1/* 2 * ARM TrustZone peripheral protection controller emulation 3 * 4 * Copyright (c) 2018 Linaro Limited 5 * Written by Peter Maydell 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 or 9 * (at your option) any later version. 10 */ 11 12/* This is a model of the TrustZone peripheral protection controller (PPC). 13 * It is documented in the ARM CoreLink SIE-200 System IP for Embedded TRM 14 * (DDI 0571G): 15 * https://developer.arm.com/products/architecture/m-profile/docs/ddi0571/g 16 * 17 * The PPC sits in front of peripherals and allows secure software to 18 * configure it to either pass through or reject transactions. 19 * Rejected transactions may be configured to either be aborted, or to 20 * behave as RAZ/WI. An interrupt can be signalled for a rejected transaction. 21 * 22 * The PPC has no register interface -- it is configured purely by a 23 * collection of input signals from other hardware in the system. Typically 24 * they are either hardwired or exposed in an ad-hoc register interface by 25 * the SoC that uses the PPC. 26 * 27 * This QEMU model can be used to model either the AHB5 or APB4 TZ PPC, 28 * since the only difference between them is that the AHB version has a 29 * "default" port which has no security checks applied. In QEMU the default 30 * port can be emulated simply by wiring its downstream devices directly 31 * into the parent address space, since the PPC does not need to intercept 32 * transactions there. 33 * 34 * In the hardware, selection of which downstream port to use is done by 35 * the user's decode logic asserting one of the hsel[] signals. In QEMU, 36 * we provide 16 MMIO regions, one per port, and the user maps these into 37 * the desired addresses to implement the address decode. 38 * 39 * QEMU interface: 40 * + sysbus MMIO regions 0..15: MemoryRegions defining the upstream end 41 * of each of the 16 ports of the PPC 42 * + Property "port[0..15]": MemoryRegion defining the downstream device(s) 43 * for each of the 16 ports of the PPC 44 * + Named GPIO inputs "cfg_nonsec[0..15]": set to 1 if the port should be 45 * accessible to NonSecure transactions 46 * + Named GPIO inputs "cfg_ap[0..15]": set to 1 if the port should be 47 * accessible to non-privileged transactions 48 * + Named GPIO input "cfg_sec_resp": set to 1 if a rejected transaction should 49 * result in a transaction error, or 0 for the transaction to RAZ/WI 50 * + Named GPIO input "irq_enable": set to 1 to enable interrupts 51 * + Named GPIO input "irq_clear": set to 1 to clear a pending interrupt 52 * + Named GPIO output "irq": set for a transaction-failed interrupt 53 * + Property "NONSEC_MASK": if a bit is set in this mask then accesses to 54 * the associated port do not have the TZ security check performed. (This 55 * corresponds to the hardware allowing this to be set as a Verilog 56 * parameter.) 57 */ 58 59#ifndef TZ_PPC_H 60#define TZ_PPC_H 61 62#include "hw/sysbus.h" 63 64#define TYPE_TZ_PPC "tz-ppc" 65#define TZ_PPC(obj) OBJECT_CHECK(TZPPC, (obj), TYPE_TZ_PPC) 66 67#define TZ_NUM_PORTS 16 68 69typedef struct TZPPC TZPPC; 70 71typedef struct TZPPCPort { 72 TZPPC *ppc; 73 MemoryRegion upstream; 74 AddressSpace downstream_as; 75 MemoryRegion *downstream; 76} TZPPCPort; 77 78struct TZPPC { 79 /*< private >*/ 80 SysBusDevice parent_obj; 81 82 /*< public >*/ 83 84 /* State: these just track the values of our input signals */ 85 bool cfg_nonsec[TZ_NUM_PORTS]; 86 bool cfg_ap[TZ_NUM_PORTS]; 87 bool cfg_sec_resp; 88 bool irq_enable; 89 bool irq_clear; 90 /* State: are we asserting irq ? */ 91 bool irq_status; 92 93 qemu_irq irq; 94 95 /* Properties */ 96 uint32_t nonsec_mask; 97 98 TZPPCPort port[TZ_NUM_PORTS]; 99}; 100 101#endif 102