diff --git a/chapter3.adoc b/chapter3.adoc index b5b49a1..34a445c 100644 --- a/chapter3.adoc +++ b/chapter3.adoc @@ -53,12 +53,12 @@ an illegal instruction exception. supervisor domains beyond the physical memory protection scheme described in Section 3.7 of the RISC-V privileged architecture specification cite:[ISA]. In this case, the remaining fields (`SDID`, `PPN`) in `mttp` must be set to -zeros, else generate a fault. When `XLEN=32`, the other valid settings for -`MODE` are `Smmtt34` and `Smmtt34rw`, to support allow/disallow and read-write +zeros, else generate a fault. When `XLEN=32`, the other valid setting for +`MODE` is `Smmtt34` to support allow/disallow and read-write-execute access permissions for 34-bit system physical addresses. When `XLEN=64`, other than `BARE`, the other valid settings for `MODE` are -`Smmtt[46, 56][rw]` to support read-write/access permissions for 46-bit and +`Smmtt[46 | 56]` to support read-write-execute permissions for 46-bit and 56-bit system physical addresses. The remaining `MODE` settings when `XLEN=64` are `reserved` for future use and @@ -73,12 +73,9 @@ protection scheme described in Section 3.7 of the RISC-V privileged architecture specification cite:[ISA] |1 |`Smmtt34` |Page-based supervisor domain protection for 34 bit physical -addresses with access allowed/disallowed per page +addresses with RWX permissions per page -|2 |`Smmtt34rw` |Page-based supervisor domain protection for 34 bit -physical addresses with RW permissions per page - -|3 |- |`_Reserved_` +|2 |- |`_Reserved_` |=== .Encoding of `mttp` `MODE` field for `XLEN=64`. @@ -90,18 +87,12 @@ protection scheme described in Section 3.7 of the RISC-V privileged architecture specification cite:[ISA] |1 |`Smmtt46` |Page-based supervisor domain protection for 46 bit physical -addresses - -|2 |`Smmtt46rw` |Page-based supervisor domain protection for 46 bit -physical addresses with RW permissions per page - -|3 |`Smmtt56` |Page-based supervisor domain protection for 56 bit physical -addresses +addresses with RWX permissions per page -|4 |`Smmtt56rw` |Page-based supervisor domain protection for 56 bit -physical addresses with RW permissions per page +|2 |`Smmtt56` |Page-based supervisor domain protection for 56 bit physical +addresses with RWX permissions per page -|5-15 |- |`_Reserved_` +|3-15 |- |`_Reserved_` |=== Implementations are not required to support all defined `MODE` settings when @@ -111,10 +102,10 @@ Instead, the fields of `mttp` are `WARL` in the normal way, when so indicated. The `MTTPPN` refers to an `MTTL3` table or an `MTTL2` table based on physical address width (`PAW`). For 56 >= `PAW` > 46, `MTTL3` table must be of size `2^(PAW-43)` bytes and naturally aligned to that sized byte boundary. For 46 ->= `PAW` > 32 the `MTTL2` table must be of size 2^(`PAW`-23) bytes for `Smmtt46` -and `Smmtt34`, 2^(`PAW`-22) bytes for `Smmtt46rw` and `Smmtt34rw`, and must be -naturally aligned to that sized byte boundary. In these modes, the lowest two -bits of the physical page number (`MTTPPN`) in `mttp` always read as zeros. +>= `PAW` > 32 the `MTTL2` table must be of size 2^(`PAW`-22) bytes for +`Smmtt46` and `Smmtt34`, and must be naturally aligned to that sized byte +boundary. In these modes, the lowest two bits of the physical page number +(`MTTPPN`) in `mttp` always read as zeros. The number of `SDID` bits is `UNSPECIFIED` and may be zero. The number of implemented `SDID` bits, termed `SDIDLEN`, may be