4 Supervisor-Level ISA, Version 1.10

4.1.1 Supervisor Status Register (sstatus)

The sstatus register is an XLEN-bit read/write register formatted as shown in Figure 1.1 for RV32 and Figure 1.2 for RV64 and RV128. The sstatus register keeps track of the processor’s current operating state.

The SPP bit indicates the privilege level at which a hart was executing before entering supervisor mode. When a trap is taken, SPP is set to 0 if the trap originated from user mode, or 1 otherwise. When an SRET instruction (see Section [otherpriv]) is executed to return from the trap handler, the privilege level is set to user mode if the SPP bit is 0, or supervisor mode if the SPP bit is 1; SPP is then set to 0.

The SIE bit enables or disables all interrupts in supervisor mode. When SIE is clear, interrupts are not taken while in supervisor mode. When the hart is running in user-mode, the value in SIE is ignored, and supervisor-level interrupts are enabled. The supervisor can disable indivdual interrupt sources using the sie register.

The SPIE bit indicates whether supervisor interrupts were enabled prior to trapping into supervisor mode. When a trap is taken into supervisor mode, SPIE is set to SIE, and SIE is set to 0. When an SRET instruction is executed, SIE is set to SPIE, then SPIE is set to 1.

The UIE bit enables or disables user-mode interrupts. User-level interrupts are enabled only if UIE is set and the hart is running in user-mode. The UPIE bit indicates whether user-level interrupts were enabled prior to taking a user-level trap. When a URET instruction is executed, UIE is set to UPIE, and UPIE is set to 1. User-level interrupts are optional. If omitted, the UIE and UPIE bits are hardwired to zero.

4.1.2 Base ISA Control in sstatus Register

The UXL field controls the value of XLEN for U-mode, termed U-XLEN, which may differ from the value of XLEN for S-mode, termed S-XLEN. The encoding of UXL is the same as that of the MXL field of misa, shown in Table [misabase].

For RV32 systems, the UXL field does not exist, and U-XLEN = 32. For RV64 and RV128 systems, it is a WARL field that encodes the current value of U-XLEN. In particular, the implementation may hardwire UXL so that U-XLEN = S-XLEN.

If U-XLEN ≠ S-XLEN, instructions executed in the narrower mode must ignore source register operand bits above the configured XLEN, and must sign-extend results to fill the widest supported XLEN in the destination register.

4.1.3 Memory Privilege in sstatus Register

The MXR (Make eXecutable Readable) bit modifies the privilege with which loads access virtual memory. When MXR=0, only loads from pages marked readable (R=1 in Figure 1.16) will succeed. When MXR=1, loads from pages marked either readable or executable (R=1 or X=1) will succeed. MXR has no effect when page-based virtual memory is not in effect.

The SUM (permit Supervisor User Memory access) bit modifies the privilege with which S-mode loads, stores, and instruction fetches access virtual memory. When SUM=0, S-mode memory accesses to pages that are accessible by U-mode (U=1 in Figure 1.16) will fault. When SUM=1, these accesses are permitted. SUM has no effect when page-based virtual memory is not in effect, nor when executing in U-mode.

4.1.4 Supervisor Trap Vector Base Address Register (stvec)

The stvec register is an XLEN-bit read/write register that holds trap vector configuration, consisting of a vector base address (BASE) and a vector mode (MODE).

The BASE field in stvec is a WARL field that can hold any valid virtual or physical address, subject to the following alignment constraints: the address must always be at least 4-byte aligned, and the MODE setting may impose additional alignment constraints on the value in the BASE field.

The encoding of the MODE field is shown in Table [stvec-mode]. When MODE=Direct, all traps into supervisor mode cause the pc to be set to the address in the BASE field. When MODE=Vectored, all synchronous exceptions into supervisor mode cause the pc to be set to the address in the BASE field, whereas interrupts cause the pc to be set to the address in the BASE field plus four times the interrupt cause number. For example, a supervisor-mode timer interrupt (see Table [scauses]) causes the pc to be set to BASE+0x14. Setting MODE=Vectored may impose an additional alignment constraint on BASE, requiring up to 4×XLEN-byte alignment.

4.1.5 Supervisor Interrupt Registers (sip and sie)

The sip register is an XLEN-bit read/write register containing information on pending interrupts, while sie is the corresponding XLEN-bit read/write register containing interrupt enable bits.

Three types of interrupts are defined: software interrupts, timer interrupts, and external interrupts. A supervisor-level software interrupt is triggered on the current hart by writing 1 to its supervisor software interrupt-pending (SSIP) bit in the sip register. A pending supervisor-level software interrupt can be cleared by writing 0 to the SSIP bit in sip. Supervisor-level software interrupts are disabled when the SSIE bit in the sie register is clear.

Interprocessor interrupts are sent to other harts by means of SBI calls, which will ultimately cause the SSIP bit to be set in the recipient hart’s sip register.

A user-level software interrupt is triggered on the current hart by writing 1 to its user software interrupt-pending (USIP) bit in the sip register. A pending user-level software interrupt can be cleared by writing 0 to the USIP bit in sip. User-level software interrupts are disabled when the USIE bit in the sie register is clear. If user-level interrupts are not supported, USIP and USIE are hardwired to zero.

All bits besides SSIP, USIP, and UEIP in the sip register are read-only.

A supervisor-level timer interrupt is pending if the STIP bit in the sip register is set. Supervisor-level timer interrupts are disabled when the STIE bit in the sie register is clear. An SBI call to the SEE may be used to clear the pending timer interrupt.

A user-level timer interrupt is pending if the UTIP bit in the sip register is set. User-level timer interrupts are disabled when the UTIE bit in the sie register is clear. If user-level interrupts are supported, the ABI should provide a facility for scheduling timer interrupts in terms of real-time counter values. If user-level interrupts are not supported, UTIP and UTIE are hardwired to zero.

A supervisor-level external interrupt is pending if the SEIP bit in the sip register is set. Supervisor-level external interrupts are disabled when the SEIE bit in the sie register is clear. The SBI should provide facilities to mask, unmask, and query the cause of external interrupts.

The UEIP field in sip contains a single read-write bit. UEIP may be written by S-mode software to indicate to U-mode that an external interrupt is pending. Additionally, the platform-level interrupt controller may generate user-level external interrupts. The logical-OR of the software-writeable bit and the signal from the external interrupt controller are used to generate external interrupts for user mode. When the UEIP bit is read with a CSRRW, CSRRS, or CSRRC instruction, the value returned in the rd destination register contains the logical-OR of the software-writable bit and the interrupt signal from the interrupt controller. However, the value used in the read-modify-write sequence of a CSRRS or CSRRC instruction is only the software-writable UEIP bit, ignoring the interrupt value from the external interrupt controller.

User-level external interrupts are disabled when the UEIE bit in the sie register is clear. If the N extension for user-level interrupts is not implemented, UEIP and UEIE are hardwired to zero.

4.1.6 Supervisor Timers and Performance Counters

Supervisor software uses the same hardware performance monitoring facility as user-mode software, including the time, cycle, and instret CSRs. The SBI should provide a mechanism to modify the counter values.

The SBI must provide a facility for scheduling timer interrupts in terms of the real-time counter, time.

4.1.7 Counter-Enable Register (scounteren)

The counter-enable register scounteren controls the availability of the hardware performance monitoring counters to U-mode.

When the CY, TM, IR, or HPMn bit in the scounteren register is clear, attempts to read the cycle, time, instret, or hpmcountern register while executing in U-mode will cause an illegal instruction exception. When one of these bits is set, access to the corresponding register is permitted.

scounteren must be implemented. However, any of the bits may contain a hardwired value of zero, indicating reads to the corresponding counter will cause an exception when executing in U-mode. Hence, they are effectively WARL fields.

4.1.8 Supervisor Scratch Register (sscratch)

The sscratch register is an XLEN-bit read/write register, dedicated for use by the supervisor. Typically, sscratch is used to hold a pointer to the hart-local supervisor context while the hart is executing user code. At the beginning of a trap handler, sscratch is swapped with a user register to provide an initial working register.

4.1.9 Supervisor Exception Program Counter (sepc)

sepc is an XLEN-bit read/write register formatted as shown in Figure 1.8. The low bit of sepc (sepc[0]) is always zero. On implementations that do not support instruction-set extensions with 16-bit instruction alignment, the two low bits ( sepc[1:0]) are always zero.

sepc is a WARL register that must be able to hold all valid physical and virtual addresses. It need not be capable of holding all possible invalid addresses. Implementations may convert some invalid address patterns into other invalid addresses prior to writing them to sepc.

When a trap is taken into S-mode, sepc is written with the virtual address of the instruction that encountered the exception. Otherwise, sepc is never written by the implementation, though it may be explicitly written by software.

4.1.10 Supervisor Cause Register (scause)

The scause register is an XLEN-bit read-write register formatted as shown in Figure 1.9. When a trap is taken into S-mode, scause is written with a code indicating the event that caused the trap. Otherwise, scause is never written by the implementation, though it may be explicitly written by software.

The Interrupt bit in the scause register is set if the contains a code identifying the last exception. Table [scauses] lists the possible exception codes for the current supervisor ISAs, in descending order of priority. The Exception Code is an WLRL field, so is only guaranteed to hold supported exception codes.

4.1.11 Supervisor Trap Value (stval) Register

The stval register is an XLEN-bit read-write register formatted as shown in Figure 1.10. When a trap is taken into S-mode, stval is written with exception-specific information to assist software in handling the trap. Otherwise, stval is never written by the implementation, though it may be explicitly written by software.

When a hardware breakpoint is triggered, or an instruction-fetch, load, or store access or page-fault exception occurs, or an instruction-fetch or AMO address-misaligned exception occurs, stval is written with the faulting address. For other exceptions, stval is set to zero, but a future standard may redefine stval’s setting for other exceptions.

For instruction-fetch access faults and page faults on RISC-V systems with variable-length instructions, stval will point to the portion of the instruction that caused the fault while sepc will point to the beginning of the instruction.

The stval register can optionally also be used to return the faulting instruction bits on an illegal instruction exception ( sepc points to the faulting instruction in memory).

If this feature is not provided, then stval is set to zero on an illegal instruction fault.

If the feature is provided, after an illegal instruction trap, stval will contain the entire faulting instruction provided the instruction is no longer than XLEN bits. If the instruction is less than XLEN bits long, the upper bits of stval are cleared to zero. If the instruction is more than XLEN bits long, stval will contain the first XLEN bits of the instruction.

stval is a WARL register that must be able to hold all valid physical and virtual addresses and the value 0. It need not be capable of holding all possible invalid addresses. Implementations may convert some invalid address patterns into other invalid addresses prior to writing them to stval. If the feature to return the faulting instruction bits is implemented, stval must also be able to hold all values less than 2^N, where N is the smaller of XLEN and the width of the longest supported instruction.

4.1.12 Supervisor Address Translation and Protection (satp) Register

The satp register is an XLEN-bit read/write register, formatted as shown in Figure 1.11 for RV32 and Figure 1.12, which controls supervisor-mode address translation and protection. This register holds the physical page number (PPN) of the root page table, i.e., its supervisor physical address divided by 4 KiB; an address space identifier (ASID), which facilitates address-translation fences on a per-address-space basis; and the MODE field, which selects the current address-translation scheme.

Table 1.13 shows the encodings of the MODE field for RV32 and RV64. When MODE=Bare, supervisor virtual addresses are equal to supervisor physical addresses, and there is no additional memory protection beyond the physical memory protection scheme described in Section [sec:pmp]. In this case, the remaining fields in satp have no effect.

For RV32, the only other valid setting for MODE is Sv32, a paged virtual-memory scheme described in Section 1.3.

For RV64, two paged virtual-memory schemes are defined: Sv39 and Sv48, described in Sections 1.4 and 1.5, respectively. Two additional schemes, Sv57 and Sv64, will be defined in a later version of this specification. The remaining MODE settings are reserved for future use and may define different interpretations of the other fields in satp.

Implementations are not required to support all MODE settings, and if satp is written with an unsupported MODE, the entire write has no effect; no fields in satp are modified.

The number of supervisor physical address bits is implementation-defined; any unimplemented address bits are hardwired to zero in the satp register. The number of ASID bits is also implementation-defined and may be zero. The number of implemented ASID bits, termed ASIDLEN , may be determined by writing one to every bit position in the ASID field, then reading back the value in satp to see which bit positions in the ASID field hold a one. The least-significant bits of ASID are implemented first: that is, if ASIDLEN > 0, ASID[ASIDLEN-1:0] is writable. The maximal value of ASIDLEN, termed ASIDMAX, is 9 for Sv32 or 16 for Sv39 and Sv48

Note that writing satp does not imply any ordering constraints between page-table updates and subsequent address translations. If the new address space’s page tables have been modified, it may be necessary to execute an SFENCE.VMA instruction (see Section 1.2.1) prior to writing satp.

4.2.1 Supervisor Memory-Management Fence Instruction

The supervisor memory-management fence instruction SFENCE.VMA is used to synchronize updates to in-memory memory-management data structures with current execution. Instruction execution causes implicit reads and writes to these data structures; however, these implicit references are ordinarily not ordered with respect to loads and stores in the instruction stream. Executing an SFENCE.VMA instruction guarantees that any stores in the instruction stream prior to the SFENCE.VMA are ordered before all implicit references subsequent to the SFENCE.VMA.

For the common case that the translation data structures have only been modified for a single address mapping (i.e., one page or superpage), rs1 can specify a virtual address within that mapping to effect a translation fence for that mapping only. Furthermore, for the common case that the translation data structures have only been modified for a single address-space identifier, rs2 can specify the address space. The behavior of SFENCE.VMA depends on rs1 and rs2 as follows:

• If rs1=x0 and rs2=x0, the fence orders all reads and writes made to any level of the page tables, for all address spaces.

• If rs1=x0 and rs2≠x0, the fence orders all reads and writes made to any level of the page tables, but only for the address space identified by integer register rs2. Accesses to global mappings (see Section 1.3.1) are not ordered.

• If rs1≠x0 and rs2=x0, the fence orders only reads and writes made to the leaf page table entry corresponding to the virtual address in rs1, for all address spaces.

• If rs1≠x0 and rs2≠x0, the fence orders only reads and writes made to the leaf page table entry corresponding to the virtual address in rs1, for the address space identified by integer register rs2. Accesses to global mappings are not ordered.

When rs2≠x0, bits XLEN-1:ASIDMAX of the value held in rs2 are reserved for future use and should be zeroed by software and ignored by current implementations. Furthermore, if ASIDLEN < ASIDMAX, the implementation shall ignore bits ASIDMAX-1:ASIDLEN of the value held in rs2.

4.3.1 Addressing and Memory Protection

Sv32 implementations support a 32-bit virtual address space, divided into 4 KiB pages. An Sv32 virtual address is partitioned into a virtual page number (VPN) and page offset, as shown in Figure 1.14. When Sv32 virtual memory mode is selected in the MODE field of the satp register, supervisor virtual addresses are translated into supervisor physical addresses via a two-level page table. The 20-bit VPN is translated into a 22-bit physical page number (PPN), while the 12-bit page offset is untranslated. The resulting supervisor-level physical addresses are then checked using any physical memory protection structures (Sections [sec:pmp]), before being directly converted to machine-level physical addresses.

Sv32 page tables consist of 2¹⁰ page-table entries (PTEs), each of four bytes. A page table is exactly the size of a page and must always be aligned to a page boundary. The physical page number of the root page table is stored in the satp register.

The PTE format for Sv32 is shown in Figures 1.16. The V bit indicates whether the PTE is valid; if it is 0, bits 31–1 of the PTE are don’t-cares and may be used freely by software. The permission bits, R, W, and X, indicate whether the page is readable, writable, and executable, respectively. When all three are zero, the PTE is a pointer to the next level of the page table; otherwise, it is a leaf PTE. Writable pages must also be marked readable; the contrary combinations are reserved for future use. Table [pteperm] summarizes the encoding of the permission bits.

The U bit indicates whether the page is accessible to user mode. U-mode software may only access the page when U=1. If the SUM bit in the sstatus register is set, supervisor mode software may also access pages with U=1. However, supervisor code normally operates with the SUM bit clear, in which case, supervisor code will fault on accesses to user-mode pages.

The G bit designates a global mapping. Global mappings are those that exist in all address spaces. For non-leaf PTEs, the global setting implies that all mappings in the subsequent levels of the page table are global. Note that failing to mark a global mapping as global merely reduces performance, whereas marking a non-global mapping as global is an error.

The RSW field is reserved for use by supervisor software; the implementation shall ignore this field.

Each leaf PTE contains an accessed (A) and dirty (D) bit. The A bit indicates the virtual page has been read, written, or fetched from since the last time the A bit was cleared. The D bit indicates the virtual page has been written since the last time the D bit was cleared.

Two schemes to manage the A and D bits are permitted:

• When a virtual page is accessed and the A bit is clear, or is written and the D bit is clear, the implementation sets the corresponding bit in the PTE. The PTE update must be atomic with respect to other accesses to the PTE, and must atomically check that the PTE is valid and grants sufficient permissions. The PTE update must be exact (i.e., not speculative), and observed in program order by the local hart. The ordering on loads and stores provided by FENCE instructions and the acquire/release bits on atomic instructions also orders the PTE updates associated with those loads and stores as observed by remote harts.

• When a virtual page is accessed and the A bit is clear, or is written and the D bit is clear, a page-fault exception is raised.

Standard supervisor software should be written to assume either or both PTE update schemes may be in effect.

Any level of PTE may be a leaf PTE, so in addition to 4 KiB pages, Sv32 supports 4 MiB megapages. A megapage must be virtually and physically aligned to a 4 MiB boundary; a page-fault exception is raised if the physical address is insufficiently aligned.

For non-leaf PTEs, the D, A, and U bits are reserved for future use and must be cleared by software for forward compatibility.

4.3.2 Virtual Address Translation Process

A virtual address va is translated into a physical address pa as follows:

1. Let a be ${\tt satp}.ppn \times \textrm{PAGESIZE}$, and let i = LEVELS − 1. (For Sv32, PAGESIZE=2¹² and LEVELS=2.)

2. Let pte be the value of the PTE at address a + va.vpn[i] × PTESIZE. (For Sv32, PTESIZE=4.) If accessing pte violates a PMA or PMP check, raise an access exception.

3. If pte.v = 0, or if pte.r = 0 and pte.w = 1, stop and raise a page-fault exception.

4. Otherwise, the PTE is valid. If pte.r = 1 or pte.x = 1, go to step 5. Otherwise, this PTE is a pointer to the next level of the page table. Let i = i − 1. If i < 0, stop and raise a page-fault exception. Otherwise, let a = pte.ppn × PAGESIZE and go to step 2.

5. A leaf PTE has been found. Determine if the requested memory access is allowed by the pte.r, pte.w, pte.x, and pte.u bits, given the current privilege mode and the value of the SUM and MXR fields of the mstatus register. If not, stop and raise a page-fault exception.

6. If i > 0 and pa.ppn[i − 1 : 0] ≠ 0, this is a misaligned superpage; stop and raise a page-fault exception.

7. If pte.a = 0, or if the memory access is a store and pte.d = 0, either raise a page-fault exception or:

   • Set pte.a to 1 and, if the memory access is a store, also set pte.d to 1.

   • If this access violates a PMA or PMP check, raise an access exception.

   • This update and the loading of pte in step 2 must be atomic; in particular, no intervening store to the PTE may be perceived to have occurred in-between.

8. The translation is successful. The translated physical address is given as follows:

   • pa.pgoff = va.pgoff.

   • If i > 0, then this is a superpage translation and pa.ppn[i − 1 : 0] = va.vpn[i − 1 : 0].

   • pa.ppn[LEVELS − 1 : i] = pte.ppn[LEVELS − 1 : i].

4.4.1 Addressing and Memory Protection

Sv39 implementations support a 39-bit virtual address space, divided into 4 KiB pages. An Sv39 address is partitioned as shown in Figure 1.17. Load and store effective addresses, which are 64 bits, must have bits 63–39 all equal to bit 38, or else a page-fault exception will occur. The 27-bit VPN is translated into a 44-bit PPN via a three-level page table, while the 12-bit page offset is untranslated.

Sv39 page tables contain 2⁹ page table entries (PTEs), eight bytes each. A page table is exactly the size of a page and must always be aligned to a page boundary. The physical page number of the root page table is stored in the satp register’s PPN field.

The PTE format for Sv39 is shown in Figure 1.19. Bits 9–0 have the same meaning as for Sv32. Bits 63–54 are reserved for future use and must be zeroed by software for forward compatibility.

Any level of PTE may be a leaf PTE, so in addition to 4 KiB pages, Sv39 supports 2 MiB megapages and 1 GiB gigapages, each of which must be virtually and physically aligned to a boundary equal to its size. A page-fault exception is raised if the physical address is insufficiently aligned.

The algorithm for virtual-to-physical address translation is the same as in Section 1.3.2, except LEVELS equals 3 and PTESIZE equals 8.

4.5.1 Addressing and Memory Protection

Sv48 implementations support a 48-bit virtual address space, divided into 4 KiB pages. An Sv48 address is partitioned as shown in Figure 1.20. Load and store effective addresses, which are 64 bits, must have bits 63–48 all equal to bit 47, or else a page-fault exception will occur. The 36-bit VPN is translated into a 44-bit PPN via a four-level page table, while the 12-bit page offset is untranslated.

The PTE format for Sv48 is shown in Figure 1.22. Bits 9–0 have the same meaning as for Sv32. Any level of PTE may be a leaf PTE, so in addition to 4 KiB pages, Sv48 supports 2 MiB megapages, 1 GiB gigapages, and 512 GiB terapages, each of which must be virtually and physically aligned to a boundary equal to its size. A page-fault exception is raised if the physical address is insufficiently aligned.

The algorithm for virtual-to-physical address translation is the same as in Section 1.3.2, except LEVELS equals 4 and PTESIZE equals 8.