riscv / riscv-fast-interrupt

Proposal for a RISC-V Core-Local Interrupt Controller (CLIC)
https://jira.riscv.org/browse/RVG-63
Creative Commons Attribution 4.0 International

clicintattr.mode should not be writable from S-mode #424

Open christian-herber-nxp opened 1 month ago

christian-herber-nxp commented 1 month ago

Looks like a security hole to me. If M-mode assigns an interrupt to S-mode, it does not sound OK for S-mode to throw that back. Seems like an easy way to corrupt M-mode.

I would suggest adding something along the lines of:

When in mode x, it is only allowed to write values to clicintattr.mode which correspond to equally or less privileged modes. Writing other values is reserved.

(Please help me with the language)

christian-herber-nxp commented 1 month ago

I overlooked the following note:

For security purpose, the mode field can only be set to a privilege mode that is equal to or lower than the currently running privilege mode and if interrupts are supported at that privilege mode (e.g. ssclic extension).

This should not be a note, but part of the normative spec.
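
A reference-model sketch of the rule quoted in the note, added here as an illustration; it is not code from the CLIC specification or from the issue's participants. Assumptions: the mode field sits in bits 7:6 of `clicintattr`, an illegal mode value leaves the previous mode in place (the thread proposes "reserved" and does not settle this), the writer is already allowed to access the register, and the helper names and the `irq_modes` mask are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* RISC-V privilege encodings; the value 2 is reserved. */
enum { PRV_U = 0, PRV_S = 1, PRV_M = 3 };

/* Assumed position of the mode field inside clicintattr (bits 7:6). */
#define ATTR_MODE_SHIFT 6
#define ATTR_MODE_MASK  (0x3u << ATTR_MODE_SHIFT)

/* Hypothetical helper: may code running at privilege `cur` set the mode
 * field to `req`? `irq_modes` is a bitmask (bit n = privilege encoding n)
 * of the modes in which this hart supports interrupts. */
static bool mode_write_legal(unsigned cur, unsigned req, unsigned irq_modes)
{
    if (req == 2)
        return false;                 /* reserved privilege encoding */
    if (req > cur)
        return false;                 /* more privileged than the writer */
    return (irq_modes >> req) & 1u;   /* interrupts must exist in that mode */
}

/* Hypothetical model of a store to clicintattr from privilege `cur`.
 * Assumption: an illegal mode value keeps the old mode field; the
 * remaining bits are taken from the written value unchanged. */
uint8_t clicintattr_write(uint8_t old, uint8_t val,
                          unsigned cur, unsigned irq_modes)
{
    unsigned req = (val & ATTR_MODE_MASK) >> ATTR_MODE_SHIFT;
    uint8_t mode_bits = mode_write_legal(cur, req, irq_modes)
                      ? (uint8_t)(val & ATTR_MODE_MASK)
                      : (uint8_t)(old & ATTR_MODE_MASK);
    return (uint8_t)(mode_bits | (val & ~ATTR_MODE_MASK));
}
```
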