

## RISC-V External Debug Security Specification

Version v0.5.0, 2024-07-02: Draft

## **Table of Contents**

| Preamble                                                                   | 1    |
|----------------------------------------------------------------------------|------|
| Copyright and license information                                          | 2    |
| Contributors                                                               | 3    |
| 1. Introduction                                                            | 4    |
| 1.1. Terminology                                                           | 4    |
| 2. External Debug Security Threat model                                    | 6    |
| 3. Sdsec (ISA extension)                                                   | 7    |
| 3.1. External Debug                                                        | 7    |
| 3.1.1. Machine Mode Debug Control                                          | 7    |
| 3.1.2. Supervisor Domain Debug Control                                     | 8    |
| 3.1.3. Debug Access Privilege                                              | 8    |
| Configuring dcsr for External Debugger Access Privileges                   | 8    |
| 3.1.4. Privilege Level Changing Instructions                               | 9    |
| 3.2. Trace                                                                 | 9    |
| M-Mode Trace Control                                                       | 9    |
| Supervisor Domain Trace Control                                            | 9    |
| 3.3. Trigger (Sdtrig)                                                      | . 10 |
| 3.3.1. M-mode accessibility to dmode                                       | . 10 |
| 3.3.2. External triggers                                                   | . 10 |
| 3.3.3. Trigger chain                                                       | . 11 |
| 3.3.4. Sdtrig CSR                                                          | . 11 |
| 3.4. Other CSR updates                                                     | . 12 |
| 3.4.1. Debug Control and Status (dcsr)                                     | . 12 |
| 3.4.2. Debug PC (dpc) and Debug Scratch Register (dscratch0 and dscratch1) | . 13 |
| 3.4.3. Sdsec CSR                                                           | . 13 |
| 4. Debug Module Security Extension (non-ISA extension)                     | . 14 |
| 4.1. External Debug Security Extensions Discovery                          | . 14 |
| 4.2. Halt                                                                  | . 14 |
| 4.3. Reset                                                                 | . 14 |
| 4.4. Keepalive                                                             | . 15 |
| 4.5. Abstract Commands                                                     | . 15 |
| 4.5.1. Relaxed Permission Check relaxedpriv                                | . 15 |
| 4.5.2. Address Translation aamvirtual.                                     | . 15 |
| 4.6. System Bus Access                                                     | . 15 |
| 4.7. Security Fault Error Reporting                                        | . 15 |
| 4.8. Update of Debug Module Status (dmstatus)                              | . 16 |
| Appendix A: Theory of Operation                                            | . 17 |
| A.1. Debug Module security control                                         | . 17 |

| A.2. Trace Encoder security control. | 18 |
|--------------------------------------|----|
| Bibliography                         | 19 |

## **Preamble**



This document is in the Development state

Expect potential changes. This draft specification is likely to evolve before it is accepted as a standard. Implementations based on this draft may not conform to the future standard.

## Copyright and license information

This specification is licensed under the Creative Commons Attribution 4.0 International License (CC-BY 4.0). The full license text is available at creativecommons.org/licenses/by/4.0/.

Copyright 2023-2024 by RISC-V International.

## **Contributors**

This RISC-V specification has been contributed to directly or indirectly by (in alphabetical order): Aote Jin (editor), Beeman Strong, Gokhan Kaplayan, Greg Favor, Iain Robertson, Joe Xie (editor), Ravi Sahita, Robert Chyla, Ved Shanbhogue, Vicky Goode

## **Chapter 1. Introduction**

Debugging and tracing are essential tools utilized by developers to identify and rectify software and hardware issues, optimize performance, and ensure robust system functionality. The debugging and tracing extensions in RISC-V ecosystem play a pivotal role in enabling these capabilities, allowing developers to monitor and control the execution of programs during the development, testing and production phases. However, the current RISC-V Debug and trace specification grants the external debugger highest privilege in the system, regardless of the privilege level at which the target system is running. It leads to privilege escalation issues when multiple actors are present.

This specification defines non-ISA extension Debug Module Security Extension (non-ISA extension) and ISA extension Sdsec (ISA extension) to address the above security issues in the current *The RISC-V Debug Specification* [1] and trace specifications [2] [3].

Below list summarizes changes introduced by *RISC-V External Debug Security Specification*:

- **Per-Hart Debug Control:** Introduce per-hart control knobs to control whether external debug is allowed in machine mode and/or supervisor domains [4]
- **Debug Mode:** External debugger can only halt the hart and enter debug mode when debug is allowed in current privilege mode; all operations are executed with debug access privilege instead of machine mode privilege
- Memory Access: Memory access from a hart's point of view using a Program Buffer or the
  Abstract Command must be checked by the hart's memory protection mechanisms as if the hart
  is running at debug access privilege; memory access from Debug Module using System Bus
  Access block without involving a hart must be checked by system memory protection
  mechanism, such as IOPMP or WorldGuard
- **Register Access:** Register access using Program Buffer or the Abstract Command works as if the hart is running in debug access privilege instead of machine mode privilege
- **Triggers:** Triggers (with action=1) can only fire or match when external debug is allowed in current privilege
- **Per-Hart Trace Control:** Introduce per-hart knobs to control whether tracing is allowed in machine mode and supervisor domains

## 1.1. Terminology

| Abstract command          | A high-level command in Debug Module used to interact with and control harts                            |
|---------------------------|---------------------------------------------------------------------------------------------------------|
| Debug Access<br>Privilege | The privilege with which abstract commands or instructions in program buffers access hardware resources |
| Debug Mode                | An additional privilege mode to support off-chip debugging                                              |
| Hart                      | A RISC-V hardware thread                                                                                |
| IOPMP                     | Input-Output Physical Memory Protection unit                                                            |
| Machine mode              | The highest privileged mode in the RISC-V privilege model                                               |

| PMA               | Physical Memory Attributes                                                                                                  |
|-------------------|-----------------------------------------------------------------------------------------------------------------------------|
| PMP               | Physical Memory Protection unit                                                                                             |
| Program buffer    | A buffer in Debug Module to execute arbitrary instructions on a hart                                                        |
| Supervisor domain | A isolated supervisor execution context defined in RISC-V Supervisor Domains Access Protection [4]                          |
| Trace encoder     | A piece of hardware that takes in instruction execution information from a RISC-V hart and transforms it into trace packets |

## Chapter 2. External Debug Security Threat model

Modern SoC development consists of several different actors who may not trust each other, resulting in the need to isolate actors' assets during the development and debugging phases. The current RISC-V Debug specification [1] grants external debuggers the highest privilege in the system regardless of the privilege level at which the target system is running. This leads to privilege escalation issues when multiple actors are present.

For example, the owner of a SoC, who needs to debug their machine mode firmware, may be able to use the external debugger to bypass PMP lock (pmpcfg.L=1) and attack Boot ROM (the SoC creator's asset).

Additionally, RISC-V privilege architecture supports multiple software entities or "supervisor domains" that do not trust each other. The supervisor domains are managed by secure monitor running in machine mode, they are isolated from each other by PMP/IOPMP and they may need different debug policies. The entity that owns secure monitor wants to disable external debug when shipping the secure monitor, however, the entity that owns the supervisor domain needs to enable external debug to develop the supervisor domain. Since the external debugger will be the granted highest privilege in the system, a malicious supervisor domain will be able to compromise machine mode secure monitor with the external debugger.

## Chapter 3. Sdsec (ISA extension)

This chapter introduces Sdsec ISA extension, which enhances the Sdext of *The RISC-V Debug Specification* [1]. The Sdsec extension provides privilege based protection for debug operations and trigger behaviors [1]. Furthermore, it constrains trace functionality [2] according to RISC-V privilege levels.

