restructuring the specification for better readability

ybc-alkaid · ybc-alkaid · commit aa781a778b10 · 2025-12-02T21:03:56.000+08:00
diff --git a/rv-spmp-spec.pdf b/rv-spmp-spec.pdf
diff --git a/sspmp/Resource_Sharing.adoc b/sspmp/Resource_Sharing.adoc
@@ -4,7 +4,7 @@
 The similar architecture of PMP and SPMP registers, including their shared address-matching logic, makes hardware reuse a practical approach for resource conservation.
 This chapter introduces the `Smpmpdeleg` extension, a mechanism that allows hardware resources to be dynamically allocated between PMP and SPMP.
 
-*This extension is mandatory for implementations that support Sspmp (<<S-level_Physical_Memory_Protection>>) in conjunction with M-mode (i.e., `Sm1p13`).*
+*This extension is mandatory for implementations that support Sspmp in conjunction with M-mode (i.e., `Sm1p13`).*
 To streamline the specification and reduce optional features, the `Smpmpdeleg` extension implements 64 PMP entries, but fewer can be writable; any non-writable entries behave as read-only zero.
 
 
@@ -40,12 +40,17 @@ Both PMP and SPMP entries are indexed starting from zero.
 For example, in an implementation with 64 total entries where `pmpnum` is configured to 16:
 
 . PMP entries 0 through 15 act as PMP (i.e., `PMP[0..15]`) and are accessible via standard PMP CSRs (i.e., `pmpcfg[0..3]` and `pmpaddr[0..15]` for RV32; `pmpcfg[0,2]` and `pmpaddr[0..15]` for RV64).
-. The remaining 48 entries are delegated as SPMP (i.e., `SPMP[0..47]`) and are indirectly accessed via `xiselect` (see <<m_mode_indirect_access>> and <<access_method>>).
+. The remaining 48 entries are delegated as SPMP (i.e., `SPMP[0..47]`) and are indirectly accessed via `xiselect` (see <<access_method>> and <<m_mode_indirect_access>>).
 . Accesses to out-of-range indices, such as reading `PMP[16]` or writing to `SPMP[48]` in this scenario, are handled as follows: reads return zero, and writes are ignored.
 
 
+*Configuration registers:*
 
-*Reconfiguration:*
+The configuration register `spmpcfg[i]` of an SPMP entry is SXLEN-bit.
+Its lower 8 bits are an alias for the 8-bit field in the corresponding M-mode PMP configuration register.
+
+
+*Reconfiguration of delegated entries:*
 
 . M-mode software can dynamically adjust the allocation between PMP and SPMP by writing to the `mpmpdeleg` CSR.
 . The `pmpnum` value cannot be set to an index that is less than or equal to that of any locked PMP entry.
@@ -60,9 +65,9 @@ PMP entries are accessed directly through their dedicated CSRs (i.e., `pmpcfg` a
 Delegated SPMP entries, however, are accessed indirectly using the `xiselect` CSR (i.e., `siselect` and `miselect`).
 
 For these indirect accesses, `miselect` selects the target SPMP entry, `mireg` accesses its `spmpaddr` register, and `mireg2` accesses its `spmpcfg` register.
-The `mireg3` through `mireg6` are read-only 0.
+The `mireg3` through `mireg6` are reserved as WPRI.
 
-The lock bit (`spmpcfg[i].L`) of an SPMP entry can only be cleared by the execution environment (M-mode in this case) through an indirect access using `miselect`.
+The lock bit (`spmpcfg[i].L`) of an SPMP entry can only be cleared by M-mode through an indirect access using `miselect`.
 
