Debugging and tracing are essential for developers to identify and rectify software and hardware issues, optimize performance, and ensure robust system functionality. The debugging and tracing extensions in the RISC-V ecosystem play a pivotal role in enabling these capabilities, allowing developers to monitor and control the execution of programs during the development, testing and production phases. However, the current RISC-V Debug specification grants the external debugger the highest privilege in the system, regardless of the privilege level at which the target system is running. It leads to privilege escalation issues when multiple actors are present.
This specification defines Debug Module Security Extension (non-ISA extension) and Sdsec (ISA extension) to address the above security issues in the current The RISC-V Debug Specification cite:[dbgspec] and trace specifications cite:[etrace] cite:[ntrace].
A summary of the changes introduced by The RISC-V External Debug Security Specification follows.
-
Per-Hart Debug Control: Introduce per-hart states to control whether external debug is allowed in M-mode and/or supervisor domains cite:[smmtt].
-
Per-Hart Trace Control: Introduce per-hart states to control whether tracing is allowed in M-mode and/or supervisor domains.
-
Non-secure debug: Add a non-secure debug state to relax security constraints.
-
Debug Mode entry: An external debugger can only halt the hart and enter debug mode when debug is allowed in current privilege mode.
-
Memory Access: Memory access from a hart’s point of view, using the Program Buffer or an Abstract Command, must be checked by the hart’s memory protection mechanisms as if the hart is running at debug access privilege level; memory access from the Debug Module using System Bus Access must be checked by a system memory protection mechanism, such as IOPMP or WorldGuard.
-
Register Access: Register access using the Program Buffer or an Abstract Command works as if the hart is running at debug access privilege level instead of M-mode privilege level. The debug CSRs (
dcsranddpc) are shadowed in supervisor domains while Smtdeleg/Sstcfg extensions expose the trigger CSRs to supervisor domains. -
Triggers: Triggers (with action=1) can only fire or match when external debug is allowed in the current privilege mode.
Abstract command |
A high-level Debug Module operation used to interact with and control harts |
Debug Access Privilege |
The privilege with which an Abstract Command or instructions in the Program Buffer access hardware resources |
Debug Mode |
An additional privilege mode to support off-chip debugging |
Hart |
A RISC-V hardware thread |
IOPMP |
Input-Output Physical Memory Protection unit |
M-mode |
The highest privileged mode in the RISC-V privilege model |
PMA |
Physical Memory Attributes |
PMP |
Physical Memory Protection unit |
Program buffer |
A mechanism that allows the Debug Module to execute arbitrary instructions on a hart |
Supervisor domain |
An isolated supervisor execution context defined in RISC-V Supervisor Domains Access Protection cite:[smmtt] |
Trace encoder |
A piece of hardware that takes in instruction execution information from a RISC-V hart and transforms it into trace packets |