### 3.1. External Debug

Chapter 3 of *The RISC-V Debug Specification* [1] outlines all mandatory and optional debug operations. The operations listed below are affected by the Sdsec extension, other operations remain unaffected. In the context of this chapter, **debug operations** refer to those listed below.

Debug operations affected by Sdsec extension

- Halting the hart to enter Debug Mode
- Executing Program buffer
- Serving abstract commands (Access Register, Quick Access, Access Memory)

When the external debug is disallowed in running privilege level, the hart behaves as the following:

- The hart will not enter Debug Dode on halt request (haltreq), single step or halt group. Halt request will be pending until debug is allowed again
- Triggers (with action=1) will not match or fire
- Abstract commands without halting (Access Register and Quick Access) will be dropped and set cmderr to 6

The subsequent subsections describe how external debug is authorized by machine mode debug control and supervisor domain debug control.



A pending request to enter Debug Mode can dynamically change from a disallowed state to an allowed state due to updates in debug controls. For example, once the software completes executing confidential code, it can grant debuggability for an external debugger. Afterwards, the software can enter a while(1) loop, waiting for the debugger to take control and break out of the loop.

#### 3.1.1. Machine Mode Debug Control

An input port, named mdbgen[i], is introduced to control the debuggability of machine mode for each hart i. This signal is propagated to the hart i and Debug Module as depicted in Figure 1. When mdbgen[i] is set to 1, the following rules apply:

- The debug access privilege for the hart can be configured to any legal privilege level
- The debug operations are permitted when hart i executes in all modes
- Register access without halting the hart carries M-mode privilege if supported

When mdbgen[i] is set to 0, the debug operations are disallowed and the behaviros applies when the hart runs in machine mode.



For a homogeneous computing system, the implementation can consolidate all mdbgen[i] into a single port to enforce a unified debug policy across all harts.

#### 3.1.2. Supervisor Domain Debug Control

The Smsdedbg extension [4] introduces sdedbgalw field (bit 7) in CSR msdcfg to control the debuggability of supervisor domains. The sdedbgalw along with mdbgen[i] determines the debug allowed privilege levels, as illustrated in Table 1. The debug access privilege can only be configured to debug allowed levels.

Table 1. External debug allowed privilege levels per debug controls

| mdbgen[i] | sdedbgalw  | Debug allowed privilege levels |
|-----------|------------|--------------------------------|
| 1         | Don't care | All                            |
| 0         | 1          | All except M                   |
| 0         | 0          | None                           |

When debug is allowed in supervisor domain, debug operations are allowed when hart executes in supervisor domain. The register access without halting the hart carries supervisor mode privilege if supported.

#### 3.1.3. Debug Access Privilege

The **debug access privilege** is defined as the privilege level granted to the external debugger to access hardware resources with abstract commands or program buffers. Memory and register accesses from Debug Mode also carry **debug access privilege** instead of always with M-mode. The **debug access privilege** is represented by the prv and v fields in dcsr. The legal privilege levels programmable to dcsr in Debug Mode are elaborated in Section 3.1.3.1. Debugger accesses to registers and memory will checked by permission check mechanisms against **debug access privilege**, and trigger traps if they violate corresponding rules.

#### Configuring dcsr for External Debugger Access Privileges

The dcsr (at 0x7b0) is always accessible in Debug Mode and the prv and v fields in the dcsr have been modified to authorize privilege for external debug accesses. Upon transitioning into Debug Mode, the prv and v fields are updated to the privilege level the hart was previously operating in. The maximum debug privilege level that can be configured in prv and v is determined in Table 2. The fields retain legal values when the prv and v are configured with an illegal privilege level. Illegal privilege levels include unsupported levels and any level higher than the maximum allowed debug privilege. When the hart resumes from Debug Mode, the current privilege mode and virtualization mode are changed to that specified by prv and v.

