CNRV

为推广RISC-V尽些薄力

View the Project on GitHub

RISC-V 雙周簡報 (2018-01-18)

要點新聞:

RV新聞

DornerWorks 獲得 DARPA SBIR 的合約,得以發展 seL4 Microkernel 的 RISC-V port

DornerWorks 最近獲得 DAPRA SBIR的合約,得以和其夥伴Draper一起發展 Inherently Secure Processor 和其對應的 RISC-V port。

Links:

Google開源新的 RISC-V IP核: “BottleRocket”

BottleRocket是RISCV RV32IMC的實現。

Google在2017年11月29日在Github上非官方開源了BottleRocket的RTL代碼,同時表明這並不是一個官方支持的Google產品,其使用Chisel編寫:GitHub Link

BottleRocket實現了32bit的RV32IMC ISA,特權指令集版本為v1.10,擁有Machine和User兩種特權模式,支持壓縮指令集(RVC)。它採用經典的三級流水線架構,與Z-Scale和V-Scale的微架構類似。對於打算從ARM遷移到RISCV的人又是一個好消息,因為它使用AMBA AXI4Litebus ,預計ARM AMBA下的多種IP可以比較方便與其整合,不需要Tilelink2AXI橋。

與UCB的Rocket Chip比較而言,BottleRocket顯得更加簡單直接。其最初發布的版源代碼引用了部分Rocket Chip的組件,實現部分僅有11個源碼文件。

或許是剛剛發布不久的關係,BottleRocket默認選entry編譯出的Verilog代碼似乎沒有對FPGA進行優化,邏輯層數很深。默認配置是16周期乘法器,對數字信號處理不友好。總共使用約26k個門,對於一個三級流水線的處理器而言已經不錯了。

(特別感謝 黃銳 的整理和介紹)

開源硬體更新

lowRISC 發布帶100M ethernet 支持的第5版

lowRISC是一個由英國劍橋大學的研究人員成立的非盈利組織,致力於提供基於RISC-V的多核處理器平臺。現在支持使用Rocket-Chip核和PULPino所組成的多核系統。 最近lowRISC發布了其第五版代碼,編號為ethernet-v0.5。 該版本包含了一個開源的ethernet MAC module ,並支持了網絡啟動核網絡文件系統。 具體的描述請參見第五版的用戶指導: http://www.lowrisc.org/docs/ethernet-v0.5/

開源軟體更新

glibc 的 RISC-V port v4

Palmer最近提交了第四版的glibc port,並希望之後不會再有Linux ABI的變動。希望這個port 能準時趕上2月1日的glibc 2.27發布。錯過了就要再等半年了….

From Palmer

It’s been a bit more than two weeks since the last patch set, and I think we’re starting to get something that’s in reasonable shape. Thanks to Darius for putting in a lot of time into the v4. We’ve also gotten the test suite in a bit better shape: we’re down to 200 failures when running natively on Linux, and all the test suite failures when running in user mode emulate appear to be environment issues. As far as I know the only remaining issue in our port is to triage the test suite failures, most of which we’re hoping are just deficiencies in our current environment. Of course, now that I’ve said that I’m sure we’ll find a bunch of bugs all over the place :)

Links:

QEMU的 RISC-V port v2 和 v3

Michael Clark最近提交了第二版和第三版的qemu port。這兩版主要是bug的修正,還沒有加進更多的功能。

From Michael:

This patch series has major clean ups to target/riscv. There may be some feedback that has been missed however the changelog is growing quite large so we have decided to respin the patch series. No new features have been added however a number of bugs have been fixed.

Link: QEMU port v3

第二次針對 Fedora/RISC-V bootstrap的結果

隨著Linux ABI 逐漸固定下來,最近Richard 針對Fedora/RISC-V 做了第二次bootstrap,不過還沒完成stage4。

Steps of bootstrapping made by Richard W.M. Jones:

stages 1 & 2: QEMU and cross-compiler are built from riscv-qemu and riscv-tools.

