* Re: [RFC PATCH 1/3] dt-bindings: riscv: Add Worlds ISA extensions
2026-06-19 10:58 ` [RFC PATCH 1/3] dt-bindings: riscv: Add Worlds ISA extensions Yu-Chien Peter Lin
@ 2026-06-19 10:57 ` sashiko-bot
0 siblings, 0 replies; 7+ messages in thread
From: sashiko-bot @ 2026-06-19 10:57 UTC (permalink / raw)
To: Yu-Chien Peter Lin; +Cc: conor+dt, devicetree, robh
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Medium] The descriptions for the newly added RISC-V Worlds ISA extensions use placeholder 'TBD' text instead of a valid specification commit hash.
- [Low] The newly added multi-letter ISA extensions `smlwid` and `smlwidlist` are not sorted alphanumerically.
--
commit 16fbfa5650f850f6481cd820aa9d7deb379f7452
Author: Yu-Chien Peter Lin <peter.lin@sifive.com>
dt-bindings: riscv: Add Worlds ISA extensions
This commit adds device tree bindings for the RISC-V Worlds ISA extensions.
These extensions are used to tag transactions with World IDs that hardware
uses to enforce isolation across execution contexts.
> diff --git a/Documentation/devicetree/bindings/riscv/extensions.yaml b/Documentation/devicetree/bindings/riscv/extensions.yaml
> index 2b0a8a93bb214..1bc8b1aa67c06 100644
> --- a/Documentation/devicetree/bindings/riscv/extensions.yaml
> +++ b/Documentation/devicetree/bindings/riscv/extensions.yaml
> @@ -193,12 +193,35 @@ properties:
> ratified at commit d70011dde6c2 ("Update to ratified state")
> of riscv-j-extension.
>
> + - const: smlwid
[Severity: Low]
This isn't a bug, but are these extensions placed in the correct alphabetical
order? Multi-letter extensions are typically required to be sorted
alphanumerically, and "smlwid" appears to be inserted out of order relative
to other "sm" extensions.
> + description: |
> + The standard Smlwid extension for M-mode control of lower
> + privilege World ID via the mlwid CSR as ratified at commit
> + TBD ("TBD") of riscv-worlds.
[Severity: Medium]
Is the "TBD" placeholder intended to be kept in the final binding? Device tree
bindings usually require a specific commit hash to reference a frozen or
ratified specification.
> +
> + - const: smlwidlist
> + description: |
> + The standard Smlwidlist extension for M-mode control of lower
> + privilege World IDs via the mlwidlist CSR as ratified at commit
> + TBD ("TBD") of riscv-worlds.
[Severity: Medium]
Does this also need to be updated with the actual ratification commit hash
instead of the placeholder?
> +
> - const: smstateen
> description: |
> The standard Smstateen extension for controlling access to CSRs
> added by other RISC-V extensions in H/S/VS/U/VU modes and as
> ratified at commit a28bfae (Ratified (#7)) of riscv-state-enable.
>
> + - const: smwdeleg
> + description: |
> + The standard Smwdeleg extension for M-mode delegation of lower
> + privilege World ID control to S-mode via the mwiddeleg CSR, as
> + ratified at commit TBD ("TBD") of riscv-worlds.
[Severity: Medium]
Is the exact specification commit hash available to replace the placeholder
text here?
> +
> + - const: smwid
> + description: |
> + The standard Smwid extension for M-mode World ID control via the
> + mwid CSR as ratified at commit TBD ("TBD") of riscv-worlds.
[Severity: Medium]
Can we include the specific commit hash of riscv-worlds here instead of
using the temporary text?
[ ... ]
> @@ -262,6 +285,12 @@ properties:
> ratified in RISC-V Profiles Version 1.0, with commit b1d806605f87
> ("Updated to ratified state.")
>
> + - const: sswid
> + description: |
> + The standard Sswid extension for S-mode control of lower
> + privilege World IDs via the slwid CSR as ratified at commit
> + TBD ("TBD") of riscv-worlds.
[Severity: Medium]
Is the placeholder expected to be replaced with the actual ratification
commit before this is merged?
> +
> - const: supm
> description: |
> The standard Supm extension for pointer masking support in user
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260619105834.1277302-1-peter.lin@sifive.com?part=1
^ permalink raw reply [flat|nested] 7+ messages in thread
* [RFC PATCH 0/3] dt-bindings: riscv: Add RISC-V Worlds and SiFive WorldGuard DT bindings
@ 2026-06-19 10:58 Yu-Chien Peter Lin
2026-06-19 10:58 ` [RFC PATCH 1/3] dt-bindings: riscv: Add Worlds ISA extensions Yu-Chien Peter Lin
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Yu-Chien Peter Lin @ 2026-06-19 10:58 UTC (permalink / raw)
To: devicetree, linux-riscv, linux-kernel
Cc: robh, krzk+dt, conor+dt, pjw, palmer, aou, alex, samuel.holland,
dlan, guodong, dfustini, michal.simek, junhui.liu,
darshan.prajapati, akpm, zhangchunyan, luxu.kernel, pincheng.plct,
nick.hu, jim.shu, zong.li, greentime.hu, robin.randhawa, scott,
dave.patel, raymond.mao, Yu-Chien Peter Lin
Add device tree bindings for RISC-V Worlds, a standard extension that tags
every transaction with a World ID for fine-grained isolation. SiFive's
WorldGuard Checker is a hardware firewall in the system interconnect that
inspects transaction WIDs and enforces per-World access policies on memory
and MMIO devices.
The three patches add: Worlds ISA extension properties (riscv,nworlds and
sifive,trustedwid on /cpus), per-hart World ID constraints (riscv,pmwid,
riscv,pmwidlist, riscv,pmlwidlist on cpu@X nodes), and the wgchecker2
binding with access-controller specifiers.
The access-controllers specifier carries range, permission and config fields
to support three use cases:
1. single range device protection
2. discontiguous range device protection
3. sub-range memory partitioning.
Link: https://github.com/riscvarchive/security/blob/main/papers/worldguard%20proposal.pdf
Yu-Chien Peter Lin (3):
dt-bindings: riscv: Add Worlds ISA extensions
dt-bindings: riscv: Add Worlds per-hart properties
dt-bindings: sifive: Add WorldGuard Checker
.../devicetree/bindings/riscv/cpus.yaml | 21 ++
.../devicetree/bindings/riscv/extensions.yaml | 29 +++
.../devicetree/bindings/riscv/worlds.yaml | 86 +++++++
.../bindings/sifive/sifive,wgchecker2.yaml | 237 ++++++++++++++++++
4 files changed, 373 insertions(+)
create mode 100644 Documentation/devicetree/bindings/riscv/worlds.yaml
create mode 100644 Documentation/devicetree/bindings/sifive/sifive,wgchecker2.yaml
--
2.43.7
^ permalink raw reply [flat|nested] 7+ messages in thread
* [RFC PATCH 1/3] dt-bindings: riscv: Add Worlds ISA extensions
2026-06-19 10:58 [RFC PATCH 0/3] dt-bindings: riscv: Add RISC-V Worlds and SiFive WorldGuard DT bindings Yu-Chien Peter Lin
@ 2026-06-19 10:58 ` Yu-Chien Peter Lin
2026-06-19 10:57 ` sashiko-bot
2026-06-19 10:58 ` [RFC PATCH 2/3] dt-bindings: riscv: Add Worlds per-hart properties Yu-Chien Peter Lin
2026-06-19 10:58 ` [RFC PATCH 3/3] dt-bindings: sifive: Add WorldGuard Checker Yu-Chien Peter Lin
2 siblings, 1 reply; 7+ messages in thread
From: Yu-Chien Peter Lin @ 2026-06-19 10:58 UTC (permalink / raw)
To: devicetree, linux-riscv, linux-kernel
Cc: robh, krzk+dt, conor+dt, pjw, palmer, aou, alex, samuel.holland,
dlan, guodong, dfustini, michal.simek, junhui.liu,
darshan.prajapati, akpm, zhangchunyan, luxu.kernel, pincheng.plct,
nick.hu, jim.shu, zong.li, greentime.hu, robin.randhawa, scott,
dave.patel, raymond.mao, Yu-Chien Peter Lin
Add DT bindings for RISC-V Worlds ISA extensions to tag
transactions with World IDs that hardware uses to enforce
world-based isolation across execution contexts.
Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
---
.../devicetree/bindings/riscv/extensions.yaml | 29 +++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/Documentation/devicetree/bindings/riscv/extensions.yaml b/Documentation/devicetree/bindings/riscv/extensions.yaml
index 2b0a8a93bb21..1bc8b1aa67c0 100644
--- a/Documentation/devicetree/bindings/riscv/extensions.yaml
+++ b/Documentation/devicetree/bindings/riscv/extensions.yaml
@@ -193,12 +193,35 @@ properties:
ratified at commit d70011dde6c2 ("Update to ratified state")
of riscv-j-extension.
+ - const: smlwid
+ description: |
+ The standard Smlwid extension for M-mode control of lower
+ privilege World ID via the mlwid CSR as ratified at commit
+ TBD ("TBD") of riscv-worlds.
+
+ - const: smlwidlist
+ description: |
+ The standard Smlwidlist extension for M-mode control of lower
+ privilege World IDs via the mlwidlist CSR as ratified at commit
+ TBD ("TBD") of riscv-worlds.
+
- const: smstateen
description: |
The standard Smstateen extension for controlling access to CSRs
added by other RISC-V extensions in H/S/VS/U/VU modes and as
ratified at commit a28bfae (Ratified (#7)) of riscv-state-enable.
+ - const: smwdeleg
+ description: |
+ The standard Smwdeleg extension for M-mode delegation of lower
+ privilege World ID control to S-mode via the mwiddeleg CSR, as
+ ratified at commit TBD ("TBD") of riscv-worlds.
+
+ - const: smwid
+ description: |
+ The standard Smwid extension for M-mode World ID control via the
+ mwid CSR as ratified at commit TBD ("TBD") of riscv-worlds.
+
- const: ssaia
description: |
The standard Ssaia supervisor-level extension for the advanced
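Review bot: The smlwid, smlwidlist, smwdeleg and smwid descriptions each say "as ratified at commit TBD ("TBD") of riscv-worlds", which asserts ratification while naming no commit; the smstateen entry in the same hunk cites a28bfae. For an RFC, say that the spec is not yet frozen or ratified, and fill in the real commit before this is merged. Also, smwdeleg pairs with a CSR called mwiddeleg while the other three CSRs match their extension names (mlwid, mlwidlist, mwid); please confirm that spelling against the spec.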
@@ -262,6 +285,12 @@ properties:
ratified in RISC-V Profiles Version 1.0, with commit b1d806605f87
("Updated to ratified state.")
+ - const: sswid
+ description: |
+ The standard Sswid extension for S-mode control of lower
+ privilege World IDs via the slwid CSR as ratified at commit
+ TBD ("TBD") of riscv-worlds.
+
- const: supm
description: |
The standard Supm extension for pointer masking support in user
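Review bot: The sswid description carries the same `TBD ("TBD")` commit placeholder, and it says the extension controls "World IDs" (plural) through a CSR named slwid. In the first hunk the singular wording goes with Smlwid/mlwid and the plural wording with Smlwidlist/mlwidlist, so either the wording or the CSR name looks inconsistent here; please check both against the spec.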
--
2.43.7
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [RFC PATCH 2/3] dt-bindings: riscv: Add Worlds per-hart properties
2026-06-19 10:58 [RFC PATCH 0/3] dt-bindings: riscv: Add RISC-V Worlds and SiFive WorldGuard DT bindings Yu-Chien Peter Lin
2026-06-19 10:58 ` [RFC PATCH 1/3] dt-bindings: riscv: Add Worlds ISA extensions Yu-Chien Peter Lin
@ 2026-06-19 10:58 ` Yu-Chien Peter Lin
2026-06-19 10:59 ` sashiko-bot
2026-06-19 10:58 ` [RFC PATCH 3/3] dt-bindings: sifive: Add WorldGuard Checker Yu-Chien Peter Lin
2 siblings, 1 reply; 7+ messages in thread
From: Yu-Chien Peter Lin @ 2026-06-19 10:58 UTC (permalink / raw)
To: devicetree, linux-riscv, linux-kernel
Cc: robh, krzk+dt, conor+dt, pjw, palmer, aou, alex, samuel.holland,
dlan, guodong, dfustini, michal.simek, junhui.liu,
darshan.prajapati, akpm, zhangchunyan, luxu.kernel, pincheng.plct,
nick.hu, jim.shu, zong.li, greentime.hu, robin.randhawa, scott,
dave.patel, raymond.mao, Yu-Chien Peter Lin
Add per-hart DT properties for RISC-V Worlds architecture:
riscv,pmwid, riscv,pmwidlist, and riscv,pmlwidlist. These
platform-defined values are primarily used by M-mode firmware
to configure World ID CSRs and restrict WID usage across
privilege levels.
Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
---
.../devicetree/bindings/riscv/cpus.yaml | 21 +++++
.../devicetree/bindings/riscv/worlds.yaml | 77 +++++++++++++++++++
2 files changed, 98 insertions(+)
create mode 100644 Documentation/devicetree/bindings/riscv/worlds.yaml
diff --git a/Documentation/devicetree/bindings/riscv/cpus.yaml b/Documentation/devicetree/bindings/riscv/cpus.yaml
index 5feeb2203050..4b5778b6d3e7 100644
--- a/Documentation/devicetree/bindings/riscv/cpus.yaml
+++ b/Documentation/devicetree/bindings/riscv/cpus.yaml
@@ -26,6 +26,7 @@ description: |
allOf:
- $ref: /schemas/cpu.yaml#
- $ref: extensions.yaml
+ - $ref: worlds.yaml
- if:
not:
properties:
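Review bot: Adding `- $ref: worlds.yaml` to the allOf of cpus.yaml applies a schema written for the /cpus container to every cpu@X node. worlds.yaml, added later in this patch, selects on `$nodename` "^cpus$" and defines only riscv,nworlds, which the next hunk then has to switch off again with `riscv,nworlds: false`. Dropping the $ref keeps the per-hart schema closed and removes the need for that override.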
@@ -120,11 +121,31 @@ properties:
thead systems where the vector register length is not identical on all harts, or
the vlenb CSR is not available.
+ riscv,pmwid:
+ $ref: /schemas/types.yaml#/definitions/uint32
+ description:
+ Platform-defined M-mode World ID (WID) assigned to this hart.
+ minimum: 0
+ maximum: 63
+
+ riscv,pmwidlist:
+ $ref: /schemas/types.yaml#/definitions/uint64
+ description:
+ Platform-defined bitmap of M-mode World IDs (WIDs) that this hart may use.
+
+ riscv,pmlwidlist:
+ $ref: /schemas/types.yaml#/definitions/uint64
+ description:
+ Platform-defined bitmap of World IDs (WIDs) that S-mode and U-mode may use
+ on this hart.
+
# RISC-V has multiple properties for cache op block sizes as the sizes
# differ between individual CBO extensions
cache-op-block-size: false
# RISC-V requires 'timebase-frequency' in /cpus, so disallow it here
timebase-frequency: false
+ # RISC-V requires 'riscv,nworlds' in /cpus, so disallow it here
+ riscv,nworlds: false
interrupt-controller:
type: object
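Review bot: The riscv,pmwidlist and riscv,pmlwidlist descriptions do not say how bits map to WIDs (presumably bit N for WID N) or how the bitmaps relate to riscv,pmwid and riscv,nworlds, for example whether riscv,pmwid must be set in riscv,pmwidlist and whether bits at or above riscv,nworlds must be zero. Firmware uses these values to restrict which WIDs each privilege level may use, so the encoding should be spelled out. `minimum: 0` on riscv,pmwid is redundant for a uint32, and the description should note that the fixed `maximum: 63` is further bounded by riscv,nworlds.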
diff --git a/Documentation/devicetree/bindings/riscv/worlds.yaml b/Documentation/devicetree/bindings/riscv/worlds.yaml
new file mode 100644
index 000000000000..cc8b3747591e
--- /dev/null
+++ b/Documentation/devicetree/bindings/riscv/worlds.yaml
@@ -0,0 +1,77 @@
+# SPDX-License-Identifier: (GPL-2.0 OR MIT)
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/riscv/worlds.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: RISC-V Worlds Extension
+
+maintainers:
+ - Yu-Chien Peter Lin <peter.lin@sifive.com>
+
+description: |
+ The RISC-V Worlds ISA extension, as described in the RISC-V Privileged
+ Specification, adds World ID tagging for context isolation.
+
+ This binding describes the system-wide Worlds configuration for the /cpus node
+ and is used alongside per-hart Worlds-related properties such as riscv,pmwid in
+ the RISC-V CPU binding and Worlds-related ISA extensions enumerated via
+ riscv,isa-extensions.
+
+select:
+ properties:
+ $nodename:
+ pattern: "^cpus$"
+
+properties:
+ riscv,nworlds:
+ $ref: /schemas/types.yaml#/definitions/uint32
+ description: |
+ Number of World IDs (WIDs) supported by the platform. This is a system-wide
+ property that describes the total number of isolation contexts available.
+ Hardware components such as the WorldGuard Checker use this to determine
+ the valid range of WID values.
+ minimum: 2
+ maximum: 64
+
+additionalProperties: true
+
+examples:
+ - |
+ // Example: System with 4 World IDs
+ cpus {
+ #address-cells = <1>;
+ #size-cells = <0>;
+ timebase-frequency = <1000000>;
+ riscv,nworlds = <4>;
+
+ cpu@0 {
+ device_type = "cpu";
+ reg = <0>;
+ compatible = "sifive,bullet0", "riscv";
+ riscv,isa-base = "rv64i";
+ riscv,isa-extensions = "i", "m", "a", "f", "d", "c";
+ riscv,pmwid = <0>;
+
+ interrupt-controller {
+ #interrupt-cells = <1>;
+ compatible = "riscv,cpu-intc";
+ interrupt-controller;
+ };
+ };
+
+ cpu@1 {
+ device_type = "cpu";
+ reg = <1>;
+ compatible = "sifive,bullet0", "riscv";
+ riscv,isa-base = "rv64i";
+ riscv,isa-extensions = "i", "m", "a", "f", "d", "c";
+ riscv,pmwid = <1>;
+
+ interrupt-controller {
+ #interrupt-cells = <1>;
+ compatible = "riscv,cpu-intc";
+ interrupt-controller;
+ };
+ };
+ };
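Review bot: The example sets riscv,pmwid on both harts but lists only "i", "m", "a", "f", "d", "c" in riscv,isa-extensions, so it describes harts with a platform WID and no Worlds extension; add the relevant extension strings from patch 1/3 and show riscv,pmwidlist and riscv,pmlwidlist as well. The schema also has no `required:` list, so a /cpus node validates with riscv,nworlds absent; if the property is optional, the description should say what its absence means. The description cites the RISC-V Privileged Specification while patch 1/3 cites riscv-worlds; use one reference.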
--
2.43.7
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [RFC PATCH 3/3] dt-bindings: sifive: Add WorldGuard Checker
2026-06-19 10:58 [RFC PATCH 0/3] dt-bindings: riscv: Add RISC-V Worlds and SiFive WorldGuard DT bindings Yu-Chien Peter Lin
2026-06-19 10:58 ` [RFC PATCH 1/3] dt-bindings: riscv: Add Worlds ISA extensions Yu-Chien Peter Lin
2026-06-19 10:58 ` [RFC PATCH 2/3] dt-bindings: riscv: Add Worlds per-hart properties Yu-Chien Peter Lin
@ 2026-06-19 10:58 ` Yu-Chien Peter Lin
2026-06-19 10:59 ` sashiko-bot
2 siblings, 1 reply; 7+ messages in thread
From: Yu-Chien Peter Lin @ 2026-06-19 10:58 UTC (permalink / raw)
To: devicetree, linux-riscv, linux-kernel
Cc: robh, krzk+dt, conor+dt, pjw, palmer, aou, alex, samuel.holland,
dlan, guodong, dfustini, michal.simek, junhui.liu,
darshan.prajapati, akpm, zhangchunyan, luxu.kernel, pincheng.plct,
nick.hu, jim.shu, zong.li, greentime.hu, robin.randhawa, scott,
dave.patel, raymond.mao, Yu-Chien Peter Lin
Add DT binding for SiFive wgChecker2, a hardware firewall enforcing
WID-based access control in RISC-V Worlds. Provides checker slots to
program per-WID permissions for downstream resources, with optional
sub-range partitioning.
Link: https://github.com/riscvarchive/security/blob/main/papers/worldguard%20proposal.pdf
Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Zong Li <zong.li@sifive.com>
Reviewed-by: Jim Shu <jim.shu@sifive.com>
---
.../devicetree/bindings/riscv/worlds.yaml | 9 +
.../bindings/sifive/sifive,wgchecker2.yaml | 237 ++++++++++++++++++
2 files changed, 246 insertions(+)
create mode 100644 Documentation/devicetree/bindings/sifive/sifive,wgchecker2.yaml
diff --git a/Documentation/devicetree/bindings/riscv/worlds.yaml b/Documentation/devicetree/bindings/riscv/worlds.yaml
index cc8b3747591e..c39a06c2dd8d 100644
--- a/Documentation/devicetree/bindings/riscv/worlds.yaml
+++ b/Documentation/devicetree/bindings/riscv/worlds.yaml
@@ -34,6 +34,14 @@ properties:
minimum: 2
maximum: 64
+ sifive,trustedwid:
+ $ref: /schemas/types.yaml#/definitions/uint32
+ maximum: 31
+ description: |
+ The World ID (WID) designated as the trusted WID for this platform.
+ Transactions tagged with this WID are authorized to access and configure
+ WorldGuard blocks, including wgCheckers and wgMarkers.
+
additionalProperties: true
examples:
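Review bot: sifive,trustedwid is capped at `maximum: 31` while riscv,nworlds just above allows up to 64, and nothing states that the trusted WID must be below riscv,nworlds. This value names the WID allowed to access and configure wgCheckers and wgMarkers, so the description should state that constraint and explain the 31 limit. A sifive,-prefixed property in the generic riscv/worlds.yaml also needs a justification, or a move to a SiFive-specific schema.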
@@ -44,6 +52,7 @@ examples:
#size-cells = <0>;
timebase-frequency = <1000000>;
riscv,nworlds = <4>;
+ sifive,trustedwid = <3>;
cpu@0 {
device_type = "cpu";
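Review bot: With `sifive,trustedwid = <3>` added, the example from patch 2/3 still assigns riscv,pmwid = <0> and <1> to its two harts, so no hart in it has the trusted WID as its M-mode WID. If that is intentional (the trusted agent is not one of these harts), say so in a comment in the example; otherwise give one hart WID 3.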
diff --git a/Documentation/devicetree/bindings/sifive/sifive,wgchecker2.yaml b/Documentation/devicetree/bindings/sifive/sifive,wgchecker2.yaml
new file mode 100644
index 000000000000..043c748385ed
--- /dev/null
+++ b/Documentation/devicetree/bindings/sifive/sifive,wgchecker2.yaml
@@ -0,0 +1,237 @@
+# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+# Copyright (C) 2026 SiFive, Inc.
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/sifive/sifive,wgchecker2.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: SiFive WorldGuard Checker
+
+maintainers:
+ - Yu-Chien Peter Lin <peter.lin@sifive.com>
+
+description: |
+ The RISC-V Worlds ISA extension defines World IDs (WIDs) as architectural
+ identifiers that tag each system transaction with its originating context.
+ System integrators assign WIDs to execution contexts such as privilege modes,
+ trusted execution environments, or other isolation boundaries.
+
+ The SiFive WorldGuard Checker is a hardware firewall positioned in the
+ system interconnect fabric. It inspects every transaction, evaluating the
+ WID against access control policies encoded in checker slots for each
+ protected resource. Transactions from unauthorized WIDs are blocked and
+ reported as bus errors, interrupts, or both.
+
+ This enables spatial partitioning of memory regions and memory-mapped devices
+ across execution contexts. Different address ranges can enforce distinct
+ policies, allowing isolated workloads to coexist with hardware-enforced
+ protection.
+
+ The wgChecker acts as an access-controller provider as defined in the
+ access-controllers framework. Protected devices are consumers that declare
+ their access policy via the access-controllers property. The hardware
+ supports up to 32 World IDs.
+
+ The World ID authorized to configure WorldGuard blocks is specified by the
+ sifive,trustedwid property in the /cpus node.
+
+allOf:
+ - $ref: /schemas/access-controllers/access-controllers.yaml#
+
+properties:
+ compatible:
+ const: sifive,wgchecker2
+
+ reg:
+ maxItems: 1
+ description:
+ Base address and size of the wgChecker memory-mapped I/O registers.
+
+ interrupts:
+ maxItems: 1
+ description:
+ Interrupt line asserted when a WID access violation is detected and
+ interrupt reporting is enabled in the slot configuration (IR or IW
+ bits set).
+
+ '#access-controller-cells':
+ const: 7
+ description: |
+ Specifier for one access-control rule, encoded as seven u32 cells:
+ <addr-hi addr-lo size-hi size-lo perm-hi perm-lo config>
+
+ where:
+ - addr-hi, addr-lo: 64-bit base address of the protected region.
+ - size-hi, size-lo: 64-bit size of the protected region in bytes.
+ - perm-hi: Permission bitmap for WIDs 16..31. Two bits per WID:
+ bit 2*(WID-16) = Read permission
+ bit 2*(WID-16)+1 = Write permission
+ Set bits grant access. Use 0x0 for systems with
+ riscv,nworlds <= 16.
+ - perm-lo: Permission bitmap for WIDs 0..15. Two bits per WID:
+ bit 2*WID = Read permission
+ bit 2*WID+1 = Write permission
+ Set bits grant access.
+ - config: Slot configuration bits:
+ Bit 0 (ER): Report read violations as bus errors
+ Bit 1 (EW): Report write violations as bus errors
+ Bit 2 (IR): Report read violations via interrupt
+ Bit 3 (IW): Report write violations via interrupt
+ Bit 4 (L): Lock bit - prevents further modification
+ Bits 5..31 are reserved and must be zero.
+
+ Multiple entries may be listed to apply different policies to
+ different address ranges, including sub-ranges within a single
+ physical resource.
+
+required:
+ - compatible
+ - reg
+ - '#access-controller-cells'
+
+additionalProperties: false
+
+examples:
+ - |
+ #include <dt-bindings/interrupt-controller/irq.h>
+
+ // Example 1: Single device protection
+ // WID 0 and WID 3 have RW access to UART; errors and IRQs reported.
+
+ cpus {
+ #address-cells = <1>;
+ #size-cells = <0>;
+ timebase-frequency = <1000000>;
+ riscv,nworlds = <4>;
+ sifive,trustedwid = <3>;
+
+ cpu@0 {
+ device_type = "cpu";
+ reg = <0>;
+ compatible = "riscv";
+ riscv,isa = "rv64imac";
+ };
+ };
+
+ soc {
+ #address-cells = <2>;
+ #size-cells = <2>;
+
+ uart: uart@1c1000 {
+ compatible = "ns16550a";
+ reg = <0x0 0x001c1000 0x0 0x1000>;
+ reg-names = "control";
+ interrupts = <10 IRQ_TYPE_LEVEL_HIGH>;
+ // WID 0,3 RW; report errors+IRQs
+ access-controllers = <&wgchecker0
+ 0x0 0x001c1000 0x0 0x00001000
+ 0x0 0x000000c3 0x0f>;
+ };
+
+ wgchecker0: wgchecker@1c2000 {
+ compatible = "sifive,wgchecker2";
+ reg = <0x0 0x001c2000 0x0 0x1000>;
+ #access-controller-cells = <7>;
+ interrupts = <80 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-parent = <&aplic_m>;
+ };
+ };
+
+ - |
+ #include <dt-bindings/interrupt-controller/irq.h>
+
+ // Example 2: Multi-reg device with separate per-range rules
+ // m_mode: WID 3 only; s_mode: WID 0,3 RW.
+
+ cpus {
+ #address-cells = <1>;
+ #size-cells = <0>;
+ timebase-frequency = <1000000>;
+ riscv,nworlds = <16>;
+ sifive,trustedwid = <3>;
+
+ cpu@0 {
+ device_type = "cpu";
+ reg = <0>;
+ compatible = "riscv";
+ riscv,isa = "rv64imac";
+ };
+ };
+
+ soc {
+ #address-cells = <2>;
+ #size-cells = <2>;
+
+ device: device@10000 {
+ compatible = "vendor,soc1-ip";
+ reg = <0x0 0x00010000 0x0 0x8000>,
+ <0x0 0x00a00000 0x0 0x4000>;
+ reg-names = "m_mode", "s_mode";
+ // m_mode: WID 3 only; s_mode: WID 0,3 RW
+ access-controllers = <&wgchecker1
+ 0x0 0x00010000 0x0 0x00008000
+ 0x0 0x000000c0 0x0f>,
+ <&wgchecker1
+ 0x0 0x00a00000 0x0 0x00004000
+ 0x0 0x000000c3 0x0f>;
+ };
+
+ wgchecker1: wgchecker@35000 {
+ compatible = "sifive,wgchecker2";
+ reg = <0x0 0x00035000 0x0 0x1000>;
+ #access-controller-cells = <7>;
+ interrupts = <81 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-parent = <&aplic_m>;
+ };
+ };
+
+ - |
+ #include <dt-bindings/interrupt-controller/irq.h>
+
+ // Example 3: DRAM partitioning with secure enclave
+ // Sub-range 1 [0x80000000, 0xC0000000): WID 0,1,3 RW
+ // Sub-range 2 [0xC0000000, 0xC1000000): WID 1,3 only (secure enclave)
+ // Sub-range 3 [0xC1000000, 0x100000000): WID 0,1,3 RW
+
+ cpus {
+ #address-cells = <1>;
+ #size-cells = <0>;
+ timebase-frequency = <1000000>;
+ riscv,nworlds = <4>;
+ sifive,trustedwid = <3>;
+
+ cpu@0 {
+ device_type = "cpu";
+ reg = <0>;
+ compatible = "riscv";
+ riscv,isa = "rv64imac";
+ };
+ };
+
+ soc {
+ #address-cells = <2>;
+ #size-cells = <2>;
+
+ ddr: memory@80000000 {
+ device_type = "memory";
+ reg = <0x0 0x80000000 0x0 0x80000000>;
+ access-controllers =
+ <&wgchecker2
+ 0x0 0x80000000 0x0 0x40000000
+ 0x0 0x000000cf 0x0f>,
+ <&wgchecker2
+ 0x0 0xc0000000 0x0 0x01000000
+ 0x0 0x000000cc 0x0f>,
+ <&wgchecker2
+ 0x0 0xc1000000 0x0 0x3f000000
+ 0x0 0x000000cf 0x0f>;
+ };
+
+ wgchecker2: wgchecker@40000000 {
+ compatible = "sifive,wgchecker2";
+ reg = <0x0 0x40000000 0x0 0x1000>;
+ #access-controller-cells = <7>;
+ interrupts = <82 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-parent = <&aplic_m>;
+ };
+ };
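Review bot: The '#access-controller-cells' description does not define what the checker does with addresses that no specifier covers, or with specifiers whose ranges overlap. Example 3 tiles the whole DDR reg range with three rules, but nothing in the schema requires that, so a missing or overlapping entry has an unspecified effect on isolation; state the default (deny or allow) and the precedence. The text should also say who is expected to set the L bit, since every example uses config 0x0f and leaves the slot unlocked, and it should reconcile "supports up to 32 World IDs" with the riscv,nworlds maximum of 64 in worlds.yaml.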
--
2.43.7
^ permalink raw reply related [flat|nested] 7+ messages in thread
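The seven-cell access-controllers specifier described in the sifive,wgchecker2 binding above, decoded and sanity-checked in Python. This is an added example, not part of the posted series or of any SiFive tooling: `decode_rule`, `lint_rules` and the gap/overlap and unreported-violation checks are assumptions of the example, the first sample is Example 3 from the binding, and the second sample is constructed.

```python
from dataclasses import dataclass

# Slot configuration bits as listed in the binding description.
CONFIG_BITS = {0: "ER", 1: "EW", 2: "IR", 3: "IW", 4: "L"}
CONFIG_RESERVED = 0xFFFFFFE0  # bits 5..31 must be zero
U32_MAX = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:  # hypothetical helper type, not from the binding
    base: int
    size: int
    perms: dict        # WID -> "R", "W" or "RW"; WIDs without access are absent
    config: frozenset  # names of the config bits that are set

    @property
    def end(self):
        return self.base + self.size


def decode_rule(cells):
    """Decode <addr-hi addr-lo size-hi size-lo perm-hi perm-lo config>."""
    if len(cells) != 7 or any(not 0 <= c <= U32_MAX for c in cells):
        raise ValueError("specifier must be seven u32 cells")
    addr_hi, addr_lo, size_hi, size_lo, perm_hi, perm_lo, config = cells
    if config & CONFIG_RESERVED:
        raise ValueError(f"reserved config bits set: {config:#x}")
    # perm-hi covers WIDs 16..31, perm-lo WIDs 0..15; joined as one 64-bit
    # bitmap, bit 2*WID is read and bit 2*WID+1 is write for every WID.
    bitmap = (perm_hi << 32) | perm_lo
    perms = {}
    for wid in range(32):
        bits = (bitmap >> (2 * wid)) & 0x3
        if bits:
            perms[wid] = ("R" if bits & 1 else "") + ("W" if bits & 2 else "")
    flags = frozenset(n for b, n in CONFIG_BITS.items() if (config >> b) & 1)
    return Rule((addr_hi << 32) | addr_lo, (size_hi << 32) | size_lo, perms, flags)


def lint_rules(rules, reg, nworlds):
    """Check the rules protecting one reg = (base, size) entry.

    The gap/overlap and unreported-violation checks are policy assumptions
    of this example; the binding does not define either case.
    """
    findings = []
    reg_base, reg_end = reg[0], reg[0] + reg[1]
    cursor = reg_base
    for rule in sorted(rules, key=lambda r: r.base):
        where = f"[{rule.base:#x}, {rule.end:#x})"
        if rule.size == 0:
            findings.append(f"{where}: empty range")
        if rule.base < reg_base or rule.end > reg_end:
            findings.append(f"{where}: outside reg")
        if rule.base < cursor and cursor > reg_base:
            findings.append(f"{where}: overlaps previous rule")
        elif rule.base > cursor:
            findings.append(f"[{cursor:#x}, {rule.base:#x}): no rule covers this range")
        cursor = max(cursor, rule.end)
        stray = sorted(w for w in rule.perms if w >= nworlds)
        if stray:
            findings.append(f"{where}: grants WIDs {stray} >= riscv,nworlds")
        for access, bits in (("read", {"ER", "IR"}), ("write", {"EW", "IW"})):
            if not bits & rule.config:
                findings.append(f"{where}: {access} violations are not reported")
    if cursor < reg_end:
        findings.append(f"[{cursor:#x}, {reg_end:#x}): no rule covers this range")
    return findings


# Example 3 from the binding: DDR at 0x80000000, size 0x80000000, nworlds = 4.
EXAMPLE3_REG = (0x80000000, 0x80000000)
EXAMPLE3_CELLS = [
    (0x0, 0x80000000, 0x0, 0x40000000, 0x0, 0x000000CF, 0x0F),
    (0x0, 0xC0000000, 0x0, 0x01000000, 0x0, 0x000000CC, 0x0F),
    (0x0, 0xC1000000, 0x0, 0x3F000000, 0x0, 0x000000CF, 0x0F),
]

# Constructed faulty variant: enclave rule missing, WID 5 granted read on a
# four-world system, and write violations unreported on the last range.
CONSTRUCTED_BAD_CELLS = [
    (0x0, 0x80000000, 0x0, 0x40000000, 0x0, 0x000004CF, 0x0F),
    (0x0, 0xC1000000, 0x0, 0x3F000000, 0x0, 0x000000CF, 0x05),
]

if __name__ == "__main__":
    for cells in (EXAMPLE3_CELLS, CONSTRUCTED_BAD_CELLS):
        rules = [decode_rule(c) for c in cells]
        for rule in rules:
            print(f"[{rule.base:#x}, {rule.end:#x}) {rule.perms} {sorted(rule.config)}")
        for finding in lint_rules(rules, EXAMPLE3_REG, nworlds=4):
            print("  finding:", finding)
```
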
* Re: [RFC PATCH 2/3] dt-bindings: riscv: Add Worlds per-hart properties
2026-06-19 10:58 ` [RFC PATCH 2/3] dt-bindings: riscv: Add Worlds per-hart properties Yu-Chien Peter Lin
@ 2026-06-19 10:59 ` sashiko-bot
0 siblings, 0 replies; 7+ messages in thread
From: sashiko-bot @ 2026-06-19 10:59 UTC (permalink / raw)
To: Yu-Chien Peter Lin; +Cc: robh, devicetree, conor+dt
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Incorrect and unnecessary schema reference: `cpus.yaml` (which validates child `/cpus/cpu@*` nodes) improperly includes a `$ref` to `worlds.yaml` (which validates the parent `/cpus` container node). This erroneously bleeds parent constraints into the child schema.
--
commit 2b4a193c4b5716c3f96b6ae87becc46dcf104835
Author: Yu-Chien Peter Lin <peter.lin@sifive.com>
dt-bindings: riscv: Add Worlds per-hart properties
This commit adds per-hart device tree properties for the RISC-V Worlds
architecture, such as riscv,pmwid and riscv,pmwidlist. These platform-defined
values are used by M-mode firmware to configure World ID CSRs and restrict
usage across privilege levels.
> diff --git a/Documentation/devicetree/bindings/riscv/cpus.yaml b/Documentation/devicetree/bindings/riscv/cpus.yaml
> index 5feeb2203050a..4b5778b6d3e70 100644
> --- a/Documentation/devicetree/bindings/riscv/cpus.yaml
> +++ b/Documentation/devicetree/bindings/riscv/cpus.yaml
> @@ -26,6 +26,7 @@ description: |
> allOf:
> - $ref: /schemas/cpu.yaml#
> - $ref: extensions.yaml
> + - $ref: worlds.yaml
[Severity: Medium]
Does this reference unintentionally bleed the parent container properties into
the child hart nodes?
The schema worlds.yaml is designed to validate the system-wide /cpus node
via its select: pattern: "^cpus$", while cpus.yaml validates the individual
/cpus/cpu@* nodes. By referencing worlds.yaml here, properties meant for
the parent container leak into the child schema. Any future properties added
to worlds.yaml would implicitly bypass unevaluatedProperties strict
evaluation on the cpu@* nodes.
> - if:
> not:
[ ... ]
> @@ -120,11 +121,31 @@ properties:
> thead systems where the vector register length is not identical on all harts, or
> the vlenb CSR is not available.
[ ... ]
> # RISC-V requires 'timebase-frequency' in /cpus, so disallow it here
> timebase-frequency: false
> + # RISC-V requires 'riscv,nworlds' in /cpus, so disallow it here
> + riscv,nworlds: false
[Severity: Medium]
Is this explicit disallowance a workaround for pulling in the parent schema
via the reference above?
If the reference to worlds.yaml is removed from the allOf block, this manual
workaround shouldn't be necessary. Removing the reference would also prevent
future parent properties from silently sneaking into the child node schemas.
>
> interrupt-controller:
> type: object
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260619105834.1277302-1-peter.lin@sifive.com?part=2
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC PATCH 3/3] dt-bindings: sifive: Add WorldGuard Checker
2026-06-19 10:58 ` [RFC PATCH 3/3] dt-bindings: sifive: Add WorldGuard Checker Yu-Chien Peter Lin
@ 2026-06-19 10:59 ` sashiko-bot
0 siblings, 0 replies; 7+ messages in thread
From: sashiko-bot @ 2026-06-19 10:59 UTC (permalink / raw)
To: Yu-Chien Peter Lin; +Cc: conor+dt, robh, devicetree
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
- [High] The `#access-controller-cells` specifier inappropriately encodes 64-bit absolute physical addresses and sizes, bypassing Devicetree's native address translation.
- [Low] The schema examples reference an undefined label `&aplic_m`, causing a `dt_binding_check` compilation failure.
- [Low] The `sifive,trustedwid` property is not explicitly disallowed in `riscv/cpus.yaml`, allowing it to bypass schema validation if erroneously placed in a `cpu@*` node.
- [Low] The examples in `sifive,wgchecker2.yaml` omit the required `interrupt-controller` child node in their `cpu@0` definitions, leading to a schema validation error.
--
commit 26cbbd0f7310c04b5d6fe920375466bc89dd2479
Author: Yu-Chien Peter Lin <peter.lin@sifive.com>
dt-bindings: sifive: Add WorldGuard Checker
This commit adds a Device Tree binding for the SiFive wgChecker2, a
hardware firewall enforcing World ID (WID) based access control. It enables
spatial partitioning of memory and memory-mapped devices by providing checker
slots to program per-WID permissions.
Link: https://github.com/riscvarchive/security/blob/main/papers/worldguard%20proposal.pdf
> diff --git a/Documentation/devicetree/bindings/riscv/worlds.yaml b/Documentation/devicetree/bindings/riscv/worlds.yaml
> index cc8b3747591eb..c39a06c2dd8d3 100644
> --- a/Documentation/devicetree/bindings/riscv/worlds.yaml
> +++ b/Documentation/devicetree/bindings/riscv/worlds.yaml
> @@ -34,6 +34,14 @@ properties:
> minimum: 2
> maximum: 64
>
> + sifive,trustedwid:
> + $ref: /schemas/types.yaml#/definitions/uint32
[Severity: Low]
Because riscv/cpus.yaml includes worlds.yaml via $ref, does this
allow the property to be erroneously placed on individual cpu@* nodes
without failing validation?
To enforce correct usage, should sifive,trustedwid: false be explicitly
added to riscv/cpus.yaml, similar to riscv,nworlds: false?
[ ... ]
> diff --git a/Documentation/devicetree/bindings/sifive/sifive,wgchecker2.yaml b/Documentation/devicetree/bindings/sifive/sifive,wgchecker2.yaml
> new file mode 100644
> index 0000000000000..043c748385ed4
> --- /dev/null
> +++ b/Documentation/devicetree/bindings/sifive/sifive,wgchecker2.yaml
[ ... ]
> + '#access-controller-cells':
> + const: 7
> + description: |
> + Specifier for one access-control rule, encoded as seven u32 cells:
> + <addr-hi addr-lo size-hi size-lo perm-hi perm-lo config>
[Severity: High]
Does encoding absolute physical addresses and sizes directly into the
access-controllers array bypass Devicetree's native address translation?
If the protected device is behind a bus with a translation mapping, or if
a bootloader dynamically patches reg sizes, the hardcoded addresses in the
firewall configuration might be incorrect since they are opaque to DT
address translation APIs.
[ ... ]
> + cpus {
> + #address-cells = <1>;
> + #size-cells = <0>;
> + timebase-frequency = <1000000>;
> + riscv,nworlds = <4>;
> + sifive,trustedwid = <3>;
> +
> + cpu@0 {
> + device_type = "cpu";
> + reg = <0>;
> + compatible = "riscv";
> + riscv,isa = "rv64imac";
> + };
[Severity: Low]
Will this omission cause a dt_binding_check failure?
When validated against riscv/cpus.yaml, the schema strictly mandates an
interrupt-controller child node for cpu@0 nodes with compatible = "riscv".
[ ... ]
> + wgchecker0: wgchecker@1c2000 {
> + compatible = "sifive,wgchecker2";
> + reg = <0x0 0x001c2000 0x0 0x1000>;
> + #access-controller-cells = <7>;
> + interrupts = <80 IRQ_TYPE_LEVEL_HIGH>;
> + interrupt-parent = <&aplic_m>;
[Severity: Low]
Is the aplic_m label defined anywhere in these examples?
It appears missing, which might cause make dt_binding_check to fail with a
"Reference to non-existent node or label" error.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260619105834.1277302-1-peter.lin@sifive.com?part=3
^ permalink raw reply [flat|nested] 7+ messages in thread