RISC-V

References:

[1] TIMBER-V: Tag-Isolated Memory Bringing Fine-grained Enclaves to RISC-V. NDSS, 201902. paper

[2] XuanTie 910, Pingtouge (Honey Badger), 20190725.

RISC-V Terms

  • Hart: Hardware thread. Spec 20191213, Page 2.

More

  • Attacks
      • A2: Analog Malicious Hardware (Reference1)
          • “In the open spaces of an already placed and routed design, we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values.”
          • “When the capacitors fully charge, they deploy an attack that forces a victim flip-flop to a desired value, e.g., the privileged bit for the processor.”
          • “We replace the hundreds of gates required by conventional counter-based triggers implemented using digital logic with analog components – a capacitor and a few transistors wrapped-up in a single gate.”

  • Ibex
      • References: ibex docs ibex rtl on github RTL Coding ibex core integration
      • Main module is ibex_top, defined in ibex_top.sv
      • Core logic is split out from the register file and RAMs under ibex_top. This is to facilitate a dual-core lockstep implementation.
      • Register File
          • RegFile defined in rtl/ibex_pkg.sv
          • Three register file implementations, depending on different target technologies:
              • ibex_pkg::RegFileFF: flip-flop-based, default;
              • ibex_pkg::RegFileLatch: latch-based;
              • ibex_pkg::RegFileFPGA: for FPGA target;
      • Identification CSRs
          • Read-only CSRs, defined in rtl/ibex_pkg.

  • Sonic Boom
      • Instruction Fetch
          • References: Docs » Instruction Fetch
          • The Front-end fetches instructions and makes predictions throughout the Fetch stage to redirect the instruction stream in multiple fetch cycles (F0, F1…)
          • Misprediction:
              • Detected in BOOM’s Back-end (execution pipeline);
              • A request is sent to the Front-end;
          • ICache:
              • Virtually indexed, physically tagged set-associative cache;
              • To save power, the i-cache is only fired up again once the fetch register has been exhausted (or a branch prediction directs the PC elsewhere).

  • J Extension
      • References: Pointer Masking Proposal, 2022-10
      • Pointer Masking
          • Feature of RISC-V: when enabled, the MMU will ignore the top N bits of the effective address. The application can then use these top N bits in its own way.
          • Most commonly, those bits are used to store various types of tags, which can be leveraged by a number of hardware/software features, including sandboxing mechanisms and dynamic safety checkers such as HWASAN.

  • IOPMP
      • References: Syntacore IOPMP proposal. v.20210124, mailto:stanislav.zhelnio@syntacore.com
      • Proposal Overview
          • “The block is designed to filter requests to memory and peripherals”
          • “Requests are checked on the basis of request address (and size) and the request source ID (SID)”
          • Possible usage scenarios:
              • filtering the CPU requests when the CPU PMP managed by OS or hypervisor is not trusted;
              • filtering the DMA requests when the IOMMU settings managed by hypervisor are not trusted;
              • filtering all the requests to memory or peripheral device.

Created Jul 7, 2019 // Last Updated Mar 28, 2022
