1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
|
\chapter{Machine-Level ISA, version \privrev}
\label{machine}
This chapter describes the machine-level operations available in
machine-mode (M-mode), which is the highest privilege mode in a RISC-V
system. M-mode is the only mandatory privilege mode in a RISC-V
hardware implementation. M-mode is used for low-level access to a
hardware platform and is the first mode entered at reset. M-mode can
also be used to implement features that are too difficult or expensive
to implement in hardware directly. The RISC-V machine-level ISA
contains a common core that is extended depending on which other
privilege levels are supported and other details of the hardware
implementation.
\section{Machine-Level CSRs}
In addition to the machine-level CSRs described in this section,
M-mode code can access all CSRs at lower privilege levels.
\subsection{Machine ISA Register {\tt misa}}
The {\tt misa} CSR is a \warl\ read-write register
reporting the ISA supported by the hart. This register must be
readable in any implementation, but a value of zero can be returned to
indicate the {\tt misa} register has not been implemented, requiring
that CPU capabilities be determined through a separate non-standard
mechanism.
\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{c@{}c@{}L}
\instbitrange{MXLEN-1}{MXLEN-2} &
\instbitrange{MXLEN-3}{26} &
\instbitrange{25}{0} \\
\hline
\multicolumn{1}{|c|}{MXL[1:0] (\warl)} &
\multicolumn{1}{c|}{\wiri} &
\multicolumn{1}{c|}{Extensions[25:0] (\warl)} \\
\hline
2 & MXLEN-28 & 26 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine ISA register ({\tt misa}).}
\label{misareg}
\end{figure*}
The MXL (Machine XLEN) field encodes the native base integer ISA width
as shown in Table~\ref{misabase}. The MXL field may be writable in
implementations that support multiple base ISA widths. The effective
XLEN in M-mode, {\em MXLEN}, is given by the setting of MXL, or has a
fixed value if {\tt misa} is zero. The MXL field is always set to the
widest supported ISA variant at reset.
\begin{table*}[h!]
\begin{center}
\begin{tabular}{|r|r|}
\hline
MXL & XLEN \\
\hline
1 & 32 \\
2 & 64 \\
3 & 128 \\
\hline
\end{tabular}
\end{center}
\caption{Encoding of MXL field in {\tt misa}}
\label{misabase}
\end{table*}
The {\tt misa} CSR is MXLEN bits wide. If the value read from {\tt misa} is
nonzero, field MXL of that value always denotes the current MXLEN. If a write
to {\tt misa} causes MXLEN to change, the position of MXL moves to the
most-significant two bits of {\tt misa} at the new width.
\begin{commentary}
The base width can be quickly ascertained using branches on the sign
of the returned {\tt misa} value, and possibly a shift left by one and
a second branch on the sign. These checks can be written in assembly
code without knowing the register width (XLEN) of the machine. The
base width is given by $\mbox{XLEN}=2^{\mbox{MXL+4}}$.
The base width can also be found if {\tt misa} is zero, by placing the
immediate 4 in a register then shifting the register left by 31 bits
at a time. If zero after one shift, then the machine is RV32. If
zero after two shifts, then the machine is RV64, else RV128.
\end{commentary}
When MXL is set to a value less than the widest supported XLEN, all
operations must ignore source operand register bits above the
configured XLEN, and must sign-extend results to fill the entire
widest supported XLEN in the destination register.
\begin{commentary}
We require that operations always fill the entire underlying hardware
registers with defined values to avoid implementation-defined
behavior.
\end{commentary}
The Extensions field encodes the presence of the standard extensions,
with a single bit per letter of the alphabet (bit 0 encodes presence
of extension ``A'' , bit 1 encodes presence of extension ``B'',
through to bit 25 which encodes ``Z''). The ``I'' bit will be set for
RV32I, RV64I, RV128I base ISAs, and the ``E'' bit will be set for
RV32E. The Extension is a \warl\ field that can contain writable bits
where the implementation allows the supported ISA to be modified. At
reset, the Extension field should contain the maximal set of supported
extensions, and I should be selected over E if both are available.
The ``G'' bit is used as an escape to allow expansion to a larger
space of standard extension names.
\begin{commentary}
G is used to indicate the combination IMAFD, so is redundant in the
{\tt misa} CSR, hence we reserve the bit to indicate that
additional standard extensions are present.
\end{commentary}
The ``U'' and ``S'' bits will be set if there is support for user and
supervisor modes respectively.
The ``X'' bit will be set if there are any non-standard extensions.
\begin{table*}
\begin{center}
\begin{tabular}{|r|r|l|}
\hline
Bit & Character & Description \\
\hline
0 & A & Atomic extension \\
1 & B & {\em Tentatively reserved for Bit operations extension} \\
2 & C & Compressed extension \\
3 & D & Double-precision floating-point extension \\
4 & E & RV32E base ISA \\
5 & F & Single-precision floating-point extension \\
6 & G & Additional standard extensions present \\
7 & H & Hypervisor extension \\
8 & I & RV32I/64I/128I base ISA \\
9 & J & {\em Tentatively reserved for Dynamically Translated Languages extension} \\
10 & K & {\em Reserved} \\
11 & L & {\em Tentatively reserved for Decimal Floating-Point extension} \\
12 & M & Integer Multiply/Divide extension \\
13 & N & User-level interrupts supported \\
14 & O & {\em Reserved} \\
15 & P & {\em Tentatively reserved for Packed-SIMD extension} \\
16 & Q & Quad-precision floating-point extension \\
17 & R & {\em Reserved} \\
18 & S & Supervisor mode implemented \\
19 & T & {\em Tentatively reserved for Transactional Memory extension} \\
20 & U & User mode implemented \\
21 & V & {\em Tentatively reserved for Vector extension} \\
22 & W & {\em Reserved} \\
23 & X & Non-standard extensions present \\
24 & Y & {\em Reserved} \\
25 & Z & {\em Reserved} \\
\hline
\end{tabular}
\end{center}
\caption{Encoding of Extensions field in {\tt misa}. All bits that are
reserved for future use must return zero when read.}
\label{misaletters}
\end{table*}
\begin{commentary}
The {\tt misa} CSR exposes a rudimentary catalog of CPU features
to machine-mode code. More extensive information can be obtained in
machine mode by probing other machine registers, and examining other
ROM storage in the system as part of the boot process.
We require that lower privilege levels execute environment calls
instead of reading CPU registers to determine features available at
each privilege level. This enables virtualization layers to alter the
ISA observed at any level, and supports a much richer command
interface without burdening hardware designs.
\end{commentary}
Writing {\tt misa} may increase IALIGN, e.g., by disabling the ``C''
extension.
If an instruction that would write {\tt misa} increases IALIGN, and
the subsequent instruction's address is not IALIGN-bit aligned, the
write to {\tt misa} is suppressed, leaving {\tt misa} unchanged.
\clearpage
\subsection{Machine Vendor ID Register {\tt mvendorid}}
The {\tt mvendorid} CSR is a 32-bit read-only register providing
the JEDEC manufacturer ID of the provider of the core. This register
must be readable in any implementation, but a value of 0 can be
returned to indicate the field is not implemented or that this is a
non-commercial implementation.
\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{JS}
\instbitrange{31}{7} &
\instbitrange{6}{0} \\
\hline
\multicolumn{1}{|c|}{Bank} &
\multicolumn{1}{c|}{Offset} \\
\hline
25 & 7 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Vendor ID register ({\tt mvendorid}).}
\label{mvendorreg}
\end{figure*}
JEDEC manufacturer IDs are ordinarily encoded as a sequence of one-byte
continuation codes {\tt 0x7f}, terminated by a one-byte ID not equal to
{\tt 0x7f}, with an odd parity bit in the most-significant bit of each byte.
{\tt mvendorid} encodes the number of one-byte continuation
codes in the Bank field, and encodes the final byte in the Offset field,
discarding the parity bit. For example, the JEDEC manufacturer ID
{\tt 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x8a}
(twelve continuation codes followed by {\tt 0x8a}) would be encoded in the
{\tt mvendorid} field as {\tt 0x60a}.
\begin{commentary}
Previously the vendor ID was to be a number allocated by the RISC-V
Foundation, but this duplicates the work of JEDEC in maintaining a
manufacturer ID standard. At time of writing, registering a
manufacturer ID with JEDEC has a one-time cost of \$500.
\end{commentary}
\subsection{Machine Architecture ID Register {\tt marchid}}
The {\tt marchid} CSR is an MXLEN-bit read-only register encoding the
base microarchitecture of the hart. This register must be readable in
any implementation, but a value of 0 can be returned to indicate the
field is not implemented. The combination of {\tt mvendorid} and {\tt
marchid} should uniquely identify the type of hart microarchitecture
that is implemented.
\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{J}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{Architecture ID} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Architecture ID register ({\tt marchid}).}
\label{marchreg}
\end{figure*}
Open-source project architecture IDs are allocated globally by the
RISC-V Foundation, and have non-zero architecture IDs with a zero
most-significant-bit (MSB). Commercial architecture IDs are allocated
by each commercial vendor independently, but must have the MSB set and
cannot contain zero in the remaining MXLEN-1 bits.
\begin{commentary}
The intent is for the architecture ID to represent the
microarchitecture associated with the repo around which development
occurs rather than a particular organization. Commercial fabrications
of open-source designs should (and might be required by the license
to) retain the original architecture ID. This will aid in reducing
fragmentation and tool support costs, as well as provide attribution.
Open-source architecture IDs should be administered by the Foundation
and should only be allocated to released, functioning open-source
projects. Commercial architecture IDs can be managed independently by
any registered vendor but are required to have IDs disjoint from the
open-source architecture IDs (MSB set) to prevent collisions if a
vendor wishes to use both closed-source and open-source
microarchitectures.
The convention adopted within the following Implementation field can
be used to segregate branches of the same architecture design,
including by organization. The {\tt misa} register also helps
distinguish different variants of a design, as does the configuration
string if present.
\end{commentary}
\subsection{Machine Implementation ID Register {\tt mimpid}}
The {\tt mimpid} CSR provides a unique encoding of the version of the
processor implementation. This register must be readable in any
implementation, but a value of 0 can be returned to indicate that the
field is not implemented. The Implementation value should reflect the
design of the RISC-V processor itself and not any surrounding system.
\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{J}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{Implementation} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Implementation ID register ({\tt mimpid}).}
\label{mimpidreg}
\end{figure*}
\begin{commentary}
The format of this field is left to the provider of the architecture
source code, but will be often be printed by standard tools as a
hexadecimal string without any leading or trailing zeros, so the
Implementation value can be left-justified (i.e., filled in from
most-significant nibble down) with subfields aligned on nibble
boundaries to ease human readability.
\end{commentary}
\subsection{Hart ID Register {\tt mhartid}}
The {\tt mhartid} CSR is an MXLEN-bit read-only register
containing the integer ID of the hardware thread running the code.
This register must be readable in any implementation. Hart IDs might
not necessarily be numbered contiguously in a multiprocessor system,
but at least one hart must have a hart ID of zero.
\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{J}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{Hart ID}\\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Hart ID register ({\tt mhartid}).}
\label{mhartidreg}
\end{figure*}
\begin{commentary}
In certain cases, we must ensure exactly one hart runs some code
(e.g., at reset), and so require one hart to have a known hart ID of
zero.
For efficiency, system implementers should aim to reduce the magnitude
of the largest hart ID used in a system.
\end{commentary}
\subsection{Machine Status Register ({\tt mstatus})}
The {\tt mstatus} register is an MXLEN-bit read/write register
formatted as shown in Figure~\ref{mstatusreg-rv32} for RV32 and
Figure~\ref{mstatusreg} for RV64 and RV128. The {\tt mstatus}
register keeps track of and controls the hart's current operating
state. Restricted views of the {\tt mstatus} register appear as the
{\tt sstatus} and {\tt ustatus} registers in the S-level and U-level
ISAs respectively.
\begin{figure*}[h!]
{\footnotesize
\begin{center}
\setlength{\tabcolsep}{4pt}
\begin{tabular}{cKccccccc}
\\
\instbit{31} &
\instbitrange{30}{23} &
\instbit{22} &
\instbit{21} &
\instbit{20} &
\instbit{19} &
\instbit{18} &
\instbit{17} &
\\
\hline
\multicolumn{1}{|c|}{SD} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{TSR} &
\multicolumn{1}{c|}{TW} &
\multicolumn{1}{c|}{TVM} &
\multicolumn{1}{c|}{MXR} &
\multicolumn{1}{c|}{SUM} &
\multicolumn{1}{c|}{MPRV} &
\\
\hline
1 & 8 & 1 & 1 & 1 & 1 & 1 & 1 & \\
\end{tabular}
\begin{tabular}{cccccccccccccc}
\\
&
\instbitrange{16}{15} &
\instbitrange{14}{13} &
\instbitrange{12}{11} &
\instbitrange{10}{9} &
\instbit{8} &
\instbit{7} &
\instbit{6} &
\instbit{5} &
\instbit{4} &
\instbit{3} &
\instbit{2} &
\instbit{1} &
\instbit{0} \\
\hline
&
\multicolumn{1}{|c|}{XS[1:0]} &
\multicolumn{1}{c|}{FS[1:0]} &
\multicolumn{1}{c|}{MPP[1:0]} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{SPP} &
\multicolumn{1}{c|}{MPIE} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{SPIE} &
\multicolumn{1}{c|}{UPIE} &
\multicolumn{1}{c|}{MIE} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{SIE} &
\multicolumn{1}{c|}{UIE} \\
\hline
& 2 & 2 & 2 & 2 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine-mode status register ({\tt mstatus}) for RV32.}
\label{mstatusreg-rv32}
\end{figure*}
\begin{figure*}[h!]
{\footnotesize
\begin{center}
\setlength{\tabcolsep}{4pt}
\begin{tabular}{cRccYccccccc}
\\
\instbit{MXLEN-1} &
\instbitrange{MXLEN-2}{36} &
\instbitrange{35}{34} &
\instbitrange{33}{32} &
\instbitrange{31}{23} &
\instbit{22} &
\instbit{21} &
\instbit{20} &
\instbit{19} &
\instbit{18} &
\instbit{17} &
\\
\hline
\multicolumn{1}{|c|}{SD} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{SXL[1:0]} &
\multicolumn{1}{c|}{UXL[1:0]} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{TSR} &
\multicolumn{1}{c|}{TW} &
\multicolumn{1}{c|}{TVM} &
\multicolumn{1}{c|}{MXR} &
\multicolumn{1}{c|}{SUM} &
\multicolumn{1}{c|}{MPRV} &
\\
\hline
1 & MXLEN-37 & 2 & 2 & 9 & 1 & 1 & 1 & 1 & 1 & 1 & \\
\end{tabular}
\begin{tabular}{cccccccccccccc}
\\
&
\instbitrange{16}{15} &
\instbitrange{14}{13} &
\instbitrange{12}{11} &
\instbitrange{10}{9} &
\instbit{8} &
\instbit{7} &
\instbit{6} &
\instbit{5} &
\instbit{4} &
\instbit{3} &
\instbit{2} &
\instbit{1} &
\instbit{0} \\
\hline
&
\multicolumn{1}{|c|}{XS[1:0]} &
\multicolumn{1}{c|}{FS[1:0]} &
\multicolumn{1}{c|}{MPP[1:0]} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{SPP} &
\multicolumn{1}{c|}{MPIE} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{SPIE} &
\multicolumn{1}{c|}{UPIE} &
\multicolumn{1}{c|}{MIE} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{SIE} &
\multicolumn{1}{c|}{UIE} \\
\hline
& 2 & 2 & 2 & 2 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine-mode status register ({\tt mstatus}) for RV64 and RV128.}
\label{mstatusreg}
\end{figure*}
\subsection{Privilege and Global Interrupt-Enable Stack in {\tt mstatus} register}
\label{privstack}
Global interrupt-enable bits, MIE, SIE, and UIE, are provided for each
privilege mode. These bits are primarily used to guarantee atomicity
with respect to interrupt handlers in the current privilege mode.
\begin{commentary}
The global {\em x}IE bits are located in the low-order bits of {\tt mstatus},
allowing them to be atomically set or cleared with a single CSR
instruction.
\end{commentary}
When a hart is executing in privilege mode {\em x}, interrupts are
globally enabled when {\em x}\,IE=1 and globally disabled when {\em
x}\,IE=0. Interrupts for lower-privilege modes, {\em w}$<${\em x},
are always globally disabled regardless of the setting of the
lower-privilege mode's global {\em w}\,IE bit. Interrupts for
higher-privilege modes, {\em y}$>${\em x}, are always globally enabled
regardless of the setting of the higher-privilege mode's global {\em
y}\,IE bit. Higher-privilege-level code can use separate
per-interrupt enable bits to disable selected high-privilege-mode
interrupts before ceding control to a lower-privilege mode.
\begin{commentary}
A higher-privilege mode {\em y} could disable all of its interrupts
before ceding control to a lower-privilege mode but this would be
unusual as it would leave only a synchronous trap, non-maskable
interrupt, or reset as means to regain control of the hart.
\end{commentary}
To support nested traps, each privilege mode {\em x} has a two-level
stack of interrupt-enable bits and privilege modes. {\em x}\,PIE
holds the value of the interrupt-enable bit active prior to the trap,
and {\em x}\,PP holds the previous privilege mode. The {\em x}\,PP
fields can only hold privilege modes up to {\em x}, so MPP is
two bits wide, SPP is one bit wide, and UPP is implicitly zero. When
a trap is taken from privilege mode {\em y} into privilege mode {\em
x}, {\em x}\,PIE is set to the value of {\em x}\,IE; {\em x}\,IE is set to
0; and {\em x}\,PP is set to {\em y}.
\begin{commentary}
For lower privilege modes, any trap (synchronous or asynchronous) is
usually taken at a higher privilege mode with interrupts disabled upon entry.
The higher-level trap handler will either service the trap and return
using the stacked information, or, if not returning immediately to the
interrupted context, will save the privilege stack before re-enabling
interrupts, so only one entry per stack is required.
\end{commentary}
The MRET, SRET, or URET instructions are used to return from
traps in M-mode, S-mode, or U-mode respectively. When
executing an {\em x}RET instruction, supposing {\em x}\,PP holds the
value {\em y}, {\em x}\,IE is set to {\em x}\,PIE; the privilege mode
is changed to {\em y}; {\em x}\,PIE is set to 1; and {\em x}\,PP is
set to U (or M if user-mode is not supported).
{\em x}\,PP fields are \warl\ fields that can hold only privilege mode {\em x}
and any implemented privilege mode lower than {\em x}. If privilege mode {\em
x} is not implemented, then {\em x}\,PP must be hardwired to 0.
\begin{commentary}
M-mode software can determine whether a privilege mode is implemented
by writing that mode to MPP then reading it back.
If the machine provides only U and M modes, then only a single
hardware storage bit is required to represent either 00 or 11 in MPP.
\end{commentary}
User-level interrupts are an optional extension and have been
allocated the ISA extension letter N.
If user-level interrupts are omitted, the
UIE and UPIE bits are hardwired to zero. For all other supported
privilege modes {\em x}, the {\em x}\,IE and {\em x}\,PIE must not
be hardwired.
\begin{commentary}
User-level interrupts are primarily intended to support secure
embedded systems with only M-mode and U-mode present, but can also be
supported in systems running Unix-like operating systems to support
user-level trap handling.
\end{commentary}
\begin{commentary}
Fields that were previously allocated for H-mode support in {\tt
mstatus} have now been reserved as \wpri\ fields. To reduce
backwards incompatibility with existing implementations, we did not
compact the register after removing these fields.
\end{commentary}
\subsection{Base ISA Control in {\tt mstatus} Register}
\label{xlen-control}
For RV64 and RV128 systems, the SXL and UXL fields are \warl\ fields
that control the value of XLEN for S-mode and U-mode,
respectively. The encoding of these fields is the same as the MXL
field of {\tt misa}, shown in Table~\ref{misabase}. The effective
XLEN in S-mode and U-mode are termed {\em SXLEN} and {\em UXLEN},
respectively.
For RV32 systems, the SXL and UXL fields do not exist, and
SXLEN=32 and UXLEN=32.
For RV64 and RV128 systems, if S-mode is not supported, then SXL is hardwired
to zero. Otherwise, it is a \warl\ field that encodes the current value of
SXLEN. In particular, the implementation may hardwire SXL so that
SXLEN=MXLEN.
For RV64 and RV128 systems, if U-mode is not supported, then UXL is hardwired
to zero. Otherwise, it is a \warl\ field that encodes the current value of
UXLEN. In particular, the implementation may hardwire UXL so that
UXLEN=MXLEN or UXLEN=SXLEN.
Whenever XLEN in any mode is set to a value less than the widest
supported XLEN, all operations must ignore source operand register
bits above the configured XLEN, and must sign-extend results to fill
the entire widest supported XLEN in the destination register.
\begin{commentary}
To reduce hardware complexity, the architecture imposes no checks that
lower-privilege modes have XLEN settings less than or equal to the
next-higher privilege mode. In practice, such settings would almost
always be an error, but machine operation is well-defined even in this
case.
\end{commentary}
If MXLEN is changed from 32 to a wider width, each of {\tt mstatus} fields SXL and
UXL, if not hardwired to a forced value, gets the value corresponding to the
widest supported width not wider than the new MXLEN.
\subsection{Memory Privilege in {\tt mstatus} Register}
The MPRV (Modify PRiVilege) bit modifies the privilege level at which
loads and stores execute in all privilege modes. When MPRV=0,
translation and protection behave as normal. When MPRV=1, load and
store memory addresses are translated and protected as though the
current privilege mode were set to MPP. Instruction
address-translation and protection are unaffected. MPRV is hardwired
to 0 if U-mode is not supported.
The MXR (Make eXecutable Readable) bit modifies the privilege with which loads
access virtual memory. When MXR=0, only loads from pages marked readable (R=1
in Figure~\ref{sv32pte}) will succeed. When MXR=1, loads from pages marked
either readable or executable (R=1 or X=1) will succeed. MXR has no effect
when page-based virtual memory is not in effect. MXR is hardwired to 0 if
S-mode is not supported.
\begin{commentary}
The MPRV and MXR mechanisms were conceived to improve the efficiency of M-mode
routines that emulate missing hardware features, e.g., misaligned loads and
stores. MPRV obviates the need to perform address translation in software.
MXR allows instruction words to be loaded from pages marked execute-only.
For simplicity, MPRV and MXR are in effect regardless of privilege
mode, but in normal use will only be enabled for short sequences in
machine mode.
\end{commentary}
The SUM (permit Supervisor User Memory access) bit modifies the privilege with
which S-mode loads and stores access virtual memory.
When SUM=0, S-mode memory accesses to pages that are accessible by U-mode (U=1
in Figure~\ref{sv32pte}) will fault. When SUM=1, these accesses are
permitted. SUM has no effect when page-based virtual memory is not in effect.
Note that, while SUM is ordinarily ignored when not executing in S-mode, it
{\em is} in effect when MPRV=1 and MPP=S. SUM is hardwired to 0 if S-mode is
not supported.
\subsection{Virtualization Support in {\tt mstatus} Register}
\label{virt-control}
The TVM (Trap Virtual Memory) bit supports intercepting
supervisor virtual-memory management operations. When TVM=1,
attempts to read or write the {\tt satp} CSR or execute the SFENCE.VMA
instruction while executing in S-mode will raise an illegal instruction
exception. When TVM=0, these operations are permitted in S-mode.
TVM is hard-wired to 0 when S-mode is not supported.
\begin{commentary}
The TVM mechanism improves virtualization efficiency by permitting guest
operating systems to execute in S-mode, rather than classically virtualizing
them in U-mode. This approach obviates the need to trap accesses to most
S-mode CSRs.
Trapping {\tt satp} accesses and the SFENCE.VMA instruction provides the
hooks necessary to lazily populate shadow page tables.
\end{commentary}
The TW (Timeout Wait) bit supports intercepting the WFI instruction (see
Section~\ref{wfi}). When TW=0, the WFI instruction is permitted in S-mode.
When TW=1, if WFI is executed in S-mode, and it does not complete within an
implementation-specific, bounded time limit, the WFI instruction causes an
illegal instruction trap. The time limit may always be 0, in which case WFI
always causes an illegal instruction trap in S-mode when TW=1.
TW is hard-wired to 0 when S-mode is not supported.
\begin{commentary}
Trapping the WFI
instruction can trigger a world switch to another guest OS, rather than
wastefully idling in the current guest.
\end{commentary}
The TSR (Trap SRET) bit supports intercepting the supervisor exception return
instruction, SRET. When TSR=1, attempts to execute SRET while executing in
S-mode will raise an illegal instruction exception. When TSR=0, this
operation is permitted in S-mode. TSR is hard-wired to 0 when S-mode is not
supported.
\begin{commentary}
Trapping SRET is necessary to emulate the Augmented Virtualization mechanism
(see Chapter~\ref{hypervisor}) on implementations that do not provide it.
\end{commentary}
\subsection{Extension Context Status in {\tt mstatus} Register}
Supporting substantial extensions is one of the primary goals of
RISC-V, and hence we define a standard interface to allow unchanged
privileged-mode code, particularly a supervisor-level OS, to support
arbitrary user-mode state extensions.
\begin{commentary}
To date, the V extension is the only standard extension that defines
additional state beyond the floating-point CSR and data registers.
\end{commentary}
The FS[1:0] read/write field and the XS[1:0] read-only field are used
to reduce the cost of context save and restore by setting and tracking
the current state of the floating-point unit and any other user-mode
extensions respectively. The FS field encodes the status of the
floating-point unit, including the CSR {\tt fcsr} and floating-point
data registers {\tt f0}--{\tt f31}, while the XS field encodes the
status of additional user-mode extensions and associated state.
These fields can be checked by a context switch routine to quickly
determine whether a state save or restore is required. If a save or
restore is required, additional instructions and CSRs are typically
required to effect and optimize the process.
\begin{commentary}
The design anticipates that most context switches will not need to
save/restore state in either or both of the floating-point unit or
other extensions, so provides a fast check via the SD bit.
\end{commentary}
The FS and XS fields use the same status encoding as shown in
Table~\ref{fsxsencoding}, with the four possible status values being
Off, Initial, Clean, and Dirty.
\begin{table*}[h!]
\begin{center}
\begin{tabular}{|r|l|l|}
\hline
Status & FS Meaning & XS Meaning\\
\hline
0 & Off & All off \\
1 & Initial & None dirty or clean, some on\\
2 & Clean & None dirty, some clean \\
3 & Dirty & Some dirty \\
\hline
\end{tabular}
\end{center}
\caption{Encoding of FS[1:0] and XS[1:0] status fields.}
\label{fsxsencoding}
\end{table*}
In systems that do not implement S-mode and do not have a
floating-point unit, the FS field is hardwired to zero.
In systems without additional user extensions requiring new state, the
XS field is hardwired to zero. Every additional extension with state
adds a local field to {\tt mstatus} encoding the equivalent of the XS states.
The XS field represents a summary of all
extensions' status as shown in Table~\ref{fsxsencoding}.
\begin{commentary}
The XS field effectively reports the maximum status value across all
user-extension status fields, though individual extensions can use a
different encoding than XS.
\end{commentary}
The SD bit is a read-only bit that summarizes whether either the FS
field or XS field signals the presence of some dirty state that will
require saving extended user context to memory. If both XS and FS are
hardwired to zero, then SD is also always zero.
When an extension's status is set to Off, any instruction that
attempts to read or write the corresponding state will cause an
exception. When the status is Initial, the corresponding state should
have an initial constant value. When the status is Clean, the
corresponding state is potentially different from the initial value,
but matches the last value stored on a context swap. When the status
is Dirty, the corresponding state has potentially been modified since
the last context save.
