Add missing DID too wide check for inval_pdt

contributors.adoc

@@ -4,3 +4,4 @@ This RISC-V specification has been contributed to directly or indirectly by (in
 
 [%hardbreaks]
 Aaron Durbin, Allen Baum, Anup Patel, Daniel Gracia Pérez, David Kruckemyer, Greg Favor, Ahmad Fawal, Guerney D Hunt, John Hauser, Josh Scheid, Matt Evans, Manuel Rodriguez, Nick Kossifidis, Paul Donahue, Paul Walmsley, Perrine Peresse, Philipp Tomsich, Rieul Ducousso, Scott Nelson, Siqi Zhao, Sunil V.L, Tomasz Jeznach, Vassilis Papaefstathiou, Vedvyas Shanbhogue
+

header.adoc

@@ -22,8 +22,9 @@
 :lang: en
 :listing-caption: Listing
 :sectnums:
+:sectnumlevels: 5
 :toc: left
-:toclevels: 4
+:toclevels: 5
 :source-highlighter: pygments
 ifdef::backend-pdf[]
 :source-highlighter: coderay
@@ -56,6 +57,7 @@ Copyright 2023 by RISC-V International.
 
 [preface]
 include::contributors.adoc[]
+include::iommu_preface.adoc[]
 include::iommu_intro.adoc[]
 include::iommu_data_structures.adoc[]
 include::iommu_in_memory_queues.adoc[]

iommu.bib

@@ -17,3 +17,11 @@ @electronic{AIA
   title = {RISC-V Advanced Interrupt Architecture},
   url = {https://github.com/riscv/riscv-aia}
 }
+@electronic{CFI,
+  title = {RISC-V Shadow Stacks and Landing Pads},
+  url = {https://github.com/riscv/riscv-cfi}
+}
+@electronic{PR243,
+  title = {Clarification updates to IOMMU v1.0.0},
+  url = {https://github.com/riscv-non-isa/riscv-iommu/pull/243/commits}
+}

iommu_data_structures.adoc

@@ -197,6 +197,8 @@ image::ddt-base.svg[width=800,height=400]
 //ddtp--->+--+ +->+--+ +->+--+  ddtp--->+--+ +->+--+  ddtp--->+--+
 //....
 
+<<<
+
 ==== Non-leaf DDT entry
 
 A valid (`V==1`) non-leaf DDT entry provides the PPN of the next level DDT.
@@ -374,6 +376,8 @@ that supports multiple process contexts and thus generates a valid `process_id`
 with its memory accesses. For PCIe, for example, if the request has a PASID
 then the PASID is used as the `process_id`.
 
+<<<
+
 When `PDTV` is 1, the `DPE` bit may set to 1 to enable the use of 0 as the
 default value of `process_id` for translating requests without a valid
 `process_id`. When `PDTV` is 0, the `DPE` bit is reserved for future standard
@@ -544,6 +548,8 @@ address.
 | 9-15 | --       | Reserved for standard use.
 |===
 
+<<<
+
 When `DC.tc.PDTV` is 1, the `DC.fsc` field holds the process-directory table
 pointer (`pdtp`). When the device supports multiple process contexts, selected
 by the `process_id`, the PDT is used to determine the first-stage page table and
@@ -906,6 +912,8 @@ translation and protection process. When address translation caches
 (<<CACHING>>) are implemented, the translation process may use the `GSCID` and
 `PSCID` to associate the cached translations with their address spaces.
 
+<<<
+
 The process to translate an `IOVA` is as follows:
 
 
@@ -991,7 +999,11 @@ The process to translate an `IOVA` is as follows:
 . Translation process is complete
 
 When checking the `U` bit in a second-stage PTE, the transaction is treated as
-not requesting supervisor privilege.
+not requesting supervisor privilege. The `pte.xwr=010` encoding, as specified by
+the Zicfiss cite:[CFI] extension for the Shadow Stack page type in single-stage
+and VS-stage page tables, remains a reserved encoding for IO transactions.
+
+<<<
 
 When the translation process reports a fault, and the request is an Untranslated
 request or a Translated request, the IOMMU requests the IO bridge to abort the
@@ -1151,8 +1163,8 @@ file and translating the address using the MSI page table is as follows:
   process are equivalent to that of a regular RISC-V second-stage PTE with
   `R`=`W`=`U`=1 and `X`=0. Similar to a second-stage PTE, when checking the `U`
   bit, the transaction is treated as not requesting supervisor privilege.
-. If the transaction is an Untranslated or Translated read-for-execute then stop
-  and report "Instruction access fault" (cause = 1).
+.. If the transaction is an Untranslated or Translated read-for-execute then stop
+   and report "Instruction access fault" (cause = 1).
 . MSI address translation process is complete.
 
 [NOTE]
@@ -1251,13 +1263,18 @@ no-write not requested and no write permission; no read permission)
 then a Success response is returned with the denied permission (R, W or X)
 set to 0 and the other permission bits set to the value determined from the
 page tables. The X permission is granted only if the R permission is also
-granted. Execute-only translations are not compatible with PCIe ATS as PCIe
-requires read permission to be granted if the execute permission is granted.
+granted and the execute permission was requested. Execute-only translations are
+not compatible with PCIe ATS as PCIe requires read permission to be granted
+if the execute permission is granted.
+
+<<<
 
 When a Success response is generated for an ATS translation request, no fault
 records are reported to software through the fault/event reporting mechanism,
 even when the response indicates no access was granted or some permissions were
-denied.
+denied. Conversely, when a UR or CA response is generated for an ATS translation
+request, the corresponding fault is reported to software through the fault/event
+reporting mechanism.
 
