diff --git a/src/hypervisor.adoc b/src/hypervisor.adoc index adfe5c1bc..88e9f6371 100644 --- a/src/hypervisor.adoc +++ b/src/hypervisor.adoc @@ -188,6 +188,13 @@ If HSXLEN is changed from 32 to a wider width, and if field VSXL is not restricted to a single value, it gets the value corresponding to the widest supported width not wider than the new HSXLEN. +If the Svukte extension is implemented, the HUKTE field determines +whether the HLV, HLVX, and HSV instructions, when executed in U-mode, +are Svukte-qualified. +When one of these instructions is executed in U-mode, it behaves as though +`senvcfg`.UKTE were set to the value of HUKTE. +If Svukte is not implemented, HUKTE is read-only zero. + The `hstatus` fields VTSR, VTW, and VTVM are defined analogously to the `mstatus` fields TSR, TW, and TVM, but affect execution only in VS-mode, and cause virtual-instruction exceptions instead of illegal-instruction @@ -652,6 +659,13 @@ The definition of the CBZE field is furnished by the Zicboz extension. The definitions of the CBCFE and CBIE fields are furnished by the Zicbom extension. +If the Svkt extension is implemented, the HUVKT field determines +whether the HLV, HLVX, and HSV instructions, when executed in U-mode, +are Svkt-qualified. +When one of these instructions is executed in U-mode, it behaves as though +`senvcfg`.SVKT were set to the value of HUVKT. +If Svkt is not implemented, HUVKT is read-only zero. + The definition of the PMM field is furnished by the Ssnpm extension. The Zicfilp extension adds the `LPE` field in `henvcfg`. When the `LPE` field diff --git a/src/images/bytefield/hstatusreg.edn b/src/images/bytefield/hstatusreg.edn index cce601e70..f2b6ca4a6 100644 --- a/src/images/bytefield/hstatusreg.edn +++ b/src/images/bytefield/hstatusreg.edn @@ -7,37 +7,43 @@ (def right-margin 30) (def boxes-per-row 32) -(draw-box nil {:span 3 :borders {}}) +(draw-box nil {:span 1 :borders {}}) (draw-box "63" {:span 8 :borders {} :text-anchor "start"}) (draw-box "34" {:borders {}}) (draw-box "33" {:span 2 :borders {} :text-anchor "start"}) (draw-box "32" {:span 2 :borders {} :text-anchor "end"}) (draw-box "31" {:span 3 :borders {} :text-anchor "start"}) -(draw-box "23" {:span 3 :borders {} :text-anchor "end"}) +(draw-box "25" {:span 3 :borders {} :text-anchor "end"}) +(draw-box "24" {:span 2:borders {}}) +(draw-box "23" {:span 2:borders {}}) (draw-box "22" {:span 2:borders {}}) (draw-box "21" {:span 2 :borders {}}) (draw-box "20" {:span 2:borders {}}) (draw-box nil {:borders {}}) -(draw-box nil {:span 3 :borders {}}) +(draw-box nil {:span 1 :borders {}}) -(draw-box nil {:span 3 :borders {}}) +(draw-box nil {:span 1 :borders {}}) (draw-box (text "WPRI" {:font-weight "bold" :font-size 24}) {:span 9}) (draw-box "VSXL[1:0]" {:span 4}) (draw-box (text "WPRI" {:font-weight "bold" :font-size 24}) {:span 6}) +(draw-box "HUKTE" {:span 2}) +(draw-box (text "WPRI" {:font-weight "bold" :font-size 24}) {:span 2}) (draw-box "VTSR" {:span 2}) (draw-box "VTW" {:span 2}) (draw-box "VTVM" {:span 2}) (draw-box nil {:borders {:top :border-unrelated :bottom :border-unrelated}}) -(draw-box nil {:span 3 :borders {}}) +(draw-box nil {:span 1 :borders {}}) -(draw-box nil {:span 3 :borders {}}) +(draw-box nil {:span 1 :borders {}}) (draw-box "30" {:span 9 :borders {}}) (draw-box "2" {:span 4 :borders {}}) -(draw-box "9" {:span 6 :borders {}}) +(draw-box "7" {:span 6 :borders {}}) (draw-box "1" {:span 2 :borders {}}) (draw-box "1" {:span 2 :borders {}}) (draw-box "1" {:span 2 :borders {}}) -(draw-box nil {:span 4 :borders {}}) +(draw-box "1" {:span 2 :borders {}}) +(draw-box "1" {:span 2 :borders {}}) +(draw-box nil {:span 2 :borders {}}) (draw-box nil {:span 32 :borders {}}) @@ -83,4 +89,4 @@ (draw-box "5" {:span 4 :borders {}}) (draw-box nil {:span 4 :borders {}}) ----- \ No newline at end of file +---- diff --git