gdbstub memory accesses performed with wrong attributes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned |
Bug Description
Qemu-commit: b2f7c27f56bf111
The ARMv8-M architecture (with security extensions) contains a SAU, the Security Attribution Unit. After booting the mps2-an505 and immediately halting (`-S`), I attempt to read the SAU_TYPE register, located at 0xE000EDD4, using gdb (x 0xE000EDD4). The returned value is 0, while the expected value is 8 (number of regions).
On further investigation, it seems that `attrs.secure` is set to false (armv7m_nvic.c - nvic_readl, line 1167). Commenting out the check will return the correct value.
As the CPU should be in 'secure' mode after reset, I think this behavior is wrong.
Steps to reproduce:
Example code that loads an endless loop into the beginning of secure memory: https:/
Commandline: qemu-system-arm -machine mps2-an505 -cpu cortex-m33 \
-nographic -serial mon:stdio \
Attach with arm-none-eabi-gdb, and run x 0xE000EDD4.
information type: | Public → Public Security |
information type: | Public Security → Public |
Changed in qemu: | |
status: | Fix Committed → Fix Released |
This is not an issue with the CPU emulation, it is a bug in the gdb memory read/write path, which currently effectively always does its accesses as nonsecure. The CPU itself is correctly coming out of reset in secure mode and will be able to read the correct value of the register.
I suspect that the following change will fix this: .2f0f40b0be6 100644 rw_debug( CPUState *cpu, target_ulong addr,
address_ space_write_ rom(cpu- >cpu_ases[ asidx]. as, phys_addr, UNSPECIFIED,
address_ space_rw( cpu->cpu_ ases[asidx] .as, phys_addr, UNSPECIFIED,
diff --git a/exec.c b/exec.c
index 6e875f0640a.
--- a/exec.c
+++ b/exec.c
@@ -3881,12 +3881,10 @@ int cpu_memory_
phys_addr += (addr & ~TARGET_PAGE_MASK);
if (is_write) {
- MEMTXATTRS_
- buf, l);
+ attrs, buf, l);
} else {
- MEMTXATTRS_
- buf, l, 0);
+ attrs, buf, l, 0);
}
len -= l;
buf += l;
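Review bot: the hunk passes `attrs` to both the write-path (`address_space_write_rom`) and read-path (`address_space_rw`) calls in `cpu_memory_rw_debug`, but neither the declaration of `attrs` nor the point where it is filled in is visible in this hunk's context, so it should be confirmed that `attrs` is the `MemTxAttrs` returned by the per-page debug address lookup earlier in the same loop and not an uninitialized local; otherwise the access would still not carry the CPU's current secure state, which is exactly what this change is meant to fix. The removed lines are also truncated here (they end at `MEMTXATTRS_`), so the proper patch should be posted with full context for review.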
I'll test it later today and send it as a proper patch if it works.