Table 2. Determining maximum debug access privilege with mdbgen[i] and sdedbgalw

| mdbgen[i] | sdedbgalw  | Maximum debug privilege allowed |
|-----------|------------|---------------------------------|
| 1         | Don't care | M                               |
| 0         | 1          | S(HS)                           |
| 0         | 0          | None                            |



As the prv and v fields in dcsr are Write Any Read Legal (WARL) fields, the external debugger is able to read back the written value to determine the maximum debug privilege level.

#### 3.1.4. Privilege Level Changing Instructions

The RISC-V Debug Specification [1] defines that the instructions that change the privilege mode have UNSPECIFIED behavior when executed within the Program Buffer, with exception of the ebreak instruction. In Sdsec, those instructions including mret, sret, uret, ecall, must either act as NOP or trigger an exception (stopping execution and setting cmderr to 3) in Program Buffer. Notably, these instructions retain their normal functionality during single stepping.

#### 3.2. Trace

When Sdsec is supported, the optional sideband signal to trace encoder, sec\_check[i] [2], must be implemented for each hart i, and this signal must be reset to 1 (disabled). The sec\_check[i] signal is only cleared when trace is allowed by machine mode trace control and/or supervisor domain trace control.

#### M-Mode Trace Control

For each hart i, an input port, mtrcen[i], controls M-mode trace availability. Setting mtrcen[i] to 1 enables machine mode and supervisor domain trace by clearing the sec\_check[i] signal to 0 across all privilege levels. Conversely, if mtrcen[i] is set to 0, the sec\_check[i] signal cannot be cleared when the hart runs in machine mode.



For a homogeneous computing system, similar to machine mode debug control, the implementation can consolidate all mtrcen[i] into a single port to constrain trace capability across all harts.

#### **Supervisor Domain Trace Control**

The Smsdetrc extension introduces sdetrcalw field (bit 8) in CSR msdcfg within hart i. The sec\_check[i] signal for hart i in supervisor domain is determined by the sdetrcalw field and mtrcen[i]. When the logical-OR of sdetrcalw and mtrcen[i] is 1, the sec\_check[i] signal is cleared while the hart runs in supervisor domain.

When both sdetrcalw and mtrcen[i] are set to 0, the sec\_check[i] signal cannot be cleared at all.

Table 3. Status of the sec\_check[i] sideband signal across privilege levels

| mtrcen | sdetrcalw | Machine mode     | Supervisor domain |  |  |
|--------|-----------|------------------|-------------------|--|--|
| 1      | X         | sec_check[i] = 0 | sec_check[i] = 0  |  |  |
| 0      | 1         | sec_check[i] = 1 | sec_check[i] = 0  |  |  |
| 0      | 0         | sec_check[i] = 1 | sec_check[i] = 1  |  |  |



The sec\_check signal serves as an additional signal for the trace module, indicating that trace output is prohibited due to security controls. Functionally, sec\_check behaves identically to the halted signal. Both sec\_check and halted signals cannot be active simultaneously. Reserved for future applications, the combined state of [sec\_check, halted] as 0b11 remains unutilized. In cases where a trace module lacks support for the sec\_check signal, the hart may alternatively toggle the halted signal to restrict trace output.

## 3.3. Trigger (Sdtrig)

Triggers configured to enter Debug Mode can only fire or match when external debug is allowed, as outlined in Table 1. A trigger enabled for a privilege level higher than debug allowed privilege is not accessible by an external debugger. When this trigger is selected using tselect, it always reads as 0, and any writes to it are ignored.



