从零开始学RISC：第十五篇

三权分立：USM

我们在从零开始学RISC：第十三篇中支持了基础的机器模式M-Mode所需要的CSR寄存器。运行一些简单的程序大抵是够了，如裸机C程序或是汇编等。但在实际生产环境中，这根本不够。

我们考虑更复杂的情况。RISC-V规范规定，M 模式是唯一强制要求的模式，U 模式面向应用，而 S 模式面向操作系统。特权级就是用来给软件栈不同组件之间做保护的，为了后续能更方便地移植，我们这里就要考虑不同的特权级对不同指令进行分层，分出个三六九等。低等指令禁止访问高等资源，就是这种感觉。

放到实际系统里，就是：

U 模式跑用户进程；
S 模式跑内核；
M 模式留给最底层固件/安全监控/平台控制。

这样应用、内核、固件三层彼此分开，任何一层出问题，都不至于直接拿到“整机最高权限”。

实际上，RISC-V 规范本身就把只支持 M 的实现定位在简单嵌入式系统，支持M和U的算是更强调隔离的嵌入式系统，而同时支持M、U与S，才算是面向类 Unix 系统的典型组合。

defines.svh 修改

首先加一些需要用到的宏：

// ================== CSR    定义 ==================
    `define CSR_SSTATUS        12'h100
    `define CSR_SIE            12'h104
    `define CSR_STVEC          12'h105
    `define CSR_SSCRATCH       12'h140
    `define CSR_SEPC           12'h141
    `define CSR_SCAUSE         12'h142
    `define CSR_STVAL          12'h143
    `define CSR_SIP            12'h144
    `define CSR_SATP           12'h180
    `define CSR_MSTATUS        12'h300
    `define CSR_MEDELEG        12'h302
    `define CSR_MIDELEG        12'h303
    `define CSR_MTVEC          12'h305
    `define CSR_MEPC           12'h341
    `define CSR_MCAUSE         12'h342
    `define CSR_MIE            12'h304
    `define CSR_MIP            12'h344
    `define CSR_CYCLE          12'hC00
    `define CSR_CYCLEH         12'hC80
    `define CSR_INSTRET        12'hC02
    `define CSR_INSTRETH       12'hC82
    `define CSR_MISA           12'h301
    `define CSR_MSCRATCH       12'h340
    `define CSR_MTVAL          12'h343
    `define CSR_MCYCLE         12'hB00
    `define CSR_MCYCLEH        12'hB80

// ================== Privilege 定义 ==================
    `define PRV_U               2'b00
    `define PRV_S               2'b01
    `define PRV_M               2'b11

// ================== Exception Cause 定义 ==================
    `define EXC_INST_MISALIGNED 32'd0
    `define EXC_ILLEGAL_INSTR   32'd2
    `define EXC_BREAKPOINT      32'd3
    `define EXC_LOAD_MISALIGNED 32'd4
    `define EXC_STORE_MISALIGNED 32'd6
    `define EXC_ECALL_U         32'd8
    `define EXC_ECALL_S         32'd9
    `define EXC_ECALL_M         32'd11

CSR 修改

我们之前只加了M-Mode下几个关键的CSR寄存器。现在，我们需要补全——包括M、U与S。

首先，将原来的xret接口多加一个，加上sret信号输入。对于输出，我们直接写成xret，将它们合并——因为同一时间只能存在一种ret信号。

此外，我们还要加上当前特权级输出，以便中断或异常时进行特权级修改。

接着是定义一堆function，用于简化操作。

`include "include/defines.svh"

// CSR（控制和状态寄存器）模块
// 实现 RV32I 的 Zicsr 扩展，并提供最小可工作的 M/S/U 特权支持。
// 当前不实现中断控制、分页翻译和 vectored trap，仅支持同步异常与 xRET。
module CSR (
    input  logic        clk,
    input  logic        rst_n,

    // CSR 指令接口
    input  logic        csr_we,
    input  logic [11:0] csr_addr,
    input  logic [31:0] csr_wdata,
    input  logic [ 2:0] csr_op,
    output logic [31:0] csr_rdata,

    // 异常/陷阱接口
    input  logic        exception_valid,
    input  logic [31:0] exception_pc,
    input  logic [31:0] exception_cause,
    input  logic [31:0] exception_tval,

    // xRET 接口
    input  logic        mret_valid,
    input  logic        sret_valid,

    // Shadow stack / landing pad 状态更新
    input  logic        ssp_update_valid,
    input  logic [31:0] ssp_update_data,
    input  logic        elp_update_valid,
    input  logic        elp_update_expected,

