[PATCH v3 4/4] platform: generic: eswin: add EIC7700

Bo Gan ganboing at gmail.com
Mon Dec 1 14:15:49 PST 2025 

Hi Peter,

Thanks for the review. I saw your other reply, but let me still reply here,
while trying to fix the formatting:

On 11/30/25 23:35, Yu-Chien Peter Lin wrote:
 > Hi Bo,
 >
 > On 11/20/25 5:34 PM, Bo Gan wrote:
 >> ...
 >> +/**
 >> + * EIC7700 special arrangement of PMP entries:
 >> + *
 >> + * We have to use extra PMPs to block data cacheable regions that
 >> + * that doesn't belong to the current hart's die in order to prevent
 >> + * speculative accesses or HW prefetcher from generating bus error:
 >> + *
 >> + *     bus error of cause event: 9, accrued: 0x220,
 >> + *    physical address: 0x24ffffffa0
 >> + *
 >> + * The data cacheable regions (per datasheet) include:
 >> + *
 >> + *   - [0x1a000000,    0x1a400000) -- Die 0 L3 zero device
 >> + *   - [0x3a000000,    0x3a400000) -- Die 1 L3 zero device
 >> + *   - [0x80000000, 0x80_00000000) -- memory port
 >> + *
 >> + * To make the blocker effective for M mode too, the extra PMPs need
 >> + * LOCK bit to be set, and once set, we can't change them later.
 >> + * We also have to to use 1 extra PMP to protect OpenSBI in uncached
 >> + * memory. EIC770X maps main memory (DRAM) twice -- one in memory
 >> + * port (cached), the other in system port (uncached). P550 doesn't
 >> + * support Svpbmt, so EIC770X use the uncached window to handle DMA
 >> + * that are cache incoherent -- pretty much all peripherals
 >> + *
 >> + * Final PMP configuration:
 >> + *
 >> + * From die 0 point of view, block
 >> + *   -         [0x3a000000,    0x3a400000) -- Die 1 L3 zero device
 >> + *   -      [0x10_00000000, 0x80_00000000) -- Die 1 cached mem + holes
 >> + *
 >> + * Root domain Harts:
 >> + *  PMP[0]: [   0x80000000,    0x80080000) ____ Firmware in cached mem
 >> + *  PMP[1]: [0xc0_00000000, 0xc0_00080000) ____ Firmware in uncached
 >> + *  PMP[2]: [   0x3a000000,    0x3a400000) L___ Die 1 L3 zero device
 >> + *  PMP[3]: [    0x2000000      0x2010000) ____ CLINT
 >> + *  PMP[4]: [          0x0, 0x10_00000000) _RWX P550/System/Die 0 cached mem
 >> + *  PMP[5]: <Free>
 >> + *  PMP[6]: [          0x0, 0x80_00000000) L___ P550/System/Memory Port
 >> + *  PMP[7]: [     0x0, 0xffffffffffffffff] _RWX Everything
 >>
 > I noticed that some PMP entries such as PMP[2] and PMP[6] are configured
 > with pmpcfg.L set. During domain context switch, all PMP entries managed by
 > OpenSBI domain will be disabled [1], so locked entries will remain active,
 > and if a hole entry not using identical PMP id across domains, other regions
 > that program the locked PMP id cannot be applied. This will block the use
 > of e.g. OP-TEE which relies on domain context switch mechanism.

The non-root domains shouldn't have ENF_PERMISSIONS (locked PMP entries).
I'll add docs for EIC7700 in subsequent patchsets. In short, it's a user
error to do that in EIC7700's case, or perhaps even applies for all plat
OP-TEE is supported (to some extent), and the boot log from cover letter
demonstrates a t/u-domain like setup. It, however, does require hacks to
existing code by reverting this patch from Himanshu Chauhan

   lib: utils: Disallow non-root domains from adding M-mode regions

Thus, I left it for future work. FYI, the domains are:

opensbi-domains {
   compatible = "opensbi,domain,config";

   tmem: tmem {
     compatible = "opensbi,domain,memregion";
     base = <0x4 0x7ff00000>;
     order = <20>;
   };

