/*
 * ARM AHB5 TrustZone Memory Protection Controller emulation
 *
 * Copyright (c) 2018 Linaro Limited
 * Written by Peter Maydell
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 or
 * (at your option) any later version.
 */

#include "qemu/osdep.h"
#include "qemu/log.h"
#include "qemu/module.h"
#include "qapi/error.h"
#include "trace.h"
#include "hw/sysbus.h"
#include "migration/vmstate.h"
#include "hw/registerfields.h"
#include "hw/irq.h"
#include "hw/misc/tz-mpc.h"
#include "hw/qdev-properties.h"

/* Our IOMMU has two IOMMU indexes, one for secure transactions and one for
 * non-secure transactions.
 */
enum {
    IOMMU_IDX_S,
    IOMMU_IDX_NS,
    IOMMU_NUM_INDEXES,
};

/* Config registers */
REG32(CTRL, 0x00)
    FIELD(CTRL, SEC_RESP, 4, 1)
    FIELD(CTRL, AUTOINC, 8, 1)
    FIELD(CTRL, LOCKDOWN, 31, 1)
REG32(BLK_MAX, 0x10)
REG32(BLK_CFG, 0x14)
REG32(BLK_IDX, 0x18)
REG32(BLK_LUT, 0x1c)
REG32(INT_STAT, 0x20)
    FIELD(INT_STAT, IRQ, 0, 1)
REG32(INT_CLEAR, 0x24)
    FIELD(INT_CLEAR, IRQ, 0, 1)
REG32(INT_EN, 0x28)
    FIELD(INT_EN, IRQ, 0, 1)
REG32(INT_INFO1, 0x2c)
REG32(INT_INFO2, 0x30)
    FIELD(INT_INFO2, HMASTER, 0, 16)
    FIELD(INT_INFO2, HNONSEC, 16, 1)
    FIELD(INT_INFO2, CFG_NS, 17, 1)
REG32(INT_SET, 0x34)
    FIELD(INT_SET, IRQ, 0, 1)
REG32(PIDR4, 0xfd0)
REG32(PIDR5, 0xfd4)
REG32(PIDR6, 0xfd8)
REG32(PIDR7, 0xfdc)
REG32(PIDR0, 0xfe0)
REG32(PIDR1, 0xfe4)
REG32(PIDR2, 0xfe8)
REG32(PIDR3, 0xfec)
REG32(CIDR0, 0xff0)
REG32(CIDR1, 0xff4)
REG32(CIDR2, 0xff8)
REG32(CIDR3, 0xffc)

static const uint8_t tz_mpc_idregs[] = {
    0x04, 0x00, 0x00, 0x00,
    0x60, 0xb8, 0x1b, 0x00,
    0x0d, 0xf0, 0x05, 0xb1,
};

static void tz_mpc_irq_update(TZMPC *s)
{
    qemu_set_irq(s->irq, s->int_stat && s->int_en);
}

static void tz_mpc_iommu_notify(TZMPC *s, uint32_t lutidx,
                                uint32_t oldlut, uint32_t newlut)
{
    /* Called when the LUT word at lutidx has changed from oldlut to newlut;
     * must call the IOMMU notifiers for the changed blocks.
     */
    IOMMUTLBEvent event = {
        .entry = {
            .addr_mask = s->blocksize - 1,
        }
    };
    hwaddr addr = lutidx * s->blocksize * 32;
    int i;

    for (i = 0; i < 32; i++, addr += s->blocksize) {
        bool block_is_ns;

        if (!((oldlut ^ newlut) & (1 << i))) {
            continue;
        }
        /* This changes the mappings for both the S and the NS space,
         * so we need to do four notifies: an UNMAP then a MAP for each.
         */
        block_is_ns = newlut & (1 << i);

        trace_tz_mpc_iommu_notify(addr);
        event.entry.iova = addr;
        event.entry.translated_addr = addr;

        event.type = IOMMU_NOTIFIER_UNMAP;
        event.entry.perm = IOMMU_NONE;
        memory_region_notify_iommu(&s->upstream, IOMMU_IDX_S, event);
        memory_region_notify_iommu(&s->upstream, IOMMU_IDX_NS, event);

        event.type = IOMMU_NOTIFIER_MAP;
        event.entry.perm = IOMMU_RW;
        if (block_is_ns) {
            event.entry.target_as = &s->blocked_io_as;
        } else {
            event.entry.target_as = &s->downstream_as;
        }
        memory_region_notify_iommu(&s->upstream, IOMMU_IDX_S, event);
        if (block_is_ns) {
            event.entry.target_as = &s->downstream_as;
        } else {
            event.entry.target_as = &s->blocked_io_as;
        }
        memory_region_notify_iommu(&s->upstream, IOMMU_IDX_NS, event);
    }
}

static void tz_mpc_autoinc_idx(TZMPC *s, unsigned access_size)
{
    /* Auto-increment BLK_IDX if necessary */
    if (access_size == 4 && (s->ctrl & R_CTRL_AUTOINC_MASK)) {
        s->blk_idx++;
        s->blk_idx %= s->blk_max;
    }
}

static MemTxResult tz_mpc_reg_read(void *opaque, hwaddr addr,
                                   uint64_t *pdata,
                                   unsigned size, MemTxAttrs attrs)
{
    TZMPC *s = TZ_MPC(opaque);
    uint64_t r;
    uint32_t offset = addr & ~0x3;

    if (!attrs.secure && offset < A_PIDR4) {
        /* NS accesses can only see the ID registers */
        qemu_log_mask(LOG_GUEST_ERROR,
                      "TZ MPC register read: NS access to offset 0x%x\n",
                      offset);
        r = 0;
        goto read_out;
    }

    switch (offset) {
    case A_CTRL:
        r = s->ctrl;
        break;
    case A_BLK_MAX:
        r = s->blk_max - 1;
        break;
    case A_BLK_CFG:
        /* We are never in "init in progress state", so this just indicates
         * the block size. s->blocksize == (1 << BLK_CFG + 5), so
         * BLK_CFG == ctz32(s->blocksize) - 5
         */
        r = ctz32(s->blocksize) - 5;
        break;
    case A_BLK_IDX:
        r = s->blk_idx;
        break;
    case A_BLK_LUT:
        r = s->blk_lut[s->blk_idx];
        tz_mpc_autoinc_idx(s, size);
        break;
    case A_INT_STAT:
        r = s->int_stat;
        break;
    case A_INT_EN:
        r = s->int_en;
        break;
    case A_INT_INFO1:
        r = s->int_info1;
        break;
    case A_INT_INFO2:
        r = s->int_info2;
        break;
    case A_PIDR4:
    case A_PIDR5:
    case A_PIDR6:
    case A_PIDR7:
    case A_PIDR0:
    case A_PIDR1:
    case A_PIDR2:
    case A_PIDR3:
    case A_CIDR0:
    case A_CIDR1:
    case A_CIDR2:
    case A_CIDR3:
        r = tz_mpc_idregs[(offset - A_PIDR4) / 4];
        break;
    case A_INT_CLEAR:
    case A_INT_SET:
        qemu_log_mask(LOG_GUEST_ERROR,
                      "TZ MPC register read: write-only offset 0x%x\n",
                      offset);
        r = 0;
        break;
    default:
        qemu_log_mask(LOG_GUEST_ERROR,
                      "TZ MPC register read: bad offset 0x%x\n", offset);
        r = 0;
        break;
    }

    if (size != 4) {
        /* None of our registers are read-sensitive (except BLK_LUT,
         * which can special case the "size not 4" case), so just
         * pull the right bytes out of the word read result.
         */
        r = extract32(r, (addr & 3) * 8, size * 8);
    }

read_out:
    trace_tz_mpc_reg_read(addr, r, size);
    *pdata = r;
    return MEMTX_OK;
}

static MemTxResult tz_mpc_reg_write(void *opaque, hwaddr addr,
                                    uint64_t value,
                                    unsigned size, MemTxAttrs attrs)
{
    TZMPC *s = TZ_MPC(opaque);
    uint32_t offset = addr & ~0x3;

    trace_tz_mpc_reg_write(addr, value, size);

    if (!attrs.secure && offset < A_PIDR4) {
        /* NS accesses can only see the ID registers */
        qemu_log_mask(LOG_GUEST_ERROR,
                      "TZ MPC register write: NS access to offset 0x%x\n",
                      offset);
        return MEMTX_OK;
    }

    if (size != 4) {
        /* Expand the byte or halfword write to a full word size.
         * In most cases we can do this with zeroes; the exceptions
         * are CTRL, BLK_IDX and BLK_LUT.
         */
        uint32_t oldval;

        switch (offset) {
        case A_CTRL:
            oldval = s->ctrl;
            break;
        case A_BLK_IDX:
            oldval = s->blk_idx;
            break;
        case A_BLK_LUT:
            oldval = s->blk_lut[s->blk_idx];
            break;
        default:
            oldval = 0;
            break;
        }
        value = deposit32(oldval, (addr & 3) * 8, size * 8, value);
    }

