"simple-bus" restricts the node names to predefined list. "soc" looks
like the most appropiate name considering the dies are M1 Max SoCs.
Signed-off-by: Janne Grunau <j@jannau.net>
This is for things that xnu hard-codes. This first one for AGX is
required to make coprocessor TLB coherency work properly...
Signed-off-by: Asahi Lina <lina@asahilina.net>
Turns out CTRR does not like working with huge pages, and just throws up
its hands in the air with an L2 address size fault if a huge page
overlaps the CTRR region.
Signed-off-by: Asahi Lina <lina@asahilina.net>
This is usually a race that happens when the Python side has just
removed a hook, but there was already a CPU core faulting on an access.
Signed-off-by: Asahi Lina <lina@asahilina.net>
This should fix the issue where console writes from another CPU in the
middle of events/etc corrupt data
Signed-off-by: Hector Martin <marcan@marcan.st>
Some of these errors are apparently sticky / write-1-to-clear, and if we
don't do this, then the SError behaves as level-triggered and just continues
to fire.
Signed-off-by: Asahi Lina <lina@asahilina.net>
Seems -v stopped being filtered (or never was?). Explicitly check boot
policy, so we don't depend on boot-args filtering directly (which can
change). -v still makes things verbose unconditionally, but the proxy
backdoor now requires that plus full SIP disable (sip0=127).
Signed-off-by: Hector Martin <marcan@marcan.st>
These are from a public Apple source that shall remain unidentified
(because it's utterly silly that they keep trying to hide these).
Signed-off-by: Hector Martin <marcan@marcan.st>
Unlike the MAC addresses Bluetooth addresses have to be stored
in little-endian byte order (see devicetree/bindings/net/bluetooth.txt)
Signed-off-by: Sven Peter <sven@svenpeter.dev>
Depending on the chip stepping (stored in the OTP) either the blob for
beamforming or the normal calibration blob has to be used.
Signed-off-by: Sven Peter <sven@svenpeter.dev>
Writing to the IPI register causes a trap, which sets the event...
causing every CPU to go into a tight loop of traps contended on the BHL.
We don't need to clear IPIs in WFE mode, so don't do that.
Signed-off-by: Hector Martin <marcan@marcan.st>
This stops DCP from killing our modeset if the connection cycles.
Also force a (potential) configure cycle if the display is external;
this makes sure updated stage2s will have a chance at fixing issues of
old stage1s. Modesetting is fast when it's the same mode as before.
Signed-off-by: Hector Martin <marcan@marcan.st>
Get rid of asc_cpu_stop() which was never a thing. The CPU start bit
should always be off in the steady state, it is only used momentarily to
start the CPU.
Signed-off-by: Hector Martin <marcan@marcan.st>
Commit 9c795fbdbf introduced the pair of
WFE and SEV for spinlock, but it caused delays of tens of seconds. A
possible explanation for the delay is lack of data synchronization
barrier between the store instruction and SEV instruction.
Arm Architecture Reference Manual for A-profile architecture (issue H.a)
says:
> Arm recommends that software includes a Data Synchronization Barrier
> (DSB) instruction before any SEV instruction. The DSB instruction
> ensures that no instructions, including any SEV instructions, that
> appear in program order after the DSB instruction, can execute until
> the DSB instruction has completed.
However, inserting a DSB instruction still didn't resolve the delay.
The exclusive load is an alternative to the SEV instruction. The manual
says:
> ...However, in Armv8, when the global monitor for a PE changes from
> Exclusive Access state to Open Access state, an event is generated.
> This is equivalent to issuing an SEVL instruction on the PE for which
> the monitor state has changed. It removes the need for spinlock code
> to include an SEV instruction after clearing a spinlock.
As an additional benefit, the exclusive load is local to the PE and
eliminates spurious events for other PEs.
Trusted Firmware-A v2.6 also employs the same algorithm.
Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
If an explicitly specified display mode exceeds the allocated
framebuffer allocate a new one from the top of RAM.
Note: macOS panics immediately with a realloced framebuffer.
Signed-off-by: Janne Grunau <j@jannau.net>
DART nodes for dcp and disp0 have pre-allocated L1 and L2 tables which
are annotated in the ADT. The pre-allocated memory is specified in
"pt-region-${DEVICE}". The first page is used as L1 table and the
following pages are used as L2 tables. The number of valid L2 tables is
specified in "l2-tt-${DEVICE}". The first entry identifies the region
and the second entry is the number of valid L2 tables.
iboot (macOS 12.3) inits just 2 L2 tables. Larger framebuffers require
more. By using the pre-allocated page tables we do not have worry about
keeping the memory mapped after m1n1 executes the next target.
Signed-off-by: Janne Grunau <j@jannau.net>
The reserved framebuffer on the Mac Studio is 0x854000 bytes. This is
too small for 1920x1200 with 4 byte per pixel. Setting 1920x1200 as
mode crashes dcp but not the actual display controller. The display
remains working and even comes back after display hotplug/power cycle.
