From 40d18544114b3f03d98c1a6dd6203607f278429e Mon Sep 17 00:00:00 2001 From: Andrew Waterman Date: Wed, 24 Jul 2024 18:45:53 -0700 Subject: [PATCH] Add draft of Svkt extension Svkt provides a means to make user-mode accesses to supervisor memory raise page faults in constant time, mitigating attacks that attempt to discover the supervisor software's address-space layout. I plan to submit this as a fast-track soon. --- src/hypervisor.adoc | 10 +++++++++- src/supervisor.adoc | 24 ++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/src/hypervisor.adoc b/src/hypervisor.adoc index b81952cbc..fc0d394a3 100644 --- a/src/hypervisor.adoc +++ b/src/hypervisor.adoc @@ -593,7 +593,9 @@ mode V=1. {bits: 2, name: 'CBIE'}, {bits: 1, name: 'CBCFE'}, {bits: 1, name: 'CBZE'}, - {bits: 24, name: 'WPRI'}, + {bits: 16, name: 'WPRI'}, + {bits: 1, name: 'HUVKT'}, + {bits: 7, name: 'WPRI'}, {bits: 2, name: 'PMM'}, {bits: 25, name: 'WPRI'}, {bits: 1, name: 'DTE'}, @@ -651,6 +653,12 @@ The definition of the CBZE field is furnished by the Zicboz extension. The definitions of the CBCFE and CBIE fields are furnished by the Zicbom extension. +If the Svkt extension is implemented, the HUVKT field affects the behavior of +the HLV, HLVX, and HSV instructions when executed in U-mode. +When one of these instructions is executed in U-mode, it behaves as though +`senvcfg`.SVKT were set to the value of HUVKT. +If Svkt is not implemented, HUVKT is read-only zero. + The definition of the PMM field will be furnished by the forthcoming Ssnpm extension. Its allocation within `henvcfg` may change prior to the ratification of that extension. diff --git a/src/supervisor.adoc b/src/supervisor.adoc index fee952fff..5c9448d4c 100644 --- a/src/supervisor.adoc +++ b/src/supervisor.adoc 
@@ -730,6 +730,7 @@ characteristics of the U-mode execution environment. {bits: 2, name: 'CBIE'}, {bits: 1, name: 'CBCFE'}, {bits: 1, name: 'CBZE'}, + {bits: 1, name: 'SVKT'}, {bits: 24, name: 'WPRI'}, {bits: 2, name: 'PMM'}, {bits: 30, name: 'WPRI'}, @@ -824,6 +825,17 @@ The definitions of the CBCFE and CBIE fields will be furnished by the forthcoming Zicbom extension. Their allocations within `senvcfg` may change prior to the ratification of that extension. +If the Svkt extension is implemented, the SVKT field affects the behavior of +instruction fetches and explicit memory accesses. +When SVKT=0, instruction fetches and explicit memory accesses proceed as +though the Svkt extension were not implemented. +When SVKT=1, an instruction fetch or explicit memory access with effective +privilege mode U or VU that attempts to access a virtual address {ge} +2^SXLEN-1^ raises a page-fault exception corresponding to the original access +type. +The timing of an instruction that raises an exception for this reason must be +independent of the faulting virtual address. + The definition of the PMM field will be furnished by the forthcoming Ssnpm extension. Its allocation within `senvcfg` may change prior to the ratification of that extension. 
@@ -2270,6 +2282,18 @@ Invalid PTEs using a bounded timer, or making address-translation caches coherent with store instructions that modify PTEs. ==== +[[sec:svkt]] +== "Svkt" Extension for Address-Independent Latency of User-Mode Faults to Supervisor Addresses, Version 0.2 + +The Svkt extension provides a means to make user-mode accesses to supervisor +memory raise page faults in constant time, mitigating attacks that attempt to +discover the supervisor software's address-space layout. + +If the Svkt extension is implemented, the `senvcfg`.SVKT field is writable. +If the hypervisor extension is additionally implemented, the `henvcfg`.HUVKT +field is also writable. +See <> and <> for the definitions of those fields. + //// [[sec:ssqosid]] == "Ssqosid" Extension for Quality-of-Service (QoS) Identifiers, Version 1.0
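Review bot: in the `henvcfg` field list (src/hypervisor.adoc, hunk at -593), HUVKT sits 16 WPRI bits above CBZE, while the `senvcfg` hunk places SVKT immediately above CBZE, and nothing in the text explains the different offsets. The 16 + 1 + 7 split does preserve the original 24-bit width, so the diagram itself still sums correctly. If the gap is deliberate, add a sentence of rationale next to the HUVKT paragraph; if not, align the two positions.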
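Review bot: the HUVKT paragraph (src/hypervisor.adoc, hunk at -651) keys on the mode that executes HLV, HLVX, or HSV ("when executed in U-mode"), but the SVKT rule it defers to keys on the effective privilege mode of the access ("effective privilege mode U or VU"), and the text does not say how the two compose. State explicitly which effective privilege modes of the resulting access are subject to the fault when HUVKT=1, and whether `senvcfg`.SVKT itself has any effect on these instructions when they are executed in U-mode.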
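Review bot: in the `senvcfg` field list (src/supervisor.adoc, hunk at -730), the one-bit SVKT entry is added but the following `{bits: 24, name: 'WPRI'}` line is left unchanged, so the diagram grows by one bit and PMM and every field above it shift up by one position. The `henvcfg` hunk avoids this by splitting its WPRI run so the total stays at 24 bits; do the same here by reducing this run to `{bits: 23, name: 'WPRI'}`.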
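Review bot: the SVKT paragraph (src/supervisor.adoc, hunk at -824) does not say what the field reads as when Svkt is not implemented, whereas the HUVKT paragraph states "If Svkt is not implemented, HUVKT is read-only zero." Add the equivalent sentence for SVKT so software can probe for the extension the same way in both registers. The threshold is also written as 2^SXLEN-1^ although the rule covers effective privilege mode VU as well as U; say which XLEN applies to VU accesses.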
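Review bot: in the new Svkt section (src/supervisor.adoc, hunk at -2270), the last sentence reads "See <> and <> for the definitions of those fields", with both cross-reference targets empty as shown here. Confirm that they name the `senvcfg` and `henvcfg` section anchors so the links resolve in the built document.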