    // 陷阱输出
    output logic        trap_to_mmode,
    output logic [31:0] trap_target,
    output logic [31:0] xret_target,

    // 当前特权状态输出
    output logic [ 1:0] current_priv_mode,
    output logic        mstatus_tsr,
    output logic        mstatus_tvm,
    output logic        current_sse_enabled,
    output logic        current_lpe_enabled,
    output logic        elp_expected,
    output logic [31:0] ssp_value
);

// 机器级 CSR
    logic [31:0] mstatus;
    logic [31:0] mstatush;
    logic [31:0] mtvec;
    logic [31:0] mepc;
    logic [31:0] mcause;
    logic [31:0] mscratch;
    logic [31:0] mtval;
    logic [31:0] mie;
    logic [31:0] mip;
    logic [31:0] misa;
    logic [31:0] medeleg;
    logic [31:0] mideleg;
    logic [31:0] menvcfg;
    logic [31:0] mseccfg;

// 监督级 CSR
    logic [31:0] stvec;
    logic [31:0] sepc;
    logic [31:0] scause;
    logic [31:0] sscratch;
    logic [31:0] stval;
    logic [31:0] satp;
    logic [31:0] senvcfg;

    // Zicfiss/Zicfilp 状态
    logic [31:0] ssp;
    logic        elp_state;

    // 计数器
    logic [63:0] mcycle;

    // 当前特权级
    logic [ 1:0] priv_mode;

// mstatus 位定义
    localparam integer SIE_BIT = 1;
    localparam integer MIE_BIT = 3;
    localparam integer SPIE_BIT = 5;
    localparam integer MPIE_BIT = 7;
    localparam integer SPP_BIT = 8;
    localparam integer MPP_LOW = 11;
    localparam integer MPP_HIGH = 12;
    localparam integer TVM_BIT = 20;
    localparam integer TSR_BIT = 22;
    localparam integer SPELP_BIT = `MSTATUS_SPELP_BIT;
    localparam integer MPELP_BIT = `MSTATUSH_MPELP_BIT;

    localparam logic [31:0] MSTATUS_WRITABLE_MASK = 32'h00F0_19AA;
    localparam logic [31:0] MSTATUSH_WRITABLE_MASK = 32'h0000_0200;
    localparam logic [31:0] SSTATUS_MASK = 32'h0080_0122;
    localparam logic [31:0] MENVCFG_WRITABLE_MASK = 32'h0000_000C;
    localparam logic [31:0] SENVCFG_WRITABLE_MASK = 32'h0000_000C;
    localparam logic [31:0] MSECCFG_WRITABLE_MASK = 32'h0000_0400;


// 4 字节对齐
    function automatic [31:0] align_trap_vector(input logic [31:0] value);
        begin
            align_trap_vector = {value[31:2], 2'b00};
        end
    endfunction

    function automatic [31:0] align_epc(input logic [31:0] value);
        begin
            align_epc = {value[31:2], 2'b00};
        end
    endfunction

// 提取出对外可见部分
    function automatic [31:0] compose_sstatus(input logic [31:0] mstatus_value);
        begin
            compose_sstatus = mstatus_value & SSTATUS_MASK;
        end
    endfunction

    function automatic [31:0] compose_senvcfg(
        input logic [31:0] menvcfg_value,
        input logic [31:0] senvcfg_value
    );
        logic [31:0] view_value;
        begin
            view_value = senvcfg_value & SENVCFG_WRITABLE_MASK;
            if (!menvcfg_value[`ENVCFG_SSE_BIT]) begin
                view_value[`ENVCFG_SSE_BIT] = 1'b0;
            end
            compose_senvcfg = view_value;
        end
    endfunction

// 规范化软件写入值
// 防止软件把 mstatus 写成非法/未实现状态
    function automatic [31:0] sanitize_mstatus(input logic [31:0] new_value);
        logic [31:0] sanitized;
        begin
            sanitized = new_value & MSTATUS_WRITABLE_MASK;
            // 若 MPP 被设置成保留的状态代码 强制改为用户态
            if (sanitized[MPP_HIGH:MPP_LOW] == 2'b10) begin
                sanitized[MPP_HIGH:MPP_LOW] = `PRV_U;
            end
            sanitize_mstatus = sanitized;
        end
    endfunction

    function automatic [31:0] sanitize_mstatush(input logic [31:0] new_value);
        begin
            sanitize_mstatush = new_value & MSTATUSH_WRITABLE_MASK;
        end
    endfunction

// 避免未实现位被随意写入
    function automatic [31:0] sanitize_menvcfg(input logic [31:0] new_value);
        begin
            sanitize_menvcfg = new_value & MENVCFG_WRITABLE_MASK;
        end
    endfunction

// 写入时约束 确保 S 态不能绕过 M 态总开关
    function automatic [31:0] sanitize_senvcfg(
        input logic [31:0] new_value,
        input logic [31:0] menvcfg_value
    );
        logic [31:0] sanitized;
        begin
            sanitized = new_value & SENVCFG_WRITABLE_MASK;
            if (!menvcfg_value[`ENVCFG_SSE_BIT]) begin
                sanitized[`ENVCFG_SSE_BIT] = 1'b0;
            end
            sanitize_senvcfg = sanitized;
        end
    endfunction

// 控制 M 态 landing pad 相关能力
    function automatic [31:0] sanitize_mseccfg(input logic [31:0] new_value);
        begin
            sanitize_mseccfg = new_value & MSECCFG_WRITABLE_MASK;
        end
    endfunction

// 对 sstatus 的写入合并到 mstatus 中
    function automatic [31:0] update_sstatus_view(
        input logic [31:0] old_mstatus,
        input logic [31:0] new_sstatus
    );
        logic [31:0] merged;
        begin
            merged = old_mstatus;
            merged[SIE_BIT] = new_sstatus[SIE_BIT];
            merged[SPIE_BIT] = new_sstatus[SPIE_BIT];
            merged[SPP_BIT] = new_sstatus[SPP_BIT];
            merged[SPELP_BIT] = new_sstatus[SPELP_BIT];
            update_sstatus_view = merged;
        end
    endfunction

// 判断当前特权级下 shadow stack 功能是否生效
    function automatic logic shadow_stack_enabled(
        input logic [ 1:0] priv,
        input logic [31:0] menvcfg_value,
        input logic [31:0] senvcfg_value
    );
        begin
            unique case (priv)
                `PRV_S: shadow_stack_enabled = menvcfg_value[`ENVCFG_SSE_BIT];
                `PRV_U:
                shadow_stack_enabled = menvcfg_value[`ENVCFG_SSE_BIT] &&
                                       senvcfg_value[`ENVCFG_SSE_BIT];
                default: shadow_stack_enabled = 1'b0;
            endcase
        end
    endfunction

// 判断当前特权级下 landing pad 功能是否生效
    function automatic logic landing_pad_enabled(
        input logic [ 1:0] priv,
        input logic [31:0] menvcfg_value,
        input logic [31:0] senvcfg_value,
        input logic [31:0] mseccfg_value
    );
        begin
            unique case (priv)
                `PRV_M: landing_pad_enabled = mseccfg_value[`MSECCFG_MLPE_BIT];
                `PRV_S: landing_pad_enabled = menvcfg_value[`ENVCFG_LPE_BIT];
                `PRV_U: landing_pad_enabled = senvcfg_value[`ENVCFG_LPE_BIT];
                default: landing_pad_enabled = 1'b0;
            endcase
        end
    endfunction

// 判断当前异常/中断是否应该委托给 S 态处理
    function automatic logic take_delegated_trap(
        input logic [ 1:0] priv,
        input logic [31:0] cause,
        input logic [31:0] medeleg_value,
        input logic [31:0] mideleg_value
    );
        begin
            if (priv == `PRV_M) begin
                take_delegated_trap = 1'b0;
            end else if (cause[31]) begin
                take_delegated_trap = mideleg_value[cause[4:0]];
            end else begin
                take_delegated_trap = medeleg_value[cause[4:0]];
            end
        end
    endfunction

    logic [31:0] senvcfg_view;
    assign senvcfg_view = compose_senvcfg(menvcfg, senvcfg);

// CSR 读取逻辑
    always_comb begin
        case (csr_addr)
            `CSR_SSP:                  csr_rdata = ssp;
            `CSR_SSTATUS:              csr_rdata = compose_sstatus(mstatus);
            `CSR_SIE:                  csr_rdata = mie & mideleg;
            `CSR_STVEC:                csr_rdata = stvec;
            `CSR_SENVCFG:              csr_rdata = senvcfg_view;
            `CSR_SSCRATCH:             csr_rdata = sscratch;
            `CSR_SEPC:                 csr_rdata = sepc;
            `CSR_SCAUSE:               csr_rdata = scause;
            `CSR_STVAL:                csr_rdata = stval;
            `CSR_SIP:                  csr_rdata = mip & mideleg;
            `CSR_SATP:                 csr_rdata = satp;
            `CSR_MSTATUS:              csr_rdata = mstatus;
            `CSR_MISA:                 csr_rdata = misa;
            `CSR_MEDELEG:              csr_rdata = medeleg;
            `CSR_MIDELEG:              csr_rdata = mideleg;
            `CSR_MIE:                  csr_rdata = mie;
            `CSR_MTVEC:                csr_rdata = mtvec;
            `CSR_MSTATUSH:             csr_rdata = mstatush;
            `CSR_MENVCFG:              csr_rdata = menvcfg;
            `CSR_MSCRATCH:             csr_rdata = mscratch;
            `CSR_MEPC:                 csr_rdata = mepc;
            `CSR_MCAUSE:               csr_rdata = mcause;
            `CSR_MTVAL:                csr_rdata = mtval;
            `CSR_MIP:                  csr_rdata = mip;
            `CSR_MSECCFG:              csr_rdata = mseccfg;
            `CSR_MCYCLE, `CSR_CYCLE:   csr_rdata = mcycle[31:0];
            `CSR_MCYCLEH, `CSR_CYCLEH: csr_rdata = mcycle[63:32];
            default:                   csr_rdata = 32'b0;
        endcase
    end

