From 154742afbc2dd3c9ed4482da1f78c82a68542e78 Mon Sep 17 00:00:00 2001 From: Ved Shanbhogue Date: Wed, 30 Aug 2023 09:00:44 -0500 Subject: [PATCH 1/2] clarify xSSE and xLPE for a M+U - no S-mode - hart --- cfi_backward.adoc | 74 +++++++++++++++++++++++++++++------------------ cfi_forward.adoc | 63 +++++++++++++++++++++++++--------------- 2 files changed, 86 insertions(+), 51 deletions(-) diff --git a/cfi_backward.adoc b/cfi_backward.adoc index f5970d3..ef76d0a 100644 --- a/cfi_backward.adoc +++ b/cfi_backward.adoc 
@@ -75,16 +75,20 @@ This chapter specifies the CSR state of the Zicfiss extensions. ], config:{lanes: 4, hspace:1024}} .... -Zicfiss extension introduces the `SSE` field (bit 3) in `menvcfg`. When -`SSE` field is 1, the Zicfiss extension is enabled in S-mode. When `SSE` -field is 0, the Zicfiss extension is not enabled in S-mode and the following -rules apply to privilege modes less than M. +The Zicfiss extension adds the `SSE` field (bit 3) to `menvcfg`. When the `SSE` +field is set to 1 and S-mode is supported, the Zicfiss extension is enabled in +S-mode. If S-mode isn't supported but U-mode is, then with the SSE field set to +1, the Zicfiss extension is enabled in U-mode. -* Attempts to access the `ssp` CSR raise an illegal instruction exception. -* The 32-bit Zicfiss instructions revert to their Zimop defined behavior. -* The 16-bit Zicfiss instructions revert to their Zcmop defined behavior. -* The `pte.xwr=010b` encoding in S-stage page tables is reserved. -* The `henvcfg.SSE` and `senvcfg.SSE` fields are read-only zero. +When `SSE` field is 0, the following rules apply to privilege modes that are +less than M: + +* Any attempt to access the `ssp` CSR will result in an illegal instruction + exception. +* 32-bit Zicfiss instructions will revert to their behavior as defined by Zimop. +* 16-bit Zicfiss instructions will revert to their behavior as defined by Zcmop. +* The `pte.xwr=010b` encoding in S-stage page tables becomes reserved. +* The `henvcfg.SSE` and `senvcfg.SSE` fields will read as zero and are read-only. ==== Supervisor environment configuration registers (`senvcfg`) 
@@ -102,14 +106,15 @@ rules apply to privilege modes less than M. ], config:{lanes: 4, hspace:1024}} .... -Zicfiss extension introduces the `SSE` field (bit 3) in `senvcfg`. When -`SSE` field is 1, the Zicfiss extension is enabled in VU/U-mode. When `SSE` -field is 0, the Zicfiss extension is not enabled in VS/U-mode and the following -rules apply: +Zicfiss extension introduces the `SSE` field (bit 3) in `senvcfg`. If the +`SSE` field is set to 1, the Zicfiss extension is activated in VU/U-mode. When +the `SSE` field is 0, the Zicfiss extension remains inactive in VS/U-mode, and +the following rules apply: -* Attempts to access the `ssp` CSR raise an illegal instruction exception. -* The 32-bit Zicfiss instructions revert to their Zimop defined behavior. -* The 16-bit Zicfiss instructions revert to their Zcmop defined behavior. +* Any attempts to access the `ssp` CSR will result in an illegal instruction + exception. +* 32-bit Zicfiss instructions will revert to their behavior as defined by Zimop. +* 16-bit Zicfiss instructions will revert to their behavior as defined by Zcmop. ==== Hypervisor environment configuration registers (`henvcfg and henvcfgh`) 
@@ -130,16 +135,17 @@ rules apply: ], config:{lanes: 4, hspace:1024}} .... -Zicfiss extension introduces the `SSE` field (bit 3) in `henvcfg`. When -`SSE` field is 1, the Zicfiss extension is enabled in VS-mode. When `SSE` -field is 0, the Zicfiss extension is not enabled in VS-mode and the following -rules apply when `V=1`. +Zicfiss extension introduces the `SSE` field (bit 3) in `henvcfg`. If the +`SSE` field is set to 1, the Zicfiss extension is activated in VS-mode. When +the `SSE` field is 0, the Zicfiss extension remains inactive in VS-mode, and +the following rules apply when `V=1`: -* Attempts to access the `ssp` CSR raise an illegal instruction exception. -* The 32-bit Zicfiss instructions revert to their Zimop defined behavior. -* The 16-bit Zicfiss instructions revert to their Zcmop defined behavior. -* The `pte.xwr=010b` encoding in VS-stage page tables is reserved. -* The `senvcfg.SSE` field is read-only zero. +* Any attempts to access the `ssp` CSR will result in an illegal instruction + exception. +* 32-bit Zicfiss instructions will revert to their behavior as defined by Zimop. +* 16-bit Zicfiss instructions will revert to their behavior as defined by Zcmop. +* The `pte.xwr=010b` encoding in VS-stage page tables becomes reserved. +* The `senvcfg.SSE` field will read as zero and is read-only. ==== Shadow stack pointer (`ssp`) @@ -175,10 +181,11 @@ are specified in <>. === Shadow-Stack-Enabled (SSE) state The term `xSSE` is used to determine if backward-edge CFI using shadow stacks -provided by the Zicfiss extension is enabled at a privilege mode and it is -determined as follows: +provided by the Zicfiss extension is enabled at a privilege mode. + +When S-mode is supported, it is determined as follows: -.`xSSE` determination +.`xSSE` determination when S-mode is supported [width=100%] [%header, cols="^4,^12"] |=== 
@@ -189,6 +196,17 @@ determined as follows: | U or VU | `senvcfg.SSE` |=== +When S-mode is not supported, it is determined as follows: + +.`xSSE` determination when S-mode is not supported +[width=100%] +[%header, cols="^4,^12"] +|=== +|Privilege Mode| xSSE +| M | `1` +| U | `menvcfg.SSE` +|=== + [NOTE] ==== Activating Zicfiss in U-mode must be done explicitly per process. Not activating diff --git a/cfi_forward.adoc b/cfi_forward.adoc index 7d40117..d19888c 100644 --- a/cfi_forward.adoc +++ b/cfi_forward.adoc @@ -127,14 +127,19 @@ This chapter specifies the CSR state of the Zicfilp extension. ], config:{lanes: 4, hspace:1024}} .... -Zicfilp extension introduces the `LPE` field (bit 2) in `menvcfg`. When -`LPE` field is 1, the Zicfilp extension is enabled in S-mode. When `LPE` -field is 0, the Zicfilp extension is not enabled in S-mode and the following -rules apply to S-mode: +Zicfilp extension introduces the `LPE` field (bit 2) in `menvcfg`. When the +`LPE` field is set to 1 and S-mode is supported, the Zicfilp extension is +enabled in S-mode. If `LPE` field is set to 1 and S-mode is not supported, the +Zicfilp extension is enabled in U-mode. -* The hart does not update the expected landing pad (`ELP`) state and the `ELP` - state is always `NO_LP_EXPECTED`. -* The `lpad` instruction executes as a no-op. +When `LPE` field is 0, the Zicfilp extension is not enabled in S-mode, and the +following rules apply to S-mode: + +* The hart does not update the expected landing pad (`ELP`) state, and the `ELP` + state remains `NO_LP_EXPECTED`. +* The `lpad` instruction operates as a no-op. + +If the `LPE` field is 0 and S-mode is not supported, these rules apply to U-mode. ==== Supervisor environment configuration registers (`senvcfg`) 
@@ -153,14 +158,14 @@ rules apply to S-mode: ], config:{lanes: 4, hspace:1024}} .... -Zicfilp extension introduces the `LPE` field (bit 2) in `senvcfg`. When -`LPE` field is 1, the Zicfilp extension is enabled in VU/U-mode. When `LPE` -field is 0, the Zicfilp extension is not enabled in VU/U-mode and the +Zicfilp extension introduces the `LPE` field (bit 2) in `senvcfg`. When the +`LPE` field is set to 1, the Zicfilp extension is enabled in VU/U-mode. When the +`LPE` field is 0, the Zicfilp extension is not enabled in VU/U-mode and the following rules apply to VU/U-mode: * The hart does not update the expected landing pad (`ELP`) state and the `ELP` - state is always `NO_LP_EXPECTED`. -* The `lpad` instruction executes as a no-op. + state remains `NO_LP_EXPECTED`. +* The `lpad` instruction operates as a no-op. ==== Hypervisor environment configuration registers (`henvcfg and henvcfgh`) @@ -182,14 +187,14 @@ following rules apply to VU/U-mode: ], config:{lanes: 4, hspace:1024}} .... -Zicfilp extension introduces the `LPE` field (bit 2) in `henvcfg`. When -`LPE` field is 1, the Zicfilp extension is enabled in VS-mode. When `LPE` +Zicfilp extension introduces the `LPE` field (bit 2) in `henvcfg`. When the +`LPE` field is set to 1, the Zicfilp extension is enabled in VS-mode. When `LPE` field is 0, the Zicfilp extension is not enabled in VS-mode and the following rules apply to VS-mode: * The hart does not update the expected landing pad (`ELP`) state and the `ELP` - state is always `NO_LP_EXPECTED`. -* The `lpad` instruction executes as a no-op. + state remains `NO_LP_EXPECTED`. +* The `lpad` instruction operates as a no-op. ==== Machine status registers (`mstatus`) 
@@ -265,7 +270,7 @@ fields that hold the previous `ELP`, and are updated as specified in ], config:{lanes: 4, hspace:1024}} .... -Access to the `SPELP` field introducecd by Zicfilp accesses the homonymous +Access to the `SPELP` field introduced by Zicfilp accesses the homonymous fields of `mstatus` when `V=0` and the homonymous fields of `vsstatus` when `V=1`. @@ -298,7 +303,7 @@ when `V=1`. ], config:{lanes: 4, hspace:1024}} .... -The Zicfilp extension introduces the `SPELP` (bit 23) field that hold the +The Zicfilp extension introduces the `SPELP` (bit 23) field that holds the previous `ELP`, and is updated as specified in <>. The `SPELP` field is encoded as follows: @@ -328,8 +333,8 @@ is 0, the Zicfilp extension is not enabled in M-mode and the following rules apply to M-mode. * The hart does not update the expected landing pad (`ELP`) state and the `ELP` - state is always `NO_LP_EXPECTED`. -* The `lpad` instruction executes as a no-op. + state remains `NO_LP_EXPECTED`. +* The `lpad` instruction operates as a no-op. ==== Debug Control and Status (`dcsr`) @@ -369,10 +374,11 @@ holds the previous `ELP`, and is updated as specified in <>. The === Landing-Pad-Enabled (LPE) state The term `xLPE` is used to determine if forward-edge CFI using landing pads -provided by the Zicfilp extension is enabled at a privilege mode and it is -determined as follows: +provided by the Zicfilp extension is enabled at a privilege mode. -.`xLPE` determination +When S-mode is supported, it is determined as follows: + +.`xLPE` determination when S-mode is supported [width=100%] [%header, cols="^4,^12"] |=== 
@@ -383,6 +389,17 @@ determined as follows: | U or VU | `senvcfg.LPE` |=== +When S-mode is not supported, it is determined as follows: + +.`xLPE` determination when S-mode is not supported +[width=100%] +[%header, cols="^4,^12"] +|=== +|Privilege Mode| xLPE +| M | `mseccfg.MLPE` +| U | `menvcfg.LPE` +|=== + [NOTE] ==== The Zicfilp must be explicitly enabled for use at each privilege mode. From b812e43db6fdf49de87938db866c0eb4ec156090 Mon Sep 17 00:00:00 2001 From: Ved Shanbhogue Date: Thu, 31 Aug 2023 13:29:16 -0500 Subject: [PATCH 2/2] recommend denying vs. disabling extension --- cfi_intro.adoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cfi_intro.adoc b/cfi_intro.adoc index 1e1f89b..4e469ed 100644 --- a/cfi_intro.adoc +++ b/cfi_intro.adoc @@ -112,8 +112,9 @@ An application that has the Zicfiss extension active may request the dynamic loader at runtime to load a new dynamic shared object (using dlopen() for example). If the requested object does not have the Zicfiss attribute then the dynamic loader, based on its policy (e.g, established by the operating -system or the administrator) configuration, either fail the request or -deactivate the Zicfiss extension for the application. +system or the administrator) configuration, either deny the request or +deactivate the Zicfiss extension for the application. It is recommended that +the policy enforces a strict security posture and denies the request. When the Zicfiss extension is not active or not implemented, the Zicfiss instructions revert to their Zimop/Zcmop defined behavior. This allows a
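Review bot: In the `cfi_backward.adoc` `menvcfg` hunk (`@@ -75,16 +75,20 @@`), the new sentence enables Zicfiss in U-mode via `menvcfg.SSE` on a hart without S-mode, but the rules that follow for `SSE=0` still include "The `pte.xwr=010b` encoding in S-stage page tables becomes reserved" and "The `henvcfg.SSE` and `senvcfg.SSE` fields will read as zero and are read-only", neither of which can apply on a hart that has no S-mode (no S-stage translation, no `senvcfg`/`henvcfg`). Qualify those two bullets with "when S-mode is supported", or split the list the way the forward-edge file does. Two wording points in the same hunk: "If S-mode isn't supported but U-mode is" uses a contraction and a different construction from the parallel text in `cfi_forward.adoc` ("If `LPE` field is set to 1 and S-mode is not supported"); use one phrasing in both files, e.g. "If S-mode is not supported, the Zicfiss extension is enabled in U-mode when `SSE` is 1."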
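Review bot: In the `cfi_backward.adoc` `senvcfg` hunk (`@@ -102,14 +106,15 @@`), the rewritten sentence keeps the pre-existing mismatch "activated in VU/U-mode ... remains inactive in VS/U-mode"; `senvcfg.SSE` governs VU/U-mode, so the second should read "VU/U-mode" (the `henvcfg` hunk is the one that governs VS-mode). This hunk also switches from "enabled"/"not enabled" to "activated"/"inactive" while the `menvcfg` hunk and the `cfi_forward.adoc` hunks keep "enabled"; since `cfi_intro.adoc` already uses "active" for the software-level, per-process state, keep "enabled" for the CSR-level state to avoid blurring the two. Minor: "Any attempts to access the `ssp` CSR will result" should be "Any attempt", matching the `menvcfg` hunk.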
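Review bot: In the `cfi_backward.adoc` `henvcfg` hunk (`@@ -130,16 +135,17 @@`), the same "activated"/"remains inactive" wording replaces "enabled"/"not enabled"; for the reason given for the `senvcfg` hunk, suggest "If the `SSE` field is set to 1, the Zicfiss extension is enabled in VS-mode. When the `SSE` field is 0, the Zicfiss extension is not enabled in VS-mode, and the following rules apply when `V=1`:" and "Any attempt" rather than "Any attempts".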
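Review bot: In the `cfi_backward.adoc` `xSSE` table hunk (`@@ -189,6 +196,17 @@`), the added "when S-mode is not supported" table differs from the preceding one only in its U row (`menvcfg.SSE` instead of `senvcfg.SSE`) and in dropping the S/VS/VU rows. A single table with a row "U (S-mode not supported) | `menvcfg.SSE`" would keep the determination in one place and avoid the two copies drifting; if two tables are kept, the prose immediately above each should say that VS and VU cannot exist on such a hart, so readers do not look for missing rows.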
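Review bot: In the `cfi_forward.adoc` `menvcfg` hunk (`@@ -127,14 +127,19 @@`), the `LPE=0` case is stated as "the Zicfilp extension is not enabled in S-mode, and the following rules apply to S-mode" with the no-S-mode case bolted on afterwards as "If the `LPE` field is 0 and S-mode is not supported, these rules apply to U-mode"; the first sentence is vacuous on a hart with no S-mode. Fold the two into one statement, e.g. "When the `LPE` field is 0, the following rules apply to S-mode (or to U-mode if S-mode is not supported):". Also note the asymmetry with the backward-edge file: the `menvcfg.SSE=0` rules in `cfi_backward.adoc` make `henvcfg.SSE` and `senvcfg.SSE` read-only zero and apply to all modes below M, whereas this hunk limits `menvcfg.LPE=0` to S-mode and says nothing about `henvcfg.LPE`/`senvcfg.LPE`; if that difference is intended it deserves a sentence, and if not, the `LPE` rules should mirror the `SSE` ones.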
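Review bot: In the `cfi_forward.adoc` `senvcfg` hunk (`@@ -153,14 +158,14 @@`), changing "the `ELP` state is always `NO_LP_EXPECTED`" to "the `ELP` state remains `NO_LP_EXPECTED`" weakens the normative statement: "remains" presupposes that `ELP` was already `NO_LP_EXPECTED` on entry to the mode, whereas "is always" states the invariant the hart must guarantee regardless of prior state. Keep "is always" (or "is held at") here; the same substitution appears in the `henvcfg` hunk (`@@ -182,14 +187,14 @@`) and the `mseccfg` M-mode hunk (`@@ -328,8 +333,8 @@`) and should be reverted there as well. "operates as a no-op" for "executes as a no-op" is fine.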
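Review bot: In the `cfi_intro.adoc` hunk (`@@ -112,8 +112,9 @@`), "It is recommended that the policy enforces a strict security posture and denies the request" needs the subjunctive after "recommended that": "enforce ... and deny". The sentence would also be stronger with its reason, which the hunk already implies: deactivating Zicfiss for the application removes backward-edge protection from every object already loaded in the process, not just from the newly requested one, so denial is the safe default. Unchanged context in the same hunk has "(e.g," which should be "(e.g.,".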