Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BSETI Decode Not Legal #49

Open
itsomaia opened this issue Sep 27, 2024 · 0 comments
Open

BSETI Decode Not Legal #49

itsomaia opened this issue Sep 27, 2024 · 0 comments

Comments

@itsomaia
Copy link

Observed Behavior

image

According to the RISC-V ISA, for the BSETI instruction, bit 26 must be 0, and bit 25 should also be 0. However, in the case of CHERIOT-IBEX, as shown in the waveform, the instruction is still decoded as BSETI even when both bits are set to 1.

image

Expected Behavior

This instruction not to be decoded as BSETI. The instruction decoded as BSETI is not a BSETI instruction as the bits 26:25 need to be 2'b00 as per the ISA. The challenge with decoding instructions as legal when they are not implies security vulnerabilities. A trojan with bits 26:25 being 2'b00 would be considered a legal BSETI instruction and will be sent to the pipe for execution and can execute malicious code. I believe this must be investigated along with other issues we have filed such as #48

Steps to reproduce the issue

Running formalISA v 3.0 app with Cadence JasperGold 2023.09, a cover that should have failed ends up passing.

My Environment

Running formalISA v 3.0 app with Cadence JasperGold 2023.09

EDA tool and version:

Running formalISA v 3.0 app with Cadence JasperGold 2023.09

Operating system:

Ubuntu 22.04.01

Version of the Ibex source code:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant