riscv-non-isa · joxie · Apr 9, 2024 · Apr 9, 2024 · Apr 9, 2024 · Apr 9, 2024
diff --git a/Makefile b/Makefile
@@ -31,7 +31,7 @@ OPTIONS := --trace \
            -a pdf-fontsdir=docs-resources/fonts \
            -a pdf-style=docs-resources/themes/riscv-pdf.yml \
            --failure-level=ERROR
-REQUIRES := \
+REQUIRES := --require=asciidoctor-bibtex \
             --require=asciidoctor-diagram \
             --require=asciidoctor-mathematical
 

diff --git a/chapter2.adoc b/chapter2.adoc
@@ -1,14 +1,14 @@
 [[zedsec]]
 == Zedsec (ISA extension)
 
-This chapter introduces the Zedsec ISA extension, which extends the ISA section of The RISC-V Debug Specification. The RISC-V hart must implement all features to ensure external debug security. It is designed to enforce access control over operations initiated by the Debug Module, as well as constraints on trigger behaviors. Additionally, it incorporates trace functionality, with its output undergoing check based on hart privilege levels.
+This chapter introduces the Zedsec ISA extension, which extends the ISA section of The RISC-V Debug Specification. The RISC-V hart must implement all features to ensure external debug security. It is designed to enforce access control over operations initiated by the Debug Module, as well as constraints on trigger behaviors cite:[dbgspec]. Additionally, it incorporates trace functionality cite:[etrace], with its output undergoing check based on hart privilege levels.
 
 === External Debug
 
 By default, the extension forbids the following debug operation in <<dbops>> unless they are explicitly granted to the external debugger.
 
 [[dbops]]
-.The debug operations affected by zedsec extension
+.The debug operations affected by Zedsec extension
 * Entering Debug Mode                                                     
 * Executing Program buffer                                                
 * Serving abstract commands (Access Register, Quick Access, Access Memory)
@@ -24,9 +24,9 @@ In addition, the `mprv` and `mpp` fields take effect exclusively when the *debug
 
 [[maxdbgpriv]]
 [options="header"]
-.Determining maximum debug access privilege with mdbgen and sdbgen
+.Determining maximum debug access privilege with mdbgen and sdedbgalw
 |=========================================
-| mdbgen | sdbgen | Maximum debug privilege 
+| mdbgen | sdedbgalw | Maximum debug privilege 
 | 1      | x      | M                 
 | 0      | 1      | S(HS)             
 | 0      | 0      | n/a               
@@ -44,55 +44,59 @@ When mdbgen[i] is set to 0, debug operations in machine mode are prohibited for
 
 [[submdbgctl]]
 ==== Submachine Mode Debug Control
-The submachine mode debug of hart i is determined by the `sdbgen` field of CSR `mseccfg` within hart i and mdbgen[i]. Debug operations listed in <<dbops>> are allowed when hart i executes in submachine mode only if the logical-OR of values in sdbgen and mdbgen[i] is 1.
+The submachine mode debug of hart i is determined by the `sdedbgalw` field of CSR <<zedseccsr,msdcfg>> within hart i and mdbgen[i]. Debug operations listed in <<dbops>> are allowed when hart i executes in submachine mode only if the logical-OR of values in sdedbgalw and mdbgen[i] is 1.
 
-The legal value of <<dbgaccpriv, debug access privilege>> for hart i is solely determined by sdbgen when mdbgen[i] is 0. In the event of sdbgen being 1 while mdbgen[i] is 0, the debug access privilege can be configured to privilege levels other than machine mode. Any attempt to set debug access privilege to machine mode will result in a security fault error (cmderr 6).
+The legal value of <<dbgaccpriv, debug access privilege>> for hart i is solely determined by `sdedbgalw` when mdbgen[i] is 0. In the event of `sdedbgalw` being 1 while mdbgen[i] is 0, the debug access privilege can be configured to privilege levels other than machine mode. Any attempt to set debug access privilege to machine mode will result in a security fault error (cmderr 6).
 
-If register access without halting the hart is supported, this access bears the privilege of supervisor/hypervisor mode to access the hart when mdbgen[i] is 0 and sdbgen is 1.
+If register access without halting the hart is supported, this access bears the privilege of supervisor/hypervisor mode to access the hart when mdbgen[i] is 0 and `sdedbgalw` is 1.
 
