Department of Computer Science and Technology

CHERI

The Arm Morello Board

On 18 October 2019, Arm announced Morello, an experimental CHERI-extended, multicore, superscalar ARMv8-A processor, System-on-Chip (SoC), and prototype board to be available from late 2021. Morello is a part of the UKRI £187M Digital Security by Design Challenge (DSbD) supported by the UK Industrial Strategy Challenge Fund, including a commitment of over £50M commitment by Arm. This web page provides more information on Morello, drawing from publicly available Arm content, as well as our own material on CHERI. You can learn more about CHERI by reading our technical report, An Introduction to CHERI.

What is Morello?

Morello is an industrial demonstrator of a capability architecture: a prototype System-on-Chip (SoC) and development board, developed by Arm, implementing a CHERI-extended ARMv8-A processor, GPU, peripherals, and memory subsystem, to ship in late 2021. The purposes of Morello are to enable industrial evaluation of the CHERI hardware and software ideas, to gather evidence for adoption, and to support further related research and development. This will be enabled by applying CHERI to a widely deployed, real-world architecture via a high-end mature processor design, and a mature software ecosystem.

Morello will be based on Arm's existing Neoverse N1 platform and CPU; this is roughly an Arm A76 with an enhanced server-class memory subsystem. Richard Grisenthwaite (Arm)'s talk at the 29 September 2019 ISCF DSbD Collaborators' Workshop included the following work-in-progress Morello SoC block diagram:

(Click for large version)


The Morello SoC will include two CPU clusters, each containing two out-of-order cores, all implementing CHERI. The Morello SoC will be fabricated in 7nm process, with a targeted clock frequency around 2GHz.

The coherent memory interconnect will be extended to carry tag bits, and the on-board DRAM controllers will support memory tagging. Other DMA-enabled devices, including the on-SoC Mali GPU, will not implement CHERI, but will be conservative with respect to tag interaction. They will clear tags on any memory that they overwrite, to prevent capability corruption or introduction.

Various aspects of the Morello design remain subject to change prior to the board becoming available in 2021.

What is the Morello timeline?

Implementation is well under way, including architecture, hardware, and software. Arm has published the following prospective timeline for Morello:

September 2020
  • Virtual Platform Model of Morello board (behavioural software model)
  • Architecture Specification of the CPU architecture used in the Morello board
    (This includes XML and pseudo-code to allow formal proofs and other auto-generated collateral)
September 2021
  • Morello boards made available with initial software and toolchains

What ISA will Morello implement?

Morello will implement an architecture combining the CHERI protection model (roughly as in CHERI ISAv7) and the ARMv8-A (application-class) ISA. ARMv8-A is found in a broad range of devices including almost all mobile devices (e.g., iOS and Android phones and tablets) as well as an increasing number of server-class systems. The experimental architecture was developed in a DARPA-supported collaboration, starting in 2014, between Arm, SRI International, and the University of Cambridge.

The baseline Neoverse N1 processor core implements ARMv8.2; only AArch64 (not 32) will be supported. It is expected that, except for 32-bit compatibility, all existing ARMv8.2-A software should work without change on Morello. CHERI-enabled software will be able to enable and use the CHERI feature set for the purposes of fine-grained memory protection, software compartmentalization, and so on. This approach allows rigorous performance (and other) comparisons betweeen CHERI-aware and CHERI-unaware software stacks, as well as supporting our incremental adoption goals for CHERI.

Morello will implement a superset architecture supporting various mechanisms for compartmentalisation, a collection of features for which there remains ongoing research into their effectiveness (e.g., accelerations for temporal memory safety), and multiple techniques for implementing tagging in the microarchitecture (see below). This will impact clock frequency, with the aim of allowing a key set of experiments to be run rather than to produce a commercial product.

Richard Grisenthwaite's slides from the DSbD workshop include the following notes regarding forward compatibility to future CHERI-enabled Arm ISAs:

  • The Morello Board will be the ONLY physical implementation of this prototype architecture.
    • Learnings from these experiments will be adopted into a mainstream extension to the Arm architecture.
    • NO COMMITMENT TO FULL BINARY COMPATIBILITY TO THE PROTOTYPE ARCHITECTURE.
      • But successful concepts are expected to be carried forward into the architecture and can be reused there.

The architecture will have formally proved security properties, based on out methodology developed for CHERI-MIPS. See our page on CHERI Rigorous Engineering to learn more about this work.

How will Morello store CHERI's tag bits?

Morello will support two different implementations of physical memory tagging, to allow their properties to be compared experimentally. In one configuration, ECC bits will be used to hold memory tags. In the other, a tag controller and tag cache will be used to hold memory tags (see our ICCD 2017 paper on efficient memory tagging).

What CHERI-aware software will Morello run?

The following slide from Robert Watson (Cambridge)'s slides from the DSbD workshop illustrate the rough anticipated software stack to be available when Morello ships:


Arm will provide an adaptation of the CHERI Clang/LLVM compiler suite targeted for the architecture present in Morello.

SRI International and the University of Cambridge will provide a full adaptation of the CheriBSD operating system and application stack for Morello. This will include support for a spatially and referentially safe open-source UNIX kernel, and spatially, referentially, and temporally safe UNIX userspace. There will also be associated CHERI-adapted toolchain and tools such as the run-time linker, debugger, and so on. We currently anticipate that applications will include OpenSSH, PostgreSQL, and WebKit, as well as a host of other third-party open-source software packages. See ASPLOS 2019 paper on CheriABI for details and evaluation of the memory-safety model. We will also provide a Morello-adapted memory-safe version of Google's Hafniumh hypervisor. Unmodified ARMv8-A applications will continue to run.

Arm will provide an adaptation of the Android operating system.