During a context save, the responsible privileged code need only write
out the corresponding state if its status is Dirty, and can then reset
the extension's status to Clean. During a context restore, the
context need only be loaded from memory if the status is Clean (it
should never be Dirty at restore). If the status is Initial, the
context must be set to an initial constant value on context restore to
avoid a security hole, but this can be done without accessing memory.
For example, the floating-point registers can all be initialized to
the immediate value 0.
The FS and XS fields are read by the privileged code before saving the
context. The FS field is set directly by privileged code when
resuming a user context, while the XS field is set indirectly by
writing to the status register of the individual extensions. The
status fields will also be updated during execution of instructions,
regardless of privilege mode.
Extensions to the user-mode ISA often include additional user-mode
state, and this state can be considerably larger than the base integer
registers. The extensions might only be used for some applications,
or might only be needed for short phases within a single application.
To improve performance, the user-mode extension can define additional
instructions to allow user-mode software to return the unit to an
initial state or even to turn off the unit.
For example, a coprocessor might require to be configured before use
and can be ``unconfigured'' after use. The unconfigured state would
be represented as the Initial state for context save. If the same
application remains running between the unconfigure and the next
configure (which would set status to Dirty), there is no need to
actually reinitialize the state at the unconfigure instruction, as all
state is local to the user process, i.e., the Initial state may only
cause the coprocessor state to be initialized to a constant value at
context restore, not at every unconfigure.
Executing a user-mode instruction to disable a unit and place it into
the Off state will cause an illegal instruction exception to be raised
if any subsequent instruction tries to use the unit before it is
turned back on. A user-mode instruction to turn a unit on must also
ensure the unit's state is properly initialized, as the unit might
have been used by another context meantime.
Changing the setting of FS has no effect on the contents of the floating-point
register state. In particular, setting FS=Off does not destroy the state, nor
does setting FS=Initial clear the contents. Other extensions might not
preserve state when set to Off.
Implementations may choose to track the dirtiness of the floating-point
register state imprecisely by reporting the state to be dirty even when
it has not been modified. On some implementations, some instructions that
do not mutate the floating-point state may cause the state to transition from
Initial or Clean to Dirty. On other implementations, dirtiness might not be
tracked at all, in which case the valid FS states are Off and Dirty, and an
attempt to set FS to Initial or Clean causes it to be set to Dirty.
\begin{commentary}
This definition of FS does not disallow setting FS to Dirty as a result of
errant speculation. Some platforms may choose to disallow speculatively
writing FS to close a potential side channel.
\end{commentary}
Table~\ref{fsxsstates} shows all the possible state transitions for
the FS or XS status bits. Note that the standard floating-point
extensions do not support user-mode unconfigure or disable/enable
instructions.
\begin{table*}[h!]
\begin{center}
\begin{tabular}{|l|l|l|l|l|}
\hline
\multicolumn{1}{|r|}{Current State} & Off & Initial & Clean & Dirty \\
Action & & & &\\
\hline
\hline
\multicolumn{5}{|c|}{At context save in privileged code}\\
\hline
Save state? & No & No & No & Yes \\
Next state & Off & Initial & Clean & Clean \\
\hline
\hline
\multicolumn{5}{|c|}{At context restore in privileged code}\\
\hline
Restore state? & No & Yes, to initial & Yes, from memory & N/A \\
Next state & Off & Initial & Clean & N/A \\
\hline
\hline
\multicolumn{5}{|c|}{Execute instruction to read state}\\
\hline
Action? & Exception & Execute & Execute & Execute \\
Next state & Off & Initial & Clean & Dirty \\
\hline
\hline
\multicolumn{5}{|c|}{Execute instruction to modify state, including configuration}\\
\hline
Action? & Exception & Execute & Execute & Execute \\
Next state & Off & Dirty & Dirty & Dirty \\
\hline
\hline
\multicolumn{5}{|c|}{Execute instruction to unconfigure unit}\\
\hline
Action? & Exception & Execute & Execute & Execute \\
Next state & Off & Initial & Initial & Initial \\
\hline
\hline
\multicolumn{5}{|c|}{Execute instruction to disable unit}\\
\hline
Action? & Execute & Execute & Execute & Execute \\
Next state & Off & Off & Off & Off \\
\hline
\hline
\multicolumn{5}{|c|}{Execute instruction to enable unit}\\
\hline
Action? & Execute & Execute & Execute & Execute \\
Next state & Initial & Initial & Initial & Initial \\
\hline
\end{tabular}
\end{center}
\caption{FS and XS state transitions.}
\label{fsxsstates}
\end{table*}
Standard privileged instructions to initialize, save, and restore
extension state are provided to insulate privileged code from details
of the added extension state by treating the state as an opaque
object.
\begin{commentary}
Many coprocessor extensions are only used in limited contexts that
allows software to safely unconfigure or even disable units when done.
This reduces the context-switch overhead of large stateful
coprocessors.
We separate out floating-point state from other extension state, as
when a floating-point unit is present the floating-point registers are
part of the standard calling convention, and so user-mode software
cannot know when it is safe to disable the floating-point unit.
\end{commentary}
The XS field provides a summary of all added extension state, but
additional microarchitectural bits might be maintained in the
extension to further reduce context save and restore overhead.
The SD bit is read-only and is set when either the FS or XS bits
encode a Dirty state (i.e., SD=((FS==11) OR (XS==11))). This allows
privileged code to quickly determine when no additional context save is
required beyond the integer register set and PC.
The floating-point unit state is always initialized, saved, and
restored using standard instructions (F, D, and/or Q), and privileged
code must be aware of FLEN to determine the appropriate space to
reserve for each {\tt f} register.
In a supervisor-level OS, any additional user-mode state should be
initialized, saved, and restored using SBI calls that treats the
additional context as an opaque object of a fixed maximum size. The
implementation of the SBI initialize, save, and restore calls might
require additional implementation-dependent privileged instructions to
initialize, save, and restore microarchitectural state inside a
coprocessor.
All privileged modes share a single copy of the FS and XS bits. In a
system with more than one privileged mode, supervisor mode would
normally use the FS and XS bits directly to record the status with
respect to the supervisor-level saved context. Other more-privileged
active modes must be more conservative in saving and restoring the
extension state in their corresponding version of the context.
\begin{commentary}
In any reasonable use case, the number of context switches between
user and supervisor level should far outweigh the number of context
switches to other privilege levels. Note that coprocessors should not
require their context to be saved and restored to service asynchronous
interrupts, unless the interrupt results in a user-level context swap.
\end{commentary}
\subsection{Machine Trap-Vector Base-Address Register ({\tt mtvec})}
The {\tt mtvec} register is an MXLEN-bit read/write register that holds
trap vector configuration, consisting of a vector base address (BASE) and a
vector mode (MODE).
\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{J@{}S}
\instbitrange{MXLEN-1}{2} &
\instbitrange{1}{0} \\
\hline
\multicolumn{1}{|c|}{BASE[MXLEN-1:2] (\warl)} &
\multicolumn{1}{c|}{MODE (\warl)} \\
\hline
MXLEN-2 & 2 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine trap-vector base-address register ({\tt mtvec}).}
\label{mtvecreg}
\end{figure*}
The {\tt mtvec} register must always be implemented, but can contain
a hardwired read-only value. If {\tt mtvec} is writable, the set of values
the register may hold can vary by implementation. The value in the BASE field
must always be aligned on a 4-byte boundary, and the MODE setting may impose
additional alignment constraints on the value in the BASE field.
\begin{commentary}
We allow for considerable flexibility in implementation of the trap
vector base address. On the one hand, we do not wish to burden low-end
implementations with a large number of state bits, but on the other
hand, we wish to allow flexibility for larger systems.
\end{commentary}
\begin{table*}[h!]
\begin{center}
\begin{tabular}{|r|c|l|}
\hline
Value & Name & Description \\
\hline
0 & Direct & All exceptions set {\tt pc} to BASE. \\
1 & Vectored & Asynchronous interrupts set {\tt pc} to BASE+4$\times$cause. \\
$\ge$2 & --- & {\em Reserved} \\
\hline
\end{tabular}
\end{center}
\caption{Encoding of {\tt mtvec} MODE field.}
\label{mtvec-mode}
\end{table*}
The encoding of the MODE field is shown in Table~\ref{mtvec-mode}. When
MODE=Direct, all traps into machine mode cause the {\tt pc} to be set to the
address in the BASE field. When MODE=Vectored, all synchronous exceptions
into machine mode cause the {\tt pc} to be set to the address in the BASE
field, whereas interrupts cause the {\tt pc} to be set to the address in
the BASE field plus four times the interrupt cause number. For example,
a machine-mode timer interrupt (see Table~\ref{mcauses}) causes the {\tt pc}
to be set to BASE+{\tt 0x1c}.
\begin{commentary}
When vectored interrupts are enabled, interrupt cause 0, which corresponds to
user-mode software interrupts, are vectored to the same location as
synchronous exceptions. This ambiguity does not arise in practice, since
user-mode software interrupts are either disabled or delegated to
a less-privileged mode.
\end{commentary}
An implementation may have different alignment constraints for
different modes. In particular, MODE=Vectored may have stricter
alignment constraints than MODE=Direct.
\begin{commentary}
Allowing coarser alignments in Vectored mode enables vectoring to be
implemented without a hardware adder circuit.
\end{commentary}
\begin{commentary}
Reset and NMI vector locations are given in a platform specification.
\end{commentary}
\subsection{Machine Trap Delegation Registers ({\tt medeleg} and {\tt mideleg})}
By default, all traps at any privilege level are handled in machine
mode, though a machine-mode handler can redirect traps back to the
appropriate level with the MRET instruction (Section~\ref{otherpriv}).
To increase performance, implementations can provide individual
read/write bits within {\tt medeleg} and {\tt mideleg} to indicate
that certain exceptions and interrupts should be processed directly by
a lower privilege level. The machine exception delegation register
({\tt medeleg}) and machine interrupt delegation register ({\tt
mideleg}) are MXLEN-bit read/write registers.
In systems with all three privilege modes (M/S/U), setting a bit in
{\tt medeleg} or {\tt mideleg} will delegate the corresponding trap in
S-mode or U-mode to the S-mode trap handler. If U-mode traps are
supported, S-mode may in turn set corresponding bits in the {\tt
sedeleg} and {\tt sideleg} registers to delegate traps that occur in
U-mode to the U-mode trap handler.
In systems with two privilege modes (M/U) and support for U-mode
traps, setting a bit in {\tt medeleg} or {\tt mideleg} will
delegate the corresponding trap in U-mode to the U-mode trap handler.
In systems with only M-mode, or with both M-mode and U-mode but
without U-mode trap support, the {\tt medeleg} and {\tt mideleg}
registers should not exist.
\begin{commentary}
In versions 1.9.1 and earlier , these registers existed but were
hardwired to zero in M-mode only, or M/U without N systems. There
is no reason to require they return zero in those cases, as the {\tt
misa} register indicates whether they exist.
\end{commentary}
When a trap is delegated to a less-privileged mode {\em x}, the
{\em x}\,{\tt cause} register is written with the trap cause; the
{\em x}\,{\tt epc} register is written with the virtual address of
the instruction that took the trap; the {\em x}\,PP field
of {\tt mstatus} is written with the active privilege mode at the time of
the trap; the {\em x}\,PIE field of {\tt mstatus} is written with the
value of the {\em x}\,IE field at the time of the trap; and
the {\em x}\,IE field of {\tt mstatus} is cleared. The {\tt mcause} and
{\tt mepc} registers and the MPP and MPIE fields of {\tt mstatus} are
not written.
An implementation shall not hardwire any delegation bits to one, i.e.,
any trap that can be delegated must support not being delegated. An
implementation can choose to subset the delegatable traps, with the
supported delegatable bits found by writing one to every bit location,
then reading back the value in {\tt medeleg} or {\tt mideleg} to see
which bit positions hold a one.
Traps never transition from a more-privileged mode to a less-privileged mode.
For example, if M-mode has delegated illegal instruction traps to S-mode, and
M-mode software later executes an illegal instruction, the trap is taken in
M-mode, rather than being delegated to S-mode. By contrast, traps may be
taken horizontally. Using the same example, if M-mode has delegated illegal
instruction traps to S-mode, and S-mode software later executes an illegal
instruction, the trap is taken in S-mode.
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}U}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{Synchronous Exceptions (\warl)} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Exception Delegation Register {\tt medeleg}.}
\label{medelegreg}
\end{figure}
{\tt medeleg} has a bit position allocated for every synchronous exception
shown in Table~\ref{mcauses}, with the index of the bit position equal to the
value returned in the {\tt mcause} register (i.e., setting bit 8 allows
user-mode environment calls to be delegated to a lower-privilege trap
handler).
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}U}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{Interrupts (\warl)} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Interrupt Delegation Register {\tt mideleg}.}
\label{midelegreg}
\end{figure}
{\tt mideleg} holds trap delegation bits for individual interrupts, with the
layout of bits matching those in the {\tt mip} register (i.e., STIP interrupt
delegation control is located in bit 5).
Some exceptions cannot occur at less privileged modes, and corresponding
{\em x}\,{\tt edeleg} bits should be hardwired to zero. In particular,
{\tt medeleg}[11] and {\tt sedeleg}[11:9] are all hardwired to zero.
\subsection{Machine Interrupt Registers ({\tt mip} and {\tt mie})}
The {\tt mip} register is an MXLEN-bit read/write register containing
information on pending interrupts, while {\tt mie} is the
corresponding MXLEN-bit read/write register containing interrupt enable
bits. Only the bits corresponding to lower-privilege software
interrupts (USIP, SSIP), timer interrupts (UTIP, STIP),
and external interrupts (UEIP, SEIP) in {\tt mip}
are writable through this CSR address; the remaining bits are
read-only.
\begin{commentary}
The machine-level interrupt registers handle a few root interrupt
sources which are assigned a fixed service priority for simplicity,
while separate external interrupt controllers can implement a more
complex prioritization scheme over a much larger set of interrupts
that are then muxed into the machine-level interrupt sources.
