2.3.3 ACE protection support

ACE protection support provides a TBU configuration that protects devices that implement a fully coherent ACE interface. The configuration aligns with the restrictions that ACE5 defines for ACE usage of the Untranslated_Transactions extension.

A fully coherent master receives snoop transactions from the interconnect. Such snoop transactions travel in the opposite direction from regular transactions, and backward address translation is not possible. The ACE protection configuration in the TBU, however, provides a protection check for such masters by requiring that the input address and output address are the same.

ACE protection supports at least 255 outstanding snoop transactions on the snoop address channel before back-pressure is applied to the channel.

The following table shows the transactions that belong to each of the main ACE transaction groups.

Table 2-10 ACE transaction groups

| Group | Reads | Writes |
|---|---|---|
| Non-shareable and I/O coherent transactions | ReadNoSnoop, ReadOnce | WriteNoSnoop, WriteUnique, WriteLineUnique, Non-shareable WriteBack, Non-shareable WriteClean, Non-shareable WriteEvict |
| Fully coherent transactions | ReadClean, ReadNotSharedDirty, ReadShared, ReadUnique, CleanUnique, MakeUnique | Shareable WriteBack, Shareable WriteClean, Shareable WriteEvict, Evict |

ACE protection places restrictions on an upstream master. These restrictions ensure that transactions from one transaction group cannot manipulate data that is read into a cache by transactions from the other transaction group. The groups of transactions can therefore behave in different ways:

A TBU that is configured for ACE protection only supports stage 2 translation, and there cannot therefore be any RAZ/WI translation results. Therefore, anything other than translations that are supported in ACE protection can result in a transaction fault.

ACE protection does not support PCIe Address Translation Services (ATS). When an ACE TBU configuration is used, any transaction where armmuatst = 1 or awmmuatst = 1 is terminated with an SLVERR response.

Effect of ACE protection on transaction behavior

The scope of how ACE transactions are supported varies depending on whether ACE protection support is enabled.

The following table shows which transactions are supported in different circumstances, where the stated behavior is described after the table.

Table 2-11 ACE protection support for transactions

| Transaction | Behavior for ACE-Lite TBU configurations | Behavior for ACE TBU configurations |
|---|---|---|
| ReadNoSnoop, WriteNoSnoop, ReadOnce, WriteUnique, WriteLineUnique | Translate | Translate-NoSH |
| ReadClean, ReadNotSharedDirty, ReadShared, ReadUnique, CleanUnique, MakeUnique | Illegal | Prot-RWX-only |
| Non-shareable WriteBack, Non-shareable WriteClean, Non-shareable WriteEvict | Illegal | Abort |
| Shareable WriteBack, Shareable WriteClean, Shareable WriteEvict, Evict | Illegal | Pass-through |
| CleanShared, CleanSharedPersist, CleanInvalid, MakeInvalid | Behavior depends on cmo_disable setting: 0 = Translate, 1 = Abort | Abort |
| ReadOnceCleanInvalid, ReadOnceMakeInvalid, WriteUniquePtlStash, WriteUniqueFullStash, StashOnceShared, StashOnceUnique, StashTranslation | Translate | Illegal |
| DVM Complete | Illegal | Pass-through |
| DVM Message | Illegal | Abort |

The behaviors that the table describes have the following meanings:

Translate
The transaction is translated as normal.
Abort
The transaction is terminated with an SLVERR response.
Illegal
The transaction is defined as an AMBA protocol error on this type of interface.
Pass-through
The transaction propagates through the TBU without attribute checks or modification. The table-based hardware attributes and STE implementation defined auxiliary attributes AxUSER fields are 0.
Translate-NoSH
The transaction is translated, but terminated with an SLVERR response when any of the following apply:
  • Stage 1 translation is enabled.
  • The STE.MTCFG field is set to not use the incoming memory type.
  • The STE.SHCFG field is set to not use the incoming shareability attribute or STE.MTCFG
  • For translations where stage 2 translation is enabled, the SH field of the stage 2 translation table entry is not Non-shareable.
Prot-RWX-only
The transaction is translated, but terminated with an SLVERR response when any of the following apply:
  • Any of STE.NSCFG, STE.PRIVCFG, STE.INSTCFG, or STE.MTCFG are set to not use the incoming attribute, when those fields are not otherwise ignored.
  • For translations where Stage 2 translation is enabled, the MemAttr field of the Stage 2 translation table entry is not Inner and Outer Write-Back Cacheable.
  • For translations where Stage 2 translation is enabled, the output address of the Stage 2 translation table entry is not the same as the input address.
  • For translations where Stage 2 translation is enabled, the XN field of the Stage 2 translation table entry is not 0b00.
  • For translations where Stage 2 translation is enabled, the S2AP field of the Stage 2 translation table entry is not 0b11.
  • For Secure translations where Stage 2 translation is enabled, SMMU_S_CR0.SIF=1.

For transactions where the ACE protection behavior is Prot-RWX-only or Pass-through, the shareability and attributes are not modified. For these transactions:

  • The master and slave attribute normalization rules are not used.
  • The AxDOMAIN, AxCACHE, and AxLOCK values that are output from the TBM interface are the same as the values that are input to the TBS interface.
  • On the TBM interface, the outer cacheable bit in AxUSER is 1 if AxCACHE is a cacheable type, that is, if AxCACHE[3:2] != 0b00, and 0 otherwise.

Stalling faults

Ensure that stalling faults are not enabled for ACE TBUs that might enter fully coherent mode.

Stalling faults stall WriteNoSnoop and WriteUnique transactions, possibly leading to stalled Write-Back transactions, stalled snoop responses, and system deadlocks. The TBU does not know about stalling faults and therefore cannot prevent such circumstances. When a Stream Table Entry (STE) is used for a fully coherent master, the SMMUv3 driver must therefore:

  • Set the STE.S1STALLD bit.
  • Clear the STE.S2S bit.
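
The stage 2 entry conditions listed under Prot-RWX-only and Translate-NoSH, together with the STE.S1STALLD and STE.S2S requirement above, can be expressed as checks that a driver self-test or configuration audit runs before a stream is enabled. This is an added example, not Arm's code: it assumes VMSAv8-64 stage 2 page descriptors with a 4KB granule and no FWB, the SMMUv3 STE bit positions STE[91] and STE[185], and all function and flag names are illustrative.

```c
#include <stdint.h>

/* VMSAv8-64 stage 2 page descriptor fields (4KB granule, 48-bit OA). */
#define S2_OA_MASK     0x0000FFFFFFFFF000ull          /* bits [47:12] */
#define S2_MEMATTR(d)  ((unsigned)((d) >> 2) & 0xFu)  /* bits [5:2]   */
#define S2_S2AP(d)     ((unsigned)((d) >> 6) & 0x3u)  /* bits [7:6]   */
#define S2_SH(d)       ((unsigned)((d) >> 8) & 0x3u)  /* bits [9:8]   */
#define S2_XN(d)       ((unsigned)((d) >> 53) & 0x3u) /* bits [54:53] */

/* SMMUv3 STE bits from the stalling-faults rule, per 64-bit STE word. */
#define STE1_S1STALLD  (1ull << 27)  /* STE[91]  */
#define STE2_S2S       (1ull << 57)  /* STE[185] */

enum {                     /* violation flags (illustrative names)   */
    V_MEMATTR  = 1 << 0,   /* MemAttr not Inner+Outer Write-Back     */
    V_IDENTITY = 1 << 1,   /* output address != input address        */
    V_XN       = 1 << 2,   /* XN != 0b00                             */
    V_S2AP     = 1 << 3,   /* S2AP != 0b11                           */
    V_SH       = 1 << 4,   /* SH not Non-shareable (Translate-NoSH)  */
    V_STALL    = 1 << 5    /* S1STALLD clear or S2S set              */
};

/* Build a constructed stage 2 page descriptor (valid, page type, AF=1). */
uint64_t s2_page(uint64_t oa, unsigned memattr, unsigned s2ap,
                 unsigned sh, unsigned xn)
{
    return (oa & S2_OA_MASK) | ((uint64_t)xn << 53) | (1u << 10) |
           (sh << 8) | (s2ap << 6) | (memattr << 2) | 0x3u;
}

/* Stage 2 entry conditions of Prot-RWX-only (fully coherent reads). */
unsigned check_prot_rwx(uint64_t ipa, uint64_t d)
{
    unsigned v = 0;
    if (S2_MEMATTR(d) != 0xF)                   v |= V_MEMATTR;
    if ((d & S2_OA_MASK) != (ipa & S2_OA_MASK)) v |= V_IDENTITY;
    if (S2_XN(d) != 0)                          v |= V_XN;
    if (S2_S2AP(d) != 3)                        v |= V_S2AP;
    return v;
}

/* Stage 2 entry condition of Translate-NoSH: SH must be Non-shareable. */
unsigned check_nosh(uint64_t d) { return S2_SH(d) != 0 ? V_SH : 0; }

/* STE requirement for a fully coherent master: S1STALLD=1 and S2S=0. */
unsigned check_ste_stall(uint64_t ste1, uint64_t ste2)
{
    return (!(ste1 & STE1_S1STALLD) || (ste2 & STE2_S2S)) ? V_STALL : 0;
}
```

The STE-level conditions of both behaviors (stage 1 enabled, and the MTCFG, SHCFG, NSCFG, PRIVCFG and INSTCFG overrides) are not modeled here and need the same treatment against the STE layout in use.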

Removing permission to access a translation table

When a translation table entry is modified and therefore invalidated, it is important to ensure that a master cannot read any modified cache lines into its coherent cache.

You can prevent a master from reading invalid cache lines by removing permission to access the affected translation table as follows:

Procedure

  1. Change the Stage 2 translation tables to remove permission to access.
  2. Invalidate the translation tables in the SMMU. After invalidating a translation table in the SMMU, a master cannot read the affected cache lines. However, those that the master holds in cache might still be invalid anyway.
  3. Issue Clean and Invalidate to Point of Coherency (PoC) operations to the affected cache lines. This removes the cache lines from the GPU coherent cache.
  4. Zero the data in the translation table.
  5. Issue Clean to PoC operations to the affected cache lines. This step is necessary to ensure that the zeroed data is visible to non-coherent masters.
  6. Change the translation tables to provide access to the new user of the table.
Non-Confidential, 100310_0100_00_en
Copyright © 2016–2018 Arm Limited or its affiliates. All rights reserved.