-Debug operations in all modes are prohibited for hart i when the logical-OR of sdbgen and mdbgen[i] is 0. All halt requests from the Debug Module will remain pending, and triggers configured to enter debug mode will neither match nor fire. The register access without halting is dropped.
+Debug operations in all modes are prohibited for hart i when the logical-OR of `sdedbgalw` and mdbgen[i] is 0. All halt requests from the Debug Module will remain pending, and triggers configured to enter debug mode will neither match nor fire. The register access without halting is dropped.
 
 [[dbgpriv]]
 [options="header"]
 .The debuggable privilege levels per debug controls 
 |============================================
-| mdbgen | sdbgen | Debuggable privilege levels 
+| mdbgen | sdedbgalw | Debuggable privilege levels 
 | 1      | x      | All                      
 | 0      | 1      | All except M             
 | 0      | 0      | n/a                      
 |============================================
 
 
 === Trace
-The extension requires that trace availability from each hart is constrained by default. When zdesec is supported, the optional sideband signal to trace encoder, halted, must be implemented for each hart, and this signal must be reset to 1. The halted signal is only cleared when trace is permitted by machine mode trace control or submachine mode trace control.
+The extension requires that trace availability from each hart is constrained by default. When Zedsec is supported, the optional sideband signal to trace encoder, sec_check cite:[etrace], must be implemented for each hart, and this signal must be reset to 1. The sec_check signal is only cleared when trace is permitted by machine mode trace control or submachine mode trace control.
 
 ==== Machine Mode Trace Control 
-For each hart i, an input port, mtrcen[i], controls machine mode trace availability. Setting mtrcen[i] to 1 enables machine mode and submachine mode trace by clearing the halted signal to 0 across all privilege levels. Conversely, if mtrcen[i] is set to 0, the halted signal cannot be cleared when the hart operates in machine mode.
+For each hart i, an input port, mtrcen[i], controls machine mode trace availability. Setting mtrcen[i] to 1 enables machine mode and submachine mode trace by clearing the sec_check signal to 0 across all privilege levels. Conversely, if mtrcen[i] is set to 0, the sec_check signal cannot be cleared when the hart operates in machine mode.
 
 ==== Submachine Mode Trace Control 
-The halted signal for hart i in submachine mode is determined by the strcen field of CSR mseccfg within hart i, alongside mtrcen[i]. When the logical-OR of strcen and mtrcen[i] is 1, the halted signal is cleared while the hart runs in submachine mode.
+The sec_check signal for hart i in submachine mode is determined by the `sdetrcalw` field of CSR <<zedseccsr, msdcfg>> within hart i, alongside mtrcen[i]. When the logical-OR of `sdetrcalw` and mtrcen[i] is 1, the sec_check signal is cleared while the hart runs in submachine mode.
 
-When both strcen and mtrcen[i] are set to 0, the halted signal cannot be cleared at all.
+When both `sdetrcalw` and mtrcen[i] are set to 0, the sec_check signal cannot be cleared at all.
 
 [[trcctl]]
 [options="header"]
-.The status of the halted sideband signal across privilege levels
+.The status of the sec_check sideband signal across privilege levels
 |===========================================================
-| mtrcen| strcen| Machine mode | Submachine mode
-| 1     | x     | halted = 0   | halted = 0     
-| 0     | 1     | halted = 1   | halted = 0     
-| 0     | 0     | halted = 1   | halted = 1     
+| mtrcen| sdetrcalw| Machine mode | Submachine mode
+| 1     | x     | sec_check = 0   | sec_check = 0     
+| 0     | 1     | sec_check = 1   | sec_check = 0     
+| 0     | 0     | sec_check = 1   | sec_check = 1     
 |===========================================================
 
+[NOTE]
+
+The sec_check signal serves as an additional signal for the trace module, indicating that trace output is prohibited due to security controls. Functionally, sec_check behaves identically to the halted signal. Both sec_check and halted signals cannot be active simultaneously. Reserved for future applications, the combined state of [sec_check, halted] as 0b11 remains unutilized. In cases where a trace module lacks support for the sec_check signal, the hart may alternatively toggle the halted signal to restrict trace output.
+
 === Trigger 
 
-The trigger configured to enter Debug Mode is checked by zedsec extension. The trigger can fire or match in privilege modes outlined in <<dbgpriv>>. 
+The trigger configured to enter Debug Mode is checked by Zedsec extension. The trigger can fire or match in privilege modes outlined in <<dbgpriv>>. 
 
 The extension requires that all pending triggers intending to enter Debug Mode must match or fire before any hart mode switch to prevent privilege escalation.
 
