[PATCH v1] target/riscv: clear mseccfg on reset for all dependent extensions

Zishun Yi posted 1 patch 2 weeks, 4 days ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20260512052240.330815-1-vulab@iscas.ac.cn
Maintainers: Palmer Dabbelt <palmer@dabbelt.com>, Alistair Francis <alistair.francis@wdc.com>, Weiwei Li <liwei1518@gmail.com>, Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>, Liu Zhiwei <zhiwei_liu@linux.alibaba.com>, Chao Liu <chao.liu.zevorn@gmail.com>
target/riscv/cpu.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
[PATCH v1] target/riscv: clear mseccfg on reset for all dependent extensions
Posted by Zishun Yi 2 weeks, 4 days ago
Currently, the `mseccfg` CSR is only cleared to 0 during reset if the
`ext_smepmp` is enabled. However, this register is now shared by
several other extensions such as `zkr`, `smmpm`, and `zicfilp`.

Fix by clearing `mseccfg` if any dependent extension is present, and
adjusting the relevant comments.

This vulnerability was discovered and reported by SpecHunter, an
AI-driven architecture specification analysis tool.

Link: https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-svvptc/pr-134/qemu.txt
Signed-off-by: Zishun Yi <vulab@iscas.ac.cn>
---
 target/riscv/cpu.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index ce15a17c37de..3cabfeb1fa7a 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -756,10 +756,14 @@ static void riscv_cpu_reset_hold(Object *obj, ResetType type)
 
     /*
      * Clear mseccfg and unlock all the PMP entries upon reset.
-     * This is allowed as per the priv and smepmp specifications
-     * and is needed to clear stale entries across reboots.
+     * This is required as per the priv, smepmp, and other security
+     * extension specifications that share this CSR, and is needed
+     * to clear stale entries across reboots.
      */
-    if (riscv_cpu_cfg(env)->ext_smepmp) {
+    if (riscv_cpu_cfg(env)->ext_smepmp ||
+        riscv_cpu_cfg(env)->ext_zkr ||
+        riscv_cpu_cfg(env)->ext_smmpm ||
+        riscv_cpu_cfg(env)->ext_zicfilp) {
         env->mseccfg = 0;
     }
 
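Review bot: the new condition hardcodes the set of extensions that share mseccfg (`ext_smepmp || ext_zkr || ext_smmpm || ext_zicfilp`), which will silently drift the next time another consumer of the CSR is added; consider either clearing `env->mseccfg = 0;` unconditionally on reset (if no extension exposes the CSR its value is unobservable, so the clear costs nothing) or factoring the list into one predicate that the CSR access check also uses, so reset and access can never disagree. Also, the comment still says "unlock all the PMP entries" while the hunk shows only the mseccfg clear, so it is worth confirming the PMP unlock path is reached when Smepmp is absent but one of the other extensions is present.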
-- 
2.51.2
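To make the cross-reboot failure the commit message describes concrete, here is an added C model (not QEMU's code; the config and env structs and the two reset functions are hypothetical stand-ins for riscv_cpu_reset_hold) that runs the pre-patch and post-patch reset conditions over a core with only Zkr enabled and a constructed stale mseccfg value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified model of the QEMU RISC-V config flags and CSR
 * state this patch touches. Field names mirror the diff; the structs are
 * stand-ins, not QEMU's RISCVCPUConfig / CPURISCVState. */
typedef struct {
    bool ext_smepmp;
    bool ext_zkr;
    bool ext_smmpm;
    bool ext_zicfilp;
} RISCVCfgModel;

typedef struct {
    RISCVCfgModel cfg;
    uint64_t mseccfg;
} RISCVEnvModel;

/* Pre-patch reset: mseccfg is cleared only when Smepmp is enabled. */
static void reset_hold_before(RISCVEnvModel *env)
{
    if (env->cfg.ext_smepmp) {
        env->mseccfg = 0;
    }
}

/* Post-patch reset: any extension that shares mseccfg forces the clear. */
static void reset_hold_after(RISCVEnvModel *env)
{
    if (env->cfg.ext_smepmp || env->cfg.ext_zkr ||
        env->cfg.ext_smmpm || env->cfg.ext_zicfilp) {
        env->mseccfg = 0;
    }
}

/* Simulate a reboot: the previous boot left `stale` in mseccfg, then the
 * core is reset with the given reset routine. Returns what the next boot
 * sees in mseccfg; non-zero means stale configuration leaked across reset. */
static uint64_t mseccfg_after_reboot(RISCVCfgModel cfg, uint64_t stale,
                                     void (*reset)(RISCVEnvModel *))
{
    RISCVEnvModel env;
    memset(&env, 0, sizeof(env));
    env.cfg = cfg;
    env.mseccfg = stale; /* constructed value left by the previous boot */
    reset(&env);
    return env.mseccfg;
}
```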
Re: [PATCH v1] target/riscv: clear mseccfg on reset for all dependent extensions
Posted by Alistair Francis 1 week, 5 days ago
On Tue, May 12, 2026 at 3:24 PM Zishun Yi <vulab@iscas.ac.cn> wrote:
>
> Currently, the `mseccfg` CSR is only cleared to 0 during reset if the
> `ext_smepmp` is enabled. However, this register is now shared by
> several other extensions such as `zkr`, `smmpm`, and `zicfilp`.
>
> Fix by clearing `mseccfg` if any dependent extension is present, and
> adjusting the relevant comments.
>
> This vulnerability was discovered and reported by SpecHunter, an
> AI-driven architecture specification analysis tool.
>
> Link: https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-svvptc/pr-134/qemu.txt
> Signed-off-by: Zishun Yi <vulab@iscas.ac.cn>

Thanks!

Applied to riscv-to-apply.next

Alistair

> ---
>  target/riscv/cpu.c | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
> index ce15a17c37de..3cabfeb1fa7a 100644
> --- a/target/riscv/cpu.c
> +++ b/target/riscv/cpu.c
> @@ -756,10 +756,14 @@ static void riscv_cpu_reset_hold(Object *obj, ResetType type)
>
>      /*
>       * Clear mseccfg and unlock all the PMP entries upon reset.
> -     * This is allowed as per the priv and smepmp specifications
> -     * and is needed to clear stale entries across reboots.
> +     * This is required as per the priv, smepmp, and other security
> +     * extension specifications that share this CSR, and is needed
> +     * to clear stale entries across reboots.
>       */
> -    if (riscv_cpu_cfg(env)->ext_smepmp) {
> +    if (riscv_cpu_cfg(env)->ext_smepmp ||
> +        riscv_cpu_cfg(env)->ext_zkr ||
> +        riscv_cpu_cfg(env)->ext_smmpm ||
> +        riscv_cpu_cfg(env)->ext_zicfilp) {
>          env->mseccfg = 0;
>      }
>
> --
> 2.51.2
>
>
Re: [PATCH v1] target/riscv: clear mseccfg on reset for all dependent extensions
Posted by Daniel Henrique Barboza 2 weeks, 2 days ago

On 5/12/2026 2:22 AM, Zishun Yi wrote:
> Currently, the `mseccfg` CSR is only cleared to 0 during reset if the
> `ext_smepmp` is enabled. However, this register is now shared by
> several other extensions such as `zkr`, `smmpm`, and `zicfilp`.
> 
> Fix by clearing `mseccfg` if any dependent extension is present, and
> adjusting the relevant comments.
> 
> This vulnerability was discovered and reported by SpecHunter, an
> AI-driven architecture specification analysis tool.
> 
> Link: https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-svvptc/pr-134/qemu.txt
> Signed-off-by: Zishun Yi <vulab@iscas.ac.cn>
> ---

Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>

>   target/riscv/cpu.c | 10 +++++++---
>   1 file changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
> index ce15a17c37de..3cabfeb1fa7a 100644
> --- a/target/riscv/cpu.c
> +++ b/target/riscv/cpu.c
> @@ -756,10 +756,14 @@ static void riscv_cpu_reset_hold(Object *obj, ResetType type)
>   
>       /*
>        * Clear mseccfg and unlock all the PMP entries upon reset.
> -     * This is allowed as per the priv and smepmp specifications
> -     * and is needed to clear stale entries across reboots.
> +     * This is required as per the priv, smepmp, and other security
> +     * extension specifications that share this CSR, and is needed
> +     * to clear stale entries across reboots.
>        */
> -    if (riscv_cpu_cfg(env)->ext_smepmp) {
> +    if (riscv_cpu_cfg(env)->ext_smepmp ||
> +        riscv_cpu_cfg(env)->ext_zkr ||
> +        riscv_cpu_cfg(env)->ext_smmpm ||
> +        riscv_cpu_cfg(env)->ext_zicfilp) {
>           env->mseccfg = 0;
>       }
>