Update README.md #20

Merged
merged 1 commit into from
Jan 26, 2024
29 changes: 21 additions & 8 deletions README.md
Expand Up @@ -23,9 +23,11 @@ Any use of third-party trademarks or logos are subject to those third-party's po
## Introduction
cheriot-ibex is 32-bit RISC-V microcontroller which implements the CHERIoT ISA extension in addition to RV32IMCB. Same as the original ibex core, the design can be configured either with a 2-stage or a 3-stage pipeline. It has passed preliminary simulation and FPGA validation, and is currently undergoing further verification as well as PPA analysis at Microsoft.

![image](https://github.com/microsoft/cheriot-ibex/assets/116126768/51b768f5-a528-4d93-bce4-392ac2fe1488)

## CHERIoT ISA support

cheriot-ibex supports all 30 instructions listed in the CHERIoT ISA specification, including
cheriot-ibex supports all instructions listed in the [CHERIoT ISA specification](https://github.com/microsoft/cheriot-sail/tree/main/archdoc), including

- To query or test capabilities: cgetaddr, cgetbase, cgetlen, cgetperm, cgettag, cgettop, cgettype, ctestsubset, csetequalexact, csub
- To modify or derive capabilities: auicgp, auipcc, candperm, ccleartag, cincaddr, cincaddrimm, cmove, cram, crrl, csetaddr, csetbounds, csetboundsexact, csetboundsimm, cseal, cunseal
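
Review bot: the new specification link in the "CHERIoT ISA support" sentence points at `tree/main/archdoc`, a moving branch, and the explicit count of 30 instructions is dropped, so "supports all instructions" no longer says which revision of the specification the core was checked against. Consider linking a tagged release or commit of cheriot-sail, or naming the spec version in the sentence. The added figure also uses the placeholder alt text `image`; a short description of what it shows would help readers who cannot load it.
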
Expand All @@ -52,10 +54,10 @@ Per CherIoT specification, the following SCR's are implemented,
- MEPCC (address 31), which replaces mepc.

In addition, the following SCR's are added for debug support
- CDPC (address 24)
- CDScratch0 (address 25)
- CDScratch1 (address 26)
- CDBGCTRL (address 27)
- DEPCC (address 24)
- DScratchC0 (address 25)
- DScratchC1 (address 26)
- ZTOPC (address 27)

The PC capability register (PCC) is also implemented as part of the CSR module.
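
Review bot: in the debug SCR list, address 27 changes from CDBGCTRL to ZTOPC, but the list is still introduced as "added for debug support", while the accelerator section added later in this PR describes ZTOPC as the register that controls the stack zeroization engine (STKZ). Either move ZTOPC out of the debug list into its own sentence or reword the lead-in so it covers non-debug SCRs. It would also help to state whether CDBGCTRL was removed or relocated, since the README now assigns address 27 a different function.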

Expand All @@ -71,11 +73,22 @@ Exceptions are generated in the case of access rule violations.

## Temporal memory safety support

The cheriot-ibex CLC implementation provides an optional load-barrier feature. When enabled (cheri_tsafe_en_i == 1), CLC checks a memory area which contains shadow flag bits for all memory data blocks at 8-byte granularity. The tag bit of the loaded capability is cleared if the corresponding shadow bits == 1 (revoked).
The cheriot-ibex CLC implementation provides an optional load-filter feature. When enabled (cheri_tsafe_en_i == 1), the CLC instruction checks a memory area which contains shadow bits for the heap memory data at 8-byte granularity. The tag bit of the loaded capability is cleared if the corresponding shadow bits == 1 (revoked). The shadow bits are accessed through a dedicated memory interface (tsmap_*).

## Integrated hardware accelerators

When configured accordingly, cheriot-ibex contains 2 internal tightly-coupled hardware accelerators,
- The background revocation engine (TBRE). The TBRE engine is controlled by a memory-mapped registor interface. When activated, the engine scans a designated memory region and check all capabilities stored in the region against the revocation shadowbits area. If a match is found, the tag of the capability is cleared and stored back to the same memory location.
- The stack zerorization engine (STKZ). The STKZ engine is controlled by the special capability register ZTOPC. The STKZ is used to zeroize a (stack) memory region as specified by ZTOPC, in order to facilitate context switching.

Note that the main CPU pipeline, TBRE and STKZ all use the load-store unit to access the data memory space. The priorities in the case of contention are,
1. CPU pipeline (highest priority)
2. STKZ
3. TBRE (lowest priority)

## Backward compatibility

cheriot-ibex provides a backward-compatibility mode which is enabled by setting the input cheri_pmode_i = 1. In this mode, the CheirIoT instructions can still execute, however all access rules are disabled and any binary code generated by non-Cheri RV32 compilers can run unmodified in cheriot-ibex.
cheriot-ibex provides a backward-compatibility mode which is enabled by setting the input cheri_pmode_i = 1. In this mode, all CheirIoT features are disabled. The cheriot-ibex core is logically equivalent to the non-CHERIoT ibex core and runs unmodified RV32IMC binaries.

## Design configuration parameters
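
Review bot: the contention list at the end of "Integrated hardware accelerators" gives TBRE the lowest priority on the load-store unit, but the section does not say how software learns that a revocation scan has finished or whether sustained CPU traffic can delay it. Capabilities in the scanned region keep their tags until the engine reaches them, so a sentence on completion status, or a pointer to the register description, belongs here. The same section says "When configured accordingly" without naming the parameter; the configuration table ties both engines to CheriTBRE, so name it. In "Backward compatibility" the new text says the core "runs unmodified RV32IMC binaries" while the Introduction says RV32IMCB; please make the two agree. Spelling in the added lines: "registor" (register), "zerorization" (zeroization, to match "zeroize" in the same bullet), "check" (checks), "shadowbits" (shadow bits), and "CheirIoT", which is carried over from the old line.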

Expand All @@ -87,7 +100,7 @@ cheriot-ibex design added the following configuration parameters,
| DataWidth | Data bus width for load/store interface. <br /> Use 32 when CHERIoTEn = 0, 33 when CHERIoTEn = 1. |
| CheriPPLBC | Configures pipelined implementation of load-barrier CLC. <br /> 0: non-pipelined implementation <br /> 1: pipelined implementation (better performance but needs a separate memory read interface).|
| CheriSBND2 | Selects number of cycles taken by csetbounds* instructions. <br /> 0: csetbounds* takes 1 cycle. <br /> 1: csetbounds* takes 2 cycle (better fmax timing). |
| CheriTBRE | Configures the hardware background revoker engine (TBRE). <br /> 0: Disables TBRE. <br /> 1: Enables TBRE.
| CheriTBRE | Configures the TBRE and STKZ. <br /> 0: Disables TBRE/STKZ. <br /> 1: Enables TBRE/STKZ.
| MemCapFmt | Selects the format used to store capabilities in memory. <br /> 0: use canonical memory capbility format. <br /> 1: use the alternative memory capability format (better memory access timing). |
|HeapBase|32-bit starting address of the system heap memory. <br /> only capabilities whose base pointing to an address in the heap space are subject to load-barrier checks during CLC.|
|TSMapSize|size of the shadow bits memory (in 32-bit words) used by the load-barrier operation. <br /> e.g., 1024 = 32k bits which covers 256kB heap memory. <br />This parameter is only used when CheriPPLSBC == 1.|
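
Review bot: the new CheriTBRE row still has no closing `|`, unlike the rows around it, which can break table rendering in some Markdown renderers; add it while the line is being touched. The row now makes one parameter gate both TBRE and STKZ, which the name no longer suggests, so say in the description that the two engines cannot be enabled separately, or consider a neutral name. The unchanged rows still say "load-barrier" (CheriPPLBC, HeapBase, TSMapSize) although this PR renames the feature to "load-filter" in the temporal memory safety section, and the TSMapSize row refers to `CheriPPLSBC` while the parameter row above spells it `CheriPPLBC`; both are worth fixing in the same pass.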