[RFC PATCH 00/12] Add RISC-V Worlds ISA support to OpenSBI
Yu-Chien Peter Lin
peter.lin at sifive.com
Fri Jun 26 03:14:21 PDT 2026
This RFC patch series adds support for RISC-V Worlds ISA extensions,
enabling hardware-enforced isolation boundaries based on World IDs (WIDs)
by extending the OpenSBI domain framework.
Trust Model and Boot-time Roles
--------------------------------
The implementation follows the two-phase M-mode trust model:
- RoT M-mode phase: Prior boot stage (ROM/SPL) that may program mwid/
  mlwidlist and lock mwid before handing off to OpenSBI.
- Regular M-mode phase (OpenSBI): Treats pmwid/pmwidlist/pmlwidlist as
  read-only input policy from hardware/RoT. Locks mwid during feature
  detection to prevent later M-mode code from changing its own WID.
  Programs per-domain mlwid/mwiddeleg based on DT configuration.
Device Tree Bindings
---------------------
New CPU properties (per-hart):
- riscv,pmwid: Platform-defined M-mode World ID
- riscv,pmwidlist: M-mode permitted WID bitmap (u64, 2 cells)
- riscv,pmlwidlist: S/U-mode permitted WID bitmap (u64, 2 cells)
New domain properties (per-domain):
- next-wid: Override S-mode WID for this domain (u32, 1 cell)
- next-widlist: WID delegation bitmap for this domain (u64, 2 cells)
If a domain lacks next-wid, OpenSBI falls back to pmwid (M-mode and
S-mode run in the same World).
Example DT snippet:
  cpus {
      riscv,nworlds = <4>;
      cpu@0 {
          riscv,pmwid = <3>;
          riscv,pmwidlist = <0x0 0xf>;
          riscv,pmlwidlist = <0x0 0xf>;
      };
  };
  chosen {
      opensbi-domains {
          trusted-domain {
              next-wid = <1>;
              next-widlist = <0x0 0x2>;
          };
          untrusted-domain {
              next-wid = <0>;
              next-widlist = <0x0 0x1>;
          };
      };
  };
Known Limitations and Future Work
----------------------------------
This RFC implements core functionality but has several areas requiring
refinement in future revisions:
1. WID Validation:
   - Domain next-wid is NOT validated against pmlwidlist
   - Domain next-widlist is NOT validated as subset of pmlwidlist
   - Invalid WID configuration fails at runtime with software-check
     exceptions rather than at domain registration time
   - Planned: Add validation in sanitize_domain() to catch errors early
2. Resume Path mwid Restoration:
   - Current implementation only re-locks mwid on resume, assuming RoT
     has already restored the correct WID value
   - No mechanism to verify or actively restore mwid to RoT-defined value
Specification References
-------------------------
- RISC-V Worlds ISA Spec: https://github.com/riscv/riscv-worlds
(Release: riscv-isa-release-4c81a3f-2026-04-14)
- Device Tree Proposal: https://lore.kernel.org/all/20260619105834.1277302-1-peter.lin@sifive.com/
Yu-Chien Peter Lin (12):
lib: sbi_hart: detect RISC-V Worlds ISA extensions
lib: utils: fdt_helper: parse RISC-V Worlds DT properties
lib: sbi_hart: enforce riscv,pmwid for Worlds ISA
lib: sbi_hart: lock mwid CSR for RoT immutability
include: sbi_domain: add Worlds WID fields
include: sbi_types: add PRIx64 format macro
lib: sbi_domain: print World ID config at boot
lib: sbi_init: print M-mode World ID at boot
platform: generic: parse root domain WID config from DT
lib: utils: fdt_domain: parse per-domain WID properties
lib: sbi_domain: add Worlds CSR config on domain entry
docs: add RISC-V Worlds next-wid/next-widlist DT properties
docs/domain_support.md | 13 ++++++
docs/opensbi_config.md | 13 ++++++
include/sbi/riscv_encoding.h | 12 +++++
include/sbi/sbi_domain.h | 9 ++++
include/sbi/sbi_hart.h | 25 +++++++++++
include/sbi/sbi_types.h | 2 +
include/sbi_utils/fdt/fdt_helper.h | 2 +
lib/sbi/sbi_domain.c | 50 +++++++++++++++++++++
lib/sbi/sbi_domain_context.c | 3 ++
lib/sbi/sbi_hart.c | 71 ++++++++++++++++++++++++++++++
lib/sbi/sbi_hsm.c | 4 ++
lib/sbi/sbi_init.c | 13 ++++++
lib/utils/fdt/fdt_domain.c | 15 +++++++
lib/utils/fdt/fdt_helper.c | 61 +++++++++++++++++++++++++
platform/generic/platform.c | 33 +++++++++++++-
15 files changed, 324 insertions(+), 2 deletions(-)
--
2.43.7
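
Added example (not part of the posted series or of OpenSBI): the two checks listed as missing under "WID Validation", plus the next-wid fallback to pmwid, written as stand-alone C. It assumes bit N of a WID bitmap stands for WID N and that WIDs are bounded by riscv,nworlds; the function names and result codes are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for this example (not OpenSBI's SBI_E* values). */
enum wid_check { WID_OK, WID_ERR_RANGE, WID_ERR_NOT_ALLOWED, WID_ERR_DELEG };

/* A u64 DT property is two 32-bit cells, most significant first: <hi lo>. */
static uint64_t wid_cells_to_u64(uint32_t hi, uint32_t lo)
{
	return ((uint64_t)hi << 32) | lo;
}

/*
 * Check one domain's WID settings against the per-hart S/U-mode policy.
 * Assumptions: bit N of a bitmap stands for WID N; WIDs are below nworlds.
 */
static enum wid_check wid_validate_domain(uint32_t nworlds, uint64_t pmlwidlist,
					  uint32_t next_wid, uint64_t next_widlist)
{
	if (next_wid >= nworlds || next_wid >= 64)	/* also keeps the shift defined */
		return WID_ERR_RANGE;
	if (!(pmlwidlist & (UINT64_C(1) << next_wid)))
		return WID_ERR_NOT_ALLOWED;	/* next-wid not permitted by pmlwidlist */
	if (next_widlist & ~pmlwidlist)
		return WID_ERR_DELEG;		/* next-widlist is not a subset */
	return WID_OK;
}

/* Fallback from the cover letter: a domain without next-wid runs in pmwid. */
static uint32_t wid_effective(bool has_next_wid, uint32_t next_wid, uint32_t pmwid)
{
	return has_next_wid ? next_wid : pmwid;
}

int main(void)
{
	/* Values from the example DT snippet in the cover letter. */
	uint64_t pmlwidlist = wid_cells_to_u64(0x0, 0xf);

	printf("trusted:   %d\n", (int)wid_validate_domain(4, pmlwidlist, 1, wid_cells_to_u64(0x0, 0x2)));
	printf("untrusted: %d\n", (int)wid_validate_domain(4, pmlwidlist, 0, wid_cells_to_u64(0x0, 0x1)));
	/* Constructed bad input: WID 2 delegated while only WIDs 0-1 are permitted. */
	printf("bad deleg: %d\n", (int)wid_validate_domain(4, 0x3, 1, 0x4));
	printf("no next-wid, pmwid 3 -> %u\n", (unsigned)wid_effective(false, 0, 3));
	return 0;
}
```

Running such a check when a domain is registered turns a misconfigured DT into a boot-time error rather than a software-check exception on domain entry.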