Zkr architecture doesn't define a time limit on state transitions
which results in hanging on unresponsive or event-driven platforms.
To prevent this, we need to limit polling iterations and fall back
in case the budget is over, and stack guard keeps its initial value.
The budget is configurable with CONFIG_ZKR_POLL_BUDGET, defaulting
to 1000 iterations. Successful reads do not consume a try.
Signed-off-by: Evgeny Voevodin <evvoevod@tenstorrent.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260519225014.244672-1-evvoevod@tenstorrent.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Instead of parsing ISA extensions separately for each hart in the
generic_extensions_init() function, it is better to parse ISA extensions
for all available harts in the cold boot path. Also, this allows us
to remove fdt_isa_bitmap from scratch space and directly initialize
"extensions" in struct sbi_hart_features for each hart.
Signed-off-by: Anup Patel <anup.patel@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260521082625.1520870-3-anup.patel@oss.qualcomm.com
Signed-off-by: Anup Patel <anup@brainfault.org>
UBSan (Undefined Behavior Sanitizer) is a tool implemented using
compiler instrumentation at runtime that allows checking for
statements whose output is not deterministic or defined by the C
standard. Compiling and running OpenSBI with UBSan instrumentation
will print a message in the console if any sentence performs such
an action.
Support involves two main components:
1. The UBSan implementation hooks (derived from NetBSD),
used by the compiler to handle the check output.
2. A test suite integrated with the SBI unit test framework to
verify correct operation at runtime.
Usage:
make UBSAN=y PLATFORM=generic ...
The test suite is built when both UBSAN=y and CONFIG_SBIUNIT=y are
enabled.
When UBSan is enabled, FW_PAYLOAD_OFFSET may need to be increased
due to the size increase added by the instrumentation. A
value of 0x400000 has been tested.
UBSan adds runtime overhead and is intended for development builds
only, not for production.
Note: This patch marks __stack_chk_guard in sbi_init.c as a weak
symbol to prevent multiple definition errors at compile time with
UBSan instrumentation enabled. This resolves the conflict
between the .globl definitions in sbi_init.c and test_head.S.
Signed-off-by: Marcos Oduardo <marcos.oduardo@gmail.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260515163321.2038366-1-marcos.oduardo@gmail.com
Signed-off-by: Anup Patel <anup@brainfault.org>
The following LLVM compile error is observed in sbi_mpxy.c:
CC lib/sbi/sbi_mpxy.o
lib/sbi/sbi_mpxy.c:535:36: error: result of comparison of constant 18446744073709551615 with
expression of type 'u32' (aka 'unsigned int') is always false [-Werror,-Wtautological-constant-out-of-range-compare]
535 | (attrs->msi_info.msi_addr_hi == INVALID_ADDR))
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~
lib/sbi/sbi_mpxy.c:534:36: error: result of comparison of constant 18446744073709551615 with
expression of type 'u32' (aka 'unsigned int') is always false [-Werror,-Wtautological-constant-out-of-range-compare]
534 | (attrs->msi_info.msi_addr_lo == INVALID_ADDR) &&
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~
2 errors generated.
To address the above issue, add u32 typecast to INVALID_ADDR.
Fixes: e92c8fd083 ("sbi: mpxy: define INVALID_ADDR using unsigned long width")
Fixes: 7939bf1329 ("lib: sbi: Add SBI Message Proxy (MPXY) framework")
Signed-off-by: Anup Patel <anup.patel@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260612062218.172726-1-anup.patel@oss.qualcomm.com
Signed-off-by: Anup Patel <anup@brainfault.org>
The payload for FW_PAYLOAD needs to be placed at a 2M/4M aligned address
(for 64/32 bit systems) and the current makefile uses FW_PAYLOAD_OFFSET
to achieve this. This only works if FW_TEXT_START is already 2M/4M
aligned. Most existing physical/virtual platforms have used a
FW_TEXT_START of 0x0 or 0x80000000, so this hasn't been an issue so far.
If, for example, FW_TEXT_START is 0x80000, the payload would end up
placed at 0x280000 on a 64 bit system, which isn't a 2M aligned
address.
Update the makefile to use FW_PAYLOAD_ALIGN instead. This will ensure
that the address picked for the payload is 2M/4M aligned irrespective of
where FW_TEXT_START is.
