Message ID | 20200825001711.1340443-9-hskinnemoen@google.com (mailing list archive) |
---|---|
State | New, archived |
Series | Add Nuvoton NPCM730/NPCM750 SoCs and two BMC machines | expand |
On 200824 1717, Havard Skinnemoen via wrote: > This supports reading and writing OTP fuses and keys. Only fuse reading > has been tested. Protection is not implemented. > > Reviewed-by: Avi Fishman <avi.fishman@nuvoton.com> > Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> > Signed-off-by: Havard Skinnemoen <hskinnemoen@google.com> > --- > include/hw/arm/npcm7xx.h | 3 + > include/hw/nvram/npcm7xx_otp.h | 79 ++++++ > hw/arm/npcm7xx.c | 29 +++ > hw/nvram/npcm7xx_otp.c | 439 +++++++++++++++++++++++++++++++++ > hw/nvram/meson.build | 1 + > 5 files changed, 551 insertions(+) > create mode 100644 include/hw/nvram/npcm7xx_otp.h > create mode 100644 hw/nvram/npcm7xx_otp.c > > diff --git a/include/hw/arm/npcm7xx.h b/include/hw/arm/npcm7xx.h > index ba7495869d..5816a07a72 100644 > --- a/include/hw/arm/npcm7xx.h > +++ b/include/hw/arm/npcm7xx.h > @@ -20,6 +20,7 @@ > #include "hw/cpu/a9mpcore.h" > #include "hw/misc/npcm7xx_clk.h" > #include "hw/misc/npcm7xx_gcr.h" > +#include "hw/nvram/npcm7xx_otp.h" > #include "hw/timer/npcm7xx_timer.h" > #include "target/arm/cpu.h" > > @@ -68,6 +69,8 @@ typedef struct NPCM7xxState { > NPCM7xxGCRState gcr; > NPCM7xxCLKState clk; > NPCM7xxTimerCtrlState tim[3]; > + NPCM7xxOTPState key_storage; > + NPCM7xxOTPState fuse_array; > } NPCM7xxState; > > #define TYPE_NPCM7XX "npcm7xx" > diff --git a/include/hw/nvram/npcm7xx_otp.h b/include/hw/nvram/npcm7xx_otp.h > new file mode 100644 > index 0000000000..156bbd151a > --- /dev/null > +++ b/include/hw/nvram/npcm7xx_otp.h 
> @@ -0,0 +1,79 @@ > +/* > + * Nuvoton NPCM7xx OTP (Fuse Array) Interface > + * > + * Copyright 2020 Google LLC > + * > + * This program is free software; you can redistribute it and/or modify it > + * under the terms of the GNU General Public License as published by the > + * Free Software Foundation; either version 2 of the License, or > + * (at your option) any later version. > + * > + * This program is distributed in the hope that it will be useful, but WITHOUT > + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or > + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License > + * for more details. > + */ > +#ifndef NPCM7XX_OTP_H > +#define NPCM7XX_OTP_H > + > +#include "exec/memory.h" > +#include "hw/sysbus.h" > + > +/* Each OTP module holds 8192 bits of one-time programmable storage */ > +#define NPCM7XX_OTP_ARRAY_BITS (8192) > +#define NPCM7XX_OTP_ARRAY_BYTES (NPCM7XX_OTP_ARRAY_BITS / BITS_PER_BYTE) > + > +/* Fuse array offsets */ > +#define NPCM7XX_FUSE_FUSTRAP (0) > +#define NPCM7XX_FUSE_CP_FUSTRAP (12) > +#define NPCM7XX_FUSE_DAC_CALIB (16) > +#define NPCM7XX_FUSE_ADC_CALIB (24) > +#define NPCM7XX_FUSE_DERIVATIVE (64) > +#define NPCM7XX_FUSE_TEST_SIG (72) > +#define NPCM7XX_FUSE_DIE_LOCATION (74) > +#define NPCM7XX_FUSE_GP1 (80) > +#define NPCM7XX_FUSE_GP2 (128) > + > +/* > + * Number of registers in our device state structure. Don't change this without > + * incrementing the version_id in the vmstate. > + */ > +#define NPCM7XX_OTP_NR_REGS (0x18 / sizeof(uint32_t)) > + > +/** > + * struct NPCM7xxOTPState - Device state for one OTP module. > + * @parent: System bus device. > + * @mmio: Memory region through which registers are accessed. > + * @regs: Register contents. > + * @array: OTP storage array. 
> + */ > +typedef struct NPCM7xxOTPState { > + SysBusDevice parent; > + > + MemoryRegion mmio; > + uint32_t regs[NPCM7XX_OTP_NR_REGS]; > + uint8_t array[NPCM7XX_OTP_ARRAY_BYTES]; > +} NPCM7xxOTPState; > + > +#define TYPE_NPCM7XX_OTP "npcm7xx-otp" > +#define NPCM7XX_OTP(obj) OBJECT_CHECK(NPCM7xxOTPState, (obj), TYPE_NPCM7XX_OTP) > + > +#define TYPE_NPCM7XX_KEY_STORAGE "npcm7xx-key-storage" > +#define TYPE_NPCM7XX_FUSE_ARRAY "npcm7xx-fuse-array" > + > +typedef struct NPCM7xxOTPClass NPCM7xxOTPClass; > + > +/** > + * npcm7xx_otp_array_write - ECC encode and write data to OTP array. > + * @s: OTP module. > + * @data: Data to be encoded and written. > + * @offset: Offset of first byte to be written in the OTP array. > + * @len: Number of bytes before ECC encoding. > + * > + * Each nibble of data is encoded into a byte, so the number of bytes written > + * to the array will be @len * 2. > + */ > +extern void npcm7xx_otp_array_write(NPCM7xxOTPState *s, const void *data, > + unsigned int offset, unsigned int len); > + > +#endif /* NPCM7XX_OTP_H */ > diff --git a/hw/arm/npcm7xx.c b/hw/arm/npcm7xx.c > index 9669ac5fa0..9166002598 100644 > --- a/hw/arm/npcm7xx.c > +++ b/hw/arm/npcm7xx.c > @@ -34,6 +34,10 @@ > #define NPCM7XX_MMIO_BA (0x80000000) > #define NPCM7XX_MMIO_SZ (0x7ffd0000) > > +/* OTP key storage and fuse strap array */ > +#define NPCM7XX_OTP1_BA (0xf0189000) > +#define NPCM7XX_OTP2_BA (0xf018a000) > + > /* Core system modules. */ > #define NPCM7XX_L2C_BA (0xf03fc000) > #define NPCM7XX_CPUP_BA (0xf03fe000) 
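Review bot: The kernel-doc for npcm7xx_otp_array_write() at the end of include/hw/nvram/npcm7xx_otp.h says that 2 * @len bytes are written, but it never states that @offset + 2 * @len must fit in NPCM7XX_OTP_ARRAY_BYTES. The implementation in hw/nvram/npcm7xx_otp.c advances `dst` from `&s->array[offset]` with no check. The only caller visible in this patch passes constants that fit, so this is hardening for future callers rather than a guest-reachable path. I would add ` * The caller must ensure @offset + 2 * @len does not exceed NPCM7XX_OTP_ARRAY_BYTES.` to the comment and `assert(offset <= sizeof(s->array) && len <= (sizeof(s->array) - offset) / 2);` at the top of the function.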
> @@ -144,6 +148,20 @@ void npcm7xx_load_kernel(MachineState *machine, NPCM7xxState *soc)
> arm_load_kernel(&soc->cpu[0], machine, &npcm7xx_binfo);
> }
>
> +static void npcm7xx_init_fuses(NPCM7xxState *s)
> +{
> + NPCM7xxClass *nc = NPCM7XX_GET_CLASS(s);
> + uint32_t value;
> +
> + /*
> + * The initial mask of disabled modules indicates the chip derivative (e.g.
> + * NPCM750 or NPCM730).
> + */
> + value = tswap32(nc->disabled_modules);
> + npcm7xx_otp_array_write(&s->fuse_array, &value, NPCM7XX_FUSE_DERIVATIVE,
> + sizeof(value));
> +}
> +
> static qemu_irq npcm7xx_irq(NPCM7xxState *s, int n)
> {
> return qdev_get_gpio_in(DEVICE(&s->a9mpcore), n);
> @@ -164,6 +182,10 @@ static void npcm7xx_init(Object *obj)
> object_property_add_alias(obj, "power-on-straps", OBJECT(&s->gcr),
> "power-on-straps");
> object_initialize_child(obj, "clk", &s->clk, TYPE_NPCM7XX_CLK);
> + object_initialize_child(obj, "otp1", &s->key_storage,
> + TYPE_NPCM7XX_KEY_STORAGE);
> + object_initialize_child(obj, "otp2", &s->fuse_array,
> + TYPE_NPCM7XX_FUSE_ARRAY);
>
> for (i = 0; i < ARRAY_SIZE(s->tim); i++) {
> object_initialize_child(obj, "tim[*]", &s->tim[i], TYPE_NPCM7XX_TIMER);
> @@ -232,6 +254,13 @@ static void npcm7xx_realize(DeviceState *dev, Error **errp)
> sysbus_realize(SYS_BUS_DEVICE(&s->clk), &error_abort);
> sysbus_mmio_map(SYS_BUS_DEVICE(&s->clk), 0, NPCM7XX_CLK_BA);
>
> + /* OTP key storage and fuse strap array. Cannot fail. */
> + sysbus_realize(SYS_BUS_DEVICE(&s->key_storage), &error_abort);
> + sysbus_mmio_map(SYS_BUS_DEVICE(&s->key_storage), 0, NPCM7XX_OTP1_BA);
> + sysbus_realize(SYS_BUS_DEVICE(&s->fuse_array), &error_abort);
> + sysbus_mmio_map(SYS_BUS_DEVICE(&s->fuse_array), 0, NPCM7XX_OTP2_BA);
> + npcm7xx_init_fuses(s);
> +
> /* Timer Modules (TIM). Cannot fail. */
> QEMU_BUILD_BUG_ON(ARRAY_SIZE(npcm7xx_tim_addr) != ARRAY_SIZE(s->tim));
> for (i = 0; i < ARRAY_SIZE(s->tim); i++) {
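Review bot: In the npcm7xx_realize hunk, `npcm7xx_init_fuses(s)` only works because it runs after `sysbus_realize()` of `fuse_array`: npcm7xx_otp_realize() in hw/nvram/npcm7xx_otp.c does `memset(s->array, 0, sizeof(s->array))`, so fuse values written before realize would be wiped. Nothing records that ordering, so I would add `/* Must follow realize of fuse_array, which zeroes the OTP array. */` above the call. Separately, `tswap32()` in npcm7xx_init_fuses ties the stored byte order to the target build; if the fuse layout is fixed little-endian, `cpu_to_le32()` would state that directly. The body of npcm7xx_realize starts and ends outside the hunk.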
> diff --git a/hw/nvram/npcm7xx_otp.c b/hw/nvram/npcm7xx_otp.c
> new file mode 100644
> index 0000000000..ba4188ada8
> --- /dev/null
> +++ b/hw/nvram/npcm7xx_otp.c
> @@ -0,0 +1,439 @@ > +/* > + * Nuvoton NPCM7xx OTP (Fuse Array) Interface > + * > + * Copyright 2020 Google LLC > + * > + * This program is free software; you can redistribute it and/or modify it > + * under the terms of the GNU General Public License as published by the > + * Free Software Foundation; either version 2 of the License, or > + * (at your option) any later version. > + * > + * This program is distributed in the hope that it will be useful, but WITHOUT > + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or > + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License > + * for more details. > + */ > + > +#include "qemu/osdep.h" > + > +#include "hw/nvram/npcm7xx_otp.h" > +#include "migration/vmstate.h" > +#include "qapi/error.h" > +#include "qemu/bitops.h" > +#include "qemu/log.h" > +#include "qemu/module.h" > +#include "qemu/units.h" > + > +/* Each module has 4 KiB of register space. Only a fraction of it is used. */ > +#define NPCM7XX_OTP_REGS_SIZE (4 * KiB) > + > +/* 32-bit register indices. */ > +typedef enum NPCM7xxOTPRegister { > + NPCM7XX_OTP_FST, > + NPCM7XX_OTP_FADDR, > + NPCM7XX_OTP_FDATA, > + NPCM7XX_OTP_FCFG, > + /* Offset 0x10 is FKEYIND in OTP1, FUSTRAP in OTP2 */ > + NPCM7XX_OTP_FKEYIND = 0x0010 / sizeof(uint32_t), > + NPCM7XX_OTP_FUSTRAP = 0x0010 / sizeof(uint32_t), > + NPCM7XX_OTP_FCTL, > + NPCM7XX_OTP_REGS_END, > +} NPCM7xxOTPRegister; > + > +/* Register field definitions. */ > +#define FST_RIEN BIT(2) > +#define FST_RDST BIT(1) > +#define FST_RDY BIT(0) > +#define FST_RO_MASK (FST_RDST | FST_RDY) > + > +#define FADDR_BYTEADDR(rv) extract32((rv), 0, 10) > +#define FADDR_BITPOS(rv) extract32((rv), 10, 3) > + > +#define FDATA_CLEAR 0x00000001 > + > +#define FCFG_FDIS BIT(31) > +#define FCFG_FCFGLK_MASK 0x00ff0000 > + > +#define FCTL_PROG_CMD1 0x00000001 > +#define FCTL_PROG_CMD2 0xbf79e5d0 > +#define FCTL_READ_CMD 0x00000002 > + > +/** > + * struct NPCM7xxOTPClass - OTP module class. 
> + * @parent: System bus device class. > + * @mmio_ops: MMIO register operations for this type of module. > + * > + * The two OTP modules (key-storage and fuse-array) have slightly different > + * behavior, so we give them different MMIO register operations. > + */ > +struct NPCM7xxOTPClass { > + SysBusDeviceClass parent; > + > + const MemoryRegionOps *mmio_ops; > +}; > + > +#define NPCM7XX_OTP_CLASS(klass) \ > + OBJECT_CLASS_CHECK(NPCM7xxOTPClass, (klass), TYPE_NPCM7XX_OTP) > +#define NPCM7XX_OTP_GET_CLASS(obj) \ > + OBJECT_GET_CLASS(NPCM7xxOTPClass, (obj), TYPE_NPCM7XX_OTP) > + > +static uint8_t ecc_encode_nibble(uint8_t n) > +{ > + uint8_t result = n; > + > + result |= (((n >> 0) & 1) ^ ((n >> 1) & 1)) << 4; > + result |= (((n >> 2) & 1) ^ ((n >> 3) & 1)) << 5; > + result |= (((n >> 0) & 1) ^ ((n >> 2) & 1)) << 6; > + result |= (((n >> 1) & 1) ^ ((n >> 3) & 1)) << 7; > + > + return result; > +} > + > +void npcm7xx_otp_array_write(NPCM7xxOTPState *s, const void *data, > + unsigned int offset, unsigned int len) > +{ > + const uint8_t *src = data; > + uint8_t *dst = &s->array[offset]; > + > + while (len-- > 0) { > + uint8_t c = *src++; > + > + *dst++ = ecc_encode_nibble(extract8(c, 0, 4)); > + *dst++ = ecc_encode_nibble(extract8(c, 4, 4)); > + } > +} > + > +/* Common register read handler for both OTP classes. 
*/ > +static uint64_t npcm7xx_otp_read(NPCM7xxOTPState *s, NPCM7xxOTPRegister reg) > +{ > + uint32_t value = 0; > + > + switch (reg) { > + case NPCM7XX_OTP_FST: > + case NPCM7XX_OTP_FADDR: > + case NPCM7XX_OTP_FDATA: > + case NPCM7XX_OTP_FCFG: > + value = s->regs[reg]; > + break; > + > + case NPCM7XX_OTP_FCTL: > + qemu_log_mask(LOG_GUEST_ERROR, > + "%s: read from write-only FCTL register\n", > + DEVICE(s)->canonical_path); > + break; > + > + default: > + qemu_log_mask(LOG_GUEST_ERROR, "%s: read from invalid offset 0x%zx\n", > + DEVICE(s)->canonical_path, reg * sizeof(uint32_t)); > + break; > + } > + > + return value; > +} > + > +/* Read a byte from the OTP array into the data register. */ > +static void npcm7xx_otp_read_array(NPCM7xxOTPState *s) > +{ > + uint32_t faddr = s->regs[NPCM7XX_OTP_FADDR]; > + > + s->regs[NPCM7XX_OTP_FDATA] = s->array[FADDR_BYTEADDR(faddr)]; > + s->regs[NPCM7XX_OTP_FST] |= FST_RDST | FST_RDY; > +} > + > +/* Program a byte from the data register into the OTP array. */ > +static void npcm7xx_otp_program_array(NPCM7xxOTPState *s) > +{ > + uint32_t faddr = s->regs[NPCM7XX_OTP_FADDR]; > + > + /* Bits can only go 0->1, never 1->0. */ > + s->array[FADDR_BYTEADDR(faddr)] |= (1U << FADDR_BITPOS(faddr)); > + s->regs[NPCM7XX_OTP_FST] |= FST_RDST | FST_RDY; > +} > + > +/* Compute the next value of the FCFG register. */ > +static uint32_t npcm7xx_otp_compute_fcfg(uint32_t cur_value, uint32_t new_value) > +{ > + uint32_t lock_mask; > + uint32_t value; > + > + /* > + * FCFGLK holds sticky bits 16..23, indicating which bits in FPRGLK (8..15) > + * and FRDLK (0..7) that are read-only. > + */ > + lock_mask = (cur_value & FCFG_FCFGLK_MASK) >> 8; > + lock_mask |= lock_mask >> 8; > + /* FDIS and FCFGLK bits are sticky (write 1 to set; can't clear). */ > + value = cur_value & (FCFG_FDIS | FCFG_FCFGLK_MASK); > + /* Preserve read-only bits in FPRGLK and FRDLK */ > + value |= cur_value & lock_mask; > + /* Set all bits that aren't read-only. 
*/ > + value |= new_value & ~lock_mask; > + > + return value; > +} > + > +/* Common register write handler for both OTP classes. */ > +static void npcm7xx_otp_write(NPCM7xxOTPState *s, NPCM7xxOTPRegister reg, > + uint32_t value) > +{ > + switch (reg) { > + case NPCM7XX_OTP_FST: > + /* RDST is cleared by writing 1 to it. */ > + if (value & FST_RDST) { > + s->regs[NPCM7XX_OTP_FST] &= ~FST_RDST; > + } > + /* Preserve read-only and write-one-to-clear bits */ > + value &= ~FST_RO_MASK; > + value |= s->regs[NPCM7XX_OTP_FST] & FST_RO_MASK; > + break; > + > + case NPCM7XX_OTP_FADDR: > + break; > + > + case NPCM7XX_OTP_FDATA: > + /* > + * This register is cleared by writing a magic value to it; no other > + * values can be written. > + */ > + if (value == FDATA_CLEAR) { > + value = 0; > + } else { > + value = s->regs[NPCM7XX_OTP_FDATA]; > + } > + break; > + > + case NPCM7XX_OTP_FCFG: > + value = npcm7xx_otp_compute_fcfg(s->regs[NPCM7XX_OTP_FCFG], value); > + break; > + > + case NPCM7XX_OTP_FCTL: > + switch (value) { > + case FCTL_READ_CMD: > + npcm7xx_otp_read_array(s); > + break; > + > + case FCTL_PROG_CMD1: > + /* > + * Programming requires writing two separate magic values to this > + * register; this is the first one. Just store it so it can be > + * verified later when the second magic value is received. > + */ > + break; > + > + case FCTL_PROG_CMD2: > + /* > + * Only initiate programming if we received the first half of the > + * command immediately before this one. 
> + */ > + if (s->regs[NPCM7XX_OTP_FCTL] == FCTL_PROG_CMD1) { > + npcm7xx_otp_program_array(s); > + } > + break; > + > + default: > + qemu_log_mask(LOG_GUEST_ERROR, > + "%s: unrecognized FCNTL value 0x%" PRIx32 "\n", > + DEVICE(s)->canonical_path, value); > + break; > + } > + if (value != FCTL_PROG_CMD1) { > + value = 0; > + } > + break; > + > + default: > + qemu_log_mask(LOG_GUEST_ERROR, "%s: write to invalid offset 0x%zx\n", > + DEVICE(s)->canonical_path, reg * sizeof(uint32_t)); > + return; > + } > + > + s->regs[reg] = value; > +} > + > +/* Register read handler specific to the fuse array OTP module. */ > +static uint64_t npcm7xx_fuse_array_read(void *opaque, hwaddr addr, > + unsigned int size) > +{ > + NPCM7xxOTPRegister reg = addr / sizeof(uint32_t); > + NPCM7xxOTPState *s = opaque; > + uint32_t value; > + > + /* > + * Only the Fuse Strap register needs special handling; all other registers > + * work the same way for both kinds of OTP modules. > + */ > + if (reg != NPCM7XX_OTP_FUSTRAP) { > + value = npcm7xx_otp_read(s, reg); > + } else { > + /* FUSTRAP is stored as three copies in the OTP array. */ > + uint32_t fustrap[3]; > + > + memcpy(fustrap, &s->array[0], sizeof(fustrap)); > + > + /* Determine value by a majority vote on each bit. */ > + value = (fustrap[0] & fustrap[1]) | (fustrap[0] & fustrap[2]) | > + (fustrap[1] & fustrap[2]); > + } > + > + return value; > +} > + > +/* Register write handler specific to the fuse array OTP module. */ > +static void npcm7xx_fuse_array_write(void *opaque, hwaddr addr, uint64_t v, > + unsigned int size) > +{ > + NPCM7xxOTPRegister reg = addr / sizeof(uint32_t); > + NPCM7xxOTPState *s = opaque; > + > + /* > + * The Fuse Strap register is read-only. Other registers are handled by > + * common code. 
> + */ > + if (reg != NPCM7XX_OTP_FUSTRAP) { > + npcm7xx_otp_write(s, reg, v); > + } > +} > + > +static const MemoryRegionOps npcm7xx_fuse_array_ops = { > + .read = npcm7xx_fuse_array_read, > + .write = npcm7xx_fuse_array_write, > + .endianness = DEVICE_LITTLE_ENDIAN, > + .valid = { > + .min_access_size = 4, > + .max_access_size = 4, > + .unaligned = false, > + }, > +}; > + > +/* Register read handler specific to the key storage OTP module. */ > +static uint64_t npcm7xx_key_storage_read(void *opaque, hwaddr addr, > + unsigned int size) > +{ > + NPCM7xxOTPRegister reg = addr / sizeof(uint32_t); > + NPCM7xxOTPState *s = opaque; > + > + /* > + * Only the Fuse Key Index register needs special handling; all other > + * registers work the same way for both kinds of OTP modules. > + */ > + if (reg != NPCM7XX_OTP_FKEYIND) { > + return npcm7xx_otp_read(s, reg); > + } > + > + qemu_log_mask(LOG_UNIMP, "%s: FKEYIND is not implemented\n", __func__); > + > + return s->regs[NPCM7XX_OTP_FKEYIND]; > +} > + > +/* Register write handler specific to the key storage OTP module. */ > +static void npcm7xx_key_storage_write(void *opaque, hwaddr addr, uint64_t v, > + unsigned int size) > +{ > + NPCM7xxOTPRegister reg = addr / sizeof(uint32_t); > + NPCM7xxOTPState *s = opaque; > + > + /* > + * Only the Fuse Key Index register needs special handling; all other > + * registers work the same way for both kinds of OTP modules. 
> + */ > + if (reg != NPCM7XX_OTP_FKEYIND) { > + npcm7xx_otp_write(s, reg, v); > + return; > + } > + > + qemu_log_mask(LOG_UNIMP, "%s: FKEYIND is not implemented\n", __func__); > + > + s->regs[NPCM7XX_OTP_FKEYIND] = v; > +} > + > +static const MemoryRegionOps npcm7xx_key_storage_ops = { > + .read = npcm7xx_key_storage_read, > + .write = npcm7xx_key_storage_write, > + .endianness = DEVICE_LITTLE_ENDIAN, > + .valid = { > + .min_access_size = 4, > + .max_access_size = 4, > + .unaligned = false, > + }, > +}; > + > +static void npcm7xx_otp_enter_reset(Object *obj, ResetType type) > +{ > + NPCM7xxOTPState *s = NPCM7XX_OTP(obj); > + > + memset(s->regs, 0, sizeof(s->regs)); > + > + s->regs[NPCM7XX_OTP_FST] = 0x00000001; > + s->regs[NPCM7XX_OTP_FCFG] = 0x20000000; > +} > + > +static void npcm7xx_otp_realize(DeviceState *dev, Error **errp) > +{ > + NPCM7xxOTPClass *oc = NPCM7XX_OTP_GET_CLASS(dev); > + NPCM7xxOTPState *s = NPCM7XX_OTP(dev); > + SysBusDevice *sbd = &s->parent; > + > + memset(s->array, 0, sizeof(s->array)); > + > + memory_region_init_io(&s->mmio, OBJECT(s), oc->mmio_ops, s, "regs", > + NPCM7XX_OTP_REGS_SIZE); > + sysbus_init_mmio(sbd, &s->mmio); > +} > + > +static const VMStateDescription vmstate_npcm7xx_otp = { > + .name = "npcm7xx-otp", > + .version_id = 0, > + .minimum_version_id = 0, > + .fields = (VMStateField[]) { > + VMSTATE_UINT32_ARRAY(regs, NPCM7xxOTPState, NPCM7XX_OTP_NR_REGS), > + VMSTATE_UINT8_ARRAY(array, NPCM7xxOTPState, NPCM7XX_OTP_ARRAY_BYTES), > + VMSTATE_END_OF_LIST(), > + }, > +}; > + > +static void npcm7xx_otp_class_init(ObjectClass *klass, void *data) > +{ > + ResettableClass *rc = RESETTABLE_CLASS(klass); > + DeviceClass *dc = DEVICE_CLASS(klass); > + > + QEMU_BUILD_BUG_ON(NPCM7XX_OTP_REGS_END > NPCM7XX_OTP_NR_REGS); > + > + dc->realize = npcm7xx_otp_realize; > + dc->vmsd = &vmstate_npcm7xx_otp; > + rc->phases.enter = npcm7xx_otp_enter_reset; > +} > + > +static void npcm7xx_key_storage_class_init(ObjectClass *klass, void *data) > +{ > + 
NPCM7xxOTPClass *oc = NPCM7XX_OTP_CLASS(klass); > + > + oc->mmio_ops = &npcm7xx_key_storage_ops; > +} Hello, With this series applied, when I build with --enable-sanitizers and run ./qemu-system-arm: ==373753==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61000000b400 at pc 0x557496abbefc bp 0x7ffdd5851210 sp 0x7ffdd5851208 WRITE of size 8 at 0x61000000b400 thread T0 #0 0x557496abbefb in npcm7xx_key_storage_class_init /../hw/nvram/npcm7xx_otp.c:410:18 #1 0x5574998a8780 in type_initialize /../qom/object.c:362:9 #2 0x5574998a9bef in object_class_foreach_tramp /../qom/object.c:1030:5 #3 0x7fc26b427b2f in g_hash_table_foreach (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3eb2f) #4 0x5574998a9a41 in object_class_foreach /../qom/object.c:1052:5 #5 0x5574998ab28a in object_class_get_list /../qom/object.c:1109:5 #6 0x557498e6f8e1 in select_machine /../softmmu/vl.c:2438:24 #7 0x557498e5a921 in qemu_init /../softmmu/vl.c:3842:21 #8 0x557495b181d7 in main /../softmmu/main.c:49:5 #9 0x7fc269e7dcc9 in __libc_start_main csu/../csu/libc-start.c:308:16 #10 0x557495a6d9b9 in _start (/qemu-system-arm+0x35959b9) 0x61000000b400 is located 0 bytes to the right of 192-byte region [0x61000000b340,0x61000000b400) allocated by thread T0 here: #0 0x557495ae6272 in calloc (/qemu-system-arm+0x360e272) #1 0x7fc26b43f210 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56210) #2 0x5574998a9bef in object_class_foreach_tramp /../qom/object.c:1030:5 #3 0x7fc26b427b2f in g_hash_table_foreach (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3eb2f) SUMMARY: AddressSanitizer: heap-buffer-overflow /../hw/nvram/npcm7xx_otp.c:410:18 in npcm7xx_key_storage_class_init -Alex > + > +static void npcm7xx_fuse_array_class_init(ObjectClass *klass, void *data) > +{ > + NPCM7xxOTPClass *oc = NPCM7XX_OTP_CLASS(klass); > + > + oc->mmio_ops = &npcm7xx_fuse_array_ops; > +} > + > +static const TypeInfo npcm7xx_otp_types[] = { > + { > + .name = TYPE_NPCM7XX_OTP, > + .parent = TYPE_SYS_BUS_DEVICE, > + 
.instance_size = sizeof(NPCM7xxOTPState), > + .class_init = npcm7xx_otp_class_init, > + .abstract = true, > + }, > + { > + .name = TYPE_NPCM7XX_KEY_STORAGE, > + .parent = TYPE_NPCM7XX_OTP, > + .class_init = npcm7xx_key_storage_class_init, > + }, > + { > + .name = TYPE_NPCM7XX_FUSE_ARRAY, > + .parent = TYPE_NPCM7XX_OTP, > + .class_init = npcm7xx_fuse_array_class_init, > + }, > +}; > +DEFINE_TYPES(npcm7xx_otp_types); > diff --git a/hw/nvram/meson.build b/hw/nvram/meson.build > index ba214558ac..1f2ed013b2 100644 > --- a/hw/nvram/meson.build > +++ b/hw/nvram/meson.build > @@ -4,6 +4,7 @@ softmmu_ss.add(when: 'CONFIG_DS1225Y', if_true: files('ds1225y.c')) > softmmu_ss.add(when: 'CONFIG_NMC93XX_EEPROM', if_true: files('eeprom93xx.c')) > softmmu_ss.add(when: 'CONFIG_AT24C', if_true: files('eeprom_at24c.c')) > softmmu_ss.add(when: 'CONFIG_MAC_NVRAM', if_true: files('mac_nvram.c')) > +softmmu_ss.add(when: 'CONFIG_NPCM7XX', if_true: files('npcm7xx_otp.c')) > softmmu_ss.add(when: 'CONFIG_NRF51_SOC', if_true: files('nrf51_nvm.c')) > > specific_ss.add(when: 'CONFIG_PSERIES', if_true: files('spapr_nvram.c')) > -- > 2.28.0.297.g1956fa8f8d-goog > >
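Review bot: npcm7xx_fuse_array_read() builds FUSTRAP with `memcpy(fustrap, &s->array[0], sizeof(fustrap))`, which interprets the fuse bytes in host byte order, so the register value would differ on a big-endian host while byte-wise reads through FADDR/FDATA stay the same. Assuming the array layout is little-endian, loading each copy with `ldl_le_p(&s->array[i * sizeof(uint32_t)])` keeps the result host-independent. Also, the comment on npcm7xx_otp_program_array() says it programs a byte from the data register, but the code sets the single bit selected by `FADDR_BITPOS(faddr)` and never reads FDATA; `/* Program the bit selected by FADDR into the OTP array. */` would match the code. The lock and disable bits kept in FCFG are not consulted by either array access path, which is in line with the commit message saying protection is not implemented; a short comment on npcm7xx_otp_read_array() and npcm7xx_otp_program_array() saying so would keep readers from assuming the key storage is access-controlled.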
On 200907 1547, Alexander Bulekov wrote: > On 200824 1717, Havard Skinnemoen via wrote: > > This supports reading and writing OTP fuses and keys. Only fuse reading > > has been tested. Protection is not implemented. > > > > Reviewed-by: Avi Fishman <avi.fishman@nuvoton.com> > > Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> > > Signed-off-by: Havard Skinnemoen <hskinnemoen@google.com> > > --- > > include/hw/arm/npcm7xx.h | 3 + > > include/hw/nvram/npcm7xx_otp.h | 79 ++++++ > > hw/arm/npcm7xx.c | 29 +++ > > hw/nvram/npcm7xx_otp.c | 439 +++++++++++++++++++++++++++++++++ > > hw/nvram/meson.build | 1 + > > 5 files changed, 551 insertions(+) > > create mode 100644 include/hw/nvram/npcm7xx_otp.h > > create mode 100644 hw/nvram/npcm7xx_otp.c > > > > diff --git a/include/hw/arm/npcm7xx.h b/include/hw/arm/npcm7xx.h > > index ba7495869d..5816a07a72 100644 > > --- a/include/hw/arm/npcm7xx.h > > +++ b/include/hw/arm/npcm7xx.h > > @@ -20,6 +20,7 @@ > > #include "hw/cpu/a9mpcore.h" > > #include "hw/misc/npcm7xx_clk.h" > > #include "hw/misc/npcm7xx_gcr.h" > > +#include "hw/nvram/npcm7xx_otp.h" > > #include "hw/timer/npcm7xx_timer.h" > > #include "target/arm/cpu.h" > > > > @@ -68,6 +69,8 @@ typedef struct NPCM7xxState { > > NPCM7xxGCRState gcr; > > NPCM7xxCLKState clk; > > NPCM7xxTimerCtrlState tim[3]; > > + NPCM7xxOTPState key_storage; > > + NPCM7xxOTPState fuse_array; > > } NPCM7xxState; > > > > #define TYPE_NPCM7XX "npcm7xx" > > diff --git a/include/hw/nvram/npcm7xx_otp.h b/include/hw/nvram/npcm7xx_otp.h > > new file mode 100644 > > index 0000000000..156bbd151a > > --- /dev/null > > +++ b/include/hw/nvram/npcm7xx_otp.h 
> > @@ -0,0 +1,79 @@ > > +/* > > + * Nuvoton NPCM7xx OTP (Fuse Array) Interface > > + * > > + * Copyright 2020 Google LLC > > + * > > + * This program is free software; you can redistribute it and/or modify it > > + * under the terms of the GNU General Public License as published by the > > + * Free Software Foundation; either version 2 of the License, or > > + * (at your option) any later version. > > + * > > + * This program is distributed in the hope that it will be useful, but WITHOUT > > + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or > > + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License > > + * for more details. > > + */ > > +#ifndef NPCM7XX_OTP_H > > +#define NPCM7XX_OTP_H > > + > > +#include "exec/memory.h" > > +#include "hw/sysbus.h" > > + > > +/* Each OTP module holds 8192 bits of one-time programmable storage */ > > +#define NPCM7XX_OTP_ARRAY_BITS (8192) > > +#define NPCM7XX_OTP_ARRAY_BYTES (NPCM7XX_OTP_ARRAY_BITS / BITS_PER_BYTE) > > + > > +/* Fuse array offsets */ > > +#define NPCM7XX_FUSE_FUSTRAP (0) > > +#define NPCM7XX_FUSE_CP_FUSTRAP (12) > > +#define NPCM7XX_FUSE_DAC_CALIB (16) > > +#define NPCM7XX_FUSE_ADC_CALIB (24) > > +#define NPCM7XX_FUSE_DERIVATIVE (64) > > +#define NPCM7XX_FUSE_TEST_SIG (72) > > +#define NPCM7XX_FUSE_DIE_LOCATION (74) > > +#define NPCM7XX_FUSE_GP1 (80) > > +#define NPCM7XX_FUSE_GP2 (128) > > + > > +/* > > + * Number of registers in our device state structure. Don't change this without > > + * incrementing the version_id in the vmstate. > > + */ > > +#define NPCM7XX_OTP_NR_REGS (0x18 / sizeof(uint32_t)) > > + > > +/** > > + * struct NPCM7xxOTPState - Device state for one OTP module. > > + * @parent: System bus device. > > + * @mmio: Memory region through which registers are accessed. > > + * @regs: Register contents. > > + * @array: OTP storage array. 
> > + */ > > +typedef struct NPCM7xxOTPState { > > + SysBusDevice parent; > > + > > + MemoryRegion mmio; > > + uint32_t regs[NPCM7XX_OTP_NR_REGS]; > > + uint8_t array[NPCM7XX_OTP_ARRAY_BYTES]; > > +} NPCM7xxOTPState; > > + > > +#define TYPE_NPCM7XX_OTP "npcm7xx-otp" > > +#define NPCM7XX_OTP(obj) OBJECT_CHECK(NPCM7xxOTPState, (obj), TYPE_NPCM7XX_OTP) > > + > > +#define TYPE_NPCM7XX_KEY_STORAGE "npcm7xx-key-storage" > > +#define TYPE_NPCM7XX_FUSE_ARRAY "npcm7xx-fuse-array" > > + > > +typedef struct NPCM7xxOTPClass NPCM7xxOTPClass; > > + > > +/** > > + * npcm7xx_otp_array_write - ECC encode and write data to OTP array. > > + * @s: OTP module. > > + * @data: Data to be encoded and written. > > + * @offset: Offset of first byte to be written in the OTP array. > > + * @len: Number of bytes before ECC encoding. > > + * > > + * Each nibble of data is encoded into a byte, so the number of bytes written > > + * to the array will be @len * 2. > > + */ > > +extern void npcm7xx_otp_array_write(NPCM7xxOTPState *s, const void *data, > > + unsigned int offset, unsigned int len); > > + > > +#endif /* NPCM7XX_OTP_H */ > > diff --git a/hw/arm/npcm7xx.c b/hw/arm/npcm7xx.c > > index 9669ac5fa0..9166002598 100644 > > --- a/hw/arm/npcm7xx.c > > +++ b/hw/arm/npcm7xx.c > > @@ -34,6 +34,10 @@ > > #define NPCM7XX_MMIO_BA (0x80000000) > > #define NPCM7XX_MMIO_SZ (0x7ffd0000) > > > > +/* OTP key storage and fuse strap array */ > > +#define NPCM7XX_OTP1_BA (0xf0189000) > > +#define NPCM7XX_OTP2_BA (0xf018a000) > > + > > /* Core system modules. */ > > #define NPCM7XX_L2C_BA (0xf03fc000) > > #define NPCM7XX_CPUP_BA (0xf03fe000) 
> > @@ -144,6 +148,20 @@ void npcm7xx_load_kernel(MachineState *machine, NPCM7xxState *soc) > > arm_load_kernel(&soc->cpu[0], machine, &npcm7xx_binfo); > > } > > > > +static void npcm7xx_init_fuses(NPCM7xxState *s) > > +{ > > + NPCM7xxClass *nc = NPCM7XX_GET_CLASS(s); > > + uint32_t value; > > + > > + /* > > + * The initial mask of disabled modules indicates the chip derivative (e.g. > > + * NPCM750 or NPCM730). > > + */ > > + value = tswap32(nc->disabled_modules); > > + npcm7xx_otp_array_write(&s->fuse_array, &value, NPCM7XX_FUSE_DERIVATIVE, > > + sizeof(value)); > > +} > > + > > static qemu_irq npcm7xx_irq(NPCM7xxState *s, int n) > > { > > return qdev_get_gpio_in(DEVICE(&s->a9mpcore), n); > > @@ -164,6 +182,10 @@ static void npcm7xx_init(Object *obj) > > object_property_add_alias(obj, "power-on-straps", OBJECT(&s->gcr), > > "power-on-straps"); > > object_initialize_child(obj, "clk", &s->clk, TYPE_NPCM7XX_CLK); > > + object_initialize_child(obj, "otp1", &s->key_storage, > > + TYPE_NPCM7XX_KEY_STORAGE); > > + object_initialize_child(obj, "otp2", &s->fuse_array, > > + TYPE_NPCM7XX_FUSE_ARRAY); > > > > for (i = 0; i < ARRAY_SIZE(s->tim); i++) { > > object_initialize_child(obj, "tim[*]", &s->tim[i], TYPE_NPCM7XX_TIMER); 
> > @@ -232,6 +254,13 @@ static void npcm7xx_realize(DeviceState *dev, Error **errp) > > sysbus_realize(SYS_BUS_DEVICE(&s->clk), &error_abort); > > sysbus_mmio_map(SYS_BUS_DEVICE(&s->clk), 0, NPCM7XX_CLK_BA); > > > > + /* OTP key storage and fuse strap array. Cannot fail. */ > > + sysbus_realize(SYS_BUS_DEVICE(&s->key_storage), &error_abort); > > + sysbus_mmio_map(SYS_BUS_DEVICE(&s->key_storage), 0, NPCM7XX_OTP1_BA); > > + sysbus_realize(SYS_BUS_DEVICE(&s->fuse_array), &error_abort); > > + sysbus_mmio_map(SYS_BUS_DEVICE(&s->fuse_array), 0, NPCM7XX_OTP2_BA); > > + npcm7xx_init_fuses(s); > > + > > /* Timer Modules (TIM). Cannot fail. */ > > QEMU_BUILD_BUG_ON(ARRAY_SIZE(npcm7xx_tim_addr) != ARRAY_SIZE(s->tim)); > > for (i = 0; i < ARRAY_SIZE(s->tim); i++) { > > diff --git a/hw/nvram/npcm7xx_otp.c b/hw/nvram/npcm7xx_otp.c > > new file mode 100644 > > index 0000000000..ba4188ada8 > > --- /dev/null > > +++ b/hw/nvram/npcm7xx_otp.c 
> > @@ -0,0 +1,439 @@
> > +/*
> > + * Nuvoton NPCM7xx OTP (Fuse Array) Interface
> > + *
> > + * Copyright 2020 Google LLC
> > + *
> > + * This program is free software; you can redistribute it and/or modify it
> > + * under the terms of the GNU General Public License as published by the
> > + * Free Software Foundation; either version 2 of the License, or
> > + * (at your option) any later version.
> > + *
> > + * This program is distributed in the hope that it will be useful, but WITHOUT
> > + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> > + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
> > + * for more details.
> > + */
> > +
> > +#include "qemu/osdep.h"
> > +
> > +#include "hw/nvram/npcm7xx_otp.h"
> > +#include "migration/vmstate.h"
> > +#include "qapi/error.h"
> > +#include "qemu/bitops.h"
> > +#include "qemu/log.h"
> > +#include "qemu/module.h"
> > +#include "qemu/units.h"
> > +
> > +/* Each module has 4 KiB of register space. Only a fraction of it is used. */
> > +#define NPCM7XX_OTP_REGS_SIZE (4 * KiB)
> > +
> > +/* 32-bit register indices. */
> > +typedef enum NPCM7xxOTPRegister {
> > + NPCM7XX_OTP_FST,
> > + NPCM7XX_OTP_FADDR,
> > + NPCM7XX_OTP_FDATA,
> > + NPCM7XX_OTP_FCFG,
> > + /* Offset 0x10 is FKEYIND in OTP1, FUSTRAP in OTP2 */
> > + NPCM7XX_OTP_FKEYIND = 0x0010 / sizeof(uint32_t),
> > + NPCM7XX_OTP_FUSTRAP = 0x0010 / sizeof(uint32_t),
> > + NPCM7XX_OTP_FCTL,
> > + NPCM7XX_OTP_REGS_END,
> > +} NPCM7xxOTPRegister;
> > +
> > +/* Register field definitions. */
> > +#define FST_RIEN BIT(2)
> > +#define FST_RDST BIT(1)
> > +#define FST_RDY BIT(0)
> > +#define FST_RO_MASK (FST_RDST | FST_RDY)
> > +
> > +#define FADDR_BYTEADDR(rv) extract32((rv), 0, 10)
> > +#define FADDR_BITPOS(rv) extract32((rv), 10, 3)
> > +
> > +#define FDATA_CLEAR 0x00000001
> > +
> > +#define FCFG_FDIS BIT(31)
> > +#define FCFG_FCFGLK_MASK 0x00ff0000
> > +
> > +#define FCTL_PROG_CMD1 0x00000001
> > +#define FCTL_PROG_CMD2 0xbf79e5d0
> > +#define FCTL_READ_CMD 0x00000002
> > +
> > +/**
> > + * struct NPCM7xxOTPClass - OTP module class.
> > + * @parent: System bus device class.
> > + * @mmio_ops: MMIO register operations for this type of module.
> > + *
> > + * The two OTP modules (key-storage and fuse-array) have slightly different
> > + * behavior, so we give them different MMIO register operations.
> > + */
> > +struct NPCM7xxOTPClass {
> > + SysBusDeviceClass parent;
> > +
> > + const MemoryRegionOps *mmio_ops;
> > +};
> > +
> > +#define NPCM7XX_OTP_CLASS(klass) \
> > + OBJECT_CLASS_CHECK(NPCM7xxOTPClass, (klass), TYPE_NPCM7XX_OTP)
> > +#define NPCM7XX_OTP_GET_CLASS(obj) \
> > + OBJECT_GET_CLASS(NPCM7xxOTPClass, (obj), TYPE_NPCM7XX_OTP)
> > +
> > +static uint8_t ecc_encode_nibble(uint8_t n)
> > +{
> > + uint8_t result = n;
> > +
> > + result |= (((n >> 0) & 1) ^ ((n >> 1) & 1)) << 4;
> > + result |= (((n >> 2) & 1) ^ ((n >> 3) & 1)) << 5;
> > + result |= (((n >> 0) & 1) ^ ((n >> 2) & 1)) << 6;
> > + result |= (((n >> 1) & 1) ^ ((n >> 3) & 1)) << 7;
> > +
> > + return result;
> > +}
> > +
> > +void npcm7xx_otp_array_write(NPCM7xxOTPState *s, const void *data,
> > + unsigned int offset, unsigned int len)
> > +{
> > + const uint8_t *src = data;
> > + uint8_t *dst = &s->array[offset];
> > +
> > + while (len-- > 0) {
> > + uint8_t c = *src++;
> > +
> > + *dst++ = ecc_encode_nibble(extract8(c, 0, 4));
> > + *dst++ = ecc_encode_nibble(extract8(c, 4, 4));
> > + }
> > +}
> > +
> > +/* Common register read handler for both OTP classes. */
> > +static uint64_t npcm7xx_otp_read(NPCM7xxOTPState *s, NPCM7xxOTPRegister reg)
> > +{
> > + uint32_t value = 0;
> > +
> > + switch (reg) {
> > + case NPCM7XX_OTP_FST:
> > + case NPCM7XX_OTP_FADDR:
> > + case NPCM7XX_OTP_FDATA:
> > + case NPCM7XX_OTP_FCFG:
> > + value = s->regs[reg];
> > + break;
> > +
> > + case NPCM7XX_OTP_FCTL:
> > + qemu_log_mask(LOG_GUEST_ERROR,
> > + "%s: read from write-only FCTL register\n",
> > + DEVICE(s)->canonical_path);
> > + break;
> > +
> > + default:
> > + qemu_log_mask(LOG_GUEST_ERROR, "%s: read from invalid offset 0x%zx\n",
> > + DEVICE(s)->canonical_path, reg * sizeof(uint32_t));
> > + break;
> > + }
> > +
> > + return value;
> > +}
> > +
> > +/* Read a byte from the OTP array into the data register. */
> > +static void npcm7xx_otp_read_array(NPCM7xxOTPState *s)
> > +{
> > + uint32_t faddr = s->regs[NPCM7XX_OTP_FADDR];
> > +
> > + s->regs[NPCM7XX_OTP_FDATA] = s->array[FADDR_BYTEADDR(faddr)];
> > + s->regs[NPCM7XX_OTP_FST] |= FST_RDST | FST_RDY;
> > +}
> > +
> > +/* Program a byte from the data register into the OTP array. */
> > +static void npcm7xx_otp_program_array(NPCM7xxOTPState *s)
> > +{
> > + uint32_t faddr = s->regs[NPCM7XX_OTP_FADDR];
> > +
> > + /* Bits can only go 0->1, never 1->0. */
> > + s->array[FADDR_BYTEADDR(faddr)] |= (1U << FADDR_BITPOS(faddr));
> > + s->regs[NPCM7XX_OTP_FST] |= FST_RDST | FST_RDY;
> > +}
> > +
> > +/* Compute the next value of the FCFG register. */
> > +static uint32_t npcm7xx_otp_compute_fcfg(uint32_t cur_value, uint32_t new_value)
> > +{
> > + uint32_t lock_mask;
> > + uint32_t value;
> > +
> > + /*
> > + * FCFGLK holds sticky bits 16..23, indicating which bits in FPRGLK (8..15)
> > + * and FRDLK (0..7) that are read-only.
> > + */
> > + lock_mask = (cur_value & FCFG_FCFGLK_MASK) >> 8;
> > + lock_mask |= lock_mask >> 8;
> > + /* FDIS and FCFGLK bits are sticky (write 1 to set; can't clear). */
> > + value = cur_value & (FCFG_FDIS | FCFG_FCFGLK_MASK);
> > + /* Preserve read-only bits in FPRGLK and FRDLK */
> > + value |= cur_value & lock_mask;
> > + /* Set all bits that aren't read-only. */
> > + value |= new_value & ~lock_mask;
> > +
> > + return value;
> > +}
> > +
> > +/* Common register write handler for both OTP classes. */
> > +static void npcm7xx_otp_write(NPCM7xxOTPState *s, NPCM7xxOTPRegister reg,
> > + uint32_t value)
> > +{
> > + switch (reg) {
> > + case NPCM7XX_OTP_FST:
> > + /* RDST is cleared by writing 1 to it. */
> > + if (value & FST_RDST) {
> > + s->regs[NPCM7XX_OTP_FST] &= ~FST_RDST;
> > + }
> > + /* Preserve read-only and write-one-to-clear bits */
> > + value &= ~FST_RO_MASK;
> > + value |= s->regs[NPCM7XX_OTP_FST] & FST_RO_MASK;
> > + break;
> > +
> > + case NPCM7XX_OTP_FADDR:
> > + break;
> > +
> > + case NPCM7XX_OTP_FDATA:
> > + /*
> > + * This register is cleared by writing a magic value to it; no other
> > + * values can be written.
> > + */
> > + if (value == FDATA_CLEAR) {
> > + value = 0;
> > + } else {
> > + value = s->regs[NPCM7XX_OTP_FDATA];
> > + }
> > + break;
> > +
> > + case NPCM7XX_OTP_FCFG:
> > + value = npcm7xx_otp_compute_fcfg(s->regs[NPCM7XX_OTP_FCFG], value);
> > + break;
> > +
> > + case NPCM7XX_OTP_FCTL:
> > + switch (value) {
> > + case FCTL_READ_CMD:
> > + npcm7xx_otp_read_array(s);
> > + break;
> > +
> > + case FCTL_PROG_CMD1:
> > + /*
> > + * Programming requires writing two separate magic values to this
> > + * register; this is the first one. Just store it so it can be
> > + * verified later when the second magic value is received.
> > + */
> > + break;
> > +
> > + case FCTL_PROG_CMD2:
> > + /*
> > + * Only initiate programming if we received the first half of the
> > + * command immediately before this one.
> > + */
> > + if (s->regs[NPCM7XX_OTP_FCTL] == FCTL_PROG_CMD1) {
> > + npcm7xx_otp_program_array(s);
> > + }
> > + break;
> > +
> > + default:
> > + qemu_log_mask(LOG_GUEST_ERROR,
> > + "%s: unrecognized FCNTL value 0x%" PRIx32 "\n",
> > + DEVICE(s)->canonical_path, value);
> > + break;
> > + }
> > + if (value != FCTL_PROG_CMD1) {
> > + value = 0;
> > + }
> > + break;
> > +
> > + default:
> > + qemu_log_mask(LOG_GUEST_ERROR, "%s: write to invalid offset 0x%zx\n",
> > + DEVICE(s)->canonical_path, reg * sizeof(uint32_t));
> > + return;
> > + }
> > +
> > + s->regs[reg] = value;
> > +}
> > +
> > +/* Register read handler specific to the fuse array OTP module. */
> > +static uint64_t npcm7xx_fuse_array_read(void *opaque, hwaddr addr,
> > + unsigned int size)
> > +{
> > + NPCM7xxOTPRegister reg = addr / sizeof(uint32_t);
> > + NPCM7xxOTPState *s = opaque;
> > + uint32_t value;
> > +
> > + /*
> > + * Only the Fuse Strap register needs special handling; all other registers
> > + * work the same way for both kinds of OTP modules.
> > + */
> > + if (reg != NPCM7XX_OTP_FUSTRAP) {
> > + value = npcm7xx_otp_read(s, reg);
> > + } else {
> > + /* FUSTRAP is stored as three copies in the OTP array. */
> > + uint32_t fustrap[3];
> > +
> > + memcpy(fustrap, &s->array[0], sizeof(fustrap));
> > +
> > + /* Determine value by a majority vote on each bit. */
> > + value = (fustrap[0] & fustrap[1]) | (fustrap[0] & fustrap[2]) |
> > + (fustrap[1] & fustrap[2]);
> > + }
> > +
> > + return value;
> > +}
> > +
> > +/* Register write handler specific to the fuse array OTP module. */
> > +static void npcm7xx_fuse_array_write(void *opaque, hwaddr addr, uint64_t v,
> > + unsigned int size)
> > +{
> > + NPCM7xxOTPRegister reg = addr / sizeof(uint32_t);
> > + NPCM7xxOTPState *s = opaque;
> > +
> > + /*
> > + * The Fuse Strap register is read-only. Other registers are handled by
> > + * common code.
> > + */
> > + if (reg != NPCM7XX_OTP_FUSTRAP) {
> > + npcm7xx_otp_write(s, reg, v);
> > + }
> > +}
> > +
> > +static const MemoryRegionOps npcm7xx_fuse_array_ops = {
> > + .read = npcm7xx_fuse_array_read,
> > + .write = npcm7xx_fuse_array_write,
> > + .endianness = DEVICE_LITTLE_ENDIAN,
> > + .valid = {
> > + .min_access_size = 4,
> > + .max_access_size = 4,
> > + .unaligned = false,
> > + },
> > +};
> > +
> > +/* Register read handler specific to the key storage OTP module. */
> > +static uint64_t npcm7xx_key_storage_read(void *opaque, hwaddr addr,
> > + unsigned int size)
> > +{
> > + NPCM7xxOTPRegister reg = addr / sizeof(uint32_t);
> > + NPCM7xxOTPState *s = opaque;
> > +
> > + /*
> > + * Only the Fuse Key Index register needs special handling; all other
> > + * registers work the same way for both kinds of OTP modules.
> > + */
> > + if (reg != NPCM7XX_OTP_FKEYIND) {
> > + return npcm7xx_otp_read(s, reg);
> > + }
> > +
> > + qemu_log_mask(LOG_UNIMP, "%s: FKEYIND is not implemented\n", __func__);
> > +
> > + return s->regs[NPCM7XX_OTP_FKEYIND];
> > +}
> > +
> > +/* Register write handler specific to the key storage OTP module. */
> > +static void npcm7xx_key_storage_write(void *opaque, hwaddr addr, uint64_t v,
> > + unsigned int size)
> > +{
> > + NPCM7xxOTPRegister reg = addr / sizeof(uint32_t);
> > + NPCM7xxOTPState *s = opaque;
> > +
> > + /*
> > + * Only the Fuse Key Index register needs special handling; all other
> > + * registers work the same way for both kinds of OTP modules.
> > + */
> > + if (reg != NPCM7XX_OTP_FKEYIND) {
> > + npcm7xx_otp_write(s, reg, v);
> > + return;
> > + }
> > +
> > + qemu_log_mask(LOG_UNIMP, "%s: FKEYIND is not implemented\n", __func__);
> > +
> > + s->regs[NPCM7XX_OTP_FKEYIND] = v;
> > +}
> > +
> > +static const MemoryRegionOps npcm7xx_key_storage_ops = {
> > + .read = npcm7xx_key_storage_read,
> > + .write = npcm7xx_key_storage_write,
> > + .endianness = DEVICE_LITTLE_ENDIAN,
> > + .valid = {
> > + .min_access_size = 4,
> > + .max_access_size = 4,
> > + .unaligned = false,
> > + },
> > +};
> > +
> > +static void npcm7xx_otp_enter_reset(Object *obj, ResetType type)
> > +{
> > + NPCM7xxOTPState *s = NPCM7XX_OTP(obj);
> > +
> > + memset(s->regs, 0, sizeof(s->regs));
> > +
> > + s->regs[NPCM7XX_OTP_FST] = 0x00000001;
> > + s->regs[NPCM7XX_OTP_FCFG] = 0x20000000;
> > +}
> > +
> > +static void npcm7xx_otp_realize(DeviceState *dev, Error **errp)
> > +{
> > + NPCM7xxOTPClass *oc = NPCM7XX_OTP_GET_CLASS(dev);
> > + NPCM7xxOTPState *s = NPCM7XX_OTP(dev);
> > + SysBusDevice *sbd = &s->parent;
> > +
> > + memset(s->array, 0, sizeof(s->array));
> > +
> > + memory_region_init_io(&s->mmio, OBJECT(s), oc->mmio_ops, s, "regs",
> > + NPCM7XX_OTP_REGS_SIZE);
> > + sysbus_init_mmio(sbd, &s->mmio);
> > +}
> > +
> > +static const VMStateDescription vmstate_npcm7xx_otp = {
> > + .name = "npcm7xx-otp",
> > + .version_id = 0,
> > + .minimum_version_id = 0,
> > + .fields = (VMStateField[]) {
> > + VMSTATE_UINT32_ARRAY(regs, NPCM7xxOTPState, NPCM7XX_OTP_NR_REGS),
> > + VMSTATE_UINT8_ARRAY(array, NPCM7xxOTPState, NPCM7XX_OTP_ARRAY_BYTES),
> > + VMSTATE_END_OF_LIST(),
> > + },
> > +};
> > +
> > +static void npcm7xx_otp_class_init(ObjectClass *klass, void *data)
> > +{
> > + ResettableClass *rc = RESETTABLE_CLASS(klass);
> > + DeviceClass *dc = DEVICE_CLASS(klass);
> > +
> > + QEMU_BUILD_BUG_ON(NPCM7XX_OTP_REGS_END > NPCM7XX_OTP_NR_REGS);
> > +
> > + dc->realize = npcm7xx_otp_realize;
> > + dc->vmsd = &vmstate_npcm7xx_otp;
> > +
rc->phases.enter = npcm7xx_otp_enter_reset; > > +} > > + > > +static void npcm7xx_key_storage_class_init(ObjectClass *klass, void *data) > > +{ > > + NPCM7xxOTPClass *oc = NPCM7XX_OTP_CLASS(klass); > > + > > + oc->mmio_ops = &npcm7xx_key_storage_ops; > > +} > > Hello, > With this series applied, when I build with --enable-sanitizers and run > ./qemu-system-arm: > > ==373753==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61000000b400 at pc 0x557496abbefc bp 0x7ffdd5851210 sp 0x7ffdd5851208 > WRITE of size 8 at 0x61000000b400 thread T0 > #0 0x557496abbefb in npcm7xx_key_storage_class_init /../hw/nvram/npcm7xx_otp.c:410:18 > #1 0x5574998a8780 in type_initialize /../qom/object.c:362:9 > #2 0x5574998a9bef in object_class_foreach_tramp /../qom/object.c:1030:5 > #3 0x7fc26b427b2f in g_hash_table_foreach (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3eb2f) > #4 0x5574998a9a41 in object_class_foreach /../qom/object.c:1052:5 > #5 0x5574998ab28a in object_class_get_list /../qom/object.c:1109:5 > #6 0x557498e6f8e1 in select_machine /../softmmu/vl.c:2438:24 > #7 0x557498e5a921 in qemu_init /../softmmu/vl.c:3842:21 > #8 0x557495b181d7 in main /../softmmu/main.c:49:5 > #9 0x7fc269e7dcc9 in __libc_start_main csu/../csu/libc-start.c:308:16 > #10 0x557495a6d9b9 in _start (/qemu-system-arm+0x35959b9) > > 0x61000000b400 is located 0 bytes to the right of 192-byte region [0x61000000b340,0x61000000b400) > allocated by thread T0 here: > #0 0x557495ae6272 in calloc (/qemu-system-arm+0x360e272) > #1 0x7fc26b43f210 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56210) > #2 0x5574998a9bef in object_class_foreach_tramp /../qom/object.c:1030:5 > #3 0x7fc26b427b2f in g_hash_table_foreach (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3eb2f) > > SUMMARY: AddressSanitizer: heap-buffer-overflow /../hw/nvram/npcm7xx_otp.c:410:18 in npcm7xx_key_storage_class_init > > -Alex > > > + > > +static void npcm7xx_fuse_array_class_init(ObjectClass *klass, void *data) > > +{ > > + 
NPCM7xxOTPClass *oc = NPCM7XX_OTP_CLASS(klass); > > + > > + oc->mmio_ops = &npcm7xx_fuse_array_ops; > > +} > > + > > +static const TypeInfo npcm7xx_otp_types[] = { > > + { > > + .name = TYPE_NPCM7XX_OTP, > > + .parent = TYPE_SYS_BUS_DEVICE, > > + .instance_size = sizeof(NPCM7xxOTPState), Adding this fixes it for me: .class_size = sizeof(NPCM7xxOTPClass), -Alex > > + .class_init = npcm7xx_otp_class_init, > > + .abstract = true, > > + }, > > + { > > + .name = TYPE_NPCM7XX_KEY_STORAGE, > > + .parent = TYPE_NPCM7XX_OTP, > > + .class_init = npcm7xx_key_storage_class_init, > > + }, > > + { > > + .name = TYPE_NPCM7XX_FUSE_ARRAY, > > + .parent = TYPE_NPCM7XX_OTP, > > + .class_init = npcm7xx_fuse_array_class_init, > > + }, > > +}; > > +DEFINE_TYPES(npcm7xx_otp_types); > > diff --git a/hw/nvram/meson.build b/hw/nvram/meson.build > > index ba214558ac..1f2ed013b2 100644 > > --- a/hw/nvram/meson.build > > +++ b/hw/nvram/meson.build > > @@ -4,6 +4,7 @@ softmmu_ss.add(when: 'CONFIG_DS1225Y', if_true: files('ds1225y.c')) > > softmmu_ss.add(when: 'CONFIG_NMC93XX_EEPROM', if_true: files('eeprom93xx.c')) > > softmmu_ss.add(when: 'CONFIG_AT24C', if_true: files('eeprom_at24c.c')) > > softmmu_ss.add(when: 'CONFIG_MAC_NVRAM', if_true: files('mac_nvram.c')) > > +softmmu_ss.add(when: 'CONFIG_NPCM7XX', if_true: files('npcm7xx_otp.c')) > > softmmu_ss.add(when: 'CONFIG_NRF51_SOC', if_true: files('nrf51_nvm.c')) > > > > specific_ss.add(when: 'CONFIG_PSERIES', if_true: files('spapr_nvram.c')) > > -- > > 2.28.0.297.g1956fa8f8d-goog > > > >
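Review bot: npcm7xx_otp_array_write() never checks `offset` and `len` against the size of `s->array`, and because every input byte is expanded to two encoded bytes the loop stores `2 * len` bytes starting at `&s->array[offset]`. The function is exported through the header, so a later caller that passes the length in encoded rather than raw bytes, or an offset near the end of the 1024-byte array, would write past the array without any diagnostic. An assertion as the first statement makes the contract explicit and fails at once on a bad caller: `assert(offset <= sizeof(s->array) && len <= (sizeof(s->array) - offset) / 2);`. The guest-driven paths in npcm7xx_otp_read_array() and npcm7xx_otp_program_array() are already bounded, since `FADDR_BYTEADDR()` extracts only 10 bits.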
On Mon, Sep 7, 2020 at 12:58 PM Alexander Bulekov <alxndr@bu.edu> wrote: > > On 200907 1547, Alexander Bulekov wrote: > > On 200824 1717, Havard Skinnemoen via wrote: > > > This supports reading and writing OTP fuses and keys. Only fuse reading > > > has been tested. Protection is not implemented. > > > > > > Reviewed-by: Avi Fishman <avi.fishman@nuvoton.com> > > > Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> > > > Signed-off-by: Havard Skinnemoen <hskinnemoen@google.com> > > > --- > > > include/hw/arm/npcm7xx.h | 3 + > > > include/hw/nvram/npcm7xx_otp.h | 79 ++++++ > > > hw/arm/npcm7xx.c | 29 +++ > > > hw/nvram/npcm7xx_otp.c | 439 +++++++++++++++++++++++++++++++++ > > > hw/nvram/meson.build | 1 + > > > 5 files changed, 551 insertions(+) > > > create mode 100644 include/hw/nvram/npcm7xx_otp.h > > > create mode 100644 hw/nvram/npcm7xx_otp.c > > > > > > diff --git a/include/hw/arm/npcm7xx.h b/include/hw/arm/npcm7xx.h > > > index ba7495869d..5816a07a72 100644 > > > --- a/include/hw/arm/npcm7xx.h > > > +++ b/include/hw/arm/npcm7xx.h > > > @@ -20,6 +20,7 @@ > > > #include "hw/cpu/a9mpcore.h" > > > #include "hw/misc/npcm7xx_clk.h" > > > #include "hw/misc/npcm7xx_gcr.h" > > > +#include "hw/nvram/npcm7xx_otp.h" > > > #include "hw/timer/npcm7xx_timer.h" > > > #include "target/arm/cpu.h" > > > > > > @@ -68,6 +69,8 @@ typedef struct NPCM7xxState { > > > NPCM7xxGCRState gcr; > > > NPCM7xxCLKState clk; > > > NPCM7xxTimerCtrlState tim[3]; > > > + NPCM7xxOTPState key_storage; > > > + NPCM7xxOTPState fuse_array; > > > } NPCM7xxState; > > > > > > #define TYPE_NPCM7XX "npcm7xx" > > > diff --git a/include/hw/nvram/npcm7xx_otp.h b/include/hw/nvram/npcm7xx_otp.h > > > new file mode 100644 > > > index 0000000000..156bbd151a > > > --- /dev/null > > > +++ b/include/hw/nvram/npcm7xx_otp.h 
> > > @@ -0,0 +1,79 @@ > > > +/* > > > + * Nuvoton NPCM7xx OTP (Fuse Array) Interface > > > + * > > > + * Copyright 2020 Google LLC > > > + * > > > + * This program is free software; you can redistribute it and/or modify it > > > + * under the terms of the GNU General Public License as published by the > > > + * Free Software Foundation; either version 2 of the License, or > > > + * (at your option) any later version. > > > + * > > > + * This program is distributed in the hope that it will be useful, but WITHOUT > > > + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or > > > + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License > > > + * for more details. > > > + */ > > > +#ifndef NPCM7XX_OTP_H > > > +#define NPCM7XX_OTP_H > > > + > > > +#include "exec/memory.h" > > > +#include "hw/sysbus.h" > > > + > > > +/* Each OTP module holds 8192 bits of one-time programmable storage */ > > > +#define NPCM7XX_OTP_ARRAY_BITS (8192) > > > +#define NPCM7XX_OTP_ARRAY_BYTES (NPCM7XX_OTP_ARRAY_BITS / BITS_PER_BYTE) > > > + > > > +/* Fuse array offsets */ > > > +#define NPCM7XX_FUSE_FUSTRAP (0) > > > +#define NPCM7XX_FUSE_CP_FUSTRAP (12) > > > +#define NPCM7XX_FUSE_DAC_CALIB (16) > > > +#define NPCM7XX_FUSE_ADC_CALIB (24) > > > +#define NPCM7XX_FUSE_DERIVATIVE (64) > > > +#define NPCM7XX_FUSE_TEST_SIG (72) > > > +#define NPCM7XX_FUSE_DIE_LOCATION (74) > > > +#define NPCM7XX_FUSE_GP1 (80) > > > +#define NPCM7XX_FUSE_GP2 (128) > > > + > > > +/* > > > + * Number of registers in our device state structure. Don't change this without > > > + * incrementing the version_id in the vmstate. > > > + */ > > > +#define NPCM7XX_OTP_NR_REGS (0x18 / sizeof(uint32_t)) > > > + > > > +/** > > > + * struct NPCM7xxOTPState - Device state for one OTP module. > > > + * @parent: System bus device. > > > + * @mmio: Memory region through which registers are accessed. > > > + * @regs: Register contents. > > > + * @array: OTP storage array. 
> > > + */ > > > +typedef struct NPCM7xxOTPState { > > > + SysBusDevice parent; > > > + > > > + MemoryRegion mmio; > > > + uint32_t regs[NPCM7XX_OTP_NR_REGS]; > > > + uint8_t array[NPCM7XX_OTP_ARRAY_BYTES]; > > > +} NPCM7xxOTPState; > > > + > > > +#define TYPE_NPCM7XX_OTP "npcm7xx-otp" > > > +#define NPCM7XX_OTP(obj) OBJECT_CHECK(NPCM7xxOTPState, (obj), TYPE_NPCM7XX_OTP) > > > + > > > +#define TYPE_NPCM7XX_KEY_STORAGE "npcm7xx-key-storage" > > > +#define TYPE_NPCM7XX_FUSE_ARRAY "npcm7xx-fuse-array" > > > + > > > +typedef struct NPCM7xxOTPClass NPCM7xxOTPClass; > > > + > > > +/** > > > + * npcm7xx_otp_array_write - ECC encode and write data to OTP array. > > > + * @s: OTP module. > > > + * @data: Data to be encoded and written. > > > + * @offset: Offset of first byte to be written in the OTP array. > > > + * @len: Number of bytes before ECC encoding. > > > + * > > > + * Each nibble of data is encoded into a byte, so the number of bytes written > > > + * to the array will be @len * 2. > > > + */ > > > +extern void npcm7xx_otp_array_write(NPCM7xxOTPState *s, const void *data, > > > + unsigned int offset, unsigned int len); > > > + > > > +#endif /* NPCM7XX_OTP_H */ > > > diff --git a/hw/arm/npcm7xx.c b/hw/arm/npcm7xx.c > > > index 9669ac5fa0..9166002598 100644 > > > --- a/hw/arm/npcm7xx.c > > > +++ b/hw/arm/npcm7xx.c > > > @@ -34,6 +34,10 @@ > > > #define NPCM7XX_MMIO_BA (0x80000000) > > > #define NPCM7XX_MMIO_SZ (0x7ffd0000) > > > > > > +/* OTP key storage and fuse strap array */ > > > +#define NPCM7XX_OTP1_BA (0xf0189000) > > > +#define NPCM7XX_OTP2_BA (0xf018a000) > > > + > > > /* Core system modules. */ > > > #define NPCM7XX_L2C_BA (0xf03fc000) > > > #define NPCM7XX_CPUP_BA (0xf03fe000) 
> > > @@ -144,6 +148,20 @@ void npcm7xx_load_kernel(MachineState *machine, NPCM7xxState *soc) > > > arm_load_kernel(&soc->cpu[0], machine, &npcm7xx_binfo); > > > } > > > > > > +static void npcm7xx_init_fuses(NPCM7xxState *s) > > > +{ > > > + NPCM7xxClass *nc = NPCM7XX_GET_CLASS(s); > > > + uint32_t value; > > > + > > > + /* > > > + * The initial mask of disabled modules indicates the chip derivative (e.g. > > > + * NPCM750 or NPCM730). > > > + */ > > > + value = tswap32(nc->disabled_modules); > > > + npcm7xx_otp_array_write(&s->fuse_array, &value, NPCM7XX_FUSE_DERIVATIVE, > > > + sizeof(value)); > > > +} > > > + > > > static qemu_irq npcm7xx_irq(NPCM7xxState *s, int n) > > > { > > > return qdev_get_gpio_in(DEVICE(&s->a9mpcore), n); > > > @@ -164,6 +182,10 @@ static void npcm7xx_init(Object *obj) > > > object_property_add_alias(obj, "power-on-straps", OBJECT(&s->gcr), > > > "power-on-straps"); > > > object_initialize_child(obj, "clk", &s->clk, TYPE_NPCM7XX_CLK); > > > + object_initialize_child(obj, "otp1", &s->key_storage, > > > + TYPE_NPCM7XX_KEY_STORAGE); > > > + object_initialize_child(obj, "otp2", &s->fuse_array, > > > + TYPE_NPCM7XX_FUSE_ARRAY); > > > > > > for (i = 0; i < ARRAY_SIZE(s->tim); i++) { > > > object_initialize_child(obj, "tim[*]", &s->tim[i], TYPE_NPCM7XX_TIMER); 
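Review bot: `tswap32()` in npcm7xx_init_fuses() converts to the target CPU's byte order, but the value is then handed to npcm7xx_otp_array_write(), which consumes it byte by byte, so what matters here is the byte layout of the fuse array, a property of the device rather than of the CPU. Naming that layout directly is clearer and does not depend on how the target is configured: `value = cpu_to_le32(nc->disabled_modules);`. This assumes the derivative word is stored little-endian, which is consistent with the `DEVICE_LITTLE_ENDIAN` register ops in hw/nvram/npcm7xx_otp.c but should be confirmed against the datasheet.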
> > > @@ -232,6 +254,13 @@ static void npcm7xx_realize(DeviceState *dev, Error **errp) > > > sysbus_realize(SYS_BUS_DEVICE(&s->clk), &error_abort); > > > sysbus_mmio_map(SYS_BUS_DEVICE(&s->clk), 0, NPCM7XX_CLK_BA); > > > > > > + /* OTP key storage and fuse strap array. Cannot fail. */ > > > + sysbus_realize(SYS_BUS_DEVICE(&s->key_storage), &error_abort); > > > + sysbus_mmio_map(SYS_BUS_DEVICE(&s->key_storage), 0, NPCM7XX_OTP1_BA); > > > + sysbus_realize(SYS_BUS_DEVICE(&s->fuse_array), &error_abort); > > > + sysbus_mmio_map(SYS_BUS_DEVICE(&s->fuse_array), 0, NPCM7XX_OTP2_BA); > > > + npcm7xx_init_fuses(s); > > > + > > > /* Timer Modules (TIM). Cannot fail. */ > > > QEMU_BUILD_BUG_ON(ARRAY_SIZE(npcm7xx_tim_addr) != ARRAY_SIZE(s->tim)); > > > for (i = 0; i < ARRAY_SIZE(s->tim); i++) { > > > diff --git a/hw/nvram/npcm7xx_otp.c b/hw/nvram/npcm7xx_otp.c > > > new file mode 100644 > > > index 0000000000..ba4188ada8 > > > --- /dev/null > > > +++ b/hw/nvram/npcm7xx_otp.c 
> > > @@ -0,0 +1,439 @@ > > > +/* > > > + * Nuvoton NPCM7xx OTP (Fuse Array) Interface > > > + * > > > + * Copyright 2020 Google LLC > > > + * > > > + * This program is free software; you can redistribute it and/or modify it > > > + * under the terms of the GNU General Public License as published by the > > > + * Free Software Foundation; either version 2 of the License, or > > > + * (at your option) any later version. > > > + * > > > + * This program is distributed in the hope that it will be useful, but WITHOUT > > > + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or > > > + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License > > > + * for more details. > > > + */ > > > + > > > +#include "qemu/osdep.h" > > > + > > > +#include "hw/nvram/npcm7xx_otp.h" > > > +#include "migration/vmstate.h" > > > +#include "qapi/error.h" > > > +#include "qemu/bitops.h" > > > +#include "qemu/log.h" > > > +#include "qemu/module.h" > > > +#include "qemu/units.h" > > > + > > > +/* Each module has 4 KiB of register space. Only a fraction of it is used. */ > > > +#define NPCM7XX_OTP_REGS_SIZE (4 * KiB) > > > + > > > +/* 32-bit register indices. */ > > > +typedef enum NPCM7xxOTPRegister { > > > + NPCM7XX_OTP_FST, > > > + NPCM7XX_OTP_FADDR, > > > + NPCM7XX_OTP_FDATA, > > > + NPCM7XX_OTP_FCFG, > > > + /* Offset 0x10 is FKEYIND in OTP1, FUSTRAP in OTP2 */ > > > + NPCM7XX_OTP_FKEYIND = 0x0010 / sizeof(uint32_t), > > > + NPCM7XX_OTP_FUSTRAP = 0x0010 / sizeof(uint32_t), > > > + NPCM7XX_OTP_FCTL, > > > + NPCM7XX_OTP_REGS_END, > > > +} NPCM7xxOTPRegister; > > > + > > > +/* Register field definitions. 
*/ > > > +#define FST_RIEN BIT(2) > > > +#define FST_RDST BIT(1) > > > +#define FST_RDY BIT(0) > > > +#define FST_RO_MASK (FST_RDST | FST_RDY) > > > + > > > +#define FADDR_BYTEADDR(rv) extract32((rv), 0, 10) > > > +#define FADDR_BITPOS(rv) extract32((rv), 10, 3) > > > + > > > +#define FDATA_CLEAR 0x00000001 > > > + > > > +#define FCFG_FDIS BIT(31) > > > +#define FCFG_FCFGLK_MASK 0x00ff0000 > > > + > > > +#define FCTL_PROG_CMD1 0x00000001 > > > +#define FCTL_PROG_CMD2 0xbf79e5d0 > > > +#define FCTL_READ_CMD 0x00000002 > > > + > > > +/** > > > + * struct NPCM7xxOTPClass - OTP module class. > > > + * @parent: System bus device class. > > > + * @mmio_ops: MMIO register operations for this type of module. > > > + * > > > + * The two OTP modules (key-storage and fuse-array) have slightly different > > > + * behavior, so we give them different MMIO register operations. > > > + */ > > > +struct NPCM7xxOTPClass { > > > + SysBusDeviceClass parent; > > > + > > > + const MemoryRegionOps *mmio_ops; > > > +}; > > > + > > > +#define NPCM7XX_OTP_CLASS(klass) \ > > > + OBJECT_CLASS_CHECK(NPCM7xxOTPClass, (klass), TYPE_NPCM7XX_OTP) > > > +#define NPCM7XX_OTP_GET_CLASS(obj) \ > > > + OBJECT_GET_CLASS(NPCM7xxOTPClass, (obj), TYPE_NPCM7XX_OTP) > > > + > > > +static uint8_t ecc_encode_nibble(uint8_t n) > > > +{ > > > + uint8_t result = n; > > > + > > > + result |= (((n >> 0) & 1) ^ ((n >> 1) & 1)) << 4; > > > + result |= (((n >> 2) & 1) ^ ((n >> 3) & 1)) << 5; > > > + result |= (((n >> 0) & 1) ^ ((n >> 2) & 1)) << 6; > > > + result |= (((n >> 1) & 1) ^ ((n >> 3) & 1)) << 7; > > > + > > > + return result; > > > +} > > > + > > > +void npcm7xx_otp_array_write(NPCM7xxOTPState *s, const void *data, > > > + unsigned int offset, unsigned int len) > > > +{ > > > + const uint8_t *src = data; > > > + uint8_t *dst = &s->array[offset]; > > > + > > > + while (len-- > 0) { > > > + uint8_t c = *src++; > > > + > > > + *dst++ = ecc_encode_nibble(extract8(c, 0, 4)); > > > + *dst++ = 
ecc_encode_nibble(extract8(c, 4, 4)); > > > + } > > > +} > > > + > > > +/* Common register read handler for both OTP classes. */ > > > +static uint64_t npcm7xx_otp_read(NPCM7xxOTPState *s, NPCM7xxOTPRegister reg) > > > +{ > > > + uint32_t value = 0; > > > + > > > + switch (reg) { > > > + case NPCM7XX_OTP_FST: > > > + case NPCM7XX_OTP_FADDR: > > > + case NPCM7XX_OTP_FDATA: > > > + case NPCM7XX_OTP_FCFG: > > > + value = s->regs[reg]; > > > + break; > > > + > > > + case NPCM7XX_OTP_FCTL: > > > + qemu_log_mask(LOG_GUEST_ERROR, > > > + "%s: read from write-only FCTL register\n", > > > + DEVICE(s)->canonical_path); > > > + break; > > > + > > > + default: > > > + qemu_log_mask(LOG_GUEST_ERROR, "%s: read from invalid offset 0x%zx\n", > > > + DEVICE(s)->canonical_path, reg * sizeof(uint32_t)); > > > + break; > > > + } > > > + > > > + return value; > > > +} > > > + > > > +/* Read a byte from the OTP array into the data register. */ > > > +static void npcm7xx_otp_read_array(NPCM7xxOTPState *s) > > > +{ > > > + uint32_t faddr = s->regs[NPCM7XX_OTP_FADDR]; > > > + > > > + s->regs[NPCM7XX_OTP_FDATA] = s->array[FADDR_BYTEADDR(faddr)]; > > > + s->regs[NPCM7XX_OTP_FST] |= FST_RDST | FST_RDY; > > > +} > > > + > > > +/* Program a byte from the data register into the OTP array. */ > > > +static void npcm7xx_otp_program_array(NPCM7xxOTPState *s) > > > +{ > > > + uint32_t faddr = s->regs[NPCM7XX_OTP_FADDR]; > > > + > > > + /* Bits can only go 0->1, never 1->0. */ > > > + s->array[FADDR_BYTEADDR(faddr)] |= (1U << FADDR_BITPOS(faddr)); > > > + s->regs[NPCM7XX_OTP_FST] |= FST_RDST | FST_RDY; > > > +} > > > + > > > +/* Compute the next value of the FCFG register. */ > > > +static uint32_t npcm7xx_otp_compute_fcfg(uint32_t cur_value, uint32_t new_value) > > > +{ > > > + uint32_t lock_mask; > > > + uint32_t value; > > > + > > > + /* > > > + * FCFGLK holds sticky bits 16..23, indicating which bits in FPRGLK (8..15) > > > + * and FRDLK (0..7) that are read-only. 
> > > + */ > > > + lock_mask = (cur_value & FCFG_FCFGLK_MASK) >> 8; > > > + lock_mask |= lock_mask >> 8; > > > + /* FDIS and FCFGLK bits are sticky (write 1 to set; can't clear). */ > > > + value = cur_value & (FCFG_FDIS | FCFG_FCFGLK_MASK); > > > + /* Preserve read-only bits in FPRGLK and FRDLK */ > > > + value |= cur_value & lock_mask; > > > + /* Set all bits that aren't read-only. */ > > > + value |= new_value & ~lock_mask; > > > + > > > + return value; > > > +} > > > + > > > +/* Common register write handler for both OTP classes. */ > > > +static void npcm7xx_otp_write(NPCM7xxOTPState *s, NPCM7xxOTPRegister reg, > > > + uint32_t value) > > > +{ > > > + switch (reg) { > > > + case NPCM7XX_OTP_FST: > > > + /* RDST is cleared by writing 1 to it. */ > > > + if (value & FST_RDST) { > > > + s->regs[NPCM7XX_OTP_FST] &= ~FST_RDST; > > > + } > > > + /* Preserve read-only and write-one-to-clear bits */ > > > + value &= ~FST_RO_MASK; > > > + value |= s->regs[NPCM7XX_OTP_FST] & FST_RO_MASK; > > > + break; > > > + > > > + case NPCM7XX_OTP_FADDR: > > > + break; > > > + > > > + case NPCM7XX_OTP_FDATA: > > > + /* > > > + * This register is cleared by writing a magic value to it; no other > > > + * values can be written. > > > + */ > > > + if (value == FDATA_CLEAR) { > > > + value = 0; > > > + } else { > > > + value = s->regs[NPCM7XX_OTP_FDATA]; > > > + } > > > + break; > > > + > > > + case NPCM7XX_OTP_FCFG: > > > + value = npcm7xx_otp_compute_fcfg(s->regs[NPCM7XX_OTP_FCFG], value); > > > + break; > > > + > > > + case NPCM7XX_OTP_FCTL: > > > + switch (value) { > > > + case FCTL_READ_CMD: > > > + npcm7xx_otp_read_array(s); > > > + break; > > > + > > > + case FCTL_PROG_CMD1: > > > + /* > > > + * Programming requires writing two separate magic values to this > > > + * register; this is the first one. Just store it so it can be > > > + * verified later when the second magic value is received. 
> > > + */ > > > + break; > > > + > > > + case FCTL_PROG_CMD2: > > > + /* > > > + * Only initiate programming if we received the first half of the > > > + * command immediately before this one. > > > + */ > > > + if (s->regs[NPCM7XX_OTP_FCTL] == FCTL_PROG_CMD1) { > > > + npcm7xx_otp_program_array(s); > > > + } > > > + break; > > > + > > > + default: > > > + qemu_log_mask(LOG_GUEST_ERROR, > > > + "%s: unrecognized FCNTL value 0x%" PRIx32 "\n", > > > + DEVICE(s)->canonical_path, value); > > > + break; > > > + } > > > + if (value != FCTL_PROG_CMD1) { > > > + value = 0; > > > + } > > > + break; > > > + > > > + default: > > > + qemu_log_mask(LOG_GUEST_ERROR, "%s: write to invalid offset 0x%zx\n", > > > + DEVICE(s)->canonical_path, reg * sizeof(uint32_t)); > > > + return; > > > + } > > > + > > > + s->regs[reg] = value; > > > +} > > > + > > > +/* Register read handler specific to the fuse array OTP module. */ > > > +static uint64_t npcm7xx_fuse_array_read(void *opaque, hwaddr addr, > > > + unsigned int size) > > > +{ > > > + NPCM7xxOTPRegister reg = addr / sizeof(uint32_t); > > > + NPCM7xxOTPState *s = opaque; > > > + uint32_t value; > > > + > > > + /* > > > + * Only the Fuse Strap register needs special handling; all other registers > > > + * work the same way for both kinds of OTP modules. > > > + */ > > > + if (reg != NPCM7XX_OTP_FUSTRAP) { > > > + value = npcm7xx_otp_read(s, reg); > > > + } else { > > > + /* FUSTRAP is stored as three copies in the OTP array. */ > > > + uint32_t fustrap[3]; > > > + > > > + memcpy(fustrap, &s->array[0], sizeof(fustrap)); > > > + > > > + /* Determine value by a majority vote on each bit. */ > > > + value = (fustrap[0] & fustrap[1]) | (fustrap[0] & fustrap[2]) | > > > + (fustrap[1] & fustrap[2]); > > > + } > > > + > > > + return value; > > > +} > > > + > > > +/* Register write handler specific to the fuse array OTP module. 
*/ > > > +static void npcm7xx_fuse_array_write(void *opaque, hwaddr addr, uint64_t v, > > > + unsigned int size) > > > +{ > > > + NPCM7xxOTPRegister reg = addr / sizeof(uint32_t); > > > + NPCM7xxOTPState *s = opaque; > > > + > > > + /* > > > + * The Fuse Strap register is read-only. Other registers are handled by > > > + * common code. > > > + */ > > > + if (reg != NPCM7XX_OTP_FUSTRAP) { > > > + npcm7xx_otp_write(s, reg, v); > > > + } > > > +} > > > + > > > +static const MemoryRegionOps npcm7xx_fuse_array_ops = { > > > + .read = npcm7xx_fuse_array_read, > > > + .write = npcm7xx_fuse_array_write, > > > + .endianness = DEVICE_LITTLE_ENDIAN, > > > + .valid = { > > > + .min_access_size = 4, > > > + .max_access_size = 4, > > > + .unaligned = false, > > > + }, > > > +}; > > > + > > > +/* Register read handler specific to the key storage OTP module. */ > > > +static uint64_t npcm7xx_key_storage_read(void *opaque, hwaddr addr, > > > + unsigned int size) > > > +{ > > > + NPCM7xxOTPRegister reg = addr / sizeof(uint32_t); > > > + NPCM7xxOTPState *s = opaque; > > > + > > > + /* > > > + * Only the Fuse Key Index register needs special handling; all other > > > + * registers work the same way for both kinds of OTP modules. > > > + */ > > > + if (reg != NPCM7XX_OTP_FKEYIND) { > > > + return npcm7xx_otp_read(s, reg); > > > + } > > > + > > > + qemu_log_mask(LOG_UNIMP, "%s: FKEYIND is not implemented\n", __func__); > > > + > > > + return s->regs[NPCM7XX_OTP_FKEYIND]; > > > +} > > > + > > > +/* Register write handler specific to the key storage OTP module. */ > > > +static void npcm7xx_key_storage_write(void *opaque, hwaddr addr, uint64_t v, > > > + unsigned int size) > > > +{ > > > + NPCM7xxOTPRegister reg = addr / sizeof(uint32_t); > > > + NPCM7xxOTPState *s = opaque; > > > + > > > + /* > > > + * Only the Fuse Key Index register needs special handling; all other > > > + * registers work the same way for both kinds of OTP modules. 
> > > + */ > > > + if (reg != NPCM7XX_OTP_FKEYIND) { > > > + npcm7xx_otp_write(s, reg, v); > > > + return; > > > + } > > > + > > > + qemu_log_mask(LOG_UNIMP, "%s: FKEYIND is not implemented\n", __func__); > > > + > > > + s->regs[NPCM7XX_OTP_FKEYIND] = v; > > > +} > > > + > > > +static const MemoryRegionOps npcm7xx_key_storage_ops = { > > > + .read = npcm7xx_key_storage_read, > > > + .write = npcm7xx_key_storage_write, > > > + .endianness = DEVICE_LITTLE_ENDIAN, > > > + .valid = { > > > + .min_access_size = 4, > > > + .max_access_size = 4, > > > + .unaligned = false, > > > + }, > > > +}; > > > + > > > +static void npcm7xx_otp_enter_reset(Object *obj, ResetType type) > > > +{ > > > + NPCM7xxOTPState *s = NPCM7XX_OTP(obj); > > > + > > > + memset(s->regs, 0, sizeof(s->regs)); > > > + > > > + s->regs[NPCM7XX_OTP_FST] = 0x00000001; > > > + s->regs[NPCM7XX_OTP_FCFG] = 0x20000000; > > > +} > > > + > > > +static void npcm7xx_otp_realize(DeviceState *dev, Error **errp) > > > +{ > > > + NPCM7xxOTPClass *oc = NPCM7XX_OTP_GET_CLASS(dev); > > > + NPCM7xxOTPState *s = NPCM7XX_OTP(dev); > > > + SysBusDevice *sbd = &s->parent; > > > + > > > + memset(s->array, 0, sizeof(s->array)); > > > + > > > + memory_region_init_io(&s->mmio, OBJECT(s), oc->mmio_ops, s, "regs", > > > + NPCM7XX_OTP_REGS_SIZE); > > > + sysbus_init_mmio(sbd, &s->mmio); > > > +} > > > + > > > +static const VMStateDescription vmstate_npcm7xx_otp = { > > > + .name = "npcm7xx-otp", > > > + .version_id = 0, > > > + .minimum_version_id = 0, > > > + .fields = (VMStateField[]) { > > > + VMSTATE_UINT32_ARRAY(regs, NPCM7xxOTPState, NPCM7XX_OTP_NR_REGS), > > > + VMSTATE_UINT8_ARRAY(array, NPCM7xxOTPState, NPCM7XX_OTP_ARRAY_BYTES), > > > + VMSTATE_END_OF_LIST(), > > > + }, > > > +}; > > > + > > > +static void npcm7xx_otp_class_init(ObjectClass *klass, void *data) > > > +{ > > > + ResettableClass *rc = RESETTABLE_CLASS(klass); > > > + DeviceClass *dc = DEVICE_CLASS(klass); > > > + > > > + QEMU_BUILD_BUG_ON(NPCM7XX_OTP_REGS_END > 
NPCM7XX_OTP_NR_REGS); > > > + > > > + dc->realize = npcm7xx_otp_realize; > > > + dc->vmsd = &vmstate_npcm7xx_otp; > > > + rc->phases.enter = npcm7xx_otp_enter_reset; > > > +} > > > + > > > +static void npcm7xx_key_storage_class_init(ObjectClass *klass, void *data) > > > +{ > > > + NPCM7xxOTPClass *oc = NPCM7XX_OTP_CLASS(klass); > > > + > > > + oc->mmio_ops = &npcm7xx_key_storage_ops; > > > +} > > > > Hello, > > With this series applied, when I build with --enable-sanitizers and run > > ./qemu-system-arm: > > > > ==373753==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61000000b400 at pc 0x557496abbefc bp 0x7ffdd5851210 sp 0x7ffdd5851208 > > WRITE of size 8 at 0x61000000b400 thread T0 > > #0 0x557496abbefb in npcm7xx_key_storage_class_init /../hw/nvram/npcm7xx_otp.c:410:18 > > #1 0x5574998a8780 in type_initialize /../qom/object.c:362:9 > > #2 0x5574998a9bef in object_class_foreach_tramp /../qom/object.c:1030:5 > > #3 0x7fc26b427b2f in g_hash_table_foreach (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3eb2f) > > #4 0x5574998a9a41 in object_class_foreach /../qom/object.c:1052:5 > > #5 0x5574998ab28a in object_class_get_list /../qom/object.c:1109:5 > > #6 0x557498e6f8e1 in select_machine /../softmmu/vl.c:2438:24 > > #7 0x557498e5a921 in qemu_init /../softmmu/vl.c:3842:21 > > #8 0x557495b181d7 in main /../softmmu/main.c:49:5 > > #9 0x7fc269e7dcc9 in __libc_start_main csu/../csu/libc-start.c:308:16 > > #10 0x557495a6d9b9 in _start (/qemu-system-arm+0x35959b9) > > > > 0x61000000b400 is located 0 bytes to the right of 192-byte region [0x61000000b340,0x61000000b400) > > allocated by thread T0 here: > > #0 0x557495ae6272 in calloc (/qemu-system-arm+0x360e272) > > #1 0x7fc26b43f210 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56210) > > #2 0x5574998a9bef in object_class_foreach_tramp /../qom/object.c:1030:5 > > #3 0x7fc26b427b2f in g_hash_table_foreach (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3eb2f) > > > > SUMMARY: AddressSanitizer: 
heap-buffer-overflow /../hw/nvram/npcm7xx_otp.c:410:18 in npcm7xx_key_storage_class_init > > > > -Alex > > > > > + > > > +static void npcm7xx_fuse_array_class_init(ObjectClass *klass, void *data) > > > +{ > > > + NPCM7xxOTPClass *oc = NPCM7XX_OTP_CLASS(klass); > > > + > > > + oc->mmio_ops = &npcm7xx_fuse_array_ops; > > > +} > > > + > > > +static const TypeInfo npcm7xx_otp_types[] = { > > > + { > > > + .name = TYPE_NPCM7XX_OTP, > > > + .parent = TYPE_SYS_BUS_DEVICE, > > > + .instance_size = sizeof(NPCM7xxOTPState), > Adding this fixes it for me: > .class_size = sizeof(NPCM7xxOTPClass), You're absolutely right. I'll send out another series with this fix. Thanks for catching this. Havard
diff --git a/include/hw/arm/npcm7xx.h b/include/hw/arm/npcm7xx.h index ba7495869d..5816a07a72 100644 --- a/include/hw/arm/npcm7xx.h +++ b/include/hw/arm/npcm7xx.h @@ -20,6 +20,7 @@ #include "hw/cpu/a9mpcore.h" #include "hw/misc/npcm7xx_clk.h" #include "hw/misc/npcm7xx_gcr.h" +#include "hw/nvram/npcm7xx_otp.h" #include "hw/timer/npcm7xx_timer.h" #include "target/arm/cpu.h" @@ -68,6 +69,8 @@ typedef struct NPCM7xxState { NPCM7xxGCRState gcr; NPCM7xxCLKState clk; NPCM7xxTimerCtrlState tim[3]; + NPCM7xxOTPState key_storage; + NPCM7xxOTPState fuse_array; } NPCM7xxState; #define TYPE_NPCM7XX "npcm7xx" diff --git a/include/hw/nvram/npcm7xx_otp.h b/include/hw/nvram/npcm7xx_otp.h new file mode 100644 index 0000000000..156bbd151a --- /dev/null +++ b/include/hw/nvram/npcm7xx_otp.h 
@@ -0,0 +1,79 @@
+/*
+ * Nuvoton NPCM7xx OTP (Fuse Array) Interface
+ *
+ * Copyright 2020 Google LLC
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+#ifndef NPCM7XX_OTP_H
+#define NPCM7XX_OTP_H
+
+#include "exec/memory.h"
+#include "hw/sysbus.h"
+
+/* Each OTP module holds 8192 bits of one-time programmable storage */
+#define NPCM7XX_OTP_ARRAY_BITS (8192)
+#define NPCM7XX_OTP_ARRAY_BYTES (NPCM7XX_OTP_ARRAY_BITS / BITS_PER_BYTE)
+
+/* Fuse array offsets */
+#define NPCM7XX_FUSE_FUSTRAP (0)
+#define NPCM7XX_FUSE_CP_FUSTRAP (12)
+#define NPCM7XX_FUSE_DAC_CALIB (16)
+#define NPCM7XX_FUSE_ADC_CALIB (24)
+#define NPCM7XX_FUSE_DERIVATIVE (64)
+#define NPCM7XX_FUSE_TEST_SIG (72)
+#define NPCM7XX_FUSE_DIE_LOCATION (74)
+#define NPCM7XX_FUSE_GP1 (80)
+#define NPCM7XX_FUSE_GP2 (128)
+
+/*
+ * Number of registers in our device state structure. Don't change this without
+ * incrementing the version_id in the vmstate.
+ */
+#define NPCM7XX_OTP_NR_REGS (0x18 / sizeof(uint32_t))
+
+/**
+ * struct NPCM7xxOTPState - Device state for one OTP module.
+ * @parent: System bus device.
+ * @mmio: Memory region through which registers are accessed.
+ * @regs: Register contents.
+ * @array: OTP storage array.
+ */ +typedef struct NPCM7xxOTPState { + SysBusDevice parent; + + MemoryRegion mmio; + uint32_t regs[NPCM7XX_OTP_NR_REGS]; + uint8_t array[NPCM7XX_OTP_ARRAY_BYTES]; +} NPCM7xxOTPState; + +#define TYPE_NPCM7XX_OTP "npcm7xx-otp" +#define NPCM7XX_OTP(obj) OBJECT_CHECK(NPCM7xxOTPState, (obj), TYPE_NPCM7XX_OTP) + +#define TYPE_NPCM7XX_KEY_STORAGE "npcm7xx-key-storage" +#define TYPE_NPCM7XX_FUSE_ARRAY "npcm7xx-fuse-array" + +typedef struct NPCM7xxOTPClass NPCM7xxOTPClass; + +/** + * npcm7xx_otp_array_write - ECC encode and write data to OTP array. + * @s: OTP module. + * @data: Data to be encoded and written. + * @offset: Offset of first byte to be written in the OTP array. + * @len: Number of bytes before ECC encoding. + * + * Each nibble of data is encoded into a byte, so the number of bytes written + * to the array will be @len * 2. + */ +extern void npcm7xx_otp_array_write(NPCM7xxOTPState *s, const void *data, + unsigned int offset, unsigned int len); + +#endif /* NPCM7XX_OTP_H */ diff --git a/hw/arm/npcm7xx.c b/hw/arm/npcm7xx.c index 9669ac5fa0..9166002598 100644 --- a/hw/arm/npcm7xx.c +++ b/hw/arm/npcm7xx.c @@ -34,6 +34,10 @@ #define NPCM7XX_MMIO_BA (0x80000000) #define NPCM7XX_MMIO_SZ (0x7ffd0000) +/* OTP key storage and fuse strap array */ +#define NPCM7XX_OTP1_BA (0xf0189000) +#define NPCM7XX_OTP2_BA (0xf018a000) + /* Core system modules. */ #define NPCM7XX_L2C_BA (0xf03fc000) #define NPCM7XX_CPUP_BA (0xf03fe000) 
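Review bot: The `/* Fuse array offsets */` comment in the new header does not say what the `NPCM7XX_FUSE_*` values index. The only use visible in this patch passes `NPCM7XX_FUSE_DERIVATIVE` as the `offset` argument of `npcm7xx_otp_array_write()`, which the kernel-doc below describes as a position in the OTP array, so they appear to be byte positions in the stored array, after each nibble has been expanded to a byte. Saying so would keep a later user from treating them as pre-encoding offsets: `/* Fuse array offsets: byte positions in the OTP array as stored (after ECC encoding) */`.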
@@ -144,6 +148,20 @@ void npcm7xx_load_kernel(MachineState *machine, NPCM7xxState *soc) arm_load_kernel(&soc->cpu[0], machine, &npcm7xx_binfo); } +static void npcm7xx_init_fuses(NPCM7xxState *s) +{ + NPCM7xxClass *nc = NPCM7XX_GET_CLASS(s); + uint32_t value; + + /* + * The initial mask of disabled modules indicates the chip derivative (e.g. + * NPCM750 or NPCM730). + */ + value = tswap32(nc->disabled_modules); + npcm7xx_otp_array_write(&s->fuse_array, &value, NPCM7XX_FUSE_DERIVATIVE, + sizeof(value)); +} + static qemu_irq npcm7xx_irq(NPCM7xxState *s, int n) { return qdev_get_gpio_in(DEVICE(&s->a9mpcore), n); @@ -164,6 +182,10 @@ static void npcm7xx_init(Object *obj) object_property_add_alias(obj, "power-on-straps", OBJECT(&s->gcr), "power-on-straps"); object_initialize_child(obj, "clk", &s->clk, TYPE_NPCM7XX_CLK); + object_initialize_child(obj, "otp1", &s->key_storage, + TYPE_NPCM7XX_KEY_STORAGE); + object_initialize_child(obj, "otp2", &s->fuse_array, + TYPE_NPCM7XX_FUSE_ARRAY); for (i = 0; i < ARRAY_SIZE(s->tim); i++) { object_initialize_child(obj, "tim[*]", &s->tim[i], TYPE_NPCM7XX_TIMER); @@ -232,6 +254,13 @@ static void npcm7xx_realize(DeviceState *dev, Error **errp) sysbus_realize(SYS_BUS_DEVICE(&s->clk), &error_abort); sysbus_mmio_map(SYS_BUS_DEVICE(&s->clk), 0, NPCM7XX_CLK_BA); + /* OTP key storage and fuse strap array. Cannot fail. */ + sysbus_realize(SYS_BUS_DEVICE(&s->key_storage), &error_abort); + sysbus_mmio_map(SYS_BUS_DEVICE(&s->key_storage), 0, NPCM7XX_OTP1_BA); + sysbus_realize(SYS_BUS_DEVICE(&s->fuse_array), &error_abort); + sysbus_mmio_map(SYS_BUS_DEVICE(&s->fuse_array), 0, NPCM7XX_OTP2_BA); + npcm7xx_init_fuses(s); + /* Timer Modules (TIM). Cannot fail. */ QEMU_BUILD_BUG_ON(ARRAY_SIZE(npcm7xx_tim_addr) != ARRAY_SIZE(s->tim)); for (i = 0; i < ARRAY_SIZE(s->tim); i++) { diff --git a/hw/nvram/npcm7xx_otp.c b/hw/nvram/npcm7xx_otp.c new file mode 100644 index 0000000000..ba4188ada8 --- /dev/null +++ b/hw/nvram/npcm7xx_otp.c 
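Review bot: `tswap32()` in `npcm7xx_init_fuses()` ties the byte order of the derivative fuse to the endianness of the emulated CPU rather than to the fuse layout. The value is then stored byte by byte through `npcm7xx_otp_array_write()` and the guest reads the array one byte at a time through FDATA, so the order is a property of the device, not of the CPU. Assuming the hardware layout is little-endian, which is what this code produces on the ARM targets in question, `value = cpu_to_le32(nc->disabled_modules);` states that directly and does not change meaning with the target configuration.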
@@ -0,0 +1,439 @@
+/*
+ * Nuvoton NPCM7xx OTP (Fuse Array) Interface
+ *
+ * Copyright 2020 Google LLC
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "qemu/osdep.h"
+
+#include "hw/nvram/npcm7xx_otp.h"
+#include "migration/vmstate.h"
+#include "qapi/error.h"
+#include "qemu/bitops.h"
+#include "qemu/log.h"
+#include "qemu/module.h"
+#include "qemu/units.h"
+
+/* Each module has 4 KiB of register space. Only a fraction of it is used. */
+#define NPCM7XX_OTP_REGS_SIZE (4 * KiB)
+
+/* 32-bit register indices. */
+typedef enum NPCM7xxOTPRegister {
+ NPCM7XX_OTP_FST,
+ NPCM7XX_OTP_FADDR,
+ NPCM7XX_OTP_FDATA,
+ NPCM7XX_OTP_FCFG,
+ /* Offset 0x10 is FKEYIND in OTP1, FUSTRAP in OTP2 */
+ NPCM7XX_OTP_FKEYIND = 0x0010 / sizeof(uint32_t),
+ NPCM7XX_OTP_FUSTRAP = 0x0010 / sizeof(uint32_t),
+ NPCM7XX_OTP_FCTL,
+ NPCM7XX_OTP_REGS_END,
+} NPCM7xxOTPRegister;
+
+/* Register field definitions. */
+#define FST_RIEN BIT(2)
+#define FST_RDST BIT(1)
+#define FST_RDY BIT(0)
+#define FST_RO_MASK (FST_RDST | FST_RDY)
+
+#define FADDR_BYTEADDR(rv) extract32((rv), 0, 10)
+#define FADDR_BITPOS(rv) extract32((rv), 10, 3)
+
+#define FDATA_CLEAR 0x00000001
+
+#define FCFG_FDIS BIT(31)
+#define FCFG_FCFGLK_MASK 0x00ff0000
+
+#define FCTL_PROG_CMD1 0x00000001
+#define FCTL_PROG_CMD2 0xbf79e5d0
+#define FCTL_READ_CMD 0x00000002
+
+/**
+ * struct NPCM7xxOTPClass - OTP module class.
+ * @parent: System bus device class.
+ * @mmio_ops: MMIO register operations for this type of module.
+ *
+ * The two OTP modules (key-storage and fuse-array) have slightly different
+ * behavior, so we give them different MMIO register operations.
+ */
+struct NPCM7xxOTPClass {
+ SysBusDeviceClass parent;
+
+ const MemoryRegionOps *mmio_ops;
+};
+
+#define NPCM7XX_OTP_CLASS(klass) \
+ OBJECT_CLASS_CHECK(NPCM7xxOTPClass, (klass), TYPE_NPCM7XX_OTP)
+#define NPCM7XX_OTP_GET_CLASS(obj) \
+ OBJECT_GET_CLASS(NPCM7xxOTPClass, (obj), TYPE_NPCM7XX_OTP)
+
+static uint8_t ecc_encode_nibble(uint8_t n)
+{
+ uint8_t result = n;
+
+ result |= (((n >> 0) & 1) ^ ((n >> 1) & 1)) << 4;
+ result |= (((n >> 2) & 1) ^ ((n >> 3) & 1)) << 5;
+ result |= (((n >> 0) & 1) ^ ((n >> 2) & 1)) << 6;
+ result |= (((n >> 1) & 1) ^ ((n >> 3) & 1)) << 7;
+
+ return result;
+}
+
+void npcm7xx_otp_array_write(NPCM7xxOTPState *s, const void *data,
+ unsigned int offset, unsigned int len)
+{
+ const uint8_t *src = data;
+ uint8_t *dst = &s->array[offset];
+
+ while (len-- > 0) {
+ uint8_t c = *src++;
+
+ *dst++ = ecc_encode_nibble(extract8(c, 0, 4));
+ *dst++ = ecc_encode_nibble(extract8(c, 4, 4));
+ }
+}
+
+/* Common register read handler for both OTP classes. */
+static uint64_t npcm7xx_otp_read(NPCM7xxOTPState *s, NPCM7xxOTPRegister reg)
+{
+ uint32_t value = 0;
+
+ switch (reg) {
+ case NPCM7XX_OTP_FST:
+ case NPCM7XX_OTP_FADDR:
+ case NPCM7XX_OTP_FDATA:
+ case NPCM7XX_OTP_FCFG:
+ value = s->regs[reg];
+ break;
+
+ case NPCM7XX_OTP_FCTL:
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: read from write-only FCTL register\n",
+ DEVICE(s)->canonical_path);
+ break;
+
+ default:
+ qemu_log_mask(LOG_GUEST_ERROR, "%s: read from invalid offset 0x%zx\n",
+ DEVICE(s)->canonical_path, reg * sizeof(uint32_t));
+ break;
+ }
+
+ return value;
+}
+
+/* Read a byte from the OTP array into the data register. */
+static void npcm7xx_otp_read_array(NPCM7xxOTPState *s)
+{
+ uint32_t faddr = s->regs[NPCM7XX_OTP_FADDR];
+
+ s->regs[NPCM7XX_OTP_FDATA] = s->array[FADDR_BYTEADDR(faddr)];
+ s->regs[NPCM7XX_OTP_FST] |= FST_RDST | FST_RDY;
+}
+
+/* Program a byte from the data register into the OTP array. */
+static void npcm7xx_otp_program_array(NPCM7xxOTPState *s)
+{
+ uint32_t faddr = s->regs[NPCM7XX_OTP_FADDR];
+
+ /* Bits can only go 0->1, never 1->0. */
+ s->array[FADDR_BYTEADDR(faddr)] |= (1U << FADDR_BITPOS(faddr));
+ s->regs[NPCM7XX_OTP_FST] |= FST_RDST | FST_RDY;
+}
+
+/* Compute the next value of the FCFG register. */
+static uint32_t npcm7xx_otp_compute_fcfg(uint32_t cur_value, uint32_t new_value)
+{
+ uint32_t lock_mask;
+ uint32_t value;
+
+ /*
+ * FCFGLK holds sticky bits 16..23, indicating which bits in FPRGLK (8..15)
+ * and FRDLK (0..7) that are read-only.
+ */
+ lock_mask = (cur_value & FCFG_FCFGLK_MASK) >> 8;
+ lock_mask |= lock_mask >> 8;
+ /* FDIS and FCFGLK bits are sticky (write 1 to set; can't clear). */
+ value = cur_value & (FCFG_FDIS | FCFG_FCFGLK_MASK);
+ /* Preserve read-only bits in FPRGLK and FRDLK */
+ value |= cur_value & lock_mask;
+ /* Set all bits that aren't read-only. */
+ value |= new_value & ~lock_mask;
+
+ return value;
+}
+
+/* Common register write handler for both OTP classes. */
+static void npcm7xx_otp_write(NPCM7xxOTPState *s, NPCM7xxOTPRegister reg,
+ uint32_t value)
+{
+ switch (reg) {
+ case NPCM7XX_OTP_FST:
+ /* RDST is cleared by writing 1 to it. */
+ if (value & FST_RDST) {
+ s->regs[NPCM7XX_OTP_FST] &= ~FST_RDST;
+ }
+ /* Preserve read-only and write-one-to-clear bits */
+ value &= ~FST_RO_MASK;
+ value |= s->regs[NPCM7XX_OTP_FST] & FST_RO_MASK;
+ break;
+
+ case NPCM7XX_OTP_FADDR:
+ break;
+
+ case NPCM7XX_OTP_FDATA:
+ /*
+ * This register is cleared by writing a magic value to it; no other
+ * values can be written.
+ */
+ if (value == FDATA_CLEAR) {
+ value = 0;
+ } else {
+ value = s->regs[NPCM7XX_OTP_FDATA];
+ }
+ break;
+
+ case NPCM7XX_OTP_FCFG:
+ value = npcm7xx_otp_compute_fcfg(s->regs[NPCM7XX_OTP_FCFG], value);
+ break;
+
+ case NPCM7XX_OTP_FCTL:
+ switch (value) {
+ case FCTL_READ_CMD:
+ npcm7xx_otp_read_array(s);
+ break;
+
+ case FCTL_PROG_CMD1:
+ /*
+ * Programming requires writing two separate magic values to this
+ * register; this is the first one. Just store it so it can be
+ * verified later when the second magic value is received.
+ */
+ break;
+
+ case FCTL_PROG_CMD2:
+ /*
+ * Only initiate programming if we received the first half of the
+ * command immediately before this one.
+ */
+ if (s->regs[NPCM7XX_OTP_FCTL] == FCTL_PROG_CMD1) {
+ npcm7xx_otp_program_array(s);
+ }
+ break;
+
+ default:
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: unrecognized FCNTL value 0x%" PRIx32 "\n",
+ DEVICE(s)->canonical_path, value);
+ break;
+ }
+ if (value != FCTL_PROG_CMD1) {
+ value = 0;
+ }
+ break;
+
+ default:
+ qemu_log_mask(LOG_GUEST_ERROR, "%s: write to invalid offset 0x%zx\n",
+ DEVICE(s)->canonical_path, reg * sizeof(uint32_t));
+ return;
+ }
+
+ s->regs[reg] = value;
+}
+
+/* Register read handler specific to the fuse array OTP module. */
+static uint64_t npcm7xx_fuse_array_read(void *opaque, hwaddr addr,
+ unsigned int size)
+{
+ NPCM7xxOTPRegister reg = addr / sizeof(uint32_t);
+ NPCM7xxOTPState *s = opaque;
+ uint32_t value;
+
+ /*
+ * Only the Fuse Strap register needs special handling; all other registers
+ * work the same way for both kinds of OTP modules.
+ */
+ if (reg != NPCM7XX_OTP_FUSTRAP) {
+ value = npcm7xx_otp_read(s, reg);
+ } else {
+ /* FUSTRAP is stored as three copies in the OTP array. */
+ uint32_t fustrap[3];
+
+ memcpy(fustrap, &s->array[0], sizeof(fustrap));
+
+ /* Determine value by a majority vote on each bit. */
+ value = (fustrap[0] & fustrap[1]) | (fustrap[0] & fustrap[2]) |
+ (fustrap[1] & fustrap[2]);
+ }
+
+ return value;
+}
+
+/* Register write handler specific to the fuse array OTP module. */
+static void npcm7xx_fuse_array_write(void *opaque, hwaddr addr, uint64_t v,
+ unsigned int size)
+{
+ NPCM7xxOTPRegister reg = addr / sizeof(uint32_t);
+ NPCM7xxOTPState *s = opaque;
+
+ /*
+ * The Fuse Strap register is read-only. Other registers are handled by
+ * common code.
+ */
+ if (reg != NPCM7XX_OTP_FUSTRAP) {
+ npcm7xx_otp_write(s, reg, v);
+ }
+}
+
+static const MemoryRegionOps npcm7xx_fuse_array_ops = {
+ .read = npcm7xx_fuse_array_read,
+ .write = npcm7xx_fuse_array_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .valid = {
+ .min_access_size = 4,
+ .max_access_size = 4,
+ .unaligned = false,
+ },
+};
+
+/* Register read handler specific to the key storage OTP module. */
+static uint64_t npcm7xx_key_storage_read(void *opaque, hwaddr addr,
+ unsigned int size)
+{
+ NPCM7xxOTPRegister reg = addr / sizeof(uint32_t);
+ NPCM7xxOTPState *s = opaque;
+
+ /*
+ * Only the Fuse Key Index register needs special handling; all other
+ * registers work the same way for both kinds of OTP modules.
+ */
+ if (reg != NPCM7XX_OTP_FKEYIND) {
+ return npcm7xx_otp_read(s, reg);
+ }
+
+ qemu_log_mask(LOG_UNIMP, "%s: FKEYIND is not implemented\n", __func__);
+
+ return s->regs[NPCM7XX_OTP_FKEYIND];
+}
+
+/* Register write handler specific to the key storage OTP module. */
+static void npcm7xx_key_storage_write(void *opaque, hwaddr addr, uint64_t v,
+ unsigned int size)
+{
+ NPCM7xxOTPRegister reg = addr / sizeof(uint32_t);
+ NPCM7xxOTPState *s = opaque;
+
+ /*
+ * Only the Fuse Key Index register needs special handling; all other
+ * registers work the same way for both kinds of OTP modules.
+ */
+ if (reg != NPCM7XX_OTP_FKEYIND) {
+ npcm7xx_otp_write(s, reg, v);
+ return;
+ }
+
+ qemu_log_mask(LOG_UNIMP, "%s: FKEYIND is not implemented\n", __func__);
+
+ s->regs[NPCM7XX_OTP_FKEYIND] = v;
+}
+
+static const MemoryRegionOps npcm7xx_key_storage_ops = {
+ .read = npcm7xx_key_storage_read,
+ .write = npcm7xx_key_storage_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .valid = {
+ .min_access_size = 4,
+ .max_access_size = 4,
+ .unaligned = false,
+ },
+};
+
+static void npcm7xx_otp_enter_reset(Object *obj, ResetType type)
+{
+ NPCM7xxOTPState *s = NPCM7XX_OTP(obj);
+
+ memset(s->regs, 0, sizeof(s->regs));
+
+ s->regs[NPCM7XX_OTP_FST] = 0x00000001;
+ s->regs[NPCM7XX_OTP_FCFG] = 0x20000000;
+}
+
+static void npcm7xx_otp_realize(DeviceState *dev, Error **errp)
+{
+ NPCM7xxOTPClass *oc = NPCM7XX_OTP_GET_CLASS(dev);
+ NPCM7xxOTPState *s = NPCM7XX_OTP(dev);
+ SysBusDevice *sbd = &s->parent;
+
+ memset(s->array, 0, sizeof(s->array));
+
+ memory_region_init_io(&s->mmio, OBJECT(s), oc->mmio_ops, s, "regs",
+ NPCM7XX_OTP_REGS_SIZE);
+ sysbus_init_mmio(sbd, &s->mmio);
+}
+
+static const VMStateDescription vmstate_npcm7xx_otp = {
+ .name = "npcm7xx-otp",
+ .version_id = 0,
+ .minimum_version_id = 0,
+ .fields = (VMStateField[]) {
+ VMSTATE_UINT32_ARRAY(regs, NPCM7xxOTPState, NPCM7XX_OTP_NR_REGS),
+ VMSTATE_UINT8_ARRAY(array, NPCM7xxOTPState, NPCM7XX_OTP_ARRAY_BYTES),
+ VMSTATE_END_OF_LIST(),
+ },
+};
+
+static void npcm7xx_otp_class_init(ObjectClass *klass, void *data)
+{
+ ResettableClass *rc = RESETTABLE_CLASS(klass);
+ DeviceClass *dc = DEVICE_CLASS(klass);
+
+ QEMU_BUILD_BUG_ON(NPCM7XX_OTP_REGS_END > NPCM7XX_OTP_NR_REGS);
+
+ dc->realize = npcm7xx_otp_realize;
+ dc->vmsd = &vmstate_npcm7xx_otp;
+ rc->phases.enter = npcm7xx_otp_enter_reset;
+}
+
+static void npcm7xx_key_storage_class_init(ObjectClass *klass, void *data)
+{
+ NPCM7xxOTPClass *oc = NPCM7XX_OTP_CLASS(klass);
+
+ oc->mmio_ops = &npcm7xx_key_storage_ops;
+}
+
+static void
npcm7xx_fuse_array_class_init(ObjectClass *klass, void *data) +{ + NPCM7xxOTPClass *oc = NPCM7XX_OTP_CLASS(klass); + + oc->mmio_ops = &npcm7xx_fuse_array_ops; +} + +static const TypeInfo npcm7xx_otp_types[] = { + { + .name = TYPE_NPCM7XX_OTP, + .parent = TYPE_SYS_BUS_DEVICE, + .instance_size = sizeof(NPCM7xxOTPState), + .class_init = npcm7xx_otp_class_init, + .abstract = true, + }, + { + .name = TYPE_NPCM7XX_KEY_STORAGE, + .parent = TYPE_NPCM7XX_OTP, + .class_init = npcm7xx_key_storage_class_init, + }, + { + .name = TYPE_NPCM7XX_FUSE_ARRAY, + .parent = TYPE_NPCM7XX_OTP, + .class_init = npcm7xx_fuse_array_class_init, + }, +}; +DEFINE_TYPES(npcm7xx_otp_types); diff --git a/hw/nvram/meson.build b/hw/nvram/meson.build index ba214558ac..1f2ed013b2 100644 --- a/hw/nvram/meson.build +++ b/hw/nvram/meson.build @@ -4,6 +4,7 @@ softmmu_ss.add(when: 'CONFIG_DS1225Y', if_true: files('ds1225y.c')) softmmu_ss.add(when: 'CONFIG_NMC93XX_EEPROM', if_true: files('eeprom93xx.c')) softmmu_ss.add(when: 'CONFIG_AT24C', if_true: files('eeprom_at24c.c')) softmmu_ss.add(when: 'CONFIG_MAC_NVRAM', if_true: files('mac_nvram.c')) +softmmu_ss.add(when: 'CONFIG_NPCM7XX', if_true: files('npcm7xx_otp.c')) softmmu_ss.add(when: 'CONFIG_NRF51_SOC', if_true: files('nrf51_nvm.c')) specific_ss.add(when: 'CONFIG_PSERIES', if_true: files('spapr_nvram.c'))
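Review bot: `npcm7xx_otp_array_write()` is exported through the header but stores `2 * len` bytes starting at `&s->array[offset]` without comparing either argument with the size of `s->array`. The one caller in this patch passes values that fit, but a later caller with a larger offset or length would write past the array into the rest of the device state. A guard at the top of the function turns that into an immediate, diagnosable failure: `g_assert(offset <= sizeof(s->array) && len <= (sizeof(s->array) - offset) / 2);`.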