|
| 1 | +[[smcfiss]] |
| 2 | + |
| 3 | +== Contributors |
| 4 | + |
| 5 | +Allen Baum, Ruud Derwig, Brian Grayson, Deepak Gupta, Freddie Huang, Yann |
| 6 | +Loisel, Ved Shanbhogue, Geoffrey Thorpe, Joe Xie, Adam Zabrocki |
| 7 | + |
| 8 | +== "Smpmpind" Extension for Indirect PMP CSR Access, Version 0.1 |
| 9 | + |
| 10 | +The Smpmpind extension defines a range of selector values for accessing PMP |
| 11 | +registers using the CSRs provided by the Smcsrind extension. The Smpmpind |
| 12 | +extension depends on the Smcsrind extension. |
| 13 | + |
| 14 | +For indirect access to PMP registers, `miselect` selects the target PMP |
| 15 | +entry; `mireg` accesses its `pmpaddr` register, and `mireg2` accesses its |
| 16 | +`pmpcfg` register. The `mireg3` through `mireg6` CSRs are reserved. |
| 17 | + |
| 18 | +The `pmpcfg` is a MXLEN wide register. The low 8 bits of this register are an |
| 19 | +alias of the 8-bit field of the PMP configuration register for this entry |
| 20 | +that can be accessed using a direct CSR access. |
| 21 | + |
| 22 | +The behavior of PMP entry locking is unchanged by this extension. |
| 23 | + |
| 24 | +Bit MXLEN-1 of the `pmpcfg` register is defined as the extended-attributes (`E`) |
| 25 | +field. When the `E` field is 0, the `XWR` bits in the `pmpcfg` register are |
| 26 | +interpreted as if the `Smpmpind` extension were not implemented. |
| 27 | + |
| 28 | +When the `E` field is 1, all encodings of the `XWR` bits are reserved unless |
| 29 | +they are defined by another standard extension. Attempting to access a PMP |
| 30 | +region when `E` is 1 and the `XWR` encoding is reserved raises an access fault |
| 31 | +exception corresponding to the original access type. |
| 32 | + |
| 33 | +== "Smcfiss" Extension for Machine-mode Shadow Stack, Version 0.1 |
| 34 | + |
| 35 | +The Smcfiss extension enables the use of a shadow stack to enforce |
| 36 | +backward-edge control-flow integrity in machine mode. |
| 37 | + |
| 38 | +The Smcfiss extension depends on the Zicfiss and Smpmpind extensions. |
| 39 | + |
| 40 | +The Smcfiss extension introduces an `MSSE` field in `mseccfg` to enable the use |
| 41 | +of Zicfiss in machine mode. When the Smcfiss extension is implemented, the |
| 42 | +shadow-stack-enabled (SSE) state, denoted by the term `xSSE`, is set to the |
| 43 | +value of `mseccfg.MSSE`. When Smcfiss is not implemented, the `MSSE` field is |
| 44 | +read-only zero. |
| 45 | + |
| 46 | +When the Smepmp extension is also implemented, if the `mseccfg.RLB` field is 0 |
| 47 | +while `pmpcfg.L` is 1 in any PMP entry, further writes to the `mseccfg.MSSE` |
| 48 | +field are ignored until a PMP reset. |
| 49 | + |
| 50 | +When `mseccfg.MSSE` is 1, a PMP entry with `E=1` and `XWR=010` denotes an M-mode |
| 51 | +shadow stack memory region. |
| 52 | + |
| 53 | +When `E=1` and `mseccfg.MSSE` is 0, the `XWR=010` encoding remains reserved. |
| 54 | + |
| 55 | +The following rules apply to accesses to M-mode shadow stack memory regions: |
| 56 | + |
| 57 | +* When the effective privilege mode of an access is M: |
| 58 | + ** Shadow stack instructions are permitted to access only M-mode shadow stack |
| 59 | + memory regions. Any attempt by a shadow stack instruction to access a |
| 60 | + memory region that is not an M-mode shadow stack memory region raises a |
| 61 | + store/AMO access fault exception. |
| 62 | + ** Instructions other than shadow stack instructions are not permitted to |
| 63 | + store to an M-mode shadow stack memory region. Any such attempt raises a |
| 64 | + store/AMO access fault exception. |
| 65 | + ** The M-mode shadow stack memory region may be read either by explicit load |
| 66 | + instructions or by shadow stack instructions. |
| 67 | + ** Implicit accesses, including instruction fetches, to an M-mode shadow stack |
| 68 | + memory region raise an access fault exception corresponding to the original |
| 69 | + access type. |
| 70 | + |
| 71 | +* When the effective privilege mode of an access is less than M, any access |
| 72 | + to an M-mode shadow stack memory region raises an access fault exception |
| 73 | + corresponding to the original access type. |
| 74 | + |
| 75 | +== "Smucfiss" Extension for User-mode Shadow Stack for M+U, Version 0.1 |
| 76 | + |
| 77 | +The Smucfiss extension enables the use of a shadow stack to enforce |
| 78 | +backward-edge control-flow integrity in user mode using PMPs when the S-mode |
| 79 | +is not implemented. |
| 80 | + |
| 81 | +The Smucfiss extension depends on the Zicfiss and Smcfiss extensions. The |
| 82 | +Smucfiss extension is not supported when the S-mode is implemented. |
| 83 | + |
| 84 | +When Smucfiss is implemented, the following rules apply: |
| 85 | + |
| 86 | +* The shadow-stack-enabled (SSE) state, denoted by the term `xSSE`, is set to |
| 87 | + the value of `menvcfg.SSE` for U-mode, enabling the use of Zicfiss in U-mode. |
| 88 | +* When `menvcfg.SSE` is 1, a PMP entry configured with `E=1` and `XWR=110` |
| 89 | + denotes a U-mode shadow stack memory region. |
| 90 | +* When `E=1` and `menvcfg.SSE` is 0, the `XWR=110` encoding remains reserved. |
| 91 | + |
| 92 | +The following rules apply to accesses to U-mode shadow stack memory regions: |
| 93 | + |
| 94 | +* When the effective privilege mode of an access is U: |
| 95 | + ** Shadow stack instructions are permitted to access only U-mode shadow stack |
| 96 | + memory regions. Any attempt by a shadow stack instruction to access a |
| 97 | + memory region that is not a U-mode shadow stack memory region raises a |
| 98 | + store/AMO access fault exception. |
| 99 | + ** Instructions other than shadow stack instructions are not permitted to |
| 100 | + store to a U-mode shadow stack memory region. Any such attempt raises a |
| 101 | + store/AMO access fault exception. |
| 102 | + ** The U-mode shadow stack memory region may be read either by explicit load |
| 103 | + instructions or by shadow stack instructions. |
| 104 | + ** Implicit accesses, including instruction fetches, to a U-mode shadow stack |
| 105 | + memory region raise an access fault exception corresponding to the original |
| 106 | + access type. |
| 107 | + |
| 108 | +* When the effective privilege mode of an access is not U, any access |
| 109 | + to a U-mode shadow stack memory region raises an access fault exception |
| 110 | + corresponding to the original access type. |
| 111 | + |
| 112 | +== "Sspmpss" Extension for S-level PMP Shadow Stack, Version 0.1 |
| 113 | + |
| 114 | +The Sspmpss extension enables the use of a shadow stack to enforce |
| 115 | +backward-edge control-flow integrity for S/HS- and U-mode software using |
| 116 | +S-level PMP (SPMP). The Sspmpss extension depends on the Zicfiss and |
| 117 | +Sspmp extensions. |
| 118 | + |
| 119 | +If `satp.MODE` is not `Bare` or if `menvcfg.SSE` is 0, the implementation |
| 120 | +behaves as if Sspmpss is not implemented. When Sspmpss is implemented, the |
| 121 | +`XWR=010` encoding in `spmpcfg[i]` with `spmpcfg.SHARED=0` denotes a shadow |
| 122 | +stack memory region. When Sspmpss is not implemented, the `XWR=010` encoding |
| 123 | +with `spmpcfg.SHARED=0` remains reserved. |
| 124 | + |
| 125 | +When Sspmpss is implemented, the following additional rules apply to memory |
| 126 | +accesses with effective privilege mode S/HS or U: |
| 127 | + |
| 128 | +* Shadow stack instructions are permitted to access only shadow stack memory |
| 129 | + regions. Any attempt by a shadow stack instruction to access a memory region |
| 130 | + that is not a shadow stack memory region raises a store/AMO access fault |
| 131 | + exception. |
| 132 | +* Instructions other than shadow stack instructions are not permitted to store |
| 133 | + to a shadow stack memory region. Any such attempt raises a store/AMO |
| 134 | + access fault exception. |
| 135 | +* Implicit accesses, including instruction fetches, to a shadow stack memory |
| 136 | + region raise an access fault exception corresponding to the original access |
| 137 | + type. |
| 138 | +* Shadow stack memory regions may be read either by explicit load instructions |
| 139 | + or by shadow stack instructions. |
| 140 | + |
| 141 | +The access faults caused by these additional rules occur at lower priority than |
| 142 | +a page fault due to the memory access being disallowed by the U bit, given the |
| 143 | +effective privilege mode of the access and the state of the `SUM` and `MXR` |
| 144 | +fields of the `mstatus` register. |
| 145 | + |
| 146 | +When the H extension is also implemented, the following additional rules apply |
| 147 | +to memory accesses with effective privilege mode VS or VU: |
| 148 | + |
| 149 | +* Shadow stack instructions that access memory require the SPMP to grant both |
| 150 | + read and write permission; otherwise, a store/AMO guest-page fault exception |
| 151 | + is raised. |
| 152 | +* Any attempt to access a shadow stack memory region, including by shadow stack |
| 153 | + instructions or implicit accesses, raises a guest-page fault exception |
| 154 | + corresponding to the original access type. |
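Review bot: The statement at line 22 that PMP entry locking is unchanged does not say whether the new `E` field (bit MXLEN-1, lines 24-26) is covered by `pmpcfg.L`. Since `E` changes how `XWR` is interpreted, state explicitly whether a locked entry's `E` bit is also write-ignored, and define how bits 8 through MXLEN-2 of the indirect `pmpcfg` view behave. In the Sspmpss section, lines 141-144 order the new access faults against a page fault caused by the U bit, but line 119 says the extension behaves as not implemented unless `satp.MODE` is `Bare`, so name which U bit is meant. The Smpmpind text says it defines a range of selector values but never gives the `miselect` range, and the `[[smcfiss]]` anchor on line 1 sits above the Contributors and Smpmpind sections rather than at the Smcfiss heading on line 33.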