path: root/results/classifier/zero-shot/118/kernel/2226
blob: ff39aa9f48a25a22800444d406b001052bd5a0e1
register: 0.977
architecture: 0.976
arm: 0.933
kernel: 0.930
virtual: 0.928
ppc: 0.877
boot: 0.855
socket: 0.855
graphic: 0.852
risc-v: 0.844
peripherals: 0.823
performance: 0.802
vnc: 0.795
permissions: 0.790
device: 0.777
debug: 0.738
assembly: 0.722
PID: 0.702
network: 0.683
TCG: 0.679
files: 0.660
VMM: 0.652
hypervisor: 0.619
semantic: 0.609
user-level: 0.607
i386: 0.547
KVM: 0.509
mistranslation: 0.494
x86: 0.480

arm HSTR trap settings routed to EL1 instead of EL2
Description of problem:
ARM's HSTR register is used to trap CP15 accesses from EL1/EL0. QEMU's implementation seems to be inconsistent with ARM's documentation.

Take the system register VBAR as an example. The following pseudocode is taken from ARM DDI 0487J.a ID042523 G8-10651 and describes the logic behind a read of VBAR.
```
if PSTATE.EL == EL0 then
    UNDEFINED;
elsif PSTATE.EL == EL1 then
    if EL2Enabled() && !ELUsingAArch32(EL2) && HSTR_EL2.T12 == '1' then
        AArch64.AArch32SystemAccessTrap(EL2, 0x03);
    elsif EL2Enabled() && ELUsingAArch32(EL2) && HSTR.T12 == '1' then
        AArch32.TakeHypTrapException(0x03);
    elsif HaveEL(EL3) && ELUsingAArch32(EL3) then
        R[t] = VBAR_NS;
    else
        R[t] = VBAR;
elsif PSTATE.EL == EL2 then
    if HaveEL(EL3) && ELUsingAArch32(EL3) then
        R[t] = VBAR_NS;
    else
        R[t] = VBAR;
elsif PSTATE.EL == EL3 then
    if SCR.NS == '0' then
        R[t] = VBAR_S;
    else
        R[t] = VBAR_NS;
```

The main steps of my attached test program are:
1. Set up the EL2 and EL1 exception vector tables
2. Set HSTR.T12
3. ERET to EL1, and read VBAR from EL1

As the document states, when the CPU is running at EL1 and HSTR.T12 is set, a HypTrapException with code 0x03 should be taken, i.e. the access should be routed to EL2. But the test program shows that, under these circumstances, the CPU is routed to EL1's undefined exception instead.
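To make the expected routing checkable, here is a small C reference model, added for this write-up (it is neither QEMU code nor the reporter's test program), that transcribes the VBAR-read pseudocode quoted above into a function and evaluates it for the reproducer's configuration. The `cpu_state` struct, the outcome names and the `reproducer_state()` assumptions (EL2 running AArch32 because Cortex-A7 is an AArch32-only core, and no EL3) are assumptions of this example, not values taken from the report.

```c
#include <stdbool.h>
#include <stdio.h>

/* Exception levels as encoded in PSTATE.EL. */
enum el { EL0 = 0, EL1 = 1, EL2 = 2, EL3 = 3 };

/* Where a VBAR read ends up according to the DDI 0487J.a pseudocode. */
enum vbar_read_outcome {
    OUTCOME_UNDEFINED,            /* "UNDEFINED": Undefined Instruction exception */
    OUTCOME_TRAP_TO_EL2_AARCH64,  /* AArch64.AArch32SystemAccessTrap(EL2, 0x03) */
    OUTCOME_TRAP_TO_EL2_AARCH32,  /* AArch32.TakeHypTrapException(0x03) */
    OUTCOME_READ_VBAR,            /* R[t] = VBAR */
    OUTCOME_READ_VBAR_NS,         /* R[t] = VBAR_NS */
    OUTCOME_READ_VBAR_S           /* R[t] = VBAR_S */
};

/* Inputs the pseudocode consults (hypothetical struct, not a QEMU type). */
struct cpu_state {
    enum el pstate_el;
    bool el2_enabled;   /* EL2Enabled() */
    bool el2_aarch32;   /* ELUsingAArch32(EL2) */
    bool have_el3;      /* HaveEL(EL3) */
    bool el3_aarch32;   /* ELUsingAArch32(EL3) */
    bool hstr_el2_t12;  /* HSTR_EL2.T12, consulted when EL2 runs AArch64 */
    bool hstr_t12;      /* HSTR.T12, consulted when EL2 runs AArch32 */
    bool scr_ns;        /* SCR.NS */
};

/* Direct transcription of the VBAR read pseudocode quoted in the report. */
enum vbar_read_outcome vbar_read(const struct cpu_state *s)
{
    switch (s->pstate_el) {
    case EL0:
        return OUTCOME_UNDEFINED;
    case EL1:
        if (s->el2_enabled && !s->el2_aarch32 && s->hstr_el2_t12)
            return OUTCOME_TRAP_TO_EL2_AARCH64;
        if (s->el2_enabled && s->el2_aarch32 && s->hstr_t12)
            return OUTCOME_TRAP_TO_EL2_AARCH32;
        if (s->have_el3 && s->el3_aarch32)
            return OUTCOME_READ_VBAR_NS;
        return OUTCOME_READ_VBAR;
    case EL2:
        if (s->have_el3 && s->el3_aarch32)
            return OUTCOME_READ_VBAR_NS;
        return OUTCOME_READ_VBAR;
    case EL3:
        return s->scr_ns ? OUTCOME_READ_VBAR_NS : OUTCOME_READ_VBAR_S;
    }
    return OUTCOME_UNDEFINED; /* not reachable for a valid PSTATE.EL */
}

/* True when the outcome is a trap handled by the hypervisor at EL2. */
bool outcome_is_hyp_trap(enum vbar_read_outcome o)
{
    return o == OUTCOME_TRAP_TO_EL2_AARCH64 || o == OUTCOME_TRAP_TO_EL2_AARCH32;
}

/* Constructed model of the reproducer: code running at EL1 on a Cortex-A7
 * (AArch32-only, so EL2 runs AArch32) with HSTR.T12 set. No EL3 is assumed. */
struct cpu_state reproducer_state(void)
{
    struct cpu_state s = {0};
    s.pstate_el = EL1;
    s.el2_enabled = true;
    s.el2_aarch32 = true;
    s.have_el3 = false;
    s.hstr_t12 = true;
    return s;
}

const char *outcome_name(enum vbar_read_outcome o)
{
    switch (o) {
    case OUTCOME_UNDEFINED:           return "Undefined Instruction exception";
    case OUTCOME_TRAP_TO_EL2_AARCH64: return "trap to EL2 (AArch64 EL2, EC 0x03)";
    case OUTCOME_TRAP_TO_EL2_AARCH32: return "Hyp Trap exception to EL2 (0x03)";
    case OUTCOME_READ_VBAR:           return "read VBAR";
    case OUTCOME_READ_VBAR_NS:        return "read VBAR_NS";
    case OUTCOME_READ_VBAR_S:         return "read VBAR_S";
    }
    return "?";
}

int main(void)
{
    struct cpu_state s = reproducer_state();
    printf("architecturally expected: %s\n", outcome_name(vbar_read(&s)));
    printf("observed in the report:   EL1 undefined sync triggered\n");
    return 0;
}
```

Running the model for the reproducer's state yields the AArch32 Hyp Trap outcome, which is what the program's EL2 vector table should have caught; the "EL1 undefined sync triggered" line in the captured output is the deviation the report is about. The same function also shows that clearing HSTR.T12 should make the read succeed at EL1, which gives a quick sanity check when bisecting the QEMU behaviour.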
Steps to reproduce:
1. Clone this repo: https://github.com/roolrz/reproduce-qemu-arm-hstr-issue
2. Build the test program with make
3. Launch it with the following command
```
qemu-system-arm \
	-nographic \
	-cpu cortex-a7 \
	-M virt,virtualization=on \
	-m 1G \
	-kernel el2.elf
```
4. The program prints the following messages, which reproduces the problem
```
EL2 Booted
Jumping to el1
el1 reached, triggering trap
EL1 undefined sync triggered
```
Additional information: