Skip to content

Latest commit

 

History

History
34 lines (28 loc) · 4.43 KB

intro.adoc

File metadata and controls

34 lines (28 loc) · 4.43 KB

Introduction

Debugging and tracing are essential for developers to identify and rectify software and hardware issues, optimize performance, and ensure robust system functionality. The debugging and tracing extensions in the RISC-V ecosystem play a pivotal role in enabling these capabilities, allowing developers to monitor and control the execution of programs during the development, testing and production phases. However, the current RISC-V Debug specification grants the external debugger the highest privilege in the system, regardless of the privilege level at which the target system is running. It leads to privilege escalation issues when multiple actors are present.

This specification defines Debug Module Security Extension (non-ISA extension) and Sdsec (ISA extension) to address the above security issues in the current The RISC-V Debug Specification cite:[dbgspec] and trace specifications cite:[etrace] cite:[ntrace].

A summary of the changes introduced by The RISC-V External Debug Security Specification follows.

  • Per-Hart Debug Control: Introduce per-hart states to control whether external debug is allowed in M-mode and/or supervisor domains cite:[smmtt].

  • Per-Hart Trace Control: Introduce per-hart states to control whether tracing is allowed in M-mode and/or supervisor domains.

  • Non-secure debug: Add a non-secure debug state to relax security constraints.

  • Debug Mode entry: An external debugger can only halt the hart and enter debug mode when debug is allowed in current privilege mode.

  • Memory Access: Memory access from a hart’s point of view, using the Program Buffer or an Abstract Command, must be checked by the hart’s memory protection mechanisms as if the hart is running at debug access privilege level; memory access from the Debug Module using System Bus Access must be checked by a system memory protection mechanism, such as IOPMP or WorldGuard.

  • Register Access: Register access using the Program Buffer or an Abstract Command works as if the hart is running at debug access privilege level instead of M-mode privilege level. The debug CSRs (dcsr and dpc ) are shadowed in supervisor domains while Smtdeleg cite:[smtdeleg] and Smstateen cite:[smstateen] extensions expose the trigger CSRs to supervisor domains.

  • Triggers: Triggers (with action=1) can only fire or match when external debug is allowed in the current privilege mode.

Terminology

Abstract command

A high-level Debug Module operation used to interact with and control harts

Debug Access Privilege

The privilege with which an Abstract Command or instructions in the Program Buffer access hardware resources

Debug Mode

An additional privilege mode to support off-chip debugging

Hart

A RISC-V hardware thread

IOPMP

Input-Output Physical Memory Protection unit

M-mode

The highest privileged mode in the RISC-V privilege model

PMA

Physical Memory Attributes

PMP

Physical Memory Protection unit

Program buffer

A mechanism that allows the Debug Module to execute arbitrary instructions on a hart

Supervisor domain

An isolated supervisor execution context defined in RISC-V Supervisor Domains Access Protection cite:[smmtt]

Trace encoder

A piece of hardware that takes in instruction execution information from a RISC-V hart and transforms it into trace packets