Area Comparison of CHERIoT and PMP in Ibex
Abstract
This paper analyzes the hardware area cost of implementing Physical Memory Protection (PMP) and the CHERIoT capability-based security extension within the Ibex RISC-V core. Synthesis results show that PMP (16 regions) adds 24 thousand gate equivalents (kGE), a 42% core overhead, while CHERIoT adds 33 kGE, a 57% core overhead. However, when scaled to a complete system-on-chip (SoC) like OpenTitan Earl Grey, the estimated overheads are minor (0.6% for PMP and 1% for CHERIoT), a cost that the substantial memory safety benefits justify.
Report
Key Highlights
- Core Under Test: Ibex RISC-V core.
- Extensions Evaluated: Physical Memory Protection (PMP) configured with 16 regions, and CHERIoT (Capability Hardware Extension to RISC-V for IoT).
- Core Area Overhead (PMP): 24 kGE, resulting in a 42% increase in the core size.
- Core Area Overhead (CHERIoT): 33 kGE, resulting in a 57% increase in the core size.
- System-Wide Overhead: The impact on the total System-on-Chip (SoC) area is minimal, estimated at 0.6% for PMP and 1% for CHERIoT, based on the OpenTitan Earl Grey microcontroller architecture.
- Conclusion: The marginal system-level area cost is well justified by the critical security and memory safety improvements provided by both extensions.
Technical Details
- Methodology: The extended Ibex cores were synthesized using a commercial toolchain.
- Target Process: The open-source FreePDK45 process technology.
- Area Metric: Area increases are quantified using thousands of Gate Equivalents (kGE).
- Source of Overhead: The area increase for both extensions is primarily attributed to the additional state required to store information regarding protected memory (e.g., PMP registers or CHERIoT capability metadata).
- Specific PMP Configuration: The PMP implementation used for comparison was configured with 16 distinct PMP regions.
Implications
- Validating Secure RISC-V: This study provides concrete, quantifiable data showing that low-power RISC-V cores (like Ibex) can implement advanced memory safety features (like CHERIoT and PMP) with negligible impact on overall chip area.
- Encouraging Security Adoption: The finding that security features impose only a 1% system-wide overhead removes a major barrier (cost/area) to adopting robust memory safety, especially in IoT and security-sensitive embedded systems.
- Ibex and OpenTitan Ecosystem: The results reinforce Ibex's suitability as a secure core foundation for platforms like OpenTitan, demonstrating that integrating security extensions does not significantly balloon the secure microcontroller footprint.
- Future Architectural Decisions: The comparison provides crucial trade-off information, allowing architects to decide between the established PMP mechanism and the more advanced capability-based protection offered by CHERIoT, based on precise area requirements.