Signed-off-by: Anirudh Srinivasan <asrinivasan@oss.tenstorrent.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260508-payload_alignment-v1-1-6628b4ec1ed3@oss.tenstorrent.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Add rpmi_event_notification_state enum with disable, enable, and return
current state IDs. Also, add req_state field to rpmi_enable_notification_req
and current_state field to rpmi_enable_notification_resp for RPMI specification
compliance.
Add notification event ID enum and data structures for RPMI Performance
service group events: power change, limit change, and level change.
Signed-off-by: David E. Garcia Porras <david.garcia@aheadcomputing.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260608125257.3220114-4-anup.patel@oss.qualcomm.com
Signed-off-by: Anup Patel <anup@brainfault.org>
PMP functions that deal with hart PMP CSRs are given a sbi_hart_ prefix,
to distinguish from RISC-V PMP encoding functions.
The is_pmp_entry_mapped() function is changed a little more, to align
with other PMP conventions, and made to return a bool to make it more
obvious that it returns a bool and not an SBI_ return code.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260430045528.420437-8-npiggin@gmail.com
Signed-off-by: Anup Patel <anup@brainfault.org>
When switching between domains with different satp.MODE values (e.g.
Sv39 to Sv48), the RISC-V ISA permits hardware to use cached translations
from the old virtual-address width if no SFENCE.VMA intervenes. This
constrained-unpredictable behavior is clarified in riscv-isa-manual
PR #2219.
The hart protection re-configuration will anyway do full SFENCE / HFENCE
so move the hart protection re-configuration after register context switch
in switch_to_next_domain_context() to ensure translations from the new
domain's address width are used.
Link: https://github.com/riscv/riscv-isa-manual/pull/2219
Signed-off-by: Zishun Yi <vulab@iscas.ac.cn>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260429181747.160033-1-vulab@iscas.ac.cn
Signed-off-by: Anup Patel <anup@brainfault.org>
Add bit-field defines for the RPMI performance domain attributes flags
and fast-channel attributes flags as specified in the RPMI specification.
These are needed by platform implementations that provide RPMI
performance services (e.g. DVFS controllers).
Also add the missing db_write_value field to
rpmi_perf_get_fast_chn_attr_resp to match the RPMI spec layout.
Signed-off-by: David E. Garcia Porras <david.garcia@aheadcomputing.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260328054347.3706029-5-david.garcia@aheadcomputing.com
Signed-off-by: Anup Patel <anup@brainfault.org>
This patch adds proper support for per-domain floating-point (FP) and
vector (V) contexts in the domain context switch logic. Each domain
now maintains its own FP and vector state, which is saved and restored
during domain switches.
Conditionalize FP and Vector save/restore based on extensions, unconditional
save and restore of floating-point (FP) and Vector registers fails on
generic platform firmware. This firmware must run on multiple platforms
that may lack these extensions.
Address this by conditionally executing FP save/restore only if the underlying
hart supports the F or D extensions. Similarly, perform Vector save/restore
only if the hart supports the Vector extension.
This improves support for multi-domain systems with FP and Vector
extensions, and prevents corruption of FP/Vector state during domain
switches.
Signed-off-by: Dave Patel <dave.patel@riscstar.com>
Signed-off-by: Anup Patel <anup.patel@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518083023.997323-4-anup.patel@oss.qualcomm.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Add support for saving and restoring RISC-V floating-point (F/D) extension
state in OpenSBI. This introduces a floating-point context structure and
helper routines to perform full context save and restore.
The floating-point context includes storage for all 32 FPi registers (f0–f31)
along with the fcsr control and status register. The register state is saved
and restored using double-precision load/store instructions (fsd/fld), and
single-precision load/store instructions (fsw/flw) on an RV64 system with
F and D-extension support.
The implementation follows an eager context switching model where the entire
FP state is saved and restored on every context switch. This avoids the need
for trap-based lazy management and keeps the design simple and deterministic.
Signed-off-by: Dave Patel <dave.patel@riscstar.com>
Signed-off-by: Anup Patel <anup.patel@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518083023.997323-3-anup.patel@oss.qualcomm.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Eager context switch: Add support for saving and restoring RISC-V vector
extension state in OpenSBI. This introduces a per-hart vector context
structure and helper routines to perform full context save and restore.
The vector context includes vcsr CSRs along with storage for all 32 vector
registers. The register state is saved and restored using byte-wise vector
load/store instructions (vs8r/vl8r).
The implementation follows an eager context switching model where the entire
vector state is saved and restored on every context switch. This provides a
simple and deterministic mechanism without requiring lazy trap-based
management.
