The RISC-V open standard ISA (Instruction Set Architecture) offers developers a wide range of standard extensions and options that support the design of an optimised processor. The RISC-V Privileged Specification includes PMP (Physical Memory Protection) as a fundamental approach to memory protection that is essential in security applications that depend on a TEE (Trusted Execution Environment) such as Keystone, OpenTitan, and many other security protection techniques.
RISC-V processor implementations for security applications use physical memory protection (PMP) as a way to ensure memory isolation between key security applications and other activities.
The PMP specification provides a flexible and comprehensive approach based on control registers that parameterize the address-matching modes, the access permissions, and the resulting memory access policy. Because the policy lives in control registers, the actual policy and operation can be configured in software using the available hardware resources. As a consequence, the PMP policy can be configured to control the initial processor boot process and is fundamental to many systems that rely on a TEE for security applications.
RISC-V processor functional verification needs to ensure the design behaves as expected. In the case of the PMP functionality, due to the wide range of possible configurations and implementations, the architectural validation test suite also needs to cover the vulnerabilities that arise from a design error that may enable an unnecessary or unwanted option.
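The control-register mechanism described above, and the kind of configuration check a validation suite has to exercise, as an added illustration that is not Imperas code, not the Imperas reference model, and not the official RISC-V reference: a small Python model of PMP entries following the RISC-V Privileged Specification rules (one pmpcfg byte per entry with R/W/X, an A field selecting OFF/TOR/NA4/NAPOT, and an L lock bit; pmpaddr holding the address shifted right by two; the lowest-numbered matching entry deciding the access). The sample policy in `example_config()` is constructed for the illustration and does not describe any real SoC.

```python
"""Minimal model of RISC-V PMP entry encoding and access checking.

Added illustration only; not Imperas code and not the official reference
model. Encodes pmpcfg/pmpaddr the way the Privileged Specification lays
them out and applies the matching and permission rules.
"""
from dataclasses import dataclass

# pmpcfg bit layout (one byte per entry)
PMP_R, PMP_W, PMP_X, PMP_L = 1 << 0, 1 << 1, 1 << 2, 1 << 7
A_OFF, A_TOR, A_NA4, A_NAPOT = 0, 1, 2, 3   # values of the 2-bit A field


def pmpcfg(r, w, x, a, lock=False):
    """Pack one pmpcfg byte; rejects the reserved W=1,R=0 encoding, which a
    conforming (non-Smepmp) implementation must not accept as a valid option."""
    if w and not r:
        raise ValueError("R=0/W=1 is reserved in the base PMP spec")
    return ((PMP_R if r else 0) | (PMP_W if w else 0) | (PMP_X if x else 0)
            | (a << 3) | (PMP_L if lock else 0))


def napot_addr(base, size):
    """Encode a naturally aligned power-of-two region as a pmpaddr value:
    address >> 2 with the low log2(size) - 3 bits set to one."""
    if size < 8 or size & (size - 1) or base % size:
        raise ValueError("NAPOT needs size >= 8, power of two, base aligned to size")
    return (base >> 2) | ((size >> 3) - 1)


@dataclass
class Entry:
    cfg: int    # pmpcfg byte
    addr: int   # raw pmpaddr register value (address >> 2)


def _region(entries, i):
    """Return the byte range [lo, hi) covered by entry i, or None if it is OFF."""
    cfg, addr = entries[i].cfg, entries[i].addr
    a = (cfg >> 3) & 3
    if a == A_OFF:
        return None
    if a == A_TOR:
        # lower bound is the raw pmpaddr of the previous entry (0 for entry 0)
        lo = entries[i - 1].addr << 2 if i > 0 else 0
        return lo, addr << 2
    if a == A_NA4:
        return addr << 2, (addr << 2) + 4
    # NAPOT: the count of trailing ones k gives a 2^(k+3) byte region
    k = 0
    while (addr >> k) & 1:
        k += 1
    base = (addr >> k) << (k + 2)
    return base, base + (1 << (k + 3))


def check_access(entries, priv, addr, size, perm):
    """True if an access of `size` bytes at `addr` needing `perm` (PMP_R,
    PMP_W or PMP_X) is allowed from privilege `priv` ('M', 'S' or 'U')."""
    for i in range(len(entries)):
        rng = _region(entries, i)
        if rng is None:
            continue
        lo, hi = rng
        if hi <= addr or addr + size <= lo:
            continue                      # no byte of the access is in this region
        if addr < lo or addr + size > hi:
            return False                  # partial match fails regardless of privilege
        cfg = entries[i].cfg
        if priv == 'M' and not cfg & PMP_L:
            return True                   # unlocked entries do not constrain M-mode
        return bool(cfg & perm)
    # no entry matched: M-mode succeeds; S/U fail once any entry is implemented
    return priv == 'M' or not entries


def example_config():
    """Constructed sample policy (an assumption for this illustration):
    entry 0: 64 KiB boot firmware at 0x8000_0000, R+X, locked (binds M-mode too)
    entry 1: 128 MiB RAM at 0x8000_0000, R+W (entry 0 takes priority inside it)
    entry 2: OFF, its pmpaddr only serves as the lower bound of entry 3
    entry 3: TOR 64 KiB MMIO window [0x9000_0000, 0x9001_0000), R+W"""
    return [
        Entry(pmpcfg(True, False, True, A_NAPOT, lock=True), napot_addr(0x8000_0000, 0x1_0000)),
        Entry(pmpcfg(True, True, False, A_NAPOT), napot_addr(0x8000_0000, 0x800_0000)),
        Entry(pmpcfg(False, False, False, A_OFF), 0x9000_0000 >> 2),
        Entry(pmpcfg(True, True, False, A_TOR), 0x9001_0000 >> 2),
    ]


if __name__ == "__main__":
    e = example_config()
    print("U-mode exec of firmware:", check_access(e, 'U', 0x8000_1000, 4, PMP_X))
    print("M-mode write to locked firmware:", check_access(e, 'M', 0x8000_1000, 4, PMP_W))
    print("U-mode read of unmapped MMIO:", check_access(e, 'U', 0x9002_0000, 4, PMP_R))
```

The locked entry is the case worth checking in a validation suite: once L is set the entry constrains M-mode as well, and a design that silently ignored the lock, or accepted the reserved R=0/W=1 encoding, would pass ordinary functional tests while leaving the boot firmware writable.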
While some processor developers undertake both the design and test phases of a project, the advantage of third-party tests is that an independent interpretation of the specification provides an additional safeguard. This is especially important when the specification options selected for the target device are used to direct the test plan, since an unintended design error that enables an unnecessary, and therefore untested, feature could open a security vulnerability.
“A key part of the RISC-V privilege specification that is fundamental for OS and application security is the PMP feature,” said Allen Baum of Esperanto Technologies and Chair of the RISC-V International Architecture Test SIG. “Enabling its correct operation is essential for security applications, and the Imperas PMP test suites are a valuable contribution to the RISC-V compatibility and verification community.”
“In any verification plan, the opportunity to use more tests is always a useful option, but as is often the case some tests are more useful than others,” said Simon Davidmann, CEO at Imperas Software. “Test suites have many useful qualities, perhaps the top two are coverage and specification completeness. The RISC-V PMP test requirements are significant given the complexity of the specification and security implications for any implementation errors. The Imperas mutating fault simulation technology ensures the test coverage, and the Imperas reference model covers the full envelope of the PMP specification, so when combined these produce a useful architectural validation test suite for any RISC-V processor targeted at security applications.”
The Imperas Physical Memory Protection (PMP) Architectural Validation test suites are available now to ImperasDV users as a beta release, with a full production release scheduled for Q2 2022.