Department of Computer Science and Technology

CHERI

CHERI-RISC-V

CHERI-RISC-V is an in-progress application of the CHERI protection model to the 32-bit and 64-bit variants of the RISC-V Instruction-Set Architecture (ISA). The current draft specification of CHERI-RISC-V can be found in CHERI ISAv8, and we are continuing to update the spceification as we improve the architecture. We have prototype CHERI-RISC-V implementations of:

  • Formal Sail specification
  • Qemu ISA-level emulator
  • 3-stage and 5-stage pipelined cores, and a superscalar core, on FPGA
  • Adaptation of the CHERI Clang/LLVM/LLD and GDB
  • Adaptation of the 32-bit and 64-bit MMU-free CheriFreeRTOS operating system, based on FreeRTOS
  • Adaptation of the 64-bit MMU-enabled CheriBSD operating system, based on FreeBSD

We anticipate an updated CHERI ISAv9 in 2021Q3 or 2021Q4 that introduces a number of improvements relating to code linkage, extended performance counters for CHERI-related events, and support for compressed CHERI-RISC-V instructions. Many of these features are already present in our emulators, hardware, and software, but instruction and opcode choices are not yet finalized.


CHERI-RISC-V ISA and Implementations

CHERI-RISC-V Instruction-Set Architecture (ISA)

CHERI-RISC-V is a from-scratch application of the CHERI protection model to the 32-bit and 64-bit variants of the RISC-V ISA. Our approach learns from experience integrating CHERI into 64-bit MIPS, as well as our collaboration with Arm to create Morello, a CHERI extended version of ARMv8-A. CHERI ISAv8 contains a relatively mature prototype of the CHERI-RISC-V ISA, which we have implemented in multiple microarchitectures and Qemu, and for which we have complete CHERI Clang/LLVM/LLD/GDB and CheriBSD adaptations. We expect that future ISA versions will continue to evolve the specification (and, in particular, opcode encodings, which have not yet been optimized, but also compressed instructions), and so binary compatibility is not assured. Key differences between CHERI-MIPS and CHERI-RISC-V include:

  • Whereas CHERI-MIPS supported only a split capability register file, CHERI-RISC-V supports both merged and split register files. Currently, we are focusing on a merged register file.
  • CHERI-RISC-V extends 32-bit RISC-V with 64-bit capabilities, and 64-bit RISC-V with 128-bit capabilities; CHERI-MIPS supported only 128-bit capabilities with 64-bit MIPS.
  • CHERI-RISC-V supports hardware floating point.
  • CHERI-RISC-V benefits from a richer underlying architecture, including architectural page tables.
  • CHERI-RISC-V utilizes a new "capability mode" instruction encoding mode to conserve ISA opcode space. CHERI-RISC-V load and store instructions utilize identical load/store encodings, making code generation more similar between baseline RISC-V and pure-capability code.

Sail CHERI-RISC-V

We have extended the baseline RISC-V Sail model with support for CHERI. This is our golden model for CHERI-RISC-V, and all pseudocode in our textual specification is derived from the Sail model. We use the model for proofs about the architecture (such as that monotonicity holds), tandem verification, and hope soon to also use it for automated test generation. This implementation is experimental:

Qemu CHERI-RISC-V

We have extended QEMU-CHERI to support CHERI for 64-bit RISC-V. This is now incorporated into our mainline QEMU-CHERI implementation, which can be built using cheribuild. QEMU-CHERI is able to boot and run CheriBSD/RISC-V as well as CheriFreeRTOS. This implementation is experimental:

CHERI-Piccolo, CHERI-Flute, and CHERI-Toooba CPU cores on FPGA

We have extended the open-source Bluespec SystemVerilog (BSV) RISC-V cores Piccolo (32-bit, 3-stage), Flute (64-bit, 5-stage), and Toooba (64-bit, superscalar) with support for CHERI-RISC-V. We are developing these cores on the Xilinx VCU-118 board. These implementations are still highly experimental:

CHERI-RISC-V Software Stack

CHERI Clang/LLVM/LLD on CHERI-RISC-V

We have adapted CHERI Clang/LLVM and LLD, and GDB to support CHERI-RISC-V. These changes are part of our mainline CHERI implementations:

CheriFreeRTOS

CheriFreeRTOS is a version of the open-source FreeRTOS embedded operating system that has been extended to support CHERI memory protection. CheriFreeRTOS is compiled as a pure-capability binary, and includes strong hardware-supported spatial memory protection and pointer protection for the stack, heap, and global variables. We now have a prototype also supporting software compartmentalization (e.g., a sandboxed FreeRTOS TCP/IP stack), but this is not yet ready for more mainstream use.

GitHub repository to be available shortly.

CheriBSD

We have extended our existing CheriBSD implementation with support for CHERI-RISC-V, with the goal of full feature parity. CheriBSD is a CHERI-enabled adaptation of the open-source FreeBSD operating system, along with many of its applications. Currently, CheriBSD/RISC-V is experimental, and boots to multiuser mode with a statically and dynamically linked CheriABI userspace. These changes are part of our mainline implementation, and CHERI-RISC-V is now our preferred research platform for software work: