RISC-V Privileged Architecture

Allen Baum
Esperanto Technologies.
[email protected]

8th RISC-V Workshop

Barcelona, Spain
May 7, 2018
 Introduction to RISC-V Privileged Architecture
 Why a Privileged Architecture?
 Profiles
 Privileges and Modes
 Privileged Features
- CSRs
- Instructions
 Memory Addressing
- Translation
- Protection
 Trap Handling
- Exceptions
- Interrupts
 Counters
- Time
- Performance
2
 Why a Privileged Architecture?
 We need ways of managing shared resources
- Memory
- I/O Devices
- Cores
 We need ways of protecting shared resources
- Memory: use virtual memory mapping
- I/O: also virtual memory mapping
- Access permissions: integrated into mapping (or as
separate functionality)
 We need ways of insulating implementation details
- Trapping unimplemented ops for SW emulation
- Handling external asynchronous events
- (IO events, Timer events, SW interrupts from other threads
- 2 Level address translation for Hypervisor support
3
 RISC-V Privileged Architecture Layers

Hardware
 Provides clean split between layers of the software stack
Layer Communicates with via
Application Application Execution Application Binary
Environment (AEE) Interface (ABI)
Operating Supervisor Execution System Binary
System Environment (SEE) Interface (SBI)
Hypervisor Hypervisor Execution Hypervisor Binary
Environment (HEE) Interface (HBI)
 ECALL instruction used for the communication
 All ISA levels designed to support virtualization
4
 Introduction to RISC-V Privileged Architecture
 Why a Privileged Architecture?
 Profiles
 Privileges and Modes
 Privileged Features
- CSRs
- Instructions Profiles
 Memory Addressing
- Translation
- Protection
 Trap Handling
- Exceptions
- Interrupts
 Counters
- Time
- Performance
5
 Platform Profile Concept: Some basic profiles
Mem
Profile Modes Trust Other
Protect
Embedded
all Low cost:16B each of
without M None
Trusted arch. State/timers/counters
Protection
Embedded
M+ Apps Phys Mem Optional N-extension for
with
U untrusted Protect user int. handling
Protection
Unix-like OS M+ OS Vmem Vaddr size options:
capable S+U Trusted + RWX 32,39,48b
M+
Cloud OS Hypervisor 2-level Vmem Unix+ (Supports >1 OS)
[V](S+
capable Trusted + RWX +new/background CSRs
U)
RiscV has rich set of architectural modes & optional features
A profile is restricted combination of all possible options
See https://github.com/riscv/riscv-platform-specs
6
 Why a Privileged Architecture?
 Profiles
 Privileges and Modes
 Privileged Features
- CSRs
Privileges and Modes
- Instructions
 Memory Addressing
- Translation
- Protection
 Trap Handling
- Exceptions
- Interrupts
 Counters
- Time
- Performance
7
 RISC-V Privilege Modes
 User & 2+ privileged modes (hierarchical)
- User (U-mode), normal and virtualized* (lowest privileges)
- Supervisor (S-mode), normal and virtualized*
- Machine (M-mode) (highest privileges)**
 Supported combinations of modes:
- M (simple embedded systems)
- M, U (embedded systems with protection)
- M, S, U (systems running Unix-like operating systems)
- M, [V]S, [V]U (systems running multiple Oses)
 Each privileged mode add a few ops, and
Control/Status Registers (CSRs) that control operations
- CSRs accessible only by code running at a specific privilege mode or higher
- There are (often) multiple CSR copies/views for each mode
*Virtualized modes for hypervisor support- not covered here
** A higher (Debug) mode exists: only entered if debug port connected & enabled,
has separate state saving CSRs, but otherwise much like M-mode
8
 Why a Privileged Architecture?
 Profiles
 Privileges and Modes
 Privileged Features
- CSRs
Privileged
- Instructions
 Memory Addressing
Features:
- Translation
- Protection
Instructions and CSRs
 Trap Handling
- Exceptions
- Interrupts
 Counters
- Time
- Performance
9
 Mode Specific Instructions
Privileged Machine (M-mode) & Supervisor (S-mode) add
instructions to base U-mode ops
- Priv Insts can only be executed from appropriate mode (or higher)
 All modes
- ECALL: generates <curr_mode>environment_call exception
- EBREAK: generates breakpoint exception
- FENCE[.I]: synchronizes updates to memory
- <x>RET: returns from a trap *from* the specified mode
- SRET provided only if S-mode is implemented
- URET provided only if U-mode traps supported (N-extension)
 S-mode (+M-mode): adds
- SFENCE.VMA: synchs updates to implicitly accessed memory
 M-mode: adds
- WFI: stall the current hart until an interrupt needs service
- Is a hint only (could be noop, 10
 Mode Specific CSRs
 Control/Status Regs (CSRs) have their own address space
– Direct address mode only
 Each hart has its own set of 4K CSRs (1K/mode)
 CSRs are accessed by dedicated ops
- that can implement atomic swap or bit set/clear
 CSRs are mode sensitive
- Can only be accessed by code in appropriate or higher privileged
mode; accesses by lower privilege modes will trap
 Many CSRs optional/ have optional fields/mode dependent
- Accesses to non-existent CSRs will trap
- Writes to Read_Only CSRs will trap
- But writes to read_only fields in read/write CSRs are ignored
- Accesses to optional CSRs read zeroes, & (if RW) ignore writes
- Note that optional vs. non-existent
can depend on architecture!
11
 CSR address space
CSR Machine- Supervisor- User-
Address Mode Mode Mode Binary Encoding
[11:10] [7:6] [9:8]=11 [9:8]=01 [9:8]=00
00 XX 0b00MM xxxx xxxx
01 0X 0b01MM 0xxx xxxx
01 10 0b01MM 100x xxxx
01 10 Debug only 0b01MM 101x xxxx
01 11 NonStandard 0b01MM 11xx xxxx
10 ~11 0b10MM ~11xx xxxx
10 11 nonStandard 0b10MM 11xx xxxx
11 ~11 RdOnly 0b11MM ~11xx xxxx
(RO) 11 NonStandard Rd Only 0b11MM 11xx xxxx

Addr[9:8]==10 currently reserved for Hypervisor CSs

Read Only Non_Standard Debug
12
 CSRs and categories
Category CSR Name (some replicated/mode)
FP CSRs Exceptions, Rounding_Mode, Reg_State
Information Vendor/ Architecture/Implementation/Thread_IDs
Protection/ Address_Translation_Protection,
Translation PhysMemProtection Config[ ]/Addr[ ]
Status, ISA+Extension, Int/Excep_Delegation,
Trap Setup
Trap_Vector, Int_Enable, Cntr_Enab
Trap Handling Exception_PC, Scratch,
Int_Pending Trap_Cause/Value
Counter/ Cycles, Inst_Retired,
Timers Time PerfmonCntr [ ]
Counter Setup Perfmon Event selector[ ]
Debug/ Trace Control/Status/PC/Scratch
Trigger_RegSelect/Data[ ]

13
 Why a Privileged Architecture?
 Profiles
 Privileges and Modes
 Privileged Features
- CSRs
Memory
- Instructions
 Memory Addressing
Addressing:
- Translation
- Protection
Translation
 Trap Handling
- Exceptions
- Interrupts
 Counters
- Time
- Performance
14
 Memory Address Translation:
Virtual Memory
 S-mode adds virtual memory page mapping
- Smallest unit of protection/mapping is 4 KB pages
 Supports multiple User mode processes w/ separate
address spaces (using Addr_Space_ID field in SATP CSR)
 Page tables have multiple levels that are walked:
- 2 levels for RV32 (Sv32)
- 3,4 levels for RV64 (Sv39, Sv48)
- 5,6 levels RSVD (Sv57, Sv64)
 Page Table walk can stop at any level to create Superpages
- e.g. for Sv39 2 MB if stopped at 2 levels
- or 1 GB if stopped at 1 levels
 HW Page Table walk semantics specified in Priv Mode spec
- But could trap to M-mode for software TLB refill
15
 RISC-V Page Table Entries

(SV32 format shown)

 Accessed/Dirty bits optionally HW managed

- Updates must be atomic w.r.t. permissions check
- Complex to implement, so trap if A/D is clear
 Global bit indicates mapping belongs to all addr
spaces (e.g. Unix systems kernel pages
 Page granularity permissions (User/Read/Write/eXecute)
- (000 XWR indicates a non-leaf entry)
 Virtual Addr width, Current ASID, and PageTable root
controlled by SATP CSR
63 60 59 44 43
(SV64 format shown) 0
Mode ASID Page Table Root Physical Page Number
4 16 44
16
 More control: Memory Fences

 S-mode implements SFENCE.VMA instruction to

synchronize updates to memory data structures
- All page table levels, or just those corresponding to an addr
- All address spaces, or just a specific address space (not global)