Implementations shall make sure that pending triggers intending to enter Debug Mode match or fire before the privilege mode switch, thus the hart will never enter Debug Mode in higher privilege mode with debug disallowed

#### 3.3.1. M-mode accessibility to dmode

When Sdsec extension is implemented, dmode is read/write for both M-mode and Debug Mode when mdbgen[i] is 0 and remains only accessible to Debug Mode when mdbgen[i] is 1



The dmode being read/write allows M-mode to switch trigger context. The trigger can form a side-channel to debug disallowed supervisor domains from a debug allowed supervisor domain if the trigger context is not switched. Although the trigger cannot fire or match in disallowed supervisor domain to enter Debug Mode, the malicious debugger can exploit it by setting a trigger to raise breakpoint exception (action = 0) when it is in debug allowed supervisor domain. If the trigger hits in debug disallowed supervisor domain, the external debugger can indirectly observe the executed PC, accessed memory address or read/write data in debug disallowed supervisor domain by the checking value in hit0/hit1. As the dmode is accessible when mdbgen[i] is 0, such attack can be mitigated by having M-mode firmware switch the trigger context at supervisor domain boundary.

#### 3.3.2. External triggers

The external trigger outputs (with action = 8/9) will not fire or match when the privilege level of the hart exceeds debug allowed privilege as specified in Table 1.

The external trigger input can be driven by any input signals, e.g. the external trigger output from another hart or interrupt signals etc. The input signals cause the trigger to fires only when the hart is allowed to debug. The initiators of these signals are responsible for determining whether the signal is allowed to assert. For example, if the external trigger input of hart i is connected to external trigger output of hart j. The assertion of output signal from hart j is determined by its own allowed privilege level for debug. The output signal of hart j must not assert when debug is disallowed. Similarly, signals from other module in the system are managed by the individual module. When the module is not allowed to debug, the signal connected to external trigger input must not be asserted.

#### 3.3.3. Trigger chain

The privilege level of the trigger chain is determined by the trigger enabled for the highest privilege level inside the chain. The entire trigger chain cannot be modified if the chain privilege level exceeds debug allowed privilege level.



This represents a balance between usability and hardware complexity. There may be instances where the triggers are linked across different privilege levels (e.g., from S-mode to M-mode), while the external debugger may only have access with S-mode privilege. The external debugger should not modify the chain, because it could be suppressed or incorrectly match or fire in M-mode.

#### 3.3.4. Sdtrig CSR

The CSRs tcontrol, scontext, hcontext, mcontext, and mscontext must follow access rules defined in debug access privilege. Meanwhile, tselect, tdata1, tdata2, tdata3 are read/write when debug is allowed. The below table illustrates the accessibliby for Sdtrig CSRs.

Table 4. Trigger CSR accessibility in Debug Mode

| Register         | without Sdsec | with Sdsec                         |
|------------------|---------------|------------------------------------|
| tselect(0x7a0)   | Always        | mdbgen[i] == 1    sdedbgalw == 1   |
| tdata1(0x7a1)    | Always        | mdbgen[i] == 1    sdedbgalw == 1   |
| tdata2(0x7a2)    | Always        | mdbgen[i] == 1    sdedbgalw == 1   |
| tdata3(0x7a3)    | Always        | mdbgen[i] == 1    sdedbgalw == 1   |
| tinfo(0x7a4)     | Always        | mdbgen[i] == 1    sdedbgalw == 1   |
| tcontrol(0x7a5)  | Always        | access with debug access privilege |
| scontext(0x5a8)  | Always        | access with debug access privilege |
| hcontext(0x6a8)  | Always        | access with debug access privilege |
| mcontext(0x7a8)  | Always        | access with debug access privilege |
| mscontext(0x7aa) | Always        | access with debug access privilege |

Below fields in mcontrol, mcontrol6, icount, itrigger, etrigger, and tmexttrigger must follow the access rule specified in the table.

Table 5. Tdata1 fields accessibility against privilege granted to external debugger

| Field | Accessibility                    |
|-------|----------------------------------|
| m     | mdbgen[i] == 1                   |
| S     | mdbgen[i] == 1    sdedbgalw == 1 |
| u     | mdbgen[i] == 1    sdedbgalw == 1 |
| vs    | mdbgen[i] == 1    sdedbgalw == 1 |
| vu    | mdbgen[i] == 1    sdedbgalw == 1 |

The intctl and sselect fields in tmexttrigger are redifined as follows.