  • https://github.com/rwmjones/fedora-riscv-bootstrap/blob/1858bd496378ddcce88a63c5ceda5483d7b4fdbe/Makefile#L21
  • https://github.com/rwmjones/fedora-riscv-bootstrap/blob/1858bd496378ddcce88a63c5ceda5483d7b4fdbe/Makefile#L71

stage 3: We build a minimal Fedora/x86_64 chroot and remove all x86_64 ELF binaries and libraries. Using the hosted cross-compiler we build RISC-V binaries and libraries and to replace the x86 ones. We then build a disk image from the chroot (it has many other hacky aspects to it) and boot it under qemu.

  • https://github.com/rwmjones/fedora-riscv-bootstrap/blob/1858bd496378ddcce88a63c5ceda5483d7b4fdbe/Makefile#L117

The stage 3 disk image is just enough to run ‘rpmbuild’ and ‘gcc’ and a small handful of other tools, which is just enough to build RPMs.

  • https://github.com/rwmjones/fedora-riscv-bootstrap/blob/1858bd496378ddcce88a63c5ceda5483d7b4fdbe/Makefile#L1386

stage 4: Using only RPMs generated from stage 3 we build a pristine disk image. This disk image contains only files controlled by RPMs [actually there are two additional files needed: /init and a poweroff binary, both eventually will be replaced by systemd].

  • https://github.com/rwmjones/fedora-riscv-bootstrap/blob/1858bd496378ddcce88a63c5ceda5483d7b4fdbe/Makefile#L1420

Link: Status of the second bootstrap of Fedora/RISC-V

技術討論

使用PMA來控制物理內存區間內對 unaligned 的內存操作核 atomic 操作的控制

在12月21日的簡報中我們提及了關於“使用硬體支持 unaligned memory access的處理器必須支持對 unaligned address 的 atomic 操作”的爭議。 現在看來,物理內存空間的屬性標誌已經較好地規定了一個物理空間上對 unaligned 操作的處理。 具體來說:

Andrew Waterman的原文:https://groups.google.com/a/groups.riscv.org/d/msg/isa-dev/J1udFtmPEwI/RtHERGbSBAAJ

代碼更新

linux kernel 4.15-rc8 的更新。

這次的更新包含:

Ok, another week has gone by, and here’s the promised rc8.

I’m still hoping that this will be the last rc, despite all the Meltdown and Spectre hoopla. But we will just have to see, it obviously requires this upcoming week to not come with any huge surprises.

The patches aren’t huge, but architecture updates do end up being a largish part. That’s partly due to the x86 “retpoline” support (well, the basic stuff that is uncontested), but also because the powerpc people decided they wanted to play too, so there’s some low-level kernel entry changes there too. Aren’t we lucky?

Oh, and there’s a small RISC-V update too.

Link: 更多細節請 access LKML

Security點評

總結熔斷(Meltdown)和幽靈(Spectre)漏洞

繼月初簡報中報道的英特爾驚天漏洞,現在該漏洞的各具體細節都已經過了一系列的討論。現在我們來大概總結一下。

這次總共爆出了三個漏洞,我們來分別說一說:

熔斷漏洞 CVE-2017-5754:內存資料 access 的權限缺失

處理器為了提高性能,往往會預取(prefetch或者speculative access)內存資料並預測執行代碼。 現在發現,英特爾處理器在預取資料的時候,並沒有及時對資料頁的權限做檢查,導致root mode 的代碼能夠預取高權限的資料並使用該資料執行預測執行的代碼。 這種優化導致跨權讀取的資料被放入緩存,並存入物理寄存器引發更多的預測執行痕跡。 通過緩存側信道,攻擊者獲得緩存內的資料和預測執行的痕跡,即可猜出跨權資料。