 Generalization of TLB flush on other architectures

 Guarantees that all prior stores are ordered before all

subsequent implicit references in the instruction stream
 Affects only the local hart
- Synchronization with other harts requires IPIs

17
 Why a Privileged Architecture?
 Profiles
 Privileges and Modes
 Privileged Features
- CSRs
Memory
- Instructions
 Memory Addressing
Addressing:
- Translation
- Protection
Protection
 Trap Handling
- Exceptions
- Interrupts
 Counters
- Time
- Performance
18
 RISC-V Virtual Memory Protections

 Standard RWX permissions configurable for every page

- Supports X-only pages
- W & ~R combination reserved
 By default, S-mode can’t access user pages
- Helps detect OS/driver bugs
- Still need ability to read user memory, e.g. on system call
- Set “Supervisor Access to User Memory” (SUM) bit in sStatus to
read user memory, then turn it off again
- S-mode cannot execute from U-mode pages even if SUM=1
 Similarly, S-mode can’t read execute-only pages
- Set sStatus “Make eXecutable Readable” MXR bit to override
- Useful for illegal-instruction trap handlers
 S-mode can enable/disable VM and choose page-table
depth in SATP register
19
 RISC-V Physical Memory Protection Unit
 Optional new feature in v1.10
 Makes S/U-modes have no permissions by default
 Grants R/W/X permissions to up to 16 PMP regions
- Naturally aligned 2^N-byte regions (N>=2)
- Or use adjacent PMP regs to form base/bounds region
 PMPs can be locked
- Affects M-mode also
- Only a reset can unlock
 The fine print:
- If VM enabled, VM (& page faults) occur before PMP checks
- Useful for untrusted S-Mode

20
 Physical Memory Attributes
 RISC-V systems have the concept of Physical Memory
Attributes: platform and implementation specific
- Maps access to a bus transaction type, or an error
 PMA is dedicated HW that maps specific address
ranges to certain access attributes, e.g.
- Access widths allowed (e.g. 1/2/4/8/16/64B)
- Alignment restrictions (e.g. can’t cross 2^x byte boundary)
- Idempotency (enabling speculation)
- Ordering (Strong/Weak per Channel)
- Cacheability (incl Wt Thru, Wt Combining, etc)
- Priority (e.g. high/low if conflicting)
- Atomicity allowed (none, swap, logical, arithmetic)
- Allowed access modes (M/S/U/debug)
 Some attributes could be configurable
21
 Why a Privileged Architecture?
 Profiles
 Privileges and Modes
 Trap Handling:
Privileged Features
- CSRs
Exceptions and Interrupts
- Instructions
 Memory Addressing
- Translation
- Protection
 Trap Handling
- Exceptions
- Interrupts
 Counters
- Time
- Performance
22
 Interrupts vs Exceptions
 Exceptions: Synchronous events
- Synchronous: caused by a specific instruction execution
 Interrupts: Asynchronous events
- not caused by an inst: I/O, timer, SW (from another hart)
 Both handled (almost) identically by trapping:
Where - xTVEC CSR holds handler address
to trap - Interrupts optionally vector to xTVEC+4*xCause Trap setup
Mode to
- xI/EDELEG CSRs: select mode to trap into (next slide)
trap into
- xCause CSR (x=new mode) saves cause ID Trap handling
Reason - MSB: interrupt vs. exception, LSBs: interrupt /exception ID code
for trap - xTVAL CSR saves additional information about cause
- This could be an illegal address, or illegal opcode (not for int)
- xEPC CSR saves return Program Counter
How to
- could be next instruction (interrupts) or same inst (enabling retry)
return
from trap
- xSTATUS CSR saves curr Mode/IntEn bits
- xSTATUS[IntEn] cleared
23
 Trap Setup
Interrupt/Exception Handler Delegation
 Traps always sent to M-mode, but…
 Can be delegated to lower priv level, reducing overhead
- Never to a less privileged mode than the one that trapped!
 Bits in delegation CSR send traps to next lower priv level
- m[i/e]deleg: MS (or MU if no S-mode & N_extension)
- s[i/e]deleg: SU (if delegated to S-mode & N_extension)

 Int Delegation occurs only if corresponding enable bits

set (<x>ie CSR)
- But enable bit used only for delegated (higher mode)
- Exceptions are always enabled
 Interrupts that trap set corresponding <x>ip CSR bit

24
 Trap Handling
Interrupt/Exception Causes
• <x>cause CSR indicates which interrupt/exception occurred
• Corresponding bit is set in <x>E/IP CSR Interrupts > Exceptions
Trap Priority for simultaneous interrupts/exceptions: M-mode > S-mode > U-mode
Pending[N] > Pending[M] if N>M
Trap
code[62:0]
Exception (Cause[MSB]=0) Interrupt (Cause[MSB]==1)
Special case: Timer & SW
0 Instruction addr misaligned User Software Interrupt interrupt priorities swapped!
1 Instruction access fault Supervisor Software Interrupt
2 Illegal instruction Reserved

Local
3 Breakpoint Machine Software Interrupt
4 Load address misaligned User Timer Interrupt
5 Load access fault Supervisor Timer Interrupt
6 Store/AMO addr misaligned Reserved
7 Store/AMO access fault Machine Timer Interrupt

External
8 Environment call User External Interrupt
9 Supervisor External Interrupt
10 Reserved Reserved
11 Machine External Interrupt
12 Instruction page fault
13 Load page fault
Reserved
14 Reserved
15 Store/AMO page fault
>=16 Reserved Reserved

25
 Why a Privileged Architecture?
 Profiles
 Privileges and Modes
 Privileged Features
- CSRs
- Instructions Interrupts
 Memory Addressing
- Translation
- Protection
 Trap Handling
- Exceptions
- Interrupts
 Counters
- Time
- Performance
26
 Platform-Level Interrupt Overview
Global Interrupts Local Interrupts
External Hart 0
External External External Timer
Interrupt 1 Interrupt 2 Interrupt N U Software
Timer
S Software
Timer
M Software

PLIC Hart 1
Timer
U Software
Timer
S Software
Timer
M Software

27
 RISC-V Interrupt Source Categories
 Global (External) Interrupts
- Routed to harts via Platform-Level Interrupt Controller (PLIC)
- Actual source determined by read of PLIC MMIO CSR
 Local Interrupts
- Directly connected to one hart, independent of other harts
- Cause determined directly from <x>cause CSR
- Only two standard local interrupts (software, timer)
 Any interrupt can target any M/S/U mode
- Except for priority during simultaneous interrupts,
handling is identical

28
 External Interrupts
 Inputs from a Platform-Level Interrupt Controller (PLIC)
- PLIC targets hart based on hart interrupt threshold & enable,
and interrupt priority
 Interrupts can target multiple harts simultaneously
- Harts must arbitrate to determine which services it
- E.g. by racing to read MMIO mapped interrupt source CSR
 PLIC labels each output with a privilege mode
- Which can be handled differently using delegation
 Interrupts cleared via MMIO mapped LD/ST to PLIC
 Software can inject SEIP and UEIP interrupts to support
virtualizing the PLIC by writing CSR directly

29
 Software Interrupts
 Software interrupt are how harts interrupt each other
- Mechanism for inter-hart interrupts (IPIs)

 Setting the appropriate <x>SIP bit in another hart is

performed by a MMIO write
- But a hart can set its own <x>SIP bit if currmode >= <x>

 App/OS performs inter-hart ints only via ABI/SBI calls

- Destination virtual hart might be descheduled
- Interrupts virtualized by M-mode software using MSIP

30
 Timer Interrupts
 Single M-mode 64b real-time HW timer per system
 Single M-mode 64b Time comparator per hart (logically)
 NOT CSRs, but MMIO addressed
- Must count at a fixed rate, regardless of core clock or power
- mtime >= mtimecmp causes hart’s MTIP bit to be set
 M-mode responsible for virtualizing the single HW timer
and hart comparator for lower-privilege modes
- CSR reads by U-mode will trap & be handled by M-mode
 STIP and UTIP CSR bits are handled by M-mode
- ABI/SBI calls to set up timer
- M-mode software writes/clears STIP,UTIP

31
 Why a Privileged Architecture?
 Profiles
 Privileges and Modes
 Privileged Features
- CSRs
- Instructions
 Memory Addressing
Counters:
- Translation Time and Performance
- Protection
 Trap Handling
- Exceptions
- Interrupts
 Counters
- Time
- Performance
32
 Timers and Counters
 RISC-V has several architected Timers and Counters
implemented (mostly) as CSRs
 All are 64 bits (split into 2 CSRs for RV32 only)
- Real Time Clock Time, described in Timer Interrupt slide
- U/S-mode read of CSR traps to M-mode, which does MMIO read
- Instructions_Retired InstRet Counter
- M-mode RW, U-mode RO, used for RDINSTRET pseudo-instructions
- Cycles Cycle Counter
- M-mode RW, U-mode RO, used for RDCYCLE pseudo-instructions
- 0..29 HW Performance Monitors mhpmcounters
- each w/corresponding HPMEvent to select what to count

