cva6
[BUG] Delay in enforcing PMP rules lets an attacker read 128 bits of data in a PMP region
Is there an existing CVA6 bug for this?
- [X] I have searched the existing bug issues
Bug Description
Summary
Delay in enforcing PMP rules in CVA6 cores. For instance, enforcing the PMP rule on the next instruction will not take effect until the next 128 bits (address with the final four bits equal to zero).
Details
CVA6 does not apply PMP rules on the next 128 bits due to an issue in the microarchitectural implementation.
PoC
int main(void){
    asm volatile ("li t1, 0x22000000"); // pmpaddr0 holds address >> 2: TOR top = 0x88000000
    asm volatile ("csrw pmpaddr0, t1");
    asm volatile ("li t0, 0x89 "); // pmpcfg0 entry 0: L=1, A=TOR, R=1, W=0, X=0
    asm volatile (".align 4");
    asm volatile ("csrw pmpcfg0, t0 ");
    asm volatile ("li t3, 0x88000000"); // Should throw exception here!!
    asm volatile ("lw t4, 0(t3)");
    asm volatile ("sw t5, 0(t3)"); // Throw the exception here.
    asm volatile ("li a0, 1");
}
Impact
Unexpected Behaviour: an attacker can read 128 bits of data in PMP regions such as the Secure Boot ROM.
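The following reference check is an added example, not code from the report or from the CVA6 project. It decodes the PoC's `pmpcfg0`/`pmpaddr0` values for entry 0 in TOR mode, gives the outcome the RISC-V privileged specification expects for an access, and computes the aligned address at which the report says enforcement begins. The `csrw` address `0x80000010` is a constructed value, M-mode execution is assumed, and the names `pmp0_check` and `first_enforced_pc` are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* pmpcfg bit fields (RISC-V privileged specification). */
#define PMP_R      0x01u
#define PMP_W      0x02u
#define PMP_X      0x04u
#define PMP_A_MASK 0x18u
#define PMP_A_TOR  0x08u
#define PMP_L      0x80u

enum pmp_result { PMP_DENY = 0, PMP_ALLOW = 1, PMP_UNMODELLED = -1 };

/* Expected outcome for an access checked against PMP entry 0 only.
 * acc is PMP_R, PMP_W or PMP_X. Entry 0 in TOR mode covers [0, pmpaddr0 << 2).
 * Accesses straddling the top of the range are not modelled. */
enum pmp_result pmp0_check(uint8_t cfg, uint64_t pmpaddr0, uint64_t addr,
                           uint8_t acc, bool m_mode)
{
    uint8_t a = cfg & PMP_A_MASK;
    if (a != 0 && a != PMP_A_TOR)
        return PMP_UNMODELLED;                 /* NA4/NAPOT left out */
    bool match = (a == PMP_A_TOR) && addr < (pmpaddr0 << 2);
    if (!match)                                /* no entry matches */
        return m_mode ? PMP_ALLOW : PMP_DENY;
    if (m_mode && !(cfg & PMP_L))              /* unlocked: M-mode not bound */
        return PMP_ALLOW;
    return (cfg & acc) ? PMP_ALLOW : PMP_DENY;
}

/* Per the report, a rule written by csrw at csrw_pc is enforced only from
 * the next address whose low four bits are zero. */
uint64_t first_enforced_pc(uint64_t csrw_pc)
{
    return (csrw_pc + 4 + 15) & ~(uint64_t)15;
}

int main(void)
{
    const uint8_t cfg = 0x89;                  /* PoC value: L | TOR | R */
    const uint64_t pmpaddr0 = 0x22000000;      /* PoC value: top 0x88000000 */
    const uint64_t pc = 0x80000010;            /* constructed csrw address */
    printf("fetch after csrw: %d\n", pmp0_check(cfg, pmpaddr0, pc + 4, PMP_X, true));
    printf("load 0x88000000:  %d\n", pmp0_check(cfg, pmpaddr0, 0x88000000, PMP_R, true));
    printf("enforced from:    0x%llx\n", (unsigned long long)first_enforced_pc(pc));
    return 0;
}
```

A testbench can compare these expected results with the core's behaviour for every access between the `csrw` and the address returned by `first_enforced_pc`.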