When FEAT_SEL2 (secure EL2) is implemented, the bits VSTCR_EL2.SW and VTCR_EL2.NSW allow the guest to set things up so that the stage 2 walk for an IPA is done to the other address space, eg
 * a stage 2 walk for an NS IPA done to secure physical memory (where the translation table base address and other parameters for the walk come from the NS control registers VTTBR_EL2 and VTCR_EL2)
 * a stage 2 walk for an S IPA done to non-secure physical memory (where the parameters for the walk come from the S control registers VSTTBR_EL2 and VSTCR_EL2)
We tried to implement this, but didn't get it right -- in get_phys_addr_twostage() we identify whether we need to do the s2 walk in Secure or NonSecure, but then we fail to pay attention to whether we were doing the walk for an NS or S IPA.

The fix for this is simple -- set ptw->in_mmu_idx and ptw->in_secure based on ipa_secure, with only ptw->in_ptw_idx depending on s2walk_secure. However to make this work we first need to fix a couple of places in the ptw code that were incorrectly looking at ptw->in_secure when they either should not be or should be doing something based on ptw->in_ptw_idx.

This fixes https://gitlab.com/qemu-project/qemu/-/issues/1600 .

NB: I have tested that this fixes the test case in the bug, and that it doesn't break 'make check-avocado', but I don't have a huge supply of EL2-using guests to hand so the patchset hasn't received exhaustive testing. Plus this area of the architecture and this bit of QEMU's codebase are pretty hairy -- so careful review would be a good idea :-)

thanks
-- PMM

Peter Maydell (3):
  target/arm: Don't allow stage 2 page table walks to downgrade to NS
  target/arm: Set ptw->out_secure correctly for stage 2 translations
  target/arm: handle ipa_secure vs s2walk_secure correctly

 target/arm/ptw.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

-- 
2.34.1
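The following is an added, stand-alone C model of the stage 2 walk selection the cover letter describes; it is not QEMU's code and not part of the original posting. It assumes the Arm ARM bit positions VTCR_EL2.NSW = bit 29 and VSTCR_EL2.SW = bit 29, and the names S2Regs, S2Walk, s2_walk_setup() and s2_walk_setup_buggy() are invented for illustration. The correct variant takes the base register and TCR from the IPA's own address space and lets only the walk's PA space depend on SW/NSW; the "buggy" variant reproduces the mistake the letter describes, picking the registers from the walk's PA space instead, so the two disagree exactly when SW/NSW redirect the walk.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions from the Arm ARM register descriptions (assumed here). */
#define VTCR_NSW   (UINT64_C(1) << 29)   /* VTCR_EL2.NSW: NS IPA walks go to NS PA space */
#define VSTCR_SW   (UINT64_C(1) << 29)   /* VSTCR_EL2.SW: S IPA walks go to NS PA space  */

/* Hypothetical bundle of the EL2 stage 2 control registers. */
typedef struct {
    bool secure_el2;      /* FEAT_SEL2 implemented and EL2 is Secure */
    uint64_t vtcr_el2;    /* NS stage 2 control */
    uint64_t vttbr_el2;   /* NS stage 2 table base */
    uint64_t vstcr_el2;   /* S stage 2 control */
    uint64_t vsttbr_el2;  /* S stage 2 table base */
} S2Regs;

/* Result of deciding how a stage 2 walk is to be performed. */
typedef struct {
    bool ipa_secure;      /* address space of the IPA being translated */
    bool walk_secure;     /* PA space the walk's table accesses go to */
    uint64_t ttbr;        /* base register supplying the walk's parameters */
    uint64_t tcr;
} S2Walk;

/* PA space of the table walk: depends on the IPA space and on SW/NSW.
 * Without Secure EL2 there is only the NS IPA space and walks are NS. */
static bool s2_walk_space_secure(const S2Regs *r, bool ipa_secure)
{
    if (!r->secure_el2) {
        return false;
    }
    return ipa_secure ? !(r->vstcr_el2 & VSTCR_SW)
                      : !(r->vtcr_el2 & VTCR_NSW);
}

/* Correct selection: parameters come from the IPA's own address space;
 * only the PA space used for the table accesses follows SW/NSW. */
S2Walk s2_walk_setup(const S2Regs *r, bool ipa_secure)
{
    S2Walk w;
    w.ipa_secure = r->secure_el2 && ipa_secure;
    w.walk_secure = s2_walk_space_secure(r, w.ipa_secure);
    w.ttbr = w.ipa_secure ? r->vsttbr_el2 : r->vttbr_el2;
    w.tcr = w.ipa_secure ? r->vstcr_el2 : r->vtcr_el2;
    return w;
}

/* Model of the mistake described in the cover letter: the walk's PA space is
 * computed correctly, but the parameters are then taken from the registers
 * of that PA space rather than from the registers of the IPA space. */
S2Walk s2_walk_setup_buggy(const S2Regs *r, bool ipa_secure)
{
    S2Walk w;
    w.ipa_secure = r->secure_el2 && ipa_secure;
    w.walk_secure = s2_walk_space_secure(r, w.ipa_secure);
    w.ttbr = w.walk_secure ? r->vsttbr_el2 : r->vttbr_el2;
    w.tcr = w.walk_secure ? r->vstcr_el2 : r->vtcr_el2;
    return w;
}

int main(void)
{
    /* Constructed register values; distinct bases make the mix-up visible. */
    S2Regs r = { true, 0 /* NSW clear */, 0x1000, VSTCR_SW, 0x2000 };
    S2Walk ok = s2_walk_setup(&r, false);
    S2Walk bad = s2_walk_setup_buggy(&r, false);
    printf("NS IPA, NSW=0: walk_secure=%d ttbr ok=%#llx buggy=%#llx\n",
           ok.walk_secure, (unsigned long long)ok.ttbr,
           (unsigned long long)bad.ttbr);
    return 0;
}
```

With NSW clear, an NS IPA walk goes to Secure memory, so the buggy variant reaches for VSTTBR_EL2 even though the IPA is Non-secure; with SW set, a Secure IPA walk goes to Non-secure memory and the buggy variant reads VTTBR_EL2. When SW/NSW do not redirect the walk, or without Secure EL2, the two variants agree, which is why the problem is easy to miss in testing.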