Closed mndstrmr closed 3 weeks ago

I discussed this with Louis-Emile and agree with this conclusion. I think the funct3 not equal to zero behaviour should be the same as for non-CHERI RISC-V, which sets illegal_insn when this is the case: https://github.com/lowRISC/ibex/blob/master/rtl/ibex_decoder.sv#L267-L269

I agree, this is a bug indeed. Will fix, thanks.

This proves it, thanks.
The decoder for CJALR will not raise an illegal instruction exception when `instr[14:12] != 0`, but it will also not set `cheri_jalr_en`: https://github.com/microsoft/cheriot-ibex/blob/3f0ec8600cb7621c4c952951d211b3515116ea27/rtl/ibex_decoder.sv#L343-L367

When a CJALR instruction is run with `instr[14:12] != 0`, the instruction that runs becomes one which stores the next instruction PC to the register file, but does not branch, since it runs into the old logic for JALR. This is therefore not a security issue, but is a bug. Instead `illegal_insn` should be set when `instr[14:12] != 0` (see the original code for JALR, which does the same).
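The decode behaviour described in this issue, as an added reference model that is not part of the cheriot-ibex RTL or of this thread: it encodes a JALR/CJALR instruction, extracts funct3 from bits [14:12], and contrasts the reported behaviour (link register written, no branch, no illegal_insn) with the behaviour the thread asks for (illegal_insn asserted, as the non-CHERI JALR path already does). The output names (`illegal_insn`, `cheri_jalr_en`, `rf_we`, `branch`) mirror the signals named above but are assumptions about the RTL, not its actual interface.

```python
# Added reference model of the CJALR funct3 decode check discussed in the issue.
# Not the project's RTL; field layout follows the base RISC-V I-type encoding
# (opcode[6:0], rd[11:7], funct3[14:12], rs1[19:15], imm[31:20]).
OPC_JALR = 0b1100111  # JALR opcode; CJALR reuses it in CHERI mode


def encode_jalr(rd: int, rs1: int, imm: int, funct3: int = 0) -> int:
    """Build a 32-bit JALR/CJALR instruction word (funct3 normally 0)."""
    return ((imm & 0xFFF) << 20) | ((rs1 & 0x1F) << 15) | ((funct3 & 0x7) << 12) \
        | ((rd & 0x1F) << 7) | OPC_JALR


def funct3_of(instr: int) -> int:
    """instr[14:12], the field the issue says must be zero for (C)JALR."""
    return (instr >> 12) & 0x7


def decode_jalr(instr: int, cheri_mode: bool, fixed: bool) -> dict:
    """Model the decoder outputs for a JALR-opcode word.

    fixed=False reproduces the behaviour reported in the issue (assumed model):
    a CJALR with funct3 != 0 falls into the old JALR path, which writes the
    link register but does not branch and does not flag illegal_insn.
    fixed=True applies the requested fix: illegal_insn when funct3 != 0.
    """
    out = {"illegal_insn": False, "cheri_jalr_en": False, "rf_we": False, "branch": False}
    if (instr & 0x7F) != OPC_JALR:
        out["illegal_insn"] = True
        return out
    f3 = funct3_of(instr)
    if not cheri_mode:
        # Non-CHERI ibex path: funct3 != 0 is already illegal.
        if f3 == 0:
            out["rf_we"] = out["branch"] = True
        else:
            out["illegal_insn"] = True
        return out
    if f3 == 0:
        out["cheri_jalr_en"] = out["rf_we"] = out["branch"] = True
    elif fixed:
        out["illegal_insn"] = True
    else:
        # Reported bug: link register written, no branch, no exception.
        out["rf_we"] = True
    return out


if __name__ == "__main__":
    word = encode_jalr(rd=1, rs1=5, imm=0, funct3=1)  # constructed: CJALR with funct3 = 1
    print("buggy:", decode_jalr(word, cheri_mode=True, fixed=False))
    print("fixed:", decode_jalr(word, cheri_mode=True, fixed=True))
```

Running the model shows the asymmetry the issue points out: with funct3 = 0 both modes behave identically, and only the unfixed CHERI path accepts a non-zero funct3 silently.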