We’ve covered CHERI, and our involvement with the development of the ARM Morello yocto layer before, so for those who aren’t aware of what it is we recommend looking back through our previous blog posts on Introducing ARM Morello and CHERI, and Linux Yocto layer for the ARM Morello board,
CHERI (Capability Hardware Enhanced RISC Instructions) enables finely-grained memory protection and scalable software compartmentalisation into the hardware. Unlike traditional memory pointers, a CHERI-enabled pointer contains metadata on how that memory may be used such as the memory’s bounds and permissions. A major benefit of this approach is that existing (potentially large/legacy) C/C++ codebases can be recompiled with minimal changes, instead of needing to be ported to a new memory-safe language like Rust or Go,.
CHERI’s Evolution
CHERI began in 2010 as a joint research project between the University of Cambridge and SRI International and since then has been driven by a growing collaborative ecosystem, which now combines academia, open-source developers, and industry.
- 2010 – Initial research by the University of Cambridge and SRI International on what could be done at a hardware level to improve memory safety as part of the DARPA CRASH program. Initial research focussed on the MIPS instruction set.
- 2014 – CHERI successfully runs full FreeBSD, proving OS compatibility. Arm begins collaboration.
- 2017 – CHERI first ported to RISC-V architecture.
- 2019 – The Arm Morello program is announced, a UKRI-funded project to develop a CHERI-enabled Arm prototype processor.
- 2022 – ARM Delivers CHERI-enabled Morello prototype SoC and development boards
- 2023 – The Good Penguin 🐧(that’s us!) publishes and becomes the maintainer of the official ARM Morello Yocto layer. Microsoft open-sources CHERIoT a CHERI enabled RISC-V microcontroller ISA for low costs embedded devices
- 2024 – CHERI Alliance CIC is launched to drive global adoption and standardisation. Codasip releases their RISC-V X730 processor IP, an adaptation of their existing A730 application-class processor with CHERI support. Codasip donate their CHERI-SDK to the CHERI Alliance, with the intention of those materials becoming public.
What’s happening now / next for the CHERI ecosystem?
Recent focus has been driving the development of CHERI in RISC-V in the RISC-space for CHERI instructions,
- Continued development of CheriBSD, an extension to FreeBSD to take advantage of capability hardware on ARM Morello or CHERI-RISC-V.
- The UK Department for Science, Innovation and Technology (DSIT) has run a competition to fund activities for maturing and growing the availability of off-the-shelf implementations of CHERI enabled devices (both hardware and software).
- UK Research and Innovation (UKRI) are providing funding to establish and operate a central CHERI Tools and Software Hub that will act as a strategic, collaborative engineering organisation
- We continue to maintain the Arm Morello yocto-layer
- Non-FPGA based hardware seems to be on the horizon for microcontroller level CHERI RISC-V devices from ICENI, with availability coming soon
- Codasip have announced their Codasip Prime development board, which uses their X730 CHERI-enabled RISC-V applications processor (FPGA based)
- Work is ongoing by some of the members of the Cheri-Alliance to create an up to date RISC-V CHERI Linux distribution, but to date there are no published yocto layers.
How can I get started with Linux on CHERI RISC-V?
At the time of writing, Codasip’s RISC-V CHERI SDK has not been fully published on the CHERI-Alliance GitHub. But, work previously done by researchers at Fraunhofer-Gesellschaft On CHERIfying Linux has been published on their GitHub, so we will focus on that.
Their aim was to validate the performance and security benefits of CHERI on a widely used system like the Linux Kernel. They have made modifications to the core kernel, its memory management, RISC-V bootstrap and selected drivers to enable compilation with CHERI, correcting instances where kernel code was accessing memory beyond its allocated bounds often only due to compiler optimisations. In the userspace, they modified the program loader to correctly handle CHERI-compiled user programs.
Their published implementation uses Buildroot as the build system, which we will be using to build a working CHERI enabled RISC-V system running under a CHERRI-enabled version of QEMU.
As their version is a few years old now, it is simplest to use a containerised build system so we can ensure we have all the correct dependencies available. We’ve written a handy Dockerfile to handle this:
FROM ubuntu:22.04
ENV DEBIAN_FRONTEND noninteractive
# Install Dependencies
RUN apt-get update
RUN apt install -y bison flex git file build-essential wget cpio unzip rsync bc libncurses5-dev screen python3 ninja-build clang-13 sudo
# Create build user
RUN adduser --quiet --disabled-password --gecos 'user' build
RUN echo build:build | chpasswd
RUN usermod -aG sudo build
RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
# Create link between installed clang binaries and clan
RUN ln -s /usr/bin/clang-13 /usr/bin/clang
RUN ln -s /usr/bin/clang++-13 /usr/bin/clang++
# Switch to 'build' user
USER build
WORKDIR /build
CMD "/bin/bash"To build and run this container as an interactive shell we need to build the container image, and run it. We can do this all in one with this:
docker run --rm -it --volume ./build:/build $(docker build -q .)Let’s break down what this is doing:
docker run– This tells the runtime we want to run a container--rm– Remove the created container after it has stopped--it– Run the container in interactive mode--volume ./build:build– Mount the folder “build” from the current directory on the host to /build inside the container (to persist the build files)$(docker build -q .)– This command will build a docker image from the Dockerfile in the current directory and pass the image id to the docker run command
After running the above command you should find yourself in a terminal session:
build@b8257b0082cb:/build$ Now we’ve got our containerised build environment set-up, let’s move onto building CHERI-Linux. First, clone their Buildroot configuration from github:
git clone https://github.com/cheri-linux/buildroot.git
cd buildrootAs this version is a few years old now there is a fix we need to make to update the version of the expat package to the latest version. This is because as new versions of this package get released and security vulnerabilities get patched, old versions of expat get renamed to prevent getting auto-pulled. At the time of writing the latest version is 2.7.1 so to replace the version 2.4.9 it comes with we run the command:
sed 's/2.4.9/2.7.1/g' package/expat-cheri/expat-cheri.mk -iWe’ve chosen to build the hybrid kernel + purecap userspace with GNU Libc, which uses the qemu_riscv64cheri_glibc_defconfig configuration file:
make O=riscv64cheri qemu_riscv64cheri_glibc_defconfig
cd riscv64cheri Finally start the build. For the fastest build time we can build with all our cores:
make -j$(nproc)This process will take some time (system dependent) but once the build has completed successfully you can execute the emulator using the script provided in build/run128_riscv.sh and passing in the path to the risc64cheri folder. From the repository root:
./build/run128_cheri.sh risc64cheriYou should now see QEMU start to boot, login with root and check version:
Welcome to Buildroot
buildroot login: root
uname -a
Linux buildroot 5.15.48 #1 Tue Jun 17 15:47:08 UTC 2025 riscv64 GNU/Linux🎉Congratulations🎉 You are now running CHERI RISC-V Linux inside the QEMU emulator! It’s also worth noting that now you have built the container, you can run the emulator directly from your host OS with the same script.
We’ve tried to cover over a decade of progress here so if you’re interested in reading further about the state of the CHERI ecosystem or more of a technical overview of CHERI, we recommend starting with videos from the 2025 CHERI Blossoms event, which can be found on the CHERI-Alliance youtube channel