Area Comparison of CHERIoT and PMP in Ibex

TL;DR

This paper evaluates the area overhead of adding memory safety extensions, PMP and CHERIoT, to the Ibex RISC-V core, showing minimal impact on overall system size despite significant core area increases.

Contribution

It provides a detailed area analysis of PMP and CHERIoT extensions on Ibex, demonstrating their minimal system-wide impact and justifying their security benefits.

Findings

PMP increases core size by 24kGE, CHERIoT by 33kGE.

Core area increases by 42% for PMP and 57% for CHERIoT.

System-wide overhead is approximately 0.6% for PMP and 1% for CHERIoT.

Abstract

Memory safety is a critical concern for modern embedded systems, particularly in security-sensitive applications. This paper explores the area impact of adding memory safety extensions to the Ibex RISC-V core, focusing on physical memory protection (PMP) and Capability Hardware Extension to RISC-V for Internet of Things (CHERIoT). We synthesise the extended Ibex cores using a commercial tool targeting the open FreePDK45 process and provide a detailed area breakdown and discussion of the results. The PMP configuration we consider is one with 16 PMP regions. We find that the extensions increase the core size by 24 thousand gate-equivalent (kGE) for PMP and 33 kGE for CHERIoT. The increase is mainly due to the additional state required to store information about protected memory. While this increase amounts to 42% for PMP and 57% for CHERIoT in Ibex's area, its effect on the overall system is minimal. In a complete system-on-chip (SoC), like the secure microcontroller OpenTitan Earl Grey, where the core represents only a fraction of the total area, the estimated system-wide overhead is 0.6% for PMP and 1% for CHERIoT. Given the security benefits these extensions provide, the area trade-off is justified, making Ibex a compelling choice for secure embedded applications.