Message ID | 20191108144240.204202-10-andre.przywara@arm.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | arm: gic: Test SPIs and interrupt groups | expand |
Hi, On 11/8/19 2:42 PM, Andre Przywara wrote: > The DS (Disable Security) bit in the GICv3 GICD_CTLR register controls > access to Group 0 interrupts from the non-secure side. > The KVM VGIC emulation provides a "GIC with a single security state", > so both groups should be accessible. > Provide a test to check this bit can be set to one. The current KVM > emulation should treat this is as RAO/WI (which we also check here). It > would be architecturally compliant though to have this bit at 0 as well, > so we refrain from treating different behaviour as a FAIL. Are we not testing KVM? Why are we not treating a behaviour different than what KVM should emulate as a fail? > However we use this as a gateway for further Group 0 IRQ tests. > > Signed-off-by: Andre Przywara <andre.przywara@arm.com> > --- > arm/gic.c | 62 ++++++++++++++++++++++++++++++++++++++++++++ > lib/arm/asm/gic-v3.h | 1 + > 2 files changed, 63 insertions(+) > > diff --git a/arm/gic.c b/arm/gic.c > index 304b7b9..c882a24 100644 > --- a/arm/gic.c > +++ b/arm/gic.c > @@ -531,6 +531,8 @@ static void gic_test_mmio(void) > reg = readl(gic_dist_base + GICD_TYPER); > nr_irqs = GICD_TYPER_IRQS(reg); > report_info("number of implemented SPIs: %d", nr_irqs - GIC_FIRST_SPI); > + report_info("GIC %s security extension", > + reg & (1U << 10) ? "has" : "does not have"); > > if (gic_version() == 0x2) > test_typer_v2(reg); > @@ -638,6 +640,60 @@ static void spi_test_smp(void) > report("SPI delievered on all cores", cores == nr_cpus); > } > > +/* > + * Check the security state configuration of the GIC. > + * Test whether we can switch to a single security state, to test both > + * group 0 and group 1 interrupts. > + * Architecturally a GIC can be configured in different ways, so we don't > + * insist on the current way KVM emulates the GIC. > + */ > +static bool gicv3_check_security(void *gicd_base) You don't need gicd_base as a parameter, you know this is called only on a gicv3. > +{ > + u32 ctlr = readl(gicd_base + GICD_CTLR); > + > + if (ctlr & GICD_CTLR_DS) { > + writel(ctlr & ~GICD_CTLR_DS, gicd_base + GICD_CTLR); > + ctlr = readl(gicd_base + GICD_CTLR); > + if (!(ctlr & GICD_CTLR_DS)) > + report_info("GIC allowing two security states"); > + else > + report_info("GIC is one security state only"); > + } else { > + report_info("GIC resets to two security states"); > + } > + > + writel(ctlr | GICD_CTLR_DS, gicd_base + GICD_CTLR); > + ctlr = readl(gicd_base + GICD_CTLR); > + report("switching to single security state", ctlr & GICD_CTLR_DS); > + > + /* Group0 delivery only works in single security state. */ > + return ctlr & GICD_CTLR_DS; > +} > + > +/* > + * The GIC architecture describes two interrupt groups, group 0 and group 1. > + * On bare-metal systems, running in non-secure world on a GIC with the > + * security extensions, there is only one group available: group 1. > + * However in the kernel KVM emulates a GIC with only one security state, > + * so both groups are available to guests. > + * Check whether this works as expected (as Linux will not use this feature). > + * We can only verify this state on a GICv3, so we check it there and silently > + * assume it's valid for GICv2. > + */ > +static void test_irq_group(void *gicd_base) > +{ > + bool is_gicv3 = (gic_version() == 3); > + > + report_prefix_push("GROUP"); > + gic_enable_defaults(); Why is this here if you're only testing GICD_CTLR.DS emulation? Rebase artifact? > + > + if (is_gicv3) { You can remove the variable is_gicv3 and use gic_version() directly (as you do in spi_send). Or you can call test_irq_group from spi_send when gic_version is 3 and drop the check entirely. > + /* GICv3 features a bit to read and set the security state. */ > + if (!gicv3_check_security(gicd_base)) > + return; > + } > +} > + > static void spi_send(void) > { > irqs_enable(); > @@ -647,6 +703,12 @@ static void spi_send(void) > if (nr_cpus > 1) > spi_test_smp(); > > + if (gic_version() == 3) > + test_irq_group(gicv3_dist_base()); > + > + if (gic_version() == 2) > + test_irq_group(gicv2_dist_base()); test_irq_group run an actual test for gicv3 only, I think you can remove the call when gic_version is 2. Thanks, Alex > + > check_spurious(); > exit(report_summary()); > } > diff --git a/lib/arm/asm/gic-v3.h b/lib/arm/asm/gic-v3.h > index 8cfaed1..2eaf944 100644 > --- a/lib/arm/asm/gic-v3.h > +++ b/lib/arm/asm/gic-v3.h > @@ -19,6 +19,7 @@ > * group1 enable bits with respect to that view. > */ > #define GICD_CTLR_RWP (1U << 31) > +#define GICD_CTLR_DS (1U << 6) > #define GICD_CTLR_ARE_NS (1U << 4) > #define GICD_CTLR_ENABLE_G1A (1U << 1) > #define GICD_CTLR_ENABLE_G1 (1U << 0)
Hi, On 11/12/19 4:42 PM, Alexandru Elisei wrote: > Are we not testing KVM? Why are we not treating a behaviour different than what > KVM should emulate as a fail? Can kvm-unit-tests be run with qemu TCG? Cheers Vladimir
On Thu, 14 Nov 2019 13:39:33 +0000 Vladimir Murzin <vladimir.murzin@arm.com> wrote: > Hi, > > On 11/12/19 4:42 PM, Alexandru Elisei wrote: > > Are we not testing KVM? Why are we not treating a behaviour different than what > > KVM should emulate as a fail? > > Can kvm-unit-tests be run with qemu TCG? Yes, it does that actually by default if you cross compile. I also tested this explicitly on TCG: unlike KVM that actually passes all those tests. If you set the environment variable ACCEL to either tcg or kvm, you can select this at runtime: $ ACCEL=tcg arm/run arm/gic.flat -smp 3 -append irq Cheers, Andre
On 11/14/19 2:17 PM, Andre Przywara wrote: > On Thu, 14 Nov 2019 13:39:33 +0000 > Vladimir Murzin <vladimir.murzin@arm.com> wrote: > >> Hi, >> >> On 11/12/19 4:42 PM, Alexandru Elisei wrote: >>> Are we not testing KVM? Why are we not treating a behaviour different than what >>> KVM should emulate as a fail? >> >> Can kvm-unit-tests be run with qemu TCG? > > Yes, it does that actually by default if you cross compile. I also tested this explicitly on TCG: unlike KVM that actually passes all those tests. > If you set the environment variable ACCEL to either tcg or kvm, you can select this at runtime: > $ ACCEL=tcg arm/run arm/gic.flat -smp 3 -append irq Great! Then, IMO, it is absolutely valid to test this functionality! Thanks Vladimir > > Cheers, > Andre >
Hi, On 11/14/19 2:50 PM, Vladimir Murzin wrote: > On 11/14/19 2:17 PM, Andre Przywara wrote: >> On Thu, 14 Nov 2019 13:39:33 +0000 >> Vladimir Murzin <vladimir.murzin@arm.com> wrote: >> >>> Hi, >>> >>> On 11/12/19 4:42 PM, Alexandru Elisei wrote: >>>> Are we not testing KVM? Why are we not treating a behaviour different than what >>>> KVM should emulate as a fail? >>> Can kvm-unit-tests be run with qemu TCG? >> Yes, it does that actually by default if you cross compile. I also tested this explicitly on TCG: unlike KVM that actually passes all those tests. >> If you