-
Notifications
You must be signed in to change notification settings - Fork 653
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add draft of Svukte extension #1564
base: main
Are you sure you want to change the base?
Conversation
fd45e3d
to
81dc927
Compare
OK, what happens if the extension is enabled, the Ubit in the PTE is set ( so the access would be valid if the extension was disabled). Does that override the U-bit? Implicitly, it does, but I'd like to see that explicit (possibly in this extension spec, and/or in the the description of the U-bit in the spec section on the definition of the U-bit |
The basic premise of Svukte is to take advantage of the convention in all 64-bit OS that user mappings are in positive address space and supervisor mappings are in negative address space. An OS that create user mappings in negative address space - even a single mapping - cannot turn on Svukte or the OS has to provide an emulation. For instance, for x86 based Linux legacy vDSO were located in negative address space and when LASS was introduced the OS provided emulation for such legacy vDSO. Non legacy vDSO on x86 and vDSO on RISC-V are located in positive address space. The point of Svukte is to fault on user access to negative addresses without consulting the address translation caches or doing implicit accesses to the page tables. So I think the state of the U bit is a don't care for this extension. For that matter the PTE itself may not be valid at all. |
I understand that convention of supervisor mappings in negative VA space.
I agree that *implicitly* the state of the U-bit ( or the validity of the
PTE entry) is a don't care.
I am just saying that it should be *explicit*, and not require a careful
reading.
There is nothing in the spec that says that PTE entries *must* not be
fetched - just that, if they are accessed, the amount of time to get to the
leaf PTE should be constant
(it isn't clear how time is measured: realtime, #cycles, etc - but my
assumption is however SW could measure it).
There is nothing in the spec that says an OS that allows U-mode mappings in
negative address space cannot (or must-not) turn on Svukte.
Bad things may (or may not) happen if it does (as Ved points out), but
certainly there is no HW enforcement.
There is nothing that prevents describing the obvious implementation
(short circuiting the translation process) into the spec
( or even making it a requirement if it is that obvious and simple).
instead of making all implementors puzzle it out / re-invent it from first
principles.
…On Wed, Oct 9, 2024 at 11:44 AM Ved Shanbhogue ***@***.***> wrote:
OK, what happens if the extension is enabled, the Ubit in the PTE is set (
so the access would be valid if the extension was disabled). Does that
override the U-bit? Implicitly, it does, but I'd like to see that explicit
(possibly in this extension spec, and/or in the the description of the
U-bit in the spec section on the definition of the U-bit
The basic premise of Svukte is to take advantage of the convention in all
64-bit OS that user mappings are in positive address space and supervisor
mappings are in negative address space. An OS that create user mappings in
negative address space - even a single mapping - cannot turn on Svukte or
the OS has to provide an emulation. For instance, for x86 based Linux
legacy vDSO were located in negative address space and when LASS was
introduced the OS provided emulation for such legacy vDSO. Non legacy vDSO
on x86 and vDSO on RISC-V are located in positive address space. The point
of Svukte is to fault on user access to negative addresses without
consulting the address translation caches or doing implicit accesses to the
page tables.
So I think the state of the U bit is a don't care for this extension. For
that matter the PTE itself may not be valid at all.
—
Reply to this email directly, view it on GitHub
<#1564 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AHPXVJVI46WBNAB3PIF7OJDZ2V2RXAVCNFSM6AAAAABLNSDROGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIMBTGA2TQNBYGY>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
OK, I'll make it explicit. |
I would interpret "user-mode accesses to supervisor memory" to mean "where
the U-bit is zero".
"supervisor memory" is not a RISC-V architectural definition, except for
the above.
If there is an obvious implementation of this, why not just come right out
and describe it in a non-normative note?
I guarantee no one will firebomb your hourse if you do that (but if you
don't - no guarantees)
…On Wed, Oct 9, 2024 at 2:26 PM Andrew Waterman ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In src/supervisor.adoc
<#1564 (comment)>
:
> @@ -2270,6 +2279,45 @@ Invalid PTEs using a bounded timer, or making address-translation caches
coherent with store instructions that modify PTEs.
====
+[[sec:svukte]]
+== "Svukte" Extension for Address-Independent Latency of User-Mode Faults to Supervisor Addresses, Version 0.3
+
+The Svukte extension provides a means to make user-mode accesses to supervisor
+memory raise page faults in constant time, mitigating attacks that attempt to
I went with my version, but we can revisit this later if need be.
—
Reply to this email directly, view it on GitHub
<#1564 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AHPXVJUV2XRYORWADJ75SYTZ2WNRNAVCNFSM6AAAAABLNSDROGVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDGNJYGM2DMNJXGE>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
I don’t understand what you’re asking for at this point. The note I added, that the PTE contents don’t matter, is even stronger than the thing you asked for! |
Hey everyone, just to piggy back on @allenjbaum comment, as I share the same opinion. I also misinterpreted the text on my first reading, and thought the hart would have to check the U bit on the PTE on every U-mode access and deliver an exception in constant-time (even though an implementation like this would be possible). However, after the presentation at the Security HC meeting, I now understand the extension much better. The desired final implementation is to AND three bits: vaddr[2^SXLEN-1], priv == u-mode, and senvcfg.UKTE (or the equivalent for the guest). I think it would be immensely helpful to add this short sentence as an implementation hint to the reader. |
Refer to the draft of svukte extension from: riscv/riscv-isa-manual#1564 Svukte provides a means to make user-mode accesses to supervisor memory raise page faults in constant time, mitigating attacks that attempt to discover the supervisor software's address-space layout. Signed-off-by: Fea.Wang <[email protected]> Reviewed-by: Frank Chang <[email protected]> Reviewed-by: Jim Shu <[email protected]>
@lfiolhais after discussing offline with Allen, I did add another sentence to the NOTE that directly addresses the matter. (No TLB accessess or page-table walks occur, therefore implicitly, the U-bit can't be of relevance.) |
@aswaterman Thanks! I think it's better now. |
Refer to the draft of svukte extension from: riscv/riscv-isa-manual#1564 Svukte provides a means to make user-mode accesses to supervisor memory raise page faults in constant time, mitigating attacks that attempt to discover the supervisor software's address-space layout. Signed-off-by: Fea.Wang <[email protected]> Reviewed-by: Frank Chang <[email protected]> Reviewed-by: Jim Shu <[email protected]>
https://lore.kernel.org/qemu-devel/[email protected] --- From: "Fea.Wang" <[email protected]> To: [email protected], [email protected] Cc: Palmer Dabbelt <[email protected]>, Alistair Francis <[email protected]>, Bin Meng <[email protected]>, Weiwei Li <[email protected]>, Daniel Henrique Barboza <[email protected]>, Liu Zhiwei <[email protected]>, "Fea.Wang" <[email protected]> Subject: [PATCH v2 0/5] Introduce svukte ISA extension Date: Fri, 8 Nov 2024 16:52:34 +0800 Message-Id: <[email protected]> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::102b; [email protected]; helo=mail-pj1-x102b.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: [email protected] X-Mailman-Version: 2.1.29 Precedence: list List-Id: <qemu-riscv.nongnu.org> List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-riscv>, <mailto:[email protected]?subject=unsubscribe> List-Archive: <https://lists.nongnu.org/archive/html/qemu-riscv> List-Post: <mailto:[email protected]> List-Help: <mailto:[email protected]?subject=help> List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-riscv>, <mailto:[email protected]?subject=subscribe> Errors-To: [email protected] Sender: [email protected] The Svukte ISA extension has been approved for fast-track development. https://lf-riscv.atlassian.net/browse/RVS-2977 And there are Linux patches for the Svukte that are under review. https://lore.kernel.org/kvm/[email protected]/T/#mf70fcb22cd2987ad268c0efee9b8583197d3cb4f Svukte provides a means to make user-mode accesses to supervisor memory raise page faults in constant time, mitigating attacks that attempt to discover the supervisor software's address-space