Department of Computer Science and Technology

CHERI

The Arm Morello Board

August 2021: We have released an updated version of our CHERI software stack for Morello, which can be downloaded and run on the Arm Morello FVP ISA-level simulator or on QEMU-Morello. Key features include pure-capability kernel support, and integrated support for Morello in our main CheriBSD development branch.

September 2020: Arm has published its Morello architecture specification, a fully elaborated integration of the CHERI protection model into the ARMv8-A architecture.

October 2019: Arm announced Morello, an experimental CHERI-extended, multicore, superscalar ARMv8-A processor, System-on-Chip (SoC), and prototype board to be available from late 2021. Morello is a part of the UKRI £187M Digital Security by Design Challenge (DSbD) supported by the UK Industrial Strategy Challenge Fund, including a commitment of over £50M by Arm. This web page provides more information on Morello, drawing from publicly available Arm content, as well as our own material on CHERI. You can learn more about CHERI by reading our technical report, An Introduction to CHERI.

What is Morello?

Morello is an industrial demonstrator of a capability architecture: a prototype System-on-Chip (SoC) and development board, developed by Arm, implementing a CHERI-extended ARMv8-A processor, GPU, peripherals, and memory subsystem, to ship in early 2022. The purposes of Morello are to enable industrial evaluation of the CHERI hardware and software ideas, to gather evidence for adoption, and to support further related research and development. This will be enabled by applying CHERI to a widely deployed, real-world architecture via a high-end mature processor design, and a mature software ecosystem.

Morello will be based on Arm's existing Neoverse N1 platform and CPU; this is roughly an Arm A76 with an enhanced server-class memory subsystem. Richard Grisenthwaite (Arm)'s talk at the 29 September 2019 ISCF DSbD Collaborators' Workshop included the following work-in-progress Morello SoC block diagram:


The Morello SoC includes two CPU clusters, each containing two out-of-order cores, all implementing CHERI. The Morello SoC has been fabricated in a 7nm process, with a target clock frequency of 2.5GHz.

The coherent memory interconnect has been extended to carry tag bits, and the on-board DRAM controllers support memory tagging. Other DMA-enabled devices, including the on-SoC Mali GPU, do not implement CHERI, but will be conservative with respect to tag interaction: they clear tags on any memory that they overwrite, to prevent capability corruption or introduction.
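The tag-clearing rule for devices that do not implement CHERI can be illustrated with a toy model of tagged memory. This is an added example, not Arm's or the CHERI project's code; the 16-byte tag granule, the memory size, and all function names are assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE  16u   /* assumed: one tag bit per 16-byte capability slot */
#define MEM_SIZE 128u

/* Toy tagged memory: data bytes plus one out-of-band tag bit per granule. */
struct tagged_mem {
    uint8_t data[MEM_SIZE];
    bool    tag[MEM_SIZE / GRANULE];
};

/* CHERI-aware store of a valid capability: aligned, and sets the tag. */
static bool cap_store(struct tagged_mem *m, size_t addr, const uint8_t *cap) {
    if (addr % GRANULE != 0 || addr > MEM_SIZE - GRANULE) return false;
    memcpy(&m->data[addr], cap, GRANULE);
    m->tag[addr / GRANULE] = true;
    return true;
}

/* Write by a device that does not implement CHERI (e.g. DMA): the bytes
 * land, but every granule the write touches loses its tag. */
static bool dma_write(struct tagged_mem *m, size_t addr, const uint8_t *src, size_t len) {
    if (len == 0 || addr >= MEM_SIZE || len > MEM_SIZE - addr) return false;
    memcpy(&m->data[addr], src, len);
    for (size_t g = addr / GRANULE; g <= (addr + len - 1) / GRANULE; g++)
        m->tag[g] = false;
    return true;
}

/* A capability load is only usable if the slot's tag is still set. */
static bool cap_valid(const struct tagged_mem *m, size_t addr) {
    return addr % GRANULE == 0 && addr <= MEM_SIZE - GRANULE && m->tag[addr / GRANULE];
}

/* Constructed scenario; returns a bitmask of which slots 0,16,48,64 are valid. */
static unsigned demo(void) {
    struct tagged_mem m = {0};
    uint8_t cap[GRANULE];
    memset(cap, 0xC4, sizeof cap);              /* constructed sample bytes */
    cap_store(&m, 0, cap); cap_store(&m, 16, cap); cap_store(&m, 48, cap);
    dma_write(&m, 30, cap, 4);   /* partial overwrite: corrupts slot 16 */
    dma_write(&m, 64, cap, 16);  /* byte-identical copy: still no tag   */
    return cap_valid(&m, 0) | cap_valid(&m, 16) << 1 | cap_valid(&m, 48) << 2 | cap_valid(&m, 64) << 3;
}

int main(void) { printf("valid slots mask: 0x%x\n", demo()); return 0; }
```

The slot at 16 shows corruption being caught (a partial overwrite invalidates the capability), and the slot at 64 shows introduction being prevented (a device writing capability-shaped bytes never produces a tagged value).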

Various aspects of the Morello design remain subject to change prior to the board becoming available in 2022.

Morello Talks from Cambridge, Arm, and Microsoft

UKRI has now posted slides and videos from the 26 September 2019 Digital Security by Design Challenge Collaborators' Workshop:

  • Robert N. M. Watson, Simon W. Moore, Peter Sewell, and Peter G. Neumann. CHERI: Capability Hardware Enhanced RISC Instructions, ISCF Digital Security by Design Challenge Collaborators' Workshop, London, UK, 26 September 2019. (Slides) (Video)
  • Richard Grisenthwaite (Arm). Digital Security by Design, ISCF Digital Security by Design Challenge Collaborators' Workshop, London, UK, 26 September 2019. (Slides) (Video)
  • Manuel Costa (Microsoft). Hardware Memory Safety: Challenges and Opportunities, ISCF Digital Security by Design Challenge Collaborators' Workshop, London, UK, 26 September 2019. (Slides) (Video)

What is the Morello timeline?

Implementation is well under way, including architecture, hardware, and software. Arm has published the following prospective timeline for Morello:

October 2020
  • Virtual Platform Model of Morello board (behavioural software model)
  • Architecture Specification of the CPU architecture used in the Morello board
    (This includes XML and pseudo-code to allow formal proofs and other auto-generated collateral)
January 2022
  • Morello boards made available with initial software and toolchains

What ISA will Morello implement?

Morello implements an architecture combining the CHERI protection model (synchronized to CHERI ISAv8) and the ARMv8-A (application-class) ISA. ARMv8-A is found in a broad range of devices including almost all mobile devices (e.g., iOS and Android phones and tablets) as well as an increasing number of server-class systems. The experimental architecture was developed in a DARPA-supported collaboration, starting in 2014, between Arm, SRI International, and the University of Cambridge. In September 2020, Arm published its Morello architecture specification, a fully elaborated integration of the CHERI protection model into the ARMv8-A architecture.

The baseline Neoverse N1 processor core implements ARMv8.2; only AArch64 (not 32) will be supported. It is expected that, except for 32-bit compatibility, all existing ARMv8.2-A software should work without change on Morello. CHERI-enabled software enables and uses the CHERI feature set for the purposes of fine-grained memory protection, software compartmentalization, and so on. This approach allows rigorous performance (and other) comparisons between CHERI-aware and CHERI-unaware software stacks, as well as supporting our incremental adoption goals for CHERI.

Morello implements a superset architecture supporting various mechanisms for compartmentalisation, a collection of features for which there remains ongoing research into their effectiveness (e.g., accelerations for temporal memory safety), and multiple techniques for implementing tagging in the microarchitecture (see below). This choice impacts clock frequency, with the aim of allowing a key set of experiments to be run rather than to produce a commercial product. A production design would be expected to perform substantially better as a result.

Richard Grisenthwaite's slides from the DSbD workshop include the following notes regarding forward compatibility to future CHERI-enabled Arm ISAs:

  • The Morello Board will be the ONLY physical implementation of this prototype architecture.
    • Learnings from these experiments will be adopted into a mainstream extension to the Arm architecture.
    • NO COMMITMENT TO FULL BINARY COMPATIBILITY TO THE PROTOTYPE ARCHITECTURE.
      • But successful concepts are expected to be carried forward into the architecture and can be reused there.

The architecture will have formally proved security properties, based on our methodology developed for CHERI-MIPS. See our page on CHERI Rigorous Engineering to learn more about this work.

How will Morello store CHERI's tag bits?

Morello supports two different implementations of physical memory tagging, to allow their properties to be compared experimentally. In one configuration, ECC bits are used to hold memory tags. In the other, a tag controller and tag cache are used to hold memory tags (see our ICCD 2017 paper on efficient memory tagging).

What CHERI-aware software will Morello run?

The following slide from Robert Watson (Cambridge)'s slides from the DSbD workshop illustrates the rough anticipated software stack to be available when Morello ships; portions of this stack remain under development:


Arm has adapted the CHERI Clang/LLVM compiler suite to target the architecture present in Morello.

SRI International and the University of Cambridge are providing an adaptation of the CheriBSD operating system and application stack for Morello. This includes support for a spatially and referentially safe open-source UNIX kernel, and spatially, referentially, and temporally safe UNIX userspace. There are also the associated CHERI-adapted toolchain and tools such as the run-time linker, debugger, and so on. We currently anticipate that applications will include OpenSSH, PostgreSQL, and WebKit, as well as a host of other third-party open-source software packages. See the ASPLOS 2019 paper on CheriABI for details and evaluation of the memory-safety model. We will also provide a Morello-adapted memory-safe version of Google's Hafnium hypervisor. Unmodified ARMv8-A applications will continue to run.

Arm is providing an experimental adaptation of the Android operating system.