Armv9 RME Cache access and GPC sequence order

I'm studying the Realm Management Extensions, and a question came to mind. The Arm ARM and other documentation (e.g., den0126) suggest that, conceptually, the GPC is performed before any memory access (including the caches). However, since cache lines are tagged with the associated PA, I imagine that this cache tag is used in coherency protocols as part of the snooped address. If so, imagine a hypothetical scenario where we are using different GPTs in two coherent cores with mutually exclusive regions marked as Normal and the rest of the PA marked as Root, both running in the Normal world. Could one of the cores access the other core's memory by fetching the data via the coherency bus if it were present in the other core's cache (thus tagged as Normal) despite being marked as Root in its local GPT? Would the line be fetched but blocked by the GPC? If not, this would contradict my first observation. What behavior should I expect in future implementations? Can you point me to other documentation that would clear this up for me?

Note that I am perfectly aware that CCA was designed for a single shared GPT across all PEs. However, the spec seems to suggest that this is kind of implementation dependent (constrained unpredictable behavior which allows it in one of the variants). Also, I imagine we'll only likely find TLB entries with cached GPT information shared across PEs in SMT implementations.

Parents
  • cache operations by VA are treated as accesses

    Nevertheless, set/way-based CMOs would not have an address to check... 

    Based on your description, I think what you're trying to do is achieve isolation between different PEs running in the same Security state.  For example, two PEs both in Non-secure state, but with isolation between them.  Right?

    If yes, GPTs are designed to allocate resources between Security states, not within a given Security state. For isolation within a Security state you should be looking at S1 or S2 translation.

    You are completely right. We are just exploring the possibility of leveraging RME to further harden the isolation guarantees based on page tables. I guess we'll need to wait for the real silicon to understand if this is feasible. In your experience, do FVP models provide a faithful emulation of this type of behavior? To what degree do you believe we should expect the behavior we see on the models to represent future real implementations?
