This document presents the mapping of the rules in the RMM specification to the test cases and the steps followed in the tests. This also provides the information about the test coverage scenarios that are implemented in the current release of ACS and the scenarios that are planned for the future releases.
| TestName | Test Assertions | Test Approach or Comments | Validated by ACS |
|---|---|---|---|
| mm_protected_ipa_boundary mm_unprotected_ipa_boundary |
IPA boundary check: Protected IPA Vs Unprotected IPA | 1. Take two pages from the realm IPA space Last page of protected IPA space(RAM) First page of un-protected IPA space 2. Make un-align access at IPA space boundary such that access goes through two separate stage1/stage2 walk. One for protected page and one for unprotected page. 3. For making access, try below page configuration a. Un-map protected page and Map unprotected page in the RTT and check that the access to page boundary access presented as non-emulatable abort to host b. Map protected page and un-map unprotected page in the RTT and check that the access to page boundary access presented as emulatable abort to host |
YES |
| mm_hipas_assigned_ripas_empty_da_ia mm_hipas_unassigned_ns_da_ia mm_hipas_unassigned_ripas_empty_da_ia mm_hipas_unassigned_ripas_ram_da_ia mm_ripas_destroyed_da mm_ripas_destroyed_ia |
Realm memory access to protected IPA of different RIPAS and HIPAS state combinations are allowed or disallowed as defined in the spec. The disallowed access must be properly reported to host or realm as given in the spec. | 1. Try to access the memory from Realm by following HIPAS and RIPAS states. a. RIPAS=Empty and HIPAS=UNASSIGNED, Data access - Check for SEA to Realm RIPAS=Empty and HIPAS=UNASSIGNED, instruction fetch - Check for SEA to Realm b. RIPAS=Empty and HIPAS=ASSIGNED, Data access - Check for SEA to Realm RIPAS=Empty and HIPAS=ASSIGNED, instruction fetch - Check for SEA to Realm c. RIPAS=Destroyed and HIPAS=unassigned, Data access - Check for REC exit due to data abort RIPAS=Destroyed and HIPAS=Unassigned, instruction fetch - Check for REC exit due to instruction abort d. RIPAS=RAM and HIPAS=Unassigned, Data access - Check for REC exit due to data abort RIPAS=Empty and HIPAS=Unassigned, instruction fetch - Check for REC exit due to instruction abort |
YES |
| mm_hipas_unassigned_ns_da_ia | Realm Data Access to Unprotected IPA Realm data access to unprotected IPA of different HIPAS states are allowed or disallowed as defined in the spec. The disallowed access must be properly reported to host given in the spec. |
1. Create the realm 2. Add unprotected page to the realm uisng the rmi_rtt_map_unprotected abi 3. unmap the unprotected page using rmi_rtt_unmap_unprotected abi. 4. Rec enter to realm and try to access the unmapped unprotected page. 5. Check for REC exit due to data abort. 5. Again Rec enter and try to instruction fetch from unprotected memory. 6. Check for SEA to Realm. |
YES |
| mm_realm_access_outside_ipa | Realm access outside IPA space If stage 1 translation is enabled, Realm access to an IPA which is greater than the IPA space of the Realm causes a stage 1 Address Size Fault taken to the Realm, with the fault status code indicating the level at which the fault occurred. If stage 1 translation is disabled, Realm access to an IPA which is greater than the IPA space of the Realm causes a stage 1 level 0 Address Size Fault taken to the Realm. |
Realm access outside IPA space If stage 1 translation is enabled, Realm access to an IPA which is greater than the IPA space of the Realm causes a stage 1 Address Size Fault taken to the Realm, with the fault status code indicating the level at which the fault occurred. If stage 1 translation is disabled, Realm access to an IPA which is greater than the IPA space of the Realm causes a stage 1 level 0 Address Size Fault taken to the Realm. |
YES |
| mm_ripas_change mm_ripas_change_partial |
