Dear architect，

Can the M interrupt such as MTI be delegated to S mode  ?

Regards,

Oscar Jupp

Dear architect，

Can the M interrupt such as MTI be delegated to S mode  ?

Regards,

Oscar Jupp

Comments embedded:

On Dec 7, 2022, at 11:39 AM, Allen Baum via lists.riscv.org <allen.baum=esperantotech.com@...> wrote:

As far as I can tell,  an implementation may, but is not required to,  disallow it. 

I suspect all implementations disallow it, by forcing those bits in mideleg to 0. OpenSBI does not attempt to delegate those interrupts.[1]

If it is delegated, it shows up in the SIP. STIP bit

How so? I would expect it to show up in SIP[7], which is defined as 0 in the privileged spec, but corresponds to the MTIP bit. There is no mechanism for an interrupt to show up in a different position in SIP vs MIP.

But, if it is delegated, then it can only be cleared by an ECALL to Mmode SW..

MTIP is controlled by a wire driven by a memory-mapped interrupt controller (e.g. PLIC). If an SBI decided to delegate MTI to S-mode then they might also allow S-mode software to access the interrupt controller too, removing any need for an ECALL.

[1] https://github.com/riscv-software-src/opensbi/blob/b6e520b2a836cd7cc8dc99c25a21a470e8589888/lib/sbi/sbi_hart.c#L200-L202 but line 200 apparently has a typo and should say “S-mode interrupts” instead of “M-mode interrupts"

The non-normative note below figure 4.6 and 4.7 say that – but they don’t show that! 

 

 There is (currently) only one timer signal coming in.

If MTIP is delegated without STIP being set (Mmode can set it), then I'm not quite sure what happens; no trap is ever taken, I suspect - it is equivalent to disabling timer interrupts completely,

since both SIP and SIE are required to be set for the trap to occur, and they won't occur in M-mode because the delegation bit is set.

So, it has to show up in SIP if a trap is taken f MTIP delegated (it just doesn't automatically show up)

Spec section 3.1.8 says

 "if the supervisor timer interrupt (STI) is delegated to S-mode by setting mideleg[5], STIs will not be taken when executing in M-mode."

My reading of the spec is that both medeleg.stip] and xip.stip must be set for the trap to occur to an smode handler.

As Paul points out, delegating may not be advised, because the resources to clear the interrupt may not be available to Smode (which means an ECALL to Mmode to clear it)

and if it is available to Smode, then you have a security issue, because Smode can effectively ensure timer interrupts will never occur again.

That problem will go away if the STIMER extension is ratified, I think.

On Wed, Dec 7, 2022 at 2:23 PM Jeff Scott <jeff.scott@...> wrote:

Also from the spec:

 

“Bits 3, 7, and 11 of sip and sie correspond to the machine-mode software, timer, and

external interrupts, respectively. Since most platforms will choose not to make these interrupts

delegatable from M-mode to S-mode, they are shown as hardwired to 0 in Figures 4.6 and 4.7.”

 

I think the source of confusion is “most”.

 

Jeff

 

From: tech-privileged@... <tech-privileged@...> On Behalf Of Jeff Scott via lists.riscv.org
Sent: Wednesday, December 7, 2022 4:17 PM
To: allen.baum@...; Scott Johnson <scott.johnson@...>
Cc: Oscar Jupp <jupposcar@...>; tech-privileged@...; tech-privileged@...
Subject: [EXT] Re: [RISC-V] [tech-privileged] Question about mideleg

 

Caution: EXT Email

Allen,

 

I don’t agree that a machine mode interrupt (MEI, MSI, MTI) delegated to supervisor mode shows up in SIP as the supervisor version (SEI, SSI, STI) and not the machine version (MEI, MSI, MTI).

 

From the spec “The sip and sie registers are subsets of the mip and mie registers. Reading any implemented

field, or writing any writable field, of sip/sie effects a read or write of the homonymous field

of mip/mie.”

 

This discussion has come up before by the way.  If we updated the spec as a result of the last discussion, this wouldn’t have come up again.