set the environment variable ACCEL to either tcg or kvm, you can select this at runtime: >> $ ACCEL=tcg arm/run arm/gic.flat -smp 3 -append irq > Great! Then, IMO, it is absolutely valid to test this functionality! TCG emulates a GIC with a single security state for me: /usr/bin/qemu-system-aarch64 -nodefaults -machine virt,gic-version=3,accel=tcg -cpu cortex-a57 -device virtio-serial-device -device virtconsole,chardev=ctd -chardev testdev,id=ctd -device pci-testdev -display none -serial stdio -kernel arm/gic.flat -append irq PASS: gicv3: irq: SPI triggered by CPU write PASS: gicv3: irq: disabled SPI does not fire PASS: gicv3: irq: now enabled SPI fires INFO: gicv3: irq: GROUP: GIC is one security state only [..] But that could change someday, so I'm fine with failing only if we are not allowed to have GICD_CTLR.DS=1, because that will prevent us from testing group 0 interrupts. Thanks, Alex > Thanks > Vladimir > >> Cheers, >> Andre >>
On Thu, 14 Nov 2019 at 15:21, Alexandru Elisei <alexandru.elisei@arm.com> wrote: > TCG emulates a GIC with a single security state for me: > > /usr/bin/qemu-system-aarch64 -nodefaults -machine virt,gic-version=3,accel=tcg > -cpu cortex-a57 -device virtio-serial-device -device virtconsole,chardev=ctd > -chardev testdev,id=ctd -device pci-testdev -display none -serial stdio -kernel > arm/gic.flat -append irq The virt board doesn't do EL3 by default, but if you add -machine secure=true to your command line then it it should emulate it, including a trustzone-aware GIC. thanks -- PMM
Hi, On 11/14/19 3:27 PM, Peter Maydell wrote: > On Thu, 14 Nov 2019 at 15:21, Alexandru Elisei <alexandru.elisei@arm.com> wrote: >> TCG emulates a GIC with a single security state for me: >> >> /usr/bin/qemu-system-aarch64 -nodefaults -machine virt,gic-version=3,accel=tcg >> -cpu cortex-a57 -device virtio-serial-device -device virtconsole,chardev=ctd >> -chardev testdev,id=ctd -device pci-testdev -display none -serial stdio -kernel >> arm/gic.flat -append irq > The virt board doesn't do EL3 by default, but if you add -machine secure=true > to your command line then it it should emulate it, including a > trustzone-aware GIC. > > thanks > -- PMM Indeed, and that made the test fail because apparently qemu implements it as RAZ/WI (which is allowed by the architecture). Thank you for the suggestion! Thanks, Alex
On Thu, 14 Nov 2019 at 15:47, Alexandru Elisei <alexandru.elisei@arm.com> wrote: > On 11/14/19 3:27 PM, Peter Maydell wrote: > > The virt board doesn't do EL3 by default, but if you add -machine secure=true > > to your command line then it it should emulate it, including a > > trustzone-aware GIC. > Indeed, and that made the test fail because apparently qemu implements it as > RAZ/WI (which is allowed by the architecture). Thank you for the suggestion! Hmm. The behaviour QEMU thinks it's implementing is: * if we have only one security state, then CTLR.DS is RAO/WI * if we have two security states, then: - for access from NonSecure, CTLR.DS is RAZ/WI - for access from Secure, CTLR.DS is initially 0, and is writeable, but if you write 1 to it then the only way to get it to go back to zero is to reset the system thanks -- PMM