layout. Refer to the draft of svukte extension from: riscv/riscv-isa-manual#1564 * Refactor the code base-commit: 27652f9 [v1] * Add svukte extension Fea.Wang (5): target/riscv: Add svukte extension capability variable target/riscv: Support senvcfg[UKTE] bit when svukte extension is enabled target/riscv: Support hstatus[HUKTE] bit when svukte extension is enabled target/riscv: Check memory access to meet svuket rule target/riscv: Expose svukte ISA extension target/riscv/cpu.c | 2 ++ target/riscv/cpu_bits.h | 2 ++ target/riscv/cpu_cfg.h | 1 + target/riscv/cpu_helper.c | 57 +++++++++++++++++++++++++++++++++++++++ target/riscv/csr.c | 7 +++++ 5 files changed, 69 insertions(+) -- 2.34.1 Signed-off-by: GitHub Actions Bot <[email protected]>
This is the extension for "Address-Independent Latency of User-Mode Faults to Supervisor Addresses". Spec: riscv/riscv-isa-manual#1564 The spec states that the `svukte` depends on `sv39`, but we don't have `sv39` yet, so I didn't add it to the implied list.
Refer to the draft of svukte extension from: riscv/riscv-isa-manual#1564 Svukte provides a means to make user-mode accesses to supervisor memory raise page faults in constant time, mitigating attacks that attempt to discover the supervisor software's address-space layout. Signed-off-by: Fea.Wang <[email protected]> Reviewed-by: Frank Chang <[email protected]> Reviewed-by: Jim Shu <[email protected]> Reviewed-by: Daniel Henrique Barboza <[email protected]>
https://lore.kernel.org/qemu-devel/[email protected] --- From: "Fea.Wang" <[email protected]> To: [email protected], [email protected] Cc: Palmer Dabbelt <[email protected]>, Alistair Francis <[email protected]>, Bin Meng <[email protected]>, Weiwei Li <[email protected]>, Daniel Henrique Barboza <[email protected]>, Liu Zhiwei <[email protected]>, "Fea.Wang" <[email protected]> Subject: [PATCH v3 0/5] Introduce svukte ISA extension Date: Tue, 12 Nov 2024 17:14:18 +0800 Message-Id: <[email protected]> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::434; [email protected]; helo=mail-pf1-x434.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: [email protected] X-Mailman-Version: 2.1.29 Precedence: list List-Id: <qemu-devel.nongnu.org> List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>, <mailto:[email protected]?subject=unsubscribe> List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel> List-Post: <mailto:[email protected]> List-Help: <mailto:[email protected]?subject=help> List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>, <mailto:[email protected]?subject=subscribe> Errors-To: [email protected] Sender: [email protected] The Svukte ISA extension has been approved for fast-track development. https://lf-riscv.atlassian.net/browse/RVS-2977 And there are Linux patches for the Svukte that are under review. https://lore.kernel.org/kvm/[email protected]/T/#mf70fcb22cd2987ad268c0efee9b8583197d3cb4f Svukte provides a means to make user-mode accesses to supervisor memory raise page faults in constant time, mitigating attacks that attempt to discover the supervisor software's address-space layout. Refer to the draft of svukte extension from: riscv/riscv-isa-manual#1564 base-commit: 27652f9 [v3] * Fix some typos * Refine code by separating a function into two dedicated functions. * Follow the riscv,isa order [v2] * Refactor the code [v1] * Add svukte extension Fea.Wang (5): target/riscv: Add svukte extension capability variable target/riscv: Support senvcfg[UKTE] bit when svukte extension is enabled target/riscv: Support hstatus[HUKTE] bit when svukte extension is enabled target/riscv: Check memory access to meet svukte rule target/riscv: Expose svukte ISA extension target/riscv/cpu.c | 2 ++ target/riscv/cpu_bits.h | 2 ++ target/riscv/cpu_cfg.h | 1 + target/riscv/cpu_helper.c | 61 +++++++++++++++++++++++++++++++++++++++ target/riscv/csr.c | 7 +++++ 5 files changed, 73 insertions(+) -- 2.34.1 Signed-off-by: GitHub Actions Bot <[email protected]>
Svkt provides a means to make user-mode accesses to supervisor memory raise page faults in constant time, mitigating attacks that attempt to discover the supervisor software's address-space layout. I plan to submit this as a fast-track soon.
Co-authored-by: Josep Sans <[email protected]> Signed-off-by: Andrew Waterman <[email protected]>
Changes: - Extension renamed from Svkt to Svukte - SVKT field renamed to UKTE - HUVKT field moved from henvcfg to hstatus - HUVKT field renamed to HUKTE
Refer to the draft of svukte extension from: riscv/riscv-isa-manual#1564 Svukte provides a means to make user-mode accesses to supervisor memory raise page faults in constant time, mitigating attacks that attempt to discover the supervisor software's address-space layout. Signed-off-by: Fea.Wang <[email protected]> Reviewed-by: Frank Chang <[email protected]> Reviewed-by: Jim Shu <[email protected]> Reviewed-by: Daniel Henrique Barboza <[email protected]> Reviewed-by: Alistair Francis <[email protected]>
https://lore.kernel.org/qemu-devel/[email protected] --- From: "Fea.Wang" <[email protected]> To: [email protected], [email protected] Cc: Palmer Dabbelt <[email protected]>, Alistair Francis <[email protected]>, Bin Meng <[email protected]>, Weiwei Li <[email protected]>, Daniel Henrique Barboza <[email protected]>, Liu Zhiwei <[email protected]>, "Fea.Wang" <[email protected]> Subject: [PATCH v4 0/6] Introduce svukte ISA extension Date: Wed, 20 Nov 2024 15:48:48 +0800 Message-Id: <[email protected]> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::634; [email protected]; helo=mail-pl1-x634.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: [email protected] X-Mailman-Version: 2.1.29 Precedence: list List-Id: <qemu-riscv.nongnu.org> List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-riscv>, <mailto:[email protected]?subject=unsubscribe> List-Archive: <https://lists.nongnu.org/archive/html/qemu-riscv> List-Post: <mailto:[email protected]> List-Help: <mailto:[email protected]?subject=help> List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-riscv>, <mailto:[email protected]?subject=subscribe> Errors-To: [email protected] Sender: [email protected] The Svukte ISA extension has been approved for fast-track development. https://lf-riscv.atlassian.net/browse/RVS-2977 And there are Linux patches for the Svukte that are under review. https://lore.kernel.org/kvm/[email protected]/T/#mf70fcb22cd2987ad268c0efee9b8583197d3cb4f Svukte provides a means to make user-mode accesses to supervisor memory raise page faults in constant time, mitigating attacks that attempt to discover the supervisor software's address-space layout. Refer to the draft of svukte extension from: riscv/riscv-isa-manual#1564 base-commit: 27652f9 [v4] * Add a svukte extension check in RV32. * Refine the code. [v3] * Fix some typos * Refine code by separating a function into two dedicated functions. * Follow the riscv,isa order [v2] * Refactor the code [v1] * Add svukte extension Fea.Wang (6): target/riscv: Add svukte extension capability variable target/riscv: Support senvcfg[UKTE] bit when svukte extension is enabled target/riscv: Support hstatus[HUKTE] bit when svukte extension is enabled target/riscv: Check memory access to meet svukte rule target/riscv: Expose svukte ISA extension target/riscv: Check svukte is not enabled in RV32 target/riscv/cpu.c | 2 ++ target/riscv/cpu_bits.h | 2 ++ target/riscv/cpu_cfg.h | 1 + target/riscv/cpu_helper.c | 55 ++++++++++++++++++++++++++++++++++++++ target/riscv/csr.c | 7 +++++ target/riscv/tcg/tcg-cpu.c | 5 ++++ 6 files changed, 72 insertions(+) -- 2.34.1 Signed-off-by: GitHub Actions Bot <[email protected]>
This is the extension for "Address-Independent Latency of User-Mode Faults to Supervisor Addresses". Spec: riscv/riscv-isa-manual#1564, https://lf-riscv.atlassian.net/browse/RVS-2977 The spec states that the `svukte` depends on `sv39`, but we don't have `sv39` yet, so I didn't add it to the implied list.
