Add basic static PMA support (#866)

Add basic support for static PMAs specified in the config file. Support
for the AMO level is not fully added yet because it needs to be added to
`AccessType`.

This also adds an implication operator `==>` which is useful for writing
SMT properties.

Author: Tim Hutt

README.md

@@ -131,6 +131,7 @@ For booting operating system images, see the information under the
 - Svinval extension for fine-grained address-translation cache invalidation, v1.0
 - Svrsw60t59b extension for PTE reserved-for-software bits 60-59, v1.0
 - Physical Memory Protection (PMP)
+- Static memory regions with some static PMAs (Physical Memory Attributes)
 
 <!-- Uncomment the following section when unratified extensions are added
 The following unratified extensions are supported and can be enabled using the `--enable-experimental-extensions` flag:

c_emulator/riscv_sim.cpp

@@ -280,16 +280,7 @@ uint64_t load_sail(const std::string &filename, bool main_file)
 
 void write_dtb_to_rom(const std::vector<uint8_t> &dtb)
 {
-  uint64_t rom_base = get_config_uint64({"platform", "rom", "base"});
-  uint64_t rom_size = get_config_uint64({"platform", "rom", "size"});
-
-  uint64_t addr = rom_base;
-
-  if (dtb.size() > rom_size) {
-    throw std::runtime_error("DTB (" + std::to_string(dtb.size())
-                             + " bytes) does not fit in platform.rom.size ("
-                             + std::to_string(rom_size) + " bytes).");
-  }
+  uint64_t addr = get_config_uint64({"memory", "dtb_address"});
 
   for (uint8_t d : dtb) {
     write_mem(addr++, d);

config/config.json.in

@@ -27,6 +27,9 @@
       "na4_supported": true,
       "napot_supported": true
     },
+    // This controls global support for misaligned access so it is
+    // checked before address translation. "misaligned_fault" in
+    // "regions" is checked after address translation.
     "misaligned": {
       "supported": true,
       "byte_by_byte": false,
@@ -35,23 +38,95 @@
     },
     "translation": {
       "dirty_update": false
-    }
+    },
+    // Address to write DTB to (if provided).
+    "dtb_address": {
+      "len": 64,
+      "value": "0x1000"
+    },
+    "regions": [
+      // ROM
+      {
+        "base": {
+          "len": 64,
+          "value": "0x1000"
+        },
+        "size": {
+          "len": 64,
+          "value": "0x1000"
+        },
+        "attributes": {
+          "cacheable": true,
+          "coherent": true,
+          "executable": false,
+          "readable": true,
+          "writable": false,
+          "read_idempotent": true,
+          "write_idempotent": true,
+          "misaligned_fault": "NoFault",
+          "reservability": "RsrvNone",
+          "supports_cbo_zero": false
+        },
+        "include_in_device_tree": false
+      },
+      // MMIO
+      {
+        "base": {
+          "len": 64,
+          "value": "0x2000000"
+        },
+        "size": {
+          "len": 64,
+          "value": "0x2000000"
+        },
+        "attributes": {
+          "cacheable": false,
+          "coherent": true,
+          "executable": false,
+          "readable": true,
+          "writable": true,
+          "read_idempotent": false,
+          "write_idempotent": false,
+          "misaligned_fault": "AlignmentFault",
+          "reservability": "RsrvNone",
+          "supports_cbo_zero": false
+        },
+        "include_in_device_tree": false
+      },
+      // RAM
+      {
+        "base": {
+          "len": 64,
+          "value": "0x80000000"
+        },
+        "size": {
+          "len": 64,
+          "value": "0x80000000"
+        },
+        "attributes": {
+          "cacheable": true,
+          "coherent": true,
+          "executable": true,
+          "readable": true,
+          "writable": true,
+          "read_idempotent": true,
+          "write_idempotent": true,
+          "misaligned_fault": "NoFault",
+          "reservability": "RsrvEventual",
+          "supports_cbo_zero": true
+        },
+        "include_in_device_tree": true
+      }
+    ]
   },
   "platform": {
     "vendorid": 0,
     "archid": 0,
     "impid": 0,
     "hartid": 0,
     "cache_block_size_exp": 6,
-    "ram": {
-      "base": 2147483648,
-      "size": 2147483648
-    },
-    "rom": {
-      "base": 4096,
-      "size": 4096
-    },
     "clint": {
+      // This must be in a suitable memory region (see memory.regions).
       "base": 33554432,
       "size": 786432
     },

doc/ChangeLog.md

@@ -36,6 +36,9 @@
 
 - Linux boot is now tested in CI.
 
