Area Comparison of CHERIoT and PMP in Ibex
Samuel Riedel, Marno van der Maas, John Thomson, Andreas Kurth, Pirmin Vogel
TL;DR
This paper addresses memory-safety for Ibex-based embedded processors by comparing two architectural approaches: PMP and CHERIoT/CHERI. It conducts a hardware-area study using synthesis in FreePDK45, reporting core-area overheads of $42\%$ for PMP and $57\%$ for CHERIoT, while demonstrating that system-wide impact on a complete SoC like OpenTitan Earl Grey remains modest ($0.6\%$ and $1\%$ respectively). The analysis highlights that PMP and CHERIoT provide strong security benefits with only small increases to overall chip area, due to the core occupying a small fraction of the total system. The results support using memory-safety extensions in secure embedded designs as a favorable trade-off between security guarantees and silicon cost.
Abstract
Memory safety is a critical concern for modern embedded systems, particularly in security-sensitive applications. This paper explores the area impact of adding memory safety extensions to the Ibex RISC-V core, focusing on physical memory protection (PMP) and Capability Hardware Extension to RISC-V for Internet of Things (CHERIoT). We synthesise the extended Ibex cores using a commercial tool targeting the open FreePDK45 process and provide a detailed area breakdown and discussion of the results. The PMP configuration we consider is one with 16 PMP regions. We find that the extensions increase the core size by 24 thousand gate-equivalent (kGE) for PMP and 33 kGE for CHERIoT. The increase is mainly due to the additional state required to store information about protected memory. While this increase amounts to 42% for PMP and 57% for CHERIoT in Ibex's area, its effect on the overall system is minimal. In a complete system-on-chip (SoC), like the secure microcontroller OpenTitan Earl Grey, where the core represents only a fraction of the total area, the estimated system-wide overhead is 0.6% for PMP and 1% for CHERIoT. Given the security benefits these extensions provide, the area trade-off is justified, making Ibex a compelling choice for secure embedded applications.