diff --git a/arm/gic.c b/arm/gic.c index 304b7b9..c882a24 100644 --- a/arm/gic.c +++ b/arm/gic.c @@ -531,6 +531,8 @@ static void gic_test_mmio(void) reg = readl(gic_dist_base + GICD_TYPER); nr_irqs = GICD_TYPER_IRQS(reg); report_info("number of implemented SPIs: %d", nr_irqs - GIC_FIRST_SPI); + report_info("GIC %s security extension", + reg & (1U << 10) ? "has" : "does not have"); if (gic_version() == 0x2) test_typer_v2(reg); @@ -638,6 +640,60 @@ static void spi_test_smp(void) report("SPI delievered on all cores", cores == nr_cpus); } +/* + * Check the security state configuration of the GIC. + * Test whether we can switch to a single security state, to test both + * group 0 and group 1 interrupts. + * Architecturally a GIC can be configured in different ways, so we don't + * insist on the current way KVM emulates the GIC. + */ +static bool gicv3_check_security(void *gicd_base) +{ + u32 ctlr = readl(gicd_base + GICD_CTLR); + + if (ctlr & GICD_CTLR_DS) { + writel(ctlr & ~GICD_CTLR_DS, gicd_base + GICD_CTLR); + ctlr = readl(gicd_base + GICD_CTLR); + if (!(ctlr & GICD_CTLR_DS)) + report_info("GIC allowing two security states"); + else + report_info("GIC is one security state only"); + } else { + report_info("GIC resets to two security states"); + } + + writel(ctlr | GICD_CTLR_DS, gicd_base + GICD_CTLR); + ctlr = readl(gicd_base + GICD_CTLR); + report("switching to single security state", ctlr & GICD_CTLR_DS); + + /* Group0 delivery only works in single security state. */ + return ctlr & GICD_CTLR_DS; +} + +/* + * The GIC architecture describes two interrupt groups, group 0 and group 1. + * On bare-metal systems, running in non-secure world on a GIC with the + * security extensions, there is only one group available: group 1. + * However in the kernel KVM emulates a GIC with only one security state, + * so both groups are available to guests. + * Check whether this works as expected (as Linux will not use this feature). + * We can only verify this state on a GICv3, so we check it there and silently + * assume it's valid for GICv2. + */ +static void test_irq_group(void *gicd_base) +{ + bool is_gicv3 = (gic_version() == 3); + + report_prefix_push("GROUP"); + gic_enable_defaults(); + + if (is_gicv3) { + /* GICv3 features a bit to read and set the security state. */ + if (!gicv3_check_security(gicd_base)) + return; + } +} + static void spi_send(void) { irqs_enable(); @@ -647,6 +703,12 @@ static void spi_send(void) if (nr_cpus > 1) spi_test_smp(); + if (gic_version() == 3) + test_irq_group(gicv3_dist_base()); + + if (gic_version() == 2) + test_irq_group(gicv2_dist_base()); + check_spurious(); exit(report_summary()); } diff --git a/lib/arm/asm/gic-v3.h b/lib/arm/asm/gic-v3.h index 8cfaed1..2eaf944 100644 --- a/lib/arm/asm/gic-v3.h +++ b/lib/arm/asm/gic-v3.h @@ -19,6 +19,7 @@ * group1 enable bits with respect to that view. */ #define GICD_CTLR_RWP (1U << 31) +#define GICD_CTLR_DS (1U << 6) #define GICD_CTLR_ARE_NS (1U << 4) #define GICD_CTLR_ENABLE_G1A (1U << 1) #define GICD_CTLR_ENABLE_G1 (1U << 0)
The DS (Disable Security) bit in the GICv3 GICD_CTLR register controls access to Group 0 interrupts from the non-secure side. The KVM VGIC emulation provides a "GIC with a single security state", so both groups should be accessible. Provide a test to check this bit can be set to one. The current KVM emulation should treat this is as RAO/WI (which we also check here). It would be architecturally compliant though to have this bit at 0 as well, so we refrain from treating different behaviour as a FAIL. However we use this as a gateway for further Group 0 IRQ tests. Signed-off-by: Andre Przywara <andre.przywara@arm.com> --- arm/gic.c | 62 ++++++++++++++++++++++++++++++++++++++++++++ lib/arm/asm/gic-v3.h | 1 + 2 files changed, 63 insertions(+)