On Sat, 2022-07-02 at 18:19 +0800, angell1518 wrote:
> At 2022-06-04 00:04:22, "Mayuresh Chitale" <mchit...@ventanamicro.com
> > wrote:
> >Smstateen extension specifies a mechanism to close
> >the potential covert channels that could cause security issues.
> >
> >This patch adds the CSRs defined in the specification and
> >the corresponding predicates and read/write functions.
> >
> >Signed-off-by: Mayuresh Chitale <mchit...@ventanamicro.com>
> >---
> > target/riscv/cpu.c | 2 +
> > target/riscv/cpu.h | 4 +
> > target/riscv/cpu_bits.h | 36 +++++++
> > target/riscv/csr.c | 210
> ++++++++++++++++++++++++++++++++++++++++
> > target/riscv/machine.c | 21 ++++
> > 5 files changed, 273 insertions(+)
> >
> >diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
> >index e6e878ceb3..2d65ccd90f 100644
> >--- a/target/riscv/cpu.c
> >+++ b/target/riscv/cpu.c
> >@@ -913,6 +913,7 @@ static Property riscv_cpu_properties[] = {
> > DEFINE_PROP_BOOL("mmu", RISCVCPU, cfg.mmu, true),
> > DEFINE_PROP_BOOL("pmp", RISCVCPU, cfg.pmp, true),
> > DEFINE_PROP_BOOL("debug", RISCVCPU, cfg.debug, true),
> >+ DEFINE_PROP_BOOL("smstateen", RISCVCPU, cfg.ext_smstateen,
> false),
> >
> > DEFINE_PROP_STRING("priv_spec", RISCVCPU, cfg.priv_spec),
> > DEFINE_PROP_STRING("vext_spec", RISCVCPU, cfg.vext_spec),
> >@@ -1104,6 +1105,7 @@ static void riscv_isa_string_ext(RISCVCPU
> *cpu, char **isa_str, int max_str_len)
> > ISA_EDATA_ENTRY(zve64f, ext_zve64f),
> > ISA_EDATA_ENTRY(zhinx, ext_zhinx),
> > ISA_EDATA_ENTRY(zhinxmin, ext_zhinxmin),
> >+ ISA_EDATA_ENTRY(smstateen, ext_smstateen),
> > ISA_EDATA_ENTRY(svinval, ext_svinval),
> > ISA_EDATA_ENTRY(svnapot, ext_svnapot),
> > ISA_EDATA_ENTRY(svpbmt, ext_svpbmt),
> >diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
> >index f08c3e8813..1c269b77bd 100644
> >--- a/target/riscv/cpu.h
> >+++ b/target/riscv/cpu.h
> >@@ -327,6 +327,9 @@ struct CPUArchState {
> >
> > /* CSRs for execution enviornment configuration */
> > uint64_t menvcfg;
> >+ uint64_t mstateen[SMSTATEEN_MAX_COUNT];
> >+ uint64_t hstateen[SMSTATEEN_MAX_COUNT];
> >+ uint64_t sstateen[SMSTATEEN_MAX_COUNT];
> > target_ulong senvcfg;
> > uint64_t henvcfg;
> > #endif
> >@@ -411,6 +414,7 @@ struct RISCVCPUConfig {
> > bool ext_zhinxmin;
> > bool ext_zve32f;
> > bool ext_zve64f;
> >+ bool ext_smstateen;
> >
> > uint32_t mvendorid;
> > uint64_t marchid;
> >diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
> >index 4a55c6a709..2a3ef26d21 100644
> >--- a/target/riscv/cpu_bits.h
> >+++ b/target/riscv/cpu_bits.h
> >@@ -208,6 +208,12 @@
> > /* Supervisor Configuration CSRs */
> > #define CSR_SENVCFG 0x10A
> >
> >+/* Supervisor state CSRs */
> >+#define CSR_SSTATEEN0 0x10C
> >+#define CSR_SSTATEEN1 0x10D
> >+#define CSR_SSTATEEN2 0x10E
> >+#define CSR_SSTATEEN3 0x10F
> >+
> > /* Supervisor Trap Handling */
> > #define CSR_SSCRATCH 0x140
> > #define CSR_SEPC 0x141
> >@@ -257,6 +263,16 @@
> > #define CSR_HENVCFG 0x60A
> > #define CSR_HENVCFGH 0x61A
> >
> >+/* Hypervisor state CSRs */
> >+#define CSR_HSTATEEN0 0x60C
> >+#define CSR_HSTATEEN0H 0x61C
> >+#define CSR_HSTATEEN1 0x60D
> >+#define CSR_HSTATEEN1H 0x61D
> >+#define CSR_HSTATEEN2 0x60E
> >+#define CSR_HSTATEEN2H 0x61E
> >+#define CSR_HSTATEEN3 0x60F
> >+#define CSR_HSTATEEN3H 0x61F
> >+
> > /* Virtual CSRs */
> > #define CSR_VSSTATUS 0x200
> > #define CSR_VSIE 0x204
> >@@ -304,6 +320,26 @@
> > #define CSR_MENVCFG 0x30A
> > #define CSR_MENVCFGH 0x31A
> >
> >+/* Machine state CSRs */
> >+#define CSR_MSTATEEN0 0x30C
> >+#define CSR_MSTATEEN0H 0x31C
> >+#define CSR_MSTATEEN1 0x30D
> >+#define CSR_MSTATEEN1H 0x31D
> >+#define CSR_MSTATEEN2 0x30E
> >+#define CSR_MSTATEEN2H 0x31E
> >+#define CSR_MSTATEEN3 0x30F
> >+#define CSR_MSTATEEN3H 0x31F
> >+
> >+/* Common defines for all smstateen */
> >+#define SMSTATEEN_MAX_COUNT 4
> >+#define SMSTATEEN0_CS 0
> >+#define SMSTATEEN0_FCSR 0
> >+#define SMSTATEEN0_IMSIC 58
> >+#define SMSTATEEN0_AIA 59
> >+#define SMSTATEEN0_SVSLCT 60
> >+#define SMSTATEEN0_HSENVCFG 62
> >+#define SMSTATEEN_STATEN 63
> >+
> > /* Enhanced Physical Memory Protection (ePMP) */
> > #define CSR_MSECCFG 0x747
> > #define CSR_MSECCFGH 0x757
> >diff --git a/target/riscv/csr.c b/target/riscv/csr.c
> >index 409a209f14..324fefce59 100644
> >--- a/target/riscv/csr.c
> >+++ b/target/riscv/csr.c
> >@@ -247,6 +247,42 @@ static RISCVException hmode32(CPURISCVState
> *env, int csrno)
> >
> > }
> >
> >+static RISCVException mstateen(CPURISCVState *env, int csrno)
> >+{
> >+ CPUState *cs = env_cpu(env);
> >+ RISCVCPU *cpu = RISCV_CPU(cs);
> >+
> >+ if (!cpu->cfg.ext_smstateen) {
> >+ return RISCV_EXCP_ILLEGAL_INST;
> >+ }
> >+
> >+ return any(env, csrno);
> >+}
> >+
> >+static RISCVException hstateen(CPURISCVState *env, int csrno)
> >+{
> >+ CPUState *cs = env_cpu(env);
> >+ RISCVCPU *cpu = RISCV_CPU(cs);
> >+
> >+ if (!cpu->cfg.ext_smstateen) {
> >+ return RISCV_EXCP_ILLEGAL_INST;
> >+ }
> >+
> >+ return hmode(env, csrno);
> >+}
> >+
>
> I think we should take the stateen bit(bit 63) for matching mstateen
> into consideration here.
> Similar to following sstateen function.
ok.
> >+static RISCVException sstateen(CPURISCVState *env, int csrno)
> >+{
> >+ CPUState *cs = env_cpu(env);
> >+ RISCVCPU *cpu = RISCV_CPU(cs);
> >+
> >+ if (!cpu->cfg.ext_smstateen) {
> >+ return RISCV_EXCP_ILLEGAL_INST;
> >+ }
> >+
> >+ return smode(env, csrno);
> >+}
> >+
> > /* Checks if PointerMasking registers could be accessed */
> > static RISCVException pointer_masking(CPURISCVState *env, int
> csrno)
> > {
> >@@ -1574,6 +1610,129 @@ static RISCVException
> write_henvcfgh(CPURISCVState *env, int csrno,
> > return RISCV_EXCP_NONE;
> > }
> >
> >+static inline void write_smstateen(CPURISCVState *env, uint64_t
> *reg,
> >+ uint64_t wr_mask, uint64_t
> new_val)
> >+{
> >+ *reg = (*reg & ~wr_mask) | (new_val & wr_mask);
> >+}
> >+
> >+static RISCVException read_mstateen(CPURISCVState *env, int csrno,
> >+ target_ulong *val)
> >+{
> >+ *val = env->mstateen[csrno - CSR_MSTATEEN0];
> >+
> >+ return RISCV_EXCP_NONE;
> >+}
> >+
> >+static RISCVException write_mstateen(CPURISCVState *env, int csrno,
> >+ target_ulong new_val)
> >+{
> >+ uint64_t *reg;
> >+ uint64_t wr_mask = 1UL << SMSTATEEN_STATEN;
> >+
> >+ reg = &env->mstateen[csrno - CSR_MSTATEEN0];
> >+ write_smstateen(env, reg, wr_mask, new_val);
> >+
> >+ return RISCV_EXCP_NONE;
> >+}
> >+
> >+static RISCVException read_mstateenh(CPURISCVState *env, int csrno,
> >+ target_ulong *val)
> >+{
> >+ *val = env->mstateen[csrno - CSR_MSTATEEN0H] >> 32;
> >+
> >+ return RISCV_EXCP_NONE;
> >+}
> >+
> >+static RISCVException write_mstateenh(CPURISCVState *env, int
> csrno,
> >+ target_ulong new_val)
> >+{
> >+ uint64_t *reg;
> >+ uint64_t val;
> >+ uint64_t wr_mask = 1UL << SMSTATEEN_STATEN;
> >+
> >+ reg = &env->mstateen[csrno - CSR_MSTATEEN0H];
> >+ val = (uint64_t)new_val << 32;
> >+ val |= *reg & 0xFFFFFFFF;
> >+ write_smstateen(env, reg, wr_mask, val);
> >+
> >+ return RISCV_EXCP_NONE;
> >+}
> >+
> >+static RISCVException read_hstateen(CPURISCVState *env, int csrno,
> >+ target_ulong *val)
> >+{
> >+ *val = env->hstateen[csrno - CSR_HSTATEEN0];
> >+
> >+ return RISCV_EXCP_NONE;
> >+}
> >+
>
> I think we should also take mstateen into consideration here just
> like the following write function.
