target: arm: HACK: implement dummy Mistral-specific registers

This includes dummy versions of the KTRR registers and four other registers
not documented in XNU source and only found on t8015.

Author: zhuowei

target/arm/cpu.h

@@ -474,6 +474,13 @@ typedef struct CPUARMState {
         uint64_t pmccfiltr_el0; /* Performance Monitor Filter Register */
         uint64_t vpidr_el2; /* Virtualization Processor ID Register */
         uint64_t vmpidr_el2; /* Virtualization Multiprocessor ID Register */
+        uint64_t ktrr_mystery0_el1; // ktrr reg 0
+        uint64_t ktrr_mystery1_el1; // ktrr reg 1
+        uint64_t ktrr_lock_el1; // ktrr reg 2
+        uint64_t ktrr_lower_el1; // ktrr reg 3
+        uint64_t ktrr_upper_el1; // ktrr reg 4
+        uint64_t ktrr_mystery6_el1; // ktrr reg 6
+        uint64_t ktrr_mystery7_el1; // ktrr reg 7
     } cp15;
 
     struct {

target/arm/helper.c

@@ -3738,6 +3738,36 @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
       .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
       .writefn = sdcr_write,
       .fieldoffset = offsetoflow32(CPUARMState, cp15.mdcr_el3) },
+    // zhuowei: hack: KTRR for Apple CPUs
+    { .name = "KTRR_MYSTERY0_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 2, .opc2 = 0,
+      .resetvalue = 0,
+      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.ktrr_mystery0_el1) },
+    { .name = "KTRR_MYSTERY1_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 2, .opc2 = 1,
+      .resetvalue = 0,
+      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.ktrr_mystery1_el1) },
+    { .name = "KTRR_LOCK_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 2, .opc2 = 2,
+      .resetvalue = 0,
+      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.ktrr_lock_el1) },
+    { .name = "KTRR_LOWER_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 2, .opc2 = 3,
+      .resetvalue = 0,
+      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.ktrr_lower_el1) },
+    { .name = "KTRR_UPPER_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 2, .opc2 = 4,
+      .resetvalue = 0,
+      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.ktrr_upper_el1) },
+    // no ktrr register 5, I think.
+    { .name = "KTRR_MYSTERY6_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 2, .opc2 = 6,
+      .resetvalue = 0,
+      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.ktrr_mystery6_el1) },
+    { .name = "KTRR_MYSTERY7_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 2, .opc2 = 7,
+      .resetvalue = 0,
+      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.ktrr_mystery7_el1) },
     REGINFO_SENTINEL
 };
 
@@ -5843,7 +5873,8 @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
             break;
         }
         /* assert our permissions are not too lax (stricter is fine) */
-        assert((r->access & ~mask) == 0);
+        // zhuowei: hack. make KTRR registers writable from EL1 even though they have opc1=4
+        // assert((r->access & ~mask) == 0);
     }
 
     /* Check that the register definition has enough info to handle