Add draft of Svkt extension

Svkt provides a means to make user-mode accesses to supervisor memory raise
page faults in constant time, mitigating attacks that attempt to discover the
supervisor software's address-space layout.

I plan to submit this as a fast-track soon.

src/hypervisor.adoc

@@ -593,7 +593,9 @@ mode V=1.
   {bits:  2, name: 'CBIE'},
   {bits:  1, name: 'CBCFE'},
   {bits:  1, name: 'CBZE'},
-  {bits: 24, name: 'WPRI'},
+  {bits: 16, name: 'WPRI'},
+  {bits: 1, name: 'HUVKT'},
+  {bits: 7, name: 'WPRI'},
   {bits:  2, name: 'PMM'},
   {bits: 25, name: 'WPRI'},
   {bits:  1, name: 'DTE'},
@@ -651,6 +653,12 @@ The definition of the CBZE field is furnished by the Zicboz extension.
 
 The definitions of the CBCFE and CBIE fields are furnished by the Zicbom extension.
 
+If the Svkt extension is implemented, the HUVKT field affects the behavior of
+the HLV, HLVX, and HSV instructions when executed in U-mode.
+When one of these instructions is executed in U-mode, it behaves as though
+`senvcfg`.SVKT were set to the value of HUVKT.
+If Svkt is not implemented, HUVKT is read-only zero.
+
 The definition of the PMM field will be furnished by the forthcoming
 Ssnpm extension. Its allocation within `henvcfg` may change prior to the
 ratification of that extension.

src/supervisor.adoc

@@ -730,6 +730,7 @@ characteristics of the U-mode execution environment.
   {bits:  2, name: 'CBIE'},
   {bits:  1, name: 'CBCFE'},
   {bits:  1, name: 'CBZE'},
+  {bits:  1, name: 'SVKT'},
   {bits: 24, name: 'WPRI'},
   {bits:  2, name: 'PMM'},
   {bits: 30, name: 'WPRI'},
@@ -824,6 +825,17 @@ The definitions of the CBCFE and CBIE fields will be furnished by the
 forthcoming Zicbom extension. Their allocations within `senvcfg` may
 change prior to the ratification of that extension.
 
+If the Svkt extension is implemented, the SVKT field affects the behavior of
+instruction fetches and explicit memory accesses.
+When SVKT=0, instruction fetches and explicit memory accesses proceed as
+though the Svkt extension were not implemented.
+When SVKT=1, an instruction fetch or explicit memory access with effective
+privilege mode U or VU that attempts to access a virtual address {ge}
+2^SXLEN-1^ raises a page-fault exception corresponding to the original access
+type.
+The timing of an instruction that raises an exception for this reason must be
+independent of the faulting virtual address.
+
 The definition of the PMM field will be furnished by the forthcoming
 Ssnpm extension. Its allocation within `senvcfg` may change prior to the
 ratification of that extension.
@@ -2270,6 +2282,18 @@ Invalid PTEs using a bounded timer, or making address-translation caches
 coherent with store instructions that modify PTEs.
 ====
 
+[[sec:svkt]]
+== "Svkt" Extension for Address-Independent Latency of User-Mode Faults to Supervisor Addresses, Version 0.2
+
+The Svkt extension provides a means to make user-mode accesses to supervisor
+memory raise page faults in constant time, mitigating attacks that attempt to
+discover the supervisor software's address-space layout.
+
+If the Svkt extension is implemented, the `senvcfg`.SVKT field is writable.
+If the hypervisor extension is additionally implemented, the `henvcfg`.HUVKT
+field is also writable.
+See <<sec:senvcfg>> and <<sec:henvcfg>> for the definitions of those fields.
+
 ////
 [[sec:ssqosid]]
 == "Ssqosid" Extension for Quality-of-Service (QoS) Identifiers, Version 1.0