/
Charter

Charter

Owned by RISC-V Tech Admin
Last updated: Nov 25, 2024 by Alex Richardson
3 min read

A well-written charter establishes clear objectives, definitions, and guidelines, aligning group members and the broader RISC-V Community from the start. It defines purpose, scope, and accountability, preventing confusion and scope creep, and serves as a reference to keep the group focused and efficient.

Introduction

The goal of the CHERI TG is to define a capability-based security extension.

CHERI provides deterministic spatial and temporal memory safety, and low-cost scalable compartmentalization features and is a fundamental step forward in terms of security for the RISC-V ecosystem.

Definitions (Optional)

Background

Memory safety is the biggest security threat to computer systems: Microsoft and Google Chromium identifying 70% of their critical vulnerabilities being in this class. CHERI-based memory safety has arisen from research starting in 2010 to be the focus of the Innovate UK Digital Security by Design Program (£90m UK government funding and over £200m from industry). Under this program, ARM Ltd has produced the Morello prototype: quad-core CHERI-ARM superscalar processors and GPU on a 7nm TSMC process, demonstrating little performance or area penalty from adding this security technology. Initially 1,000 Morello units have been shipped to partners for evaluation.

Microsoft’s Security Response Center’s 42-page report Security Analysis of CHERI ISA concludes that over ⅔ of all of Microsoft’s critical memory-safety vulnerabilities in 2019 would have been deterministically mitigated by CHERI - the closest competing technology, tagged memory extensions, achieved only 13% deterministic mitigation. Tens of millions of lines of C/C++ code have now been ported to CHERI including work by Capabilities Limited who measured just 0.026% lines-of-code change when porting an open-source desktop application stack including X11 and KDE. Microsoft’s Azure Silicon team has developed and released CHERIoT: Rethinking security for low-cost embedded systems that includes an open-source CHERIoT on Ibex - a CHERI extended embedded RISC-V core that will be taped out in the near future. The CHERIoT RTOS demonstrates how CHERI can provide scalable compartmentalisation and memory protection, which is more scalable and uses comparable silicon area to a PMP (physical memory protection as defined in the RISC-V privileged spec). The intergovernmental report Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default recommends CHERI as the secure hardware foundation for future systems, and also recommends the use of software compartmentalisation that CHERI supports efficiently.

Given the commercial demonstration of the effectiveness of CHERI, multiple vendors with in-flight hardware implementations, the practicality of porting software, and the regulatory push toward CHERI to fundamentally improve security of computer systems, we aim to produce a standardized CHERI extension to RISC-V for both RV64 and RV32.

Objectives

To create a standardization task group to create the following specifications:

  • Usermode CHERI RV64 and RV32 extensions

  • Privileged CHERI RV64 and RV32 extensions

  • CHERI RVA23[US]64 compatibility

  • CHERI RV64 and RV32 ABIs in conjunction with the psABI TG

This will include specifying requirements for:

  • Encoding 128-bit capabilities over a 64-bit baseline ISA; encoding 64-bit capabilities over a 32-bit baseline ISA

  • Tagged memory to support capability validity tags

  • CHERI extensions to the RV64 and RV32 ISA to support efficient temporal memory safety, initially for C/C++ memory protection

  • CHERI features to support safe, capability-aware exception handling

  • CHERI features to support compartmentalization models

  • ABI details including register conventions, calling conventions, and C/C++ types

  • Ensure CHERI for RV32 can support the CHERIoT software model

The task group will coordinate efforts to:

  • Update the CHERI-RISC-V Sail model to the most recent baseline RISC-V model

  • Develop a CHERI-RISC-V test suite and define the required coverage points

  • Add support for at least one compiler to target CHERI-RISC-V as specified (LLVM support exists already)

  • Demonstrate addition of CHERI support to both application-class POSIX and embedded operating systems

  • Engage with OS and compiler vendors to contribute these changes upstream

  • Add CHERI support to the QEMU emulator

  • Add CHERI support to the GDB debugger

  • Review non-ISA SoC components for CHERI compatibility and document any impact

  • Update the SBI specification to include support for CHERI-enabled systems and submit the OpenSBI CHERI port upstream

Collaborations

For more details, refer to the list of active work groups and committees.

Standard_2.png

 

RISC-V International