a/src/supervisor.adoc b/src/supervisor.adoc index 85a41ab9f..550ceec35 100644 --- a/src/supervisor.adoc +++ b/src/supervisor.adoc @@ -732,7 +732,8 @@ characteristics of the U-mode execution environment. {bits: 2, name: 'CBIE'}, {bits: 1, name: 'CBCFE'}, {bits: 1, name: 'CBZE'}, - {bits: 24, name: 'WPRI'}, + {bits: 1, name: 'UKTE'}, + {bits: 23, name: 'WPRI'}, {bits: 2, name: 'PMM'}, {bits: 30, name: 'WPRI'}, ], config:{lanes: 4, hspace:1024}} @@ -823,6 +824,14 @@ The definition of the CBZE field is furnished by the Zicboz extension. The definitions of the CBCFE and CBIE fields are furnished by the Zicbom extension. +If the Svukte extension is implemented, the UKTE field affects the behavior of +instruction fetches and explicit memory accesses. +When UKTE=0, instruction fetches and explicit memory accesses proceed as +though the Svukte extension were not implemented. +When UKTE=1, instruction fetches and explicit memory accesses with effective +privilege mode U or VU are Svukte-qualified, as described in <>. +If Svukte is not implemented, UKTE is read-only zero. + The definition of the PMM field is furnished by the Ssnpm extension. The Zicfilp extension adds the `LPE` field in `senvcfg`. When the `LPE` field is @@ -2273,6 +2282,52 @@ Invalid PTEs using a bounded timer, or making address-translation caches coherent with store instructions that modify PTEs. ==== +[[sec:svukte]] +== "Svukte" Extension for Address-Independent Latency of User-Mode Faults to Supervisor Addresses, Version 0.3 + +The Svukte extension provides a means to make user-mode accesses to supervisor +memory raise page faults with timing independent of the address-translation +configuration and page-table contents, thereby mitigating attacks that attempt +to discover the supervisor software's address-space layout. + +If the Svukte extension is implemented, the `senvcfg`.UKTE field is writable. +If the hypervisor extension is additionally implemented, the `hstatus`.HUKTE +field is also writable. +See <> and <> for the definitions of those fields. + +The Svukte extension depends on Sv39. + +NOTE: Svukte is not defined for Sv32 because the small address space limits the +available entropy, reducing the effectiveness of address-space layout +randomization. +If an Sv32 variant were to be defined, it would need to account for the fact +that it is more common to reserve only the upper 1 GiB of the virtual-address +space for the operating system, leaving the lower 3 GiB for user +processes. + +When `senvcfg`.UKTE=1, an instruction fetch or explicit memory access whose +effective privilege mode is U or VU is considered to be _Svukte-qualified_. +For any Svukte-qualified memory access, virtual addresses {ge} 2^SXLEN-1^ are +considered to be invalid; hence, an Svukte-qualified access to such an address +raises a page-fault exception corresponding to the original access type. +The timing of an instruction that raises an exception for this reason must be +independent of the faulting virtual address. + +NOTE: An Svukte-qualified access to such an address raises an exception even +if the underlying PTE would have otherwise allowed the access. +Practical implementations of Svukte will raise these exceptions based upon the +effective address, without accessing the page tables or address-translation +caches. + +NOTE: Since whether an instruction is Svukte-qualified depends on the _effective_ +privilege mode of the access, even some instructions executed in HS-mode or M-mode +(e.g. HLV with `hstatus`.SPVP=0, or LW with `mstatus`.MPRV=1 and +`mstatus`.MPP=U) are Svukte-qualified. + +As described in <>, the `hstatus`.HUKTE field, rather than the +`senvcfg`.UKTE field, determines whether HLV, HLVX, and HSV instructions +executed within U-mode are Svukte-qualified. + [[ssqosid]] == "Ssqosid" Extension for Quality-of-Service (QoS) Identifiers, Version 1.0