+- Support for specifying arbitrary memory regions and some basic
+  static PMAs (Physical Memory Attributes) has been added.
+
 # Release notes for the 0.8 release
 
 This is a major release with some backwards-incompatible changes.

model/core/prelude.sail

@@ -160,6 +160,10 @@ function operator >_u  (x, y) = unsigned(x) > unsigned(y)
 function operator <=_u (x, y) = unsigned(x) <= unsigned(y)
 function operator >=_u (x, y) = unsigned(x) >= unsigned(y)
 
+// Implication. This has the lowest precedence.
+infix 1 ==>
+function operator ==> (x : bool, y : bool) -> bool = not(x) | y
+
 infix 7 >>
 infix 7 <<
 

model/core/range_util.sail

@@ -0,0 +1,53 @@
+// =======================================================================================
+// This Sail RISC-V architecture model, comprising all files and
+// directories except where otherwise noted is subject the BSD
+// two-clause license in the LICENSE file.
+//
+// SPDX-License-Identifier: BSD-2-Clause
+// =======================================================================================
+
+// Return true if the right-open range `a` is a subset of `b` (or equal to it).
+// Ranges wrap around the end. The 64 bit limit is just so Sail generates more
+// efficient C code.
+function range_subset forall 'n, 0 <= 'n <= 64 . (
+  a_begin : bits('n),
+  a_size  : bits('n),
+  b_begin : bits('n),
+  b_size  : bits('n),
+) -> bool = {
+  // Rotate so that be starts at 0.
+  let a_end = (a_begin + a_size) - b_begin;
+  let b_end = (b_begin + b_size) - b_begin;
+  let a_begin = a_begin - b_begin;
+  a_begin <=_u b_end & a_end <=_u b_end & a_begin <=_u a_end
+}
+
+$[test]
+function test_range_subset() -> unit = {
+  assert(range_subset(0x0, 0x0, 0x0, 0x0));
+  assert(range_subset(0x1, 0x0, 0x1, 0x0));
+  assert(range_subset(0x0, 0x0, 0x0, 0x1));
+  assert(range_subset(0x1, 0x0, 0x0, 0x1));
+  assert(range_subset(0x8, 0xc, 0x8, 0xc));
+  assert(not(range_subset(0x8, 0xc, 0x9, 0xc)));
+  assert(not(range_subset(0x8, 0xc, 0x8, 0xb)));
+  assert(not(range_subset(0x3e, 0xe0, 0xc1, 0x9f)));
+  assert(not(range_subset(0xc1, 0x9f, 0x3e, 0xe0)));
+}
+
+// Check if two ranges are subsets of each other they must be equal.
+$[property]
+function range_subset_equals(a_begin : bits(8), a_size : bits(8), b_begin : bits(8), b_size : bits(8)) -> bool =
+  range_subset(a_begin, a_size, b_begin, b_size) & range_subset(b_begin, b_size, a_begin, a_size)
+    ==> (a_begin == b_begin & a_size == b_size)
+
+// Check that if A is a subset of B, then all indices in A must be in B.
+// Also check that an index exists that is in A but not B then A cannot be a subset of B.
+$[property]
+function range_subset_precise(a_begin : bits(8), a_size : bits(8), b_begin : bits(8), b_size : bits(8), index : bits(8)) -> bool = {
+  let index_in_a = (index - a_begin) <_u a_size;
+  let index_in_b = (index - b_begin) <_u b_size;
+  let is_subset = range_subset(a_begin, a_size, b_begin, b_size);
+
+  (is_subset & index_in_a ==> index_in_b) & ((index_in_a & not(index_in_b)) ==> not(is_subset))
+}

model/extensions/Zicbom/zicbom_insts.sail

@@ -98,8 +98,8 @@ function process_clean_inval(rs1, cbop) = {
           // the proper Cache access type when it is available. See
           // https://github.com/riscv/sail-riscv/pull/792
           let ep = effectivePrivilege(Read(Data), mstatus, cur_privilege);
-          let exc_read = phys_access_check(Read(Data), ep, paddr, cache_block_size);
-          let exc_write = phys_access_check(Write(Data), ep, paddr, cache_block_size);
+          let exc_read = phys_access_check(Read(Data), ep, paddr, cache_block_size, false);
+          let exc_write = phys_access_check(Write(Data), ep, paddr, cache_block_size, false);
           match (exc_read, exc_write) {
             // Access is permitted if read OR write are allowed. If neither
             // are allowed then we always report a store exception.

model/postlude/device_tree.sail

@@ -99,12 +99,29 @@ function generate_isa_string(fmt : ISA_Format) -> string = {
 
 // Generates the full Device-Tree configuration for the model.
 
