Bug in PMP register region bound checking #585
Labels:
Component:RTL (For issues in the RTL, e.g. for files in the rtl directory)
Type:Bug (For bugs in the RTL, Documentation, Verification environment or Tool and Build system)
WAIVED:CV32E40P (Issue does not impact a major release of CV32E40P and is waived)
Hi,
I revisited the core since I reported this issue #392 in the PMP and I found a new bug/non-compliance, also in the PMP. I know it is not part of the current design, but maybe a report is still valuable for future secure versions of the core.
The ISA (Privileged Spec v. 20190608) states (on pages 49 and 50) that the contents of the (32-bit) PMP address registers encode bits [33:2] of a 34-bit physical address.
The PMP implementation, however, checks for NA4 and NAPOT only whether an address of a current access matches bits [29:0] of the configured region bounds. See the following lines:
cv32e40p/rtl/cv32e40p_pmp.sv, line 600 in 2b7cd10
cv32e40p/rtl/cv32e40p_pmp.sv, line 615 in 2b7cd10
cv32e40p/rtl/cv32e40p_pmp.sv, line 730 in 2b7cd10
cv32e40p/rtl/cv32e40p_pmp.sv, line 744 in 2b7cd10
By ignoring the two most significant bits of the PMP address registers, entries with the most significant bits != 2'b00 can match addresses outside of their regions. The issue can be easily fixed by replacing the lines with:
if ( {2'b00, data_addr_i[31:2]} == start_addr[j] )
and
if ( {2'b00, (data_addr_i[31:2] & mask_addr[j][29:0])} == start_addr[j] )
etc.
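The mismatch reported above can be reproduced with a small C reference model; this is an added example, not code from the issue or from the cv32e40p repository. The function and type names are hypothetical, `match_reported` is reconstructed from the issue's description of the comparison (not copied from the RTL), and the register values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define LOW30 0x3FFFFFFFu /* bits [29:0] of a PMP address register */

/* Both fields hold bits [33:2] of a 34-bit physical address. */
typedef struct { uint32_t start_addr, mask_addr; } pmp_region;

/* Decode a pmpaddr value. NA4 covers one word; NAPOT encodes the region
 * size as the run of trailing ones in pmpaddr. */
pmp_region pmp_decode(uint32_t pmpaddr, bool napot)
{
    pmp_region r = { pmpaddr, 0xFFFFFFFFu };
    if (napot) {
        uint32_t low = pmpaddr ^ (pmpaddr + 1u); /* trailing ones + next bit */
        r.mask_addr = ~low;
        r.start_addr = pmpaddr & r.mask_addr;
    }
    return r;
}

/* Behaviour described in the issue: only bits [29:0] are compared. */
bool match_reported(pmp_region r, uint32_t data_addr)
{
    uint32_t word = data_addr >> 2; /* data_addr_i[31:2] */
    return (word & r.mask_addr & LOW30) == (r.start_addr & LOW30);
}

/* Proposed fix: zero-extend the access and compare all 32 bits. */
bool match_fixed(pmp_region r, uint32_t data_addr)
{
    uint32_t word = data_addr >> 2; /* {2'b00, data_addr_i[31:2]} */
    return (word & (r.mask_addr & LOW30)) == r.start_addr;
}

int main(void)
{
    /* Constructed entries; the first two lie above 4 GiB. */
    pmp_region na4_hi   = pmp_decode(0x40000400u, false); /* 0x1_0000_1000 */
    pmp_region napot_hi = pmp_decode(0x800001FFu, true);  /* 0x2_0000_0000, 4 KiB */
    pmp_region napot_lo = pmp_decode(0x000001FFu, true);  /* 0x0_0000_0000, 4 KiB */
    printf("NA4 hi     @0x1000: reported=%d fixed=%d\n",
           match_reported(na4_hi, 0x1000u), match_fixed(na4_hi, 0x1000u));
    printf("NAPOT hi   @0x0800: reported=%d fixed=%d\n",
           match_reported(napot_hi, 0x800u), match_fixed(napot_hi, 0x800u));
    printf("NAPOT low  @0x0800: reported=%d fixed=%d\n",
           match_reported(napot_lo, 0x800u), match_fixed(napot_lo, 0x800u));
    return 0;
}
```

The two entries above 4 GiB can never legitimately match a 32-bit access, so any `reported=1` on those rows is the aliasing the issue describes; the low NAPOT entry is the control that both comparisons must still accept.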