Info: This document outlines the plan to ratify a RISC-V Specification, establishing a solid foundation and clear expectations for the entire specification development lifecycle. The timeline set here will serve as a reference to monitor progress and ensure milestones are met. Investing in a well-prepared plan promotes effective communication, enhances collaboration, and streamlines the process.
About
Specification Name: CHERI
Task Group: RVG-148
Task Group Charter: https://github.com/riscv-admin/cheri-tg/blob/main/charter.adoc
Spec Jira: RVS-2141
Background
The goal of the CHERI TG is to define a capability-based security extension.
...
Building on over a decade of pioneering research by the University of Cambridge and SRI International, CHERI has been implemented by Arm on the Morello 7nm SoC evaluation platform, and many further processors have been developed in academia and industry (Microsoft, Google, Codasip, lowRISC, …).
Overview
The CHERI extension adds a new data type to RISC-V: the CHERI capability. This can be thought of as a (2*XLEN)-bit pointer carrying bounds information, permissions (e.g. read/write), type information and an out-of-band, hardware-tracked validity tag. In combination with new instructions, this allows for fine-grained compartmentalization and deterministic memory safety. Importantly, any instruction that derives a new capability from an existing one can only reduce the access rights it grants; an attempt to amplify them (e.g. by growing the bounds) yields a capability with its validity tag cleared, which the hardware will refuse to use to authorize any access.
...
For a more detailed description, please see the introduction of the specification document: https://riscv.github.io/riscv-cheri/#_introduction
Stakeholders Identification
References: Active Groups and Specifications Under Development
...
Security HC as well as Priv+Unpriv IC
CHERI SIG
psABI (to define the new pure-capability ABI)
Architectural Testing (to define a testsuite for CHERI-RISC-V)
Formal modelling (to upstream a CHERI-RISC-V Sail model)
Apps and Tools Software HC
SBI Specification
Design Considerations
The CHERI extension has been designed to be fully binary compatible with existing RISC-V code. When the extension is enabled, code can also be recompiled in a mode that uses capability registers (instead of integer GPRs) for all memory accesses, the so-called pure-capability programming environment.
Because opcode space is limited, it is not feasible to add a capability-base variant of every load/store instruction (the vector loads and stores alone would be prohibitive). CHERI therefore adds a decoding mode bit, held in the program counter capability (PCC), that switches the interpretation of the base operand of load/store instructions between an integer address and a capability register.
Proof-of-Concept and Tests
The CHERI specification has been validated in multiple operating systems:
...
In terms of ISA tests, Codasip has an extensive test suite and Cambridge has created a differential testing framework that works with CHERI.
Software Ecosystem Impacts
While CHERI is a large extension, in most cases there is no need to explicitly use compiler intrinsics; instead, enabling the extension and the appropriate ABI flag will transparently make use of the new instructions and result in a memory-safe application.
...
Importantly, the CHERI extension is fully binary compatible with existing RISC-V binaries, so there is no requirement to use this new ABI. Applications function as before, while the parts of the software stack that opt in to the new extension (e.g. the firmware, hypervisor, kernel, or individual programs) run in a memory-safe and compartmentalized environment.
Freeze Checklists
Item | Description | Plan | Resources |
---|---|---|---|
Opcode | Enough opcode encoding to support an assembler. | Full support in LLVM: https://github.com/CHERI-Alliance/llvm-project | Codasip+Cambridge Uni |
Simulator | Enough simulator support so that basic RISC-V tests can be run. See the policy for more details. | QEMU support implemented: https://github.com/CHERI-Alliance/qemu | Codasip+Cambridge Uni |
psABI | ABI extensions (if necessary) | Planned | Jessica Clarke + Alex Richardson |
GCC | Support on GCC (optimizations not required) | N/A, using LLVM instead | |
LLVM | Support on LLVM (optimizations not required) | Full support: https://github.com/CHERI-Alliance/llvm-project | Codasip+Cambridge Uni+SCISemi |
RISC-V Test Input | Test configuration input (YAML schema & values, Test Coverage YAML rules, see the policy) | Planned | Codasip+Cambridge Uni |
RISC-V Tests | Basic tests that do not cover corner cases. See the policy for more details. | Planned - Codasip has internal test suite and plans to release a set of basic ACT tests | Codasip |
RISC-V SAIL | Enablement of the new specification/extension as part of the RISC-V SAIL Golden Model. | Implemented: https://github.com/CHERI-Alliance/sail-cheri-riscv | Codasip |
Key Milestones
Info: To define your plan milestone dates, please use https://tech.riscv.org/plan/.
Milestone | Date |
---|---|
Plan Approval | |
Internal Review Start | |
ARC Review Freeze Request | 13 Jan |
Freeze | 08 |
Public Review Start | 09 |
TSC Ratification Approval | |
BoD Ratification Approval | |
Additional Notes
...