Memory, MMU and Harvard protection
HarvOS separates instructions and data at SoC level. The boot ROM uses
a controlled IMEM write path, while running applications see DMEM and
MMIO through the data side.
Address spaces
| Region | Address / parameter | Use |
| IMEM | 0x00000000 to 0x000003ff in the default SoC: IMEM_WORDS = 256 (1024 bytes). | Instructions, boot ROM and loaded ELF text. |
| DMEM | D_RAM_BASE = 0x00000400 to 0x000013ff in the default SoC: DMEM_WORDS = 1024 (4096 bytes). | Data, BSS, stack, start parameters, HTTP bundle and DMA window. |
| DMA window | 0x00000500 to 0x00000cff, 2048 bytes. | USB and HNET transfer buffer. |
| MMIO | 0xffff0000 to 0xffff00ff. | Debug, IMEM loader, HNET, USB and HPS block bridge. |
| Boot ROM app plan | BOOT_APP_LOAD_BASE = 0x00100000, BOOT_APP_STACK_TOP = 0x00178000. | Planned application address range for larger configurations. |
IMEM_WORDS and DMEM_WORDS are synthesis/testbench parameters, not ISA limits.
Access pipeline
Fetch: PC -> Fetch MMU -> Fetch MPU -> IMEM read
Load/Store: ALU addr -> Data MMU -> Data MPU -> DMEM/MMIO bus
| Stage | Task | Result |
| Address formation | PC for fetch, rs1 + imm for load/store, clr_addr for CLRMEM. | Virtual address and access type. |
| MMU | TLB lookup, page-walk/region decision, PTE-style flag checks, user/capability policy and W^X. | Physical address or MMU cause. |
| MPU | Fixed physical region check for IMEM, DMEM, MMIO and lock state. | Final allow, MMIO marker or trap cause. |
| SoC decode | Route to IMEM, DMEM, IMEM loader, HNET, USB, HPS block or debug MMIO. | Data word, byte write or default zero. |
MMU model
The CPU instantiates two MMUs: one for fetch and one for data. Both use
PTE-style flags V, R, W, X, U, G, A and D. The current walker can either
use RAM-backed L1/L0 page tables when configured by the supervisor path,
or fall back to the fixed HarvOS region model.
| Path | TLB | Specific rule |
| Fetch MMU | 32 entries | Instruction accesses only; W^X faults are treated as fetch faults. |
| Data MMU | 64 entries | Load/store checks, user/supervisor policy and W^X protection. |
Current region fallback
| Virtual region | Access | Result |
| IMEM/I-ROM | Fetch | Valid, identity mapped with execute permission. |
| IMEM/I-ROM | Load/Store | SCAUSE_HARVARD_VIOLATION. |
| DMEM | Load/Store | Valid, identity mapped with user/data permissions. |
| DMEM | Fetch | SCAUSE_HARVARD_VIOLATION. |
| MMIO | Load/Store | Valid for supervisor; no user flag. |
| Other addresses | Fetch/Load/Store | Instruction, load or store access fault. |
MPU and locking
The MPU checks physical addresses after the MMU. It is a fixed HarvOS
region policy, not RISC-V PMP. Fetch is allowed only from IMEM/I-ROM
when the lock state permits it. Data access into IMEM is always a
Harvard violation. Supervisor MMIO is allowed; user MMIO is denied.
| Case | Decision | Cause if denied |
| Fetch from locked IMEM/I-ROM | Allowed. | - |
| Fetch from DMEM | Denied. | SCAUSE_HARVARD_VIOLATION. |
| Load/store in DMEM | Allowed. | - |
| Load/store in IMEM/I-ROM | Denied. | SCAUSE_HARVARD_VIOLATION. |
| Supervisor load/store in MMIO | Allowed and marked as MMIO. | - |
| User load/store in MMIO | Denied. | Load or store access fault. |
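The region fallback and MPU tables above, combined into one software reference model that a testbench could compare against (an added example, not HarvOS source). The result enum is symbolic rather than the hardware's cause encodings, IMEM is assumed locked, I-ROM is not modelled because the page gives no address for it, and reporting a fetch from MMIO as an instruction access fault is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Default-SoC ranges from the address-space table (IMEM starts at 0). */
#define IMEM_END  0x000003ffu
#define DMEM_BASE 0x00000400u
#define DMEM_END  0x000013ffu
#define MMIO_BASE 0xffff0000u
#define MMIO_END  0xffff00ffu

typedef enum { ACC_FETCH, ACC_LOAD, ACC_STORE } access_t;

/* Symbolic results only; these are not the hardware's scause encodings. */
typedef enum { ALLOW, ALLOW_MMIO, HARVARD_VIOLATION,
               FAULT_FETCH, FAULT_LOAD, FAULT_STORE } result_t;

static result_t access_fault(access_t k) {
    return k == ACC_FETCH ? FAULT_FETCH : k == ACC_LOAD ? FAULT_LOAD : FAULT_STORE;
}

/* Hypothetical reference model: region fallback plus MPU, IMEM assumed locked. */
result_t harvos_check(uint32_t addr, access_t kind, bool user) {
    if (addr <= IMEM_END)                        /* instruction side */
        return kind == ACC_FETCH ? ALLOW : HARVARD_VIOLATION;
    if (addr >= DMEM_BASE && addr <= DMEM_END)   /* data side, incl. DMA window */
        return kind == ACC_FETCH ? HARVARD_VIOLATION : ALLOW;
    if (addr >= MMIO_BASE && addr <= MMIO_END) {
        /* Assumption: a fetch from MMIO is an instruction access fault. */
        if (kind == ACC_FETCH || user)
            return access_fault(kind);           /* user MMIO is denied */
        return ALLOW_MMIO;                       /* supervisor load/store */
    }
    return access_fault(kind);                   /* any other address */
}

int main(void) {
    /* Constructed probes: one address per region plus an unmapped one. */
    const uint32_t probes[] = { 0x00000000u, 0x00000500u, 0xffff0000u, 0x00001400u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("0x%08x user store -> %d, user fetch -> %d\n", (unsigned)probes[i],
               (int)harvos_check(probes[i], ACC_STORE, true),
               (int)harvos_check(probes[i], ACC_FETCH, true));
    return 0;
}
```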
Boot ROM payload layout
params_addr = round_up(highest_loaded_segment_end, 4096)
content_addr = params_addr + 4096
stack_guard = BOOT_APP_STACK_TOP - BOOT_APP_STACK_GUARD
require content_addr + BOOT_MAX_BUNDLE <= stack_guard