Host partially and completes applies the RIPAS change | 1. Create the realm 2. Delegate the 12KB memory and set the RIPAS state to RAM using RMI_RTT_INIT_RIPAS. 3. Activate the realm and rec enter to realm. 4. Request the RIPAS state to EMPTY using RSI_IPA_STATE_SET. It triggers rec exit due to RIPAS change 5. Apply the requested RIPAS change by excuting the RMI_RTT_SET_RIPAS from base address to 12KB size. 6. Re enter to Realm and observe the X0=RSI_SUCCESS and X1=Base + 12KB. 7. Repeat the step 4 to step 6 passing size as 4KB and observe the X1=Base + 4KB |
YES |
| mm_ripas_change_reject | Host rejects the RIPAS change request | 1. Create the realm 2. Delegate the 12KB memory and set the RIPAS state to RAM using RMI_RTT_INIT_RIPAS. 3. Activate the realm and rec enter to realm. 4. Request the RIPAS state to EMPTY using RSI_IPA_STATE_SET. It triggers rec exit due to RIPAS change 5. Without changing the RIPAS state re-enter the REC 6. Observe the X0=RSI_SUCCESS and X1=Base. |
YES |
| mm_gpf_exception | Host access to RTT | 1. Create the realm 2. Delegate the memory and set the RIPAS state to RAM using RMI_RTT_INIT_RIPAS. 3. Activate the realm. 4. Try to access the Protected IPA from the host, it trigger the GPF. If platform not supporting the GPF exception handling at NS-EL2 then this test is out of ACS scope. If platform supports GPF exception handling at NS-EL2, enable the test by setting PLATFORM_GPF_SUPPORT_NS_EL2 = 1 |
NO |
| mm_rtt_translation_table | The translation granule size of an RTT is 4KB. The RMM architecture can only be deployed on a platform which implements a translation granule size of 4KB. |
1. Create RTT IPA1 address 2. Pick an IPA2 address pointed by IPA1 + 2MB and both IPA1 and IPA2 within the same GB range. 3. Read the RTTE entry for IPA2. 4. Check that the return RTTE state is UNASSIGNED and walk_level must be equal to 2. 5. Read the RTTE entry IPA1 + 4KB and check for return RTTE state is UNASSIGNED and walk_level must be equal to 3 5. Host to check the id_aa64mmfr0_el1 register value to check platform supports 4KB TG 6. Realm to check the id_aa64mmfr0_el1 register value to check platform supports 4KB TG |
YES |
| mm_rtt_fold_assigned mm_rtt_fold_unassigned_ns mm_rtt_fold_unassigned mm_rtt_fold_assigned_ns |
RTT Folding: An RTT is homogeneous if its entries satisfy one of the conditions in the following table. If an RTT is homogeneous, the following table specifies the state to which the parent RTTE is set. On RTT folding, the state of the parent RTTE is determined from the contents of the child RTTEs. On RTT folding, if the state of the parent RTTE is VALID_NS then the attributes of the parent RTTE are copied from the child RTTEs. RTT Unfolding: On RTT unfolding, if the state of the parent RTTE is ASSIGNED or VALID_NS, then the output addresses of RTTEs in the child RTT are set to a contiguous range which starts from the address of the parent RTTE. |
Check1: Check that the resulting parent entry after folding is correct (Repeat the check for all homogenous conditions for all HIPAS values. 1. Init L3 RTT entries to have exact same attributes and states. 2. Do RTT fold operations 3. Check that the resulting Block mapping at L2 is in the correct state and has the correct attributes set 4. Check that RTT walk can not reach to child RTT. 5. Unfold the IPA range by creating L3 RTT for the same IPA range 6. After unfolding check that the resulting RTT entries are homogenous Check2: Check that fold operation fails for non-homogenous conditions and parent entry and child entries remain unchanged after folding 7. Repeat the check for all homogenous conditions |
YES |
| mm_feat_s2fwb_check_1 mm_feat_s2fwb_check_2 mm_feat_s2fwb_check_3 |
RTT FEAT_S2FWB Check: Intention is to check that RMM has indeed enabled S2FWB The RMM uses FEAT_S2FWB to ensure that the cacheability attributes of an RTT entry whose state is ASSIGNED are independent of stage 1 translation. FEAT_S2FWB check using unprotected IPA. Also check that attributes of an RTT mapping at an Unprotected IPA are Host-controlled. |
