RISC-V Summit

Drawing inspiration from the academic/industry work around Multiple Independent Levels of Security and Safety (MILS), NVRISCV/Peregrine security architecture is presented that offers multiple isolated execution environments - partitions, all running on the same physical processor with SW defined and HW enforced capabilities. NVRISCV is NVIDIA’s implementation of the RISC-V ISA and Peregrine subsystem includes NVRISCV and multiple peripherals. They show how fine-grain access controls, formally verified for correctness, allow following the principle of least privilege for each partition. NVRISCV provides secure boot that starts with an immutable HW, the chain of trust extends to the Secure Monitor in SW, where partition policies are set up and isolation enforced using HW controls. Boot and Secure Monitor software is implemented in SPARK, formally verifiable programming language with verification toolset. Holistic approach on HW/SW security must consider attacks outside of defined architecture. The HW is hardened against in-field attacks, via multiple countermeasures they present in detail as well as the offensive research analysis against the architecture.