Refer to the draft of svukte extension from: riscv/riscv-isa-manual#1564 Svukte provides a means to make user-mode accesses to supervisor memory raise page faults in constant time, mitigating attacks that attempt to discover the supervisor software's address-space layout. Signed-off-by: Fea.Wang <[email protected]> Reviewed-by: Frank Chang <[email protected]> Reviewed-by: Jim Shu <[email protected]> Reviewed-by: Daniel Henrique Barboza <[email protected]> Reviewed-by: Alistair Francis <[email protected]>
https://lore.kernel.org/qemu-devel/[email protected] --- From: "Fea.Wang" <[email protected]> To: [email protected], [email protected] Cc: Palmer Dabbelt <[email protected]>, Alistair Francis <[email protected]>, Bin Meng <[email protected]>, Weiwei Li <[email protected]>, Daniel Henrique Barboza <[email protected]>, Liu Zhiwei <[email protected]>, "Fea.Wang" <[email protected]> Subject: [PATCH v5 0/6] Introduce svukte ISA extension Date: Tue, 3 Dec 2024 11:49:26 +0800 Message-Id: <[email protected]> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::629; [email protected]; helo=mail-pl1-x629.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: [email protected] X-Mailman-Version: 2.1.29 Precedence: list List-Id: <qemu-riscv.nongnu.org> List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-riscv>, <mailto:[email protected]?subject=unsubscribe> List-Archive: <https://lists.nongnu.org/archive/html/qemu-riscv> List-Post: <mailto:[email protected]> List-Help: <mailto:[email protected]?subject=help> List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-riscv>, <mailto:[email protected]?subject=subscribe> Errors-To: [email protected] Sender: [email protected] The Svukte ISA extension has been approved for fast-track development. https://lf-riscv.atlassian.net/browse/RVS-2977 And there are Linux patches for the Svukte that are under review. https://lore.kernel.org/kvm/[email protected]/T/#mf70fcb22cd2987ad268c0efee9b8583197d3cb4f Svukte provides a means to make user-mode accesses to supervisor memory raise page faults in constant time, mitigating attacks that attempt to discover the supervisor software's address-space layout. Refer to the draft of svukte extension from: riscv/riscv-isa-manual#1564 base-commit: 2209cae121e5da3cfbdb9dd4b06d52d0ef66ea69 [v5] * Update the warning log and the commit message [v4] * Add a svukte extension check in RV32. * Refine the code. [v3] * Fix some typos * Refine code by separating a function into two dedicated functions. * Follow the riscv,isa order [v2] * Refactor the code [v1] * Add svukte extension Fea.Wang (6): target/riscv: Add svukte extension capability variable target/riscv: Support senvcfg[UKTE] bit when svukte extension is enabled target/riscv: Support hstatus[HUKTE] bit when svukte extension is enabled target/riscv: Check memory access to meet svukte rule target/riscv: Expose svukte ISA extension target/riscv: Check svukte is not enabled in RV32 target/riscv/cpu.c | 2 ++ target/riscv/cpu_bits.h | 2 ++ target/riscv/cpu_cfg.h | 1 + target/riscv/cpu_helper.c | 55 ++++++++++++++++++++++++++++++++++++++ target/riscv/csr.c | 7 +++++ target/riscv/tcg/tcg-cpu.c | 5 ++++ 6 files changed, 72 insertions(+) -- 2.34.1 Signed-off-by: GitHub Actions Bot <[email protected]>
Svkt provides a means to make user-mode accesses to supervisor memory raise page faults in constant time, mitigating attacks that attempt to discover the supervisor software's address-space layout.
I plan to submit this as a fast-track soon.