為了修復該漏洞,各大操作系統廠商都在積極添加內核 page table 分離(KPTI)補丁。該方案旨在分離用戶和系統 address 空間。 這樣預取跨權資料時會因為 page table 缺失而失敗,從而堵上側信道的資料來源。 由於當前處理器(主要是英特爾處理器)不直接支持單獨的系統 page table 寄存器,導致內核上下文切換時會強迫刷新TLB,造成性能下降。 新一代的處理器已添加PCID對系統 page table 的支持,則不需要刷新TLB,則不會有明顯性能損失。

RISC-V指令集正在積極探討從指令集層面直接支持內核 page table 分離,相信很快將納入特權指令集標準。 同時,支持亂序的RISC-V核BOOM由於使用Rocket-Chip的資料緩存設計,不會越權讀取跨權資料,天然不受熔斷漏洞的影響。

幽靈漏洞 CVE-2017-5753:通過惡意訓練直接跳轉的分支預測從而預測執行內核代碼

現代處理器一般都會通過 branch predictor 預取指令執行。攻擊者可以通過惡意訓練 branch predictor 然後導致處理器預測執行不該執行的代碼。 該漏洞如果被用於攻擊一般會用於而已執行內核代碼從而造成內核資料泄露。

修復該漏洞可以在軟體強制在關鍵代碼區域內延遲分支預測從而降低預測執行代碼的數量。 英特爾的建議是在關鍵分支代碼之前添加LFENCE指令。 從硬體上也可以嘗試選擇性預測執行。比如在執行內核關鍵代碼區時直接關閉分支預測。

幽靈漏洞 CVE-2017-5715:通過惡意訓練間接跳轉的跳轉目標預測從而預測執行內核代碼或用戶代碼

現代處理器不光能分支預測,還能直接預測分支跳轉核間接跳轉的目標 address ,從而達到對間接跳轉的預取指支持。 攻擊者則利用該特性,惡意訓練對跳轉目標的預測器(BTB),達到跳轉到任意代碼的目的。

從軟體上修復,可以使用特殊的函數調用方式執行關鍵函數以確保關鍵函數的執行不能由跳轉目標預測決定。 從硬體上,可以要求上下文切換時清空BTB,這則直接避免了跨進程或跨優先級的惡意跳轉目標訓練。 對於利用該漏洞直接預測執行用戶代碼,可以用英特爾的SMEP核SMAP特性堵上直接使用用戶代碼對內核的代碼註入。

實用資料

RISC-V debug spec的介紹

HelloWorld 最近在 IT 鐵人賽上連載了一系列關於RISC-V debug spec 和openocd的文章。有興趣研究debug spec 和其openocd實作的可以參考。另外,NonerKao也在鐵人賽上連載了一系列關於RISC-V assembly 的文章。對於elf,nn,as 或是相關工具有興趣的朋友可以看看。

Links:

芯片編譯公眾號的開篇——RISC-V Tools編譯安裝三部曲

李浩同學在這個公眾號中手把手的介紹了怎麽編譯與安裝RISC-V tools。不過小編還是期待有好心人能早日釋出pre-built版本啊,最好是能用apt-get isntall就拿到更好。

Links:

行業視角

The Bisquick Alternative - SiFive Uses RISC-V to Simplify SoC Creation

微處理器領域的資深編輯和分析師Jim Turley在EE Journal上用生動詼諧的語言發表了他對RISC-V的一些看法。他首先提到了SiFive目前正在做的事情,展望了在未來定制化芯片時代或許不久就會到來。最後他對RISC-V在簡潔性和平衡性上也表示贊同。

Everybody wants their own custom or semi-custom device, but not everyone is equipped to design or build one, the company believes. Kang compares his customer base to programmers creating new smartphone apps. They’re good programmers, but they don’t know – or need to know – everything about how smartphones are put together. It’s enough to know what you want, not necessarily all the steps involved in making it happen. Today, anyone developing a custom chip has to be deeply knowledgeable about each step of design, testing, verification, and fabrication. SiFive is hoping to dumb that down a bit.

In the process, the company uses RISC-V as a configurable part of its IP portfolio. Again, the company doesn’t expect its customers to be microprocessor aficionados, or to have strong ideas about how to customize their CPU. That’s what SiFive is for. They can recommend the changes, if any, that will benefit the customer’s application, and then make those changes happen. Along the way, SiFive will surround the CPU with its in-house IP, produce a complete design, and fab it for you at TSMC. Just add water.

It’s right there in the name: RISC-V. As in, “reduced instruction set.” The whole point behind any RISC architecture is simplicity; that you can do more with less. Superfluous instructions aren’t just unnecessary; they’re bad things. Gratuitous features just add hardware complexity and slow down the pipeline. John von Neumann posited that computers really need only three operations; anything beyond that is window-dressing. Today’s RISC machines aren’t quite that Spartan, but the point is still valid. RISC-V, like most other RISC architectures, is already supposed to be “just right,” neither too simple nor too complicated. Meddling with that would seem to defeat the purpose.

Still, SiFive is happy to let you experiment. Maybe you’ll discover that one custom feature that radically alters your system’s performance, or security, or power consumption. Or maybe you’re happy with the standard configuration. Either way, SiFive can make your SoC dreams come true. You can have your pancake and eat it, too.

Link: The Bisquick Alternative: SiFive Uses RISC-V to Simplify SoC Creation

MIPS Is Back, With An Eye on AI

MIPS重回矽谷,得到了新的VC的投資並且開始招兵買馬,EETime的這篇文章採訪了多為業內人士講述了這幾年MIPS所經歷的種種,

Lost identity, foot print

While MIPS was under Imagination Technologies’ roof, it lost focus, its own identity and its footprint on the market. Bemanian acknowledged during the interview that many MIPS engineers felt as though they were forced into becoming what they were not in order to support its parent company. Imagination had hoped MIPS could be the processing core in the mobile market. “We felt as though we lost our heritage,” Bemanian said.

Krewell added, “What’s missing is mainstream operating system support (Android and Windows). Even embedded OS support is starting to wane.” Further, the problem, as he sees it, is “that the trajectory for MIPS was heading in the wrong direction and with the rise of RISC-V, there was less and less reason to support MIPS as an alternative to ARM.”

MIPS似乎也打算緊隨潮流的參與到AI的浪潮中,另一件值得關註的事情是MIPS的創始人之一John Hennessy也強勢回歸!

In his view, MIPS’ versatility and efficiency will work to MIPS’ advantage as it moves deeper into the AI market. MIPS can handle payload in the data plane, but will also be very effective in managing data in the control plane on the edge. “MIPS can be a part of inference engines or it can be used to manage accelerators around GPUs and FPGAs as well,” Bemanian said.

In a statement, Hennessy said, “With the emergence of AI in applications that will touch all of our lives in ways we can’t yet begin to fathom, this is an incredibly exciting time to see MIPS position themselves in the epicenter of the AI universe.” He emphasized the initial simplicity, efficiency and extensibility of the MIPS architecture will provide “advantages for an ever-changing range of applications.”

Link: MIPS Is Back, With An Eye on AI

CNRV網站更新

暴走事件

二月

五月

招聘簡訊

CNRV提供為行業公司提供公益性質的一句話的招聘信息發布,若有任何Architecture、IC設計、軟體開發的招聘信息,歡迎聯系我們!


整理編集: 宋威、黃柏瑋、郭雄飛

特別感謝:黃銳


歡迎關註微信公眾號CNRV,接收最新最時尚的RISC-V訊息!

CNRV微信公眾號


創用 CC 授權條款
本著作系採用創用 CC 姓名標示-非商業性-相同方式分享 3.0 臺灣 授權條款授權.