On 2/12/20 10:38 PM, John Hauser wrote:

Bill Huffman wrote:

Chipmakers sometimes wish to include code in a memory region which is
set by boot code to be execute-only forever (until reset). They want to
do this so that even their customers, who do additional programming on
the chip - including in M mode - cannot read the chipmaker's code.

With the statements about MXR, MPRV, and MPP below, I think this can
only be accomplished for code executable in M mode only.

Concerning PMP, that's what I was suggesting, yes.

I wonder if there is a way it can be done for code executable in S/U
mode.

I believe the answer can be physical memory attributes (PMAs), which
apply in addition to the software-programmable PMP mechanism. If this
is a ROM at known addresses, then just say the region is execute-only
according to the machine's PMAs. PMP can't override that.

If the address range is unknown at chip fabrication time or starts as
writable, you can still invent a custom mechanism to manipulate the
chip's PMAs underneath the standard PMP facility, without violating
any RISC-V rules as I understand them. Obviously, a custom mechanism
wouldn't be portable beyond your own line of chips, but it doesn't need
to be for this purpose, does it?

- John Hauser

Sure, something custom would work. And what you suggested is a good
possibility. But I brought it up because I thought the use case might
be more broadly applicable and maybe some combination in the privilege
spec would allow for that. I'll think some more about it.

Bill