    if ((s->ctrl & R_CTRL_LOCKDOWN_MASK) &&
        (offset == A_CTRL || offset == A_BLK_LUT || offset == A_INT_EN)) {
        /* Lockdown mode makes these three registers read-only, and
         * the only way out of it is to reset the device.
         */
        qemu_log_mask(LOG_GUEST_ERROR, "TZ MPC register write to offset 0x%x "
                      "while MPC is in lockdown mode\n", offset);
        return MEMTX_OK;
    }

    switch (offset) {
    case A_CTRL:
        /* We don't implement the 'data gating' feature so all other bits
         * are reserved and we make them RAZ/WI.
         */
        s->ctrl = value & (R_CTRL_SEC_RESP_MASK |
                           R_CTRL_AUTOINC_MASK |
                           R_CTRL_LOCKDOWN_MASK);
        break;
    case A_BLK_IDX:
        s->blk_idx = value % s->blk_max;
        break;
    case A_BLK_LUT:
        tz_mpc_iommu_notify(s, s->blk_idx, s->blk_lut[s->blk_idx], value);
        s->blk_lut[s->blk_idx] = value;
        tz_mpc_autoinc_idx(s, size);
        break;
    case A_INT_CLEAR:
        if (value & R_INT_CLEAR_IRQ_MASK) {
            s->int_stat = 0;
            tz_mpc_irq_update(s);
        }
        break;
    case A_INT_EN:
        s->int_en = value & R_INT_EN_IRQ_MASK;
        tz_mpc_irq_update(s);
        break;
    case A_INT_SET:
        if (value & R_INT_SET_IRQ_MASK) {
            s->int_stat = R_INT_STAT_IRQ_MASK;
            tz_mpc_irq_update(s);
        }
        break;
    case A_PIDR4:
    case A_PIDR5:
    case A_PIDR6:
    case A_PIDR7:
    case A_PIDR0:
    case A_PIDR1:
    case A_PIDR2:
    case A_PIDR3:
    case A_CIDR0:
    case A_CIDR1:
    case A_CIDR2:
    case A_CIDR3:
        qemu_log_mask(LOG_GUEST_ERROR,
                      "TZ MPC register write: read-only offset 0x%x\n", offset);
        break;
    default:
        qemu_log_mask(LOG_GUEST_ERROR,
                      "TZ MPC register write: bad offset 0x%x\n", offset);
        break;
    }

    return MEMTX_OK;
}

static const MemoryRegionOps tz_mpc_reg_ops = {
    .read_with_attrs = tz_mpc_reg_read,
    .write_with_attrs = tz_mpc_reg_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
    .valid.min_access_size = 1,
    .valid.max_access_size = 4,
    .impl.min_access_size = 1,
    .impl.max_access_size = 4,
};

static inline bool tz_mpc_cfg_ns(TZMPC *s, hwaddr addr)
{
    /* Return the cfg_ns bit from the LUT for the specified address */
    hwaddr blknum = addr / s->blocksize;
    hwaddr blkword = blknum / 32;
    uint32_t blkbit = 1U << (blknum % 32);

    /* This would imply the address was larger than the size we
     * defined this memory region to be, so it can't happen.
     */
    assert(blkword < s->blk_max);
    return s->blk_lut[blkword] & blkbit;
}

static MemTxResult tz_mpc_handle_block(TZMPC *s, hwaddr addr, MemTxAttrs attrs)
{
    /* Handle a blocked transaction: raise IRQ, capture info, etc */
    if (!s->int_stat) {
        /* First blocked transfer: capture information into INT_INFO1 and
         * INT_INFO2. Subsequent transfers are still blocked but don't
         * capture information until the guest clears the interrupt.
         */

        s->int_info1 = addr;
        s->int_info2 = 0;
        s->int_info2 = FIELD_DP32(s->int_info2, INT_INFO2, HMASTER,
                                  attrs.requester_id & 0xffff);
        s->int_info2 = FIELD_DP32(s->int_info2, INT_INFO2, HNONSEC,
                                  ~attrs.secure);
        s->int_info2 = FIELD_DP32(s->int_info2, INT_INFO2, CFG_NS,
                                  tz_mpc_cfg_ns(s, addr));
        s->int_stat |= R_INT_STAT_IRQ_MASK;
        tz_mpc_irq_update(s);
    }

    /* Generate bus error if desired; otherwise RAZ/WI */
    return (s->ctrl & R_CTRL_SEC_RESP_MASK) ? MEMTX_ERROR : MEMTX_OK;
}

