Skip to content

Latest commit

 

History

History
160 lines (118 loc) · 6.13 KB

cfi_csrs.adoc

File metadata and controls

160 lines (118 loc) · 6.13 KB
Raw

Shadow Stack and Landing Pad CSRs

This chapter specifies the CSR state of the Zisslpcfi extension.

Machine environment configuration registers (menvcfg and menvcfgh)

The CFIE (bit 60) field controls if Zisslpcfi extension is available for use in modes less privileged than M. When CFIE is 1, the SFCFIE (bit 59) field enables forward-edge CFI at S-mode.

When menvcfg.CFIE bit is 0, then at privilege modes less privileged than M:

  • Attempts to access ssp CSR and lplr CSR raise an illegal instruction exception.

  • Zisslpcfi extension instructions revert to the Zimops defined behavior.

  • The UBCFIE, UFCFIE and SPELP fields in mstatus are read-only zero.

  • The CFIE field in henvcfg is read-only zero.

  • The pte.xwr=010b encoding in S-stage page tables is reserved.

Note

When the Zisslpcfi extension is available for use at privilege level less than M, the operating system may use the UBCFIE and UFCFIE to selectively enable the backward-edge and forward-edge CFI at U mode per application.

When the Zisslpcfi extension is available for use at S-mode, the operating system may use shadow stacks at S-mode. If the operating system uses forward-edge CFI then it may request the SEE to set SFCFIE to 1.

With these set of controls the backward-edge and forward-edge CFI may be separately enforced at S-mode and for each application.

Hypervisor environment configuration registers (henvcfg and henvcfgh)

The CFIE (bit 60) bit controls if Zisslpcfi extension is available for use in VS and VU modes. When menvcfg.CFIE is 0, henvcfg.CFIE is read-only zero.

When henvcfg.CFI bit is 0, then at privilege modes VS and VU:

  • Attempts to access ssp CSR and lplr CSR raise an illegal instruction exception.

  • The UBCFIE, UFCFIE and SPELP fields in vsstatus are read-only zero.

  • The pte.xwr=010b encoding in VS-stage page tables remains reserved.

When CFIE is 1, the SFCFIE (bit 59) field enables forward-edge CFI at VS-mode.

Machine status registers (mstatus)

The UFCFIE (bit 23) and UBCFIE (bit 24) are WARL fields that when set to 1 enable backward-edge and forward-edge CFI respectively at U-mode.

The SPELP (bit 25) and MPELP (bit 26) WARL fields are updated when a trap is taken into M-mode or S-mode respectively. When a trap is taken into privilege mode x, the xPELP fields are updated to indicate that a landing pad was expected at the privilege level xPP at the time of taking the trap.

The xPELP fields are encoded as follows:

  • 0 - NO_LP_EXPECTED - no landing pad instruction expected

  • 1 - LP_EXPECTED - landing pad instruction expected

Supervisor status registers (sstatus)

When menvcfg.CFI is 1, access to the following fields accesses the homonymous field of mstatus register. When menvcfg.CFI is 0, these fields are read-only zero.

  • UFCFIE (bit 23)

  • UBCFIE (bit 24)

  • SPELP (bit 25)

Virtual supervisor status registers (vsstatus)

The vsstatus register is VS-mode’s version of sstatus and the Zisslpcfi extension introduces the following fields.

  • UFCFIE (bit 23)

  • UBCFIE (bit 24)

  • SPELP (bit 25)

When menvcfg.CFI is 0, these fields are read-only zero. When menvcfg.CFI is 1 and henvcfg.CFI is 0, these fields are read-only zero in sstatus (really vsstatus) when V=1.

Note

The vsstatus and henvcfg CSR for a virtual machine may be restored in any order. The state of henvcfg.CFI does not prevent access to the bits introduced in vsstatus when the CSR is accessed in HS-mode.

Landing pad label register (lplr)

The lplr CSR is a unprivileged read-write (URW) 32-bit register that holds the label expected at the target of an indirect call or an indirect jump. The label is split into a 8-bit upper label (UL), 8-bit middle label (ML), and a 9-bit lower label (LL).

lplr for RV32 and RV64
{reg: [
  {bits: 9, name: 'LL'},
  {bits: 8, name: 'ML'},
  {bits: 8, name: 'UL'},
  {bits: 7, name: 'WPRI'},
], config:{lanes: 1, hspace:1024}}

When menvcfg.CFI is 0, an attempt to access lplr in a mode other than M-mode raises an illegal instruction exception. When sstatus.UFCFIE is 0, an attempt to access lplr in U-mode raises an illegal instruction exception.

Note

Access to lplr at S-mode is not dependent on sstatus.UFCFIE or menvcfg.SFCFIE to allow an operating system to be able to context switch U-mode lplr state even when the operating system itself does not enable the use of forward-edge CFI at S-mode.

When menvcfg.CFI is 1 but henvcfg.CFI is 0, an attempt to access lplr when V=1 raises a virtual instruction exception.

When menvcfg.CFI and henvcfg.CFI are both 1 but vstatus.UFCFIE is 0, an attempt to access lplr in VU-mode raises an illegal instruction exception.

Shadow stack pointer (ssp)

The ssp CSR is an unprivileged read-write (URW) CSR that reads and writes XLEN low order bits of the shadow stack pointer (ssp). There is no high CSR defined as the ssp is always as wide as the XLEN of the current privilege level.

When menvcfg.CFI is 0, an attempt to access ssp in a mode other than M-mode raises an illegal instruction exception. When sstatus.UBCFIE is 0, an attempt to access ssp in U-mode raises an illegal instruction exception.

Note

Access to ssp at S-mode is not dependent on sstatus.UBCFIE to allow an operating system to be able to context switch U-mode ssp per application.

When menvcfg.CFI is 1 but henvcfg.CFI is 0, an attempt to access ssp when V=1 raises a virtual instruction exception.

When menvcfg.CFI and henvcfg.CFI are both 1 but vsstatus.UBCFIE is 0, an attempt to access ssp in VU-mode raises an illegal instruction exception.

Machine Security Configuration (mseccfg)

When the Smepmp extension is implemented, a new WARL field sspmp is defined in bits 8:3 of the mseccfg CSR to configure a PMP entry as the shadow stack memory region for M-mode accesses. The rules enforced by PMP for M-mode shadow stack memory accesses are outlined in [PMP_SS].

The MFCFIE (bit 9) is a WARL fields that when set to 1 enables forward-edge CFI at M-mode.