Ludovic Mermod | be75da8 | 2025-09-17 11:13:28 +0200 | [diff] [blame^] | 1 | // SPDX-FileCopyrightText: Copyright The arm-tzc Contributors. |
| 2 | // SPDX-License-Identifier: MIT OR Apache-2.0 |
| 3 | use safe_mmio::{SharedMmioPointer, field_shared, fields::ReadPure}; |
| 4 | use zerocopy::{FromBytes, Immutable, IntoBytes, KnownLayout}; |
| 5 | |
| 6 | use crate::utils::{concatenate_address_parts, extract_bits, get_bit}; |
| 7 | |
| 8 | #[derive(Debug, Clone, Copy, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)] |
| 9 | /// Each filter unit has a fail control register which contains the control status information of |
| 10 | /// the first access that failed a region permission check in the associated filter unit. This |
| 11 | /// occurs even if the [`ActionRegister`][crate::ActionRegister] is set to not drive the interrupt |
| 12 | /// signal. |
| 13 | /// |
| 14 | /// The first failing access is defined as the first permission failure in the associated filter |
| 15 | /// unit after one of the following occurs: |
| 16 | /// |
| 17 | /// - Reset. |
| 18 | /// - The last clearance of an interrupt using the |
| 19 | /// [`InterruptClearRegister`][crate::InterruptClearRegister]. |
| 20 | #[repr(transparent)] |
| 21 | pub struct FailControlRegister(u32); |
| 22 | |
| 23 | #[derive(Clone, Copy, Debug, Eq, PartialEq)] |
| 24 | /// See [`FailControlRegister::direction`]. |
| 25 | pub enum FailAccessDirection { |
| 26 | /// Attempted access was a read. |
| 27 | Read, |
| 28 | /// Attempted access was a write. |
| 29 | Write, |
| 30 | } |
| 31 | |
| 32 | impl FailControlRegister { |
| 33 | /// If a region permission check fails or a region overlap occurs, this field indicates whether |
| 34 | /// the failed access was a read or write access attempt. |
| 35 | /// |
| 36 | /// You must clear the associated interrupt status before this field can return the direction of |
| 37 | /// accesses of subsequent permission checks or region overlap failures. |
| 38 | /// |
| 39 | /// If the status flag for the filter unit in the |
| 40 | /// [`InterruptStatusRegister`][crate::InterruptStatusRegister] is already set, new region |
| 41 | /// permission check failures in the same filter unit do not update the associated fail status |
| 42 | /// group of registers. |
| 43 | pub const fn direction(&self) -> FailAccessDirection { |
| 44 | if get_bit(self.0, 24) { |
| 45 | FailAccessDirection::Write |
| 46 | } else { |
| 47 | FailAccessDirection::Read |
| 48 | } |
| 49 | } |
| 50 | |
| 51 | /// If a region permission check fails or a region overlap occurs, this field indicates whether |
| 52 | /// it was a Secure (`false`) or Non-secure (`true`) access attempt. |
| 53 | /// |
| 54 | /// You must clear the associated interrupt status before this field can return the direction of |
| 55 | /// accesses of subsequent permission checks or region overlap failures. |
| 56 | /// |
| 57 | /// If the status flag for the filter unit in the |
| 58 | /// [`InterruptStatusRegister`][crate::InterruptStatusRegister] is already set, new region |
| 59 | /// permission check failures in the same filter unit do not update the associated fail status |
| 60 | /// group of registers. |
| 61 | pub const fn non_secure(&self) -> bool { |
| 62 | get_bit(self.0, 21) |
| 63 | } |
| 64 | |
| 65 | /// If a region permission check fails or a region overlap occurs, this field indicates whether |
| 66 | /// it was a privileged (`true`) or unprivileged (`false`) access attempt. |
| 67 | /// |
| 68 | /// You must clear the associated interrupt status before this field can return the direction of |
| 69 | /// accesses of subsequent permission checks or region overlap failures. |
| 70 | /// |
| 71 | /// If the status flag for the filter unit in the |
| 72 | /// [`InterruptStatusRegister`][crate::InterruptStatusRegister] is already set, new region |
| 73 | /// permission check failures in the same filter unit do not update the associated fail status |
| 74 | /// group of registers. |
| 75 | pub const fn privileged(&self) -> bool { |