/* Accesses only reach these read and write functions if the MPC is
 * blocking them; non-blocked accesses go directly to the downstream
 * memory region without passing through this code.
 */
static MemTxResult tz_mpc_mem_blocked_read(void *opaque, hwaddr addr,
                                           uint64_t *pdata,
                                           unsigned size, MemTxAttrs attrs)
{
    TZMPC *s = TZ_MPC(opaque);

    trace_tz_mpc_mem_blocked_read(addr, size, attrs.secure);

    *pdata = 0;
    return tz_mpc_handle_block(s, addr, attrs);
}

static MemTxResult tz_mpc_mem_blocked_write(void *opaque, hwaddr addr,
                                            uint64_t value,
                                            unsigned size, MemTxAttrs attrs)
{
    TZMPC *s = TZ_MPC(opaque);

    trace_tz_mpc_mem_blocked_write(addr, value, size, attrs.secure);

    return tz_mpc_handle_block(s, addr, attrs);
}

static const MemoryRegionOps tz_mpc_mem_blocked_ops = {
    .read_with_attrs = tz_mpc_mem_blocked_read,
    .write_with_attrs = tz_mpc_mem_blocked_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
    .valid.min_access_size = 1,
    .valid.max_access_size = 8,
    .impl.min_access_size = 1,
    .impl.max_access_size = 8,
};

static IOMMUTLBEntry tz_mpc_translate(IOMMUMemoryRegion *iommu,
                                      hwaddr addr, IOMMUAccessFlags flags,
                                      int iommu_idx)
{
    TZMPC *s = TZ_MPC(container_of(iommu, TZMPC, upstream));
    bool ok;

    IOMMUTLBEntry ret = {
        .iova = addr & ~(s->blocksize - 1),
        .translated_addr = addr & ~(s->blocksize - 1),
        .addr_mask = s->blocksize - 1,
        .perm = IOMMU_RW,
    };

    /* Look at the per-block configuration for this address, and
     * return a TLB entry directing the transaction at either
     * downstream_as or blocked_io_as, as appropriate.
     * If the LUT cfg_ns bit is 1, only non-secure transactions
     * may pass. If the bit is 0, only secure transactions may pass.
     */
    ok = tz_mpc_cfg_ns(s, addr) == (iommu_idx == IOMMU_IDX_NS);

    trace_tz_mpc_translate(addr, flags,
                           iommu_idx == IOMMU_IDX_S ? "S" : "NS",
                           ok ? "pass" : "block");

    ret.target_as = ok ? &s->downstream_as : &s->blocked_io_as;
    return ret;
}

static int tz_mpc_attrs_to_index(IOMMUMemoryRegion *iommu, MemTxAttrs attrs)
{
    /* We treat unspecified attributes like secure. Transactions with
     * unspecified attributes come from places like
     * rom_reset() for initial image load, and we want
     * those to pass through the from-reset "everything is secure" config.
     * All the real during-emulation transactions from the CPU will
     * specify attributes.
     */
    return (attrs.unspecified || attrs.secure) ? IOMMU_IDX_S : IOMMU_IDX_NS;
}

static int tz_mpc_num_indexes(IOMMUMemoryRegion *iommu)
{
    return IOMMU_NUM_INDEXES;
}

static void tz_mpc_reset(DeviceState *dev)
{
    TZMPC *s = TZ_MPC(dev);

    s->ctrl = 0x00000100;
    s->blk_idx = 0;
    s->int_stat = 0;
    s->int_en = 1;
    s->int_info1 = 0;
    s->int_info2 = 0;

    memset(s->blk_lut, 0, s->blk_max * sizeof(uint32_t));
}

static void tz_mpc_init(Object *obj)
{
    DeviceState *dev = DEVICE(obj);
    TZMPC *s = TZ_MPC(obj);

    qdev_init_gpio_out_named(dev, &s->irq, "irq", 1);
}

static void tz_mpc_realize(DeviceState *dev, Error **errp)
{
    Object *obj = OBJECT(dev);
    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
    TZMPC *s = TZ_MPC(dev);
    uint64_t size;

    /* We can't create the upstream end of the port until realize,
     * as we don't know the size of the MR used as the downstream until then.
     * We insist on having a downstream, to avoid complicating the code
     * with handling the "don't know how big this is" case. It's easy
     * enough for the user to create an unimplemented_device as downstream
     * if they have nothing else to plug into this.
     */
    if (!s->downstream) {
        error_setg(errp, "MPC 'downstream' link not set");
        return;
    }

    size = memory_region_size(s->downstream);

    memory_region_init_iommu(&s->upstream, sizeof(s->upstream),
                             TYPE_TZ_MPC_IOMMU_MEMORY_REGION,
                             obj, "tz-mpc-upstream", size);