 The view provided by `miselect` is identical to that of `siselect` (see <<access_method>>).
 For instance, if 48 out of 64 entries are delegated, both S-mode (via `siselect` indices 0-47) and M-mode (via `siselect` or `miselect` indices 0-47) can access `SPMP[0..47]`.
@@ -79,12 +84,7 @@ Any access attempt by either mode to an index outside this range (i.e., `i >= 48
 |===
 
 
-Indirect accesses to SPMP CSRs are not ordered with respect to each other or with subsequent memory accesses. 
-To enforce ordering, software must execute an `SFENCE.VMA` instruction with `rs1=x0` and `rs2=x0`, which synchronizes subsequent memory accesses with all preceding SPMP CSR writes.
-
+*Memory access in M-mode:*
+If the effective privilege mode of the memory access is M, the access is `allowed` regardless of the SPMP permissions.
 
-[NOTE]
-====
-Allowing indirect accesses to SPMP CSRs to be not ordered with respect to each other or to subsequent memory accesses enables fast context switching of SPMP registers. 
-While `SFENCE.VMA` instructions normally order preceding stores and subsequent implicit accesses to memory management structures, SPMP entries are also effectively regarded as memory management structures.
-====
+If the Hypervisor Extension is implemented in conjunction with `Sspmp`, then when V = 1 and hgatp.MODE = Bare, the Hypervisor Virtual Machine Load and Store instructions (HLV, HLVX, HSV) executed from M-mode are subject to SPMP checks.
diff --git a/sspmp/header.adoc b/sspmp/header.adoc
@@ -64,9 +64,9 @@ Copyright 2023 by RISC-V International.
 include::contributors.adoc[]
 
 include::intro.adoc[]
-include::Resource_Sharing.adoc[]
 include::spmp_spec.adoc[]
 include::spmpswitch.adoc[]
+include::Resource_Sharing.adoc[]
 // include::Summary_of_Hardware_Changes.adoc[]
 include::guidelines.adoc[]
 // include::Interaction_with_hypervisor_extension.adoc[]
diff --git a/sspmp/spmp_spec.adoc b/sspmp/spmp_spec.adoc
@@ -12,29 +12,8 @@ Consequently, if a memory access violates both SPMP and PMP/PMA rules, only the
 SPMP checks are enforced on all memory accesses with effective privilege modes less privileged than M-mode.
 SPMP can be configured to grant permissions to U-mode, which has none by default, and to revoke permissions from S-mode.
 
-If the Hypervisor Extension is implemented in conjunction with Sspmp, when V = 1 and hgatp.MODE = Bare, SPMP enforces access checks on all memory accesses from VS and VU-modes, effectively applying SPMP protections to guest execution contexts.
-Additionally, the Hypervisor Virtual Machine Load and Store instructions (HLV, HLVX, HSV), when executed from the execution environment, HS-mode, or U-mode (when hstatus.HU = 1), are also subject to SPMP checks under the V = 1 condition.
-
-
-[[spmp-and-paging]]
-=== SPMP and Paging
-SPMP and paged virtual memory are mutually exclusive.
-//  and cannot be enabled concurrently for two primary reasons:
-
-// . Enabling both introduces a redundant layer of permission checks for each memory access.
-// +
-// . Paged virtual memory, by itself, offers a sufficient level of protection.
-
-The following table dictates which isolation mechanism is active based on the satp configuration.
-
-
-[cols="^1,^1", stripes=even, options="header"]
-|===
-|satp|Isolation mechanism
-|satp.mode == Bare with Sspmp |SPMP only
-|satp.mode == Bare without Sspmp|no S-mode protection checks
-|satp.mode != Bare |Paged Virtual Memory only
-|===
+If the Hypervisor Extension is implemented in conjunction with `Sspmp`, when V = 1 and hgatp.MODE = Bare, SPMP enforces access checks on all memory accesses from VS and VU-modes, effectively applying SPMP protections to guest execution contexts.
+Additionally, the Hypervisor Virtual Machine Load and Store instructions (HLV, HLVX, HSV), when executed from the HS-mode, or U-mode (when hstatus.HU = 1), are also subject to SPMP checks under the V = 1 condition.
 