// 根据操作类型计算新的 CSR 值
    logic [31:0] csr_new_value;
    always_comb begin
        case (csr_op)
            `FUNCT3_CSRRW, `FUNCT3_CSRRWI: csr_new_value = csr_wdata;
            `FUNCT3_CSRRS, `FUNCT3_CSRRSI: csr_new_value = csr_rdata | csr_wdata;
            `FUNCT3_CSRRC, `FUNCT3_CSRRCI: csr_new_value = csr_rdata & (~csr_wdata);
            default:                       csr_new_value = csr_rdata;
        endcase
    end

    logic delegated_exception;
    assign delegated_exception = exception_valid &&
                                 take_delegated_trap(priv_mode, exception_cause, medeleg, mideleg);

    logic [1:0] mret_target_priv;
    logic [1:0] sret_target_priv;
    assign mret_target_priv = mstatus[MPP_HIGH:MPP_LOW];
    assign sret_target_priv = mstatus[SPP_BIT] ? `PRV_S : `PRV_U;

// CSR 写入、异常进入和 xRET 恢复
    always_ff @(posedge clk or negedge rst_n) begin
        if (!rst_n) begin
            mstatus   <= 32'h0000_1800;
            mstatush  <= 32'h0000_0000;
            mtvec     <= 32'h0114_5140;
            mepc      <= 32'h0000_0000;
            mcause    <= 32'h0000_0000;
            mscratch  <= 32'h0000_0000;
            mtval     <= 32'h0000_0000;
            mie       <= 32'h0000_0000;
            mip       <= 32'h0000_0000;
            misa      <= 32'h4014_0100;  // RV32I + S + U
            medeleg   <= 32'h0000_0000;
            mideleg   <= 32'h0000_0000;
            menvcfg   <= 32'h0000_0000;
            mseccfg   <= 32'h0000_0000;
            stvec     <= 32'h0114_5140;
            senvcfg   <= 32'h0000_0000;
            sepc      <= 32'h0000_0000;
            scause    <= 32'h0000_0000;
            sscratch  <= 32'h0000_0000;
            stval     <= 32'h0000_0000;
            satp      <= 32'h0000_0000;
            ssp       <= 32'h0000_0000;
            elp_state <= 1'b0;
            priv_mode <= `PRV_M;
        end else if (exception_valid) begin
            if (delegated_exception) begin
                sepc <= align_epc(exception_pc);
                scause <= exception_cause;
                stval <= exception_tval;
                mstatus[SPIE_BIT] <= mstatus[SIE_BIT];
                mstatus[SIE_BIT] <= 1'b0;
                mstatus[SPP_BIT] <= (priv_mode == `PRV_S);
                mstatus[SPELP_BIT] <= elp_state;
                elp_state <= 1'b0;
                priv_mode <= `PRV_S;
            end else begin
                mepc <= align_epc(exception_pc);
                mcause <= exception_cause;
                mtval <= exception_tval;
                mstatus[MPIE_BIT] <= mstatus[MIE_BIT];
                mstatus[MIE_BIT] <= 1'b0;
                mstatus[MPP_HIGH:MPP_LOW] <= priv_mode;
                mstatush[MPELP_BIT] <= elp_state;
                elp_state <= 1'b0;
                priv_mode <= `PRV_M;
            end
        end else if (mret_valid) begin
            priv_mode <= mret_target_priv;
            mstatus[MIE_BIT] <= mstatus[MPIE_BIT];
            mstatus[MPIE_BIT] <= 1'b1;
            mstatus[MPP_HIGH:MPP_LOW] <= `PRV_U;
            elp_state <= landing_pad_enabled(mret_target_priv, menvcfg, senvcfg, mseccfg) ?
                         mstatush[MPELP_BIT] : 1'b0;
            mstatush[MPELP_BIT] <= 1'b0;
        end else if (sret_valid) begin
            priv_mode <= sret_target_priv;
            mstatus[SIE_BIT] <= mstatus[SPIE_BIT];
            mstatus[SPIE_BIT] <= 1'b1;
            mstatus[SPP_BIT] <= 1'b0;