 If the translation request has an address determined to be an MSI address using
 the rules defined by the <<MSI_ID>> but the MSI PTE is configured in MRIF
@@ -1346,11 +1363,12 @@ of "Page Request".
   a "Page Request Group Response" message to the device.
 
 When the IOMMU generates the response, the status field of the response depends
-on the cause of the error.
+on the cause of the error. If a fault condition prevents locating a valid device
+context then the `PRPR` value assumed is 0.
 
 The status is set to Response Failure if the following faults are encountered:
 
-* `ddtp.iommu_mode` is `Off`
+* `ddtp.iommu_mode` is `Off` (cause = 256)
 * DDT entry load access fault (cause = 257)
 * DDT entry misconfigured (cause = 259)
 * DDT entry not valid (cause = 258)
@@ -1359,8 +1377,9 @@ The status is set to Response Failure if the following faults are encountered:
 
 The status is set to Invalid Request if the following faults are encountered:
 
-* `ddtp.iommu_mode` is `Bare`
-* `EN_PRI` is set to 0
+* `device_id` is wider than supported by the IOMMU mode (cause = 260)
+* `ddtp.iommu_mode` is `Bare` (cause = 260)
+* `EN_PRI` is set to 0 (cause = 260)
 
 The status is set to Success if no other faults were encountered but the
 "Page Request" could not be queued due to the page-request queue being full

iommu_hw_guidelines.adoc

@@ -46,6 +46,8 @@ indicate this condition. For AXI, for example, the completion status is provided
 by SLVERR on RRESP (Read Data channel). For PCIe, for example, the completion
 status field may be set to "Unsupported Request" (UR) or "Completer Abort" (CA).
 
+<<<
+
 [[RAS]]
 === Reliability, Availability, and Serviceability (RAS)
 The IOMMU may support a RAS architecture that specifies the methods for

iommu_in_memory_queues.adoc

@@ -180,7 +180,17 @@ operand is valid. Setting `PSCV` to 1 is allowed only for `IOTINVAL.VMA`. The
 the translations associated with the host (i.e. those where the second-stage
 is Bare) are operated on. When `GV` is 0, the `GSCID` operand is ignored.
 When `AV` is 0, the `ADDR` operand is ignored. When `PSCV` operand is 0, the
-`PSCID` operand is ignored.
+`PSCID` operand is ignored. When the `AV` operand is set to 1, if the `ADDR`
+operand specifies an invalid address, the command may or may not perform any
+invalidations.
+
+[NOTE]
+====
+When an invalid address is specified, an implementation may either complete the
+command with no effect or may complete the command using an alternate, yet
+`UNSPECIFIED`, legal value for the address. Note that entries may generally be
+invalidated from the address translation cache at any time.
+====
 
 `IOTINVAL.VMA` ensures that previous stores made to the first-stage page
 tables by the harts are observed by the IOMMU before all subsequent implicit
@@ -189,8 +199,8 @@ reads from IOMMU to the corresponding first-stage page tables.
 [[IVMA]]
 
 .`IOTINVAL.VMA` operands and operations
-[width=75%]
-[%header, cols="2,2,3,20"]
+[width=100%]
+[%header, cols="2,2,3,30"]
 |===
 |`GV`|`AV`|`PSCV`| Operation
 |0   |0   |0     | Invalidates all address-translation cache entries, including
@@ -234,8 +244,8 @@ is illegal.
 [[IGVMA]]
 
 .`IOTINVAL.GVMA` operands and operations
-[width=75%]
-[%header, cols="2,2,20"]
+[width=100%]
+[%header, cols="2,2,30"]
 |===
 | `GV` | `AV`   | Operation
 | 0    | ignored| Invalidates information cached from any level of the
@@ -245,8 +255,8 @@ is illegal.
                   identified by the `GSCID` operand.
 | 1    | 1      | Invalidates information cached from leaf second-stage page
                   table entries corresponding to the guest-physical-address in
-                  `ADDR` operand, for only for VM address spaces identified
-                  `GSCID` operand.
+                  `ADDR` operand, but only for VM address spaces identified
+                  by the `GSCID` operand.
 |===
 
 [NOTE]
@@ -270,6 +280,10 @@ match the `GSCID` argument, regardless of the address argument.
 Simpler implementations may ignore the operand of `IOTINVAL.VMA` and/or
 `IOTINVAL.GVMA` and always perform a global invalidation of all
 address-translation entries.
+
+Some implementations may cache an identity-mapped translation for the stage of
+address translation operating in `Bare` mode. Since these identity mappings
+are invariably correct, an explicit invalidation is unnecessary.
 ====
 
 [NOTE]
@@ -558,6 +572,8 @@ If the `DSV` operand is 1, then a valid destination segment number is specified
 by the `DSEG` operand. If the `DSV` operand is 0, then the `DSEG` operand is
 ignored.
 
+<<<
+
 [NOTE]
 ====
 A Hierarchy is a PCI Express I/O interconnect topology, wherein the