33
 Timer/Counter protections
 Easily accessible timers have issues
- Lack of reproducibility
- Side channel security attacks (Meltdown, Spectre…)
 <x>CounterEn CSRs enables access to the counters
- 1 bit per counter (Time/Cycle/InstRet/HPMCounter[])
- Accessing <x>timer/counter in a mode<x will trap if
corresponding bit in <x>CounterEn is clear for x<y
- Any bit may be optionally hardwired to zero

34
Wrap Up

35
 Privileged Architecture is Stable
 Latest version is v1.11 draft

 keeps compatibility with v1.9.1 for

machine-mode-only implementations
 Future releases should be compatible with
v1.10 for supervisor ISA, too
 Adds draft Hypervisor support

 Caveat: these are proposals;

not yet ratified by Foundation

36
 Implementation Status
 Spike and UCB Rocket-Chip conform to v1.11
 Linux port is upstreamed and conforms to v1.11
- works with Spike/Rocket
 QEMU port is upstreamed and conforms to v1.11
 Upstream GCC and binutils ports are compatible

37
 Questions?

Specs available at
https://github.com/riscv/riscv-isa-manual

38
Backup

39
 <x>Status CSR
In S,U-mode In U-mode <x>PP, <x>PIE, <x>IE
(SD moves to read as zero if curr_mode<x
read as zero read as zero
SV64 only bit 31 for SV32)

63 35 34 33 32 22 21 20 19 18 1716:15 14:13 12 8 7 4 3 0

S SXL UXL S T T T M S M XS FS M – S M – S U M – S U
D D S WV X U P PP PIE IE
R MR M R
V

Previous Current
S-mode XLEN
Previous Per Mode
U-mode XLEN
Privilege Int Enable
Extension state is dirty
Modes
TSR Trap if SRET is executed in S-mode M: MSU
TW Trap if WFI in S-mode exceeds timeout S: SU
TVM Trap on S-mode execution of SFENCE.VMA
FP
0= Off
MXR Allow Ld from pages with RX=01 1= Initial
SUM Allow SMode accessest to U-mode pages 2=Clean
MPRV Use priv mode in MPP for Ld/St 3=Dirty

Summary (other)
0= All Off
1= No Dirty/Clean, some on
2=No dirty, Some clean
3=Some dirty
40
 CSRs, Privileged Modes, & Options
CSR
Category CSR Name Comments M-mode S-mode Umode
Accrued Exceptions X(DF)
Floating-Point CRs Dynamic Rounding Mode X(DF)
Ctl & Status Reg (frm + fflags) X(DF)
Vendor ID (o) Encoded JEDEC ID X
(DF) Optional unless D/F extension implemented
Architecture ID (o) MSB==Commercial X
Information (UN) Exists only in Umode & N-extension implemented
Implementation ID (o) X
Hardware_thread_ID Hart 0 must exist (U32)Exists only in Umode & RV32I architecture
Status (S) X HBX (H) X (n) Exact number is implementation dependent
ISAs and Extensions X (I) exist only if RV23I architecture
Exception_Delegation X (SN) BX (H,N) (R) Single register with restricted view
Trap Setup Interrupt_ Delegation X (SN) BX (H,N) (P) Only bits corresponding to <= curr mode are visible
Interrupt Enable (R) X BX (H) X (UN) (H) Swapped with background CSR on VM entry/exit
Trap_Vector_Base_Address (z) X BX (H) X (UN) (o) Optional (Read 0 if unimplemented)
Counter Enable (Z) X X (SN)Exists only if Smode | N-extension implemented
Scratch Register For Trap handlers X BX (H) X (UN) (z) Some bits may be hardwired RdOnly
Exception_Program_Counter X BX (H) X (UN)
(Z) May be hardwired RdOnly zero
Trap_Cause (P,Z) X BX (H) X (UN)
Trap Handling
Trap_Value (Z) X HBX X (UN)
Interrupt pending (R) X BX (H) X (UN)
Addr Translation & Protection(RZ) BX (H)
Protection/Translation Phys Mem Prot Config[3:0] (on) X
Phys Mem Prot Addr[15:0] (on) X * = optional (read as zero)
Cycle_counter For RDCYCLE inst X X Types of CSR fields:
Time For RTIME inst X X - WIRI (Reserved) Writes ignored, Reads ignored
Instr-retired_counter For RDINSTRET inst X X - WPRI (Reserved) Writes preserved, Reads ignored
Perfmon counters[31:3] (Zn) X X - WLRL Write Legal, Read Legal
Counter/Timers
Upper_32b_of_cycle X (I) X (U32)
- WARL Write Any, Read Legal
Upper_32b_of_time X (I) X (U32)
Upper_32b_of_instret X (I) X (U32)
Upper_32b_of_perfmon[31:3] (Z) X (I,n) X(U32n) H= new CSR version added for Hypervisor extension
Counter Setup Perfmon Event selector[31:3] (Z) X(n) B = background CSR added for Hypervisor extension
Debug/Trace Trigger Reg Select X
Debug/Trace trigger data Reg[3:1] X
Debug/Trace Debug Control/Status X
Debug PC X
Debug Scratch Reg X

