Domain switching between multiple security domains

joxie / riscv-debug-security

repo for riscv debug security extension spec dev

0 stars 1 forks source link

Domain switching between multiple security domains #9

Closed gokhankaplayan closed 8 months ago

gokhankaplayan commented 1 year ago

Machine Debug Security Control Register (mdbgsec) is reprogrammed by M-mode software when domain switching between security domains. This approach has the following concerns:

Context Switching performance overhead
Life cycle management: It requires modification in M-mode software (secure monitor software) during the lifecycle of CPU.
M-mode TCB, robustness against fault attacks: Lock feature can be added to mdbgsec, but it prevents context switching.

External pin control approach to hardwire mdbgsec for security domains should be added as an optional feature.

AoteJin commented 1 year ago

The use of debug control should be limited to low level firmware and we do not expected it happen as frequent as those in OS. Thus, the context switching overhead should be trivial.
We would expect the secure monitor to implement a parser to parse the binary input -- debug policy, in order to have unified code with different policies during lifecycle.
Right, simply locking the mdbgsec seems losing flexibility, I agree we need revisit it.

gokhankaplayan commented 1 year ago

Just to clarify the life cycle management, debug policy binary file (encrypted) will be same during the lifecycle and the interpretation of the binary file is different for each phase of the lifecycle by secure monitor.This idea make sense to me. I am aware that the details are implementation specific, but it is good to understand whether we miss something.

AoteJin commented 8 months ago

Close. The issue is addressed in smmtt TG