# Confidential Computing on RISC-V platforms (update)

Ravi Sahita

August 8, 2025







# Confidential Computing on RISC-V







# RISC-V Priv. ISA and Supervisor Domains ISA Extension



Supervisor Domains extend the RISC-V privileged ISA to enable isolated supervisor contexts.





# Memory Isolation Model (Smmpt)







### Secure Interrupts (Smsdia - extends RISC-V Advanced Interrupt Arch.)



Figure: Smsdia-defined CSRs and controls in bold

Via the sub-extension Smgeien, a subset of the guest interrupt files within a supervisor interrupt domain may be made accessible to another supervisor domain.





#### Non-ISA: Platform IO and Data Protection

Devices may be assigned to supervisor domains

IOMPT composes with RISC-V IOPMP, IOMMU, Smmpt for direct device assignment to supervisor domains

Enables compatibility with PCIe & CXL standard interfaces for TEE-IO







#### Non-ISA: SW - CoVE ABI and Ref. Arch.



**Spec in reviews towards STABLE** 





# CoVE-IO



**Spec in reviews towards STABLE** 

https://github.com/riscv-non-isa/riscv-ap-tee-io/releases/download/v0.2.0/riscv-cove-io-v0.2.0.pdf





#### CoVE ABI

Spec releases: https://github.com/riscv-non-isa/riscv-ap-tee/releases

The slide groups the SBI calls by TVM lifecycle phase (Pre-build, TVM build, TVM exec, TVM attestation); they are listed here by SBI extension.

COVH (host interface):

- sbi\_covh\_get\_tsm\_info
- sbi\_covh\_convert\_pages
- sbi\_covh\_reclaim\_pages
- sbi\_covh\_global\_fence
- sbi\_covh\_local\_fence
- sbi\_covh\_finalize\_tvm
- sbi\_covh\_destroy\_tvm
- sbi\_covh\_add\_tvm\_memory\_region
- sbi\_covh\_add\_tvm\_page\_table\_pages
- sbi\_covh\_add\_tvm\_measured\_pages
- sbi\_covh\_add\_tvm\_shared\_pages
- sbi\_covh\_add\_tvm\_zero\_pages
- sbi\_covh\_create\_tvm\_vcpu
- sbi\_covh\_run\_tvm\_vcpu
- sbi\_covh\_tvm\_fence
- sbi\_covh\_tvm\_invalidate\_pages
- sbi\_covh\_tvm\_validate\_pages
- sbi\_covh\_tvm\_remove\_pages

COVI (interrupt / AIA interface):

- sbi\_covi\_init\_tvm\_aia
- sbi\_covi\_set\_tvm\_aia\_cpu\_imsic\_addr
- sbi\_covi\_convert\_tvm\_aia\_imsic
- sbi\_covi\_reclaim\_tvm\_aia\_imsic
- sbi\_covi\_bind\_aia\_imsic
- sbi\_covi\_unbind\_aia\_imsic\_begin
- sbi\_covi\_unbind\_aia\_imsic\_end
- sbi\_covi\_rebind\_aia\_imsic\_begin
- sbi\_covi\_rebind\_aia\_imsic\_clone
- sbi\_covi\_rebind\_aia\_imsic\_end
- sbi\_covi\_inject\_tvm\_cpu

COVG (guest interface):

- sbi\_covg\_add\_mmio\_region
- sbi\_covg\_remove\_mmio\_region
- sbi\_covg\_share\_memory\_region
- sbi\_covg\_unshare\_memory\_region
- sbi\_covg\_allow\_external\_interrupt
- sbi\_covg\_deny\_external\_interrupt
- sbi\_covg\_get\_attcaps
- sbi\_covg\_extend\_measurement
- sbi\_covg\_get\_evidence
- sbi\_covg\_read\_measurement





## ISA, non-ISA emulation work items

The Supervisor Domains spec is at v0.4: stable, with ARC review updates incorporated for the baseline ISA.

#### ISA Emulation

- Memory & State Isolation (Smsdid, Smmpt)
- AIA and Interrupt Isolation (Smsdia)
- QoS (Smqosid CSR emulation)

#### Non-ISA HW Emulation (IO)

- IO-MPT (use existing IOMMU model)







## ISA, non-ISA SW work items to test emulation

- Extending prior work on Smmpt emulation in QEMU - work started by Gregor Haas (<u>link</u>)
  - Support all deployment models 1 (TSM as HS-peer), 2 (TSM as HS) and 3 (TSM in M-mode)
- Supporting code for OpenSBI, kvm-unit-tests to test the QEMU changes
  - Tests create two domains
  - Tests memory access control for different page sizes
  - Invalidation of permissions







# CoVE ABI (SBI Ext) work items

- Linux KVM Host, KVMtool
  - TVM creation, runtime and teardown
  - Future TEE-IO updates for TVM direct-IO

#### TEE Security Manager (TSM) updates

- COVH, COVG, COVI
- Coordinate with pKVM







#### Attestation

- RoT (Platform specific)
  - Security model recommends DICE measurement interfaces for Secure boot, TSM measurement
  - TSM implements COVG TVM measurement and COVG for fetching attestation payload
- Format of remote attestation payload documented in CoVE spec.
  - The CoVE Attestation Evidence uses the IETF Entity Attestation Token, formatted as CWT
  - Attestation certificate can be either CBOR-formatted or X.509.







# PoCs & open tasks

- Updates to QEMU, kvm-unit-tests, OpenSBI (<u>link</u>)
- Start effort on Spike, SAIL, ACT
- 2 RVI/RISE workstreams: pKVM (client) and TSM as HS-peer (data-center) for CoVE & CoVE-IO
- OpenSBI changes for MPT management, context switching (message format for MPXY), KVM tests
- **Linux TEE-IO interfaces**
- TSM dynamic updates



