Support for SBI's SRST extension (#34)

* Implemented support for SBI's SRST extension * Refactoring, simplifying name, removing unnecessary complexity --------- Signed-off-by: Wojciech Ozga <woz@zurich.ibm.com>
IBM · Jan 30, 2024 · afd4e63 · afd4e63
1 parent 9fc7798
commit afd4e63
Show file tree

Hide file tree

Showing 55 changed files with 444 additions and 435 deletions.
diff --git a/README.md b/README.md
@@ -3,9 +3,9 @@
 
 <img src=".github/ace.png" align="right" width="100" height="100"> 
 
-ACE-RISCV is an open-source project, whose goal is to deliver a confidential computing framework with a formally proven security monitor. It is based on a [canonical architecture](https://dl.acm.org/doi/pdf/10.1145/3623652.3623668) and targets RISC-V with the goal of being portable to other architectures. The formal verification efforts focus on the [security monitor](security-monitor/) implementation. We invite collaborators to work with us to push the boundaries of provable confidential computing technology. 
+ACE-RISCV is an open-source project, whose goal is to deliver a confidential computing framework with a formally proven security monitor. It is based on the [canonical architecture](https://dl.acm.org/doi/pdf/10.1145/3623652.3623668) and targets RISC-V with the goal of being portable to other architectures. The formal verification efforts focus on the [security monitor](security-monitor/) implementation. We invite collaborators to work with us to push the boundaries of provable confidential computing technology. 
 
-**This is an active research project, without warranties of any kind.** Please read our [paper](https://arxiv.org/abs/2308.10249) to learn about our approach and goals.
+**This is an active research project, without warranties of any kind.** Please read our [paper](https://dl.acm.org/doi/pdf/10.1145/3623652.3623668) to learn about our approach and goals.
 
 We are currently building on RISC-V with hypervisor extentions. We will adapt the AP-TEE extension once it is ratified.
 

diff --git a/confidential-vms/baremetal/src/worker.rs b/confidential-vms/baremetal/src/worker.rs
@@ -28,7 +28,7 @@ extern "C" fn worker_init(hart_id: usize) {
         riscv::register::sstatus::set_sie();
     }
 
-    loop {
+    for _ in 0..5 {
         uart.println(&format!("Hello from hart id: {}", hart_id));
     }
 

diff --git a/security-monitor/.rustfmt.toml b/security-monitor/.rustfmt.toml
@@ -1,8 +1,8 @@
 # check: https://rust-lang.github.io/rustfmt/
 
-max_width = 120
-comment_width = 120
-fn_call_width = 100
+max_width = 140
+comment_width = 140
+fn_call_width = 120
 
 fn_params_layout = "Compressed"
 

diff --git a/...ntext_switch/enter_from_confidential_vm.S → ...ext_switch/enter_from_confidential_hart.S b/...ntext_switch/enter_from_confidential_vm.S → ...ext_switch/enter_from_confidential_hart.S
@@ -7,9 +7,9 @@
 
 # This is the trap vector that gets executed on any interrupt or confidential VM-driven exception.
 # The trap vector address must be 4B aligned according to the spec.
-.globl enter_from_confidential_vm_asm
+.globl enter_from_confidential_hart_asm
 .align 4
-enter_from_confidential_vm_asm:
+enter_from_confidential_hart_asm:
     csrrw	    a0,	sscratch, a0
     # store current processor state (except for a0) in memory
     sd	        ra, ({HART_RA_OFFSET})(a0)
@@ -144,4 +144,4 @@ enter_from_confidential_vm_asm:
     # first argument (a0) must point to the dumped hart memory area
     # TODO: Prove that we don't violate C calling conventions and parameters 
     # are correctly passed.
-    j        enter_from_confidential_vm
+    j        enter_from_confidential_hart
diff --git a/.../context_switch/exit_to_confidential_vm.S → ...ontext_switch/exit_to_confidential_hart.S b/.../context_switch/exit_to_confidential_vm.S → ...ontext_switch/exit_to_confidential_hart.S
@@ -15,9 +15,9 @@
 # Restore the confidential VM virtual HART state and return the confidential VM execution. 
 # We do not store the security monitor's state because the security monitor is stateless.
 # A0 = pointer to VirtualCPU.
-.globl exit_to_confidential_vm_asm
+.globl exit_to_confidential_hart_asm
 .align 4
-exit_to_confidential_vm_asm:
+exit_to_confidential_hart_asm:
     # Should we maintain the mstatus when entering the confidential VM?
 	li		    t0, (0b01 << MSTATUS_MPP_SHIFT) | (0b1 << MSTATUS_MPV_SHIFT) | (1 << MSTATUS_MPIE_SHIFT)
 	csrw	    mstatus, t0
@@ -41,7 +41,7 @@ exit_to_confidential_vm_asm:
     csrw        hideleg, t0
 
     # set the trap vector, so any interrupt invokes the security monitor
-    la		    t0, enter_from_confidential_vm_asm
+    la		    t0, enter_from_confidential_hart_asm
 	csrw	    mtvec, t0    
 
 	# mepc stores the address of code that will start executing after mret

diff --git a/security-monitor/src/confidential_flow/context_switch/mod.rs b/security-monitor/src/confidential_flow/context_switch/mod.rs
@@ -10,14 +10,14 @@ use crate::core::control_data::HardwareHart;
 /// This is a private function, not accessible to safe Rust but accessible to the assembly code performing the context
 /// switch.
 #[no_mangle]
-extern "C" fn enter_from_confidential_vm(hart_ptr: *mut HardwareHart) -> ! {
+extern "C" fn enter_from_confidential_hart(hart_ptr: *mut HardwareHart) -> ! {
     let hart = unsafe { hart_ptr.as_mut().expect(crate::error::CTX_SWITCH_ERROR_MSG) };
     ConfidentialFlow::create(hart).route()
 }
 
 core::arch::global_asm!(
-    include_str!("enter_from_confidential_vm.S"),
-    include_str!("exit_to_confidential_vm.S"),
+    include_str!("enter_from_confidential_hart.S"),
+    include_str!("exit_to_confidential_hart.S"),
 
     HART_RA_OFFSET = const crate::core::control_data::HART_RA_OFFSET,
     HART_SP_OFFSET = const crate::core::control_data::HART_SP_OFFSET,
-Original file line number
+Diff line change
@@ Expand Up / @@ -28,7 +28,7 @@ extern "C" fn worker_init(hart_id: usize) { @@
             riscv::register::sstatus::set_sie();
         }
-        loop {
+        for _ in 0..5 {
             uart.println(&format!("Hello from hart id: {}", hart_id));
         }
@@ Expand Down @@