> As the spec said, If we set certain bit in the matching mstateen csr
> to zero, the same bit in hstateen should be read-only zero.
> However, writes to mstateen will not affect the value in matching
> hstateen directly in current implementation,
> so if we read hstateen just immediately after write zero to certain
> bit of mstateen, the same bit read from hstateen may not be zero.
I need to check this but as per my understanding this it is the
responsibility of the software to clear the corresponding
hstateen/stateen bits.
>
> similar to read function of sstateen.
> >+static RISCVException write_hstateen(CPURISCVState *env, int csrno,
> >+ target_ulong new_val)
> >+{
> >+ uint64_t *reg;
> >+ uint64_t wr_mask = 1UL << SMSTATEEN_STATEN;
> >+ int index = csrno - CSR_HSTATEEN0;
> >+
> >+ reg = &env->hstateen[index];
> >+ wr_mask &= env->mstateen[index];
> >+ write_smstateen(env, reg, wr_mask, new_val);
> >+
> >+ return RISCV_EXCP_NONE;
> >+}
> >+
> >+static RISCVException read_hstateenh(CPURISCVState *env, int csrno,
> >+ target_ulong *val)
> >+{
> >+ *val = env->hstateen[csrno - CSR_HSTATEEN0H] >> 32;
> >+
> >+ return RISCV_EXCP_NONE;
> >+}
> >+
> >+static RISCVException write_hstateenh(CPURISCVState *env, int
> csrno,
> >+ target_ulong new_val)
> >+{
> >+ uint64_t *reg;
> >+ uint64_t val;
> >+ uint64_t wr_mask = 1UL << SMSTATEEN_STATEN;
> >+ int index = csrno - CSR_HSTATEEN0H;
> >+
> >+ reg = &env->hstateen[index];
> >+ val = (uint64_t)new_val << 32;
> >+ val |= *reg & 0xFFFFFFFF;
> >+ wr_mask &= env->mstateen[index];
> >+
> >+ write_smstateen(env, reg, wr_mask, val);
> >+ return RISCV_EXCP_NONE;
> >+}
> >+
> >+static RISCVException read_sstateen(CPURISCVState *env, int csrno,
> >+ target_ulong *val)
> >+{
> >+ *val = env->sstateen[csrno - CSR_SSTATEEN0];
> >+
> >+ return RISCV_EXCP_NONE;
> >+}
> >+
> >+static RISCVException write_sstateen(CPURISCVState *env, int csrno,
> >+ target_ulong new_val)
> >+{
> >+ uint64_t *reg;
> >+ uint64_t wr_mask = 0;
> >+ int index = csrno - CSR_SSTATEEN0;
> >+ bool virt = riscv_cpu_virt_enabled(env);
> >+
> >+ reg = &env->sstateen[index];
> >+ if (virt) {
> >+ wr_mask &= env->mstateen[index];
> >+ } else {
> >+ wr_mask &= env->hstateen[index];
> >+ }
> Why this? I think hstateen works in virt mode, so this may be:
> if (virt) {
> wr_mask &= env->mstateen[index] & env->hstateen[index];;
> } else {
> wr_mask &= env->mstateen[index];
> }
> >+ write_smstateen(env, reg, wr_mask, new_val);
> >+
> >+ return RISCV_EXCP_NONE;
> >+}
> >+
> > static RISCVException rmw_mip64(CPURISCVState *env, int csrno,
> > uint64_t *ret_val,
> > uint64_t new_val, uint64_t wr_mask)
> >@@ -3441,6 +3600,57 @@ riscv_csr_operations csr_ops[CSR_TABLE_SIZE]
> = {
> > [CSR_HENVCFGH] = { "henvcfgh", hmode32, read_henvcfgh,
> write_henvcfgh,
> > .min_priv_ver =
> PRIV_VERSION_1_12_0 },
> >
> >+ /* Smstateen extension CSRs */
> >+ [CSR_MSTATEEN0] = { "mstateen0", mstateen, read_mstateen,
> write_mstateen,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_MSTATEEN0H] = { "mstateen0h", mstateen, read_mstateenh,
> >+ write_mstateenh,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_MSTATEEN1] = { "mstateen1", mstateen, read_mstateen,
> write_mstateen,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
>
> It seems unreasonable for mstateen1~3 to share the same read/write
> function with mstateen0 ,
> since their field mask is different.