FEAT_S2FWB check using unprotected IPA. Also check that attributes of an RTT mapping at an Unprotected IPA are Host-controlled. Scenario 1 (verify FWB forces final memory attribute to Normal Cacheable irrespective of the value programmed in R-EL1 stage1 tables): 1. Host to map unprotected IPA stage2 attributes MemAttr[2:0](Stage 2 page/block) as 110 through RMI_MAP_UNPROTECTED and Realm to map IPA in its stage1 using Normal Non-Cacheable 2. Map the same NS PA granule in NS Host (NS-EL2) as Normal Cacheable and initialize the value to, say, V1. 3. Enter into Realm and read the value. Check it is V1. Update the value to V2 from R-EL1 4. Read from the Host and check that it sees the updated value by R-EL1 write (V2). Re-initialize the value to V3. 5. Enter into Realm and check that the value read is V3. Scenario 2 (verify FWB preserves R-EL1 stage1 memory attribute as final memory attribute): 1. Host to map unprotected IPA stage2 attributes MemAttr[2:0](Stage 2 page/block) as 111 through RMI_MAP_UNPROTECTED and Realm to map IPA in its stage1 using Normal Non-Cacheable 2. Map the same NS PA granule in NS Host (NS-EL2) as Normal Non-Cacheable. initialize the value to V1 and repeat steps 3-5 from above sequence. Scenario 3 (verify FWB forces final memory attribute to Normal Non-cacheable irrespective of the value programmed in R-EL1 stage1 tables): 1. Host to map unprotected IPA stage2 attributes MemAttr[2:0](Stage 2 page/block) as 101 through RMI_MAP_UNPROTECTED and Realm to map IPA in its stage1 using Normal Write-Back cacheable 2. Map the same NS PA granule in NS Host(NS-EL2) as Normal Non-Cacheable. Initialize the value to V1 and repeat steps 3-5 from above sequence. |
YES |
| mm_feat_s2fwb_check_3 | FEAT_S2FWB check using Protected IPA | ACS out of scope | NO |
| mm_ha_hd_access | Hardware access flag and dirty bit management: Hardware access flag and dirty bit management is disabled for the stage 2 translation used by a Realm. Hardware access flag and dirty bit management may be enabled by software executing within the Realm, for its own stage 1 translation. Unprotected IPA > PA, S2AP = Read-only, Perform write using the same IPA from REL1. RMM must see permission fault at REL2. |
To allow stage1 Hardware access flag and dirty bit management, Stage2 must allow updates to stage1 page table. (stage1 h/w updates should be permitted when enabled) Check1: HW dirty bit management: On write access, if HW dirty bit management is enabled at stage 1 and the stage 1 descriptor is writeable-clean, then it will be set by hardware to writeable-dirty. this is possible only when S2 Walk of S1 Table has RW permission, and this is the aspect we are trying to validate in below scenarios. 1. Create VA1 → IPA1 with memory attributes to RO and DBM set to 1, assume stage1 h/w dirty bit updates enabled 2. Perform STR using VA1 @REL1 3. If the store is not successful, fail the test. Check2: HW Access Flag management: On translation of VA → IPA, if HW access flag management is enabled at stage 1, then the AF bit in the stage 1 descriptor will be set by hardware to 1. 1. VA1 → IPA1, Set AF=0, assume stage1 h/w updates enabled 2. Perform LDR using VA1 3. Read the page table descriptor for VA1 and check that access flag is set to 1. If not, fail the test Check3: Hardware access flag and dirty bit management is disabled for the stage 2 translation used by a Realm Try to map un-protected IPA-PA with TTD.DBM=1 with RMI_MAP_UNPROTECTED abi. Check for the error status code. |
Yes |
| mm_rtt_level_start | The maximum depth of an RTT tree depends on the below parameters: Implemented IPA/PA (LPA2) rtt_level_start IPA width The number of starting level RTTs is architecturally defined as a function of the Realm IPA width and the RTT starting level. |
Try to create Realm using the below configuration: LPA2_SEL x rtt_level_start X S2SZ_SEL X rtt_num_start Where: LPA2_SEL <= LPA2_SUPP S2SZ_SEL <= S2SZ_SUPP Try RTT structure for different supported S2SZ_SEL values and rtt_level_start values to create possible concatenation of translation tables at starting level. Check that RMM supports the creation of different RTT setups Check that different RTT setup works for the realm. Verify the above algorithm for below combinations: [S2SZ_SEL, rtt_level_start, rtt_num_start]: [32, 2, 4], [34, 2, 16], [40, 1, 2], [42, 1, 8], [52, 0, 16] |
YES |