41
 Interrupt/Exception Handler Delegation
Global Enable M = currMode<M + currMode==M & Mstatus.MIE
Global Enable S = currMode<S + currMode== S & Mstatus.SIE
Global Enable U = currMode<U + currMode== U & Mstatus.UIE
Treat as 0 if
Global
no S-mode or Enables
Interrupts > Exceptions
no U-mode or M > S > U-mode
Int
Deleg no N_extension Enable Pending[N] > Pending[M]
M if N>M
PEND M Exception: Timer
Trap & SW interrupt
Exception M

Priority Logic
0
or 1
S New priorities swapped!
Interrupt Mode
S
0
Deleg 1 U Cause
S U

Treat as 1 if S-mode Interrupts only

unimplemented Exceptions always enabled
42
 Interrupt Pending/Enable CSRs <x>ip,ie
(not visible in
U mode
(not visible in (only visible if
S/U modes) N-extension)
(Add Non-Standard
Local Interrupts Here)
XLEN-12 16 15 12 11 10 9 8 7 6 5 4 3 2 1 0
(WIRI) Local Standard Rsvd MEIP (WIRI) SEIP UEIP MTIP (WIRI) STIP UTIP MSIP (WIRI) SSIP USIP
XLEN-12 4 1 1 1 1 1 1 1 1 1 1 1 1

External (from PLIC) Local Timer Local Software

 <x>ip reflects pending status of interrupts for hart
- Enabled by corresponding bits of <x>ie with same per/mode visibility
- In addition to global interrupt enables in <x>status for each privilege mode
 Separate ints for each priv level (M/S/U), directed to M-mode
- M-mode can delegate to S-mode and U-modes
- Higher privilege modes override lower privilege modes
 Opt. User interrupt handling (“N”) feature when U-mode present
 Interrupts always disabled for privimodes lower
than current mode; always enabled for privilege
modes higher than current mode 43
 PLIC Block Diagram
foreach hart {
converts edge/level/polarity,
Replicated for find highest priority enabled interrupt
etc to common format
each hart if(interrupt_priority>hart_priority) {
Int ID

present interrupt[highest] to hart

Hart#n }
Int Gateway

Int Enab }
Int Src

Int Pend

Int Priority Max hart#0 Int ID

MaxPriority
Max > hart#0 ExtIntPend
Max & >
assoc. > hart#n Int ID
Int ID

> hart#n ExtIntPend

ID for
Hart#n Hart#N
Int Gateway

Int Enab
Int Src

Int Pend

Int Priority Hart#0

Priority
Hart#n
Priority
Replicated for
each int source 44
 Hypervisor mode
 Feedback led us to HW support for Type-2 hypervisors (like KVM)
- Can also support type-1
 Hypervisors run in S-mode
 Guests run in virtualized (V) S and U modes
- Major difference is 2-level page table walk
- Certain operations can be inhibited or trap (individually)
- Execution of WFI if the wait exceeds some limit can be trapped
- SRET ,FENCE.VMA, SATP and counters CSR accesses can be trapped
- But CYCLE and INSTRET will still count
- Force translation to use supervisor previous priv level
- Additional bits added to STATUS CSR
- Previous Virtualization mode
- Translation fault level
- Some control bits interpreted differently: SPRV, SPV, SPP
 Vmode changes cause CSR swap/selection w/background versions
- Use HSTATUS, HEDELEG, HIDELEG, HTVAL
- Swaps SSTATUS, SIE,SIP, STVEC, SSCRATCH,
SCAUSE, SEPC, STVAL, SATP
45