Re-integrate Smepmp

[mickflemm]

• Current chapter is the proposal document as-is, clean it up to better fit with the rest of the document.

• Add a link to the proposal document for more info.

• Add references from/to mseccfg definition, and to the PMP chapter. While there also add a reference to the Smmpm chapter on mseccfg definition.

• Rename MMWP to MMAP (Allowlist instead of Whitelist) and update the register field definition and the visual representation fo Smepmp.

• Clarify the reset state of mseccfg.MML/MMAP/RLB in the reset chapter.

• Add the editors of Smepmp (me and Joe Xie) to the list of contributors.

[Timmmm]

I think I was imagining a lighter touch rewording that would be a bit easier to review. Not saying the new version isn't better, it's just a bit hard to tell if everything the old version said is still present.

[Timmmm]

You can just hyperlink "the Smepmp extension".

Suggested change

	extension, as defined in <<smepmp>>.
	The RLB, MMWP, and MML fields are defined in <<smepmp,the PMP-enhancement extension, Smepmp>>.

[Timmmm]

Suggested change

	The definition of the PMM field is furnished by the Smmpm extension in <<Zpm>>.
	The PMM field is defined in <<Zpm,the Smmpm extension>>.

[Timmmm]

This probably needs a changelog entry?

[Timmmm]

Suggested change

The Smepmp extension enhances the xref:pmp[xrefstyle=basic] mechanism to improve Machine mode's security, by providing stronger memory isolation and privilege separation. It enables preventing the execution of code from memory regions not explicitly marked as executable by Machine mode, and restricts Machine mode's access to memory regions designated for Supervisor and User modes. These capabilities help to mitigate control-flow subversion attacks that exploit execution of unauthorized code with Machine mode privileges, and provide security guarantees consistent with the mechanism described in <<sum>> for memory access and execution prevention between Supervisor and User mode.

The Smepmp extension enhances the xref:pmp[xrefstyle=basic] mechanism to improve Machine mode's security by providing stronger memory isolation and privilege separation. It allows preventing the execution of code from memory regions not explicitly marked as executable by Machine mode, and restricts Machine mode's access to memory regions designated for Supervisor and User modes. These capabilities help to mitigate control-flow subversion attacks that exploit execution of unauthorized code with Machine mode privileges, and provide security guarantees consistent with the mechanism described in <<sum>> for memory access and execution prevention between Supervisor and User mode.

Tbh I think the old text was a lot clearer. I would just change the second paragraph to

To prevent this attack vector, two mechanisms known as Supervisor Memory Access Prevention (SMAP) and Supervisor Memory Execution Prevention (SMEP) can be used. The first one prevents the OS from accessing the memory of an unprivileged process unless a specific code path is followed, and the second one prevents the OS from executing the memory of an unprivileged process at all times. RISC-V includes support for SMAP, through the sstatus.SUM bit, and for SMEP by always denying execution of virtual memory pages marked with the U bit, with Supervisor mode (OS) privileges, as mandated on the Privilege Spec. This extension adds support for similar mechanisms for Machine mode.

[mickflemm]

It makes more sense to explain what this extension does than why it's required, the why makes more sense in the proposal doc, than in the privilege spec. No information is lost here, We still summarize the attack vector, and reference the smap/smep behavior on S-mode for consistency, and it's more compact than the previous version. Also reading the original text people may assume that there is also a specific code path in this case, when instead we use shared regions for that purpose, so the more we mention what S-mode does, the more we risk misleading people.

[Timmmm]

This is all useful text! I don't think it should be deleted; just reworded.

[andrewdellow]

imo this is all redundant. it reads like a textbook, not an ISA standard

[Timmmm]

I don't see why an ISA standard shouldn't have some motivation. There are plenty of notes already in the specification that aren't normative.

It could be condensed though for sure. I think it's at least worth mentioning that this is most useful for M/U machines where supervisor protection mechanisms cannot be used.

[mickflemm]

Protecting Machine mode is always relevant, in any implementation scenario. What we said in the original document was that on systems where the OS runs on Machine mode, the attack surface is greatly increased, not because you don't have S-mode protections in-between, but because you run more complex code on M-mode with a higher probability of a vulnerability being present there that would allow for the exploitation of memory accesses from M-mode to less privileged modes ( tricking M-mode to execute code from less privileged modes). So it's not that Smepmp is most useful for M/U machines, we make this clear in the original document, in the last sentence of the part you quoted "Even on implementations with Supervisor mode present attacks are still possible...". With CoVE for example coming up, where we are going to have more complex code running on M-mode, it makes perfect sense to have Smepmp available, OpenSBI (which targets systems with Supervisor mode available) already uses it.

In any case this further explains the "why" not the "what" or "how", IMHO it makes more sense to keep the extended version of the "why" part in the proposal document which is referenced in case anyone wants to dig deeper, than having it as part of the ISA manual. The short version is still there: "to improve Machine mode's security by providing stronger memory isolation and privilege separation". I agree non-normative text still makes sense which is why I added tips e.g. for "how" shared regions may be used, or "why" the last two restrictions were added to MML, I think it's cleaner to have short tips than whole paragraphs.

[Timmmm]

All mseccfg fields defined on this proposal are WARL

This seems to have been lost.

[mickflemm]

Good catch ! We make it clear than all bits are locked either on set or on clear, but we should say they are WARL in any case, I'll update the pull request.

[Timmmm]

Suggested change

	* When mseccfg.RLB=1, Locked PMP rules may be modified and locked PMP entries may be edited.
	* When mseccfg.RLB=1 *locked* PMP rules may be modified and *locked* PMP entries may be edited.

[Timmmm]

Has this been lost?

[mickflemm]

It seemed redundant, we only override this when MML is set, didn't make much sense to say that when MML is not set, those bits remain reserved. It's also clean from the visual representation, but if you think it's worth re-adding it, I'm ok with it.

[Timmmm]

BootROM -> "the firmware"?

[mickflemm]

"BootROM, ...during early boot, before transferring control to the firmware" The idea here is that the BootROM is implementation-specific, while the firmware as a software component may be more implementation-agnostic, such as OpenSBI for example or another third-party firmware (it makes perfect sense to have a reference firmware implementation like OpenSBI, that we can maintain/verify etc, and use that in most situations).

[Timmmm]

Feels like a shame to lose all this information too.

[mickflemm]

I think the important stuff is still there, some as part of the implementation considerations, some as tips/info, and the most important part regarding rlb is mentioned twice. It seems inconsistent with the rest of the document to keep this, it's a bit too much to e.g. explain why we didn't say anything about mprv, or what was our thought process etc. The document is still there for people to dig deeper, it doesn't have to be included in the privilege spec. The chapter was 7 pages long, it's now 4 pages long and still contains what's needed for someone to implement this.

[gfavor]

Tim and Andrew, You are both right in that the general practice for RISC-V arch specs is to focus on being just an architecture spec - with limited and concise key non-normative notes. Larger explanations of motivation, the why behind arch choices, usage guidelines, etc. should be elsewhere. The "original" ePMP spec contains large amounts of non-normative exposition - which is what Andrew is correctly commenting on. And part of the expected exercise in rewriting the spec - and not just integrating it largely as-is into the ISA manual - is to move it to the aforementioned general RISC-V practice for arch specs. The overall work needs to cover both stages of integration and rewrite, and then a review by security HC (and old ePMP TG) members should be conducted. Greg

…

On Mon, Mar 3, 2025 at 6:04 AM Tim Hutt ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In src/smepmp.adoc <#1879 (comment)> : > * *PMP Entry*: A pair of ``pmpcfg[i]`` / ``pmpaddr[i]`` registers. -* *PMP Rule*: The contents of a pmpcfg register and its associated pmpaddr register(s), that encode a valid protected physical memory region, where ``pmpcfg[i].A != OFF``, and if ``pmpcfg[i].A == TOR``, ``pmpaddr[i-1] < pmpaddr[i]``. -* *Ignored*: Any permissions set by a matching PMP rule are ignored, and _all_ accesses to the requested address range are allowed. -* *Enforced*: Only access types configured in the PMP rule matching the requested address range are allowed; failures will cause an access-fault exception. -* *Denied*: Any permissions set by a matching PMP rule are ignored, and _no_ accesses to the requested address range are allowed.; failures will cause an access-fault exception. -* *Locked*: A PMP rule/entry where the ``pmpcfg.L`` bit is set. -* *PMP reset*: A reset process where all PMP settings of the hart, including locked rules/settings, are re-initialized to a set of safe defaults, before releasing the hart (back) to the firmware / OS / application. -==== - -==== Threat model - -However, there are no such mechanisms available on Machine mode in the current (v1.11) Privileged Spec. It is not possible for a PMP rule to be *enforced* only on non-Machine modes and *denied* on Machine mode, to only allow access to a memory region by less-privileged modes. it is only possible to have a *locked* rule that will be *enforced* on all modes, or a rule that will be *enforced* on non-Machine modes and be *ignored* by Machine mode. So for any physical memory region which is not protected with a Locked rule, Machine mode has unlimited access, including the ability to execute it. - -Without being able to protect less-privileged modes from Machine mode, it is not possible to prevent the mentioned attack vector. This becomes even more important for RISC-V than on other architectures, since implementations are allowed where a hart only has Machine and User modes available, so the whole OS will run on Machine mode instead of the non-existent Supervisor mode. In such implementations the attack surface is greatly increased, and the same kind of attacks performed on Supervisor mode and mitigated through SMAP/SMEP, can be performed on Machine mode without any available mitigations. Even on implementations with Supervisor mode present attacks are still possible against the Firmware and/or the Secure Monitor running on Machine mode. I don't see why an ISA standard shouldn't have some motivation. There are plenty of notes already in the specification that aren't normative. It could be condensed though for sure. I think it's at least worth mentioning that this is most useful for M/U machines where supervisor protection mechanisms cannot be used. — Reply to this email directly, view it on GitHub <#1879 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALLX6GV4LEUCQZFS3Y3Q7W32SROPRAVCNFSM6AAAAABYGDGWM2VHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDMNJUGIZDANJVGI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>