\end{commentary}
Restricted views of the {\tt mip} and {\tt mie} registers appear as
the {\tt sip}/{\tt sie}, and {\tt uip}/{\tt uie} registers in
S-mode and U-mode respectively. If an interrupt is delegated to
privilege mode {\em x} by setting a bit in the {\tt mideleg} register,
it becomes visible in the {\em x}\,{\tt ip} register and is maskable
using the {\em x}\,{\tt ie} register. Otherwise, the corresponding
bits in {\em x}\,{\tt ip} and {\em x}\,{\tt ie} appear to be hardwired
to zero.
\begin{figure*}[h!]
{\footnotesize
\begin{center}
\setlength{\tabcolsep}{4pt}
\begin{tabular}{Rcccccccccccc}
\instbitrange{MXLEN-1}{12} &
\instbit{11} &
\instbit{10} &
\instbit{9} &
\instbit{8} &
\instbit{7} &
\instbit{6} &
\instbit{5} &
\instbit{4} &
\instbit{3} &
\instbit{2} &
\instbit{1} &
\instbit{0} \\
\hline
\multicolumn{1}{|c|}{\wiri} &
\multicolumn{1}{c|}{MEIP} &
\multicolumn{1}{c|}{\wiri} &
\multicolumn{1}{c|}{SEIP} &
\multicolumn{1}{c|}{UEIP} &
\multicolumn{1}{c|}{MTIP} &
\multicolumn{1}{c|}{\wiri} &
\multicolumn{1}{c|}{STIP} &
\multicolumn{1}{c|}{UTIP} &
\multicolumn{1}{c|}{MSIP} &
\multicolumn{1}{c|}{\wiri} &
\multicolumn{1}{c|}{SSIP} &
\multicolumn{1}{c|}{USIP} \\
\hline
MXLEN-12 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine interrupt-pending register ({\tt mip}).}
\label{mipreg}
\end{figure*}
\begin{figure*}[h!]
{\footnotesize
\begin{center}
\setlength{\tabcolsep}{4pt}
\begin{tabular}{Rcccccccccccc}
\instbitrange{MXLEN-1}{12} &
\instbit{11} &
\instbit{10} &
\instbit{9} &
\instbit{8} &
\instbit{7} &
\instbit{6} &
\instbit{5} &
\instbit{4} &
\instbit{3} &
\instbit{2} &
\instbit{1} &
\instbit{0} \\
\hline
\multicolumn{1}{|c|}{\wpri} &
\multicolumn{1}{c|}{MEIE} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{SEIE} &
\multicolumn{1}{c|}{UEIE} &
\multicolumn{1}{c|}{MTIE} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{STIE} &
\multicolumn{1}{c|}{UTIE} &
\multicolumn{1}{c|}{MSIE} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{SSIE} &
\multicolumn{1}{c|}{USIE} \\
\hline
MXLEN-12 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine interrupt-enable register ({\tt mie}).}
\label{miereg}
\end{figure*}
The MTIP, STIP, UTIP bits correspond to timer interrupt-pending bits
for machine, supervisor, and user timer interrupts, respectively. The
MTIP bit is read-only and is cleared by writing to the memory-mapped
machine-mode timer compare register. The UTIP and STIP bits may be
written by M-mode software to deliver timer interrupts to lower
privilege levels. User and supervisor software may clear the UTIP and
STIP bits with calls to the AEE and SEE respectively.
There is a separate timer interrupt-enable bit, named MTIE, STIE, and
UTIE for M-mode, S-mode, and U-mode timer interrupts respectively.
Each lower privilege level has a separate software interrupt-pending
bit (SSIP, USIP), which can be both read and written by CSR accesses
from code running on the local hart at the associated or any higher
privilege level. The machine-level MSIP bits are written by accesses
to memory-mapped control registers, which are used by remote harts to
provide machine-mode interprocessor interrupts. Interprocessor
interrupts for lower privilege levels are implemented through ABI and
SBI calls to the AEE or SEE respectively, which might ultimately
result in a machine-mode write to the receiving hart's MSIP bit. A
hart can write its own MSIP bit using the same memory-mapped control
register.
The MSIE, SSIE, and USIE fields in the {\tt mie} CSR enable M-mode software
interrupts, S-mode software interrupts, and U-mode software interrupts,
respectively.
\begin{commentary}
We only allow a hart to directly write its own SSIP or USIP
bits when running in the appropriate mode, as other harts might be
virtualized and possibly descheduled by higher privilege levels. We
rely on ABI and SBI calls to provide interprocessor interrupts
for this reason. Machine-mode harts are not virtualized and can
directly interrupt other harts by setting their MSIP bits, typically
using uncached I/O writes to memory-mapped control registers depending
on the platform specification.
\end{commentary}
The MEIP field in {\tt mip} is a read-only bit that indicates a machine-mode
external interrupt is pending. MEIP is set and cleared by a platform-specific
interrupt controller, such as the standard platform-level interrupt controller
specified in Chapter~\ref{plic}. The MEIE field in {\tt mie} enables machine
external interrupts when set.
The SEIP field in {\tt mip} contains a single read-write bit. SEIP
may be written by M-mode software to indicate to S-mode that an
external interrupt is pending. Additionally, the platform-level
interrupt controller may generate supervisor-level external interrupts. The
logical-OR of the software-writable bit and the signal from the
external interrupt controller is used to generate external interrupts
to the supervisor. When the SEIP bit is read with a CSRRW, CSRRS, or
CSRRC instruction, the value returned in the {\tt rd} destination
register contains the logical-OR of the software-writable bit and the
interrupt signal from the interrupt controller. However, the value
used in the read-modify-write sequence of a CSRRS or CSRRC instruction
is only the software-writable SEIP bit, ignoring the interrupt value
from the external interrupt controller.
\begin{commentary}
The SEIP field behavior is designed to allow a higher privilege
layer to mimic external interrupts cleanly, without losing any real
external interrupts. The behavior of the CSR instructions is
slightly modified from regular CSR accesses as a result.
\end{commentary}
The UEIP field in {\tt mip} provides user-mode external interrupts when the
N extension for user-mode interrupts is implemented. It is defined
analogously to SEIP.
The MEIE, SEIE, and UEIE fields in the {\tt mie} CSR enable M-mode external
interrupts, S-mode external interrupts, and U-mode external interrupts,
respectively.
\begin{commentary}
The non-maskable interrupt is not made visible via the {\tt mip}
register as its presence is implicitly known when executing the NMI
trap handler.
\end{commentary}
For all the various interrupt types (software, timer, and external),
if a privilege level is not supported, or if U-mode is supported but
the N extension is not supported, than the associated pending and
interrupt-enable bits are hardwired to zero in the {\tt mip} and {\tt
mie} registers respectively. Hence, these are all effectively
\warl\ fields.
Implementations may add additional platform-specific machine-level
interrupt sources to bits 16 and above of the {\tt mip} and {\tt mie}
registers. The other unallocated interrupt sources (15--12, 10, 6, and 2)
are reserved for future standard use.
An interrupt {\em i} will be taken if bit {\em i} is set in both {\tt
mip} and {\tt mie}, and if interrupts are globally enabled. By
default, M-mode interrupts are globally enabled if the hart's current
privilege mode is less than M, or if the current privilege mode is M
and the MIE bit in the {\tt mstatus} register is set. If bit {\em i}
in {\tt mideleg} is set, however, interrupts are considered to be
globally enabled if the hart's current privilege mode equals the
delegated privilege mode (S or U) and that mode's interrupt enable
bit (SIE or UIE in {\tt mstatus}) is set, or if the current
privilege mode is less than the delegated privilege mode.
Multiple simultaneous interrupts destined for different privilege modes are
handled in decreasing order of destined privilege mode. Multiple simultaneous
interrupts destined for the same privilege mode are handled in the following
decreasing priority order: MEI, MSI, MTI, SEI, SSI, STI, UEI, USI, UTI.
Synchronous exceptions are of lower priority than all interrupts.
\begin{commentary}
The machine-level interrupt fixed-priority ordering rules were developed
with the following rationale.
The platform-specific machine-level interrupt sources in bits 16 and
above have the highest service priority to support very fast local
vectored interrupts.
Interrupts for higher privilege modes must be serviced before
interrupts for lower privilege modes to support pre-emption.
External interrupts are handled before internal (timer/software)
interrupts as external interrupts are usually generated by devices
that might require low interrupt service times.
Software interrupts are handled before internal timer interrupts,
because internal timer interrupts are usually intended for time
slicing, where time precision is less important, whereas software
interrupts are used for inter-processor messaging. Software
interrupts can be avoided when high-precision timing is required, or
high-precision timer interrupts can be routed via a different
interrupt path.
Software interrupts are located in the lowest four bits of {\tt mip}
as these are often written by software, and this position allows the
use of a single CSR instruction with a five-bit immediate.
Synchronous exceptions are given the lowest priority to minimize
worst-case interrupt latency.
\end{commentary}
\subsection{Machine Timer Registers ({\tt mtime} and {\tt mtimecmp})}
Platforms provide a real-time counter, exposed as a memory-mapped
machine-mode register, {\tt mtime}. {\tt mtime} must run at constant
frequency, and the platform must provide a mechanism for determining
the timebase of {\tt mtime}.
The {\tt mtime} register has a 64-bit precision on all RV32, RV64, and
RV128 systems. Platforms provide a 64-bit memory-mapped machine-mode
timer compare register ({\tt mtimecmp}), which causes a timer
interrupt to be posted when the {\tt mtime} register contains a value
greater than or equal to the value in the {\tt mtimecmp} register.
The interrupt remains posted until it is cleared by writing the {\tt
mtimecmp} register. The interrupt will only be taken if interrupts
are enabled and the MTIE bit is set in the {\tt mie} register.
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}J}
\instbitrange{63}{0} \\
\hline
\multicolumn{1}{|c|}{\tt mtime} \\
\hline
64 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine time register (memory-mapped control register).}
\end{figure}
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}J}
\instbitrange{63}{0} \\
\hline
\multicolumn{1}{|c|}{\tt mtimecmp} \\
\hline
64 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine time compare register (memory-mapped control register).}
\end{figure}
\begin{commentary}
The timer facility is defined to use wall-clock time rather than a
cycle counter to support modern processors that run with a highly
variable clock frequency to save energy through dynamic voltage and
frequency scaling.
Accurate real-time clocks (RTCs) are relatively expensive to provide
(requiring a crystal or MEMS oscillator) and have to run even when the
rest of system is powered down, and so there is usually only one in a
system located in a different frequency/voltage domain from the
processors. Hence, the RTC must be shared by all the harts in a
system and accesses to the RTC will potentially incur the penalty of a
voltage-level-shifter and clock-domain crossing. It is thus more
natural to expose {\tt mtime} as a memory-mapped register than as a CSR.
Lower privilege levels do not have their own {\tt timecmp} registers.
Instead, machine-mode software can implement any number of virtual timers on
a hart by multiplexing the next timer interrupt into the {\tt mtimecmp}
register.
Simple fixed-frequency systems can use a single clock for both cycle
counting and wall-clock time.
\end{commentary}
In RV32, memory-mapped writes to {\tt mtimecmp} modify only one 32-bit
part of the register. The following code sequence sets a 64-bit {\tt
mtimecmp} value without spuriously generating a timer interrupt due
to the intermediate value of the comparand:
\begin{figure}[h!]
\begin{center}
\begin{verbatim}
# New comparand is in a1:a0.
li t0, -1
sw t0, mtimecmp # No smaller than old value.
sw a1, mtimecmp+4 # No smaller than new value.
sw a0, mtimecmp # New value.
\end{verbatim}
\end{center}
\caption{Sample code for setting the 64-bit time comparand in RV32
assuming the registers live in a strongly ordered I/O region.}
\label{mtimecmph}
\end{figure}
\subsection{Hardware Performance Monitor}
M-mode includes a basic hardware performance-monitoring facility. The
{\tt mcycle} CSR counts the number of cycles the hart has executed.
The {\tt minstret} CSR counts the number of instructions the hart has
retired. The {\tt mcycle} and {\tt minstret} registers have 64-bit
precision on all RV32, RV64, and RV128 systems.
The counter registers have an arbitrary value after system reset, and
can be written with a given value. Any CSR write takes effect after
the writing instruction has otherwise completed.
The hardware performance monitor includes 29 additional 64-bit event counters, {\tt
mhpmcounter3}--{\tt mhpmcounter31}. The event selector CSRs, {\tt
mhpmevent3}--{\tt mhpmevent31}, are MXLEN-bit \warl\ registers that control which event
causes the corresponding counter to increment. The meaning of these events is
defined by the platform, but event 0 is defined to mean ``no event.''
All counters should be implemented, but a legal implementation is to hard-wire
both the counter and its corresponding event selector to 0.
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}K@{}W@{}K}
\instbitrange{63}{0} \\ \cline{1-1}
\multicolumn{1}{|c|}{\tt mcycle} \\ \cline{1-1}
\multicolumn{1}{|c|}{\tt minstret} \\ \cline{1-1}
& & \instbitrange{MXLEN-1}{0} \\ \cline{1-1}\cline{3-3}
\multicolumn{1}{|c|}{\tt mhpmcounter3} & & \multicolumn{1}{|c|}{\tt mhpmevent3} \\ \cline{1-1}\cline{3-3}
\multicolumn{1}{|c|}{\tt mhpmcounter4} & & \multicolumn{1}{|c|}{\tt mhpmevent4} \\ \cline{1-1}\cline{3-3}
\multicolumn{1}{c}{\vdots} & & \multicolumn{1}{c}{\vdots} \\ \cline{1-1}\cline{3-3}
\multicolumn{1}{|c|}{\tt mhpmcounter30} & & \multicolumn{1}{|c|}{\tt mhpmevent30} \\ \cline{1-1}\cline{3-3}
\multicolumn{1}{|c|}{\tt mhpmcounter31} & & \multicolumn{1}{|c|}{\tt mhpmevent31} \\ \cline{1-1}\cline{3-3}
64 & & MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Hardware performance monitor counters.}
\end{figure}
All of these counters have 64-bit precision on RV32, RV64, and RV128.
