Skip to content

Latest commit

 

History

History
executable file
·
9 lines (5 loc) · 1.38 KB

chapter1.adoc

File metadata and controls

executable file
·
9 lines (5 loc) · 1.38 KB

External Debug Security Threat model

Modern SoC development consists of several different actors who may not trust each other, resulting in the need to isolate actors’ assets during the development and debugging phases. The current RISC-V Debug specification cite:[dbgspec] grants external debuggers the highest privilege in the system, regardless of the privilege level at which the target system is running. This leads to privilege escalation issues when multiple actors are present.

For example, the owner of an SoC, who needs to debug their M-mode firmware, may be able to use the external debugger to bypass PMP lock (pmpcfg.L=1) and attack Boot ROM (the SoC creator’s asset).

Additionally, RISC-V privilege architecture supports multiple software entities, or "supervisor domains," that do not trust each other. The supervisor domains are managed by a secure monitor running in M-mode, are isolated from each other by PMP/IOPMP, and may need different debug policies. The entity that owns the secure monitor wants to disable external debug when shipping the secure monitor; however, the entity that owns the supervisor domain needs to enable external debug to develop the supervisor domain. Since the external debugger will be granted the highest privilege in the system, a malicious supervisor domain will be able to compromise M-mode secure monitor with the external debugger.