211e701d66
Implement a model of the TrustZone Master Security Controller, as documented in the Arm CoreLink SIE-200 System IP for Embedded TRM (DDI0571G): https://developer.arm.com/products/architecture/m-profile/docs/ddi0571/g The MSC is intended to sit in front of a device which can be a bus master (eg a DMA controller) and programmably gate its transactions. This allows a bus-mastering device to be controlled by non-secure code but still restricted from making accesses to addresses which are secure-only. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20180820141116.9118-12-peter.maydell@linaro.org Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
/*
* ARM TrustZone master security controller emulation
*
* Copyright (c) 2018 Linaro Limited
* Written by Peter Maydell
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 or
* (at your option) any later version.
*/
/*
* This is a model of the TrustZone master security controller (MSC).
* It is documented in the ARM CoreLink SIE-200 System IP for Embedded TRM
* (DDI 0571G):
* https://developer.arm.com/products/architecture/m-profile/docs/ddi0571/g
*
* The MSC sits in front of a device which can be a bus master (such as
* a DMA controller) and allows secure software to configure it to either
* pass through or reject transactions made by that bus master.
* Rejected transactions may be configured to either be aborted, or to
* behave as RAZ/WI. An interrupt can be signalled for a rejected transaction.
*
* The MSC has no register interface -- it is configured purely by a
* collection of input signals from other hardware in the system. Typically
* they are either hardwired or exposed in an ad-hoc register interface by
* the SoC that uses the MSC.
*
* We don't currently implement the irq_enable GPIO input, because on
* the MPS2 FPGA images it is always tied high, which is awkward to
* implement in QEMU.
*
* QEMU interface:
* + Named GPIO input "cfg_nonsec": set to 1 if the bus master should be
* treated as nonsecure, or 0 for secure
* + Named GPIO input "cfg_sec_resp": set to 1 if a rejected transaction should
* result in a transaction error, or 0 for the transaction to RAZ/WI
* + Named GPIO input "irq_clear": set to 1 to clear a pending interrupt
* + Named GPIO output "irq": set for a transaction-failed interrupt
* + Property "downstream": MemoryRegion defining where bus master transactions
* are made if they are not blocked
* + Property "idau": an object implementing IDAUInterface, which defines which
* addresses should be treated as secure and which as non-secure.
* This need not be the same IDAU as the one used by the CPU.
* + sysbus MMIO region 0: MemoryRegion defining the upstream end of the MSC;
* this should be passed to the bus master device as the region it should
* make memory transactions to
*/
#ifndef TZ_MSC_H
#define TZ_MSC_H
#include "hw/sysbus.h"
#include "target/arm/idau.h"
/* QOM type name under which the TrustZone MSC device is registered. */
#define TYPE_TZ_MSC "tz-msc"

/*
 * Convert a generic object pointer to a TZMSC pointer. Expands to
 * OBJECT_CHECK(), QEMU's type-checked downcast, keyed on TYPE_TZ_MSC.
 */
#define TZ_MSC(obj) \
    OBJECT_CHECK(TZMSC, (obj), TYPE_TZ_MSC)
/*
 * Per-instance state of the TrustZone master security controller model.
 *
 * The device has no register interface: its gating policy is whatever
 * the named GPIO inputs currently drive, so the fields below are the
 * complete security-relevant configuration of one MSC instance.
 */
typedef struct TZMSC TZMSC;

struct TZMSC {
    /*< private >*/
    SysBusDevice parent_obj;

    /*< public >*/

    /*
     * Tracked levels of the input signals.
     *
     * cfg_nonsec:   1 = treat the bus master as nonsecure, 0 = secure.
     * cfg_sec_resp: 1 = a rejected transaction results in a transaction
     *               error, 0 = it behaves as RAZ/WI.
     * irq_clear:    1 = clear a pending interrupt.
     *
     * NOTE(review): the reset values are set by the implementation, which
     * is not part of this header. A cfg_nonsec of 0 means "secure", which
     * presumably leaves the master unrestricted -- confirm that boards
     * wire this line for every master that must be restricted.
     */
    bool cfg_nonsec;
    bool cfg_sec_resp;
    bool irq_clear;

    /* Whether the "irq" output is currently being asserted. */
    bool irq_status;

    /* Named GPIO output "irq": set for a transaction-failed interrupt. */
    qemu_irq irq;

    /*
     * Property "downstream": where the bus master's transactions are made
     * when they are not blocked.
     */
    MemoryRegion *downstream;

    /*
     * Presumably the address space built over 'downstream' and used to
     * forward permitted accesses; it is set up in the implementation --
     * confirm there.
     */
    AddressSpace downstream_as;

    /*
     * sysbus MMIO region 0: the upstream end of the MSC, to be handed to
     * the bus master as the region it makes memory transactions to.
     */
    MemoryRegion upstream;

    /*
     * Property "idau": decides which addresses are secure and which are
     * non-secure; it need not be the IDAU used by the CPU.
     * NOTE(review): handling of an unset idau is decided in the
     * implementation and cannot be seen from this header -- confirm.
     */
    IDAUInterface *idau;
};
#endif