BSETI Decode Not Legal #49
Observed Behavior
According to the RISC-V ISA, for the BSETI instruction, bit 26 must be 0, and bit 25 should also be 0. However, in the case of CHERIOT-IBEX, as shown in the waveform, the instruction is still decoded as BSETI even when both bits are set to 1.
Expected Behavior
This instruction is not to be decoded as BSETI. The instruction decoded as BSETI is not a BSETI instruction as the bits 26:25 need to be 2'b00 as per the ISA. The challenge with decoding instructions as legal when they are not implies security vulnerabilities. A trojan with bits 26:25 being 2'b00 would be considered a legal BSETI instruction and will be sent to the pipe for execution and can execute malicious code. I believe this must be investigated along with other issues we have filed such as #48.
Steps to reproduce the issue
Running formalISA v 3.0 app with Cadence JasperGold 2023.09, a cover that should have failed ends up passing.
My Environment
Running formalISA v 3.0 app with Cadence JasperGold 2023.09
EDA tool and version:
Running formalISA v 3.0 app with Cadence JasperGold 2023.09
Operating system:
Ubuntu 22.04.01
Version of the Ibex source code:
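
The decode rule the report relies on, as an added example (not code from this issue or from the CHERIoT-Ibex RTL): a strict RV32 BSETI legality check that compares all of bits 31:25, next to a hypothetical loose matcher that leaves bits 26:25 unchecked. All function names and the `bseti x5, x6, 3` sample word are constructed for illustration; the field layout is the RV32 Zbs BSETI encoding.

```c
#include <stdint.h>
#include <stdio.h>

/* RV32 BSETI (Zbs) layout: funct7[31:25]=0010100 | shamt[24:20] | rs1[19:15]
 * | funct3[14:12]=001 | rd[11:7] | opcode[6:0]=0010011 (OP-IMM). */
#define OPCODE_OP_IMM 0x13u
#define FUNCT3_BSETI  0x1u
#define FUNCT7_BSETI  0x14u

/* Build a legal BSETI word so the sample input is constructed, not captured. */
uint32_t encode_bseti(unsigned rd, unsigned rs1, unsigned shamt)
{
    return (FUNCT7_BSETI << 25) | ((shamt & 0x1fu) << 20) | ((rs1 & 0x1fu) << 15)
         | (FUNCT3_BSETI << 12) | ((rd & 0x1fu) << 7) | OPCODE_OP_IMM;
}

/* Strict decode: every fixed bit, including 26 and 25, must match. */
int is_legal_bseti_rv32(uint32_t insn)
{
    return (insn & 0x7fu) == OPCODE_OP_IMM
        && ((insn >> 12) & 0x7u) == FUNCT3_BSETI
        && ((insn >> 25) & 0x7fu) == FUNCT7_BSETI;
}

/* Hypothetical loose decode (an assumption, not the project's logic):
 * only bits 31:27 of funct7 are compared, so bits 26:25 are don't-care. */
int loose_match_bseti(uint32_t insn)
{
    return (insn & 0x7fu) == OPCODE_OP_IMM
        && ((insn >> 12) & 0x7u) == FUNCT3_BSETI
        && ((insn >> 27) & 0x1fu) == (FUNCT7_BSETI >> 2);
}

/* Count how many of the four bits[26:25] settings a decoder accepts. */
int count_accepted_variants(int (*decoder)(uint32_t), uint32_t base)
{
    int accepted = 0;
    for (uint32_t v = 0; v < 4; v++)
        accepted += decoder((base & ~(3u << 25)) | (v << 25)) ? 1 : 0;
    return accepted;
}

int main(void)
{
    uint32_t base = encode_bseti(5, 6, 3);   /* constructed: bseti x5, x6, 3 */
    printf("base=0x%08x strict accepts %d of 4, loose accepts %d of 4\n",
           (unsigned)base, count_accepted_variants(is_legal_bseti_rv32, base),
           count_accepted_variants(loose_match_bseti, base));
    return 0;
}
```

A strict decoder accepts exactly one of the four bits 26:25 settings for a given base word; any count above one means an illegal encoding is being treated as BSETI.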