Signed-off-by: Janne Grunau <j@jannau.net>
The device tree for multi die SoCs as the M1 Ultra has its devices
under "/soc/dieX" instead of directly under "/soc".
Signed-off-by: Janne Grunau <j@jannau.net>
Get rid of the hv_rearm() thing (which was always a bit dodgy) and
instead properly make sure that all CPUs rendezvous when needed and
switch the active proxy thread without ever exiting exception context.
The Python side can now switch proxy context (by waiting directly for
a proxy boot) without having to exit out of the hypervisor callback,
so cpu() now works as a normal Python method.
Add a cpus() iterator so you can do things like:
>>> for i in cpus(): bt()
Signed-off-by: Hector Martin <marcan@marcan.st>
This should reduce memory traffic spam and power usage from lock
contention when threads are blocked on a spinlock.
Signed-off-by: Hector Martin <marcan@marcan.st>
Previously RAM was mapped ad-hoc, but this can end up interacting
poorly with the tracer infrastructure which we are now using for RAM
too. Move to mapping guest RAM via the tracer infra, and also unmap the
TZ carveouts in the Python side so it knows about them.
This is a HV ABI break.
Signed-off-by: Asahi Lina <lina@asahilina.net>
The HV tick polling now only runs on CPU#0. All CPUs have the 1000Hz
HV tick, but secondaries only use it to poll the FIQ state and that path
does not take the BHL if no other FIQ was pending.
Signed-off-by: Hector Martin <marcan@marcan.st>
This fixes display DART real-time cache hits causing AMCC exceptions.
The relevant carve-outs have flags 0x60004016; 0x60004002 is used for
DCP which is non-realtime, so I'm guessing the '16' means we should map
it uncached.
Signed-off-by: Hector Martin <marcan@marcan.st>
The PCIe 4 link speed is only described as "target-link-speed" in the
"lan-10gb". This changed in macos 12.3 or earlier. Verified on Mac
Studio and with the template Mac Mini ADT.
Reported-by: Jeff Geerling <geerlingguy@mac.com>
Signed-off-by: Janne Grunau <j@jannau.net>
Adds support for up to 64-byte ops and more SIMD/paired operations.
This is good enough to trace a lot of GPU VM address space.
Signed-off-by: Asahi Lina <lina@asahilina.net>
Turns out it's just an 8-bit bool, not 32 bits, and when cast to int
the top bits can cause it to be interpreted as an error randomly...
Signed-off-by: Hector Martin <marcan@marcan.st>
This code is gated behind the CHAINLOADING define. To build a
release-style m1n1 with chainloading for use with the installer
or kmutil, use:
make CHAINLOADING=1 RELEASE=1
To tell m1n1 to chainload another binary, use this var payload:
chainload=<ESP partition UUID>;<file path>
e.g.
chainload=a17b7e46-e950-bb4f-bc82-8ab1047a058e;m1n1/m1n1.bin
Closes: #154
Co-authored-by: Finn Behrens <me@kloenk.dev>
Co-authored-by: Joey Gouly <joey.gouly@arm.com>
Signed-off-by: Hector Martin <marcan@marcan.st>
- Hide console by default unless booting in verbose mode.
- In verbose mode, enable USB early and poll for connection before
launching payloads.
- Show console on fallback to proxy.
Signed-off-by: Hector Martin <marcan@marcan.st>
Do not forget to clear the L2C_ERR flags in silent mode also. This is
necessary for proper recovery.
Signed-off-by: Martin Povišer <povik@protonmail.com>
This should not be required but it looks like the 12.1 ANS2 firmware
complains when NVME_CC.EN is cleared before the IO queues have been
deleted.
Signed-off-by: Sven Peter <sven@svenpeter.dev>
Looks like Apple decided to change the compatible to sart,coastguard and rely
on the sart-version ADT property to differentiate between M1 and M1 Pro/Max
instead. sart-version is already present in the 11.x ADT so let's just
always decide based on that.
Signed-off-by: Sven Peter <sven@svenpeter.dev>
When loading m1n1.bin, SEPFW follows m1n1 and thus will show up at
the payload offset if there are no payloads.
Fixes: #158
Signed-off-by: Hector Martin <marcan@marcan.st>
These properties are needed such that U-Boot can enable the
serial port in its early pre-relocation phase.
Signed-off-by: Mark Kettenis <kettenis@openbsd.org>
This drops the tx/rxcookie and accepts TYPE_NOTIFY in addition to
TYPE_REPLY for command replies to make the DCP code also work on 11.x.
It'll still complain about an unexpected message during init but work.
Signed-off-by: Sven Peter <sven@svenpeter.dev>
s/IDLE/HIBERNATE/ to keep in sync with the Linux driver and then
hibernate DCP but send ANS2 to sleep to allow reusing both.
Signed-off-by: Sven Peter <sven@svenpeter.dev>
