Attention is currently required from: Philipp Hug.
ron minnich has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/81152?usp=email )
Change subject: arch/riscv: use PMP ......................................................................
arch/riscv: use PMP
With this change, a simple S-mode payload works: 1: li a7, 1 li a0, 48 ecall j 1b
Without this change, it will not work.
Linux also boots with this on the command line: clk_ignore_unused
Resolving that problem will require a separate patch.
Getting this to build on RV32 required changes to the API, as it was incorrect. In RV32, PMP entries are 34 bits. Hence, the setup_pmp needed to accept u64. So, uintptr_t cannot be used, as on 32 bits they are only 32 bit numbers. The internal API uses uintptr_t, but the exported API uses u64, so external code does not have to think about right shifts on base and size.
Another issue is that there is no requirement that PMP address registers implement all bits. So, for example, on the SiFive FU740, only 32 bits are implemented, which means 34 bits of address, which means 16 GiB.
Further, on the SiFive FU740, the PMPcfg MUST be written first, or the PMP address will be changed when written.
Errors are detected: an error in base and size will result in a BIOS_EMERG print, but not a panic. Boots not bricks if possible.
There are small changes to the internal API to reduce stack pressure: there's no need to have two pmpcfg_t on the stack when one will do.
Change-Id: I8d7dd171ee69e83f3b904df38c7e2d36cc46a62e Signed-off-by: Ronald G Minnich rminnich@gmail.com --- M src/arch/riscv/include/arch/pmp.h M src/arch/riscv/payload.c M src/arch/riscv/pmp.c 3 files changed, 136 insertions(+), 55 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/52/81152/1
diff --git a/src/arch/riscv/include/arch/pmp.h b/src/arch/riscv/include/arch/pmp.h index b25fc96..f98adf7 100644 --- a/src/arch/riscv/include/arch/pmp.h +++ b/src/arch/riscv/include/arch/pmp.h @@ -14,7 +14,13 @@ /* reset PMP setting */ void reset_pmp(void);
-/* set up PMP record */
-void setup_pmp(uintptr_t base, uintptr_t size, uintptr_t flags);
+/*
+ * set up PMP record
+ * reminder: base and size are 34-bits on RV32.
+ */
+void setup_pmp(u64 base, u64 size, u8 flags);
+
+/* write the last PMP record, i.e. the "default" case. */
+void close_pmp(void);
#endif /* __RISCV_PMP_H__ */ diff --git a/src/arch/riscv/payload.c b/src/arch/riscv/payload.c index a7a7dcb..a80b305 100644 --- a/src/arch/riscv/payload.c +++ b/src/arch/riscv/payload.c @@ -1,21 +1,18 @@ /* SPDX-License-Identifier: GPL-2.0-only */
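Review bot: `setup_pmp()` still returns `void` in the new prototype, although the pmp.c part of this change gives it a failure path (`if (generate_pmp(&p, base, size, flags)) return;`). The caller in payload.c then runs `close_pmp()` unconditionally, so a rejected protective range would leave the ramstage covered only by the R/W/X match-all entry, with nothing but a console message to show for it. Consider `int setup_pmp(u64 base, u64 size, u8 flags);` returning non-zero on failure, and document next to `close_pmp()` that it must run only after every restrictive entry was installed successfully.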
#include <delay.h> +#include <cbmem.h> #include <program_loading.h> #include <stdint.h> #include <arch/boot.h> #include <arch/encoding.h> +#include <arch/pmp.h> #include <arch/smp/atomic.h> #include <console/console.h> #include <mcall.h> #include <vm.h> #include <arch/pmp.h>
-int pmp_entries_num(void) -{ - return 16; -} - /* Run OpenSBI and let OpenSBI hand over control to the payload */ void run_payload_opensbi(struct prog *prog, void *fdt, struct prog *opensbi, int payload_mode) { @@ -61,6 +58,7 @@ void (*doit)(int hart_id, void *fdt) = prog_entry(prog); int hart_id = read_csr(mhartid); uintptr_t status = read_csr(mstatus); + extern void *_text, *_estack; status = INSERT_FIELD(status, MSTATUS_MPIE, 0);
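Review bot: The added `#include <arch/pmp.h>` duplicates the include of the same header that already closes this list (it is visible as the last context line of the include block). One of the two can go; keeping the new one, which sits with the other arch/ headers, and dropping the trailing one seems the tidier choice. `<cbmem.h>` is also added, but no use of it is visible in the hunks of this file, so it may be unnecessary.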
mdelay(1000 * hart_id); @@ -69,11 +67,31 @@ case RISCV_PAYLOAD_MODE_S: mstatus_init(); reset_pmp(); - // setup_pmp(0x84000000, 0xc0000000-0x84000000, PMP_R | PMP_W | PMP_X); - setup_pmp(0x20000000, 1<<10, 0); - setup_pmp(0x80000000, 1<<12, 0); - setup_pmp(0, 0xffffffffffffffff+1, PMP_R | PMP_W | PMP_X); status = 0; + /* + * Set up a PMP to protect coreboot, then close the PMPs. + * If a mainboard or SoC needs other ranges + * set up, they should do so before this point, + * as close_pmp puts in a "match all" entry, and + * PMPs are processed in linear order. + */ + + /* + * On this code path, coreboot is providing the coreboot SBI, and must + * protect the ramstage, from _text to _estack, from S and U + * modes. Because the number of PMP registers may be very + * small, make this an NAPOT area. The linker scripts + * should round _text and _estack to 4K. + */ + setup_pmp((u64)(uintptr_t) _text, + (u64)(uintptr_t) _estack - (u64)(uintptr_t) _text, 0); + + /* + * All pmp operations should be finished when close_pmp is called. + * Presently, this requirement is not enforced. + */ + close_pmp(); + status = INSERT_FIELD(status, MSTATUS_MPP, PRV_S);
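Review bot: `extern void *_text, *_estack;` declares two pointer objects that live at those linker symbols, so the `(u64)(uintptr_t) _text` in the next hunk's `setup_pmp()` call converts whatever word is stored at the start of the text section rather than the section's address. Linker-defined symbols are normally declared as arrays, `extern u8 _text[], _estack[];`, so that the bare name decays to the address; with that declaration the casts in the call can stay as they are. A block-scope `extern` also hides the declaration from the rest of the file, and if the tree already declares these symbols in a shared header, that declaration would be the better one to use (not visible from this hunk). The enclosing function starts and ends outside the hunk.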
/* Trap vector base address point to the payload */ diff --git a/src/arch/riscv/pmp.c b/src/arch/riscv/pmp.c index 68dcc0f..08b3493 100644 --- a/src/arch/riscv/pmp.c +++ b/src/arch/riscv/pmp.c @@ -28,6 +28,12 @@ /* This variable is used to record which entries have been used. */ static uintptr_t pmp_entry_used_mask;
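Review bot: The comment promises a NAPOT entry for the ramstage, but `setup_pmp()` only selects NAPOT when the size is a power of two and the base is aligned to that size; rounding `_text` and `_estack` to 4K guarantees neither. Any other layout falls through to the TOR path, which the pmp.c part of this change shows writing entries `n` and `n - 1`, i.e. two of the scarce entries the comment is trying to save. I would reword it to state the real requirement, for example `/* NAPOT needs (_estack - _text) to be a power of two and _text aligned to it; otherwise a two-entry TOR range is used. */`, or enforce that in the linker script if a single entry is required. The `case` body continues outside the hunk.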
+/* The architectural spec says that up to 16 PMP entries are available. */ +int pmp_entries_num(void) +{ + return 16; +} + /* helper function used to read pmpcfg[idx] */ static uintptr_t read_pmpcfg(int idx) { @@ -96,19 +102,20 @@ new = (old & ~((uintptr_t)0xff << shift)) | ((cfg & 0xff) << shift); write_csr(pmpcfg0, new); - printk(BIOS_EMERG, "%s: cfg %lx old %lx new %lx\n", __func__, cfg, old, new); + printk(BIOS_INFO, "%s(%d, %lx) = %lx\n", __func__, idx, cfg, read_csr(pmpcfg0)); break; case 1: old = read_csr(pmpcfg2); new = (old & ~((uintptr_t)0xff << shift)) | ((cfg & 0xff) << shift); write_csr(pmpcfg2, new); + printk(BIOS_INFO, "%s(%d, %lx) = %lx\n", __func__, idx, cfg, read_csr(pmpcfg2)); break; } #endif if (read_pmpcfg(idx) != cfg) { - printk(BIOS_EMERG, "%s: read(%d) is %lx, not %lx\n", __func__, idx, read_pmpcfg(idx), cfg); - //die("write pmpcfg failure!"); + printk(BIOS_WARNING, "%s: PMPcfg%d: Wrote %lx, read %lx\n", __func__, idx, cfg, read_pmpcfg(idx)); + die("PMPcfg write failed"); } }
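Review bot: The mismatch branch in the `@@ -96,19 +102,20 @@` hunk logs at `BIOS_WARNING` and then calls `die()`, and it calls `read_pmpcfg(idx)` a second time for the message, so the printed value is not necessarily the one that failed the comparison. Reading once, e.g. `uintptr_t got = read_pmpcfg(idx);`, and logging the fatal message at `BIOS_EMERG` would keep the report consistent with the outcome. Since `pmp_entries_num()` returns a fixed 16 while its new comment says "up to 16", it is also worth confirming that this `die()` cannot be reached merely because a part implements fewer entries. The function starts before this hunk.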
@@ -205,50 +212,64 @@ write_csr(pmpaddr15, val); break; } - if (read_pmpaddr(idx) != val){ - printk(BIOS_EMERG, "%s: read(%d) is %lx, not %lx\n", __func__, idx, read_pmpaddr(idx), val); - //die("write pmpaddr failure"); + + printk(BIOS_INFO, "%s(%d, %lx) = %lx\n", __func__, idx, val, read_pmpaddr(idx)); + /* The PMP is not required to return what we wrote. On some SoC, many bits are cleared. */ + if (read_pmpaddr(idx) != val) { + printk(BIOS_WARNING, "%s: PMPaddr%d: Wrote %lx, read %lx\n", __func__, + idx, val, read_pmpaddr(idx)); } }
+/* Generate a PMP configuration for all memory */ +static void generate_pmp_all(pmpcfg_t *p) +{ + p->cfg = PMP_NAPOT | PMP_R | PMP_W | PMP_X; + p->previous_address = 0; + p->address = (uintptr_t) -1; +} + /* Generate a PMP configuration of type NA4/NAPOT */ -static pmpcfg_t generate_pmp_napot( - uintptr_t base, uintptr_t size, uintptr_t flags) +static void generate_pmp_napot(pmpcfg_t *p, uintptr_t base, uintptr_t size, u8 flags) { - pmpcfg_t p; flags = flags & (PMP_R | PMP_W | PMP_X | PMP_L); - if (size > GRANULE) { - p.cfg = flags | PMP_NAPOT; - p.previous_address = 0; - p.address = (base + (size / 2 - 1)) >> PMP_SHIFT; - return p; - } - - p.cfg = flags | PMP_NA4; - p.previous_address = 0; - p.address = (base + (size / 2 - 1)) >> PMP_SHIFT; - return p; + p->cfg = flags | (size > GRANULE ? PMP_NAPOT : PMP_NA4); + p->previous_address = 0; + p->address = (base + (size / 2 - 1)); }
/* Generate a PMP configuration of type TOR */ -static pmpcfg_t generate_pmp_range( - uintptr_t base, uintptr_t size, uintptr_t flags) +static void generate_pmp_range(pmpcfg_t *p, uintptr_t base, uintptr_t size, u8 flags) { - pmpcfg_t p; flags = flags & (PMP_R | PMP_W | PMP_X | PMP_L); - p.cfg = flags | PMP_TOR; - p.previous_address = base >> PMP_SHIFT; - p.address = (base + size) >> PMP_SHIFT; - return p; + p->cfg = flags | PMP_TOR; + p->previous_address = base; + p->address = (base + size); }
-/* Generate a PMP configuration */ -static pmpcfg_t generate_pmp(uintptr_t base, uintptr_t size, uintptr_t flags) +/* + * Generate a PMP configuration. + * reminder: base and size are 34 bit numbers on RV32. + */ +static int generate_pmp(pmpcfg_t *p, u64 base, u64 size, u8 flags) { - if (IS_POWER_OF_2(size) && (size >= 4) && ((base & (size - 1)) == 0)) - return generate_pmp_napot(base, size, flags); - else - return generate_pmp_range(base, size, flags); + uintptr_t b = (uintptr_t) base >> PMP_SHIFT, s = (uintptr_t) size >> PMP_SHIFT; +#if __riscv_xlen == 32 + /* verify that base + size fits in 34 bits */ + if ((base + size - 1) >> 34) { + printk(BIOS_EMERG, "%s: base (%llx) + size (%llx) - 1 is more than 34 bits\n", + __func__, base, size); + return 1; + } +#endif + if (base == (u64)-1) { + generate_pmp_all(p); + } else if (IS_POWER_OF_2(size) && (size >= 4) && ((base & (size - 1)) == 0)) { + generate_pmp_napot(p, b, s, flags); + } else { + generate_pmp_range(p, b, s, flags); + } + return 0; }
/* @@ -289,38 +310,74 @@ /* reset PMP setting */ void reset_pmp(void) { - printk(BIOS_EMERG, "%s: start\n", __func__); for (int i = 0; i < pmp_entries_num(); i++) { if (read_pmpcfg(i) & PMP_L) - die("Some PMP configurations are locked " - "and cannot be reset!"); + die("Some PMP configurations are locked and cannot be reset!"); write_pmpcfg(i, 0); write_pmpaddr(i, 0); } - printk(BIOS_EMERG, "%s: done\n", __func__); }
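Review bot: In `generate_pmp()` the cast binds tighter than the shift, so `(uintptr_t) base >> PMP_SHIFT` narrows to XLEN bits before shifting and on RV32 drops exactly the address bits above 32 that the new u64 interface is meant to carry; the same applies to `size`. The RV32 range check also runs before the `base == (u64)-1` sentinel test, so `close_pmp()`'s `((u64)-1, 0)` is rejected there and the match-all entry is never written on RV32, and `base + size - 1` can wrap in 64 bits and slip past the check. Separately, `generate_pmp_napot()` now receives already-shifted values: a 4-byte region gives `size / 2 - 1` = 0 - 1, and `size > GRANULE` compares a shifted size with a threshold the old code applied to bytes (GRANULE is defined outside this diff, so please confirm). A possible shape for the first two points follows.

```c
static int generate_pmp(pmpcfg_t *p, u64 base, u64 size, u8 flags)
{
	uintptr_t b, s;

	/* The match-all sentinel carries no real range; handle it before any arithmetic. */
	if (base == (u64)-1) {
		generate_pmp_all(p);
		return 0;
	}
#if __riscv_xlen == 32
	/* Reject ranges ending above 2^34, written so that base + size cannot wrap. */
	if ((base >> 34) || size > (1ULL << 34) - base) {
		/* … unchanged: BIOS_EMERG print and return 1 … */
	}
#endif
	/* Shift in 64 bits, then narrow, so RV32 keeps physical address bits 33:32. */
	b = (uintptr_t)(base >> PMP_SHIFT);
	s = (uintptr_t)(size >> PMP_SHIFT);
	/* … unchanged: NAPOT / TOR selection, minus the sentinel branch, and return 0 … */
}
```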
-/* set up PMP record */ -void setup_pmp(uintptr_t base, uintptr_t size, uintptr_t flags) +/* + * set up PMP record + * Why are these u64 and not uintptr_t? + * because, per the spec: + * The Sv32 page-based virtual-memory scheme described in Section 4.3 + * supports 34-bit physical addresses for RV32, so the PMP scheme must + * support addresses wider than XLEN for RV32. + * Yes, in RV32, these are 34-bit numbers. + * Rather than require every future user of these to remember that, + * this ABI is 64 bits. + * generate_pmp will check for out of range values. + */ +void setup_pmp(u64 base, u64 size, u8 flags) { pmpcfg_t p; int is_range, n;
- printk(BIOS_EMERG, "%s: start base %lx size %lx flags %lx\n", __func__, base, size, flags); - p = generate_pmp(base, size, flags); + if (generate_pmp(&p, base, size, flags)) + return; + is_range = ((p.cfg & PMP_A) == PMP_TOR);
n = find_empty_pmp_entry(is_range);
+ /* + * NOTE! you MUST write the cfg register first, or on (e.g.) + * the SiFive FU740, it will not take all the bits. + * This is different than QEMU. NASTY! + */ + write_pmpcfg(n, p.cfg); + write_pmpaddr(n, p.address); if (is_range) write_pmpaddr(n - 1, p.previous_address); - printk(BIOS_EMERG, "%s: p.cfg is %lx\n", __func__, p.cfg); - write_pmpcfg(n, p.cfg);
mask_pmp_entry_used(n); if (is_range) mask_pmp_entry_used(n - 1); - printk(BIOS_EMERG, "%s: done\n", __func__); }
+/*
+ * close_pmp will "close" the pmp.
+ * This consists of adding the "match every address" entry.
+ * This should be the last pmp function that is called.
+ * Because we can not be certain that there is not some reason for it
+ * NOT to be last, we do not check -- perhaps, later, a check would
+ * make sense, but, for now, we do not check.
+ * If previous code has used up all pmp entries, print a warning
+ * and continue.
+ * The huge constant for the memory size may seem a bit odd here.
+ * Recall that PMP is to protect a *limited* number of M mode
+ * memory ranges from S and U modes. Therefore, the last range
+ * entry should cover all possible addresses, up to
+ * an architectural limit. It is entirely acceptable
+ * for it to cover memory that does not exist -- PMP
+ * protects M mode, nothing more.
+ * Think of this range as the final catch-all else
+ * in an if-then-else.
+ */
+void close_pmp(void)
+{
+ setup_pmp((u64)-1, 0, PMP_R|PMP_W|PMP_X);
+}
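Review bot: `close_pmp()` reaches the match-all path by passing the magic base `(u64)-1` through the exported `setup_pmp()`, so any caller that hands that value to `setup_pmp()` gets an R/W/X entry for all of memory regardless of the `size` and `flags` it asked for. That sentinel is not mentioned in the comment on `setup_pmp()` or in pmp.h; either document it there, e.g. `base == (u64)-1 is reserved for close_pmp() and installs the match-all entry`, or keep it out of the public path by letting `close_pmp()` build the entry from `generate_pmp_all()` itself. The `close_pmp()` comment also says a warning is printed when all entries are used up, but nothing in this hunk does that: `setup_pmp()` uses the result of `find_empty_pmp_entry()` directly, and that helper is outside the hunk.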