 ==== Machine mode accessibility to `dmode` accessibility
 
-The RISC-V Debug Specification defines that the `dmode` field is accessible only in Debug Mode. When this field is set, the trigger is allocated exclusively to Debug Mode, and any write access from the hart are disregarded. However, the Debug Mode exclusive trigger could potentially serve as an attack surface for unauthorized submachine mode software where debugging is forbidden. The extension relaxes the constrain to the `dmode`, allowing it to be R/W in machine mode when mdbgen is set to 0. When mdbgen is set to 0, it remains exclusively accessible within Debug Mode.
+The RISC-V Debug Specification defines that the `dmode` field is accessible only in Debug Mode. When this field is set, the trigger is allocated exclusively to Debug Mode, and any write access from the hart are disregarded. However, the Debug Mode exclusive trigger could potentially serve as an attack surface for unauthorized submachine mode software where debugging is forbidden. The extension relaxes the constrain to the `dmode`, allowing it to be R/W in machine mode when `mdbgen` is set to 0. When `mdbgen` is set to 0, it remains exclusively accessible within Debug Mode.
 
 [NOTE]
 In this definition, machine mode software assumes responsibility for switching the trigger context according to the debug policy enforced for the sub-machine mode. As a result, it maintains a clean trigger context for the sub-machine mode.
@@ -101,7 +105,7 @@ In this definition, machine mode software assumes responsibility for switching t
 
 The external trigger outputs follow the same limitations as other triggers, ensuring they do not fire or match when the privilege level of the hart exceeds the ones specified in <<dbgpriv>>.
 
-The sources of external trigger input (such as machine mode performance counter overflow, interrupts, etc.) require protection to prevent information leakage. The external trigger inputs supported are platform-specific. Therefore, the platform is responsible for enforcing limitations on input sources. As a result, tmexttrigger.intctl and tmexttrigger.select should be restricted to legal values based on `mdbgen` and `sdbgen`. Their definitions are provided in the <<redtmext>> below.
+The sources of external trigger input (such as machine mode performance counter overflow, interrupts, etc.) require protection to prevent information leakage. The external trigger inputs supported are platform-specific. Therefore, the platform is responsible for enforcing limitations on input sources. As a result, tmexttrigger.intctl and tmexttrigger.select should be restricted to legal values based on `mdbgen` and `sdedbgalw`. Their definitions are provided in the <<redtmext>> below.
 
 ==== Trigger chain
 
@@ -178,7 +182,7 @@ Beyond CSR-level accessibility adjustments, the fields within mcontrol, mcontrol
 | vu    | M/S/VS/VU                  
 |====================================
 
-The textra32, textra64 provides additional filtering capability for triggers. They are permitted for access in Debug Mode, as they do not affect the trigger firing/matching as it is constrained by `mdbgen` and `sdbgen`.
+The textra32, textra64 provides additional filtering capability for triggers. They are permitted for access in Debug Mode, as they do not affect the trigger firing/matching as it is constrained by `mdbgen` and `sdedbgalw`.
 
 The `intctl` and `sselect` field within tmexttrigger are redifined as follows. 
 
@@ -188,47 +192,11 @@ The `intctl` and `sselect` field within tmexttrigger are redifined as follows.
 |========================================================================================================================================================================================================================================================================
 | Field  | Description                                                                                                                                                                                                                                 | Access  | Reset 
 | intctl | This optional bit, when set, causes this trigger to fire whenever an attached interrupt controller signals a trigger.  the field is only configurable when `mdbgen` is set to 1. | WLRL    | 0     
-| select | Selects any combination of up to 16 TM external trigger inputs that cause this trigger to fire The legal value must be constrained by `mdbgen` and `sdbgen` according to trigger input type.                                         | WLRL    | 0     
+| select | Selects any combination of up to 16 TM external trigger inputs that cause this trigger to fire The legal value must be constrained by `mdbgen` and `sdedbgalw` according to trigger input type.                                         | WLRL    | 0     
 |========================================================================================================================================================================================================================================================================
 
