Department of Computer Science and Technology


The Arm Morello Board

October 2020: We have released a prototype of our CHERI software stack for Morello, which can be downloaded and run on Arm's Morello FVP ISA-level simulator.

September 2020: Arm has published its Morello architecture specification, a fully elaborated integration of the CHERI protection model into the ARMv8-A architecture.

October 2019: Arm announced Morello, an experimental CHERI-extended, multicore, superscalar ARMv8-A processor, System-on-Chip (SoC), and prototype board to be available from late 2021. Morello is a part of the UKRI £187M Digital Security by Design Challenge (DSbD) supported by the UK Industrial Strategy Challenge Fund, including a commitment of over £50M commitment by Arm. This web page provides more information on Morello, drawing from publicly available Arm content, as well as our own material on CHERI. You can learn more about CHERI by reading our technical report, An Introduction to CHERI.

What is Morello?

Morello is an industrial demonstrator of a capability architecture: a prototype System-on-Chip (SoC) and development board, developed by Arm, implementing a CHERI-extended ARMv8-A processor, GPU, peripherals, and memory subsystem, to ship in early 2022. The purposes of Morello are to enable industrial evaluation of the CHERI hardware and software ideas, to gather evidence for adoption, and to support further related research and development. This will be enabled by applying CHERI to a widely deployed, real-world architecture via a high-end mature processor design, and a mature software ecosystem.

Morello will be based on Arm's existing Neoverse N1 platform and CPU; this is roughly an Arm A76 with an enhanced server-class memory subsystem. Richard Grisenthwaite (Arm)'s talk at the 29 September 2019 ISCF DSbD Collaborators' Workshop included the following work-in-progress Morello SoC block diagram:

(Click for large version)

The Morello SoC will include two CPU clusters, each containing two out-of-order cores, all implementing CHERI. The Morello SoC will be fabricated in 7nm process, with a targeted clock frequency around 2GHz.

The coherent memory interconnect will be extended to carry tag bits, and the on-board DRAM controllers will support memory tagging. Other DMA-enabled devices, including the on-SoC Mali GPU, will not implement CHERI, but will be conservative with respect to tag interaction. They will clear tags on any memory that they overwrite, to prevent capability corruption or introduction.

Various aspects of the Morello design remain subject to change prior to the board becoming available in 2021.

Morello Talks from Cambridge, Arm, and Microsoft

UKRI has now posted slides and videos from the 26 September 2019 Digital Security by Design Challenge Collaborators' Workshop::

  • Robert N. M. Watson, Simon W. Moore, Peter Sewell, and Peter G. Neumann. CHERI: Capability Hardware Enhanced RISC Instructions, ISCF Digital Security by Design Challenge Collaborators' Workshop, London, UK, 26 September 2019. (Slides) (Video)
  • Richard Grisenthwaite (Arm). Digital Security by Design, ISCF Digital Security by Design Challenge Collaborators' Workshop, London, UK, 26 September 2019. (Slides) (Video)
  • Manuel Costa (Microsoft). Hardware Memory Safety: Challenges and Opportunities, ISCF Digital Security by Design Challenge Collaborators' Workshop, London, UK, 26 September 2019. (Slides) (Video)

What is the Morello timeline?

Implementation is well under way, including architecture, hardware, and software. Arm has published the following prospective timeline for Morello:

October 2020
  • Virtual Platform Model of Morello board (behavioural software model)
  • Architecture Specification of the CPU architecture used in the Morello board
    (This includes XML and pseudo-code to allow formal proofs and other auto-generated collateral)
January 2022
  • Morello boards made available with initial software and toolchains

What ISA will Morello implement?

Morello will implement an architecture combining the CHERI protection model (roughly as in CHERI ISAv8) and the ARMv8-A (application-class) ISA. ARMv8-A is found in a broad range of devices including almost all mobile devices (e.g., iOS and Android phones and tablets) as well as an increasing number of server-class systems. The experimental architecture was developed in a DARPA-supported collaboration, starting in 2014, between Arm, SRI International, and the University of Cambridge. In September 2020: Arm has published its Morello architecture specification, a fully elaborated integration of the CHERI protection model into the ARMv8-A architecture.

The baseline Neoverse N1 processor core implements ARMv8.2; only AArch64 (not 32) will be supported. It is expected that, except for 32-bit compatibility, all existing ARMv8.2-A software should work without change on Morello. CHERI-enabled software will be able to enable and use the CHERI feature set for the purposes of fine-grained memory protection, software compartmentalization, and so on. This approach allows rigorous performance (and other) comparisons betweeen CHERI-aware and CHERI-unaware software stacks, as well as supporting our incremental adoption goals for CHERI.

Morello will implement a superset architecture supporting various mechanisms for compartmentalisation, a collection of features for which there remains ongoing research into their effectiveness (e.g., accelerations for temporal memory safety), and multiple techniques for implementing tagging in the microarchitecture (see below). This will impact clock frequency, with the aim of allowing a key set of experiments to be run rather than to produce a commercial product.

Richard Grisenthwaite's slides from the DSbD workshop include the following notes regarding forward compatibility to future CHERI-enabled Arm ISAs:

  • The Morello Board will be the ONLY physical implementation of this prototype architecture.
    • Learnings from these experiments will be adopted into a mainstream extension to the Arm architecture.
      • But successful concepts are expected to be carried forward into the architecture and can be reused there.

The architecture will have formally proved security properties, based on out methodology developed for CHERI-MIPS. See our page on CHERI Rigorous Engineering to learn more about this work.

How will Morello store CHERI's tag bits?

Morello will support two different implementations of physical memory tagging, to allow their properties to be compared experimentally. In one configuration, ECC bits will be used to hold memory tags. In the other, a tag controller and tag cache will be used to hold memory tags (see our ICCD 2017 paper on efficient memory tagging).

What CHERI-aware software will Morello run?

The following slide from Robert Watson (Cambridge)'s slides from the DSbD workshop illustrate the rough anticipated software stack to be available when Morello ships:

Arm will provide an adaptation of the CHERI Clang/LLVM compiler suite targeted for the architecture present in Morello.

SRI International and the University of Cambridge will provide a full adaptation of the CheriBSD operating system and application stack for Morello. This will include support for a spatially and referentially safe open-source UNIX kernel, and spatially, referentially, and temporally safe UNIX userspace. There will also be associated CHERI-adapted toolchain and tools such as the run-time linker, debugger, and so on. We currently anticipate that applications will include OpenSSH, PostgreSQL, and WebKit, as well as a host of other third-party open-source software packages. See ASPLOS 2019 paper on CheriABI for details and evaluation of the memory-safety model. We will also provide a Morello-adapted memory-safe version of Google's Hafnium hypervisor. Unmodified ARMv8-A applications will continue to run.

Arm will provide an adaptation of the Android operating system.