Signed-off-by: Dave Patel <dave.patel@riscstar.com>
Signed-off-by: Anup Patel <anup.patel@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518083023.997323-2-anup.patel@oss.qualcomm.com
Signed-off-by: Anup Patel <anup@brainfault.org>
sbi_domain_check_addr_range() computes `max = addr + size` without
checking for integer overflow. When a caller passes a size large enough
to wrap around (e.g. addr=0x80000000, size=0xFFFFFFFF80000000), max
becomes less than addr, causing the while(addr < max) validation loop
to be skipped entirely. The function then returns true without
performing any permission checks.
This allows an S-mode caller to bypass domain memory protection and
access M-mode memory through SBI extensions that use address range
validation (e.g. DBCN console write/read).
Add an overflow check after computing max: if size is non-zero and
max wrapped to a value <= addr, reject the request.
Signed-off-by: Takumi Hara <takumihara1226@gmail.com>
Reviewed-by: Rahul Pathak <rahul@summations.net>
Link: https://lore.kernel.org/r/20260319132232.51572-1-takumihara1226@gmail.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Add a simple SpacemiT I2C driver for basic byte transfers over the I2C
bus, prioritizing simplicity over performance. The driver operates in
PIO mode and does not use interrupts, FIFO, or DMA.
The controller is reset at the start of each transaction to ensure a
known initial state, regardless of prior configuration by the kernel.
This also avoids the need for additional error recovery code.
This will be used for communication with onboard PMIC to reset and
power-off the board.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Tested-by: Anand Moon <linux.amoon@gmail.com>
Link: https://lore.kernel.org/r/20260419150857.2705843-2-aurelien@aurel32.net
Signed-off-by: Anup Patel <anup@brainfault.org>
The reg_stride field represents the address stride in bytes between
consecutive registers. The Linux kernel regmap framework validates
register accesses using IS_ALIGNED(reg, map->reg_stride) as an address
alignment check (drivers/base/regmap/regmap.c). The Linux kernel syscon
driver (drivers/mfd/syscon.c) sets reg_stride directly to reg_io_width:
syscon_config.reg_stride = reg_io_width;
The current OpenSBI code incorrectly multiplies reg_io_width by 8,
converting a byte value to bits. Fix this by using reg_io_width directly
as the stride value, consistent with the Linux kernel.
Fixes: f21d8f7d59 ("lib: utils/regmap: Add simple FDT based syscon regmap driver")
Signed-off-by: David E. Garcia Porras <david.garcia@aheadcomputing.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260403202903.3407945-1-david.garcia@aheadcomputing.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Currently when searching for a hardware counter for an event, if no
programmable counter is available, the code falls back to using a fixed
counter (mcycle/minstret) if one matches the event.
However the fallback is incorrect when sscofpmf is present but
smcntrpmf is not. That's because with sscofpmf, programmable counters
support mode filtering, but the fixed counters do not (without
smcntrpmf). Even if the caller didn't configure mode filtering, by
default programmable counters don't count M mode when sscofpmf is
present, whereas mcycle/minstret do.
Fix the logic to not fallback to a fixed counter if sscofpmf is present
but smcntrpmf is not.
Fixes: 0c304b6619 ("lib: sbi: Allow programmable counters to monitor cycle/instret events")
Signed-off-by: Michael Ellerman <mpe@kernel.org>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260324-mcycle-fix-v1-1-1444e9fe5c32@kernel.org
Signed-off-by: Anup Patel <anup@brainfault.org>
When using GDB for debugging, if FW_TEXT_START is not set to 0x80000000
during compilation, the following error occurs:
Reading symbols from build/platform/generic/firmware/fw_payload.elf...
Remote debugging using localhost:1234
mips_warm_boot ()
at /home/zrmin/opensbi/platform/generic/mips/mips_warm_boot.S:11
11 j _start_warm
(gdb) b _start
Breakpoint 1 at 0x0: file /home/zrmin/opensbi/firmware/fw_base.S, line 50.
(gdb) c
Continuing.
Remote connection closed
(gdb)
With FW_TEXT_START=0x80000000, debugging works correctly:
Reading symbols from build/platform/generic/firmware/fw_payload.elf...
Remote debugging using localhost:1234
0x0000000000001000 in ?? ()
(gdb) b _start
Breakpoint 1 at 0x80000000: file /home/zrmin/opensbi/firmware/fw_base.S, line 50.
(gdb) c
Continuing.
