System-Level Isolation for Mixed-Criticality RISC-V SoCs: A "World" Reality Check

Luis Cunha, Jose Martins, Manuel Rodriguez, Tiago Gomes, Sandro Pinto, Uwe Moslehner, Kai Dieffenbach, Glenn Farrall, Kajetan Nuernberger, Thomas Roecker

TL;DR

The paper tackles robust system-level isolation for heterogeneous, mixed-criticality RISC-V SoCs under SWaP-C constraints by comparing the leading target-side protection primitives (RISC-V Worlds, SmMTT, and IOPMP) and implementing three checkers (an IOPMP, a World Checker (WC), and a refined WC) in a CVA6-based platform. It systematically evaluates latency, area, and scalability, showing that World-based checkers offer deterministic, low-latency enforcement and that the proposed refinements (start–end matching, explicit WID-permission entries, and expanded slots) can reduce area by up to about 5% in IID-heavy configurations. The work highlights trade-offs in shareability and complexity, shows that the IOPMP incurs higher latency variability because its access latency depends on the rule configuration, and provides open-source artifacts intended to inform standardization and future RISC-V SoC designs. Overall, the study argues for WC-based designs as a strong foundation for real-time mixed-criticality systems and offers concrete pathways to scalable, interoperable system-level isolation.

Abstract

As RISC-V adoption accelerates, domains such as automotive, the Internet of Things (IoT), and industrial control are attracting growing attention. These domains are subject to stringent Size, Weight, Power, and Cost (SWaP-C) constraints, which have driven a shift toward heterogeneous Systems-on-Chip (SoCs) integrating general-purpose CPUs, tightly coupled accelerators, and diverse I/O devices with different integrity levels. While such integration improves cost efficiency and performance, it introduces a fundamental safety and security challenge: enforcing system-level isolation in mixed-criticality environments. Although RISC-V International has proposed several hardware isolation primitives, including RISC-V Worlds, IOPMP, and SmMTT, their interoperability, scalability, and suitability for real-time systems remain insufficiently understood. In this paper, we present a comparative analysis of these primitives from the perspective of practical heterogeneous SoC designs. We implement an IOPMP, a World-based checker, and a modified RISC-V World checker that addresses key limitations of the baseline specification, and evaluate their trade-offs in terms of security guarantees and power-performance-area (PPA). Our results show that the World-based checker introduces a fixed, configuration-independent access latency, achieving lower worst-case delay than the evaluated alternatives while scaling predictably with system size. At the macro level, we estimate that the proposed modifications reduce SoC area by up to approximately 5% compared to a baseline design. All artifacts will be released as open source, and we expect these findings to directly contribute to the evolution and ratification of RISC-V specifications, as well as to the design of future RISC-V SoCs.

Paper Structure (20 sections, 7 figures, 9 tables)

Figures (7)

  • Figure 1: SoC overview illustrating the limitations of initiator-side protection. (1) Trap-and-emulate at the CPU, (2) initiator-side access checks, and (3) a DMA-capable peripheral configured by an application to bypass protections.
  • Figure 2: RISC-V Worlds system overview. Each color represents a different WID.
  • Figure 3: IOPMP and WC diagram overview.
  • Figure 4: Introduced latency, in clock cycles, from the different IPs in read and write transactions.
  • Figure 5: Resource utilization comparison between S-WC, M-WC, and IOPMP across different rule and IID configurations. The top row shows scaling with the number of rules, while the bottom row highlights scaling with the number of IIDs.
  • ...and 2 more figures
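The following is a simplified behavioural model of the three arrangements the abstract and Figure 1 contrast: an initiator-side check that only exists at the CPU (so a DMA master bypasses it), an IOPMP-style ordered rule table, and a World-style checker that indexes permissions directly by WID. It is an added illustration for this page, not the paper's RTL and not a bit-accurate rendering of the RISC-V IOPMP or Worlds specifications; the table layouts, the `cpu`/`dma`/`secure_cpu` initiator names, the WID/IID assignments, the buffer addresses and the cycle costs are all assumptions chosen to show the shape of each design rather than measured values.

```python
"""
Simplified behavioural model contrasting initiator-side and target-side
isolation, added as an illustration for this page. It is not the paper's RTL
and does not reproduce the RISC-V IOPMP or Worlds specifications exactly:
table layout, match order and the cycle costs are assumptions chosen to show
the shape of each design, not measured numbers.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

R, W = 0b01, 0b10  # permission bits


@dataclass(frozen=True)
class Txn:
    initiator: str  # bus master issuing the access, e.g. "cpu" or "dma"
    addr: int
    perm: int       # R or W


class CpuPmpModel:
    """Initiator-side check: lives inside the CPU, so a DMA master bypasses it."""

    def __init__(self, cpu_ranges: List[Tuple[int, int, int]]):
        self.cpu_ranges = cpu_ranges  # (start, end, perm) granted to the CPU

    def check(self, txn: Txn) -> bool:
        if txn.initiator != "cpu":
            return True  # no checker on this path at all (Figure 1, case 3)
        return any(s <= txn.addr < e and p & txn.perm for s, e, p in self.cpu_ranges)


@dataclass(frozen=True)
class IopmpRule:
    iid: int    # initiator/source id the rule applies to (assumed encoding)
    start: int
    end: int    # exclusive
    perm: int


class IopmpModel:
    """Target-side, IOPMP-style: ordered rule table, first match wins.
    Assumed cost: one cycle per rule scanned, so the latency depends on where
    (or whether) the matching rule sits in the table."""

    def __init__(self, iid_of: Dict[str, int], rules: List[IopmpRule]):
        self.iid_of, self.rules = iid_of, rules

    def check(self, txn: Txn) -> Tuple[bool, int]:
        iid, cycles = self.iid_of[txn.initiator], 0
        for rule in self.rules:
            cycles += 1
            if rule.iid == iid and rule.start <= txn.addr < rule.end:
                return bool(rule.perm & txn.perm), cycles
        return False, cycles  # no rule matched: default deny


@dataclass(frozen=True)
class WorldRegion:
    start: int
    end: int
    wid_perms: Tuple[int, ...]  # index = WID, value = permission bits


class WorldCheckerModel:
    """Target-side, World-style: every region is compared in the same cycle
    and the permission is read directly by the initiator's WID, so the assumed
    cost is a constant that does not depend on the table contents."""

    FIXED_CYCLES = 2  # assumption, not a measured figure

    def __init__(self, wid_of: Dict[str, int], regions: List[WorldRegion]):
        self.wid_of, self.regions = wid_of, regions

    def check(self, txn: Txn) -> Tuple[bool, int]:
        wid = self.wid_of[txn.initiator]
        for r in self.regions:  # regions are assumed non-overlapping
            if r.start <= txn.addr < r.end:
                ok = wid < len(r.wid_perms) and bool(r.wid_perms[wid] & txn.perm)
                return ok, self.FIXED_CYCLES
        return False, self.FIXED_CYCLES  # unmapped address: default deny


def dma_bypass_scenario() -> Dict[str, Tuple[bool, int]]:
    """Constructed scenario: a low-integrity application (WID 0) owns a DMA
    engine and points it at a buffer reserved for the high-integrity world
    (WID 1), then at a buffer both worlds may use. Returns
    (allowed, assumed_cycles) per checker and transaction."""
    secure_buf = (0x8000_0000, 0x8001_0000)
    shared_buf = (0x8001_0000, 0x8002_0000)
    dma_secure_write = Txn("dma", 0x8000_0040, W)
    dma_shared_write = Txn("dma", 0x8001_0040, W)

    pmp = CpuPmpModel([(shared_buf[0], shared_buf[1], R | W)])

    # IOPMP: eight rules for another initiator sit before the ones that matter,
    # so the DMA transactions scan most of the table before a verdict.
    iid_of = {"cpu": 0, "dma": 1, "secure_cpu": 2}
    rules = [IopmpRule(2, 0x1000 * i, 0x1000 * (i + 1), R | W) for i in range(8)]
    rules += [IopmpRule(1, *shared_buf, R | W), IopmpRule(2, *secure_buf, R | W)]
    iopmp = IopmpModel(iid_of, rules)

    wid_of = {"cpu": 0, "dma": 0, "secure_cpu": 1}
    regions = [WorldRegion(*secure_buf, (0, R | W)),
               WorldRegion(*shared_buf, (R | W, R | W))]
    wc = WorldCheckerModel(wid_of, regions)

    return {
        "cpu_pmp_only": (pmp.check(dma_secure_write), 0),
        "iopmp": iopmp.check(dma_secure_write),
        "world_checker": wc.check(dma_secure_write),
        "iopmp_shared_write": iopmp.check(dma_shared_write),
        "world_checker_shared_write": wc.check(dma_shared_write),
    }


if __name__ == "__main__":
    for name, (allowed, cycles) in dma_bypass_scenario().items():
        print(f"{name:28s} allowed={allowed!s:5s} assumed_cycles={cycles}")
```

The CPU-only check lets the DMA write through untouched, which is the bypass Figure 1 illustrates; both target-side checkers deny it. The IOPMP model's verdict arrives after 10 scanned rules for the secure write and 9 for the shared one, while the World checker answers in the same constant time for both, which is the latency property the abstract attributes to the World-based checker. The cycle counts are an artefact of the assumed scan model and say nothing about the real implementations' numbers.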