chapter2.adoc

Summary of extensions for Supervisor Domain Access Protection

The following normative architecture extensions are defined.

• Smsdid ([Smsdid]) - An interface to program the active supervisor domain under which a hart is operating. This is a dynamic control state on the hart that can be held in an M-mode CSR and modifiable by the RDSM via CSR r/w instructions - herewith called the supervisor domain identifier assigned to the hart. The SDID is a local identifier for the hart and may be used to tag hart-local resources to access-control data associated with the supervisor domain. The supervisor domain identifier is independent from the hart privilege levels and is held in a M-mode CSR. This extension may be used independently or may be combined with other extensions in this specification.

• Smmtt ([Smmtt]) - An extension to set the access permissions for a memory region or page associated with a supervisor domain. This extension allows for dynamic changes of access permission. Such dynamic changes may require flushing of appropriate state cached in harts. The access properties are programmed via an Memory Tracking Table (MTT) structure. The physical page number (PPN) of the root table of the MTT is programmed into a M-mode CSR. When Smmtt is implemented, MTT and e(PMP) are always active. Although there is no option to disable MTT, it can be effectively disabled if granular memory access control is not required by configuring MTT mode to be Bare.

• IO-MTT ([IO-MTT]) - A non-ISA extension that enables programming of an IO interconnect to associate an IOMMU and devices in scope of that IOMMU with an SD. The assignment of IOMMUs to supervisor domains is also expected to be under the purview of the RDSM. IO-MTT extension specifies the memory access control mechanisms for memory accesses performed by the IOMMU as well as by the devices associated with that SD. Note that isolation of data within a device is out of scope of this specification.

• Smsdia ([Smsdia]) - This extension enables assignment of IMSIC interrupt file(s) or an APLIC domain to a supervisor domain. The extension also provides CSRs to allow M-mode software to retain control on notification of interrupts when Supervisor domains are enabled.

• Smsdedbg ([Smsdedbg]) - This extension provides the controls to indicate if external debug is allowed for a supervisor domain. Whether external debug is authorized or not is expected to be done via a root of trust (RoT) and is outside the scope of this specification.

• Smsdetrc ([Smsdetrc]) - This extension provides the controls to indicate if external trace is allowed for a supervisor domain. Whether external trace is authorized or not is expected to be done via a root of trust (RoT) and is outside the scope of this specification.

• Smsqosid and CBQRI for Supervisor Domains ([Smsdqos]) - This extension provides an interface for the RDSM to enforce that resource accesses from a supervisor domain or the RDSM must not be observable by entities that are not within their TCB using the resource usage monitors. Similarly, the resource allocations for a supervisor domain or the RDSM must not be influenced by entities outside their TCB.