Add stage-2 MMIO handler support by zhangxp1998 · Pull Request #41 · google/ritm

zhangxp1998 · 2026-06-11T01:37:44Z

Summary

Add stage-2 memory access handler support for trapping selected IPA ranges.
Add typed read/write handler APIs so write handlers cannot return read results.
Add a QEMU filtered MMIO test page and integration coverage.
Support platform-specific binary make targets.

Tests

cargo fmt --all -- --check
git diff --check
make build PLATFORM=qemu
make clippy PLATFORM=qemu
make test PLATFORM=qemu
git show --check upstream/main..HEAD

m4tx

This is a bit bigger than I originally anticipated. I'm wondering if we actually need to implement the entire instruction decoding functionality - I originally planned that maybe we could just get away with a generic data abort handler and leave the implementation of any specific behavior to the users of the project. On the other hand, perhaps most of them would end up implementing the same stuff anyway - unless there's some way to achieve data reads/writes for the guest easier somehow.

Because this touches way more aarch64 aspects than I'm comfortable reviewing, let's also see what @qwandor thinks.

zhangxp1998 · 2026-06-11T14:33:43Z

Pushed an update addressing the comments:

align_up_to_page now uses next_multiple_of, and the helper names are now to_pages / to_ipa.
Moved the syndrome decode entry point to DecodedMemoryAccess::from_register_state.
Removed the per-data-abort Stage2Config lock by keeping only the IdMap behind a mutex; handler lookup is read-only after initialization.
When injecting an unhandled data abort back to EL1, ESR_EL1 now rewrites EC 0x24 (lower EL) to 0x25 (same EL).

On the broader scope question: the current emulation remains syndrome-only, not a full trapped-instruction decoder. If the CPU does not provide a valid GPR-transfer syndrome (ISV), we fall through to the normal guest Data Abort injection path. I left full writeback/SIMD support as part of the larger design question for @qwandor rather than expanding this PR further.

Locally re-ran cargo fmt --all -- --check, git diff --check, make build PLATFORM=qemu, make clippy PLATFORM=qemu, and make test PLATFORM=qemu.

m4tx

Looks reasonable to me except two last nitpicks.

I can't find any obvious flaws, but as mentioned earlier, I'm not comfortable reviewing aarch64 internals used in this PR. Let's see what @qwandor says before merging this.

Allow targets such as target/ritm.qemu_bl33.bin to build RITM with --cfg platform="qemu_bl33" directly from the target stem. This lets tests request a platform-specific binary without relying on the global PLATFORM setting.

Add the syndrome and IPA decoding as a standalone step before the stage-2 memory access handler support, so the following commit can focus on handler registration and dispatch.

The aarch64-rt exception frame only saved volatile registers, so a trapped memory access using x19-x28 as Rt could not be read or updated by the MMIO emulation path. That made otherwise valid guest load/store instructions fall through as unhandled Data Aborts. Provide a RITM-owned EL2 vector table and trap frame that saves x0-x30 before calling the Rust handler, while keeping HVC/SMC forwarding limited to the SMCCC x1-x17 argument ABI. Add integration coverage for filtered MMIO through x19 and x28.

zhangxp1998 requested a review from m4tx June 11, 2026 01:39

zhangxp1998 force-pushed the feature/stage2-mmio-handlers branch 2 times, most recently from d17e460 to 47fa4e3 Compare June 11, 2026 02:24

m4tx requested a review from qwandor June 11, 2026 11:41

m4tx requested changes Jun 11, 2026

View reviewed changes

zhangxp1998 force-pushed the feature/stage2-mmio-handlers branch 2 times, most recently from 9e20948 to cd9e099 Compare June 11, 2026 14:32

zhangxp1998 force-pushed the feature/stage2-mmio-handlers branch 3 times, most recently from 69f7b92 to d085967 Compare June 11, 2026 16:39

zhangxp1998 requested a review from m4tx June 15, 2026 17:19

m4tx approved these changes Jun 16, 2026

View reviewed changes

Comment thread src/hypervisor.rs Outdated

Comment thread src/hypervisor.rs Outdated

zhangxp1998 force-pushed the feature/stage2-mmio-handlers branch from d085967 to ba58a2c Compare June 16, 2026 16:07

qwandor reviewed Jun 18, 2026

View reviewed changes

zhangxp1998 force-pushed the feature/stage2-mmio-handlers branch 3 times, most recently from 2f04a0f to e1c7070 Compare June 18, 2026 20:00

zhangxp1998 added 4 commits June 18, 2026 13:45

make: derive platform from ritm binary target

d9a84c8

Allow targets such as target/ritm.qemu_bl33.bin to build RITM with --cfg platform="qemu_bl33" directly from the target stem. This lets tests request a platform-specific binary without relying on the global PLATFORM setting.

Add memory access decoder

6705bbf

Add the syndrome and IPA decoding as a standalone step before the stage-2 memory access handler support, so the following commit can focus on handler registration and dispatch.

Add stage-2 MMIO handler support

2ddd91e

zhangxp1998 force-pushed the feature/stage2-mmio-handlers branch from e1c7070 to e9afcbd Compare June 18, 2026 20:45

Conversation

zhangxp1998 commented Jun 11, 2026

Summary

Tests

Uh oh!

m4tx left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

zhangxp1998 commented Jun 11, 2026

Uh oh!

m4tx left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants