A Linux-capable secure enclave chip design with CHERI

We at lowRISC® are excited to announce the second Minimum Viable Product (MVP) release of the CHERI Mocha Secure Enclave reference design. This release is able to boot CHERI-Linux and includes all the hardware IP blocks necessary for a secure enclave system on chip. This release is a key part of the COSMIC project, which is funded by DSIT and IUK (grant number 10168492).

CHERI Mocha block diagram

This update greatly increases the maturity of the hardware design: it provides enough infrastructure to run a full operating system on an FPGA, and it boots CHERI-Linux out of the box. The design is a system-on-chip (SoC) subsystem that can be integrated into a larger SoC to provide secure enclave services.

It enables developers to explore the behaviour of CHERI on RISC-V in a complex software environment, port other operating systems, and develop drivers and software applications. SoC designers can use it to design a secure enclave for their use case, such as biometric authentication or password management.

Hardware Enhancements

The MVP-2 release adds several new hardware IP blocks to the compute sub-system, transforming it into a more complete Secure Enclave design. The newly integrated peripherals include:

  • A debug module for increased visibility of code running in the enclave during the development cycle.
  • An entropy source for cryptographic applications that need a good source of randomness.
  • A KMAC block to verify the integrity of the boot firmware.
  • A ROM controller to contain the boot firmware in read-only memory.
  • An SPI host to interact with non-volatile memory.

Additionally, synthesis to the Genesys 2 FPGA board is now fully supported. Instructions are provided in the GitHub release notes.

Initial CHERI-Linux Support

Linux booting on CHERI Mocha

On the software side, this release features initial support for CHERI-Linux. The design successfully boots into a terminal prompt, utilizing an initial root file system provided by BusyBox.

While Linux driver support is currently limited, we have made bare-metal software shims available. These shims include a hardware abstraction layer and bare-metal tests, serving as a helpful reference for developers looking to build drivers in the future.

Get Started and Contribute

Developers can find collateral and instructions on how to get started by visiting the release page on GitHub. The tagged release (v0.1.0) is available here: https://github.com/lowRISC/mocha/releases/tag/v0.1.0

Community contributions are highly encouraged. If you are interested in contributing, please review the contributing guidelines located in the repository’s README file.

To get involved with the COSMIC project, please email us at cosmic@lowrisc.org.