 
 === Extension Dependencies
@@ -45,8 +24,7 @@ The following table dictates which isolation mechanism is active based on the sa
 +
 . The `sstatus.MXR` (Make eXecutable Readable) bit must be *writable*. This writability supports M-mode emulation handlers that require reading instructions with `MXR=1 and MPRV=1`.
 +
-. If the Hypervisor Extension is implemented in conjunction with Sspmp, the only mandatory translation mode in both hgatp and satp is Bare.
-
+. If the Hypervisor Extension is implemented in conjunction with `Sspmp`, the only mandatory translation mode in both hgatp and satp is Bare.
 
 
 [NOTE]
@@ -73,10 +51,10 @@ An SPMP rule is defined by the contents of an `spmpcfg` register and its corresp
 These registers collectively define a protected physical memory region and its access constraints. 
 ====
 
-The SPMP address registers, named `spmpaddr0` through `spmpaddr63`, share the same layout as the machine-mode PMP architecture.
+The SPMP address registers, named `spmpaddr0` through `spmpaddr63`, share the same layout as the M-mode PMP architecture.
 On RV32 systems, each `spmpaddr` register encodes a 34-bit physical address from bit 33 down to bit 2, as illustrated in <<spmpaddr-rv32>>.
 On RV64 systems, each `spmpaddr` register encodes a 56-bit physical address from bit 55 down to bit 2, as shown in <<spmpaddr-rv64>>.
-An implementation may support fewer address bits, particularly on systems with a smaller physical address space.
+An implementation may support fewer address bits on systems with a smaller physical address space.
 All writable SPMP entries should implement the same number of address bits.
 Since not all physical address bits must be implemented, the SPMP address registers are considered WARL, with exceptions defined by granularity rules.
 Refer to the {privspec}, Section 3.7: Physical Memory Protection, Address Matching.
@@ -91,7 +69,6 @@ include::images/bytefield/spmpaddr-rv32.adoc[]
 include::images/bytefield/spmpaddr-rv64.adoc[]
 
 Every SPMP entry contains an SXLEN-bit configuration register, `spmpcfg[i]`.
-// Its lower 8 bits are an alias for the 8-bit field of the corresponding PMP configuration register.
 <<spmpcfg>> illustrates the layout of `spmpcfg[i]`.
 Permission rules and their encodings are detailed in <<encoding>>.
 
@@ -118,9 +95,45 @@ M-mode can leverage the L bit to create a sandbox for S-mode software.
 This is achieved by setting and locking high-priority SPMP entries where `spmpcfg[i].U` is 1. 
 This mechanism effectively thwarts privilege escalation attacks that might try to reconfigure SPMP entries to bypass S-mode restrictions. 
 While PMP/ePMP entries could offer a similar function, the resulting configuration is not identical because PMP does not distinguish between S-mode and U-mode. 
-Moreover, if resource sharing is statically defined (e.g., `mpmpdeleg.pmpnum` is hardwired, see <<PMP_Entry_Sharing>>), there might not be enough PMP/ePMP entries to enforce the intended isolation policy.
+Moreover, if resource sharing is statically defined (see <<PMP_Entry_Sharing>>), there might not be enough PMP/ePMP entries to enforce the intended isolation policy.
+====
+
+
+[[address_matching]]
+=== Address Matching
+
+The A field within an SPMP entry's configuration register determines the address-matching mode for its associated spmpaddr register.
+The following table details the A field's encoding.
+
+[cols="^1,^1,^3", stripes=even, options="header"]
+|===
+|spmpcfg[i].A|Name|Description
+|0|OFF|Null region (disabled)
+|1|TOR|Top of range
+|2|NA4|Naturally aligned four-byte region
+|3|NAPOT|Naturally aligned power-of-two region, ≥8 bytes
+|===
+
+
+[NOTE]
 ====
+This encoding is consistent with the PMP/ePMP.
+For comprehensive details, refer to the "Address Matching" subsection for PMP in the {privspec}.
 
+For a rule to be valid, its `spmpcfg[i].A` field must not be OFF. 
+Furthermore, if `spmpcfg[i].A` is set to TOR, the condition `spmpaddr[i-1] < spmpaddr[i]` must hold.
+Particularly, if `spmpcfg[0].A` is set to TOR, zero is used for the lower bound.
+
+Software can probe the minimum SPMP granularity.
+This is done by clearing `spmpcfg[i]`, writing all ones to `spmpaddr[i]`, and then reading back the resulting `spmpaddr[i]` value.
+If asciimath:[G] is the index of the least-significant bit set in the result, the granularity is asciimath:[2^{G+2}] bytes.
+
+Software can also determine the implemented physical address bits in `spmpaddr`.
+This involves setting `spmpcfg[i].A` to `0b11`, writing all ones to `spmpaddr[i]`, and reading back the result.
+(Consult the "NAPOT range encoding in PMP address and configuration registers" table in the {privspec} for interpretation.)
+
+Because the `spmpcfg[i].A` field is WARL, an implementation is free to hardwire a specific address-matching mode.
+====
 
 
 [[encoding]]
@@ -168,51 +181,7 @@ The semantics of `sstatus.SUM` within SPMP are consistent with its definition in
 ====
 
 
-[[address_matching]]
-=== Address Matching
-
-The A field within an SPMP entry's configuration register determines the address-matching mode for its associated spmpaddr register.
-The following table details the A field's encoding.
-
-[cols="^1,^1,^3", stripes=even, options="header"]
-|===
-|spmpcfg[i].A|Name|Description
-|0|OFF|Null region (disabled)
-|1|TOR|Top of range
-|2|NA4|Naturally aligned four-byte region
-|3|NAPOT|Naturally aligned power-of-two region, ≥8 bytes
-|===
-
-For a rule to be valid, its `spmpcfg[i].A` field must not be OFF. 
-Furthermore, if `spmpcfg[i].A` is set to TOR, the condition `spmpaddr[i-1] < spmpaddr[i]` must hold.
-Particularly, if `spmpcfg[0].A` is set to TOR, zero is used for the lower bound.
-
-
-[NOTE]
-====
-This encoding is consistent with the PMP/ePMP.
-For comprehensive details, refer to the "Address Matching" subsection for PMP in the {privspec}.
-====
-
-
-
-[NOTE]
-====
-Software can probe the minimum SPMP granularity.
-This is done by clearing `spmpcfg[i]`, writing all ones to `spmpaddr[i]`, and then reading back the resulting `spmpaddr[i]` value.
-If asciimath:[G] is the index of the least-significant bit set in the result, the granularity is asciimath:[2^{G+2}] bytes.
-
-Software can also determine the implemented physical address bits in `spmpaddr`.
-This involves setting `spmpcfg[i].A` to `0b11`, writing all ones to `spmpaddr[i]`, and reading back the result.
-(Consult the "NAPOT range encoding in PMP address and configuration registers" table in the {privspec} for interpretation.)
-
-Because the `spmpcfg[i].A` field is WARL, an implementation is free to hardwire a specific address-matching mode.
-====
-
-
 === Matching Logic
-
-
 . SPMP entries are statically prioritized.
 +
 . The lowest-numbered SPMP entry that matches any byte of an access (indicated by an address and the accessed length) determines whether that access is allowed or denied.
@@ -241,6 +210,23 @@ S-mode software can subsequently constrain these permissions by refining the SPM
 ====
 
 
+[[spmp-and-paging]]
+=== SPMP and Paging
+SPMP and paged virtual memory are mutually exclusive.
+
+The following table dictates which isolation mechanism is active based on the satp configuration.
+
+
+[cols="^1,^1", stripes=even, options="header"]
+|===
+|satp|Isolation mechanism
+|satp.mode == Bare with Sspmp |SPMP only
+|satp.mode == Bare without Sspmp|no S-mode protection checks
+|satp.mode != Bare |Paged Virtual Memory only
+|===
+
+
+
 [[access_method]]
 === The Access Method for SPMP CSRs in S-mode
 Each value of `siselect` maps to a corresponding set of SPMP CSRs.