            elp_state <= landing_pad_enabled(sret_target_priv, menvcfg, senvcfg, mseccfg) ?
                         mstatus[SPELP_BIT] : 1'b0;
            mstatus[SPELP_BIT] <= 1'b0;
        end else if (ssp_update_valid) begin
            ssp <= ssp_update_data;
        end else if (elp_update_valid) begin
            elp_state <= elp_update_expected;
        end else if (csr_we) begin
            case (csr_addr)
                `CSR_SSP:      ssp <= csr_new_value;
                `CSR_SSTATUS:  mstatus <= update_sstatus_view(mstatus, csr_new_value);
                `CSR_SIE:      mie <= (mie & ~mideleg) | (csr_new_value & mideleg);
                `CSR_STVEC:    stvec <= align_trap_vector(csr_new_value);
                `CSR_SENVCFG:  senvcfg <= sanitize_senvcfg(csr_new_value, menvcfg);
                `CSR_SSCRATCH: sscratch <= csr_new_value;
                `CSR_SEPC:     sepc <= align_epc(csr_new_value);
                `CSR_SCAUSE:   scause <= csr_new_value;
                `CSR_STVAL:    stval <= csr_new_value;
                `CSR_SIP:      mip <= (mip & ~mideleg) | (csr_new_value & mideleg);
                `CSR_SATP:     satp <= csr_new_value;
                `CSR_MSTATUS:  mstatus <= sanitize_mstatus(csr_new_value);
                `CSR_MEDELEG:  medeleg <= csr_new_value;
                `CSR_MIDELEG:  mideleg <= csr_new_value;
                `CSR_MIE:      mie <= csr_new_value;
                `CSR_MTVEC:    mtvec <= align_trap_vector(csr_new_value);
                `CSR_MSTATUSH: mstatush <= sanitize_mstatush(csr_new_value);
                `CSR_MENVCFG:  menvcfg <= sanitize_menvcfg(csr_new_value);
                `CSR_MSCRATCH: mscratch <= csr_new_value;
                `CSR_MEPC:     mepc <= align_epc(csr_new_value);
                `CSR_MCAUSE:   mcause <= csr_new_value;
                `CSR_MTVAL:    mtval <= csr_new_value;
                `CSR_MIP:      mip <= csr_new_value;
                `CSR_MSECCFG:  mseccfg <= sanitize_mseccfg(csr_new_value);
                default:       ;
            endcase
        end
    end

// mcycle 计数器
    always_ff @(posedge clk or negedge rst_n) begin
        if (!rst_n) begin
            mcycle <= 64'h0;
        end else if (csr_we && csr_addr == `CSR_MCYCLE) begin
            mcycle[31:0] <= csr_new_value;
        end else if (csr_we && csr_addr == `CSR_MCYCLEH) begin
            mcycle[63:32] <= csr_new_value;
        end else begin
            mcycle <= mcycle + 64'h1;
        end
    end

    assign trap_to_mmode = exception_valid && !delegated_exception;
    assign trap_target = delegated_exception ? align_trap_vector(stvec) : align_trap_vector(mtvec);
    assign xret_target = mret_valid ? mepc : sepc;

    assign current_priv_mode = priv_mode;
    assign mstatus_tsr = mstatus[TSR_BIT];
    assign mstatus_tvm = mstatus[TVM_BIT];
    assign current_sse_enabled = shadow_stack_enabled(priv_mode, menvcfg, senvcfg_view);
    assign current_lpe_enabled = landing_pad_enabled(priv_mode, menvcfg, senvcfg_view, mseccfg);
    assign elp_expected = elp_state;
    assign ssp_value = ssp;

endmodule

Decoder 修改

我们还需要同步修改译码器，使其认识新加入的一些CSR指令。

对于xRET，它们不需要使用到rs1：

assign rs1_used =
    ~((opcode == OPCODE_LUI) || (opcode == OPCODE_AUIPC) || (opcode == OPCODE_JAL) ||
      (opcode == OPCODE_ZERO) || csr_use_imm ||
      ((opcode == OPCODE_ZICSR) && (funct3 == `FUNCT3_CALL)));
// ECALL/MRET/SRET don't use rs1

接着一层层检测CSR指令和ecall/xRET：

always_comb begin : csr_detection
    // 提取CSR地址
    csr_addr = instr[31:20];
    csr_op   = funct3;

    if (opcode == OPCODE_ZICSR) begin
        if (funct3 == `FUNCT3_CALL) begin
            // ECALL: instr = 0x00000073
            // MRET:  instr = 0x30200073
            // SRET:  instr = 0x10200073
            is_csr_instr = 1'b0;
            is_ecall     = (instr[31:7] == 25'b0);
            is_mret      = (instr[31:7] == 25'b0011000000100000000000000);
            is_sret      = (instr[31:7] == 25'b0001000000100000000000000);
        end else begin
            // CSR instructions: CSRRW, CSRRS, CSRRC, CSRRWI, CSRRSI, CSRRCI
            is_csr_instr = 1'b1;
            is_ecall     = 1'b0;
            is_mret      = 1'b0;
            is_sret      = 1'b0;
        end
    end else begin
        is_csr_instr = 1'b0;
        is_ecall     = 1'b0;
        is_mret      = 1'b0;
        is_sret      = 1'b0;
    end
end

然后补全OPCODE_ZICSR中的判断：

OPCODE_ZICSR: begin
    // CSR and system instructions
    if (funct3 == `FUNCT3_CALL) begin
        // ECALL: instr = 0x00000073
        // MRET:  instr = 0x30200073
        // SRET:  instr = 0x10200073
        // EBREAK: instr = 0x00100073 (not supported, marked as illegal)
        // WFI: instr = 0x10500073 (not supported, marked as illegal)
        // Check ECALL: bits[31:7] = 0
        // Check MRET: bits[31:20]=0x302, bits[19:7]=0
        // Check SRET: bits[31:20]=0x102, bits[19:7]=0
        is_illegal_instr = !((instr == 32'h00000073) ||  // ECALL
                             (instr == 32'h30200073) ||  // MRET
                             (instr == 32'h10200073));   // SRET
    end else begin
        // CSR instructions: funct3 001-011, 101-111 are valid
        // funct3 = 000 handled above, funct3 = 100 is invalid
        is_illegal_instr = (funct3 == 3'b100);
    end
end

PR_ID_EX.sv 修改

加几个输入端口，以及sret的数据传递就行。略。

顶层模块修改

顶层要改的就很多了：各种写信号、非法检测信号、异常返回……

logic is_sret_ID, is_sret_EX;
logic        csr_write_intent_ID, csr_write_intent_EX;
logic [ 1:0] current_priv_mode;
logic        mstatus_tsr;
logic        mstatus_tvm;
logic        privileged_illegal_instr_ID;
logic        illegal_instr_exception_effective_ID;
logic        flushes_id_exception_ID;
logic        redirect_from_ex_stage;
logic [31:0] xret_target;

然后添加各种CSR指令的判断，以及IF/ID级的非法指令检测。这里的非法指令检测还要加上特权指令是否越界：

always_comb begin
    unique case (csr_op_ID)
        `FUNCT3_CSRRW, `FUNCT3_CSRRWI: csr_write_intent_ID = is_csr_instr_ID;
        `FUNCT3_CSRRS, `FUNCT3_CSRRC, `FUNCT3_CSRRSI, `FUNCT3_CSRRCI:
            csr_write_intent_ID = is_csr_instr_ID && (instr_ID[19:15] != 5'b0);
        default: csr_write_intent_ID = 1'b0;
    endcase
end

assign privileged_illegal_instr_ID =
    (is_csr_instr_ID && (current_priv_mode < csr_addr_ID[9:8])) ||
    (is_csr_instr_ID && csr_write_intent_ID && (csr_addr_ID[11:10] == 2'b11)) ||
    (is_csr_instr_ID && (csr_addr_ID == `CSR_SATP) &&
     (current_priv_mode == `PRV_S) && mstatus_tvm) ||
    (is_mret_ID && (current_priv_mode != `PRV_M)) ||
    (is_sret_ID &&
     ((current_priv_mode == `PRV_U) ||
      ((current_priv_mode == `PRV_S) && mstatus_tsr)));

// 早期非法指令异常检测 (ID级)
// 当检测到非法指令时，在ID级就触发异常
// 这样可以防止非法指令前面的指令(在EX级)提交
assign illegal_instr_exception_ID = (is_illegal_instr_ID || privileged_illegal_instr_ID) && valid_ID;
assign illegal_instr_pc_ID = pc_ID;
assign illegal_instr_encoding_ID = instr_ID;

