On Tue, Oct 25, 2022 at 1:37 AM Peter Maydell <peter.mayd...@linaro.org>
wrote:
> On Mon, 17 Oct 2022 at 10:29, Ake Koomsin <a...@igel.co.jp> wrote:
> >
> > An exception targeting EL2 from lower EL is actually maskable when
> > HCR_E2H and HCR_TGE are both set. This applies to both secure and
> > non-secure Security state.
> >
> > Signed-off-by: Ake Koomsin <a...@igel.co.jp>
> > ---
> > target/arm/cpu.c | 24 +++++++++++++++++-------
> > 1 file changed, 17 insertions(+), 7 deletions(-)
> >
> > diff --git a/target/arm/cpu.c b/target/arm/cpu.c
> > index 94ca6f163f..86d3377d3f 100644
> > --- a/target/arm/cpu.c
> > +++ b/target/arm/cpu.c
> > @@ -561,14 +561,24 @@ static inline bool arm_excp_unmasked(CPUState *cs,
> unsigned int excp_idx,
> > if ((target_el > cur_el) && (target_el != 1)) {
> > /* Exceptions targeting a higher EL may not be maskable */
> > if (arm_feature(env, ARM_FEATURE_AARCH64)) {
> > - /*
> > - * 64-bit masking rules are simple: exceptions to EL3
> > - * can't be masked, and exceptions to EL2 can only be
> > - * masked from Secure state. The HCR and SCR settings
> > - * don't affect the masking logic, only the interrupt
> routing.
> > - */
> > - if (target_el == 3 || !secure || (env->cp15.scr_el3 &
> SCR_EEL2)) {
> > + switch (target_el) {
> > + case 2:
> > + /*
> > + * According to ARM DDI 0487H.a, an interrupt can be
> masked
> > + * when HCR_E2H and HCR_TGE are both set regardless of
> the
> > + * current Security state. Note that We need to revisit
> this
> > + * part again once we need to support NMI.
> > + */
> > + if ((hcr_el2 & (HCR_E2H | HCR_TGE)) != (HCR_E2H |
> HCR_TGE)) {
> > + unmasked = true;
> > + }
> > + break;
> > + case 3:
> > + /* Interrupt cannot be masked when the target EL is 3 */
> > unmasked = true;
> > + break;
> > + default:
> > + g_assert_not_reached();
>
> Hi; thanks for this patch. You're correct that there is a bug here, but
> it took me a while to work out why it's OK to remove the "don't allow
> masking if we're in Secure EL0/EL1 and the exception is going to NS EL2"
> check. The answer to that turns out to be "the target_el could never be
> 2 anyway in that case": because arm_phys_excp_target_el() uses
> arm_hcr_el2_eff(),
> if we're Secure and SEL2 isn't enabled then the effective HCR_EL2 bits
> will all be zero, which forces us into the "targets EL1" or "targets EL3"
> cases.
>
> So I think that's worth mentioning in the commit message:
>
> "We can remove the conditions that try to suppress masking of
> interrupts when we are Secure and the exception targets EL2 and
> Secure EL2 is disabled, because in that case arm_phys_excp_target_el()
> will never return 2 as the target EL. The 'not if secure' check
> in this function was originally written before arm_hcr_el2_eff(), and
> back then the target EL could be 2 even if we were in Secure EL0/EL1;
> it is no longer needed."
>
> I'll apply this to target-arm.next, with the commit message
> updated to include that.
>
> thanks
> -- PMM
>
Thank you very much for the review and additional commit
commit message for clarity.
---
Ake Koomsin