+[[zedseccsr]]
 ==== Zedsec CSR
 
-===== Machine Security Configuration (mseccfg, at 0x747 on RV64, 0x747(low 32 bits) and 0x757(high 32 bits) on RV32) 
-
-The fields `sdbgen` and `strcen` are introduce in mseccfg to control debug and trace capbility in submachine modes.
-
-[caption="Register {counter:rimage}: ", reftext="Register {rimage}"]
-[title="The `sdbgen` and `strcen` fields in mseccfg on RV32"]
-[id=mseccfg-edsec-32]
-[wavedrom, ,svg]
-....
-{reg: [
-  {bits:   3, name: 'defined in Smepmp'},
-  {bits:   1, name: 'WPRI'},
-  {bits:   1, name: 'strcen'},
-  {bits:   1, name: 'sdbgen'},
-  {bits:   26, name: 'WPRI'},
-], config:{lanes: 2, hspace:1024}}
-....
-[caption="Register {counter:rimage}: ", reftext="Register {rimage}"]
-[title="The `sdbgen` and `strcen` fields in mseccfg on RV64"]
-[id=mseccfg-edsec-64]
-[wavedrom, ,svg]
-....
-{reg: [
-  {bits:   3, name: 'defined in Smepmp'},
-  {bits:   1, name: 'WPRI'},
-  {bits:   1, name: 'strcen'},
-  {bits:   1, name: 'sdbgen'},
-  {bits:   58, name: 'WPRI'},
-], config:{lanes: 3, hspace:1024}}
-....
+The CSR control knobs in `msdcfg` for submachine mode debug and submachine mode trace are specified in Smsdedbg and Smsdetrc extension respectively in _RISC-V Supervisor Domains Access Protection_ cite:[smmtt]. The Smsdedbg and/or Smsdetrc extension must be implemented to activate security enforcement for debugging and/or tracing.
 
-[options="header"]
-|==========================================================================================================================================================================================================================
-| Field  | Description                                                                                                                                                                                   | Access  | Reset 
-| sdbgen | 0(disabled): The external debug capbility in submachine mode is solely determined by machine mode control `mdbgen`.  
-1(enable): The external debug capbility in submachine mode is activated. | WARL    | 0     
-| strcen | 0(disabled): The sideband signal halted to trace encoder is determined solely by `mtrcen`.  
-1(enable): The sideband signal halted to trace encoder is set to 0.                               | WARL    | 0     
-|==========================================================================================================================================================================================================================
diff --git a/example.bib b/example.bib
@@ -1,36 +1,14 @@
-@inproceedings{riscI-isca1981,
-  title = {{RISC I}: {A} Reduced Instruction Set {VLSI} Computer},
-  author = {David A. Patterson and Carlo H. S\'{e}quin},
-  booktitle = {ISCA},
-  location = {Minneapolis, Minnesota, USA},
-  pages = {443-458},
-  year = {1981}
-}
-
-@inproceedings{Katevenis:1983,
-  author = {Manolis G.H. Katevenis and Robert W. Sherburne Jr. and David A. Patterson and Carlo H. S\'{e}quin},
-  title = {The {RISC II} micro-architecture},
-  booktitle = {Proceedings VLSI 83 Conference},
-  year = {1983},
-  month = {August}
-}
 
-@inproceedings{Ungar:1984,
-  author = {David Ungar and Ricki Blau and Peter Foley and Dain Samples and David Patterson},
-  title = {Architecture of {SOAR}: {Smalltalk} on a {RISC}},
-  booktitle = {ISCA},
-  address = {Ann Arbor, MI},
-  year = {1984},
-  pages = {188-197}
+@electronic{smmtt,
+   title = {RISC-V Supervisor Domains Access Protection},
+   url = {https://github.com/riscv/riscv-smmtt}
 }
+@electronic{etrace,
+   title = {RISC-V Efficient Trace for RISC-V},
+   url = {https://github.com/riscv-non-isa/riscv-trace-spec}
+ }
 
-@article{spur-jsscc1989,
-  author = {David D. Lee and Shing I. Kong and Mark D. Hill and George S. Taylor and David A. Hodges and Randy H. Katz and David A. Patterson},
-  title = {A {VLSI} Chip Set for a Multiprocessor Workstation--{Part I}: An {RISC} Microprocessor with Coprocessor Interface and Support for Symbolic Processing},
-  journal = {IEEE JSSC},
-  year = {1989},
-  volume = {24},
-  number = {6},
-  pages = {1688-1698},
-  month = {December}
-}
+ @electronic{dbgspec,
+  title = {RISC-V Debug Specification},
+   url = {https://github.com/riscv/riscv-debug-spec}
+ }
diff --git a/external-debug-security.pdf b/external-debug-security.pdf
diff --git a/header.adoc b/header.adoc
@@ -19,8 +19,8 @@
 //:WaveDromEditorApp: app/wavedrom-editor.app
 :imagesoutdir: docs-resources/images
 :bibtex-file: example.bib
-:bibtex-order: alphabetical
-:bibtex-style: apa
+:bibtex-order: appearance 
+:bibtex-style: ieee
 :icons: font
 :lang: en
 :listing-caption: Listing