On RV32 only, reads of the {\tt mcycle}, {\tt minstret}, and {\tt
mhpmcounter{\em n}} CSRs return the low 32 bits, while reads of the {\tt
mcycleh}, {\tt minstreth}, and {\tt mhpmcounter{\em n}h} CSRs return bits
63--32 of the corresponding counter.
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}K}
\instbitrange{31}{0} \\ \hline
\multicolumn{1}{|c|}{\tt mcycleh} \\ \hline
\multicolumn{1}{|c|}{\tt minstreth} \\ \hline
\multicolumn{1}{|c|}{\tt mhpmcounter3h} \\ \hline
\multicolumn{1}{|c|}{\tt mhpmcounter4h} \\ \hline
\multicolumn{1}{c}{\vdots} \\ \hline
\multicolumn{1}{|c|}{\tt mhpmcounter30h} \\ \hline
\multicolumn{1}{|c|}{\tt mhpmcounter31h} \\ \hline
32 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Upper 32 bits of hardware performance monitor counters, RV32 only.}
\end{figure}
On RV128 systems, the 64-bit values in {\tt mcycle}, {\tt minstret}, and
{\tt mhpmcounter{\em n}} are sign-extended to 128-bits when read.
\begin{samepage-commentary}
On RV128 systems, both signed and unsigned 64-bit values are held in a
canonical form with bit 63 repeated in all higher bit positions. The
counters are 64-bit values even in RV128, and so the counter CSR reads
preserve the sign-extension invariant. Implementations may choose to
implement fewer bits of the counters, provided software would be unlikely
to experience wraparound (e.g., $2^{63}$ instructions executed)
and thereby avoid having to actually implement the sign-extension
circuitry.
\end{samepage-commentary}
\subsection{Counter-Enable Registers ({\tt [m|s]counteren})}
\label{sec:mcounteren}
\begin{figure*}[h!]
{\footnotesize
\begin{center}
\setlength{\tabcolsep}{4pt}
\begin{tabular}{cccMcccccc}
\instbit{31} &
\instbit{30} &
\instbit{29} &
\instbitrange{28}{6} &
\instbit{5} &
\instbit{4} &
\instbit{3} &
\instbit{2} &
\instbit{1} &
\instbit{0} \\
\hline
\multicolumn{1}{|c|}{HPM31} &
\multicolumn{1}{c|}{HPM30} &
\multicolumn{1}{c|}{HPM29} &
\multicolumn{1}{c|}{...} &
\multicolumn{1}{c|}{HPM5} &
\multicolumn{1}{c|}{HPM4} &
\multicolumn{1}{c|}{HPM3} &
\multicolumn{1}{c|}{IR} &
\multicolumn{1}{c|}{TM} &
\multicolumn{1}{c|}{CY} \\
\hline
1 & 1 & 1 & 23 & 1 & 1 & 1 & 1 & 1 & 1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Counter-enable registers ({\tt mcounteren} and {\tt scounteren}).}
\label{mcounteren}
\end{figure*}
The counter-enable registers {\tt mcounteren} and {\tt scounteren}
are 32-bit registers that
control the availability of the hardware performance monitoring
counters to the next-lowest privileged mode.
The settings in these registers only control accessibility. The act
of reading or writing these registers, does not affect the underlying
counters, which continue to increment even when not accessible.
When the CY, TM, IR, or HPM{\em n} bit in the {\tt mcounteren}
register is clear, attempts to read the {\tt cycle}, {\tt time}, {\tt
instret}, or {\tt hpmcounter{\em n}} register while executing in
S-mode or U-mode will cause an illegal instruction exception. When
one of these bits is set, access to the corresponding register is
permitted in the next implemented privilege mode (S-mode if
implemented, otherwise U-mode).
If S-mode is implemented, the same bit positions in the {\tt scounteren}
register analogously control access to these registers while executing
in U-mode. If S-mode is permitted to access a counter register and the
corresponding bit is set in {\tt scounteren}, then U-mode is also permitted
to access that register.
Registers {\tt mcounteren} and {\tt scounteren} are \warl\ registers
that must be implemented if U-mode and S-mode are implemented,
Any of the bits may contain
a hardwired value of zero, indicating reads to the corresponding counter will
cause an exception when executing in a less-privileged mode.
\begin{commentary}
The counter-enable bits support two common use cases with minimal hardware.
For systems that do not need high-performance timers and counters,
machine-mode software can trap accesses and implement all features in
software. For systems that need high-performance timers and counters
but are not concerned with obfuscating the underlying hardware
counters, the counters can be directly exposed to lower privilege modes.
\end{commentary}
The {\tt cycle}, {\tt instret}, and {\tt hpmcounter{\em n}} CSRs are
read-only shadows of {\tt mcycle}, {\tt minstret}, and {\tt mhpmcounter{\em
n}}, respectively. The {\tt time} CSR is a read-only shadow of the
memory-mapped {\tt mtime} register.
\begin{commentary}
Implementations can convert reads of the {\tt time} CSR into loads to
the memory-mapped {\tt mtime} register, or hard-wire the TM bit in
{\tt mcounteren} to 0
and emulate this functionality in M-mode software.
\end{commentary}
\subsection{Machine Scratch Register ({\tt mscratch})}
The {\tt mscratch} register is an MXLEN-bit read/write register
dedicated for use by machine mode. Typically, it is used to hold a
pointer to a machine-mode hart-local context space and swapped with a
user register upon entry to an M-mode trap handler.
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}J}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{\tt mscratch} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine-mode scratch register.}
\label{mscratchreg}
\end{figure}
\begin{commentary}
The MIPS ISA allocated two user registers ({\tt k0}/{\tt k1}) for use
by the operating system. Although the MIPS scheme provides a fast and
simple implementation, it also reduces available user registers, and
does not scale to further privilege levels, or nested traps. It can
also require both registers are cleared before returning to user level
to avoid a potential security hole and to provide deterministic
debugging behavior.
The RISC-V user ISA was designed to support many possible privileged
system environments and so we did not want to infect the user-level
ISA with any OS-dependent features. The RISC-V CSR swap instructions
can quickly save/restore values to the {\tt mscratch} register.
Unlike the MIPS design, the OS can rely on holding a value in the {\tt
mscratch} register while the user context is running.
\end{commentary}
\subsection{Machine Exception Program Counter ({\tt mepc})}
{\tt mepc} is an MXLEN-bit read/write register formatted as shown in
Figure~\ref{mepcreg}. The low bit of {\tt mepc} ({\tt mepc[0]}) is
always zero. On implementations that support only IALIGN=32, the two low bits
({\tt mepc[1:0]}) are always zero.
If an implementation allows IALIGN to be either 16 or 32 (by
changing CSR {\tt misa}, for example), then, whenever IALIGN=32, bit
{\tt mepc[1]} is masked on reads so that it appears to be 0. This
masking occurs also for the implicit read by the MRET instruction.
Though masked, {\tt mepc[1]} remains writable when IALIGN=32.
{\tt mepc} is a \warl\ register that must be able to hold all valid physical
and virtual addresses. It need not be capable of holding all possible invalid
addresses. Implementations may convert some invalid address patterns into
other invalid addresses prior to writing them to {\tt mepc}.
When a trap is taken into M-mode, {\tt mepc} is written with the virtual
address of the instruction that encountered the exception or was interrupted.
Otherwise, {\tt mepc} is never written by the implementation, though it may be
explicitly written by software.
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}J}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{\tt mepc} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine exception program counter register.}
\label{mepcreg}
\end{figure}
\subsection{Machine Cause Register ({\tt mcause})}
The {\tt mcause} register is an MXLEN-bit read-write register formatted as
shown in Figure~\ref{mcausereg}. When a trap is taken into M-mode, {\tt
mcause} is written with a code indicating the event that caused the trap.
Otherwise, {\tt mcause} is never written by the implementation, though it may be
explicitly written by software.
The Interrupt bit in the {\tt mcause} register is set if the
trap was caused by an interrupt. The Exception Code field
contains a code identifying the last exception. Table~\ref{mcauses}
lists the possible machine-level exception codes. The Exception Code
is an \wlrl\ field, so is only guaranteed to hold supported exception
codes.
\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{c@{}U}
\instbit{MXLEN-1} &
\instbitrange{MXLEN-2}{0} \\
\hline
\multicolumn{1}{|c|}{Interrupt} &
\multicolumn{1}{c|}{Exception Code (\wlrl)} \\
\hline
1 & MXLEN-1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Cause register {\tt mcause}.}
\label{mcausereg}
\end{figure*}
\begin{table*}[h!]
\begin{center}
\begin{tabular}{|r|r|l|l|}
\hline
Interrupt & Exception Code & Description \\
\hline
1 & 0 & User software interrupt \\
1 & 1 & Supervisor software interrupt \\
1 & 2 & {\em Reserved} \\
1 & 3 & Machine software interrupt \\ \hline
1 & 4 & User timer interrupt \\
1 & 5 & Supervisor timer interrupt \\
1 & 6 & {\em Reserved} \\
1 & 7 & Machine timer interrupt \\ \hline
1 & 8 & User external interrupt \\
1 & 9 & Supervisor external interrupt \\
1 & 10 & {\em Reserved} \\
1 & 11 & Machine external interrupt \\ \hline
1 & $\ge$12 & {\em Reserved} \\ \hline
0 & 0 & Instruction address misaligned \\
0 & 1 & Instruction access fault \\
0 & 2 & Illegal instruction \\
0 & 3 & Breakpoint \\
0 & 4 & Load address misaligned \\
0 & 5 & Load access fault \\
0 & 6 & Store/AMO address misaligned \\
0 & 7 & Store/AMO access fault \\
0 & 8 & Environment call from U-mode\\
0 & 9 & Environment call from S-mode \\
0 & 10 & {\em Reserved} \\
0 & 11 & Environment call from M-mode \\
0 & 12 & Instruction page fault \\
0 & 13 & Load page fault \\
0 & 14 & {\em Reserved} \\
0 & 15 & Store/AMO page fault \\
0 & $\ge$16 & {\em Reserved} \\
\hline
\end{tabular}
\end{center}
\caption{Machine cause register ({\tt mcause}) values after trap.}
\label{mcauses}
\end{table*}
\begin{commentary}
We do not distinguish privileged instruction exceptions from illegal
opcode exceptions. This simplifies the architecture and also hides
details of which higher-privilege instructions are supported by an
implementation. The privilege level servicing the trap can implement
a policy on whether these need to be distinguished, and if so, whether
a given opcode should be treated as illegal or privileged.
\end{commentary}
\begin{commentary}
Interrupts can be separated from other traps with a single branch on the sign of
the {\tt mcause} register value. A shift left can remove the
interrupt bit and scale the exception codes to index into a trap
vector table.
\end{commentary}
\subsection{Machine Trap Value ({\tt mtval}) Register}
The {\tt mtval} register is an MXLEN-bit read-write register formatted as shown
in Figure~\ref{mtvalreg}. When a trap is taken into M-mode, {\tt mtval} is
either set to zero or written with exception-specific information to assist
software in handling the trap. Otherwise, {\tt mtval} is never written by the
implementation, though it may be explicitly written by software. The hardware
platform will specify which exceptions must set {\tt mtval} informatively and
which may unconditionally set it to zero.
When a hardware breakpoint is triggered, or an instruction-fetch, load, or
store address-misaligned, access, or page-fault exception occurs, {\tt
mtval} is written with the faulting virtual address. On an illegal
instruction trap, {\tt mtval} may be written with the first XLEN or ILEN
bits of the faulting instruction as described below. For other traps,
{\tt mtval} is set to zero, but a future standard may redefine {\tt
mtval}'s setting for other traps.
\begin{commentary}
The {\tt mtval} register replaces the {\tt mbadaddr} register in
the previous specification. In addition to providing bad addresses,
the register can now provide the bad instruction that triggered an
illegal instruction trap (and may in future be used to return other
information). Returning the instruction bits accelerates instruction emulation and also
removes some races that might be present when trying to emulate
illegal instructions.
\end{commentary}
\begin{commentary}
When page-based virtual memory is enabled, {\tt mtval} is written with
the faulting virtual address, even for physical-memory access exceptions.
This design reduces datapath cost for most implementations, particularly
those with hardware page-table walkers.
\end{commentary}
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}J}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{\tt mtval} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Trap Value register.}
\label{mtvalreg}
\end{figure}
For misaligned loads and stores that cause access or page-fault exceptions,
{\tt mtval} will contain the virtual address of the portion of the access that
caused the fault. For instruction-fetch access or page-fault exceptions on
systems with variable-length instructions, {\tt mtval} will contain the
virtual address of the portion of the instruction that caused the fault while
{\tt mepc} will point to the beginning of the instruction.
The {\tt mtval} register can optionally also be used to return the
faulting instruction bits on an illegal instruction exception ({\tt
mepc} points to the faulting instruction in memory).
If this feature is not provided, then {\tt mtval} is set to zero on
an illegal instruction fault.
If this feature is provided, after an illegal instruction trap, {\tt mtval}
will contain the shortest of:
\begin{compactitem}
\item the actual faulting instruction
\item the first ILEN bits of the faulting instruction
\item the first XLEN bits of the faulting instruction
\end{compactitem}
The value loaded into {\tt mtval} is right-justified and all unused upper
bits are cleared to zero.
\begin{commentary}
Capturing the faulting instruction in {\tt mtval} reduces the
overhead of instruction emulation, potentially avoiding several
partial instruction loads if the instruction is misaligned, and
likely data cache misses or slow uncached accesses when loads are
used to fetch the instruction into a data register. There is also a
problem of atomicity if another agent is manipulating the
instruction memory, as might occur in a dynamic translation system.
A requirement is that the entire instruction (or at least the first
XLEN bits) are fetched into {\tt mtval} before taking the trap.
This should not constrain implementations, which would typically
fetch the entire instruction before attempting to decode the
instruction, and avoids complicating software handlers.
A value of zero in {\tt mtval} signifies either that the feature is
not supported, or an illegal zero instruction was fetched. A load
from the instruction memory pointed to by {\tt mepc} can be used to
distinguish these two cases (or alternatively, the system
configuration information can be interrogated to install the
appropriate trap handling before runtime).
\end{commentary}
If the hardware platform specifies that no exceptions set {\tt mtval} to a
nonzero value, then it may be hardwired to zero. Otherwise,
{\tt mtval} is a \warl\ register that must be able to hold all valid physical
and virtual addresses and the value 0. It need not be capable of holding all
possible invalid addresses. Implementations may convert some invalid address
patterns into other invalid addresses prior to writing them to {\tt mtval}.
If the feature to return the faulting instruction bits is implemented, {\tt
mtval} must also be able to hold all values less than $2^N$, where $N$ is the
smaller of XLEN and the width of the longest supported instruction.
\section{Machine-Mode Privileged Instructions}
\subsection{Environment Call and Breakpoint}
\vspace{-0.2in}
\begin{center}
\begin{tabular}{M@{}R@{}F@{}R@{}S}
\\
\instbitrange{31}{20} &
\instbitrange{19}{15} &
\instbitrange{14}{12} &
\instbitrange{11}{7} &
\instbitrange{6}{0} \\
\hline
\multicolumn{1}{|c|}{funct12} &
\multicolumn{1}{c|}{rs1} &
\multicolumn{1}{c|}{funct3} &
\multicolumn{1}{c|}{rd} &
\multicolumn{1}{c|}{opcode} \\
\hline
12 & 5 & 3 & 5 & 7 \\
ECALL & 0 & PRIV & 0 & SYSTEM \\
EBREAK & 0 & PRIV & 0 & SYSTEM \\
\end{tabular}
\end{center}
The ECALL instruction is used to make a request to the supporting execution
environment. When executed in U-mode, S-mode, or M-mode, it generates an
environment-call-from-U-mode exception, environment-call-from-S-mode exception, or environment-call-from-M-mode exception, respectively, and performs no other operation.
\begin{commentary}
ECALL generates a different exception for each originating privilege mode
so that environment call exceptions can be selectively delegated. A typical
use case for Unix-like operating systems is to delegate to S-mode the
environment-call-from-U-mode exception but not the others.
\end{commentary}
The EBREAK instruction is used by debuggers to cause control to be transferred
back to a debugging environment. It generates a breakpoint exception and
performs no other operation.
\begin{commentary}
As described in the ``C'' Standard Extension for Compressed Instructions in
Volume I of this manual, the C.EBREAK instruction performs the same operation
as the EBREAK instruction.
\end{commentary}
ECALL and EBREAK cause the receiving privilege mode's {\tt epc} register
to be set to the address of the ECALL or EBREAK instruction itself, {\em not}
the address of the following instruction.
\subsection{Trap-Return Instructions}
\label{otherpriv}
Instructions to return from trap are encoded under the PRIV
minor opcode.
\vspace{-0.2in}
\begin{center}
\begin{tabular}{M@{}R@{}F@{}R@{}S}
\\
\instbitrange{31}{20} &
\instbitrange{19}{15} &
\instbitrange{14}{12} &
\instbitrange{11}{7} &
\instbitrange{6}{0} \\
\hline
\multicolumn{1}{|c|}{funct12} &
\multicolumn{1}{c|}{rs1} &
\multicolumn{1}{c|}{funct3} &
\multicolumn{1}{c|}{rd} &
\multicolumn{1}{c|}{opcode} \\
\hline
12 & 5 & 3 & 5 & 7 \\
MRET/SRET/URET & 0 & PRIV & 0 & SYSTEM \\
\end{tabular}
\end{center}
To return after handling a trap, there are separate trap return
instructions per privilege level: MRET, SRET, and URET. MRET is
always provided. SRET must be provided if supervisor mode is
supported, and should raise an illegal instruction exception otherwise. SRET
should also raise an illegal instruction exception when TSR=1 in {\tt mstatus},
as described in Section~\ref{virt-control}. URET is only provided if user-mode
traps are supported, and should raise an illegal instruction otherwise.
An {\em x}\,RET instruction can be executed in privilege mode {\em x}
or higher, where executing a lower-privilege {\em x}\,RET instruction
will pop the relevant lower-privilege interrupt enable and privilege
mode stack. In addition to manipulating the privilege stack as
described in Section~\ref{privstack}, {\em x}\,RET sets the {\tt pc}
to the value stored in the {\em x}\,{\tt epc} register.
\begin{commentary}
Previously, there was only a single ERET instruction (which was also
earlier known as SRET). To support the addition of user-level
interrupts, we needed to add a separate URET instruction to continue
to allow classic virtualization of OS code using the ERET instruction.
It then became more orthogonal to support a different {\em x}RET
instruction per privilege level.
\end{commentary}
If the A extension is supported, the {\em x},RET instruction is
allowed to clear any outstanding LR address reservation but is not
required to. Trap handlers should explicitly clear the reservation if
required (e.g., by using a dummy SC) before executing the {\em x}RET.
\begin{commentary}
If {\em x},RET instructions always cleared LR reservations, it would
be impossible to single-step through LR/SC sequences using a
debugger.
\end{commentary}
\subsection{Wait for Interrupt}
\label{wfi}
The Wait for Interrupt instruction (WFI) provides a hint to the
implementation that the current hart can be stalled until an interrupt
might need servicing. Execution of the WFI instruction can also be
used to inform the hardware platform that suitable interrupts should
preferentially be routed to this hart. WFI is available in all of the
supported S and M privilege modes, and optionally available to
U-mode for implementations that support U-mode interrupts. This instruction may
raise an illegal instruction exception when TW=1 in {\tt mstatus}, as described
in Section~\ref{virt-control}.
\vspace{-0.2in}
\begin{center}
\begin{tabular}{M@{}R@{}F@{}R@{}S}
\\
\instbitrange{31}{20} &
\instbitrange{19}{15} &
\instbitrange{14}{12} &
\instbitrange{11}{7} &
\instbitrange{6}{0} \\
\hline
\multicolumn{1}{|c|}{funct12} &
\multicolumn{1}{c|}{rs1} &
\multicolumn{1}{c|}{funct3} &
\multicolumn{1}{c|}{rd} &
\multicolumn{1}{c|}{opcode} \\
\hline
12 & 5 & 3 & 5 & 7 \\
WFI & 0 & PRIV & 0 & SYSTEM \\
\end{tabular}
\end{center}
If an enabled interrupt is present or later becomes present while the
hart is stalled, the interrupt exception will be taken on the
following instruction, i.e., execution resumes in the trap handler and
{\tt mepc} = {\tt pc} + 4.
\begin{commentary}
The following instruction takes the interrupt exception and trap, so
that a simple return from the trap handler will execute code after the
WFI instruction.
\end{commentary}
The WFI instruction is just a hint, and a legal implementation is to
implement WFI as a NOP.
\begin{commentary}
If the implementation does not stall the hart on execution of the
instruction, then the interrupt will be taken on some instruction in
the idle loop containing the WFI, and on a simple return from the
handler, the idle loop will resume execution.
\end{commentary}
\begin{commentary}
We have removed the earlier requirement that implementations ignore
the {\em rs1} and {\em rd} fields, so non-zero values in these fields
should now raise illegal instruction exceptions.
\end{commentary}
The WFI instruction can also be executed when interrupts are disabled. The
operation of WFI must be unaffected by the global interrupt bits in {\tt
mstatus} (MIE/SIE/UIE) and the delegation registers {\tt [m|s]ideleg}
(i.e., the hart must resume if a locally enabled interrupt becomes pending,
even if it has been delegated to a less-privileged mode), but should honor the
individual interrupt enables (e.g, MTIE) (i.e., implementations should
avoid resuming the hart if the interrupt is pending but not
individually enabled). WFI is also required to resume execution for
locally enabled interrupts pending at any privilege level, regardless
of the global interrupt enable at each privilege level.
If the event that causes the hart to resume execution does not cause
an interrupt to be taken, execution will resume at {\tt pc} + 4, and
software must determine what action to take, including looping back to
repeat the WFI if there was no actionable event.
\begin{commentary}
By allowing wakeup when interrupts are disabled, an alternate entry
point to an interrupt handler can be called that does not require
saving the current context, as the current context can be saved or
discarded before the WFI is executed.
As implementations are free to implement WFI as a NOP, software must
explicitly check for any relevant pending but disabled interrupts in
the code following an WFI, and should loop back to the WFI if no
suitable interrupt was detected. The {\tt mip}, {\tt sip},
or {\tt uip} registers can be interrogated to determine the presence
of any interrupt in machine, supervisor, or user mode
respectively.
The operation of WFI is unaffected by the delegation register settings.
WFI is defined so that an implementation can trap into a higher
privilege mode, either immediately on encountering the WFI or after
some interval to initiate a machine-mode transition to a lower power
state, for example.
\end{commentary}
\begin{commentary}
The same ``wait-for-event'' template might be used for possible future
extensions that wait on memory locations changing, or message
arrival.
\end{commentary}
\section{Reset}
\label{sec:reset}
Upon reset, a hart's privilege mode is set to M. The {\tt mstatus} fields MIE
and MPRV are reset to 0. The {\tt pc} is
set to an implementation-defined reset vector. The {\tt mcause} register is
set to a value indicating the cause of the reset. All other hart state is
undefined.
The {\tt mcause} values after reset have implementation-specific
interpretation, but the value 0 should be returned on implementations
that do not distinguish different reset conditions. Implementations
that distinguish different reset conditions should only use 0 to
indicate the most complete reset (e.g., hard reset).
\begin{commentary}
Some designs may have multiple causes of reset (e.g., power-on reset,
external hard reset, brownout detected, watchdog timer elapse,
sleep-mode wakeup), which machine-mode software and debuggers may wish
to distinguish.
{\tt mcause} reset values may alias {\tt mcause} values following synchronous
exceptions. There should be no ambiguity in this overlap, since on reset the
{\tt pc} is typically set to a different value than on other traps.
\end{commentary}
\section{Non-Maskable Interrupts}
\label{sec:nmi}
Non-maskable interrupts (NMIs) are only used for hardware error
conditions, and cause an immediate jump to an implementation-defined
NMI vector running in M-mode regardless of the state of a hart's
interrupt enable bits. The {\tt mepc} register is written with the
address of the next instruction to be executed at the time the NMI was
taken, and {\tt mcause} is set to a value indicating the source of the
NMI. The NMI can thus overwrite state in an active machine-mode
interrupt handler.
The values written to {\tt mcause} on an NMI are
implementation-defined, but a value of 0 is reserved to mean ``unknown
cause'' and implementations that do not distinguish sources of NMIs
via the {\tt mcause} register should return 0.
Unlike resets, NMIs do not reset processor state, enabling diagnosis,
reporting, and possible containment of the hardware error.
\section{Physical Memory Attributes}
\label{sec:pma}
The physical memory map for a complete system includes various address
ranges, some corresponding to memory regions, some to memory-mapped
control registers, and some to empty holes in the address space. Some
memory regions might not support reads, writes, or execution; some
might not support subword or subblock accesses; some might not support
atomic operations; and some might not support cache coherence or might
have different memory models. Similarly, memory-mapped control
registers vary in their supported access widths, support for atomic
operations, and whether read and write accesses have associated side
effects. In RISC-V systems, these properties and capabilities of each
region of the machine's physical address space are termed {\em
physical memory attributes} (PMAs). This section describes RISC-V
PMA terminology and how RISC-V systems implement and check PMAs.
PMAs are inherent properties of the underlying hardware and rarely
change during system operation. Unlike physical memory protection
values described in Section~\ref{sec:pmp}, PMAs do not vary by
execution context. The PMAs of some memory regions are fixed at chip
design time---for example, for an on-chip ROM. Others are fixed at
board design time, depending, for example, on which other chips are
connected to off-chip buses. Off-chip buses might also support
devices that could be changed on every power cycle (cold pluggable) or
dynamically while the system is running (hot pluggable). Some devices
might be configurable at run time to support different uses that imply
different PMAs---for example, an on-chip scratchpad RAM might be
cached privately by one core in one end-application, or accessed as a
shared non-cached memory in another end-application.
Most systems will require that at least some PMAs are dynamically
checked in hardware later in the execution pipeline after the physical
address is known, as some operations will not be supported at all
physical memory addresses, and some operations require knowing the
current setting of a configurable PMA attribute. While many other architectures
specify some PMAs in the virtual memory page tables and use the TLB to
inform the pipeline of these properties, this approach injects platform-specific
information into a virtualized layer and can cause system errors
unless attributes are correctly initialized in each page-table entry
for each physical memory region. In addition, the available
page sizes might not be optimal for specifying attributes in the
physical memory space, leading to address-space fragmentation and
inefficient use of expensive TLB entries.
For RISC-V, we separate out specification and checking of PMAs into a
separate hardware structure, the {\em PMA checker}. In many cases,
the attributes are known at system design time for each physical
address region, and can be hardwired into the PMA checker. Where the
attributes are run-time configurable, platform-specific memory-mapped
control registers can be provided to specify these attributes at a
granularity appropriate to each region on the platform (e.g., for an
on-chip SRAM that can be flexibly divided between cacheable and
uncacheable uses). PMAs are checked for any access to physical
memory, including accesses that have undergone virtual to physical
memory translation. To aid in system debugging, we strongly recommend
that, where possible, RISC-V processors precisely trap physical memory
accesses that fail PMA checks. Precisely trapped PMA violations manifest
as load, store, or instruction-fetch access exceptions, distinct from
virtual-memory page-fault exceptions. Precise PMA traps might not always be
possible, for example, when probing a legacy bus architecture that
uses access failures as part of the discovery mechanism. In this
case, error responses from slave devices will be reported as imprecise
bus-error interrupts.
PMAs must also be readable by software to correctly access certain
devices or to correctly configure other hardware components that
access memory, such as DMA engines. As PMAs are tightly tied to a
given physical platform's organization, many details are inherently
platform-specific, as is the means by which software can learn the PMA
values for a platform. The configuration string
(Chapter~\ref{cfgstr}) can encode PMAs for on-chip devices and might
also describe on-chip controllers for off-chip buses that can be
dynamically interrogated to discover attached device PMAs. Some
devices, particularly legacy buses, do not support discovery of PMAs
and so will give error responses or time out if an unsupported access
is attempted. Typically, platform-specific machine-mode code will
extract PMAs and ultimately present this information to higher-level
less-privileged software using some standard representation.
