-features.h"
#include "target/arm/cpu-qom.h"
#include "migration/vmstate.h"
/* Bitbanded IO.  Each word corresponds to a single bit.  */
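/*
 * Get the byte address of the real memory for a bitband access.
 *
 * @s:      bit-band device state; s->base is the start of the region the
 *          alias window refers to.
 * @offset: offset of the access inside the alias window.
 *
 * Each word of the alias window stands for a single bit, so the offset
 * is first clamped to the window (0x1ffffff, matching the 0x02000000
 * size the MMIO region is created with) and then divided by 32 to give
 * the byte that holds the bit.
 */
static inline hwaddr bitband_addr(BitBandState *s, hwaddr offset)
{
    /* '>>' binds tighter than '|'; the parentheses only make that explicit */
    return s->base | ((offset & 0x1ffffff) >> 5);
}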
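/*
 * MMIO read handler for the bit-band alias window.
 *
 * Reads @size bytes of the underlying memory that contain the addressed
 * bit and returns that single bit (0 or 1) in *@data.
 *
 * @opaque: the BitBandState registered with the memory region.
 * @offset: guest-controlled offset into the alias window.
 * @size:   access size in bytes; bitband_ops limits it to 1..4.
 * @attrs:  transaction attributes, forwarded unchanged to the source
 *          address space.
 *
 * Returns MEMTX_OK, or the error from the underlying read (in which case
 * *@data is left untouched).
 */
static MemTxResult bitband_read(void *opaque, hwaddr offset,
                                uint64_t *data, unsigned size, MemTxAttrs attrs)
{
    BitBandState *s = opaque;
    uint8_t buf[4];
    MemTxResult res;
    int bitpos, bit;
    hwaddr addr;

    /*
     * buf holds at most 4 bytes. The access-size limits in bitband_ops
     * should already guarantee this; the assert makes the bound explicit
     * at the point where the buffer is filled.
     */
    assert(size <= 4);

    /*
     * Find address in underlying memory and round down to multiple of size.
     * NOTE(review): the '& (-size)' mask relies on size being a power of
     * two, and being 'unsigned' it clears everything above bit 31 once
     * widened to hwaddr; that is harmless as long as the address fits in
     * 32 bits, which it does while "base" is a 32-bit property.
     */
    addr = bitband_addr(s, offset) & (-size);
    res = address_space_read(&s->source_as, addr, attrs, buf, size);
    if (res) {
        /* Propagate the failure instead of decoding an unfilled buffer */
        return res;
    }
    /*
     * Bit position in the N bytes read...
     * The mask keeps bitpos below size * 8, so the byte index used below
     * (bitpos >> 3) is always below size.
     */
    bitpos = (offset >> 2) & ((size * 8) - 1);
    /* ...converted to byte in buffer and bit in byte */
    bit = (buf[bitpos >> 3] >> (bitpos & 7)) & 1;
    *data = bit;
    return MEMTX_OK;
}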
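/*
 * MMIO write handler for the bit-band alias window.
 *
 * Performs a read-modify-write of the underlying memory: the @size bytes
 * containing the addressed bit are read, the bit is set or cleared
 * according to bit 0 of @value, and the bytes are written back.
 *
 * @opaque: the BitBandState registered with the memory region.
 * @offset: guest-controlled offset into the alias window.
 * @value:  value written by the guest; only bit 0 is used.
 * @size:   access size in bytes; bitband_ops limits it to 1..4.
 * @attrs:  transaction attributes, forwarded unchanged to both the read
 *          and the write of the source address space.
 *
 * Returns the result of the underlying read if it fails, otherwise the
 * result of the write-back.
 */
static MemTxResult bitband_write(void *opaque, hwaddr offset, uint64_t value,
                                 unsigned size, MemTxAttrs attrs)
{
    BitBandState *s = opaque;
    uint8_t buf[4];
    MemTxResult res;
    int bitpos, bit;
    hwaddr addr;

    /*
     * buf holds at most 4 bytes. The access-size limits in bitband_ops
     * should already guarantee this; the assert makes the bound explicit.
     */
    assert(size <= 4);

    /* Find address in underlying memory and round down to multiple of size */
    addr = bitband_addr(s, offset) & (-size);
    res = address_space_read(&s->source_as, addr, attrs, buf, size);
    if (res) {
        /* Never write back a buffer that the read did not fill */
        return res;
    }
    /*
     * Bit position in the N bytes read...
     * The mask keeps bitpos below size * 8, so buf[bitpos >> 3] stays
     * inside the bytes that were just read.
     */
    bitpos = (offset >> 2) & ((size * 8) - 1);
    /* ...converted to byte in buffer and bit in byte */
    bit = 1 << (bitpos & 7);
    if (value & 1) {
        buf[bitpos >> 3] |= bit;
    } else {
        buf[bitpos >> 3] &= ~bit;
    }
    return address_space_write(&s->source_as, addr, attrs, buf, size);
}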
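/*
 * Memory region callbacks for the bit-band alias window.
 *
 * Both the accepted (.valid) and the implemented (.impl) access sizes are
 * limited to 1..4 bytes. bitband_read() and bitband_write() stage the
 * underlying data in a 4-byte stack buffer, so these limits must not be
 * raised without changing the handlers as well.
 */
static const MemoryRegionOps bitband_ops = {
    .read_with_attrs = bitband_read,
    .write_with_attrs = bitband_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
    .impl.min_access_size = 1,
    .impl.max_access_size = 4,
    .valid.min_access_size = 1,
    .valid.max_access_size = 4,
};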
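/*
 * Instance init for the bit-band device: create the 32MB (0x02000000)
 * alias window as an MMIO region backed by bitband_ops and export it as
 * the device's sysbus MMIO region. The source address space is only set
 * up later, in bitband_realize().
 */
static void bitband_init(Object *obj)
{
    BitBandState *s = BITBAND(obj);
    SysBusDevice *dev = SYS_BUS_DEVICE(obj);

    memory_region_init_io(&s->iomem, obj, &bitband_ops, s,
                          "bitband", 0x02000000);
    sysbus_init_mmio(dev, &s->iomem);
}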
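/*
 * Realize the bit-band device.
 *
 * Fails with an error in @errp if the "source-memory" link was not set;
 * otherwise initialises the address space that bitband_read() and
 * bitband_write() use to reach the underlying memory.
 */
static void bitband_realize(DeviceState *dev, Error **errp)
{
    BitBandState *s = BITBAND(dev);

    if (!s->source_memory) {
        error_setg(errp, "source-memory property not set");
        /* Do not build an address space on a NULL root region */
        return;
    }

    address_space_init(&s->source_as, s->source_memory, "bitband-source");
}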
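/*
 * Base addresses of the regions that can be accessed through a bit-band
 * alias. armv7m_realize() sets entry i as the "base" property of
 * bit-band device i.
 */
static const hwaddr bitband_input_addr[ARMV7M_NUM_BITBANDS] = {
    0x20000000, 0x40000000
};

/*
 * Addresses at which the alias windows themselves are mapped into the
 * container; entry i is the window for bitband_input_addr[i].
 */
static const hwaddr bitband_output_addr[ARMV7M_NUM_BITBANDS] = {
    0x22000000, 0x42000000
};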
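/*
 * Write handler for a NonSecure alias of a system register region.
 *
 * @opaque is the MemoryRegion being aliased. The security attribute of
 * the incoming transaction decides what happens:
 *  - Secure access: forwarded to the real region with attrs.secure
 *    cleared, so the target sees it as a NonSecure access.
 *  - NonSecure privileged access: write ignored, MEMTX_OK.
 *  - NonSecure user access: MEMTX_ERROR (BusFault).
 */
static MemTxResult v7m_sysreg_ns_write(void *opaque, hwaddr addr,
                                       uint64_t value, unsigned size,
                                       MemTxAttrs attrs)
{
    MemoryRegion *mr = opaque;

    if (attrs.secure) {
        /* S accesses to the alias act like NS accesses to the real region */
        attrs.secure = 0;
        return memory_region_dispatch_write(mr, addr, value,
                                            size_memop(size) | MO_TE, attrs);
    } else {
        /* NS attrs are RAZ/WI for privileged, and BusFault for user */
        if (attrs.user) {
            return MEMTX_ERROR;
        }
        return MEMTX_OK;
    }
}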
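/*
 * Read handler for a NonSecure alias of a system register region.
 *
 * @opaque is the MemoryRegion being aliased. The security attribute of
 * the incoming transaction decides what happens:
 *  - Secure access: forwarded to the real region with attrs.secure
 *    cleared, so the target returns the NonSecure view.
 *  - NonSecure privileged access: reads as zero, MEMTX_OK.
 *  - NonSecure user access: MEMTX_ERROR (BusFault); *@data is not
 *    written.
 */
static MemTxResult v7m_sysreg_ns_read(void *opaque, hwaddr addr,
                                      uint64_t *data, unsigned size,
                                      MemTxAttrs attrs)
{
    MemoryRegion *mr = opaque;

    if (attrs.secure) {
        /* S accesses to the alias act like NS accesses to the real region */
        attrs.secure = 0;
        return memory_region_dispatch_read(mr, addr, data,
                                           size_memop(size) | MO_TE, attrs);
    } else {
        /* NS attrs are RAZ/WI for privileged, and BusFault for user */
        if (attrs.user) {
            return MEMTX_ERROR;
        }
        /* Read-as-zero: always define the result on the success path */
        *data = 0;
        return MEMTX_OK;
    }
}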
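/*
 * Callbacks for the NonSecure alias regions. The opaque pointer passed at
 * region creation must be the MemoryRegion being aliased, since both
 * handlers dispatch to it directly.
 */
static const MemoryRegionOps v7m_sysreg_ns_ops = {
    .read_with_attrs = v7m_sysreg_ns_read,
    .write_with_attrs = v7m_sysreg_ns_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};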
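/*
 * Write handler for the systick register window: route the access to the
 * systick device selected by the transaction's security attribute.
 *
 * @opaque is the ARMv7MState. attrs.secure is used directly as the index
 * into s->systick[].
 * NOTE(review): this assumes the device at that index has been realized;
 * the secure one is only created in armv7m_realize() when the CPU has
 * ARM_FEATURE_M_SECURITY, so a secure-attributed access is presumably
 * impossible without that feature - confirm.
 */
static MemTxResult v7m_systick_write(void *opaque, hwaddr addr,
                                     uint64_t value, unsigned size,
                                     MemTxAttrs attrs)
{
    ARMv7MState *s = opaque;
    MemoryRegion *mr;

    /* Direct the access to the correct systick */
    mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->systick[attrs.secure]), 0);
    return memory_region_dispatch_write(mr, addr, value,
                                        size_memop(size) | MO_TE, attrs);
}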
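/*
 * Read handler for the systick register window: route the access to the
 * systick device selected by the transaction's security attribute.
 *
 * @opaque is the ARMv7MState. attrs.secure is used directly as the index
 * into s->systick[].
 * NOTE(review): this assumes the device at that index has been realized;
 * the secure one is only created in armv7m_realize() when the CPU has
 * ARM_FEATURE_M_SECURITY, so a secure-attributed access is presumably
 * impossible without that feature - confirm.
 */
static MemTxResult v7m_systick_read(void *opaque, hwaddr addr,
                                    uint64_t *data, unsigned size,
                                    MemTxAttrs attrs)
{
    ARMv7MState *s = opaque;
    MemoryRegion *mr;

    /* Direct the access to the correct systick */
    mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->systick[attrs.secure]), 0);
    return memory_region_dispatch_read(mr, addr, data, size_memop(size) | MO_TE,
                                       attrs);
}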
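/*
 * Callbacks for the systick window mapped into the container. The opaque
 * pointer passed at region creation must be the ARMv7MState, since the
 * handlers pick the banked systick device from it.
 */
static const MemoryRegionOps v7m_systick_ops = {
    .read_with_attrs = v7m_systick_read,
    .write_with_attrs = v7m_systick_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};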
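/*
 * Unassigned portions of the PPB space are RAZ/WI for privileged
 * accesses, and fault for non-privileged accesses.
 *
 * Read side: every access is logged under LOG_UNIMP. A user access gets
 * MEMTX_ERROR and leaves *@data untouched; a privileged access reads as
 * zero.
 */
static MemTxResult ppb_default_read(void *opaque, hwaddr addr,
                                    uint64_t *data, unsigned size,
                                    MemTxAttrs attrs)
{
    /* The cast matches the 0x%x conversion; hwaddr is wider than that */
    qemu_log_mask(LOG_UNIMP, "Read of unassigned area of PPB: offset 0x%x\n",
                  (uint32_t)addr);
    if (attrs.user) {
        return MEMTX_ERROR;
    }
    *data = 0;
    return MEMTX_OK;
}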
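/*
 * Write side of the default PPB behaviour: every access is logged under
 * LOG_UNIMP. A user access gets MEMTX_ERROR; a privileged write is
 * silently ignored.
 */
static MemTxResult ppb_default_write(void *opaque, hwaddr addr,
                                     uint64_t value, unsigned size,
                                     MemTxAttrs attrs)
{
    /* The cast matches the 0x%x conversion; hwaddr is wider than that */
    qemu_log_mask(LOG_UNIMP, "Write of unassigned area of PPB: offset 0x%x\n",
                  (uint32_t)addr);
    if (attrs.user) {
        return MEMTX_ERROR;
    }
    return MEMTX_OK;
}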
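/*
 * Callbacks for the lowest-priority region covering the PPB space.
 * Accesses of 1 to 8 bytes are accepted; the handlers never touch a
 * size-dependent buffer, so the wider limit is safe here.
 */
static const MemoryRegionOps ppb_default_ops = {
    .read_with_attrs = ppb_default_read,
    .write_with_attrs = ppb_default_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
    .valid.min_access_size = 1,
    .valid.max_access_size = 8,
};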
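/*
 * Instance init for the ARMv7M container object.
 *
 * Creates everything that does not depend on the CPU model: the container
 * memory region, the NVIC (with its "num-irq" and "num-prio-bits"
 * properties aliased onto this object), the NonSecure systick, the
 * bit-band devices and the two input clocks. The CPU and the Secure
 * systick are created in armv7m_realize().
 */
static void armv7m_instance_init(Object *obj)
{
    ARMv7MState *s = ARMV7M(obj);
    int i;

    /* Can't init the cpu here, we don't yet know which model to use */

    memory_region_init(&s->container, obj, "armv7m-container", UINT64_MAX);

    object_initialize_child(obj, "nvic", &s->nvic, TYPE_NVIC);
    object_property_add_alias(obj, "num-irq",
                              OBJECT(&s->nvic), "num-irq");
    object_property_add_alias(obj, "num-prio-bits",
                              OBJECT(&s->nvic), "num-prio-bits");

    object_initialize_child(obj, "systick-reg-ns", &s->systick[M_REG_NS],
                            TYPE_SYSTICK);
    /*
     * We can't initialize the secure systick here, as we don't know
     * yet if we need it.
     */

    for (i = 0; i < ARRAY_SIZE(s->bitband); i++) {
        object_initialize_child(obj, "bitband[*]", &s->bitband[i],
                                TYPE_BITBAND);
    }

    s->refclk = qdev_init_clock_in(DEVICE(obj), "refclk", NULL, NULL, 0);
    s->cpuclk = qdev_init_clock_in(DEVICE(obj), "cpuclk", NULL, NULL, 0);
}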
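/*
 * Realize the ARMv7M container.
 *
 * Validates the board-supplied configuration ("memory" link, cpuclk
 * source, matching MPU region counts), creates and configures the CPU,
 * realizes the NVIC and the systick device(s), and maps the PPB default
 * region, the system registers, their NonSecure aliases, the optional
 * RAS block and the optional bit-band windows into the container.
 *
 * Every failure that can be caused by configuration is reported through
 * @errp followed by an immediate return, so that no later step runs on a
 * half-configured object. &error_abort is used only for property sets
 * that are not expected to fail.
 */
static void armv7m_realize(DeviceState *dev, Error **errp)
{
    ARMv7MState *s = ARMV7M(dev);
    SysBusDevice *sbd;
    Error *err = NULL;
    int i;

    if (!s->board_memory) {
        error_setg(errp, "memory property was not set");
        return;
    }

    /* cpuclk must be connected; refclk is optional */
    if (!clock_has_source(s->cpuclk)) {
        error_setg(errp, "armv7m: cpuclk must be connected");
        return;
    }

    /* Board memory sits below everything the container maps itself */
    memory_region_add_subregion_overlap(&s->container, 0, s->board_memory, -1);

    s->cpu = ARM_CPU(object_new_with_props(s->cpu_type, OBJECT(s), "cpu",
                                           &err, NULL));
    if (err != NULL) {
        error_propagate(errp, err);
        return;
    }

    object_property_set_link(OBJECT(s->cpu), "memory", OBJECT(&s->container),
                             &error_abort);
    /*
     * The remaining CPU properties only exist on some CPU models, so each
     * one is looked up before it is set.
     */
    if (object_property_find(OBJECT(s->cpu), "idau")) {
        object_property_set_link(OBJECT(s->cpu), "idau", s->idau,
                                 &error_abort);
    }
    if (object_property_find(OBJECT(s->cpu), "init-svtor")) {
        if (!object_property_set_uint(OBJECT(s->cpu), "init-svtor",
                                      s->init_svtor, errp)) {
            return;
        }
    }
    if (object_property_find(OBJECT(s->cpu), "init-nsvtor")) {
        if (!object_property_set_uint(OBJECT(s->cpu), "init-nsvtor",
                                      s->init_nsvtor, errp)) {
            return;
        }
    }
    if (object_property_find(OBJECT(s->cpu), "vfp")) {
        if (!object_property_set_bool(OBJECT(s->cpu), "vfp", s->vfp, errp)) {
            return;
        }
    }
    if (object_property_find(OBJECT(s->cpu), "dsp")) {
        if (!object_property_set_bool(OBJECT(s->cpu), "dsp", s->dsp, errp)) {
            return;
        }
    }
    object_property_set_bool(OBJECT(s->cpu), "start-powered-off",
                             s->start_powered_off, &error_abort);

    /*
     * Real M-profile hardware can be configured with a different number of
     * MPU regions for Secure vs NonSecure. QEMU's CPU implementation doesn't
     * support that yet, so catch attempts to select that.
     */
    if (arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY) &&
        s->mpu_ns_regions != s->mpu_s_regions) {
        error_setg(errp,
                   "mpu-ns-regions and mpu-s-regions properties must have the same value");
        return;
    }
    /* UINT_MAX is the property default, i.e. "not set by the board" */
    if (s->mpu_ns_regions != UINT_MAX &&
        object_property_find(OBJECT(s->cpu), "pmsav7-dregion")) {
        if (!object_property_set_uint(OBJECT(s->cpu), "pmsav7-dregion",
                                      s->mpu_ns_regions, errp)) {
            return;
        }
    }

    /*
     * Tell the CPU where the NVIC is; it will fail realize if it doesn't
     * have one. Similarly, tell the NVIC where its CPU is.
     */
    s->cpu->env.nvic = &s->nvic;
    s->nvic.cpu = s->cpu;

    if (!qdev_realize(DEVICE(s->cpu), NULL, errp)) {
        return;
    }

    /* Note that we must realize the NVIC after the CPU */
    if (!sysbus_realize(SYS_BUS_DEVICE(&s->nvic), errp)) {
        return;
    }

    /* Alias the NVIC's input and output GPIOs as our own so the board
     * code can wire them up. (We do this in realize because the
     * NVIC doesn't create the input GPIO array until realize.)
     */
    qdev_pass_gpios(DEVICE(&s->nvic), dev, NULL);
    qdev_pass_gpios(DEVICE(&s->nvic), dev, "SYSRESETREQ");
    qdev_pass_gpios(DEVICE(&s->nvic), dev, "NMI");

    /*
     * We map various devices into the container MR at their architected
     * addresses. In particular, we map everything corresponding to the
     * "System PPB" space. This is the range from 0xe0000000 to 0xe00fffff
     * and includes the NVIC, the System Control Space (system registers),
     * the systick timer, and for CPUs with the Security extension an NS
     * banked version of all of these.
     *
     * The default behaviour for unimplemented registers/ranges
     * (for instance the Data Watchpoint and Trace unit at 0xe0001000)
     * is to RAZ/WI for privileged access and BusFault for non-privileged
     * access.
     *
     * The NVIC and System Control Space (SCS) starts at 0xe000e000
     * and looks like this:
     *  0x004 - ICTR
     *  0x010 - 0xff - systick
     *  0x100..0x7ec - NVIC
     *  0x7f0..0xcff - Reserved
     *  0xd00..0xd3c - SCS registers
     *  0xd40..0xeff - Reserved or Not implemented
     *  0xf00 - STIR
     *
     * Some registers within this space are banked between security states.
     * In v8M there is a second range 0xe002e000..0xe002efff which is the
     * NonSecure alias SCS; secure accesses to this behave like NS accesses
     * to the main SCS range, and non-secure accesses (including when
     * the security extension is not implemented) are RAZ/WI.
     * Note that both the main SCS range and the alias range are defined
     * to be exempt from memory attribution (R_BLJT) and so the memory
     * transaction attribute always matches the current CPU security
     * state (attrs.secure == env->v7m.secure). In the v7m_sysreg_ns_ops
     * wrappers we change attrs.secure to indicate the NS access; so
     * generally code determining which banked register to use should
     * use attrs.secure; code determining actual behaviour of the system
     * should use env->v7m.secure.
     *
     * Within the PPB space, some MRs overlap, and the priority
     * of overlapping regions is:
     *  - default region (for RAZ/WI and BusFault) : -1
     *  - system register regions (provided by the NVIC) : 0
     *  - systick : 1
     * This is because the systick device is a small block of registers
     * in the middle of the other system control registers.
     */

    memory_region_init_io(&s->defaultmem, OBJECT(s), &ppb_default_ops, s,
                          "nvic-default", 0x100000);
    memory_region_add_subregion_overlap(&s->container, 0xe0000000,
                                        &s->defaultmem, -1);

    /* Wire the NVIC up to the CPU */
    sbd = SYS_BUS_DEVICE(&s->nvic);
    sysbus_connect_irq(sbd, 0,
                       qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));

    memory_region_add_subregion(&s->container, 0xe000e000,
                                sysbus_mmio_get_region(sbd, 0));
    if (arm_feature(&s->cpu->env, ARM_FEATURE_V8)) {
        /* Create the NS alias region for the NVIC sysregs */
        memory_region_init_io(&s->sysreg_ns_mem, OBJECT(s),
                              &v7m_sysreg_ns_ops,
                              sysbus_mmio_get_region(sbd, 0),
                              "nvic_sysregs_ns", 0x1000);
        memory_region_add_subregion(&s->container, 0xe002e000,
                                    &s->sysreg_ns_mem);
    }

    /*
     * Create and map the systick devices. Note that we only connect
     * refclk if it has been connected to us; otherwise the systick
     * device gets the wrong answer for clock_has_source(refclk), because
     * it has an immediate source (the ARMv7M's clock object) but not
     * an ultimate source, and then it won't correctly auto-select the
     * CPU clock as its only possible clock source.
     */
    if (clock_has_source(s->refclk)) {
        qdev_connect_clock_in(DEVICE(&s->systick[M_REG_NS]), "refclk",
                              s->refclk);
    }
    qdev_connect_clock_in(DEVICE(&s->systick[M_REG_NS]), "cpuclk", s->cpuclk);
    if (!sysbus_realize(SYS_BUS_DEVICE(&s->systick[M_REG_NS]), errp)) {
        return;
    }
    sysbus_connect_irq(SYS_BUS_DEVICE(&s->systick[M_REG_NS]), 0,
                       qdev_get_gpio_in_named(DEVICE(&s->nvic),
                                              "systick-trigger", M_REG_NS));

    if (arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY)) {
        /*
         * We couldn't init the secure systick device in instance_init
         * as we didn't know then if the CPU had the security extensions;
         * so we have to do it here.
         */
        object_initialize_child(OBJECT(dev), "systick-reg-s",
                                &s->systick[M_REG_S], TYPE_SYSTICK);
        if (clock_has_source(s->refclk)) {
            qdev_connect_clock_in(DEVICE(&s->systick[M_REG_S]), "refclk",
                                  s->refclk);
        }
        qdev_connect_clock_in(DEVICE(&s->systick[M_REG_S]), "cpuclk",
                              s->cpuclk);

        if (!sysbus_realize(SYS_BUS_DEVICE(&s->systick[M_REG_S]), errp)) {
            return;
        }
        sysbus_connect_irq(SYS_BUS_DEVICE(&s->systick[M_REG_S]), 0,
                           qdev_get_gpio_in_named(DEVICE(&s->nvic),
                                                  "systick-trigger", M_REG_S));
    }

    /* One window; v7m_systick_ops picks the banked device per access */
    memory_region_init_io(&s->systickmem, OBJECT(s),
                          &v7m_systick_ops, s,
                          "v7m_systick", 0xe0);

    memory_region_add_subregion_overlap(&s->container, 0xe000e010,
                                        &s->systickmem, 1);
    if (arm_feature(&s->cpu->env, ARM_FEATURE_V8)) {
        memory_region_init_io(&s->systick_ns_mem, OBJECT(s),
                              &v7m_sysreg_ns_ops, &s->systickmem,
                              "v7m_systick_ns", 0xe0);
        memory_region_add_subregion_overlap(&s->container, 0xe002e010,
                                            &s->systick_ns_mem, 1);
    }

    /* If the CPU has RAS support, create the RAS register block */
    if (cpu_isar_feature(aa32_ras, s->cpu)) {
        object_initialize_child(OBJECT(dev), "armv7m-ras",
                                &s->ras, TYPE_ARMV7M_RAS);
        sbd = SYS_BUS_DEVICE(&s->ras);
        if (!sysbus_realize(sbd, errp)) {
            return;
        }
        memory_region_add_subregion_overlap(&s->container, 0xe0005000,
                                            sysbus_mmio_get_region(sbd, 0), 1);
    }

    for (i = 0; i < ARRAY_SIZE(s->bitband); i++) {
        if (s->enable_bitband) {
            Object *obj = OBJECT(&s->bitband[i]);
            sbd = SYS_BUS_DEVICE(&s->bitband[i]);

            if (!object_property_set_int(obj, "base",
                                         bitband_input_addr[i], errp)) {
                return;
            }
            /*
             * The alias reads and writes go through the board memory, not
             * through the container, so they do not see the regions this
             * function maps on top of it.
             */
            object_property_set_link(obj, "source-memory",
                                     OBJECT(s->board_memory), &error_abort);
            if (!sysbus_realize(SYS_BUS_DEVICE(obj), errp)) {
                return;
            }

            memory_region_add_subregion(&s->container, bitband_output_addr[i],
                                        sysbus_mmio_get_region(sbd, 0));
        } else {
            /* Bit-banding disabled: drop the child created in instance_init */
            object_unparent(OBJECT(&s->bitband[i]));
        }
    }
}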
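/*
 * Board-settable properties of the ARMv7M container.
 *
 * "memory" must be set (armv7m_realize() rejects a NULL link). The two
 * MPU region counts default to UINT_MAX, which armv7m_realize() treats as
 * "leave the CPU's own setting alone" for mpu-ns-regions.
 */
static Property armv7m_properties[] = {
    DEFINE_PROP_STRING("cpu-type", ARMv7MState, cpu_type),
    DEFINE_PROP_LINK("memory", ARMv7MState, board_memory, TYPE_MEMORY_REGION,
                     MemoryRegion *),
    DEFINE_PROP_LINK("idau", ARMv7MState, idau, TYPE_IDAU_INTERFACE, Object *),
    DEFINE_PROP_UINT32("init-svtor", ARMv7MState, init_svtor, 0),
    DEFINE_PROP_UINT32("init-nsvtor", ARMv7MState, init_nsvtor, 0),
    DEFINE_PROP_BOOL("enable-bitband", ARMv7MState, enable_bitband, false),
    DEFINE_PROP_BOOL("start-powered-off", ARMv7MState, start_powered_off,
                     false),
    DEFINE_PROP_BOOL("vfp", ARMv7MState, vfp, true),
    DEFINE_PROP_BOOL("dsp", ARMv7MState, dsp, true),
    DEFINE_PROP_UINT32("mpu-ns-regions", ARMv7MState, mpu_ns_regions, UINT_MAX),
    DEFINE_PROP_UINT32("mpu-s-regions", ARMv7MState, mpu_s_regions, UINT_MAX),
    DEFINE_PROP_END_OF_LIST(),
};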
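/*
 * Migration state of the container itself: only the two input clocks.
 * The child devices are separate objects and are not listed here.
 */
static const VMStateDescription vmstate_armv7m = {
    .name = "armv7m",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (const VMStateField[]) {
        VMSTATE_CLOCK(refclk, ARMv7MState),
        VMSTATE_CLOCK(cpuclk, ARMv7MState),
        VMSTATE_END_OF_LIST()
    }
};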
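/*
 * Class init for the ARMv7M container: install the realize hook, the
 * migration description and the property list.
 */
static void armv7m_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *dc = DEVICE_CLASS(klass);

    dc->realize = armv7m_realize;
    dc->vmsd = &vmstate_armv7m;
    device_class_set_props(dc, armv7m_properties);
}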
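/* QOM type description of the ARMv7M container, a sysbus device. */
static const TypeInfo armv7m_info = {
    .name = TYPE_ARMV7M,
    .parent = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(ARMv7MState),
    .instance_init = armv7m_instance_init,
    .class_init = armv7m_class_init,
};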
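/*
 * System reset handler registered by armv7m_load_kernel(); @opaque is
 * the ARMCPU to reset.
 */
static void armv7m_reset(void *opaque)
{
    ARMCPU *cpu = opaque;

    cpu_reset(CPU(cpu));
}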
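/*
 * Load a guest image for an M-profile CPU and register the CPU's reset
 * handler.
 *
 * @cpu:             CPU whose address space receives the image.
 * @kernel_filename: host path of the image, or NULL to load nothing.
 * @mem_base:        load address used for the raw-image fallback.
 * @mem_size:        upper bound, in bytes, passed to the raw-image loader.
 *
 * The file is first tried as an ELF image; if that fails it is loaded as
 * a raw image at @mem_base, limited to @mem_size. If both attempts fail
 * the error is reported and the process exits with status 1.
 *
 * The image is loaded into the Secure address space when the CPU has
 * ARM_FEATURE_EL3, otherwise into the NonSecure one.
 */
void armv7m_load_kernel(ARMCPU *cpu, const char *kernel_filename,
                        hwaddr mem_base, int mem_size)
{
    ssize_t image_size;
    uint64_t entry;
    AddressSpace *as;
    int asidx;
    CPUState *cs = CPU(cpu);

    if (arm_feature(&cpu->env, ARM_FEATURE_EL3)) {
        asidx = ARMASIdx_S;
    } else {
        asidx = ARMASIdx_NS;
    }
    as = cpu_get_address_space(cs, asidx);

    if (kernel_filename) {
        image_size = load_elf_as(kernel_filename, NULL, NULL, NULL,
                                 &entry, NULL, NULL,
                                 NULL, 0, EM_ARM, 1, 0, as);
        if (image_size < 0) {
            /* Not a loadable ELF: fall back to a size-limited raw image */
            image_size = load_image_targphys_as(kernel_filename, mem_base,
                                                mem_size, as);
        }
        if (image_size < 0) {
            error_report("Could not load kernel '%s'", kernel_filename);
            exit(1);
        }
    }

    /* CPU objects (unlike devices) are not automatically reset on system
     * reset, so we must always register a handler to do so. Unlike
     * A-profile CPUs, we don't need to do anything special in the
     * handler to arrange that it starts correctly.
     * This is arguably the wrong place to do this, but it matches the
     * way A-profile does it. Note that this means that every M profile
     * board must call this function!
     */
    qemu_register_reset(armv7m_reset, cpu);
}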
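/*
 * Properties of the bit-band device. "base" is a 32-bit value, so the
 * address computed by bitband_addr() always fits in 32 bits.
 * "source-memory" must be set before realize.
 */
static Property bitband_properties[] = {
    DEFINE_PROP_UINT32("base", BitBandState, base, 0),
    DEFINE_PROP_LINK("source-memory", BitBandState, source_memory,
                     TYPE_MEMORY_REGION, MemoryRegion *),
    DEFINE_PROP_END_OF_LIST(),
};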
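/*
 * Class init for the bit-band device: install the realize hook and the
 * property list.
 */
static void bitband_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *dc = DEVICE_CLASS(klass);

    dc->realize = bitband_realize;
    device_class_set_props(dc, bitband_properties);
}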
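/* QOM type description of the bit-band device, a sysbus device. */
static const TypeInfo bitband_info = {
    .name          = TYPE_BITBAND,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(BitBandState),
    .instance_init = bitband_init,
    .class_init    = bitband_class_init,
};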
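/* Register both QOM types defined in this file. */
static void armv7m_register_types(void)
{
    type_register_static(&bitband_info);
    type_register_static(&armv7m_info);
}

type_init(armv7m_register_types)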