   tuart: tuart {
     compatible = "opensbi,domain,memregion";
     base = <0x0 0x50910000>;
     order = <12>;
     mmio;
   };

   p550_sys: p550_sys {
     compatible = "opensbi,domain,memregion";
     base = <0x0 0x0>;
     order = <31>;
     mmio;
   };

   p550_sys_mem: p550_sys_mem {
     compatible = "opensbi,domain,memregion";
     base = <0x0 0x0>;
     order = <36>;
   };

   allmem: allmem {
     compatible = "opensbi,domain,memregion";
     base = <0x0 0x0>;
     order = <64>;
   };

   tdomain: trusted-domain {
     compatible = "opensbi,domain,instance";
     possible-harts = <>;
     regions = <&tuart (MEM_MRW | MEM_SURW)>,
               <&p550_sys MEM_MRW>,
               <&tmem MEM_SURWX>;
     next-addr = <0x4 0x7ff00000>;
     next-arg1 = <0x0 0x0>;
     next-mode = <0x1>;
   };

   udomain: untrusted-domain {
     compatible = "opensbi,domain,instance";
     possible-harts = <>;
     regions = <&p550_sys_mem (MEM_MRW | MEM_SURWX)>,
               <&tmem 0>,
               <&allmem MEM_SURWX>;
   };
};

In short, there's no need to match the PMP entry id from non-root domains
The pmp_configure will figure out the order of programming PMPs, and the
pmp_unconfigure will reset everything to a state where OpenSBI can still
function before the next pmp_configure(). The memory region config in the
domain instance has indeed became a little bit tedious, where it needs to
explicitly allow certain regions, but I hope it's acceptable.

 >
 > I am proposing reserved PMP allocator [2]. Hopefully, it can address this requirement.
 > By specifying reserved 3 entries on P550 platform, the PMP usage should become:
 >
 > PMP[0]: Reserved NAPOT [   0x3a000000,    0x3a400000) L___ Die 1 L3 zero device
 > PMP[1]: Reserved TOR1  [0x10_00000000,                L___ Die 1 cached mem + holes
 > PMP[2]: Reserved TOR2                  0x80_00000000) L___ Die 1 cached mem + holes
 > PMP[3]: Domain0Region0 [   0x80000000,    0x80080000) ____ Firmware in cached mem
 > PMP[4]: Domain0Region1 [0xc0_00000000, 0xc0_00080000) ____ Firmware in uncached
 > PMP[5]: Domain0Region2 [    0x2000000      0x2010000) ____ CLINT
 > PMP[6]: Domain0Region3 [     0x0, 0xffffffffffffffff] _RWX Everything
 > PMP[7]: unused
 >

Sounds reasonable to me, but there are 2 concerns.

1. My v2 change was using PMP TOR, and it's NAK'ed by Anup. Perhaps I
    should wait and see his feedback on this one, and your other change,
    before moving forward.

2. From die 1 POV, it's not easy to block those "hole" ranges using PMP
    at the beginning. Even with TOR, we'll run out of PMPs, because die
    1 needs to have 2 ranges in memory port blocked. It'll inevitably be
    done with reserved PMP and domain PMP interleaved, like what I have
    here.

 > One aspect that requires careful attention is CPU suspend with power gating scenarios.
 > When reserved PMP states can be removed, additional reserved PMP management
 > (save/restore operations for PMPs that protect holes) must be included in the
 > suspend/resume flow.
 >
 > [1] https://github.com/riscv-software-src/opensbi/blob/825d0e918a9e41cc57097a8cb913f26550699911/lib/sbi/sbi_domain_context.c#L123-L131
 > [2] https://lore.kernel.org/all/20251130111643.1291462-7-peter.lin@sifive.com/

This can be enhanced in future pathsets. My plan is to have a HSM that
restores the PMP blocking those "holes". Actually it also needs to restore
those feature enable/disable CSRs. This patchset is the "initial support"
for EIC7700, and I'm not precluding future improvements.

 >> ...

I'll fix the RV32 build issue for sure. Thanks again.

Bo.

More information about the opensbi mailing list