determined by writing one to @@ -122,7 +113,7 @@ every bit position in the `SDID` field, then reading back the value in `mttp` to see which bit positions in the `SDID` field hold a one. The least-significant bits of `SDID` are implemented first: that is, if `SDIDLEN` > 0, `SDID`[`SDIDLEN`-1:0] is writable. The maximal value of `SDIDLEN`, termed -`SDIDMAX`, is 6 for `Smmtt34[rw]`, `Smmtt46[rw]`, and `Smmtt56[rw]`. +`SDIDMAX`, is 6 for `Smmtt[34 | 46 | 56]`. The `mttp` register is considered active for the purposes of the physical address protection algorithm unless the effective privilege mode is `M`. diff --git a/chapter4.adoc b/chapter4.adoc index eba2fb4..eca0f56 100644 --- a/chapter4.adoc +++ b/chapter4.adoc @@ -2,26 +2,59 @@ [[Smmtt]] == `Smmtt`: Hart MTT Extension -=== Smmtt[34, 46, 56]rw - -The `PPN` rooted structure for the MTT is shown below. The structure -below shows a 56 bit physical address lookup; for lower physical address -widths e.g. 46 bits, the `MTTL3` table is not applicable. In this mode of the -Smmtt[34, 46, 56]rw, each page is associated with a read and a write access -permission (2 bits). <> shows the Physical address (PA) being -used to index into the `MTT` structure in memory to lookup access -permissions for the supervisor domain specified in the `MTTL1` entry. -Intermediate `MTTL3` and `MTTL2` entries are used to allow this structure to -be sparsely populated. +[[Smmtt-rw]] +=== Smmtt[34 | 46 | 56] + +The Supervisor Physical Address (SPA) for RV32 and RV64 is shown below. +The MTT maps the SPA to read-write-execute access permissions. + +[caption="Figure {counter:image}: ", reftext="Figure {image}"] +[title="RV32 Supervisor Physical Address", id=rv32-spa] +[wavedrom, ,svg] +.... +{reg: [ + {bits: 12, name: 'page offset', attr: '12'}, + {bits: 3, name: 'pn[0]', attr: '3' }, + {bits: 10, name: 'pn[1]', attr: '10' }, + {bits: 9, name: 'pn[2]', attr: '9'}, +], config:{lanes: 1, hspace:1024}} +.... + +[caption="Figure {counter:image}: ", reftext="Figure {image}"] +[title="RV64 Supervisor Physical Address", id=rv64-spa] +[wavedrom, ,svg] +.... +{reg: [ + {bits: 12, name: 'page offset', attr: '12'}, + {bits: 4, name: 'pn[0]', attr: '4' }, + {bits: 9, name: 'pn[1]', attr: '9' }, + {bits: 21, name: 'pn[2]', attr: '21'}, + {bits: 10, name: 'pn[3]', attr: '10'}, +], config:{lanes: 1, hspace:1024}} +.... + +The `PPN` rooted structure for the MTT is shown below. <> +shows an RV64 supervisor physical address lookup; for lower physical +address widths e.g. 34 or 46 bits, the `MTTL3` table is not applicable as shown +in <>. Each physical-addressable page is associated with an +access-permission encoding. The Supervisor Physical address (SPA) is used to +index into the `MTT` structure in memory to lookup access permissions for the +supervisor domain specified in the `MTTL2` or `MTTL1` entries. Intermediate +`MTTL3` and `MTTL2` non-leaf entries are used to allow this structure to be +sparsely populated. [caption="Figure {counter:image}: ", reftext="Figure {image}"] -[title= "`MTT` Structures (overview)", id=mtt-map-rw] +[title= "`MTT` walk for RV64", id=mtt-map-rv64] image::images/fig3.png[] -The following MTT L2/L3 entries accomodate a 56 bit PAW. +[caption="Figure {counter:image}: ", reftext="Figure {image}"] +[title= "`MTT` walk for RV32", id=mtt-map-rv32] +image::images/fig3b.png[] + +The following MTT L3 entry accomodates a 56 bit PAW: [caption="Figure {counter:image}: ", reftext="Figure {image}"] -[title="`MTTL3` entry"] +[title="`MTTL3` entry (XLEN=64 only)"] [wavedrom, ,svg] .... {reg: [ @@ -30,14 +63,27 @@ The following MTT L2/L3 entries accomodate a 56 bit PAW. ], config:{lanes: 1, hspace:1024}} .... +The following are the `MTTL2` entry by XLEN: + [caption="Figure {counter:image}: ", reftext="Figure {image}"] -[title="`MTTL2` entry"] +[title="`MTTL2` entry (XLEN=64)"] [wavedrom, ,svg] .... {reg: [ {bits: 44, name: 'INFO'}, - {bits: 4, name: 'TYPE'}, - {bits: 16, name: 'ZERO'}, + {bits: 3, name: 'TYPE'}, + {bits: 17, name: 'ZERO'}, +], config:{lanes: 1, hspace:1024}} +.... + +[caption="Figure {counter:image}: ", reftext="Figure {image}"] +[title="`MTTL2` entry (XLEN=32)"] +[wavedrom, ,svg] +.... +{reg: [ + {bits: 22, name: 'INFO'}, + {bits: 3, name: 'TYPE'}, + {bits: 7, name: 'ZERO'}, ], config:{lanes: 1, hspace:1024}} .... @@ -46,184 +92,206 @@ The `ZERO` field must always be 0. The `TYPE` field determines the interpretation of the `MTTL2` entry. The `TYPE` field encoding is as follows: -* 0000b - `1G_disallow` - read and write access is not allowed for the 1G -range for this supervisor domain -* 0001b - `1G_allow_r` - read access for the 1G range is allowed for the -supervisor domain -* 0011b - `1G_allow_rw` - read and write access for the 1G range is allowed -for the supervisor domain -* 0100b - `MTT_L1_DIR` - The 32M range is composed of 8192x4K pages -* 0111b - `2M_PAGES` - The 32M range is composed of 16x2M pages -* All other encodings are `reserved` and cause an access violation +* 000b - `1G_disallow` - read, write or execute access is not allowed for the + 1 GiB range for the supervisor domain. +* 001b - `1G_allow_rx` - read and execute access for the 1 GiB range is allowed + for the supervisor domain. +* 010b - `1G_allow_rw` - read and write access for the 1 GiB range is allowed + for the supervisor domain +* 011b - `1G_allow_rwx` - read, write and execute access for the 1 GiB range is + allowed for the supervisor domain +* 100b - `MTT_L1_DIR` - The 32 MiB range is composed of 8192 x 4 KiB pages. +* 101b - `4M_PAGES` - The 32 MiB range is composed of 8 x 4 MiB pages. This + encoding only applies to RV32 and is reserved for RV64. +* 110b - `2M_PAGES` - The 32 MiB range is composed of 16 x 2 MiB pages. This + encoding only applies to RV64 and is reserved for RV32. +* 111b - `Reserved` for future use and causes an access violation if used. The `INFO` field depends on the `TYPE` field and is formatted as per the following table: +[[Smmtt-rw-l2-encoding]] .`MTTL2` Entry Type for Smmtt [width="100%",cols="25%,75%",options="header",] |=== |*`MTTL2` Entry `TYPE`* |*Description, `INFO` and `TYPE` field encoding* |`1G_disallow` a| -_The 1G range of address is not allowed for the domain._ -The `INFO` field must be 0. -When configuring 1G ranges, RDSM ensures that 32 `MTTL2` entries, each -corresponding to 32M of address space, have identical `TYPE` field values. - -|`1G_allow_r` a| -_The 1G range of address is allowed (read only) for the domain._ -The `INFO` field must be 0. -When configuring 1G ranges, RDSM ensures that 32 `MTTL2` entries, each -corresponding to 32M of address space, have identical `TYPE` field values. -The INFO field must be 0. +_read, write or execute is not allowed to this 1 GiB address range for the +domain._ The `INFO` field must be 0. When configuring 1 GiB ranges, RDSM must +ensure that 32 `MTTL2` entries, each corresponding to 32 MiB of address space, +have identical `TYPE` field values. + +|`1G_allow_rx` a| +_read and execute (but no write) is allowed to this 1 GiB address range for the +domain._ The `INFO` field must be 0. When configuring 1 GiB ranges, RDSM must +ensure that 32 `MTTL2` entries, each corresponding to 32 MiB of address space, +have identical `TYPE` field values. |`1G_allow_rw` a| -_The 1G range of address is allowed (read/write) for the domain._ -The `INFO` field must be 0. -When configuring 1G ranges, RDSM ensures that 32 `MTTL2` entries, each -corresponding to 32M of address space, have identical `TYPE` field values. +_read and write (but no execute) is allowed to this 1 GiB address range for the +domain._ The `INFO` field must be 0. When configuring 1 GiB ranges, RDSM must +ensure that 32 `MTTL2` entries, each corresponding to 32 MiB of address space, +have identical `TYPE` field values. + +|`1G_allow_rwx` a| +_read, write and execute is allowed to this 1 GiB address range for the domain._ +The `INFO` field must be 0. When configuring 1 GiB ranges, RDSM must ensure that +32 `MTTL2` entries, each corresponding to 32 MiB of address space, have +identical `TYPE` field values. |`MTT_L1_DIR` a| -The `INFO` field provides the PPN of the `MTTL1` page. -Entries of the `MTTL1` page hold a 4-bit `PERM` (permissions) field to indicate -the access for the supervisor domain (described in the `MTTL1` entry -<>). +The `INFO` field provides the PPN of the `MTTL1` page. Entries of the `MTTL1` +page hold XLEN/4 4-bit fields with 2-bit `PERM` field (bits 1:0) and 2 reserved +bits (3:2) for future use. The 2-bit `PERM` field holds access-permission +for 4 KiB pages for the supervisor domain, as described in <> for +RV64 and <> for RV32. |`2M_PAGES` a| -_The 32M range of address space is partitioned into 2M pages where each -page has read/write access allowed/not._ -The `INFO` field 31:0 holds 2 `PERM` bits per 2M address range to indicate -`access_disallowed` (00b), `read_allowed` (01b), `read_write_allowed` (11b); -(10b is `reserved`). Bits 32:43 are reserved and must be zero. +This encoding applies only to RV64. +_The 32 MiB range of address space is partitioned into 16 2 MiB pages where each +page has read/write/execute access allowed/not specified via the `INFO` field._ +The `INFO` field holds 16 2-bit `PERM` access-encoding for each 2 MiB address +range to indicate: `no_access_allowed` (00b), `read-execute-allowed` (01b), +`read-write-allowed` (10b), `read-write-execute-allowed` (11b). Bits +_mpte.info[31:0]_ holds the 2 MiB page permissions, and _mpte.info[43:32]_ are +reserved and must be zero. + +|`4M_PAGES` a| +This encoding applies only to RV32. +_The 32 MiB range of address space is partitioned into 8 4 MiB pages where each +page has read/write/execute access allowed/not specified via the `INFO` field._ +The `INFO` field holds 8 2-bit `PERM` access-encoding for each 4 MiB address +range to indicate: `no_access_allowed` (00b), `read-execute-allowed` (01b), +`read-write-allowed` (10b), `read-write-execute-allowed` (11b). Bits +_mpte.info[15:0]_ holds the 2 MiB page permissions, and _mpte.info[21:16]_ are +reserved and must be zero. |=== - -`MTTL1` table is populated if protection granularity of the 4KiB page is +The `MTTL1` table is populated if protection granularity of the 4 KiB page is desired for the supervisor domain. -`MTTL1` entry is indexed using PA[24:12] and each entry is a 4-bit `PERM` field -in the referenced page. The bits 24:16 are used to select a 64-bit field -in the page and bits 15:12 are used to select a 4 bit `PERM` field in those 64 -bits. Thus, there are 4 `PERM` bits for each 4 KiB page. The encoding of `PERM` -is as follows: +The `MTTL1` entry is XLEN wide and holds XLEN/4 number of 4-bit fields where +each field specifies 2-bit access-permissions for a 4 KiB page (with 2 bits +reserved for future uses). The entry is selected by page.pn[1], and the 4-bit +field in the entry is selected using page.pn[0], with lsb bits 1:0 holding the +access-permission encoding. See <> for XLEN = 64 and +<> for XLEN = 32. Thus, there are 2 `PERM` bits for each 4 KiB +page. The encoding of `PERM` is as follows: -* 0000b - the 4K page specifies access is *not allowed* for the domain -* 0001b - the 4K page specifies *read* access is allowed for the domain -* 0011b - the 4K page specifies *read* and *write* access is allowed for the -domain -* Remaining encodings are *reserved* and cause an access violation. +[[Smmtt-rw-l1-encoding]] +.`MTTL1` Entry permission encoding +[width="100%",cols="25%,75%",options="header",] +|=== +|*`MTTL1` Access-permission encoding* |*Description* +|00b a| +The entry specifies access to the 4 KiB address space is *not allowed* for the +domain. +|01b a| +The entry specifies *read* and *execute* (but *no write*) access is allowed +to the 4 KiB address space for the domain. +|10b a| +The entry specifies *read* and *write* (but *no execute*) access is allowed +to the 4 KiB address space for the domain. +|11b a| +The entry specifies *read*, *write* and *execute* access is allowed to the 4 KiB +address space for the domain. +|=== [caption="Figure {counter:image}: ", reftext="Figure {image}"] -[title="`MTTL1` entry", id=mtt-l1-rw] +[title="`MTTL1` entry (XLEN=64)", id=mtt-l1-rv64] [wavedrom, ,svg] .... {reg: [ - {bits: 4, name: 'PERM'}, + {bits: 2, name: 'PERM'}, + {bits: 2, name: 'resv'}, {bits: 56, name: '...'}, - {bits: 4, name: 'PERM'}, + {bits: 2, name: 'PERM'}, + {bits: 2, name: 'resv'}, ], config:{lanes: 1, hspace:1024}} .... -=== Smmtt[34, 46, 56] - -The PPN rooted structure for the MTT is shown below. The structure -below shows a 56 bit physical address lookup; for lower physical address -widths e.g. 46 bits, the L3 table is not applicable. In this mode of the -Smmtt[34, 46, 56], each page is associated with an access allowed/disallowed -permission (1 bit) to allow for efficient caching. - [caption="Figure {counter:image}: ", reftext="Figure {image}"] -[title= "MTT Structures (overview)", id=mtt-map] -image::images/fig4.png[] - -[caption="Figure {counter:image}: ", reftext="Figure {image}"] -[title="`MTTL3` entry"] +[title="`MTTL1` entry (XLEN=32)", id=mtt-l1-rv32] [wavedrom, ,svg] .... {reg: [ - {bits: 44, name: 'MTTL2 PPN'}, - {bits: 20, name: 'ZERO'}, + {bits: 2, name: 'PERM'}, + {bits: 2, name: 'resv'}, + {bits: 24, name: '...'}, + {bits: 2, name: 'PERM'}, + {bits: 2, name: 'resv'}, ], config:{lanes: 1, hspace:1024}} .... -[caption="Figure {counter:image}: ", reftext="Figure {image}"] -[title="`MTTL2` entry"] -[wavedrom, ,svg] -.... -{reg: [ - {bits: 44, name: 'INFO'}, - {bits: 2, name: 'TYPE'}, - {bits: 18, name: 'ZERO'}, -], config:{lanes: 1, hspace:1024}} -.... +=== MTT access permissions lookup process -The `ZERO` field must always be 0. +MTT access-permissions for a physical address PA in the context of a +supervisor domain is ascertained as follows: -The `TYPE` field determines the interpretation of the `MTTL2` entry. The -`TYPE` field encoding is as follows: +1. Let _a_ be `mttp.ppn` x PAGESIZE, and let _i_ = LEVELS, where for mode +`Smmtt34`, LEVELS = 2 and for `Smmtt[46 | 56]`, LEVELS = 3; PAGESIZE +is 2^12^; MTT NON_LEAF_PTE_SIZE = 8 bytes (for RV32, MTT NON_LEAF_PTE_SIZE = +4 bytes). The `mttp` register must be active, i.e., the effective privilege mode +must be not-M-mode. -* 00b - `1G_disallow` - access to the 1G range is disallowed -* 01b - `1G_allow` - access to the 1G range is allowed -* 10b - `MTT_L1_DIR` - The 64M range is composed of 16384x4K pages -* 11b - `2M_PAGES` - The 64M range is composed of 32x2M pages +2. Let _mpte_ be the value of the `MTT` table entry at address _a_ + _pa.pn[i]_ + x NON_LEAF_PTE_SIZE. If accessing _mpte_ violates a PMA or PMP check, raise +an access-fault exception corresponding to the original access type. -The `INFO` field depends on the `TYPE` field and is formatted as per the table: +3. If any bits or encodings that are reserved for future standard use are +set within _mpte_, stop and raise an access-fault exception corresponding to +the original access type. -.`MTTL2` Entry for Smmtt[34, 46, 56] -[width="100%",cols="25%,75%",options="header",] -|=== -|*`MTTL2` Entry Type* |*Description, `INFO` and `TYPE` field encoding* -|`1G_allow` a| -_The 1G range of address is allowed for the domain._ -The `INFO` field must be 0. -When configuring 1G ranges, RDSM ensures that 16 `MTTL2` entries, each -corresponding to 64M of address space, have identical `TYPE` field values. +4. Otherwise, the _mpte_ is valid. If (_i_=0) or (_i_=1 and _mpte.type_ is not +`MTT_L1_DIR`), go to step 5. Otherwise, the _mpte_ is a pointer to the next +level of the `MTT`. Let _i_ = _i_-1. If _i_ < 0, stop and raise an access-fault +exception corresponding to the original access type. Otherwise, let +_a_ = _mpte.ppn_ x PAGESIZE and go to step 2. Note that when _mpte.type_ = +`MTT_L1_DIR`, the _mpte.ppn_ is the value of the _mpte.info_ field. -|`1G_disallow` a| -_The 1G range of address is not allowed for the domain._ -The `INFO` field must be 0. -When configuring 1G ranges, RDSM ensures that 16 `MTTL2` entries, each -corresponding to 64M of address space, have identical `TYPE` field values. +5. A leaf _mpte_ has been found. If any bits or encodings within _mpte.type_ +and _mpte.info_ that are reserved for future standard use, per +<>, are set within _mpte_, stop and raise an access-fault +exception corresponding to the access type. -|`MTT_L1_DIR` a| -The `INFO` field provides the PPN of the `MTTL1` page. -Entries of the `MTTL1` page hold a 2-bit `PERM` field to indicate the access -for the supervisor domain (described in the `MTTL1` entry <>). +6. The _mpte_ is a valid leaf _mpte_. Fetch the access-permissions for the +physical address per the steps described below: -|`2M_PAGES` a| -_The 64M range of address space is partitioned into 2M pages where each -page has access allowed/not._ -The `INFO` field bits 31:0 holds 1 bit per 2M address range to indicate -access disallowed(0b) or allowed (1b). `INFO` field bits 43:32 are -reserved (must be zero). -|=== +* if _i_=1, and the _mpte.type_ field directly specifies the access-permissions +for 1 GiB page regions (via 32 MTTL2 entries with identical _mpte.type_ values - +see <>); go to step 7, else -`MTTL1` table is populated if 4KiB page confidential pages are required -for the supervisor domain. +* if _i_=1, and for XLEN = 64 and the _mpte.type_ field value `2M_PAGES`, the +_mpte.info_[31:0] field contains 16 entries of 2-bit access-permission encodings +for 16 2 MiB address regions; For XLEN=32 and _mpte.type_ field value of +`4M_PAGES`, the _mpte.info_[16:0] field contains 8 entries of 2-bit +access-permission encodings for 8 4 MiB regions - see <>; +go to step 7, else -`MTTL1` entry is indexed using PA[25:12] and each entry is a 2-bit `PERM` field -in the referenced page. The bits 25:16 are used to select a 64-bit field -in the page and bits 16:12 are used to select a 2 bit `PERM` field in those 64 -bits. Thus, there are 2 `PERM` bits for each 4 KiB page. The encoding is as -follows: +* if _i_=0, the _mpte_ contains XLEN/4 entries that holds access-permission +encodings for 4 KiB pages. The 4-bit field has the lsb 2-bits specify the +access-permission encoding for the _pa_ (and 2 bits reserved) in the _mpte_ is +indexed via _pa.pn[i]_. The encodings are specified in <>. -* 00b - the 4K page specifies access is *not allowed* for the domain -* 01b - the 4K page specifies access is *allowed* for the domain -* 1xb - *reserved* (access causes access violation). +7. Determine if the requested physical memory access is allowed per the +access-permissions. If access is not permitted, stop and raise an access-fault +exception corresponding to the original access type. -[caption="Figure {counter:image}: ", reftext="Figure {image}"] -[title="`MTTL1` entry", id=mtt-l1] -[wavedrom, ,svg] -.... -{reg: [ - {bits: 2, name: 'PERM'}, - {bits: 60, name: '...'}, - {bits: 2, name: 'PERM'}, -], config:{lanes: 1, hspace:1024}} -.... +8. The access is allowed per the `MTT` lookup. + +All implicit accesses to the non-leaf memory tracking table data structures in +this algorithm are performed using width NON_LEAF_PTE_SIZE. + +[NOTE] +==== +MTT access-permissions can only further restrict access, and never grant +read, write or execute permission denied by 1st-stage or G-stage translations. +==== === Access Enforcement and Fault Reporting -As shown in <>, MTT lookup composes with, but does not require, +As shown in <>, and described in the MTT lookup process, +MTT lookup composes with, but does not require, page-based virtual memory (MMU, IOMMU) and physical memory protection mechanisms (PMP, Smepmp, IOPMP). When paging is enabled, instructions that access virtual memory may result in multiple physical-memory accesses, including (implicit @@ -271,7 +339,7 @@ in-memory MTT structures with current execution. `MFENCE.SPA` in this case, applies only to the memory tracking table data structures controlled by the CSR `mttp`. Executing a `MFENCE.SPA` guarantees that any previous stores already visible to the current hart are ordered before all implicit reads by that hart -done for the `MTT` for non-M-mode instructions that follow the `MFENCE.SPA`. +done for the `MTT` for non- `M-mode` instructions that follow the `MFENCE.SPA`. When `MINVAL.SPA` is used, access-permission cache synchronization may be batch optimized via the use of the sequence `SFENCE.W.INVAL`, `MINVAL.SPA` and diff --git a/images/fig3.png b/images/fig3.png index f72785d..6d14cf7 100644 Binary files a/images/fig3.png and b/images/fig3.png differ diff --git a/images/fig3b.png b/images/fig3b.png new file mode 100644 index 0000000..c94face Binary files /dev/null and b/images/fig3b.png differ diff --git a/images/fig4.png b/images/fig4.png deleted file mode 100644 index b4842f8..0000000 Binary files a/images/fig4.png and /dev/null differ