| 76 | get_bit(self.0, 20) |
| 77 | } |
| 78 | } |
| 79 | |
| 80 | #[derive(Debug, Clone, Copy, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)] |
| 81 | /// Each filter unit has a fail id register which contains the master ACE-Lite ARID or AWID of the |
| 82 | /// first access that failed a region permission check in the associated filter unit. This occurs |
| 83 | /// even if the [`ActionRegister`][crate::ActionRegister] is set to not drive the interrupt signal. |
| 84 | /// |
| 85 | /// The first failing access is defined as the first permission failure in the associated filter |
| 86 | /// unit after one of the following occurs: |
| 87 | /// |
| 88 | /// - Reset. |
| 89 | /// - The last clearance of an interrupt using the |
| 90 | /// [`InterruptClearRegister`][crate::InterruptClearRegister]. |
| 91 | #[repr(transparent)] |
| 92 | pub struct FailIDRegister(u32); |
| 93 | |
| 94 | impl FailIDRegister { |
| 95 | /// If a region permission check fails or a region overlap occurs, this field returns the VN |
| 96 | /// number of the first failed access, from either ARVNET<x> or AWVNET<x> as |
| 97 | /// appropriate. If the status flag for the filter unit in the |
| 98 | /// [`InterruptStatusRegister`][crate::InterruptStatusRegister] already set, new region |
| 99 | /// permission check failures in the same filter unit do not update the associated fail status |
| 100 | /// group of registers. |
| 101 | pub const fn vnet(&self) -> u32 { |
| 102 | extract_bits(self.0, 27, 24) |
| 103 | } |
| 104 | |
| 105 | /// If a region permission check fails or a region overlap occurs, this field returns the |
| 106 | /// ACE-Lite ID values of the first failed access. |
| 107 | /// |
| 108 | /// If the status flag for the filter unit in the |
| 109 | /// [`InterruptStatusRegister`][crate::InterruptStatusRegister] is already set, new region |
| 110 | /// permission check failures in the same filter unit do not update the associated fail status |
| 111 | /// group of registers. |
| 112 | pub const fn id(&self) -> u32 { |
| 113 | // TODO: use AID_WIDTH - 1 as upper bound. |
| 114 | extract_bits(self.0, 23, 0) |
| 115 | } |
| 116 | } |
| 117 | |
| 118 | #[derive(Debug, Clone, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)] |
| 119 | #[repr(C, align(4))] |
| 120 | pub(crate) struct FailRegisters { |
| 121 | /// 0x020 + (0x10 * x): Fail address low register. |
| 122 | fail_address_low: ReadPure<u32>, |
| 123 | /// 0x024 + (0x10 * x): Fail address high register. |
| 124 | fail_address_high: ReadPure<u32>, |
| 125 | /// 0x028 + (0x10 * x): Fail control register. |
| 126 | fail_control: ReadPure<FailControlRegister>, |
| 127 | /// 0x02C + (0x10 * x): Fail ID register. |
| 128 | fail_id: ReadPure<FailIDRegister>, /* TODO: size depends on configuration: https://developer.arm.com/documentation/ddi0504/c/programmers-model/register-summary?lang=en, footnote d. */ |
| 129 | } |
| 130 | /// Wrapper structure to allow reading registers detailing the last failure of a filter unit. See |
| 131 | /// also [`Tzc::fail`][crate::Tzc::filter_failure]. |
| 132 | pub struct TzcFail<'regs> { |
| 133 | pub(crate) regs: SharedMmioPointer<'regs, FailRegisters>, |
| 134 | } |
| 135 | |
| 136 | impl<'a> TzcFail<'a> { |
| 137 | /// Returns the address of the first access that failed a region permission check in the |
| 138 | /// associated filter unit. This occurs even if the [`ActionRegister`][crate::ActionRegister] is |
| 139 | /// set to not drive the interrupt signal. See Action register. |
| 140 | /// |
| 141 | /// The first failing access is defined as the first permission failure in the associated filter |
| 142 | /// unit after one of the following occurs: |
| 143 | /// - Reset. |
| 144 | /// - The last clearance of an interrupt using the |
| 145 | /// [`InterruptClearRegister`][crate::InterruptClearRegister]. |
| 146 | pub fn fail_address(&self) -> u64 { |
| 147 | concatenate_address_parts( |
| 148 | field_shared!(self.regs, fail_address_low).read(), |
| 149 | field_shared!(self.regs, fail_address_high).read(), |
| 150 | ) |