Table 6. Redefinition of field intctl and sselect within tmexttrigger

| Field   | Description                                                                                                                                                                                                | Access | Reset |
|---------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-------|
| intctl  | This optional bit, when set, causes this trigger to fire whenever an attached interrupt controller signals a trigger. the field is only configurable when mdbgen[i] is set to 1.                           | WLRL   | 0     |
| sselect | Selects any combination of up to 16 Trigger Module external trigger inputs that cause this trigger to fire The legal value must be constrained by mdbgen[i] and sdedbgalw according to trigger input type. | WLRL   | 0     |

## 3.4. Other CSR updates

#### 3.4.1. Debug Control and Status (dcsr)

The dcsr is always accessible in Debug Mode. The access rules for field prv and v are addressed in subsection Section 3.1.3.1. Beside prv and v, the accessibility of remaining fields are listed in the following table.

Table 7. Dcsr fields accessibility against privilege granted to external debugger

| Field    | Accessibility                    |
|----------|----------------------------------|
| ebreakvs | mdbgen[i] == 1    sdedbgalw == 1 |
| ebreakvu | mdbgen[i] == 1    sdedbgalw == 1 |
| ebreakm  | mdbgen[i] == 1                   |
| ebreaks  | mdbgen[i] == 1    sdedbgalw == 1 |
| ebreaku  | mdbgen[i] == 1    sdedbgalw == 1 |
| stepie   | mdbgen[i] == 1                   |
| stoptime | mdbgen[i] == 1                   |
| mprven   | mdbgen[i] == 1                   |
| nmip     | mdbgen[i] == 1                   |

#### 3.4.2. Debug PC (dpc) and Debug Scratch Register (dscratch0 and dscratch1)

Debug PC (at 0x7b1) and Debug Scratch Register (at 0x7b2 and 0x7b3) are not restricted by debug access privilege, they are always accessible in Debug Mode.

#### 3.4.3. Sdsec CSR

The Sdsec extension does not introduce any new CSR. The CSR control knobs in msdcfg for supervisor domain debug and trace are specified in Smsdedbg and Smsdetrc extension respectively in *RISC-V Supervisor Domains Access Protection* [4]. The Smsdedbg and/or Smsdetrc extension must be implemented to support security control for debugging and/or tracing in supervisor domain.

# Chapter 4. Debug Module Security Extension (non-ISA extension)

This chapter outlines the security enhancements defined for the Debug Module as non-ISA extension. The debug operations listed below are modified by the non-ISA extension. All features in this chapter must be implemented in Debug Module to achieve external debug security. If any hart in the system implements the Sdec extension, the Debug Module must also implement the non-ISA extension.

- Halt
- Reset
- Keepalive
- Abstract commands (Access Register, Quick Access, Access Memory)
- · System bus access

## 4.1. External Debug Security Extensions Discovery

The ISA and non-ISA external debug security extensions impose security constraints and introduce non-backward-compatible changes. The presence of the extensions can be determined by polling the allsecured or/and anysecured bits in dmstatus Table 8. If the field allsecured or anysecured is set to 1, it represents that all or any selected harts adopt the Sdsec extension. When any hart adopts the Sdsec extension, it indicates the Debug Module implements Debug Module Security Extension as described in this chapter.

#### 4.2. Halt

The halt behavior for a hart is detailed in Section 3.1. According to *The RISC-V Debug Specification* [1], a halt request must be responded within one second. However, this constraint must be eliminated as the request might be pending due to the situations where debugging is disallowed. Additionally, when machine mode is not permitted (mdbgen[i] set to 0) to engage in debugging, the halt-on-reset (resethaltreq) operation must fail and raise security fault error. The debugger could check the error by polling allsecfault or/and anysecfault fields in dmstatus for selected harts, as specified in Table 8.

#### **4.3.** Reset

The hartreset operation resets selected harts. This operation must be prohibited when machine mode is not allowed to be debugged. The security fault error will be raised if the operation is issued when mdbgen[i] is 0. The debugger could monitor the error by polling allsecfault or/and any secfault in dmstatus.

The ndmreset operation is a system-level reset not tied to hart privilege levels and reset the entire system (excluding the Debug Module). It can only be secured by the system. Thus, it must be defeatured. The debugger can determine support for the ndmreset operation by setting the field to 1

and subsequently verifying the returned value upon reading.

## 4.4. Keepalive

The keepalive operation serves as an optional request for the hart to remain available for debugger. It is only allowed when machine mode is permitted to debug. Otherwise, it causes a security fault error when mdbgen[i] is 0, indicated by allsecfault or/and anysecfault bits in dmstatus.

### 4.5. Abstract Commands

The hart response to abstract commands is detailed in Section 3.1. The following subsection delineates the constraints when the Debug Module issues the abstract commands.

#### 4.5.1. Relaxed Permission Check relaxedpriv

relaxedpriv is hardwired to 0

#### 4.5.2. Address Translation aamvirtual

The field aamvirtual in command (at 0x17 in Debug Module) determines whether physical or virtual address translation is employed. When mdbgen[i] is 0, the extension mandates that aamvirtual is hardwire to 1 and memory access addresses are processed as if initiated by the hart in debug access privilege.

### 4.6. System Bus Access

The System Bus Access must be checked by bus initiator protection mechanisms such as IOPMP [5], WorldGuard [6]. The bus protection unit can return error to Debug Module on illegal access, in that case, Debug Module will set sberror to 6 (security fault error).



Trusted entities like RoT should configure IOPMP or equivalent protection before granting debug access to machine mode. Similarly, machine mode should apply the protection before enabling supervisor domain debug.

## 4.7. Security Fault Error Reporting

A dedicated error code, security fault error (cmderr 6), is included in cmderr of abstractcs (at 0x16 in Debug Module). Misconfigurations of the dcsr and issuance of abstract commands under disallowed circumstance can signify such an error. Additionally, the bus security fault error (sberror 6) is introduced in sberror of sbcs (at 0x38 in Debug Module) to denote errors related to system bus access.

The error raised by resethaltreq, reset and keepalive can be identified through the fields allsecfault and anysecfault in dmstatus. The security fault errors must be detectable prior to any subsequent read of the register responsible for reporting the error. Error statuses are internally maintained for each hart, with the allsecfault and anysecfault fields indicating the error status of the currently selected harts. Any error indicated by allsecfault and anysecfault remains until

updated through a successful resethaltreq, reset or keepalive operation.



While the resethaltreq, reset, and keepalive operations can potentially take a significant amount of time to complete depending on the implementation, the error status can be immediately reported via following read of allsecfault/anysecfault if the operation is prohibited. Therefore, if a read of allsecfault/anysecfault indicates no error, it suggests that the operation is allowed and either currently in progress or has been successfully executed.

## 4.8. Update of Debug Module Status (dmstatus)

|            | 31         |    |   |       | 27             | 26            | 25          | 24    |                | 22   |
|------------|------------|----|---|-------|----------------|---------------|-------------|-------|----------------|------|
|            |            | '  | 0 |       |                | allsecfault   | anysecfault | defin | ed in Debug Mo | dule |
| 21         | 20         | 19 | • |       |                |               | •           | •     |                | 11   |
| allsecured | anysecured |    |   |       | defin          | ed in Debug M | odule       |       |                |      |
| 10         |            |    |   | •     |                |               | •           |       |                | 0    |
|            |            |    |   | defin | ed in Debug Mo | odule         |             |       |                |      |

