Until a modified cache block has updated memory, a CBO.INVAL instruction may expose stale data values
in memory if the CSRs are programmed to perform an invalidate operation. This behavior may result in a
security hole if lower privileged level software performs an invalidate operation and accesses sensitive
information in memory.
In the machine mode, execute the cbo.inval instruction for an address (such as 0x83000000), and some data(0x1234) in the cache corresponding to the address is invalid
Switch to the user mode and execute the cbo.inval instruction for the same address (such as 0x83000000). Similarly, some data in the cache corresponding to this address is invalid. User mode does not get data 0x1234
So why does it lead to security hole when users access sensitive data?
Some sensitive data (0x1234) is written to a physical address (such as 0x83000000) in backing memory.
Some new sanitizing data (0x0000) is written to that same physical address in a (write-back) cache.
Execute the cbo.inval instruction for the same address (such as 0x83000000), so that the sanitizing data (0x0000) is discarded (not written back) from the cache.
Execute a load for the same address (such as 0x83000000), which reads the old sensitive data (0x1234) from backing memory.
quote:
https://github.com/riscv/riscv-CMOs/blob/ce72670f9843d94952c685346cf52d43b969ccdf/cmobase/csr_state.adoc。
A scene I guess is like this:
So why does it lead to security hole when users access sensitive data?