+function generate_dts_memories(pmas : list(PMA_Region)) -> string =
+  match pmas {
+    [||] => "",
+    pma :: rest => {
+      if pma.include_in_device_tree then {
+        let base_hi = unsigned(pma.base >> 32);
+        let base_lo = unsigned(pma.base[31 .. 0]);
+        let size_hi = unsigned(pma.size >> 32);
+        let size_lo = unsigned(pma.size[31 .. 0]);
+
+          "  memory@" ^ string_drop(hex_str(unsigned(pma.base)), 2) ^ " {\n"
+        ^ "    device_type = \"memory\";\n"
+        ^ "    reg = <" ^ hex_str(base_hi) ^ " " ^ hex_str(base_lo)
+        ^ " " ^ hex_str(size_hi) ^ " " ^ hex_str(size_lo) ^ ">;\n"
+        ^ "  };\n"
+        ^ generate_dts_memories(rest)
+      } else generate_dts_memories(rest)
+    }
+  }
+
 function generate_dts() -> string = {
   let clock_freq : nat = config platform.clock_frequency;
-  let ram_base_hi = unsigned(plat_ram_base >> 32);
-  let ram_base_lo = unsigned(plat_ram_base[31 .. 0]);
-  let ram_size_hi = unsigned(plat_ram_size >> 32);
-  let ram_size_lo = unsigned(plat_ram_size[31 .. 0]);
+
   let clint_base_hi = unsigned(plat_clint_base >> 32);
   let clint_base_lo = unsigned(plat_clint_base[31 .. 0]);
   let clint_size_hi = unsigned(plat_clint_size >> 32);
@@ -148,11 +165,8 @@ function generate_dts() -> string = {
 ^ "      };\n"
 ^ "    };\n"
 ^ "  };\n"
-^ "  memory@" ^ string_drop(hex_str(unsigned(plat_ram_base)), 2) ^ " {\n"
-^ "    device_type = \"memory\";\n"
-^ "    reg = <" ^ hex_str(ram_base_hi) ^ " " ^ hex_str(ram_base_lo)
-^ " " ^ hex_str(ram_size_hi) ^ " " ^ hex_str(ram_size_lo) ^ ">;\n"
-^ "  };\n"
+^ generate_dts_memories(pma_regions)
+
 ^ "  soc {\n"
 ^ "    #address-cells = <2>;\n"
 ^ "    #size-cells = <2>;\n"

model/postlude/model.sail

@@ -36,5 +36,5 @@ function init_model(config_filename : string) -> unit = {
 // See https://github.com/torvalds/linux/blob/master/Documentation/arch/riscv/boot.rst
 function init_boot_requirements() -> unit = {
   X(Regno(10)) = mhartid;
-  X(Regno(11)) = to_bits_checked(config platform.rom.base : int);
+  X(Regno(11)) = trunc(config memory.dtb_address : bits(64));
 }

model/postlude/validate_config.sail

@@ -177,39 +177,27 @@ function check_vext_config() -> bool = {
   valid;
 }
 
-function has_overlap(a_lo : nat, a_hi : nat, b_lo : nat, b_hi : nat) -> bool = {
-  not((a_lo < b_lo & a_hi < b_lo) | (b_lo < a_lo & b_hi < a_lo))
-}
-
-// This will change when we have a more general memory layout.
-function check_mem_layout() -> bool = {
-  var valid : bool = true;
-  // Memory regions should not overlap. There are currently only three: ram, rom and clint.
-  let ram_lo = unsigned(plat_ram_base);
-  let ram_hi = unsigned(plat_ram_base) + unsigned(plat_ram_size);
-  let rom_lo = unsigned(plat_rom_base);
-  let rom_hi = unsigned(plat_rom_base) + unsigned(plat_rom_size);
-  let clint_lo = unsigned(plat_clint_base);
-  let clint_hi = unsigned(plat_clint_base) + unsigned(plat_clint_size);
-  if has_overlap(rom_lo, rom_hi, ram_lo, ram_hi)
-  then {
-    valid = false;
-    print_endline("The RAM and ROM regions overlap.");
-  };
-  if has_overlap(clint_lo, clint_hi, rom_lo, rom_hi)
-  then {
-    valid = false;
-    print_endline("The Clint and ROM regions overlap.");
-  };
-  if has_overlap(clint_lo, clint_hi, ram_lo, ram_hi)
-  then {
-    valid = false;
-    print_endline("The Clint and RAM regions overlap.");
-  };
+// Return true if a list of PMA regions are sorted and don't overlap.
+function check_pma_regions(pmas : list(PMA_Region), prev_base : bits(64), prev_size : bits(64)) -> bool =
+  match pmas {
+    [||] => true,
+    pma :: rest => {
+      if pma.base <_u prev_base + prev_size then {
+        print_endline("Memory region starting at " ^ bits_str(pma.base) ^
+                      " is not above the end of the previous region starting at " ^
+                      bits_str(prev_base) ^ " and ending at " ^ bits_str(prev_base + prev_size) ^ ".");
+        return false;
+      };
+      check_pma_regions(rest, pma.base, pma.size)
+    },
+  }
 
-  // Should memory regions also be 4K aligned?
-  valid
-}
+// Check that all memory regions are sorted and don't overlap.
+function check_mem_layout() -> bool =
+  if pma_regions == [||] then {
+    print_endline("No memory regions specified.");
+    false
+  } else check_pma_regions(pma_regions, zeros(), zeros())
 
 function check_pmp() -> bool = {
   var valid : bool = true;