 

Jeff

 

From: tech-privileged@... <tech-privileged@...> On Behalf Of Allen Baum via lists.riscv.org
Sent: Wednesday, December 7, 2022 3:52 PM
To: Scott Johnson <scott.johnson@...>
Cc: Oscar Jupp <jupposcar@...>; tech-privileged@...; tech-privileged@...
Subject: [EXT] Re: [RISC-V] [tech-privileged] Question about mideleg

 

Caution: EXT Email

I was looking figure 4.6 of the priv spec, and it does show STIP as bit 5, not bit 7. Bit 7 is MTIP, and it is invisible to Smode.

That's why the interrupt pending bit shows up in bit 5 if delegated, but bit 7 if not.

 

MTIP is NOT driven by the PLIC; the PLIC only sends external interrupts, not timer interrupts (which correspond to bits xstatus[11..9]

 

The timer interrupt can only be reset by writing the MTIMECMP CSR, which is M-only. An implementation could have a custom alias to that that would enable Smode to write it,

but that;s dangerous, as that means that Scode could prevent Mmode from getting timer interrupts by setting the CSR to a value in the far future.

 

On Wed, Dec 7, 2022 at 9:59 AM Scott Johnson <scott.johnson@...> wrote:

Comments embedded:

 

On Dec 7, 2022, at 11:39 AM, Allen Baum via lists.riscv.org <allen.baum=esperantotech.com@...> wrote:

 

As far as I can tell,  an implementation may, but is not required to,  disallow it. 

 

I suspect all implementations disallow it, by forcing those bits in mideleg to 0. OpenSBI does not attempt to delegate those interrupts.[1]

If it is delegated, it shows up in the SIP. STIP bit

 

How so? I would expect it to show up in SIP[7], which is defined as 0 in the privileged spec, but corresponds to the MTIP bit. There is no mechanism for an interrupt to show up in a different position in SIP vs MIP.

 

 

But, if it is delegated, then it can only be cleared by an ECALL to Mmode SW..

 

MTIP is controlled by a wire driven by a memory-mapped interrupt controller (e.g. PLIC). If an SBI decided to delegate MTI to S-mode then they might also allow S-mode software to access the interrupt controller too, removing any need for an ECALL.

 

 

[1] https://github.com/riscv-software-src/opensbi/blob/b6e520b2a836cd7cc8dc99c25a21a470e8589888/lib/sbi/sbi_hart.c#L200-L202 but line 200 apparently has a typo and should say “S-mode interrupts” instead of “M-mode interrupts"

Allen,

 

If you delegate mtip, and you get a mtip, bit 7 in sip will be set, as well as bit 7 in mip.

 

I agree that the non-normative note does not match what is shown in 4.6.  This has been discussed before.

 

Jeff

 

From: Allen Baum <allen.baum@...>
Sent: Wednesday, December 7, 2022 5:07 PM
To: Jeff Scott <jeff.scott@...>
Cc: Scott Johnson <scott.johnson@...>; Oscar Jupp <jupposcar@...>; tech-privileged@...; tech-privileged@...
Subject: Re: [EXT] Re: [RISC-V] [tech-privileged] Question about mideleg

 

Caution: EXT Email

The non-normative note below figure 4.6 and 4.7 say that – but they don’t show that! 

 

 There is (currently) only one timer signal coming in.

If MTIP is delegated without STIP being set (Mmode can set it), then I'm not quite sure what happens; no trap is ever taken, I suspect - it is equivalent to disabling timer interrupts completely,

since both SIP and SIE are required to be set for the trap to occur, and they won't occur in M-mode because the delegation bit is set.

 

So, it has to show up in SIP if a trap is taken f MTIP delegated (it just doesn't automatically show up)

Spec section 3.1.8 says

 "if the supervisor timer interrupt (STI) is delegated to S-mode by setting mideleg[5], STIs will not be taken when executing in M-mode."

My reading of the spec is that both medeleg.stip] and xip.stip must be set for the trap to occur to an smode handler.

As Paul points out, delegating may not be advised, because the resources to clear the interrupt may not be available to Smode (which means an ECALL to Mmode to clear it)

and if it is available to Smode, then you have a security issue, because Smode can effectively ensure timer interrupts will never occur again.

