Re: comments on PMP enhancements
Jonathan Behrens <behrensj@...>
toggle quoted message Show quoted text
Coming from an operating systems background, the concern about locking PMP entries being absolutely necessary for security comes across as overblown. I've never heard of a platform that provided locking functionality for page tables, yet no one says that all operating systems are insecure because of that. And page tables are vastly easier to modify: any store instruction in the entire text segment could be targeted to overwrite a PTE. By contrast, overwriting PMP entries requires dedicated PMP CSR instructions which appear in a handful of functions at most (if that!). Thinking about it, you could achieve basically the same effect as locking just by configuring the PMP so that all M-mode executable regions were read only and contained no PMP CSR instructions.
None of this is to say that we shouldn't supported locked PMP regions, just that it is important to be realistic about what benefit in practice they'd carry over the write XOR execute unlocked regions. Similarly, it is definitely worth trying to keep PMP as simple as possible while still providing the necessary functionality.
On Mon, Feb 17, 2020 at 10:27 PM Nick Kossifidis via Lists.Riscv.Org <mick=ics.forth.gr@...> wrote: