aboutsummaryrefslogtreecommitdiff
path: root/include/hw/misc/tz-ppc.h
blob: fc8b806e4dfb45a3ba9ba6992ee912d1f203ca35 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
/*
 * ARM TrustZone peripheral protection controller emulation
 *
 * Copyright (c) 2018 Linaro Limited
 * Written by Peter Maydell
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 or
 * (at your option) any later version.
 */

/* This is a model of the TrustZone peripheral protection controller (PPC).
 * It is documented in the ARM CoreLink SIE-200 System IP for Embedded TRM
 * (DDI 0571G):
 * https://developer.arm.com/products/architecture/m-profile/docs/ddi0571/g
 *
 * The PPC sits in front of peripherals and allows secure software to
 * configure it to either pass through or reject transactions.
 * Rejected transactions may be configured to either be aborted, or to
 * behave as RAZ/WI. An interrupt can be signalled for a rejected transaction.
 *
 * The PPC has no register interface -- it is configured purely by a
 * collection of input signals from other hardware in the system. Typically
 * they are either hardwired or exposed in an ad-hoc register interface by
 * the SoC that uses the PPC.
 *
 * This QEMU model can be used to model either the AHB5 or APB4 TZ PPC,
 * since the only difference between them is that the AHB version has a
 * "default" port which has no security checks applied. In QEMU the default
 * port can be emulated simply by wiring its downstream devices directly
 * into the parent address space, since the PPC does not need to intercept
 * transactions there.
 *
 * In the hardware, selection of which downstream port to use is done by
 * the user's decode logic asserting one of the hsel[] signals. In QEMU,
 * we provide 16 MMIO regions, one per port, and the user maps these into
 * the desired addresses to implement the address decode.
 *
 * QEMU interface:
 * + sysbus MMIO regions 0..15: MemoryRegions defining the upstream end
 *   of each of the 16 ports of the PPC
 * + Property "port[0..15]": MemoryRegion defining the downstream device(s)
 *   for each of the 16 ports of the PPC
 * + Named GPIO inputs "cfg_nonsec[0..15]": set to 1 if the port should be
 *   accessible to NonSecure transactions
 * + Named GPIO inputs "cfg_ap[0..15]": set to 1 if the port should be
 *   accessible to non-privileged transactions
 * + Named GPIO input "cfg_sec_resp": set to 1 if a rejected transaction should
 *   result in a transaction error, or 0 for the transaction to RAZ/WI
 * + Named GPIO input "irq_enable": set to 1 to enable interrupts
 * + Named GPIO input "irq_clear": set to 1 to clear a pending interrupt
 * + Named GPIO output "irq": set for a transaction-failed interrupt
 * + Property "NONSEC_MASK": if a bit is set in this mask then accesses to
 *   the associated port do not have the TZ security check performed. (This
 *   corresponds to the hardware allowing this to be set as a Verilog
 *   parameter.)
 */

#ifndef TZ_PPC_H
#define TZ_PPC_H

#include "hw/sysbus.h"

#define TYPE_TZ_PPC "tz-ppc"
#define TZ_PPC(obj) OBJECT_CHECK(TZPPC, (obj), TYPE_TZ_PPC)

#define TZ_NUM_PORTS 16

typedef struct TZPPC TZPPC;

typedef struct TZPPCPort {
    TZPPC *ppc;
    MemoryRegion upstream;
    AddressSpace downstream_as;
    MemoryRegion *downstream;
} TZPPCPort;

struct TZPPC {
    /*< private >*/
    SysBusDevice parent_obj;

    /*< public >*/

    /* State: these just track the values of our input signals */
    bool cfg_nonsec[TZ_NUM_PORTS];
    bool cfg_ap[TZ_NUM_PORTS];
    bool cfg_sec_resp;
    bool irq_enable;
    bool irq_clear;
    /* State: are we asserting irq ? */
    bool irq_status;

    qemu_irq irq;

    /* Properties */
    uint32_t nonsec_mask;

    TZPPCPort port[TZ_NUM_PORTS];
};

#endif