Info: This document outlines the plan to ratify a RISC-V Specification, establishing a solid foundation and clear expectations for the entire specification development lifecycle. The timeline set here will serve as a reference to monitor progress and ensure milestones are met. Investing in a well-prepared plan promotes effective communication, enhances collaboration, and streamlines the process.
About
Specification Name: CHERI
Task Group: RVG-148
Task Group Charter: https://github.com/riscv-admin/cheri-tg/blob/main/charter.adoc
Spec Jira: RVS-2141
Background
The goal of the CHERI TG is to define a capability-based security extension.
...
Building on over a decade of pioneering research by the University of Cambridge and SRI International, the CHERI technology has been implemented by Arm on the Morello 7nm SoC evaluation platform, and many processors have been developed by academia and industry (Microsoft, Google, Codasip, lowRISC, …).
Overview
The CHERI extension adds a new data type to RISC-V: the CHERI capability. This can be thought of as a (2*XLEN+1)-bit pointer with bounds information, permissions (e.g. read/write), type information and a hardware-tracked validity tag. In combination with new instructions, this allows for fine-grained compartmentalization and memory safety. Importantly, any instruction operating on capabilities can only reduce the access rights granted and any attempt to amplify (e.g. by growing the bounds) will clear the validity tag.
When a core implements CHERI, the general purpose registers and the CSRs that hold pointers (e.g. xtvec) are widened to capability size, and the memory subsystem propagates the validity tags to memory. New instructions operating on the extended GPRs perform bounds and permission checks when loading/storing to enforce memory safety, and new jump instructions allow for efficient compartment switching.
For a more detailed description, please see the introduction of the specification document: https://riscv.github.io/riscv-cheri/#_introduction
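The monotonicity rule described above (rights can only be reduced; any attempt to amplify clears the validity tag) and the checked load/store it protects are the core of the security argument, so the following simplified software model illustrates them. This is an added example written for this plan, not code from the CHERI specification: it does not follow the compressed (2*XLEN+1)-bit capability encoding, omits type/sealing information, and uses a small byte array as constructed "memory" with addresses as offsets into it.

```c
/* Simplified software model of a CHERI capability (added illustration, not
 * the specification's own code or encoding). Bounds, permissions and the
 * validity tag are plain fields; "memory" is a small byte array and
 * addresses are offsets into it (all values constructed for the example). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PERM_LOAD  0x1u
#define PERM_STORE 0x2u
#define MEM_SIZE   64u

typedef struct {
    uint64_t address; /* cursor: where the pointer currently points */
    uint64_t base;    /* lower bound, inclusive */
    uint64_t top;     /* upper bound, exclusive */
    uint32_t perms;   /* permission bits (PERM_*) */
    bool     tag;     /* hardware-tracked validity tag */
} cap_t;

static uint8_t g_mem[MEM_SIZE]; /* modelled memory, data part only */

/* Fill model memory with a recognisable pattern: byte i holds the value i. */
void model_init(void) {
    for (unsigned i = 0; i < MEM_SIZE; i++) g_mem[i] = (uint8_t)i;
}

/* Root capability: authority over all of model memory with every permission. */
cap_t cap_root(void) {
    cap_t c = { 0, 0, MEM_SIZE, PERM_LOAD | PERM_STORE, true };
    return c;
}

/* Bound-setting: the new bounds must lie within the source bounds. Growing
 * them in either direction is an amplification and clears the tag, which is
 * the monotonicity rule; the fields are still written, so the result is an
 * ordinary untagged value that no checked access will accept. */
cap_t cap_set_bounds(cap_t src, uint64_t new_base, uint64_t new_len) {
    cap_t out = src;
    bool overflow = new_len > UINT64_MAX - new_base;
    uint64_t new_top = new_base + new_len; /* wraps on overflow; tag cleared below */
    out.base = new_base;
    out.top = new_top;
    out.address = new_base;
    if (overflow || new_base < src.base || new_top > src.top) out.tag = false;
    return out;
}

/* Permission restriction: ANDing with a mask can only remove bits, so it can
 * never amplify and the tag is preserved. */
cap_t cap_and_perms(cap_t src, uint32_t mask) {
    cap_t out = src;
    out.perms = src.perms & mask;
    return out;
}

/* Common check for a len-byte access at the cursor needing permission `need`.
 * Returns false where hardware would raise an exception: tag clear,
 * permission missing, or the access not fully inside [base, top). */
static bool cap_check(const cap_t *c, size_t len, uint32_t need) {
    if (!c->tag) return false;
    if ((c->perms & need) != need) return false;
    if ((uint64_t)len > UINT64_MAX - c->address) return false;
    uint64_t end = c->address + len;
    if (c->address < c->base || end > c->top) return false;
    return end <= MEM_SIZE; /* size of the model array, not a CHERI rule */
}

bool cap_load(const cap_t *c, size_t len, uint8_t *out) {
    if (!cap_check(c, len, PERM_LOAD)) return false;
    memcpy(out, g_mem + c->address, len);
    return true;
}

bool cap_store(const cap_t *c, size_t len, const uint8_t *in) {
    if (!cap_check(c, len, PERM_STORE)) return false;
    memcpy(g_mem + c->address, in, len);
    return true;
}

int main(void) {
    uint8_t v = 0;
    model_init();
    cap_t buf = cap_set_bounds(cap_root(), 16, 8); /* narrowing: stays tagged */
    cap_t grown = cap_set_bounds(buf, 16, 9);      /* one byte too many: tag cleared */
    cap_t ro = cap_and_perms(buf, PERM_LOAD);      /* read-only view of buf */
    printf("buf tagged=%d grown tagged=%d\n", buf.tag, grown.tag);
    printf("load via buf: %d (v=%u)\n", cap_load(&buf, 1, &v), v);
    ro.address = 23; printf("load last byte via ro: %d\n", cap_load(&ro, 1, &v));
    ro.address = 24; printf("load one past the end: %d\n", cap_load(&ro, 1, &v));
    printf("store via read-only cap: %d\n", cap_store(&ro, 1, &v));
    return 0;
}
```

The point to take from the model is that there is no path from a narrow or read-only capability back to a wider one: every derivation either keeps or shrinks the rights, and the only way to "grow" is to lose the tag, after which the checked accesses refuse the value.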
Stakeholders Identification
References: Active Groups and Specifications Under Development
...
Security HC as well as Priv+Unpriv IC
CHERI SIG
psABI (to define the new pure-capability ABI)
Architectural Testing (to define a testsuite for CHERI-RISC-V)
Formal modelling (to upstream a CHERI-RISC-V Sail model)
Apps and Tools Software HC
SBI Specification
Design Considerations
The CHERI extension has been designed to be fully binary compatible with existing RISC-V code. When the extension is enabled, it is also possible to recompile code in a mode that uses capability registers (instead of integer GPRs) for all accesses, the so-called pure-capability programming environment.
For opcode space reasons it is not feasible to add new variations of every (vector) load/store instruction using a capability base register, so CHERI adds a decoding mode bit to the program counter that allows changing the interpretation of the base operand between integer and capability.
Proof-of-Concept and Tests
The CHERI specification has been validated in multiple operating systems:
...
In terms of ISA tests, Codasip has an extensive test suite and Cambridge has created a differential testing framework that works with CHERI.
Software Ecosystem Impacts
Freeze Checklists
Select one of the options below (ISA or NON-ISA) and complete the table with the required information.
Key Milestones
Info: To define your plan milestone dates, please use https://tech.riscv.org/plan/.
Milestone | Date |
---|---|
Plan Approval | |
Internal Review Start | |
ARC Review Freeze Request | |
Freeze | |
Public Review Start | |
TSC Ratification Approval | |
BoD Ratification Approval | |
Additional Notes
...