This chapter describes two extensions Smsdedbg and Smsdetrc that enable a
RDSM to manage isolation of supervisor domains when external debug and trace
mechanisms are being utilized. Smsdedbg defines the sdedbgalw bit in the
[MSDCFG] CSR that specifies if a supervisor domain is allowed to be
externally-debugged. Similarly, Smsdetrc defines the sdetrcalw bit in the
[MSDCFG] CSR that specifies if a supervisor domain is allowed to be
externally-traced cite:[ExtDbg]. External trace refers to tracing software
running on a separate target RISC-V platform, via a trace control/data transport
that provides external access to the trace encoder controls cite:[ETrc]. These
two extensions only affect debug and trace orchestrated by an external actor -
self-hosted debug (and trace) are managed directly by the RDSM. This chapter
refers to the Debug specification cite:[ExtDbg], Trace specification
cite:[ETrc], and the External debug security extension cite:[ExtDbgSec] for the
description and behavior of controls outside the scope of this specification,
but which interact with controls specified in this specification when one or
more supervisor domains are used. Note that Smsdedbg and Smsdetrc may be
used as independent extensions even when a single supervisor domain is being
utilized on a platform.
|
Note
|
The configuration for |
When M-mode external debug is enabled, all supervisor domains may also be
debugged by an external debugger irrespective of the configuration held in
msdcfg.sdedbgalw.
When M-mode external debug is disabled, whether execution at privilege modes
less than M-mode may be debugged by an external debugger depends on the
configuration held in msdcfg.sdedbgalw, as described below:
When msdcfg.sdedbgalw is 0:
-
Access by external debuggers to the memory and/or state of the supervisor domain is disallowed.
-
Entry to Debug Mode from a supervisor domain is disallowed.
When msdcfg.sdedbgalw = 1 then external debug of privilege modes less than
M-mode is allowed for such a supervisor domain on a per-hart basis,
with the additional requirements listed below.
-
External debug must be able to access supervisor domain memory and/or state. In this context, "state" includes all supervisor domain resources accessible per the Debug specification cite:[ExtDbg].
-
Entry to Debug Mode from a supervisor domain is allowed.
To enforce the above controls specified by this extension, the following functional and security requirements must be met by the external secure debug system cite:[ExtDbgSec]:
-
External debug of M-mode can be enabled only by the HW RoT of the RDSM (See RISC-V Security model requirements SR_GEN_007 and SR_GEN_012).
-
The RDSM must be able to context switch all triggers even when
d-mode= 1. This functional change allows the RDSM to remain in control of external debug for supervisor domains when it is not under external debug itself.
When M-mode external trace is enabled, all supervisor domains activity may also
be traced by an external trace tool irrespective of the configuration held in
msdcfg.sdetralw.
When M-mode external trace is disabled, whether execution at privilege modes
less than M-mode may be traced by an external trace tool depends on the
configuration held in msdcfg.sdetrcalw, as described below:
When msdcfg.sdetrcalw = 0, external trace of the supervisor domain is
disallowed.
When msdcfg.sdetrcalw = 1 then external trace of privilege modes less than
M-mode shall be allowed for the SD on a per hart basis, with the
additional requirements listed below.
-
When M-mode external tracing is disabled, tracing must be stopped on:
-
entry to Debug mode
-
entry to
M-modeprivilege -
entry to privilege less than
M-modewithmsdcfg.sdetrcalw= 0.
-
To enforce the above controls specified by this extension, the following functional and security requirements must be met by the external debug security system cite:[ExtDbgSec]:
-
External trace of M-mode can be enabled only by the HW RoT of the RDSM (See RISC-V Security model requirements SR_GEN_007 and SR_GEN_012).