Where platforms support dynamic reconfiguration of PMAs, an interface
will be provided to set the attributes by passing requests to a
machine-mode driver that can correctly reconfigure the platform. For
example, switching cacheability attributes on some memory regions
might involve platform-specific operations, such as cache flushes,
that are available only to machine-mode.
\subsection{Main Memory versus I/O versus Empty Regions}
The most important characterization of a given memory address range is
whether it holds regular main memory, or I/O devices, or is empty.
Regular main memory is required to have a number of properties,
specified below, whereas I/O devices can have a much broader range of
attributes. Memory regions that do not fit into regular main
memory, for example, device scratchpad RAMs, are categorized as I/O
regions. Empty regions are also classified as I/O regions but with
attributes specifying that no accesses are supported.
\subsection{Supported Access Type PMAs}
Access types specify which access widths, from 8-bit byte to long
multi-word burst, are supported, and also whether misaligned accesses
are supported for each access width.
\begin{commentary}
Although software running on a RISC-V hart cannot directly generate
bursts to memory, software might have to program DMA engines to access
I/O devices and might therefore need to know which access sizes are
supported.
\end{commentary}
Main memory regions always support read, write, and execute of all
access widths required by the attached devices.
\begin{commentary}
In some cases, the design of a processor or device accessing main
memory might support other widths, but must be able to function with
the types supported by the main memory.
\end{commentary}
I/O regions can specify which combinations of read, write, or execute
accesses to which data widths are supported.
\subsection{Atomicity PMAs}
Atomicity PMAs describes which atomic instructions are supported in
this address region. Main memory regions must support the atomic
operations required by the processors attached. I/O regions may only
support a subset or none of the processor-supported atomic operations.
Support for atomic instructions is divided into two categories: {\em
LR/SC} and {\em AMOs}. Within AMOs, there are four levels of
support: {\em AMONone}, {\em AMOSwap}, {\em AMOLogical}, and {\em
AMOArithmetic}. AMONone indicates that no AMO operations are
supported. AMOSwap indicates that only {\tt amoswap} instructions are
supported in this address range. AMOLogical indicates that swap
instructions plus all the logical AMOs ({\tt amoand}, {\tt amoor},
{\tt amoxor}) are supported. AMOArithmetic indicates that all RISC-V
AMOs are supported. For each level of support, naturally aligned AMOs
of a given width are supported if the underlying memory region
supports reads and writes of that width.
\begin{table*}[h!]
\begin{center}
\begin{tabular}{|l|l|}
\hline
AMO Class & Supported Operations \\
\hline
AMONone & {\em None} \\
AMOSwap & {\tt amoswap} \\
AMOLogical & above + {\tt amoand}, {\tt amoor}, {\tt amoxor} \\
AMOArithmetic & above + {\tt amoadd}, {\tt amomin}, {\tt amomax}, {\tt amominu}, {\tt amomaxu} \\
\hline
\end{tabular}
\end{center}
\caption{Classes of AMOs supported by I/O regions. Main memory
regions must always support all AMOs required by the processor.}
\label{amoclasses}
\end{table*}
\begin{commentary}
We recommend providing at least AMOLogical support for I/O regions
where possible. Most I/O regions will not support LR/SC accesses, as
these are most conveniently built on top of a cache-coherence scheme.
\end{commentary}
Memory regions that support LR/SC will define the conditions under which LR/SC
sequences must succeed or must fail. Main memory must guarantee the eventual
success of any LR/SC sequence that meets the requirements described in the
user ISA specification.
Memory regions that support aligned LR/SC or aligned AMOs might also support
misaligned LR/SC or misaligned AMOs for some addresses and access widths. If,
for a given address and access width, a misaligned LR/SC or AMO generates
a misaligned address exception, then {\em all} loads, stores, LRs/SCs, and
AMOs using that address and access width must generate misaligned address
exceptions.
\begin{commentary}
The standard ``A'' extension does not support misaligned AMOs or LR/SC pairs.
Support for misaligned AMOs is provided by the standard ``Zam'' extension.
Support for misaligned LR/SC sequences is not currently standardized,
so LR and SC to misaligned addresses must raise an exception.
Mandating that misaligned loads and stores trap wherever misaligned AMOs trap
permits the emulation of misaligned AMOs in an M-mode trap handler. The
handler guarantees atomicity by acquiring a global mutex and emulating the
access within the critical section. Provided that the handler for misaligned
loads and stores uses the same mutex, all accesses to a given address that
use the same word size will be mutually atomic.
\end{commentary}
\subsection{Memory-Ordering PMAs}
Regions of the address space are classified as either {\em main
memory} or {\em I/O} for the purposes of ordering by the FENCE
instruction and atomic-instruction ordering bits.
Accesses by one hart to main memory regions are observable not only by
other harts but also by other devices with the capability to initiate
requests in the main memory system (e.g., DMA engines). Main memory
regions always have the standard RISC-V relaxed memory model.
Accesses by one hart to the I/O space are observable not only by other
harts and bus mastering devices, but also by targeted slave I/O
devices. Within I/O, regions may further be classified as
implementing either {\em relaxed} or {\em strong} ordering. A relaxed
I/O region has no ordering guarantees on how memory accesses made by
one hart are observable by different harts or I/O devices beyond those
enforced by FENCE and AMO instructions. A strongly ordered I/O region
ensures that all accesses made by a hart to that region are only
observable in program order by all other harts or I/O devices.
Each strongly ordered I/O region specifies a numbered ordering
channel, which is a mechanism by which ordering guarantees can be
provided between different I/O regions. Channel 0 is used to indicate
point-to-point strong ordering only, where only accesses by the hart to the
single associated I/O region are strongly ordered.
Channel 1 is used to provide global strong ordering across all I/O
regions. Any accesses by a hart to any I/O region associated with
channel 1 can only be observed to have occurred in program order by all
other harts and I/O devices, including relative to accesses made by
that hart to relaxed I/O regions or strongly ordered I/O regions with
different channel numbers. In other words, any access to a region in
channel 1 is equivalent to executing a {\tt fence io,io}
instruction before and after the instruction.
Other larger channel numbers provide program ordering to accesses by
that hart across any regions with the same channel number.
Systems might support dynamic configuration of ordering properties on
each memory region.
\begin{commentary}
Strong ordering can be used to improve compatibility with legacy
device driver code, or to enable increased performance compared to
insertion of explicit ordering instructions when the implementation is
known to not reorder accesses.
Local strong ordering (channel 0) is the default form of strong
ordering as it is often straightforward to provide if there is only a
single in-order communication path between the hart and the I/O
device.
Generally, different strongly ordered I/O regions can share the same
ordering channel without additional ordering hardware if they share
the same interconnect path and the path does not reorder requests.
\end{commentary}
\subsection{Coherence and Cacheability PMAs}
Coherence is a property defined for a single physical address, and
indicates that writes to that address by one agent will eventually be
made visible to other agents in the system. Coherence is not to be
confused with the memory consistency model of a system, which defines
what values a memory read can return given the previous history of
reads and writes to the entire memory system. In RISC-V platforms,
the use of hardware-incoherent regions is discouraged due to software
complexity, performance, and energy impacts.
The cacheability of a memory region should not affect the software
view of the region except for differences reflected in other PMAs,
such as main memory versus I/O classification, memory ordering,
supported accesses and atomic operations, and coherence. For this
reason, we treat cacheability as a platform-level setting managed by
machine-mode software only.
Where a platform supports configurable cacheability settings for a
memory region, a platform-specific machine-mode routine will change
the settings and flush caches if necessary, so the system is only
incoherent during the transition between cacheability settings. This
transitory state should not be visible to lower privilege levels.
\begin{commentary}
We categorize RISC-V caches into three types: {\em master-private},
{\em shared}, and {\em slave-private}. Master-private caches are
attached to a single master agent, i.e., one that issues read/write
requests to the memory system. Shared caches are located between
masters and slaves and may be hierarchically organized. Slave-private
caches do not impact coherence, as they are local to a single slave
and do not affect other PMAs at a master, so are not considered
further here. We use {\em private cache} to mean a master-private
cache in the following section, unless explicitly stated otherwise.
Coherence is straightforward to provide for a shared memory region
that is not cached by any agent. The PMA for such a region would
simply indicate it should not be cached in a private or shared cache.
Coherence is also straightforward for read-only regions, which can be
safely cached by multiple agents without requiring a cache-coherence
scheme. The PMA for this region would indicate that it can be cached,
but that writes are not supported.
Some read-write regions might only be accessed by a single agent, in
which case they can be cached privately by that agent without
requiring a coherence scheme. The PMA for such regions would indicate
they can be cached. The data can also be cached in a shared cache, as
other agents should not access the region.
If an agent can cache a read-write region that is accessible by other
agents, whether caching or non-caching, a cache-coherence scheme is
required to avoid use of stale values. In regions lacking hardware
cache coherence (hardware-incoherent regions), cache coherence can be
implemented entirely in software, but software coherence schemes are
notoriously difficult to implement correctly and often have severe
performance impacts due to the need for conservative software-directed
cache-flushing. Hardware cache-coherence schemes require more complex
hardware and can impact performance due to the cache-coherence probes,
but are otherwise invisible to software.
For each hardware cache-coherent region, the PMA would indicate that
the region is coherent and which hardware coherence controller to use
if the system has multiple coherence controllers. For some systems,
the coherence controller might be an outer-level shared cache, which
might itself access further outer-level cache-coherence controllers
hierarchically.
Most memory regions within a platform will be coherent to software,
because they will be fixed as either uncached, read-only, hardware
cache-coherent, or only accessed by one agent.
\end{commentary}
\subsection{Idempotency PMAs}
Idempotency PMAs describe whether reads and writes to an address
region are idempotent. Main memory regions are assumed to be
idempotent. For I/O regions, idempotency on reads and writes can be
specified separately (e.g., reads are idempotent but writes are not).
If accesses are non-idempotent, i.e., there is potentially a side
effect on any read or write access, then speculative or redundant
accesses must be avoided.
For the purposes of defining the idempotency PMAs, changes in observed
memory ordering created by redundant accesses are not considered a
side effect.
\begin{commentary}
While hardware should always be designed to avoid speculative or
redundant accesses to memory regions marked as non-idempotent, it is
also necessary to ensure software or compiler optimizations do not
generate spurious accesses to non-idempotent memory regions.
\end{commentary}
\begin{commentary}
Non-idempotent regions might not support misaligned accesses, in which case
software might emulate misaligned accesses as a sequence of aligned accesses,
each possibly causing side effects. Therefore, portable software should not
issue misaligned accesses to non-idempotent regions.
\end{commentary}
\section{Physical Memory Protection}
\label{sec:pmp}
To support secure processing and contain faults, it is desirable to
limit the physical addresses accessible by software running on a hart.
An optional physical memory protection (PMP) unit provides
per-hart machine-mode control registers to allow
physical memory access privileges (read, write, execute) to be
specified for each physical memory region. The PMP values are checked
in parallel with the PMA checks described in Section~\ref{sec:pma}.
The granularity of PMP access control settings are platform-specific and
within a platform may vary by physical memory region, but the standard PMP
encoding supports regions as small as four bytes. Certain regions' privileges
can be hardwired---for example, some regions might only ever be visible in
machine mode but in no lower-privilege layers.
\begin{commentary}
Platforms vary widely in demands for physical memory protection, and
some platforms may provide other PMP structures in addition to or
instead of the scheme described in this section.
\end{commentary}
PMP checks are applied to all accesses when the hart is running in
S or U modes, and for loads and stores when the MPRV bit is set in
the {\tt mstatus} register and the MPP field in the {\tt mstatus}
register contains S or U. PMP checks are also applied to page-table
accesses for virtual-address translation, for which the effective
privilege mode is S. Optionally, PMP checks may additionally apply
to M-mode accesses, in which case the PMP registers themselves are
locked, so that even M-mode software cannot change them without
a system reset. In effect, PMP can {\em grant} permissions to S and U
modes, which by default have none, and can {\em revoke} permissions
from M-mode, which by default has full permissions.
PMP violations are always trapped precisely at the processor.
\subsection{Physical Memory Protection CSRs}
PMP entries are described by an 8-bit configuration register and one MXLEN-bit
address register. Some PMP settings additionally use the address register
associated with the preceding PMP entry. Up to 16 PMP entries are supported.
If any PMP entries are implemented, then all PMP CSRs must be implemented,
but all PMP CSR fields are \warl\ and may be hardwired to zero. PMP CSRs
are only accessible to M-mode.
The PMP configuration registers are densely packed into CSRs to minimize
context-switch time. For RV32, four CSRs, {\tt pmpcfg0}--{\tt pmpcfg3}, hold
the configurations {\tt pmp0cfg}--{\tt pmp15cfg} for the 16 PMP entries, as
shown in Figure~\ref{pmpcfg-rv32}. For RV64, {\tt pmpcfg0} and {\tt pmpcfg2}
hold the configurations for the 16 PMP entries, as shown in
Figure~\ref{pmpcfg-rv64}; {\tt pmpcfg1} and {\tt pmpcfg3} are illegal.
\begin{commentary}
RV64 systems use {\tt pmpcfg2}, rather than {\tt pmpcfg1}, to hold
configurations for PMP entries 8--15. This design reduces the cost of
supporting multiple MXLEN values, since the configurations for PMP
entries 8--11 appear in {\tt pmpcfg2}[31:0] for both RV32 and RV64.
