Debug access control for U-mode only domain

riscv / riscv-smmtt

This specification will define the RISC-V privilege ISA extensions required to support Supervisor Domain isolation for multi-tenant security use cases e.g. confidential-computing, trusted platform services, fault isolation and so on.

https://jira.riscv.org/browse/RVG-65

Creative Commons Attribution 4.0 International

35 stars 15 forks source link

Debug access control for U-mode only domain #33

Closed AoteJin closed 7 months ago

AoteJin commented 7 months ago

The current proposal has only a knob in CSR to enable debuggability for supervisor mode. It will result in privilege escalation if a domain has only U-mode application (e.g. PENGLAI TEE architecture). This choice of U-mode only domain might reduce overhead of context switch (without save/restore S-mode context).

privilege security control-Page-1 drawio

There are tow direction to mitigate:

In addition to S mode knob, add another U mode knob.
Mandate that the SW has to add a thin layer of S mode runtime to enable self-hosted debug

Originally posted by @AoteJin in https://github.com/riscv/riscv-smmtt/issues/11#issuecomment-1918645811

ved-rivos commented 7 months ago

A supervisor domain should not be conflated with supervisor mode. In a M+U implementation, the supervisor domain only has U-mode. In a M+S+U implementation, it is M mode policy whether it allows execution in S-mode. The external debug control is for a Supervisor Domain - and not for S-Mode in a Supervisor Domain. When a Supervisor Domain is external debug allowed, all privilege modes in that Supervisor Domain are external debug allowed.

AoteJin commented 7 months ago

When a Supervisor Domain is external debug allowed, all privilege modes in that Supervisor Domain are external debug allowed.

Yes, this is exactly what I understood. But this will be an issue for TEE design like this: https://www.usenix.org/system/files/osdi21-feng.pdf

This TEE architecture has M+S+U privilege mode and creates U-mode only enclave to boost performance and improve memory utilization.

ved-rivos commented 7 months ago

But this will be an issue for TEE design like this

In such a design where RDSM only allows U-mode on a Supervisor Domain - that enclave is either external debug enabled or is not external debug enabled. Whether there is any execution in Supervisor Mode of that supervisor domain is not material. When running such U-mode only security domains there may or may not be page tables - if there are page tables setup for the U-mode then those page tables are managed by the RDSM and programmed into the satp. If there is no virtual memory used by those U-mode enclaves then RDSM sets the satp to Bare.

In the picture you listed you seem to imply that Domain 2 page tables will be in effect for Domain 1 execution. That is not correct. A page table, if used, has to be managed by the TCB of the domain 1 - and domain 2 is not in the TCB.

Could you elaborate on the specific issue?

rsahita commented 7 months ago

To add, the paper referenced above asserts that "The secure monitor maintains all the enclave page tables" on page 279 (memory isolation among enclaves). From the sw arch diagram, secure monitor runs in M-mode. If the M-mode RDSM is itself not under external debug, the U-mode SD can be ext-debug allowed without any impact to the enclave page tables managed by the RDSM.

rsahita commented 7 months ago

@AoteJin can i close this issue?

rsahita commented 7 months ago

closing this one - please re-open if required.