[BUG] Delay in enforcing PMP rules leading to attacker can read 128bits of data in PMP region #2567

riscv914 · 2024-10-25T12:21:47Z

Is there an existing CVA6 bug for this?

I have searched the existing bug issues

Bug Description

Summary

Delay in enforcing PMP rules in CVA6 cores. For instance, enforcing the PMP rule on the next instruction will not take effect until the next 128 bits (address with the final four bits equal to zero).

Details

CVA6 does not apply PMP rules on the next 128bits due to an issue in microarchitectural implementation.

PoC

int main(void){
    asm volatile ("li t1, 0x22000000");
    asm volatile ("csrw pmpaddr0, t1");
    asm volatile ("li t0, 0x89 ");
    asm volatile (".align 4");
    asm volatile ("csrw pmpcfg0, t0 ");
    asm volatile ("li t3, 0x88000000"); // Should throw exception here!!
    asm volatile ("lw t4, 0(t3)");
    asm volatile ("sw t5, 0(t3)"); // Throw the exception here.
    asm volatile ("li a0, 1");
}

Impact

Unexpected Behaviour: an attacker can read 128 bits of data in the PMP regions like Secure Boot Room.

The text was updated successfully, but these errors were encountered:

riscv914 added the Type:Bug For bugs in the RTL, Documentation, Verification environment or Tool and Build system label Oct 25, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BUG] Delay in enforcing PMP rules leading to attacker can read 128bits of data in PMP region #2567

[BUG] Delay in enforcing PMP rules leading to attacker can read 128bits of data in PMP region #2567

riscv914 commented Oct 25, 2024

[BUG] Delay in enforcing PMP rules leading to attacker can read 128bits of data in PMP region #2567

[BUG] Delay in enforcing PMP rules leading to attacker can read 128bits of data in PMP region #2567

Comments

riscv914 commented Oct 25, 2024

Is there an existing CVA6 bug for this?

Bug Description