Overview
Physical Memory Protection (PMP) is a RISC-V feature used for memory isolation in security-critical systems. It provides per-hardware-thread machine-mode control registers that specify access privileges for physical memory regions. [C1]
Control registers
The ProcessorFuzz paper identifies two PMP-related RISC-V control and status registers (CSRs): pmpcfg, which contains the physical memory protection configuration, and pmpaddr, which contains physical memory protection addresses. These registers appear in the paper's table of CSRs not monitored by ProcessorFuzz. [C2]
Security uses
PMP is described as part of the trusted computing base for the Keystone trusted execution environment, where it is relied on to support security guarantees such as integrity and confidentiality. [C3]
PMP has also been proposed as a primitive for lightweight remote attestation on constrained RISC-V devices. The LIRA-V design uses read-only memory together with RISC-V PMP to build a trust anchor for remote attestation and secure channel creation, and also supports mutual attestation for trusted communication between two devices. [C4]
Verification relevance
One line of work formally verifies an open-source RISC-V PMP hardware implementation. That work formalizes PMP functional rules based on the RISC-V ISA manual, translates a Chisel PMP module to UCLID5 using LIME, encodes the specification in UCLID5, and verifies the hardware implementation's functional correctness. [C5]
PMP behavior is also relevant to processor fuzzing and simulator validation. ProcessorFuzz reported a Dromajo issue in which PMP checks were performed and exceptions were raised on violations even when no PMP entries were set. [C6]
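The functional rules that such verification and simulator-validation work checks can be stated compactly. The following C model of the PMP access check from the RISC-V privileged specification is an added example, not code from any of the cited projects; it covers entry matching, lowest-numbered-entry priority, the lock bit, and the outcome when no entry matches or none is implemented. All identifiers and the sample configuration are constructed for illustration, and the model assumes a naturally aligned access of at most 4 bytes, a 4-byte PMP granularity, and no Smepmp extension.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { PMP_R = 1, PMP_W = 2, PMP_X = 4, PMP_L = 0x80 };  /* pmpcfg permission and lock bits */
enum { A_OFF, A_TOR, A_NA4, A_NAPOT };                   /* pmpcfg.A field, bits 4:3 */
#define CFG(a, bits) ((uint8_t)(((a) << 3) | (bits)))
/* pmpaddr encoding of a naturally aligned power-of-two region (size >= 8 bytes) */
#define NAPOT(base, size) ((((uint64_t)(base)) >> 2) | ((((uint64_t)(size)) >> 3) - 1))

struct pmp_entry { uint8_t cfg; uint64_t addr; };        /* addr holds physical address >> 2 */

/* Does entry i cover the 4-byte word that contains physical address pa? */
static bool pmp_match(const struct pmp_entry *e, size_t i, uint64_t pa)
{
    uint64_t w = pa >> 2, mask;
    switch ((e[i].cfg >> 3) & 3) {
    case A_TOR:   return (i ? e[i - 1].addr : 0) <= w && w < e[i].addr;
    case A_NA4:   return w == e[i].addr;
    case A_NAPOT: mask = e[i].addr ^ (e[i].addr + 1);    /* trailing ones plus the zero above */
                  return ((w ^ e[i].addr) & ~mask) == 0;
    default:      return false;                          /* A_OFF never matches */
    }
}

/* n = number of implemented entries; perm is one of PMP_R, PMP_W, PMP_X. */
bool pmp_check(const struct pmp_entry *e, size_t n, uint64_t pa, uint8_t perm, bool m_mode)
{
    for (size_t i = 0; i < n; i++) {
        if (!pmp_match(e, i, pa)) continue;              /* lowest-numbered match decides */
        if (m_mode && !(e[i].cfg & PMP_L)) return true;  /* unlocked entries do not bind M-mode */
        return (e[i].cfg & perm) != 0;
    }
    /* No match: M-mode succeeds; S/U succeeds only if no entries are implemented. */
    return m_mode || n == 0;
}

int main(void)
{
    /* Constructed configuration: locked R+X code region, unlocked R+W data region. */
    struct pmp_entry e[] = {
        { CFG(A_NAPOT, PMP_L | PMP_R | PMP_X), NAPOT(0x80000000, 0x10000) },
        { CFG(A_NAPOT, PMP_R | PMP_W),         NAPOT(0x80010000, 0x10000) },
    };
    printf("U write to code region: %d\n", pmp_check(e, 2, 0x80000100, PMP_W, false));
    printf("U read, no match:       %d\n", pmp_check(e, 2, 0x90000000, PMP_R, false));
    printf("U read, zero entries:   %d\n", pmp_check(e, 0, 0x90000000, PMP_R, false));
    return 0;
}
```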