然后是在EX级的CSR逻辑扩展，以及异常值的选择：

// CSR write data selection:
// - Register variants (CSRRW/CSRRS/CSRRC): use rs1 value (rf_rd1_EX)
// - Immediate variants (CSRRWI/CSRRSI/CSRRCI): use 5-bit zimm from imm_EX
always_comb begin
    if (csr_op_EX[2]) begin
        // Immediate variants: zimm is zero-extended 5-bit immediate
        csr_wdata_EX = {27'b0, imm_EX[4:0]};
    end else begin
        // Register variants: use rs1 value
        csr_wdata_EX = rf_rd1_EX;
    end
end

always_comb begin
    unique case (csr_op_EX)
        `FUNCT3_CSRRW, `FUNCT3_CSRRWI: csr_write_intent_EX = is_csr_instr_EX;
        `FUNCT3_CSRRS, `FUNCT3_CSRRC, `FUNCT3_CSRRSI, `FUNCT3_CSRRCI:
            csr_write_intent_EX = is_csr_instr_EX && (instr_EX[19:15] != 5'b0);
        default: csr_write_intent_EX = 1'b0;
    endcase
end

// Exception handling:
// 异常分为两类：
// 1. ID级异常：非法指令 - 需要早期检测以防止其前面的指令提交
// 2. EX级异常：地址未对齐、ECALL - 在执行阶段检测
//
// - Instruction address misaligned: mcause = 0, mtval = misaligned address
// - Illegal instruction: mcause = 2, mtval = instruction encoding
// - Load address misaligned: mcause = 4, mtval = misaligned address
// - Store address misaligned: mcause = 6, mtval = misaligned address
// - ECALL: mcause = 11, mtval = 0

// Misaligned address detection (EX stage)
// For JALR: target must be 4-byte aligned (bit 1 must be 0 for RV32I without C extension)
// JAL/branch targets must also be 4-byte aligned when the C extension is absent.
// JALR target = (rs1 + imm) & ~1, so we check bit 1 of alu_result (before masking).
logic instr_misaligned_EX;
logic [31:0] jalr_target_EX;
logic [31:0] branch_target_normal;
logic [31:0] instr_target_EX;
logic branch_jal_target_misaligned_EX;
logic take_branch_normal;
assign jalr_target_EX = {alu_result_EX[31:1], 1'b0};  // JALR target after masking bit 0
assign branch_jal_target_misaligned_EX = take_branch_normal &&
                                         (jump_type_EX != `JUMP_JALR) &&
                                         (branch_target_normal[1] != 1'b0);
assign instr_misaligned_EX = ((jump_type_EX == `JUMP_JALR) && (alu_result_EX[1] != 1'b0)) ||
                             branch_jal_target_misaligned_EX;
assign instr_target_EX = (jump_type_EX == `JUMP_JALR) ? jalr_target_EX : branch_target_normal;

// Load/Store address misaligned detection (EX stage)
// LW/SW: must be 4-byte aligned (bits [1:0] == 00)
// LH/LHU/SH: must be 2-byte aligned (bit [0] == 0)
// LB/LBU/SB: no alignment requirement
logic load_misaligned_EX;
logic store_misaligned_EX;
always_comb begin
    load_misaligned_EX = 1'b0;
    store_misaligned_EX = 1'b0;
    case (sl_type_EX)
        `MEM_LW:  load_misaligned_EX  = (alu_result_EX[1:0] != 2'b00);
        `MEM_LH,
        `MEM_LHU: load_misaligned_EX  = (alu_result_EX[0] != 1'b0);
        `MEM_SW:  store_misaligned_EX = (alu_result_EX[1:0] != 2'b00);
        `MEM_SH:  store_misaligned_EX = (alu_result_EX[0] != 1'b0);
        default: begin
            load_misaligned_EX  = 1'b0;
            store_misaligned_EX = 1'b0;
        end
    endcase
end

// EX级异常 (不包括非法指令，非法指令在ID级处理)
logic exception_valid_EX;
assign exception_valid_EX = (instr_misaligned_EX || load_misaligned_EX ||
                             store_misaligned_EX || is_ecall_EX) && valid_EX;
assign redirect_from_ex_stage = take_branch_normal ||
                                exception_valid_EX ||
                                (is_mret_EX && valid_EX) ||
                                (is_sret_EX && valid_EX);
assign flushes_id_exception_ID = take_branch_normal ||
                                 (is_mret_EX && valid_EX) ||
                                 (is_sret_EX && valid_EX);
assign illegal_instr_exception_effective_ID =
    illegal_instr_exception_ID && !flushes_id_exception_ID;

// 总异常信号：EX级异常 OR ID级非法指令异常
// 优先级：EX级异常 > ID级异常
// 注意：当EX级有有效的跳转/分支时 ID级的指令将被flush，
// 所以ID级的非法指令异常不应该生效
// 这防止了跳转到数据区域时 数据被误认为非法指令而触发异常
assign exception_valid = exception_valid_EX ||
                         illegal_instr_exception_effective_ID;

// 异常PC和原因/值的选择
always_comb begin
    if (instr_misaligned_EX && valid_EX) begin
        // EX级地址未对齐异常优先
        exception_pc    = pc_EX;
        exception_cause = 32'd0;  // Instruction address misaligned
        exception_tval  = instr_target_EX;
    end else if (load_misaligned_EX && valid_EX) begin
        exception_pc    = pc_EX;
        exception_cause = 32'd4;  // Load address misaligned
        exception_tval  = alu_result_EX;
    end else if (store_misaligned_EX && valid_EX) begin
        exception_pc    = pc_EX;
        exception_cause = `EXC_STORE_MISALIGNED;
        exception_tval  = alu_result_EX;
    end else if (is_ecall_EX && valid_EX) begin
        exception_pc    = pc_EX;
        case (current_priv_mode)
            `PRV_U:  exception_cause = `EXC_ECALL_U;
            `PRV_S:  exception_cause = `EXC_ECALL_S;
            default: exception_cause = `EXC_ECALL_M;
        endcase
        exception_tval  = 32'b0;
    end else if (illegal_instr_exception_effective_ID) begin
        // ID级非法指令异常
        exception_pc    = illegal_instr_pc_ID;
        exception_cause = `EXC_ILLEGAL_INSTR;
        exception_tval  = illegal_instr_encoding_ID;
    end else begin
        // 默认值 (不应该到达这里)
        exception_pc    = pc_EX;
        exception_cause = `EXC_INST_MISALIGNED;
        exception_tval  = 32'b0;
    end
end

CSR u_CSR (
    .clk            (clk),
    .rst_n          (rst_n),
    // CSR instruction interface
    .csr_we         (is_csr_instr_EX && valid_EX && csr_write_intent_EX),
    .csr_addr       (csr_addr_EX),
    .csr_wdata      (csr_wdata_EX),
    .csr_op         (csr_op_EX),
    .csr_rdata      (csr_rdata_EX),
    // Exception/trap interface
    .exception_valid(exception_valid),
    .exception_pc   (exception_pc),
    .exception_cause(exception_cause),
    .exception_tval (exception_tval),
    // xRET interface
    .mret_valid     (is_mret_EX && valid_EX),
    .sret_valid     (is_sret_EX && valid_EX),
    // Trap output
    .trap_to_mmode  (trap_to_mmode),
    .trap_target    (trap_target),
    .xret_target    (xret_target),
    .current_priv_mode(current_priv_mode),
    .mstatus_tsr    (mstatus_tsr),
    .mstatus_tvm    (mstatus_tvm)
);

接着是NextPC计算，需要考虑异常和xRET的优先级：

NextPC_Generator u_NextPC_Generator (
    .is_branch_instr     (is_branch_instr_EX),
    .branch_type         (branch_type_EX),
    .jump_type           (jump_type_EX),
    .alu_result          (alu_result_EX),
    .branch_target_i     (branch_target_EX),
    .alu_zero            (alu_zero),
    .alu_sign            (alu_sign),
    .alu_unsigned        (alu_unsigned),
    .take_branch         (take_branch_normal),
    .branch_target_NextPC(branch_target_normal)
);

// 优先级: Exception > xRET > Normal branch/jump
always_comb begin
    if (exception_valid) begin
        take_branch_NextPC    = 1'b1;
        branch_target_NextPC  = trap_target;
    end else if ((is_mret_EX || is_sret_EX) && valid_EX) begin
        take_branch_NextPC    = 1'b1;
        branch_target_NextPC  = xret_target;
    end else begin
        take_branch_NextPC    = take_branch_normal;
        branch_target_NextPC  = branch_target_normal;
    end
end

最后，是EX/MEM级的修改。之前的代码有个小问题，在ID级的非法指令会让前面已经跑到MEM/WB级的指令被冲刷，但是这是不对的。ID级非法指令只应杀掉它自己和更年轻的指令，不能回滚更老的 EX/MEM/WB 指令。

// 异常处理和流水线冲刷：
// - EX级异常需要阻止 faulting 指令进入 MEM
// - ID级非法指令只应杀掉它自己和更年轻的指令，不能回滚更老的 EX/MEM/WB 指令
logic flush_EX_MEM;
logic flush_MEM_WB;
assign flush_EX_MEM = exception_valid_EX;
// assign flush_MEM_WB = illegal_instr_exception_ID && !exception_valid_EX;
assign flush_MEM_WB = 1'b0;