As per the AArch64.S2Walk() pseudo-code in the ARMv8 ARM, the final decision as to the output address's PA space based on the SA/SW/NSA/NSW bits needs to take the input IPA's PA space into account, and not the PA space of the result of the stage 2 walk itself.
Signed-off-by: Idan Horowitz <idan.horow...@gmail.com>
---
 target/arm/helper.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index e2695e846a..16c2628f8f 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -12644,6 +12644,7 @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
 hwaddr ipa;
 int s2_prot;
 int ret;
+ bool ipa_secure;
 ARMCacheAttrs cacheattrs2 = {};
 ARMMMUIdx s2_mmu_idx;
 bool is_el0;
@@ -12657,14 +12658,15 @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
 return ret;
 }
+ ipa_secure = attrs->secure;
 if (arm_is_secure_below_el3(env)) {
- if (attrs->secure) {
+ if (ipa_secure) {
 attrs->secure = !(env->cp15.vstcr_el2.raw_tcr & VSTCR_SW);
 } else {
 attrs->secure = !(env->cp15.vtcr_el2.raw_tcr & VTCR_NSW);
 }
 } else {
- assert(!attrs->secure);
+ assert(!ipa_secure);
 }
 s2_mmu_idx = attrs->secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
@@ -12701,7 +12703,7 @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
 /* Check if IPA translates to secure or non-secure PA space. */
 if (arm_is_secure_below_el3(env)) {
- if (attrs->secure) {
+ if (ipa_secure) {
 attrs->secure = !(env->cp15.vstcr_el2.raw_tcr & (VSTCR_SA | VSTCR_SW));
 } else {
--
2.35.1
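Review bot: The snapshot `ipa_secure = attrs->secure;` in the second hunk carries no comment, yet the fix depends entirely on where it sits: after the stage 1 early return and before the `arm_is_secure_below_el3()` block that overwrites `attrs->secure` to select `s2_mmu_idx`. I would add `/* Save the IPA's security space; attrs->secure is overwritten below for the stage 2 walk. */` above it, so a later reordering does not silently bring back the wrong secure/non-secure PA decision in the third hunk. The existing comment in the third hunk could likewise state that the test keys on the IPA's space rather than the walk's. Both hunks are inside get_phys_addr(), whose body starts and ends outside the visible lines, and the `else` branch of the final check is cut off, so whether it needs a matching change cannot be confirmed from here.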