Register 1: Newly introduced fields in dmstatus

Table 8. Details of newly introduced fields in dmstatus

| Field       | Description                                                                                                      | Access | Reset |
|-------------|------------------------------------------------------------------------------------------------------------------|--------|-------|
| allsecured  | The field is 1 when all currently selected harts implement Sdsec extension                                       | R      | -     |
| anysecured  | The field is 1 when any currently selected hart implements Sdsec extension                                       | R      | -     |
| allsecfault | The field is 1 when all currently selected harts have raised security fault due to reset or keepalive operation. | R      | -     |
| anysecfault | The field is 1 when any currently selected hart has raised security fault due to reset or keepalive operation.   | R      | -     |

## **Appendix A: Theory of Operation**

This chapter explains the theory of operation for the External Debug Security Extension. The subsequent diagram illustrates the reference implementation of security control for the Debug Module and trace encoder, respectively.

## A.1. Debug Module security control

As outlined in the specification, the security control on the Debug Module can vary for each hart. The dedicated security policy for hart i is enforced by the input port mdbgen[i] and the sdedbgalw field inside CSR msdcfg. The security control logic examines all debug operations and triggers (with action=1) firing/matching based on mdbgen[i], sdedbgalw, and the privilege level of the hart. The failed action will either be dropped or pending. Additionally, the platform-specific external trigger inputs must obey to platform constraints, which must be carefully handled by platform owner. The mdbgen[i] can be bundled in an MMIO (Memory-Mapped I/O) outside the hart, such as in the Debug Module, or implemented as fuses.

The privilege level of the hart is determined by code execution, while the debug requests are validated against the privilege level generated by the hart. This process involves two actors, which may lead to a potential Time-of-Check Time-of-Use (TOCTOU) issue. To mitigate this, the implementation must ensure that the inspection and execution of debug requests occur within the same privilege level of the hart. Failure to do so could result in debug requests bypassing access controls intended for higher privilege levels. If the accesses fail the security check, it must prompt an immediate termination of access to prevent any information leakage.

When the external debugger is stepping through an instruction that triggers a transition to a higher privilege level, the security control logic must verify against debug capability according to Table 1 before entering Debug Mode. If debugging is permitted, the hart re-enters Debug Mode after executing the instruction. Otherwise, the hart continues executing with the pending single step request until it becomes debuggable and can re-enter Debug Mode. In scenarios where multiple supervisor domains are debuggable, the secure monitor in machine mode may switch the context during single stepping. In such cases, the debugger might stop in a different application than the original one. Users of the debugger should be mindful of this possibility.

Application-level debugging is primarily accomplished through self-hosted debugging, allowing the management of debug policies at the supervisor/hypervisor level. As a result, user-level debugging management is not addressed within this extension.



Figure 1. The security control on Debug Module

## A.2. Trace Encoder security control

Similar to the Debug Module, the trace encoder is controlled by the mtrcen[i] and sdetrcalw in CSR msdcfg for each hart i. The halted sideband signal to the trace encoder is determined by Table 3.



Figure 2. The security control on trace module

## **Bibliography**

- [1] "RISC-V Debug Specification." [Online]. Available: github.com/riscv/riscv-debug-spec.
- [2] "RISC-V Efficient Trace for RISC-V." [Online]. Available: github.com/riscv-non-isa/riscv-trace-spec.
- [3] "RISC-V N-Trace (Nexus-based Trace) Specification." [Online]. Available: github.com/riscv-non-isa/tg-nexus-trace.
- [4] "RISC-V Supervisor Domains Access Protection." [Online]. Available: github.com/riscv/riscv-smmtt.
- [5] "RISC-V IOPMP Architecture Specification." [Online]. Available: github.com/riscv-non-isa/iopmp-spec/releases.
- [6] "WorldGuard Specification." [Online]. Available: github.com/riscv-admin/security/blob/main/papers/worldguard%20proposal.pdf.