    /* In real hardware the block size is configurable. In QEMU we could
     * make it configurable but will need it to be at least as big as the
     * target page size so we can execute out of the resulting MRs. Guest
     * software is supposed to check the block size using the BLK_CFG
     * register, so make it fixed at the page size.
     */
    s->blocksize = memory_region_iommu_get_min_page_size(&s->upstream);
    if (size % s->blocksize != 0) {
        error_setg(errp,
                   "MPC 'downstream' size %" PRId64
                   " is not a multiple of %" HWADDR_PRIx " bytes",
                   size, s->blocksize);
        object_unref(OBJECT(&s->upstream));
        return;
    }

    /* BLK_MAX is the max value of BLK_IDX, which indexes an array of 32-bit
     * words, each bit of which indicates one block.
     */
    s->blk_max = DIV_ROUND_UP(size / s->blocksize, 32);

    memory_region_init_io(&s->regmr, obj, &tz_mpc_reg_ops,
                          s, "tz-mpc-regs", 0x1000);
    sysbus_init_mmio(sbd, &s->regmr);

    sysbus_init_mmio(sbd, MEMORY_REGION(&s->upstream));

    /* This memory region is not exposed to users of this device as a
     * sysbus MMIO region, but is instead used internally as something
     * that our IOMMU translate function might direct accesses to.
     */
    memory_region_init_io(&s->blocked_io, obj, &tz_mpc_mem_blocked_ops,
                          s, "tz-mpc-blocked-io", size);

    address_space_init(&s->downstream_as, s->downstream,
                       "tz-mpc-downstream");
    address_space_init(&s->blocked_io_as, &s->blocked_io,
                       "tz-mpc-blocked-io");

    s->blk_lut = g_new0(uint32_t, s->blk_max);
}

static int tz_mpc_post_load(void *opaque, int version_id)
{
    TZMPC *s = TZ_MPC(opaque);

    /* Check the incoming data doesn't point blk_idx off the end of blk_lut. */
    if (s->blk_idx >= s->blk_max) {
        return -1;
    }
    return 0;
}

static const VMStateDescription tz_mpc_vmstate = {
    .name = "tz-mpc",
    .version_id = 1,
    .minimum_version_id = 1,
    .post_load = tz_mpc_post_load,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(ctrl, TZMPC),
        VMSTATE_UINT32(blk_idx, TZMPC),
        VMSTATE_UINT32(int_stat, TZMPC),
        VMSTATE_UINT32(int_en, TZMPC),
        VMSTATE_UINT32(int_info1, TZMPC),
        VMSTATE_UINT32(int_info2, TZMPC),
        VMSTATE_VARRAY_UINT32(blk_lut, TZMPC, blk_max,
                              0, vmstate_info_uint32, uint32_t),
        VMSTATE_END_OF_LIST()
    }
};

static Property tz_mpc_properties[] = {
    DEFINE_PROP_LINK("downstream", TZMPC, downstream,
                     TYPE_MEMORY_REGION, MemoryRegion *),
    DEFINE_PROP_END_OF_LIST(),
};

static void tz_mpc_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *dc = DEVICE_CLASS(klass);

    dc->realize = tz_mpc_realize;
    dc->vmsd = &tz_mpc_vmstate;
    dc->reset = tz_mpc_reset;
    device_class_set_props(dc, tz_mpc_properties);
}

static const TypeInfo tz_mpc_info = {
    .name = TYPE_TZ_MPC,
    .parent = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(TZMPC),
    .instance_init = tz_mpc_init,
    .class_init = tz_mpc_class_init,
};

static void tz_mpc_iommu_memory_region_class_init(ObjectClass *klass,
                                                  void *data)
{
    IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass);

    imrc->translate = tz_mpc_translate;
    imrc->attrs_to_index = tz_mpc_attrs_to_index;
    imrc->num_indexes = tz_mpc_num_indexes;
}

static const TypeInfo tz_mpc_iommu_memory_region_info = {
    .name = TYPE_TZ_MPC_IOMMU_MEMORY_REGION,
    .parent = TYPE_IOMMU_MEMORY_REGION,
    .class_init = tz_mpc_iommu_memory_region_class_init,
};

static void tz_mpc_register_types(void)
{
    type_register_static(&tz_mpc_info);
    type_register_static(&tz_mpc_iommu_memory_region_info);
}

type_init(tz_mpc_register_types);