| 151 | } |
| 152 | |
| 153 | /// Returns the [`FailControlRegister`] of this filter. |
| 154 | pub fn fail_control(&self) -> FailControlRegister { |
| 155 | field_shared!(self.regs, fail_control).read() |
| 156 | } |
| 157 | |
| 158 | /// Returns the [`FailIDRegister`] of this filter. |
| 159 | pub fn fail_id(&self) -> FailIDRegister { |
| 160 | field_shared!(self.regs, fail_id).read() |
| 161 | } |
| 162 | } |
| 163 | |
| 164 | #[cfg(test)] |
| 165 | mod tests { |
| 166 | use crate::{tests::FakeTZCRegisters, *}; |
| 167 | |
| 168 | #[test] |
| 169 | fn fail_oob() { |
| 170 | let mut regs = FakeTZCRegisters::new(); |
| 171 | regs.reg_write(0x008, 0b0000_0000_0000_0010_0000_0000_0000_0000); |
| 172 | let tzc = regs.tzc_for_test(); |
| 173 | |
| 174 | assert!(tzc.filter_failure(2).is_none()); |
| 175 | assert!(tzc.filter_failure(3).is_none()); |
| 176 | assert!(tzc.filter_failure(4).is_none()); |
| 177 | assert!(tzc.filter_failure(18).is_none()); |
| 178 | } |
| 179 | |
| 180 | #[test] |
| 181 | pub fn fail_address() { |
| 182 | let mut regs = FakeTZCRegisters::new(); |
| 183 | regs.reg_write(0x000, 0b0000_0011_0000_0000_0010_1111_0000_1000); |
| 184 | for i in 0..4 { |
| 185 | regs.reg_write(0x020 + i * 0x10, 0xabcd_0000); |
| 186 | regs.reg_write(0x024 + i * 0x10, 0xfc00 | i as u32); |
| 187 | } |
| 188 | |
| 189 | let tzc = regs.tzc_for_test(); |
| 190 | |
| 191 | for i in 0..4 { |
| 192 | assert_eq!( |
| 193 | tzc.filter_failure(i).unwrap().fail_address(), |
| 194 | 0xfc00_abcd_0000 | ((i as u64) << 32), |
| 195 | ); |
| 196 | } |
| 197 | } |
| 198 | |
| 199 | #[test] |
| 200 | fn fail_control() { |
| 201 | let mut regs = FakeTZCRegisters::new(); |
| 202 | regs.reg_write(0x000, 0b0000_0011_0000_0000_0010_1111_0000_1000); |
| 203 | regs.reg_write(0x028, 0b0000_0001_0010_0000_0000_0000_0000_0000); |
| 204 | regs.reg_write(0x038, 0b0000_0000_0011_0000_0000_0000_0000_0000); |
| 205 | regs.reg_write(0x048, 0b0000_0001_0000_0000_0000_0000_0000_0000); |
| 206 | regs.reg_write(0x058, 0b0000_0000_0001_0000_0000_0000_0000_0000); |
| 207 | let tzc = regs.tzc_for_test(); |
| 208 | |
| 209 | let fc0 = tzc.filter_failure(0).unwrap().fail_control(); |
| 210 | let fc1 = tzc.filter_failure(1).unwrap().fail_control(); |
| 211 | let fc2 = tzc.filter_failure(2).unwrap().fail_control(); |
| 212 | let fc3 = tzc.filter_failure(3).unwrap().fail_control(); |
| 213 | |
| 214 | assert_eq!(fc0.direction(), FailAccessDirection::Write); |
| 215 | assert!(!fc0.privileged()); |
| 216 | assert!(fc0.non_secure()); |
| 217 | |
| 218 | assert_eq!(fc1.direction(), FailAccessDirection::Read); |
| 219 | assert!(fc1.privileged()); |
| 220 | assert!(fc1.non_secure()); |
| 221 | |
| 222 | assert_eq!(fc2.direction(), FailAccessDirection::Write); |
| 223 | assert!(!fc2.privileged()); |
| 224 | assert!(!fc2.non_secure()); |
| 225 | |
| 226 | assert_eq!(fc3.direction(), FailAccessDirection::Read); |
| 227 | assert!(fc3.privileged()); |
| 228 | assert!(!fc3.non_secure()); |
| 229 | } |
| 230 | |
| 231 | #[test] |
| 232 | fn fail_id() { |
| 233 | let mut regs = FakeTZCRegisters::new(); |
| 234 | regs.reg_write(0x000, 0b0000_0011_0000_0000_0010_1111_0000_1000); |
| 235 | regs.reg_write(0x02C, 0x05_00_be_ef); |
| 236 | regs.reg_write(0x03C, 0x02_de_ad_00); |
| 237 | regs.reg_write(0x04C, 0x08_ab_cd_ef); |
| 238 | regs.reg_write(0x05C, 0x0f_fe_d0_af); |
| 239 | let tzc = regs.tzc_for_test(); |
| 240 | |
| 241 | let fid0 = tzc.filter_failure(0).unwrap().fail_id(); |
| 242 | let fid1 = tzc.filter_failure(1).unwrap().fail_id(); |
| 243 | let fid2 = tzc.filter_failure(2).unwrap().fail_id(); |
| 244 | let fid3 = tzc.filter_failure(3).unwrap().fail_id(); |
| 245 | |
| 246 | assert_eq!(fid0.vnet(), 5); |
| 247 | assert_eq!(fid0.id(), 0xbeef); |
| 248 | |
| 249 | assert_eq!(fid1.vnet(), 2); |
| 250 | assert_eq!(fid1.id(), 0xdead00); |
| 251 | |
| 252 | assert_eq!(fid2.vnet(), 8); |
| 253 | assert_eq!(fid2.id(), 0xabcdef); |
| 254 | |
| 255 | assert_eq!(fid3.vnet(), 15); |
| 256 | assert_eq!(fid3.id(), 0xfed0af); |
| 257 | } |
| 258 | } |