\end{commentary}
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}Y@{}Y@{}Y@{}Yl}
\instbitrange{31}{24} &
\instbitrange{23}{16} &
\instbitrange{15}{8} &
\instbitrange{7}{0} & \\
\cline{1-4}
\multicolumn{1}{|c|}{pmp3cfg} &
\multicolumn{1}{c|}{pmp2cfg} &
\multicolumn{1}{c|}{pmp1cfg} &
\multicolumn{1}{c|}{pmp0cfg} &
\tt pmpcfg0 \\
\cline{1-4}
8 & 8 & 8 & 8 & \\
\instbitrange{31}{24} &
\instbitrange{23}{16} &
\instbitrange{15}{8} &
\instbitrange{7}{0} & \\
\cline{1-4}
\multicolumn{1}{|c|}{pmp7cfg} &
\multicolumn{1}{c|}{pmp6cfg} &
\multicolumn{1}{c|}{pmp5cfg} &
\multicolumn{1}{c|}{pmp4cfg} &
\tt pmpcfg1 \\
\cline{1-4}
8 & 8 & 8 & 8 & \\
\instbitrange{31}{24} &
\instbitrange{23}{16} &
\instbitrange{15}{8} &
\instbitrange{7}{0} & \\
\cline{1-4}
\multicolumn{1}{|c|}{pmp11cfg} &
\multicolumn{1}{c|}{pmp10cfg} &
\multicolumn{1}{c|}{pmp9cfg} &
\multicolumn{1}{c|}{pmp8cfg} &
\tt pmpcfg2 \\
\cline{1-4}
8 & 8 & 8 & 8 & \\
\instbitrange{31}{24} &
\instbitrange{23}{16} &
\instbitrange{15}{8} &
\instbitrange{7}{0} & \\
\cline{1-4}
\multicolumn{1}{|c|}{pmp15cfg} &
\multicolumn{1}{c|}{pmp14cfg} &
\multicolumn{1}{c|}{pmp13cfg} &
\multicolumn{1}{c|}{pmp12cfg} &
\tt pmpcfg3 \\
\cline{1-4}
8 & 8 & 8 & 8 & \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{RV32 PMP configuration CSR layout.}
\label{pmpcfg-rv32}
\end{figure}
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}Y@{}Y@{}Y@{}Y@{}Y@{}Y@{}Y@{}Yl}
\instbitrange{63}{56} &
\instbitrange{55}{48} &
\instbitrange{47}{40} &
\instbitrange{39}{32} &
\instbitrange{31}{24} &
\instbitrange{23}{16} &
\instbitrange{15}{8} &
\instbitrange{7}{0} & \\
\cline{1-8}
\multicolumn{1}{|c|}{pmp7cfg} &
\multicolumn{1}{c|}{pmp6cfg} &
\multicolumn{1}{c|}{pmp5cfg} &
\multicolumn{1}{c|}{pmp4cfg} &
\multicolumn{1}{c|}{pmp3cfg} &
\multicolumn{1}{c|}{pmp2cfg} &
\multicolumn{1}{c|}{pmp1cfg} &
\multicolumn{1}{c|}{pmp0cfg} &
\tt pmpcfg0 \\
\cline{1-8}
8 & 8 & 8 & 8 & 8 & 8 & 8 & 8 & \\
\instbitrange{63}{56} &
\instbitrange{55}{48} &
\instbitrange{47}{40} &
\instbitrange{39}{32} &
\instbitrange{31}{24} &
\instbitrange{23}{16} &
\instbitrange{15}{8} &
\instbitrange{7}{0} & \\
\cline{1-8}
\multicolumn{1}{|c|}{pmp15cfg} &
\multicolumn{1}{c|}{pmp14cfg} &
\multicolumn{1}{c|}{pmp13cfg} &
\multicolumn{1}{c|}{pmp12cfg} &
\multicolumn{1}{c|}{pmp11cfg} &
\multicolumn{1}{c|}{pmp10cfg} &
\multicolumn{1}{c|}{pmp9cfg} &
\multicolumn{1}{c|}{pmp8cfg} &
\tt pmpcfg2 \\
\cline{1-8}
8 & 8 & 8 & 8 & 8 & 8 & 8 & 8 & \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{RV64 PMP configuration CSR layout.}
\label{pmpcfg-rv64}
\end{figure}
The PMP address registers are CSRs named {\tt pmpaddr0}--{\tt pmpaddr15}.
Each PMP address register encodes bits 33--2 of a 34-bit physical address for
RV32, as shown in Figure~\ref{pmpaddr-rv32}. For RV64, each PMP address
register encodes bits 55--2 of a 56-bit physical address, as shown in
Figure~\ref{pmpaddr-rv64}. Not all physical address bits may be implemented,
and so the {\tt pmpaddr} registers are \warl.
\begin{commentary}
The Sv32 page-based virtual-memory scheme described in Section~\ref{sec:sv32}
supports 34-bit physical addresses for RV32, so the PMP scheme must support
addresses wider than XLEN for RV32.
The Sv39 and Sv48 page-based virtual-memory schemes described in
Sections~\ref{sec:sv39} and~\ref{sec:sv48} support a 56-bit physical address
space, so the RV64 PMP address registers impose the same limit.
\end{commentary}
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}J}
\instbitrange{31}{0} \\
\hline
\multicolumn{1}{|c|}{address[33:2] (\warl)} \\
\hline
32 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{PMP address register format, RV32.}
\label{pmpaddr-rv32}
\end{figure}
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}F@{}J}
\instbitrange{63}{54} &
\instbitrange{53}{0} \\
\hline
\multicolumn{1}{|c|}{\wiri} &
\multicolumn{1}{c|}{address[55:2] (\warl)} \\
\hline
10 & 54 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{PMP address register format, RV64.}
\label{pmpaddr-rv64}
\end{figure}
Figure~\ref{pmpcfg} shows the layout of a PMP configuration register. The R,
W, and X bits, when set, indicate that the PMP entry permits read, write, and
instruction execution, respectively. When one of these bits is clear, the
corresponding access type is denied. The combination R=0 and W=1 is reserved
for future use. The remaining two fields, A and L, are
described in the following sections.
\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{YSSYYY}
\instbit{7} &
\instbitrange{6}{5} &
\instbitrange{4}{3} &
\instbit{2} &
\instbit{1} &
\instbit{0} \\
\hline
\multicolumn{1}{|c|}{L (\warl)} &
\multicolumn{1}{c|}{\wiri} &
\multicolumn{1}{c|}{A (\warl)} &
\multicolumn{1}{c|}{X (\warl)} &
\multicolumn{1}{c|}{W (\warl)} &
\multicolumn{1}{c|}{R (\warl)}
\\
\hline
1 & 2 & 2 & 1 & 1 & 1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{PMP configuration register format.}
\label{pmpcfg}
\end{figure}
Attempting to fetch an instruction from a PMP region that does not have execute
permissions raises a fetch access exception. Attempting to execute
a load or load-reserved instruction whose effective address lies within
a PMP region without read permissions raises a load access exception.
Attempting to execute a store, store-conditional (regardless of success),
or AMO instruction whose effective address lies within a PMP region without
write permissions raises a store access exception.
\subsubsection*{Address Matching}
The A field in a PMP entry's configuration register encodes the
address-matching mode of the associated PMP address register. The encoding of
this field is shown in Table~\ref{pmpcfg-a}. When A=0, this PMP entry is
disabled and matches no addresses. Two other address-matching modes are
supported: naturally aligned power-of-2 regions (NAPOT), including the special
case of naturally aligned four-byte regions (NA4); and the top boundary of an
arbitrary range (TOR). These modes support four-byte granularity.
\begin{table*}[h!]
\begin{center}
\begin{tabular}{|r|c|l|}
\hline
A & Name & Description \\
\hline
0 & OFF & Null region (disabled) \\
1 & TOR & Top of range \\
2 & NA4 & Naturally aligned four-byte region \\
3 & NAPOT & Naturally aligned power-of-two region, $\ge$8 bytes \\
\hline
\end{tabular}
\end{center}
\caption{Encoding of A field in PMP configuration registers.}
\label{pmpcfg-a}
\end{table*}
NAPOT ranges make use of the low-order bits of the associated address register
to encode the size of the range, as shown in Table~\ref{pmpcfg-napot}.
\begin{table*}[h!]
\begin{center}
\begin{tabular}{|c|c|l|}
\hline
\tt pmpaddr & {\tt pmpcfg}.A & Match type and size \\
\hline
\tt yyyy...yyyy & NA4 & 4-byte NAPOT range \\
\tt yyyy...yyy0 & NAPOT & 8-byte NAPOT range \\
\tt yyyy...yy01 & NAPOT & 16-byte NAPOT range \\
\tt yyyy...y011 & NAPOT & 32-byte NAPOT range \\
\multicolumn{1}{|c|}{\ldots} & \ldots & \multicolumn{1}{|c|}{\ldots} \\
\tt yy01...1111 & NAPOT & $2^{XLEN}$-byte NAPOT range \\
\tt y011...1111 & NAPOT & $2^{XLEN+1}$-byte NAPOT range \\
\tt 0111...1111 & NAPOT & $2^{XLEN+2}$-byte NAPOT range \\
\tt 1111...1111 & NAPOT & {\em Reserved} \\
\hline
\end{tabular}
\end{center}
\caption{NAPOT range encoding in PMP address and configuration registers.}
\label{pmpcfg-napot}
\end{table*}
If TOR is selected, the associated address register forms the top of the
address range, and the preceding PMP address register forms the bottom of the
address range. If PMP entry $i$'s A field is set to TOR, the entry matches
any address $y$ such that ${\tt pmpaddr}_{i-1}\leq y < {\tt pmpaddr}_i$. If
PMP entry 0's A field is set to TOR, zero is used for the lower bound, and so
it matches any address $y < {\tt pmpaddr}_0$.
Although the PMP mechanism supports regions as small as four bytes, platforms
may specify coarser PMP regions. In general, the PMP grain is $2^{G+2}$ bytes
and must be the same across all PMP regions. When $G>0$, the NA4 mode may not
be selected, and bit ${\tt pmpaddr}_i$[G-1] is hardwired to 0. Furthermore,
if $G \geq 2$, then bits ${\tt pmpaddr}_i$[G-2:0] all read as equal to ${\tt
pmpcfg}_i$.A[1]---i.e., all ones when the mode is NAPOT, or all zeros when the
mode is TOR or OFF. When $G>0$, bits ${\tt pmpaddr}_i$[G-1:0] do not affect
the address-matching logic.
\begin{commentary}
Software may determine the PMP granularity by writing zero to {\tt pmp0cfg},
then writing all ones to {\tt pmpaddr0}, then reading back {\tt pmpaddr0}.
If $G$ is the index of the least-significant bit set,
the PMP granularity is $2^{G+2}$ bytes.
\end{commentary}
\subsubsection*{Locking and Privilege Mode}
The L bit indicates that the PMP entry is locked, i.e., writes to the
configuration register and associated address registers are ignored. Locked
PMP entries may only be unlocked with a system reset. If PMP entry $i$ is
locked, writes to {\tt pmp}$i${\tt cfg} and {\tt pmpaddr}$i$ are ignored.
Additionally, if {\tt pmp}$i${\tt cfg}.A is set to TOR, writes to {\tt
pmpaddr}$i$-1 are ignored.
In addition to locking the PMP entry, the L bit indicates whether the R/W/X
permissions are enforced on M-mode accesses. When the L bit is set, these
permissions are enforced for all privilege modes. When the L bit is clear,
any M-mode access matching the PMP entry will succeed; the R/W/X
permissions apply only to S and U modes.
\subsubsection*{Priority and Matching Logic}
PMP entries are statically prioritized. The lowest-numbered PMP entry that
matches any byte of an access determines whether that access succeeds or
fails. The matching PMP entry must match all bytes of an access, or the
access fails, irrespective of the L, R, W, and X bits. For example, if a PMP
entry is configured to match the four-byte range {\tt 0xC}--{\tt 0xF}, then an
8-byte access to the range {\tt 0x8}--{\tt 0xF} will fail, assuming that
PMP entry is the highest-priority entry that matches those addresses.
If a PMP entry matches all bytes of an access, then the L, R, W, and X bits
determine whether the access succeeds or fails. If the L bit is clear and the
privilege mode of the access is M, the access succeeds. Otherwise, if the
L bit is set or the privilege mode of the access is S or U, then the access
succeeds only if the R, W, or X bit corresponding to the access type is set.
If no PMP entry matches an M-mode access, the access succeeds. If no PMP
entry matches an S-mode or U-mode access, but at least one PMP entry is
implemented, the access fails.
Failed accesses generate a load, store, or instruction access exception. Note
that a single instruction may generate multiple accesses, which may not be
mutually atomic. An access exception is generated if at least one access
generated by an instruction fails, though other accesses generated by that
instruction may succeed with visible side effects. Notably, instructions that
reference virtual memory are decomposed into multiple accesses.
On some implementations, misaligned loads, stores, and instruction fetches may
also be decomposed into multiple accesses, some of which may succeed before an
access exception occurs. In particular, a portion of a misaligned store
that passes the PMP check may become visible, even if another portion fails
the PMP check. The same behavior may manifest for floating-point stores wider
than XLEN bits (e.g., the FSD instruction in RV32D), even when the store
address is naturally aligned.
\subsection{Physical Memory Protection and Paging}
\label{pmp-vmem}
The Physical Memory Protection mechanism is designed to compose with the
page-based virtual memory systems described in Chapter~\ref{supervisor}. When
paging is enabled, instructions that access virtual memory may result in
multiple physical-memory accesses, including implicit references to the page
tables. The PMP checks apply to all of these accesses. The effective
privilege mode for implicit page-table accesses is S.
Implementations with virtual memory are permitted to perform address
translations speculatively and earlier than required by an explicit
virtual-memory access. The PMP settings for the resulting physical address
may be checked at any point between the address translation and the explicit
virtual-memory access. Hence, when the PMP settings are modified in a manner
that affects either the physical memory that holds the page tables or the
physical memory to which the page tables point, M-mode software must
synchronize the PMP settings with the virtual memory system. This is
accomplished by executing an SFENCE.VMA instruction with {\em rs1}={\tt x0}
and {\em rs2}={\tt x0}, after the PMP CSRs are written. Note, SFENCE.VMA is
only guaranteed to synchronize the PMP settings with the virtual memory system
when it is executed in M-mode.
If page-based virtual memory is not implemented, or when it is disabled,
memory accesses check the PMP settings synchronously, so no fence is needed.
|