> Similar to sstateen1~3 and hstateen1~3
I will fix it in the next version.
>
> Regards,
> Weiwei Li
> >+ [CSR_MSTATEEN1H] = { "mstateen1h", mstateen, read_mstateenh,
> >+ write_mstateenh,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_MSTATEEN2] = { "mstateen2", mstateen, read_mstateen,
> write_mstateen,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_MSTATEEN2H] = { "mstateen2h", mstateen, read_mstateenh,
> >+ write_mstateenh,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_MSTATEEN3] = { "mstateen3", mstateen, read_mstateen,
> write_mstateen,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_MSTATEEN3H] = { "mstateen3h", mstateen, read_mstateenh,
> >+ write_mstateenh,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+
> >+ [CSR_HSTATEEN0] = { "hstateen0", hstateen, read_hstateen,
> write_hstateen,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_HSTATEEN0H] = { "hstateen0h", hstateen, read_hstateenh,
> >+ write_hstateenh,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_HSTATEEN1] = { "hstateen1", hstateen, read_hstateen,
> write_hstateen,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_HSTATEEN1H] = { "hstateen1h", hstateen, read_hstateenh,
> >+ write_hstateenh,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_HSTATEEN2] = { "hstateen2", hstateen, read_hstateen,
> write_hstateen,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_HSTATEEN2H] = { "hstateen2h", hstateen, read_hstateenh,
> >+ write_hstateenh,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_HSTATEEN3] = { "hstateen3", hstateen, read_hstateen,
> write_hstateen,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_HSTATEEN3H] = { "hstateen3h", hstateen, read_hstateenh,
> >+ write_hstateenh,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+
> >+ [CSR_SSTATEEN0] = { "sstateen0", sstateen, read_sstateen,
> write_sstateen,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_SSTATEEN1] = { "sstateen1", sstateen, read_sstateen,
> write_sstateen,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_SSTATEEN2] = { "sstateen2", sstateen, read_sstateen,
> write_sstateen,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> >+ [CSR_SSTATEEN3] = { "sstateen3", sstateen, read_sstateen,
> write_sstateen,
> >+ .min_priv_ver = PRIV_VERSION_1_12_0 },
> > /* Supervisor Trap Setup */
> > [CSR_SSTATUS] = { "sstatus", smode,
> read_sstatus, write_sstatus, NULL,
> > read_sstatus_i128
> },
> >diff --git a/target/riscv/machine.c b/target/riscv/machine.c
> >index 2a437b29a1..84a75dbb08 100644
> >--- a/target/riscv/machine.c
> >+++ b/target/riscv/machine.c
> >@@ -262,6 +262,26 @@ static int riscv_cpu_post_load(void *opaque,
> int version_id)
> > return 0;
> > }
> >
> >+static bool smstateen_needed(void *opaque)
> >+{
> >+ RISCVCPU *cpu = opaque;
> >+
> >+ return cpu->cfg.ext_smstateen;
> >+}
> >+
> >+static const VMStateDescription vmstate_smstateen = {
> >+ .name = "cpu/smtateen",
> >+ .version_id = 1,
> >+ .minimum_version_id = 1,
> >+ .needed = smstateen_needed,
> >+ .fields = (VMStateField[]) {
> >+ VMSTATE_UINT64_ARRAY(env.mstateen, RISCVCPU, 4),
> >+ VMSTATE_UINT64_ARRAY(env.hstateen, RISCVCPU, 4),
> >+ VMSTATE_UINT64_ARRAY(env.sstateen, RISCVCPU, 4),
> >+ VMSTATE_END_OF_LIST()
> >+ }
> >+};
> >+
> > static bool envcfg_needed(void *opaque)
> > {
> > RISCVCPU *cpu = opaque;
> >@@ -347,6 +367,7 @@ const VMStateDescription vmstate_riscv_cpu = {
> > &vmstate_kvmtimer,
> > &vmstate_envcfg,
> > &vmstate_debug,
> >+ &vmstate_smstateen,
> > NULL
> > }
> > };
> >--
> >2.25.1
> >
