Merge pull request #20 from rsahita/topic/extdbg

Address external debug issue #11

chapter2.adoc

@@ -59,6 +59,11 @@ S-interrupt file or an APLIC domain to a Supervisor Domain. The interface also
 describes CSRs to allow M-mode software to retain control on notification of
 interrupts when Supervisor domains are enabled.
 
+* `Smsdedbg` (<<Smsdedbg>>) - This extension provides the controls to indicate
+if external debug is allowed for a supervisor domain. Whether external debug is
+authorized or not is expected to be done via a RoT and is outside the scope
+of this specification.
+
 === Theory of operation (informative)
 Supervisor Domain Access Protection extensions are used by M-mode software to
 program if physically-addressed memory (or device-mapped region) is

chapter3.adoc

@@ -129,3 +129,26 @@ Note that writing `mttp` does not imply any ordering constraints between
 If a supervisor domain's `MTT` structure has been modified, or if a `SDID` is
 reused, it may be necessary to execute a `FENCE.MTT` instruction before or
 after writing `mttp`.
+
+=== Machine supervisor domain configuration (`msdcfg`)
+
+The `msdcfg` is a 32-bit read/write register, formatted as shown in <<MSDCFG>>.
+This CSR is used by M-mode software to specify the active configuration for
+capabilities of the supervisor domain when associated with a hart. The
+extension `Smsdia` uses `msdcfg.SDICN` to specify the active configuration for
+the supervisor domain interrupt controller associated with the hart. Similarly
+the external debug allowed state for a supervisor domain is controlled via the
+`msdcfg.SDEDBALW` bit. Details of `Smsdia` and `Smsdedbg` are described in
+their respective sections in this specification.
+
+[[MSDCFG]]
+.`msdcfg` register
+
+[wavedrom, , ]
+....
+{reg: [
+  {bits:  6, name: 'SDICN'},
+  {bits: 25, name: 'WPRI'},
+  {bits:  1, name: 'SDEDBGALW'},
+], config:{lanes: 4, hspace:1024}}
+....

chapter7.adoc

@@ -81,7 +81,7 @@ The RDSM can employ the MTT and/or PMP to limit a supervisor domain's access to
 the memory-mapped register interface of the interrupt controller associated with
 it. The `Smsdia` supports the connection of multiple interrupt controllers to a
 hart, allowing a supervisor domain to be paired with one of these interrupt
-controllers. The `Smsdia` extension introduces the `msdcfg` CSRs to signify the
+controllers. The `Smsdia` extension uses the `msdcfg` CSR to signify the
 active interrupt controller for a supervisor domain. When CSRs are employed to
 interface with the interrupt controller state, they interact with the state
 corresponding to the active interrupt controller.
@@ -110,17 +110,6 @@ interrupt (`MSDEI`).
 
 The `msdcfg` is a 32-bit read/write register, formatted as shown in <<MSDCFG>>.
 
-[[MSDCFG]]
-.`msdcfg` register
-
-[wavedrom, , ]
-....
-{reg: [
-  {bits:  6, name: 'SDICN'},
-  {bits: 26, name: 'WPRI'},
-], config:{lanes: 1, hspace:1024}}
-....
-
 The `SDICN` field selects an interrupt controller among the plurality of
 supervisor domain interrupt controllers associated with a hart as the active
 supervisor domain interrupt controller for S- and VS-level external interrupts

chapter8.adoc

@@ -0,0 +1,37 @@
+[[chapter8]]
+[[Smsdedbg]]
+== `Smsdedbg`: Supervisor Domain External Debug
+
+The <<MSDCFG>> CSR contains the `sdedbgalw` bit that controls whether the
+current scheduled SD is allowed to be external-debugged. This bit is context
+switched (along with rest of the `msdcfg`) per SD.
+
+=== `Smsdedbg` interaction with external debug security controls (Informative)
+
+[caption="Figure {counter:image}: ", reftext="Figure {image}"]
+[title= "External Debug for Supervisor Domain", id=Smsdedbg_img]
+image::Smsdedbg.png[]
+
+This section will be moved into the non-ISA specification for external debug
+security. It is described here as informational.
+
+The `medbgen` is an enable control for external debug for the M-mode driven by
+the debug module and is expected to be established by the RoT (following RISC-V
+Security Model recommendation SR_GEN_007 and SR_GEN_012). When privilege is `M`,
+the `medbgen` gates the `haltreq` from the debug module and if is 0 prevents
+the hart from entering external debug mode. When privilege is less than `M`, the
+OR of the `MSDCFG.sdedbgalw` and `medbgen` gates the `haltreq` from the debug
+module and the hart will enter external debug mode if either is 1.
+
+The configuration for `MSDCFG.sdedbgalw` may be obtained from the manifest/
+configuration of the supervisoer domain and should be managed by the M-mode root
+security manager using secure memory.
+
+When `medbgen` is 1, there are no restrictions. When `medbgen` is 0 but
+`MSDCFG.sdedbgalw` is 1, then the external debug mode may be entered but has
+to have restrictions such as `M-mode` -privileged CSR accesses are prohibited
+and Memory accesses by instructions executed in external debug mode cannot
+use `M` privilege. When `medbgen` is 0 and `MSDCFG.sdedbgalw` is also 0, then
+the rules around triggers configured with action = 1 that may fire - such as
+always cause breakpoint exception. The external debug security extension TG
+will need to define the rules around what is allowed in external debug mode.

header.adoc

@@ -67,6 +67,7 @@ include::chapter4.adoc[]
 include::chapter5.adoc[]
 include::chapter6.adoc[]
 include::chapter7.adoc[]
+include::chapter8.adoc[]
 
 //the index must precede the bibliography
 //include::index.adoc[]