On 11/2/21 15:44, Darius Rad wrote:

On Tue, Nov 02, 2021 at 09:45:43AM +0100, Heinrich Schuchardt wrote:

On 10/31/21 08:51, Atish Patra wrote:

This version of the platform specification doesn't mandate M-mode
requirements. However, it should specify M-mode access protection
from lower privilege modes for platforms that do implement M-mode.
Otherwise, it is not very clear that such protection is required
to avoid lower privilege modes overwriting the memory where resident
firmware continues to run.

Signed-off-by: Atish Patra <atish.patra@...>
---
riscv-platform-spec.adoc | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)

diff --git a/riscv-platform-spec.adoc b/riscv-platform-spec.adoc
index bf92acb32329..a3c9c7b2ffb2 100644
--- a/riscv-platform-spec.adoc
+++ b/riscv-platform-spec.adoc
@@ -543,6 +543,18 @@ software components:
Rationale: The platform specification intends to avoid fragmentation and
promotes interoperability.
+=== Security
+** If M-mode is supported in the platform, all machine mode assets, such as
+code and data, are protected from all non-machine mode accesses from the

%s/are/shall be/

Having M-mode does not protect anything. It is something the platform must
implement, e.g. via MMU configuration. We should use the wording according
to RFC 2119.

If that is indeed the case, that we should be using wording according to
RFC 2119, then this specification or the policy should be updated to
specifically say that.

We should use a language that is unambiguous. RFC 2119 is well established in the software industry. I am not aware of a better alternative. For sure it makes sense to reference this RFC in out spec.

Best regards

Heinrich

+harts in the system. Additionally, I/O agent access protection should also
+required within the system to protect machine mode assets. Therefore, the
+following requirements are recommended for platforms with M-mode:
+
+*** Platform should provide a protection mechanism from non-machine mode hart
+transactions that precisely traps if violated.
+*** Platform should provide a protection mechanism from I/O agents manipulating
+or accessing machine mode assets.

%s/should/must/

"should" would indicate that this protection is only recommended but not
required (cf. RFC 2119). Was this really your intent here? I would prefer to
avoid such ambiguity.

+
// Server extension for OS-A Platform
=== Server Extension
The server extension specifies additional requirements for server class
@@ -932,6 +944,16 @@ configuration.
** It is clearly understood what aspects of the platform boot process are
protected by secure boot.
+** If M-mode is supported in the platform, all machine mode assets, such as
+code and data, are protected from all non-machine mode accesses from the
+harts in the system. Additionally, I/O agent access protection should also
+required within the system to protect machine mode assets. Therefore, the
+following requirements are recommended for platforms with M-mode:
+
+*** Platform should provide a protection mechanism from non-machine mode hart
+transactions that precisely traps if violated.
+*** Platform should provide a protection mechanism from I/O agents manipulating
+or accessing machine mode assets.

Why do you duplicate this text. If it is defined for the base, it is already
required for the extension.

Best regards

Heinrich

==== RAS
All the below mentioned RAS features are required for the OS-A platform server

On Tue, Nov 02, 2021 at 09:45:43AM +0100, Heinrich Schuchardt wrote:

On 10/31/21 08:51, Atish Patra wrote:

This version of the platform specification doesn't mandate M-mode
requirements. However, it should specify M-mode access protection
from lower privilege modes for platforms that do implement M-mode.
Otherwise, it is not very clear that such protection is required
to avoid lower privilege modes overwriting the memory where resident
firmware continues to run.

Signed-off-by: Atish Patra <atish.patra@...>
---
riscv-platform-spec.adoc | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)

diff --git a/riscv-platform-spec.adoc b/riscv-platform-spec.adoc
index bf92acb32329..a3c9c7b2ffb2 100644
--- a/riscv-platform-spec.adoc
+++ b/riscv-platform-spec.adoc
@@ -543,6 +543,18 @@ software components:
Rationale: The platform specification intends to avoid fragmentation and
promotes interoperability.
+=== Security
+** If M-mode is supported in the platform, all machine mode assets, such as
+code and data, are protected from all non-machine mode accesses from the

%s/are/shall be/

Having M-mode does not protect anything. It is something the platform must
implement, e.g. via MMU configuration. We should use the wording according
to RFC 2119.

If that is indeed the case, that we should be using wording according to
RFC 2119, then this specification or the policy should be updated to
specifically say that.

+harts in the system. Additionally, I/O agent access protection should also
+required within the system to protect machine mode assets. Therefore, the
+following requirements are recommended for platforms with M-mode:
+
+*** Platform should provide a protection mechanism from non-machine mode hart
+transactions that precisely traps if violated.
+*** Platform should provide a protection mechanism from I/O agents manipulating
+or accessing machine mode assets.

%s/should/must/

"should" would indicate that this protection is only recommended but not
required (cf. RFC 2119). Was this really your intent here? I would prefer to
avoid such ambiguity.

+
// Server extension for OS-A Platform
=== Server Extension
The server extension specifies additional requirements for server class
@@ -932,6 +944,16 @@ configuration.
** It is clearly understood what aspects of the platform boot process are
protected by secure boot.
+** If M-mode is supported in the platform, all machine mode assets, such as
+code and data, are protected from all non-machine mode accesses from the
+harts in the system. Additionally, I/O agent access protection should also
+required within the system to protect machine mode assets. Therefore, the
+following requirements are recommended for platforms with M-mode:
+
+*** Platform should provide a protection mechanism from non-machine mode hart
+transactions that precisely traps if violated.
+*** Platform should provide a protection mechanism from I/O agents manipulating
+or accessing machine mode assets.

Why do you duplicate this text. If it is defined for the base, it is already
required for the extension.

Best regards

Heinrich

==== RAS
All the below mentioned RAS features are required for the OS-A platform server

On 10/31/21 08:51, Atish Patra wrote:

This version of the platform specification doesn't mandate M-mode
requirements. However, it should specify M-mode access protection
from lower privilege modes for platforms that do implement M-mode.
Otherwise, it is not very clear that such protection is required
to avoid lower privilege modes overwriting the memory where resident
firmware continues to run.
Signed-off-by: Atish Patra <atish.patra@...>
---
riscv-platform-spec.adoc | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/riscv-platform-spec.adoc b/riscv-platform-spec.adoc
index bf92acb32329..a3c9c7b2ffb2 100644
--- a/riscv-platform-spec.adoc
+++ b/riscv-platform-spec.adoc
@@ -543,6 +543,18 @@ software components:
Rationale: The platform specification intends to avoid fragmentation and
promotes interoperability.
+=== Security
+** If M-mode is supported in the platform, all machine mode assets, such as
+code and data, are protected from all non-machine mode accesses from the

%s/are/shall be/

Having M-mode does not protect anything. It is something the platform must implement, e.g. via MMU configuration. We should use the wording according to RFC 2119.

+harts in the system. Additionally, I/O agent access protection should also
+required within the system to protect machine mode assets. Therefore, the
+following requirements are recommended for platforms with M-mode:
+
+*** Platform should provide a protection mechanism from non-machine mode hart
+transactions that precisely traps if violated.
+*** Platform should provide a protection mechanism from I/O agents manipulating
+or accessing machine mode assets.

%s/should/must/

"should" would indicate that this protection is only recommended but not required (cf. RFC 2119). Was this really your intent here? I would prefer to avoid such ambiguity.

+
// Server extension for OS-A Platform
=== Server Extension
The server extension specifies additional requirements for server class
@@ -932,6 +944,16 @@ configuration.
** It is clearly understood what aspects of the platform boot process are
protected by secure boot.
+** If M-mode is supported in the platform, all machine mode assets, such as
+code and data, are protected from all non-machine mode accesses from the
+harts in the system. Additionally, I/O agent access protection should also
+required within the system to protect machine mode assets. Therefore, the
+following requirements are recommended for platforms with M-mode:
+
+*** Platform should provide a protection mechanism from non-machine mode hart
+transactions that precisely traps if violated.
+*** Platform should provide a protection mechanism from I/O agents manipulating
+or accessing machine mode assets.

Why do you duplicate this text. If it is defined for the base, it is already required for the extension.

Best regards

Heinrich

==== RAS
All the below mentioned RAS features are required for the OS-A platform server

This version of the platform specification doesn't mandate M-mode
requirements. However, it should specify M-mode access protection
from lower privilege modes for platforms that do implement M-mode.
Otherwise, it is not very clear that such protection is required
to avoid lower privilege modes overwriting the memory where resident
firmware continues to run.

Signed-off-by: Atish Patra <atish.patra@...>
---
riscv-platform-spec.adoc | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)

diff --git a/riscv-platform-spec.adoc b/riscv-platform-spec.adoc
index bf92acb32329..a3c9c7b2ffb2 100644
--- a/riscv-platform-spec.adoc
+++ b/riscv-platform-spec.adoc
@@ -543,6 +543,18 @@ software components:
Rationale: The platform specification intends to avoid fragmentation and
promotes interoperability.

+=== Security
+** If M-mode is supported in the platform, all machine mode assets, such as
+code and data, are protected from all non-machine mode accesses from the
+harts in the system. Additionally, I/O agent access protection should also
+required within the system to protect machine mode assets. Therefore, the
+following requirements are recommended for platforms with M-mode:
+
+*** Platform should provide a protection mechanism from non-machine mode hart
+transactions that precisely traps if violated.
+*** Platform should provide a protection mechanism from I/O agents manipulating
+or accessing machine mode assets.
+
// Server extension for OS-A Platform
=== Server Extension
The server extension specifies additional requirements for server class
@@ -932,6 +944,16 @@ configuration.
** It is clearly understood what aspects of the platform boot process are
protected by secure boot.

+** If M-mode is supported in the platform, all machine mode assets, such as
+code and data, are protected from all non-machine mode accesses from the
+harts in the system. Additionally, I/O agent access protection should also
+required within the system to protect machine mode assets. Therefore, the
+following requirements are recommended for platforms with M-mode:
+
+*** Platform should provide a protection mechanism from non-machine mode hart
+transactions that precisely traps if violated.
+*** Platform should provide a protection mechanism from I/O agents manipulating
+or accessing machine mode assets.

==== RAS
All the below mentioned RAS features are required for the OS-A platform server
--
2.31.1