CHERI (Capability Hardware Enhanced RISC Instructions) is an advanced security technology developed by the University of Cambridge in a joint research project with SRI International that begun in 2010.
The research was aimed at revisiting fundamental design choices in hardware and software to improve system security and received funding from DARPA (Defense Advanced Research Projects Agency), UKRI (UK Research and Innovation), among others.
In 2023, the technology was for the first time made commercially available in a licensable processor by Codasip.
CHERI extends the Instruction Set Architecture (ISA) to enforce fine-grained memory access control. This prevents common vulnerabilities such as buffer overflows and memory corruption. However, to make use of the technology, developers must have access to software tools and packages that are adapted for CHERI.
The compiler, in particular, must be capable of generating applications that leverage the new instructions introduced by the modified ISA and hardware core. In collaboration with other CHERI Alliance members, Codasip has built these tools on existing open-source projects and is donating them to the CHERI Alliance for unrestricted use by everyone implementing CHERI on RISC-V.
"As more organisations and governments discover the potential of the CHERI technology to protect us, we need to speed up the pace of making the technology available in real systems," said Ron Black, chief executive officer, Codasip. "We have made a massive effort to implement a full Linux-capable SDK that we are now opening for everyone to use. I am confident this will be a great asset for the CHERI and RISC-V communities."
“The CHERI Alliance is strongly focused on collaboration and openness to make sure that CHERI security gets integrated into all high-tech products,” commented Michael Halsall, director of the CHERI Alliance. “The fact that Codasip makes their SDK openly available through the Alliance supports the standardisation effort of CHERI for RISC-V.
“CHERI can deliver a more secure future for electronics, and we must come together to make that happen, between academia, industry and government.”
The CHERI RISC-V SDK includes:
- C/C++ compiler and toolchain based on LLVM17
- CHERI-RISC-V Sail model
- QEMU open-source emulator
- OpenSBI implementation of the RISC-V Supervisor Binary Interface
- Das U-Boot bootloader
- Linux kernel 6.10
- FreeRTOS
- The GNU Debugger
- Yocto build system for Linux
- Basic user space environment based on Busybox
Access the SDK from the CHERI Alliance GitHub.