On Tue, May 12, 2026 at 3:24 PM Zishun Yi <[email protected]> wrote:
>
> Currently, the `mseccfg` CSR is only cleared to 0 during reset if the
> `ext_smepmp` is enabled. However, this register is now shared by
> several other extensions such as `zkr`, `smmpm`, and `zicfilp`.
>
> Fix by clearing `mseccfg` if any dependent extension is present, and
> adjusting the relevant comments.
>
> This vulnerability was discovered and reported by SpecHunter, an
> AI-driven architecture specification analysis tool.
>
> Link:
> https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-svvptc/pr-134/qemu.txt
> Signed-off-by: Zishun Yi <[email protected]>
Thanks!
Applied to riscv-to-apply.next
Alistair
> ---
> target/riscv/cpu.c | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
> index ce15a17c37de..3cabfeb1fa7a 100644
> --- a/target/riscv/cpu.c
> +++ b/target/riscv/cpu.c
> @@ -756,10 +756,14 @@ static void riscv_cpu_reset_hold(Object *obj, ResetType
> type)
>
> /*
> * Clear mseccfg and unlock all the PMP entries upon reset.
> - * This is allowed as per the priv and smepmp specifications
> - * and is needed to clear stale entries across reboots.
> + * This is required as per the priv, smepmp, and other security
> + * extension specifications that share this CSR, and is needed
> + * to clear stale entries across reboots.
> */
> - if (riscv_cpu_cfg(env)->ext_smepmp) {
> + if (riscv_cpu_cfg(env)->ext_smepmp ||
> + riscv_cpu_cfg(env)->ext_zkr ||
> + riscv_cpu_cfg(env)->ext_smmpm ||
> + riscv_cpu_cfg(env)->ext_zicfilp) {
> env->mseccfg = 0;
> }
>
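Review bot: the widened condition in riscv_cpu_reset_hold hard-codes the set of extensions that own fields in mseccfg (smepmp, zkr, smmpm, zicfilp), so the next extension that adds a field to this CSR has to remember to extend this list or it reintroduces exactly the stale-state-across-reboot problem the change fixes. Since `env->mseccfg = 0;` is harmless when none of these extensions is enabled (the register then has no architecturally visible fields), clearing it unconditionally would be simpler and future-proof; failing that, factor the predicate into one helper that both the CSR predicate and this reset path use, so the two cannot drift apart. The comment change from "allowed" to "required" reads well and matches the new behaviour.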
> --
> 2.51.2