Every extension that adds registers an OS doesn’t know about creates a
covert channel: thread A writes jvt or an AIA CSR, thread B reads it,
and the kernel — unaware the state exists — never swaps it. F and V are
protected by mstatus.FS/VS; the
stateen extension stateen mechanism Smstateen/Ssstateen: mstateen0-3 / hstateen0-3 / sstateen0-3 gate LESS-privileged access to small extensions' state (jvt, Zfinx fcsr, AIA CSRs, custom state...), closing covert channels the OS doesn't context-switch. Zero cascades down as read-only-zero; blocked access = illegal/virtual-instruction; bit 63 gates the next level's stateen itself (emulation recursion).
defined in ch. II·4 — open in glossary
generalizes that
gate to every small extension, past and future, without burning
sstatus bits.
The register file: mstateen0-3 (64-bit, +h twins on RV32),
sstateen0-3 (upper halves permanently zero — no h twins),
hstateen0-3 (+h, with H). Each bit gates less-privileged access
to one extension’s state — never the CSR’s own level, exactly like
mcounteren. A blocked access raises illegal-instruction (or
virtual-instruction from VS/VU).
mstateen0 (0x30C) — Figure 3
hstateen0 mirrors this layout minus P1P13/SRMCFG; sstateen0 keeps
only the low bits (C, FCSR, JVT).
The cascade rules
| Rule | |
|---|---|
| Zero cascades down | mstateen bit = 0 ⇒ same bit read-only 0 in hstateen and sstateen; hstateen bit = 0 ⇒ read-only 0 in sstateen as seen from VS |
| RO-1 cascades up | A lower-level bit may be read-only one only if it is read-only one at every level above |
| Unimplemented ⇒ RO-0 | Bits for state the hart lacks, and all reserved bits, read zero |
| Reset | Writable mstateen bits reset to 0; software zeroes the lower-level stateen CSRs when it enables bits above them |
| Single-context shortcut | A level hosting only ONE lower context may blanket-write all-ones — no covert channel with one context (typical for M-mode, and single-guest hypervisors) |
Hardware Designer Notes
Implementation is one mask register per level and a handful of AND gates in the CSR/instruction decode paths — the cheapest security feature in Volume II. Adopt it the moment you add any of its clients (Zcmt, Zfinx, AIA, Smctr); Linux and KVM already program it when present.
Minimal Linux-boot hart MUST
- Gate protected CSR decode with the AND-cascade of the relevant stateen bits per current mode; raise virtual-instruction (not illegal) from VS/VU where the H rules say so
- Implement the zero-cascade as combinational masking of lower-level stateen reads
- Reset writable mstateen bits to zero
MAY simplify / trap-and-emulate
- Omit the extension entirely on a fixed-configuration core with no gated extensions — all state then follows its own spec
- Hardwire implemented-but-ungated bits RO-1 through the whole stack
Check yourself — state enables
1.What attack do the stateen CSRs close, that mstatus.FS/VS already close for F and V?
2.mstateen0.JVT = 0. What does sstateen0.JVT read in S-mode, and what happens when U-mode code executes cm.jt?
3.Why does bit 63 (SE0) of mstateen0 gate access to sstateen0/hstateen0 themselves?
4.A single-guest type-1 hypervisor doesn't track extension state. What's the sanctioned lazy configuration?