That problem will go away if the STIMER extension is ratified, I think.

 

On Wed, Dec 7, 2022 at 2:23 PM Jeff Scott <jeff.scott@...> wrote:

Also from the spec:

 

“Bits 3, 7, and 11 of sip and sie correspond to the machine-mode software, timer, and

external interrupts, respectively. Since most platforms will choose not to make these interrupts

delegatable from M-mode to S-mode, they are shown as hardwired to 0 in Figures 4.6 and 4.7.”

 

I think the source of confusion is “most”.

 

Jeff

 

From: tech-privileged@... <tech-privileged@...> On Behalf Of Jeff Scott via lists.riscv.org
Sent: Wednesday, December 7, 2022 4:17 PM
To: allen.baum@...; Scott Johnson <scott.johnson@...>
Cc: Oscar Jupp <jupposcar@...>; tech-privileged@...; tech-privileged@...
Subject: [EXT] Re: [RISC-V] [tech-privileged] Question about mideleg

 

Caution: EXT Email

Allen,

 

I don’t agree that a machine mode interrupt (MEI, MSI, MTI) delegated to supervisor mode shows up in SIP as the supervisor version (SEI, SSI, STI) and not the machine version (MEI, MSI, MTI).

 

From the spec “The sip and sie registers are subsets of the mip and mie registers. Reading any implemented

field, or writing any writable field, of sip/sie effects a read or write of the homonymous field

of mip/mie.”

 

This discussion has come up before by the way.  If we updated the spec as a result of the last discussion, this wouldn’t have come up again.

 

Jeff

 

From: tech-privileged@... <tech-privileged@...> On Behalf Of Allen Baum via lists.riscv.org
Sent: Wednesday, December 7, 2022 3:52 PM
To: Scott Johnson <scott.johnson@...>
Cc: Oscar Jupp <jupposcar@...>; tech-privileged@...; tech-privileged@...
Subject: [EXT] Re: [RISC-V] [tech-privileged] Question about mideleg

 

Caution: EXT Email

I was looking figure 4.6 of the priv spec, and it does show STIP as bit 5, not bit 7. Bit 7 is MTIP, and it is invisible to Smode.

That's why the interrupt pending bit shows up in bit 5 if delegated, but bit 7 if not.

 

MTIP is NOT driven by the PLIC; the PLIC only sends external interrupts, not timer interrupts (which correspond to bits xstatus[11..9]

 

The timer interrupt can only be reset by writing the MTIMECMP CSR, which is M-only. An implementation could have a custom alias to that that would enable Smode to write it,

but that;s dangerous, as that means that Scode could prevent Mmode from getting timer interrupts by setting the CSR to a value in the far future.

 

On Wed, Dec 7, 2022 at 9:59 AM Scott Johnson <scott.johnson@...> wrote:

Comments embedded:

 

On Dec 7, 2022, at 11:39 AM, Allen Baum via lists.riscv.org <allen.baum=esperantotech.com@...> wrote:

 

As far as I can tell,  an implementation may, but is not required to,  disallow it. 

 

I suspect all implementations disallow it, by forcing those bits in mideleg to 0. OpenSBI does not attempt to delegate those interrupts.[1]

If it is delegated, it shows up in the SIP. STIP bit

 

How so? I would expect it to show up in SIP[7], which is defined as 0 in the privileged spec, but corresponds to the MTIP bit. There is no mechanism for an interrupt to show up in a different position in SIP vs MIP.

 

 

But, if it is delegated, then it can only be cleared by an ECALL to Mmode SW..

 

MTIP is controlled by a wire driven by a memory-mapped interrupt controller (e.g. PLIC). If an SBI decided to delegate MTI to S-mode then they might also allow S-mode software to access the interrupt controller too, removing any need for an ECALL.

 

 

[1] https://github.com/riscv-software-src/opensbi/blob/b6e520b2a836cd7cc8dc99c25a21a470e8589888/lib/sbi/sbi_hart.c#L200-L202 but line 200 apparently has a typo and should say “S-mode interrupts” instead of “M-mode interrupts"