Breakpoint 1, _start () at /home/zrmin/opensbi/firmware/fw_base.S:50
50 MOV_3R s0, a0, s1, a1, s2, a2
(gdb)
This is because QEMU loads OpenSBI at address 0x80000000. When
FW_TEXT_START does not match this address, the debug symbols are
incorrectly offset, causing GDB to fail to set breakpoints properly.
Signed-off-by: Zhang RunMin <runmin.zhang@ingenic.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260319125641.480161-1-runmin.zhang@ingenic.com
Signed-off-by: Anup Patel <anup@brainfault.org>
The following compile error is seen with LLVM compiler:
CC platform/generic/lib/utils/mpxy/fdt_mpxy_rpmi_mm.o
lib/utils/mpxy/fdt_mpxy_rpmi_mm.c:17:6: error: use of GNU 'missing =' extension in
designator [-Werror,-Wgnu-designator]
17 | [0] {
| ^
| =
lib/utils/mpxy/fdt_mpxy_rpmi_mm.c:24:6: error: use of GNU 'missing =' extension in
designator [-Werror,-Wgnu-designator]
24 | [1] {
| ^
| =
2 errors generated.
Add missing "=" in mm_srvcdata[] array initialization to address
the above issue.
Fixes: 0b041e58c0 ("lib: utils: Add MPXY client driver for RPMI MM service group")
Signed-off-by: Anup Patel <anup.patel@oss.qualcomm.com>
Reviewed-by: Ranbir Singh <ranbir.singh@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260509161849.2935816-1-anup.patel@oss.qualcomm.com
Signed-off-by: Anup Patel <anup@brainfault.org>
The location of the RNMI/E trap vectors in the Smrnmi extension is
implementation-defined, so platforms with vendor-specific NMI vector
mechanisms must install the firmware's NMI entry points themselves.
Add an smrnmi_handlers_init() callback to sbi_platform_operations that
receives the firmware entry points and lets platform code install them
at the hardware-specific vector locations. Two pointers are passed:
- _trap_rnmi_handler: the dedicated RNMI entry point that saves
context using the Smrnmi MN* CSRs and returns via mnret.
- _trap_handler: the regular M-mode trap entry since RNME is taken
as a regular M-mode trap with NMIE=0.
When Smrnmi is present, install the platform's NMI vectors via the new
callback, initialize MNSCRATCH with the per-hart scratch pointer, and
set MNSTATUS.NMIE.
Smrnmi-enabled platforms must register smrnmi_handlers_init; if the
extension is detected but no callback is registered, sbi_panic() is
called since enabling NMIs without handlers in place would route
subsequent traps into nowhere.
Signed-off-by: Evgeny Voevodin <evvoevod@tenstorrent.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/88b1470e1e3348d454b4b995a11a85c01914f7af.1778176768.git.evvoevod@tenstorrent.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Current placement of entropy initialization via Zkr extension requires a
trap-based mechanism to handle absent Zkr extension case. In presence of
Smrnmi extension no trap-based mechanisms should be used before Smrnmi is
detected and enabled otherwise trap will jump to undefined location.
Move stack guard initialization into init_coldboot function body after
device tree has been parsed so we know if Zkr extension is implemented by
the platform which helps to avoid trap-based discovery.
init_coldboot() is a safe place to initialize entropy because it doesn't
return so no check of __stack_chk_guard against value on entry
will be done.
Signed-off-by: Evgeny Voevodin <evvoevod@tenstorrent.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/acd52b0f3468758bc5f09e6a45662341b31d4d87.1778176768.git.evvoevod@tenstorrent.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Implement basic Resumable NMI (RNMI) handler support for the RISC-V
Smrnmi extension.
The new _trap_rnmi_handler assembly entry point saves context using the
Smrnmi MN* CSRs (MNSCRATCH, MNEPC, MNSTATUS, MNCAUSE) and returns via
mnret. It dispatches to sbi_trap_rnmi_handler(), which optionally calls
a platform-specific ops->rnmi_handler callback for actual NMI
processing. If no platform handler is registered or it fails, the
event is reported as an unhandled NMI.
The RNMI handler reuses the generic trap context structure but stores MN*
CSR values (MNEPC, MNSTATUS, MNCAUSE) into the corresponding generic
fields (mepc, mstatus, cause) for compatibility with existing trap
infrastructure.
Signed-off-by: Evgeny Voevodin <evvoevod@tenstorrent.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/050ae6d2762ba8d5b9dfb3cc1960a23aa3d6c549.1778176768.git.evvoevod@tenstorrent.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Evgeny Voevodin