Department of Computer Science and Technology

CHERI

CHERI-RISC-V

CHERI-RISC-V is an in-progress application of the CHERI protection model to the 32-bit and 64-bit variants of the RISC-V Instruction-Set Architecture (ISA). The current draft specification of CHERI-RISC-V can be found in CHERI ISAv7, but we are actively improving the specification and anticipate an updated version in the forthcoming CHERI ISAv8 (due 2020Q2). We have prototype CHERI-RISC-V implementations of:

  • Formal Sail specification
  • Qemu ISA-level emulator
  • 3-stage and 5-stage pipelined cores, and a superscalar core, on FPGA
  • Adaptation of the CHERI Clang/LLVM/LLD and GDB
  • Adaptation of the 32-bit MMU-free CheriFreeRTOS operating system, based on FreeRTOS
  • Adaptation of the 64-bit MMU-enabled CheriBSD operating system, based on FreeBSD

CHERI-RISC-V ISA and Implementations

CHERI-RISC-V Instruction-Set Architecture (ISA)

CHERI-RISC-V is a from-scratch application of the CHERI protection model to the 32-bit and 64-bit variants of the RISC-V ISA. Our approach learns from experience integrating CHERI into 64-bit MIPS, as well as our collaboration with Arm to create a CHERI adaptation of ARMv8-A. CHERI ISAv7 is the first full draft specification of CHERI-RISC-V. We anticipate incremental updates to CHERI-RISC-V in the forthcoming CHERI ISAv8 arising from further experience with hardware and software implementation. Key differences between CHERI-MIPS and CHERI-RISC-V include:

  • Whereas CHERI-MIPS supported only a split capability register file, CHERI-RISC-V supports both merged and split register files. Currently, we are focusing on a merged register file.
  • CHERI-RISC-V extends 32-bit RISC-V with 64-bit capabilities, and 64-bit RISC-V with 128-bit capabilities; CHERI-MIPS supported only 128-bit capabilities with 64-bit MIPS.
  • CHERI-RISC-V supports hardware floating point.
  • CHERI-RISC-V benefits from a richer underlying architecture, including architectural page tables.
  • CHERI-RISC-V utilizes a new "capability mode" instruction encoding mode to conserve ISA opcode space. CHERI-RISC-V load and store instructions utilize identical load/store encodings, making code generation more similar between baseline RISC-V and pure-capability code.

Sail CHERI-RISC-V

We have extended the baseline RISC-V Sail model with support for CHERI. This is our golden model for CHERI-RISC-V, and all pseudocode in our textual specification is derived from the Sail model. We use the model for proofs about the architecture (such as that monotonicity holds), tandem verification, and hope soon to also use it for automated test generation. This implementation is experimental:

Qemu CHERI-RISC-V

We have extended QEMU-CHERI to support CHERI for 64-bit RISC-V. This is now incorporated into our mainline Qemu implementation, which can be built using cheribuild. QEMU-CHERI is able to boot and run CheriBSD/RISC-V. This implementation is experimental:

CHERI-Piccolo, CHERI-Flute, and CHERI-Toooba CPU cores on FPGA

We have extended the open-source Bluespec SystemVerilog (BSV) RISC-V cores Piccolo (32-bit, 3-stage), Flute (64-bit, 5-stage), and Toooba (64-bit, superscalar) with support for CHERI-RISC-V. We are developing these cores on the Xilinx VCU-118 board. These implementations are still highly experimental:

CHERI-RISC-V Software Stack

CHERI Clang/LLVM/LLD on CHERI-RISC-V

We have adapted CHERI Clang/LLVM, LLD, and GDB to support CHERI-RISC-V. These changes are part of our mainline implementations:

CheriFreeRTOS

CheriFreeRTOS is a version of the open-source FreeRTOS embedded operating system that has been extended to support CHERI memory protection. CheriFreeRTOS is compiled as a pure-capability binary, and includes strong hardware-supported spatial memory protection and pointer protection for the stack, heap, and global variables.

GitHub repository to be available shortly.

CheriBSD

We have extended our existing CheriBSD implementation with support for CHERI-RISC-V, with the goal of full feature parity. CheriBSD is a CHERI-enabled adaptation of the open-source FreeBSD operating system, along with many of its applications. Currently, CheriBSD/RISC-V is experimental, and boots to multiuser mode with a statically linked CheriABI userspace. It has a number of functional gaps, including not yet supporting dynamically linked CheriABI binaries, or GDB debugging with capability support. Progress is rapid, and we hope to have feature completeness relative to CHERI-MIPS at the end of 2020Q2. These changes are part of our mainline implementation: